From bca1bb297778932c1e682166aa4780ecc96f0a0a Mon Sep 17 00:00:00 2001
From: Aditya <adimail2404@gmail.com>
Date: Thu, 24 Oct 2024 23:37:27 +0530
Subject: [PATCH] req: Add -cipher option to specify private key encryption
 cipher

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25796)
---
 apps/req.c                  | 11 ++++++++++-
 doc/man1/openssl-req.pod.in | 12 ++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/apps/req.c b/apps/req.c
index 73dd94a567..37800b318d 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -81,6 +81,7 @@ static int batch = 0;
 
 typedef enum OPTION_choice {
     OPT_COMMON,
+    OPT_CIPHER,
     OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY,
     OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT,
     OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY,
@@ -98,6 +99,7 @@ typedef enum OPTION_choice {
 const OPTIONS req_options[] = {
     OPT_SECTION("General"),
     {"help", OPT_HELP, '-', "Display this summary"},
+    {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"},
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
     {"keygen_engine", OPT_KEYGEN_ENGINE, 's',
@@ -250,7 +252,7 @@ int req_main(int argc, char **argv)
     LHASH_OF(OPENSSL_STRING) *addexts = NULL;
     X509 *new_x509 = NULL, *CAcert = NULL;
     X509_REQ *req = NULL;
-    EVP_CIPHER *cipher = NULL;
+    const EVP_CIPHER *cipher = NULL;
     int ext_copy = EXT_COPY_UNSET;
     BIO *addext_bio = NULL;
     char *extsect = NULL;
@@ -491,6 +493,13 @@ int req_main(int argc, char **argv)
         case OPT_PRECERT:
             newreq = precert = 1;
             break;
+        case OPT_CIPHER:
+            cipher = EVP_get_cipherbyname(opt_arg());
+            if (cipher == NULL) {
+                BIO_printf(bio_err, "Unknown cipher: %s\n", opt_arg());
+                goto opthelp;
+            }
+            break;
         case OPT_MD:
             digest = opt_unknown();
             break;
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 0eacfc51a4..5cb3004d3f 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -9,6 +9,7 @@ openssl-req - PKCS#10 certificate request and certificate generating command
 
 B<openssl> B<req>
 [B<-help>]
+[B<-cipher>]
 [B<-inform> B<DER>|B<PEM>]
 [B<-outform> B<DER>|B<PEM>]
 [B<-in> I<filename>]
@@ -86,6 +87,13 @@ See L<openssl-format-options(1)> for details.
 
 The data is a PKCS#10 object.
 
+=item B<-cipher> I<name>
+
+Specify the cipher to be used for encrypting the private key.
+The default cipher is 3DES (DES-EDE3-CBC).
+If no cipher is specified, 3DES will be used by default.
+You can override this by providing any valid OpenSSL cipher name.
+
 =item B<-in> I<filename>
 
 This specifies the input filename to read a request from.
@@ -652,6 +660,10 @@ Examine and verify certificate request:
 
  openssl req -in req.pem -text -verify -noout
 
+Specify the cipher to be used for encrypting the private key:
+
+ openssl req -newkey rsa:2048 -keyout privatekey.pem -out request.csr -cipher aes-256-cbc
+
 Create a private key and then generate a certificate request from it:
 
  openssl genrsa -out key.pem 2048