2000-01-10 06:22:05 +00:00
/* apps/ca.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved .
*
* This package is an SSL implementation written
* by Eric Young ( eay @ cryptsoft . com ) .
* The implementation was written so as to conform with Netscapes SSL .
*
* This library is free for commercial and non - commercial use as long as
* the following conditions are aheared to . The following conditions
* apply to all code found in this distribution , be it the RC4 , RSA ,
* lhash , DES , etc . , code ; not just the SSL code . The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson ( tjh @ cryptsoft . com ) .
*
* Copyright remains Eric Young ' s , and as such any Copyright notices in
* the code are not to be removed .
* If this package is used in a product , Eric Young should be given attribution
* as the author of the parts of the library used .
* This can be in the form of a textual message at program startup or
* in documentation ( online or textual ) provided with the package .
*
* Redistribution and use in source and binary forms , with or without
* modification , are permitted provided that the following conditions
* are met :
* 1. Redistributions of source code must retain the copyright
* notice , this list of conditions and the following disclaimer .
* 2. Redistributions in binary form must reproduce the above copyright
* notice , this list of conditions and the following disclaimer in the
* documentation and / or other materials provided with the distribution .
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement :
* " This product includes cryptographic software written by
* Eric Young ( eay @ cryptsoft . com ) "
* The word ' cryptographic ' can be left out if the rouines from the library
* being used are not cryptographic related : - ) .
* 4. If you include any Windows specific code ( or a derivative thereof ) from
* the apps directory ( application code ) you must include an acknowledgement :
* " This product includes software written by Tim Hudson (tjh@cryptsoft.com) "
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ` ` AS IS ' ' AND
* ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING , BUT NOT LIMITED TO , THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED . IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT , INDIRECT , INCIDENTAL , SPECIAL , EXEMPLARY , OR CONSEQUENTIAL
* DAMAGES ( INCLUDING , BUT NOT LIMITED TO , PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES ; LOSS OF USE , DATA , OR PROFITS ; OR BUSINESS INTERRUPTION )
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY , WHETHER IN CONTRACT , STRICT
* LIABILITY , OR TORT ( INCLUDING NEGLIGENCE OR OTHERWISE ) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE , EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE .
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed . i . e . this code cannot simply be
* copied and put under another distribution licence
* [ including the GNU Public Licence . ]
*/
/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
2003-01-28 21:43:22 +00:00
# include <ctype.h>
2000-01-10 06:22:05 +00:00
# include <sys/types.h>
# include <sys/stat.h>
# include <openssl/conf.h>
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/txt_db.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>
# include <openssl/objects.h>
2003-01-28 21:43:22 +00:00
# include <openssl/ocsp.h>
2000-01-10 06:22:05 +00:00
# include <openssl/pem.h>
# ifndef W_OK
2003-01-28 21:43:22 +00:00
# ifdef OPENSSL_SYS_VMS
2000-01-10 06:22:05 +00:00
# if defined(__DECC)
# include <unistd.h>
# else
# include <unixlib.h>
# endif
2006-07-29 19:10:21 +00:00
# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
2000-01-10 06:22:05 +00:00
# include <sys / file.h>
# endif
# endif
2003-01-28 21:43:22 +00:00
# include "apps.h"
2000-01-10 06:22:05 +00:00
# ifndef W_OK
# define F_OK 0
# define X_OK 1
# define W_OK 2
# define R_OK 4
# endif
# undef PROG
# define PROG ca_main
# define BASE_SECTION "ca"
# define CONFIG_FILE "openssl.cnf"
# define ENV_DEFAULT_CA "default_ca"
2006-07-29 19:10:21 +00:00
# define STRING_MASK "string_mask"
# define UTF8_IN "utf8"
2000-01-10 06:22:05 +00:00
# define ENV_DIR "dir"
# define ENV_CERTS "certs"
# define ENV_CRL_DIR "crl_dir"
# define ENV_CA_DB "CA_DB"
# define ENV_NEW_CERTS_DIR "new_certs_dir"
# define ENV_CERTIFICATE "certificate"
# define ENV_SERIAL "serial"
2004-03-17 15:49:33 +00:00
# define ENV_CRLNUMBER "crlnumber"
2000-01-10 06:22:05 +00:00
# define ENV_CRL "crl"
# define ENV_PRIVATE_KEY "private_key"
# define ENV_RANDFILE "RANDFILE"
# define ENV_DEFAULT_DAYS "default_days"
# define ENV_DEFAULT_STARTDATE "default_startdate"
# define ENV_DEFAULT_ENDDATE "default_enddate"
# define ENV_DEFAULT_CRL_DAYS "default_crl_days"
# define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
# define ENV_DEFAULT_MD "default_md"
2003-01-28 21:43:22 +00:00
# define ENV_DEFAULT_EMAIL_DN "email_in_dn"
2000-01-10 06:22:05 +00:00
# define ENV_PRESERVE "preserve"
# define ENV_POLICY "policy"
# define ENV_EXTENSIONS "x509_extensions"
# define ENV_CRLEXT "crl_extensions"
# define ENV_MSIE_HACK "msie_hack"
2003-01-28 21:43:22 +00:00
# define ENV_NAMEOPT "name_opt"
# define ENV_CERTOPT "cert_opt"
# define ENV_EXTCOPY "copy_extensions"
2006-07-29 19:10:21 +00:00
# define ENV_UNIQUE_SUBJECT "unique_subject"
2000-01-10 06:22:05 +00:00
# define ENV_DATABASE "database"
2003-01-28 21:43:22 +00:00
/* Additional revocation information types */
# define REV_NONE 0 /* No addditional information */
# define REV_CRL_REASON 1 /* Value is CRL reason code */
# define REV_HOLD 2 /* Value is hold instruction */
# define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
# define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
2006-07-29 19:10:21 +00:00
static const char * ca_usage [ ] = {
2000-01-10 06:22:05 +00:00
" usage: ca args \n " ,
" \n " ,
" -verbose - Talk alot while doing things \n " ,
" -config file - A config file \n " ,
" -name arg - The particular CA definition to use \n " ,
" -gencrl - Generate a new CRL \n " ,
" -crldays days - Days is when the next CRL is due \n " ,
" -crlhours hours - Hours is when the next CRL is due \n " ,
2000-04-13 06:33:22 +00:00
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore \n " ,
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days) \n " ,
2000-01-10 06:22:05 +00:00
" -days arg - number of days to certify the certificate for \n " ,
" -md arg - md to use, one of md2, md5, sha or sha1 \n " ,
" -policy arg - The CA 'policy' to support \n " ,
2003-01-28 21:43:22 +00:00
" -keyfile arg - private key file \n " ,
" -keyform arg - private key file format (PEM or ENGINE) \n " ,
2000-01-10 06:22:05 +00:00
" -key arg - key to decode the private key if it is encrypted \n " ,
" -cert file - The CA certificate \n " ,
2006-07-29 19:10:21 +00:00
" -selfsign - sign a certificate with the key associated with it \n " ,
2000-01-10 06:22:05 +00:00
" -in file - The input PEM encoded certificate request(s) \n " ,
" -out file - Where to put the output file(s) \n " ,
" -outdir dir - Where to put output certificates \n " ,
" -infiles .... - The last argument, requests to process \n " ,
" -spkac file - File contains DN and signed public key and challenge \n " ,
" -ss_cert file - File contains a self signed cert to sign \n " ,
" -preserveDN - Don't re-order the DN \n " ,
2003-01-28 21:43:22 +00:00
" -noemailDN - Don't add the EMAIL field into certificate' subject \n " ,
2000-01-10 06:22:05 +00:00
" -batch - Don't ask questions \n " ,
" -msie_hack - msie modifications to handle all those universal strings \n " ,
" -revoke file - Revoke a certificate (given in file) \n " ,
2003-01-28 21:43:22 +00:00
" -subj arg - Use arg instead of request's subject \n " ,
2006-07-29 19:10:21 +00:00
" -utf8 - input characters are UTF8 (default ASCII) \n " ,
" -multivalue-rdn - enable support for multivalued RDNs \n " ,
2000-04-13 06:33:22 +00:00
" -extensions .. - Extension section (override value in config file) \n " ,
2003-01-28 21:43:22 +00:00
" -extfile file - Configuration file with X509v3 extentions to add \n " ,
2000-04-13 06:33:22 +00:00
" -crlexts .. - CRL extension section (override value in config file) \n " ,
2003-02-19 23:17:42 +00:00
# ifndef OPENSSL_NO_ENGINE
2003-01-28 21:43:22 +00:00
" -engine e - use engine e, possibly a hardware device. \n " ,
2003-02-19 23:17:42 +00:00
# endif
2003-01-28 21:43:22 +00:00
" -status serial - Shows certificate status given the serial number \n " ,
" -updatedb - Updates db for expired certificates \n " ,
2000-01-10 06:22:05 +00:00
NULL
} ;
# ifdef EFENCE
extern int EF_PROTECT_FREE ;
extern int EF_PROTECT_BELOW ;
extern int EF_ALIGNMENT ;
# endif
2006-07-29 19:10:21 +00:00
static void lookup_fail ( const char * name , const char * tag ) ;
2000-01-10 06:22:05 +00:00
static int certify ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
2004-03-17 15:49:33 +00:00
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy , CA_DB * db ,
2006-07-29 19:10:21 +00:00
BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn , char * startdate ,
2003-01-28 21:43:22 +00:00
char * enddate , long days , int batch , char * ext_sect , CONF * conf ,
int verbose , unsigned long certopt , unsigned long nameopt ,
2006-07-29 19:10:21 +00:00
int default_op , int ext_copy , int selfsign ) ;
2000-01-10 06:22:05 +00:00
static int certify_cert ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy ,
2006-07-29 19:10:21 +00:00
CA_DB * db , BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn ,
2003-01-28 21:43:22 +00:00
char * startdate , char * enddate , long days , int batch ,
char * ext_sect , CONF * conf , int verbose , unsigned long certopt ,
unsigned long nameopt , int default_op , int ext_copy ,
ENGINE * e ) ;
2000-01-10 06:22:05 +00:00
static int certify_spkac ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy ,
2006-07-29 19:10:21 +00:00
CA_DB * db , BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn ,
2003-01-28 21:43:22 +00:00
char * startdate , char * enddate , long days , char * ext_sect ,
CONF * conf , int verbose , unsigned long certopt ,
unsigned long nameopt , int default_op , int ext_copy ) ;
2000-01-10 06:22:05 +00:00
static int fix_data ( int nid , int * type ) ;
2000-04-13 06:33:22 +00:00
static void write_new_certificate ( BIO * bp , X509 * x , int output_der , int notext ) ;
2000-01-10 06:22:05 +00:00
static int do_body ( X509 * * xret , EVP_PKEY * pkey , X509 * x509 , const EVP_MD * dgst ,
2006-07-29 19:10:21 +00:00
STACK_OF ( CONF_VALUE ) * policy , CA_DB * db , BIGNUM * serial , char * subj , unsigned long chtype , int multirdn ,
2003-01-28 21:43:22 +00:00
int email_dn , char * startdate , char * enddate , long days , int batch ,
int verbose , X509_REQ * req , char * ext_sect , CONF * conf ,
unsigned long certopt , unsigned long nameopt , int default_op ,
2006-07-29 19:10:21 +00:00
int ext_copy , int selfsign ) ;
2004-03-17 15:49:33 +00:00
static int do_revoke ( X509 * x509 , CA_DB * db , int ext , char * extval ) ;
static int get_certificate_status ( const char * ser_status , CA_DB * db ) ;
static int do_updatedb ( CA_DB * db ) ;
2000-01-10 06:22:05 +00:00
static int check_time_format ( char * str ) ;
2003-01-28 21:43:22 +00:00
char * make_revocation_str ( int rev_type , char * rev_arg ) ;
2006-07-29 19:10:21 +00:00
int make_revoked ( X509_REVOKED * rev , const char * str ) ;
2003-01-28 21:43:22 +00:00
int old_entry_print ( BIO * bp , ASN1_OBJECT * obj , ASN1_STRING * str ) ;
static CONF * conf = NULL ;
static CONF * extconf = NULL ;
2000-01-10 06:22:05 +00:00
static char * section = NULL ;
static int preserve = 0 ;
static int msie_hack = 0 ;
2003-01-28 21:43:22 +00:00
2000-04-13 06:33:22 +00:00
int MAIN ( int , char * * ) ;
2000-01-10 06:22:05 +00:00
int MAIN ( int argc , char * * argv )
{
2003-01-28 21:43:22 +00:00
ENGINE * e = NULL ;
2000-11-13 01:03:58 +00:00
char * key = NULL , * passargin = NULL ;
2005-02-25 05:39:05 +00:00
int create_ser = 0 ;
2003-01-28 21:43:22 +00:00
int free_key = 0 ;
2000-01-10 06:22:05 +00:00
int total = 0 ;
int total_done = 0 ;
int badops = 0 ;
int ret = 1 ;
2003-01-28 21:43:22 +00:00
int email_dn = 1 ;
2000-01-10 06:22:05 +00:00
int req = 0 ;
int verbose = 0 ;
int gencrl = 0 ;
int dorevoke = 0 ;
2003-01-28 21:43:22 +00:00
int doupdatedb = 0 ;
2000-01-10 06:22:05 +00:00
long crldays = 0 ;
long crlhours = 0 ;
long errorline = - 1 ;
char * configfile = NULL ;
char * md = NULL ;
char * policy = NULL ;
char * keyfile = NULL ;
char * certfile = NULL ;
2003-01-28 21:43:22 +00:00
int keyform = FORMAT_PEM ;
2000-01-10 06:22:05 +00:00
char * infile = NULL ;
char * spkac_file = NULL ;
char * ss_cert_file = NULL ;
2003-01-28 21:43:22 +00:00
char * ser_status = NULL ;
2000-01-10 06:22:05 +00:00
EVP_PKEY * pkey = NULL ;
int output_der = 0 ;
char * outfile = NULL ;
char * outdir = NULL ;
char * serialfile = NULL ;
2004-03-17 15:49:33 +00:00
char * crlnumberfile = NULL ;
2000-01-10 06:22:05 +00:00
char * extensions = NULL ;
2003-01-28 21:43:22 +00:00
char * extfile = NULL ;
char * subj = NULL ;
2006-07-29 19:10:21 +00:00
unsigned long chtype = MBSTRING_ASC ;
int multirdn = 0 ;
2003-01-28 21:43:22 +00:00
char * tmp_email_dn = NULL ;
2000-01-10 06:22:05 +00:00
char * crl_ext = NULL ;
2003-01-28 21:43:22 +00:00
int rev_type = REV_NONE ;
char * rev_arg = NULL ;
2000-01-10 06:22:05 +00:00
BIGNUM * serial = NULL ;
2004-03-17 15:49:33 +00:00
BIGNUM * crlnumber = NULL ;
2000-01-10 06:22:05 +00:00
char * startdate = NULL ;
char * enddate = NULL ;
2003-01-28 21:43:22 +00:00
long days = 0 ;
2000-01-10 06:22:05 +00:00
int batch = 0 ;
2000-04-13 06:33:22 +00:00
int notext = 0 ;
2003-01-28 21:43:22 +00:00
unsigned long nameopt = 0 , certopt = 0 ;
int default_op = 1 ;
int ext_copy = EXT_COPY_NONE ;
2006-07-29 19:10:21 +00:00
int selfsign = 0 ;
X509 * x509 = NULL , * x509p = NULL ;
2000-01-10 06:22:05 +00:00
X509 * x = NULL ;
BIO * in = NULL , * out = NULL , * Sout = NULL , * Cout = NULL ;
char * dbfile = NULL ;
2004-03-17 15:49:33 +00:00
CA_DB * db = NULL ;
2000-01-10 06:22:05 +00:00
X509_CRL * crl = NULL ;
X509_REVOKED * r = NULL ;
2003-01-28 21:43:22 +00:00
ASN1_TIME * tmptm ;
ASN1_INTEGER * tmpser ;
2006-07-29 19:10:21 +00:00
char * f ;
const char * p , * * pp ;
2000-01-10 06:22:05 +00:00
int i , j ;
const EVP_MD * dgst = NULL ;
STACK_OF ( CONF_VALUE ) * attribs = NULL ;
2000-11-13 01:03:58 +00:00
STACK_OF ( X509 ) * cert_sk = NULL ;
2000-01-10 06:22:05 +00:00
# undef BSIZE
# define BSIZE 256
MS_STATIC char buf [ 3 ] [ BSIZE ] ;
2000-04-13 06:33:22 +00:00
char * randfile = NULL ;
2003-02-19 23:17:42 +00:00
# ifndef OPENSSL_NO_ENGINE
2003-01-28 21:43:22 +00:00
char * engine = NULL ;
2003-02-19 23:17:42 +00:00
# endif
2003-01-28 21:43:22 +00:00
char * tofree = NULL ;
2004-03-17 15:49:33 +00:00
DB_ATTR db_attr ;
2000-01-10 06:22:05 +00:00
# ifdef EFENCE
EF_PROTECT_FREE = 1 ;
EF_PROTECT_BELOW = 1 ;
EF_ALIGNMENT = 0 ;
# endif
apps_startup ( ) ;
2000-04-13 06:33:22 +00:00
conf = NULL ;
key = NULL ;
section = NULL ;
2000-01-10 06:22:05 +00:00
preserve = 0 ;
2000-04-13 06:33:22 +00:00
msie_hack = 0 ;
2000-01-10 06:22:05 +00:00
if ( bio_err = = NULL )
if ( ( bio_err = BIO_new ( BIO_s_file ( ) ) ) ! = NULL )
BIO_set_fp ( bio_err , stderr , BIO_NOCLOSE | BIO_FP_TEXT ) ;
argc - - ;
argv + + ;
while ( argc > = 1 )
{
if ( strcmp ( * argv , " -verbose " ) = = 0 )
verbose = 1 ;
else if ( strcmp ( * argv , " -config " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
configfile = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -name " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
section = * ( + + argv ) ;
}
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -subj " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
subj = * ( + + argv ) ;
/* preserve=1; */
}
2006-07-29 19:10:21 +00:00
else if ( strcmp ( * argv , " -utf8 " ) = = 0 )
chtype = MBSTRING_UTF8 ;
else if ( strcmp ( * argv , " -create_serial " ) = = 0 )
create_ser = 1 ;
else if ( strcmp ( * argv , " -multivalue-rdn " ) = = 0 )
multirdn = 1 ;
2000-01-10 06:22:05 +00:00
else if ( strcmp ( * argv , " -startdate " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
startdate = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -enddate " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
enddate = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -days " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
days = atoi ( * ( + + argv ) ) ;
}
else if ( strcmp ( * argv , " -md " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
md = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -policy " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
policy = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -keyfile " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
keyfile = * ( + + argv ) ;
}
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -keyform " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
keyform = str2fmt ( * ( + + argv ) ) ;
}
2000-11-13 01:03:58 +00:00
else if ( strcmp ( * argv , " -passin " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
passargin = * ( + + argv ) ;
}
2000-01-10 06:22:05 +00:00
else if ( strcmp ( * argv , " -key " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
key = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -cert " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
certfile = * ( + + argv ) ;
}
2006-07-29 19:10:21 +00:00
else if ( strcmp ( * argv , " -selfsign " ) = = 0 )
selfsign = 1 ;
2000-01-10 06:22:05 +00:00
else if ( strcmp ( * argv , " -in " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
infile = * ( + + argv ) ;
req = 1 ;
}
else if ( strcmp ( * argv , " -out " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
outfile = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -outdir " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
outdir = * ( + + argv ) ;
}
2000-04-13 06:33:22 +00:00
else if ( strcmp ( * argv , " -notext " ) = = 0 )
notext = 1 ;
2000-01-10 06:22:05 +00:00
else if ( strcmp ( * argv , " -batch " ) = = 0 )
batch = 1 ;
else if ( strcmp ( * argv , " -preserveDN " ) = = 0 )
preserve = 1 ;
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -noemailDN " ) = = 0 )
email_dn = 0 ;
2000-01-10 06:22:05 +00:00
else if ( strcmp ( * argv , " -gencrl " ) = = 0 )
gencrl = 1 ;
else if ( strcmp ( * argv , " -msie_hack " ) = = 0 )
msie_hack = 1 ;
else if ( strcmp ( * argv , " -crldays " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
crldays = atol ( * ( + + argv ) ) ;
}
else if ( strcmp ( * argv , " -crlhours " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
crlhours = atol ( * ( + + argv ) ) ;
}
else if ( strcmp ( * argv , " -infiles " ) = = 0 )
{
argc - - ;
argv + + ;
req = 1 ;
break ;
}
else if ( strcmp ( * argv , " -ss_cert " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
ss_cert_file = * ( + + argv ) ;
req = 1 ;
}
else if ( strcmp ( * argv , " -spkac " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
spkac_file = * ( + + argv ) ;
req = 1 ;
}
else if ( strcmp ( * argv , " -revoke " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
infile = * ( + + argv ) ;
dorevoke = 1 ;
}
2000-04-13 06:33:22 +00:00
else if ( strcmp ( * argv , " -extensions " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
extensions = * ( + + argv ) ;
}
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -extfile " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
extfile = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -status " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
ser_status = * ( + + argv ) ;
}
else if ( strcmp ( * argv , " -updatedb " ) = = 0 )
{
doupdatedb = 1 ;
}
2000-04-13 06:33:22 +00:00
else if ( strcmp ( * argv , " -crlexts " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
crl_ext = * ( + + argv ) ;
}
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -crl_reason " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
rev_arg = * ( + + argv ) ;
rev_type = REV_CRL_REASON ;
}
else if ( strcmp ( * argv , " -crl_hold " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
rev_arg = * ( + + argv ) ;
rev_type = REV_HOLD ;
}
else if ( strcmp ( * argv , " -crl_compromise " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
rev_arg = * ( + + argv ) ;
rev_type = REV_KEY_COMPROMISE ;
}
else if ( strcmp ( * argv , " -crl_CA_compromise " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
rev_arg = * ( + + argv ) ;
rev_type = REV_CA_COMPROMISE ;
}
2003-02-19 23:17:42 +00:00
# ifndef OPENSSL_NO_ENGINE
2003-01-28 21:43:22 +00:00
else if ( strcmp ( * argv , " -engine " ) = = 0 )
{
if ( - - argc < 1 ) goto bad ;
engine = * ( + + argv ) ;
}
2003-02-19 23:17:42 +00:00
# endif
2000-01-10 06:22:05 +00:00
else
{
bad :
BIO_printf ( bio_err , " unknown option %s \n " , * argv ) ;
badops = 1 ;
break ;
}
argc - - ;
argv + + ;
}
if ( badops )
{
for ( pp = ca_usage ; ( * pp ! = NULL ) ; pp + + )
2003-01-28 21:43:22 +00:00
BIO_printf ( bio_err , " %s " , * pp ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
ERR_load_crypto_strings ( ) ;
/*****************************************************************/
2003-01-28 21:43:22 +00:00
tofree = NULL ;
2000-01-10 06:22:05 +00:00
if ( configfile = = NULL ) configfile = getenv ( " OPENSSL_CONF " ) ;
if ( configfile = = NULL ) configfile = getenv ( " SSLEAY_CONF " ) ;
if ( configfile = = NULL )
{
2003-01-28 21:43:22 +00:00
const char * s = X509_get_default_cert_area ( ) ;
2004-03-17 15:49:33 +00:00
size_t len ;
2003-01-28 21:43:22 +00:00
# ifdef OPENSSL_SYS_VMS
2004-03-17 15:49:33 +00:00
len = strlen ( s ) + sizeof ( CONFIG_FILE ) ;
tofree = OPENSSL_malloc ( len ) ;
2003-01-28 21:43:22 +00:00
strcpy ( tofree , s ) ;
2000-01-10 06:22:05 +00:00
# else
2004-03-17 15:49:33 +00:00
len = strlen ( s ) + sizeof ( CONFIG_FILE ) + 1 ;
tofree = OPENSSL_malloc ( len ) ;
BUF_strlcpy ( tofree , s , len ) ;
BUF_strlcat ( tofree , " / " , len ) ;
2000-01-10 06:22:05 +00:00
# endif
2004-03-17 15:49:33 +00:00
BUF_strlcat ( tofree , CONFIG_FILE , len ) ;
2003-01-28 21:43:22 +00:00
configfile = tofree ;
2000-01-10 06:22:05 +00:00
}
BIO_printf ( bio_err , " Using configuration from %s \n " , configfile ) ;
2003-01-28 21:43:22 +00:00
conf = NCONF_new ( NULL ) ;
if ( NCONF_load ( conf , configfile , & errorline ) < = 0 )
2000-01-10 06:22:05 +00:00
{
if ( errorline < = 0 )
BIO_printf ( bio_err , " error loading the config file '%s' \n " ,
configfile ) ;
else
BIO_printf ( bio_err , " error on line %ld of config file '%s' \n "
, errorline , configfile ) ;
goto err ;
}
2003-01-28 21:43:22 +00:00
if ( tofree )
2003-02-19 23:17:42 +00:00
{
2003-01-28 21:43:22 +00:00
OPENSSL_free ( tofree ) ;
2003-02-19 23:17:42 +00:00
tofree = NULL ;
}
2003-01-28 21:43:22 +00:00
if ( ! load_config ( bio_err , conf ) )
goto err ;
2000-01-10 06:22:05 +00:00
2005-02-25 05:39:05 +00:00
# ifndef OPENSSL_NO_ENGINE
e = setup_engine ( bio_err , engine , 0 ) ;
# endif
2000-01-10 06:22:05 +00:00
/* Lets get the config section we are using */
if ( section = = NULL )
{
2003-01-28 21:43:22 +00:00
section = NCONF_get_string ( conf , BASE_SECTION , ENV_DEFAULT_CA ) ;
2000-01-10 06:22:05 +00:00
if ( section = = NULL )
{
lookup_fail ( BASE_SECTION , ENV_DEFAULT_CA ) ;
goto err ;
}
}
if ( conf ! = NULL )
{
2003-01-28 21:43:22 +00:00
p = NCONF_get_string ( conf , NULL , " oid_file " ) ;
if ( p = = NULL )
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
if ( p ! = NULL )
{
BIO * oid_bio ;
oid_bio = BIO_new_file ( p , " r " ) ;
if ( oid_bio = = NULL )
{
/*
BIO_printf ( bio_err , " problems opening %s for extra oid's \n " , p ) ;
ERR_print_errors ( bio_err ) ;
*/
ERR_clear_error ( ) ;
}
else
{
OBJ_create_objects ( oid_bio ) ;
BIO_free ( oid_bio ) ;
}
}
2003-01-28 21:43:22 +00:00
if ( ! add_oid_section ( bio_err , conf ) )
2000-04-13 06:33:22 +00:00
{
2000-01-10 06:22:05 +00:00
ERR_print_errors ( bio_err ) ;
goto err ;
2000-04-13 06:33:22 +00:00
}
2000-01-10 06:22:05 +00:00
}
2003-01-28 21:43:22 +00:00
randfile = NCONF_get_string ( conf , BASE_SECTION , " RANDFILE " ) ;
if ( randfile = = NULL )
ERR_clear_error ( ) ;
2000-04-13 06:33:22 +00:00
app_RAND_load_file ( randfile , bio_err , 0 ) ;
2004-03-17 15:49:33 +00:00
2006-07-29 19:10:21 +00:00
f = NCONF_get_string ( conf , section , STRING_MASK ) ;
if ( ! f )
ERR_clear_error ( ) ;
if ( f & & ! ASN1_STRING_set_default_mask_asc ( f ) ) {
BIO_printf ( bio_err , " Invalid global string mask setting %s \n " , f ) ;
goto err ;
}
if ( chtype ! = MBSTRING_UTF8 ) {
f = NCONF_get_string ( conf , section , UTF8_IN ) ;
if ( ! f )
ERR_clear_error ( ) ;
else if ( ! strcmp ( f , " yes " ) )
chtype = MBSTRING_UTF8 ;
}
2004-03-17 15:49:33 +00:00
db_attr . unique_subject = 1 ;
2006-07-29 19:10:21 +00:00
p = NCONF_get_string ( conf , section , ENV_UNIQUE_SUBJECT ) ;
2004-03-17 15:49:33 +00:00
if ( p )
{
# ifdef RL_DEBUG
BIO_printf ( bio_err , " DEBUG: unique_subject = \" %s \" \n " , p ) ;
# endif
2006-07-29 19:10:21 +00:00
db_attr . unique_subject = parse_yesno ( p , 1 ) ;
2004-03-17 15:49:33 +00:00
}
else
2005-02-25 05:39:05 +00:00
ERR_clear_error ( ) ;
# ifdef RL_DEBUG
if ( ! p )
2004-03-17 15:49:33 +00:00
BIO_printf ( bio_err , " DEBUG: unique_subject undefined \n " , p ) ;
# endif
# ifdef RL_DEBUG
BIO_printf ( bio_err , " DEBUG: configured unique_subject is %d \n " ,
db_attr . unique_subject ) ;
# endif
2000-04-13 06:33:22 +00:00
2000-01-10 06:22:05 +00:00
in = BIO_new ( BIO_s_file ( ) ) ;
out = BIO_new ( BIO_s_file ( ) ) ;
Sout = BIO_new ( BIO_s_file ( ) ) ;
Cout = BIO_new ( BIO_s_file ( ) ) ;
if ( ( in = = NULL ) | | ( out = = NULL ) | | ( Sout = = NULL ) | | ( Cout = = NULL ) )
{
ERR_print_errors ( bio_err ) ;
goto err ;
}
/*****************************************************************/
2003-01-28 21:43:22 +00:00
/* report status of cert with serial number given on command line */
if ( ser_status )
{
if ( ( dbfile = NCONF_get_string ( conf , section , ENV_DATABASE ) ) = = NULL )
{
lookup_fail ( section , ENV_DATABASE ) ;
goto err ;
}
2004-03-17 15:49:33 +00:00
db = load_index ( dbfile , & db_attr ) ;
2003-01-28 21:43:22 +00:00
if ( db = = NULL ) goto err ;
2004-03-17 15:49:33 +00:00
if ( ! index_index ( db ) ) goto err ;
2003-01-28 21:43:22 +00:00
if ( get_certificate_status ( ser_status , db ) ! = 1 )
BIO_printf ( bio_err , " Error verifying serial %s! \n " ,
ser_status ) ;
goto err ;
}
/*****************************************************************/
2006-07-29 19:10:21 +00:00
/* we definitely need a private key, so let's get it */
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
if ( ( keyfile = = NULL ) & & ( ( keyfile = NCONF_get_string ( conf ,
2000-01-10 06:22:05 +00:00
section , ENV_PRIVATE_KEY ) ) = = NULL ) )
{
lookup_fail ( section , ENV_PRIVATE_KEY ) ;
goto err ;
}
2003-01-28 21:43:22 +00:00
if ( ! key )
2000-01-10 06:22:05 +00:00
{
2003-01-28 21:43:22 +00:00
free_key = 1 ;
if ( ! app_passwd ( bio_err , passargin , NULL , & key , NULL ) )
{
BIO_printf ( bio_err , " Error getting password \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
}
2003-01-28 21:43:22 +00:00
pkey = load_key ( bio_err , keyfile , keyform , 0 , key , e ,
" CA private key " ) ;
if ( key ) OPENSSL_cleanse ( key , strlen ( key ) ) ;
2000-01-10 06:22:05 +00:00
if ( pkey = = NULL )
{
2003-01-28 21:43:22 +00:00
/* load_key() has already printed an appropriate message */
2000-01-10 06:22:05 +00:00
goto err ;
}
/*****************************************************************/
/* we need a certificate */
2006-07-29 19:10:21 +00:00
if ( ! selfsign | | spkac_file | | ss_cert_file | | gencrl )
2000-01-10 06:22:05 +00:00
{
2006-07-29 19:10:21 +00:00
if ( ( certfile = = NULL )
& & ( ( certfile = NCONF_get_string ( conf ,
section , ENV_CERTIFICATE ) ) = = NULL ) )
{
lookup_fail ( section , ENV_CERTIFICATE ) ;
goto err ;
}
x509 = load_cert ( bio_err , certfile , FORMAT_PEM , NULL , e ,
" CA certificate " ) ;
if ( x509 = = NULL )
goto err ;
2000-01-10 06:22:05 +00:00
2006-07-29 19:10:21 +00:00
if ( ! X509_check_private_key ( x509 , pkey ) )
{
BIO_printf ( bio_err , " CA certificate and CA private key do not match \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
}
2006-07-29 19:10:21 +00:00
if ( ! selfsign ) x509p = x509 ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
f = NCONF_get_string ( conf , BASE_SECTION , ENV_PRESERVE ) ;
if ( f = = NULL )
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
if ( ( f ! = NULL ) & & ( ( * f = = ' y ' ) | | ( * f = = ' Y ' ) ) )
preserve = 1 ;
2003-01-28 21:43:22 +00:00
f = NCONF_get_string ( conf , BASE_SECTION , ENV_MSIE_HACK ) ;
if ( f = = NULL )
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
if ( ( f ! = NULL ) & & ( ( * f = = ' y ' ) | | ( * f = = ' Y ' ) ) )
msie_hack = 1 ;
2003-01-28 21:43:22 +00:00
f = NCONF_get_string ( conf , section , ENV_NAMEOPT ) ;
if ( f )
{
if ( ! set_name_ex ( & nameopt , f ) )
{
BIO_printf ( bio_err , " Invalid name options: \" %s \" \n " , f ) ;
goto err ;
}
default_op = 0 ;
}
else
ERR_clear_error ( ) ;
f = NCONF_get_string ( conf , section , ENV_CERTOPT ) ;
if ( f )
{
if ( ! set_cert_ex ( & certopt , f ) )
{
BIO_printf ( bio_err , " Invalid certificate options: \" %s \" \n " , f ) ;
goto err ;
}
default_op = 0 ;
}
else
ERR_clear_error ( ) ;
f = NCONF_get_string ( conf , section , ENV_EXTCOPY ) ;
if ( f )
{
if ( ! set_ext_copy ( & ext_copy , f ) )
{
BIO_printf ( bio_err , " Invalid extension copy option: \" %s \" \n " , f ) ;
goto err ;
}
}
else
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
/*****************************************************************/
/* lookup where to write new certificates */
if ( ( outdir = = NULL ) & & ( req ) )
{
struct stat sb ;
2003-01-28 21:43:22 +00:00
if ( ( outdir = NCONF_get_string ( conf , section , ENV_NEW_CERTS_DIR ) )
2000-01-10 06:22:05 +00:00
= = NULL )
{
BIO_printf ( bio_err , " there needs to be defined a directory for new certificate to be placed in \n " ) ;
goto err ;
}
2003-01-28 21:43:22 +00:00
# ifndef OPENSSL_SYS_VMS
/* outdir is a directory spec, but access() for VMS demands a
2000-04-13 06:33:22 +00:00
filename . In any case , stat ( ) , below , will catch the problem
if outdir is not a directory spec , and the fopen ( ) or open ( )
will catch an error if there is no write access .
Presumably , this problem could also be solved by using the DEC
C routines to convert the directory syntax to Unixly , and give
that to access ( ) . However , time ' s too short to do that just
now .
2003-01-28 21:43:22 +00:00
*/
2000-01-10 06:22:05 +00:00
if ( access ( outdir , R_OK | W_OK | X_OK ) ! = 0 )
{
2000-04-13 06:33:22 +00:00
BIO_printf ( bio_err , " I am unable to access the %s directory \n " , outdir ) ;
2000-01-10 06:22:05 +00:00
perror ( outdir ) ;
goto err ;
}
if ( stat ( outdir , & sb ) ! = 0 )
{
BIO_printf ( bio_err , " unable to stat(%s) \n " , outdir ) ;
perror ( outdir ) ;
goto err ;
}
2000-04-13 06:33:22 +00:00
# ifdef S_IFDIR
2000-01-10 06:22:05 +00:00
if ( ! ( sb . st_mode & S_IFDIR ) )
{
BIO_printf ( bio_err , " %s need to be a directory \n " , outdir ) ;
perror ( outdir ) ;
goto err ;
}
2000-04-13 06:33:22 +00:00
# endif
# endif
2000-01-10 06:22:05 +00:00
}
/*****************************************************************/
/* we need to load the database file */
2003-01-28 21:43:22 +00:00
if ( ( dbfile = NCONF_get_string ( conf , section , ENV_DATABASE ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
lookup_fail ( section , ENV_DATABASE ) ;
goto err ;
}
2004-03-17 15:49:33 +00:00
db = load_index ( dbfile , & db_attr ) ;
2000-01-10 06:22:05 +00:00
if ( db = = NULL ) goto err ;
/* Lets check some fields */
2004-03-17 15:49:33 +00:00
for ( i = 0 ; i < sk_num ( db - > db - > data ) ; i + + )
2000-01-10 06:22:05 +00:00
{
2006-07-29 19:10:21 +00:00
pp = ( const char * * ) sk_value ( db - > db - > data , i ) ;
2000-01-10 06:22:05 +00:00
if ( ( pp [ DB_type ] [ 0 ] ! = DB_TYPE_REV ) & &
( pp [ DB_rev_date ] [ 0 ] ! = ' \0 ' ) )
{
BIO_printf ( bio_err , " entry %d: not revoked yet, but has a revocation date \n " , i + 1 ) ;
goto err ;
}
if ( ( pp [ DB_type ] [ 0 ] = = DB_TYPE_REV ) & &
2003-01-28 21:43:22 +00:00
! make_revoked ( NULL , pp [ DB_rev_date ] ) )
2000-01-10 06:22:05 +00:00
{
2003-01-28 21:43:22 +00:00
BIO_printf ( bio_err , " in entry %d \n " , i + 1 ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2006-07-29 19:10:21 +00:00
if ( ! check_time_format ( ( char * ) pp [ DB_exp_date ] ) )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " entry %d: invalid expiry date \n " , i + 1 ) ;
goto err ;
}
p = pp [ DB_serial ] ;
j = strlen ( p ) ;
2003-01-28 21:43:22 +00:00
if ( * p = = ' - ' )
{
p + + ;
j - - ;
}
2000-01-10 06:22:05 +00:00
if ( ( j & 1 ) | | ( j < 2 ) )
{
BIO_printf ( bio_err , " entry %d: bad serial number length (%d) \n " , i + 1 , j ) ;
goto err ;
}
while ( * p )
{
if ( ! ( ( ( * p > = ' 0 ' ) & & ( * p < = ' 9 ' ) ) | |
( ( * p > = ' A ' ) & & ( * p < = ' F ' ) ) | |
( ( * p > = ' a ' ) & & ( * p < = ' f ' ) ) ) )
{
BIO_printf ( bio_err , " entry %d: bad serial number characters, char pos %ld, char is '%c' \n " , i + 1 , ( long ) ( p - pp [ DB_serial ] ) , * p ) ;
goto err ;
}
p + + ;
}
}
if ( verbose )
{
BIO_set_fp ( out , stdout , BIO_NOCLOSE | BIO_FP_TEXT ) ; /* cannot fail */
2003-01-28 21:43:22 +00:00
# ifdef OPENSSL_SYS_VMS
2000-11-13 01:03:58 +00:00
{
BIO * tmpbio = BIO_new ( BIO_f_linebuffer ( ) ) ;
out = BIO_push ( tmpbio , out ) ;
}
# endif
2004-03-17 15:49:33 +00:00
TXT_DB_write ( out , db - > db ) ;
2000-01-10 06:22:05 +00:00
BIO_printf ( bio_err , " %d entries loaded from the database \n " ,
2004-03-17 15:49:33 +00:00
db - > db - > data - > num ) ;
2000-04-13 06:33:22 +00:00
BIO_printf ( bio_err , " generating index \n " ) ;
2000-01-10 06:22:05 +00:00
}
2004-03-17 15:49:33 +00:00
if ( ! index_index ( db ) ) goto err ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
/*****************************************************************/
/* Update the db file for expired certificates */
if ( doupdatedb )
{
if ( verbose )
BIO_printf ( bio_err , " Updating %s ... \n " ,
dbfile ) ;
i = do_updatedb ( db ) ;
if ( i = = - 1 )
{
BIO_printf ( bio_err , " Malloc failure \n " ) ;
goto err ;
}
else if ( i = = 0 )
{
if ( verbose ) BIO_printf ( bio_err ,
" No entries found to mark expired \n " ) ;
}
else
{
2004-03-17 15:49:33 +00:00
if ( ! save_index ( dbfile , " new " , db ) ) goto err ;
if ( ! rotate_index ( dbfile , " new " , " old " ) ) goto err ;
2003-01-28 21:43:22 +00:00
if ( verbose ) BIO_printf ( bio_err ,
" Done. %d entries marked as expired \n " , i ) ;
}
}
/*****************************************************************/
/* Read extentions config file */
if ( extfile )
{
extconf = NCONF_new ( NULL ) ;
if ( NCONF_load ( extconf , extfile , & errorline ) < = 0 )
{
if ( errorline < = 0 )
BIO_printf ( bio_err , " ERROR: loading the config file '%s' \n " ,
extfile ) ;
else
BIO_printf ( bio_err , " ERROR: on line %ld of config file '%s' \n " ,
errorline , extfile ) ;
ret = 1 ;
goto err ;
}
if ( verbose )
BIO_printf ( bio_err , " Successfully loaded extensions file %s \n " , extfile ) ;
/* We can have sections in the ext file */
if ( ! extensions & & ! ( extensions = NCONF_get_string ( extconf , " default " , " extensions " ) ) )
extensions = " default " ;
}
2000-01-10 06:22:05 +00:00
/*****************************************************************/
if ( req | | gencrl )
{
if ( outfile ! = NULL )
{
if ( BIO_write_filename ( Sout , outfile ) < = 0 )
{
perror ( outfile ) ;
goto err ;
}
}
else
2000-11-13 01:03:58 +00:00
{
2000-01-10 06:22:05 +00:00
BIO_set_fp ( Sout , stdout , BIO_NOCLOSE | BIO_FP_TEXT ) ;
2003-01-28 21:43:22 +00:00
# ifdef OPENSSL_SYS_VMS
2000-11-13 01:03:58 +00:00
{
BIO * tmpbio = BIO_new ( BIO_f_linebuffer ( ) ) ;
Sout = BIO_push ( tmpbio , Sout ) ;
}
# endif
}
2000-01-10 06:22:05 +00:00
}
2006-07-29 19:10:21 +00:00
if ( ( md = = NULL ) & & ( ( md = NCONF_get_string ( conf ,
section , ENV_DEFAULT_MD ) ) = = NULL ) )
{
lookup_fail ( section , ENV_DEFAULT_MD ) ;
goto err ;
}
if ( ( dgst = EVP_get_digestbyname ( md ) ) = = NULL )
{
BIO_printf ( bio_err , " %s is an unsupported message digest type \n " , md ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
if ( req )
{
2003-01-28 21:43:22 +00:00
if ( ( email_dn = = 1 ) & & ( ( tmp_email_dn = NCONF_get_string ( conf ,
section , ENV_DEFAULT_EMAIL_DN ) ) ! = NULL ) )
{
if ( strcmp ( tmp_email_dn , " no " ) = = 0 )
email_dn = 0 ;
}
2000-01-10 06:22:05 +00:00
if ( verbose )
BIO_printf ( bio_err , " message digest is %s \n " ,
OBJ_nid2ln ( dgst - > type ) ) ;
2003-01-28 21:43:22 +00:00
if ( ( policy = = NULL ) & & ( ( policy = NCONF_get_string ( conf ,
2000-01-10 06:22:05 +00:00
section , ENV_POLICY ) ) = = NULL ) )
{
lookup_fail ( section , ENV_POLICY ) ;
goto err ;
}
if ( verbose )
BIO_printf ( bio_err , " policy is %s \n " , policy ) ;
2003-01-28 21:43:22 +00:00
if ( ( serialfile = NCONF_get_string ( conf , section , ENV_SERIAL ) )
2000-01-10 06:22:05 +00:00
= = NULL )
{
lookup_fail ( section , ENV_SERIAL ) ;
goto err ;
}
2003-01-28 21:43:22 +00:00
if ( ! extconf )
{
/* no '-extfile' option, so we look for extensions
* in the main configuration file */
if ( ! extensions )
{
extensions = NCONF_get_string ( conf , section ,
ENV_EXTENSIONS ) ;
if ( ! extensions )
ERR_clear_error ( ) ;
}
if ( extensions )
{
/* Check syntax of file */
X509V3_CTX ctx ;
X509V3_set_ctx_test ( & ctx ) ;
X509V3_set_nconf ( & ctx , conf ) ;
if ( ! X509V3_EXT_add_nconf ( conf , & ctx , extensions ,
NULL ) )
{
BIO_printf ( bio_err ,
" Error Loading extension section %s \n " ,
2000-01-10 06:22:05 +00:00
extensions ) ;
2003-01-28 21:43:22 +00:00
ret = 1 ;
goto err ;
}
}
2000-01-10 06:22:05 +00:00
}
if ( startdate = = NULL )
{
2003-01-28 21:43:22 +00:00
startdate = NCONF_get_string ( conf , section ,
2000-01-10 06:22:05 +00:00
ENV_DEFAULT_STARTDATE ) ;
2003-01-28 21:43:22 +00:00
if ( startdate = = NULL )
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
}
if ( startdate & & ! ASN1_UTCTIME_set_string ( NULL , startdate ) )
{
BIO_printf ( bio_err , " start date is invalid, it should be YYMMDDHHMMSSZ \n " ) ;
goto err ;
}
if ( startdate = = NULL ) startdate = " today " ;
if ( enddate = = NULL )
{
2003-01-28 21:43:22 +00:00
enddate = NCONF_get_string ( conf , section ,
2000-01-10 06:22:05 +00:00
ENV_DEFAULT_ENDDATE ) ;
2003-01-28 21:43:22 +00:00
if ( enddate = = NULL )
ERR_clear_error ( ) ;
2000-01-10 06:22:05 +00:00
}
if ( enddate & & ! ASN1_UTCTIME_set_string ( NULL , enddate ) )
{
BIO_printf ( bio_err , " end date is invalid, it should be YYMMDDHHMMSSZ \n " ) ;
goto err ;
}
if ( days = = 0 )
{
2003-01-28 21:43:22 +00:00
if ( ! NCONF_get_number ( conf , section , ENV_DEFAULT_DAYS , & days ) )
days = 0 ;
2000-01-10 06:22:05 +00:00
}
if ( ! enddate & & ( days = = 0 ) )
{
BIO_printf ( bio_err , " cannot lookup how many days to certify for \n " ) ;
goto err ;
}
2005-02-25 05:39:05 +00:00
if ( ( serial = load_serial ( serialfile , create_ser , NULL ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " error while loading serial number \n " ) ;
goto err ;
}
if ( verbose )
{
2003-01-28 21:43:22 +00:00
if ( BN_is_zero ( serial ) )
BIO_printf ( bio_err , " next serial number is 00 \n " ) ;
else
{
if ( ( f = BN_bn2hex ( serial ) ) = = NULL ) goto err ;
BIO_printf ( bio_err , " next serial number is %s \n " , f ) ;
OPENSSL_free ( f ) ;
}
2000-01-10 06:22:05 +00:00
}
2003-01-28 21:43:22 +00:00
if ( ( attribs = NCONF_get_section ( conf , policy ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " unable to find 'section' for %s \n " , policy ) ;
goto err ;
}
2000-11-13 01:03:58 +00:00
if ( ( cert_sk = sk_X509_new_null ( ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
if ( spkac_file ! = NULL )
{
total + + ;
j = certify_spkac ( & x , spkac_file , pkey , x509 , dgst , attribs , db ,
2006-07-29 19:10:21 +00:00
serial , subj , chtype , multirdn , email_dn , startdate , enddate , days , extensions ,
2003-01-28 21:43:22 +00:00
conf , verbose , certopt , nameopt , default_op , ext_copy ) ;
2000-01-10 06:22:05 +00:00
if ( j < 0 ) goto err ;
if ( j > 0 )
{
total_done + + ;
BIO_printf ( bio_err , " \n " ) ;
if ( ! BN_add_word ( serial , 1 ) ) goto err ;
2000-11-13 01:03:58 +00:00
if ( ! sk_X509_push ( cert_sk , x ) )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
if ( outfile )
{
output_der = 1 ;
batch = 1 ;
}
}
}
if ( ss_cert_file ! = NULL )
{
total + + ;
j = certify_cert ( & x , ss_cert_file , pkey , x509 , dgst , attribs ,
2006-07-29 19:10:21 +00:00
db , serial , subj , chtype , multirdn , email_dn , startdate , enddate , days , batch ,
2003-01-28 21:43:22 +00:00
extensions , conf , verbose , certopt , nameopt ,
default_op , ext_copy , e ) ;
2000-01-10 06:22:05 +00:00
if ( j < 0 ) goto err ;
if ( j > 0 )
{
total_done + + ;
BIO_printf ( bio_err , " \n " ) ;
if ( ! BN_add_word ( serial , 1 ) ) goto err ;
2000-11-13 01:03:58 +00:00
if ( ! sk_X509_push ( cert_sk , x ) )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
}
}
if ( infile ! = NULL )
{
total + + ;
2006-07-29 19:10:21 +00:00
j = certify ( & x , infile , pkey , x509p , dgst , attribs , db ,
serial , subj , chtype , multirdn , email_dn , startdate , enddate , days , batch ,
2003-01-28 21:43:22 +00:00
extensions , conf , verbose , certopt , nameopt ,
2006-07-29 19:10:21 +00:00
default_op , ext_copy , selfsign ) ;
2000-01-10 06:22:05 +00:00
if ( j < 0 ) goto err ;
if ( j > 0 )
{
total_done + + ;
BIO_printf ( bio_err , " \n " ) ;
if ( ! BN_add_word ( serial , 1 ) ) goto err ;
2000-11-13 01:03:58 +00:00
if ( ! sk_X509_push ( cert_sk , x ) )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
}
}
for ( i = 0 ; i < argc ; i + + )
{
total + + ;
2006-07-29 19:10:21 +00:00
j = certify ( & x , argv [ i ] , pkey , x509p , dgst , attribs , db ,
serial , subj , chtype , multirdn , email_dn , startdate , enddate , days , batch ,
2003-01-28 21:43:22 +00:00
extensions , conf , verbose , certopt , nameopt ,
2006-07-29 19:10:21 +00:00
default_op , ext_copy , selfsign ) ;
2000-01-10 06:22:05 +00:00
if ( j < 0 ) goto err ;
if ( j > 0 )
{
total_done + + ;
BIO_printf ( bio_err , " \n " ) ;
if ( ! BN_add_word ( serial , 1 ) ) goto err ;
2000-11-13 01:03:58 +00:00
if ( ! sk_X509_push ( cert_sk , x ) )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
}
}
/* we have a stack of newly certified certificates
* and a data base and serial number that need
* updating */
2000-11-13 01:03:58 +00:00
if ( sk_X509_num ( cert_sk ) > 0 )
2000-01-10 06:22:05 +00:00
{
if ( ! batch )
{
BIO_printf ( bio_err , " \n %d out of %d certificate requests certified, commit? [y/n] " , total_done , total ) ;
( void ) BIO_flush ( bio_err ) ;
buf [ 0 ] [ 0 ] = ' \0 ' ;
fgets ( buf [ 0 ] , 10 , stdin ) ;
if ( ( buf [ 0 ] [ 0 ] ! = ' y ' ) & & ( buf [ 0 ] [ 0 ] ! = ' Y ' ) )
{
BIO_printf ( bio_err , " CERTIFICATION CANCELED \n " ) ;
ret = 0 ;
goto err ;
}
}
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Write out database with %d new entries \n " , sk_X509_num ( cert_sk ) ) ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( ! save_serial ( serialfile , " new " , serial , NULL ) ) goto err ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( ! save_index ( dbfile , " new " , db ) ) goto err ;
2000-01-10 06:22:05 +00:00
}
if ( verbose )
BIO_printf ( bio_err , " writing new certificates \n " ) ;
2000-11-13 01:03:58 +00:00
for ( i = 0 ; i < sk_X509_num ( cert_sk ) ; i + + )
2000-01-10 06:22:05 +00:00
{
int k ;
2004-03-17 15:49:33 +00:00
char * n ;
2000-01-10 06:22:05 +00:00
2000-11-13 01:03:58 +00:00
x = sk_X509_value ( cert_sk , i ) ;
2000-01-10 06:22:05 +00:00
j = x - > cert_info - > serialNumber - > length ;
2006-07-29 19:10:21 +00:00
p = ( const char * ) x - > cert_info - > serialNumber - > data ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
if ( strlen ( outdir ) > = ( size_t ) ( j ? BSIZE - j * 2 - 6 : BSIZE - 8 ) )
{
BIO_printf ( bio_err , " certificate file name too long \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
strcpy ( buf [ 2 ] , outdir ) ;
# ifndef OPENSSL_SYS_VMS
2004-03-17 15:49:33 +00:00
BUF_strlcat ( buf [ 2 ] , " / " , sizeof ( buf [ 2 ] ) ) ;
2000-01-10 06:22:05 +00:00
# endif
2004-03-17 15:49:33 +00:00
n = ( char * ) & ( buf [ 2 ] [ strlen ( buf [ 2 ] ) ] ) ;
2000-01-10 06:22:05 +00:00
if ( j > 0 )
{
for ( k = 0 ; k < j ; k + + )
{
2004-03-17 15:49:33 +00:00
if ( n > = & ( buf [ 2 ] [ sizeof ( buf [ 2 ] ) ] ) )
break ;
BIO_snprintf ( n ,
& buf [ 2 ] [ 0 ] + sizeof ( buf [ 2 ] ) - n ,
" %02X " , ( unsigned char ) * ( p + + ) ) ;
2000-01-10 06:22:05 +00:00
n + = 2 ;
}
}
else
{
* ( n + + ) = ' 0 ' ;
* ( n + + ) = ' 0 ' ;
}
* ( n + + ) = ' . ' ; * ( n + + ) = ' p ' ; * ( n + + ) = ' e ' ; * ( n + + ) = ' m ' ;
* n = ' \0 ' ;
if ( verbose )
BIO_printf ( bio_err , " writing %s \n " , buf [ 2 ] ) ;
if ( BIO_write_filename ( Cout , buf [ 2 ] ) < = 0 )
{
perror ( buf [ 2 ] ) ;
goto err ;
}
2000-04-13 06:33:22 +00:00
write_new_certificate ( Cout , x , 0 , notext ) ;
write_new_certificate ( Sout , x , output_der , notext ) ;
2000-01-10 06:22:05 +00:00
}
2000-11-13 01:03:58 +00:00
if ( sk_X509_num ( cert_sk ) )
2000-01-10 06:22:05 +00:00
{
/* Rename the database and the serial file */
2004-03-17 15:49:33 +00:00
if ( ! rotate_serial ( serialfile , " new " , " old " ) ) goto err ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( ! rotate_index ( dbfile , " new " , " old " ) ) goto err ;
2000-01-10 06:22:05 +00:00
BIO_printf ( bio_err , " Data Base Updated \n " ) ;
}
}
/*****************************************************************/
if ( gencrl )
{
2003-01-28 21:43:22 +00:00
int crl_v2 = 0 ;
if ( ! crl_ext )
{
crl_ext = NCONF_get_string ( conf , section , ENV_CRLEXT ) ;
if ( ! crl_ext )
ERR_clear_error ( ) ;
}
if ( crl_ext )
{
2000-01-10 06:22:05 +00:00
/* Check syntax of file */
X509V3_CTX ctx ;
X509V3_set_ctx_test ( & ctx ) ;
2003-01-28 21:43:22 +00:00
X509V3_set_nconf ( & ctx , conf ) ;
if ( ! X509V3_EXT_add_nconf ( conf , & ctx , crl_ext , NULL ) )
{
2000-01-10 06:22:05 +00:00
BIO_printf ( bio_err ,
" Error Loading CRL extension section %s \n " ,
crl_ext ) ;
ret = 1 ;
goto err ;
2003-01-28 21:43:22 +00:00
}
2000-01-10 06:22:05 +00:00
}
2004-03-17 15:49:33 +00:00
if ( ( crlnumberfile = NCONF_get_string ( conf , section , ENV_CRLNUMBER ) )
! = NULL )
if ( ( crlnumber = load_serial ( crlnumberfile , 0 , NULL ) ) = = NULL )
{
BIO_printf ( bio_err , " error while loading CRL number \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
if ( ! crldays & & ! crlhours )
{
2003-01-28 21:43:22 +00:00
if ( ! NCONF_get_number ( conf , section ,
ENV_DEFAULT_CRL_DAYS , & crldays ) )
crldays = 0 ;
if ( ! NCONF_get_number ( conf , section ,
ENV_DEFAULT_CRL_HOURS , & crlhours ) )
crlhours = 0 ;
2000-01-10 06:22:05 +00:00
}
if ( ( crldays = = 0 ) & & ( crlhours = = 0 ) )
{
2002-07-30 13:38:06 +00:00
BIO_printf ( bio_err , " cannot lookup how long until the next CRL is issued \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
if ( verbose ) BIO_printf ( bio_err , " making CRL \n " ) ;
if ( ( crl = X509_CRL_new ( ) ) = = NULL ) goto err ;
2003-01-28 21:43:22 +00:00
if ( ! X509_CRL_set_issuer_name ( crl , X509_get_subject_name ( x509 ) ) ) goto err ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
tmptm = ASN1_TIME_new ( ) ;
if ( ! tmptm ) goto err ;
X509_gmtime_adj ( tmptm , 0 ) ;
X509_CRL_set_lastUpdate ( crl , tmptm ) ;
X509_gmtime_adj ( tmptm , ( crldays * 24 + crlhours ) * 60 * 60 ) ;
X509_CRL_set_nextUpdate ( crl , tmptm ) ;
ASN1_TIME_free ( tmptm ) ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
for ( i = 0 ; i < sk_num ( db - > db - > data ) ; i + + )
2000-01-10 06:22:05 +00:00
{
2006-07-29 19:10:21 +00:00
pp = ( const char * * ) sk_value ( db - > db - > data , i ) ;
2000-01-10 06:22:05 +00:00
if ( pp [ DB_type ] [ 0 ] = = DB_TYPE_REV )
{
if ( ( r = X509_REVOKED_new ( ) ) = = NULL ) goto err ;
2003-01-28 21:43:22 +00:00
j = make_revoked ( r , pp [ DB_rev_date ] ) ;
if ( ! j ) goto err ;
if ( j = = 2 ) crl_v2 = 1 ;
if ( ! BN_hex2bn ( & serial , pp [ DB_serial ] ) )
2000-01-10 06:22:05 +00:00
goto err ;
2003-01-28 21:43:22 +00:00
tmpser = BN_to_ASN1_INTEGER ( serial , NULL ) ;
BN_free ( serial ) ;
serial = NULL ;
if ( ! tmpser )
goto err ;
X509_REVOKED_set_serialNumber ( r , tmpser ) ;
ASN1_INTEGER_free ( tmpser ) ;
X509_CRL_add0_revoked ( crl , r ) ;
2000-01-10 06:22:05 +00:00
}
}
2003-01-28 21:43:22 +00:00
2000-01-10 06:22:05 +00:00
/* sort the data so it will be written in serial
* number order */
2003-01-28 21:43:22 +00:00
X509_CRL_sort ( crl ) ;
2000-01-10 06:22:05 +00:00
/* we now have a CRL */
if ( verbose ) BIO_printf ( bio_err , " signing CRL \n " ) ;
2003-01-28 21:43:22 +00:00
# ifndef OPENSSL_NO_DSA
2006-07-29 19:10:21 +00:00
if ( pkey - > type = = EVP_PKEY_DSA )
dgst = EVP_dss1 ( ) ;
else
# endif
# ifndef OPENSSL_NO_ECDSA
if ( pkey - > type = = EVP_PKEY_EC )
dgst = EVP_ecdsa ( ) ;
2000-01-10 06:22:05 +00:00
# endif
/* Add any extensions asked for */
2004-03-17 15:49:33 +00:00
if ( crl_ext | | crlnumberfile ! = NULL )
2003-01-28 21:43:22 +00:00
{
X509V3_CTX crlctx ;
X509V3_set_ctx ( & crlctx , x509 , NULL , NULL , crl , 0 ) ;
X509V3_set_nconf ( & crlctx , conf ) ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( crl_ext )
if ( ! X509V3_EXT_CRL_add_nconf ( conf , & crlctx ,
crl_ext , crl ) ) goto err ;
if ( crlnumberfile ! = NULL )
{
tmpser = BN_to_ASN1_INTEGER ( crlnumber , NULL ) ;
if ( ! tmpser ) goto err ;
X509_CRL_add1_ext_i2d ( crl , NID_crl_number , tmpser , 0 , 0 ) ;
ASN1_INTEGER_free ( tmpser ) ;
crl_v2 = 1 ;
if ( ! BN_add_word ( crlnumber , 1 ) ) goto err ;
}
2003-01-28 21:43:22 +00:00
}
if ( crl_ext | | crl_v2 )
{
if ( ! X509_CRL_set_version ( crl , 1 ) )
goto err ; /* version 2 CRL */
}
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( crlnumberfile ! = NULL ) /* we have a CRL number that need updating */
if ( ! save_serial ( crlnumberfile , " new " , crlnumber , NULL ) ) goto err ;
2000-01-10 06:22:05 +00:00
if ( ! X509_CRL_sign ( crl , pkey , dgst ) ) goto err ;
PEM_write_bio_X509_CRL ( Sout , crl ) ;
2004-03-17 15:49:33 +00:00
if ( crlnumberfile ! = NULL ) /* Rename the crlnumber file */
if ( ! rotate_serial ( crlnumberfile , " new " , " old " ) ) goto err ;
2000-01-10 06:22:05 +00:00
}
/*****************************************************************/
if ( dorevoke )
{
if ( infile = = NULL )
{
BIO_printf ( bio_err , " no input files \n " ) ;
goto err ;
}
else
{
2000-04-13 06:33:22 +00:00
X509 * revcert ;
2003-01-28 21:43:22 +00:00
revcert = load_cert ( bio_err , infile , FORMAT_PEM ,
NULL , e , infile ) ;
2000-04-13 06:33:22 +00:00
if ( revcert = = NULL )
2000-01-10 06:22:05 +00:00
goto err ;
2003-01-28 21:43:22 +00:00
j = do_revoke ( revcert , db , rev_type , rev_arg ) ;
2000-04-13 06:33:22 +00:00
if ( j < = 0 ) goto err ;
X509_free ( revcert ) ;
2000-01-10 06:22:05 +00:00
2004-03-17 15:49:33 +00:00
if ( ! save_index ( dbfile , " new " , db ) ) goto err ;
if ( ! rotate_index ( dbfile , " new " , " old " ) ) goto err ;
2003-01-28 21:43:22 +00:00
2000-01-10 06:22:05 +00:00
BIO_printf ( bio_err , " Data Base Updated \n " ) ;
}
}
/*****************************************************************/
ret = 0 ;
err :
2003-01-28 21:43:22 +00:00
if ( tofree )
OPENSSL_free ( tofree ) ;
2000-11-13 01:03:58 +00:00
BIO_free_all ( Cout ) ;
BIO_free_all ( Sout ) ;
BIO_free_all ( out ) ;
2003-01-28 21:43:22 +00:00
BIO_free_all ( in ) ;
2000-01-10 06:22:05 +00:00
2003-02-19 23:17:42 +00:00
if ( cert_sk )
sk_X509_pop_free ( cert_sk , X509_free ) ;
2000-01-10 06:22:05 +00:00
if ( ret ) ERR_print_errors ( bio_err ) ;
2000-04-13 06:33:22 +00:00
app_RAND_write_file ( randfile , bio_err ) ;
2003-02-19 23:17:42 +00:00
if ( free_key & & key )
2003-01-28 21:43:22 +00:00
OPENSSL_free ( key ) ;
2000-01-10 06:22:05 +00:00
BN_free ( serial ) ;
2004-03-17 15:49:33 +00:00
free_index ( db ) ;
2000-01-10 06:22:05 +00:00
EVP_PKEY_free ( pkey ) ;
2006-07-29 19:10:21 +00:00
if ( x509 ) X509_free ( x509 ) ;
2000-01-10 06:22:05 +00:00
X509_CRL_free ( crl ) ;
2003-01-28 21:43:22 +00:00
NCONF_free ( conf ) ;
2007-03-15 20:03:30 +00:00
NCONF_free ( extconf ) ;
2000-01-10 06:22:05 +00:00
OBJ_cleanup ( ) ;
2003-01-28 21:43:22 +00:00
apps_shutdown ( ) ;
OPENSSL_EXIT ( ret ) ;
2000-01-10 06:22:05 +00:00
}
2006-07-29 19:10:21 +00:00
static void lookup_fail ( const char * name , const char * tag )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " variable lookup failed for %s::%s \n " , name , tag ) ;
}
static int certify ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
2004-03-17 15:49:33 +00:00
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy , CA_DB * db ,
2006-07-29 19:10:21 +00:00
BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn , char * startdate , char * enddate ,
2003-01-28 21:43:22 +00:00
long days , int batch , char * ext_sect , CONF * lconf , int verbose ,
unsigned long certopt , unsigned long nameopt , int default_op ,
2006-07-29 19:10:21 +00:00
int ext_copy , int selfsign )
2000-01-10 06:22:05 +00:00
{
X509_REQ * req = NULL ;
BIO * in = NULL ;
EVP_PKEY * pktmp = NULL ;
int ok = - 1 , i ;
in = BIO_new ( BIO_s_file ( ) ) ;
if ( BIO_read_filename ( in , infile ) < = 0 )
{
perror ( infile ) ;
goto err ;
}
if ( ( req = PEM_read_bio_X509_REQ ( in , NULL , NULL , NULL ) ) = = NULL )
{
BIO_printf ( bio_err , " Error reading certificate request in %s \n " ,
infile ) ;
goto err ;
}
if ( verbose )
X509_REQ_print ( bio_err , req ) ;
BIO_printf ( bio_err , " Check that the request matches the signature \n " ) ;
2006-07-29 19:10:21 +00:00
if ( selfsign & & ! X509_REQ_check_private_key ( req , pkey ) )
{
BIO_printf ( bio_err , " Certificate request and CA private key do not match \n " ) ;
ok = 0 ;
goto err ;
}
2000-01-10 06:22:05 +00:00
if ( ( pktmp = X509_REQ_get_pubkey ( req ) ) = = NULL )
{
BIO_printf ( bio_err , " error unpacking public key \n " ) ;
goto err ;
}
i = X509_REQ_verify ( req , pktmp ) ;
EVP_PKEY_free ( pktmp ) ;
if ( i < 0 )
{
ok = 0 ;
BIO_printf ( bio_err , " Signature verification problems.... \n " ) ;
goto err ;
}
if ( i = = 0 )
{
ok = 0 ;
BIO_printf ( bio_err , " Signature did not match the certificate request \n " ) ;
goto err ;
}
else
BIO_printf ( bio_err , " Signature ok \n " ) ;
2006-07-29 19:10:21 +00:00
ok = do_body ( xret , pkey , x509 , dgst , policy , db , serial , subj , chtype , multirdn , email_dn ,
2003-01-28 21:43:22 +00:00
startdate , enddate , days , batch , verbose , req , ext_sect , lconf ,
2006-07-29 19:10:21 +00:00
certopt , nameopt , default_op , ext_copy , selfsign ) ;
2000-01-10 06:22:05 +00:00
err :
if ( req ! = NULL ) X509_REQ_free ( req ) ;
if ( in ! = NULL ) BIO_free ( in ) ;
return ( ok ) ;
}
static int certify_cert ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
2004-03-17 15:49:33 +00:00
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy , CA_DB * db ,
2006-07-29 19:10:21 +00:00
BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn , char * startdate , char * enddate ,
2003-01-28 21:43:22 +00:00
long days , int batch , char * ext_sect , CONF * lconf , int verbose ,
unsigned long certopt , unsigned long nameopt , int default_op ,
int ext_copy , ENGINE * e )
2000-01-10 06:22:05 +00:00
{
X509 * req = NULL ;
X509_REQ * rreq = NULL ;
EVP_PKEY * pktmp = NULL ;
int ok = - 1 , i ;
2003-01-28 21:43:22 +00:00
if ( ( req = load_cert ( bio_err , infile , FORMAT_PEM , NULL , e , infile ) ) = = NULL )
2000-01-10 06:22:05 +00:00
goto err ;
if ( verbose )
X509_print ( bio_err , req ) ;
BIO_printf ( bio_err , " Check that the request matches the signature \n " ) ;
if ( ( pktmp = X509_get_pubkey ( req ) ) = = NULL )
{
BIO_printf ( bio_err , " error unpacking public key \n " ) ;
goto err ;
}
i = X509_verify ( req , pktmp ) ;
EVP_PKEY_free ( pktmp ) ;
if ( i < 0 )
{
ok = 0 ;
BIO_printf ( bio_err , " Signature verification problems.... \n " ) ;
goto err ;
}
if ( i = = 0 )
{
ok = 0 ;
BIO_printf ( bio_err , " Signature did not match the certificate \n " ) ;
goto err ;
}
else
BIO_printf ( bio_err , " Signature ok \n " ) ;
if ( ( rreq = X509_to_X509_REQ ( req , NULL , EVP_md5 ( ) ) ) = = NULL )
goto err ;
2006-07-29 19:10:21 +00:00
ok = do_body ( xret , pkey , x509 , dgst , policy , db , serial , subj , chtype , multirdn , email_dn , startdate , enddate ,
2003-01-28 21:43:22 +00:00
days , batch , verbose , rreq , ext_sect , lconf , certopt , nameopt , default_op ,
2006-07-29 19:10:21 +00:00
ext_copy , 0 ) ;
2000-01-10 06:22:05 +00:00
err :
if ( rreq ! = NULL ) X509_REQ_free ( rreq ) ;
if ( req ! = NULL ) X509_free ( req ) ;
return ( ok ) ;
}
static int do_body ( X509 * * xret , EVP_PKEY * pkey , X509 * x509 , const EVP_MD * dgst ,
2004-03-17 15:49:33 +00:00
STACK_OF ( CONF_VALUE ) * policy , CA_DB * db , BIGNUM * serial , char * subj ,
2006-07-29 19:10:21 +00:00
unsigned long chtype , int multirdn ,
2003-01-28 21:43:22 +00:00
int email_dn , char * startdate , char * enddate , long days , int batch ,
int verbose , X509_REQ * req , char * ext_sect , CONF * lconf ,
unsigned long certopt , unsigned long nameopt , int default_op ,
2006-07-29 19:10:21 +00:00
int ext_copy , int selfsign )
2000-01-10 06:22:05 +00:00
{
2003-01-28 21:43:22 +00:00
X509_NAME * name = NULL , * CAname = NULL , * subject = NULL , * dn_subject = NULL ;
2000-01-10 06:22:05 +00:00
ASN1_UTCTIME * tm , * tmptm ;
ASN1_STRING * str , * str2 ;
ASN1_OBJECT * obj ;
X509 * ret = NULL ;
X509_CINF * ci ;
X509_NAME_ENTRY * ne ;
X509_NAME_ENTRY * tne , * push ;
EVP_PKEY * pktmp ;
int ok = - 1 , i , j , last , nid ;
2006-07-29 19:10:21 +00:00
const char * p ;
2000-01-10 06:22:05 +00:00
CONF_VALUE * cv ;
2004-03-17 15:49:33 +00:00
char * row [ DB_NUMBER ] , * * rrow = NULL , * * irow = NULL ;
2003-01-28 21:43:22 +00:00
char buf [ 25 ] ;
2000-01-10 06:22:05 +00:00
tmptm = ASN1_UTCTIME_new ( ) ;
if ( tmptm = = NULL )
{
BIO_printf ( bio_err , " malloc error \n " ) ;
return ( 0 ) ;
}
for ( i = 0 ; i < DB_NUMBER ; i + + )
row [ i ] = NULL ;
2003-01-28 21:43:22 +00:00
if ( subj )
{
2006-07-29 19:10:21 +00:00
X509_NAME * n = parse_name ( subj , chtype , multirdn ) ;
2003-01-28 21:43:22 +00:00
if ( ! n )
{
ERR_print_errors ( bio_err ) ;
goto err ;
}
X509_REQ_set_subject_name ( req , n ) ;
req - > req_info - > enc . modified = 1 ;
X509_NAME_free ( n ) ;
}
if ( default_op )
BIO_printf ( bio_err , " The Subject's Distinguished Name is as follows \n " ) ;
2000-01-10 06:22:05 +00:00
name = X509_REQ_get_subject_name ( req ) ;
for ( i = 0 ; i < X509_NAME_entry_count ( name ) ; i + + )
{
2003-01-28 21:43:22 +00:00
ne = X509_NAME_get_entry ( name , i ) ;
2000-01-10 06:22:05 +00:00
str = X509_NAME_ENTRY_get_data ( ne ) ;
2003-01-28 21:43:22 +00:00
obj = X509_NAME_ENTRY_get_object ( ne ) ;
2000-01-10 06:22:05 +00:00
if ( msie_hack )
{
/* assume all type should be strings */
nid = OBJ_obj2nid ( ne - > object ) ;
if ( str - > type = = V_ASN1_UNIVERSALSTRING )
ASN1_UNIVERSALSTRING_to_string ( str ) ;
if ( ( str - > type = = V_ASN1_IA5STRING ) & &
( nid ! = NID_pkcs9_emailAddress ) )
str - > type = V_ASN1_T61STRING ;
if ( ( nid = = NID_pkcs9_emailAddress ) & &
( str - > type = = V_ASN1_PRINTABLESTRING ) )
str - > type = V_ASN1_IA5STRING ;
}
2003-01-28 21:43:22 +00:00
/* If no EMAIL is wanted in the subject */
if ( ( OBJ_obj2nid ( obj ) = = NID_pkcs9_emailAddress ) & & ( ! email_dn ) )
continue ;
2000-01-10 06:22:05 +00:00
/* check some things */
if ( ( OBJ_obj2nid ( obj ) = = NID_pkcs9_emailAddress ) & &
( str - > type ! = V_ASN1_IA5STRING ) )
{
BIO_printf ( bio_err , " \n emailAddress type needs to be of type IA5STRING \n " ) ;
goto err ;
}
2003-01-28 21:43:22 +00:00
if ( ( str - > type ! = V_ASN1_BMPSTRING ) & & ( str - > type ! = V_ASN1_UTF8STRING ) )
2000-01-10 06:22:05 +00:00
{
2003-01-28 21:43:22 +00:00
j = ASN1_PRINTABLE_type ( str - > data , str - > length ) ;
if ( ( ( j = = V_ASN1_T61STRING ) & &
( str - > type ! = V_ASN1_T61STRING ) ) | |
( ( j = = V_ASN1_IA5STRING ) & &
( str - > type = = V_ASN1_PRINTABLESTRING ) ) )
{
BIO_printf ( bio_err , " \n The string contains characters that are illegal for the ASN.1 type \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
}
2003-01-28 21:43:22 +00:00
if ( default_op )
old_entry_print ( bio_err , obj , str ) ;
2000-01-10 06:22:05 +00:00
}
/* Ok, now we check the 'policy' stuff. */
if ( ( subject = X509_NAME_new ( ) ) = = NULL )
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
/* take a copy of the issuer name before we mess with it. */
2006-07-29 19:10:21 +00:00
if ( selfsign )
CAname = X509_NAME_dup ( name ) ;
else
CAname = X509_NAME_dup ( x509 - > cert_info - > subject ) ;
2000-01-10 06:22:05 +00:00
if ( CAname = = NULL ) goto err ;
str = str2 = NULL ;
for ( i = 0 ; i < sk_CONF_VALUE_num ( policy ) ; i + + )
{
cv = sk_CONF_VALUE_value ( policy , i ) ; /* get the object id */
if ( ( j = OBJ_txt2nid ( cv - > name ) ) = = NID_undef )
{
BIO_printf ( bio_err , " %s:unknown object type in 'policy' configuration \n " , cv - > name ) ;
goto err ;
}
obj = OBJ_nid2obj ( j ) ;
last = - 1 ;
for ( ; ; )
{
/* lookup the object in the supplied name list */
j = X509_NAME_get_index_by_OBJ ( name , obj , last ) ;
if ( j < 0 )
{
if ( last ! = - 1 ) break ;
tne = NULL ;
}
else
{
tne = X509_NAME_get_entry ( name , j ) ;
}
last = j ;
/* depending on the 'policy', decide what to do. */
push = NULL ;
if ( strcmp ( cv - > value , " optional " ) = = 0 )
{
if ( tne ! = NULL )
push = tne ;
}
else if ( strcmp ( cv - > value , " supplied " ) = = 0 )
{
if ( tne = = NULL )
{
BIO_printf ( bio_err , " The %s field needed to be supplied and was missing \n " , cv - > name ) ;
goto err ;
}
else
push = tne ;
}
else if ( strcmp ( cv - > value , " match " ) = = 0 )
{
int last2 ;
if ( tne = = NULL )
{
BIO_printf ( bio_err , " The mandatory %s field was missing \n " , cv - > name ) ;
goto err ;
}
last2 = - 1 ;
again2 :
j = X509_NAME_get_index_by_OBJ ( CAname , obj , last2 ) ;
if ( ( j < 0 ) & & ( last2 = = - 1 ) )
{
BIO_printf ( bio_err , " The %s field does not exist in the CA certificate, \n the 'policy' is misconfigured \n " , cv - > name ) ;
goto err ;
}
if ( j > = 0 )
{
push = X509_NAME_get_entry ( CAname , j ) ;
str = X509_NAME_ENTRY_get_data ( tne ) ;
str2 = X509_NAME_ENTRY_get_data ( push ) ;
last2 = j ;
if ( ASN1_STRING_cmp ( str , str2 ) ! = 0 )
goto again2 ;
}
if ( j < 0 )
{
2000-04-13 06:33:22 +00:00
BIO_printf ( bio_err , " The %s field needed to be the same in the \n CA certificate (%s) and the request (%s) \n " , cv - > name , ( ( str2 = = NULL ) ? " NULL " : ( char * ) str2 - > data ) , ( ( str = = NULL ) ? " NULL " : ( char * ) str - > data ) ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
}
else
{
BIO_printf ( bio_err , " %s:invalid type in 'policy' configuration \n " , cv - > value ) ;
goto err ;
}
if ( push ! = NULL )
{
2000-04-13 06:33:22 +00:00
if ( ! X509_NAME_add_entry ( subject , push , - 1 , 0 ) )
2000-01-10 06:22:05 +00:00
{
if ( push ! = NULL )
X509_NAME_ENTRY_free ( push ) ;
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
}
if ( j < 0 ) break ;
}
}
if ( preserve )
{
X509_NAME_free ( subject ) ;
2003-01-28 21:43:22 +00:00
/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
subject = X509_NAME_dup ( name ) ;
2000-01-10 06:22:05 +00:00
if ( subject = = NULL ) goto err ;
}
if ( verbose )
2000-04-13 06:33:22 +00:00
BIO_printf ( bio_err , " The subject name appears to be ok, checking data base for clashes \n " ) ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
/* Build the correct Subject if no e-mail is wanted in the subject */
/* and add it later on because of the method extensions are added (altName) */
if ( email_dn )
dn_subject = subject ;
else
{
X509_NAME_ENTRY * tmpne ;
/* Its best to dup the subject DN and then delete any email
* addresses because this retains its structure .
*/
if ( ! ( dn_subject = X509_NAME_dup ( subject ) ) )
{
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
goto err ;
}
while ( ( i = X509_NAME_get_index_by_NID ( dn_subject ,
NID_pkcs9_emailAddress , - 1 ) ) > = 0 )
{
tmpne = X509_NAME_get_entry ( dn_subject , i ) ;
X509_NAME_delete_entry ( dn_subject , i ) ;
X509_NAME_ENTRY_free ( tmpne ) ;
}
}
if ( BN_is_zero ( serial ) )
row [ DB_serial ] = BUF_strdup ( " 00 " ) ;
else
row [ DB_serial ] = BN_bn2hex ( serial ) ;
if ( row [ DB_serial ] = = NULL )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2004-03-17 15:49:33 +00:00
if ( db - > attributes . unique_subject )
2000-01-10 06:22:05 +00:00
{
2004-03-17 15:49:33 +00:00
rrow = TXT_DB_get_by_index ( db - > db , DB_name , row ) ;
if ( rrow ! = NULL )
{
BIO_printf ( bio_err ,
" ERROR:There is already a certificate for %s \n " ,
row [ DB_name ] ) ;
}
2000-01-10 06:22:05 +00:00
}
2004-03-17 15:49:33 +00:00
if ( rrow = = NULL )
2000-01-10 06:22:05 +00:00
{
2004-03-17 15:49:33 +00:00
rrow = TXT_DB_get_by_index ( db - > db , DB_serial , row ) ;
2000-01-10 06:22:05 +00:00
if ( rrow ! = NULL )
{
BIO_printf ( bio_err , " ERROR:Serial number %s has already been issued, \n " ,
row [ DB_serial ] ) ;
BIO_printf ( bio_err , " check the database/serial_file for corruption \n " ) ;
}
}
if ( rrow ! = NULL )
{
BIO_printf ( bio_err ,
" The matching entry has the following details \n " ) ;
if ( rrow [ DB_type ] [ 0 ] = = ' E ' )
p = " Expired " ;
else if ( rrow [ DB_type ] [ 0 ] = = ' R ' )
p = " Revoked " ;
else if ( rrow [ DB_type ] [ 0 ] = = ' V ' )
p = " Valid " ;
else
p = " \n invalid type, Data base error \n " ;
BIO_printf ( bio_err , " Type :%s \n " , p ) ; ;
if ( rrow [ DB_type ] [ 0 ] = = ' R ' )
{
p = rrow [ DB_exp_date ] ; if ( p = = NULL ) p = " undef " ;
BIO_printf ( bio_err , " Was revoked on:%s \n " , p ) ;
}
p = rrow [ DB_exp_date ] ; if ( p = = NULL ) p = " undef " ;
BIO_printf ( bio_err , " Expires on :%s \n " , p ) ;
p = rrow [ DB_serial ] ; if ( p = = NULL ) p = " undef " ;
BIO_printf ( bio_err , " Serial Number :%s \n " , p ) ;
p = rrow [ DB_file ] ; if ( p = = NULL ) p = " undef " ;
BIO_printf ( bio_err , " File name :%s \n " , p ) ;
p = rrow [ DB_name ] ; if ( p = = NULL ) p = " undef " ;
BIO_printf ( bio_err , " Subject Name :%s \n " , p ) ;
ok = - 1 ; /* This is now a 'bad' error. */
goto err ;
}
2000-04-13 06:33:22 +00:00
/* We are now totally happy, lets make and sign the certificate */
2000-01-10 06:22:05 +00:00
if ( verbose )
BIO_printf ( bio_err , " Everything appears to be ok, creating and signing the certificate \n " ) ;
if ( ( ret = X509_new ( ) ) = = NULL ) goto err ;
ci = ret - > cert_info ;
# ifdef X509_V3
/* Make it an X509 v3 certificate. */
2003-10-01 12:32:41 +00:00
if ( ! X509_set_version ( ret , 2 ) ) goto err ;
2000-01-10 06:22:05 +00:00
# endif
if ( BN_to_ASN1_INTEGER ( serial , ci - > serialNumber ) = = NULL )
goto err ;
2006-07-29 19:10:21 +00:00
if ( selfsign )
{
if ( ! X509_set_issuer_name ( ret , subject ) )
goto err ;
}
else
{
if ( ! X509_set_issuer_name ( ret , X509_get_subject_name ( x509 ) ) )
goto err ;
}
2000-01-10 06:22:05 +00:00
if ( strcmp ( startdate , " today " ) = = 0 )
X509_gmtime_adj ( X509_get_notBefore ( ret ) , 0 ) ;
else ASN1_UTCTIME_set_string ( X509_get_notBefore ( ret ) , startdate ) ;
if ( enddate = = NULL )
X509_gmtime_adj ( X509_get_notAfter ( ret ) , ( long ) 60 * 60 * 24 * days ) ;
else ASN1_UTCTIME_set_string ( X509_get_notAfter ( ret ) , enddate ) ;
if ( ! X509_set_subject_name ( ret , subject ) ) goto err ;
pktmp = X509_REQ_get_pubkey ( req ) ;
i = X509_set_pubkey ( ret , pktmp ) ;
EVP_PKEY_free ( pktmp ) ;
if ( ! i ) goto err ;
/* Lets add the extensions, if there are any */
if ( ext_sect )
{
X509V3_CTX ctx ;
if ( ci - > version = = NULL )
if ( ( ci - > version = ASN1_INTEGER_new ( ) ) = = NULL )
goto err ;
ASN1_INTEGER_set ( ci - > version , 2 ) ; /* version 3 certificate */
/* Free the current entries if any, there should not
2000-04-13 06:33:22 +00:00
* be any I believe */
2000-01-10 06:22:05 +00:00
if ( ci - > extensions ! = NULL )
sk_X509_EXTENSION_pop_free ( ci - > extensions ,
X509_EXTENSION_free ) ;
ci - > extensions = NULL ;
2003-01-28 21:43:22 +00:00
/* Initialize the context structure */
2006-07-29 19:10:21 +00:00
if ( selfsign )
X509V3_set_ctx ( & ctx , ret , ret , req , NULL , 0 ) ;
else
X509V3_set_ctx ( & ctx , x509 , ret , req , NULL , 0 ) ;
2000-01-10 06:22:05 +00:00
2003-01-28 21:43:22 +00:00
if ( extconf )
{
if ( verbose )
BIO_printf ( bio_err , " Extra configuration file found \n " ) ;
/* Use the extconf configuration db LHASH */
X509V3_set_nconf ( & ctx , extconf ) ;
/* Test the structure (needed?) */
/* X509V3_set_ctx_test(&ctx); */
/* Adds exts contained in the configuration file */
if ( ! X509V3_EXT_add_nconf ( extconf , & ctx , ext_sect , ret ) )
{
BIO_printf ( bio_err ,
" ERROR: adding extensions in section %s \n " ,
ext_sect ) ;
ERR_print_errors ( bio_err ) ;
goto err ;
}
if ( verbose )
BIO_printf ( bio_err , " Successfully added extensions from file. \n " ) ;
}
else if ( ext_sect )
{
/* We found extensions to be set from config file */
X509V3_set_nconf ( & ctx , lconf ) ;
if ( ! X509V3_EXT_add_nconf ( lconf , & ctx , ext_sect , ret ) )
{
BIO_printf ( bio_err , " ERROR: adding extensions in section %s \n " , ext_sect ) ;
ERR_print_errors ( bio_err ) ;
goto err ;
}
if ( verbose )
BIO_printf ( bio_err , " Successfully added extensions from config \n " ) ;
}
2000-01-10 06:22:05 +00:00
}
2003-01-28 21:43:22 +00:00
/* Copy extensions from request (if any) */
if ( ! copy_extensions ( ret , req , ext_copy ) )
{
BIO_printf ( bio_err , " ERROR: adding extensions from request \n " ) ;
ERR_print_errors ( bio_err ) ;
goto err ;
}
/* Set the right value for the noemailDN option */
if ( email_dn = = 0 )
{
if ( ! X509_set_subject_name ( ret , dn_subject ) ) goto err ;
}
if ( ! default_op )
{
BIO_printf ( bio_err , " Certificate Details: \n " ) ;
/* Never print signature details because signature not present */
certopt | = X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME ;
X509_print_ex ( bio_err , ret , nameopt , certopt ) ;
}
BIO_printf ( bio_err , " Certificate is to be certified until " ) ;
ASN1_UTCTIME_print ( bio_err , X509_get_notAfter ( ret ) ) ;
2006-07-29 19:10:21 +00:00
if ( days ) BIO_printf ( bio_err , " (%ld days) " , days ) ;
2003-01-28 21:43:22 +00:00
BIO_printf ( bio_err , " \n " ) ;
2000-01-10 06:22:05 +00:00
if ( ! batch )
{
2003-01-28 21:43:22 +00:00
2000-01-10 06:22:05 +00:00
BIO_printf ( bio_err , " Sign the certificate? [y/n]: " ) ;
( void ) BIO_flush ( bio_err ) ;
buf [ 0 ] = ' \0 ' ;
fgets ( buf , sizeof ( buf ) - 1 , stdin ) ;
if ( ! ( ( buf [ 0 ] = = ' y ' ) | | ( buf [ 0 ] = = ' Y ' ) ) )
{
BIO_printf ( bio_err , " CERTIFICATE WILL NOT BE CERTIFIED \n " ) ;
ok = 0 ;
goto err ;
}
}
2003-01-28 21:43:22 +00:00
# ifndef OPENSSL_NO_DSA
2000-01-10 06:22:05 +00:00
if ( pkey - > type = = EVP_PKEY_DSA ) dgst = EVP_dss1 ( ) ;
pktmp = X509_get_pubkey ( ret ) ;
if ( EVP_PKEY_missing_parameters ( pktmp ) & &
! EVP_PKEY_missing_parameters ( pkey ) )
EVP_PKEY_copy_parameters ( pktmp , pkey ) ;
EVP_PKEY_free ( pktmp ) ;
# endif
2006-07-29 19:10:21 +00:00
# ifndef OPENSSL_NO_ECDSA
if ( pkey - > type = = EVP_PKEY_EC )
dgst = EVP_ecdsa ( ) ;
pktmp = X509_get_pubkey ( ret ) ;
if ( EVP_PKEY_missing_parameters ( pktmp ) & &
! EVP_PKEY_missing_parameters ( pkey ) )
EVP_PKEY_copy_parameters ( pktmp , pkey ) ;
EVP_PKEY_free ( pktmp ) ;
# endif
2000-01-10 06:22:05 +00:00
if ( ! X509_sign ( ret , pkey , dgst ) )
goto err ;
/* We now just add it to the database */
2000-11-13 01:03:58 +00:00
row [ DB_type ] = ( char * ) OPENSSL_malloc ( 2 ) ;
2000-01-10 06:22:05 +00:00
tm = X509_get_notAfter ( ret ) ;
2000-11-13 01:03:58 +00:00
row [ DB_exp_date ] = ( char * ) OPENSSL_malloc ( tm - > length + 1 ) ;
2000-01-10 06:22:05 +00:00
memcpy ( row [ DB_exp_date ] , tm - > data , tm - > length ) ;
row [ DB_exp_date ] [ tm - > length ] = ' \0 ' ;
row [ DB_rev_date ] = NULL ;
/* row[DB_serial] done already */
2000-11-13 01:03:58 +00:00
row [ DB_file ] = ( char * ) OPENSSL_malloc ( 8 ) ;
2003-01-28 21:43:22 +00:00
row [ DB_name ] = X509_NAME_oneline ( X509_get_subject_name ( ret ) , NULL , 0 ) ;
2000-01-10 06:22:05 +00:00
if ( ( row [ DB_type ] = = NULL ) | | ( row [ DB_exp_date ] = = NULL ) | |
2003-01-28 21:43:22 +00:00
( row [ DB_file ] = = NULL ) | | ( row [ DB_name ] = = NULL ) )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2004-03-17 15:49:33 +00:00
BUF_strlcpy ( row [ DB_file ] , " unknown " , 8 ) ;
2000-01-10 06:22:05 +00:00
row [ DB_type ] [ 0 ] = ' V ' ;
row [ DB_type ] [ 1 ] = ' \0 ' ;
2000-11-13 01:03:58 +00:00
if ( ( irow = ( char * * ) OPENSSL_malloc ( sizeof ( char * ) * ( DB_NUMBER + 1 ) ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
for ( i = 0 ; i < DB_NUMBER ; i + + )
{
irow [ i ] = row [ i ] ;
row [ i ] = NULL ;
}
irow [ DB_NUMBER ] = NULL ;
2004-03-17 15:49:33 +00:00
if ( ! TXT_DB_insert ( db - > db , irow ) )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " failed to update database \n " ) ;
2004-03-17 15:49:33 +00:00
BIO_printf ( bio_err , " TXT_DB error number %ld \n " , db - > db - > error ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
ok = 1 ;
err :
for ( i = 0 ; i < DB_NUMBER ; i + + )
2000-11-13 01:03:58 +00:00
if ( row [ i ] ! = NULL ) OPENSSL_free ( row [ i ] ) ;
2000-01-10 06:22:05 +00:00
if ( CAname ! = NULL )
X509_NAME_free ( CAname ) ;
if ( subject ! = NULL )
X509_NAME_free ( subject ) ;
2003-01-28 21:43:22 +00:00
if ( ( dn_subject ! = NULL ) & & ! email_dn )
X509_NAME_free ( dn_subject ) ;
2000-04-13 06:33:22 +00:00
if ( tmptm ! = NULL )
ASN1_UTCTIME_free ( tmptm ) ;
2000-01-10 06:22:05 +00:00
if ( ok < = 0 )
{
if ( ret ! = NULL ) X509_free ( ret ) ;
ret = NULL ;
}
else
* xret = ret ;
return ( ok ) ;
}
2000-04-13 06:33:22 +00:00
static void write_new_certificate ( BIO * bp , X509 * x , int output_der , int notext )
2000-01-10 06:22:05 +00:00
{
if ( output_der )
{
( void ) i2d_X509_bio ( bp , x ) ;
return ;
}
2000-04-13 06:33:22 +00:00
#if 0
/* ??? Not needed since X509_print prints all this stuff anyway */
2000-01-10 06:22:05 +00:00
f = X509_NAME_oneline ( X509_get_issuer_name ( x ) , buf , 256 ) ;
BIO_printf ( bp , " issuer :%s \n " , f ) ;
f = X509_NAME_oneline ( X509_get_subject_name ( x ) , buf , 256 ) ;
BIO_printf ( bp , " subject:%s \n " , f ) ;
BIO_puts ( bp , " serial : " ) ;
i2a_ASN1_INTEGER ( bp , x - > cert_info - > serialNumber ) ;
BIO_puts ( bp , " \n \n " ) ;
2000-04-13 06:33:22 +00:00
# endif
2003-01-28 21:43:22 +00:00
if ( ! notext ) X509_print ( bp , x ) ;
2000-01-10 06:22:05 +00:00
PEM_write_bio_X509 ( bp , x ) ;
}
static int certify_spkac ( X509 * * xret , char * infile , EVP_PKEY * pkey , X509 * x509 ,
2004-03-17 15:49:33 +00:00
const EVP_MD * dgst , STACK_OF ( CONF_VALUE ) * policy , CA_DB * db ,
2006-07-29 19:10:21 +00:00
BIGNUM * serial , char * subj , unsigned long chtype , int multirdn , int email_dn , char * startdate , char * enddate ,
2003-01-28 21:43:22 +00:00
long days , char * ext_sect , CONF * lconf , int verbose , unsigned long certopt ,
unsigned long nameopt , int default_op , int ext_copy )
2000-01-10 06:22:05 +00:00
{
STACK_OF ( CONF_VALUE ) * sk = NULL ;
LHASH * parms = NULL ;
X509_REQ * req = NULL ;
CONF_VALUE * cv = NULL ;
NETSCAPE_SPKI * spki = NULL ;
X509_REQ_INFO * ri ;
char * type , * buf ;
EVP_PKEY * pktmp = NULL ;
X509_NAME * n = NULL ;
X509_NAME_ENTRY * ne = NULL ;
int ok = - 1 , i , j ;
long errline ;
int nid ;
/*
* Load input file into a hash table . ( This is just an easy
* way to read and parse the file , then put it into a convenient
* STACK format ) .
*/
parms = CONF_load ( NULL , infile , & errline ) ;
if ( parms = = NULL )
{
BIO_printf ( bio_err , " error on line %ld of %s \n " , errline , infile ) ;
ERR_print_errors ( bio_err ) ;
goto err ;
}
sk = CONF_get_section ( parms , " default " ) ;
if ( sk_CONF_VALUE_num ( sk ) = = 0 )
{
BIO_printf ( bio_err , " no name/value pairs found in %s \n " , infile ) ;
CONF_free ( parms ) ;
goto err ;
}
/*
* Now create a dummy X509 request structure . We don ' t actually
* have an X509 request , but we have many of the components
* ( a public key , various DN components ) . The idea is that we
* put these components into the right X509 request structure
* and we can use the same code as if you had a real X509 request .
*/
req = X509_REQ_new ( ) ;
if ( req = = NULL )
{
ERR_print_errors ( bio_err ) ;
goto err ;
}
/*
* Build up the subject name set .
*/
ri = req - > req_info ;
n = ri - > subject ;
for ( i = 0 ; ; i + + )
{
if ( sk_CONF_VALUE_num ( sk ) < = i ) break ;
cv = sk_CONF_VALUE_value ( sk , i ) ;
type = cv - > name ;
2000-04-13 06:33:22 +00:00
/* Skip past any leading X. X: X, etc to allow for
* multiple instances
*/
2003-01-28 21:43:22 +00:00
for ( buf = cv - > name ; * buf ; buf + + )
if ( ( * buf = = ' : ' ) | | ( * buf = = ' , ' ) | | ( * buf = = ' . ' ) )
{
buf + + ;
if ( * buf ) type = buf ;
break ;
}
2000-01-10 06:22:05 +00:00
2000-04-13 06:33:22 +00:00
buf = cv - > value ;
2000-01-10 06:22:05 +00:00
if ( ( nid = OBJ_txt2nid ( type ) ) = = NID_undef )
{
if ( strcmp ( type , " SPKAC " ) = = 0 )
{
2000-04-13 06:33:22 +00:00
spki = NETSCAPE_SPKI_b64_decode ( cv - > value , - 1 ) ;
2000-01-10 06:22:05 +00:00
if ( spki = = NULL )
{
BIO_printf ( bio_err , " unable to load Netscape SPKAC structure \n " ) ;
ERR_print_errors ( bio_err ) ;
goto err ;
}
}
continue ;
}
2003-01-28 21:43:22 +00:00
/*
if ( ( nid = = NID_pkcs9_emailAddress ) & & ( email_dn = = 0 ) )
continue ;
*/
2000-01-10 06:22:05 +00:00
j = ASN1_PRINTABLE_type ( ( unsigned char * ) buf , - 1 ) ;
if ( fix_data ( nid , & j ) = = 0 )
{
BIO_printf ( bio_err ,
" invalid characters in string %s \n " , buf ) ;
goto err ;
}
if ( ( ne = X509_NAME_ENTRY_create_by_NID ( & ne , nid , j ,
( unsigned char * ) buf ,
strlen ( buf ) ) ) = = NULL )
goto err ;
2000-04-13 06:33:22 +00:00
if ( ! X509_NAME_add_entry ( n , ne , - 1 , 0 ) ) goto err ;
2000-01-10 06:22:05 +00:00
}
if ( spki = = NULL )
{
BIO_printf ( bio_err , " Netscape SPKAC structure not found in %s \n " ,
infile ) ;
goto err ;
}
/*
* Now extract the key from the SPKI structure .
*/
BIO_printf ( bio_err , " Check that the SPKAC request matches the signature \n " ) ;
2000-04-13 06:33:22 +00:00
if ( ( pktmp = NETSCAPE_SPKI_get_pubkey ( spki ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " error unpacking SPKAC public key \n " ) ;
goto err ;
}
j = NETSCAPE_SPKI_verify ( spki , pktmp ) ;
if ( j < = 0 )
{
BIO_printf ( bio_err , " signature verification failed on SPKAC public key \n " ) ;
goto err ;
}
BIO_printf ( bio_err , " Signature ok \n " ) ;
X509_REQ_set_pubkey ( req , pktmp ) ;
EVP_PKEY_free ( pktmp ) ;
2006-07-29 19:10:21 +00:00
ok = do_body ( xret , pkey , x509 , dgst , policy , db , serial , subj , chtype , multirdn , email_dn , startdate , enddate ,
2003-01-28 21:43:22 +00:00
days , 1 , verbose , req , ext_sect , lconf , certopt , nameopt , default_op ,
2006-07-29 19:10:21 +00:00
ext_copy , 0 ) ;
2000-01-10 06:22:05 +00:00
err :
if ( req ! = NULL ) X509_REQ_free ( req ) ;
if ( parms ! = NULL ) CONF_free ( parms ) ;
if ( spki ! = NULL ) NETSCAPE_SPKI_free ( spki ) ;
if ( ne ! = NULL ) X509_NAME_ENTRY_free ( ne ) ;
return ( ok ) ;
}
static int fix_data ( int nid , int * type )
{
if ( nid = = NID_pkcs9_emailAddress )
* type = V_ASN1_IA5STRING ;
if ( ( nid = = NID_commonName ) & & ( * type = = V_ASN1_IA5STRING ) )
* type = V_ASN1_T61STRING ;
if ( ( nid = = NID_pkcs9_challengePassword ) & & ( * type = = V_ASN1_IA5STRING ) )
* type = V_ASN1_T61STRING ;
if ( ( nid = = NID_pkcs9_unstructuredName ) & & ( * type = = V_ASN1_T61STRING ) )
return ( 0 ) ;
if ( nid = = NID_pkcs9_unstructuredName )
* type = V_ASN1_IA5STRING ;
return ( 1 ) ;
}
static int check_time_format ( char * str )
{
ASN1_UTCTIME tm ;
tm . data = ( unsigned char * ) str ;
tm . length = strlen ( str ) ;
tm . type = V_ASN1_UTCTIME ;
return ( ASN1_UTCTIME_check ( & tm ) ) ;
}
2004-03-17 15:49:33 +00:00
static int do_revoke ( X509 * x509 , CA_DB * db , int type , char * value )
2003-01-28 21:43:22 +00:00
{
ASN1_UTCTIME * tm = NULL ;
2000-01-10 06:22:05 +00:00
char * row [ DB_NUMBER ] , * * rrow , * * irow ;
2003-01-28 21:43:22 +00:00
char * rev_str = NULL ;
2000-04-13 06:33:22 +00:00
BIGNUM * bn = NULL ;
2000-01-10 06:22:05 +00:00
int ok = - 1 , i ;
for ( i = 0 ; i < DB_NUMBER ; i + + )
row [ i ] = NULL ;
2000-04-13 06:33:22 +00:00
row [ DB_name ] = X509_NAME_oneline ( X509_get_subject_name ( x509 ) , NULL , 0 ) ;
bn = ASN1_INTEGER_to_BN ( X509_get_serialNumber ( x509 ) , NULL ) ;
2003-01-28 21:43:22 +00:00
if ( BN_is_zero ( bn ) )
row [ DB_serial ] = BUF_strdup ( " 00 " ) ;
else
row [ DB_serial ] = BN_bn2hex ( bn ) ;
2000-04-13 06:33:22 +00:00
BN_free ( bn ) ;
2000-01-10 06:22:05 +00:00
if ( ( row [ DB_name ] = = NULL ) | | ( row [ DB_serial ] = = NULL ) )
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2000-04-13 06:33:22 +00:00
/* We have to lookup by serial number because name lookup
* skips revoked certs
*/
2004-03-17 15:49:33 +00:00
rrow = TXT_DB_get_by_index ( db - > db , DB_serial , row ) ;
2000-01-10 06:22:05 +00:00
if ( rrow = = NULL )
{
2004-03-17 15:49:33 +00:00
BIO_printf ( bio_err , " Adding Entry with serial number %s to DB for %s \n " , row [ DB_serial ] , row [ DB_name ] ) ;
2000-01-10 06:22:05 +00:00
/* We now just add it to the database */
2000-11-13 01:03:58 +00:00
row [ DB_type ] = ( char * ) OPENSSL_malloc ( 2 ) ;
2000-01-10 06:22:05 +00:00
tm = X509_get_notAfter ( x509 ) ;
2000-11-13 01:03:58 +00:00
row [ DB_exp_date ] = ( char * ) OPENSSL_malloc ( tm - > length + 1 ) ;
2000-01-10 06:22:05 +00:00
memcpy ( row [ DB_exp_date ] , tm - > data , tm - > length ) ;
row [ DB_exp_date ] [ tm - > length ] = ' \0 ' ;
row [ DB_rev_date ] = NULL ;
/* row[DB_serial] done already */
2000-11-13 01:03:58 +00:00
row [ DB_file ] = ( char * ) OPENSSL_malloc ( 8 ) ;
2000-01-10 06:22:05 +00:00
/* row[DB_name] done already */
if ( ( row [ DB_type ] = = NULL ) | | ( row [ DB_exp_date ] = = NULL ) | |
( row [ DB_file ] = = NULL ) )
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2004-03-17 15:49:33 +00:00
BUF_strlcpy ( row [ DB_file ] , " unknown " , 8 ) ;
2000-01-10 06:22:05 +00:00
row [ DB_type ] [ 0 ] = ' V ' ;
row [ DB_type ] [ 1 ] = ' \0 ' ;
2000-11-13 01:03:58 +00:00
if ( ( irow = ( char * * ) OPENSSL_malloc ( sizeof ( char * ) * ( DB_NUMBER + 1 ) ) ) = = NULL )
2000-01-10 06:22:05 +00:00
{
2000-11-13 01:03:58 +00:00
BIO_printf ( bio_err , " Memory allocation failure \n " ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
for ( i = 0 ; i < DB_NUMBER ; i + + )
{
irow [ i ] = row [ i ] ;
row [ i ] = NULL ;
}
irow [ DB_NUMBER ] = NULL ;
2004-03-17 15:49:33 +00:00
if ( ! TXT_DB_insert ( db - > db , irow ) )
2000-01-10 06:22:05 +00:00
{
BIO_printf ( bio_err , " failed to update database \n " ) ;
2004-03-17 15:49:33 +00:00
BIO_printf ( bio_err , " TXT_DB error number %ld \n " , db - > db - > error ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
/* Revoke Certificate */
2003-01-28 21:43:22 +00:00
ok = do_revoke ( x509 , db , type , value ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
2003-01-28 21:43:22 +00:00
else if ( index_name_cmp ( ( const char * * ) row , ( const char * * ) rrow ) )
2000-01-10 06:22:05 +00:00
{
2000-04-13 06:33:22 +00:00
BIO_printf ( bio_err , " ERROR:name does not match %s \n " ,
row [ DB_name ] ) ;
2000-01-10 06:22:05 +00:00
goto err ;
}
else if ( rrow [ DB_type ] [ 0 ] = = ' R ' )
{
BIO_printf ( bio_err , " ERROR:Already revoked, serial number %s \n " ,
row [ DB_serial ] ) ;
goto err ;
}
else
{
BIO_printf ( bio_err , " Revoking Certificate %s. \n " , rrow [ DB_serial ] ) ;
2003-01-28 21:43:22 +00:00
rev_str = make_revocation_str ( type , value ) ;
if ( ! rev_str )
{
BIO_printf ( bio_err , " Error in revocation arguments \n " ) ;
goto err ;
}
2000-01-10 06:22:05 +00:00
rrow [ DB_type ] [ 0 ] = ' R ' ;
rrow [ DB_type ] [ 1 ] = ' \0 ' ;
2003-01-28 21:43:22 +00:00
rrow [ DB_rev_date ] = rev_str ;
2000-01-10 06:22:05 +00:00
}
ok = 1 ;
err :
for ( i = 0 ; i < DB_NUMBER ; i + + )
{
if ( row [ i ] ! = NULL )
2000-11-13 01:03:58 +00:00
OPENSSL_free ( row [ i ] ) ;
2000-01-10 06:22:05 +00:00
}
return ( ok ) ;
2003-01-28 21:43:22 +00:00
}
2004-03-17 15:49:33 +00:00
static int get_certificate_status ( const char * serial , CA_DB * db )
2003-01-28 21:43:22 +00:00
{
char * row [ DB_NUMBER ] , * * rrow ;
int ok = - 1 , i ;
/* Free Resources */
for ( i = 0 ; i < DB_NUMBER ; i + + )
row [ i ] = NULL ;
/* Malloc needed char spaces */
row [ DB_serial ] = OPENSSL_malloc ( strlen ( serial ) + 2 ) ;
if ( row [ DB_serial ] = = NULL )
{
BIO_printf ( bio_err , " Malloc failure \n " ) ;
goto err ;
}
if ( strlen ( serial ) % 2 )
{
/* Set the first char to 0 */ ;
row [ DB_serial ] [ 0 ] = ' 0 ' ;
/* Copy String from serial to row[DB_serial] */
memcpy ( row [ DB_serial ] + 1 , serial , strlen ( serial ) ) ;
row [ DB_serial ] [ strlen ( serial ) + 1 ] = ' \0 ' ;
}
else
{
/* Copy String from serial to row[DB_serial] */
memcpy ( row [ DB_serial ] , serial , strlen ( serial ) ) ;
row [ DB_serial ] [ strlen ( serial ) ] = ' \0 ' ;
}
/* Make it Upper Case */
for ( i = 0 ; row [ DB_serial ] [ i ] ! = ' \0 ' ; i + + )
row [ DB_serial ] [ i ] = toupper ( row [ DB_serial ] [ i ] ) ;
ok = 1 ;
/* Search for the certificate */
2004-03-17 15:49:33 +00:00
rrow = TXT_DB_get_by_index ( db - > db , DB_serial , row ) ;
2003-01-28 21:43:22 +00:00
if ( rrow = = NULL )
{
BIO_printf ( bio_err , " Serial %s not present in db. \n " ,
row [ DB_serial ] ) ;
ok = - 1 ;
goto err ;
}
else if ( rrow [ DB_type ] [ 0 ] = = ' V ' )
{
BIO_printf ( bio_err , " %s=Valid (%c) \n " ,
row [ DB_serial ] , rrow [ DB_type ] [ 0 ] ) ;
goto err ;
}
else if ( rrow [ DB_type ] [ 0 ] = = ' R ' )
{
BIO_printf ( bio_err , " %s=Revoked (%c) \n " ,
row [ DB_serial ] , rrow [ DB_type ] [ 0 ] ) ;
goto err ;
}
else if ( rrow [ DB_type ] [ 0 ] = = ' E ' )
{
BIO_printf ( bio_err , " %s=Expired (%c) \n " ,
row [ DB_serial ] , rrow [ DB_type ] [ 0 ] ) ;
goto err ;
}
else if ( rrow [ DB_type ] [ 0 ] = = ' S ' )
{
BIO_printf ( bio_err , " %s=Suspended (%c) \n " ,
row [ DB_serial ] , rrow [ DB_type ] [ 0 ] ) ;
goto err ;
}
else
{
BIO_printf ( bio_err , " %s=Unknown (%c). \n " ,
row [ DB_serial ] , rrow [ DB_type ] [ 0 ] ) ;
ok = - 1 ;
}
err :
for ( i = 0 ; i < DB_NUMBER ; i + + )
{
if ( row [ i ] ! = NULL )
OPENSSL_free ( row [ i ] ) ;
}
return ( ok ) ;
}
2004-03-17 15:49:33 +00:00
static int do_updatedb ( CA_DB * db )
2003-01-28 21:43:22 +00:00
{
ASN1_UTCTIME * a_tm = NULL ;
int i , cnt = 0 ;
int db_y2k , a_y2k ; /* flags = 1 if y >= 2000 */
char * * rrow , * a_tm_s ;
a_tm = ASN1_UTCTIME_new ( ) ;
/* get actual time and make a string */
a_tm = X509_gmtime_adj ( a_tm , 0 ) ;
a_tm_s = ( char * ) OPENSSL_malloc ( a_tm - > length + 1 ) ;
if ( a_tm_s = = NULL )
{
cnt = - 1 ;
goto err ;
}
memcpy ( a_tm_s , a_tm - > data , a_tm - > length ) ;
a_tm_s [ a_tm - > length ] = ' \0 ' ;
if ( strncmp ( a_tm_s , " 49 " , 2 ) < = 0 )
a_y2k = 1 ;
else
a_y2k = 0 ;
2004-03-17 15:49:33 +00:00
for ( i = 0 ; i < sk_num ( db - > db - > data ) ; i + + )
2003-01-28 21:43:22 +00:00
{
2004-03-17 15:49:33 +00:00
rrow = ( char * * ) sk_value ( db - > db - > data , i ) ;
2003-01-28 21:43:22 +00:00
if ( rrow [ DB_type ] [ 0 ] = = ' V ' )
{
/* ignore entries that are not valid */
if ( strncmp ( rrow [ DB_exp_date ] , " 49 " , 2 ) < = 0 )
db_y2k = 1 ;
else
db_y2k = 0 ;
if ( db_y2k = = a_y2k )
{
/* all on the same y2k side */
if ( strcmp ( rrow [ DB_exp_date ] , a_tm_s ) < = 0 )
{
rrow [ DB_type ] [ 0 ] = ' E ' ;
rrow [ DB_type ] [ 1 ] = ' \0 ' ;
cnt + + ;
BIO_printf ( bio_err , " %s=Expired \n " ,
rrow [ DB_serial ] ) ;
}
}
else if ( db_y2k < a_y2k )
{
rrow [ DB_type ] [ 0 ] = ' E ' ;
rrow [ DB_type ] [ 1 ] = ' \0 ' ;
cnt + + ;
BIO_printf ( bio_err , " %s=Expired \n " ,
rrow [ DB_serial ] ) ;
}
}
}
err :
ASN1_UTCTIME_free ( a_tm ) ;
OPENSSL_free ( a_tm_s ) ;
return ( cnt ) ;
}
2006-07-29 19:10:21 +00:00
static const char * crl_reasons [ ] = {
2003-01-28 21:43:22 +00:00
/* CRL reason strings */
" unspecified " ,
" keyCompromise " ,
" CACompromise " ,
" affiliationChanged " ,
" superseded " ,
" cessationOfOperation " ,
" certificateHold " ,
" removeFromCRL " ,
/* Additional pseudo reasons */
" holdInstruction " ,
" keyTime " ,
" CAkeyTime "
} ;
# define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
/* Given revocation information convert to a DB string.
* The format of the string is :
* revtime [ , reason , extra ] . Where ' revtime ' is the
* revocation time ( the current time ) . ' reason ' is the
* optional CRL reason and ' extra ' is any additional
* argument
*/
char * make_revocation_str ( int rev_type , char * rev_arg )
{
2006-07-29 19:10:21 +00:00
char * other = NULL , * str ;
const char * reason = NULL ;
2003-01-28 21:43:22 +00:00
ASN1_OBJECT * otmp ;
ASN1_UTCTIME * revtm = NULL ;
int i ;
switch ( rev_type )
{
case REV_NONE :
break ;
case REV_CRL_REASON :
for ( i = 0 ; i < 8 ; i + + )
{
if ( ! strcasecmp ( rev_arg , crl_reasons [ i ] ) )
{
reason = crl_reasons [ i ] ;
break ;
}
}
if ( reason = = NULL )
{
BIO_printf ( bio_err , " Unknown CRL reason %s \n " , rev_arg ) ;
return NULL ;
}
break ;
case REV_HOLD :
/* Argument is an OID */
otmp = OBJ_txt2obj ( rev_arg , 0 ) ;
ASN1_OBJECT_free ( otmp ) ;
if ( otmp = = NULL )
{
BIO_printf ( bio_err , " Invalid object identifier %s \n " , rev_arg ) ;
return NULL ;
}
reason = " holdInstruction " ;
other = rev_arg ;
break ;
case REV_KEY_COMPROMISE :
case REV_CA_COMPROMISE :
/* Argument is the key compromise time */
if ( ! ASN1_GENERALIZEDTIME_set_string ( NULL , rev_arg ) )
{
BIO_printf ( bio_err , " Invalid time format %s. Need YYYYMMDDHHMMSSZ \n " , rev_arg ) ;
return NULL ;
}
other = rev_arg ;
if ( rev_type = = REV_KEY_COMPROMISE )
reason = " keyTime " ;
else
reason = " CAkeyTime " ;
break ;
}
revtm = X509_gmtime_adj ( NULL , 0 ) ;
i = revtm - > length + 1 ;
if ( reason ) i + = strlen ( reason ) + 1 ;
if ( other ) i + = strlen ( other ) + 1 ;
str = OPENSSL_malloc ( i ) ;
if ( ! str ) return NULL ;
2004-03-17 15:49:33 +00:00
BUF_strlcpy ( str , ( char * ) revtm - > data , i ) ;
2003-01-28 21:43:22 +00:00
if ( reason )
{
2004-03-17 15:49:33 +00:00
BUF_strlcat ( str , " , " , i ) ;
BUF_strlcat ( str , reason , i ) ;
2003-01-28 21:43:22 +00:00
}
if ( other )
{
2004-03-17 15:49:33 +00:00
BUF_strlcat ( str , " , " , i ) ;
BUF_strlcat ( str , other , i ) ;
2003-01-28 21:43:22 +00:00
}
ASN1_UTCTIME_free ( revtm ) ;
return str ;
}
/* Convert revocation field to X509_REVOKED entry
* return code :
* 0 error
* 1 OK
* 2 OK and some extensions added ( i . e . V2 CRL )
*/
2006-07-29 19:10:21 +00:00
int make_revoked ( X509_REVOKED * rev , const char * str )
2003-01-28 21:43:22 +00:00
{
char * tmp = NULL ;
int reason_code = - 1 ;
int i , ret = 0 ;
ASN1_OBJECT * hold = NULL ;
ASN1_GENERALIZEDTIME * comp_time = NULL ;
ASN1_ENUMERATED * rtmp = NULL ;
ASN1_TIME * revDate = NULL ;
i = unpack_revinfo ( & revDate , & reason_code , & hold , & comp_time , str ) ;
if ( i = = 0 )
goto err ;
if ( rev & & ! X509_REVOKED_set_revocationDate ( rev , revDate ) )
goto err ;
if ( rev & & ( reason_code ! = OCSP_REVOKED_STATUS_NOSTATUS ) )
{
rtmp = ASN1_ENUMERATED_new ( ) ;
if ( ! rtmp | | ! ASN1_ENUMERATED_set ( rtmp , reason_code ) )
goto err ;
if ( ! X509_REVOKED_add1_ext_i2d ( rev , NID_crl_reason , rtmp , 0 , 0 ) )
goto err ;
}
if ( rev & & comp_time )
{
if ( ! X509_REVOKED_add1_ext_i2d ( rev , NID_invalidity_date , comp_time , 0 , 0 ) )
goto err ;
}
if ( rev & & hold )
{
if ( ! X509_REVOKED_add1_ext_i2d ( rev , NID_hold_instruction_code , hold , 0 , 0 ) )
goto err ;
}
if ( reason_code ! = OCSP_REVOKED_STATUS_NOSTATUS )
ret = 2 ;
else ret = 1 ;
err :
if ( tmp ) OPENSSL_free ( tmp ) ;
ASN1_OBJECT_free ( hold ) ;
ASN1_GENERALIZEDTIME_free ( comp_time ) ;
ASN1_ENUMERATED_free ( rtmp ) ;
ASN1_TIME_free ( revDate ) ;
return ret ;
}
int old_entry_print ( BIO * bp , ASN1_OBJECT * obj , ASN1_STRING * str )
{
char buf [ 25 ] , * pbuf , * p ;
int j ;
j = i2a_ASN1_OBJECT ( bp , obj ) ;
pbuf = buf ;
for ( j = 22 - j ; j > 0 ; j - - )
* ( pbuf + + ) = ' ' ;
* ( pbuf + + ) = ' : ' ;
* ( pbuf + + ) = ' \0 ' ;
BIO_puts ( bp , buf ) ;
if ( str - > type = = V_ASN1_PRINTABLESTRING )
BIO_printf ( bp , " PRINTABLE:' " ) ;
else if ( str - > type = = V_ASN1_T61STRING )
BIO_printf ( bp , " T61STRING:' " ) ;
else if ( str - > type = = V_ASN1_IA5STRING )
BIO_printf ( bp , " IA5STRING:' " ) ;
else if ( str - > type = = V_ASN1_UNIVERSALSTRING )
BIO_printf ( bp , " UNIVERSALSTRING:' " ) ;
else
BIO_printf ( bp , " ASN.1 %2d:' " , str - > type ) ;
p = ( char * ) str - > data ;
for ( j = str - > length ; j > 0 ; j - - )
{
if ( ( * p > = ' ' ) & & ( * p < = ' ~ ' ) )
BIO_printf ( bp , " %c " , * p ) ;
else if ( * p & 0x80 )
BIO_printf ( bp , " \\ 0x%02X " , * p ) ;
else if ( ( unsigned char ) * p = = 0xf7 )
BIO_printf ( bp , " ^? " ) ;
else BIO_printf ( bp , " ^%c " , * p + ' @ ' ) ;
p + + ;
}
BIO_printf ( bp , " ' \n " ) ;
return 1 ;
}
2006-07-29 19:10:21 +00:00
int unpack_revinfo ( ASN1_TIME * * prevtm , int * preason , ASN1_OBJECT * * phold , ASN1_GENERALIZEDTIME * * pinvtm , const char * str )
2003-01-28 21:43:22 +00:00
{
char * tmp = NULL ;
char * rtime_str , * reason_str = NULL , * arg_str = NULL , * p ;
int reason_code = - 1 ;
2006-07-29 19:10:21 +00:00
int ret = 0 ;
unsigned int i ;
2003-01-28 21:43:22 +00:00
ASN1_OBJECT * hold = NULL ;
ASN1_GENERALIZEDTIME * comp_time = NULL ;
tmp = BUF_strdup ( str ) ;
p = strchr ( tmp , ' , ' ) ;
rtime_str = tmp ;
if ( p )
{
* p = ' \0 ' ;
p + + ;
reason_str = p ;
p = strchr ( p , ' , ' ) ;
if ( p )
{
* p = ' \0 ' ;
arg_str = p + 1 ;
}
}
if ( prevtm )
{
* prevtm = ASN1_UTCTIME_new ( ) ;
if ( ! ASN1_UTCTIME_set_string ( * prevtm , rtime_str ) )
{
BIO_printf ( bio_err , " invalid revocation date %s \n " , rtime_str ) ;
goto err ;
}
}
if ( reason_str )
{
for ( i = 0 ; i < NUM_REASONS ; i + + )
{
if ( ! strcasecmp ( reason_str , crl_reasons [ i ] ) )
{
reason_code = i ;
break ;
}
}
if ( reason_code = = OCSP_REVOKED_STATUS_NOSTATUS )
{
BIO_printf ( bio_err , " invalid reason code %s \n " , reason_str ) ;
goto err ;
}
if ( reason_code = = 7 )
reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL ;
else if ( reason_code = = 8 ) /* Hold instruction */
{
if ( ! arg_str )
{
BIO_printf ( bio_err , " missing hold instruction \n " ) ;
goto err ;
}
reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD ;
hold = OBJ_txt2obj ( arg_str , 0 ) ;
if ( ! hold )
{
BIO_printf ( bio_err , " invalid object identifier %s \n " , arg_str ) ;
goto err ;
}
if ( phold ) * phold = hold ;
}
else if ( ( reason_code = = 9 ) | | ( reason_code = = 10 ) )
{
if ( ! arg_str )
{
BIO_printf ( bio_err , " missing compromised time \n " ) ;
goto err ;
}
comp_time = ASN1_GENERALIZEDTIME_new ( ) ;
if ( ! ASN1_GENERALIZEDTIME_set_string ( comp_time , arg_str ) )
{
BIO_printf ( bio_err , " invalid compromised time %s \n " , arg_str ) ;
goto err ;
}
if ( reason_code = = 9 )
reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE ;
else
reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE ;
}
}
if ( preason ) * preason = reason_code ;
if ( pinvtm ) * pinvtm = comp_time ;
else ASN1_GENERALIZEDTIME_free ( comp_time ) ;
ret = 1 ;
err :
if ( tmp ) OPENSSL_free ( tmp ) ;
if ( ! phold ) ASN1_OBJECT_free ( hold ) ;
if ( ! pinvtm ) ASN1_GENERALIZEDTIME_free ( comp_time ) ;
return ret ;
}