[openssl-dev] [openssl.org #4687] Bug in apps/req.c introduced in openssl 1.0.2i

scott.openssl@scottrix.co.uk via RT rt at openssl.org
Wed Sep 28 11:30:33 UTC 2016


Hi,

When trying to generate a self-signed certificate from a previously 
generated CSR with the command line:

openssl req -x509 -key privkey.pem -in csr.pem -out selfsigned.pem

it now prompts for country code etc. which is stored in the CSR.  This 
change in behavior was introduced by:

commit fd7ca7465b67336b8950a505b6d2adee867a78f7
Author: Richard Levitte <levitte at openssl.org>
Date:   Mon Aug 22 15:22:17 2016 +0200

    Make 'openssl req -x509' more equivalent to 'openssl req -new'
    
    The following would fail, or rather, freeze:
    
	openssl genrsa -out rsa2048.pem 2048
	openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem
    
    In that case, the second command wants to read a certificate request
    from stdin, because -x509 wasn't fully flagged as being for creating
    something new.  This changes makes it fully flagged.
    
    RT#4655
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

My proposed patch is:

diff -Nru openssl-1.0.2i/apps/req.c openssl-1.0.2i-1/apps/req.c
--- openssl-1.0.2i/apps/req.c  2016-09-22 19:59:10.000000000 +0100
+++ openssl-1.0.2i-1/apps/req.c        2016-09-27 17:37:07.917660064 +0100
@@ -787,7 +787,7 @@
	 BIO_printf(bio_err, "-----\n");
     }
 
-    if (!newreq) {
+    if (!newreq || (x509 && infile)) {
         /*
	  * Since we are using a pre-existing certificate request, the 
	  * kludge
	  * 'format' info should not be changed.
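
Review bot: the changed test `if (!newreq || (x509 && infile))` only widens the branch that handles a pre-existing request; `newreq` itself is left set when -x509 and -in are combined. Any code after this hunk that tests `newreq` (not visible here) would still take the new-request path, so it is worth confirming that the subject prompts really are skipped, or clearing `newreq` where the options are resolved when both `x509` and `infile` are set, which keeps the decision in one place. The case from RT#4655 quoted above (-x509 with -key and no -in) has no `infile`, so it should keep its current behaviour; a regression test that runs both command lines with stdin closed would pin that down. The comment inside the branch should also mention that it is now reached for -x509 with -in.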


Scott Harrison


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4687
Please log in as guest with password guest if prompted


