#define DEF_DAYS 30
static int callb(int ok, X509_STORE_CTX *ctx);
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
const EVP_MD *digest, CONF *conf, const char *section,
int preserve_dates);
static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest,
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
- {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
+ {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"},
{"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
{"clrreject", OPT_CLRREJECT, '-',
"Clears all the prohibited or rejected uses of the certificate"},
if (!set_cert_times(x, NULL, NULL, days))
goto end;
- if (fkey != NULL) {
- X509_set_pubkey(x, fkey);
- } else {
- pkey = X509_REQ_get0_pubkey(req);
- X509_set_pubkey(x, pkey);
- }
+ if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
+ goto end;
} else {
x = load_cert(infile, informat, "Certificate");
+ if (x == NULL)
+ goto end;
+ if (fkey != NULL && !X509_set_pubkey(x, fkey))
+ goto end;
}
- if (x == NULL)
- goto end;
if (CA_flag) {
xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
}
- if (!sign(x, Upkey, days, clrext, digest, extconf, extsect, preserve_dates))
+ if (!sign(x, Upkey, fkey, days, clrext, digest, extconf,
+ extsect, preserve_dates))
goto end;
} else if (CA_flag == i) {
BIO_printf(bio_err, "Getting CA Private Key\n");
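Review bot: The ternary on the new X509_set_pubkey line passes the result of X509_REQ_get0_pubkey(req) straight through, and that call returns NULL when the request's key cannot be decoded (unsupported algorithm, malformed SubjectPublicKeyInfo); whether X509_set_pubkey rejects a NULL key cleanly is not visible from this hunk, so the failure would at best surface as a generic error and at worst as a dereference inside the library. A named local with an explicit check keeps the error at the point of origin: `EVP_PKEY *pubkey = fkey != NULL ? fkey : X509_REQ_get0_pubkey(req);` / `if (pubkey == NULL || !X509_set_pubkey(x, pubkey))` / `goto end;`. The same pattern already exists for the certificate path, where load_cert's NULL return is now checked before the forced key is installed. The enclosing function starts and ends outside this hunk.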
}
}
-/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+/* self-issue; self-sign unless a forced public key (fkey) is given */
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext,
const EVP_MD *digest, CONF *conf, const char *section,
int preserve_dates)
{
goto err;
if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
goto err;
- if (!X509_set_pubkey(x, pkey))
+ if (fkey == NULL && !X509_set_pubkey(x, pkey))
goto err;
if (clrext) {
while (X509_get_ext_count(x) > 0)
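Review bot: The new fkey parameter is used only as a flag on the X509_set_pubkey line; sign() never installs fkey itself, it relies on the caller having done so, and the new header comment ("self-sign unless a forced public key (fkey) is given") does not say that. A reader of the signature would reasonably expect sign() to set the forced key, so the contract should be stated on the function: `/* Self-issue: sets issuer = subject and signs with pkey. If fkey is non-NULL the caller has already installed it as the certificate's public key, so pkey is only installed (making the result self-signed) when fkey is NULL. */`. Noting in that comment that a forced key yields a certificate whose signature does not verify under its own public key would also help callers that later run the result through a verifier. The function body continues past the end of this hunk.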
[B<-CAkey filename>]
[B<-CAcreateserial>]
[B<-CAserial filename>]
-[B<-force_pubkey key>]
+[B<-force_pubkey filename>]
[B<-text>]
[B<-ext extensions>]
[B<-certopt option>]
=item B<-preserve_dates>
-When signing a certificate, preserve the "notBefore" and "notAfter" dates instead
-of adjusting them to current time and duration. Cannot be used with the B<-days> option.
+When signing a certificate, preserve the "notBefore" and "notAfter" dates
+instead of adjusting them to current time and duration.
+Cannot be used with the B<-days> option.
=back
This option causes the input file to be self signed using the supplied
private key.
-If the input file is a certificate it sets the issuer name to the
-subject name (i.e. makes it self signed) changes the public key to the
-supplied value and changes the start and end dates. The start date is
-set to the current time and the end date is set to a value determined
-by the B<-days> option. Any certificate extensions are retained unless
-the B<-clrext> option is supplied; this includes, for example, any existing
-key identifier extensions.
-
-If the input is a certificate request then a self signed certificate
-is created using the supplied private key using the subject name in
-the request.
+It sets the issuer name to the subject name (i.e., makes it self-issued)
+and changes the public key to the supplied value (unless overridden by
+B<-force_pubkey>). It sets the validity start date to the current time
+and the end date to a value determined by the B<-days> option.
+It retains any certificate extensions unless the B<-clrext> option is supplied;
+this includes, for example, any existing key identifier extensions.
=item B<-passin arg>
L<x509v3_config(5)> manual page for details of the
extension section format.
-=item B<-force_pubkey key>
+=item B<-force_pubkey filename>
-When a certificate is created set its public key to B<key> instead of the
-key in the certificate or certificate request. This option is useful for
-creating certificates where the algorithm can't normally sign requests, for
-example DH.
+When a certificate is created set its public key to the key in B<filename>
+instead of the key contained in the input or given with the B<-signkey> option.
+This option is useful for creating self-issued certificates that are not
+self-signed, for instance when the key cannot be used for signing, such as DH.
-The format or B<key> can be specified using the B<-keyform> option.
+The format of the key file can be specified using the B<-keyform> option.
=back