diff options
| -rw-r--r-- | apps/req.c | 5 | ||||
| -rw-r--r-- | test/recipes/25-test_req.t | 17 |
2 files changed, 16 insertions, 6 deletions
diff --git a/apps/req.c b/apps/req.c index 76b337f6bc..7e59e673e0 100644 --- a/apps/req.c +++ b/apps/req.c @@ -765,8 +765,9 @@ int req_main(int argc, char **argv) } } if (newreq || gen_x509) { - if (pkey == NULL /* can happen only if !newreq */) { - BIO_printf(bio_err, "Must provide a signature key using -key\n"); + if (CAcert == NULL && pkey == NULL) { + BIO_printf(bio_err, "Must provide a signature key using -key or" + " provide -CA / -CAkey\n"); goto end; } diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t index c1587b76d7..ca70adf577 100644 --- a/test/recipes/25-test_req.t +++ b/test/recipes/25-test_req.t @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_req"); -plan tests => 91; +plan tests => 92; require_ok(srctop_file('test', 'recipes', 'tconversion.pl')); @@ -49,6 +49,11 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2]))); ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3]))); ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3]))); +# If a CSR is provided with neither of -key or -CA/-CAkey, this should fail. +ok(!run(app(["openssl", "req", "-x509", + "-in", srctop_file(@certs, "x509-check.csr"), + "-out", "testreq.pem"]))); + subtest "generating alt certificate requests with RSA" => sub { plan tests => 3; @@ -383,7 +388,8 @@ sub generate_cert { my $ca_key = srctop_file(@certs, "ca-key.pem"); my $key = $is_ca ? $ca_key : srctop_file(@certs, "ee-key.pem"); my @cmd = ("openssl", "req", "-config", "", "-x509", - "-key", $key, "-subj", "/CN=$cn", @_, "-out", $cert); + "-subj", "/CN=$cn", @_, "-out", $cert); + push(@cmd, ("-key", $key)) if $ss; push(@cmd, ("-CA", $ca_cert, "-CAkey", $ca_key)) unless $ss; ok(run(app([@cmd])), "generate $cert"); } @@ -551,9 +557,11 @@ cert_ext_has_n_different_lines($cert, 6, $SKID_AKID); # SKID != AKID, both force # AKID of not self-issued certs $cert = "regular_v3_EE_default_KIDs.pem"; -generate_cert($cert, "-addext", "keyUsage = dataEncipherment"); +generate_cert($cert, "-addext", "keyUsage = dataEncipherment", + "-key", srctop_file(@certs, "ee-key.pem")); cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID strict_verify($cert, 1, $ca_cert); + $cert = "regular_v3_EE_copied_exts_default_KIDs.pem"; generate_cert($cert, "-copy_extensions", "copy", "-in", srctop_file(@certs, "ext-check.csr")); @@ -561,7 +569,8 @@ cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID strict_verify($cert, 1); $cert = "v3_EE_no_AKID.pem"; -generate_cert($cert, "-addext", "authorityKeyIdentifier = none"); +generate_cert($cert, "-addext", "authorityKeyIdentifier = none", + "-key", srctop_file(@certs, "ee-key.pem")); has_SKID($cert, 1); has_AKID($cert, 0); strict_verify($cert, 0, $ca_cert); |