Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 1 | /* apps/req.c */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * This package is an SSL implementation written |
| 6 | * by Eric Young (eay@cryptsoft.com). |
| 7 | * The implementation was written so as to conform with Netscapes SSL. |
| 8 | * |
| 9 | * This library is free for commercial and non-commercial use as long as |
| 10 | * the following conditions are aheared to. The following conditions |
| 11 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 13 | * included with this distribution is covered by the same copyright terms |
| 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 15 | * |
| 16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 17 | * the code are not to be removed. |
| 18 | * If this package is used in a product, Eric Young should be given attribution |
| 19 | * as the author of the parts of the library used. |
| 20 | * This can be in the form of a textual message at program startup or |
| 21 | * in documentation (online or textual) provided with the package. |
| 22 | * |
| 23 | * Redistribution and use in source and binary forms, with or without |
| 24 | * modification, are permitted provided that the following conditions |
| 25 | * are met: |
| 26 | * 1. Redistributions of source code must retain the copyright |
| 27 | * notice, this list of conditions and the following disclaimer. |
| 28 | * 2. Redistributions in binary form must reproduce the above copyright |
| 29 | * notice, this list of conditions and the following disclaimer in the |
| 30 | * documentation and/or other materials provided with the distribution. |
| 31 | * 3. All advertising materials mentioning features or use of this software |
| 32 | * must display the following acknowledgement: |
| 33 | * "This product includes cryptographic software written by |
| 34 | * Eric Young (eay@cryptsoft.com)" |
| 35 | * The word 'cryptographic' can be left out if the rouines from the library |
| 36 | * being used are not cryptographic related :-). |
| 37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 38 | * the apps directory (application code) you must include an acknowledgement: |
| 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 40 | * |
| 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 51 | * SUCH DAMAGE. |
| 52 | * |
| 53 | * The licence and distribution terms for any publically available version or |
| 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 55 | * copied and put under another distribution licence |
| 56 | * [including the GNU Public Licence.] |
| 57 | */ |
| 58 | |
| 59 | /* Until the key-gen callbacks are modified to use newer prototypes, we allow |
| 60 | * deprecated functions for openssl-internal code */ |
| 61 | #ifdef OPENSSL_NO_DEPRECATED |
| 62 | #undef OPENSSL_NO_DEPRECATED |
| 63 | #endif |
| 64 | |
| 65 | #include <stdio.h> |
| 66 | #include <stdlib.h> |
| 67 | #include <time.h> |
| 68 | #include <string.h> |
| 69 | #ifdef OPENSSL_NO_STDIO |
| 70 | #define APPS_WIN16 |
| 71 | #endif |
| 72 | #include "apps.h" |
| 73 | #include <openssl/bio.h> |
| 74 | #include <openssl/evp.h> |
| 75 | #include <openssl/conf.h> |
| 76 | #include <openssl/err.h> |
| 77 | #include <openssl/asn1.h> |
| 78 | #include <openssl/x509.h> |
| 79 | #include <openssl/x509v3.h> |
| 80 | #include <openssl/objects.h> |
| 81 | #include <openssl/pem.h> |
| 82 | #include <openssl/bn.h> |
| 83 | #ifndef OPENSSL_NO_RSA |
| 84 | #include <openssl/rsa.h> |
| 85 | #endif |
| 86 | #ifndef OPENSSL_NO_DSA |
| 87 | #include <openssl/dsa.h> |
| 88 | #endif |
| 89 | |
| 90 | #define SECTION "req" |
| 91 | |
| 92 | #define BITS "default_bits" |
| 93 | #define KEYFILE "default_keyfile" |
| 94 | #define PROMPT "prompt" |
| 95 | #define DISTINGUISHED_NAME "distinguished_name" |
| 96 | #define ATTRIBUTES "attributes" |
| 97 | #define V3_EXTENSIONS "x509_extensions" |
| 98 | #define REQ_EXTENSIONS "req_extensions" |
| 99 | #define STRING_MASK "string_mask" |
| 100 | #define UTF8_IN "utf8" |
| 101 | |
| 102 | #define DEFAULT_KEY_LENGTH 512 |
| 103 | #define MIN_KEY_LENGTH 384 |
| 104 | |
| 105 | #undef PROG |
| 106 | #define PROG req_main |
| 107 | |
| 108 | /* -inform arg - input format - default PEM (DER or PEM) |
| 109 | * -outform arg - output format - default PEM |
| 110 | * -in arg - input file - default stdin |
| 111 | * -out arg - output file - default stdout |
| 112 | * -verify - check request signature |
| 113 | * -noout - don't print stuff out. |
| 114 | * -text - print out human readable text. |
| 115 | * -nodes - no des encryption |
| 116 | * -config file - Load configuration file. |
| 117 | * -key file - make a request using key in file (or use it for verification). |
| 118 | * -keyform arg - key file format. |
| 119 | * -rand file(s) - load the file(s) into the PRNG. |
| 120 | * -newkey - make a key and a request. |
| 121 | * -modulus - print RSA modulus. |
| 122 | * -pubkey - output Public Key. |
| 123 | * -x509 - output a self signed X509 structure instead. |
| 124 | * -asn1-kludge - output new certificate request in a format that some CA's |
| 125 | * require. This format is wrong |
| 126 | */ |
| 127 | |
| 128 | static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,char *dn,int mutlirdn, |
| 129 | int attribs,unsigned long chtype); |
| 130 | static int build_subject(X509_REQ *req, char *subj, unsigned long chtype, |
| 131 | int multirdn); |
| 132 | static int prompt_info(X509_REQ *req, |
| 133 | STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, |
| 134 | STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs, |
| 135 | unsigned long chtype); |
| 136 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, |
| 137 | STACK_OF(CONF_VALUE) *attr, int attribs, |
| 138 | unsigned long chtype); |
| 139 | static int add_attribute_object(X509_REQ *req, char *text, const char *def, |
| 140 | char *value, int nid, int n_min, |
| 141 | int n_max, unsigned long chtype); |
| 142 | static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, |
| 143 | int nid,int n_min,int n_max, unsigned long chtype, int mval); |
| 144 | static int genpkey_cb(EVP_PKEY_CTX *ctx); |
| 145 | static int req_check_len(int len,int n_min,int n_max); |
| 146 | static int check_end(const char *str, const char *end); |
| 147 | static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, |
| 148 | long *pkeylen, char **palgnam, |
| 149 | ENGINE *keygen_engine); |
| 150 | #ifndef MONOLITH |
| 151 | static char *default_config_file=NULL; |
| 152 | #endif |
| 153 | static CONF *req_conf=NULL; |
| 154 | static int batch=0; |
| 155 | |
| 156 | int MAIN(int, char **); |
| 157 | |
| 158 | int MAIN(int argc, char **argv) |
| 159 | { |
| 160 | ENGINE *e = NULL, *gen_eng = NULL; |
| 161 | unsigned long nmflag = 0, reqflag = 0; |
| 162 | int ex=1,x509=0,days=30; |
| 163 | X509 *x509ss=NULL; |
| 164 | X509_REQ *req=NULL; |
| 165 | EVP_PKEY_CTX *genctx = NULL; |
| 166 | const char *keyalg = NULL; |
| 167 | char *keyalgstr = NULL; |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 168 | STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 169 | EVP_PKEY *pkey=NULL; |
| 170 | int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1; |
| 171 | long newkey = -1; |
| 172 | BIO *in=NULL,*out=NULL; |
| 173 | int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; |
| 174 | int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0; |
| 175 | char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; |
| 176 | #ifndef OPENSSL_NO_ENGINE |
| 177 | char *engine=NULL; |
| 178 | #endif |
| 179 | char *extensions = NULL; |
| 180 | char *req_exts = NULL; |
| 181 | const EVP_CIPHER *cipher=NULL; |
| 182 | ASN1_INTEGER *serial = NULL; |
| 183 | int modulus=0; |
| 184 | char *inrand=NULL; |
| 185 | char *passargin = NULL, *passargout = NULL; |
| 186 | char *passin = NULL, *passout = NULL; |
| 187 | char *p; |
| 188 | char *subj = NULL; |
| 189 | int multirdn = 0; |
| 190 | const EVP_MD *md_alg=NULL,*digest=NULL; |
| 191 | unsigned long chtype = MBSTRING_ASC; |
| 192 | #ifndef MONOLITH |
| 193 | char *to_free; |
| 194 | long errline; |
| 195 | #endif |
| 196 | |
| 197 | req_conf = NULL; |
| 198 | #ifndef OPENSSL_NO_DES |
| 199 | cipher=EVP_des_ede3_cbc(); |
| 200 | #endif |
| 201 | apps_startup(); |
| 202 | |
| 203 | if (bio_err == NULL) |
| 204 | if ((bio_err=BIO_new(BIO_s_file())) != NULL) |
| 205 | BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); |
| 206 | |
| 207 | infile=NULL; |
| 208 | outfile=NULL; |
| 209 | informat=FORMAT_PEM; |
| 210 | outformat=FORMAT_PEM; |
| 211 | |
| 212 | prog=argv[0]; |
| 213 | argc--; |
| 214 | argv++; |
| 215 | while (argc >= 1) |
| 216 | { |
| 217 | if (strcmp(*argv,"-inform") == 0) |
| 218 | { |
| 219 | if (--argc < 1) goto bad; |
| 220 | informat=str2fmt(*(++argv)); |
| 221 | } |
| 222 | else if (strcmp(*argv,"-outform") == 0) |
| 223 | { |
| 224 | if (--argc < 1) goto bad; |
| 225 | outformat=str2fmt(*(++argv)); |
| 226 | } |
| 227 | #ifndef OPENSSL_NO_ENGINE |
| 228 | else if (strcmp(*argv,"-engine") == 0) |
| 229 | { |
| 230 | if (--argc < 1) goto bad; |
| 231 | engine= *(++argv); |
| 232 | } |
| 233 | else if (strcmp(*argv,"-keygen_engine") == 0) |
| 234 | { |
| 235 | if (--argc < 1) goto bad; |
| 236 | gen_eng = ENGINE_by_id(*(++argv)); |
| 237 | if (gen_eng == NULL) |
| 238 | { |
| 239 | BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); |
| 240 | goto end; |
| 241 | } |
| 242 | } |
| 243 | #endif |
| 244 | else if (strcmp(*argv,"-key") == 0) |
| 245 | { |
| 246 | if (--argc < 1) goto bad; |
| 247 | keyfile= *(++argv); |
| 248 | } |
| 249 | else if (strcmp(*argv,"-pubkey") == 0) |
| 250 | { |
| 251 | pubkey=1; |
| 252 | } |
| 253 | else if (strcmp(*argv,"-new") == 0) |
| 254 | { |
| 255 | newreq=1; |
| 256 | } |
| 257 | else if (strcmp(*argv,"-config") == 0) |
| 258 | { |
| 259 | if (--argc < 1) goto bad; |
| 260 | template= *(++argv); |
| 261 | } |
| 262 | else if (strcmp(*argv,"-keyform") == 0) |
| 263 | { |
| 264 | if (--argc < 1) goto bad; |
| 265 | keyform=str2fmt(*(++argv)); |
| 266 | } |
| 267 | else if (strcmp(*argv,"-in") == 0) |
| 268 | { |
| 269 | if (--argc < 1) goto bad; |
| 270 | infile= *(++argv); |
| 271 | } |
| 272 | else if (strcmp(*argv,"-out") == 0) |
| 273 | { |
| 274 | if (--argc < 1) goto bad; |
| 275 | outfile= *(++argv); |
| 276 | } |
| 277 | else if (strcmp(*argv,"-keyout") == 0) |
| 278 | { |
| 279 | if (--argc < 1) goto bad; |
| 280 | keyout= *(++argv); |
| 281 | } |
| 282 | else if (strcmp(*argv,"-passin") == 0) |
| 283 | { |
| 284 | if (--argc < 1) goto bad; |
| 285 | passargin= *(++argv); |
| 286 | } |
| 287 | else if (strcmp(*argv,"-passout") == 0) |
| 288 | { |
| 289 | if (--argc < 1) goto bad; |
| 290 | passargout= *(++argv); |
| 291 | } |
| 292 | else if (strcmp(*argv,"-rand") == 0) |
| 293 | { |
| 294 | if (--argc < 1) goto bad; |
| 295 | inrand= *(++argv); |
| 296 | } |
| 297 | else if (strcmp(*argv,"-newkey") == 0) |
| 298 | { |
| 299 | if (--argc < 1) |
| 300 | goto bad; |
| 301 | keyalg = *(++argv); |
| 302 | newreq=1; |
| 303 | } |
| 304 | else if (strcmp(*argv,"-pkeyopt") == 0) |
| 305 | { |
| 306 | if (--argc < 1) |
| 307 | goto bad; |
| 308 | if (!pkeyopts) |
| 309 | pkeyopts = sk_OPENSSL_STRING_new_null(); |
| 310 | if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) |
| 311 | goto bad; |
| 312 | } |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 313 | else if (strcmp(*argv,"-batch") == 0) |
| 314 | batch=1; |
| 315 | else if (strcmp(*argv,"-newhdr") == 0) |
| 316 | newhdr=1; |
| 317 | else if (strcmp(*argv,"-modulus") == 0) |
| 318 | modulus=1; |
| 319 | else if (strcmp(*argv,"-verify") == 0) |
| 320 | verify=1; |
| 321 | else if (strcmp(*argv,"-nodes") == 0) |
| 322 | nodes=1; |
| 323 | else if (strcmp(*argv,"-noout") == 0) |
| 324 | noout=1; |
| 325 | else if (strcmp(*argv,"-verbose") == 0) |
| 326 | verbose=1; |
| 327 | else if (strcmp(*argv,"-utf8") == 0) |
| 328 | chtype = MBSTRING_UTF8; |
| 329 | else if (strcmp(*argv,"-nameopt") == 0) |
| 330 | { |
| 331 | if (--argc < 1) goto bad; |
| 332 | if (!set_name_ex(&nmflag, *(++argv))) goto bad; |
| 333 | } |
| 334 | else if (strcmp(*argv,"-reqopt") == 0) |
| 335 | { |
| 336 | if (--argc < 1) goto bad; |
| 337 | if (!set_cert_ex(&reqflag, *(++argv))) goto bad; |
| 338 | } |
| 339 | else if (strcmp(*argv,"-subject") == 0) |
| 340 | subject=1; |
| 341 | else if (strcmp(*argv,"-text") == 0) |
| 342 | text=1; |
| 343 | else if (strcmp(*argv,"-x509") == 0) |
| 344 | x509=1; |
| 345 | else if (strcmp(*argv,"-asn1-kludge") == 0) |
| 346 | kludge=1; |
| 347 | else if (strcmp(*argv,"-no-asn1-kludge") == 0) |
| 348 | kludge=0; |
| 349 | else if (strcmp(*argv,"-subj") == 0) |
| 350 | { |
| 351 | if (--argc < 1) goto bad; |
| 352 | subj= *(++argv); |
| 353 | } |
| 354 | else if (strcmp(*argv,"-multivalue-rdn") == 0) |
| 355 | multirdn=1; |
| 356 | else if (strcmp(*argv,"-days") == 0) |
| 357 | { |
| 358 | if (--argc < 1) goto bad; |
| 359 | days= atoi(*(++argv)); |
| 360 | if (days == 0) days=30; |
| 361 | } |
| 362 | else if (strcmp(*argv,"-set_serial") == 0) |
| 363 | { |
| 364 | if (--argc < 1) goto bad; |
| 365 | serial = s2i_ASN1_INTEGER(NULL, *(++argv)); |
| 366 | if (!serial) goto bad; |
| 367 | } |
| 368 | else if (strcmp(*argv,"-extensions") == 0) |
| 369 | { |
| 370 | if (--argc < 1) goto bad; |
| 371 | extensions = *(++argv); |
| 372 | } |
| 373 | else if (strcmp(*argv,"-reqexts") == 0) |
| 374 | { |
| 375 | if (--argc < 1) goto bad; |
| 376 | req_exts = *(++argv); |
| 377 | } |
| 378 | else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) |
| 379 | { |
| 380 | /* ok */ |
| 381 | digest=md_alg; |
| 382 | } |
| 383 | else |
| 384 | { |
| 385 | BIO_printf(bio_err,"unknown option %s\n",*argv); |
| 386 | badops=1; |
| 387 | break; |
| 388 | } |
| 389 | argc--; |
| 390 | argv++; |
| 391 | } |
| 392 | |
| 393 | if (badops) |
| 394 | { |
| 395 | bad: |
| 396 | BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog); |
| 397 | BIO_printf(bio_err,"where options are\n"); |
| 398 | BIO_printf(bio_err," -inform arg input format - DER or PEM\n"); |
| 399 | BIO_printf(bio_err," -outform arg output format - DER or PEM\n"); |
| 400 | BIO_printf(bio_err," -in arg input file\n"); |
| 401 | BIO_printf(bio_err," -out arg output file\n"); |
| 402 | BIO_printf(bio_err," -text text form of request\n"); |
| 403 | BIO_printf(bio_err," -pubkey output public key\n"); |
| 404 | BIO_printf(bio_err," -noout do not output REQ\n"); |
| 405 | BIO_printf(bio_err," -verify verify signature on REQ\n"); |
| 406 | BIO_printf(bio_err," -modulus RSA modulus\n"); |
| 407 | BIO_printf(bio_err," -nodes don't encrypt the output key\n"); |
| 408 | #ifndef OPENSSL_NO_ENGINE |
| 409 | BIO_printf(bio_err," -engine e use engine e, possibly a hardware device\n"); |
| 410 | #endif |
| 411 | BIO_printf(bio_err," -subject output the request's subject\n"); |
| 412 | BIO_printf(bio_err," -passin private key password source\n"); |
| 413 | BIO_printf(bio_err," -key file use the private key contained in file\n"); |
| 414 | BIO_printf(bio_err," -keyform arg key file format\n"); |
| 415 | BIO_printf(bio_err," -keyout arg file to send the key to\n"); |
| 416 | BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); |
| 417 | BIO_printf(bio_err," load the file (or the files in the directory) into\n"); |
| 418 | BIO_printf(bio_err," the random number generator\n"); |
| 419 | BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n"); |
| 420 | BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n"); |
| 421 | #ifndef OPENSSL_NO_ECDSA |
| 422 | BIO_printf(bio_err," -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n"); |
| 423 | #endif |
| 424 | BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n"); |
| 425 | BIO_printf(bio_err," -config file request template file.\n"); |
| 426 | BIO_printf(bio_err," -subj arg set or modify request subject\n"); |
| 427 | BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n"); |
| 428 | BIO_printf(bio_err," -new new request.\n"); |
| 429 | BIO_printf(bio_err," -batch do not ask anything during request generation\n"); |
| 430 | BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n"); |
| 431 | BIO_printf(bio_err," -days number of days a certificate generated by -x509 is valid for.\n"); |
| 432 | BIO_printf(bio_err," -set_serial serial number to use for a certificate generated by -x509.\n"); |
| 433 | BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines\n"); |
| 434 | BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n"); |
| 435 | BIO_printf(bio_err," have been reported as requiring\n"); |
| 436 | BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n"); |
| 437 | BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n"); |
| 438 | BIO_printf(bio_err," -utf8 input characters are UTF8 (default ASCII)\n"); |
| 439 | BIO_printf(bio_err," -nameopt arg - various certificate name options\n"); |
| 440 | BIO_printf(bio_err," -reqopt arg - various request text options\n\n"); |
| 441 | goto end; |
| 442 | } |
| 443 | |
| 444 | ERR_load_crypto_strings(); |
| 445 | if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { |
| 446 | BIO_printf(bio_err, "Error getting passwords\n"); |
| 447 | goto end; |
| 448 | } |
| 449 | |
| 450 | #ifndef MONOLITH /* else this has happened in openssl.c (global `config') */ |
| 451 | /* Lets load up our environment a little */ |
| 452 | p=getenv("OPENSSL_CONF"); |
| 453 | if (p == NULL) |
| 454 | p=getenv("SSLEAY_CONF"); |
| 455 | if (p == NULL) |
| 456 | p=to_free=make_config_name(); |
| 457 | default_config_file=p; |
| 458 | config=NCONF_new(NULL); |
| 459 | i=NCONF_load(config, p, &errline); |
| 460 | #endif |
| 461 | |
| 462 | if (template != NULL) |
| 463 | { |
| 464 | long errline = -1; |
| 465 | |
| 466 | if( verbose ) |
| 467 | BIO_printf(bio_err,"Using configuration from %s\n",template); |
| 468 | req_conf=NCONF_new(NULL); |
| 469 | i=NCONF_load(req_conf,template,&errline); |
| 470 | if (i == 0) |
| 471 | { |
| 472 | BIO_printf(bio_err,"error on line %ld of %s\n",errline,template); |
| 473 | goto end; |
| 474 | } |
| 475 | } |
| 476 | else |
| 477 | { |
| 478 | req_conf=config; |
| 479 | |
| 480 | if (req_conf == NULL) |
| 481 | { |
| 482 | BIO_printf(bio_err,"Unable to load config info from %s\n", default_config_file); |
| 483 | if (newreq) |
| 484 | goto end; |
| 485 | } |
| 486 | else if( verbose ) |
| 487 | BIO_printf(bio_err,"Using configuration from %s\n", |
| 488 | default_config_file); |
| 489 | } |
| 490 | |
| 491 | if (req_conf != NULL) |
| 492 | { |
| 493 | if (!load_config(bio_err, req_conf)) |
| 494 | goto end; |
| 495 | p=NCONF_get_string(req_conf,NULL,"oid_file"); |
| 496 | if (p == NULL) |
| 497 | ERR_clear_error(); |
| 498 | if (p != NULL) |
| 499 | { |
| 500 | BIO *oid_bio; |
| 501 | |
| 502 | oid_bio=BIO_new_file(p,"r"); |
| 503 | if (oid_bio == NULL) |
| 504 | { |
| 505 | /* |
| 506 | BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); |
| 507 | ERR_print_errors(bio_err); |
| 508 | */ |
| 509 | } |
| 510 | else |
| 511 | { |
| 512 | OBJ_create_objects(oid_bio); |
| 513 | BIO_free(oid_bio); |
| 514 | } |
| 515 | } |
| 516 | } |
| 517 | if(!add_oid_section(bio_err, req_conf)) goto end; |
| 518 | |
| 519 | if (md_alg == NULL) |
| 520 | { |
| 521 | p=NCONF_get_string(req_conf,SECTION,"default_md"); |
| 522 | if (p == NULL) |
| 523 | ERR_clear_error(); |
| 524 | if (p != NULL) |
| 525 | { |
| 526 | if ((md_alg=EVP_get_digestbyname(p)) != NULL) |
| 527 | digest=md_alg; |
| 528 | } |
| 529 | } |
| 530 | |
| 531 | if (!extensions) |
| 532 | { |
| 533 | extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); |
| 534 | if (!extensions) |
| 535 | ERR_clear_error(); |
| 536 | } |
| 537 | if (extensions) { |
| 538 | /* Check syntax of file */ |
| 539 | X509V3_CTX ctx; |
| 540 | X509V3_set_ctx_test(&ctx); |
| 541 | X509V3_set_nconf(&ctx, req_conf); |
| 542 | if(!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { |
| 543 | BIO_printf(bio_err, |
| 544 | "Error Loading extension section %s\n", extensions); |
| 545 | goto end; |
| 546 | } |
| 547 | } |
| 548 | |
| 549 | if(!passin) |
| 550 | { |
| 551 | passin = NCONF_get_string(req_conf, SECTION, "input_password"); |
| 552 | if (!passin) |
| 553 | ERR_clear_error(); |
| 554 | } |
| 555 | |
| 556 | if(!passout) |
| 557 | { |
| 558 | passout = NCONF_get_string(req_conf, SECTION, "output_password"); |
| 559 | if (!passout) |
| 560 | ERR_clear_error(); |
| 561 | } |
| 562 | |
| 563 | p = NCONF_get_string(req_conf, SECTION, STRING_MASK); |
| 564 | if (!p) |
| 565 | ERR_clear_error(); |
| 566 | |
| 567 | if(p && !ASN1_STRING_set_default_mask_asc(p)) { |
| 568 | BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); |
| 569 | goto end; |
| 570 | } |
| 571 | |
| 572 | if (chtype != MBSTRING_UTF8) |
| 573 | { |
| 574 | p = NCONF_get_string(req_conf, SECTION, UTF8_IN); |
| 575 | if (!p) |
| 576 | ERR_clear_error(); |
| 577 | else if (!strcmp(p, "yes")) |
| 578 | chtype = MBSTRING_UTF8; |
| 579 | } |
| 580 | |
| 581 | |
| 582 | if(!req_exts) |
| 583 | { |
| 584 | req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); |
| 585 | if (!req_exts) |
| 586 | ERR_clear_error(); |
| 587 | } |
| 588 | if(req_exts) { |
| 589 | /* Check syntax of file */ |
| 590 | X509V3_CTX ctx; |
| 591 | X509V3_set_ctx_test(&ctx); |
| 592 | X509V3_set_nconf(&ctx, req_conf); |
| 593 | if(!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { |
| 594 | BIO_printf(bio_err, |
| 595 | "Error Loading request extension section %s\n", |
| 596 | req_exts); |
| 597 | goto end; |
| 598 | } |
| 599 | } |
| 600 | |
| 601 | in=BIO_new(BIO_s_file()); |
| 602 | out=BIO_new(BIO_s_file()); |
| 603 | if ((in == NULL) || (out == NULL)) |
| 604 | goto end; |
| 605 | |
| 606 | #ifndef OPENSSL_NO_ENGINE |
| 607 | e = setup_engine(bio_err, engine, 0); |
| 608 | #endif |
| 609 | |
| 610 | if (keyfile != NULL) |
| 611 | { |
| 612 | pkey = load_key(bio_err, keyfile, keyform, 0, passin, e, |
| 613 | "Private Key"); |
| 614 | if (!pkey) |
| 615 | { |
| 616 | /* load_key() has already printed an appropriate |
| 617 | message */ |
| 618 | goto end; |
| 619 | } |
| 620 | else |
| 621 | { |
| 622 | char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); |
| 623 | if (randfile == NULL) |
| 624 | ERR_clear_error(); |
| 625 | app_RAND_load_file(randfile, bio_err, 0); |
| 626 | } |
| 627 | } |
| 628 | |
| 629 | if (newreq && (pkey == NULL)) |
| 630 | { |
| 631 | char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE"); |
| 632 | if (randfile == NULL) |
| 633 | ERR_clear_error(); |
| 634 | app_RAND_load_file(randfile, bio_err, 0); |
| 635 | if (inrand) |
| 636 | app_RAND_load_files(inrand); |
| 637 | |
| 638 | if (keyalg) |
| 639 | { |
| 640 | genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, |
| 641 | &keyalgstr, gen_eng); |
| 642 | if (!genctx) |
| 643 | goto end; |
| 644 | } |
| 645 | |
| 646 | if (newkey <= 0) |
| 647 | { |
| 648 | if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) |
| 649 | newkey=DEFAULT_KEY_LENGTH; |
| 650 | } |
| 651 | |
| 652 | if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) |
| 653 | { |
| 654 | BIO_printf(bio_err,"private key length is too short,\n"); |
| 655 | BIO_printf(bio_err,"it needs to be at least %d bits, not %ld\n",MIN_KEY_LENGTH,newkey); |
| 656 | goto end; |
| 657 | } |
| 658 | |
| 659 | if (!genctx) |
| 660 | { |
| 661 | genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, |
| 662 | &keyalgstr, gen_eng); |
| 663 | if (!genctx) |
| 664 | goto end; |
| 665 | } |
| 666 | |
| 667 | if (pkeyopts) |
| 668 | { |
| 669 | char *genopt; |
| 670 | for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) |
| 671 | { |
| 672 | genopt = sk_OPENSSL_STRING_value(pkeyopts, i); |
| 673 | if (pkey_ctrl_string(genctx, genopt) <= 0) |
| 674 | { |
| 675 | BIO_printf(bio_err, |
| 676 | "parameter error \"%s\"\n", |
| 677 | genopt); |
| 678 | ERR_print_errors(bio_err); |
| 679 | goto end; |
| 680 | } |
| 681 | } |
| 682 | } |
| 683 | |
| 684 | BIO_printf(bio_err,"Generating a %ld bit %s private key\n", |
| 685 | newkey, keyalgstr); |
| 686 | |
| 687 | EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); |
| 688 | EVP_PKEY_CTX_set_app_data(genctx, bio_err); |
| 689 | |
| 690 | if (EVP_PKEY_keygen(genctx, &pkey) <= 0) |
| 691 | { |
| 692 | BIO_puts(bio_err, "Error Generating Key\n"); |
| 693 | goto end; |
| 694 | } |
| 695 | |
| 696 | EVP_PKEY_CTX_free(genctx); |
| 697 | genctx = NULL; |
| 698 | |
| 699 | app_RAND_write_file(randfile, bio_err); |
| 700 | |
| 701 | if (keyout == NULL) |
| 702 | { |
| 703 | keyout=NCONF_get_string(req_conf,SECTION,KEYFILE); |
| 704 | if (keyout == NULL) |
| 705 | ERR_clear_error(); |
| 706 | } |
| 707 | |
| 708 | if (keyout == NULL) |
| 709 | { |
| 710 | BIO_printf(bio_err,"writing new private key to stdout\n"); |
| 711 | BIO_set_fp(out,stdout,BIO_NOCLOSE); |
| 712 | #ifdef OPENSSL_SYS_VMS |
| 713 | { |
| 714 | BIO *tmpbio = BIO_new(BIO_f_linebuffer()); |
| 715 | out = BIO_push(tmpbio, out); |
| 716 | } |
| 717 | #endif |
| 718 | } |
| 719 | else |
| 720 | { |
| 721 | BIO_printf(bio_err,"writing new private key to '%s'\n",keyout); |
| 722 | if (BIO_write_filename(out,keyout) <= 0) |
| 723 | { |
| 724 | perror(keyout); |
| 725 | goto end; |
| 726 | } |
| 727 | } |
| 728 | |
| 729 | p=NCONF_get_string(req_conf,SECTION,"encrypt_rsa_key"); |
| 730 | if (p == NULL) |
| 731 | { |
| 732 | ERR_clear_error(); |
| 733 | p=NCONF_get_string(req_conf,SECTION,"encrypt_key"); |
| 734 | if (p == NULL) |
| 735 | ERR_clear_error(); |
| 736 | } |
| 737 | if ((p != NULL) && (strcmp(p,"no") == 0)) |
| 738 | cipher=NULL; |
| 739 | if (nodes) cipher=NULL; |
| 740 | |
| 741 | i=0; |
| 742 | loop: |
| 743 | if (!PEM_write_bio_PrivateKey(out,pkey,cipher, |
| 744 | NULL,0,NULL,passout)) |
| 745 | { |
| 746 | if ((ERR_GET_REASON(ERR_peek_error()) == |
| 747 | PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) |
| 748 | { |
| 749 | ERR_clear_error(); |
| 750 | i++; |
| 751 | goto loop; |
| 752 | } |
| 753 | goto end; |
| 754 | } |
| 755 | BIO_printf(bio_err,"-----\n"); |
| 756 | } |
| 757 | |
| 758 | if (!newreq) |
| 759 | { |
| 760 | /* Since we are using a pre-existing certificate |
| 761 | * request, the kludge 'format' info should not be |
| 762 | * changed. */ |
| 763 | kludge= -1; |
| 764 | if (infile == NULL) |
| 765 | BIO_set_fp(in,stdin,BIO_NOCLOSE); |
| 766 | else |
| 767 | { |
| 768 | if (BIO_read_filename(in,infile) <= 0) |
| 769 | { |
| 770 | perror(infile); |
| 771 | goto end; |
| 772 | } |
| 773 | } |
| 774 | |
| 775 | if (informat == FORMAT_ASN1) |
| 776 | req=d2i_X509_REQ_bio(in,NULL); |
| 777 | else if (informat == FORMAT_PEM) |
| 778 | req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); |
| 779 | else |
| 780 | { |
| 781 | BIO_printf(bio_err,"bad input format specified for X509 request\n"); |
| 782 | goto end; |
| 783 | } |
| 784 | if (req == NULL) |
| 785 | { |
| 786 | BIO_printf(bio_err,"unable to load X509 request\n"); |
| 787 | goto end; |
| 788 | } |
| 789 | } |
| 790 | |
| 791 | if (newreq || x509) |
| 792 | { |
| 793 | if (pkey == NULL) |
| 794 | { |
| 795 | BIO_printf(bio_err,"you need to specify a private key\n"); |
| 796 | goto end; |
| 797 | } |
| 798 | |
| 799 | if (req == NULL) |
| 800 | { |
| 801 | req=X509_REQ_new(); |
| 802 | if (req == NULL) |
| 803 | { |
| 804 | goto end; |
| 805 | } |
| 806 | |
| 807 | i=make_REQ(req,pkey,subj,multirdn,!x509, chtype); |
| 808 | subj=NULL; /* done processing '-subj' option */ |
| 809 | if ((kludge > 0) && !sk_X509_ATTRIBUTE_num(req->req_info->attributes)) |
| 810 | { |
| 811 | sk_X509_ATTRIBUTE_free(req->req_info->attributes); |
| 812 | req->req_info->attributes = NULL; |
| 813 | } |
| 814 | if (!i) |
| 815 | { |
| 816 | BIO_printf(bio_err,"problems making Certificate Request\n"); |
| 817 | goto end; |
| 818 | } |
| 819 | } |
| 820 | if (x509) |
| 821 | { |
| 822 | EVP_PKEY *tmppkey; |
| 823 | X509V3_CTX ext_ctx; |
| 824 | if ((x509ss=X509_new()) == NULL) goto end; |
| 825 | |
| 826 | /* Set version to V3 */ |
| 827 | if(extensions && !X509_set_version(x509ss, 2)) goto end; |
| 828 | if (serial) |
| 829 | { |
| 830 | if (!X509_set_serialNumber(x509ss, serial)) goto end; |
| 831 | } |
| 832 | else |
| 833 | { |
| 834 | if (!rand_serial(NULL, |
| 835 | X509_get_serialNumber(x509ss))) |
| 836 | goto end; |
| 837 | } |
| 838 | |
| 839 | if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end; |
| 840 | if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end; |
| 841 | if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end; |
| 842 | if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end; |
| 843 | tmppkey = X509_REQ_get_pubkey(req); |
| 844 | if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end; |
| 845 | EVP_PKEY_free(tmppkey); |
| 846 | |
| 847 | /* Set up V3 context struct */ |
| 848 | |
| 849 | X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); |
| 850 | X509V3_set_nconf(&ext_ctx, req_conf); |
| 851 | |
| 852 | /* Add extensions */ |
| 853 | if(extensions && !X509V3_EXT_add_nconf(req_conf, |
| 854 | &ext_ctx, extensions, x509ss)) |
| 855 | { |
| 856 | BIO_printf(bio_err, |
| 857 | "Error Loading extension section %s\n", |
| 858 | extensions); |
| 859 | goto end; |
| 860 | } |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 861 | |
| 862 | if (!(i=X509_sign(x509ss,pkey,digest))) |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 863 | { |
| 864 | ERR_print_errors(bio_err); |
| 865 | goto end; |
| 866 | } |
| 867 | } |
| 868 | else |
| 869 | { |
| 870 | X509V3_CTX ext_ctx; |
| 871 | |
| 872 | /* Set up V3 context struct */ |
| 873 | |
| 874 | X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); |
| 875 | X509V3_set_nconf(&ext_ctx, req_conf); |
| 876 | |
| 877 | /* Add extensions */ |
| 878 | if(req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, |
| 879 | &ext_ctx, req_exts, req)) |
| 880 | { |
| 881 | BIO_printf(bio_err, |
| 882 | "Error Loading extension section %s\n", |
| 883 | req_exts); |
| 884 | goto end; |
| 885 | } |
Alexandre Savard | 7541067 | 2012-08-08 09:50:01 -0400 | [diff] [blame] | 886 | if (!(i=X509_REQ_sign(req,pkey,digest))) |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 887 | { |
| 888 | ERR_print_errors(bio_err); |
| 889 | goto end; |
| 890 | } |
| 891 | } |
| 892 | } |
| 893 | |
| 894 | if (subj && x509) |
| 895 | { |
| 896 | BIO_printf(bio_err, "Cannot modifiy certificate subject\n"); |
| 897 | goto end; |
| 898 | } |
| 899 | |
| 900 | if (subj && !x509) |
| 901 | { |
| 902 | if (verbose) |
| 903 | { |
| 904 | BIO_printf(bio_err, "Modifying Request's Subject\n"); |
| 905 | print_name(bio_err, "old subject=", X509_REQ_get_subject_name(req), nmflag); |
| 906 | } |
| 907 | |
| 908 | if (build_subject(req, subj, chtype, multirdn) == 0) |
| 909 | { |
| 910 | BIO_printf(bio_err, "ERROR: cannot modify subject\n"); |
| 911 | ex=1; |
| 912 | goto end; |
| 913 | } |
| 914 | |
| 915 | req->req_info->enc.modified = 1; |
| 916 | |
| 917 | if (verbose) |
| 918 | { |
| 919 | print_name(bio_err, "new subject=", X509_REQ_get_subject_name(req), nmflag); |
| 920 | } |
| 921 | } |
| 922 | |
| 923 | if (verify && !x509) |
| 924 | { |
| 925 | int tmp=0; |
| 926 | |
| 927 | if (pkey == NULL) |
| 928 | { |
| 929 | pkey=X509_REQ_get_pubkey(req); |
| 930 | tmp=1; |
| 931 | if (pkey == NULL) goto end; |
| 932 | } |
| 933 | |
| 934 | i=X509_REQ_verify(req,pkey); |
| 935 | if (tmp) { |
| 936 | EVP_PKEY_free(pkey); |
| 937 | pkey=NULL; |
| 938 | } |
| 939 | |
| 940 | if (i < 0) |
| 941 | { |
| 942 | goto end; |
| 943 | } |
| 944 | else if (i == 0) |
| 945 | { |
| 946 | BIO_printf(bio_err,"verify failure\n"); |
| 947 | ERR_print_errors(bio_err); |
| 948 | } |
| 949 | else /* if (i > 0) */ |
| 950 | BIO_printf(bio_err,"verify OK\n"); |
| 951 | } |
| 952 | |
| 953 | if (noout && !text && !modulus && !subject && !pubkey) |
| 954 | { |
| 955 | ex=0; |
| 956 | goto end; |
| 957 | } |
| 958 | |
| 959 | if (outfile == NULL) |
| 960 | { |
| 961 | BIO_set_fp(out,stdout,BIO_NOCLOSE); |
| 962 | #ifdef OPENSSL_SYS_VMS |
| 963 | { |
| 964 | BIO *tmpbio = BIO_new(BIO_f_linebuffer()); |
| 965 | out = BIO_push(tmpbio, out); |
| 966 | } |
| 967 | #endif |
| 968 | } |
| 969 | else |
| 970 | { |
| 971 | if ((keyout != NULL) && (strcmp(outfile,keyout) == 0)) |
| 972 | i=(int)BIO_append_filename(out,outfile); |
| 973 | else |
| 974 | i=(int)BIO_write_filename(out,outfile); |
| 975 | if (!i) |
| 976 | { |
| 977 | perror(outfile); |
| 978 | goto end; |
| 979 | } |
| 980 | } |
| 981 | |
| 982 | if (pubkey) |
| 983 | { |
| 984 | EVP_PKEY *tpubkey; |
| 985 | tpubkey=X509_REQ_get_pubkey(req); |
| 986 | if (tpubkey == NULL) |
| 987 | { |
| 988 | BIO_printf(bio_err,"Error getting public key\n"); |
| 989 | ERR_print_errors(bio_err); |
| 990 | goto end; |
| 991 | } |
| 992 | PEM_write_bio_PUBKEY(out, tpubkey); |
| 993 | EVP_PKEY_free(tpubkey); |
| 994 | } |
| 995 | |
| 996 | if (text) |
| 997 | { |
| 998 | if (x509) |
| 999 | X509_print_ex(out, x509ss, nmflag, reqflag); |
| 1000 | else |
| 1001 | X509_REQ_print_ex(out, req, nmflag, reqflag); |
| 1002 | } |
| 1003 | |
| 1004 | if(subject) |
| 1005 | { |
| 1006 | if(x509) |
| 1007 | print_name(out, "subject=", X509_get_subject_name(x509ss), nmflag); |
| 1008 | else |
| 1009 | print_name(out, "subject=", X509_REQ_get_subject_name(req), nmflag); |
| 1010 | } |
| 1011 | |
| 1012 | if (modulus) |
| 1013 | { |
| 1014 | EVP_PKEY *tpubkey; |
| 1015 | |
| 1016 | if (x509) |
| 1017 | tpubkey=X509_get_pubkey(x509ss); |
| 1018 | else |
| 1019 | tpubkey=X509_REQ_get_pubkey(req); |
| 1020 | if (tpubkey == NULL) |
| 1021 | { |
| 1022 | fprintf(stdout,"Modulus=unavailable\n"); |
| 1023 | goto end; |
| 1024 | } |
| 1025 | fprintf(stdout,"Modulus="); |
| 1026 | #ifndef OPENSSL_NO_RSA |
| 1027 | if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) |
| 1028 | BN_print(out,tpubkey->pkey.rsa->n); |
| 1029 | else |
| 1030 | #endif |
| 1031 | fprintf(stdout,"Wrong Algorithm type"); |
| 1032 | EVP_PKEY_free(tpubkey); |
| 1033 | fprintf(stdout,"\n"); |
| 1034 | } |
| 1035 | |
| 1036 | if (!noout && !x509) |
| 1037 | { |
| 1038 | if (outformat == FORMAT_ASN1) |
| 1039 | i=i2d_X509_REQ_bio(out,req); |
| 1040 | else if (outformat == FORMAT_PEM) { |
| 1041 | if(newhdr) i=PEM_write_bio_X509_REQ_NEW(out,req); |
| 1042 | else i=PEM_write_bio_X509_REQ(out,req); |
| 1043 | } else { |
| 1044 | BIO_printf(bio_err,"bad output format specified for outfile\n"); |
| 1045 | goto end; |
| 1046 | } |
| 1047 | if (!i) |
| 1048 | { |
| 1049 | BIO_printf(bio_err,"unable to write X509 request\n"); |
| 1050 | goto end; |
| 1051 | } |
| 1052 | } |
| 1053 | if (!noout && x509 && (x509ss != NULL)) |
| 1054 | { |
| 1055 | if (outformat == FORMAT_ASN1) |
| 1056 | i=i2d_X509_bio(out,x509ss); |
| 1057 | else if (outformat == FORMAT_PEM) |
| 1058 | i=PEM_write_bio_X509(out,x509ss); |
| 1059 | else { |
| 1060 | BIO_printf(bio_err,"bad output format specified for outfile\n"); |
| 1061 | goto end; |
| 1062 | } |
| 1063 | if (!i) |
| 1064 | { |
| 1065 | BIO_printf(bio_err,"unable to write X509 certificate\n"); |
| 1066 | goto end; |
| 1067 | } |
| 1068 | } |
| 1069 | ex=0; |
| 1070 | end: |
| 1071 | #ifndef MONOLITH |
| 1072 | if(to_free) |
| 1073 | OPENSSL_free(to_free); |
| 1074 | #endif |
| 1075 | if (ex) |
| 1076 | { |
| 1077 | ERR_print_errors(bio_err); |
| 1078 | } |
| 1079 | if ((req_conf != NULL) && (req_conf != config)) NCONF_free(req_conf); |
| 1080 | BIO_free(in); |
| 1081 | BIO_free_all(out); |
| 1082 | EVP_PKEY_free(pkey); |
| 1083 | if (genctx) |
| 1084 | EVP_PKEY_CTX_free(genctx); |
| 1085 | if (pkeyopts) |
| 1086 | sk_OPENSSL_STRING_free(pkeyopts); |
Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 1087 | #ifndef OPENSSL_NO_ENGINE |
| 1088 | if (gen_eng) |
| 1089 | ENGINE_free(gen_eng); |
| 1090 | #endif |
| 1091 | if (keyalgstr) |
| 1092 | OPENSSL_free(keyalgstr); |
| 1093 | X509_REQ_free(req); |
| 1094 | X509_free(x509ss); |
| 1095 | ASN1_INTEGER_free(serial); |
| 1096 | if(passargin && passin) OPENSSL_free(passin); |
| 1097 | if(passargout && passout) OPENSSL_free(passout); |
| 1098 | OBJ_cleanup(); |
| 1099 | apps_shutdown(); |
| 1100 | OPENSSL_EXIT(ex); |
| 1101 | } |
| 1102 | |
| 1103 | static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, |
| 1104 | int attribs, unsigned long chtype) |
| 1105 | { |
| 1106 | int ret=0,i; |
| 1107 | char no_prompt = 0; |
| 1108 | STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; |
| 1109 | char *tmp, *dn_sect,*attr_sect; |
| 1110 | |
| 1111 | tmp=NCONF_get_string(req_conf,SECTION,PROMPT); |
| 1112 | if (tmp == NULL) |
| 1113 | ERR_clear_error(); |
| 1114 | if((tmp != NULL) && !strcmp(tmp, "no")) no_prompt = 1; |
| 1115 | |
| 1116 | dn_sect=NCONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME); |
| 1117 | if (dn_sect == NULL) |
| 1118 | { |
| 1119 | BIO_printf(bio_err,"unable to find '%s' in config\n", |
| 1120 | DISTINGUISHED_NAME); |
| 1121 | goto err; |
| 1122 | } |
| 1123 | dn_sk=NCONF_get_section(req_conf,dn_sect); |
| 1124 | if (dn_sk == NULL) |
| 1125 | { |
| 1126 | BIO_printf(bio_err,"unable to get '%s' section\n",dn_sect); |
| 1127 | goto err; |
| 1128 | } |
| 1129 | |
| 1130 | attr_sect=NCONF_get_string(req_conf,SECTION,ATTRIBUTES); |
| 1131 | if (attr_sect == NULL) |
| 1132 | { |
| 1133 | ERR_clear_error(); |
| 1134 | attr_sk=NULL; |
| 1135 | } |
| 1136 | else |
| 1137 | { |
| 1138 | attr_sk=NCONF_get_section(req_conf,attr_sect); |
| 1139 | if (attr_sk == NULL) |
| 1140 | { |
| 1141 | BIO_printf(bio_err,"unable to get '%s' section\n",attr_sect); |
| 1142 | goto err; |
| 1143 | } |
| 1144 | } |
| 1145 | |
| 1146 | /* setup version number */ |
| 1147 | if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */ |
| 1148 | |
| 1149 | if (no_prompt) |
| 1150 | i = auto_info(req, dn_sk, attr_sk, attribs, chtype); |
| 1151 | else |
| 1152 | { |
| 1153 | if (subj) |
| 1154 | i = build_subject(req, subj, chtype, multirdn); |
| 1155 | else |
| 1156 | i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype); |
| 1157 | } |
| 1158 | if(!i) goto err; |
| 1159 | |
| 1160 | if (!X509_REQ_set_pubkey(req,pkey)) goto err; |
| 1161 | |
| 1162 | ret=1; |
| 1163 | err: |
| 1164 | return(ret); |
| 1165 | } |
| 1166 | |
| 1167 | /* |
| 1168 | * subject is expected to be in the format /type0=value0/type1=value1/type2=... |
| 1169 | * where characters may be escaped by \ |
| 1170 | */ |
| 1171 | static int build_subject(X509_REQ *req, char *subject, unsigned long chtype, int multirdn) |
| 1172 | { |
| 1173 | X509_NAME *n; |
| 1174 | |
| 1175 | if (!(n = parse_name(subject, chtype, multirdn))) |
| 1176 | return 0; |
| 1177 | |
| 1178 | if (!X509_REQ_set_subject_name(req, n)) |
| 1179 | { |
| 1180 | X509_NAME_free(n); |
| 1181 | return 0; |
| 1182 | } |
| 1183 | X509_NAME_free(n); |
| 1184 | return 1; |
| 1185 | } |
| 1186 | |
| 1187 | |
| 1188 | static int prompt_info(X509_REQ *req, |
| 1189 | STACK_OF(CONF_VALUE) *dn_sk, char *dn_sect, |
| 1190 | STACK_OF(CONF_VALUE) *attr_sk, char *attr_sect, int attribs, |
| 1191 | unsigned long chtype) |
| 1192 | { |
| 1193 | int i; |
| 1194 | char *p,*q; |
| 1195 | char buf[100]; |
| 1196 | int nid, mval; |
| 1197 | long n_min,n_max; |
| 1198 | char *type, *value; |
| 1199 | const char *def; |
| 1200 | CONF_VALUE *v; |
| 1201 | X509_NAME *subj; |
| 1202 | subj = X509_REQ_get_subject_name(req); |
| 1203 | |
| 1204 | if(!batch) |
| 1205 | { |
| 1206 | BIO_printf(bio_err,"You are about to be asked to enter information that will be incorporated\n"); |
| 1207 | BIO_printf(bio_err,"into your certificate request.\n"); |
| 1208 | BIO_printf(bio_err,"What you are about to enter is what is called a Distinguished Name or a DN.\n"); |
| 1209 | BIO_printf(bio_err,"There are quite a few fields but you can leave some blank\n"); |
| 1210 | BIO_printf(bio_err,"For some fields there will be a default value,\n"); |
| 1211 | BIO_printf(bio_err,"If you enter '.', the field will be left blank.\n"); |
| 1212 | BIO_printf(bio_err,"-----\n"); |
| 1213 | } |
| 1214 | |
| 1215 | |
| 1216 | if (sk_CONF_VALUE_num(dn_sk)) |
| 1217 | { |
| 1218 | i= -1; |
| 1219 | start: for (;;) |
| 1220 | { |
| 1221 | i++; |
| 1222 | if (sk_CONF_VALUE_num(dn_sk) <= i) break; |
| 1223 | |
| 1224 | v=sk_CONF_VALUE_value(dn_sk,i); |
| 1225 | p=q=NULL; |
| 1226 | type=v->name; |
| 1227 | if(!check_end(type,"_min") || !check_end(type,"_max") || |
| 1228 | !check_end(type,"_default") || |
| 1229 | !check_end(type,"_value")) continue; |
| 1230 | /* Skip past any leading X. X: X, etc to allow for |
| 1231 | * multiple instances |
| 1232 | */ |
| 1233 | for(p = v->name; *p ; p++) |
| 1234 | if ((*p == ':') || (*p == ',') || |
| 1235 | (*p == '.')) { |
| 1236 | p++; |
| 1237 | if(*p) type = p; |
| 1238 | break; |
| 1239 | } |
| 1240 | if (*type == '+') |
| 1241 | { |
| 1242 | mval = -1; |
| 1243 | type++; |
| 1244 | } |
| 1245 | else |
| 1246 | mval = 0; |
| 1247 | /* If OBJ not recognised ignore it */ |
| 1248 | if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; |
| 1249 | if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name) |
| 1250 | >= (int)sizeof(buf)) |
| 1251 | { |
| 1252 | BIO_printf(bio_err,"Name '%s' too long\n",v->name); |
| 1253 | return 0; |
| 1254 | } |
| 1255 | |
| 1256 | if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) |
| 1257 | { |
| 1258 | ERR_clear_error(); |
| 1259 | def=""; |
| 1260 | } |
| 1261 | |
| 1262 | BIO_snprintf(buf,sizeof buf,"%s_value",v->name); |
| 1263 | if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL) |
| 1264 | { |
| 1265 | ERR_clear_error(); |
| 1266 | value=NULL; |
| 1267 | } |
| 1268 | |
| 1269 | BIO_snprintf(buf,sizeof buf,"%s_min",v->name); |
| 1270 | if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min)) |
| 1271 | { |
| 1272 | ERR_clear_error(); |
| 1273 | n_min = -1; |
| 1274 | } |
| 1275 | |
| 1276 | BIO_snprintf(buf,sizeof buf,"%s_max",v->name); |
| 1277 | if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max)) |
| 1278 | { |
| 1279 | ERR_clear_error(); |
| 1280 | n_max = -1; |
| 1281 | } |
| 1282 | |
| 1283 | if (!add_DN_object(subj,v->value,def,value,nid, |
| 1284 | n_min,n_max, chtype, mval)) |
| 1285 | return 0; |
| 1286 | } |
| 1287 | if (X509_NAME_entry_count(subj) == 0) |
| 1288 | { |
| 1289 | BIO_printf(bio_err,"error, no objects specified in config file\n"); |
| 1290 | return 0; |
| 1291 | } |
| 1292 | |
| 1293 | if (attribs) |
| 1294 | { |
| 1295 | if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) && (!batch)) |
| 1296 | { |
| 1297 | BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n"); |
| 1298 | BIO_printf(bio_err,"to be sent with your certificate request\n"); |
| 1299 | } |
| 1300 | |
| 1301 | i= -1; |
| 1302 | start2: for (;;) |
| 1303 | { |
| 1304 | i++; |
| 1305 | if ((attr_sk == NULL) || |
| 1306 | (sk_CONF_VALUE_num(attr_sk) <= i)) |
| 1307 | break; |
| 1308 | |
| 1309 | v=sk_CONF_VALUE_value(attr_sk,i); |
| 1310 | type=v->name; |
| 1311 | if ((nid=OBJ_txt2nid(type)) == NID_undef) |
| 1312 | goto start2; |
| 1313 | |
| 1314 | if (BIO_snprintf(buf,sizeof buf,"%s_default",type) |
| 1315 | >= (int)sizeof(buf)) |
| 1316 | { |
| 1317 | BIO_printf(bio_err,"Name '%s' too long\n",v->name); |
| 1318 | return 0; |
| 1319 | } |
| 1320 | |
| 1321 | if ((def=NCONF_get_string(req_conf,attr_sect,buf)) |
| 1322 | == NULL) |
| 1323 | { |
| 1324 | ERR_clear_error(); |
| 1325 | def=""; |
| 1326 | } |
| 1327 | |
| 1328 | |
| 1329 | BIO_snprintf(buf,sizeof buf,"%s_value",type); |
| 1330 | if ((value=NCONF_get_string(req_conf,attr_sect,buf)) |
| 1331 | == NULL) |
| 1332 | { |
| 1333 | ERR_clear_error(); |
| 1334 | value=NULL; |
| 1335 | } |
| 1336 | |
| 1337 | BIO_snprintf(buf,sizeof buf,"%s_min",type); |
| 1338 | if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min)) |
| 1339 | { |
| 1340 | ERR_clear_error(); |
| 1341 | n_min = -1; |
| 1342 | } |
| 1343 | |
| 1344 | BIO_snprintf(buf,sizeof buf,"%s_max",type); |
| 1345 | if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max)) |
| 1346 | { |
| 1347 | ERR_clear_error(); |
| 1348 | n_max = -1; |
| 1349 | } |
| 1350 | |
| 1351 | if (!add_attribute_object(req, |
| 1352 | v->value,def,value,nid,n_min,n_max, chtype)) |
| 1353 | return 0; |
| 1354 | } |
| 1355 | } |
| 1356 | } |
| 1357 | else |
| 1358 | { |
| 1359 | BIO_printf(bio_err,"No template, please set one up.\n"); |
| 1360 | return 0; |
| 1361 | } |
| 1362 | |
| 1363 | return 1; |
| 1364 | |
| 1365 | } |
| 1366 | |
| 1367 | static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, |
| 1368 | STACK_OF(CONF_VALUE) *attr_sk, int attribs, unsigned long chtype) |
| 1369 | { |
| 1370 | int i; |
| 1371 | char *p,*q; |
| 1372 | char *type; |
| 1373 | CONF_VALUE *v; |
| 1374 | X509_NAME *subj; |
| 1375 | |
| 1376 | subj = X509_REQ_get_subject_name(req); |
| 1377 | |
| 1378 | for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) |
| 1379 | { |
| 1380 | int mval; |
| 1381 | v=sk_CONF_VALUE_value(dn_sk,i); |
| 1382 | p=q=NULL; |
| 1383 | type=v->name; |
| 1384 | /* Skip past any leading X. X: X, etc to allow for |
| 1385 | * multiple instances |
| 1386 | */ |
| 1387 | for(p = v->name; *p ; p++) |
| 1388 | #ifndef CHARSET_EBCDIC |
| 1389 | if ((*p == ':') || (*p == ',') || (*p == '.')) { |
| 1390 | #else |
| 1391 | if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) { |
| 1392 | #endif |
| 1393 | p++; |
| 1394 | if(*p) type = p; |
| 1395 | break; |
| 1396 | } |
| 1397 | #ifndef CHARSET_EBCDIC |
| 1398 | if (*p == '+') |
| 1399 | #else |
| 1400 | if (*p == os_toascii['+']) |
| 1401 | #endif |
| 1402 | { |
| 1403 | p++; |
| 1404 | mval = -1; |
| 1405 | } |
| 1406 | else |
| 1407 | mval = 0; |
| 1408 | if (!X509_NAME_add_entry_by_txt(subj,type, chtype, |
| 1409 | (unsigned char *) v->value,-1,-1,mval)) return 0; |
| 1410 | |
| 1411 | } |
| 1412 | |
| 1413 | if (!X509_NAME_entry_count(subj)) |
| 1414 | { |
| 1415 | BIO_printf(bio_err,"error, no objects specified in config file\n"); |
| 1416 | return 0; |
| 1417 | } |
| 1418 | if (attribs) |
| 1419 | { |
| 1420 | for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) |
| 1421 | { |
| 1422 | v=sk_CONF_VALUE_value(attr_sk,i); |
| 1423 | if(!X509_REQ_add1_attr_by_txt(req, v->name, chtype, |
| 1424 | (unsigned char *)v->value, -1)) return 0; |
| 1425 | } |
| 1426 | } |
| 1427 | return 1; |
| 1428 | } |
| 1429 | |
| 1430 | |
| 1431 | static int add_DN_object(X509_NAME *n, char *text, const char *def, char *value, |
| 1432 | int nid, int n_min, int n_max, unsigned long chtype, int mval) |
| 1433 | { |
| 1434 | int i,ret=0; |
| 1435 | MS_STATIC char buf[1024]; |
| 1436 | start: |
| 1437 | if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def); |
| 1438 | (void)BIO_flush(bio_err); |
| 1439 | if(value != NULL) |
| 1440 | { |
| 1441 | BUF_strlcpy(buf,value,sizeof buf); |
| 1442 | BUF_strlcat(buf,"\n",sizeof buf); |
| 1443 | BIO_printf(bio_err,"%s\n",value); |
| 1444 | } |
| 1445 | else |
| 1446 | { |
| 1447 | buf[0]='\0'; |
| 1448 | if (!batch) |
| 1449 | { |
| 1450 | if (!fgets(buf,sizeof buf,stdin)) |
| 1451 | return 0; |
| 1452 | } |
| 1453 | else |
| 1454 | { |
| 1455 | buf[0] = '\n'; |
| 1456 | buf[1] = '\0'; |
| 1457 | } |
| 1458 | } |
| 1459 | |
| 1460 | if (buf[0] == '\0') return(0); |
| 1461 | else if (buf[0] == '\n') |
| 1462 | { |
| 1463 | if ((def == NULL) || (def[0] == '\0')) |
| 1464 | return(1); |
| 1465 | BUF_strlcpy(buf,def,sizeof buf); |
| 1466 | BUF_strlcat(buf,"\n",sizeof buf); |
| 1467 | } |
| 1468 | else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); |
| 1469 | |
| 1470 | i=strlen(buf); |
| 1471 | if (buf[i-1] != '\n') |
| 1472 | { |
| 1473 | BIO_printf(bio_err,"weird input :-(\n"); |
| 1474 | return(0); |
| 1475 | } |
| 1476 | buf[--i]='\0'; |
| 1477 | #ifdef CHARSET_EBCDIC |
| 1478 | ebcdic2ascii(buf, buf, i); |
| 1479 | #endif |
| 1480 | if(!req_check_len(i, n_min, n_max)) goto start; |
| 1481 | if (!X509_NAME_add_entry_by_NID(n,nid, chtype, |
| 1482 | (unsigned char *) buf, -1,-1,mval)) goto err; |
| 1483 | ret=1; |
| 1484 | err: |
| 1485 | return(ret); |
| 1486 | } |
| 1487 | |
| 1488 | static int add_attribute_object(X509_REQ *req, char *text, const char *def, |
| 1489 | char *value, int nid, int n_min, |
| 1490 | int n_max, unsigned long chtype) |
| 1491 | { |
| 1492 | int i; |
| 1493 | static char buf[1024]; |
| 1494 | |
| 1495 | start: |
| 1496 | if (!batch) BIO_printf(bio_err,"%s [%s]:",text,def); |
| 1497 | (void)BIO_flush(bio_err); |
| 1498 | if (value != NULL) |
| 1499 | { |
| 1500 | BUF_strlcpy(buf,value,sizeof buf); |
| 1501 | BUF_strlcat(buf,"\n",sizeof buf); |
| 1502 | BIO_printf(bio_err,"%s\n",value); |
| 1503 | } |
| 1504 | else |
| 1505 | { |
| 1506 | buf[0]='\0'; |
| 1507 | if (!batch) |
| 1508 | { |
| 1509 | if (!fgets(buf,sizeof buf,stdin)) |
| 1510 | return 0; |
| 1511 | } |
| 1512 | else |
| 1513 | { |
| 1514 | buf[0] = '\n'; |
| 1515 | buf[1] = '\0'; |
| 1516 | } |
| 1517 | } |
| 1518 | |
| 1519 | if (buf[0] == '\0') return(0); |
| 1520 | else if (buf[0] == '\n') |
| 1521 | { |
| 1522 | if ((def == NULL) || (def[0] == '\0')) |
| 1523 | return(1); |
| 1524 | BUF_strlcpy(buf,def,sizeof buf); |
| 1525 | BUF_strlcat(buf,"\n",sizeof buf); |
| 1526 | } |
| 1527 | else if ((buf[0] == '.') && (buf[1] == '\n')) return(1); |
| 1528 | |
| 1529 | i=strlen(buf); |
| 1530 | if (buf[i-1] != '\n') |
| 1531 | { |
| 1532 | BIO_printf(bio_err,"weird input :-(\n"); |
| 1533 | return(0); |
| 1534 | } |
| 1535 | buf[--i]='\0'; |
| 1536 | #ifdef CHARSET_EBCDIC |
| 1537 | ebcdic2ascii(buf, buf, i); |
| 1538 | #endif |
| 1539 | if(!req_check_len(i, n_min, n_max)) goto start; |
| 1540 | |
| 1541 | if(!X509_REQ_add1_attr_by_NID(req, nid, chtype, |
| 1542 | (unsigned char *)buf, -1)) { |
| 1543 | BIO_printf(bio_err, "Error adding attribute\n"); |
| 1544 | ERR_print_errors(bio_err); |
| 1545 | goto err; |
| 1546 | } |
| 1547 | |
| 1548 | return(1); |
| 1549 | err: |
| 1550 | return(0); |
| 1551 | } |
| 1552 | |
| 1553 | static int req_check_len(int len, int n_min, int n_max) |
| 1554 | { |
| 1555 | if ((n_min > 0) && (len < n_min)) |
| 1556 | { |
| 1557 | BIO_printf(bio_err,"string is too short, it needs to be at least %d bytes long\n",n_min); |
| 1558 | return(0); |
| 1559 | } |
| 1560 | if ((n_max >= 0) && (len > n_max)) |
| 1561 | { |
| 1562 | BIO_printf(bio_err,"string is too long, it needs to be less than %d bytes long\n",n_max); |
| 1563 | return(0); |
| 1564 | } |
| 1565 | return(1); |
| 1566 | } |
| 1567 | |
| 1568 | /* Check if the end of a string matches 'end' */ |
| 1569 | static int check_end(const char *str, const char *end) |
| 1570 | { |
| 1571 | int elen, slen; |
| 1572 | const char *tmp; |
| 1573 | elen = strlen(end); |
| 1574 | slen = strlen(str); |
| 1575 | if(elen > slen) return 1; |
| 1576 | tmp = str + slen - elen; |
| 1577 | return strcmp(tmp, end); |
| 1578 | } |
| 1579 | |
| 1580 | static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, |
| 1581 | long *pkeylen, char **palgnam, |
| 1582 | ENGINE *keygen_engine) |
| 1583 | { |
| 1584 | EVP_PKEY_CTX *gctx = NULL; |
| 1585 | EVP_PKEY *param = NULL; |
| 1586 | long keylen = -1; |
| 1587 | BIO *pbio = NULL; |
| 1588 | const char *paramfile = NULL; |
| 1589 | |
| 1590 | if (gstr == NULL) |
| 1591 | { |
| 1592 | *pkey_type = EVP_PKEY_RSA; |
| 1593 | keylen = *pkeylen; |
| 1594 | } |
| 1595 | else if (gstr[0] >= '0' && gstr[0] <= '9') |
| 1596 | { |
| 1597 | *pkey_type = EVP_PKEY_RSA; |
| 1598 | keylen = atol(gstr); |
| 1599 | *pkeylen = keylen; |
| 1600 | } |
| 1601 | else if (!strncmp(gstr, "param:", 6)) |
| 1602 | paramfile = gstr + 6; |
| 1603 | else |
| 1604 | { |
| 1605 | const char *p = strchr(gstr, ':'); |
| 1606 | int len; |
| 1607 | ENGINE *tmpeng; |
| 1608 | const EVP_PKEY_ASN1_METHOD *ameth; |
| 1609 | |
| 1610 | if (p) |
| 1611 | len = p - gstr; |
| 1612 | else |
| 1613 | len = strlen(gstr); |
| 1614 | /* The lookup of a the string will cover all engines so |
| 1615 | * keep a note of the implementation. |
| 1616 | */ |
| 1617 | |
| 1618 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); |
| 1619 | |
| 1620 | if (!ameth) |
| 1621 | { |
| 1622 | BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr); |
| 1623 | return NULL; |
| 1624 | } |
| 1625 | |
| 1626 | EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, |
| 1627 | ameth); |
| 1628 | #ifndef OPENSSL_NO_ENGINE |
| 1629 | if (tmpeng) |
| 1630 | ENGINE_finish(tmpeng); |
| 1631 | #endif |
| 1632 | if (*pkey_type == EVP_PKEY_RSA) |
| 1633 | { |
| 1634 | if (p) |
| 1635 | { |
| 1636 | keylen = atol(p + 1); |
| 1637 | *pkeylen = keylen; |
| 1638 | } |
| 1639 | } |
| 1640 | else if (p) |
| 1641 | paramfile = p + 1; |
| 1642 | } |
| 1643 | |
| 1644 | if (paramfile) |
| 1645 | { |
| 1646 | pbio = BIO_new_file(paramfile, "r"); |
| 1647 | if (!pbio) |
| 1648 | { |
| 1649 | BIO_printf(err, "Can't open parameter file %s\n", |
| 1650 | paramfile); |
| 1651 | return NULL; |
| 1652 | } |
| 1653 | param = PEM_read_bio_Parameters(pbio, NULL); |
| 1654 | |
| 1655 | if (!param) |
| 1656 | { |
| 1657 | X509 *x; |
| 1658 | (void)BIO_reset(pbio); |
| 1659 | x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); |
| 1660 | if (x) |
| 1661 | { |
| 1662 | param = X509_get_pubkey(x); |
| 1663 | X509_free(x); |
| 1664 | } |
| 1665 | } |
| 1666 | |
| 1667 | BIO_free(pbio); |
| 1668 | |
| 1669 | if (!param) |
| 1670 | { |
| 1671 | BIO_printf(err, "Error reading parameter file %s\n", |
| 1672 | paramfile); |
| 1673 | return NULL; |
| 1674 | } |
| 1675 | if (*pkey_type == -1) |
| 1676 | *pkey_type = EVP_PKEY_id(param); |
| 1677 | else if (*pkey_type != EVP_PKEY_base_id(param)) |
| 1678 | { |
| 1679 | BIO_printf(err, "Key Type does not match parameters\n"); |
| 1680 | EVP_PKEY_free(param); |
| 1681 | return NULL; |
| 1682 | } |
| 1683 | } |
| 1684 | |
| 1685 | if (palgnam) |
| 1686 | { |
| 1687 | const EVP_PKEY_ASN1_METHOD *ameth; |
| 1688 | ENGINE *tmpeng; |
| 1689 | const char *anam; |
| 1690 | ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); |
| 1691 | if (!ameth) |
| 1692 | { |
| 1693 | BIO_puts(err, "Internal error: can't find key algorithm\n"); |
| 1694 | return NULL; |
| 1695 | } |
| 1696 | EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); |
| 1697 | *palgnam = BUF_strdup(anam); |
| 1698 | #ifndef OPENSSL_NO_ENGINE |
| 1699 | if (tmpeng) |
| 1700 | ENGINE_finish(tmpeng); |
| 1701 | #endif |
| 1702 | } |
| 1703 | |
| 1704 | if (param) |
| 1705 | { |
| 1706 | gctx = EVP_PKEY_CTX_new(param, keygen_engine); |
| 1707 | *pkeylen = EVP_PKEY_bits(param); |
| 1708 | EVP_PKEY_free(param); |
| 1709 | } |
| 1710 | else |
| 1711 | gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); |
| 1712 | |
| 1713 | if (!gctx) |
| 1714 | { |
| 1715 | BIO_puts(err, "Error allocating keygen context\n"); |
| 1716 | ERR_print_errors(err); |
| 1717 | return NULL; |
| 1718 | } |
| 1719 | |
| 1720 | if (EVP_PKEY_keygen_init(gctx) <= 0) |
| 1721 | { |
| 1722 | BIO_puts(err, "Error initializing keygen context\n"); |
| 1723 | ERR_print_errors(err); |
| 1724 | return NULL; |
| 1725 | } |
| 1726 | #ifndef OPENSSL_NO_RSA |
| 1727 | if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) |
| 1728 | { |
| 1729 | if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) |
| 1730 | { |
| 1731 | BIO_puts(err, "Error setting RSA keysize\n"); |
| 1732 | ERR_print_errors(err); |
| 1733 | EVP_PKEY_CTX_free(gctx); |
| 1734 | return NULL; |
| 1735 | } |
| 1736 | } |
| 1737 | #endif |
| 1738 | |
| 1739 | return gctx; |
| 1740 | } |
| 1741 | |
| 1742 | static int genpkey_cb(EVP_PKEY_CTX *ctx) |
| 1743 | { |
| 1744 | char c='*'; |
| 1745 | BIO *b = EVP_PKEY_CTX_get_app_data(ctx); |
| 1746 | int p; |
| 1747 | p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); |
| 1748 | if (p == 0) c='.'; |
| 1749 | if (p == 1) c='+'; |
| 1750 | if (p == 2) c='*'; |
| 1751 | if (p == 3) c='\n'; |
| 1752 | BIO_write(b,&c,1); |
| 1753 | (void)BIO_flush(b); |
| 1754 | #ifdef LINT |
| 1755 | p=n; |
| 1756 | #endif |
| 1757 | return 1; |
| 1758 | } |