openssl_req_resign_rekey.patch
Description: implements -resign and -rekey options for openssl req
---
Index: openssl-1.0.1e/doc/apps/req.pod
===================================================================
--- openssl-1.0.1e.orig/doc/apps/req.pod 2014-02-23 10:52:49.712661594 +0100
+++ openssl-1.0.1e/doc/apps/req.pod 2014-02-23 10:52:55.076688193 +0100
@@ -43,6 +43,8 @@
[B<-utf8>]
[B<-nameopt>]
[B<-reqopt>]
+[B<-resign>]
+[B<-rekey>]
[B<-subject>]
[B<-subj arg>]
[B<-batch>]
@@ -135,6 +137,15 @@
I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
+=item B<-resign>
+
+Re-signs the input request with private key B<-key>.
+
+=item B<-rekey>
+
+Uses private key B<-key> to create a different public key for existing
+certificate request.
+
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
Index: openssl-1.0.1e/apps/req.c
===================================================================
--- openssl-1.0.1e.orig/apps/req.c 2014-02-23 10:52:49.712661594 +0100
+++ openssl-1.0.1e/apps/req.c 2014-02-23 10:52:55.076688193 +0100
@@ -118,6 +118,8 @@
* -keyform arg - key file format.
* -rand file(s) - load the file(s) into the PRNG.
* -newkey - make a key and a request.
+ * -resign - re-sign existing certificate request.
+ * -rekey - use new private key for existing certificate request.
* -modulus - print RSA modulus.
* -pubkey - output Public Key.
* -x509 - output a self signed X509 structure instead.
@@ -171,7 +173,7 @@
long newkey = -1;
BIO *in=NULL,*out=NULL;
int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
- int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
+ int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0,resign=0,rekey=0;
char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
@@ -355,6 +357,10 @@
kludge=1;
else if (strcmp(*argv,"-no-asn1-kludge") == 0)
kludge=0;
+ else if (strcmp(*argv,"-resign") == 0)
+ resign=1;
+ else if (strcmp(*argv,"-rekey") == 0)
+ rekey=1;
else if (strcmp(*argv,"-subj") == 0)
{
if (--argc < 1) goto bad;
@@ -435,6 +441,8 @@
BIO_printf(bio_err," -subj arg set or modify request subject\n");
BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
BIO_printf(bio_err," -new new request.\n");
+ BIO_printf(bio_err," -resign re-sign existing certificate request.\n");
+ BIO_printf(bio_err," -rekey use new private key for existing certificate request.\n");
BIO_printf(bio_err," -batch do not ask anything during request generation\n");
BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
BIO_printf(bio_err," -days number of days a certificate generated by -x509 is valid for.\n");
@@ -931,6 +939,26 @@
}
}
+ if (rekey)
+ {
+ if (!X509_REQ_set_pubkey(req,pkey))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ req->req_info->enc.modified = 1;
+ }
+
+ if (rekey || resign)
+ {
+ i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
+ if (!i)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
if (verify && !x509)
{
int tmp=0;
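Review bot: The new `-resign` path signs the loaded request with `pkey` without checking that `pkey` corresponds to the public key already in the request, so a mismatched `-key` silently produces a CSR whose signature fails verification (a CA doing a proof-of-possession check will reject it); it also appears that `pkey` may still be NULL here when neither `-key` nor `-new` was given, which this hunk does not guard against. Before the `do_X509_REQ_sign` call I would add `if (pkey == NULL) { BIO_printf(bio_err,"-resign and -rekey require -key\n"); goto end; }` and, for the resign-only case, `if (resign && !rekey && !X509_REQ_check_private_key(req,pkey)) { ERR_print_errors(bio_err); goto end; }` so the mismatch is reported instead of producing an unverifiable request. The manual `req->req_info->enc.modified = 1;` after `X509_REQ_set_pubkey` deserves a one-line comment, e.g. `/* force re-encoding of req_info so the signature covers the new key */`, since the pubkey setter does not invalidate the cached DER on its own. The enclosing function begins and ends outside this hunk, and the `if (verify && !x509)` block at its tail continues past the last visible line.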