1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscape's SSL.
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are adhered to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the routines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
52 * The licence and distribution terms for any publicly available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
62 #include <openssl/bio.h>
63 #include <openssl/err.h>
64 #include <openssl/x509.h>
65 #include <openssl/x509v3.h>
66 #include <openssl/pem.h>
68 typedef enum OPTION_choice
{
69 OPT_ERR
= -1, OPT_EOF
= 0, OPT_HELP
,
70 OPT_INFORM
, OPT_IN
, OPT_OUTFORM
, OPT_OUT
, OPT_KEYFORM
, OPT_KEY
,
71 OPT_ISSUER
, OPT_LASTUPDATE
, OPT_NEXTUPDATE
, OPT_FINGERPRINT
,
72 OPT_CRLNUMBER
, OPT_BADSIG
, OPT_GENDELTA
, OPT_CAPATH
, OPT_CAFILE
,
73 OPT_VERIFY
, OPT_TEXT
, OPT_HASH
, OPT_HASH_OLD
, OPT_NOOUT
,
77 OPTIONS crl_options
[] = {
78 {"help", OPT_HELP
, '-', "Display this summary"},
79 {"inform", OPT_INFORM
, 'F', "Input format; default PEM"},
80 {"in", OPT_IN
, '<', "Input file - default stdin"},
81 {"outform", OPT_OUTFORM
, 'F', "Output format - default PEM"},
82 {"out", OPT_OUT
, '>', "output file - default stdout"},
83 {"keyform", OPT_KEYFORM
, 'F'},
84 {"key", OPT_KEY
, '<'},
85 {"issuer", OPT_ISSUER
, '-', "Print issuer DN"},
86 {"lastupdate", OPT_LASTUPDATE
, '-', "Set lastUpdate field"},
87 {"nextupdate", OPT_NEXTUPDATE
, '-', "Set nextUpdate field"},
88 {"noout", OPT_NOOUT
, '-', "No CRL output"},
89 {"fingerprint", OPT_FINGERPRINT
, '-', "Print the crl fingerprint"},
90 {"crlnumber", OPT_CRLNUMBER
, '-', "Print CRL number"},
91 {"badsig", OPT_BADSIG
, '-'},
92 {"gendelta", OPT_GENDELTA
, '<'},
93 {"CApath", OPT_CAPATH
, '/', "Verify CRL using certificates in dir"},
94 {"CAfile", OPT_CAFILE
, '<', "Verify CRL using certificates in file name"},
95 {"verify", OPT_VERIFY
, '-'},
96 {"text", OPT_TEXT
, '-', "Print out a text format version"},
97 {"hash", OPT_HASH
, '-', "Print hash value"},
98 {"nameopt", OPT_NAMEOPT
, 's', "Various certificate name options"},
99 {"", OPT_MD
, '-', "Any supported digest"},
100 #ifndef OPENSSL_NO_MD5
101 {"hash_old", OPT_HASH_OLD
, '-', "Print old-style (MD5) hash value"},
106 int crl_main(int argc
, char **argv
)
110 X509_STORE
*store
= NULL
;
112 X509_LOOKUP
*lookup
= NULL
;
115 const EVP_MD
*digest
= EVP_sha1();
116 unsigned long nmflag
= 0;
117 char *infile
= NULL
, *outfile
= NULL
, *crldiff
= NULL
, *keyfile
= NULL
;
118 char *CAfile
= NULL
, *CApath
= NULL
, *prog
;
120 int hash
= 0, issuer
= 0, lastupdate
= 0, nextupdate
= 0, noout
= 0;
121 int informat
= FORMAT_PEM
, outformat
= FORMAT_PEM
, keyformat
= FORMAT_PEM
;
122 int ret
= 1, num
= 0, badsig
= 0, fingerprint
= 0, crlnumber
= 0;
123 int text
= 0, do_ver
= 0;
125 #ifndef OPENSSL_NO_MD5
129 prog
= opt_init(argc
, argv
, crl_options
);
130 while ((o
= opt_next()) != OPT_EOF
) {
135 BIO_printf(bio_err
, "%s: Use -help for summary.\n", prog
);
138 opt_help(crl_options
);
142 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &informat
))
149 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &outformat
))
156 if (!opt_format(opt_arg(), OPT_FMT_PEMDER
, &keyformat
))
174 #ifndef OPENSSL_NO_MD5
199 case OPT_FINGERPRINT
:
209 if (!set_name_ex(&nmflag
, opt_arg()))
213 if (!opt_md(opt_unknown(), &digest
))
217 argc
= opt_num_rest();
220 if (!app_load_modules(NULL
))
223 x
= load_crl(infile
, informat
);
228 if ((store
= setup_verify(CAfile
, CApath
)) == NULL
)
230 lookup
= X509_STORE_add_lookup(store
, X509_LOOKUP_file());
233 if (!X509_STORE_CTX_init(&ctx
, store
, NULL
, NULL
)) {
234 BIO_printf(bio_err
, "Error initialising X509 store\n");
238 i
= X509_STORE_get_by_subject(&ctx
, X509_LU_X509
,
239 X509_CRL_get_issuer(x
), &xobj
);
241 BIO_printf(bio_err
, "Error getting CRL issuer certificate\n");
244 pkey
= X509_get_pubkey(xobj
.data
.x509
);
245 X509_OBJECT_free_contents(&xobj
);
247 BIO_printf(bio_err
, "Error getting CRL issuer public key\n");
250 i
= X509_CRL_verify(x
, pkey
);
255 BIO_printf(bio_err
, "verify failure\n");
257 BIO_printf(bio_err
, "verify OK\n");
261 X509_CRL
*newcrl
, *delta
;
263 BIO_puts(bio_err
, "Missing CRL signing key\n");
266 newcrl
= load_crl(crldiff
, informat
);
269 pkey
= load_key(keyfile
, keyformat
, 0, NULL
, NULL
, "CRL signing key");
271 X509_CRL_free(newcrl
);
274 delta
= X509_CRL_diff(x
, newcrl
, pkey
, digest
, 0);
275 X509_CRL_free(newcrl
);
281 BIO_puts(bio_err
, "Error creating delta CRL\n");
287 for (i
= 1; i
<= num
; i
++) {
289 print_name(bio_out
, "issuer=", X509_CRL_get_issuer(x
),
292 if (crlnumber
== i
) {
293 ASN1_INTEGER
*crlnum
;
294 crlnum
= X509_CRL_get_ext_d2i(x
, NID_crl_number
, NULL
, NULL
);
295 BIO_printf(bio_out
, "crlNumber=");
297 i2a_ASN1_INTEGER(bio_out
, crlnum
);
298 ASN1_INTEGER_free(crlnum
);
300 BIO_puts(bio_out
, "<NONE>");
301 BIO_printf(bio_out
, "\n");
304 BIO_printf(bio_out
, "%08lx\n",
305 X509_NAME_hash(X509_CRL_get_issuer(x
)));
307 #ifndef OPENSSL_NO_MD5
309 BIO_printf(bio_out
, "%08lx\n",
310 X509_NAME_hash_old(X509_CRL_get_issuer(x
)));
313 if (lastupdate
== i
) {
314 BIO_printf(bio_out
, "lastUpdate=");
315 ASN1_TIME_print(bio_out
, X509_CRL_get_lastUpdate(x
));
316 BIO_printf(bio_out
, "\n");
318 if (nextupdate
== i
) {
319 BIO_printf(bio_out
, "nextUpdate=");
320 if (X509_CRL_get_nextUpdate(x
))
321 ASN1_TIME_print(bio_out
, X509_CRL_get_nextUpdate(x
));
323 BIO_printf(bio_out
, "NONE");
324 BIO_printf(bio_out
, "\n");
326 if (fingerprint
== i
) {
329 unsigned char md
[EVP_MAX_MD_SIZE
];
331 if (!X509_CRL_digest(x
, digest
, md
, &n
)) {
332 BIO_printf(bio_err
, "out of memory\n");
335 BIO_printf(bio_out
, "%s Fingerprint=",
336 OBJ_nid2sn(EVP_MD_type(digest
)));
337 for (j
= 0; j
< (int)n
; j
++) {
338 BIO_printf(bio_out
, "%02X%c", md
[j
], (j
+ 1 == (int)n
)
344 out
= bio_open_default(outfile
, "w");
349 X509_CRL_print(out
, x
);
357 x
->signature
->data
[x
->signature
->length
- 1] ^= 0x1;
359 if (outformat
== FORMAT_ASN1
)
360 i
= (int)i2d_X509_CRL_bio(out
, x
);
362 i
= PEM_write_bio_X509_CRL(out
, x
);
364 BIO_printf(bio_err
, "unable to write CRL\n");
371 ERR_print_errors(bio_err
);
375 X509_STORE_CTX_cleanup(&ctx
);
376 X509_STORE_free(store
);