From e2fad4e6bdd4e404b3f4c186de52078738af2271 Mon Sep 17 00:00:00 2001
From: bcook <>
Date: Fri, 11 Sep 2015 14:30:23 +0000
Subject: Remove engine command and parameters from openssl(1). We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@
---
 src/usr.bin/openssl/ca.c | 36 +++++++++---------------------------
 1 file changed, 9 insertions(+), 27 deletions(-)
(limited to 'src/usr.bin/openssl/ca.c')
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 8645128e42..254d551aa5 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.11 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: ca.c,v 1.12 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,7 +135,7 @@ static const char *ca_usage[] = {
 " -md arg - md to use, one of md2, md5, sha or sha1\n",
 " -policy arg - The CA 'policy' to support\n",
 " -keyfile arg - private key file\n",
- " -keyform arg - private key file format (PEM or ENGINE)\n",
+ " -keyform arg - private key file format (PEM)\n",
 " -key arg - key to decode the private key if it is encrypted\n",
 " -cert file - The CA certificate\n",
 " -selfsign - sign a certificate with the key associated with it\n",
@@ -156,9 +156,6 @@ static const char *ca_usage[] = {
 " -extensions .. - Extension section (override value in config file)\n",
 " -extfile file - Configuration file with X509v3 extentions to add\n",
 " -crlexts .. - CRL extension section (override value in config file)\n",
-#ifndef OPENSSL_NO_ENGINE
- " -engine e - use engine e, possibly a hardware device.\n",
-#endif
 " -status serial - Shows certificate status given the serial number\n",
 " -updatedb - Updates db for expired certificates\n",
 NULL
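Review bot: The `-keyform` help in `ca_usage` now lists PEM as the only format, but no visible hunk stops the option parser from still accepting `ENGINE` (or any other format name) for `keyform`, and the later `load_key(bio_err, keyfile, keyform, 0, key, "CA private key")` call passes the parsed value through unchanged. The format parser and `load_key` live outside this diff, so this is inferred: if an engine format is still recognised there, `-keyform ENGINE` should be rejected with an explicit unsupported-format error before any key file is opened, which is worth confirming for a CA signing key. If other formats remain accepted, the help line should name them rather than imply PEM is the only choice.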
@@ -178,7 +175,7 @@ static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF * conf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy, ENGINE * e); + int ext_copy); static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, @@ -213,7 +210,6 @@ static int msie_hack = 0; int ca_main(int argc, char **argv) { - ENGINE *e = NULL; char *key = NULL, *passargin = NULL; int create_ser = 0; int free_key = 0; @@ -286,9 +282,6 @@ ca_main(int argc, char **argv) STACK_OF(OPENSSL_STRING) * sigopts = NULL; #define BUFLEN 256 char buf[3][BUFLEN]; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif char *tofree = NULL; const char *errstr = NULL; DB_ATTR db_attr; @@ -478,13 +471,6 @@ ca_main(int argc, char **argv) rev_arg = *(++argv); rev_type = REV_CA_COMPROMISE; } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif else { bad: if (errstr) @@ -536,10 +522,6 @@ bad: free(tofree); tofree = NULL; -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -#endif - /* Lets get the config section we are using */ if (section == NULL) { section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); @@ -639,7 +621,7 @@ bad: goto err; } } - pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key"); + pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key"); if (key) explicit_bzero(key, strlen(key)); if (pkey == NULL) { 
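Review bot: The prototype edited in the `@@ -178,7` hunk names its configuration parameter `CONF * conf`, while the `certify_cert` definition edited in the `@@ -1446,14` hunk names it `CONF * lconf`. Since both parameter lists are being touched to drop `ENGINE * e`, this is a cheap moment to align them, e.g. `char *ext_sect, CONF * lconf,` in the prototype. Both parameter lists begin outside their hunks, so pairing the two is inferred from the hunk header and the matching parameter order.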
@@ -655,7 +637,7 @@ bad: lookup_fail(section, ENV_CERTIFICATE); goto err; } - x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, + x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, "CA certificate"); if (x509 == NULL) goto err; @@ -1028,7 +1010,7 @@ bad: sigopts, attribs, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, extensions, conf, verbose, certopt, nameopt, - default_op, ext_copy, e); + default_op, ext_copy); if (j < 0) goto err; if (j > 0) { @@ -1314,7 +1296,7 @@ bad: } else { X509 *revcert; revcert = load_cert(bio_err, infile, FORMAT_PEM, - NULL, e, infile); + NULL, infile); if (revcert == NULL) goto err; j = do_revoke(revcert, db, rev_type, rev_arg); @@ -1446,14 +1428,14 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate, long days, int batch, char *ext_sect, CONF * lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy, ENGINE * e) + int ext_copy) { X509 *req = NULL; X509_REQ *rreq = NULL; EVP_PKEY *pktmp = NULL; int ok = -1, i; - if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, + if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, infile)) == NULL) goto err; if (verbose) -- cgit v1.2.3-55-g6feb