The branch master has been updated via 6b38d7dc1bccc708279ca5091ebc28cd4bdf225d (commit) from ab98861e919b8f8f7fee3f2d44ef3b4b05908a25 (commit)
- Log ----------------------------------------------------------------- commit 6b38d7dc1bccc708279ca5091ebc28cd4bdf225d Author: Dmitry Belyavskiy <beld...@gmail.com> Date: Mon Aug 2 17:00:51 2021 +0200 If we have passed the private key, don't copy it implicitly Fixes #16197 Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> Reviewed-by: Paul Dale <pa...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16199) ----------------------------------------------------------------------- Summary of changes: apps/req.c | 2 +- doc/man1/openssl-req.pod.in | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apps/req.c b/apps/req.c index eb286f8a8e..5524092f2c 100644 --- a/apps/req.c +++ b/apps/req.c @@ -686,7 +686,7 @@ int req_main(int argc, char **argv) EVP_PKEY_CTX_free(genctx); genctx = NULL; } - if (keyout == NULL) { + if (keyout == NULL && keyfile == NULL) { keyout = NCONF_get_string(req_conf, section, KEYFILE); if (keyout == NULL) ERR_clear_error(); diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in index 7897610818..75d0da1743 100644 --- a/doc/man1/openssl-req.pod.in +++ b/doc/man1/openssl-req.pod.in 
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for details. =item B<-keyout> I<filename> This gives the filename to write any private key to that has been newly created -or read from B<-key>. -If the B<-keyout> option is not given the filename specified in the -configuration file with the B<default_keyfile> option is used, if present. -If a new key is generated and no filename is specified -the key is written to standard output. +or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option +are given then the filename specified in the configuration file with the +B<default_keyfile> option is used, if present. Thus, if you want to write the +private key and the B<-key> option is provided, you should provide the +B<-keyout> option explicitly. If a new key is generated and no filename is +specified the key is written to standard output. =item B<-noenc>
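Review bot: In the apps/req.c hunk at `if (keyout == NULL && keyfile == NULL) {`, the new `keyfile == NULL` term has no comment and, going by the summary of changes (only apps/req.c and doc/man1/openssl-req.pod.in are touched), no regression test. The condition now decides whether a private key supplied with -key gets written to the configuration file's default key file, so a one-line comment above the `if` saying that a key passed in by the user is not copied implicitly would keep a later cleanup from dropping the check. A test that runs req with -key against a configuration that sets default_keyfile and asserts that no key file is created would pin the behaviour fixed for #16197.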
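Review bot: In the doc/man1/openssl-req.pod.in hunk, the added sentence "If neither the B<-keyout> option nor the B<-key> option are given" should read "is given", and the following "Thus, if you want to write the private key and the B<-key> option is provided, you should provide the B<-keyout> option explicitly" only implies the new behaviour. Consider stating it directly, for example that a key read from B<-key> is written out only when B<-keyout> is given, so that readers who relied on B<default_keyfile> together with B<-key> can see that the key is no longer copied there.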