From: Rich Salz Date: Wed, 4 Mar 2020 19:41:53 +0000 (-0500) Subject: Add -section option to 'req' command X-Git-Tag: openssl-3.0.0-alpha1~315 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=d462b5ff21e9fcdef98447c8f8d8c694b1e79602;p=oweals%2Fopenssl.git Add -section option to 'req' command This removes "req" as the hardwired section for the req command. Doing this will let us merge some test configs. Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/11249)
---
diff --git a/apps/ca.c b/apps/ca.c
index 84e1905d38..e3e2fd2e7e 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -177,6 +177,7 @@ const OPTIONS ca_options[] = {
 OPT_SECTION("Configuration"),
 {"config", OPT_CONFIG, 's', "A config file"},
 {"name", OPT_NAME, 's', "The particular CA definition to use"},
+ {"section", OPT_NAME, 's', "An alias for -name"},
 {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
 OPT_SECTION("Certificate"),
diff --git a/apps/req.c b/apps/req.c
index dcad9dc238..5186017282 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -32,7 +32,6 @@
 # include
 #endif
-#define SECTION "req"
 #define BITS "default_bits"
 #define KEYFILE "default_keyfile"
@@ -77,6 +76,8 @@ static int join(char buf[], size_t buf_size, const char *name,
 static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, int *pkey_type, long *pkeylen, char **palgnam, ENGINE *keygen_engine);
+
+static const char *section = "req";
 static CONF *req_conf = NULL;
 static CONF *addext_conf = NULL;
 static int batch = 0;
@@ -91,6 +92,7 @@ typedef enum OPTION_choice {
 OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS, OPT_REQEXTS, OPT_PRECERT, OPT_MD, OPT_SM2ID, OPT_SM2HEXID,
+ OPT_SECTION,
 OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
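Review bot: The new file-scope `static const char *section = "req";` in the second req.c hunk is the value that every later `NCONF_get_string(req_conf, section, ...)` and `app_RAND_load_conf(req_conf, section)` call reads, but the declaration carries no comment saying that, nor that `-section` replaces it with the `opt_arg()` result. A one-line comment above it would orient the next reader: `/* Config section consulted by all req_conf lookups; -section replaces the default "req" */`. The prototype it follows and the `req_conf`/`addext_conf`/`batch` statics after it are context only, and the added blank line keeps the prototype block visually separate, which reads fine.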
@@ -109,6 +111,7 @@ const OPTIONS req_options[] = {
 OPT_SECTION("Certificate"),
 {"new", OPT_NEW, '-', "New request"},
 {"config", OPT_CONFIG, '<', "Request template file"},
+ {"section", OPT_SECTION, 's', "Config section to use (default \"req\")"},
 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
 {"reqopt", OPT_REQOPT, 's', "Various request text options"},
@@ -309,6 +312,9 @@ int req_main(int argc, char **argv)
 case OPT_CONFIG:
 template = opt_arg();
 break;
+ case OPT_SECTION:
+ section = opt_arg();
+ break;
 case OPT_KEYFORM:
 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
 goto opthelp;
@@ -519,7 +525,7 @@ int req_main(int argc, char **argv)
 goto end;
 if (md_alg == NULL) {
- p = NCONF_get_string(req_conf, SECTION, "default_md");
+ p = NCONF_get_string(req_conf, section, "default_md");
 if (p == NULL) {
 ERR_clear_error();
 } else {
@@ -530,7 +536,7 @@ int req_main(int argc, char **argv)
 }
 if (extensions == NULL) {
- extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ extensions = NCONF_get_string(req_conf, section, V3_EXTENSIONS);
 if (extensions == NULL)
 ERR_clear_error();
 }
@@ -558,19 +564,19 @@ int req_main(int argc, char **argv)
 if (passin == NULL) {
 passin = nofree_passin =
- NCONF_get_string(req_conf, SECTION, "input_password");
+ NCONF_get_string(req_conf, section, "input_password");
 if (passin == NULL)
 ERR_clear_error();
 }
 if (passout == NULL) {
 passout = nofree_passout =
- NCONF_get_string(req_conf, SECTION, "output_password");
+ NCONF_get_string(req_conf, section, "output_password");
 if (passout == NULL)
 ERR_clear_error();
 }
- p = NCONF_get_string(req_conf, SECTION, STRING_MASK);
+ p = NCONF_get_string(req_conf, section, STRING_MASK);
 if (p == NULL)
 ERR_clear_error();
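Review bot: The man-page sentence this commit adds for the option declared in this hunk's `{"section", OPT_SECTION, 's', "Config section to use (default \"req\")"}` entry is missing a verb: in openssl-req.pod.in it reads `An alternate name be specified by using the B<-section> option.` and should read `An alternate name can be specified by using the B<-section> option.`. The help string itself is fine and its stated default matches the `"req"` initializer of the static. Note that ca.c maps the same flag name to `OPT_NAME` as a pure alias, so the two commands accept `-section` with different help text; acceptable, but worth keeping in mind when the option tables are next reconciled.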
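Review bot: `section = opt_arg();` in the `case OPT_SECTION:` hunk accepts any string and nothing later checks that the named section exists, so a mistyped `-section` is never diagnosed: the man-page text in this commit documents that a key missing from the named section falls back to the default section, and the callers in the following hunks answer a NULL with `ERR_clear_error()` and a built-in default, e.g. `default_bits` quietly becoming `DEFAULT_KEY_LENGTH`. The only visible hard failure is the `distinguished_name` lookup in make_REQ, which presumably runs only when a new request is built. Once `req_conf` is loaded (outside this hunk) an explicitly given name should be validated, e.g. `if (section_given && NCONF_get_section(req_conf, section) == NULL) { BIO_printf(bio_err, "Config section '%s' not found\n", section); goto end; }` with `section_given` a flag set in this `case`; limiting the check to an explicit `-section` preserves the historic tolerance of a config with no `[req]` section. req_main's body begins and ends outside the hunk.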
@@ -580,7 +586,7 @@ int req_main(int argc, char **argv)
 }
 if (chtype != MBSTRING_UTF8) {
- p = NCONF_get_string(req_conf, SECTION, UTF8_IN);
+ p = NCONF_get_string(req_conf, section, UTF8_IN);
 if (p == NULL)
 ERR_clear_error();
 else if (strcmp(p, "yes") == 0)
@@ -588,7 +594,7 @@ int req_main(int argc, char **argv)
 }
 if (req_exts == NULL) {
- req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS);
+ req_exts = NCONF_get_string(req_conf, section, REQ_EXTENSIONS);
 if (req_exts == NULL)
 ERR_clear_error();
 }
@@ -611,14 +617,14 @@ int req_main(int argc, char **argv)
 /* load_key() has already printed an appropriate message */
 goto end;
 } else {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
 }
 }
 if (newreq && (pkey == NULL)) {
- app_RAND_load_conf(req_conf, SECTION);
+ app_RAND_load_conf(req_conf, section);
- if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) {
+ if (!NCONF_get_number(req_conf, section, BITS, &newkey)) {
 newkey = DEFAULT_KEY_LENGTH;
 }
@@ -688,7 +694,7 @@ int req_main(int argc, char **argv)
 genctx = NULL;
 if (keyout == NULL) {
- keyout = NCONF_get_string(req_conf, SECTION, KEYFILE);
+ keyout = NCONF_get_string(req_conf, section, KEYFILE);
 if (keyout == NULL)
 ERR_clear_error();
 }
@@ -701,10 +707,10 @@ int req_main(int argc, char **argv)
 if (out == NULL)
 goto end;
- p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_rsa_key");
 if (p == NULL) {
 ERR_clear_error();
- p = NCONF_get_string(req_conf, SECTION, "encrypt_key");
+ p = NCONF_get_string(req_conf, section, "encrypt_key");
 if (p == NULL)
 ERR_clear_error();
 }
@@ -1062,13 +1068,13 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
 STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL;
 char *tmp, *dn_sect, *attr_sect;
- tmp = NCONF_get_string(req_conf, SECTION, PROMPT);
+ tmp = NCONF_get_string(req_conf, section, PROMPT);
 if (tmp == NULL)
 ERR_clear_error();
 if ((tmp != NULL) && strcmp(tmp, "no") == 0)
 no_prompt = 1;
- dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME);
+ dn_sect = NCONF_get_string(req_conf, section, DISTINGUISHED_NAME);
 if (dn_sect == NULL) {
 BIO_printf(bio_err, "unable to find '%s' in config\n", DISTINGUISHED_NAME);
@@ -1080,7 +1086,7 @@ static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn,
 goto err;
 }
- attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES);
+ attr_sect = NCONF_get_string(req_conf, section, ATTRIBUTES);
 if (attr_sect == NULL) {
 ERR_clear_error();
 attr_sk = NULL;
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 8eef310ca4..a3c83d8076 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -12,6 +12,7 @@ B B
 [B<-verbose>]
 [B<-config> I]
 [B<-name> I
] +[B<-section> I
] [B<-gencrl>] [B<-revoke> I] [B<-valid> I] @@ -94,7 +95,7 @@ Specifies the configuration file to use. Optional; for a description of the default value, see L. -=item B<-name> I
+=item B<-name> I
, B<-section> I
] Specifies the configuration file section to use (overrides B in the B section).
@@ -772,6 +773,8 @@ seeding mechanism.
 The new seeding mechanism makes it unnecessary to define a RANDFILE for saving and restoring randomness. This option is retained mainly for compatibility reasons.
+The B<-section> option was added in OpenSSL 3.0.0.
+
 =head1 SEE ALSO
 L,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 703a208bc1..7587cb5a71 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -30,6 +30,7 @@ B B
 [B<-keygen_engine> I]
 [B<-I>]
 [B<-config> I]
+[B<-section> I]
 [B<-multivalue-rdn>]
 [B<-x509>]
 [B<-days> I]
@@ -206,6 +207,10 @@ This allows an alternative configuration file to be specified.
 Optional; for a description of the default value, see L.
+=item B<-section> I
+
+Specifies the name of the section to use; the default is B.
+
 =item B<-subj> I
 Sets subject name for new request or supersedes the subject name
@@ -331,8 +336,10 @@ argument for this option is string of hexadecimal digits.
 =head1 CONFIGURATION FILE FORMAT
 The configuration options are specified in the B section of
-the configuration file. As with all configuration files if no
-value is specified in the specific section (i.e. B) then
+the configuration file. An alternate name be specified by using the
+B<-section> option.
+As with all configuration files, if no
+value is specified in the specific section then
 the initial unnamed or B section is searched too. The options available are described in detail below.
@@ -678,6 +685,10 @@ L,
 L,
 L
+=head1 HISTORY
+
+The B<-section> option was added in OpenSSL 3.0.0.
+
 =head1 COPYRIGHT
 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 1a6efa8be2..662109c896 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 setup("test_req");
-plan tests => 15;
+plan tests => 16;
 require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -42,6 +42,34 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
 ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
+subtest "generating alt certificate requests with RSA" => sub {
+ plan tests => 3;
+
+ SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 2
+ if disabled("rsa");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-new", "-out", "testreq-rsa.pem", "-utf8",
+ "-key", srctop_file("test", "testrsa.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-section", "altreq",
+ "-verify", "-in", "testreq-rsa.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
+
 subtest "generating certificate requests with RSA" => sub {
 plan tests => 2;
diff --git a/test/test.cnf b/test/test.cnf
index 1e2fa31cce..a686c3d8bd 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -1,7 +1,3 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
 ####################################################################
 [ ca ]
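Review bot: The skip count in the new subtest disagrees with its plan: `plan tests => 3;` is followed by `skip "RSA is not supported by this OpenSSL build", 2 if disabled("rsa");`, so on a build without RSA the block records two skips against a plan of three and the subtest fails. Change it to `skip "RSA is not supported by this OpenSSL build", 3`. The second and third `ok()` calls also share the description `"Verifying signature on request"`; `"Verifying signature on request with -section altreq"` on the third would make a failure locatable at a glance. The request is written to `testreq-rsa.pem`, a name the following subtest (its header is the last context line) presumably also uses; that is harmless while the subtests keep this order, but a distinct file such as `testreq-rsa-altreq.pem` would remove the ordering dependency.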
@@ -58,28 +54,25 @@ default_keyfile = testkey.pem
 distinguished_name = req_distinguished_name
 encrypt_rsa_key = no
+# Make altreq be identical to req
+[ altreq ]
+default_bits = 2048
+default_keyfile = testkey.pem
+distinguished_name = req_distinguished_name
+encrypt_rsa_key = no
+
 [ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName = C field
 countryName_value = AU
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Queensland
+stateOrProvinceName = SP field
 stateOrProvinceName_value =
-
-localityName = Locality Name (eg, city)
+localityName = L field
 localityName_value = Brisbane
-
-organizationName = Organization Name (eg, company)
-organizationName_default =
+organizationName = O field
 organizationName_value = CryptSoft Pty Ltd
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default =
+organizationalUnitName = OU field
 organizationalUnitName_value = .
-
-commonName = Common Name (eg, YOUR name)
+commonName = CN field
 commonName_value = Eric Young
-
-emailAddress = Email Address
+emailAddress = email field
 emailAddress_value = eay@mincom.oz.au
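Review bot: The comment `# Make altreq be identical to req` states an invariant that nothing enforces: the four keys under `[ altreq ]` are copied by hand, and the OpenSSL config syntax offers variable expansion but no section inheritance, so a later edit to `[ req ]` (only its tail is visible as context here) would silently turn the `-section altreq` test into a test of a different configuration. Either spell out the contract, e.g. `# altreq must mirror [ req ] (default_bits, default_keyfile, distinguished_name, encrypt_rsa_key) so the -section test only checks section selection`, or have the test compare the altreq run against the default-section run. The rewording of the `req_distinguished_name` prompts in the same hunk (`countryName = C field` and the rest) is unrelated to the new option and is not mentioned in the commit message; a sentence there would save the next reader a diff search.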