req.c (and many of the other apps) appears to have lost the ability to use an 
engine.
The attached diff is against the github.com version using Tag OpenSSL_1_1-pre2
In the req_options[] table:
OPT_KEY is set to "S" so pre-checking of the parameters does not drop the 
string passed to the engine.
OPT_KEY_FORM is set to "f" so pre-checking will allow engine

The engine is saved:
e = setup_engine(opt_arg(), 1);

(I turned on debug, may want that off.)

To allow the OPT_KEY_FORM to be an engine:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER|OPT_FMT_ENGINE, &keyform))

This was tested with a modified version of OpenSC using ECDSA key on card to 
generate a self signed certificate.

openssl req -config /tmp/genreq.6156.openssl.conf -engine pkcs11 -keyform e -sha256 -new -key slot_1-id_2 -out /tmp/selfsigned.pem -x509 -text


P.S. The EC_KEY_* functions appear to be working too (#4225). Have not tried the 
ECDH yet.

-- Douglas E. Engert <deeng...@gmail.com>


diff --git a/apps/req.c b/apps/req.c
index a0da788..05109b7 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -136,8 +136,8 @@ OPTIONS req_options[] = {
     {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
     {"in", OPT_IN, '<', "Input file"},
     {"out", OPT_OUT, '>', "Output file"},
-    {"key", OPT_KEY, '<', "Use the private key contained in file"},
-    {"keyform", OPT_KEYFORM, 'F', "Key file format"},
+    {"key", OPT_KEY, 's', "Use the private key contained in file"}, /* might be engine parms */
+    {"keyform", OPT_KEYFORM, 'f', "Key file format"}, /* accept any  here */
     {"pubkey", OPT_PUBKEY, '-', "Output public key"},
     {"new", OPT_NEW, '-', "New request"},
     {"config", OPT_CONFIG, '<', "Request template file"},
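
Review bot: in the req_options[] entries for "key" and "keyform", the help strings no longer match the new option types. "key" is now 's' so it can carry an engine key id, but its help still reads "Use the private key contained in file", and "keyform" still reads "Key file format" with no mention of ENGINE; both strings should be updated. Switching "key" from '<' to 's' also drops the option pre-check for the ordinary file case, so please confirm that a missing or unreadable key file is still reported clearly when the key is loaded. The trailing comments make these lines very long; placing them on their own lines above the entries would keep the table readable.
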
@@ -235,7 +235,7 @@ int req_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_ENGINE:
-            (void)setup_engine(opt_arg(), 0);
+            e = setup_engine(opt_arg(), 1);
             break;
         case OPT_KEYGEN_ENGINE:
 #ifndef OPENSSL_NO_ENGINE
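
Review bot: in the OPT_ENGINE case the second argument to setup_engine() changes from 0 to 1, which the cover message describes as turning on debug and says may not be wanted; it should go back to 0 before this is merged, while keeping the assignment to e. The body of the OPT_KEYGEN_ENGINE case just below is guarded by #ifndef OPENSSL_NO_ENGINE and this assignment is not, so please confirm that e is declared and that this still builds in a no-engine configuration.
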
@@ -259,7 +259,7 @@ int req_main(int argc, char **argv)
             template = opt_arg();
             break;
         case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER|OPT_FMT_ENGINE, &keyform))
                 goto opthelp;
             break;
         case OPT_IN:
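
Review bot: the OPT_KEYFORM case now accepts OPT_FMT_ENGINE whether or not -engine was given, and nothing in the visible lines checks that e is non-NULL when keyform ends up as the engine format. Because the two options can appear in either order, that check belongs after option parsing, with a clear error when -keyform e is used without -engine. Style: put spaces around the | operator (OPT_FMT_PEMDER | OPT_FMT_ENGINE) and wrap the line so it stays within the usual width.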

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
