req: Add -cipher option to specify private key encryption cipher

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25796)
2024-10-24 23:37:27 +05:30 · 2024-10-24 23:37:27 +05:30 · bca1bb2977
commit bca1bb2977
parent 43ba601723
2 changed files with 22 additions and 1 deletions
--- a/apps/req.c
+++ b/apps/req.c
@ -81,6 +81,7 @@ static int batch = 0;

 typedef enum OPTION_choice {
    OPT_COMMON,
+    OPT_CIPHER,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
    OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
    OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
@ -98,6 +99,7 @@ typedef enum OPTION_choice {
 const OPTIONS req_options[] = {
    OPT_SECTION("General"),
    {"help", OPT_HELP, '-', "Display this summary"},
+    {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
    {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
@ -250,7 +252,7 @@ int req_main(int argc, char **argv)
    LHASH_OF(OPENSSL_STRING) *addexts = NULL;
    X509 *new_x509 = NULL, *CAcert = NULL;
    X509_REQ *req = NULL;
-    EVP_CIPHER *cipher = NULL;
+    const EVP_CIPHER *cipher = NULL;
    int ext_copy = EXT_COPY_UNSET;
    BIO *addext_bio = NULL;
    char *extsect = NULL;
@ -491,6 +493,13 @@ int req_main(int argc, char **argv)
        case OPT_PRECERT:
            newreq = precert = 1;
            break;
+        case OPT_CIPHER:
+            cipher = EVP_get_cipherbyname(opt_arg());
+            if (cipher == NULL) {
+                BIO_printf(bio_err, "Unknown cipher: %s\n", opt_arg());
+                goto opthelp;
+            }
+            break;
        case OPT_MD:
            digest = opt_unknown();
            break;
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@ -9,6 +9,7 @@ openssl-req - PKCS#10 certificate request and certificate generating command

 B<openssl> B<req>
 [B<-help>]
+[B<-cipher>]
 [B<-inform> B<DER>|B<PEM>]
 [B<-outform> B<DER>|B<PEM>]
 [B<-in> I<filename>]
@ -86,6 +87,13 @@ See L<openssl-format-options(1)> for details.

 The data is a PKCS#10 object.

+=item B<-cipher> I<name>
+
+Specify the cipher to be used for encrypting the private key.
+The default cipher is 3DES (DES-EDE3-CBC).
+If no cipher is specified, 3DES will be used by default.
+You can override this by providing any valid OpenSSL cipher name.
+
 =item B<-in> I<filename>

 This specifies the input filename to read a request from.
@ -652,6 +660,10 @@ Examine and verify certificate request:

 openssl req -in req.pem -text -verify -noout

+Specify the cipher to be used for encrypting the private key:
+
+ openssl req -newkey rsa:2048 -keyout privatekey.pem -out request.csr -cipher aes-256-cbc
+
 Create a private key and then generate a certificate request from it:

 openssl genrsa -out key.pem 2048