2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
15 #include <openssl/bio.h>
16 #include <openssl/err.h>
17 #include <openssl/x509.h>
18 #include <openssl/x509v3.h>
19 #include <openssl/pem.h>
/*
 * Option identifiers for the "crl" subcommand.
 *
 * OPT_ERR (-1) and OPT_EOF (0) are the two values opt_next() reserves for
 * "malformed option" and "no more options"; the main loop runs until
 * opt_next() returns OPT_EOF.  Every other enumerator is referenced from
 * exactly one row of crl_options[] below.  The enumerator order fixes the
 * implicit values, so new options should be appended rather than inserted.
 */
typedef enum OPTION_choice {
    /* reserved by apps/opt.c */
    OPT_ERR = -1,
    OPT_EOF = 0,
    OPT_HELP,

    /* input / output selection */
    OPT_INFORM,
    OPT_IN,
    OPT_OUTFORM,
    OPT_OUT,
    OPT_KEYFORM,
    OPT_KEY,

    /* fields of the CRL to print */
    OPT_ISSUER,
    OPT_LASTUPDATE,
    OPT_NEXTUPDATE,
    OPT_FINGERPRINT,
    OPT_CRLNUMBER,

    /* -badsig is a test hook that deliberately corrupts the signature */
    OPT_BADSIG,
    OPT_GENDELTA,

    /* trust store used by -verify */
    OPT_CAPATH,
    OPT_CAFILE,
    OPT_NOCAPATH,
    OPT_NOCAFILE,
    OPT_VERIFY,

    /* output shaping; OPT_HASH_OLD is only offered when MD5 is compiled in */
    OPT_TEXT,
    OPT_HASH,
    OPT_HASH_OLD,
    OPT_NOOUT,
    OPT_NAMEOPT,

    /* catch-all for "-<digest name>", resolved through opt_md() */
    OPT_MD
} OPTION_CHOICE;
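/*
 * Option table for the "crl" subcommand, handed to opt_init() and walked by
 * opt_next()/opt_help().  Each row is {name, OPTION_CHOICE, value-type, help}.
 * The value-type column uses the apps/opt.c codes: '-' takes no argument,
 * 'F' a PEM/DER format name, '<' an input file, '>' an output file,
 * '/' a directory and 's' an arbitrary string.
 *
 * Help-text fixes relative to the previous table:
 *  - -keyform is parsed with OPT_FMT_PEMDER, so only PEM and DER are
 *    accepted; the text no longer advertises ENGINE, which the parser
 *    would reject.
 *  - -lastupdate and -nextupdate print the corresponding CRL field; they
 *    never modify the CRL, so "Set" was misleading.
 */
const OPTIONS crl_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
    {"in", OPT_IN, '<', "Input file - default stdin"},
    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
    {"out", OPT_OUT, '>', "output file - default stdout"},
    {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or DER)"},
    {"key", OPT_KEY, '<', "CRL signing Private key to use"},
    {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
    {"lastupdate", OPT_LASTUPDATE, '-', "Print lastUpdate field"},
    {"nextupdate", OPT_NEXTUPDATE, '-', "Print nextUpdate field"},
    {"noout", OPT_NOOUT, '-', "No CRL output"},
    {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
    {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
    /*
     * Test hook: corrupt_signature() is applied to the loaded CRL so that
     * the -verify failure path can be exercised.  Never useful in production.
     */
    {"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
    {"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
    /* Trust anchors for -verify; the -no-* forms suppress the built-in defaults. */
    {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
    {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
    {"no-CAfile", OPT_NOCAFILE, '-',
     "Do not load the default certificates file"},
    {"no-CApath", OPT_NOCAPATH, '-',
     "Do not load certificates from the default certificates directory"},
    {"verify", OPT_VERIFY, '-', "Verify CRL signature"},
    {"text", OPT_TEXT, '-', "Print out a text format version"},
    {"hash", OPT_HASH, '-', "Print hash value"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    /*
     * The empty name is opt.c's catch-all for otherwise-unknown options;
     * the parser resolves it with opt_md(opt_unknown(), &digest), so any
     * digest name such as -sha256 selects the fingerprint/delta digest.
     */
    {"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_MD5
    /* Legacy X509_NAME_hash_old() value; only meaningful for old-style lookups. */
    {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
#endif
    {NULL}
};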
63 int crl_main(int argc
, char **argv
)
67 X509_STORE
*store
= NULL
;
68 X509_STORE_CTX
*ctx
= NULL
;
69 X509_LOOKUP
*lookup
= NULL
;
70 X509_OBJECT
*xobj
= NULL
;
72 const EVP_MD
*digest
= EVP_sha1();
73 char *infile
= NULL
, *outfile
= NULL
, *crldiff
= NULL
, *keyfile
= NULL
;
74 const char *CAfile
= NULL
, *CApath
= NULL
, *prog
;
76 int hash
= 0, issuer
= 0, lastupdate
= 0, nextupdate
= 0, noout
= 0;
77 int informat
= FORMAT_PEM
, outformat
= FORMAT_PEM
, keyformat
= FORMAT_PEM
;
78 int ret
= 1, num
= 0, badsig
= 0, fingerprint
= 0, crlnumber
= 0;
79 int text
= 0, do_ver
= 0, noCAfile
= 0, noCApath
= 0;
81 #ifndef OPENSSL_NO_MD5
85 prog
= opt_init(argc
, argv
, crl_options
);
86 while ((o
= opt_next()) != OPT_EOF
) {
91 BIO_printf(bio_err
, "%s: Use -help for summary.\n", prog
);
94 opt_help(crl_options
);
98 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &informat
))
105 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &outformat
))
112 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &keyformat
))
136 #ifndef OPENSSL_NO_MD5
161 case OPT_FINGERPRINT
:
171 if (!set_nameopt(opt_arg()))
175 if (!opt_md(opt_unknown(), &digest
))
179 argc
= opt_num_rest();
183 x
= load_crl(infile
, informat
);
188 if ((store
= setup_verify(CAfile
, CApath
, noCAfile
, noCApath
)) == NULL
)
190 lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file());
193 ctx
= X509_STORE_CTX_new();
194 if (ctx
== NULL
|| !X509_STORE_CTX_init(ctx
, store
, NULL
, NULL
)) {
195 BIO_printf(bio_err
, "Error initialising X509 store\n");
199 xobj
= X509_STORE_CTX_get_obj_by_subject(ctx
, X509_LU_X509
,
200 X509_CRL_get_issuer(x
));
202 BIO_printf(bio_err
, "Error getting CRL issuer certificate\n");
205 pkey
= X509_get_pubkey(X509_OBJECT_get0_X509(xobj
));
206 X509_OBJECT_free(xobj
);
208 BIO_printf(bio_err
, "Error getting CRL issuer public key\n");
211 i
= X509_CRL_verify(x
, pkey
);
216 BIO_printf(bio_err
, "verify failure\n");
218 BIO_printf(bio_err
, "verify OK\n");
222 X509_CRL
*newcrl
, *delta
;
224 BIO_puts(bio_err
, "Missing CRL signing key\n");
227 newcrl
= load_crl(crldiff
, informat
);
230 pkey
= load_key(keyfile
, keyformat
, 0, NULL
, NULL
, "CRL signing key");
232 X509_CRL_free(newcrl
);
235 delta
= X509_CRL_diff(x
, newcrl
, pkey
, digest
, 0);
236 X509_CRL_free(newcrl
);
242 BIO_puts(bio_err
, "Error creating delta CRL\n");
248 const ASN1_BIT_STRING
*sig
;
250 X509_CRL_get0_signature(x
, &sig
, NULL
);
251 corrupt_signature(sig
);
255 for (i
= 1; i
<= num
; i
++) {
257 print_name(bio_out
, "issuer=", X509_CRL_get_issuer(x
),
260 if (crlnumber
== i
) {
261 ASN1_INTEGER
*crlnum
;
262 crlnum
= X509_CRL_get_ext_d2i(x
, NID_crl_number
, NULL
, NULL
);
263 BIO_printf(bio_out
, "crlNumber=");
265 i2a_ASN1_INTEGER(bio_out
, crlnum
);
266 ASN1_INTEGER_free(crlnum
);
268 BIO_puts(bio_out
, "<NONE>");
269 BIO_printf(bio_out
, "\n");
272 BIO_printf(bio_out
, "%08lx\n",
273 X509_NAME_hash(X509_CRL_get_issuer(x
)));
275 #ifndef OPENSSL_NO_MD5
277 BIO_printf(bio_out
, "%08lx\n",
278 X509_NAME_hash_old(X509_CRL_get_issuer(x
)));
281 if (lastupdate
== i
) {
282 BIO_printf(bio_out
, "lastUpdate=");
283 ASN1_TIME_print(bio_out
, X509_CRL_get0_lastUpdate(x
));
284 BIO_printf(bio_out
, "\n");
286 if (nextupdate
== i
) {
287 BIO_printf(bio_out
, "nextUpdate=");
288 if (X509_CRL_get0_nextUpdate(x
))
289 ASN1_TIME_print(bio_out
, X509_CRL_get0_nextUpdate(x
));
291 BIO_printf(bio_out
, "NONE");
292 BIO_printf(bio_out
, "\n");
294 if (fingerprint
== i
) {
297 unsigned char md
[EVP_MAX_MD_SIZE
];
299 if (!X509_CRL_digest(x
, digest
, md
, &n
)) {
300 BIO_printf(bio_err
, "out of memory\n");
303 BIO_printf(bio_out
, "%s Fingerprint=",
304 OBJ_nid2sn(EVP_MD_type(digest
)));
305 for (j
= 0; j
< (int)n
; j
++) {
306 BIO_printf(bio_out
, "%02X%c", md
[j
], (j
+ 1 == (int)n
)
312 out
= bio_open_default(outfile
, 'w', outformat
);
317 X509_CRL_print_ex(out
, x
, get_nameopt());
324 if (outformat
== FORMAT_ASN1
)
325 i
= (int)i2d_X509_CRL_bio(out
, x
);
327 i
= PEM_write_bio_X509_CRL(out
, x
);
329 BIO_printf(bio_err
, "unable to write CRL\n");
336 ERR_print_errors(bio_err
);
339 X509_STORE_CTX_free(ctx
);
340 X509_STORE_free(store
);