On Wed, Dec 05, 2018 at 10:03:50PM +0100, Sebastian Andrzej Siewior wrote:
> On 2018-12-05 11:09:25 [+0100], Manuel Montecelo wrote:
> > the subcommand genrsa changed interface from its previous version, and does not
> > accept -config or -batch options anymore:
> …
> >
> > I worked around the issue in other ways, and I know that "genpkey" is supposed
> > to supersede "genrsa", but this problem might affect scripts that the users
> > cannot easily change, and it's OK-ish for major versions but would be nice to
> > not affect systems with stable-security updates.
> >
> > For reference, command that used to work:
> >
> >   openssl genrsa -out "${KEY_FILE}" 4096 -config "${CONFIG_FILE}" -batch
> >
> > As a workaround with "genrsa":
> >
> >   OPENSSL_CONF="${CONFIG_FILE}" openssl genrsa -out "${KEY_FILE}" 4096
>
> Are you sure that the workaround vs
>   openssl genrsa -out "${KEY_FILE}" 4096
>
> makes a difference?
>
> I'm asking because bisect identifies commit 847997f98c28b ("Check # of
> arguments for remaining commands.") as the one that introduced the
> regression. This change only adds the error if you specify invalid
> arguments. Both `-config' and `-batch' are not part of accepted
> arguments.
> So I think 1.1.0f should produce the same result with or without those
> two options. Is it true?

It stops parsing for options when it doesn't find an argument that
starts with a '-', so 4096 is not an option anymore, but it tries to
convert it to the number of bits. Everything after that was just
ignored, now it gives an error.

Also note that the manpage does put [numbits] at the end of the
arguments. It was clear to me that it needs to be the last argument,
but I can at least see why it might not be clear.

Kurt
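
Added example, not part of the thread and not OpenSSL code: a shell check that applies the parsing rule described in the reply above (option parsing stops at the first word that does not start with '-', which is taken as numbits) to a genrsa argument list and reports whatever follows numbits. The function name, the list of value-taking options and the file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Options of genrsa that consume the following word. Assumption: adjust
# this list to the genrsa manpage of the installed OpenSSL version.
GENRSA_VALUE_OPTS="-out -passout -rand -writerand -engine -primes"

# genrsa_trailing ARG...
#   ARG... are the words that follow "openssl genrsa" in a script.
#   Prints the words found after numbits and returns 1 if there are any;
#   returns 0 when numbits is the last word (or is absent).
genrsa_trailing() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -*)
                # An option: also skip its value when it takes one.
                case " $GENRSA_VALUE_OPTS " in
                    *" $1 "*)
                        if [ "$#" -ge 2 ]; then shift; fi
                        ;;
                esac
                shift
                ;;
            *)
                # First non-option word is numbits; option parsing ends here.
                shift
                if [ "$#" -eq 0 ]; then
                    return 0
                fi
                printf '%s\n' "$*"
                return 1
                ;;
        esac
    done
    return 0
}

# The two invocations from the report (file names are constructed).
genrsa_trailing -out key.pem 4096 -config openssl.cnf -batch \
    || echo "^ words after numbits: previously ignored, now an error"
genrsa_trailing -out key.pem 4096 && echo "numbits is last: accepted"
```
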