mirror of
https://github.com/openssl/openssl.git
synced 2024-11-21 01:15:20 +08:00
Add 'openssl req' option to specify extension values on command line
The idea is to be able to add extension value lines directly on the command line instead of through the config file, for example: openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \ -extension 'certificatePolicies = 1.2.3.4' Fixes #3311 Thank you Jacob Hoffman-Andrews for the inspiration Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4986)
This commit is contained in:
parent
8175af50cc
commit
bfa470a4f6
21
apps/apps.c
21
apps/apps.c
@ -442,7 +442,7 @@ static char *app_get_pass(const char *arg, int keepbio)
|
||||
return OPENSSL_strdup(tpass);
|
||||
}
|
||||
|
||||
static CONF *app_load_config_(BIO *in, const char *filename)
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename)
|
||||
{
|
||||
long errorline = -1;
|
||||
CONF *conf;
|
||||
@ -453,12 +453,17 @@ static CONF *app_load_config_(BIO *in, const char *filename)
|
||||
if (i > 0)
|
||||
return conf;
|
||||
|
||||
if (errorline <= 0)
|
||||
BIO_printf(bio_err, "%s: Can't load config file \"%s\"\n",
|
||||
opt_getprog(), filename);
|
||||
if (errorline <= 0) {
|
||||
BIO_printf(bio_err, "%s: Can't load ", opt_getprog());
|
||||
} else {
|
||||
BIO_printf(bio_err, "%s: Error on line %ld of ", opt_getprog(),
|
||||
errorline);
|
||||
}
|
||||
if (filename != NULL)
|
||||
BIO_printf(bio_err, "config file \"%s\"\n", filename);
|
||||
else
|
||||
BIO_printf(bio_err, "%s: Error on line %ld of config file \"%s\"\n",
|
||||
opt_getprog(), errorline, filename);
|
||||
BIO_printf(bio_err, "config input");
|
||||
|
||||
NCONF_free(conf);
|
||||
return NULL;
|
||||
}
|
||||
@ -472,7 +477,7 @@ CONF *app_load_config(const char *filename)
|
||||
if (in == NULL)
|
||||
return NULL;
|
||||
|
||||
conf = app_load_config_(in, filename);
|
||||
conf = app_load_config_bio(in, filename);
|
||||
BIO_free(in);
|
||||
return conf;
|
||||
}
|
||||
@ -486,7 +491,7 @@ CONF *app_load_config_quiet(const char *filename)
|
||||
if (in == NULL)
|
||||
return NULL;
|
||||
|
||||
conf = app_load_config_(in, filename);
|
||||
conf = app_load_config_bio(in, filename);
|
||||
BIO_free(in);
|
||||
return conf;
|
||||
}
|
||||
|
@ -52,6 +52,7 @@ BIO *dup_bio_err(int format);
|
||||
BIO *bio_open_owner(const char *filename, int format, int private);
|
||||
BIO *bio_open_default(const char *filename, char mode, int format);
|
||||
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename);
|
||||
CONF *app_load_config(const char *filename);
|
||||
CONF *app_load_config_quiet(const char *filename);
|
||||
int app_load_modules(const CONF *config);
|
||||
|
46
apps/req.c
46
apps/req.c
@ -70,6 +70,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
|
||||
int *pkey_type, long *pkeylen,
|
||||
char **palgnam, ENGINE *keygen_engine);
|
||||
static CONF *req_conf = NULL;
|
||||
static CONF *addext_conf = NULL;
|
||||
static int batch = 0;
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
@ -80,7 +81,7 @@ typedef enum OPTION_choice {
|
||||
OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS,
|
||||
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
|
||||
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
|
||||
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
|
||||
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
|
||||
OPT_REQEXTS, OPT_PRECERT, OPT_MD,
|
||||
OPT_R_ENUM
|
||||
} OPTION_CHOICE;
|
||||
@ -124,6 +125,8 @@ const OPTIONS req_options[] = {
|
||||
"Enable support for multivalued RDNs"},
|
||||
{"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
|
||||
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
|
||||
{"addext", OPT_ADDEXT, 's',
|
||||
"Additional cert extension key=value pair (may be given more than once)"},
|
||||
{"extensions", OPT_EXTENSIONS, 's',
|
||||
"Cert extension section (override value in config file)"},
|
||||
{"reqexts", OPT_REQEXTS, 's',
|
||||
@ -150,6 +153,7 @@ int req_main(int argc, char **argv)
|
||||
X509_REQ *req = NULL;
|
||||
const EVP_CIPHER *cipher = NULL;
|
||||
const EVP_MD *md_alg = NULL, *digest = NULL;
|
||||
BIO *addext_bio = NULL;
|
||||
char *extensions = NULL, *infile = NULL;
|
||||
char *outfile = NULL, *keyfile = NULL;
|
||||
char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL;
|
||||
@ -313,6 +317,14 @@ int req_main(int argc, char **argv)
|
||||
case OPT_MULTIVALUE_RDN:
|
||||
multirdn = 1;
|
||||
break;
|
||||
case OPT_ADDEXT:
|
||||
if (addext_bio == NULL) {
|
||||
addext_bio = BIO_new(BIO_s_mem());
|
||||
}
|
||||
if (addext_bio == NULL
|
||||
|| BIO_printf(addext_bio, "%s\n", opt_arg()) < 0)
|
||||
goto end;
|
||||
break;
|
||||
case OPT_EXTENSIONS:
|
||||
extensions = opt_arg();
|
||||
break;
|
||||
@ -349,6 +361,12 @@ int req_main(int argc, char **argv)
|
||||
if (verbose)
|
||||
BIO_printf(bio_err, "Using configuration from %s\n", template);
|
||||
req_conf = app_load_config(template);
|
||||
if (addext_bio) {
|
||||
if (verbose)
|
||||
BIO_printf(bio_err,
|
||||
"Using additional configuraton from command line\n");
|
||||
addext_conf = app_load_config_bio(addext_bio, NULL);
|
||||
}
|
||||
if (template != default_config_file && !app_load_modules(req_conf))
|
||||
goto end;
|
||||
|
||||
@ -401,6 +419,16 @@ int req_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (addext_conf != NULL) {
|
||||
/* Check syntax of command line extensions */
|
||||
X509V3_CTX ctx;
|
||||
X509V3_set_ctx_test(&ctx);
|
||||
X509V3_set_nconf(&ctx, addext_conf);
|
||||
if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
|
||||
BIO_printf(bio_err, "Error Loading command line extensions\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (passin == NULL) {
|
||||
passin = nofree_passin =
|
||||
@ -605,7 +633,8 @@ int req_main(int argc, char **argv)
|
||||
goto end;
|
||||
|
||||
/* Set version to V3 */
|
||||
if (extensions != NULL && !X509_set_version(x509ss, 2))
|
||||
if ((extensions != NULL || addext_conf != NULL)
|
||||
&& !X509_set_version(x509ss, 2))
|
||||
goto end;
|
||||
if (serial != NULL) {
|
||||
if (!X509_set_serialNumber(x509ss, serial))
|
||||
@ -643,6 +672,12 @@ int req_main(int argc, char **argv)
|
||||
extensions);
|
||||
goto end;
|
||||
}
|
||||
if (addext_conf != NULL
|
||||
&& !X509V3_EXT_add_nconf(addext_conf, &ext_ctx, "default",
|
||||
x509ss)) {
|
||||
BIO_printf(bio_err, "Error Loading command line extensions\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* If a pre-cert was requested, we need to add a poison extension */
|
||||
if (precert) {
|
||||
@ -674,6 +709,12 @@ int req_main(int argc, char **argv)
|
||||
req_exts);
|
||||
goto end;
|
||||
}
|
||||
if (addext_conf != NULL
|
||||
&& !X509V3_EXT_REQ_add_nconf(addext_conf, &ext_ctx, "default",
|
||||
req)) {
|
||||
BIO_printf(bio_err, "Error Loading command line extensions\n");
|
||||
goto end;
|
||||
}
|
||||
i = do_X509_REQ_sign(req, pkey, digest, sigopts);
|
||||
if (!i) {
|
||||
ERR_print_errors(bio_err);
|
||||
@ -817,6 +858,7 @@ int req_main(int argc, char **argv)
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
NCONF_free(req_conf);
|
||||
BIO_free(addext_bio);
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
EVP_PKEY_free(pkey);
|
||||
|
@ -37,6 +37,7 @@ B<openssl> B<req>
|
||||
[B<-days n>]
|
||||
[B<-set_serial n>]
|
||||
[B<-newhdr>]
|
||||
[B<-addext ext>]
|
||||
[B<-extensions section>]
|
||||
[B<-reqexts section>]
|
||||
[B<-precert>]
|
||||
@ -255,6 +256,14 @@ be a positive integer. The default is 30 days.
|
||||
Serial number to use when outputting a self signed certificate. This
|
||||
may be specified as a decimal value or a hex value if preceded by B<0x>.
|
||||
|
||||
=item B<-addext ext>
|
||||
|
||||
Add a specific extension to the certificate (if the B<-x509> option is
|
||||
present) or certificate request. The argument must have the form of
|
||||
a key=value pair as it would appear in a config file.
|
||||
|
||||
This option can be given multiple times.
|
||||
|
||||
=item B<-extensions section>
|
||||
|
||||
=item B<-reqexts section>
|
||||
@ -591,6 +600,14 @@ Sample configuration containing all field values:
|
||||
[ req_attributes ]
|
||||
challengePassword = A challenge password
|
||||
|
||||
Example of giving the most common attributes (subject and extensions)
|
||||
on the command line:
|
||||
|
||||
openssl req -new -subj "/C=GB/CN=foo" \
|
||||
-addext "subjectAltName = DNS:foo.co.uk" \
|
||||
-addext "certificatePolicies = 1.2.3.4" \
|
||||
-newkey rsa:2048 -keyout key.pem -out req.pem
|
||||
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user