The branch master has been updated via 4fdb0d2535323373650bd68e7a659f9320828857 (commit) via f2b6edcfdd9ba0b17c8d6d6d76aa892fe76315fc (commit) from b4fec69b2a8b5b93ec0e2603e4d27e5d722b87fc (commit)
- Log -----------------------------------------------------------------
commit 4fdb0d2535323373650bd68e7a659f9320828857
Author: Dr. David von Oheimb <david.von.ohe...@siemens.com>
Date: Wed Aug 25 12:21:06 2021 +0200
APPS/req: Fix AKID generation in case -CA option is used
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16420)
commit f2b6edcfdd9ba0b17c8d6d6d76aa892fe76315fc
Author: Dr. David von Oheimb <david.von.ohe...@siemens.com>
Date: Wed Aug 25 12:11:38 2021 +0200
APPS/req: Fix misconceptions on -CA, -CAkey, and -key options. -CA now implies -x509
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16420)
-----------------------------------------------------------------------
Summary of changes:
apps/req.c | 51 ++++++++++++++++++++-------------------
doc/man1/openssl-req.pod.in | 31 ++++++++++++++-------------
2 files changed, 40 insertions(+), 42 deletions(-)
diff --git a/apps/req.c b/apps/req.c
index a0ecda8225..6aa364fec5 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -116,10 +116,10 @@ const OPTIONS req_options[] = {
 {"reqopt", OPT_REQOPT, 's', "Various request text options"},
 {"text", OPT_TEXT, '-', "Text form of request"},
 {"x509", OPT_X509, '-',
- "Output an x509 structure instead of a cert request"},
- {"CA", OPT_CA, '<', "Issuer certificate to use with -x509"},
+ "Output an X.509 certificate structure instead of a cert request"},
+ {"CA", OPT_CA, '<', "Issuer cert to use for signing a cert, implies -x509"},
 {"CAkey", OPT_CAKEY, 's',
- "Issuer private key to use with -x509; default is -CA arg"},
+ "Issuer private key to use with -CA; default is -CA arg"},
 {OPT_MORE_STR, 1, 1, "(Required by some CA's)"},
 {"subj", OPT_SUBJ, 's', "Set or modify subject of request or cert"},
 {"subject", OPT_SUBJECT, '-',
@@ -139,7 +139,7 @@ const OPTIONS req_options[] = {
 {"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
 
 OPT_SECTION("Keys and Signing"),
- {"key", OPT_KEY, 's', "Private key to use"},
+ {"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
 {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
 {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@@ -406,6 +406,7 @@ int req_main(int argc, char **argv)
 break;
 case OPT_CA:
 CAfile = opt_arg();
+ gen_x509 = 1;
 break;
 case OPT_CAKEY:
 CAkeyfile = opt_arg();
@@ -630,7 +631,6 @@ int req_main(int argc, char **argv)
 goto end;
 app_RAND_load_conf(req_conf, section);
 }
-
 if (newreq && pkey == NULL) {
 app_RAND_load_conf(req_conf, section);
 
@@ -755,28 +755,21 @@ int req_main(int argc, char **argv)
 "Ignoring -CAkey option since no -CA option is given\n");
 } else {
 if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
- 0, passin, e, "issuer private key")) == NULL)
+ 0, passin, e,
+ CAkeyfile != CAfile
+ ? "issuer private key from -CAkey arg"
+ : "issuer private key from -CA arg")) == NULL)
 goto end;
 }
 }
 if (CAfile != NULL) {
- if (!gen_x509) {
+ if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
+ "issuer cert from -CA arg")) == NULL)
+ goto end;
+ if (!X509_check_private_key(CAcert, CAkey)) {
 BIO_printf(bio_err,
- "Warning: Ignoring -CA option without -x509\n");
- } else {
- if (CAkeyfile == NULL) {
- BIO_printf(bio_err,
- "Need to give the -CAkey option if using -CA\n");
- goto end;
- }
- if ((CAcert = load_cert_pass(CAfile, FORMAT_UNDEF, 1, passin,
- "issuer certificate")) == NULL)
- goto end;
- if (!X509_check_private_key(CAcert, CAkey)) {
- BIO_printf(bio_err,
- "Issuer certificate and key do not match\n");
- goto end;
- }
+ "Issuer CA certificate and key do not match\n");
+ goto end;
 }
 }
 if (newreq || gen_x509) {
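Review bot: At the end of the hunk, `X509_check_private_key(CAcert, CAkey)` is reached with whatever CAkey the preceding branch produced, and the removed explicit rejection of a missing issuer key (`Need to give the -CAkey option if using -CA`) has no replacement; the new path appears to rely on CAkeyfile having been defaulted to CAfile outside this hunk (the `CAkeyfile != CAfile` pointer comparison in the load_key message only makes sense if that default is a plain pointer copy), which I cannot verify from here. If that default can ever be skipped, CAkey is NULL at the check and the user is told "Issuer CA certificate and key do not match" instead of being told that no issuer key was supplied. A cheap guard before the check keeps the diagnosis honest: `if (CAkey == NULL) { BIO_printf(bio_err, "No issuer private key available for -CA certificate\n"); goto end; }`, or failing that a one-line comment stating that CAkey is non-NULL here by construction. req_main's body continues outside the hunk.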
@@ -798,6 +791,7 @@ int req_main(int argc, char **argv)
 }
 if (gen_x509) {
 EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
+ EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;
 X509V3_CTX ext_ctx;
 X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert)
 : X509_REQ_get_subject_name(req);
@@ -828,7 +822,8 @@ int req_main(int argc, char **argv)
 if (!pub_key || !X509_set_pubkey(new_x509, pub_key))
 goto end;
 if (ext_copy == EXT_COPY_UNSET) {
- BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
+ if (infile != NULL)
+ BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
 } else if (!copy_extensions(new_x509, req, ext_copy)) {
 BIO_printf(bio_err, "Error copying extensions from request\n");
 goto end;
@@ -837,11 +832,12 @@ int req_main(int argc, char **argv)
 /* Set up V3 context struct */
 X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, new_x509,
 NULL, NULL, X509V3_CTX_REPLACE);
- if (CAcert == NULL) { /* self-issued, possibly self-signed */
- if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */
+ /* prepare fallback for AKID, but only if issuer cert == new_x509 */
+ if (CAcert == NULL) {
+ if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
 goto end;
 ERR_set_mark();
- if (!X509_check_private_key(new_x509, pkey))
+ if (!X509_check_private_key(new_x509, issuer_key))
 BIO_printf(bio_err,
 "Warning: Signature key and public key of cert do not match\n");
 ERR_pop_to_mark();
@@ -872,8 +868,7 @@ int req_main(int argc, char **argv)
 }
 }
 
- i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey,
- digest, sigopts, &ext_ctx);
+ i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx);
 if (!i)
 goto end;
 } else {
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 75d0da1743..9926901571 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
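Review bot: The new `EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;` carries the whole signing decision for the certificate but has no comment, and in the later hunks of this file it is passed both to X509V3_set_issuer_pkey (only in the CAcert == NULL branch, where it is necessarily pkey) and to do_X509_sign. A one-line comment on the declaration would save the reader that chase: `/* key that signs the cert: the -CA key if one was given, else the subject's own key (self-signed) */`. The enclosing if (gen_x509) block and req_main continue outside the hunk.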
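Review bot: In the second hunk the "No -copy_extensions given" warning is now gated on `infile != NULL`, but a NULL infile does not establish that no request was read: if this app follows the usual apps convention that the request comes from stdin when -in is absent (decided outside this hunk), a piped-in request carrying extensions now loses the warning while its extensions are still silently dropped. The condition that matches the stated intent is whether the request was generated here or read in, i.e. `if (!newreq)`, using the flag the code already tests elsewhere in this file. If running without -in and without -new is in fact impossible by this point, a comment saying so would make the gate self-explanatory. req_main's body continues outside the hunk.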
@@ -103,7 +103,7 @@ which supports both options for good reasons. =item B<-passin> I<arg> -The password source for the request input file and the certificate input. +The password source for private key and certificate input. For more information about the format of B<arg> see L<openssl-passphrase-options(1)>. @@ -124,7 +124,7 @@ Prints out the certificate request in text form. =item B<-subject> Prints out the certificate request subject -(or certificate subject if B<-x509> is specified). +(or certificate subject if B<-x509> is in use). =item B<-pubkey> @@ -193,8 +193,8 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details. =item B<-key> I<filename>|I<uri> -This specifies the private key to use for request self-signature -and signing certificates produced using the B<-x509> option. +This specifies the key to include and to use for request self-signature +and for self-signing certificates produced with the B<-x509> option. It also accepts PKCS#8 format private keys for PEM format files. =item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE> @@ -266,6 +266,7 @@ This option has been deprecated and has no effect. This option outputs a certificate instead of a certificate request. This is typically used to generate test certificates. +It is implied by the B<-CA> option. If an existing request is specified with the B<-in> option, it is converted to the a certificate; otherwise a request is created from scratch. @@ -281,7 +282,8 @@ or using the B<-addext> option. =item B<-CA> I<filename>|I<uri> -Specifies the "CA" certificate to be used for signing with the B<-x509> option. +Specifies the "CA" certificate to be used for signing a new certificate +and implies use of B<-x509>. When present, this behaves like a "micro CA" as follows: The subject name of the "CA" certificate is placed as issuer name in the new certificate, which is then signed using the "CA" key given as specified below. 
@@ -294,7 +296,7 @@ If this option is not provided then the key must be present in the B<-CA> input. =item B<-days> I<n> -When the B<-x509> option is being used this specifies the number of +When B<-x509> is in use this specifies the number of days to certify the certificate for, otherwise it is ignored. I<n> should be a positive integer. The default is 30 days. @@ -307,7 +309,7 @@ If not given, a large random number will be used. =item B<-copy_extensions> I<arg> Determines how X.509 extensions in certificate requests should be handled -when B<-x509> is given. +when B<-x509> is in use. If I<arg> is B<none> or this option is not present then extensions are ignored. If I<arg> is B<copy> or B<copyall> then all extensions in the request are copied to the certificate. @@ -317,8 +319,8 @@ values for certain extensions such as subjectAltName. =item B<-addext> I<ext> -Add a specific extension to the certificate (if the B<-x509> option is -present) or certificate request. The argument must have the form of +Add a specific extension to the certificate (if B<-x509> is in use) +or certificate request. The argument must have the form of a key=value pair as it would appear in a config file. This option can be given multiple times. @@ -328,8 +330,8 @@ This option can be given multiple times. =item B<-reqexts> I<section> These options specify alternative sections to include certificate -extensions (if the B<-x509> option is present) or certificate -request extensions. This allows several different sections to +extensions (if B<-x509> is in use) or certificate request extensions. +This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes. 
@@ -399,7 +401,8 @@ The options available are described in detail below. =over 4 -=item B<input_password output_password> +=item B<input_password> +=item B<output_password> The passwords for the input private key file (if present) and the output private key file (if one will be created). The @@ -479,8 +482,8 @@ extension section format. =item B<x509_extensions> This specifies the configuration file section containing a list of -extensions to add to certificate generated when the B<-x509> switch -is used. It can be overridden by the B<-extensions> command line switch. +extensions to add to certificate generated when B<-x509> is in use. +It can be overridden by the B<-extensions> command line switch. =item B<prompt>