]>
git.ipfire.org Git - thirdparty/openssl.git/blob - apps/crl.c
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
15 #include <openssl/bio.h>
16 #include <openssl/err.h>
17 #include <openssl/x509.h>
18 #include <openssl/x509v3.h>
19 #include <openssl/pem.h>
21 typedef enum OPTION_choice
{
23 OPT_INFORM
, OPT_IN
, OPT_OUTFORM
, OPT_OUT
, OPT_KEYFORM
, OPT_KEY
,
24 OPT_ISSUER
, OPT_LASTUPDATE
, OPT_NEXTUPDATE
, OPT_FINGERPRINT
,
25 OPT_CRLNUMBER
, OPT_BADSIG
, OPT_GENDELTA
, OPT_CAPATH
, OPT_CAFILE
, OPT_CASTORE
,
26 OPT_NOCAPATH
, OPT_NOCAFILE
, OPT_NOCASTORE
, OPT_VERIFY
, OPT_DATEOPT
, OPT_TEXT
, OPT_HASH
,
27 OPT_HASH_OLD
, OPT_NOOUT
, OPT_NAMEOPT
, OPT_MD
, OPT_PROV_ENUM
30 const OPTIONS crl_options
[] = {
31 OPT_SECTION("General"),
32 {"help", OPT_HELP
, '-', "Display this summary"},
33 {"verify", OPT_VERIFY
, '-', "Verify CRL signature"},
36 {"in", OPT_IN
, '<', "Input file - default stdin"},
37 {"inform", OPT_INFORM
, 'F', "CRL input format (DER or PEM); has no effect"},
38 {"key", OPT_KEY
, '<', "CRL signing Private key to use"},
39 {"keyform", OPT_KEYFORM
, 'F', "Private key file format (DER/PEM/P12); has no effect"},
41 OPT_SECTION("Output"),
42 {"out", OPT_OUT
, '>', "output file - default stdout"},
43 {"outform", OPT_OUTFORM
, 'F', "Output format - default PEM"},
44 {"dateopt", OPT_DATEOPT
, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
45 {"text", OPT_TEXT
, '-', "Print out a text format version"},
46 {"hash", OPT_HASH
, '-', "Print hash value"},
47 #ifndef OPENSSL_NO_MD5
48 {"hash_old", OPT_HASH_OLD
, '-', "Print old-style (MD5) hash value"},
50 {"nameopt", OPT_NAMEOPT
, 's', "Certificate subject/issuer name printing options"},
51 {"", OPT_MD
, '-', "Any supported digest"},
54 {"issuer", OPT_ISSUER
, '-', "Print issuer DN"},
55 {"lastupdate", OPT_LASTUPDATE
, '-', "Set lastUpdate field"},
56 {"nextupdate", OPT_NEXTUPDATE
, '-', "Set nextUpdate field"},
57 {"noout", OPT_NOOUT
, '-', "No CRL output"},
58 {"fingerprint", OPT_FINGERPRINT
, '-', "Print the crl fingerprint"},
59 {"crlnumber", OPT_CRLNUMBER
, '-', "Print CRL number"},
60 {"badsig", OPT_BADSIG
, '-', "Corrupt last byte of loaded CRL signature (for test)" },
61 {"gendelta", OPT_GENDELTA
, '<', "Other CRL to compare/diff to the Input one"},
63 OPT_SECTION("Certificate"),
64 {"CApath", OPT_CAPATH
, '/', "Verify CRL using certificates in dir"},
65 {"CAfile", OPT_CAFILE
, '<', "Verify CRL using certificates in file name"},
66 {"CAstore", OPT_CASTORE
, ':', "Verify CRL using certificates in store URI"},
67 {"no-CAfile", OPT_NOCAFILE
, '-',
68 "Do not load the default certificates file"},
69 {"no-CApath", OPT_NOCAPATH
, '-',
70 "Do not load certificates from the default certificates directory"},
71 {"no-CAstore", OPT_NOCASTORE
, '-',
72 "Do not load certificates from the default certificates store"},
77 int crl_main(int argc
, char **argv
)
81 X509_STORE
*store
= NULL
;
82 X509_STORE_CTX
*ctx
= NULL
;
83 X509_LOOKUP
*lookup
= NULL
;
84 X509_OBJECT
*xobj
= NULL
;
86 EVP_MD
*digest
= (EVP_MD
*)EVP_sha1();
87 char *infile
= NULL
, *outfile
= NULL
, *crldiff
= NULL
, *keyfile
= NULL
;
88 char *digestname
= NULL
;
89 const char *CAfile
= NULL
, *CApath
= NULL
, *CAstore
= NULL
, *prog
;
91 int hash
= 0, issuer
= 0, lastupdate
= 0, nextupdate
= 0, noout
= 0;
92 int informat
= FORMAT_UNDEF
, outformat
= FORMAT_PEM
, keyformat
= FORMAT_UNDEF
;
93 int ret
= 1, num
= 0, badsig
= 0, fingerprint
= 0, crlnumber
= 0;
94 int text
= 0, do_ver
= 0, noCAfile
= 0, noCApath
= 0, noCAstore
= 0;
95 unsigned long dateopt
= ASN1_DTFLGS_RFC822
;
97 #ifndef OPENSSL_NO_MD5
101 prog
= opt_init(argc
, argv
, crl_options
);
102 while ((o
= opt_next()) != OPT_EOF
) {
107 BIO_printf(bio_err
, "%s: Use -help for summary.\n", prog
);
110 opt_help(crl_options
);
114 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &informat
))
121 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &outformat
))
128 if (!opt_format(opt_arg(), OPT_FMT_ANY
, &keyformat
))
159 #ifndef OPENSSL_NO_MD5
167 if (!set_dateopt(&dateopt
, opt_arg()))
188 case OPT_FINGERPRINT
:
198 if (!set_nameopt(opt_arg()))
202 digestname
= opt_unknown();
205 if (!opt_provider(o
))
211 /* No remaining args. */
212 argc
= opt_num_rest();
216 if (digestname
!= NULL
) {
217 if (!opt_md(digestname
, &digest
))
220 x
= load_crl(infile
, informat
, 1, "CRL");
225 if ((store
= setup_verify(CAfile
, noCAfile
, CApath
, noCApath
,
226 CAstore
, noCAstore
)) == NULL
)
228 lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file());
231 ctx
= X509_STORE_CTX_new();
232 if (ctx
== NULL
|| !X509_STORE_CTX_init(ctx
, store
, NULL
, NULL
)) {
233 BIO_printf(bio_err
, "Error initialising X509 store\n");
237 xobj
= X509_STORE_CTX_get_obj_by_subject(ctx
, X509_LU_X509
,
238 X509_CRL_get_issuer(x
));
240 BIO_printf(bio_err
, "Error getting CRL issuer certificate\n");
243 pkey
= X509_get_pubkey(X509_OBJECT_get0_X509(xobj
));
244 X509_OBJECT_free(xobj
);
246 BIO_printf(bio_err
, "Error getting CRL issuer public key\n");
249 i
= X509_CRL_verify(x
, pkey
);
254 BIO_printf(bio_err
, "verify failure\n");
256 BIO_printf(bio_err
, "verify OK\n");
259 if (crldiff
!= NULL
) {
260 X509_CRL
*newcrl
, *delta
;
262 BIO_puts(bio_err
, "Missing CRL signing key\n");
265 newcrl
= load_crl(crldiff
, informat
, 0, "other CRL");
268 pkey
= load_key(keyfile
, keyformat
, 0, NULL
, NULL
, "CRL signing key");
270 X509_CRL_free(newcrl
);
273 delta
= X509_CRL_diff(x
, newcrl
, pkey
, digest
, 0);
274 X509_CRL_free(newcrl
);
280 BIO_puts(bio_err
, "Error creating delta CRL\n");
286 const ASN1_BIT_STRING
*sig
;
288 X509_CRL_get0_signature(x
, &sig
, NULL
);
289 corrupt_signature(sig
);
293 for (i
= 1; i
<= num
; i
++) {
295 print_name(bio_out
, "issuer=", X509_CRL_get_issuer(x
));
297 if (crlnumber
== i
) {
298 ASN1_INTEGER
*crlnum
;
300 crlnum
= X509_CRL_get_ext_d2i(x
, NID_crl_number
, NULL
, NULL
);
301 BIO_printf(bio_out
, "crlNumber=");
303 BIO_puts(bio_out
, "0x");
304 i2a_ASN1_INTEGER(bio_out
, crlnum
);
305 ASN1_INTEGER_free(crlnum
);
307 BIO_puts(bio_out
, "<NONE>");
309 BIO_printf(bio_out
, "\n");
313 unsigned long hash_value
=
314 X509_NAME_hash_ex(X509_CRL_get_issuer(x
), app_get0_libctx(),
315 app_get0_propq(), &ok
);
318 BIO_printf(bio_out
, "issuer name hash=");
320 BIO_printf(bio_out
, "%08lx\n", hash_value
);
322 BIO_puts(bio_out
, "<ERROR>");
326 #ifndef OPENSSL_NO_MD5
329 BIO_printf(bio_out
, "issuer name old hash=");
330 BIO_printf(bio_out
, "%08lx\n",
331 X509_NAME_hash_old(X509_CRL_get_issuer(x
)));
334 if (lastupdate
== i
) {
335 BIO_printf(bio_out
, "lastUpdate=");
336 ASN1_TIME_print_ex(bio_out
, X509_CRL_get0_lastUpdate(x
), dateopt
);
337 BIO_printf(bio_out
, "\n");
339 if (nextupdate
== i
) {
340 BIO_printf(bio_out
, "nextUpdate=");
341 if (X509_CRL_get0_nextUpdate(x
))
342 ASN1_TIME_print_ex(bio_out
, X509_CRL_get0_nextUpdate(x
), dateopt
);
344 BIO_printf(bio_out
, "NONE");
345 BIO_printf(bio_out
, "\n");
347 if (fingerprint
== i
) {
350 unsigned char md
[EVP_MAX_MD_SIZE
];
352 if (!X509_CRL_digest(x
, digest
, md
, &n
)) {
353 BIO_printf(bio_err
, "out of memory\n");
356 BIO_printf(bio_out
, "%s Fingerprint=",
357 EVP_MD_get0_name(digest
));
358 for (j
= 0; j
< (int)n
; j
++) {
359 BIO_printf(bio_out
, "%02X%c", md
[j
], (j
+ 1 == (int)n
)
365 out
= bio_open_default(outfile
, 'w', outformat
);
370 X509_CRL_print_ex(out
, x
, get_nameopt());
377 if (outformat
== FORMAT_ASN1
)
378 i
= (int)i2d_X509_CRL_bio(out
, x
);
380 i
= PEM_write_bio_X509_CRL(out
, x
);
382 BIO_printf(bio_err
, "unable to write CRL\n");
389 ERR_print_errors(bio_err
);
393 X509_STORE_CTX_free(ctx
);
394 X509_STORE_free(store
);