authorRob Percival <robpercival@google.com>2016-03-10 19:15:13 +0000
committerRich Salz <rsalz@openssl.org>2017-02-22 10:40:30 -0500
commitb6486bf749bf6246dbae7643c5fb7717cf388072 (patch)
treeb35d838352b52ec5a9ef4223573ac768dd53b2e9 /apps
parent79020b27beff060d02830870fdfd821fe8cbd439 (diff)
Adds a "-precert" flag to "openssl req" for creating pre-certificates
This makes it a little easier to create a pre-certificate. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/843)
Diffstat (limited to 'apps')
-rw-r--r--apps/CA.pl.in4
-rw-r--r--apps/req.c16
2 files changed, 19 insertions, 1 deletions
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 11566dfc21..940e7d60ab 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -123,6 +123,10 @@ if ($WHAT eq '-newcert' ) {
# create a certificate
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newprecert' ) {
+ # create a pre-certificate
+ $RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
+ print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
} elsif ($WHAT eq '-newreq' ) {
# create a certificate request
$RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS $EXTRA{req}");
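Review bot: The new `-newprecert` command drops the `$EXTRA{req}` argument that the sibling `-newcert` and `-newreq` commands append to the `req` invocation, so any extra options collected for `req` are silently not applied when a pre-certificate is generated; make the line parallel to its neighbours: `$RET = run("$REQ -new -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");`. Since `-x509` produces a self-signed certificate, the result is a self-signed pre-certificate, which is fine for testing but is not how RFC 6962 pre-certificates are normally issued (by the CA or a pre-certificate signing certificate); the comment should say so, e.g. `# create a self-signed pre-certificate (poison extension set; for testing, RFC 6962 pre-certs are normally CA-issued)`. If CA.pl prints a usage line listing the recognised commands, `-newprecert` presumably needs adding there as well; that text is outside this hunk.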
diff --git a/apps/req.c b/apps/req.c
index 766a27ea6b..8945cb6c01 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -79,7 +79,7 @@ typedef enum OPTION_choice {
OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS,
- OPT_REQEXTS, OPT_MD
+ OPT_REQEXTS, OPT_PRECERT, OPT_MD
} OPTION_CHOICE;
const OPTIONS req_options[] = {
@@ -126,6 +126,7 @@ const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
+ {"precert", OPT_PRECERT, '-', "Add a poison extension"},
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
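Review bot: The help string `"Add a poison extension"` on the new `precert` entry does not tell a user what a poison extension is or what kind of output it produces, and the option table is the only documentation this change adds. Something like `{"precert", OPT_PRECERT, '-', "Add the CT poison extension (RFC 6962 pre-certificate)"},` names the standard and the artefact. The extension appears to be applied only to the self-signed certificate built under `-x509` (the later hunk operates on `x509ss`); if that is the case, the help text should also say "with -x509" so users do not expect it to affect a plain request.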
@@ -161,6 +162,7 @@ int req_main(int argc, char **argv)
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
int nodes = 0, newhdr = 0, subject = 0, pubkey = 0;
+ int precert = 0;
long newkey = -1;
unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0;
char nmflag_set = 0;
@@ -318,6 +320,9 @@ int req_main(int argc, char **argv)
case OPT_REQEXTS:
req_exts = opt_arg();
break;
+ case OPT_PRECERT:
+ precert = 1;
+ break;
case OPT_MD:
if (!opt_md(opt_unknown(), &md_alg))
goto opthelp;
@@ -644,6 +649,15 @@ int req_main(int argc, char **argv)
goto end;
}
+ /* If a pre-cert was requested, we need to add a poison extension */
+ if (precert) {
+ if (X509_add1_ext_i2d(x509ss, NID_ct_precert_poison, NULL, 1, 0)
+ != 1) {
+ BIO_printf(bio_err, "Error adding poison extension\n");
+ goto end;
+ }
+ }
+
i = do_X509_sign(x509ss, pkey, digest, sigopts);
if (!i) {
ERR_print_errors(bio_err);
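Review bot: On the new failure path the code prints a fixed message and jumps to `end` without dumping the error queue, whereas the signing failure immediately below calls `ERR_print_errors(bio_err)`; the reason `X509_add1_ext_i2d` failed is therefore lost, so add `ERR_print_errors(bio_err);` after the `BIO_printf` for consistency. The comment should also record why the extension is added with `crit` set to 1: `/* RFC 6962 s3.1: the poison extension is critical so that a pre-certificate is rejected by any client that treats it as a real certificate */`. Because the extension is added to `x509ss`, this block appears to run only in the `-x509` self-signed path; if so, `-precert` given without `-x509` is silently ignored and a warning during option handling would help, though that cannot be confirmed from the hunk. `req_main` starts and ends outside this hunk.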