]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/ca.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move do_subject() to apps.c and rename it to parse_name(). The
[thirdparty/openssl.git] / apps / ca.c
CommitLineData
d02b48c6 1/* apps/ca.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61#include <stdio.h>
62#include <stdlib.h>
63#include <string.h>
c67cdb50 64#include <ctype.h>
d02b48c6
RE		 65#include <sys/types.h>
66#include <sys/stat.h>
ec577822
BM		 67#include <openssl/conf.h>
68#include <openssl/bio.h>
69#include <openssl/err.h>
70#include <openssl/bn.h>
71#include <openssl/txt_db.h>
72#include <openssl/evp.h>
73#include <openssl/x509.h>
74#include <openssl/x509v3.h>
75#include <openssl/objects.h>
a6b7ffdd 76#include <openssl/ocsp.h>
ec577822 77#include <openssl/pem.h>
d02b48c6
RE		 78
79#ifndef W_OK
bc36ee62 80# ifdef OPENSSL_SYS_VMS
7d7d2cbc
UM		 81# if defined(__DECC)
82# include <unistd.h>
83# else
84# include <unixlib.h>
85# endif
4d8743f4 86# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
7d7d2cbc
UM		 87# include <sys/file.h>
88# endif
89#endif
90
d610d27f
RL		 91#include "apps.h"
92
7d7d2cbc
UM		 93#ifndef W_OK
94# define F_OK 0
95# define X_OK 1
96# define W_OK 2
97# define R_OK 4
d02b48c6
RE		 98#endif
99
100#undef PROG
101#define PROG ca_main
102
103#define BASE_SECTION "ca"
d5a2ea4b 104#define CONFIG_FILE "openssl.cnf"
d02b48c6
RE		 105
106#define ENV_DEFAULT_CA "default_ca"
107
108#define ENV_DIR "dir"
109#define ENV_CERTS "certs"
110#define ENV_CRL_DIR "crl_dir"
111#define ENV_CA_DB "CA_DB"
112#define ENV_NEW_CERTS_DIR "new_certs_dir"
113#define ENV_CERTIFICATE "certificate"
114#define ENV_SERIAL "serial"
fd4ef699 115#define ENV_CRLNUMBER "crlnumber"
d02b48c6
RE		 116#define ENV_CRL "crl"
117#define ENV_PRIVATE_KEY "private_key"
118#define ENV_RANDFILE "RANDFILE"
119#define ENV_DEFAULT_DAYS "default_days"
58964a49 120#define ENV_DEFAULT_STARTDATE "default_startdate"
ed7f60fb 121#define ENV_DEFAULT_ENDDATE "default_enddate"
d02b48c6
RE		 122#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
123#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
124#define ENV_DEFAULT_MD "default_md"
89da653f 125#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
d02b48c6
RE		 126#define ENV_PRESERVE "preserve"
127#define ENV_POLICY "policy"
128#define ENV_EXTENSIONS "x509_extensions"
1756d405 129#define ENV_CRLEXT "crl_extensions"
d02b48c6 130#define ENV_MSIE_HACK "msie_hack"
535d79da
DSH		 131#define ENV_NAMEOPT "name_opt"
132#define ENV_CERTOPT "cert_opt"
791bd0cd 133#define ENV_EXTCOPY "copy_extensions"
d02b48c6
RE		 134
135#define ENV_DATABASE "database"
136
a6b7ffdd
DSH		 137/* Additional revocation information types */
138
139#define REV_NONE 0 /* No addditional information */
140#define REV_CRL_REASON 1 /* Value is CRL reason code */
141#define REV_HOLD 2 /* Value is hold instruction */
142#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
143#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
144
d02b48c6
RE		 145static char *ca_usage[]={
146"usage: ca args\n",
147"\n",
148" -verbose - Talk alot while doing things\n",
149" -config file - A config file\n",
150" -name arg - The particular CA definition to use\n",
151" -gencrl - Generate a new CRL\n",
152" -crldays days - Days is when the next CRL is due\n",
153" -crlhours hours - Hours is when the next CRL is due\n",
9a0f732d
BM		 154" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
155" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
d02b48c6
RE		 156" -days arg - number of days to certify the certificate for\n",
157" -md arg - md to use, one of md2, md5, sha or sha1\n",
158" -policy arg - The CA 'policy' to support\n",
32d862ed
RL		 159" -keyfile arg - private key file\n",
160" -keyform arg - private key file format (PEM or ENGINE)\n",
d02b48c6 161" -key arg - key to decode the private key if it is encrypted\n",
29d28247 162" -cert file - The CA certificate\n",
d6df2b28 163" -selfsign - sign a certificate with the key associated with it\n",
d02b48c6
RE		 164" -in file - The input PEM encoded certificate request(s)\n",
165" -out file - Where to put the output file(s)\n",
166" -outdir dir - Where to put output certificates\n",
167" -infiles .... - The last argument, requests to process\n",
168" -spkac file - File contains DN and signed public key and challenge\n",
58964a49 169" -ss_cert file - File contains a self signed cert to sign\n",
d02b48c6 170" -preserveDN - Don't re-order the DN\n",
89da653f 171" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
7c7c8851
RE		 172" -batch - Don't ask questions\n",
173" -msie_hack - msie modifications to handle all those universal strings\n",
f9a25931 174" -revoke file - Revoke a certificate (given in file)\n",
bad40585 175" -subj arg - Use arg instead of request's subject\n",
7ce9e425 176" -multivalue-rdn - enable support for multivalued RDNs\n",
87a25f90 177" -extensions .. - Extension section (override value in config file)\n",
dfebac32 178" -extfile file - Configuration file with X509v3 extentions to add\n",
87a25f90 179" -crlexts .. - CRL extension section (override value in config file)\n",
0b13e9f0 180#ifndef OPENSSL_NO_ENGINE
5270e702 181" -engine e - use engine e, possibly a hardware device.\n",
0b13e9f0 182#endif
c67cdb50
BM		 183" -status serial - Shows certificate status given the serial number\n",
184" -updatedb - Updates db for expired certificates\n",
d02b48c6
RE		 185NULL
186};
187
188#ifdef EFENCE
189extern int EF_PROTECT_FREE;
190extern int EF_PROTECT_BELOW;
191extern int EF_ALIGNMENT;
192#endif
193
d02b48c6 194static void lookup_fail(char *name,char *tag);
d02b48c6 195static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
f85b68cd 196 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
7ce9e425 197 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate,
89da653f
BM		 198 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
199 int verbose, unsigned long certopt, unsigned long nameopt,
16b1b035 200 int default_op, int ext_copy, int selfsign);
58964a49 201static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
ba404b5e 202 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
7ce9e425 203 CA_DB *db, BIGNUM *serial, char *subj, int multirdn, int email_dn,
89da653f
BM		 204 char *startdate, char *enddate, long days, int batch,
205 char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
ce16450a
RL		 206 unsigned long nameopt, int default_op, int ext_copy,
207 ENGINE *e);
d02b48c6 208static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
ba404b5e 209 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
7ce9e425 210 CA_DB *db, BIGNUM *serial,char *subj, int multirdn, int email_dn,
89da653f
BM		 211 char *startdate, char *enddate, long days, char *ext_sect,
212 CONF *conf, int verbose, unsigned long certopt,
213 unsigned long nameopt, int default_op, int ext_copy);
d02b48c6 214static int fix_data(int nid, int *type);
82fc1d9c 215static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
e778802f 216static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
7ce9e425 217 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int multirdn,
89da653f
BM		 218 int email_dn, char *startdate, char *enddate, long days, int batch,
219 int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
535d79da 220 unsigned long certopt, unsigned long nameopt, int default_op,
16b1b035 221 int ext_copy, int selfsign);
f85b68cd
RL		 222static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
223static int get_certificate_status(const char *ser_status, CA_DB *db);
224static int do_updatedb(CA_DB *db);
d02b48c6 225static int check_time_format(char *str);
a6b7ffdd
DSH		 226char *make_revocation_str(int rev_type, char *rev_arg);
227int make_revoked(X509_REVOKED *rev, char *str);
535d79da 228int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
b7a26e6d
DSH		 229static CONF *conf=NULL;
230static CONF *extconf=NULL;
d02b48c6
RE		 231static char *section=NULL;
232
233static int preserve=0;
234static int msie_hack=0;
235
35a99b63 236
667ac4ec
RE		 237int MAIN(int, char **);
238
6b691a5c 239int MAIN(int argc, char **argv)
d02b48c6 240 {
5270e702 241 ENGINE *e = NULL;
bd08a2bd 242 char *key=NULL,*passargin=NULL;
b65f8513 243 int free_key = 0;
d02b48c6
RE		 244 int total=0;
245 int total_done=0;
246 int badops=0;
247 int ret=1;
89da653f 248 int email_dn=1;
d02b48c6
RE		 249 int req=0;
250 int verbose=0;
251 int gencrl=0;
a36a1a51 252 int dorevoke=0;
c67cdb50 253 int doupdatedb=0;
d02b48c6
RE		 254 long crldays=0;
255 long crlhours=0;
256 long errorline= -1;
257 char *configfile=NULL;
258 char *md=NULL;
259 char *policy=NULL;
260 char *keyfile=NULL;
261 char *certfile=NULL;
32d862ed 262 int keyform=FORMAT_PEM;
d02b48c6
RE		 263 char *infile=NULL;
264 char *spkac_file=NULL;
58964a49 265 char *ss_cert_file=NULL;
c67cdb50 266 char *ser_status=NULL;
d02b48c6
RE		 267 EVP_PKEY *pkey=NULL;
268 int output_der = 0;
269 char *outfile=NULL;
270 char *outdir=NULL;
271 char *serialfile=NULL;
fd4ef699 272 char *crlnumberfile=NULL;
d02b48c6 273 char *extensions=NULL;
dfebac32 274 char *extfile=NULL;
bad40585 275 char *subj=NULL;
7ce9e425 276 int multirdn = 0;
89da653f 277 char *tmp_email_dn=NULL;
1756d405 278 char *crl_ext=NULL;
a6b7ffdd
DSH		 279 int rev_type = REV_NONE;
280 char *rev_arg = NULL;
d02b48c6 281 BIGNUM *serial=NULL;
fd4ef699 282 BIGNUM *crlnumber=NULL;
58964a49 283 char *startdate=NULL;
ed7f60fb 284 char *enddate=NULL;
b7a26e6d 285 long days=0;
d02b48c6 286 int batch=0;
82fc1d9c 287 int notext=0;
535d79da
DSH		 288 unsigned long nameopt = 0, certopt = 0;
289 int default_op = 1;
791bd0cd 290 int ext_copy = EXT_COPY_NONE;
16b1b035
RL		 291 int selfsign = 0;
292 X509 *x509=NULL, *x509p = NULL;
d02b48c6
RE		 293 X509 *x=NULL;
294 BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
295 char *dbfile=NULL;
f85b68cd 296 CA_DB *db=NULL;
d02b48c6 297 X509_CRL *crl=NULL;
d02b48c6 298 X509_REVOKED *r=NULL;
35bf3541
DSH		 299 ASN1_TIME *tmptm;
300 ASN1_INTEGER *tmpser;
d02b48c6
RE		 301 char **pp,*p,*f;
302 int i,j;
e778802f 303 const EVP_MD *dgst=NULL;
ba404b5e 304 STACK_OF(CONF_VALUE) *attribs=NULL;
b4604683 305 STACK_OF(X509) *cert_sk=NULL;
d02b48c6
RE		 306#undef BSIZE
307#define BSIZE 256
308 MS_STATIC char buf[3][BSIZE];
95fdc5ee 309 char *randfile=NULL;
0b13e9f0 310#ifndef OPENSSL_NO_ENGINE
5270e702 311 char *engine = NULL;
0b13e9f0 312#endif
54a656ef 313 char *tofree=NULL;
f85b68cd 314 DB_ATTR db_attr;
d02b48c6
RE		 315
316#ifdef EFENCE
317EF_PROTECT_FREE=1;
318EF_PROTECT_BELOW=1;
319EF_ALIGNMENT=0;
320#endif
321
322 apps_startup();
323
a32640b0 324 conf = NULL;
b74ba295
BM		 325 key = NULL;
326 section = NULL;
327
d02b48c6 328 preserve=0;
b74ba295 329 msie_hack=0;
d02b48c6
RE		 330 if (bio_err == NULL)
331 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
58964a49 332 BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
d02b48c6
RE		 333
334 argc--;
335 argv++;
336 while (argc >= 1)
337 {
338 if (strcmp(*argv,"-verbose") == 0)
339 verbose=1;
340 else if (strcmp(*argv,"-config") == 0)
341 {
342 if (--argc < 1) goto bad;
343 configfile= *(++argv);
344 }
345 else if (strcmp(*argv,"-name") == 0)
346 {
347 if (--argc < 1) goto bad;
348 section= *(++argv);
349 }
bad40585
BM		 350 else if (strcmp(*argv,"-subj") == 0)
351 {
352 if (--argc < 1) goto bad;
353 subj= *(++argv);
354 /* preserve=1; */
355 }
7ce9e425
RL		 356 else if (strcmp(*argv,"-multivalue-rdn") == 0)
357 multirdn=1;
58964a49
RE		 358 else if (strcmp(*argv,"-startdate") == 0)
359 {
360 if (--argc < 1) goto bad;
361 startdate= *(++argv);
362 }
ed7f60fb
DSH		 363 else if (strcmp(*argv,"-enddate") == 0)
364 {
365 if (--argc < 1) goto bad;
366 enddate= *(++argv);
367 }
d02b48c6
RE		 368 else if (strcmp(*argv,"-days") == 0)
369 {
370 if (--argc < 1) goto bad;
371 days=atoi(*(++argv));
372 }
373 else if (strcmp(*argv,"-md") == 0)
374 {
375 if (--argc < 1) goto bad;
376 md= *(++argv);
377 }
378 else if (strcmp(*argv,"-policy") == 0)
379 {
380 if (--argc < 1) goto bad;
381 policy= *(++argv);
382 }
383 else if (strcmp(*argv,"-keyfile") == 0)
384 {
385 if (--argc < 1) goto bad;
386 keyfile= *(++argv);
387 }
32d862ed
RL		 388 else if (strcmp(*argv,"-keyform") == 0)
389 {
390 if (--argc < 1) goto bad;
391 keyform=str2fmt(*(++argv));
392 }
bd08a2bd
DSH		 393 else if (strcmp(*argv,"-passin") == 0)
394 {
395 if (--argc < 1) goto bad;
396 passargin= *(++argv);
397 }
d02b48c6
RE		 398 else if (strcmp(*argv,"-key") == 0)
399 {
400 if (--argc < 1) goto bad;
401 key= *(++argv);
402 }
403 else if (strcmp(*argv,"-cert") == 0)
404 {
405 if (--argc < 1) goto bad;
406 certfile= *(++argv);
407 }
16b1b035
RL		 408 else if (strcmp(*argv,"-selfsign") == 0)
409 selfsign=1;
d02b48c6
RE		 410 else if (strcmp(*argv,"-in") == 0)
411 {
412 if (--argc < 1) goto bad;
413 infile= *(++argv);
414 req=1;
415 }
416 else if (strcmp(*argv,"-out") == 0)
417 {
418 if (--argc < 1) goto bad;
419 outfile= *(++argv);
420 }
421 else if (strcmp(*argv,"-outdir") == 0)
422 {
423 if (--argc < 1) goto bad;
424 outdir= *(++argv);
425 }
82fc1d9c
DSH		 426 else if (strcmp(*argv,"-notext") == 0)
427 notext=1;
d02b48c6
RE		 428 else if (strcmp(*argv,"-batch") == 0)
429 batch=1;
430 else if (strcmp(*argv,"-preserveDN") == 0)
431 preserve=1;
89da653f
BM		 432 else if (strcmp(*argv,"-noemailDN") == 0)
433 email_dn=0;
d02b48c6
RE		 434 else if (strcmp(*argv,"-gencrl") == 0)
435 gencrl=1;
436 else if (strcmp(*argv,"-msie_hack") == 0)
437 msie_hack=1;
438 else if (strcmp(*argv,"-crldays") == 0)
439 {
440 if (--argc < 1) goto bad;
441 crldays= atol(*(++argv));
442 }
443 else if (strcmp(*argv,"-crlhours") == 0)
444 {
445 if (--argc < 1) goto bad;
446 crlhours= atol(*(++argv));
447 }
448 else if (strcmp(*argv,"-infiles") == 0)
449 {
450 argc--;
451 argv++;
452 req=1;
453 break;
454 }
58964a49
RE		 455 else if (strcmp(*argv, "-ss_cert") == 0)
456 {
457 if (--argc < 1) goto bad;
458 ss_cert_file = *(++argv);
459 req=1;
460 }
d02b48c6
RE		 461 else if (strcmp(*argv, "-spkac") == 0)
462 {
463 if (--argc < 1) goto bad;
464 spkac_file = *(++argv);
465 req=1;
466 }
f9a25931
RE		 467 else if (strcmp(*argv,"-revoke") == 0)
468 {
469 if (--argc < 1) goto bad;
470 infile= *(++argv);
a36a1a51 471 dorevoke=1;
f9a25931 472 }
87a25f90
DSH		 473 else if (strcmp(*argv,"-extensions") == 0)
474 {
475 if (--argc < 1) goto bad;
476 extensions= *(++argv);
477 }
dfebac32
BM		 478 else if (strcmp(*argv,"-extfile") == 0)
479 {
480 if (--argc < 1) goto bad;
481 extfile= *(++argv);
482 }
c67cdb50
BM		 483 else if (strcmp(*argv,"-status") == 0)
484 {
485 if (--argc < 1) goto bad;
486 ser_status= *(++argv);
487 }
488 else if (strcmp(*argv,"-updatedb") == 0)
489 {
490 doupdatedb=1;
491 }
87a25f90
DSH		 492 else if (strcmp(*argv,"-crlexts") == 0)
493 {
494 if (--argc < 1) goto bad;
495 crl_ext= *(++argv);
496 }
a6b7ffdd
DSH		 497 else if (strcmp(*argv,"-crl_reason") == 0)
498 {
499 if (--argc < 1) goto bad;
500 rev_arg = *(++argv);
501 rev_type = REV_CRL_REASON;
502 }
503 else if (strcmp(*argv,"-crl_hold") == 0)
504 {
505 if (--argc < 1) goto bad;
506 rev_arg = *(++argv);
507 rev_type = REV_HOLD;
508 }
509 else if (strcmp(*argv,"-crl_compromise") == 0)
510 {
511 if (--argc < 1) goto bad;
512 rev_arg = *(++argv);
513 rev_type = REV_KEY_COMPROMISE;
514 }
515 else if (strcmp(*argv,"-crl_CA_compromise") == 0)
516 {
517 if (--argc < 1) goto bad;
518 rev_arg = *(++argv);
519 rev_type = REV_CA_COMPROMISE;
520 }
0b13e9f0 521#ifndef OPENSSL_NO_ENGINE
5270e702
RL		 522 else if (strcmp(*argv,"-engine") == 0)
523 {
524 if (--argc < 1) goto bad;
525 engine= *(++argv);
526 }
0b13e9f0 527#endif
d02b48c6
RE		 528 else
529 {
530bad:
531 BIO_printf(bio_err,"unknown option %s\n",*argv);
532 badops=1;
533 break;
534 }
535 argc--;
536 argv++;
537 }
538
539 if (badops)
540 {
541 for (pp=ca_usage; (*pp != NULL); pp++)
4327aae8 542 BIO_printf(bio_err,"%s",*pp);
d02b48c6
RE		 543 goto err;
544 }
545
546 ERR_load_crypto_strings();
547
0b13e9f0 548#ifndef OPENSSL_NO_ENGINE
54a656ef 549 e = setup_engine(bio_err, engine, 0);
0b13e9f0 550#endif
5270e702 551
d02b48c6 552 /*****************************************************************/
54a656ef 553 tofree=NULL;
e40b7abe
DSH		 554 if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
555 if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
d02b48c6
RE		 556 if (configfile == NULL)
557 {
54a656ef
BL		 558 const char *s=X509_get_default_cert_area();
559
bc36ee62 560#ifdef OPENSSL_SYS_VMS
54a656ef
BL		 561 tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
562 strcpy(tofree,s);
7d7d2cbc 563#else
54a656ef
BL		 564 tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
565 strcpy(tofree,s);
566 strcat(tofree,"/");
7d7d2cbc 567#endif
54a656ef
BL		 568 strcat(tofree,CONFIG_FILE);
569 configfile=tofree;
d02b48c6
RE		 570 }
571
572 BIO_printf(bio_err,"Using configuration from %s\n",configfile);
b7a26e6d
DSH		 573 conf = NCONF_new(NULL);
574 if (NCONF_load(conf,configfile,&errorline) <= 0)
d02b48c6
RE		 575 {
576 if (errorline <= 0)
577 BIO_printf(bio_err,"error loading the config file '%s'\n",
578 configfile);
579 else
580 BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
581 ,errorline,configfile);
582 goto err;
583 }
54a656ef 584 if(tofree)
5b7249f3 585 {
54a656ef 586 OPENSSL_free(tofree);
5b7249f3
DSH		 587 tofree = NULL;
588 }
d02b48c6 589
3647bee2
DSH		 590 if (!load_config(bio_err, conf))
591 goto err;
592
d02b48c6
RE		 593 /* Lets get the config section we are using */
594 if (section == NULL)
595 {
b7a26e6d 596 section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
d02b48c6
RE		 597 if (section == NULL)
598 {
599 lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
600 goto err;
601 }
602 }
603
dfeab068
RE		 604 if (conf != NULL)
605 {
b7a26e6d 606 p=NCONF_get_string(conf,NULL,"oid_file");
2c0d1012
BM		 607 if (p == NULL)
608 ERR_clear_error();
dfeab068
RE		 609 if (p != NULL)
610 {
611 BIO *oid_bio;
612
613 oid_bio=BIO_new_file(p,"r");
614 if (oid_bio == NULL)
615 {
616 /*
617 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
618 ERR_print_errors(bio_err);
619 */
c106c613 620 ERR_clear_error();
dfeab068
RE		 621 }
622 else
623 {
624 OBJ_create_objects(oid_bio);
625 BIO_free(oid_bio);
626 }
627 }
c67cdb50 628 if (!add_oid_section(bio_err,conf))
a31011e8 629 {
a43aa73e
DSH		 630 ERR_print_errors(bio_err);
631 goto err;
a31011e8 632 }
a43aa73e 633 }
dfeab068 634
b7a26e6d 635 randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
2c0d1012
BM		 636 if (randfile == NULL)
637 ERR_clear_error();
a31011e8 638 app_RAND_load_file(randfile, bio_err, 0);
f85b68cd
RL		 639
640 db_attr.unique_subject = 1;
641 p = NCONF_get_string(conf, section, "unique_subject");
642 if (p)
643 {
63b6fe2b 644#ifdef RL_DEBUG
f85b68cd 645 BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
63b6fe2b 646#endif
f85b68cd
RL		 647 switch(*p)
648 {
649 case 'f': /* false */
650 case 'F': /* FALSE */
651 case 'n': /* no */
652 case 'N': /* NO */
653 db_attr.unique_subject = 0;
654 break;
655 case 't': /* true */
656 case 'T': /* TRUE */
657 case 'y': /* yes */
658 case 'Y': /* YES */
659 default:
660 db_attr.unique_subject = 1;
661 break;
662 }
663 }
63b6fe2b 664#ifdef RL_DEBUG
f85b68cd
RL		 665 else
666 BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
63b6fe2b
RL		 667#endif
668#ifdef RL_DEBUG
f85b68cd
RL		 669 BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
670 db_attr.unique_subject);
63b6fe2b 671#endif
a31011e8 672
d02b48c6
RE		 673 in=BIO_new(BIO_s_file());
674 out=BIO_new(BIO_s_file());
675 Sout=BIO_new(BIO_s_file());
676 Cout=BIO_new(BIO_s_file());
677 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
678 {
679 ERR_print_errors(bio_err);
680 goto err;
681 }
682
683 /*****************************************************************/
c67cdb50
BM		 684 /* report status of cert with serial number given on command line */
685 if (ser_status)
686 {
b7a26e6d 687 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
c67cdb50
BM		 688 {
689 lookup_fail(section,ENV_DATABASE);
690 goto err;
691 }
f85b68cd 692 db = load_index(dbfile,&db_attr);
c67cdb50
BM		 693 if (db == NULL) goto err;
694
f85b68cd 695 if (!index_index(db)) goto err;
c67cdb50
BM		 696
697 if (get_certificate_status(ser_status,db) != 1)
698 BIO_printf(bio_err,"Error verifying serial %s!\n",
699 ser_status);
700 goto err;
701 }
702
703 /*****************************************************************/
16b1b035 704 /* we definitely need a private key, so let's get it */
d02b48c6 705
b7a26e6d 706 if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
d02b48c6
RE		 707 section,ENV_PRIVATE_KEY)) == NULL))
708 {
709 lookup_fail(section,ENV_PRIVATE_KEY);
710 goto err;
711 }
b65f8513 712 if (!key)
bd08a2bd 713 {
b65f8513
DSH		 714 free_key = 1;
715 if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
716 {
717 BIO_printf(bio_err,"Error getting password\n");
718 goto err;
719 }
bd08a2bd 720 }
da9b9724 721 pkey = load_key(bio_err, keyfile, keyform, 0, key, e,
30b4c272 722 "CA private key");
4579924b 723 if (key) OPENSSL_cleanse(key,strlen(key));
d02b48c6
RE		 724 if (pkey == NULL)
725 {
30b4c272 726 /* load_key() has already printed an appropriate message */
d02b48c6
RE		 727 goto err;
728 }
729
730 /*****************************************************************/
731 /* we need a certificate */
16b1b035 732 if (!selfsign || spkac_file || ss_cert_file || gencrl)
d02b48c6 733 {
16b1b035
RL		 734 if ((certfile == NULL)
735 && ((certfile=NCONF_get_string(conf,
736 section,ENV_CERTIFICATE)) == NULL))
737 {
738 lookup_fail(section,ENV_CERTIFICATE);
739 goto err;
740 }
741 x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
742 "CA certificate");
743 if (x509 == NULL)
744 goto err;
d02b48c6 745
16b1b035
RL		 746 if (!X509_check_private_key(x509,pkey))
747 {
748 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
749 goto err;
750 }
dfeab068 751 }
16b1b035 752 if (!selfsign) x509p = x509;
dfeab068 753
b7a26e6d 754 f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
2c0d1012
BM		 755 if (f == NULL)
756 ERR_clear_error();
d02b48c6
RE		 757 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
758 preserve=1;
b7a26e6d 759 f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
2c0d1012
BM		 760 if (f == NULL)
761 ERR_clear_error();
d02b48c6
RE		 762 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
763 msie_hack=1;
764
b7a26e6d 765 f=NCONF_get_string(conf,section,ENV_NAMEOPT);
535d79da
DSH		 766
767 if (f)
768 {
769 if (!set_name_ex(&nameopt, f))
770 {
771 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
772 goto err;
773 }
774 default_op = 0;
775 }
776 else
777 ERR_clear_error();
778
b7a26e6d 779 f=NCONF_get_string(conf,section,ENV_CERTOPT);
535d79da
DSH		 780
781 if (f)
782 {
783 if (!set_cert_ex(&certopt, f))
784 {
785 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
786 goto err;
787 }
788 default_op = 0;
789 }
790 else
791 ERR_clear_error();
792
b7a26e6d 793 f=NCONF_get_string(conf,section,ENV_EXTCOPY);
791bd0cd
DSH		 794
795 if (f)
796 {
797 if (!set_ext_copy(&ext_copy, f))
798 {
799 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
800 goto err;
801 }
802 }
803 else
804 ERR_clear_error();
535d79da 805
d02b48c6
RE		 806 /*****************************************************************/
807 /* lookup where to write new certificates */
808 if ((outdir == NULL) && (req))
809 {
810 struct stat sb;
811
b7a26e6d 812 if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
d02b48c6
RE		 813 == NULL)
814 {
815 BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
816 goto err;
817 }
bc36ee62
RL		 818#ifndef OPENSSL_SYS_VMS
819 /* outdir is a directory spec, but access() for VMS demands a
207c7df7
RL		 820 filename. In any case, stat(), below, will catch the problem
821 if outdir is not a directory spec, and the fopen() or open()
822 will catch an error if there is no write access.
823
824 Presumably, this problem could also be solved by using the DEC
825 C routines to convert the directory syntax to Unixly, and give
826 that to access(). However, time's too short to do that just
827 now.
bad40585 828 */
d02b48c6
RE		 829 if (access(outdir,R_OK|W_OK|X_OK) != 0)
830 {
657e60fa 831 BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
d02b48c6
RE		 832 perror(outdir);
833 goto err;
834 }
835
836 if (stat(outdir,&sb) != 0)
837 {
838 BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
839 perror(outdir);
840 goto err;
841 }
79875776 842#ifdef S_IFDIR
d02b48c6
RE		 843 if (!(sb.st_mode & S_IFDIR))
844 {
845 BIO_printf(bio_err,"%s need to be a directory\n",outdir);
846 perror(outdir);
847 goto err;
848 }
cb464c38 849#endif
79875776 850#endif
d02b48c6
RE		 851 }
852
853 /*****************************************************************/
854 /* we need to load the database file */
b7a26e6d 855 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
d02b48c6
RE		 856 {
857 lookup_fail(section,ENV_DATABASE);
858 goto err;
859 }
f85b68cd 860 db = load_index(dbfile, &db_attr);
d02b48c6
RE		 861 if (db == NULL) goto err;
862
863 /* Lets check some fields */
f85b68cd 864 for (i=0; i<sk_num(db->db->data); i++)
d02b48c6 865 {
f85b68cd 866 pp=(char **)sk_value(db->db->data,i);
d02b48c6
RE		 867 if ((pp[DB_type][0] != DB_TYPE_REV) &&
868 (pp[DB_rev_date][0] != '\0'))
869 {
7c7c8851 870 BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
d02b48c6
RE		 871 goto err;
872 }
873 if ((pp[DB_type][0] == DB_TYPE_REV) &&
a6b7ffdd 874 !make_revoked(NULL, pp[DB_rev_date]))
d02b48c6 875 {
a6b7ffdd 876 BIO_printf(bio_err," in entry %d\n", i+1);
d02b48c6
RE		 877 goto err;
878 }
879 if (!check_time_format(pp[DB_exp_date]))
880 {
881 BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
882 goto err;
883 }
884 p=pp[DB_serial];
885 j=strlen(p);
acba75c5
DSH		 886 if (*p == '-')
887 {
888 p++;
889 j--;
890 }
d02b48c6
RE		 891 if ((j&1) || (j < 2))
892 {
893 BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
894 goto err;
895 }
896 while (*p)
897 {
898 if (!( ((*p >= '0') && (*p <= '9')) ||
899 ((*p >= 'A') && (*p <= 'F')) ||
900 ((*p >= 'a') && (*p <= 'f'))) )
901 {
902 BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
903 goto err;
904 }
905 p++;
906 }
907 }
908 if (verbose)
909 {
58964a49 910 BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
bc36ee62 911#ifdef OPENSSL_SYS_VMS
645749ef
RL		 912 {
913 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
914 out = BIO_push(tmpbio, out);
915 }
916#endif
f85b68cd 917 TXT_DB_write(out,db->db);
d02b48c6 918 BIO_printf(bio_err,"%d entries loaded from the database\n",
f85b68cd 919 db->db->data->num);
657e60fa 920 BIO_printf(bio_err,"generating index\n");
d02b48c6
RE		 921 }
922
f85b68cd 923 if (!index_index(db)) goto err;
d02b48c6 924
c67cdb50
BM		 925 /*****************************************************************/
926 /* Update the db file for expired certificates */
927 if (doupdatedb)
928 {
929 if (verbose)
930 BIO_printf(bio_err, "Updating %s ...\n",
931 dbfile);
932
933 i = do_updatedb(db);
934 if (i == -1)
935 {
936 BIO_printf(bio_err,"Malloc failure\n");
937 goto err;
bad40585 938 }
c67cdb50 939 else if (i == 0)
bad40585 940 {
c67cdb50
BM		 941 if (verbose) BIO_printf(bio_err,
942 "No entries found to mark expired\n");
943 }
944 else
945 {
f85b68cd
RL		 946 if (!save_index(dbfile,"new",db)) goto err;
947
948 if (!rotate_index(dbfile,"new","old")) goto err;
c67cdb50
BM		 949
950 if (verbose) BIO_printf(bio_err,
951 "Done. %d entries marked as expired\n",i);
952 }
953 goto err;
954 }
955
dfebac32
BM		 956 /*****************************************************************/
957 /* Read extentions config file */
958 if (extfile)
959 {
b7a26e6d
DSH		 960 extconf = NCONF_new(NULL);
961 if (NCONF_load(extconf,extfile,&errorline) <= 0)
dfebac32
BM		 962 {
963 if (errorline <= 0)
964 BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
965 extfile);
966 else
967 BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
968 errorline,extfile);
969 ret = 1;
970 goto err;
971 }
972
973 if (verbose)
e2350001 974 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);
dfebac32
BM		 975
976 /* We can have sections in the ext file */
b7a26e6d 977 if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
dfebac32 978 extensions = "default";
bad40585 979 }
dfebac32 980
d02b48c6
RE		 981 /*****************************************************************/
982 if (req || gencrl)
983 {
984 if (outfile != NULL)
985 {
d02b48c6
RE		 986 if (BIO_write_filename(Sout,outfile) <= 0)
987 {
988 perror(outfile);
989 goto err;
990 }
991 }
992 else
645749ef 993 {
58964a49 994 BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
bc36ee62 995#ifdef OPENSSL_SYS_VMS
645749ef
RL		 996 {
997 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
998 Sout = BIO_push(tmpbio, Sout);
999 }
1000#endif
1001 }
d02b48c6
RE		 1002 }
1003
1004 if (req)
1005 {
b7a26e6d 1006 if ((md == NULL) && ((md=NCONF_get_string(conf,
d02b48c6
RE		 1007 section,ENV_DEFAULT_MD)) == NULL))
1008 {
1009 lookup_fail(section,ENV_DEFAULT_MD);
1010 goto err;
1011 }
89da653f
BM		 1012 if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
1013 section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
1014 {
1015 if(strcmp(tmp_email_dn,"no") == 0)
1016 email_dn=0;
1017 }
d02b48c6
RE		 1018 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1019 {
1020 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1021 goto err;
1022 }
1023 if (verbose)
1024 BIO_printf(bio_err,"message digest is %s\n",
1025 OBJ_nid2ln(dgst->type));
b7a26e6d 1026 if ((policy == NULL) && ((policy=NCONF_get_string(conf,
d02b48c6
RE		 1027 section,ENV_POLICY)) == NULL))
1028 {
1029 lookup_fail(section,ENV_POLICY);
1030 goto err;
1031 }
1032 if (verbose)
1033 BIO_printf(bio_err,"policy is %s\n",policy);
1034
b7a26e6d 1035 if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL))
d02b48c6
RE		 1036 == NULL)
1037 {
1038 lookup_fail(section,ENV_SERIAL);
1039 goto err;
1040 }
dfebac32
BM		 1041
1042 if (!extconf)
2c0d1012 1043 {
dfebac32
BM		 1044 /* no '-extfile' option, so we look for extensions
1045 * in the main configuration file */
2c0d1012 1046 if (!extensions)
2c0d1012 1047 {
b7a26e6d 1048 extensions=NCONF_get_string(conf,section,
dfebac32
BM		 1049 ENV_EXTENSIONS);
1050 if (!extensions)
1051 ERR_clear_error();
1052 }
1053 if (extensions)
1054 {
1055 /* Check syntax of file */
1056 X509V3_CTX ctx;
1057 X509V3_set_ctx_test(&ctx);
b7a26e6d
DSH		 1058 X509V3_set_nconf(&ctx, conf);
1059 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions,
dfebac32
BM		 1060 NULL))
1061 {
1062 BIO_printf(bio_err,
1063 "Error Loading extension section %s\n",
b2347661 1064 extensions);
dfebac32
BM		 1065 ret = 1;
1066 goto err;
1067 }
2c0d1012 1068 }
d02b48c6
RE		 1069 }
1070
58964a49
RE		 1071 if (startdate == NULL)
1072 {
b7a26e6d 1073 startdate=NCONF_get_string(conf,section,
58964a49 1074 ENV_DEFAULT_STARTDATE);
2c0d1012
BM		 1075 if (startdate == NULL)
1076 ERR_clear_error();
ed7f60fb
DSH		 1077 }
1078 if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
1079 {
1080 BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
1081 goto err;
1082 }
1083 if (startdate == NULL) startdate="today";
1084
1085 if (enddate == NULL)
1086 {
b7a26e6d 1087 enddate=NCONF_get_string(conf,section,
ed7f60fb 1088 ENV_DEFAULT_ENDDATE);
2c0d1012
BM		 1089 if (enddate == NULL)
1090 ERR_clear_error();
ed7f60fb
DSH		 1091 }
1092 if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
1093 {
1094 BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
1095 goto err;
58964a49
RE		 1096 }
1097
d02b48c6
RE		 1098 if (days == 0)
1099 {
b7a26e6d
DSH		 1100 if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days))
1101 days = 0;
d02b48c6 1102 }
ed7f60fb 1103 if (!enddate && (days == 0))
d02b48c6
RE		 1104 {
1105 BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
1106 goto err;
1107 }
1108
f85b68cd 1109 if ((serial=load_serial(serialfile, 0, NULL)) == NULL)
d02b48c6
RE		 1110 {
1111 BIO_printf(bio_err,"error while loading serial number\n");
1112 goto err;
1113 }
1114 if (verbose)
1115 {
2245cd87
RL		 1116 if (BN_is_zero(serial))
1117 BIO_printf(bio_err,"next serial number is 00\n");
1118 else
1119 {
1120 if ((f=BN_bn2hex(serial)) == NULL) goto err;
1121 BIO_printf(bio_err,"next serial number is %s\n",f);
1122 OPENSSL_free(f);
1123 }
d02b48c6
RE		 1124 }
1125
b7a26e6d 1126 if ((attribs=NCONF_get_section(conf,policy)) == NULL)
d02b48c6
RE		 1127 {
1128 BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
1129 goto err;
1130 }
1131
b4604683 1132 if ((cert_sk=sk_X509_new_null()) == NULL)
d02b48c6 1133 {
26a3a48d 1134 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1135 goto err;
1136 }
1137 if (spkac_file != NULL)
1138 {
1139 total++;
1140 j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
7ce9e425 1141 serial,subj,multirdn,email_dn,startdate,enddate,days,extensions,
89da653f 1142 conf,verbose,certopt,nameopt,default_op,ext_copy);
d02b48c6
RE		 1143 if (j < 0) goto err;
1144 if (j > 0)
1145 {
1146 total_done++;
1147 BIO_printf(bio_err,"\n");
1148 if (!BN_add_word(serial,1)) goto err;
b4604683 1149 if (!sk_X509_push(cert_sk,x))
d02b48c6 1150 {
26a3a48d 1151 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1152 goto err;
1153 }
1154 if (outfile)
1155 {
1156 output_der = 1;
1157 batch = 1;
1158 }
1159 }
1160 }
58964a49
RE		 1161 if (ss_cert_file != NULL)
1162 {
1163 total++;
1164 j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
7ce9e425 1165 db,serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
535d79da 1166 extensions,conf,verbose, certopt, nameopt,
ce16450a 1167 default_op, ext_copy, e);
58964a49
RE		 1168 if (j < 0) goto err;
1169 if (j > 0)
1170 {
1171 total_done++;
1172 BIO_printf(bio_err,"\n");
1173 if (!BN_add_word(serial,1)) goto err;
b4604683 1174 if (!sk_X509_push(cert_sk,x))
58964a49 1175 {
26a3a48d 1176 BIO_printf(bio_err,"Memory allocation failure\n");
58964a49
RE		 1177 goto err;
1178 }
1179 }
1180 }
d02b48c6
RE		 1181 if (infile != NULL)
1182 {
1183 total++;
16b1b035 1184 j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
7ce9e425 1185 serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
535d79da 1186 extensions,conf,verbose, certopt, nameopt,
16b1b035 1187 default_op, ext_copy, selfsign);
d02b48c6
RE		 1188 if (j < 0) goto err;
1189 if (j > 0)
1190 {
1191 total_done++;
1192 BIO_printf(bio_err,"\n");
1193 if (!BN_add_word(serial,1)) goto err;
b4604683 1194 if (!sk_X509_push(cert_sk,x))
d02b48c6 1195 {
26a3a48d 1196 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1197 goto err;
1198 }
1199 }
1200 }
1201 for (i=0; i<argc; i++)
1202 {
1203 total++;
16b1b035 1204 j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
7ce9e425 1205 serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
535d79da 1206 extensions,conf,verbose, certopt, nameopt,
16b1b035 1207 default_op, ext_copy, selfsign);
d02b48c6
RE		 1208 if (j < 0) goto err;
1209 if (j > 0)
1210 {
1211 total_done++;
1212 BIO_printf(bio_err,"\n");
1213 if (!BN_add_word(serial,1)) goto err;
b4604683 1214 if (!sk_X509_push(cert_sk,x))
d02b48c6 1215 {
26a3a48d 1216 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1217 goto err;
1218 }
1219 }
1220 }
1221 /* we have a stack of newly certified certificates
1222 * and a data base and serial number that need
1223 * updating */
1224
b4604683 1225 if (sk_X509_num(cert_sk) > 0)
d02b48c6
RE		 1226 {
1227 if (!batch)
1228 {
1229 BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
d58d092b 1230 (void)BIO_flush(bio_err);
d02b48c6
RE		 1231 buf[0][0]='\0';
1232 fgets(buf[0],10,stdin);
1233 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
1234 {
1235 BIO_printf(bio_err,"CERTIFICATION CANCELED\n");
1236 ret=0;
1237 goto err;
1238 }
1239 }
1240
b4604683 1241 BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
d02b48c6 1242
4c771796 1243 if (!save_serial(serialfile,"new",serial,NULL)) goto err;
7d7d2cbc 1244
f85b68cd 1245 if (!save_index(dbfile, "new", db)) goto err;
d02b48c6
RE		 1246 }
1247
1248 if (verbose)
1249 BIO_printf(bio_err,"writing new certificates\n");
b4604683 1250 for (i=0; i<sk_X509_num(cert_sk); i++)
d02b48c6
RE		 1251 {
1252 int k;
1253 unsigned char *n;
1254
b4604683 1255 x=sk_X509_value(cert_sk,i);
d02b48c6
RE		 1256
1257 j=x->cert_info->serialNumber->length;
1258 p=(char *)x->cert_info->serialNumber->data;
1259
c8632017 1260 if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
54a656ef
BL		 1261 {
1262 BIO_printf(bio_err,"certificate file name too long\n");
1263 goto err;
1264 }
1265
1266 strcpy(buf[2],outdir);
7d7d2cbc 1267
bc36ee62 1268#ifndef OPENSSL_SYS_VMS
d02b48c6 1269 strcat(buf[2],"/");
7d7d2cbc
UM		 1270#endif
1271
d02b48c6
RE		 1272 n=(unsigned char *)&(buf[2][strlen(buf[2])]);
1273 if (j > 0)
1274 {
1275 for (k=0; k<j; k++)
1276 {
58964a49 1277 sprintf((char *)n,"%02X",(unsigned char)*(p++));
d02b48c6
RE		 1278 n+=2;
1279 }
1280 }
1281 else
1282 {
1283 *(n++)='0';
1284 *(n++)='0';
1285 }
1286 *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
1287 *n='\0';
1288 if (verbose)
1289 BIO_printf(bio_err,"writing %s\n",buf[2]);
1290
1291 if (BIO_write_filename(Cout,buf[2]) <= 0)
1292 {
1293 perror(buf[2]);
1294 goto err;
1295 }
82fc1d9c
DSH		 1296 write_new_certificate(Cout,x, 0, notext);
1297 write_new_certificate(Sout,x, output_der, notext);
d02b48c6
RE		 1298 }
1299
b4604683 1300 if (sk_X509_num(cert_sk))
d02b48c6
RE		 1301 {
1302 /* Rename the database and the serial file */
4c771796 1303 if (!rotate_serial(serialfile,"new","old")) goto err;
d02b48c6 1304
f85b68cd 1305 if (!rotate_index(dbfile,"new","old")) goto err;
7d7d2cbc 1306
d02b48c6
RE		 1307 BIO_printf(bio_err,"Data Base Updated\n");
1308 }
1309 }
1310
1311 /*****************************************************************/
1312 if (gencrl)
1313 {
a6b7ffdd 1314 int crl_v2 = 0;
2c0d1012
BM		 1315 if (!crl_ext)
1316 {
b7a26e6d 1317 crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT);
2c0d1012
BM		 1318 if (!crl_ext)
1319 ERR_clear_error();
1320 }
1321 if (crl_ext)
1322 {
1756d405 1323 /* Check syntax of file */
41b731f2
DSH		 1324 X509V3_CTX ctx;
1325 X509V3_set_ctx_test(&ctx);
b7a26e6d
DSH		 1326 X509V3_set_nconf(&ctx, conf);
1327 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL))
2c0d1012 1328 {
1756d405
DSH		 1329 BIO_printf(bio_err,
1330 "Error Loading CRL extension section %s\n",
1331 crl_ext);
1332 ret = 1;
1333 goto err;
2c0d1012 1334 }
1756d405 1335 }
d02b48c6 1336
fd4ef699
RL		 1337 if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
1338 != NULL)
1339 if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
1340 {
1341 BIO_printf(bio_err,"error while loading CRL number\n");
1342 goto err;
1343 }
1344
d02b48c6
RE		 1345 if (!crldays && !crlhours)
1346 {
b7a26e6d
DSH		 1347 if (!NCONF_get_number(conf,section,
1348 ENV_DEFAULT_CRL_DAYS, &crldays))
1349 crldays = 0;
1350 if (!NCONF_get_number(conf,section,
1351 ENV_DEFAULT_CRL_HOURS, &crlhours))
1352 crlhours = 0;
d02b48c6
RE		 1353 }
1354 if ((crldays == 0) && (crlhours == 0))
1355 {
7e661761 1356 BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
d02b48c6
RE		 1357 goto err;
1358 }
1359
1360 if (verbose) BIO_printf(bio_err,"making CRL\n");
1361 if ((crl=X509_CRL_new()) == NULL) goto err;
7e661761 1362 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;
d02b48c6 1363
35bf3541
DSH		 1364 tmptm = ASN1_TIME_new();
1365 if (!tmptm) goto err;
1366 X509_gmtime_adj(tmptm,0);
1367 X509_CRL_set_lastUpdate(crl, tmptm);
1368 X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
1369 X509_CRL_set_nextUpdate(crl, tmptm);
1370
1371 ASN1_TIME_free(tmptm);
d02b48c6 1372
f85b68cd 1373 for (i=0; i<sk_num(db->db->data); i++)
d02b48c6 1374 {
f85b68cd 1375 pp=(char **)sk_value(db->db->data,i);
d02b48c6
RE		 1376 if (pp[DB_type][0] == DB_TYPE_REV)
1377 {
1378 if ((r=X509_REVOKED_new()) == NULL) goto err;
a6b7ffdd
DSH		 1379 j = make_revoked(r, pp[DB_rev_date]);
1380 if (!j) goto err;
1381 if (j == 2) crl_v2 = 1;
acba75c5
DSH		 1382 if (!BN_hex2bn(&serial, pp[DB_serial]))
1383 goto err;
35bf3541 1384 tmpser = BN_to_ASN1_INTEGER(serial, NULL);
acba75c5
DSH		 1385 BN_free(serial);
1386 serial = NULL;
35bf3541 1387 if (!tmpser)
d02b48c6 1388 goto err;
35bf3541
DSH		 1389 X509_REVOKED_set_serialNumber(r, tmpser);
1390 ASN1_INTEGER_free(tmpser);
9d6b1ce6 1391 X509_CRL_add0_revoked(crl,r);
d02b48c6
RE		 1392 }
1393 }
35bf3541 1394
d02b48c6
RE		 1395 /* sort the data so it will be written in serial
1396 * number order */
35bf3541 1397 X509_CRL_sort(crl);
d02b48c6 1398
13e91dd3 1399 /* we now have a CRL */
d02b48c6
RE		 1400 if (verbose) BIO_printf(bio_err,"signing CRL\n");
1401 if (md != NULL)
1402 {
1403 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1404 {
1405 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1406 goto err;
1407 }
1408 }
1409 else
c67cdb50 1410 {
cf1b7d96 1411#ifndef OPENSSL_NO_DSA
c67cdb50
BM		 1412 if (pkey->type == EVP_PKEY_DSA)
1413 dgst=EVP_dss1();
1414 else
4d94ae00
BM		 1415#endif
1416#ifndef OPENSSL_NO_ECDSA
5488bb61 1417 if (pkey->type == EVP_PKEY_EC)
4d94ae00
BM		 1418 dgst=EVP_ecdsa();
1419 else
13e91dd3 1420#endif
c67cdb50
BM		 1421 dgst=EVP_md5();
1422 }
512d2228 1423
1756d405
DSH		 1424 /* Add any extensions asked for */
1425
fd4ef699 1426 if (crl_ext || crlnumberfile != NULL)
c67cdb50
BM		 1427 {
1428 X509V3_CTX crlctx;
c67cdb50 1429 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
b7a26e6d 1430 X509V3_set_nconf(&crlctx, conf);
1756d405 1431
fd4ef699
RL		 1432 if (crl_ext)
1433 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1434 crl_ext, crl)) goto err;
1435 if (crlnumberfile != NULL)
1436 {
1437 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1438 if (!tmpser) goto err;
1439 X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
1440 ASN1_INTEGER_free(tmpser);
1441 crl_v2 = 1;
1442 if (!BN_add_word(crlnumber,1)) goto err;
1443 }
c67cdb50 1444 }
a6b7ffdd
DSH		 1445 if (crl_ext || crl_v2)
1446 {
35bf3541
DSH		 1447 if (!X509_CRL_set_version(crl, 1))
1448 goto err; /* version 2 CRL */
a6b7ffdd 1449 }
1756d405 1450
fd4ef699
RL		 1451
1452 if (crlnumberfile != NULL) /* we have a CRL number that need updating */
1453 if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
1454
d02b48c6
RE		 1455 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
1456
1457 PEM_write_bio_X509_CRL(Sout,crl);
fd4ef699
RL		 1458
1459 if (crlnumberfile != NULL) /* Rename the crlnumber file */
1460 if (!rotate_serial(crlnumberfile,"new","old")) goto err;
1461
d02b48c6
RE		 1462 }
1463 /*****************************************************************/
a36a1a51 1464 if (dorevoke)
f9a25931 1465 {
b1c4fe36
BM		 1466 if (infile == NULL)
1467 {
1468 BIO_printf(bio_err,"no input files\n");
1469 goto err;
1470 }
f9a25931
RE		 1471 else
1472 {
a0ad17bb 1473 X509 *revcert;
ce16450a
RL		 1474 revcert=load_cert(bio_err, infile, FORMAT_PEM,
1475 NULL, e, infile);
a0ad17bb 1476 if (revcert == NULL)
f9a25931 1477 goto err;
a6b7ffdd 1478 j=do_revoke(revcert,db, rev_type, rev_arg);
a0ad17bb
DSH		 1479 if (j <= 0) goto err;
1480 X509_free(revcert);
f9a25931 1481
f85b68cd
RL		 1482 if (!save_index(dbfile, "new", db)) goto err;
1483
1484 if (!rotate_index(dbfile, "new", "old")) goto err;
54a656ef 1485
b1c4fe36
BM		 1486 BIO_printf(bio_err,"Data Base Updated\n");
1487 }
f9a25931
RE		 1488 }
1489 /*****************************************************************/
d02b48c6
RE		 1490 ret=0;
1491err:
54a656ef
BL		 1492 if(tofree)
1493 OPENSSL_free(tofree);
645749ef
RL		 1494 BIO_free_all(Cout);
1495 BIO_free_all(Sout);
1496 BIO_free_all(out);
ce16450a 1497 BIO_free_all(in);
d02b48c6 1498
4e78074b
RL		 1499 if (cert_sk)
1500 sk_X509_pop_free(cert_sk,X509_free);
d02b48c6
RE		 1501
1502 if (ret) ERR_print_errors(bio_err);
a31011e8 1503 app_RAND_write_file(randfile, bio_err);
09ad2458 1504 if (free_key && key)
b65f8513 1505 OPENSSL_free(key);
a43aa73e 1506 BN_free(serial);
f85b68cd 1507 free_index(db);
a43aa73e 1508 EVP_PKEY_free(pkey);
16b1b035 1509 if (x509) X509_free(x509);
a43aa73e 1510 X509_CRL_free(crl);
b7a26e6d 1511 NCONF_free(conf);
a43aa73e 1512 OBJ_cleanup();
ce16450a 1513 apps_shutdown();
1c3e4a36 1514 OPENSSL_EXIT(ret);
d02b48c6
RE		 1515 }
1516
6b691a5c 1517static void lookup_fail(char *name, char *tag)
d02b48c6
RE		 1518 {
1519 BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
1520 }
1521
6b691a5c 1522static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
f85b68cd 1523 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
7ce9e425 1524 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
89da653f 1525 long days, int batch, char *ext_sect, CONF *lconf, int verbose,
535d79da 1526 unsigned long certopt, unsigned long nameopt, int default_op,
16b1b035 1527 int ext_copy, int selfsign)
d02b48c6
RE		 1528 {
1529 X509_REQ *req=NULL;
1530 BIO *in=NULL;
1531 EVP_PKEY *pktmp=NULL;
1532 int ok= -1,i;
1533
1534 in=BIO_new(BIO_s_file());
1535
1536 if (BIO_read_filename(in,infile) <= 0)
1537 {
1538 perror(infile);
1539 goto err;
1540 }
74678cc2 1541 if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
d02b48c6
RE		 1542 {
1543 BIO_printf(bio_err,"Error reading certificate request in %s\n",
1544 infile);
1545 goto err;
1546 }
1547 if (verbose)
1548 X509_REQ_print(bio_err,req);
1549
1550 BIO_printf(bio_err,"Check that the request matches the signature\n");
1551
16b1b035
RL		 1552 if (selfsign && !X509_REQ_check_private_key(req,pkey))
1553 {
1554 BIO_printf(bio_err,"Certificate request and CA private key do not match\n");
1555 ok=0;
1556 goto err;
1557 }
d02b48c6
RE		 1558 if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
1559 {
1560 BIO_printf(bio_err,"error unpacking public key\n");
1561 goto err;
1562 }
1563 i=X509_REQ_verify(req,pktmp);
10061c7c 1564 EVP_PKEY_free(pktmp);
d02b48c6
RE		 1565 if (i < 0)
1566 {
1567 ok=0;
1568 BIO_printf(bio_err,"Signature verification problems....\n");
1569 goto err;
1570 }
1571 if (i == 0)
1572 {
1573 ok=0;
1574 BIO_printf(bio_err,"Signature did not match the certificate request\n");
1575 goto err;
1576 }
1577 else
1578 BIO_printf(bio_err,"Signature ok\n");
1579
7ce9e425 1580 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, multirdn, email_dn,
89da653f 1581 startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
16b1b035 1582 certopt, nameopt, default_op, ext_copy, selfsign);
d02b48c6
RE		 1583
1584err:
1585 if (req != NULL) X509_REQ_free(req);
1586 if (in != NULL) BIO_free(in);
1587 return(ok);
1588 }
1589
6b691a5c 1590static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
f85b68cd 1591 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
7ce9e425 1592 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
89da653f 1593 long days, int batch, char *ext_sect, CONF *lconf, int verbose,
535d79da 1594 unsigned long certopt, unsigned long nameopt, int default_op,
ce16450a 1595 int ext_copy, ENGINE *e)
58964a49
RE		 1596 {
1597 X509 *req=NULL;
1598 X509_REQ *rreq=NULL;
58964a49
RE		 1599 EVP_PKEY *pktmp=NULL;
1600 int ok= -1,i;
1601
ce16450a 1602 if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
58964a49 1603 goto err;
58964a49
RE		 1604 if (verbose)
1605 X509_print(bio_err,req);
1606
1607 BIO_printf(bio_err,"Check that the request matches the signature\n");
1608
1609 if ((pktmp=X509_get_pubkey(req)) == NULL)
1610 {
1611 BIO_printf(bio_err,"error unpacking public key\n");
1612 goto err;
1613 }
1614 i=X509_verify(req,pktmp);
10061c7c 1615 EVP_PKEY_free(pktmp);
58964a49
RE		 1616 if (i < 0)
1617 {
1618 ok=0;
1619 BIO_printf(bio_err,"Signature verification problems....\n");
1620 goto err;
1621 }
1622 if (i == 0)
1623 {
1624 ok=0;
dfeab068 1625 BIO_printf(bio_err,"Signature did not match the certificate\n");
58964a49
RE		 1626 goto err;
1627 }
1628 else
1629 BIO_printf(bio_err,"Signature ok\n");
1630
1631 if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
1632 goto err;
1633
7ce9e425 1634 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
89da653f 1635 days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
16b1b035 1636 ext_copy, 0);
58964a49
RE		 1637
1638err:
1639 if (rreq != NULL) X509_REQ_free(rreq);
1640 if (req != NULL) X509_free(req);
58964a49
RE		 1641 return(ok);
1642 }
1643
6b691a5c 1644static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
f85b68cd 1645 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
7ce9e425 1646 int multirdn,
89da653f
BM		 1647 int email_dn, char *startdate, char *enddate, long days, int batch,
1648 int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
535d79da 1649 unsigned long certopt, unsigned long nameopt, int default_op,
16b1b035 1650 int ext_copy, int selfsign)
d02b48c6 1651 {
89da653f 1652 X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
58964a49 1653 ASN1_UTCTIME *tm,*tmptm;
d02b48c6
RE		 1654 ASN1_STRING *str,*str2;
1655 ASN1_OBJECT *obj;
1656 X509 *ret=NULL;
1657 X509_CINF *ci;
1658 X509_NAME_ENTRY *ne;
1659 X509_NAME_ENTRY *tne,*push;
d02b48c6
RE		 1660 EVP_PKEY *pktmp;
1661 int ok= -1,i,j,last,nid;
1662 char *p;
1663 CONF_VALUE *cv;
f85b68cd 1664 char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
535d79da 1665 char buf[25];
d02b48c6 1666
58964a49
RE		 1667 tmptm=ASN1_UTCTIME_new();
1668 if (tmptm == NULL)
1669 {
1670 BIO_printf(bio_err,"malloc error\n");
1671 return(0);
1672 }
1673
d02b48c6
RE		 1674 for (i=0; i<DB_NUMBER; i++)
1675 row[i]=NULL;
1676
bad40585
BM		 1677 if (subj)
1678 {
6d5ffb59 1679 X509_NAME *n = parse_name(subj, MBSTRING_ASC, multirdn);
bad40585
BM		 1680
1681 if (!n)
1682 {
1683 ERR_print_errors(bio_err);
1684 goto err;
1685 }
1686 X509_REQ_set_subject_name(req,n);
1687 req->req_info->enc.modified = 1;
1688 X509_NAME_free(n);
1689 }
1690
535d79da
DSH		 1691 if (default_op)
1692 BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
89da653f 1693
d02b48c6
RE		 1694 name=X509_REQ_get_subject_name(req);
1695 for (i=0; i<X509_NAME_entry_count(name); i++)
1696 {
535d79da 1697 ne= X509_NAME_get_entry(name,i);
d02b48c6 1698 str=X509_NAME_ENTRY_get_data(ne);
535d79da 1699 obj=X509_NAME_ENTRY_get_object(ne);
d02b48c6
RE		 1700
1701 if (msie_hack)
1702 {
1703 /* assume all type should be strings */
1704 nid=OBJ_obj2nid(ne->object);
1705
1706 if (str->type == V_ASN1_UNIVERSALSTRING)
1707 ASN1_UNIVERSALSTRING_to_string(str);
1708
1709 if ((str->type == V_ASN1_IA5STRING) &&
1710 (nid != NID_pkcs9_emailAddress))
1711 str->type=V_ASN1_T61STRING;
1712
1713 if ((nid == NID_pkcs9_emailAddress) &&
1714 (str->type == V_ASN1_PRINTABLESTRING))
1715 str->type=V_ASN1_IA5STRING;
1716 }
1717
89da653f
BM		 1718 /* If no EMAIL is wanted in the subject */
1719 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1720 continue;
1721
d02b48c6
RE		 1722 /* check some things */
1723 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1724 (str->type != V_ASN1_IA5STRING))
1725 {
1726 BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
1727 goto err;
1728 }
e7156ff2 1729 if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING))
d02b48c6 1730 {
e7156ff2
DSH		 1731 j=ASN1_PRINTABLE_type(str->data,str->length);
1732 if ( ((j == V_ASN1_T61STRING) &&
1733 (str->type != V_ASN1_T61STRING)) ||
1734 ((j == V_ASN1_IA5STRING) &&
1735 (str->type == V_ASN1_PRINTABLESTRING)))
1736 {
1737 BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
1738 goto err;
1739 }
d02b48c6 1740 }
535d79da
DSH		 1741
1742 if (default_op)
1743 old_entry_print(bio_err, obj, str);
d02b48c6
RE		 1744 }
1745
1746 /* Ok, now we check the 'policy' stuff. */
1747 if ((subject=X509_NAME_new()) == NULL)
1748 {
26a3a48d 1749 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1750 goto err;
1751 }
1752
1753 /* take a copy of the issuer name before we mess with it. */
16b1b035
RL		 1754 if (selfsign)
1755 CAname=X509_NAME_dup(name);
1756 else
1757 CAname=X509_NAME_dup(x509->cert_info->subject);
d02b48c6
RE		 1758 if (CAname == NULL) goto err;
1759 str=str2=NULL;
1760
ba404b5e 1761 for (i=0; i<sk_CONF_VALUE_num(policy); i++)
d02b48c6 1762 {
ba404b5e 1763 cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
d02b48c6
RE		 1764 if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
1765 {
1766 BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
1767 goto err;
1768 }
1769 obj=OBJ_nid2obj(j);
1770
1771 last= -1;
1772 for (;;)
1773 {
1774 /* lookup the object in the supplied name list */
1775 j=X509_NAME_get_index_by_OBJ(name,obj,last);
1776 if (j < 0)
1777 {
1778 if (last != -1) break;
1779 tne=NULL;
1780 }
1781 else
1782 {
1783 tne=X509_NAME_get_entry(name,j);
1784 }
1785 last=j;
1786
1787 /* depending on the 'policy', decide what to do. */
1788 push=NULL;
1789 if (strcmp(cv->value,"optional") == 0)
1790 {
1791 if (tne != NULL)
1792 push=tne;
1793 }
1794 else if (strcmp(cv->value,"supplied") == 0)
1795 {
1796 if (tne == NULL)
1797 {
1798 BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
1799 goto err;
1800 }
1801 else
1802 push=tne;
1803 }
1804 else if (strcmp(cv->value,"match") == 0)
1805 {
1806 int last2;
1807
1808 if (tne == NULL)
1809 {
1810 BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
1811 goto err;
1812 }
1813
1814 last2= -1;
1815
1816again2:
1817 j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
1818 if ((j < 0) && (last2 == -1))
1819 {
1820 BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
1821 goto err;
1822 }
1823 if (j >= 0)
1824 {
1825 push=X509_NAME_get_entry(CAname,j);
1826 str=X509_NAME_ENTRY_get_data(tne);
1827 str2=X509_NAME_ENTRY_get_data(push);
1828 last2=j;
1829 if (ASN1_STRING_cmp(str,str2) != 0)
1830 goto again2;
1831 }
1832 if (j < 0)
1833 {
c6125200 1834 BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
d02b48c6
RE		 1835 goto err;
1836 }
1837 }
1838 else
1839 {
1840 BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
1841 goto err;
1842 }
1843
1844 if (push != NULL)
1845 {
74400f73 1846 if (!X509_NAME_add_entry(subject,push, -1, 0))
d02b48c6
RE		 1847 {
1848 if (push != NULL)
1849 X509_NAME_ENTRY_free(push);
26a3a48d 1850 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1851 goto err;
1852 }
1853 }
1854 if (j < 0) break;
1855 }
1856 }
1857
1858 if (preserve)
1859 {
1860 X509_NAME_free(subject);
89da653f
BM		 1861 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1862 subject=X509_NAME_dup(name);
d02b48c6
RE		 1863 if (subject == NULL) goto err;
1864 }
1865
1866 if (verbose)
657e60fa 1867 BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
d02b48c6 1868
89da653f
BM		 1869 /* Build the correct Subject if no e-mail is wanted in the subject */
1870 /* and add it later on because of the method extensions are added (altName) */
1871
437db75b
DSH		 1872 if (email_dn)
1873 dn_subject = subject;
1874 else
89da653f 1875 {
437db75b
DSH		 1876 X509_NAME_ENTRY *tmpne;
1877 /* Its best to dup the subject DN and then delete any email
1878 * addresses because this retains its structure.
1879 */
1880 if (!(dn_subject = X509_NAME_dup(subject)))
89da653f
BM		 1881 {
1882 BIO_printf(bio_err,"Memory allocation failure\n");
1883 goto err;
1884 }
437db75b 1885 while((i = X509_NAME_get_index_by_NID(dn_subject,
6229a560 1886 NID_pkcs9_emailAddress, -1)) >= 0)
89da653f 1887 {
437db75b
DSH		 1888 tmpne = X509_NAME_get_entry(dn_subject, i);
1889 X509_NAME_delete_entry(dn_subject, i);
1890 X509_NAME_ENTRY_free(tmpne);
89da653f
BM		 1891 }
1892 }
1893
2245cd87
RL		 1894 if (BN_is_zero(serial))
1895 row[DB_serial]=BUF_strdup("00");
1896 else
1897 row[DB_serial]=BN_bn2hex(serial);
87e8feca 1898 if (row[DB_serial] == NULL)
d02b48c6 1899 {
26a3a48d 1900 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 1901 goto err;
1902 }
1903
f85b68cd 1904 if (db->attributes.unique_subject)
d02b48c6 1905 {
f85b68cd
RL		 1906 rrow=TXT_DB_get_by_index(db->db,DB_name,row);
1907 if (rrow != NULL)
1908 {
1909 BIO_printf(bio_err,
1910 "ERROR:There is already a certificate for %s\n",
1911 row[DB_name]);
1912 }
d02b48c6 1913 }
f85b68cd 1914 if (rrow == NULL)
d02b48c6 1915 {
f85b68cd 1916 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
d02b48c6
RE		 1917 if (rrow != NULL)
1918 {
1919 BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
1920 row[DB_serial]);
1921 BIO_printf(bio_err," check the database/serial_file for corruption\n");
1922 }
1923 }
1924
1925 if (rrow != NULL)
1926 {
1927 BIO_printf(bio_err,
1928 "The matching entry has the following details\n");
1929 if (rrow[DB_type][0] == 'E')
1930 p="Expired";
1931 else if (rrow[DB_type][0] == 'R')
1932 p="Revoked";
1933 else if (rrow[DB_type][0] == 'V')
1934 p="Valid";
1935 else
1936 p="\ninvalid type, Data base error\n";
b1c4fe36 1937 BIO_printf(bio_err,"Type :%s\n",p);;
d02b48c6
RE		 1938 if (rrow[DB_type][0] == 'R')
1939 {
1940 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1941 BIO_printf(bio_err,"Was revoked on:%s\n",p);
1942 }
1943 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1944 BIO_printf(bio_err,"Expires on :%s\n",p);
1945 p=rrow[DB_serial]; if (p == NULL) p="undef";
1946 BIO_printf(bio_err,"Serial Number :%s\n",p);
1947 p=rrow[DB_file]; if (p == NULL) p="undef";
1948 BIO_printf(bio_err,"File name :%s\n",p);
1949 p=rrow[DB_name]; if (p == NULL) p="undef";
1950 BIO_printf(bio_err,"Subject Name :%s\n",p);
1951 ok= -1; /* This is now a 'bad' error. */
1952 goto err;
1953 }
1954
657e60fa 1955 /* We are now totally happy, lets make and sign the certificate */
d02b48c6
RE		 1956 if (verbose)
1957 BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
1958
1959 if ((ret=X509_new()) == NULL) goto err;
1960 ci=ret->cert_info;
1961
1962#ifdef X509_V3
1963 /* Make it an X509 v3 certificate. */
c4448f60 1964 if (!X509_set_version(ret,2)) goto err;
d02b48c6
RE		 1965#endif
1966
1967 if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
1968 goto err;
16b1b035
RL		 1969 if (selfsign)
1970 {
1971 if (!X509_set_issuer_name(ret,subject))
1972 goto err;
1973 }
1974 else
1975 {
1976 if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
1977 goto err;
1978 }
d02b48c6 1979
58964a49 1980 if (strcmp(startdate,"today") == 0)
58964a49 1981 X509_gmtime_adj(X509_get_notBefore(ret),0);
ed7f60fb
DSH		 1982 else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
1983
1984 if (enddate == NULL)
58964a49 1985 X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
ed7f60fb
DSH		 1986 else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
1987
d02b48c6
RE		 1988 if (!X509_set_subject_name(ret,subject)) goto err;
1989
1990 pktmp=X509_REQ_get_pubkey(req);
10061c7c
DSH		 1991 i = X509_set_pubkey(ret,pktmp);
1992 EVP_PKEY_free(pktmp);
1993 if (!i) goto err;
d02b48c6
RE		 1994
1995 /* Lets add the extensions, if there are any */
b2347661 1996 if (ext_sect)
d02b48c6 1997 {
175b0942 1998 X509V3_CTX ctx;
d02b48c6
RE		 1999 if (ci->version == NULL)
2000 if ((ci->version=ASN1_INTEGER_new()) == NULL)
2001 goto err;
2002 ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
2003
2004 /* Free the current entries if any, there should not
657e60fa 2005 * be any I believe */
d02b48c6 2006 if (ci->extensions != NULL)
0b3f827c
BL		 2007 sk_X509_EXTENSION_pop_free(ci->extensions,
2008 X509_EXTENSION_free);
d02b48c6 2009
b2347661
DSH		 2010 ci->extensions = NULL;
2011
dfebac32 2012 /* Initialize the context structure */
16b1b035
RL		 2013 if (selfsign)
2014 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
2015 else
2016 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
175b0942 2017
dfebac32
BM		 2018 if (extconf)
2019 {
2020 if (verbose)
2021 BIO_printf(bio_err, "Extra configuration file found\n");
2022
2023 /* Use the extconf configuration db LHASH */
b7a26e6d 2024 X509V3_set_nconf(&ctx, extconf);
dfebac32
BM		 2025
2026 /* Test the structure (needed?) */
2027 /* X509V3_set_ctx_test(&ctx); */
2028
2029 /* Adds exts contained in the configuration file */
b7a26e6d 2030 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret))
dfebac32
BM		 2031 {
2032 BIO_printf(bio_err,
2033 "ERROR: adding extensions in section %s\n",
2034 ext_sect);
2035 ERR_print_errors(bio_err);
2036 goto err;
2037 }
2038 if (verbose)
2039 BIO_printf(bio_err, "Successfully added extensions from file.\n");
2040 }
2041 else if (ext_sect)
2042 {
2043 /* We found extensions to be set from config file */
b7a26e6d 2044 X509V3_set_nconf(&ctx, lconf);
d02b48c6 2045
b7a26e6d 2046 if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret))
dfebac32
BM		 2047 {
2048 BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
2049 ERR_print_errors(bio_err);
2050 goto err;
2051 }
2052
2053 if (verbose)
2054 BIO_printf(bio_err, "Successfully added extensions from config\n");
2055 }
d02b48c6
RE		 2056 }
2057
791bd0cd
DSH		 2058 /* Copy extensions from request (if any) */
2059
2060 if (!copy_extensions(ret, req, ext_copy))
2061 {
2062 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
2063 ERR_print_errors(bio_err);
2064 goto err;
2065 }
2066
89da653f
BM		 2067 /* Set the right value for the noemailDN option */
2068 if( email_dn == 0 )
2069 {
2070 if (!X509_set_subject_name(ret,dn_subject)) goto err;
2071 }
791bd0cd
DSH		 2072
2073 if (!default_op)
2074 {
2075 BIO_printf(bio_err, "Certificate Details:\n");
2076 /* Never print signature details because signature not present */
2077 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2078 X509_print_ex(bio_err, ret, nameopt, certopt);
2079 }
2080
2081 BIO_printf(bio_err,"Certificate is to be certified until ");
2082 ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
3ae70939 2083 if (days) BIO_printf(bio_err," (%ld days)",days);
791bd0cd 2084 BIO_printf(bio_err, "\n");
d02b48c6
RE		 2085
2086 if (!batch)
2087 {
791bd0cd 2088
d02b48c6 2089 BIO_printf(bio_err,"Sign the certificate? [y/n]:");
d58d092b 2090 (void)BIO_flush(bio_err);
d02b48c6
RE		 2091 buf[0]='\0';
2092 fgets(buf,sizeof(buf)-1,stdin);
2093 if (!((buf[0] == 'y') || (buf[0] == 'Y')))
2094 {
2095 BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
2096 ok=0;
2097 goto err;
2098 }
2099 }
2100
dfeab068 2101
cf1b7d96 2102#ifndef OPENSSL_NO_DSA
c35f549e 2103 if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
b1c4fe36
BM		 2104 pktmp=X509_get_pubkey(ret);
2105 if (EVP_PKEY_missing_parameters(pktmp) &&
d02b48c6
RE		 2106 !EVP_PKEY_missing_parameters(pkey))
2107 EVP_PKEY_copy_parameters(pktmp,pkey);
10061c7c 2108 EVP_PKEY_free(pktmp);
d02b48c6 2109#endif
4d94ae00 2110#ifndef OPENSSL_NO_ECDSA
5488bb61 2111 if (pkey->type == EVP_PKEY_EC)
4d94ae00
BM		 2112 dgst = EVP_ecdsa();
2113 pktmp = X509_get_pubkey(ret);
2114 if (EVP_PKEY_missing_parameters(pktmp) &&
2115 !EVP_PKEY_missing_parameters(pkey))
2116 EVP_PKEY_copy_parameters(pktmp, pkey);
2117 EVP_PKEY_free(pktmp);
2118#endif
2119
d02b48c6
RE		 2120
2121 if (!X509_sign(ret,pkey,dgst))
2122 goto err;
2123
2124 /* We now just add it to the database */
26a3a48d 2125 row[DB_type]=(char *)OPENSSL_malloc(2);
d02b48c6
RE		 2126
2127 tm=X509_get_notAfter(ret);
26a3a48d 2128 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
d02b48c6
RE		 2129 memcpy(row[DB_exp_date],tm->data,tm->length);
2130 row[DB_exp_date][tm->length]='\0';
2131
2132 row[DB_rev_date]=NULL;
2133
2134 /* row[DB_serial] done already */
26a3a48d 2135 row[DB_file]=(char *)OPENSSL_malloc(8);
87e8feca 2136 row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
d02b48c6
RE		 2137
2138 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
87e8feca 2139 (row[DB_file] == NULL) || (row[DB_name] == NULL))
d02b48c6 2140 {
26a3a48d 2141 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 2142 goto err;
2143 }
2144 strcpy(row[DB_file],"unknown");
2145 row[DB_type][0]='V';
2146 row[DB_type][1]='\0';
2147
26a3a48d 2148 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
d02b48c6 2149 {
26a3a48d 2150 BIO_printf(bio_err,"Memory allocation failure\n");
d02b48c6
RE		 2151 goto err;
2152 }
2153
2154 for (i=0; i<DB_NUMBER; i++)
2155 {
2156 irow[i]=row[i];
2157 row[i]=NULL;
2158 }
2159 irow[DB_NUMBER]=NULL;
2160
f85b68cd 2161 if (!TXT_DB_insert(db->db,irow))
d02b48c6
RE		 2162 {
2163 BIO_printf(bio_err,"failed to update database\n");
f85b68cd 2164 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
d02b48c6
RE		 2165 goto err;
2166 }
2167 ok=1;
2168err:
2169 for (i=0; i<DB_NUMBER; i++)
26a3a48d 2170 if (row[i] != NULL) OPENSSL_free(row[i]);
d02b48c6
RE		 2171
2172 if (CAname != NULL)
2173 X509_NAME_free(CAname);
2174 if (subject != NULL)
2175 X509_NAME_free(subject);
437db75b
DSH		 2176 if ((dn_subject != NULL) && !email_dn)
2177 X509_NAME_free(dn_subject);
79875776
BM		 2178 if (tmptm != NULL)
2179 ASN1_UTCTIME_free(tmptm);
d02b48c6
RE		 2180 if (ok <= 0)
2181 {
2182 if (ret != NULL) X509_free(ret);
2183 ret=NULL;
2184 }
2185 else
2186 *xret=ret;
2187 return(ok);
2188 }
2189
82fc1d9c 2190static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
d02b48c6 2191 {
d02b48c6
RE		 2192
2193 if (output_der)
2194 {
2195 (void)i2d_X509_bio(bp,x);
2196 return;
2197 }
82fc1d9c
DSH		 2198#if 0
2199 /* ??? Not needed since X509_print prints all this stuff anyway */
d02b48c6
RE		 2200 f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
2201 BIO_printf(bp,"issuer :%s\n",f);
2202
2203 f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
2204 BIO_printf(bp,"subject:%s\n",f);
2205
2206 BIO_puts(bp,"serial :");
2207 i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
2208 BIO_puts(bp,"\n\n");
82fc1d9c 2209#endif
c67cdb50 2210 if (!notext)X509_print(bp,x);
d02b48c6 2211 PEM_write_bio_X509(bp,x);
d02b48c6
RE		 2212 }
2213
6b691a5c 2214static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
f85b68cd 2215 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
7ce9e425 2216 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
89da653f 2217 long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
535d79da 2218 unsigned long nameopt, int default_op, int ext_copy)
d02b48c6 2219 {
ba404b5e 2220 STACK_OF(CONF_VALUE) *sk=NULL;
d02b48c6
RE		 2221 LHASH *parms=NULL;
2222 X509_REQ *req=NULL;
2223 CONF_VALUE *cv=NULL;
2224 NETSCAPE_SPKI *spki = NULL;
d02b48c6
RE		 2225 X509_REQ_INFO *ri;
2226 char *type,*buf;
2227 EVP_PKEY *pktmp=NULL;
2228 X509_NAME *n=NULL;
2229 X509_NAME_ENTRY *ne=NULL;
2230 int ok= -1,i,j;
2231 long errline;
2232 int nid;
2233
2234 /*
2235 * Load input file into a hash table. (This is just an easy
2236 * way to read and parse the file, then put it into a convenient
2237 * STACK format).
2238 */
2239 parms=CONF_load(NULL,infile,&errline);
2240 if (parms == NULL)
2241 {
2242 BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
2243 ERR_print_errors(bio_err);
2244 goto err;
2245 }
2246
2247 sk=CONF_get_section(parms, "default");
ba404b5e 2248 if (sk_CONF_VALUE_num(sk) == 0)
d02b48c6
RE		 2249 {
2250 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2251 CONF_free(parms);
2252 goto err;
2253 }
2254
2255 /*
2256 * Now create a dummy X509 request structure. We don't actually
2257 * have an X509 request, but we have many of the components
2258 * (a public key, various DN components). The idea is that we
2259 * put these components into the right X509 request structure
2260 * and we can use the same code as if you had a real X509 request.
2261 */
2262 req=X509_REQ_new();
2263 if (req == NULL)
2264 {
2265 ERR_print_errors(bio_err);
2266 goto err;
2267 }
2268
2269 /*
2270 * Build up the subject name set.
2271 */
2272 ri=req->req_info;
2273 n = ri->subject;
2274
2275 for (i = 0; ; i++)
2276 {
ba404b5e 2277 if (sk_CONF_VALUE_num(sk) <= i) break;
d02b48c6 2278
ba404b5e 2279 cv=sk_CONF_VALUE_value(sk,i);
d02b48c6 2280 type=cv->name;
f9150e54
DSH		 2281 /* Skip past any leading X. X: X, etc to allow for
2282 * multiple instances
2283 */
c67cdb50
BM		 2284 for (buf = cv->name; *buf ; buf++)
2285 if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
2286 {
2287 buf++;
2288 if (*buf) type = buf;
2289 break;
2290 }
d02b48c6 2291
f9150e54 2292 buf=cv->value;
d02b48c6
RE		 2293 if ((nid=OBJ_txt2nid(type)) == NID_undef)
2294 {
2295 if (strcmp(type, "SPKAC") == 0)
2296 {
8ce97163 2297 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
d02b48c6
RE		 2298 if (spki == NULL)
2299 {
2300 BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
2301 ERR_print_errors(bio_err);
2302 goto err;
2303 }
2304 }
2305 continue;
2306 }
2307
89da653f
BM		 2308 /*
2309 if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
2310 continue;
2311 */
2312
d02b48c6
RE		 2313 j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
2314 if (fix_data(nid, &j) == 0)
2315 {
2316 BIO_printf(bio_err,
2317 "invalid characters in string %s\n",buf);
2318 goto err;
2319 }
2320
2321 if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
2322 (unsigned char *)buf,
2323 strlen(buf))) == NULL)
2324 goto err;
2325
74400f73 2326 if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
d02b48c6
RE		 2327 }
2328 if (spki == NULL)
2329 {
2330 BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
2331 infile);
2332 goto err;
2333 }
2334
2335 /*
2336 * Now extract the key from the SPKI structure.
2337 */
2338
2339 BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
2340
8ce97163 2341 if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
d02b48c6
RE		 2342 {
2343 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
2344 goto err;
2345 }
2346
2347 j = NETSCAPE_SPKI_verify(spki, pktmp);
2348 if (j <= 0)
2349 {
2350 BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
2351 goto err;
2352 }
2353 BIO_printf(bio_err,"Signature ok\n");
2354
2355 X509_REQ_set_pubkey(req,pktmp);
10061c7c 2356 EVP_PKEY_free(pktmp);
7ce9e425 2357 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
535d79da 2358 days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
16b1b035 2359 ext_copy, 0);
d02b48c6
RE		 2360err:
2361 if (req != NULL) X509_REQ_free(req);
2362 if (parms != NULL) CONF_free(parms);
d02b48c6
RE		 2363 if (spki != NULL) NETSCAPE_SPKI_free(spki);
2364 if (ne != NULL) X509_NAME_ENTRY_free(ne);
2365
2366 return(ok);
2367 }
2368
6b691a5c 2369static int fix_data(int nid, int *type)
d02b48c6
RE		 2370 {
2371 if (nid == NID_pkcs9_emailAddress)
2372 *type=V_ASN1_IA5STRING;
2373 if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
2374 *type=V_ASN1_T61STRING;
2375 if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
2376 *type=V_ASN1_T61STRING;
2377 if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
2378 return(0);
2379 if (nid == NID_pkcs9_unstructuredName)
2380 *type=V_ASN1_IA5STRING;
2381 return(1);
2382 }
2383
6b691a5c 2384static int check_time_format(char *str)
d02b48c6
RE		 2385 {
2386 ASN1_UTCTIME tm;
2387
2388 tm.data=(unsigned char *)str;
2389 tm.length=strlen(str);
2390 tm.type=V_ASN1_UTCTIME;
2391 return(ASN1_UTCTIME_check(&tm));
2392 }
2393
f85b68cd 2394static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
c67cdb50 2395 {
a6b7ffdd 2396 ASN1_UTCTIME *tm=NULL;
b1c4fe36 2397 char *row[DB_NUMBER],**rrow,**irow;
a6b7ffdd 2398 char *rev_str = NULL;
a0ad17bb 2399 BIGNUM *bn = NULL;
b1c4fe36
BM		 2400 int ok=-1,i;
2401
2402 for (i=0; i<DB_NUMBER; i++)
2403 row[i]=NULL;
a0ad17bb
DSH		 2404 row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
2405 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
2245cd87
RL		 2406 if (BN_is_zero(bn))
2407 row[DB_serial]=BUF_strdup("00");
2408 else
2409 row[DB_serial]=BN_bn2hex(bn);
a0ad17bb 2410 BN_free(bn);
b1c4fe36
BM		 2411 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2412 {
26a3a48d 2413 BIO_printf(bio_err,"Memory allocation failure\n");
b1c4fe36
BM		 2414 goto err;
2415 }
a0ad17bb
DSH		 2416 /* We have to lookup by serial number because name lookup
2417 * skips revoked certs
2418 */
f85b68cd 2419 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
b1c4fe36
BM		 2420 if (rrow == NULL)
2421 {
f85b68cd 2422 BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);
b1c4fe36
BM		 2423
2424 /* We now just add it to the database */
26a3a48d 2425 row[DB_type]=(char *)OPENSSL_malloc(2);
b1c4fe36
BM		 2426
2427 tm=X509_get_notAfter(x509);
26a3a48d 2428 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
b1c4fe36
BM		 2429 memcpy(row[DB_exp_date],tm->data,tm->length);
2430 row[DB_exp_date][tm->length]='\0';
2431
2432 row[DB_rev_date]=NULL;
2433
2434 /* row[DB_serial] done already */
26a3a48d 2435 row[DB_file]=(char *)OPENSSL_malloc(8);
b1c4fe36
BM		 2436
2437 /* row[DB_name] done already */
2438
2439 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2440 (row[DB_file] == NULL))
2441 {
26a3a48d 2442 BIO_printf(bio_err,"Memory allocation failure\n");
b1c4fe36
BM		 2443 goto err;
2444 }
2445 strcpy(row[DB_file],"unknown");
2446 row[DB_type][0]='V';
2447 row[DB_type][1]='\0';
2448
26a3a48d 2449 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
b1c4fe36 2450 {
26a3a48d 2451 BIO_printf(bio_err,"Memory allocation failure\n");
b1c4fe36
BM		 2452 goto err;
2453 }
2454
2455 for (i=0; i<DB_NUMBER; i++)
2456 {
2457 irow[i]=row[i];
2458 row[i]=NULL;
2459 }
2460 irow[DB_NUMBER]=NULL;
2461
f85b68cd 2462 if (!TXT_DB_insert(db->db,irow))
b1c4fe36
BM		 2463 {
2464 BIO_printf(bio_err,"failed to update database\n");
f85b68cd 2465 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
b1c4fe36
BM		 2466 goto err;
2467 }
2468
2469 /* Revoke Certificate */
a6b7ffdd 2470 ok = do_revoke(x509,db, type, value);
b1c4fe36 2471
b1c4fe36
BM		 2472 goto err;
2473
2474 }
35a99b63 2475 else if (index_name_cmp((const char **)row,(const char **)rrow))
b1c4fe36 2476 {
a0ad17bb
DSH		 2477 BIO_printf(bio_err,"ERROR:name does not match %s\n",
2478 row[DB_name]);
b1c4fe36
BM		 2479 goto err;
2480 }
2481 else if (rrow[DB_type][0]=='R')
2482 {
2483 BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
2484 row[DB_serial]);
2485 goto err;
2486 }
2487 else
2488 {
2489 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
a6b7ffdd
DSH		 2490 rev_str = make_revocation_str(type, value);
2491 if (!rev_str)
2492 {
2493 BIO_printf(bio_err, "Error in revocation arguments\n");
2494 goto err;
2495 }
b1c4fe36
BM		 2496 rrow[DB_type][0]='R';
2497 rrow[DB_type][1]='\0';
a6b7ffdd 2498 rrow[DB_rev_date] = rev_str;
b1c4fe36
BM		 2499 }
2500 ok=1;
f9a25931 2501err:
b1c4fe36
BM		 2502 for (i=0; i<DB_NUMBER; i++)
2503 {
2504 if (row[i] != NULL)
26a3a48d 2505 OPENSSL_free(row[i]);
b1c4fe36 2506 }
b1c4fe36 2507 return(ok);
c67cdb50
BM		 2508 }
2509
f85b68cd 2510static int get_certificate_status(const char *serial, CA_DB *db)
c67cdb50 2511 {
8e5b6314 2512 char *row[DB_NUMBER],**rrow;
c67cdb50
BM		 2513 int ok=-1,i;
2514
2515 /* Free Resources */
2516 for (i=0; i<DB_NUMBER; i++)
2517 row[i]=NULL;
2518
2519 /* Malloc needed char spaces */
2520 row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
2521 if (row[DB_serial] == NULL)
2522 {
2523 BIO_printf(bio_err,"Malloc failure\n");
2524 goto err;
2525 }
2526
2527 if (strlen(serial) % 2)
2528 {
2529 /* Set the first char to 0 */;
2530 row[DB_serial][0]='0';
2531
2532 /* Copy String from serial to row[DB_serial] */
2533 memcpy(row[DB_serial]+1, serial, strlen(serial));
2534 row[DB_serial][strlen(serial)+1]='\0';
2535 }
2536 else
2537 {
2538 /* Copy String from serial to row[DB_serial] */
2539 memcpy(row[DB_serial], serial, strlen(serial));
2540 row[DB_serial][strlen(serial)]='\0';
2541 }
2542
2543 /* Make it Upper Case */
2544 for (i=0; row[DB_serial][i] != '\0'; i++)
dfebac32
BM		 2545 row[DB_serial][i] = toupper(row[DB_serial][i]);
2546
c67cdb50
BM		 2547
2548 ok=1;
2549
2550 /* Search for the certificate */
f85b68cd 2551 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
c67cdb50
BM		 2552 if (rrow == NULL)
2553 {
2554 BIO_printf(bio_err,"Serial %s not present in db.\n",
2555 row[DB_serial]);
2556 ok=-1;
2557 goto err;
2558 }
2559 else if (rrow[DB_type][0]=='V')
2560 {
2561 BIO_printf(bio_err,"%s=Valid (%c)\n",
2562 row[DB_serial], rrow[DB_type][0]);
2563 goto err;
2564 }
2565 else if (rrow[DB_type][0]=='R')
2566 {
2567 BIO_printf(bio_err,"%s=Revoked (%c)\n",
2568 row[DB_serial], rrow[DB_type][0]);
2569 goto err;
2570 }
2571 else if (rrow[DB_type][0]=='E')
2572 {
2573 BIO_printf(bio_err,"%s=Expired (%c)\n",
2574 row[DB_serial], rrow[DB_type][0]);
2575 goto err;
2576 }
2577 else if (rrow[DB_type][0]=='S')
2578 {
2579 BIO_printf(bio_err,"%s=Suspended (%c)\n",
2580 row[DB_serial], rrow[DB_type][0]);
2581 goto err;
2582 }
2583 else
2584 {
2585 BIO_printf(bio_err,"%s=Unknown (%c).\n",
2586 row[DB_serial], rrow[DB_type][0]);
2587 ok=-1;
2588 }
2589err:
2590 for (i=0; i<DB_NUMBER; i++)
2591 {
2592 if (row[i] != NULL)
2593 OPENSSL_free(row[i]);
2594 }
2595 return(ok);
2596 }
2597
f85b68cd 2598static int do_updatedb (CA_DB *db)
c67cdb50
BM		 2599 {
2600 ASN1_UTCTIME *a_tm = NULL;
2601 int i, cnt = 0;
2602 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2603 char **rrow, *a_tm_s;
2604
2605 a_tm = ASN1_UTCTIME_new();
2606
2607 /* get actual time and make a string */
2608 a_tm = X509_gmtime_adj(a_tm, 0);
2609 a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
2610 if (a_tm_s == NULL)
2611 {
2612 cnt = -1;
2613 goto err;
2614 }
2615
2616 memcpy(a_tm_s, a_tm->data, a_tm->length);
2617 a_tm_s[a_tm->length] = '\0';
2618
2619 if (strncmp(a_tm_s, "49", 2) <= 0)
2620 a_y2k = 1;
2621 else
2622 a_y2k = 0;
f9a25931 2623
f85b68cd 2624 for (i = 0; i < sk_num(db->db->data); i++)
c67cdb50 2625 {
f85b68cd 2626 rrow = (char **) sk_value(db->db->data, i);
c67cdb50
BM		 2627
2628 if (rrow[DB_type][0] == 'V')
2629 {
2630 /* ignore entries that are not valid */
2631 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2632 db_y2k = 1;
2633 else
2634 db_y2k = 0;
2635
2636 if (db_y2k == a_y2k)
2637 {
2638 /* all on the same y2k side */
2639 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
2640 {
2641 rrow[DB_type][0] = 'E';
2642 rrow[DB_type][1] = '\0';
2643 cnt++;
2644
2645 BIO_printf(bio_err, "%s=Expired\n",
2646 rrow[DB_serial]);
2647 }
2648 }
2649 else if (db_y2k < a_y2k)
2650 {
2651 rrow[DB_type][0] = 'E';
2652 rrow[DB_type][1] = '\0';
2653 cnt++;
2654
2655 BIO_printf(bio_err, "%s=Expired\n",
2656 rrow[DB_serial]);
2657 }
2658
2659 }
2660 }
2661
2662err:
2663
2664 ASN1_UTCTIME_free(a_tm);
2665 OPENSSL_free(a_tm_s);
2666
2667 return (cnt);
2668 }
a6b7ffdd
DSH		 2669
2670static char *crl_reasons[] = {
2671 /* CRL reason strings */
2672 "unspecified",
2673 "keyCompromise",
2674 "CACompromise",
2675 "affiliationChanged",
2676 "superseded",
2677 "cessationOfOperation",
2678 "certificateHold",
2679 "removeFromCRL",
2680 /* Additional pseudo reasons */
2681 "holdInstruction",
2682 "keyTime",
2683 "CAkeyTime"
2684};
2685
2686#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2687
2688/* Given revocation information convert to a DB string.
2689 * The format of the string is:
2690 * revtime[,reason,extra]. Where 'revtime' is the
2691 * revocation time (the current time). 'reason' is the
2692 * optional CRL reason and 'extra' is any additional
2693 * argument
2694 */
2695
2696char *make_revocation_str(int rev_type, char *rev_arg)
2697 {
2698 char *reason = NULL, *other = NULL, *str;
2699 ASN1_OBJECT *otmp;
2700 ASN1_UTCTIME *revtm = NULL;
2701 int i;
2702 switch (rev_type)
2703 {
2704 case REV_NONE:
2705 break;
2706
2707 case REV_CRL_REASON:
2708 for (i = 0; i < 8; i++)
2709 {
2710 if (!strcasecmp(rev_arg, crl_reasons[i]))
2711 {
2712 reason = crl_reasons[i];
2713 break;
2714 }
2715 }
2716 if (reason == NULL)
2717 {
2718 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2719 return NULL;
2720 }
2721 break;
2722
2723 case REV_HOLD:
2724 /* Argument is an OID */
2725
2726 otmp = OBJ_txt2obj(rev_arg, 0);
2727 ASN1_OBJECT_free(otmp);
2728
2729 if (otmp == NULL)
2730 {
2731 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2732 return NULL;
2733 }
2734
2735 reason = "holdInstruction";
2736 other = rev_arg;
2737 break;
2738
2739 case REV_KEY_COMPROMISE:
2740 case REV_CA_COMPROMISE:
2741
2742 /* Argument is the key compromise time */
2743 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
2744 {
2745 BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
2746 return NULL;
2747 }
2748 other = rev_arg;
2749 if (rev_type == REV_KEY_COMPROMISE)
2750 reason = "keyTime";
2751 else
2752 reason = "CAkeyTime";
2753
2754 break;
2755
2756 }
2757
2758 revtm = X509_gmtime_adj(NULL, 0);
2759
2760 i = revtm->length + 1;
2761
2762 if (reason) i += strlen(reason) + 1;
2763 if (other) i += strlen(other) + 1;
2764
2765 str = OPENSSL_malloc(i);
2766
2767 if (!str) return NULL;
2768
2769 strcpy(str, (char *)revtm->data);
2770 if (reason)
2771 {
2772 strcat(str, ",");
2773 strcat(str, reason);
2774 }
2775 if (other)
2776 {
2777 strcat(str, ",");
2778 strcat(str, other);
2779 }
2780 ASN1_UTCTIME_free(revtm);
2781 return str;
2782 }
2783
2784/* Convert revocation field to X509_REVOKED entry
2785 * return code:
2786 * 0 error
2787 * 1 OK
2788 * 2 OK and some extensions added (i.e. V2 CRL)
2789 */
2790
ee306a13 2791
a6b7ffdd
DSH		 2792int make_revoked(X509_REVOKED *rev, char *str)
2793 {
2794 char *tmp = NULL;
a6b7ffdd
DSH		 2795 int reason_code = -1;
2796 int i, ret = 0;
2797 ASN1_OBJECT *hold = NULL;
2798 ASN1_GENERALIZEDTIME *comp_time = NULL;
2799 ASN1_ENUMERATED *rtmp = NULL;
a6b7ffdd 2800
35bf3541 2801 ASN1_TIME *revDate = NULL;
a6b7ffdd 2802
35bf3541 2803 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
a6b7ffdd 2804
ee306a13 2805 if (i == 0)
a6b7ffdd 2806 goto err;
a6b7ffdd 2807
35bf3541
DSH		 2808 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2809 goto err;
2810
a6b7ffdd
DSH		 2811 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
2812 {
2813 rtmp = ASN1_ENUMERATED_new();
2814 if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2815 goto err;
2816 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2817 goto err;
2818 }
2819
2820 if (rev && comp_time)
2821 {
2822 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
2823 goto err;
2824 }
2825 if (rev && hold)
2826 {
2827 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
2828 goto err;
2829 }
2830
2831 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2832 ret = 2;
2833 else ret = 1;
2834
2835 err:
2836
2837 if (tmp) OPENSSL_free(tmp);
2838 ASN1_OBJECT_free(hold);
2839 ASN1_GENERALIZEDTIME_free(comp_time);
2840 ASN1_ENUMERATED_free(rtmp);
35bf3541 2841 ASN1_TIME_free(revDate);
a6b7ffdd
DSH		 2842
2843 return ret;
2844 }
bad40585 2845
535d79da
DSH		 2846int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
2847 {
2848 char buf[25],*pbuf, *p;
2849 int j;
2850 j=i2a_ASN1_OBJECT(bp,obj);
2851 pbuf=buf;
2852 for (j=22-j; j>0; j--)
2853 *(pbuf++)=' ';
2854 *(pbuf++)=':';
2855 *(pbuf++)='\0';
2856 BIO_puts(bp,buf);
2857
2858 if (str->type == V_ASN1_PRINTABLESTRING)
2859 BIO_printf(bp,"PRINTABLE:'");
2860 else if (str->type == V_ASN1_T61STRING)
2861 BIO_printf(bp,"T61STRING:'");
2862 else if (str->type == V_ASN1_IA5STRING)
2863 BIO_printf(bp,"IA5STRING:'");
2864 else if (str->type == V_ASN1_UNIVERSALSTRING)
2865 BIO_printf(bp,"UNIVERSALSTRING:'");
2866 else
2867 BIO_printf(bp,"ASN.1 %2d:'",str->type);
2868
2869 p=(char *)str->data;
2870 for (j=str->length; j>0; j--)
2871 {
2872 if ((*p >= ' ') && (*p <= '~'))
2873 BIO_printf(bp,"%c",*p);
2874 else if (*p & 0x80)
2875 BIO_printf(bp,"\\0x%02X",*p);
2876 else if ((unsigned char)*p == 0xf7)
2877 BIO_printf(bp,"^?");
2878 else BIO_printf(bp,"^%c",*p+'@');
2879 p++;
2880 }
2881 BIO_printf(bp,"'\n");
2882 return 1;
2883 }
ee306a13
DSH		 2884
2885int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
2886 {
2887 char *tmp = NULL;
2888 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2889 int reason_code = -1;
27545970
GT		 2890 int ret = 0;
2891 unsigned int i;
ee306a13
DSH		 2892 ASN1_OBJECT *hold = NULL;
2893 ASN1_GENERALIZEDTIME *comp_time = NULL;
2894 tmp = BUF_strdup(str);
2895
2896 p = strchr(tmp, ',');
2897
2898 rtime_str = tmp;
2899
2900 if (p)
2901 {
2902 *p = '\0';
2903 p++;
2904 reason_str = p;
2905 p = strchr(p, ',');
2906 if (p)
2907 {
2908 *p = '\0';
2909 arg_str = p + 1;
2910 }
2911 }
2912
2913 if (prevtm)
2914 {
2915 *prevtm = ASN1_UTCTIME_new();
2916 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
2917 {
2918 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
2919 goto err;
2920 }
2921 }
2922 if (reason_str)
2923 {
2924 for (i = 0; i < NUM_REASONS; i++)
2925 {
2926 if(!strcasecmp(reason_str, crl_reasons[i]))
2927 {
2928 reason_code = i;
2929 break;
2930 }
2931 }
2932 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
2933 {
2934 BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
2935 goto err;
2936 }
2937
2938 if (reason_code == 7)
2939 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2940 else if (reason_code == 8) /* Hold instruction */
2941 {
2942 if (!arg_str)
2943 {
2944 BIO_printf(bio_err, "missing hold instruction\n");
2945 goto err;
2946 }
2947 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2948 hold = OBJ_txt2obj(arg_str, 0);
2949
2950 if (!hold)
2951 {
2952 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
2953 goto err;
2954 }
2955 if (phold) *phold = hold;
2956 }
2957 else if ((reason_code == 9) || (reason_code == 10))
2958 {
2959 if (!arg_str)
2960 {
2961 BIO_printf(bio_err, "missing compromised time\n");
2962 goto err;
2963 }
2964 comp_time = ASN1_GENERALIZEDTIME_new();
2965 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
2966 {
2967 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
2968 goto err;
2969 }
2970 if (reason_code == 9)
2971 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2972 else
2973 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2974 }
2975 }
2976
2977 if (preason) *preason = reason_code;
2978 if (pinvtm) *pinvtm = comp_time;
2979 else ASN1_GENERALIZEDTIME_free(comp_time);
2980
35bf3541
DSH		 2981 ret = 1;
2982
ee306a13
DSH		 2983 err:
2984
2985 if (tmp) OPENSSL_free(tmp);
2986 if (!phold) ASN1_OBJECT_free(hold);
2987 if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
2988
2989 return ret;
2990 }
A mirror of the official openssl repository