apps/req.c: flag "-new" is implied by "-precert"

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)

diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index b9b93cb452608685882d6e047a050d6d3687bf86..ddbc70d710f0adf2e59065c7dc4608de1116b8a3 100644 (file)
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -125,7 +125,7 @@ if ($WHAT eq '-newcert' ) {
     print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-precert' ) {
     # create a pre-certificate
-    $RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
+    $RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
     print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newreq' ) {
     # create a certificate request

diff --git a/apps/req.c b/apps/req.c
index 8945cb6c012156517672c8e6ef1cae8844a12f2f..ddb0fdce99b4d2dbd7001b86034a4aaccb7c1c18 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -126,7 +126,7 @@ const OPTIONS req_options[] = {
      "Cert extension section (override value in config file)"},
     {"reqexts", OPT_REQEXTS, 's',
      "Request extension section (override value in config file)"},
-    {"precert", OPT_PRECERT, '-', "Add a poison extension"},
+    {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
     {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -161,8 +161,7 @@ int req_main(int argc, char **argv)
     int pkey_type = -1, private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
     int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
-    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
-    int precert = 0;
+    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0, precert = 0;
     long newkey = -1;
     unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
     char nmflag_set = 0;
@@ -321,7 +320,7 @@ int req_main(int argc, char **argv)
             req_exts = opt_arg();
             break;
         case OPT_PRECERT:
-            precert = 1;
+            newreq = precert = 1;
             break;
         case OPT_MD:
             if (!opt_md(opt_unknown(), &md_alg))

diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 5ac629aa4449837f3db83ab80d0e56ee7af319e1..641d8f62bcedb5f0ebb54c4386458b3d0db72cf6 100644 (file)
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -262,6 +262,8 @@ Transparency logs in order to obtain signed certificate timestamps (SCTs).
 These SCTs can then be embedded into the pre-certificate as an extension, before
 removing the poison and signing the certificate.
 
+This implies the B<-new> flag.
+
 =item B<-utf8>
 
 this option causes field values to be interpreted as UTF8 strings, by