EVP_PKEY_CTX *genctx = NULL;
const char *keyalg = NULL;
char *keyalgstr = NULL;
- STACK *pkeyopts = NULL;
+ STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL;
EVP_PKEY *pkey=NULL;
int i=0,badops=0,newreq=0,verbose=0,pkey_type=-1;
long newkey = -1;
if (--argc < 1)
goto bad;
if (!pkeyopts)
- pkeyopts = sk_new_null();
- if (!pkeyopts || !sk_push(pkeyopts, *(++argv)))
+ pkeyopts = sk_OPENSSL_STRING_new_null();
+ if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv)))
+ goto bad;
+ }
+ else if (strcmp(*argv,"-sigopt") == 0)
+ {
+ if (--argc < 1)
+ goto bad;
+ if (!sigopts)
+ sigopts = sk_OPENSSL_STRING_new_null();
+ if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
else if (strcmp(*argv,"-batch") == 0)
serial = s2i_ASN1_INTEGER(NULL, *(++argv));
if (!serial) goto bad;
}
- else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
- {
- /* ok */
- digest=md_alg;
- }
else if (strcmp(*argv,"-extensions") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
req_exts = *(++argv);
}
+ else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ {
+ /* ok */
+ digest=md_alg;
+ }
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
message */
goto end;
}
- if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA ||
- EVP_PKEY_type(pkey->type) == EVP_PKEY_EC)
+ else
{
char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
if (randfile == NULL)
if (pkeyopts)
{
char *genopt;
- for (i = 0; i < sk_num(pkeyopts); i++)
+ for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++)
{
- genopt = sk_value(pkeyopts, i);
+ genopt = sk_OPENSSL_STRING_value(pkeyopts, i);
if (pkey_ctrl_string(genctx, genopt) <= 0)
{
BIO_printf(bio_err,
if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
- if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
+ if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end;
if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
tmppkey = X509_REQ_get_pubkey(req);
if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
extensions);
goto end;
}
-
- if (!(i=X509_sign(x509ss,pkey,digest)))
+
+ i=do_X509_sign(bio_err, x509ss, pkey, digest, sigopts);
+ if (!i)
{
ERR_print_errors(bio_err);
goto end;
req_exts);
goto end;
}
- if (!(i=X509_REQ_sign(req,pkey,digest)))
+ i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
+ if (!i)
{
ERR_print_errors(bio_err);
goto end;
if (genctx)
EVP_PKEY_CTX_free(genctx);
if (pkeyopts)
- sk_free(pkeyopts);
+ sk_OPENSSL_STRING_free(pkeyopts);
+ if (sigopts)
+ sk_OPENSSL_STRING_free(sigopts);
#ifndef OPENSSL_NO_ENGINE
if (gen_eng)
ENGINE_free(gen_eng);
/* setup version number */
if (!X509_REQ_set_version(req,0L)) goto err; /* version 1 */
- if (no_prompt)
+ if (subj)
+ i = build_subject(req, subj, chtype, multirdn);
+ else if (no_prompt)
i = auto_info(req, dn_sk, attr_sk, attribs, chtype);
- else
- {
- if (subj)
- i = build_subject(req, subj, chtype, multirdn);
- else
- i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
- }
+ else
+ i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, chtype);
if(!i) goto err;
if (!X509_REQ_set_pubkey(req,pkey)) goto err;
BIO_snprintf(buf,sizeof buf,"%s_min",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
+ {
+ ERR_clear_error();
n_min = -1;
+ }
BIO_snprintf(buf,sizeof buf,"%s_max",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
+ {
+ ERR_clear_error();
n_max = -1;
+ }
if (!add_attribute_object(req,
v->value,def,value,nid,n_min,n_max, chtype))
buf[0]='\0';
if (!batch)
{
- fgets(buf,sizeof buf,stdin);
+ if (!fgets(buf,sizeof buf,stdin))
+ return 0;
}
else
{
buf[0]='\0';
if (!batch)
{
- fgets(buf,sizeof buf,stdin);
+ if (!fgets(buf,sizeof buf,stdin))
+ return 0;
}
else
{
if (!param)
{
X509 *x;
- BIO_reset(pbio);
+ (void)BIO_reset(pbio);
x = PEM_read_bio_X509(pbio, NULL, NULL, NULL);
if (x)
{
ERR_print_errors(err);
return NULL;
}
-
+#ifndef OPENSSL_NO_RSA
if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1))
{
if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0)
return NULL;
}
}
+#endif
return gctx;
}
#endif
return 1;
}
+
+static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
+ const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ EVP_PKEY_CTX *pkctx = NULL;
+ int i;
+ EVP_MD_CTX_init(ctx);
+ if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey))
+ return 0;
+ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
+ {
+ char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+ if (pkey_ctrl_string(pkctx, sigopt) <= 0)
+ {
+ BIO_printf(err, "parameter error \"%s\"\n", sigopt);
+ ERR_print_errors(bio_err);
+ return 0;
+ }
+ }
+ return 1;
+ }
+
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_REQ_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+
+
+int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+ STACK_OF(OPENSSL_STRING) *sigopts)
+ {
+ int rv;
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+ rv = do_sign_init(err, &mctx, pkey, md, sigopts);
+ if (rv > 0)
+ rv = X509_CRL_sign_ctx(x, &mctx);
+ EVP_MD_CTX_cleanup(&mctx);
+ return rv > 0 ? 1 : 0;
+ }
+
+