Commit b6486bf7 authored by Rob Percival's avatar Rob Percival Committed by Rich Salz
Browse files

Adds a "-precert" flag to "openssl req" for creating pre-certificates 



This makes it a little easier to create a pre-certificate.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
parent 79020b27

apps/CA.pl.in

+4 −0
Original line number Diff line number Diff line
@@ -123,6 +123,10 @@ if ($WHAT eq '-newcert' ) { 
    # create a certificate

    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");

    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;

} elsif ($WHAT eq '-newprecert' ) {

    # create a pre-certificate

    $RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");

    print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;

} elsif ($WHAT eq '-newreq' ) {

    # create a certificate request

    $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");

apps/req.c

+15 −1
Original line number Diff line number Diff line
@@ -79,7 +79,7 @@ typedef enum OPTION_choice { 
    OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,

    OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,

    OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,

    OPT_REQEXTS, OPT_MD

    OPT_REQEXTS, OPT_PRECERT, OPT_MD

} OPTION_CHOICE;



const OPTIONS req_options[] = {
@@ -126,6 +126,7 @@ const OPTIONS req_options[] = { 
     "Cert extension section (override value in config file)"},

    {"reqexts", OPT_REQEXTS, 's',

     "Request extension section (override value in config file)"},

    {"precert", OPT_PRECERT, '-', "Add a poison extension"},

    {"", OPT_MD, '-', "Any supported digest"},

#ifndef OPENSSL_NO_ENGINE

    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -161,6 +162,7 @@ int req_main(int argc, char **argv) 
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;

    int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;

    int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;

    int precert = 0;

    long newkey = -1;

    unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;

    char nmflag_set = 0;
@@ -318,6 +320,9 @@ int req_main(int argc, char **argv) 
        case OPT_REQEXTS:

            req_exts = opt_arg();

            break;

        case OPT_PRECERT:

            precert = 1;

            break;

        case OPT_MD:

            if (!opt_md(opt_unknown(), &md_alg))

                goto opthelp;
@@ -644,6 +649,15 @@ int req_main(int argc, char **argv) 
                goto end;

            }



            /* If a pre-cert was requested, we need to add a poison extension */

            if (precert) {

                if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)

                    != 1) {

                    BIO_printf(bio_err, "Error adding poison extension\n");

                    goto end;

                }

            }



            i = do_X509_sign(x509ss, pkey, digest, sigopts);

            if (!i) {

                ERR_print_errors(bio_err);