APPS req: Extend the -keyout option to be respected also with -key

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13715)
2025-01-18 13:44:20 +08:00 · 2021-05-26 09:22:48 +02:00 · 2021-05-26 09:22:48 +02:00 · 8b893c35da
commit 8b893c35da
parent 54e8f7259b
2 changed files with 21 additions and 16 deletions
--- a/apps/req.c
+++ b/apps/req.c
@ -142,7 +142,7 @@ const OPTIONS req_options[] = {
    {"key", OPT_KEY, 's', "Private key to use"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
-    {"keyout", OPT_KEYOUT, '>', "File to save newly created private key"},
+    {"keyout", OPT_KEYOUT, '>', "File to write private key to"},
    {"passin", OPT_PASSIN, 's', "Private key and certificate password source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"newkey", OPT_NEWKEY, 's',
@ -676,17 +676,21 @@ int req_main(int argc, char **argv)

        EVP_PKEY_CTX_free(genctx);
        genctx = NULL;
-
-        if (keyout == NULL) {
-            keyout = NCONF_get_string(req_conf, section, KEYFILE);
-            if (keyout == NULL)
-                ERR_clear_error();
-        }
-
+    }
+    if (keyout == NULL) {
+        keyout = NCONF_get_string(req_conf, section, KEYFILE);
        if (keyout == NULL)
-            BIO_printf(bio_err, "Writing new private key to stdout\n");
-        else
-            BIO_printf(bio_err, "Writing new private key to '%s'\n", keyout);
+            ERR_clear_error();
+    }
+
+    if (pkey != NULL && (keyfile == NULL || keyout != NULL)) {
+        if (verbose) {
+            BIO_printf(bio_err, "Writing private key to ");
+            if (keyout == NULL)
+                BIO_printf(bio_err, "stdout\n");
+            else
+                BIO_printf(bio_err, "'%s'\n", keyout);
+        }
        out = bio_open_owner(keyout, outformat, newreq);
        if (out == NULL)
            goto end;
@ -705,7 +709,6 @@ int req_main(int argc, char **argv)

        i = 0;
 loop:
-        assert(newreq);
        if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
                                      NULL, 0, NULL, passout)) {
            if ((ERR_GET_REASON(ERR_peek_error()) ==
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@ -204,10 +204,12 @@ See L<openssl-format-options(1)> for details.

 =item B<-keyout> I<filename>

-This gives the filename to write any newly created private key to.
-If this option is not given then the filename specified in the configuration
-file with the B<default_keyfile> option is used if present,
-else the key is written to standard output.
+This gives the filename to write any private key to that has been newly created
+or read from B<-key>.
+If the B<-keyout> option is not given the filename specified in the
+configuration file with the B<default_keyfile> option is used, if present.
+If a new key is generated and no filename is specified
+the key is written to standard output.

 =item B<-noenc>