[openssl] master update

dev at ddvo.net dev at ddvo.net
Fri Apr 24 16:01:42 UTC 2020


The branch master has been updated
       via  01c12100f7d54db29da3fd47dc40c9d0e08c0ab0 (commit)
       via  3ee4e8cea72056ea56fdbfff8bb1b6daf2276933 (commit)
       via  51c833ac2d46653c8124a25def4df0b3d1a832b5 (commit)
       via  9d5aca655323d795ad8c28fa6be47250a08c18c7 (commit)
      from  852c2ed260860b6b85c84f9fe96fb4d23d49c9f2 (commit)


- Log -----------------------------------------------------------------
commit 01c12100f7d54db29da3fd47dc40c9d0e08c0ab0
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Apr 22 14:58:41 2020 +0200

    Clean up the use of ERR_print_errors() in apps.c and in four apps
    
    Also make sure that all error messages in apps.c consistently begin upper-case.
    Changed files: apps/lib/apps.c and apps/{req.c,s_client.c,s_server.c,x509.c}
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    (Merged from https://github.com/openssl/openssl/pull/4940)

commit 3ee4e8cea72056ea56fdbfff8bb1b6daf2276933
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Dec 26 19:33:04 2017 +0100

    Remove a bad 'goto end' and a few superfluous ones in apps/lib/apps.c
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    (Merged from https://github.com/openssl/openssl/pull/4940)

commit 51c833ac2d46653c8124a25def4df0b3d1a832b5
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Dec 22 19:50:17 2017 +0100

    Improve feedback on wrong format with new print_format_error() in apps/lib/opt.c
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    (Merged from https://github.com/openssl/openssl/pull/4940)

commit 9d5aca655323d795ad8c28fa6be47250a08c18c7
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Dec 15 20:50:37 2017 +0100

    Add function load_csr(file,format,desc) to apps/lib/apps.c
    
    Make use of new load_csr() in 'ca', 'req', and 'x509' app
    Add '-inform' and '-certform' option to 'ca' app
    Add 'desc' parameter to load_crl() function defined in apps/lib/apps.c
    Allow 'desc' parameter to be NULL (gives option to suppress error output)
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    (Merged from https://github.com/openssl/openssl/pull/4940)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                  |  59 ++++++++------
 apps/crl.c                 |   4 +-
 apps/include/apps.h        |  13 +--
 apps/include/opt.h         |   2 +
 apps/lib/apps.c            | 193 ++++++++++++++++++++++++++++-----------------
 apps/lib/opt.c             |  35 ++++++++
 apps/req.c                 |  25 ++----
 apps/s_client.c            |  15 +---
 apps/s_server.c            |  27 ++-----
 apps/x509.c                |  12 +--
 doc/man1/openssl-ca.pod.in |  12 +++
 test/recipes/80-test_ca.t  |   8 +-
 12 files changed, 237 insertions(+), 168 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index e2fb43fd7e..a18ff0998e 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -93,7 +93,8 @@ typedef enum {
 
 static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
 
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+                   EVP_PKEY *pkey, X509 *x509,
                    const EVP_MD *dgst,
                    STACK_OF(OPENSSL_STRING) *sigopts,
                    STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -104,7 +105,8 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
                    long days, int batch, const char *ext_sect, CONF *conf,
                    int verbose, unsigned long certopt, unsigned long nameopt,
                    int default_op, int ext_copy, int selfsign);
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int informat,
+                        EVP_PKEY *pkey, X509 *x509,
                         const EVP_MD *dgst,
                         STACK_OF(OPENSSL_STRING) *sigopts,
                         STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -150,7 +152,8 @@ typedef enum OPTION_choice {
     OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
     OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
     OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
-    OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
+    OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
+    OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
     OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
     OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
     OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
@@ -168,7 +171,8 @@ const OPTIONS ca_options[] = {
     {"help", OPT_HELP, '-', "Display this summary"},
     {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
     {"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
-    {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
+    {"in", OPT_IN, '<', "The input cert request(s)"},
+    {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
     {"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
     {"out", OPT_OUT, '>', "Where to put the output file(s)"},
     {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
@@ -190,7 +194,7 @@ const OPTIONS ca_options[] = {
 
     OPT_SECTION("Certificate"),
     {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
-    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
+    {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"},
     {"create_serial", OPT_CREATE_SERIAL, '-',
      "If reading serial fails, create a new random serial"},
     {"rand_serial", OPT_RAND_SERIAL, '-',
@@ -215,6 +219,8 @@ const OPTIONS ca_options[] = {
     {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
     {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
     {"cert", OPT_CERT, '<', "The CA cert"},
+    {"certform", OPT_CERTFORM, 'F',
+     "certificate input format (DER or PEM); default PEM"},
     {"selfsign", OPT_SELFSIGN, '-',
      "Sign a cert with the key associated with it"},
     {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
@@ -267,6 +273,7 @@ int ca_main(int argc, char **argv)
     char *configfile = default_config_file, *section = NULL;
     char *md = NULL, *policy = NULL, *keyfile = NULL;
     char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
+    int certformat = FORMAT_PEM, informat = FORMAT_PEM;
     const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
     const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
     char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
@@ -306,6 +313,10 @@ opthelp:
             req = 1;
             infile = opt_arg();
             break;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
         case OPT_OUT:
             outfile = opt_arg();
             break;
@@ -373,6 +384,10 @@ opthelp:
         case OPT_CERT:
             certfile = opt_arg();
             break;
+        case OPT_CERTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &certformat))
+                goto opthelp;
+            break;
         case OPT_SELFSIGN:
             selfsign = 1;
             break;
@@ -571,7 +586,7 @@ end_of_options:
             && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
             goto end;
 
-        x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
+        x509 = load_cert(certfile, certformat, "CA certificate");
         if (x509 == NULL)
             goto end;
 
@@ -926,7 +941,7 @@ end_of_options:
         }
         if (ss_cert_file != NULL) {
             total++;
-            j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
+            j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst,
                              sigopts, vfyopts, attribs,
                              db, serial, subj, chtype, multirdn, email_dn,
                              startdate, enddate, days, batch, extensions,
@@ -947,8 +962,8 @@ end_of_options:
         }
         if (infile != NULL) {
             total++;
-            j = certify(&x, infile, pkey, x509p, dgst, sigopts, vfyopts,
-                        attribs, db,
+            j = certify(&x, infile, informat, pkey, x509p, dgst,
+                        sigopts, vfyopts, attribs, db,
                         serial, subj, chtype, multirdn, email_dn, startdate,
                         enddate, days, batch, extensions, conf, verbose,
                         certopt, get_nameopt(), default_op, ext_copy, selfsign);
@@ -967,7 +982,8 @@ end_of_options:
         }
         for (i = 0; i < argc; i++) {
             total++;
-            j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, vfyopts,
+            j = certify(&x, argv[i], informat, pkey, x509p, dgst,
+                        sigopts, vfyopts,
                         attribs, db,
                         serial, subj, chtype, multirdn, email_dn, startdate,
                         enddate, days, batch, extensions, conf, verbose,
@@ -1247,7 +1263,7 @@ end_of_options:
             goto end;
         } else {
             X509 *revcert;
-            revcert = load_cert(infile, FORMAT_PEM, infile);
+            revcert = load_cert(infile, certformat, infile);
             if (revcert == NULL)
                 goto end;
             if (dorevoke == 2)
@@ -1300,7 +1316,8 @@ static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
     return entry;
 }
 
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+                   EVP_PKEY *pkey, X509 *x509,
                    const EVP_MD *dgst,
                    STACK_OF(OPENSSL_STRING) *sigopts,
                    STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -1313,20 +1330,12 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
                    int default_op, int ext_copy, int selfsign)
 {
     X509_REQ *req = NULL;
-    BIO *in = NULL;
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    in = BIO_new_file(infile, "r");
-    if (in == NULL) {
-        ERR_print_errors(bio_err);
+    req = load_csr(infile, informat, "certificate request");
+    if (req == NULL)
         goto end;
-    }
-    if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
-        BIO_printf(bio_err, "Error reading certificate request in %s\n",
-                   infile);
-        goto end;
-    }
     if (verbose)
         X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT);
 
@@ -1367,11 +1376,11 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
 
  end:
     X509_REQ_free(req);
-    BIO_free(in);
     return ok;
 }
 
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int certformat,
+                        EVP_PKEY *pkey, X509 *x509,
                         const EVP_MD *dgst,
                         STACK_OF(OPENSSL_STRING) *sigopts,
                         STACK_OF(OPENSSL_STRING) *vfyopts,
@@ -1387,7 +1396,7 @@ static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
+    if ((req = load_cert(infile, certformat, infile)) == NULL)
         goto end;
     if (verbose)
         X509_print(bio_err, req);
diff --git a/apps/crl.c b/apps/crl.c
index 8b5a36322a..8028fef5de 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -205,7 +205,7 @@ int crl_main(int argc, char **argv)
     if (argc != 0)
         goto opthelp;
 
-    x = load_crl(infile, informat);
+    x = load_crl(infile, informat, "CRL");
     if (x == NULL)
         goto end;
 
@@ -250,7 +250,7 @@ int crl_main(int argc, char **argv)
             BIO_puts(bio_err, "Missing CRL signing key\n");
             goto end;
         }
-        newcrl = load_crl(crldiff, informat);
+        newcrl = load_crl(crldiff, informat, "other CRL");
         if (!newcrl)
             goto end;
         pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
diff --git a/apps/include/apps.h b/apps/include/apps.h
index f9049f060f..e168942e19 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -104,16 +104,17 @@ int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
 int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
 int add_oid_section(CONF *conf);
-X509 *load_cert(const char *file, int format, const char *cert_descrip);
-X509_CRL *load_crl(const char *infile, int format);
+X509_REQ *load_csr(const char *file, int format, const char *desc);
+X509 *load_cert(const char *file, int format, const char *desc);
+X509_CRL *load_crl(const char *infile, int format, const char *desc);
 EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
-                   const char *pass, ENGINE *e, const char *key_descrip);
+                   const char *pass, ENGINE *e, const char *desc);
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
-                      const char *pass, ENGINE *e, const char *key_descrip);
+                      const char *pass, ENGINE *e, const char *desc);
 int load_certs(const char *file, STACK_OF(X509) **certs, int format,
-               const char *pass, const char *cert_descrip);
+               const char *pass, const char *desc);
 int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
-              const char *pass, const char *cert_descrip);
+              const char *pass, const char *desc);
 X509_STORE *setup_verify(const char *CAfile, int noCAfile,
                          const char *CApath, int noCApath,
                          const char *CAstore, int noCAstore);
diff --git a/apps/include/opt.h b/apps/include/opt.h
index 1a26f34649..1bf46215d5 100644
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -342,6 +342,7 @@ char *opt_init(int ac, char **av, const OPTIONS * o);
 int opt_next(void);
 void opt_begin(void);
 int opt_format(const char *s, unsigned long flags, int *result);
+const char *format2str(int format);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
 int opt_long(const char *arg, long *result);
@@ -370,6 +371,7 @@ int opt_provider(int i);
 void opt_help(const OPTIONS * list);
 void opt_print(const OPTIONS * opt, int doingparams, int width);
 int opt_format_error(const char *s, unsigned long flags);
+void print_format_error(int format, unsigned long flags);
 int opt_isdir(const char *name);
 int opt_printf_stderr(const char *fmt, ...);
 
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 5395d842eb..1a23ae0846 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -421,7 +421,7 @@ static int load_pkcs12(BIO *in, const char *desc,
     int len, ret = 0;
     PKCS12 *p12;
     p12 = d2i_PKCS12_bio(in, NULL);
-    if (p12 == NULL) {
+    if (p12 == NULL && desc != NULL) {
         BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
         goto die;
     }
@@ -433,7 +433,8 @@ static int load_pkcs12(BIO *in, const char *desc,
             pem_cb = (pem_password_cb *)password_callback;
         len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
         if (len < 0) {
-            BIO_printf(bio_err, "Passphrase callback error for %s\n", desc);
+            BIO_printf(bio_err, "Passphrase callback error for %s\n",
+                                desc != NULL ? desc : "PKCS12 input");
             goto die;
         }
         if (len < PEM_BUFSIZE)
@@ -441,7 +442,7 @@ static int load_pkcs12(BIO *in, const char *desc,
         if (!PKCS12_verify_mac(p12, tpass, len)) {
             BIO_printf(bio_err,
                        "Mac verify error (wrong password?) in PKCS12 file for %s\n",
-                       desc);
+                       desc != NULL ? desc : "PKCS12 input");
             goto die;
         }
         pass = tpass;
@@ -452,7 +453,7 @@ static int load_pkcs12(BIO *in, const char *desc,
     return ret;
 }
 
-X509 *load_cert(const char *file, int format, const char *cert_descrip)
+X509 *load_cert(const char *file, int format, const char *desc)
 {
     X509 *x = NULL;
     BIO *cert;
@@ -479,22 +480,26 @@ X509 *load_cert(const char *file, int format, const char *cert_descrip)
         x = PEM_read_bio_X509_AUX(cert, NULL,
                                   (pem_password_cb *)password_callback, NULL);
     } else if (format == FORMAT_PKCS12) {
-        if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
+        if (!load_pkcs12(cert, desc, NULL, NULL, NULL, &x, NULL))
             goto end;
     } else {
-        BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip);
-        goto end;
+        print_format_error(format,
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
+                                   OPT_FMT_HTTP |
+#endif
+                                   OPT_FMT_PEMDER | OPT_FMT_PKCS12);
     }
+
  end:
-    if (x == NULL) {
-        BIO_printf(bio_err, "unable to load certificate\n");
+    if (x == NULL && desc != NULL) {
+        BIO_printf(bio_err, "Unable to load %s\n", desc);
         ERR_print_errors(bio_err);
     }
     BIO_free(cert);
     return x;
 }
 
-X509_CRL *load_crl(const char *infile, int format)
+X509_CRL *load_crl(const char *infile, int format, const char *desc)
 {
     X509_CRL *x = NULL;
     BIO *in = NULL;
@@ -513,23 +518,45 @@ X509_CRL *load_crl(const char *infile, int format)
         x = d2i_X509_CRL_bio(in, NULL);
     } else if (format == FORMAT_PEM) {
         x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
-    } else {
-        BIO_printf(bio_err, "bad input format specified for input crl\n");
-        goto end;
-    }
-    if (x == NULL) {
-        BIO_printf(bio_err, "unable to load CRL\n");
+    } else
+        print_format_error(format, OPT_FMT_PEMDER);
+
+ end:
+    if (x == NULL && desc != NULL) {
+        BIO_printf(bio_err, "Unable to load %s\n", desc);
         ERR_print_errors(bio_err);
-        goto end;
     }
+    BIO_free(in);
+    return x;
+}
+
+X509_REQ *load_csr(const char *file, int format, const char *desc)
+{
+    X509_REQ *req = NULL;
+    BIO *in;
+
+    in = bio_open_default(file, 'r', format);
+    if (in == NULL)
+        goto end;
+
+    if (format == FORMAT_ASN1)
+        req = d2i_X509_REQ_bio(in, NULL);
+    else if (format == FORMAT_PEM)
+        req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+    else
+        print_format_error(format, OPT_FMT_PEMDER);
 
  end:
+    if (req == NULL && desc != NULL) {
+        BIO_printf(bio_err, "Unable to load %s\n", desc);
+        ERR_print_errors(bio_err);
+    }
     BIO_free(in);
-    return x;
+    return req;
 }
 
 EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
-                   const char *pass, ENGINE *e, const char *key_descrip)
+                   const char *pass, ENGINE *e, const char *desc)
 {
     BIO *key = NULL;
     EVP_PKEY *pkey = NULL;
@@ -539,12 +566,12 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
     cb_data.prompt_info = file;
 
     if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
-        BIO_printf(bio_err, "no keyfile specified\n");
+        BIO_printf(bio_err, "No keyfile specified\n");
         goto end;
     }
     if (format == FORMAT_ENGINE) {
         if (e == NULL) {
-            BIO_printf(bio_err, "no engine specified\n");
+            BIO_printf(bio_err, "No engine specified\n");
         } else {
 #ifndef OPENSSL_NO_ENGINE
             if (ENGINE_init(e)) {
@@ -553,12 +580,12 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                                                &cb_data);
                 ENGINE_finish(e);
             }
-            if (pkey == NULL) {
-                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+            if (pkey == NULL && desc != NULL) {
+                BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
                 ERR_print_errors(bio_err);
             }
 #else
-            BIO_printf(bio_err, "engines not supported\n");
+            BIO_printf(bio_err, "Engines not supported\n");
 #endif
         }
         goto end;
@@ -576,7 +603,8 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
     } else if (format == FORMAT_PEM) {
         pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data);
     } else if (format == FORMAT_PKCS12) {
-        if (!load_pkcs12(key, key_descrip, wrap_password_callback, &cb_data,
+        if (!load_pkcs12(key, desc,
+                         (pem_password_cb *)password_callback, &cb_data,
                          &pkey, NULL, NULL))
             goto end;
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
@@ -586,20 +614,27 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
         pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data);
 #endif
     } else {
-        BIO_printf(bio_err, "bad input format specified for key file\n");
-        goto end;
+        print_format_error(format, OPT_FMT_PEMDER | OPT_FMT_PKCS12
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
+                                 | OPT_FMT_MSBLOB | FORMAT_PVK
+#endif
+#ifndef OPENSSL_NO_ENGINE
+                                 | OPT_FMT_ENGINE
+#endif
+                           );
     }
+
  end:
     BIO_free(key);
-    if (pkey == NULL) {
-        BIO_printf(bio_err, "unable to load %s\n", key_descrip);
+    if (pkey == NULL && desc != NULL) {
+        BIO_printf(bio_err, "Unable to load %s\n", desc);
         ERR_print_errors(bio_err);
     }
     return pkey;
 }
 
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
-                      const char *pass, ENGINE *e, const char *key_descrip)
+                      const char *pass, ENGINE *e, const char *desc)
 {
     BIO *key = NULL;
     EVP_PKEY *pkey = NULL;
@@ -609,22 +644,22 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
     cb_data.prompt_info = file;
 
     if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
-        BIO_printf(bio_err, "no keyfile specified\n");
+        BIO_printf(bio_err, "No keyfile specified\n");
         goto end;
     }
     if (format == FORMAT_ENGINE) {
         if (e == NULL) {
-            BIO_printf(bio_err, "no engine specified\n");
+            BIO_printf(bio_err, "No engine specified\n");
         } else {
 #ifndef OPENSSL_NO_ENGINE
             pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(),
                                           &cb_data);
-            if (pkey == NULL) {
-                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+            if (pkey == NULL && desc != NULL) {
+                BIO_printf(bio_err, "Cannot load %s from engine\n", desc);
                 ERR_print_errors(bio_err);
             }
 #else
-            BIO_printf(bio_err, "engines not supported\n");
+            BIO_printf(bio_err, "Engines not supported\n");
 #endif
         }
         goto end;
@@ -677,11 +712,19 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
     } else if (format == FORMAT_MSBLOB) {
         pkey = b2i_PublicKey_bio(key);
 #endif
+    } else {
+        print_format_error(format, OPT_FMT_PEMDER
+#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
+                                 | OPT_FMT_MSBLOB
+#endif
+                           );
     }
  end:
     BIO_free(key);
-    if (pkey == NULL)
-        BIO_printf(bio_err, "unable to load %s\n", key_descrip);
+    if (pkey == NULL && desc != NULL) {
+        BIO_printf(bio_err, "Unable to load %s\n", desc);
+        ERR_print_errors(bio_err);
+    }
     return pkey;
 }
 
@@ -701,7 +744,7 @@ static int load_certs_crls(const char *file, int format,
     cb_data.prompt_info = file;
 
     if (format != FORMAT_PEM) {
-        BIO_printf(bio_err, "bad input format specified for %s\n", desc);
+        BIO_printf(bio_err, "Bad input format specified for %s\n", desc);
         return 0;
     }
 
@@ -760,9 +803,11 @@ static int load_certs_crls(const char *file, int format,
             sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
             *pcrls = NULL;
         }
-        BIO_printf(bio_err, "unable to load %s\n",
-                   pcerts ? "certificates" : "CRLs");
-        ERR_print_errors(bio_err);
+        if (desc != NULL) {
+            BIO_printf(bio_err, "Unable to load %s for %s\n",
+                       pcerts ? "certificates" : "CRLs", desc);
+            ERR_print_errors(bio_err);
+        }
     }
     return rv;
 }
@@ -1094,6 +1139,7 @@ X509_STORE *setup_verify(const char *CAfile, int noCAfile,
     ERR_clear_error();
     return store;
  end:
+    ERR_print_errors(bio_err);
     X509_STORE_free(store);
     return NULL;
 }
@@ -1121,13 +1167,13 @@ ENGINE *setup_engine(const char *engine, int debug)
 #ifndef OPENSSL_NO_ENGINE
     if (engine != NULL) {
         if (strcmp(engine, "auto") == 0) {
-            BIO_printf(bio_err, "enabling auto ENGINE support\n");
+            BIO_printf(bio_err, "Enabling auto ENGINE support\n");
             ENGINE_register_all_complete();
             return NULL;
         }
         if ((e = ENGINE_by_id(engine)) == NULL
             && (e = try_load_engine(engine)) == NULL) {
-            BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
+            BIO_printf(bio_err, "Invalid engine \"%s\"\n", engine);
             ERR_print_errors(bio_err);
             return NULL;
         }
@@ -1137,13 +1183,13 @@ ENGINE *setup_engine(const char *engine, int debug)
         ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, (void *)get_ui_method(),
                         0, 1);
         if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-            BIO_printf(bio_err, "can't use that engine\n");
+            BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e));
             ERR_print_errors(bio_err);
             ENGINE_free(e);
             return NULL;
         }
 
-        BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e));
+        BIO_printf(bio_err, "Engine \"%s\" set.\n", ENGINE_get_id(e));
     }
 #endif
     return e;
@@ -1222,14 +1268,13 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
             BIO_printf(bio_err, "Out of memory\n");
     } else {
         if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
-            BIO_printf(bio_err, "unable to load number from %s\n",
+            BIO_printf(bio_err, "Unable to load number from %s\n",
                        serialfile);
             goto err;
         }
         ret = ASN1_INTEGER_to_BN(ai, NULL);
         if (ret == NULL) {
-            BIO_printf(bio_err,
-                       "error converting number from bin to BIGNUM\n");
+            BIO_printf(bio_err, "Error converting number from bin to BIGNUM\n");
             goto err;
         }
     }
@@ -1239,6 +1284,7 @@ BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
         ai = NULL;
     }
  err:
+    ERR_print_errors(bio_err);
     BIO_free(in);
     ASN1_INTEGER_free(ai);
     return ret;
@@ -1258,7 +1304,7 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial
     else
         j = strlen(serialfile) + strlen(suffix) + 1;
     if (j >= BSIZE) {
-        BIO_printf(bio_err, "file name too long\n");
+        BIO_printf(bio_err, "File name too long\n");
         goto err;
     }
 
@@ -1273,7 +1319,6 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial
     }
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
-        ERR_print_errors(bio_err);
         goto err;
     }
 
@@ -1289,6 +1334,8 @@ int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial
         ai = NULL;
     }
  err:
+    if (!ret)
+        ERR_print_errors(bio_err);
     BIO_free_all(out);
     ASN1_INTEGER_free(ai);
     return ret;
@@ -1305,7 +1352,7 @@ int rotate_serial(const char *serialfile, const char *new_suffix,
     if (i > j)
         j = i;
     if (j + 1 >= BSIZE) {
-        BIO_printf(bio_err, "file name too long\n");
+        BIO_printf(bio_err, "File name too long\n");
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
@@ -1321,19 +1368,20 @@ int rotate_serial(const char *serialfile, const char *new_suffix,
 #endif
         ) {
         BIO_printf(bio_err,
-                   "unable to rename %s to %s\n", serialfile, buf[1]);
+                   "Unable to rename %s to %s\n", serialfile, buf[1]);
         perror("reason");
         goto err;
     }
     if (rename(buf[0], serialfile) < 0) {
         BIO_printf(bio_err,
-                   "unable to rename %s to %s\n", buf[0], serialfile);
+                   "Unable to rename %s to %s\n", buf[0], serialfile);
         perror("reason");
         rename(buf[1], serialfile);
         goto err;
     }
     return 1;
  err:
+    ERR_print_errors(bio_err);
     return 0;
 }
 
@@ -1374,17 +1422,14 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
 #endif
 
     in = BIO_new_file(dbfile, "r");
-    if (in == NULL) {
-        ERR_print_errors(bio_err);
+    if (in == NULL)
         goto err;
-    }
 
 #ifndef OPENSSL_NO_POSIX_IO
     BIO_get_fp(in, &dbfp);
     if (fstat(fileno(dbfp), &dbst) == -1) {
         ERR_raise_data(ERR_LIB_SYS, errno,
                        "calling fstat(%s)", dbfile);
-        ERR_print_errors(bio_err);
         goto err;
     }
 #endif
@@ -1421,6 +1466,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
 #endif
 
  err:
+    ERR_print_errors(bio_err);
     NCONF_free(dbattr_conf);
     TXT_DB_free(tmpdb);
     BIO_free_all(in);
@@ -1436,20 +1482,23 @@ int index_index(CA_DB *db)
                              LHASH_HASH_FN(index_serial),
                              LHASH_COMP_FN(index_serial))) {
         BIO_printf(bio_err,
-                   "error creating serial number index:(%ld,%ld,%ld)\n",
+                   "Error creating serial number index:(%ld,%ld,%ld)\n",
                    db->db->error, db->db->arg1, db->db->arg2);
-        return 0;
+        goto err;
     }
 
     if (db->attributes.unique_subject
         && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
                                 LHASH_HASH_FN(index_name),
                                 LHASH_COMP_FN(index_name))) {
-        BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
+        BIO_printf(bio_err, "Error creating name index:(%ld,%ld,%ld)\n",
                    db->db->error, db->db->arg1, db->db->arg2);
-        return 0;
+        goto err;
     }
     return 1;
+ err:
+    ERR_print_errors(bio_err);
+    return 0;
 }
 
 int save_index(const char *dbfile, const char *suffix, CA_DB *db)
@@ -1460,7 +1509,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
 
     j = strlen(dbfile) + strlen(suffix);
     if (j + 6 >= BSIZE) {
-        BIO_printf(bio_err, "file name too long\n");
+        BIO_printf(bio_err, "File name too long\n");
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
@@ -1475,7 +1524,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
         perror(dbfile);
-        BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
+        BIO_printf(bio_err, "Unable to open '%s'\n", dbfile);
         goto err;
     }
     j = TXT_DB_write(out, db->db);
@@ -1486,7 +1535,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
     out = BIO_new_file(buf[1], "w");
     if (out == NULL) {
         perror(buf[2]);
-        BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
+        BIO_printf(bio_err, "Unable to open '%s'\n", buf[2]);
         goto err;
     }
     BIO_printf(out, "unique_subject = %s\n",
@@ -1495,6 +1544,7 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
 
     return 1;
  err:
+    ERR_print_errors(bio_err);
     return 0;
 }
 
@@ -1509,7 +1559,7 @@ int rotate_index(const char *dbfile, const char *new_suffix,
     if (i > j)
         j = i;
     if (j + 6 >= BSIZE) {
-        BIO_printf(bio_err, "file name too long\n");
+        BIO_printf(bio_err, "File name too long\n");
         goto err;
     }
 #ifndef OPENSSL_SYS_VMS
@@ -1530,12 +1580,12 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         && errno != ENOTDIR
 #endif
         ) {
-        BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
+        BIO_printf(bio_err, "Unable to rename %s to %s\n", dbfile, buf[1]);
         perror("reason");
         goto err;
     }
     if (rename(buf[0], dbfile) < 0) {
-        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
+        BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[0], dbfile);
         perror("reason");
         rename(buf[1], dbfile);
         goto err;
@@ -1545,14 +1595,14 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         && errno != ENOTDIR
 #endif
         ) {
-        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
+        BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[4], buf[3]);
         perror("reason");
         rename(dbfile, buf[0]);
         rename(buf[1], dbfile);
         goto err;
     }
     if (rename(buf[2], buf[4]) < 0) {
-        BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
+        BIO_printf(bio_err, "Unable to rename %s to %s\n", buf[2], buf[4]);
         perror("reason");
         rename(buf[3], buf[4]);
         rename(dbfile, buf[0]);
@@ -1561,6 +1611,7 @@ int rotate_index(const char *dbfile, const char *new_suffix,
     }
     return 1;
  err:
+    ERR_print_errors(bio_err);
     return 0;
 }
 
@@ -1651,7 +1702,7 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
             }
             if (*cp == '\\' && *++cp == '\0') {
                 BIO_printf(bio_err,
-                           "%s: escape character at end of string\n",
+                           "%s: Escape character at end of string\n",
                            opt_getprog());
                 goto err;
             }
@@ -1900,7 +1951,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
         DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
         urlptr = get_dp_url(dp);
         if (urlptr)
-            return load_crl(urlptr, FORMAT_HTTP);
+            return load_crl(urlptr, FORMAT_HTTP, "CRL via CDP");
     }
     return NULL;
 }
diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index d335d8e9db..566de8ab7d 100644
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -282,6 +282,41 @@ int opt_format(const char *s, unsigned long flags, int *result)
     return 1;
 }
 
+/* Return string representing the given format. */
+const char *format2str(int format)
+{
+    switch (format) {
+    default:
+        return "(undefined)";
+    case FORMAT_PEM:
+        return "PEM";
+    case FORMAT_ASN1:
+        return "DER";
+    case FORMAT_TEXT:
+        return "TEXT";
+    case FORMAT_NSS:
+        return "NSS";
+    case FORMAT_SMIME:
+        return "SMIME";
+    case FORMAT_MSBLOB:
+        return "MSBLOB";
+    case FORMAT_ENGINE:
+        return "ENGINE";
+    case FORMAT_HTTP:
+        return "HTTP";
+    case FORMAT_PKCS12:
+        return "P12";
+    case FORMAT_PVK:
+        return "PVK";
+    }
+}
+
+/* Print an error message about unsuitable/unsupported format requested. */
+void print_format_error(int format, unsigned long flags)
+{
+    (void)opt_format_error(format2str(format), flags);
+}
+
 /* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
 {
diff --git a/apps/req.c b/apps/req.c
index 9ab120c34f..cba6952cad 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -230,7 +230,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
 int req_main(int argc, char **argv)
 {
     ASN1_INTEGER *serial = NULL;
-    BIO *in = NULL, *out = NULL;
+    BIO *out = NULL;
     ENGINE *e = NULL, *gen_eng = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *genctx = NULL;
@@ -469,7 +469,7 @@ int req_main(int argc, char **argv)
         BIO_printf(bio_err, "Using configuration from %s\n", template);
     if ((req_conf = app_load_config(template)) == NULL)
         goto end;
-    if (addext_bio) {
+    if (addext_bio != NULL) {
         if (verbose)
             BIO_printf(bio_err,
                        "Using additional configuration from command line\n");
@@ -590,12 +590,9 @@ int req_main(int argc, char **argv)
 
     if (keyfile != NULL) {
         pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
-        if (pkey == NULL) {
-            /* load_key() has already printed an appropriate message */
+        if (pkey == NULL)
             goto end;
-        } else {
-            app_RAND_load_conf(req_conf, section);
-        }
+        app_RAND_load_conf(req_conf, section);
     }
 
     if (newreq && (pkey == NULL)) {
@@ -715,18 +712,9 @@ int req_main(int argc, char **argv)
     }
 
     if (!newreq) {
-        in = bio_open_default(infile, 'r', informat);
-        if (in == NULL)
+        req = load_csr(infile, informat, "X509 request");
+        if (req == NULL)
             goto end;
-
-        if (informat == FORMAT_ASN1)
-            req = d2i_X509_REQ_bio(in, NULL);
-        else
-            req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
-        if (req == NULL) {
-            BIO_printf(bio_err, "unable to load X509 request\n");
-            goto end;
-        }
     }
 
     if (newreq || x509) {
@@ -992,7 +980,6 @@ int req_main(int argc, char **argv)
     NCONF_free(req_conf);
     NCONF_free(addext_conf);
     BIO_free(addext_bio);
-    BIO_free(in);
     BIO_free_all(out);
     EVP_PKEY_free(pkey);
     EVP_PKEY_CTX_free(genctx);
diff --git a/apps/s_client.c b/apps/s_client.c
index a28b2867a3..eb4dbdcaa2 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1714,18 +1714,14 @@ int s_client_main(int argc, char **argv)
     if (key_file != NULL) {
         key = load_key(key_file, key_format, 0, pass, e,
                        "client certificate private key file");
-        if (key == NULL) {
-            ERR_print_errors(bio_err);
+        if (key == NULL)
             goto end;
-        }
     }
 
     if (cert_file != NULL) {
         cert = load_cert(cert_file, cert_format, "client certificate file");
-        if (cert == NULL) {
-            ERR_print_errors(bio_err);
+        if (cert == NULL)
             goto end;
-        }
     }
 
     if (chain_file != NULL) {
@@ -1736,12 +1732,9 @@ int s_client_main(int argc, char **argv)
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, crl_format);
-        if (crl == NULL) {
-            BIO_puts(bio_err, "Error loading CRL\n");
-            ERR_print_errors(bio_err);
+        crl = load_crl(crl_file, crl_format, "CRL");
+        if (crl == NULL)
             goto end;
-        }
         crls = sk_X509_CRL_new_null();
         if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
             BIO_puts(bio_err, "Error adding CRL\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index 14550aebc2..23c762ba9f 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1736,18 +1736,14 @@ int s_server_main(int argc, char *argv[])
     if (nocert == 0) {
         s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
                          "server certificate private key file");
-        if (s_key == NULL) {
-            ERR_print_errors(bio_err);
+        if (s_key == NULL)
             goto end;
-        }
 
         s_cert = load_cert(s_cert_file, s_cert_format,
                            "server certificate file");
 
-        if (s_cert == NULL) {
-            ERR_print_errors(bio_err);
+        if (s_cert == NULL)
             goto end;
-        }
         if (s_chain_file != NULL) {
             if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL,
                             "server certificate chain"))
@@ -1757,18 +1753,14 @@ int s_server_main(int argc, char *argv[])
         if (tlsextcbp.servername != NULL) {
             s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
                               "second server certificate private key file");
-            if (s_key2 == NULL) {
-                ERR_print_errors(bio_err);
+            if (s_key2 == NULL)
                 goto end;
-            }
 
             s_cert2 = load_cert(s_cert_file2, s_cert_format,
                                 "second server certificate file");
 
-            if (s_cert2 == NULL) {
-                ERR_print_errors(bio_err);
+            if (s_cert2 == NULL)
                 goto end;
-            }
         }
     }
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -1787,12 +1779,9 @@ int s_server_main(int argc, char *argv[])
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, crl_format);
-        if (crl == NULL) {
-            BIO_puts(bio_err, "Error loading CRL\n");
-            ERR_print_errors(bio_err);
+        crl = load_crl(crl_file, crl_format, "CRL");
+        if (crl == NULL)
             goto end;
-        }
         crls = sk_X509_CRL_new_null();
         if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
             BIO_puts(bio_err, "Error adding CRL\n");
@@ -1809,10 +1798,8 @@ int s_server_main(int argc, char *argv[])
 
         s_dkey = load_key(s_dkey_file, s_dkey_format,
                           0, dpass, engine, "second certificate private key file");
-        if (s_dkey == NULL) {
-            ERR_print_errors(bio_err);
+        if (s_dkey == NULL)
             goto end;
-        }
 
         s_dcert = load_cert(s_dcert_file, s_dcert_format,
                             "second server certificate file");
diff --git a/apps/x509.c b/apps/x509.c
index 16c1f95754..a2a52e41b1 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -572,18 +572,10 @@ int x509_main(int argc, char **argv)
 
     if (reqfile) {
         EVP_PKEY *pkey;
-        BIO *in;
 
-        in = bio_open_default(infile, 'r', informat);
-        if (in == NULL)
+        req = load_csr(infile, informat, "certificate request input");
+        if (req == NULL)
             goto end;
-        req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
-        BIO_free(in);
-
-        if (req == NULL) {
-            ERR_print_errors(bio_err);
-            goto end;
-        }
 
         if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
             BIO_printf(bio_err, "error unpacking public key\n");
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index d561101d80..0202661845 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -36,8 +36,10 @@ B<openssl> B<ca>
 [B<-key> I<arg>]
 [B<-passin> I<arg>]
 [B<-cert> I<file>]
+[B<-certform> B<DER>|<PEM>]
 [B<-selfsign>]
 [B<-in> I<file>]
+[B<-inform> B<DER>|<PEM>]
 [B<-out> I<file>]
 [B<-notext>]
 [B<-outdir> I<dir>]
@@ -104,6 +106,11 @@ B<default_ca> in the B<ca> section).
 An input filename containing a single certificate request to be
 signed by the CA.
 
+=item B<-inform> B<DER>|B<PEM>
+
+The format of the data in CSR input files.
+The default is PEM.
+
 =item B<-ss_cert> I<filename>
 
 A single self-signed certificate to be signed by the CA.
@@ -135,6 +142,11 @@ F<.pem> appended.
 
 The CA certificate file.
 
+=item B<-certform> B<DER>|B<PEM>
+
+The format of the data in certificate input files.
+The default is PEM.
+
 =item B<-keyfile> I<filename>
 
 The private key to sign requests with.
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index 3b36a2bfd9..3d4dfcd060 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -32,12 +32,12 @@ plan tests => 6;
 
      $ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
      skip "failed creating new certificate request", 3
-	 if !ok(run(perlapp(["CA.pl","-newreq"])),
+	 if !ok(run(perlapp(["CA.pl","-newreq",
+                             "-extra-req","-outform DER"])),
 		'creating certificate request');
-
-     $ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"';
+     $ENV{OPENSSL_CONFIG} = '-rand_serial -inform DER -config "'.$std_openssl_cnf.'"';
      skip "failed to sign certificate request", 2
-	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
+	 if !is(yes(cmdstr(perlapp(["CA.pl", "-sign", "-extra-ca"]))), 0,
 		'signing certificate request');
 
      ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),


More information about the openssl-commits mailing list