From b6486bf749bf6246dbae7643c5fb7717cf388072 Mon Sep 17 00:00:00 2001 From: Rob Percival Date: Thu, 10 Mar 2016 19:15:13 +0000 Subject: [PATCH] Adds a "-precert" flag to "openssl req" for creating pre-certificates This makes it a little easier to create a pre-certificate. Reviewed-by: Tim Hudson Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/843) --- apps/CA.pl.in | 4 ++++ apps/req.c | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/apps/CA.pl.in b/apps/CA.pl.in index 11566dfc21..940e7d60ab 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -123,6 +123,10 @@ if ($WHAT eq '-newcert' ) { # create a certificate $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}"); print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0; +} elsif ($WHAT eq '-newprecert' ) { + # create a pre-certificate + $RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"); + print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0; } elsif ($WHAT eq '-newreq' ) { # create a certificate request $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}"); diff --git a/apps/req.c b/apps/req.c index 766a27ea6b..8945cb6c01 100644 --- a/apps/req.c +++ b/apps/req.c @@ -79,7 +79,7 @@ typedef enum OPTION_choice { OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, - OPT_REQEXTS, OPT_MD + OPT_REQEXTS, OPT_PRECERT, OPT_MD } OPTION_CHOICE; const OPTIONS req_options[] = { 
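Review bot: The new `-newprecert` branch drops the `$EXTRA{req}` that the neighbouring `-newcert` and `-newreq` branches append to the `openssl req` command line, so any extra request options a user supplies to CA.pl are silently ignored when a pre-certificate is made. Unless that omission is deliberate, the run() line should match its siblings: `$RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");`. The usage text that enumerates CA.pl's subcommands is outside this hunk; if it lists `-newcert` it presumably needs a `-newprecert` entry as well.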
@@ -126,6 +126,7 @@ const OPTIONS req_options[] = {
 "Cert extension section (override value in config file)"},
 {"reqexts", OPT_REQEXTS, 's',
 "Request extension section (override value in config file)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension"},
 {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -161,6 +162,7 @@ int req_main(int argc, char **argv)
 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
 int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
 int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
+ int precert = 0;
 long newkey = -1;
 unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
 char nmflag_set = 0;
@@ -318,6 +320,9 @@ int req_main(int argc, char **argv)
 case OPT_REQEXTS:
 req_exts = opt_arg();
 break;
+ case OPT_PRECERT:
+ precert = 1;
+ break;
 case OPT_MD:
 if (!opt_md(opt_unknown(), &md_alg))
 goto opthelp;
@@ -644,6 +649,15 @@ int req_main(int argc, char **argv)
 goto end;
 }
 
+ /* If a pre-cert was requested, we need to add a poison extension */
+ if (precert) {
+ if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
+ != 1) {
+ BIO_printf(bio_err, "Error adding poison extension\n");
+ goto end;
+ }
+ }
+
 i = do_X509_sign(x509ss, pkey, digest, sigopts);
 if (!i) {
 ERR_print_errors(bio_err);
-- 
2.25.1
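Review bot: The help string `"Add a poison extension"` on the new `precert` entry names the mechanism but not what it produces or when it applies, whereas the neighbouring entries describe the effect for the user. A more self-explanatory line would be `{"precert", OPT_PRECERT, '-', "Add a poison extension to make a CT pre-certificate (RFC 6962)"},`. The diffstat shows only apps/CA.pl.in and apps/req.c changing, so the req manual page presumably still lacks a matching `-precert` entry.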
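Review bot: The failure branch of the new X509_add1_ext_i2d call prints only a fixed message, while the do_X509_sign failure three lines below dumps the OpenSSL error queue, so the actual cause (unknown NID, allocation failure) is lost; add `ERR_print_errors(bio_err);` before the `goto end;`. The comment should also say why the fourth argument is 1, e.g. `/* RFC 6962 requires the poison extension to be critical so that validators which do not handle it reject the pre-certificate */`, since that criticality is what keeps a pre-certificate from being usable as a real certificate. The enclosing block starts outside the hunk, but it operates on `x509ss`, so `-precert` without `-x509` appears to be silently ignored; a check after option parsing such as `if (precert && !x509) { BIO_printf(bio_err, "-precert requires -x509\n"); goto opthelp; }` (assuming the local set by OPT_X509 is named `x509`) would make that explicit.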