We are currently working on a project where a special kind of RA has
to submit an unsigned CSR to a CA.
An unsigned CSR is a request where the signature field is unassigned
(null), because private key operations are impractical and the RA has
already verified that the requester is in possession of the private key.
Would anybody mind applying the attached patch? Or does anyone have a
better idea how to create unsigned CSRs using the "openssl req" command?
Thanks, Remo
Only in openssl-0.9.8b-custom/apps: privkey.pem
diff -ru openssl-0.9.8b/apps/req.c openssl-0.9.8b-custom/apps/req.c
--- openssl-0.9.8b/apps/req.c 2006-07-17 10:52:06.000000000 +0200
+++ openssl-0.9.8b-custom/apps/req.c 2006-07-17 11:13:45.000000000 +0200
@@ -116,6 +116,7 @@
* -config file - Load configuration file.
* -key file - make a request using key in file (or use it for verification).
* -keyform arg - key file format.
+ * -pubin - expect a public key in input file (don't sign the request).
* -rand file(s) - load the file(s) into the PRNG.
* -newkey - make a key and a request.
* -modulus - print RSA modulus.
@@ -177,7 +178,7 @@
long newkey = -1;
BIO *in=NULL,*out=NULL;
int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
- int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
+ int nodes=0,kludge=0,newhdr=0,subject=0,pubin=0,pubkey=0;
char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine=NULL;
@@ -419,11 +420,19 @@
else if (strcmp(*argv,"-modulus") == 0)
modulus=1;
else if (strcmp(*argv,"-verify") == 0)
+ {
+ if (pubin) goto bad;
verify=1;
+ }
else if (strcmp(*argv,"-nodes") == 0)
nodes=1;
else if (strcmp(*argv,"-noout") == 0)
noout=1;
+ else if (strcmp(*argv,"-pubin") == 0)
+ {
+ if (verify || x509) goto bad;
+ pubin=1;
+ }
else if (strcmp(*argv,"-verbose") == 0)
verbose=1;
else if (strcmp(*argv,"-utf8") == 0)
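Review bot: The `-pubin` branch rejects `-verify` and `-x509` but never requires `-key`, so `-pubin` given without a key file presumably falls through to the key-generation path (outside this hunk) and the `!pubin` guards added to the signing calls then write out a request that is never signed even though a freshly generated private key is at hand. Because `-key` may appear later on the command line than `-pubin`, the check belongs after the option loop rather than in this branch, e.g. `if (pubin && keyfile == NULL) goto bad;` next to the existing post-parse validation. Also, since `-pubin` and `-x509` are made mutually exclusive here and in the `-x509` branch of the next hunk, the `!pubin &&` guard added to `X509_sign` in the hunk at `@@ -967` can never be false; either that guard or the exclusion is redundant. The option loop this hunk belongs to starts and ends outside the hunk.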
@@ -443,7 +452,10 @@
else if (strcmp(*argv,"-text") == 0)
text=1;
else if (strcmp(*argv,"-x509") == 0)
+ {
+ if (pubin) goto bad;
x509=1;
+ }
else if (strcmp(*argv,"-asn1-kludge") == 0)
kludge=1;
else if (strcmp(*argv,"-no-asn1-kludge") == 0)
@@ -515,6 +527,7 @@
BIO_printf(bio_err," -key file use the private key
contained in file\n");
BIO_printf(bio_err," -keyform arg key file format\n");
BIO_printf(bio_err," -keyout arg file to send the key to\n");
+ BIO_printf(bio_err," -pubin expect a public key in
input file (don't sign the request)\n");
BIO_printf(bio_err," -rand file%cfile%c...\n",
LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
BIO_printf(bio_err," load the file (or the files
in the directory) into\n");
BIO_printf(bio_err," the random number
generator\n");
@@ -711,8 +724,12 @@
if (keyfile != NULL)
{
- pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
- "Private Key");
+ if (pubin)
+ pkey = load_pubkey(bio_err, keyfile, keyform, 0,
passin, e,
+ "Public Key");
+ else
+ pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
+ "Private Key");
if (!pkey)
{
/* load_key() has already printed an appropriate
@@ -967,7 +984,7 @@
goto end;
}
- if (!(i=X509_sign(x509ss,pkey,digest)))
+ if (!pubin && !(i=X509_sign(x509ss,pkey,digest)))
goto end;
}
else
@@ -988,7 +1005,7 @@
req_exts);
goto end;
}
- if (!(i=X509_REQ_sign(req,pkey,digest)))
+ if (!pubin && !(i=X509_REQ_sign(req,pkey,digest)))
goto end;
}
}
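Review bot: When `pubin` is set the guard `!pubin && !(i=X509_REQ_sign(req,pkey,digest))` skips the signing call, so `i` is never assigned in that branch and the request's signature and signature-algorithm fields stay at whatever `X509_REQ_new` left in them; any code after this hunk that tests `i`, and the later encoding of the request, should be checked against that state, since it is not visible here whether i2d/PEM output of a request with an unset signature succeeds. A comment at the guard would make the intent and the trust implication explicit: `/* -pubin: no private key, leave the signature unset; the request then carries no proof of possession, so the CA must rely on the RA's own check */`. The block containing this call starts outside the hunk.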