APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
Dr. David von Oheimb 2021-08-27 07:11:36 +02:00 committed by Dr. David von Oheimb
parent 85efdaab4d
commit 611ef4f373
4 changed files with 78 additions and 27 deletions


@ -103,7 +103,7 @@ const OPTIONS req_options[] = {
{"keygen_engine", OPT_KEYGEN_ENGINE, 's',
"Specify engine to be used for key generation operations"},
#endif
{"in", OPT_IN, '<', "X.509 request input file"},
{"in", OPT_IN, '<', "X.509 request input file (default stdin)"},
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
{"verify", OPT_VERIFY, '-', "Verify self-signature on the request"},
@ -136,10 +136,10 @@ const OPTIONS req_options[] = {
"Cert extension section (override value in config file)"},
{"reqexts", OPT_REQEXTS, 's',
"Request extension section (override value in config file)"},
{"precert", OPT_PRECERT, '-', "Add a poison extension (implies -new)"},
{"precert", OPT_PRECERT, '-', "Add a poison extension to generated cert (implies -new)"},
OPT_SECTION("Keys and Signing"),
{"key", OPT_KEY, 's', "Key to include and to use for self-signature"},
{"key", OPT_KEY, 's', "Key for signing, and to include unless -in given"},
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
{"pubkey", OPT_PUBKEY, '-', "Output public key"},
{"keyout", OPT_KEYOUT, '>', "File to write private key to"},
@ -489,8 +489,13 @@ int req_main(int argc, char **argv)
if (ext_copy == EXT_COPY_NONE)
BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
}
if (gen_x509 && infile == NULL)
newreq = 1;
if (infile == NULL) {
if (gen_x509)
newreq = 1;
else
BIO_printf(bio_err,
"Warning: Will read cert request from stdin since no -in option is given\n");
}
if (!app_passwd(passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
@ -631,6 +636,11 @@ int req_main(int argc, char **argv)
goto end;
app_RAND_load_conf(req_conf, section);
}
if (keyalg != NULL && pkey != NULL) {
BIO_printf(bio_err,
"Warning: Not generating key via given -newkey option since -key is given\n");
/* Better throw an error in this case */
}
if (newreq && pkey == NULL) {
app_RAND_load_conf(req_conf, section);
@ -742,9 +752,17 @@ int req_main(int argc, char **argv)
goto end;
if (!newreq) {
req = load_csr(infile, informat, "X509 request");
if (keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not placing -key in cert or request since request is used\n");
req = load_csr(infile /* if NULL, reads from stdin */,
informat, "X509 request");
if (req == NULL)
goto end;
} else if (infile != NULL) {
BIO_printf(bio_err,
"Warning: Ignoring -in option since -new or -newkey or -precert is given\n");
/* Better throw an error in this case, as done in the x509 app */
}
if (CAkeyfile == NULL)
@ -752,7 +770,7 @@ int req_main(int argc, char **argv)
if (CAkeyfile != NULL) {
if (CAfile == NULL) {
BIO_printf(bio_err,
"Ignoring -CAkey option since no -CA option is given\n");
"Warning: Ignoring -CAkey option since no -CA option is given\n");
} else {
if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF,
0, passin, e,
@ -788,6 +806,7 @@ int req_main(int argc, char **argv)
BIO_printf(bio_err, "Error making certificate request\n");
goto end;
}
/* Note that -x509 can take over -key and -subj option values. */
}
if (gen_x509) {
EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
@ -798,6 +817,10 @@ int req_main(int argc, char **argv)
X509_NAME *n_subj = fsubj != NULL ? fsubj :
X509_REQ_get_subject_name(req);
if (CAcert != NULL && keyfile != NULL)
BIO_printf(bio_err,
"Warning: Not using -key or -newkey for signing since -CA option is given\n");
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
goto end;
@ -874,6 +897,10 @@ int req_main(int argc, char **argv)
} else {
X509V3_CTX ext_ctx;
if (precert) {
BIO_printf(bio_err,
"Warning: Ignoring -precert flag since no cert is produced\n");
}
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0);
X509V3_set_nconf(&ext_ctx, req_conf);
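Review bot: The new else branch that prints `"Warning: Will read cert request from stdin since no -in option is given\n"` fires whenever -in is absent and -x509 is not given, but if newreq was already set by -new, -newkey or -precert during option parsing (outside this hunk) no request is read at all, so a plain `openssl req -new -key ...` gets a misleading warning; the guard should be `else if (!newreq)`. The later hunks that only warn when -newkey is combined with -key, or -in with -new/-newkey/-precert, leave the user unsure which key or input actually ended up in the output, and the in-code comments already concede an error would be better — a `goto end` with an "Error:" message is the safer choice for conflicting key sources. req_main's body extends well beyond these hunks.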


@ -61,7 +61,7 @@ const OPTIONS x509_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<',
"Certificate input (default stdin), or CSR input file with -req"},
"Certificate input, or CSR input file with -req (default stdin)"},
{"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
{"new", OPT_NEW, '-', "Generate a certificate from scratch"},
{"x509toreq", OPT_X509TOREQ, '-',
@ -73,7 +73,7 @@ const OPTIONS x509_options[] = {
"CSR input file format (DER or PEM) - default PEM"},
{"vfyopt", OPT_VFYOPT, 's', "CSR verification parameter in n:v form"},
{"key", OPT_KEY, 's',
"Key to be used in certificate or cert request"},
"Key for signing, and to include unless using -force_pubkey"},
{"signkey", OPT_SIGNKEY, 's',
"Same as -key"},
{"keyform", OPT_KEYFORM, 'E',
@ -630,7 +630,7 @@ int x509_main(int argc, char **argv)
}
if (privkeyfile == NULL && pubkeyfile == NULL) {
BIO_printf(bio_err,
"The -new option without -key requires using -force_pubkey\n");
"The -new option requires using the -key or -force_pubkey option\n");
goto end;
}
}
@ -642,7 +642,7 @@ int x509_main(int argc, char **argv)
CAkeyfile = CAfile;
if (CAfile != NULL) {
if (privkeyfile != NULL) {
BIO_printf(bio_err, "Cannot use both -key and -CA option\n");
BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");
goto end;
}
} else if (CAkeyfile != NULL) {
@ -676,6 +676,9 @@ int x509_main(int argc, char **argv)
}
if (reqfile) {
if (infile == NULL)
BIO_printf(bio_err,
"Warning: Reading cert request from stdin since no -in option is given\n");
req = load_csr(infile, informat, "certificate request input");
if (req == NULL)
goto end;
@ -725,6 +728,9 @@ int x509_main(int argc, char **argv)
}
}
} else {
if (infile == NULL)
BIO_printf(bio_err,
"Warning: Reading certificate from stdin since no -in option is given\n");
x = load_cert_pass(infile, informat, 1, passin, "certificate");
if (x == NULL)
goto end;
@ -819,7 +825,7 @@ int x509_main(int argc, char **argv)
if (x509toreq) { /* also works in conjunction with -req */
if (privkey == NULL) {
BIO_printf(bio_err, "Must specify request key using -key\n");
BIO_printf(bio_err, "Must specify request signing key using -key\n");
goto end;
}
if (clrext && ext_copy != EXT_COPY_NONE) {
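Review bot: The two stdin warnings added before `load_csr(...)` and `load_cert_pass(...)` read "Warning: Reading ... from stdin since no -in option is given", while the equivalent warning this commit adds to req.c reads "Warning: Will read cert request from stdin ..."; the same condition should produce the same phrasing in both apps so scripts and users scanning stderr see one message form. The placement looks right, assuming each warning sits in a branch that actually reads its input, but the enclosing branch conditions of x509_main lie outside these hunks.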


@ -79,9 +79,10 @@ The data is a PKCS#10 object.
=item B<-in> I<filename>
This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (B<-new> or B<-newkey>) are not specified.
This specifies the input filename to read a request from.
This defaults to standard input unless B<-x509> or B<-CA> is specified.
A request is only read if the creation options
(B<-new> or B<-newkey> or B<-precert>) are not specified.
=item B<-sigopt> I<nm>:I<v>
@ -156,8 +157,13 @@ else by default an RSA key with 2048 bits length.
=item B<-newkey> I<arg>
This option creates a new certificate request and a new private
key. The argument takes one of several forms.
This option is used to generate a new private key unless B<-key> is given.
It is subsequently used as if it was given using the B<-key> option.
This option implies the B<-new> flag to create a new certificate request
or a new certificate in case B<-x509> is given.
The argument takes one of several forms.
[B<rsa:>]I<nbits> generates an RSA key I<nbits> in size.
If I<nbits> is omitted, i.e., B<-newkey> B<rsa> is specified,
@ -193,9 +199,14 @@ See L<openssl-genpkey(1)/KEY GENERATION OPTIONS> for more details.
=item B<-key> I<filename>|I<uri>
This specifies the key to include and to use for request self-signature
and for self-signing certificates produced with the B<-x509> option.
It also accepts PKCS#8 format private keys for PEM format files.
This option provides the private key for signing a new certificate or
certificate request.
Unless B<-in> is given, the corresponding public key is placed in
the new certificate or certificate request, resulting in a self-signature.
For certificate signing this option is overridden by the B<-CA> option.
This option also accepts PKCS#8 format private keys for PEM format files.
=item B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>
@ -268,6 +279,8 @@ This option outputs a certificate instead of a certificate request.
This is typically used to generate test certificates.
It is implied by the B<-CA> option.
This option implies the B<-new> flag if B<-in> is not given.
If an existing request is specified with the B<-in> option, it is converted
to the a certificate; otherwise a request is created from scratch.


@ -102,9 +102,11 @@ Print out a usage message.
=item B<-in> I<filename>|I<uri>
If the B<-req> option is not used this specifies the input
to read a certificate from or standard input if this option is not specified.
With the B<-req> option this specifies a certificate request file.
This specifies the input to read a certificate from
or the input file for reading a certificate request if the B<-req> flag is used.
In both cases this defaults to standard input.
This option cannot be combined with the B<-new> flag.
=item B<-passin> I<arg>
@ -163,9 +165,12 @@ Names and values of these options are algorithm-specific.
=item B<-key> I<filename>|I<uri>
This option causes the new certificate or certificate request
to be self-signed using the supplied private key.
This cannot be used in conjunction with the B<-CA> option.
This option provides the private key for signing a new certificate or
certificate request.
Unless B<-force_pubkey> is given, the corresponding public key is placed in
the new certificate or certificate request, resulting in a self-signature.
This option cannot be used in conjunction with the B<-CA> option.
It sets the issuer name to the subject name (i.e., makes it self-issued)
and changes the public key to the supplied value (unless overridden
@ -466,7 +471,7 @@ certificate, which is then signed using the "CA" key given as detailed below.
This option cannot be used in conjunction with the B<-key> option.
This option is normally combined with the B<-req> option referencing a CSR.
Without the B<-req> option the input must be a self-signed certificate
Without the B<-req> option the input must be an existing certificate
unless the B<-new> option is given, which generates a certificate from scratch.
=item B<-CAform> B<DER>|B<PEM>|B<P12>,