]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/ca.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Allow multi-valued rdns in subjects. This adds the -multivalue-rdn option
[thirdparty/openssl.git] / apps / ca.c
1 /* apps/ca.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <ctype.h>
65 #include <sys/types.h>
66 #include <sys/stat.h>
67 #include <openssl/conf.h>
68 #include <openssl/bio.h>
69 #include <openssl/err.h>
70 #include <openssl/bn.h>
71 #include <openssl/txt_db.h>
72 #include <openssl/evp.h>
73 #include <openssl/x509.h>
74 #include <openssl/x509v3.h>
75 #include <openssl/objects.h>
76 #include <openssl/ocsp.h>
77 #include <openssl/pem.h>
78
79 #ifndef W_OK
80 # ifdef OPENSSL_SYS_VMS
81 # if defined(__DECC)
82 # include <unistd.h>
83 # else
84 # include <unixlib.h>
85 # endif
86 # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
87 # include <sys/file.h>
88 # endif
89 #endif
90
91 #include "apps.h"
92
93 #ifndef W_OK
94 # define F_OK 0
95 # define X_OK 1
96 # define W_OK 2
97 # define R_OK 4
98 #endif
99
100 #undef PROG
101 #define PROG ca_main
102
103 #define BASE_SECTION "ca"
104 #define CONFIG_FILE "openssl.cnf"
105
106 #define ENV_DEFAULT_CA "default_ca"
107
108 #define ENV_DIR "dir"
109 #define ENV_CERTS "certs"
110 #define ENV_CRL_DIR "crl_dir"
111 #define ENV_CA_DB "CA_DB"
112 #define ENV_NEW_CERTS_DIR "new_certs_dir"
113 #define ENV_CERTIFICATE "certificate"
114 #define ENV_SERIAL "serial"
115 #define ENV_CRLNUMBER "crlnumber"
116 #define ENV_CRL "crl"
117 #define ENV_PRIVATE_KEY "private_key"
118 #define ENV_RANDFILE "RANDFILE"
119 #define ENV_DEFAULT_DAYS "default_days"
120 #define ENV_DEFAULT_STARTDATE "default_startdate"
121 #define ENV_DEFAULT_ENDDATE "default_enddate"
122 #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
123 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
124 #define ENV_DEFAULT_MD "default_md"
125 #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
126 #define ENV_PRESERVE "preserve"
127 #define ENV_POLICY "policy"
128 #define ENV_EXTENSIONS "x509_extensions"
129 #define ENV_CRLEXT "crl_extensions"
130 #define ENV_MSIE_HACK "msie_hack"
131 #define ENV_NAMEOPT "name_opt"
132 #define ENV_CERTOPT "cert_opt"
133 #define ENV_EXTCOPY "copy_extensions"
134
135 #define ENV_DATABASE "database"
136
137 /* Additional revocation information types */
138
139 #define REV_NONE 0 /* No addditional information */
140 #define REV_CRL_REASON 1 /* Value is CRL reason code */
141 #define REV_HOLD 2 /* Value is hold instruction */
142 #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
143 #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
144
145 static char *ca_usage[]={
146 "usage: ca args\n",
147 "\n",
148 " -verbose - Talk alot while doing things\n",
149 " -config file - A config file\n",
150 " -name arg - The particular CA definition to use\n",
151 " -gencrl - Generate a new CRL\n",
152 " -crldays days - Days is when the next CRL is due\n",
153 " -crlhours hours - Hours is when the next CRL is due\n",
154 " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
155 " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
156 " -days arg - number of days to certify the certificate for\n",
157 " -md arg - md to use, one of md2, md5, sha or sha1\n",
158 " -policy arg - The CA 'policy' to support\n",
159 " -keyfile arg - private key file\n",
160 " -keyform arg - private key file format (PEM or ENGINE)\n",
161 " -key arg - key to decode the private key if it is encrypted\n",
162 " -cert file - The CA certificate\n",
163 " -selfsign - sign a certificate with the key associated with it\n",
164 " -in file - The input PEM encoded certificate request(s)\n",
165 " -out file - Where to put the output file(s)\n",
166 " -outdir dir - Where to put output certificates\n",
167 " -infiles .... - The last argument, requests to process\n",
168 " -spkac file - File contains DN and signed public key and challenge\n",
169 " -ss_cert file - File contains a self signed cert to sign\n",
170 " -preserveDN - Don't re-order the DN\n",
171 " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
172 " -batch - Don't ask questions\n",
173 " -msie_hack - msie modifications to handle all those universal strings\n",
174 " -revoke file - Revoke a certificate (given in file)\n",
175 " -subj arg - Use arg instead of request's subject\n",
176 " -multivalue-rdn - enable support for multivalued RDNs\n",
177 " -extensions .. - Extension section (override value in config file)\n",
178 " -extfile file - Configuration file with X509v3 extentions to add\n",
179 " -crlexts .. - CRL extension section (override value in config file)\n",
180 #ifndef OPENSSL_NO_ENGINE
181 " -engine e - use engine e, possibly a hardware device.\n",
182 #endif
183 " -status serial - Shows certificate status given the serial number\n",
184 " -updatedb - Updates db for expired certificates\n",
185 NULL
186 };
187
188 #ifdef EFENCE
189 extern int EF_PROTECT_FREE;
190 extern int EF_PROTECT_BELOW;
191 extern int EF_ALIGNMENT;
192 #endif
193
194 static void lookup_fail(char *name,char *tag);
195 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
196 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
197 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate,
198 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
199 int verbose, unsigned long certopt, unsigned long nameopt,
200 int default_op, int ext_copy, int selfsign);
201 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
202 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
203 CA_DB *db, BIGNUM *serial, char *subj, int multirdn, int email_dn,
204 char *startdate, char *enddate, long days, int batch,
205 char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
206 unsigned long nameopt, int default_op, int ext_copy,
207 ENGINE *e);
208 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
209 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
210 CA_DB *db, BIGNUM *serial,char *subj, int multirdn, int email_dn,
211 char *startdate, char *enddate, long days, char *ext_sect,
212 CONF *conf, int verbose, unsigned long certopt,
213 unsigned long nameopt, int default_op, int ext_copy);
214 static int fix_data(int nid, int *type);
215 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
216 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
217 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int multirdn,
218 int email_dn, char *startdate, char *enddate, long days, int batch,
219 int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
220 unsigned long certopt, unsigned long nameopt, int default_op,
221 int ext_copy, int selfsign);
222 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
223 static int get_certificate_status(const char *ser_status, CA_DB *db);
224 static int do_updatedb(CA_DB *db);
225 static int check_time_format(char *str);
226 char *make_revocation_str(int rev_type, char *rev_arg);
227 int make_revoked(X509_REVOKED *rev, char *str);
228 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
229 static CONF *conf=NULL;
230 static CONF *extconf=NULL;
231 static char *section=NULL;
232
233 static int preserve=0;
234 static int msie_hack=0;
235
236
237 int MAIN(int, char **);
238
239 int MAIN(int argc, char **argv)
240 {
241 ENGINE *e = NULL;
242 char *key=NULL,*passargin=NULL;
243 int free_key = 0;
244 int total=0;
245 int total_done=0;
246 int badops=0;
247 int ret=1;
248 int email_dn=1;
249 int req=0;
250 int verbose=0;
251 int gencrl=0;
252 int dorevoke=0;
253 int doupdatedb=0;
254 long crldays=0;
255 long crlhours=0;
256 long errorline= -1;
257 char *configfile=NULL;
258 char *md=NULL;
259 char *policy=NULL;
260 char *keyfile=NULL;
261 char *certfile=NULL;
262 int keyform=FORMAT_PEM;
263 char *infile=NULL;
264 char *spkac_file=NULL;
265 char *ss_cert_file=NULL;
266 char *ser_status=NULL;
267 EVP_PKEY *pkey=NULL;
268 int output_der = 0;
269 char *outfile=NULL;
270 char *outdir=NULL;
271 char *serialfile=NULL;
272 char *crlnumberfile=NULL;
273 char *extensions=NULL;
274 char *extfile=NULL;
275 char *subj=NULL;
276 int multirdn = 0;
277 char *tmp_email_dn=NULL;
278 char *crl_ext=NULL;
279 int rev_type = REV_NONE;
280 char *rev_arg = NULL;
281 BIGNUM *serial=NULL;
282 BIGNUM *crlnumber=NULL;
283 char *startdate=NULL;
284 char *enddate=NULL;
285 long days=0;
286 int batch=0;
287 int notext=0;
288 unsigned long nameopt = 0, certopt = 0;
289 int default_op = 1;
290 int ext_copy = EXT_COPY_NONE;
291 int selfsign = 0;
292 X509 *x509=NULL, *x509p = NULL;
293 X509 *x=NULL;
294 BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
295 char *dbfile=NULL;
296 CA_DB *db=NULL;
297 X509_CRL *crl=NULL;
298 X509_REVOKED *r=NULL;
299 ASN1_TIME *tmptm;
300 ASN1_INTEGER *tmpser;
301 char **pp,*p,*f;
302 int i,j;
303 const EVP_MD *dgst=NULL;
304 STACK_OF(CONF_VALUE) *attribs=NULL;
305 STACK_OF(X509) *cert_sk=NULL;
306 #undef BSIZE
307 #define BSIZE 256
308 MS_STATIC char buf[3][BSIZE];
309 char *randfile=NULL;
310 #ifndef OPENSSL_NO_ENGINE
311 char *engine = NULL;
312 #endif
313 char *tofree=NULL;
314 DB_ATTR db_attr;
315
316 #ifdef EFENCE
317 EF_PROTECT_FREE=1;
318 EF_PROTECT_BELOW=1;
319 EF_ALIGNMENT=0;
320 #endif
321
322 apps_startup();
323
324 conf = NULL;
325 key = NULL;
326 section = NULL;
327
328 preserve=0;
329 msie_hack=0;
330 if (bio_err == NULL)
331 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
332 BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
333
334 argc--;
335 argv++;
336 while (argc >= 1)
337 {
338 if (strcmp(*argv,"-verbose") == 0)
339 verbose=1;
340 else if (strcmp(*argv,"-config") == 0)
341 {
342 if (--argc < 1) goto bad;
343 configfile= *(++argv);
344 }
345 else if (strcmp(*argv,"-name") == 0)
346 {
347 if (--argc < 1) goto bad;
348 section= *(++argv);
349 }
350 else if (strcmp(*argv,"-subj") == 0)
351 {
352 if (--argc < 1) goto bad;
353 subj= *(++argv);
354 /* preserve=1; */
355 }
356 else if (strcmp(*argv,"-multivalue-rdn") == 0)
357 multirdn=1;
358 else if (strcmp(*argv,"-startdate") == 0)
359 {
360 if (--argc < 1) goto bad;
361 startdate= *(++argv);
362 }
363 else if (strcmp(*argv,"-enddate") == 0)
364 {
365 if (--argc < 1) goto bad;
366 enddate= *(++argv);
367 }
368 else if (strcmp(*argv,"-days") == 0)
369 {
370 if (--argc < 1) goto bad;
371 days=atoi(*(++argv));
372 }
373 else if (strcmp(*argv,"-md") == 0)
374 {
375 if (--argc < 1) goto bad;
376 md= *(++argv);
377 }
378 else if (strcmp(*argv,"-policy") == 0)
379 {
380 if (--argc < 1) goto bad;
381 policy= *(++argv);
382 }
383 else if (strcmp(*argv,"-keyfile") == 0)
384 {
385 if (--argc < 1) goto bad;
386 keyfile= *(++argv);
387 }
388 else if (strcmp(*argv,"-keyform") == 0)
389 {
390 if (--argc < 1) goto bad;
391 keyform=str2fmt(*(++argv));
392 }
393 else if (strcmp(*argv,"-passin") == 0)
394 {
395 if (--argc < 1) goto bad;
396 passargin= *(++argv);
397 }
398 else if (strcmp(*argv,"-key") == 0)
399 {
400 if (--argc < 1) goto bad;
401 key= *(++argv);
402 }
403 else if (strcmp(*argv,"-cert") == 0)
404 {
405 if (--argc < 1) goto bad;
406 certfile= *(++argv);
407 }
408 else if (strcmp(*argv,"-selfsign") == 0)
409 selfsign=1;
410 else if (strcmp(*argv,"-in") == 0)
411 {
412 if (--argc < 1) goto bad;
413 infile= *(++argv);
414 req=1;
415 }
416 else if (strcmp(*argv,"-out") == 0)
417 {
418 if (--argc < 1) goto bad;
419 outfile= *(++argv);
420 }
421 else if (strcmp(*argv,"-outdir") == 0)
422 {
423 if (--argc < 1) goto bad;
424 outdir= *(++argv);
425 }
426 else if (strcmp(*argv,"-notext") == 0)
427 notext=1;
428 else if (strcmp(*argv,"-batch") == 0)
429 batch=1;
430 else if (strcmp(*argv,"-preserveDN") == 0)
431 preserve=1;
432 else if (strcmp(*argv,"-noemailDN") == 0)
433 email_dn=0;
434 else if (strcmp(*argv,"-gencrl") == 0)
435 gencrl=1;
436 else if (strcmp(*argv,"-msie_hack") == 0)
437 msie_hack=1;
438 else if (strcmp(*argv,"-crldays") == 0)
439 {
440 if (--argc < 1) goto bad;
441 crldays= atol(*(++argv));
442 }
443 else if (strcmp(*argv,"-crlhours") == 0)
444 {
445 if (--argc < 1) goto bad;
446 crlhours= atol(*(++argv));
447 }
448 else if (strcmp(*argv,"-infiles") == 0)
449 {
450 argc--;
451 argv++;
452 req=1;
453 break;
454 }
455 else if (strcmp(*argv, "-ss_cert") == 0)
456 {
457 if (--argc < 1) goto bad;
458 ss_cert_file = *(++argv);
459 req=1;
460 }
461 else if (strcmp(*argv, "-spkac") == 0)
462 {
463 if (--argc < 1) goto bad;
464 spkac_file = *(++argv);
465 req=1;
466 }
467 else if (strcmp(*argv,"-revoke") == 0)
468 {
469 if (--argc < 1) goto bad;
470 infile= *(++argv);
471 dorevoke=1;
472 }
473 else if (strcmp(*argv,"-extensions") == 0)
474 {
475 if (--argc < 1) goto bad;
476 extensions= *(++argv);
477 }
478 else if (strcmp(*argv,"-extfile") == 0)
479 {
480 if (--argc < 1) goto bad;
481 extfile= *(++argv);
482 }
483 else if (strcmp(*argv,"-status") == 0)
484 {
485 if (--argc < 1) goto bad;
486 ser_status= *(++argv);
487 }
488 else if (strcmp(*argv,"-updatedb") == 0)
489 {
490 doupdatedb=1;
491 }
492 else if (strcmp(*argv,"-crlexts") == 0)
493 {
494 if (--argc < 1) goto bad;
495 crl_ext= *(++argv);
496 }
497 else if (strcmp(*argv,"-crl_reason") == 0)
498 {
499 if (--argc < 1) goto bad;
500 rev_arg = *(++argv);
501 rev_type = REV_CRL_REASON;
502 }
503 else if (strcmp(*argv,"-crl_hold") == 0)
504 {
505 if (--argc < 1) goto bad;
506 rev_arg = *(++argv);
507 rev_type = REV_HOLD;
508 }
509 else if (strcmp(*argv,"-crl_compromise") == 0)
510 {
511 if (--argc < 1) goto bad;
512 rev_arg = *(++argv);
513 rev_type = REV_KEY_COMPROMISE;
514 }
515 else if (strcmp(*argv,"-crl_CA_compromise") == 0)
516 {
517 if (--argc < 1) goto bad;
518 rev_arg = *(++argv);
519 rev_type = REV_CA_COMPROMISE;
520 }
521 #ifndef OPENSSL_NO_ENGINE
522 else if (strcmp(*argv,"-engine") == 0)
523 {
524 if (--argc < 1) goto bad;
525 engine= *(++argv);
526 }
527 #endif
528 else
529 {
530 bad:
531 BIO_printf(bio_err,"unknown option %s\n",*argv);
532 badops=1;
533 break;
534 }
535 argc--;
536 argv++;
537 }
538
539 if (badops)
540 {
541 for (pp=ca_usage; (*pp != NULL); pp++)
542 BIO_printf(bio_err,"%s",*pp);
543 goto err;
544 }
545
546 ERR_load_crypto_strings();
547
548 #ifndef OPENSSL_NO_ENGINE
549 e = setup_engine(bio_err, engine, 0);
550 #endif
551
552 /*****************************************************************/
553 tofree=NULL;
554 if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
555 if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
556 if (configfile == NULL)
557 {
558 const char *s=X509_get_default_cert_area();
559
560 #ifdef OPENSSL_SYS_VMS
561 tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
562 strcpy(tofree,s);
563 #else
564 tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
565 strcpy(tofree,s);
566 strcat(tofree,"/");
567 #endif
568 strcat(tofree,CONFIG_FILE);
569 configfile=tofree;
570 }
571
572 BIO_printf(bio_err,"Using configuration from %s\n",configfile);
573 conf = NCONF_new(NULL);
574 if (NCONF_load(conf,configfile,&errorline) <= 0)
575 {
576 if (errorline <= 0)
577 BIO_printf(bio_err,"error loading the config file '%s'\n",
578 configfile);
579 else
580 BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
581 ,errorline,configfile);
582 goto err;
583 }
584 if(tofree)
585 {
586 OPENSSL_free(tofree);
587 tofree = NULL;
588 }
589
590 if (!load_config(bio_err, conf))
591 goto err;
592
593 /* Lets get the config section we are using */
594 if (section == NULL)
595 {
596 section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
597 if (section == NULL)
598 {
599 lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
600 goto err;
601 }
602 }
603
604 if (conf != NULL)
605 {
606 p=NCONF_get_string(conf,NULL,"oid_file");
607 if (p == NULL)
608 ERR_clear_error();
609 if (p != NULL)
610 {
611 BIO *oid_bio;
612
613 oid_bio=BIO_new_file(p,"r");
614 if (oid_bio == NULL)
615 {
616 /*
617 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
618 ERR_print_errors(bio_err);
619 */
620 ERR_clear_error();
621 }
622 else
623 {
624 OBJ_create_objects(oid_bio);
625 BIO_free(oid_bio);
626 }
627 }
628 if (!add_oid_section(bio_err,conf))
629 {
630 ERR_print_errors(bio_err);
631 goto err;
632 }
633 }
634
635 randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
636 if (randfile == NULL)
637 ERR_clear_error();
638 app_RAND_load_file(randfile, bio_err, 0);
639
640 db_attr.unique_subject = 1;
641 p = NCONF_get_string(conf, section, "unique_subject");
642 if (p)
643 {
644 #ifdef RL_DEBUG
645 BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
646 #endif
647 switch(*p)
648 {
649 case 'f': /* false */
650 case 'F': /* FALSE */
651 case 'n': /* no */
652 case 'N': /* NO */
653 db_attr.unique_subject = 0;
654 break;
655 case 't': /* true */
656 case 'T': /* TRUE */
657 case 'y': /* yes */
658 case 'Y': /* YES */
659 default:
660 db_attr.unique_subject = 1;
661 break;
662 }
663 }
664 #ifdef RL_DEBUG
665 else
666 BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
667 #endif
668 #ifdef RL_DEBUG
669 BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
670 db_attr.unique_subject);
671 #endif
672
673 in=BIO_new(BIO_s_file());
674 out=BIO_new(BIO_s_file());
675 Sout=BIO_new(BIO_s_file());
676 Cout=BIO_new(BIO_s_file());
677 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
678 {
679 ERR_print_errors(bio_err);
680 goto err;
681 }
682
683 /*****************************************************************/
684 /* report status of cert with serial number given on command line */
685 if (ser_status)
686 {
687 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
688 {
689 lookup_fail(section,ENV_DATABASE);
690 goto err;
691 }
692 db = load_index(dbfile,&db_attr);
693 if (db == NULL) goto err;
694
695 if (!index_index(db)) goto err;
696
697 if (get_certificate_status(ser_status,db) != 1)
698 BIO_printf(bio_err,"Error verifying serial %s!\n",
699 ser_status);
700 goto err;
701 }
702
703 /*****************************************************************/
704 /* we definitely need a private key, so let's get it */
705
706 if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
707 section,ENV_PRIVATE_KEY)) == NULL))
708 {
709 lookup_fail(section,ENV_PRIVATE_KEY);
710 goto err;
711 }
712 if (!key)
713 {
714 free_key = 1;
715 if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
716 {
717 BIO_printf(bio_err,"Error getting password\n");
718 goto err;
719 }
720 }
721 pkey = load_key(bio_err, keyfile, keyform, 0, key, e,
722 "CA private key");
723 if (key) OPENSSL_cleanse(key,strlen(key));
724 if (pkey == NULL)
725 {
726 /* load_key() has already printed an appropriate message */
727 goto err;
728 }
729
730 /*****************************************************************/
731 /* we need a certificate */
732 if (!selfsign || spkac_file || ss_cert_file || gencrl)
733 {
734 if ((certfile == NULL)
735 && ((certfile=NCONF_get_string(conf,
736 section,ENV_CERTIFICATE)) == NULL))
737 {
738 lookup_fail(section,ENV_CERTIFICATE);
739 goto err;
740 }
741 x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
742 "CA certificate");
743 if (x509 == NULL)
744 goto err;
745
746 if (!X509_check_private_key(x509,pkey))
747 {
748 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
749 goto err;
750 }
751 }
752 if (!selfsign) x509p = x509;
753
754 f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
755 if (f == NULL)
756 ERR_clear_error();
757 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
758 preserve=1;
759 f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
760 if (f == NULL)
761 ERR_clear_error();
762 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
763 msie_hack=1;
764
765 f=NCONF_get_string(conf,section,ENV_NAMEOPT);
766
767 if (f)
768 {
769 if (!set_name_ex(&nameopt, f))
770 {
771 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
772 goto err;
773 }
774 default_op = 0;
775 }
776 else
777 ERR_clear_error();
778
779 f=NCONF_get_string(conf,section,ENV_CERTOPT);
780
781 if (f)
782 {
783 if (!set_cert_ex(&certopt, f))
784 {
785 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
786 goto err;
787 }
788 default_op = 0;
789 }
790 else
791 ERR_clear_error();
792
793 f=NCONF_get_string(conf,section,ENV_EXTCOPY);
794
795 if (f)
796 {
797 if (!set_ext_copy(&ext_copy, f))
798 {
799 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
800 goto err;
801 }
802 }
803 else
804 ERR_clear_error();
805
806 /*****************************************************************/
807 /* lookup where to write new certificates */
808 if ((outdir == NULL) && (req))
809 {
810 struct stat sb;
811
812 if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
813 == NULL)
814 {
815 BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
816 goto err;
817 }
818 #ifndef OPENSSL_SYS_VMS
819 /* outdir is a directory spec, but access() for VMS demands a
820 filename. In any case, stat(), below, will catch the problem
821 if outdir is not a directory spec, and the fopen() or open()
822 will catch an error if there is no write access.
823
824 Presumably, this problem could also be solved by using the DEC
825 C routines to convert the directory syntax to Unixly, and give
826 that to access(). However, time's too short to do that just
827 now.
828 */
829 if (access(outdir,R_OK|W_OK|X_OK) != 0)
830 {
831 BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
832 perror(outdir);
833 goto err;
834 }
835
836 if (stat(outdir,&sb) != 0)
837 {
838 BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
839 perror(outdir);
840 goto err;
841 }
842 #ifdef S_IFDIR
843 if (!(sb.st_mode & S_IFDIR))
844 {
845 BIO_printf(bio_err,"%s need to be a directory\n",outdir);
846 perror(outdir);
847 goto err;
848 }
849 #endif
850 #endif
851 }
852
853 /*****************************************************************/
854 /* we need to load the database file */
855 if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
856 {
857 lookup_fail(section,ENV_DATABASE);
858 goto err;
859 }
860 db = load_index(dbfile, &db_attr);
861 if (db == NULL) goto err;
862
863 /* Lets check some fields */
864 for (i=0; i<sk_num(db->db->data); i++)
865 {
866 pp=(char **)sk_value(db->db->data,i);
867 if ((pp[DB_type][0] != DB_TYPE_REV) &&
868 (pp[DB_rev_date][0] != '\0'))
869 {
870 BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
871 goto err;
872 }
873 if ((pp[DB_type][0] == DB_TYPE_REV) &&
874 !make_revoked(NULL, pp[DB_rev_date]))
875 {
876 BIO_printf(bio_err," in entry %d\n", i+1);
877 goto err;
878 }
879 if (!check_time_format(pp[DB_exp_date]))
880 {
881 BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
882 goto err;
883 }
884 p=pp[DB_serial];
885 j=strlen(p);
886 if (*p == '-')
887 {
888 p++;
889 j--;
890 }
891 if ((j&1) || (j < 2))
892 {
893 BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
894 goto err;
895 }
896 while (*p)
897 {
898 if (!( ((*p >= '0') && (*p <= '9')) ||
899 ((*p >= 'A') && (*p <= 'F')) ||
900 ((*p >= 'a') && (*p <= 'f'))) )
901 {
902 BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
903 goto err;
904 }
905 p++;
906 }
907 }
908 if (verbose)
909 {
910 BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
911 #ifdef OPENSSL_SYS_VMS
912 {
913 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
914 out = BIO_push(tmpbio, out);
915 }
916 #endif
917 TXT_DB_write(out,db->db);
918 BIO_printf(bio_err,"%d entries loaded from the database\n",
919 db->db->data->num);
920 BIO_printf(bio_err,"generating index\n");
921 }
922
923 if (!index_index(db)) goto err;
924
925 /*****************************************************************/
926 /* Update the db file for expired certificates */
927 if (doupdatedb)
928 {
929 if (verbose)
930 BIO_printf(bio_err, "Updating %s ...\n",
931 dbfile);
932
933 i = do_updatedb(db);
934 if (i == -1)
935 {
936 BIO_printf(bio_err,"Malloc failure\n");
937 goto err;
938 }
939 else if (i == 0)
940 {
941 if (verbose) BIO_printf(bio_err,
942 "No entries found to mark expired\n");
943 }
944 else
945 {
946 if (!save_index(dbfile,"new",db)) goto err;
947
948 if (!rotate_index(dbfile,"new","old")) goto err;
949
950 if (verbose) BIO_printf(bio_err,
951 "Done. %d entries marked as expired\n",i);
952 }
953 goto err;
954 }
955
956 /*****************************************************************/
957 /* Read extentions config file */
958 if (extfile)
959 {
960 extconf = NCONF_new(NULL);
961 if (NCONF_load(extconf,extfile,&errorline) <= 0)
962 {
963 if (errorline <= 0)
964 BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
965 extfile);
966 else
967 BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
968 errorline,extfile);
969 ret = 1;
970 goto err;
971 }
972
973 if (verbose)
974 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);
975
976 /* We can have sections in the ext file */
977 if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
978 extensions = "default";
979 }
980
981 /*****************************************************************/
982 if (req || gencrl)
983 {
984 if (outfile != NULL)
985 {
986 if (BIO_write_filename(Sout,outfile) <= 0)
987 {
988 perror(outfile);
989 goto err;
990 }
991 }
992 else
993 {
994 BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
995 #ifdef OPENSSL_SYS_VMS
996 {
997 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
998 Sout = BIO_push(tmpbio, Sout);
999 }
1000 #endif
1001 }
1002 }
1003
1004 if (req)
1005 {
1006 if ((md == NULL) && ((md=NCONF_get_string(conf,
1007 section,ENV_DEFAULT_MD)) == NULL))
1008 {
1009 lookup_fail(section,ENV_DEFAULT_MD);
1010 goto err;
1011 }
1012 if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
1013 section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
1014 {
1015 if(strcmp(tmp_email_dn,"no") == 0)
1016 email_dn=0;
1017 }
1018 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1019 {
1020 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1021 goto err;
1022 }
1023 if (verbose)
1024 BIO_printf(bio_err,"message digest is %s\n",
1025 OBJ_nid2ln(dgst->type));
1026 if ((policy == NULL) && ((policy=NCONF_get_string(conf,
1027 section,ENV_POLICY)) == NULL))
1028 {
1029 lookup_fail(section,ENV_POLICY);
1030 goto err;
1031 }
1032 if (verbose)
1033 BIO_printf(bio_err,"policy is %s\n",policy);
1034
1035 if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL))
1036 == NULL)
1037 {
1038 lookup_fail(section,ENV_SERIAL);
1039 goto err;
1040 }
1041
1042 if (!extconf)
1043 {
1044 /* no '-extfile' option, so we look for extensions
1045 * in the main configuration file */
1046 if (!extensions)
1047 {
1048 extensions=NCONF_get_string(conf,section,
1049 ENV_EXTENSIONS);
1050 if (!extensions)
1051 ERR_clear_error();
1052 }
1053 if (extensions)
1054 {
1055 /* Check syntax of file */
1056 X509V3_CTX ctx;
1057 X509V3_set_ctx_test(&ctx);
1058 X509V3_set_nconf(&ctx, conf);
1059 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions,
1060 NULL))
1061 {
1062 BIO_printf(bio_err,
1063 "Error Loading extension section %s\n",
1064 extensions);
1065 ret = 1;
1066 goto err;
1067 }
1068 }
1069 }
1070
1071 if (startdate == NULL)
1072 {
1073 startdate=NCONF_get_string(conf,section,
1074 ENV_DEFAULT_STARTDATE);
1075 if (startdate == NULL)
1076 ERR_clear_error();
1077 }
1078 if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
1079 {
1080 BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
1081 goto err;
1082 }
1083 if (startdate == NULL) startdate="today";
1084
1085 if (enddate == NULL)
1086 {
1087 enddate=NCONF_get_string(conf,section,
1088 ENV_DEFAULT_ENDDATE);
1089 if (enddate == NULL)
1090 ERR_clear_error();
1091 }
1092 if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
1093 {
1094 BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
1095 goto err;
1096 }
1097
1098 if (days == 0)
1099 {
1100 if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days))
1101 days = 0;
1102 }
1103 if (!enddate && (days == 0))
1104 {
1105 BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
1106 goto err;
1107 }
1108
1109 if ((serial=load_serial(serialfile, 0, NULL)) == NULL)
1110 {
1111 BIO_printf(bio_err,"error while loading serial number\n");
1112 goto err;
1113 }
1114 if (verbose)
1115 {
1116 if (BN_is_zero(serial))
1117 BIO_printf(bio_err,"next serial number is 00\n");
1118 else
1119 {
1120 if ((f=BN_bn2hex(serial)) == NULL) goto err;
1121 BIO_printf(bio_err,"next serial number is %s\n",f);
1122 OPENSSL_free(f);
1123 }
1124 }
1125
1126 if ((attribs=NCONF_get_section(conf,policy)) == NULL)
1127 {
1128 BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
1129 goto err;
1130 }
1131
1132 if ((cert_sk=sk_X509_new_null()) == NULL)
1133 {
1134 BIO_printf(bio_err,"Memory allocation failure\n");
1135 goto err;
1136 }
1137 if (spkac_file != NULL)
1138 {
1139 total++;
1140 j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
1141 serial,subj,multirdn,email_dn,startdate,enddate,days,extensions,
1142 conf,verbose,certopt,nameopt,default_op,ext_copy);
1143 if (j < 0) goto err;
1144 if (j > 0)
1145 {
1146 total_done++;
1147 BIO_printf(bio_err,"\n");
1148 if (!BN_add_word(serial,1)) goto err;
1149 if (!sk_X509_push(cert_sk,x))
1150 {
1151 BIO_printf(bio_err,"Memory allocation failure\n");
1152 goto err;
1153 }
1154 if (outfile)
1155 {
1156 output_der = 1;
1157 batch = 1;
1158 }
1159 }
1160 }
1161 if (ss_cert_file != NULL)
1162 {
1163 total++;
1164 j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
1165 db,serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
1166 extensions,conf,verbose, certopt, nameopt,
1167 default_op, ext_copy, e);
1168 if (j < 0) goto err;
1169 if (j > 0)
1170 {
1171 total_done++;
1172 BIO_printf(bio_err,"\n");
1173 if (!BN_add_word(serial,1)) goto err;
1174 if (!sk_X509_push(cert_sk,x))
1175 {
1176 BIO_printf(bio_err,"Memory allocation failure\n");
1177 goto err;
1178 }
1179 }
1180 }
1181 if (infile != NULL)
1182 {
1183 total++;
1184 j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
1185 serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
1186 extensions,conf,verbose, certopt, nameopt,
1187 default_op, ext_copy, selfsign);
1188 if (j < 0) goto err;
1189 if (j > 0)
1190 {
1191 total_done++;
1192 BIO_printf(bio_err,"\n");
1193 if (!BN_add_word(serial,1)) goto err;
1194 if (!sk_X509_push(cert_sk,x))
1195 {
1196 BIO_printf(bio_err,"Memory allocation failure\n");
1197 goto err;
1198 }
1199 }
1200 }
1201 for (i=0; i<argc; i++)
1202 {
1203 total++;
1204 j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
1205 serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
1206 extensions,conf,verbose, certopt, nameopt,
1207 default_op, ext_copy, selfsign);
1208 if (j < 0) goto err;
1209 if (j > 0)
1210 {
1211 total_done++;
1212 BIO_printf(bio_err,"\n");
1213 if (!BN_add_word(serial,1)) goto err;
1214 if (!sk_X509_push(cert_sk,x))
1215 {
1216 BIO_printf(bio_err,"Memory allocation failure\n");
1217 goto err;
1218 }
1219 }
1220 }
1221 /* we have a stack of newly certified certificates
1222 * and a data base and serial number that need
1223 * updating */
1224
1225 if (sk_X509_num(cert_sk) > 0)
1226 {
1227 if (!batch)
1228 {
1229 BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
1230 (void)BIO_flush(bio_err);
1231 buf[0][0]='\0';
1232 fgets(buf[0],10,stdin);
1233 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
1234 {
1235 BIO_printf(bio_err,"CERTIFICATION CANCELED\n");
1236 ret=0;
1237 goto err;
1238 }
1239 }
1240
1241 BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
1242
1243 if (!save_serial(serialfile,"new",serial,NULL)) goto err;
1244
1245 if (!save_index(dbfile, "new", db)) goto err;
1246 }
1247
1248 if (verbose)
1249 BIO_printf(bio_err,"writing new certificates\n");
1250 for (i=0; i<sk_X509_num(cert_sk); i++)
1251 {
1252 int k;
1253 unsigned char *n;
1254
1255 x=sk_X509_value(cert_sk,i);
1256
1257 j=x->cert_info->serialNumber->length;
1258 p=(char *)x->cert_info->serialNumber->data;
1259
1260 if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
1261 {
1262 BIO_printf(bio_err,"certificate file name too long\n");
1263 goto err;
1264 }
1265
1266 strcpy(buf[2],outdir);
1267
1268 #ifndef OPENSSL_SYS_VMS
1269 strcat(buf[2],"/");
1270 #endif
1271
1272 n=(unsigned char *)&(buf[2][strlen(buf[2])]);
1273 if (j > 0)
1274 {
1275 for (k=0; k<j; k++)
1276 {
1277 sprintf((char *)n,"%02X",(unsigned char)*(p++));
1278 n+=2;
1279 }
1280 }
1281 else
1282 {
1283 *(n++)='0';
1284 *(n++)='0';
1285 }
1286 *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
1287 *n='\0';
1288 if (verbose)
1289 BIO_printf(bio_err,"writing %s\n",buf[2]);
1290
1291 if (BIO_write_filename(Cout,buf[2]) <= 0)
1292 {
1293 perror(buf[2]);
1294 goto err;
1295 }
1296 write_new_certificate(Cout,x, 0, notext);
1297 write_new_certificate(Sout,x, output_der, notext);
1298 }
1299
1300 if (sk_X509_num(cert_sk))
1301 {
1302 /* Rename the database and the serial file */
1303 if (!rotate_serial(serialfile,"new","old")) goto err;
1304
1305 if (!rotate_index(dbfile,"new","old")) goto err;
1306
1307 BIO_printf(bio_err,"Data Base Updated\n");
1308 }
1309 }
1310
1311 /*****************************************************************/
1312 if (gencrl)
1313 {
1314 int crl_v2 = 0;
1315 if (!crl_ext)
1316 {
1317 crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT);
1318 if (!crl_ext)
1319 ERR_clear_error();
1320 }
1321 if (crl_ext)
1322 {
1323 /* Check syntax of file */
1324 X509V3_CTX ctx;
1325 X509V3_set_ctx_test(&ctx);
1326 X509V3_set_nconf(&ctx, conf);
1327 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL))
1328 {
1329 BIO_printf(bio_err,
1330 "Error Loading CRL extension section %s\n",
1331 crl_ext);
1332 ret = 1;
1333 goto err;
1334 }
1335 }
1336
1337 if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
1338 != NULL)
1339 if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
1340 {
1341 BIO_printf(bio_err,"error while loading CRL number\n");
1342 goto err;
1343 }
1344
1345 if (!crldays && !crlhours)
1346 {
1347 if (!NCONF_get_number(conf,section,
1348 ENV_DEFAULT_CRL_DAYS, &crldays))
1349 crldays = 0;
1350 if (!NCONF_get_number(conf,section,
1351 ENV_DEFAULT_CRL_HOURS, &crlhours))
1352 crlhours = 0;
1353 }
1354 if ((crldays == 0) && (crlhours == 0))
1355 {
1356 BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
1357 goto err;
1358 }
1359
1360 if (verbose) BIO_printf(bio_err,"making CRL\n");
1361 if ((crl=X509_CRL_new()) == NULL) goto err;
1362 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;
1363
1364 tmptm = ASN1_TIME_new();
1365 if (!tmptm) goto err;
1366 X509_gmtime_adj(tmptm,0);
1367 X509_CRL_set_lastUpdate(crl, tmptm);
1368 X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
1369 X509_CRL_set_nextUpdate(crl, tmptm);
1370
1371 ASN1_TIME_free(tmptm);
1372
1373 for (i=0; i<sk_num(db->db->data); i++)
1374 {
1375 pp=(char **)sk_value(db->db->data,i);
1376 if (pp[DB_type][0] == DB_TYPE_REV)
1377 {
1378 if ((r=X509_REVOKED_new()) == NULL) goto err;
1379 j = make_revoked(r, pp[DB_rev_date]);
1380 if (!j) goto err;
1381 if (j == 2) crl_v2 = 1;
1382 if (!BN_hex2bn(&serial, pp[DB_serial]))
1383 goto err;
1384 tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1385 BN_free(serial);
1386 serial = NULL;
1387 if (!tmpser)
1388 goto err;
1389 X509_REVOKED_set_serialNumber(r, tmpser);
1390 ASN1_INTEGER_free(tmpser);
1391 X509_CRL_add0_revoked(crl,r);
1392 }
1393 }
1394
1395 /* sort the data so it will be written in serial
1396 * number order */
1397 X509_CRL_sort(crl);
1398
1399 /* we now have a CRL */
1400 if (verbose) BIO_printf(bio_err,"signing CRL\n");
1401 if (md != NULL)
1402 {
1403 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1404 {
1405 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1406 goto err;
1407 }
1408 }
1409 else
1410 {
1411 #ifndef OPENSSL_NO_DSA
1412 if (pkey->type == EVP_PKEY_DSA)
1413 dgst=EVP_dss1();
1414 else
1415 #endif
1416 #ifndef OPENSSL_NO_ECDSA
1417 if (pkey->type == EVP_PKEY_EC)
1418 dgst=EVP_ecdsa();
1419 else
1420 #endif
1421 dgst=EVP_md5();
1422 }
1423
1424 /* Add any extensions asked for */
1425
1426 if (crl_ext || crlnumberfile != NULL)
1427 {
1428 X509V3_CTX crlctx;
1429 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1430 X509V3_set_nconf(&crlctx, conf);
1431
1432 if (crl_ext)
1433 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1434 crl_ext, crl)) goto err;
1435 if (crlnumberfile != NULL)
1436 {
1437 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1438 if (!tmpser) goto err;
1439 X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
1440 ASN1_INTEGER_free(tmpser);
1441 crl_v2 = 1;
1442 if (!BN_add_word(crlnumber,1)) goto err;
1443 }
1444 }
1445 if (crl_ext || crl_v2)
1446 {
1447 if (!X509_CRL_set_version(crl, 1))
1448 goto err; /* version 2 CRL */
1449 }
1450
1451
1452 if (crlnumberfile != NULL) /* we have a CRL number that need updating */
1453 if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
1454
1455 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
1456
1457 PEM_write_bio_X509_CRL(Sout,crl);
1458
1459 if (crlnumberfile != NULL) /* Rename the crlnumber file */
1460 if (!rotate_serial(crlnumberfile,"new","old")) goto err;
1461
1462 }
1463 /*****************************************************************/
1464 if (dorevoke)
1465 {
1466 if (infile == NULL)
1467 {
1468 BIO_printf(bio_err,"no input files\n");
1469 goto err;
1470 }
1471 else
1472 {
1473 X509 *revcert;
1474 revcert=load_cert(bio_err, infile, FORMAT_PEM,
1475 NULL, e, infile);
1476 if (revcert == NULL)
1477 goto err;
1478 j=do_revoke(revcert,db, rev_type, rev_arg);
1479 if (j <= 0) goto err;
1480 X509_free(revcert);
1481
1482 if (!save_index(dbfile, "new", db)) goto err;
1483
1484 if (!rotate_index(dbfile, "new", "old")) goto err;
1485
1486 BIO_printf(bio_err,"Data Base Updated\n");
1487 }
1488 }
1489 /*****************************************************************/
1490 ret=0;
1491 err:
1492 if(tofree)
1493 OPENSSL_free(tofree);
1494 BIO_free_all(Cout);
1495 BIO_free_all(Sout);
1496 BIO_free_all(out);
1497 BIO_free_all(in);
1498
1499 if (cert_sk)
1500 sk_X509_pop_free(cert_sk,X509_free);
1501
1502 if (ret) ERR_print_errors(bio_err);
1503 app_RAND_write_file(randfile, bio_err);
1504 if (free_key && key)
1505 OPENSSL_free(key);
1506 BN_free(serial);
1507 free_index(db);
1508 EVP_PKEY_free(pkey);
1509 if (x509) X509_free(x509);
1510 X509_CRL_free(crl);
1511 NCONF_free(conf);
1512 OBJ_cleanup();
1513 apps_shutdown();
1514 OPENSSL_EXIT(ret);
1515 }
1516
1517 static void lookup_fail(char *name, char *tag)
1518 {
1519 BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
1520 }
1521
1522 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1523 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
1524 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
1525 long days, int batch, char *ext_sect, CONF *lconf, int verbose,
1526 unsigned long certopt, unsigned long nameopt, int default_op,
1527 int ext_copy, int selfsign)
1528 {
1529 X509_REQ *req=NULL;
1530 BIO *in=NULL;
1531 EVP_PKEY *pktmp=NULL;
1532 int ok= -1,i;
1533
1534 in=BIO_new(BIO_s_file());
1535
1536 if (BIO_read_filename(in,infile) <= 0)
1537 {
1538 perror(infile);
1539 goto err;
1540 }
1541 if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
1542 {
1543 BIO_printf(bio_err,"Error reading certificate request in %s\n",
1544 infile);
1545 goto err;
1546 }
1547 if (verbose)
1548 X509_REQ_print(bio_err,req);
1549
1550 BIO_printf(bio_err,"Check that the request matches the signature\n");
1551
1552 if (selfsign && !X509_REQ_check_private_key(req,pkey))
1553 {
1554 BIO_printf(bio_err,"Certificate request and CA private key do not match\n");
1555 ok=0;
1556 goto err;
1557 }
1558 if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
1559 {
1560 BIO_printf(bio_err,"error unpacking public key\n");
1561 goto err;
1562 }
1563 i=X509_REQ_verify(req,pktmp);
1564 EVP_PKEY_free(pktmp);
1565 if (i < 0)
1566 {
1567 ok=0;
1568 BIO_printf(bio_err,"Signature verification problems....\n");
1569 goto err;
1570 }
1571 if (i == 0)
1572 {
1573 ok=0;
1574 BIO_printf(bio_err,"Signature did not match the certificate request\n");
1575 goto err;
1576 }
1577 else
1578 BIO_printf(bio_err,"Signature ok\n");
1579
1580 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, multirdn, email_dn,
1581 startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
1582 certopt, nameopt, default_op, ext_copy, selfsign);
1583
1584 err:
1585 if (req != NULL) X509_REQ_free(req);
1586 if (in != NULL) BIO_free(in);
1587 return(ok);
1588 }
1589
1590 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1591 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
1592 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
1593 long days, int batch, char *ext_sect, CONF *lconf, int verbose,
1594 unsigned long certopt, unsigned long nameopt, int default_op,
1595 int ext_copy, ENGINE *e)
1596 {
1597 X509 *req=NULL;
1598 X509_REQ *rreq=NULL;
1599 EVP_PKEY *pktmp=NULL;
1600 int ok= -1,i;
1601
1602 if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
1603 goto err;
1604 if (verbose)
1605 X509_print(bio_err,req);
1606
1607 BIO_printf(bio_err,"Check that the request matches the signature\n");
1608
1609 if ((pktmp=X509_get_pubkey(req)) == NULL)
1610 {
1611 BIO_printf(bio_err,"error unpacking public key\n");
1612 goto err;
1613 }
1614 i=X509_verify(req,pktmp);
1615 EVP_PKEY_free(pktmp);
1616 if (i < 0)
1617 {
1618 ok=0;
1619 BIO_printf(bio_err,"Signature verification problems....\n");
1620 goto err;
1621 }
1622 if (i == 0)
1623 {
1624 ok=0;
1625 BIO_printf(bio_err,"Signature did not match the certificate\n");
1626 goto err;
1627 }
1628 else
1629 BIO_printf(bio_err,"Signature ok\n");
1630
1631 if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
1632 goto err;
1633
1634 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
1635 days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
1636 ext_copy, 0);
1637
1638 err:
1639 if (rreq != NULL) X509_REQ_free(rreq);
1640 if (req != NULL) X509_free(req);
1641 return(ok);
1642 }
1643
1644 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1645 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
1646 int multirdn,
1647 int email_dn, char *startdate, char *enddate, long days, int batch,
1648 int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
1649 unsigned long certopt, unsigned long nameopt, int default_op,
1650 int ext_copy, int selfsign)
1651 {
1652 X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
1653 ASN1_UTCTIME *tm,*tmptm;
1654 ASN1_STRING *str,*str2;
1655 ASN1_OBJECT *obj;
1656 X509 *ret=NULL;
1657 X509_CINF *ci;
1658 X509_NAME_ENTRY *ne;
1659 X509_NAME_ENTRY *tne,*push;
1660 EVP_PKEY *pktmp;
1661 int ok= -1,i,j,last,nid;
1662 char *p;
1663 CONF_VALUE *cv;
1664 char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
1665 char buf[25];
1666
1667 tmptm=ASN1_UTCTIME_new();
1668 if (tmptm == NULL)
1669 {
1670 BIO_printf(bio_err,"malloc error\n");
1671 return(0);
1672 }
1673
1674 for (i=0; i<DB_NUMBER; i++)
1675 row[i]=NULL;
1676
1677 if (subj)
1678 {
1679 X509_NAME *n = do_subject(subj, MBSTRING_ASC, multirdn);
1680
1681 if (!n)
1682 {
1683 ERR_print_errors(bio_err);
1684 goto err;
1685 }
1686 X509_REQ_set_subject_name(req,n);
1687 req->req_info->enc.modified = 1;
1688 X509_NAME_free(n);
1689 }
1690
1691 if (default_op)
1692 BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
1693
1694 name=X509_REQ_get_subject_name(req);
1695 for (i=0; i<X509_NAME_entry_count(name); i++)
1696 {
1697 ne= X509_NAME_get_entry(name,i);
1698 str=X509_NAME_ENTRY_get_data(ne);
1699 obj=X509_NAME_ENTRY_get_object(ne);
1700
1701 if (msie_hack)
1702 {
1703 /* assume all type should be strings */
1704 nid=OBJ_obj2nid(ne->object);
1705
1706 if (str->type == V_ASN1_UNIVERSALSTRING)
1707 ASN1_UNIVERSALSTRING_to_string(str);
1708
1709 if ((str->type == V_ASN1_IA5STRING) &&
1710 (nid != NID_pkcs9_emailAddress))
1711 str->type=V_ASN1_T61STRING;
1712
1713 if ((nid == NID_pkcs9_emailAddress) &&
1714 (str->type == V_ASN1_PRINTABLESTRING))
1715 str->type=V_ASN1_IA5STRING;
1716 }
1717
1718 /* If no EMAIL is wanted in the subject */
1719 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1720 continue;
1721
1722 /* check some things */
1723 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1724 (str->type != V_ASN1_IA5STRING))
1725 {
1726 BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
1727 goto err;
1728 }
1729 if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING))
1730 {
1731 j=ASN1_PRINTABLE_type(str->data,str->length);
1732 if ( ((j == V_ASN1_T61STRING) &&
1733 (str->type != V_ASN1_T61STRING)) ||
1734 ((j == V_ASN1_IA5STRING) &&
1735 (str->type == V_ASN1_PRINTABLESTRING)))
1736 {
1737 BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
1738 goto err;
1739 }
1740 }
1741
1742 if (default_op)
1743 old_entry_print(bio_err, obj, str);
1744 }
1745
1746 /* Ok, now we check the 'policy' stuff. */
1747 if ((subject=X509_NAME_new()) == NULL)
1748 {
1749 BIO_printf(bio_err,"Memory allocation failure\n");
1750 goto err;
1751 }
1752
1753 /* take a copy of the issuer name before we mess with it. */
1754 if (selfsign)
1755 CAname=X509_NAME_dup(name);
1756 else
1757 CAname=X509_NAME_dup(x509->cert_info->subject);
1758 if (CAname == NULL) goto err;
1759 str=str2=NULL;
1760
1761 for (i=0; i<sk_CONF_VALUE_num(policy); i++)
1762 {
1763 cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
1764 if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
1765 {
1766 BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
1767 goto err;
1768 }
1769 obj=OBJ_nid2obj(j);
1770
1771 last= -1;
1772 for (;;)
1773 {
1774 /* lookup the object in the supplied name list */
1775 j=X509_NAME_get_index_by_OBJ(name,obj,last);
1776 if (j < 0)
1777 {
1778 if (last != -1) break;
1779 tne=NULL;
1780 }
1781 else
1782 {
1783 tne=X509_NAME_get_entry(name,j);
1784 }
1785 last=j;
1786
1787 /* depending on the 'policy', decide what to do. */
1788 push=NULL;
1789 if (strcmp(cv->value,"optional") == 0)
1790 {
1791 if (tne != NULL)
1792 push=tne;
1793 }
1794 else if (strcmp(cv->value,"supplied") == 0)
1795 {
1796 if (tne == NULL)
1797 {
1798 BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
1799 goto err;
1800 }
1801 else
1802 push=tne;
1803 }
1804 else if (strcmp(cv->value,"match") == 0)
1805 {
1806 int last2;
1807
1808 if (tne == NULL)
1809 {
1810 BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
1811 goto err;
1812 }
1813
1814 last2= -1;
1815
1816 again2:
1817 j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
1818 if ((j < 0) && (last2 == -1))
1819 {
1820 BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
1821 goto err;
1822 }
1823 if (j >= 0)
1824 {
1825 push=X509_NAME_get_entry(CAname,j);
1826 str=X509_NAME_ENTRY_get_data(tne);
1827 str2=X509_NAME_ENTRY_get_data(push);
1828 last2=j;
1829 if (ASN1_STRING_cmp(str,str2) != 0)
1830 goto again2;
1831 }
1832 if (j < 0)
1833 {
1834 BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
1835 goto err;
1836 }
1837 }
1838 else
1839 {
1840 BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
1841 goto err;
1842 }
1843
1844 if (push != NULL)
1845 {
1846 if (!X509_NAME_add_entry(subject,push, -1, 0))
1847 {
1848 if (push != NULL)
1849 X509_NAME_ENTRY_free(push);
1850 BIO_printf(bio_err,"Memory allocation failure\n");
1851 goto err;
1852 }
1853 }
1854 if (j < 0) break;
1855 }
1856 }
1857
1858 if (preserve)
1859 {
1860 X509_NAME_free(subject);
1861 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1862 subject=X509_NAME_dup(name);
1863 if (subject == NULL) goto err;
1864 }
1865
1866 if (verbose)
1867 BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
1868
1869 /* Build the correct Subject if no e-mail is wanted in the subject */
1870 /* and add it later on because of the method extensions are added (altName) */
1871
1872 if (email_dn)
1873 dn_subject = subject;
1874 else
1875 {
1876 X509_NAME_ENTRY *tmpne;
1877 /* Its best to dup the subject DN and then delete any email
1878 * addresses because this retains its structure.
1879 */
1880 if (!(dn_subject = X509_NAME_dup(subject)))
1881 {
1882 BIO_printf(bio_err,"Memory allocation failure\n");
1883 goto err;
1884 }
1885 while((i = X509_NAME_get_index_by_NID(dn_subject,
1886 NID_pkcs9_emailAddress, -1)) >= 0)
1887 {
1888 tmpne = X509_NAME_get_entry(dn_subject, i);
1889 X509_NAME_delete_entry(dn_subject, i);
1890 X509_NAME_ENTRY_free(tmpne);
1891 }
1892 }
1893
1894 if (BN_is_zero(serial))
1895 row[DB_serial]=BUF_strdup("00");
1896 else
1897 row[DB_serial]=BN_bn2hex(serial);
1898 if (row[DB_serial] == NULL)
1899 {
1900 BIO_printf(bio_err,"Memory allocation failure\n");
1901 goto err;
1902 }
1903
1904 if (db->attributes.unique_subject)
1905 {
1906 rrow=TXT_DB_get_by_index(db->db,DB_name,row);
1907 if (rrow != NULL)
1908 {
1909 BIO_printf(bio_err,
1910 "ERROR:There is already a certificate for %s\n",
1911 row[DB_name]);
1912 }
1913 }
1914 if (rrow == NULL)
1915 {
1916 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1917 if (rrow != NULL)
1918 {
1919 BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
1920 row[DB_serial]);
1921 BIO_printf(bio_err," check the database/serial_file for corruption\n");
1922 }
1923 }
1924
1925 if (rrow != NULL)
1926 {
1927 BIO_printf(bio_err,
1928 "The matching entry has the following details\n");
1929 if (rrow[DB_type][0] == 'E')
1930 p="Expired";
1931 else if (rrow[DB_type][0] == 'R')
1932 p="Revoked";
1933 else if (rrow[DB_type][0] == 'V')
1934 p="Valid";
1935 else
1936 p="\ninvalid type, Data base error\n";
1937 BIO_printf(bio_err,"Type :%s\n",p);;
1938 if (rrow[DB_type][0] == 'R')
1939 {
1940 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1941 BIO_printf(bio_err,"Was revoked on:%s\n",p);
1942 }
1943 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1944 BIO_printf(bio_err,"Expires on :%s\n",p);
1945 p=rrow[DB_serial]; if (p == NULL) p="undef";
1946 BIO_printf(bio_err,"Serial Number :%s\n",p);
1947 p=rrow[DB_file]; if (p == NULL) p="undef";
1948 BIO_printf(bio_err,"File name :%s\n",p);
1949 p=rrow[DB_name]; if (p == NULL) p="undef";
1950 BIO_printf(bio_err,"Subject Name :%s\n",p);
1951 ok= -1; /* This is now a 'bad' error. */
1952 goto err;
1953 }
1954
1955 /* We are now totally happy, lets make and sign the certificate */
1956 if (verbose)
1957 BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
1958
1959 if ((ret=X509_new()) == NULL) goto err;
1960 ci=ret->cert_info;
1961
1962 #ifdef X509_V3
1963 /* Make it an X509 v3 certificate. */
1964 if (!X509_set_version(ret,2)) goto err;
1965 #endif
1966
1967 if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
1968 goto err;
1969 if (selfsign)
1970 {
1971 if (!X509_set_issuer_name(ret,subject))
1972 goto err;
1973 }
1974 else
1975 {
1976 if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
1977 goto err;
1978 }
1979
1980 if (strcmp(startdate,"today") == 0)
1981 X509_gmtime_adj(X509_get_notBefore(ret),0);
1982 else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
1983
1984 if (enddate == NULL)
1985 X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
1986 else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
1987
1988 if (!X509_set_subject_name(ret,subject)) goto err;
1989
1990 pktmp=X509_REQ_get_pubkey(req);
1991 i = X509_set_pubkey(ret,pktmp);
1992 EVP_PKEY_free(pktmp);
1993 if (!i) goto err;
1994
1995 /* Lets add the extensions, if there are any */
1996 if (ext_sect)
1997 {
1998 X509V3_CTX ctx;
1999 if (ci->version == NULL)
2000 if ((ci->version=ASN1_INTEGER_new()) == NULL)
2001 goto err;
2002 ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
2003
2004 /* Free the current entries if any, there should not
2005 * be any I believe */
2006 if (ci->extensions != NULL)
2007 sk_X509_EXTENSION_pop_free(ci->extensions,
2008 X509_EXTENSION_free);
2009
2010 ci->extensions = NULL;
2011
2012 /* Initialize the context structure */
2013 if (selfsign)
2014 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
2015 else
2016 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
2017
2018 if (extconf)
2019 {
2020 if (verbose)
2021 BIO_printf(bio_err, "Extra configuration file found\n");
2022
2023 /* Use the extconf configuration db LHASH */
2024 X509V3_set_nconf(&ctx, extconf);
2025
2026 /* Test the structure (needed?) */
2027 /* X509V3_set_ctx_test(&ctx); */
2028
2029 /* Adds exts contained in the configuration file */
2030 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret))
2031 {
2032 BIO_printf(bio_err,
2033 "ERROR: adding extensions in section %s\n",
2034 ext_sect);
2035 ERR_print_errors(bio_err);
2036 goto err;
2037 }
2038 if (verbose)
2039 BIO_printf(bio_err, "Successfully added extensions from file.\n");
2040 }
2041 else if (ext_sect)
2042 {
2043 /* We found extensions to be set from config file */
2044 X509V3_set_nconf(&ctx, lconf);
2045
2046 if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret))
2047 {
2048 BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
2049 ERR_print_errors(bio_err);
2050 goto err;
2051 }
2052
2053 if (verbose)
2054 BIO_printf(bio_err, "Successfully added extensions from config\n");
2055 }
2056 }
2057
2058 /* Copy extensions from request (if any) */
2059
2060 if (!copy_extensions(ret, req, ext_copy))
2061 {
2062 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
2063 ERR_print_errors(bio_err);
2064 goto err;
2065 }
2066
2067 /* Set the right value for the noemailDN option */
2068 if( email_dn == 0 )
2069 {
2070 if (!X509_set_subject_name(ret,dn_subject)) goto err;
2071 }
2072
2073 if (!default_op)
2074 {
2075 BIO_printf(bio_err, "Certificate Details:\n");
2076 /* Never print signature details because signature not present */
2077 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2078 X509_print_ex(bio_err, ret, nameopt, certopt);
2079 }
2080
2081 BIO_printf(bio_err,"Certificate is to be certified until ");
2082 ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
2083 if (days) BIO_printf(bio_err," (%ld days)",days);
2084 BIO_printf(bio_err, "\n");
2085
2086 if (!batch)
2087 {
2088
2089 BIO_printf(bio_err,"Sign the certificate? [y/n]:");
2090 (void)BIO_flush(bio_err);
2091 buf[0]='\0';
2092 fgets(buf,sizeof(buf)-1,stdin);
2093 if (!((buf[0] == 'y') || (buf[0] == 'Y')))
2094 {
2095 BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
2096 ok=0;
2097 goto err;
2098 }
2099 }
2100
2101
2102 #ifndef OPENSSL_NO_DSA
2103 if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
2104 pktmp=X509_get_pubkey(ret);
2105 if (EVP_PKEY_missing_parameters(pktmp) &&
2106 !EVP_PKEY_missing_parameters(pkey))
2107 EVP_PKEY_copy_parameters(pktmp,pkey);
2108 EVP_PKEY_free(pktmp);
2109 #endif
2110 #ifndef OPENSSL_NO_ECDSA
2111 if (pkey->type == EVP_PKEY_EC)
2112 dgst = EVP_ecdsa();
2113 pktmp = X509_get_pubkey(ret);
2114 if (EVP_PKEY_missing_parameters(pktmp) &&
2115 !EVP_PKEY_missing_parameters(pkey))
2116 EVP_PKEY_copy_parameters(pktmp, pkey);
2117 EVP_PKEY_free(pktmp);
2118 #endif
2119
2120
2121 if (!X509_sign(ret,pkey,dgst))
2122 goto err;
2123
2124 /* We now just add it to the database */
2125 row[DB_type]=(char *)OPENSSL_malloc(2);
2126
2127 tm=X509_get_notAfter(ret);
2128 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2129 memcpy(row[DB_exp_date],tm->data,tm->length);
2130 row[DB_exp_date][tm->length]='\0';
2131
2132 row[DB_rev_date]=NULL;
2133
2134 /* row[DB_serial] done already */
2135 row[DB_file]=(char *)OPENSSL_malloc(8);
2136 row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
2137
2138 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2139 (row[DB_file] == NULL) || (row[DB_name] == NULL))
2140 {
2141 BIO_printf(bio_err,"Memory allocation failure\n");
2142 goto err;
2143 }
2144 strcpy(row[DB_file],"unknown");
2145 row[DB_type][0]='V';
2146 row[DB_type][1]='\0';
2147
2148 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2149 {
2150 BIO_printf(bio_err,"Memory allocation failure\n");
2151 goto err;
2152 }
2153
2154 for (i=0; i<DB_NUMBER; i++)
2155 {
2156 irow[i]=row[i];
2157 row[i]=NULL;
2158 }
2159 irow[DB_NUMBER]=NULL;
2160
2161 if (!TXT_DB_insert(db->db,irow))
2162 {
2163 BIO_printf(bio_err,"failed to update database\n");
2164 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
2165 goto err;
2166 }
2167 ok=1;
2168 err:
2169 for (i=0; i<DB_NUMBER; i++)
2170 if (row[i] != NULL) OPENSSL_free(row[i]);
2171
2172 if (CAname != NULL)
2173 X509_NAME_free(CAname);
2174 if (subject != NULL)
2175 X509_NAME_free(subject);
2176 if ((dn_subject != NULL) && !email_dn)
2177 X509_NAME_free(dn_subject);
2178 if (tmptm != NULL)
2179 ASN1_UTCTIME_free(tmptm);
2180 if (ok <= 0)
2181 {
2182 if (ret != NULL) X509_free(ret);
2183 ret=NULL;
2184 }
2185 else
2186 *xret=ret;
2187 return(ok);
2188 }
2189
2190 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
2191 {
2192
2193 if (output_der)
2194 {
2195 (void)i2d_X509_bio(bp,x);
2196 return;
2197 }
2198 #if 0
2199 /* ??? Not needed since X509_print prints all this stuff anyway */
2200 f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
2201 BIO_printf(bp,"issuer :%s\n",f);
2202
2203 f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
2204 BIO_printf(bp,"subject:%s\n",f);
2205
2206 BIO_puts(bp,"serial :");
2207 i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
2208 BIO_puts(bp,"\n\n");
2209 #endif
2210 if (!notext)X509_print(bp,x);
2211 PEM_write_bio_X509(bp,x);
2212 }
2213
2214 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
2215 const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
2216 BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
2217 long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
2218 unsigned long nameopt, int default_op, int ext_copy)
2219 {
2220 STACK_OF(CONF_VALUE) *sk=NULL;
2221 LHASH *parms=NULL;
2222 X509_REQ *req=NULL;
2223 CONF_VALUE *cv=NULL;
2224 NETSCAPE_SPKI *spki = NULL;
2225 X509_REQ_INFO *ri;
2226 char *type,*buf;
2227 EVP_PKEY *pktmp=NULL;
2228 X509_NAME *n=NULL;
2229 X509_NAME_ENTRY *ne=NULL;
2230 int ok= -1,i,j;
2231 long errline;
2232 int nid;
2233
2234 /*
2235 * Load input file into a hash table. (This is just an easy
2236 * way to read and parse the file, then put it into a convenient
2237 * STACK format).
2238 */
2239 parms=CONF_load(NULL,infile,&errline);
2240 if (parms == NULL)
2241 {
2242 BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
2243 ERR_print_errors(bio_err);
2244 goto err;
2245 }
2246
2247 sk=CONF_get_section(parms, "default");
2248 if (sk_CONF_VALUE_num(sk) == 0)
2249 {
2250 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2251 CONF_free(parms);
2252 goto err;
2253 }
2254
2255 /*
2256 * Now create a dummy X509 request structure. We don't actually
2257 * have an X509 request, but we have many of the components
2258 * (a public key, various DN components). The idea is that we
2259 * put these components into the right X509 request structure
2260 * and we can use the same code as if you had a real X509 request.
2261 */
2262 req=X509_REQ_new();
2263 if (req == NULL)
2264 {
2265 ERR_print_errors(bio_err);
2266 goto err;
2267 }
2268
2269 /*
2270 * Build up the subject name set.
2271 */
2272 ri=req->req_info;
2273 n = ri->subject;
2274
2275 for (i = 0; ; i++)
2276 {
2277 if (sk_CONF_VALUE_num(sk) <= i) break;
2278
2279 cv=sk_CONF_VALUE_value(sk,i);
2280 type=cv->name;
2281 /* Skip past any leading X. X: X, etc to allow for
2282 * multiple instances
2283 */
2284 for (buf = cv->name; *buf ; buf++)
2285 if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
2286 {
2287 buf++;
2288 if (*buf) type = buf;
2289 break;
2290 }
2291
2292 buf=cv->value;
2293 if ((nid=OBJ_txt2nid(type)) == NID_undef)
2294 {
2295 if (strcmp(type, "SPKAC") == 0)
2296 {
2297 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2298 if (spki == NULL)
2299 {
2300 BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
2301 ERR_print_errors(bio_err);
2302 goto err;
2303 }
2304 }
2305 continue;
2306 }
2307
2308 /*
2309 if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
2310 continue;
2311 */
2312
2313 j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
2314 if (fix_data(nid, &j) == 0)
2315 {
2316 BIO_printf(bio_err,
2317 "invalid characters in string %s\n",buf);
2318 goto err;
2319 }
2320
2321 if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
2322 (unsigned char *)buf,
2323 strlen(buf))) == NULL)
2324 goto err;
2325
2326 if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
2327 }
2328 if (spki == NULL)
2329 {
2330 BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
2331 infile);
2332 goto err;
2333 }
2334
2335 /*
2336 * Now extract the key from the SPKI structure.
2337 */
2338
2339 BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
2340
2341 if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
2342 {
2343 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
2344 goto err;
2345 }
2346
2347 j = NETSCAPE_SPKI_verify(spki, pktmp);
2348 if (j <= 0)
2349 {
2350 BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
2351 goto err;
2352 }
2353 BIO_printf(bio_err,"Signature ok\n");
2354
2355 X509_REQ_set_pubkey(req,pktmp);
2356 EVP_PKEY_free(pktmp);
2357 ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
2358 days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
2359 ext_copy, 0);
2360 err:
2361 if (req != NULL) X509_REQ_free(req);
2362 if (parms != NULL) CONF_free(parms);
2363 if (spki != NULL) NETSCAPE_SPKI_free(spki);
2364 if (ne != NULL) X509_NAME_ENTRY_free(ne);
2365
2366 return(ok);
2367 }
2368
2369 static int fix_data(int nid, int *type)
2370 {
2371 if (nid == NID_pkcs9_emailAddress)
2372 *type=V_ASN1_IA5STRING;
2373 if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
2374 *type=V_ASN1_T61STRING;
2375 if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
2376 *type=V_ASN1_T61STRING;
2377 if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
2378 return(0);
2379 if (nid == NID_pkcs9_unstructuredName)
2380 *type=V_ASN1_IA5STRING;
2381 return(1);
2382 }
2383
2384 static int check_time_format(char *str)
2385 {
2386 ASN1_UTCTIME tm;
2387
2388 tm.data=(unsigned char *)str;
2389 tm.length=strlen(str);
2390 tm.type=V_ASN1_UTCTIME;
2391 return(ASN1_UTCTIME_check(&tm));
2392 }
2393
2394 static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
2395 {
2396 ASN1_UTCTIME *tm=NULL;
2397 char *row[DB_NUMBER],**rrow,**irow;
2398 char *rev_str = NULL;
2399 BIGNUM *bn = NULL;
2400 int ok=-1,i;
2401
2402 for (i=0; i<DB_NUMBER; i++)
2403 row[i]=NULL;
2404 row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
2405 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
2406 if (BN_is_zero(bn))
2407 row[DB_serial]=BUF_strdup("00");
2408 else
2409 row[DB_serial]=BN_bn2hex(bn);
2410 BN_free(bn);
2411 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2412 {
2413 BIO_printf(bio_err,"Memory allocation failure\n");
2414 goto err;
2415 }
2416 /* We have to lookup by serial number because name lookup
2417 * skips revoked certs
2418 */
2419 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
2420 if (rrow == NULL)
2421 {
2422 BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);
2423
2424 /* We now just add it to the database */
2425 row[DB_type]=(char *)OPENSSL_malloc(2);
2426
2427 tm=X509_get_notAfter(x509);
2428 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2429 memcpy(row[DB_exp_date],tm->data,tm->length);
2430 row[DB_exp_date][tm->length]='\0';
2431
2432 row[DB_rev_date]=NULL;
2433
2434 /* row[DB_serial] done already */
2435 row[DB_file]=(char *)OPENSSL_malloc(8);
2436
2437 /* row[DB_name] done already */
2438
2439 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2440 (row[DB_file] == NULL))
2441 {
2442 BIO_printf(bio_err,"Memory allocation failure\n");
2443 goto err;
2444 }
2445 strcpy(row[DB_file],"unknown");
2446 row[DB_type][0]='V';
2447 row[DB_type][1]='\0';
2448
2449 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2450 {
2451 BIO_printf(bio_err,"Memory allocation failure\n");
2452 goto err;
2453 }
2454
2455 for (i=0; i<DB_NUMBER; i++)
2456 {
2457 irow[i]=row[i];
2458 row[i]=NULL;
2459 }
2460 irow[DB_NUMBER]=NULL;
2461
2462 if (!TXT_DB_insert(db->db,irow))
2463 {
2464 BIO_printf(bio_err,"failed to update database\n");
2465 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
2466 goto err;
2467 }
2468
2469 /* Revoke Certificate */
2470 ok = do_revoke(x509,db, type, value);
2471
2472 goto err;
2473
2474 }
2475 else if (index_name_cmp((const char **)row,(const char **)rrow))
2476 {
2477 BIO_printf(bio_err,"ERROR:name does not match %s\n",
2478 row[DB_name]);
2479 goto err;
2480 }
2481 else if (rrow[DB_type][0]=='R')
2482 {
2483 BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
2484 row[DB_serial]);
2485 goto err;
2486 }
2487 else
2488 {
2489 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
2490 rev_str = make_revocation_str(type, value);
2491 if (!rev_str)
2492 {
2493 BIO_printf(bio_err, "Error in revocation arguments\n");
2494 goto err;
2495 }
2496 rrow[DB_type][0]='R';
2497 rrow[DB_type][1]='\0';
2498 rrow[DB_rev_date] = rev_str;
2499 }
2500 ok=1;
2501 err:
2502 for (i=0; i<DB_NUMBER; i++)
2503 {
2504 if (row[i] != NULL)
2505 OPENSSL_free(row[i]);
2506 }
2507 return(ok);
2508 }
2509
2510 static int get_certificate_status(const char *serial, CA_DB *db)
2511 {
2512 char *row[DB_NUMBER],**rrow;
2513 int ok=-1,i;
2514
2515 /* Free Resources */
2516 for (i=0; i<DB_NUMBER; i++)
2517 row[i]=NULL;
2518
2519 /* Malloc needed char spaces */
2520 row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
2521 if (row[DB_serial] == NULL)
2522 {
2523 BIO_printf(bio_err,"Malloc failure\n");
2524 goto err;
2525 }
2526
2527 if (strlen(serial) % 2)
2528 {
2529 /* Set the first char to 0 */;
2530 row[DB_serial][0]='0';
2531
2532 /* Copy String from serial to row[DB_serial] */
2533 memcpy(row[DB_serial]+1, serial, strlen(serial));
2534 row[DB_serial][strlen(serial)+1]='\0';
2535 }
2536 else
2537 {
2538 /* Copy String from serial to row[DB_serial] */
2539 memcpy(row[DB_serial], serial, strlen(serial));
2540 row[DB_serial][strlen(serial)]='\0';
2541 }
2542
2543 /* Make it Upper Case */
2544 for (i=0; row[DB_serial][i] != '\0'; i++)
2545 row[DB_serial][i] = toupper(row[DB_serial][i]);
2546
2547
2548 ok=1;
2549
2550 /* Search for the certificate */
2551 rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
2552 if (rrow == NULL)
2553 {
2554 BIO_printf(bio_err,"Serial %s not present in db.\n",
2555 row[DB_serial]);
2556 ok=-1;
2557 goto err;
2558 }
2559 else if (rrow[DB_type][0]=='V')
2560 {
2561 BIO_printf(bio_err,"%s=Valid (%c)\n",
2562 row[DB_serial], rrow[DB_type][0]);
2563 goto err;
2564 }
2565 else if (rrow[DB_type][0]=='R')
2566 {
2567 BIO_printf(bio_err,"%s=Revoked (%c)\n",
2568 row[DB_serial], rrow[DB_type][0]);
2569 goto err;
2570 }
2571 else if (rrow[DB_type][0]=='E')
2572 {
2573 BIO_printf(bio_err,"%s=Expired (%c)\n",
2574 row[DB_serial], rrow[DB_type][0]);
2575 goto err;
2576 }
2577 else if (rrow[DB_type][0]=='S')
2578 {
2579 BIO_printf(bio_err,"%s=Suspended (%c)\n",
2580 row[DB_serial], rrow[DB_type][0]);
2581 goto err;
2582 }
2583 else
2584 {
2585 BIO_printf(bio_err,"%s=Unknown (%c).\n",
2586 row[DB_serial], rrow[DB_type][0]);
2587 ok=-1;
2588 }
2589 err:
2590 for (i=0; i<DB_NUMBER; i++)
2591 {
2592 if (row[i] != NULL)
2593 OPENSSL_free(row[i]);
2594 }
2595 return(ok);
2596 }
2597
2598 static int do_updatedb (CA_DB *db)
2599 {
2600 ASN1_UTCTIME *a_tm = NULL;
2601 int i, cnt = 0;
2602 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2603 char **rrow, *a_tm_s;
2604
2605 a_tm = ASN1_UTCTIME_new();
2606
2607 /* get actual time and make a string */
2608 a_tm = X509_gmtime_adj(a_tm, 0);
2609 a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
2610 if (a_tm_s == NULL)
2611 {
2612 cnt = -1;
2613 goto err;
2614 }
2615
2616 memcpy(a_tm_s, a_tm->data, a_tm->length);
2617 a_tm_s[a_tm->length] = '\0';
2618
2619 if (strncmp(a_tm_s, "49", 2) <= 0)
2620 a_y2k = 1;
2621 else
2622 a_y2k = 0;
2623
2624 for (i = 0; i < sk_num(db->db->data); i++)
2625 {
2626 rrow = (char **) sk_value(db->db->data, i);
2627
2628 if (rrow[DB_type][0] == 'V')
2629 {
2630 /* ignore entries that are not valid */
2631 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2632 db_y2k = 1;
2633 else
2634 db_y2k = 0;
2635
2636 if (db_y2k == a_y2k)
2637 {
2638 /* all on the same y2k side */
2639 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
2640 {
2641 rrow[DB_type][0] = 'E';
2642 rrow[DB_type][1] = '\0';
2643 cnt++;
2644
2645 BIO_printf(bio_err, "%s=Expired\n",
2646 rrow[DB_serial]);
2647 }
2648 }
2649 else if (db_y2k < a_y2k)
2650 {
2651 rrow[DB_type][0] = 'E';
2652 rrow[DB_type][1] = '\0';
2653 cnt++;
2654
2655 BIO_printf(bio_err, "%s=Expired\n",
2656 rrow[DB_serial]);
2657 }
2658
2659 }
2660 }
2661
2662 err:
2663
2664 ASN1_UTCTIME_free(a_tm);
2665 OPENSSL_free(a_tm_s);
2666
2667 return (cnt);
2668 }
2669
2670 static char *crl_reasons[] = {
2671 /* CRL reason strings */
2672 "unspecified",
2673 "keyCompromise",
2674 "CACompromise",
2675 "affiliationChanged",
2676 "superseded",
2677 "cessationOfOperation",
2678 "certificateHold",
2679 "removeFromCRL",
2680 /* Additional pseudo reasons */
2681 "holdInstruction",
2682 "keyTime",
2683 "CAkeyTime"
2684 };
2685
2686 #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2687
2688 /* Given revocation information convert to a DB string.
2689 * The format of the string is:
2690 * revtime[,reason,extra]. Where 'revtime' is the
2691 * revocation time (the current time). 'reason' is the
2692 * optional CRL reason and 'extra' is any additional
2693 * argument
2694 */
2695
2696 char *make_revocation_str(int rev_type, char *rev_arg)
2697 {
2698 char *reason = NULL, *other = NULL, *str;
2699 ASN1_OBJECT *otmp;
2700 ASN1_UTCTIME *revtm = NULL;
2701 int i;
2702 switch (rev_type)
2703 {
2704 case REV_NONE:
2705 break;
2706
2707 case REV_CRL_REASON:
2708 for (i = 0; i < 8; i++)
2709 {
2710 if (!strcasecmp(rev_arg, crl_reasons[i]))
2711 {
2712 reason = crl_reasons[i];
2713 break;
2714 }
2715 }
2716 if (reason == NULL)
2717 {
2718 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2719 return NULL;
2720 }
2721 break;
2722
2723 case REV_HOLD:
2724 /* Argument is an OID */
2725
2726 otmp = OBJ_txt2obj(rev_arg, 0);
2727 ASN1_OBJECT_free(otmp);
2728
2729 if (otmp == NULL)
2730 {
2731 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2732 return NULL;
2733 }
2734
2735 reason = "holdInstruction";
2736 other = rev_arg;
2737 break;
2738
2739 case REV_KEY_COMPROMISE:
2740 case REV_CA_COMPROMISE:
2741
2742 /* Argument is the key compromise time */
2743 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
2744 {
2745 BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
2746 return NULL;
2747 }
2748 other = rev_arg;
2749 if (rev_type == REV_KEY_COMPROMISE)
2750 reason = "keyTime";
2751 else
2752 reason = "CAkeyTime";
2753
2754 break;
2755
2756 }
2757
2758 revtm = X509_gmtime_adj(NULL, 0);
2759
2760 i = revtm->length + 1;
2761
2762 if (reason) i += strlen(reason) + 1;
2763 if (other) i += strlen(other) + 1;
2764
2765 str = OPENSSL_malloc(i);
2766
2767 if (!str) return NULL;
2768
2769 strcpy(str, (char *)revtm->data);
2770 if (reason)
2771 {
2772 strcat(str, ",");
2773 strcat(str, reason);
2774 }
2775 if (other)
2776 {
2777 strcat(str, ",");
2778 strcat(str, other);
2779 }
2780 ASN1_UTCTIME_free(revtm);
2781 return str;
2782 }
2783
2784 /* Convert revocation field to X509_REVOKED entry
2785 * return code:
2786 * 0 error
2787 * 1 OK
2788 * 2 OK and some extensions added (i.e. V2 CRL)
2789 */
2790
2791
2792 int make_revoked(X509_REVOKED *rev, char *str)
2793 {
2794 char *tmp = NULL;
2795 int reason_code = -1;
2796 int i, ret = 0;
2797 ASN1_OBJECT *hold = NULL;
2798 ASN1_GENERALIZEDTIME *comp_time = NULL;
2799 ASN1_ENUMERATED *rtmp = NULL;
2800
2801 ASN1_TIME *revDate = NULL;
2802
2803 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2804
2805 if (i == 0)
2806 goto err;
2807
2808 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2809 goto err;
2810
2811 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
2812 {
2813 rtmp = ASN1_ENUMERATED_new();
2814 if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2815 goto err;
2816 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2817 goto err;
2818 }
2819
2820 if (rev && comp_time)
2821 {
2822 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
2823 goto err;
2824 }
2825 if (rev && hold)
2826 {
2827 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
2828 goto err;
2829 }
2830
2831 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2832 ret = 2;
2833 else ret = 1;
2834
2835 err:
2836
2837 if (tmp) OPENSSL_free(tmp);
2838 ASN1_OBJECT_free(hold);
2839 ASN1_GENERALIZEDTIME_free(comp_time);
2840 ASN1_ENUMERATED_free(rtmp);
2841 ASN1_TIME_free(revDate);
2842
2843 return ret;
2844 }
2845
2846 /*
2847 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
2848 * where characters may be escaped by \
2849 */
2850 X509_NAME *do_subject(char *subject, long chtype, int multirdn)
2851 {
2852 size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
2853 char *buf = OPENSSL_malloc(buflen);
2854 size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
2855 char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
2856 char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
2857 int *mval = OPENSSL_malloc (max_ne * sizeof (int));
2858
2859 char *sp = subject, *bp = buf;
2860 int i, ne_num = 0;
2861
2862 X509_NAME *n = NULL;
2863 int nid;
2864
2865 if (!buf || !ne_types || !ne_values)
2866 {
2867 BIO_printf(bio_err, "malloc error\n");
2868 goto error;
2869 }
2870
2871 if (*subject != '/')
2872 {
2873 BIO_printf(bio_err, "Subject does not start with '/'.\n");
2874 goto error;
2875 }
2876 sp++; /* skip leading / */
2877
2878 /* no multivalued RDN by default */
2879 mval[ne_num] = 0;
2880
2881 while (*sp)
2882 {
2883 /* collect type */
2884 ne_types[ne_num] = bp;
2885 while (*sp)
2886 {
2887 if (*sp == '\\') /* is there anything to escape in the type...? */
2888 {
2889 if (*++sp)
2890 *bp++ = *sp++;
2891 else
2892 {
2893 BIO_printf(bio_err, "escape character at end of string\n");
2894 goto error;
2895 }
2896 }
2897 else if (*sp == '=')
2898 {
2899 sp++;
2900 *bp++ = '\0';
2901 break;
2902 }
2903 else
2904 *bp++ = *sp++;
2905 }
2906 if (!*sp)
2907 {
2908 BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
2909 goto error;
2910 }
2911 ne_values[ne_num] = bp;
2912 while (*sp)
2913 {
2914 if (*sp == '\\')
2915 {
2916 if (*++sp)
2917 *bp++ = *sp++;
2918 else
2919 {
2920 BIO_printf(bio_err, "escape character at end of string\n");
2921 goto error;
2922 }
2923 }
2924 else if (*sp == '/')
2925 {
2926 sp++;
2927 /* no multivalued RDN by default */
2928 mval[ne_num+1] = 0;
2929 break;
2930 }
2931 else if (*sp == '+' && multirdn)
2932 {
2933 /* a not escaped + signals a mutlivalued RDN */
2934 sp++;
2935 mval[ne_num+1] = -1;
2936 break;
2937 }
2938 else
2939 *bp++ = *sp++;
2940 }
2941 *bp++ = '\0';
2942 ne_num++;
2943 }
2944
2945 if (!(n = X509_NAME_new()))
2946 goto error;
2947
2948 for (i = 0; i < ne_num; i++)
2949 {
2950 if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
2951 {
2952 BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
2953 continue;
2954 }
2955
2956 if (!*ne_values[i])
2957 {
2958 BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
2959 continue;
2960 }
2961
2962 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
2963 goto error;
2964 }
2965
2966 OPENSSL_free(ne_values);
2967 OPENSSL_free(ne_types);
2968 OPENSSL_free(buf);
2969 return n;
2970
2971 error:
2972 X509_NAME_free(n);
2973 if (ne_values)
2974 OPENSSL_free(ne_values);
2975 if (ne_types)
2976 OPENSSL_free(ne_types);
2977 if (buf)
2978 OPENSSL_free(buf);
2979 return NULL;
2980 }
2981
2982 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
2983 {
2984 char buf[25],*pbuf, *p;
2985 int j;
2986 j=i2a_ASN1_OBJECT(bp,obj);
2987 pbuf=buf;
2988 for (j=22-j; j>0; j--)
2989 *(pbuf++)=' ';
2990 *(pbuf++)=':';
2991 *(pbuf++)='\0';
2992 BIO_puts(bp,buf);
2993
2994 if (str->type == V_ASN1_PRINTABLESTRING)
2995 BIO_printf(bp,"PRINTABLE:'");
2996 else if (str->type == V_ASN1_T61STRING)
2997 BIO_printf(bp,"T61STRING:'");
2998 else if (str->type == V_ASN1_IA5STRING)
2999 BIO_printf(bp,"IA5STRING:'");
3000 else if (str->type == V_ASN1_UNIVERSALSTRING)
3001 BIO_printf(bp,"UNIVERSALSTRING:'");
3002 else
3003 BIO_printf(bp,"ASN.1 %2d:'",str->type);
3004
3005 p=(char *)str->data;
3006 for (j=str->length; j>0; j--)
3007 {
3008 if ((*p >= ' ') && (*p <= '~'))
3009 BIO_printf(bp,"%c",*p);
3010 else if (*p & 0x80)
3011 BIO_printf(bp,"\\0x%02X",*p);
3012 else if ((unsigned char)*p == 0xf7)
3013 BIO_printf(bp,"^?");
3014 else BIO_printf(bp,"^%c",*p+'@');
3015 p++;
3016 }
3017 BIO_printf(bp,"'\n");
3018 return 1;
3019 }
3020
3021 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
3022 {
3023 char *tmp = NULL;
3024 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
3025 int reason_code = -1;
3026 int ret = 0;
3027 unsigned int i;
3028 ASN1_OBJECT *hold = NULL;
3029 ASN1_GENERALIZEDTIME *comp_time = NULL;
3030 tmp = BUF_strdup(str);
3031
3032 p = strchr(tmp, ',');
3033
3034 rtime_str = tmp;
3035
3036 if (p)
3037 {
3038 *p = '\0';
3039 p++;
3040 reason_str = p;
3041 p = strchr(p, ',');
3042 if (p)
3043 {
3044 *p = '\0';
3045 arg_str = p + 1;
3046 }
3047 }
3048
3049 if (prevtm)
3050 {
3051 *prevtm = ASN1_UTCTIME_new();
3052 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
3053 {
3054 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
3055 goto err;
3056 }
3057 }
3058 if (reason_str)
3059 {
3060 for (i = 0; i < NUM_REASONS; i++)
3061 {
3062 if(!strcasecmp(reason_str, crl_reasons[i]))
3063 {
3064 reason_code = i;
3065 break;
3066 }
3067 }
3068 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
3069 {
3070 BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
3071 goto err;
3072 }
3073
3074 if (reason_code == 7)
3075 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
3076 else if (reason_code == 8) /* Hold instruction */
3077 {
3078 if (!arg_str)
3079 {
3080 BIO_printf(bio_err, "missing hold instruction\n");
3081 goto err;
3082 }
3083 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
3084 hold = OBJ_txt2obj(arg_str, 0);
3085
3086 if (!hold)
3087 {
3088 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
3089 goto err;
3090 }
3091 if (phold) *phold = hold;
3092 }
3093 else if ((reason_code == 9) || (reason_code == 10))
3094 {
3095 if (!arg_str)
3096 {
3097 BIO_printf(bio_err, "missing compromised time\n");
3098 goto err;
3099 }
3100 comp_time = ASN1_GENERALIZEDTIME_new();
3101 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
3102 {
3103 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
3104 goto err;
3105 }
3106 if (reason_code == 9)
3107 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
3108 else
3109 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
3110 }
3111 }
3112
3113 if (preason) *preason = reason_code;
3114 if (pinvtm) *pinvtm = comp_time;
3115 else ASN1_GENERALIZEDTIME_free(comp_time);
3116
3117 ret = 1;
3118
3119 err:
3120
3121 if (tmp) OPENSSL_free(tmp);
3122 if (!phold) ASN1_OBJECT_free(hold);
3123 if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
3124
3125 return ret;
3126 }
A mirror of the official openssl repository