Browse Source

APPS/req: Fix misconceptions on -CA, -CAkey, and -key options. -CA now implies -x509

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16420)
master^2
Dr. David von Oheimb 10 months ago
committed by Dr. David von Oheimb
parent
commit
f2b6edcfdd
2 changed files with 34 additions and 37 deletions
  1. +17
    -23
      apps/req.c
  2. +17
    -14
      doc/man1/openssl-req.pod.in

+ 17
- 23
apps/req.c View File

@ -116,10 +116,10 @@ const OPTIONS req_options[] = {
{"reqopt", OPT_REQOPT, 's', "Various request text options"},
{"text", OPT_TEXT, '-', "Text form of request"},
{"x509", OPT_X509, '-',
"Output an x509 structure instead of a cert request"},
{"CA", OPT_CA, '<', "Issuer certificate to use with -x509"},
"Output an X.509 certificate structure instead of a cert request"},
{"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
{"CAkey", OPT_CAKEY, 's',
"Issuer private key to use with -x509; default is -CA arg"},
"Issuer private key to use with -CA; default is -CA arg"},
{OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
{"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"},
{"subject", OPT_SUBJECT, '-',
@ -139,7 +139,7 @@ const OPTIONS req_options[] = {
{"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Private key to use"},
{"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@ -406,6 +406,7 @@ int req_main(int argc, char **argv)
break;
case OPT_CA:
CAfile = opt_arg();
gen_x509 = 1;
break;
case OPT_CAKEY:
CAkeyfile = opt_arg();
@ -630,7 +631,6 @@ int req_main(int argc, char **argv)
goto end;
app_RAND_load_conf(req_conf, section);
}
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
@ -755,28 +755,21 @@ int req_main(int argc, char **argv)
"Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e, "issuer private key")) == NULL)
0, passin, e,
CAkeyfile != CAfile
? "issuer private key from -CAkey arg"
: "issuer private key from -CA arg")) == NULL)
goto end;
}
}
if (CAfile != NULL) {
if (!gen_x509) {
if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
"issuer cert from -CA arg")) == NULL)
goto end;
if (!X509_check_private_key(CAcert, CAkey)) {
BIO_printf(bio_err,
"Warning: Ignoring -CA option without -x509\n");
} else {
if (CAkeyfile == NULL) {
BIO_printf(bio_err,
"Need to give the -CAkey option if using -CA\n");
goto end;
}
if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
"issuer certificate")) == NULL)
goto end;
if (!X509_check_private_key(CAcert, CAkey)) {
BIO_printf(bio_err,
"Issuer certificate and key do not match\n");
goto end;
}
"Issuer CA certificate and key do not match\n");
goto end;
}
}
if (newreq || gen_x509) {
@ -828,7 +821,8 @@ int req_main(int argc, char **argv)
if (!pub_key || !X509_set_pubkey(new_x509, pub_key))
goto end;
if (ext_copy == EXT_COPY_UNSET) {
BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
if (infile != NULL)
BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
} else if (!copy_extensions(new_x509, req, ext_copy)) {
BIO_printf(bio_err, "Error copying extensions from request\n");
goto end;


+ 17
- 14
doc/man1/openssl-req.pod.in View File

@ -103,7 +103,7 @@ which supports both options for good reasons.
=item B<-passin> I<arg>
The password source for the request input file and the certificate input.
The password source for private key and certificate input.
For more information about the format of B<arg>
see L<openssl-passphrase-options(1)>.
@ -124,7 +124,7 @@ Prints out the certificate request in text form.
=item B<-subject>
Prints out the certificate request subject
(or certificate subject if B<-x509> is specified).
(or certificate subject if B<-x509> is in use).
=item B<-pubkey>
@ -193,8 +193,8 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>|I<uri>
This specifies the private key to use for request self-signature
and signing certificates produced using the B<-x509> option.
This specifies the key to include and to use for request self-signature
and for self-signing certificates produced with the B<-x509> option.
It also accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
@ -266,6 +266,7 @@ This option has been deprecated and has no effect.
This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the B<-CA> option.
If an existing request is specified with the B<-in> option, it is converted
to the a certificate; otherwise a request is created from scratch.
@ -281,7 +282,8 @@ or using the B<-addext> option.
=item B<-CA> I<filename>|I<uri>
Specifies the "CA" certificate to be used for signing with the B<-x509> option.
Specifies the "CA" certificate to be used for signing a new certificate
and implies use of B<-x509>.
When present, this behaves like a "micro CA" as follows:
The subject name of the "CA" certificate is placed as issuer name in the new
certificate, which is then signed using the "CA" key given as specified below.
@ -294,7 +296,7 @@ If this option is not provided then the key must be present in the B<-CA> input.
=item B<-days> I<n>
When the B<-x509> option is being used this specifies the number of
When B<-x509> is in use this specifies the number of
days to certify the certificate for, otherwise it is ignored. I<n> should
be a positive integer. The default is 30 days.
@ -307,7 +309,7 @@ If not given, a large random number will be used.
=item B<-copy_extensions> I<arg>
Determines how X.509 extensions in certificate requests should be handled
when B<-x509> is given.
when B<-x509> is in use.
If I<arg> is B<none> or this option is not present then extensions are ignored.
If I<arg> is B<copy> or B<copyall> then
all extensions in the request are copied to the certificate.
@ -317,8 +319,8 @@ values for certain extensions such as subjectAltName.
=item B<-addext> I<ext>
Add a specific extension to the certificate (if the B<-x509> option is
present) or certificate request. The argument must have the form of
Add a specific extension to the certificate (if B<-x509> is in use)
or certificate request. The argument must have the form of
a key=value pair as it would appear in a config file.
This option can be given multiple times.
@ -328,8 +330,8 @@ This option can be given multiple times.
=item B<-reqexts> I<section>
These options specify alternative sections to include certificate
extensions (if the B<-x509> option is present) or certificate
request extensions. This allows several different sections to
extensions (if B<-x509> is in use) or certificate request extensions.
This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.
@ -399,7 +401,8 @@ The options available are described in detail below.
=over 4
=item B<input_password output_password>
=item B<input_password>
=item B<output_password>
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
@ -479,8 +482,8 @@ extension section format.
=item B<x509_extensions>
This specifies the configuration file section containing a list of
extensions to add to certificate generated when the B<-x509> switch
is used. It can be overridden by the B<-extensions> command line switch.
extensions to add to certificate generated when B<-x509> is in use.
It can be overridden by the B<-extensions> command line switch.
=item B<prompt>


Loading…
Cancel
Save