author | Aditya <adimail2404@gmail.com> | 2024-10-24 20:07:27 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2024-10-30 12:55:23 +0100 |
commit | bca1bb297778932c1e682166aa4780ecc96f0a0a (patch) | |
tree | 478a57ee5b6c57e5f871108baeed595c8d31a0d2 | |
parent | Remove sslkeylog file setup from quic-hq-interop (diff) | |
req: Add -cipher option to specify private key encryption cipher
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)
-rw-r--r-- | apps/req.c | 11 | ||||
-rw-r--r-- | doc/man1/openssl-req.pod.in | 12 |
2 files changed, 22 insertions, 1 deletions
diff --git a/apps/req.c b/apps/req.c
index 73dd94a567..37800b318d 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -81,6 +81,7 @@ static int batch = 0;
 
 typedef enum OPTION_choice {
 OPT_COMMON,
+ OPT_CIPHER,
 OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
 OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
 OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
@@ -98,6 +99,7 @@ typedef enum OPTION_choice {
 const OPTIONS req_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
+ {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
 #ifndef OPENSSL_NO_ENGINE
 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
@@ -250,7 +252,7 @@ int req_main(int argc, char **argv)
 LHASH_OF(OPENSSL_STRING) *addexts = NULL;
 X509 *new_x509 = NULL, *CAcert = NULL;
 X509_REQ *req = NULL;
- EVP_CIPHER *cipher = NULL;
+ const EVP_CIPHER *cipher = NULL;
 int ext_copy = EXT_COPY_UNSET;
 BIO *addext_bio = NULL;
 char *extsect = NULL;
@@ -491,6 +493,13 @@ int req_main(int argc, char **argv)
 case OPT_PRECERT:
 newreq = precert = 1;
 break;
+ case OPT_CIPHER:
+ cipher = EVP_get_cipherbyname(opt_arg());
+ if (cipher == NULL) {
+ BIO_printf(bio_err, "Unknown cipher: %s\n", opt_arg());
+ goto opthelp;
+ }
+ break;
 case OPT_MD:
 digest = opt_unknown();
 break;
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 0eacfc51a4..5cb3004d3f 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -9,6 +9,7 @@ openssl-req - PKCS#10 certificate request and certificate generating command
 
 B<openssl> B<req>
 [B<-help>]
+[B<-cipher>]
 [B<-inform> B<DER>|B<PEM>]
 [B<-outform> B<DER>|B<PEM>]
 [B<-in> I<filename>]
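Review bot: In the `OPT_CIPHER` case added to `req_main` (the `@@ -491,6 +493,13 @@` hunk of apps/req.c), any name that `EVP_get_cipherbyname()` resolves is accepted, with no check that the cipher's mode is usable for encrypting a private key. AEAD and XTS ciphers should be refused at option-parsing time rather than when the key is written (the write path is outside the hunk); widen the guard to `if (cipher == NULL || (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 || EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)` and reword the message so it also covers unsupported ciphers. The apps' shared `opt_cipher()` helper appears to apply the same filtering and would be the more consistent choice, but it takes a non-const `EVP_CIPHER **`, so check it against the declaration changed in the `@@ -250,7 +252,7 @@` hunk. `req_main` continues outside these hunks, so how `cipher` is consumed later and which default applies when `-cipher` is absent cannot be confirmed from here.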
@@ -86,6 +87,13 @@ See L<openssl-format-options(1)> for details.
 
 The data is a PKCS#10 object.
 
+=item B<-cipher> I<name>
+
+Specify the cipher to be used for encrypting the private key.
+The default cipher is 3DES (DES-EDE3-CBC).
+If no cipher is specified, 3DES will be used by default.
+You can override this by providing any valid OpenSSL cipher name.
+
 =item B<-in> I<filename>
 
 This specifies the input filename to read a request from.
@@ -652,6 +660,10 @@ Examine and verify certificate request:
 
 openssl req -in req.pem -text -verify -noout
 
+Specify the cipher to be used for encrypting the private key:
+
+ openssl req -newkey rsa:2048 -keyout privatekey.pem -out request.csr -cipher aes-256-cbc
+
 Create a private key and then generate a certificate request from it:
 
 openssl genrsa -out key.pem 2048 |