]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/ca.c
projects / thirdparty / openssl.git / blob
? search:


1e34e50232cb98f62bb3ee22ebbf2a12e5a3e30a
[thirdparty/openssl.git] / apps / ca.c
1 /* apps/ca.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <ctype.h>
65 #include <sys/types.h>
66 #include <sys/stat.h>
67 #include "apps.h"
68 #include <openssl/conf.h>
69 #include <openssl/bio.h>
70 #include <openssl/err.h>
71 #include <openssl/bn.h>
72 #include <openssl/txt_db.h>
73 #include <openssl/evp.h>
74 #include <openssl/x509.h>
75 #include <openssl/x509v3.h>
76 #include <openssl/objects.h>
77 #include <openssl/ocsp.h>
78 #include <openssl/pem.h>
79 #include <openssl/engine.h>
80
81 #ifdef OPENSSL_SYS_WINDOWS
82 #define strcasecmp _stricmp
83 #else
84 #include <strings.h>
85 #endif
86
87 #ifndef W_OK
88 # ifdef OPENSSL_SYS_VMS
89 # if defined(__DECC)
90 # include <unistd.h>
91 # else
92 # include <unixlib.h>
93 # endif
94 # else
95 # include <sys/file.h>
96 # endif
97 #endif
98
99 #ifndef W_OK
100 # define F_OK 0
101 # define X_OK 1
102 # define W_OK 2
103 # define R_OK 4
104 #endif
105
106 #undef PROG
107 #define PROG ca_main
108
109 #define BASE_SECTION "ca"
110 #define CONFIG_FILE "openssl.cnf"
111
112 #define ENV_DEFAULT_CA "default_ca"
113
114 #define ENV_DIR "dir"
115 #define ENV_CERTS "certs"
116 #define ENV_CRL_DIR "crl_dir"
117 #define ENV_CA_DB "CA_DB"
118 #define ENV_NEW_CERTS_DIR "new_certs_dir"
119 #define ENV_CERTIFICATE "certificate"
120 #define ENV_SERIAL "serial"
121 #define ENV_CRL "crl"
122 #define ENV_PRIVATE_KEY "private_key"
123 #define ENV_RANDFILE "RANDFILE"
124 #define ENV_DEFAULT_DAYS "default_days"
125 #define ENV_DEFAULT_STARTDATE "default_startdate"
126 #define ENV_DEFAULT_ENDDATE "default_enddate"
127 #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
128 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
129 #define ENV_DEFAULT_MD "default_md"
130 #define ENV_PRESERVE "preserve"
131 #define ENV_POLICY "policy"
132 #define ENV_EXTENSIONS "x509_extensions"
133 #define ENV_CRLEXT "crl_extensions"
134 #define ENV_MSIE_HACK "msie_hack"
135 #define ENV_NAMEOPT "name_opt"
136 #define ENV_CERTOPT "cert_opt"
137 #define ENV_EXTCOPY "copy_extensions"
138
139 #define ENV_DATABASE "database"
140
141 #define DB_type 0
142 #define DB_exp_date 1
143 #define DB_rev_date 2
144 #define DB_serial 3 /* index - unique */
145 #define DB_file 4
146 #define DB_name 5 /* index - unique for active */
147 #define DB_NUMBER 6
148
149 #define DB_TYPE_REV 'R'
150 #define DB_TYPE_EXP 'E'
151 #define DB_TYPE_VAL 'V'
152
153 /* Additional revocation information types */
154
155 #define REV_NONE 0 /* No addditional information */
156 #define REV_CRL_REASON 1 /* Value is CRL reason code */
157 #define REV_HOLD 2 /* Value is hold instruction */
158 #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
159 #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
160
161 static char *ca_usage[]={
162 "usage: ca args\n",
163 "\n",
164 " -verbose - Talk alot while doing things\n",
165 " -config file - A config file\n",
166 " -name arg - The particular CA definition to use\n",
167 " -gencrl - Generate a new CRL\n",
168 " -crldays days - Days is when the next CRL is due\n",
169 " -crlhours hours - Hours is when the next CRL is due\n",
170 " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
171 " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
172 " -days arg - number of days to certify the certificate for\n",
173 " -md arg - md to use, one of md2, md5, sha or sha1\n",
174 " -policy arg - The CA 'policy' to support\n",
175 " -keyfile arg - private key file\n",
176 " -keyform arg - private key file format (PEM or ENGINE)\n",
177 " -key arg - key to decode the private key if it is encrypted\n",
178 " -cert file - The CA certificate\n",
179 " -in file - The input PEM encoded certificate request(s)\n",
180 " -out file - Where to put the output file(s)\n",
181 " -outdir dir - Where to put output certificates\n",
182 " -infiles .... - The last argument, requests to process\n",
183 " -spkac file - File contains DN and signed public key and challenge\n",
184 " -ss_cert file - File contains a self signed cert to sign\n",
185 " -preserveDN - Don't re-order the DN\n",
186 " -batch - Don't ask questions\n",
187 " -msie_hack - msie modifications to handle all those universal strings\n",
188 " -revoke file - Revoke a certificate (given in file)\n",
189 " -subj arg - Use arg instead of request's subject\n",
190 " -extensions .. - Extension section (override value in config file)\n",
191 " -extfile file - Configuration file with X509v3 extentions to add\n",
192 " -crlexts .. - CRL extension section (override value in config file)\n",
193 " -engine e - use engine e, possibly a hardware device.\n",
194 " -status serial - Shows certificate status given the serial number\n",
195 " -updatedb - Updates db for expired certificates\n",
196 NULL
197 };
198
199 #ifdef EFENCE
200 extern int EF_PROTECT_FREE;
201 extern int EF_PROTECT_BELOW;
202 extern int EF_ALIGNMENT;
203 #endif
204
205 static void lookup_fail(char *name,char *tag);
206 static unsigned long index_serial_hash(const char **a);
207 static int index_serial_cmp(const char **a, const char **b);
208 static unsigned long index_name_hash(const char **a);
209 static int index_name_qual(char **a);
210 static int index_name_cmp(const char **a,const char **b);
211 static BIGNUM *load_serial(char *serialfile);
212 static int save_serial(char *serialfile, BIGNUM *serial);
213 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
214 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
215 BIGNUM *serial, char *subj, char *startdate,char *enddate,
216 long days, int batch, char *ext_sect, CONF *conf,int verbose,
217 unsigned long certopt, unsigned long nameopt, int default_op,
218 int ext_copy);
219 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
220 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
221 TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
222 char *enddate, long days, int batch, char *ext_sect,
223 CONF *conf,int verbose, unsigned long certopt,
224 unsigned long nameopt, int default_op, int ext_copy,
225 ENGINE *e);
226 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
227 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
228 TXT_DB *db, BIGNUM *serial,char *subj, char *startdate,
229 char *enddate, long days, char *ext_sect,CONF *conf,
230 int verbose, unsigned long certopt, unsigned long nameopt,
231 int default_op, int ext_copy);
232 static int fix_data(int nid, int *type);
233 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
234 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
235 STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
236 char *startdate, char *enddate, long days, int batch, int verbose,
237 X509_REQ *req, char *ext_sect, CONF *conf,
238 unsigned long certopt, unsigned long nameopt, int default_op,
239 int ext_copy);
240 static X509_NAME *do_subject(char *subject);
241 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
242 static int get_certificate_status(const char *ser_status, TXT_DB *db);
243 static int do_updatedb(TXT_DB *db);
244 static int check_time_format(char *str);
245 char *make_revocation_str(int rev_type, char *rev_arg);
246 int make_revoked(X509_REVOKED *rev, char *str);
247 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
248 static CONF *conf=NULL;
249 static CONF *extconf=NULL;
250 static char *section=NULL;
251
252 static int preserve=0;
253 static int msie_hack=0;
254
255 static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
256 static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
257 static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
258 static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
259
260
261 int MAIN(int, char **);
262
263 int MAIN(int argc, char **argv)
264 {
265 ENGINE *e = NULL;
266 char *key=NULL,*passargin=NULL;
267 int total=0;
268 int total_done=0;
269 int badops=0;
270 int ret=1;
271 int req=0;
272 int verbose=0;
273 int gencrl=0;
274 int dorevoke=0;
275 int doupdatedb=0;
276 long crldays=0;
277 long crlhours=0;
278 long errorline= -1;
279 char *configfile=NULL;
280 char *md=NULL;
281 char *policy=NULL;
282 char *keyfile=NULL;
283 char *certfile=NULL;
284 int keyform=FORMAT_PEM;
285 char *infile=NULL;
286 char *spkac_file=NULL;
287 char *ss_cert_file=NULL;
288 char *ser_status=NULL;
289 EVP_PKEY *pkey=NULL;
290 int output_der = 0;
291 char *outfile=NULL;
292 char *outdir=NULL;
293 char *serialfile=NULL;
294 char *extensions=NULL;
295 char *extfile=NULL;
296 char *subj=NULL;
297 char *crl_ext=NULL;
298 int rev_type = REV_NONE;
299 char *rev_arg = NULL;
300 BIGNUM *serial=NULL;
301 char *startdate=NULL;
302 char *enddate=NULL;
303 long days=0;
304 int batch=0;
305 int notext=0;
306 unsigned long nameopt = 0, certopt = 0;
307 int default_op = 1;
308 int ext_copy = EXT_COPY_NONE;
309 X509 *x509=NULL;
310 X509 *x=NULL;
311 BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
312 char *dbfile=NULL;
313 TXT_DB *db=NULL;
314 X509_CRL *crl=NULL;
315 X509_REVOKED *r=NULL;
316 ASN1_TIME *tmptm;
317 ASN1_INTEGER *tmpser;
318 char **pp,*p,*f;
319 int i,j;
320 long l;
321 const EVP_MD *dgst=NULL;
322 STACK_OF(CONF_VALUE) *attribs=NULL;
323 STACK_OF(X509) *cert_sk=NULL;
324 #undef BSIZE
325 #define BSIZE 256
326 MS_STATIC char buf[3][BSIZE];
327 char *randfile=NULL;
328 char *engine = NULL;
329
330 #ifdef EFENCE
331 EF_PROTECT_FREE=1;
332 EF_PROTECT_BELOW=1;
333 EF_ALIGNMENT=0;
334 #endif
335
336 apps_startup();
337
338 conf = NULL;
339 key = NULL;
340 section = NULL;
341
342 preserve=0;
343 msie_hack=0;
344 if (bio_err == NULL)
345 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
346 BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
347
348 argc--;
349 argv++;
350 while (argc >= 1)
351 {
352 if (strcmp(*argv,"-verbose") == 0)
353 verbose=1;
354 else if (strcmp(*argv,"-config") == 0)
355 {
356 if (--argc < 1) goto bad;
357 configfile= *(++argv);
358 }
359 else if (strcmp(*argv,"-name") == 0)
360 {
361 if (--argc < 1) goto bad;
362 section= *(++argv);
363 }
364 else if (strcmp(*argv,"-subj") == 0)
365 {
366 if (--argc < 1) goto bad;
367 subj= *(++argv);
368 /* preserve=1; */
369 }
370 else if (strcmp(*argv,"-startdate") == 0)
371 {
372 if (--argc < 1) goto bad;
373 startdate= *(++argv);
374 }
375 else if (strcmp(*argv,"-enddate") == 0)
376 {
377 if (--argc < 1) goto bad;
378 enddate= *(++argv);
379 }
380 else if (strcmp(*argv,"-days") == 0)
381 {
382 if (--argc < 1) goto bad;
383 days=atoi(*(++argv));
384 }
385 else if (strcmp(*argv,"-md") == 0)
386 {
387 if (--argc < 1) goto bad;
388 md= *(++argv);
389 }
390 else if (strcmp(*argv,"-policy") == 0)
391 {
392 if (--argc < 1) goto bad;
393 policy= *(++argv);
394 }
395 else if (strcmp(*argv,"-keyfile") == 0)
396 {
397 if (--argc < 1) goto bad;
398 keyfile= *(++argv);
399 }
400 else if (strcmp(*argv,"-keyform") == 0)
401 {
402 if (--argc < 1) goto bad;
403 keyform=str2fmt(*(++argv));
404 }
405 else if (strcmp(*argv,"-passin") == 0)
406 {
407 if (--argc < 1) goto bad;
408 passargin= *(++argv);
409 }
410 else if (strcmp(*argv,"-key") == 0)
411 {
412 if (--argc < 1) goto bad;
413 key= *(++argv);
414 }
415 else if (strcmp(*argv,"-cert") == 0)
416 {
417 if (--argc < 1) goto bad;
418 certfile= *(++argv);
419 }
420 else if (strcmp(*argv,"-in") == 0)
421 {
422 if (--argc < 1) goto bad;
423 infile= *(++argv);
424 req=1;
425 }
426 else if (strcmp(*argv,"-out") == 0)
427 {
428 if (--argc < 1) goto bad;
429 outfile= *(++argv);
430 }
431 else if (strcmp(*argv,"-outdir") == 0)
432 {
433 if (--argc < 1) goto bad;
434 outdir= *(++argv);
435 }
436 else if (strcmp(*argv,"-notext") == 0)
437 notext=1;
438 else if (strcmp(*argv,"-batch") == 0)
439 batch=1;
440 else if (strcmp(*argv,"-preserveDN") == 0)
441 preserve=1;
442 else if (strcmp(*argv,"-gencrl") == 0)
443 gencrl=1;
444 else if (strcmp(*argv,"-msie_hack") == 0)
445 msie_hack=1;
446 else if (strcmp(*argv,"-crldays") == 0)
447 {
448 if (--argc < 1) goto bad;
449 crldays= atol(*(++argv));
450 }
451 else if (strcmp(*argv,"-crlhours") == 0)
452 {
453 if (--argc < 1) goto bad;
454 crlhours= atol(*(++argv));
455 }
456 else if (strcmp(*argv,"-infiles") == 0)
457 {
458 argc--;
459 argv++;
460 req=1;
461 break;
462 }
463 else if (strcmp(*argv, "-ss_cert") == 0)
464 {
465 if (--argc < 1) goto bad;
466 ss_cert_file = *(++argv);
467 req=1;
468 }
469 else if (strcmp(*argv, "-spkac") == 0)
470 {
471 if (--argc < 1) goto bad;
472 spkac_file = *(++argv);
473 req=1;
474 }
475 else if (strcmp(*argv,"-revoke") == 0)
476 {
477 if (--argc < 1) goto bad;
478 infile= *(++argv);
479 dorevoke=1;
480 }
481 else if (strcmp(*argv,"-extensions") == 0)
482 {
483 if (--argc < 1) goto bad;
484 extensions= *(++argv);
485 }
486 else if (strcmp(*argv,"-extfile") == 0)
487 {
488 if (--argc < 1) goto bad;
489 extfile= *(++argv);
490 }
491 else if (strcmp(*argv,"-status") == 0)
492 {
493 if (--argc < 1) goto bad;
494 ser_status= *(++argv);
495 }
496 else if (strcmp(*argv,"-updatedb") == 0)
497 {
498 doupdatedb=1;
499 }
500 else if (strcmp(*argv,"-crlexts") == 0)
501 {
502 if (--argc < 1) goto bad;
503 crl_ext= *(++argv);
504 }
505 else if (strcmp(*argv,"-crl_reason") == 0)
506 {
507 if (--argc < 1) goto bad;
508 rev_arg = *(++argv);
509 rev_type = REV_CRL_REASON;
510 }
511 else if (strcmp(*argv,"-crl_hold") == 0)
512 {
513 if (--argc < 1) goto bad;
514 rev_arg = *(++argv);
515 rev_type = REV_HOLD;
516 }
517 else if (strcmp(*argv,"-crl_compromise") == 0)
518 {
519 if (--argc < 1) goto bad;
520 rev_arg = *(++argv);
521 rev_type = REV_KEY_COMPROMISE;
522 }
523 else if (strcmp(*argv,"-crl_CA_compromise") == 0)
524 {
525 if (--argc < 1) goto bad;
526 rev_arg = *(++argv);
527 rev_type = REV_CA_COMPROMISE;
528 }
529 else if (strcmp(*argv,"-engine") == 0)
530 {
531 if (--argc < 1) goto bad;
532 engine= *(++argv);
533 }
534 else
535 {
536 bad:
537 BIO_printf(bio_err,"unknown option %s\n",*argv);
538 badops=1;
539 break;
540 }
541 argc--;
542 argv++;
543 }
544
545 if (badops)
546 {
547 for (pp=ca_usage; (*pp != NULL); pp++)
548 BIO_printf(bio_err,"%s",*pp);
549 goto err;
550 }
551
552 ERR_load_crypto_strings();
553
554 e = setup_engine(bio_err, engine, 0);
555
556 /*****************************************************************/
557 if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
558 if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
559 if (configfile == NULL)
560 {
561 /* We will just use 'buf[0]' as a temporary buffer. */
562 #ifdef OPENSSL_SYS_VMS
563 strncpy(buf[0],X509_get_default_cert_area(),
564 sizeof(buf[0])-1-sizeof(CONFIG_FILE));
565 #else
566 strncpy(buf[0],X509_get_default_cert_area(),
567 sizeof(buf[0])-2-sizeof(CONFIG_FILE));
568 strcat(buf[0],"/");
569 #endif
570 strcat(buf[0],CONFIG_FILE);
571 configfile=buf[0];
572 }
573
574 BIO_printf(bio_err,"Using configuration from %s\n",configfile);
575 conf = NCONF_new(NULL);
576 if (NCONF_load(conf,configfile,&errorline) <= 0)
577 {
578 if (errorline <= 0)
579 BIO_printf(bio_err,"error loading the config file '%s'\n",
580 configfile);
581 else
582 BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
583 ,errorline,configfile);
584 goto err;
585 }
586
587 /* Lets get the config section we are using */
588 if (section == NULL)
589 {
590 section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
591 if (section == NULL)
592 {
593 lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
594 goto err;
595 }
596 }
597
598 if (conf != NULL)
599 {
600 p=NCONF_get_string(conf,NULL,"oid_file");
601 if (p == NULL)
602 ERR_clear_error();
603 if (p != NULL)
604 {
605 BIO *oid_bio;
606
607 oid_bio=BIO_new_file(p,"r");
608 if (oid_bio == NULL)
609 {
610 /*
611 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
612 ERR_print_errors(bio_err);
613 */
614 ERR_clear_error();
615 }
616 else
617 {
618 OBJ_create_objects(oid_bio);
619 BIO_free(oid_bio);
620 }
621 }
622 if (!add_oid_section(bio_err,conf))
623 {
624 ERR_print_errors(bio_err);
625 goto err;
626 }
627 }
628
629 randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
630 if (randfile == NULL)
631 ERR_clear_error();
632 app_RAND_load_file(randfile, bio_err, 0);
633
634 in=BIO_new(BIO_s_file());
635 out=BIO_new(BIO_s_file());
636 Sout=BIO_new(BIO_s_file());
637 Cout=BIO_new(BIO_s_file());
638 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
639 {
640 ERR_print_errors(bio_err);
641 goto err;
642 }
643
644 /*****************************************************************/
645 /* report status of cert with serial number given on command line */
646 if (ser_status)
647 {
648 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
649 {
650 lookup_fail(section,ENV_DATABASE);
651 goto err;
652 }
653 if (BIO_read_filename(in,dbfile) <= 0)
654 {
655 perror(dbfile);
656 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
657 goto err;
658 }
659 db=TXT_DB_read(in,DB_NUMBER);
660 if (db == NULL) goto err;
661
662 if (!make_serial_index(db))
663 goto err;
664
665 if (get_certificate_status(ser_status,db) != 1)
666 BIO_printf(bio_err,"Error verifying serial %s!\n",
667 ser_status);
668 goto err;
669 }
670
671 /*****************************************************************/
672 /* we definitely need a public key, so let's get it */
673
674 if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
675 section,ENV_PRIVATE_KEY)) == NULL))
676 {
677 lookup_fail(section,ENV_PRIVATE_KEY);
678 goto err;
679 }
680 if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
681 {
682 BIO_printf(bio_err,"Error getting password\n");
683 goto err;
684 }
685 pkey = load_key(bio_err, keyfile, keyform, key, e,
686 "CA private key");
687 if (key) memset(key,0,strlen(key));
688 if (pkey == NULL)
689 {
690 /* load_key() has already printed an appropriate message */
691 goto err;
692 }
693
694 /*****************************************************************/
695 /* we need a certificate */
696 if ((certfile == NULL) && ((certfile=NCONF_get_string(conf,
697 section,ENV_CERTIFICATE)) == NULL))
698 {
699 lookup_fail(section,ENV_CERTIFICATE);
700 goto err;
701 }
702 x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
703 "CA certificate");
704 if (x509 == NULL)
705 goto err;
706
707 if (!X509_check_private_key(x509,pkey))
708 {
709 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
710 goto err;
711 }
712
713 f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
714 if (f == NULL)
715 ERR_clear_error();
716 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
717 preserve=1;
718 f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
719 if (f == NULL)
720 ERR_clear_error();
721 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
722 msie_hack=1;
723
724 f=NCONF_get_string(conf,section,ENV_NAMEOPT);
725
726 if (f)
727 {
728 if (!set_name_ex(&nameopt, f))
729 {
730 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
731 goto err;
732 }
733 default_op = 0;
734 }
735 else
736 ERR_clear_error();
737
738 f=NCONF_get_string(conf,section,ENV_CERTOPT);
739
740 if (f)
741 {
742 if (!set_cert_ex(&certopt, f))
743 {
744 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
745 goto err;
746 }
747 default_op = 0;
748 }
749 else
750 ERR_clear_error();
751
752 f=NCONF_get_string(conf,section,ENV_EXTCOPY);
753
754 if (f)
755 {
756 if (!set_ext_copy(&ext_copy, f))
757 {
758 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
759 goto err;
760 }
761 }
762 else
763 ERR_clear_error();
764
765 /*****************************************************************/
766 /* lookup where to write new certificates */
767 if ((outdir == NULL) && (req))
768 {
769 struct stat sb;
770
771 if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
772 == NULL)
773 {
774 BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
775 goto err;
776 }
777 #ifndef OPENSSL_SYS_VMS
778 /* outdir is a directory spec, but access() for VMS demands a
779 filename. In any case, stat(), below, will catch the problem
780 if outdir is not a directory spec, and the fopen() or open()
781 will catch an error if there is no write access.
782
783 Presumably, this problem could also be solved by using the DEC
784 C routines to convert the directory syntax to Unixly, and give
785 that to access(). However, time's too short to do that just
786 now.
787 */
788 if (access(outdir,R_OK|W_OK|X_OK) != 0)
789 {
790 BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
791 perror(outdir);
792 goto err;
793 }
794
795 if (stat(outdir,&sb) != 0)
796 {
797 BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
798 perror(outdir);
799 goto err;
800 }
801 #ifdef S_IFDIR
802 if (!(sb.st_mode & S_IFDIR))
803 {
804 BIO_printf(bio_err,"%s need to be a directory\n",outdir);
805 perror(outdir);
806 goto err;
807 }
808 #endif
809 #endif
810 }
811
812 /*****************************************************************/
813 /* we need to load the database file */
814 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
815 {
816 lookup_fail(section,ENV_DATABASE);
817 goto err;
818 }
819 if (BIO_read_filename(in,dbfile) <= 0)
820 {
821 perror(dbfile);
822 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
823 goto err;
824 }
825 db=TXT_DB_read(in,DB_NUMBER);
826 if (db == NULL) goto err;
827
828 /* Lets check some fields */
829 for (i=0; i<sk_num(db->data); i++)
830 {
831 pp=(char **)sk_value(db->data,i);
832 if ((pp[DB_type][0] != DB_TYPE_REV) &&
833 (pp[DB_rev_date][0] != '\0'))
834 {
835 BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
836 goto err;
837 }
838 if ((pp[DB_type][0] == DB_TYPE_REV) &&
839 !make_revoked(NULL, pp[DB_rev_date]))
840 {
841 BIO_printf(bio_err," in entry %d\n", i+1);
842 goto err;
843 }
844 if (!check_time_format(pp[DB_exp_date]))
845 {
846 BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
847 goto err;
848 }
849 p=pp[DB_serial];
850 j=strlen(p);
851 if (*p == '-')
852 {
853 p++;
854 j--;
855 }
856 if ((j&1) || (j < 2))
857 {
858 BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
859 goto err;
860 }
861 while (*p)
862 {
863 if (!( ((*p >= '0') && (*p <= '9')) ||
864 ((*p >= 'A') && (*p <= 'F')) ||
865 ((*p >= 'a') && (*p <= 'f'))) )
866 {
867 BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
868 goto err;
869 }
870 p++;
871 }
872 }
873 if (verbose)
874 {
875 BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
876 #ifdef OPENSSL_SYS_VMS
877 {
878 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
879 out = BIO_push(tmpbio, out);
880 }
881 #endif
882 TXT_DB_write(out,db);
883 BIO_printf(bio_err,"%d entries loaded from the database\n",
884 db->data->num);
885 BIO_printf(bio_err,"generating index\n");
886 }
887
888 if (!make_serial_index(db))
889 goto err;
890
891 if (!TXT_DB_create_index(db, DB_name, index_name_qual,
892 LHASH_HASH_FN(index_name_hash),
893 LHASH_COMP_FN(index_name_cmp)))
894 {
895 BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
896 db->error,db->arg1,db->arg2);
897 goto err;
898 }
899
900 /*****************************************************************/
901 /* Update the db file for expired certificates */
902 if (doupdatedb)
903 {
904 if (verbose)
905 BIO_printf(bio_err, "Updating %s ...\n",
906 dbfile);
907
908 i = do_updatedb(db);
909 if (i == -1)
910 {
911 BIO_printf(bio_err,"Malloc failure\n");
912 goto err;
913 }
914 else if (i == 0)
915 {
916 if (verbose) BIO_printf(bio_err,
917 "No entries found to mark expired\n");
918 }
919 else
920 {
921 out = BIO_new(BIO_s_file());
922 if (out == NULL)
923 {
924 ERR_print_errors(bio_err);
925 goto err;
926 }
927
928 #ifndef OPENSSL_SYS_VMS
929 j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile);
930 #else
931 j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile);
932 #endif
933 if (j < 0 || j >= sizeof buf[0])
934 {
935 BIO_printf(bio_err, "file name too long\n");
936 goto err;
937 }
938 if (BIO_write_filename(out,buf[0]) <= 0)
939 {
940 perror(dbfile);
941 BIO_printf(bio_err,"unable to open '%s'\n",
942 dbfile);
943 goto err;
944 }
945 j=TXT_DB_write(out,db);
946 if (j <= 0) goto err;
947
948 BIO_free(out);
949 out = NULL;
950 #ifndef OPENSSL_SYS_VMS
951 j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile);
952 #else
953 j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile);
954 #endif
955 if (j < 0 || j >= sizeof buf[1])
956 {
957 BIO_printf(bio_err, "file name too long\n");
958 goto err;
959 }
960 if (rename(dbfile,buf[1]) < 0)
961 {
962 BIO_printf(bio_err,
963 "unable to rename %s to %s\n",
964 dbfile, buf[1]);
965 perror("reason");
966 goto err;
967 }
968 if (rename(buf[0],dbfile) < 0)
969 {
970 BIO_printf(bio_err,
971 "unable to rename %s to %s\n",
972 buf[0],dbfile);
973 perror("reason");
974 rename(buf[1],dbfile);
975 goto err;
976 }
977
978 if (verbose) BIO_printf(bio_err,
979 "Done. %d entries marked as expired\n",i);
980 }
981 goto err;
982 }
983
984 /*****************************************************************/
985 /* Read extentions config file */
986 if (extfile)
987 {
988 extconf = NCONF_new(NULL);
989 if (NCONF_load(extconf,extfile,&errorline) <= 0)
990 {
991 if (errorline <= 0)
992 BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
993 extfile);
994 else
995 BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
996 errorline,extfile);
997 ret = 1;
998 goto err;
999 }
1000
1001 if (verbose)
1002 BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile);
1003
1004 /* We can have sections in the ext file */
1005 if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
1006 extensions = "default";
1007 }
1008
1009 /*****************************************************************/
1010 if (req || gencrl)
1011 {
1012 if (outfile != NULL)
1013 {
1014 if (BIO_write_filename(Sout,outfile) <= 0)
1015 {
1016 perror(outfile);
1017 goto err;
1018 }
1019 }
1020 else
1021 {
1022 BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
1023 #ifdef OPENSSL_SYS_VMS
1024 {
1025 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
1026 Sout = BIO_push(tmpbio, Sout);
1027 }
1028 #endif
1029 }
1030 }
1031
1032 if (req)
1033 {
1034 if ((md == NULL) && ((md=NCONF_get_string(conf,
1035 section,ENV_DEFAULT_MD)) == NULL))
1036 {
1037 lookup_fail(section,ENV_DEFAULT_MD);
1038 goto err;
1039 }
1040 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1041 {
1042 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1043 goto err;
1044 }
1045 if (verbose)
1046 BIO_printf(bio_err,"message digest is %s\n",
1047 OBJ_nid2ln(dgst->type));
1048 if ((policy == NULL) && ((policy=NCONF_get_string(conf,
1049 section,ENV_POLICY)) == NULL))
1050 {
1051 lookup_fail(section,ENV_POLICY);
1052 goto err;
1053 }
1054 if (verbose)
1055 BIO_printf(bio_err,"policy is %s\n",policy);
1056
1057 if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL))
1058 == NULL)
1059 {
1060 lookup_fail(section,ENV_SERIAL);
1061 goto err;
1062 }
1063
1064 if (!extconf)
1065 {
1066 /* no '-extfile' option, so we look for extensions
1067 * in the main configuration file */
1068 if (!extensions)
1069 {
1070 extensions=NCONF_get_string(conf,section,
1071 ENV_EXTENSIONS);
1072 if (!extensions)
1073 ERR_clear_error();
1074 }
1075 if (extensions)
1076 {
1077 /* Check syntax of file */
1078 X509V3_CTX ctx;
1079 X509V3_set_ctx_test(&ctx);
1080 X509V3_set_nconf(&ctx, conf);
1081 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions,
1082 NULL))
1083 {
1084 BIO_printf(bio_err,
1085 "Error Loading extension section %s\n",
1086 extensions);
1087 ret = 1;
1088 goto err;
1089 }
1090 }
1091 }
1092
1093 if (startdate == NULL)
1094 {
1095 startdate=NCONF_get_string(conf,section,
1096 ENV_DEFAULT_STARTDATE);
1097 if (startdate == NULL)
1098 ERR_clear_error();
1099 }
1100 if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
1101 {
1102 BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
1103 goto err;
1104 }
1105 if (startdate == NULL) startdate="today";
1106
1107 if (enddate == NULL)
1108 {
1109 enddate=NCONF_get_string(conf,section,
1110 ENV_DEFAULT_ENDDATE);
1111 if (enddate == NULL)
1112 ERR_clear_error();
1113 }
1114 if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
1115 {
1116 BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
1117 goto err;
1118 }
1119
1120 if (days == 0)
1121 {
1122 if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days))
1123 days = 0;
1124 }
1125 if (!enddate && (days == 0))
1126 {
1127 BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
1128 goto err;
1129 }
1130
1131 if ((serial=load_serial(serialfile)) == NULL)
1132 {
1133 BIO_printf(bio_err,"error while loading serial number\n");
1134 goto err;
1135 }
1136 if (verbose)
1137 {
1138 if ((f=BN_bn2hex(serial)) == NULL) goto err;
1139 BIO_printf(bio_err,"next serial number is %s\n",f);
1140 OPENSSL_free(f);
1141 }
1142
1143 if ((attribs=NCONF_get_section(conf,policy)) == NULL)
1144 {
1145 BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
1146 goto err;
1147 }
1148
1149 if ((cert_sk=sk_X509_new_null()) == NULL)
1150 {
1151 BIO_printf(bio_err,"Memory allocation failure\n");
1152 goto err;
1153 }
1154 if (spkac_file != NULL)
1155 {
1156 total++;
1157 j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
1158 serial,subj,startdate,enddate, days,extensions,conf,
1159 verbose, certopt, nameopt, default_op, ext_copy);
1160 if (j < 0) goto err;
1161 if (j > 0)
1162 {
1163 total_done++;
1164 BIO_printf(bio_err,"\n");
1165 if (!BN_add_word(serial,1)) goto err;
1166 if (!sk_X509_push(cert_sk,x))
1167 {
1168 BIO_printf(bio_err,"Memory allocation failure\n");
1169 goto err;
1170 }
1171 if (outfile)
1172 {
1173 output_der = 1;
1174 batch = 1;
1175 }
1176 }
1177 }
1178 if (ss_cert_file != NULL)
1179 {
1180 total++;
1181 j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
1182 db,serial,subj,startdate,enddate,days,batch,
1183 extensions,conf,verbose, certopt, nameopt,
1184 default_op, ext_copy, e);
1185 if (j < 0) goto err;
1186 if (j > 0)
1187 {
1188 total_done++;
1189 BIO_printf(bio_err,"\n");
1190 if (!BN_add_word(serial,1)) goto err;
1191 if (!sk_X509_push(cert_sk,x))
1192 {
1193 BIO_printf(bio_err,"Memory allocation failure\n");
1194 goto err;
1195 }
1196 }
1197 }
1198 if (infile != NULL)
1199 {
1200 total++;
1201 j=certify(&x,infile,pkey,x509,dgst,attribs,db,
1202 serial,subj,startdate,enddate,days,batch,
1203 extensions,conf,verbose, certopt, nameopt,
1204 default_op, ext_copy);
1205 if (j < 0) goto err;
1206 if (j > 0)
1207 {
1208 total_done++;
1209 BIO_printf(bio_err,"\n");
1210 if (!BN_add_word(serial,1)) goto err;
1211 if (!sk_X509_push(cert_sk,x))
1212 {
1213 BIO_printf(bio_err,"Memory allocation failure\n");
1214 goto err;
1215 }
1216 }
1217 }
1218 for (i=0; i<argc; i++)
1219 {
1220 total++;
1221 j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
1222 serial,subj,startdate,enddate,days,batch,
1223 extensions,conf,verbose, certopt, nameopt,
1224 default_op, ext_copy);
1225 if (j < 0) goto err;
1226 if (j > 0)
1227 {
1228 total_done++;
1229 BIO_printf(bio_err,"\n");
1230 if (!BN_add_word(serial,1)) goto err;
1231 if (!sk_X509_push(cert_sk,x))
1232 {
1233 BIO_printf(bio_err,"Memory allocation failure\n");
1234 goto err;
1235 }
1236 }
1237 }
1238 /* we have a stack of newly certified certificates
1239 * and a data base and serial number that need
1240 * updating */
1241
1242 if (sk_X509_num(cert_sk) > 0)
1243 {
1244 if (!batch)
1245 {
1246 BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
1247 (void)BIO_flush(bio_err);
1248 buf[0][0]='\0';
1249 fgets(buf[0],10,stdin);
1250 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
1251 {
1252 BIO_printf(bio_err,"CERTIFICATION CANCELED\n");
1253 ret=0;
1254 goto err;
1255 }
1256 }
1257
1258 BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
1259
1260 strncpy(buf[0],serialfile,BSIZE-4);
1261
1262 #ifdef OPENSSL_SYS_VMS
1263 strcat(buf[0],"-new");
1264 #else
1265 strcat(buf[0],".new");
1266 #endif
1267
1268 if (!save_serial(buf[0],serial)) goto err;
1269
1270 strncpy(buf[1],dbfile,BSIZE-4);
1271
1272 #ifdef OPENSSL_SYS_VMS
1273 strcat(buf[1],"-new");
1274 #else
1275 strcat(buf[1],".new");
1276 #endif
1277
1278 if (BIO_write_filename(out,buf[1]) <= 0)
1279 {
1280 perror(dbfile);
1281 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
1282 goto err;
1283 }
1284 l=TXT_DB_write(out,db);
1285 if (l <= 0) goto err;
1286 }
1287
1288 if (verbose)
1289 BIO_printf(bio_err,"writing new certificates\n");
1290 for (i=0; i<sk_X509_num(cert_sk); i++)
1291 {
1292 int k;
1293 unsigned char *n;
1294
1295 x=sk_X509_value(cert_sk,i);
1296
1297 j=x->cert_info->serialNumber->length;
1298 p=(char *)x->cert_info->serialNumber->data;
1299
1300 strncpy(buf[2],outdir,BSIZE-(j*2)-6);
1301
1302 #ifndef OPENSSL_SYS_VMS
1303 strcat(buf[2],"/");
1304 #endif
1305
1306 n=(unsigned char *)&(buf[2][strlen(buf[2])]);
1307 if (j > 0)
1308 {
1309 for (k=0; k<j; k++)
1310 {
1311 sprintf((char *)n,"%02X",(unsigned char)*(p++));
1312 n+=2;
1313 }
1314 }
1315 else
1316 {
1317 *(n++)='0';
1318 *(n++)='0';
1319 }
1320 *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
1321 *n='\0';
1322 if (verbose)
1323 BIO_printf(bio_err,"writing %s\n",buf[2]);
1324
1325 if (BIO_write_filename(Cout,buf[2]) <= 0)
1326 {
1327 perror(buf[2]);
1328 goto err;
1329 }
1330 write_new_certificate(Cout,x, 0, notext);
1331 write_new_certificate(Sout,x, output_der, notext);
1332 }
1333
1334 if (sk_X509_num(cert_sk))
1335 {
1336 /* Rename the database and the serial file */
1337 strncpy(buf[2],serialfile,BSIZE-4);
1338
1339 #ifdef OPENSSL_SYS_VMS
1340 strcat(buf[2],"-old");
1341 #else
1342 strcat(buf[2],".old");
1343 #endif
1344
1345 BIO_free(in);
1346 BIO_free_all(out);
1347 in=NULL;
1348 out=NULL;
1349 if (rename(serialfile,buf[2]) < 0)
1350 {
1351 BIO_printf(bio_err,"unable to rename %s to %s\n",
1352 serialfile,buf[2]);
1353 perror("reason");
1354 goto err;
1355 }
1356 if (rename(buf[0],serialfile) < 0)
1357 {
1358 BIO_printf(bio_err,"unable to rename %s to %s\n",
1359 buf[0],serialfile);
1360 perror("reason");
1361 rename(buf[2],serialfile);
1362 goto err;
1363 }
1364
1365 strncpy(buf[2],dbfile,BSIZE-4);
1366
1367 #ifdef OPENSSL_SYS_VMS
1368 strcat(buf[2],"-old");
1369 #else
1370 strcat(buf[2],".old");
1371 #endif
1372
1373 if (rename(dbfile,buf[2]) < 0)
1374 {
1375 BIO_printf(bio_err,"unable to rename %s to %s\n",
1376 dbfile,buf[2]);
1377 perror("reason");
1378 goto err;
1379 }
1380 if (rename(buf[1],dbfile) < 0)
1381 {
1382 BIO_printf(bio_err,"unable to rename %s to %s\n",
1383 buf[1],dbfile);
1384 perror("reason");
1385 rename(buf[2],dbfile);
1386 goto err;
1387 }
1388 BIO_printf(bio_err,"Data Base Updated\n");
1389 }
1390 }
1391
1392 /*****************************************************************/
1393 if (gencrl)
1394 {
1395 int crl_v2 = 0;
1396 if (!crl_ext)
1397 {
1398 crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT);
1399 if (!crl_ext)
1400 ERR_clear_error();
1401 }
1402 if (crl_ext)
1403 {
1404 /* Check syntax of file */
1405 X509V3_CTX ctx;
1406 X509V3_set_ctx_test(&ctx);
1407 X509V3_set_nconf(&ctx, conf);
1408 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL))
1409 {
1410 BIO_printf(bio_err,
1411 "Error Loading CRL extension section %s\n",
1412 crl_ext);
1413 ret = 1;
1414 goto err;
1415 }
1416 }
1417
1418 if (!crldays && !crlhours)
1419 {
1420 if (!NCONF_get_number(conf,section,
1421 ENV_DEFAULT_CRL_DAYS, &crldays))
1422 crldays = 0;
1423 if (!NCONF_get_number(conf,section,
1424 ENV_DEFAULT_CRL_HOURS, &crlhours))
1425 crlhours = 0;
1426 }
1427 if ((crldays == 0) && (crlhours == 0))
1428 {
1429 BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
1430 goto err;
1431 }
1432
1433 if (verbose) BIO_printf(bio_err,"making CRL\n");
1434 if ((crl=X509_CRL_new()) == NULL) goto err;
1435 if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
1436
1437 tmptm = ASN1_TIME_new();
1438 if (!tmptm) goto err;
1439 X509_gmtime_adj(tmptm,0);
1440 X509_CRL_set_lastUpdate(crl, tmptm);
1441 X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
1442 X509_CRL_set_nextUpdate(crl, tmptm);
1443
1444 ASN1_TIME_free(tmptm);
1445
1446 for (i=0; i<sk_num(db->data); i++)
1447 {
1448 pp=(char **)sk_value(db->data,i);
1449 if (pp[DB_type][0] == DB_TYPE_REV)
1450 {
1451 if ((r=X509_REVOKED_new()) == NULL) goto err;
1452 j = make_revoked(r, pp[DB_rev_date]);
1453 if (!j) goto err;
1454 if (j == 2) crl_v2 = 1;
1455 if (!BN_hex2bn(&serial, pp[DB_serial]))
1456 goto err;
1457 tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1458 BN_free(serial);
1459 serial = NULL;
1460 if (!tmpser)
1461 goto err;
1462 X509_REVOKED_set_serialNumber(r, tmpser);
1463 ASN1_INTEGER_free(tmpser);
1464 X509_CRL_add0_revoked(crl,r);
1465 }
1466 }
1467
1468 /* sort the data so it will be written in serial
1469 * number order */
1470 X509_CRL_sort(crl);
1471
1472 /* we now have a CRL */
1473 if (verbose) BIO_printf(bio_err,"signing CRL\n");
1474 if (md != NULL)
1475 {
1476 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1477 {
1478 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1479 goto err;
1480 }
1481 }
1482 else
1483 {
1484 #ifndef OPENSSL_NO_DSA
1485 if (pkey->type == EVP_PKEY_DSA)
1486 dgst=EVP_dss1();
1487 else
1488 #endif
1489 dgst=EVP_md5();
1490 }
1491
1492 /* Add any extensions asked for */
1493
1494 if (crl_ext)
1495 {
1496 X509V3_CTX crlctx;
1497 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1498 X509V3_set_nconf(&crlctx, conf);
1499
1500 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1501 crl_ext, crl)) goto err;
1502 }
1503 if (crl_ext || crl_v2)
1504 {
1505 if (!X509_CRL_set_version(crl, 1))
1506 goto err; /* version 2 CRL */
1507 }
1508
1509 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
1510
1511 PEM_write_bio_X509_CRL(Sout,crl);
1512 }
1513 /*****************************************************************/
1514 if (dorevoke)
1515 {
1516 if (infile == NULL)
1517 {
1518 BIO_printf(bio_err,"no input files\n");
1519 goto err;
1520 }
1521 else
1522 {
1523 X509 *revcert;
1524 revcert=load_cert(bio_err, infile, FORMAT_PEM,
1525 NULL, e, infile);
1526 if (revcert == NULL)
1527 goto err;
1528 j=do_revoke(revcert,db, rev_type, rev_arg);
1529 if (j <= 0) goto err;
1530 X509_free(revcert);
1531
1532 strncpy(buf[0],dbfile,BSIZE-4);
1533 #ifndef OPENSSL_SYS_VMS
1534 strcat(buf[0],".new");
1535 #else
1536 strcat(buf[0],"-new");
1537 #endif
1538 if (BIO_write_filename(out,buf[0]) <= 0)
1539 {
1540 perror(dbfile);
1541 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
1542 goto err;
1543 }
1544 j=TXT_DB_write(out,db);
1545 if (j <= 0) goto err;
1546 strncpy(buf[1],dbfile,BSIZE-4);
1547 #ifndef OPENSSL_SYS_VMS
1548 strcat(buf[1],".old");
1549 #else
1550 strcat(buf[1],"-old");
1551 #endif
1552 if (rename(dbfile,buf[1]) < 0)
1553 {
1554 BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
1555 perror("reason");
1556 goto err;
1557 }
1558 if (rename(buf[0],dbfile) < 0)
1559 {
1560 BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
1561 perror("reason");
1562 rename(buf[1],dbfile);
1563 goto err;
1564 }
1565 BIO_printf(bio_err,"Data Base Updated\n");
1566 }
1567 }
1568 /*****************************************************************/
1569 ret=0;
1570 err:
1571 BIO_free_all(Cout);
1572 BIO_free_all(Sout);
1573 BIO_free_all(out);
1574 BIO_free_all(in);
1575
1576 sk_X509_pop_free(cert_sk,X509_free);
1577
1578 if (ret) ERR_print_errors(bio_err);
1579 app_RAND_write_file(randfile, bio_err);
1580 BN_free(serial);
1581 TXT_DB_free(db);
1582 EVP_PKEY_free(pkey);
1583 X509_free(x509);
1584 X509_CRL_free(crl);
1585 NCONF_free(conf);
1586 OBJ_cleanup();
1587 apps_shutdown();
1588 EXIT(ret);
1589 }
1590
1591 static void lookup_fail(char *name, char *tag)
1592 {
1593 BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
1594 }
1595
1596 static unsigned long index_serial_hash(const char **a)
1597 {
1598 const char *n;
1599
1600 n=a[DB_serial];
1601 while (*n == '0') n++;
1602 return(lh_strhash(n));
1603 }
1604
1605 static int index_serial_cmp(const char **a, const char **b)
1606 {
1607 const char *aa,*bb;
1608
1609 for (aa=a[DB_serial]; *aa == '0'; aa++);
1610 for (bb=b[DB_serial]; *bb == '0'; bb++);
1611 return(strcmp(aa,bb));
1612 }
1613
1614 static unsigned long index_name_hash(const char **a)
1615 { return(lh_strhash(a[DB_name])); }
1616
1617 static int index_name_qual(char **a)
1618 { return(a[0][0] == 'V'); }
1619
1620 static int index_name_cmp(const char **a, const char **b)
1621 { return(strcmp(a[DB_name],
1622 b[DB_name])); }
1623
1624 static BIGNUM *load_serial(char *serialfile)
1625 {
1626 BIO *in=NULL;
1627 BIGNUM *ret=NULL;
1628 MS_STATIC char buf[1024];
1629 ASN1_INTEGER *ai=NULL;
1630
1631 if ((in=BIO_new(BIO_s_file())) == NULL)
1632 {
1633 ERR_print_errors(bio_err);
1634 goto err;
1635 }
1636
1637 if (BIO_read_filename(in,serialfile) <= 0)
1638 {
1639 perror(serialfile);
1640 goto err;
1641 }
1642 ai=ASN1_INTEGER_new();
1643 if (ai == NULL) goto err;
1644 if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
1645 {
1646 BIO_printf(bio_err,"unable to load number from %s\n",
1647 serialfile);
1648 goto err;
1649 }
1650 ret=ASN1_INTEGER_to_BN(ai,NULL);
1651 if (ret == NULL)
1652 {
1653 BIO_printf(bio_err,"error converting number from bin to BIGNUM");
1654 goto err;
1655 }
1656 err:
1657 if (in != NULL) BIO_free(in);
1658 if (ai != NULL) ASN1_INTEGER_free(ai);
1659 return(ret);
1660 }
1661
1662 static int save_serial(char *serialfile, BIGNUM *serial)
1663 {
1664 BIO *out;
1665 int ret=0;
1666 ASN1_INTEGER *ai=NULL;
1667
1668 out=BIO_new(BIO_s_file());
1669 if (out == NULL)
1670 {
1671 ERR_print_errors(bio_err);
1672 goto err;
1673 }
1674 if (BIO_write_filename(out,serialfile) <= 0)
1675 {
1676 perror(serialfile);
1677 goto err;
1678 }
1679
1680 if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
1681 {
1682 BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
1683 goto err;
1684 }
1685 i2a_ASN1_INTEGER(out,ai);
1686 BIO_puts(out,"\n");
1687 ret=1;
1688 err:
1689 if (out != NULL) BIO_free_all(out);
1690 if (ai != NULL) ASN1_INTEGER_free(ai);
1691 return(ret);
1692 }
1693
1694 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1695 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1696 BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
1697 int batch, char *ext_sect, CONF *lconf, int verbose,
1698 unsigned long certopt, unsigned long nameopt, int default_op,
1699 int ext_copy)
1700 {
1701 X509_REQ *req=NULL;
1702 BIO *in=NULL;
1703 EVP_PKEY *pktmp=NULL;
1704 int ok= -1,i;
1705
1706 in=BIO_new(BIO_s_file());
1707
1708 if (BIO_read_filename(in,infile) <= 0)
1709 {
1710 perror(infile);
1711 goto err;
1712 }
1713 if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
1714 {
1715 BIO_printf(bio_err,"Error reading certificate request in %s\n",
1716 infile);
1717 goto err;
1718 }
1719 if (verbose)
1720 X509_REQ_print(bio_err,req);
1721
1722 BIO_printf(bio_err,"Check that the request matches the signature\n");
1723
1724 if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
1725 {
1726 BIO_printf(bio_err,"error unpacking public key\n");
1727 goto err;
1728 }
1729 i=X509_REQ_verify(req,pktmp);
1730 EVP_PKEY_free(pktmp);
1731 if (i < 0)
1732 {
1733 ok=0;
1734 BIO_printf(bio_err,"Signature verification problems....\n");
1735 goto err;
1736 }
1737 if (i == 0)
1738 {
1739 ok=0;
1740 BIO_printf(bio_err,"Signature did not match the certificate request\n");
1741 goto err;
1742 }
1743 else
1744 BIO_printf(bio_err,"Signature ok\n");
1745
1746 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate,
1747 days,batch,verbose,req,ext_sect,lconf,
1748 certopt, nameopt, default_op, ext_copy);
1749
1750 err:
1751 if (req != NULL) X509_REQ_free(req);
1752 if (in != NULL) BIO_free(in);
1753 return(ok);
1754 }
1755
1756 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1757 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1758 BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
1759 int batch, char *ext_sect, CONF *lconf, int verbose,
1760 unsigned long certopt, unsigned long nameopt, int default_op,
1761 int ext_copy, ENGINE *e)
1762 {
1763 X509 *req=NULL;
1764 X509_REQ *rreq=NULL;
1765 EVP_PKEY *pktmp=NULL;
1766 int ok= -1,i;
1767
1768 if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
1769 goto err;
1770 if (verbose)
1771 X509_print(bio_err,req);
1772
1773 BIO_printf(bio_err,"Check that the request matches the signature\n");
1774
1775 if ((pktmp=X509_get_pubkey(req)) == NULL)
1776 {
1777 BIO_printf(bio_err,"error unpacking public key\n");
1778 goto err;
1779 }
1780 i=X509_verify(req,pktmp);
1781 EVP_PKEY_free(pktmp);
1782 if (i < 0)
1783 {
1784 ok=0;
1785 BIO_printf(bio_err,"Signature verification problems....\n");
1786 goto err;
1787 }
1788 if (i == 0)
1789 {
1790 ok=0;
1791 BIO_printf(bio_err,"Signature did not match the certificate\n");
1792 goto err;
1793 }
1794 else
1795 BIO_printf(bio_err,"Signature ok\n");
1796
1797 if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
1798 goto err;
1799
1800 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days,
1801 batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
1802 ext_copy);
1803
1804 err:
1805 if (rreq != NULL) X509_REQ_free(rreq);
1806 if (req != NULL) X509_free(req);
1807 return(ok);
1808 }
1809
1810 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1811 STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
1812 char *startdate, char *enddate, long days, int batch, int verbose,
1813 X509_REQ *req, char *ext_sect, CONF *lconf,
1814 unsigned long certopt, unsigned long nameopt, int default_op,
1815 int ext_copy)
1816 {
1817 X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
1818 ASN1_UTCTIME *tm,*tmptm;
1819 ASN1_STRING *str,*str2;
1820 ASN1_OBJECT *obj;
1821 X509 *ret=NULL;
1822 X509_CINF *ci;
1823 X509_NAME_ENTRY *ne;
1824 X509_NAME_ENTRY *tne,*push;
1825 EVP_PKEY *pktmp;
1826 int ok= -1,i,j,last,nid;
1827 char *p;
1828 CONF_VALUE *cv;
1829 char *row[DB_NUMBER],**rrow,**irow=NULL;
1830 char buf[25];
1831
1832 tmptm=ASN1_UTCTIME_new();
1833 if (tmptm == NULL)
1834 {
1835 BIO_printf(bio_err,"malloc error\n");
1836 return(0);
1837 }
1838
1839 for (i=0; i<DB_NUMBER; i++)
1840 row[i]=NULL;
1841
1842 if (subj)
1843 {
1844 X509_NAME *n = do_subject(subj);
1845
1846 if (!n)
1847 {
1848 ERR_print_errors(bio_err);
1849 goto err;
1850 }
1851 X509_REQ_set_subject_name(req,n);
1852 req->req_info->enc.modified = 1;
1853 X509_NAME_free(n);
1854 }
1855
1856 if (default_op)
1857 BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
1858 name=X509_REQ_get_subject_name(req);
1859 for (i=0; i<X509_NAME_entry_count(name); i++)
1860 {
1861 ne= X509_NAME_get_entry(name,i);
1862 str=X509_NAME_ENTRY_get_data(ne);
1863 obj=X509_NAME_ENTRY_get_object(ne);
1864
1865 if (msie_hack)
1866 {
1867 /* assume all type should be strings */
1868 nid=OBJ_obj2nid(ne->object);
1869
1870 if (str->type == V_ASN1_UNIVERSALSTRING)
1871 ASN1_UNIVERSALSTRING_to_string(str);
1872
1873 if ((str->type == V_ASN1_IA5STRING) &&
1874 (nid != NID_pkcs9_emailAddress))
1875 str->type=V_ASN1_T61STRING;
1876
1877 if ((nid == NID_pkcs9_emailAddress) &&
1878 (str->type == V_ASN1_PRINTABLESTRING))
1879 str->type=V_ASN1_IA5STRING;
1880 }
1881
1882 /* check some things */
1883 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1884 (str->type != V_ASN1_IA5STRING))
1885 {
1886 BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
1887 goto err;
1888 }
1889 j=ASN1_PRINTABLE_type(str->data,str->length);
1890 if ( ((j == V_ASN1_T61STRING) &&
1891 (str->type != V_ASN1_T61STRING)) ||
1892 ((j == V_ASN1_IA5STRING) &&
1893 (str->type == V_ASN1_PRINTABLESTRING)))
1894 {
1895 BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
1896 goto err;
1897 }
1898
1899 if (default_op)
1900 old_entry_print(bio_err, obj, str);
1901 }
1902
1903 /* Ok, now we check the 'policy' stuff. */
1904 if ((subject=X509_NAME_new()) == NULL)
1905 {
1906 BIO_printf(bio_err,"Memory allocation failure\n");
1907 goto err;
1908 }
1909
1910 /* take a copy of the issuer name before we mess with it. */
1911 CAname=X509_NAME_dup(x509->cert_info->subject);
1912 if (CAname == NULL) goto err;
1913 str=str2=NULL;
1914
1915 for (i=0; i<sk_CONF_VALUE_num(policy); i++)
1916 {
1917 cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
1918 if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
1919 {
1920 BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
1921 goto err;
1922 }
1923 obj=OBJ_nid2obj(j);
1924
1925 last= -1;
1926 for (;;)
1927 {
1928 /* lookup the object in the supplied name list */
1929 j=X509_NAME_get_index_by_OBJ(name,obj,last);
1930 if (j < 0)
1931 {
1932 if (last != -1) break;
1933 tne=NULL;
1934 }
1935 else
1936 {
1937 tne=X509_NAME_get_entry(name,j);
1938 }
1939 last=j;
1940
1941 /* depending on the 'policy', decide what to do. */
1942 push=NULL;
1943 if (strcmp(cv->value,"optional") == 0)
1944 {
1945 if (tne != NULL)
1946 push=tne;
1947 }
1948 else if (strcmp(cv->value,"supplied") == 0)
1949 {
1950 if (tne == NULL)
1951 {
1952 BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
1953 goto err;
1954 }
1955 else
1956 push=tne;
1957 }
1958 else if (strcmp(cv->value,"match") == 0)
1959 {
1960 int last2;
1961
1962 if (tne == NULL)
1963 {
1964 BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
1965 goto err;
1966 }
1967
1968 last2= -1;
1969
1970 again2:
1971 j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
1972 if ((j < 0) && (last2 == -1))
1973 {
1974 BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
1975 goto err;
1976 }
1977 if (j >= 0)
1978 {
1979 push=X509_NAME_get_entry(CAname,j);
1980 str=X509_NAME_ENTRY_get_data(tne);
1981 str2=X509_NAME_ENTRY_get_data(push);
1982 last2=j;
1983 if (ASN1_STRING_cmp(str,str2) != 0)
1984 goto again2;
1985 }
1986 if (j < 0)
1987 {
1988 BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
1989 goto err;
1990 }
1991 }
1992 else
1993 {
1994 BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
1995 goto err;
1996 }
1997
1998 if (push != NULL)
1999 {
2000 if (!X509_NAME_add_entry(subject,push, -1, 0))
2001 {
2002 if (push != NULL)
2003 X509_NAME_ENTRY_free(push);
2004 BIO_printf(bio_err,"Memory allocation failure\n");
2005 goto err;
2006 }
2007 }
2008 if (j < 0) break;
2009 }
2010 }
2011
2012 if (preserve)
2013 {
2014 X509_NAME_free(subject);
2015 subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
2016 if (subject == NULL) goto err;
2017 }
2018
2019 if (verbose)
2020 BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
2021
2022 row[DB_name]=X509_NAME_oneline(subject,NULL,0);
2023 row[DB_serial]=BN_bn2hex(serial);
2024 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2025 {
2026 BIO_printf(bio_err,"Memory allocation failure\n");
2027 goto err;
2028 }
2029
2030 rrow=TXT_DB_get_by_index(db,DB_name,row);
2031 if (rrow != NULL)
2032 {
2033 BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
2034 row[DB_name]);
2035 }
2036 else
2037 {
2038 rrow=TXT_DB_get_by_index(db,DB_serial,row);
2039 if (rrow != NULL)
2040 {
2041 BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
2042 row[DB_serial]);
2043 BIO_printf(bio_err," check the database/serial_file for corruption\n");
2044 }
2045 }
2046
2047 if (rrow != NULL)
2048 {
2049 BIO_printf(bio_err,
2050 "The matching entry has the following details\n");
2051 if (rrow[DB_type][0] == 'E')
2052 p="Expired";
2053 else if (rrow[DB_type][0] == 'R')
2054 p="Revoked";
2055 else if (rrow[DB_type][0] == 'V')
2056 p="Valid";
2057 else
2058 p="\ninvalid type, Data base error\n";
2059 BIO_printf(bio_err,"Type :%s\n",p);;
2060 if (rrow[DB_type][0] == 'R')
2061 {
2062 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
2063 BIO_printf(bio_err,"Was revoked on:%s\n",p);
2064 }
2065 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
2066 BIO_printf(bio_err,"Expires on :%s\n",p);
2067 p=rrow[DB_serial]; if (p == NULL) p="undef";
2068 BIO_printf(bio_err,"Serial Number :%s\n",p);
2069 p=rrow[DB_file]; if (p == NULL) p="undef";
2070 BIO_printf(bio_err,"File name :%s\n",p);
2071 p=rrow[DB_name]; if (p == NULL) p="undef";
2072 BIO_printf(bio_err,"Subject Name :%s\n",p);
2073 ok= -1; /* This is now a 'bad' error. */
2074 goto err;
2075 }
2076
2077 /* We are now totally happy, lets make and sign the certificate */
2078 if (verbose)
2079 BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
2080
2081 if ((ret=X509_new()) == NULL) goto err;
2082 ci=ret->cert_info;
2083
2084 #ifdef X509_V3
2085 /* Make it an X509 v3 certificate. */
2086 if (!X509_set_version(x509,2)) goto err;
2087 #endif
2088
2089 if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
2090 goto err;
2091 if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
2092 goto err;
2093
2094 if (strcmp(startdate,"today") == 0)
2095 X509_gmtime_adj(X509_get_notBefore(ret),0);
2096 else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
2097
2098 if (enddate == NULL)
2099 X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
2100 else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
2101
2102 if (!X509_set_subject_name(ret,subject)) goto err;
2103
2104 pktmp=X509_REQ_get_pubkey(req);
2105 i = X509_set_pubkey(ret,pktmp);
2106 EVP_PKEY_free(pktmp);
2107 if (!i) goto err;
2108
2109 /* Lets add the extensions, if there are any */
2110 if (ext_sect)
2111 {
2112 X509V3_CTX ctx;
2113 if (ci->version == NULL)
2114 if ((ci->version=ASN1_INTEGER_new()) == NULL)
2115 goto err;
2116 ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
2117
2118 /* Free the current entries if any, there should not
2119 * be any I believe */
2120 if (ci->extensions != NULL)
2121 sk_X509_EXTENSION_pop_free(ci->extensions,
2122 X509_EXTENSION_free);
2123
2124 ci->extensions = NULL;
2125
2126 /* Initialize the context structure */
2127 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
2128
2129 if (extconf)
2130 {
2131 if (verbose)
2132 BIO_printf(bio_err, "Extra configuration file found\n");
2133
2134 /* Use the extconf configuration db LHASH */
2135 X509V3_set_nconf(&ctx, extconf);
2136
2137 /* Test the structure (needed?) */
2138 /* X509V3_set_ctx_test(&ctx); */
2139
2140 /* Adds exts contained in the configuration file */
2141 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret))
2142 {
2143 BIO_printf(bio_err,
2144 "ERROR: adding extensions in section %s\n",
2145 ext_sect);
2146 ERR_print_errors(bio_err);
2147 goto err;
2148 }
2149 if (verbose)
2150 BIO_printf(bio_err, "Successfully added extensions from file.\n");
2151 }
2152 else if (ext_sect)
2153 {
2154 /* We found extensions to be set from config file */
2155 X509V3_set_nconf(&ctx, lconf);
2156
2157 if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret))
2158 {
2159 BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
2160 ERR_print_errors(bio_err);
2161 goto err;
2162 }
2163
2164 if (verbose)
2165 BIO_printf(bio_err, "Successfully added extensions from config\n");
2166 }
2167 }
2168
2169 /* Copy extensions from request (if any) */
2170
2171 if (!copy_extensions(ret, req, ext_copy))
2172 {
2173 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
2174 ERR_print_errors(bio_err);
2175 goto err;
2176 }
2177
2178
2179 if (!default_op)
2180 {
2181 BIO_printf(bio_err, "Certificate Details:\n");
2182 /* Never print signature details because signature not present */
2183 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2184 X509_print_ex(bio_err, ret, nameopt, certopt);
2185 }
2186
2187 BIO_printf(bio_err,"Certificate is to be certified until ");
2188 ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
2189 if (days) BIO_printf(bio_err," (%d days)",days);
2190 BIO_printf(bio_err, "\n");
2191
2192 if (!batch)
2193 {
2194
2195 BIO_printf(bio_err,"Sign the certificate? [y/n]:");
2196 (void)BIO_flush(bio_err);
2197 buf[0]='\0';
2198 fgets(buf,sizeof(buf)-1,stdin);
2199 if (!((buf[0] == 'y') || (buf[0] == 'Y')))
2200 {
2201 BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
2202 ok=0;
2203 goto err;
2204 }
2205 }
2206
2207
2208 #ifndef OPENSSL_NO_DSA
2209 if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
2210 pktmp=X509_get_pubkey(ret);
2211 if (EVP_PKEY_missing_parameters(pktmp) &&
2212 !EVP_PKEY_missing_parameters(pkey))
2213 EVP_PKEY_copy_parameters(pktmp,pkey);
2214 EVP_PKEY_free(pktmp);
2215 #endif
2216
2217 if (!X509_sign(ret,pkey,dgst))
2218 goto err;
2219
2220 /* We now just add it to the database */
2221 row[DB_type]=(char *)OPENSSL_malloc(2);
2222
2223 tm=X509_get_notAfter(ret);
2224 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2225 memcpy(row[DB_exp_date],tm->data,tm->length);
2226 row[DB_exp_date][tm->length]='\0';
2227
2228 row[DB_rev_date]=NULL;
2229
2230 /* row[DB_serial] done already */
2231 row[DB_file]=(char *)OPENSSL_malloc(8);
2232 /* row[DB_name] done already */
2233
2234 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2235 (row[DB_file] == NULL))
2236 {
2237 BIO_printf(bio_err,"Memory allocation failure\n");
2238 goto err;
2239 }
2240 strcpy(row[DB_file],"unknown");
2241 row[DB_type][0]='V';
2242 row[DB_type][1]='\0';
2243
2244 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2245 {
2246 BIO_printf(bio_err,"Memory allocation failure\n");
2247 goto err;
2248 }
2249
2250 for (i=0; i<DB_NUMBER; i++)
2251 {
2252 irow[i]=row[i];
2253 row[i]=NULL;
2254 }
2255 irow[DB_NUMBER]=NULL;
2256
2257 if (!TXT_DB_insert(db,irow))
2258 {
2259 BIO_printf(bio_err,"failed to update database\n");
2260 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
2261 goto err;
2262 }
2263 ok=1;
2264 err:
2265 for (i=0; i<DB_NUMBER; i++)
2266 if (row[i] != NULL) OPENSSL_free(row[i]);
2267
2268 if (CAname != NULL)
2269 X509_NAME_free(CAname);
2270 if (subject != NULL)
2271 X509_NAME_free(subject);
2272 if (tmptm != NULL)
2273 ASN1_UTCTIME_free(tmptm);
2274 if (ok <= 0)
2275 {
2276 if (ret != NULL) X509_free(ret);
2277 ret=NULL;
2278 }
2279 else
2280 *xret=ret;
2281 return(ok);
2282 }
2283
2284 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
2285 {
2286
2287 if (output_der)
2288 {
2289 (void)i2d_X509_bio(bp,x);
2290 return;
2291 }
2292 #if 0
2293 /* ??? Not needed since X509_print prints all this stuff anyway */
2294 f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
2295 BIO_printf(bp,"issuer :%s\n",f);
2296
2297 f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
2298 BIO_printf(bp,"subject:%s\n",f);
2299
2300 BIO_puts(bp,"serial :");
2301 i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
2302 BIO_puts(bp,"\n\n");
2303 #endif
2304 if (!notext)X509_print(bp,x);
2305 PEM_write_bio_X509(bp,x);
2306 }
2307
2308 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
2309 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
2310 BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
2311 char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
2312 unsigned long nameopt, int default_op, int ext_copy)
2313 {
2314 STACK_OF(CONF_VALUE) *sk=NULL;
2315 LHASH *parms=NULL;
2316 X509_REQ *req=NULL;
2317 CONF_VALUE *cv=NULL;
2318 NETSCAPE_SPKI *spki = NULL;
2319 X509_REQ_INFO *ri;
2320 char *type,*buf;
2321 EVP_PKEY *pktmp=NULL;
2322 X509_NAME *n=NULL;
2323 X509_NAME_ENTRY *ne=NULL;
2324 int ok= -1,i,j;
2325 long errline;
2326 int nid;
2327
2328 /*
2329 * Load input file into a hash table. (This is just an easy
2330 * way to read and parse the file, then put it into a convenient
2331 * STACK format).
2332 */
2333 parms=CONF_load(NULL,infile,&errline);
2334 if (parms == NULL)
2335 {
2336 BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
2337 ERR_print_errors(bio_err);
2338 goto err;
2339 }
2340
2341 sk=CONF_get_section(parms, "default");
2342 if (sk_CONF_VALUE_num(sk) == 0)
2343 {
2344 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2345 CONF_free(parms);
2346 goto err;
2347 }
2348
2349 /*
2350 * Now create a dummy X509 request structure. We don't actually
2351 * have an X509 request, but we have many of the components
2352 * (a public key, various DN components). The idea is that we
2353 * put these components into the right X509 request structure
2354 * and we can use the same code as if you had a real X509 request.
2355 */
2356 req=X509_REQ_new();
2357 if (req == NULL)
2358 {
2359 ERR_print_errors(bio_err);
2360 goto err;
2361 }
2362
2363 /*
2364 * Build up the subject name set.
2365 */
2366 ri=req->req_info;
2367 n = ri->subject;
2368
2369 for (i = 0; ; i++)
2370 {
2371 if (sk_CONF_VALUE_num(sk) <= i) break;
2372
2373 cv=sk_CONF_VALUE_value(sk,i);
2374 type=cv->name;
2375 /* Skip past any leading X. X: X, etc to allow for
2376 * multiple instances
2377 */
2378 for (buf = cv->name; *buf ; buf++)
2379 if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
2380 {
2381 buf++;
2382 if (*buf) type = buf;
2383 break;
2384 }
2385
2386 buf=cv->value;
2387 if ((nid=OBJ_txt2nid(type)) == NID_undef)
2388 {
2389 if (strcmp(type, "SPKAC") == 0)
2390 {
2391 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2392 if (spki == NULL)
2393 {
2394 BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
2395 ERR_print_errors(bio_err);
2396 goto err;
2397 }
2398 }
2399 continue;
2400 }
2401
2402 j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
2403 if (fix_data(nid, &j) == 0)
2404 {
2405 BIO_printf(bio_err,
2406 "invalid characters in string %s\n",buf);
2407 goto err;
2408 }
2409
2410 if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
2411 (unsigned char *)buf,
2412 strlen(buf))) == NULL)
2413 goto err;
2414
2415 if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
2416 }
2417 if (spki == NULL)
2418 {
2419 BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
2420 infile);
2421 goto err;
2422 }
2423
2424 /*
2425 * Now extract the key from the SPKI structure.
2426 */
2427
2428 BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
2429
2430 if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
2431 {
2432 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
2433 goto err;
2434 }
2435
2436 j = NETSCAPE_SPKI_verify(spki, pktmp);
2437 if (j <= 0)
2438 {
2439 BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
2440 goto err;
2441 }
2442 BIO_printf(bio_err,"Signature ok\n");
2443
2444 X509_REQ_set_pubkey(req,pktmp);
2445 EVP_PKEY_free(pktmp);
2446 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,
2447 days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
2448 ext_copy);
2449 err:
2450 if (req != NULL) X509_REQ_free(req);
2451 if (parms != NULL) CONF_free(parms);
2452 if (spki != NULL) NETSCAPE_SPKI_free(spki);
2453 if (ne != NULL) X509_NAME_ENTRY_free(ne);
2454
2455 return(ok);
2456 }
2457
2458 static int fix_data(int nid, int *type)
2459 {
2460 if (nid == NID_pkcs9_emailAddress)
2461 *type=V_ASN1_IA5STRING;
2462 if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
2463 *type=V_ASN1_T61STRING;
2464 if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
2465 *type=V_ASN1_T61STRING;
2466 if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
2467 return(0);
2468 if (nid == NID_pkcs9_unstructuredName)
2469 *type=V_ASN1_IA5STRING;
2470 return(1);
2471 }
2472
2473 static int check_time_format(char *str)
2474 {
2475 ASN1_UTCTIME tm;
2476
2477 tm.data=(unsigned char *)str;
2478 tm.length=strlen(str);
2479 tm.type=V_ASN1_UTCTIME;
2480 return(ASN1_UTCTIME_check(&tm));
2481 }
2482
2483 static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
2484 {
2485 ASN1_UTCTIME *tm=NULL;
2486 char *row[DB_NUMBER],**rrow,**irow;
2487 char *rev_str = NULL;
2488 BIGNUM *bn = NULL;
2489 int ok=-1,i;
2490
2491 for (i=0; i<DB_NUMBER; i++)
2492 row[i]=NULL;
2493 row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
2494 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
2495 row[DB_serial]=BN_bn2hex(bn);
2496 BN_free(bn);
2497 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2498 {
2499 BIO_printf(bio_err,"Memory allocation failure\n");
2500 goto err;
2501 }
2502 /* We have to lookup by serial number because name lookup
2503 * skips revoked certs
2504 */
2505 rrow=TXT_DB_get_by_index(db,DB_serial,row);
2506 if (rrow == NULL)
2507 {
2508 BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
2509
2510 /* We now just add it to the database */
2511 row[DB_type]=(char *)OPENSSL_malloc(2);
2512
2513 tm=X509_get_notAfter(x509);
2514 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2515 memcpy(row[DB_exp_date],tm->data,tm->length);
2516 row[DB_exp_date][tm->length]='\0';
2517
2518 row[DB_rev_date]=NULL;
2519
2520 /* row[DB_serial] done already */
2521 row[DB_file]=(char *)OPENSSL_malloc(8);
2522
2523 /* row[DB_name] done already */
2524
2525 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2526 (row[DB_file] == NULL))
2527 {
2528 BIO_printf(bio_err,"Memory allocation failure\n");
2529 goto err;
2530 }
2531 strcpy(row[DB_file],"unknown");
2532 row[DB_type][0]='V';
2533 row[DB_type][1]='\0';
2534
2535 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2536 {
2537 BIO_printf(bio_err,"Memory allocation failure\n");
2538 goto err;
2539 }
2540
2541 for (i=0; i<DB_NUMBER; i++)
2542 {
2543 irow[i]=row[i];
2544 row[i]=NULL;
2545 }
2546 irow[DB_NUMBER]=NULL;
2547
2548 if (!TXT_DB_insert(db,irow))
2549 {
2550 BIO_printf(bio_err,"failed to update database\n");
2551 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
2552 goto err;
2553 }
2554
2555 /* Revoke Certificate */
2556 ok = do_revoke(x509,db, type, value);
2557
2558 goto err;
2559
2560 }
2561 else if (index_name_cmp((const char **)row,(const char **)rrow))
2562 {
2563 BIO_printf(bio_err,"ERROR:name does not match %s\n",
2564 row[DB_name]);
2565 goto err;
2566 }
2567 else if (rrow[DB_type][0]=='R')
2568 {
2569 BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
2570 row[DB_serial]);
2571 goto err;
2572 }
2573 else
2574 {
2575 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
2576 rev_str = make_revocation_str(type, value);
2577 if (!rev_str)
2578 {
2579 BIO_printf(bio_err, "Error in revocation arguments\n");
2580 goto err;
2581 }
2582 rrow[DB_type][0]='R';
2583 rrow[DB_type][1]='\0';
2584 rrow[DB_rev_date] = rev_str;
2585 }
2586 ok=1;
2587 err:
2588 for (i=0; i<DB_NUMBER; i++)
2589 {
2590 if (row[i] != NULL)
2591 OPENSSL_free(row[i]);
2592 }
2593 return(ok);
2594 }
2595
2596 static int get_certificate_status(const char *serial, TXT_DB *db)
2597 {
2598 char *row[DB_NUMBER],**rrow;
2599 int ok=-1,i;
2600
2601 /* Free Resources */
2602 for (i=0; i<DB_NUMBER; i++)
2603 row[i]=NULL;
2604
2605 /* Malloc needed char spaces */
2606 row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
2607 if (row[DB_serial] == NULL)
2608 {
2609 BIO_printf(bio_err,"Malloc failure\n");
2610 goto err;
2611 }
2612
2613 if (strlen(serial) % 2)
2614 {
2615 /* Set the first char to 0 */;
2616 row[DB_serial][0]='0';
2617
2618 /* Copy String from serial to row[DB_serial] */
2619 memcpy(row[DB_serial]+1, serial, strlen(serial));
2620 row[DB_serial][strlen(serial)+1]='\0';
2621 }
2622 else
2623 {
2624 /* Copy String from serial to row[DB_serial] */
2625 memcpy(row[DB_serial], serial, strlen(serial));
2626 row[DB_serial][strlen(serial)]='\0';
2627 }
2628
2629 /* Make it Upper Case */
2630 for (i=0; row[DB_serial][i] != '\0'; i++)
2631 row[DB_serial][i] = toupper(row[DB_serial][i]);
2632
2633
2634 ok=1;
2635
2636 /* Search for the certificate */
2637 rrow=TXT_DB_get_by_index(db,DB_serial,row);
2638 if (rrow == NULL)
2639 {
2640 BIO_printf(bio_err,"Serial %s not present in db.\n",
2641 row[DB_serial]);
2642 ok=-1;
2643 goto err;
2644 }
2645 else if (rrow[DB_type][0]=='V')
2646 {
2647 BIO_printf(bio_err,"%s=Valid (%c)\n",
2648 row[DB_serial], rrow[DB_type][0]);
2649 goto err;
2650 }
2651 else if (rrow[DB_type][0]=='R')
2652 {
2653 BIO_printf(bio_err,"%s=Revoked (%c)\n",
2654 row[DB_serial], rrow[DB_type][0]);
2655 goto err;
2656 }
2657 else if (rrow[DB_type][0]=='E')
2658 {
2659 BIO_printf(bio_err,"%s=Expired (%c)\n",
2660 row[DB_serial], rrow[DB_type][0]);
2661 goto err;
2662 }
2663 else if (rrow[DB_type][0]=='S')
2664 {
2665 BIO_printf(bio_err,"%s=Suspended (%c)\n",
2666 row[DB_serial], rrow[DB_type][0]);
2667 goto err;
2668 }
2669 else
2670 {
2671 BIO_printf(bio_err,"%s=Unknown (%c).\n",
2672 row[DB_serial], rrow[DB_type][0]);
2673 ok=-1;
2674 }
2675 err:
2676 for (i=0; i<DB_NUMBER; i++)
2677 {
2678 if (row[i] != NULL)
2679 OPENSSL_free(row[i]);
2680 }
2681 return(ok);
2682 }
2683
2684 static int do_updatedb (TXT_DB *db)
2685 {
2686 ASN1_UTCTIME *a_tm = NULL;
2687 int i, cnt = 0;
2688 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2689 char **rrow, *a_tm_s;
2690
2691 a_tm = ASN1_UTCTIME_new();
2692
2693 /* get actual time and make a string */
2694 a_tm = X509_gmtime_adj(a_tm, 0);
2695 a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
2696 if (a_tm_s == NULL)
2697 {
2698 cnt = -1;
2699 goto err;
2700 }
2701
2702 memcpy(a_tm_s, a_tm->data, a_tm->length);
2703 a_tm_s[a_tm->length] = '\0';
2704
2705 if (strncmp(a_tm_s, "49", 2) <= 0)
2706 a_y2k = 1;
2707 else
2708 a_y2k = 0;
2709
2710 for (i = 0; i < sk_num(db->data); i++)
2711 {
2712 rrow = (char **) sk_value(db->data, i);
2713
2714 if (rrow[DB_type][0] == 'V')
2715 {
2716 /* ignore entries that are not valid */
2717 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2718 db_y2k = 1;
2719 else
2720 db_y2k = 0;
2721
2722 if (db_y2k == a_y2k)
2723 {
2724 /* all on the same y2k side */
2725 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
2726 {
2727 rrow[DB_type][0] = 'E';
2728 rrow[DB_type][1] = '\0';
2729 cnt++;
2730
2731 BIO_printf(bio_err, "%s=Expired\n",
2732 rrow[DB_serial]);
2733 }
2734 }
2735 else if (db_y2k < a_y2k)
2736 {
2737 rrow[DB_type][0] = 'E';
2738 rrow[DB_type][1] = '\0';
2739 cnt++;
2740
2741 BIO_printf(bio_err, "%s=Expired\n",
2742 rrow[DB_serial]);
2743 }
2744
2745 }
2746 }
2747
2748 err:
2749
2750 ASN1_UTCTIME_free(a_tm);
2751 OPENSSL_free(a_tm_s);
2752
2753 return (cnt);
2754 }
2755
2756 static char *crl_reasons[] = {
2757 /* CRL reason strings */
2758 "unspecified",
2759 "keyCompromise",
2760 "CACompromise",
2761 "affiliationChanged",
2762 "superseded",
2763 "cessationOfOperation",
2764 "certificateHold",
2765 "removeFromCRL",
2766 /* Additional pseudo reasons */
2767 "holdInstruction",
2768 "keyTime",
2769 "CAkeyTime"
2770 };
2771
2772 #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2773
2774 /* Given revocation information convert to a DB string.
2775 * The format of the string is:
2776 * revtime[,reason,extra]. Where 'revtime' is the
2777 * revocation time (the current time). 'reason' is the
2778 * optional CRL reason and 'extra' is any additional
2779 * argument
2780 */
2781
2782 char *make_revocation_str(int rev_type, char *rev_arg)
2783 {
2784 char *reason = NULL, *other = NULL, *str;
2785 ASN1_OBJECT *otmp;
2786 ASN1_UTCTIME *revtm = NULL;
2787 int i;
2788 switch (rev_type)
2789 {
2790 case REV_NONE:
2791 break;
2792
2793 case REV_CRL_REASON:
2794 for (i = 0; i < 8; i++)
2795 {
2796 if (!strcasecmp(rev_arg, crl_reasons[i]))
2797 {
2798 reason = crl_reasons[i];
2799 break;
2800 }
2801 }
2802 if (reason == NULL)
2803 {
2804 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2805 return NULL;
2806 }
2807 break;
2808
2809 case REV_HOLD:
2810 /* Argument is an OID */
2811
2812 otmp = OBJ_txt2obj(rev_arg, 0);
2813 ASN1_OBJECT_free(otmp);
2814
2815 if (otmp == NULL)
2816 {
2817 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2818 return NULL;
2819 }
2820
2821 reason = "holdInstruction";
2822 other = rev_arg;
2823 break;
2824
2825 case REV_KEY_COMPROMISE:
2826 case REV_CA_COMPROMISE:
2827
2828 /* Argument is the key compromise time */
2829 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
2830 {
2831 BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
2832 return NULL;
2833 }
2834 other = rev_arg;
2835 if (rev_type == REV_KEY_COMPROMISE)
2836 reason = "keyTime";
2837 else
2838 reason = "CAkeyTime";
2839
2840 break;
2841
2842 }
2843
2844 revtm = X509_gmtime_adj(NULL, 0);
2845
2846 i = revtm->length + 1;
2847
2848 if (reason) i += strlen(reason) + 1;
2849 if (other) i += strlen(other) + 1;
2850
2851 str = OPENSSL_malloc(i);
2852
2853 if (!str) return NULL;
2854
2855 strcpy(str, (char *)revtm->data);
2856 if (reason)
2857 {
2858 strcat(str, ",");
2859 strcat(str, reason);
2860 }
2861 if (other)
2862 {
2863 strcat(str, ",");
2864 strcat(str, other);
2865 }
2866 ASN1_UTCTIME_free(revtm);
2867 return str;
2868 }
2869
2870 /* Convert revocation field to X509_REVOKED entry
2871 * return code:
2872 * 0 error
2873 * 1 OK
2874 * 2 OK and some extensions added (i.e. V2 CRL)
2875 */
2876
2877
2878 int make_revoked(X509_REVOKED *rev, char *str)
2879 {
2880 char *tmp = NULL;
2881 int reason_code = -1;
2882 int i, ret = 0;
2883 ASN1_OBJECT *hold = NULL;
2884 ASN1_GENERALIZEDTIME *comp_time = NULL;
2885 ASN1_ENUMERATED *rtmp = NULL;
2886
2887 ASN1_TIME *revDate = NULL;
2888
2889 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2890
2891 if (i == 0)
2892 goto err;
2893
2894 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2895 goto err;
2896
2897 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
2898 {
2899 rtmp = ASN1_ENUMERATED_new();
2900 if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2901 goto err;
2902 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2903 goto err;
2904 }
2905
2906 if (rev && comp_time)
2907 {
2908 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
2909 goto err;
2910 }
2911 if (rev && hold)
2912 {
2913 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
2914 goto err;
2915 }
2916
2917 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2918 ret = 2;
2919 else ret = 1;
2920
2921 err:
2922
2923 if (tmp) OPENSSL_free(tmp);
2924 ASN1_OBJECT_free(hold);
2925 ASN1_GENERALIZEDTIME_free(comp_time);
2926 ASN1_ENUMERATED_free(rtmp);
2927 ASN1_TIME_free(revDate);
2928
2929 return ret;
2930 }
2931
2932 static X509_NAME *do_subject(char *subject)
2933 {
2934 X509_NAME *n = NULL;
2935
2936 int i, nid, ne_num=0;
2937
2938 char *ne_name = NULL;
2939 char *ne_value = NULL;
2940
2941 char *tmp = NULL;
2942 char *p[2];
2943
2944 char *str_list[256];
2945
2946 p[0] = ",/";
2947 p[1] = "=";
2948
2949 n = X509_NAME_new();
2950
2951 tmp = strtok(subject, p[0]);
2952 while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
2953 {
2954 char *token = tmp;
2955
2956 while (token[0] == ' ')
2957 token++;
2958 str_list[ne_num] = token;
2959
2960 tmp = strtok(NULL, p[0]);
2961 ne_num++;
2962 }
2963
2964 for (i = 0; i < ne_num; i++)
2965 {
2966 ne_name = strtok(str_list[i], p[1]);
2967 ne_value = strtok(NULL, p[1]);
2968
2969 if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
2970 {
2971 BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
2972 continue;
2973 }
2974
2975 if (ne_value == NULL)
2976 {
2977 BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
2978 continue;
2979 }
2980
2981 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
2982 {
2983 X509_NAME_free(n);
2984 return NULL;
2985 }
2986 }
2987
2988 return n;
2989 }
2990
2991
2992 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
2993 {
2994 char buf[25],*pbuf, *p;
2995 int j;
2996 j=i2a_ASN1_OBJECT(bp,obj);
2997 pbuf=buf;
2998 for (j=22-j; j>0; j--)
2999 *(pbuf++)=' ';
3000 *(pbuf++)=':';
3001 *(pbuf++)='\0';
3002 BIO_puts(bp,buf);
3003
3004 if (str->type == V_ASN1_PRINTABLESTRING)
3005 BIO_printf(bp,"PRINTABLE:'");
3006 else if (str->type == V_ASN1_T61STRING)
3007 BIO_printf(bp,"T61STRING:'");
3008 else if (str->type == V_ASN1_IA5STRING)
3009 BIO_printf(bp,"IA5STRING:'");
3010 else if (str->type == V_ASN1_UNIVERSALSTRING)
3011 BIO_printf(bp,"UNIVERSALSTRING:'");
3012 else
3013 BIO_printf(bp,"ASN.1 %2d:'",str->type);
3014
3015 p=(char *)str->data;
3016 for (j=str->length; j>0; j--)
3017 {
3018 if ((*p >= ' ') && (*p <= '~'))
3019 BIO_printf(bp,"%c",*p);
3020 else if (*p & 0x80)
3021 BIO_printf(bp,"\\0x%02X",*p);
3022 else if ((unsigned char)*p == 0xf7)
3023 BIO_printf(bp,"^?");
3024 else BIO_printf(bp,"^%c",*p+'@');
3025 p++;
3026 }
3027 BIO_printf(bp,"'\n");
3028 return 1;
3029 }
3030
3031 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
3032 {
3033 char *tmp = NULL;
3034 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
3035 int reason_code = -1;
3036 int i, ret = 0;
3037 ASN1_OBJECT *hold = NULL;
3038 ASN1_GENERALIZEDTIME *comp_time = NULL;
3039 tmp = BUF_strdup(str);
3040
3041 p = strchr(tmp, ',');
3042
3043 rtime_str = tmp;
3044
3045 if (p)
3046 {
3047 *p = '\0';
3048 p++;
3049 reason_str = p;
3050 p = strchr(p, ',');
3051 if (p)
3052 {
3053 *p = '\0';
3054 arg_str = p + 1;
3055 }
3056 }
3057
3058 if (prevtm)
3059 {
3060 *prevtm = ASN1_UTCTIME_new();
3061 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
3062 {
3063 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
3064 goto err;
3065 }
3066 }
3067 if (reason_str)
3068 {
3069 for (i = 0; i < NUM_REASONS; i++)
3070 {
3071 if(!strcasecmp(reason_str, crl_reasons[i]))
3072 {
3073 reason_code = i;
3074 break;
3075 }
3076 }
3077 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
3078 {
3079 BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
3080 goto err;
3081 }
3082
3083 if (reason_code == 7)
3084 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
3085 else if (reason_code == 8) /* Hold instruction */
3086 {
3087 if (!arg_str)
3088 {
3089 BIO_printf(bio_err, "missing hold instruction\n");
3090 goto err;
3091 }
3092 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
3093 hold = OBJ_txt2obj(arg_str, 0);
3094
3095 if (!hold)
3096 {
3097 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
3098 goto err;
3099 }
3100 if (phold) *phold = hold;
3101 }
3102 else if ((reason_code == 9) || (reason_code == 10))
3103 {
3104 if (!arg_str)
3105 {
3106 BIO_printf(bio_err, "missing compromised time\n");
3107 goto err;
3108 }
3109 comp_time = ASN1_GENERALIZEDTIME_new();
3110 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
3111 {
3112 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
3113 goto err;
3114 }
3115 if (reason_code == 9)
3116 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
3117 else
3118 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
3119 }
3120 }
3121
3122 if (preason) *preason = reason_code;
3123 if (pinvtm) *pinvtm = comp_time;
3124 else ASN1_GENERALIZEDTIME_free(comp_time);
3125
3126 ret = 1;
3127
3128 err:
3129
3130 if (tmp) OPENSSL_free(tmp);
3131 if (!phold) ASN1_OBJECT_free(hold);
3132 if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
3133
3134 return ret;
3135 }
3136
3137 int make_serial_index(TXT_DB *db)
3138 {
3139 if (!TXT_DB_create_index(db, DB_serial, NULL,
3140 LHASH_HASH_FN(index_serial_hash),
3141 LHASH_COMP_FN(index_serial_cmp)))
3142 {
3143 BIO_printf(bio_err,
3144 "error creating serial number index:(%ld,%ld,%ld)\n",
3145 db->error,db->arg1,db->arg2);
3146 return 0;
3147 }
3148 return 1;
3149 }
A mirror of the official openssl repository