2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
14 #include <openssl/bio.h>
15 #include <openssl/err.h>
16 #include <openssl/x509.h>
17 #include <openssl/x509v3.h>
18 #include <openssl/pem.h>
20 typedef enum OPTION_choice
{
21 OPT_ERR
= -1, OPT_EOF
= 0, OPT_HELP
,
22 OPT_INFORM
, OPT_IN
, OPT_OUTFORM
, OPT_OUT
, OPT_KEYFORM
, OPT_KEY
,
23 OPT_ISSUER
, OPT_LASTUPDATE
, OPT_NEXTUPDATE
, OPT_FINGERPRINT
,
24 OPT_CRLNUMBER
, OPT_BADSIG
, OPT_GENDELTA
, OPT_CAPATH
, OPT_CAFILE
,
25 OPT_NOCAPATH
, OPT_NOCAFILE
, OPT_VERIFY
, OPT_TEXT
, OPT_HASH
, OPT_HASH_OLD
,
26 OPT_NOOUT
, OPT_NAMEOPT
, OPT_MD
29 const OPTIONS crl_options
[] = {
30 {"help", OPT_HELP
, '-', "Display this summary"},
31 {"inform", OPT_INFORM
, 'F', "Input format; default PEM"},
32 {"in", OPT_IN
, '<', "Input file - default stdin"},
33 {"outform", OPT_OUTFORM
, 'F', "Output format - default PEM"},
34 {"out", OPT_OUT
, '>', "output file - default stdout"},
35 {"keyform", OPT_KEYFORM
, 'F', "Private key file format (PEM or ENGINE)"},
36 {"key", OPT_KEY
, '<', "CRL signing Private key to use"},
37 {"issuer", OPT_ISSUER
, '-', "Print issuer DN"},
38 {"lastupdate", OPT_LASTUPDATE
, '-', "Set lastUpdate field"},
39 {"nextupdate", OPT_NEXTUPDATE
, '-', "Set nextUpdate field"},
40 {"noout", OPT_NOOUT
, '-', "No CRL output"},
41 {"fingerprint", OPT_FINGERPRINT
, '-', "Print the crl fingerprint"},
42 {"crlnumber", OPT_CRLNUMBER
, '-', "Print CRL number"},
43 {"badsig", OPT_BADSIG
, '-', "Corrupt last byte of loaded CRL signature (for test)" },
44 {"gendelta", OPT_GENDELTA
, '<', "Other CRL to compare/diff to the Input one"},
45 {"CApath", OPT_CAPATH
, '/', "Verify CRL using certificates in dir"},
46 {"CAfile", OPT_CAFILE
, '<', "Verify CRL using certificates in file name"},
47 {"no-CAfile", OPT_NOCAFILE
, '-',
48 "Do not load the default certificates file"},
49 {"no-CApath", OPT_NOCAPATH
, '-',
50 "Do not load certificates from the default certificates directory"},
51 {"verify", OPT_VERIFY
, '-', "Verify CRL signature"},
52 {"text", OPT_TEXT
, '-', "Print out a text format version"},
53 {"hash", OPT_HASH
, '-', "Print hash value"},
54 {"nameopt", OPT_NAMEOPT
, 's', "Various certificate name options"},
55 {"", OPT_MD
, '-', "Any supported digest"},
56 #ifndef OPENSSL_NO_MD5
57 {"hash_old", OPT_HASH_OLD
, '-', "Print old-style (MD5) hash value"},
62 int crl_main(int argc
, char **argv
)
66 X509_STORE
*store
= NULL
;
67 X509_STORE_CTX
*ctx
= NULL
;
68 X509_LOOKUP
*lookup
= NULL
;
69 X509_OBJECT
*xobj
= NULL
;
71 const EVP_MD
*digest
= EVP_sha1();
72 unsigned long nmflag
= 0;
74 char *infile
= NULL
, *outfile
= NULL
, *crldiff
= NULL
, *keyfile
= NULL
;
75 const char *CAfile
= NULL
, *CApath
= NULL
, *prog
;
77 int hash
= 0, issuer
= 0, lastupdate
= 0, nextupdate
= 0, noout
= 0;
78 int informat
= FORMAT_PEM
, outformat
= FORMAT_PEM
, keyformat
= FORMAT_PEM
;
79 int ret
= 1, num
= 0, badsig
= 0, fingerprint
= 0, crlnumber
= 0;
80 int text
= 0, do_ver
= 0, noCAfile
= 0, noCApath
= 0;
82 #ifndef OPENSSL_NO_MD5
86 prog
= opt_init(argc
, argv
, crl_options
);
87 while ((o
= opt_next()) != OPT_EOF
) {
92 BIO_printf(bio_err
, "%s: Use -help for summary.\n", prog
);
95 opt_help(crl_options
);
99 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &informat
))
106 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &outformat
))
113 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &keyformat
))
137 #ifndef OPENSSL_NO_MD5
162 case OPT_FINGERPRINT
:
173 if (!set_name_ex(&nmflag
, opt_arg()))
177 if (!opt_md(opt_unknown(), &digest
))
181 argc
= opt_num_rest();
186 nmflag
= XN_FLAG_ONELINE
;
188 x
= load_crl(infile
, informat
);
193 if ((store
= setup_verify(CAfile
, CApath
, noCAfile
, noCApath
)) == NULL
)
195 lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file());
198 ctx
= X509_STORE_CTX_new();
199 if (ctx
== NULL
|| !X509_STORE_CTX_init(ctx
, store
, NULL
, NULL
)) {
200 BIO_printf(bio_err
, "Error initialising X509 store\n");
204 xobj
= X509_STORE_CTX_get_obj_by_subject(ctx
, X509_LU_X509
,
205 X509_CRL_get_issuer(x
));
207 BIO_printf(bio_err
, "Error getting CRL issuer certificate\n");
210 pkey
= X509_get_pubkey(X509_OBJECT_get0_X509(xobj
));
211 X509_OBJECT_free(xobj
);
213 BIO_printf(bio_err
, "Error getting CRL issuer public key\n");
216 i
= X509_CRL_verify(x
, pkey
);
221 BIO_printf(bio_err
, "verify failure\n");
223 BIO_printf(bio_err
, "verify OK\n");
227 X509_CRL
*newcrl
, *delta
;
229 BIO_puts(bio_err
, "Missing CRL signing key\n");
232 newcrl
= load_crl(crldiff
, informat
);
235 pkey
= load_key(keyfile
, keyformat
, 0, NULL
, NULL
, "CRL signing key");
237 X509_CRL_free(newcrl
);
240 delta
= X509_CRL_diff(x
, newcrl
, pkey
, digest
, 0);
241 X509_CRL_free(newcrl
);
247 BIO_puts(bio_err
, "Error creating delta CRL\n");
253 const ASN1_BIT_STRING
*sig
;
255 X509_CRL_get0_signature(x
, &sig
, NULL
);
256 corrupt_signature(sig
);
260 for (i
= 1; i
<= num
; i
++) {
262 print_name(bio_out
, "issuer=", X509_CRL_get_issuer(x
),
265 if (crlnumber
== i
) {
266 ASN1_INTEGER
*crlnum
;
267 crlnum
= X509_CRL_get_ext_d2i(x
, NID_crl_number
, NULL
, NULL
);
268 BIO_printf(bio_out
, "crlNumber=");
270 i2a_ASN1_INTEGER(bio_out
, crlnum
);
271 ASN1_INTEGER_free(crlnum
);
273 BIO_puts(bio_out
, "<NONE>");
274 BIO_printf(bio_out
, "\n");
277 BIO_printf(bio_out
, "%08lx\n",
278 X509_NAME_hash(X509_CRL_get_issuer(x
)));
280 #ifndef OPENSSL_NO_MD5
282 BIO_printf(bio_out
, "%08lx\n",
283 X509_NAME_hash_old(X509_CRL_get_issuer(x
)));
286 if (lastupdate
== i
) {
287 BIO_printf(bio_out
, "lastUpdate=");
288 ASN1_TIME_print(bio_out
, X509_CRL_get0_lastUpdate(x
));
289 BIO_printf(bio_out
, "\n");
291 if (nextupdate
== i
) {
292 BIO_printf(bio_out
, "nextUpdate=");
293 if (X509_CRL_get0_nextUpdate(x
))
294 ASN1_TIME_print(bio_out
, X509_CRL_get0_nextUpdate(x
));
296 BIO_printf(bio_out
, "NONE");
297 BIO_printf(bio_out
, "\n");
299 if (fingerprint
== i
) {
302 unsigned char md
[EVP_MAX_MD_SIZE
];
304 if (!X509_CRL_digest(x
, digest
, md
, &n
)) {
305 BIO_printf(bio_err
, "out of memory\n");
308 BIO_printf(bio_out
, "%s Fingerprint=",
309 OBJ_nid2sn(EVP_MD_type(digest
)));
310 for (j
= 0; j
< (int)n
; j
++) {
311 BIO_printf(bio_out
, "%02X%c", md
[j
], (j
+ 1 == (int)n
)
317 out
= bio_open_default(outfile
, 'w', outformat
);
322 X509_CRL_print(out
, x
);
329 if (outformat
== FORMAT_ASN1
)
330 i
= (int)i2d_X509_CRL_bio(out
, x
);
332 i
= PEM_write_bio_X509_CRL(out
, x
);
334 BIO_printf(bio_err
, "unable to write CRL\n");
341 ERR_print_errors(bio_err
);
344 X509_STORE_CTX_free(ctx
);
345 X509_STORE_free(store
);