Description: implements -resign and -rekey options for openssl req
---

Index: openssl-1.0.1e/doc/apps/req.pod
===================================================================
--- openssl-1.0.1e.orig/doc/apps/req.pod	2014-02-23 10:52:49.712661594 +0100
+++ openssl-1.0.1e/doc/apps/req.pod	2014-02-23 10:52:55.076688193 +0100
@@ -43,6 +43,8 @@
 [B<-utf8>]
 [B<-nameopt>]
 [B<-reqopt>]
+[B<-resign>]
+[B<-rekey>]
 [B<-subject>]
 [B<-subj arg>]
 [B<-batch>]
@@ -135,6 +137,15 @@
 I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
+=item B<-resign>
+
+Re-signs the input request with private key B<-key>.
+
+=item B<-rekey>
+
+Uses private key B<-key> to create a different public key for existing
+certificate request.
+
 =item B<-rand file(s)>
 
 a file or files containing random data used to seed the random number
Index: openssl-1.0.1e/apps/req.c
===================================================================
--- openssl-1.0.1e.orig/apps/req.c	2014-02-23 10:52:49.712661594 +0100
+++ openssl-1.0.1e/apps/req.c	2014-02-23 10:52:55.076688193 +0100
@@ -118,6 +118,8 @@
  * -keyform arg	- key file format.
  * -rand file(s) - load the file(s) into the PRNG.
  * -newkey	- make a key and a request.
+ * -resign  - re-sign existing certificate request.
+ * -rekey   - use new private key for existing certificate request.
  * -modulus	- print RSA modulus.
  * -pubkey	- output Public Key.
  * -x509	- output a self signed X509 structure instead.
@@ -171,7 +173,7 @@
 	long newkey = -1;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
-	int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0;
+	int nodes=0,kludge=0,newhdr=0,subject=0,pubkey=0,resign=0,rekey=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
@@ -355,6 +357,10 @@
 			kludge=1;
 		else if (strcmp(*argv,"-no-asn1-kludge") == 0)
 			kludge=0;
+		else if (strcmp(*argv,"-resign") == 0)
+			resign=1;
+		else if (strcmp(*argv,"-rekey") == 0)
+			rekey=1;
 		else if (strcmp(*argv,"-subj") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -435,6 +441,8 @@
 		BIO_printf(bio_err," -subj arg      set or modify request subject\n");
 		BIO_printf(bio_err," -multivalue-rdn enable support for multivalued RDNs\n");
 		BIO_printf(bio_err," -new           new request.\n");
+		BIO_printf(bio_err," -resign        re-sign existing certificate request.\n");
+		BIO_printf(bio_err," -rekey         use new private key for existing certificate request.\n");
 		BIO_printf(bio_err," -batch         do not ask anything during request generation\n");
 		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
 		BIO_printf(bio_err," -days          number of days a certificate generated by -x509 is valid for.\n");
@@ -931,6 +939,26 @@
 			}
 		}
 
+	if (rekey)
+		{
+	    if (!X509_REQ_set_pubkey(req,pkey))
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+		req->req_info->enc.modified = 1;
+        }
+
+	if (rekey || resign)
+		{
+		i=do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts);
+		if (!i)
+			{
+			ERR_print_errors(bio_err);
+			goto end;
+			}
+        }
+
 	if (verify && !x509)
 		{
 		int tmp=0;
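Review bot: Both added blocks hand `pkey` to `X509_REQ_set_pubkey()` and `do_X509_REQ_sign()` without checking it, so `-rekey` or `-resign` given without `-key` would presumably reach them with a NULL key; where `pkey` is loaded is outside the hunk, so this should be confirmed. A guard ahead of the `if (rekey)` block would fail cleanly: `if ((rekey || resign) && pkey == NULL) { BIO_printf(bio_err,"-resign and -rekey need a private key (-key)\n"); goto end; }`. The new signing also sits before the `if (verify && !x509)` block, so `-verify` combined with either option would appear to check the signature just produced rather than the one on the input request; if the submitted signature is meant to be checked, the signing belongs after that block or the combination should be rejected. The direct write to `req->req_info->enc.modified` deserves a short comment such as `/* invalidate the cached encoding so the new public key is re-encoded before signing */`.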
