Implement more options for req CLI

[nhatnghiho]

Issues:

Resolves #CryptoAlg-3380

Description of changes:

Implement the following options for x509 cli command:

• sha256
• config
• key
• passin
• extensions
• outform

Testing:

Unit tests added, including missing coverage for some existing x509 options.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[github-actions]

clang-tidy made some suggestions

There were too many comments to post at once. Showing the first 10 out of 11. Check the log or trigger a new build to see more.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 35.73243% with 759 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.43%. Comparing base (93f9f73) to head (5d2bc29).

Files with missing lines	Patch %	Lines
tool-openssl/req_test.cc	31.13%	374 Missing and 2 partials ⚠️
tool-openssl/pkcs8_test.cc	17.10%	126 Missing ⚠️
tool-openssl/req.cc	59.86%	116 Missing ⚠️
tool-openssl/test_util.cc	4.25%	88 Missing and 2 partials ⚠️
tool-openssl/pkeyutl_test.cc	44.00%	42 Missing ⚠️
tool-openssl/pkeyutl.cc	64.00%	9 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2775      +/-   ##
==========================================
+ Coverage   78.42%   78.43%   +0.01%     
==========================================
  Files         683      683              
  Lines      116286   117177     +891     
  Branches    16401    16477      +76     
==========================================
+ Hits        91197    91911     +714     
- Misses      24215    24381     +166     
- Partials      874      885      +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

clang-tidy made some suggestions

[github-actions]

clang-tidy made some suggestions

[justsmth]

Codecov shows most of req.cc as not being covered -- the logic seems to be mostly covered by comparison tests, but apparently not by unit tests. We should have unit tests to provide better coverage and possibly hit a few edge cases that aren't easily covered by comparisons.

[justsmth]

Also a couple of the Openssl comparison tests are failing for this:

[ RUN      ] ReqComparisonTest.DigestSelectionFromConfig
Writing private key to awslcTestTmpFileWWLGLo
Generating a RSA private key
..........................................................................................................................................................+++++
..................................................+++++
writing new private key to 'awslcTestTmpFile0XuYdf'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
140514192817024:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=req name=distinguished_name
/home/runner/work/aws-lc/aws-lc/tool-openssl/req_test.cc:550: Failure
Expected equality of these values:
  ExecuteCommand(openssl_command)
    Which is: 256
  0
[  FAILED  ] ReqComparisonTest.DigestSelectionFromConfig (747 ms)

[ RUN      ] ReqComparisonTest.GenerateProtectedPrivateKey
AWS-LC command: /home/runner/work/aws-lc/aws-lc/test_build_dir/tool-openssl/openssl req -new -config awslcTestTmpFiledvLFlt -key awslcTestTmpFileOXNEGz -passout pass:testpassword -keyout awslcTestTmpFilep2rXBR -out awslcTestTmpFileBxyzmy -subj "/CN=encrypted-key.example.com"
OpenSSL command: /home/runner/work/aws-lc/openssl-scratch/libcrypto_install_dir/openssl-OpenSSL_1_1_1-stable/bin/openssl req -new -config awslcTestTmpFiledvLFlt -key awslcTestTmpFileOXNEGz -passout pass:testpassword -keyout awslcTestTmpFile9S9dHU -out awslcTestTmpFilee5UCiH -subj "/CN=encrypted-key.example.com"
Writing private key to awslcTestTmpFilep2rXBR
/home/runner/work/aws-lc/aws-lc/tool-openssl/req_test.cc:681: Failure
Value of: openssl_key_content.find( "-----BEGIN ENCRYPTED PRIVATE KEY-----") != std::string::npos
  Actual: false
Expected: true
OpenSSL private key should be encrypted PKCS#8
/home/runner/work/aws-lc/aws-lc/tool-openssl/req_test.cc:697: Failure
Value of: openssl_key
  Actual: false
Expected: true
Failed to load OpenSSL private key
89335319809600:error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE:/home/runner/work/aws-lc/aws-lc/crypto/pem/pem_lib.c:635:Expecting: ANY PRIVATE KEY
[  FAILED  ] ReqComparisonTest.GenerateProtectedPrivateKey (250 ms)

[justsmth]

In some CI setups this test might be run in parallel, which creates a race condition since the "privkey.pem" created by one run could be deleted or overwritten by another.

[WillChilds-Klein]

aren't these unreachable due to L497?

[WillChilds-Klein]

also unreachable?

[WillChilds-Klein]

don't you still need to call X509_NAME_cmp on the subject names?

[WillChilds-Klein]

here and elsewhere, why change this flag?

[WillChilds-Klein]

hm, it's not generally a good practice to set errno directly in the application layer

The <errno.h> header file defines the integer variable errno,
which is set by system calls and some library functions in the
event of an error to indicate what went wrong.

https://man7.org/linux/man-pages/man3/errno.3.html

why do we do so here?

[WillChilds-Klein]

do we have an upper bound on the buffer size here? negative length is not encouraged for new usages

aws-lc/include/openssl/bio.h

Lines 461 to 463 in 981c79b

	// If |len| is negative, then |buf| is treated as a NUL-terminated string, but
	// don't depend on this in new code.
	OPENSSL_EXPORT BIO *BIO_new_mem_buf(const void *buf, ossl_ssize_t len);