- else if (strcmp(*argv,"-ocspid") == 0)
- ocspid= ++num;
- else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
- {
- /* ok */
- digest=md_alg;
- }
- else
- {
- BIO_printf(bio_err,"unknown option %s\n",*argv);
- badops=1;
- break;
- }
- argc--;
- argv++;
- }
-
- if (badops)
- {
-bad:
- for (pp=x509_usage; (*pp != NULL); pp++)
- BIO_printf(bio_err,"%s",*pp);
- goto end;
- }
-
- if (engine != NULL)
- {
- if((e = ENGINE_by_id(engine)) == NULL)
- {
- BIO_printf(bio_err,"invalid engine \"%s\"\n",
- engine);
- goto end;
- }
- if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
- {
- BIO_printf(bio_err,"can't use that engine\n");
- goto end;
- }
- BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
- /* Free our "structural" reference. */
- ENGINE_free(e);
- }
-
- if (need_rand)
- app_RAND_load_file(NULL, bio_err, 0);
-
- ERR_load_crypto_strings();
-
- if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
- {
- BIO_printf(bio_err, "Error getting password\n");
- goto end;
- }
-
- if (!X509_STORE_set_default_paths(ctx))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
- { CAkeyfile=CAfile; }
- else if ((CA_flag) && (CAkeyfile == NULL))
- {
- BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
- goto end;
- }
-
- if (extfile)
- {
- long errorline;
- X509V3_CTX ctx2;
- if (!(extconf=CONF_load(NULL,extfile,&errorline)))
- {
- if (errorline <= 0)
- BIO_printf(bio_err,
- "error loading the config file '%s'\n",
- extfile);
- else
- BIO_printf(bio_err,
- "error on line %ld of config file '%s'\n"
- ,errorline,extfile);
- goto end;
- }
- if (!extsect)
- {
- extsect = CONF_get_string(extconf, "default", "extensions");
- if (!extsect)
- {
- ERR_clear_error();
- extsect = "default";
- }
- }
- X509V3_set_ctx_test(&ctx2);
- X509V3_set_conf_lhash(&ctx2, extconf);
- if (!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL))
- {
- BIO_printf(bio_err,
- "Error Loading extension section %s\n",
- extsect);
- ERR_print_errors(bio_err);
- goto end;
- }
- }
-
-
- if (reqfile)
- {
- EVP_PKEY *pkey;
- X509_CINF *ci;
- BIO *in;
-
- if (!sign_flag && !CA_flag)
- {
- BIO_printf(bio_err,"We need a private key to sign with\n");
- goto end;
- }
- in=BIO_new(BIO_s_file());
- if (in == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- BIO_free(in);
- goto end;
- }
- }
- req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
- BIO_free(in);
-
- if (req == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if ( (req->req_info == NULL) ||
- (req->req_info->pubkey == NULL) ||
- (req->req_info->pubkey->public_key == NULL) ||
- (req->req_info->pubkey->public_key->data == NULL))
- {
- BIO_printf(bio_err,"The certificate request appears to corrupted\n");
- BIO_printf(bio_err,"It does not contain a public key\n");
- goto end;
- }
- if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
- {
- BIO_printf(bio_err,"error unpacking public key\n");
- goto end;
- }
- i=X509_REQ_verify(req,pkey);
- EVP_PKEY_free(pkey);
- if (i < 0)
- {
- BIO_printf(bio_err,"Signature verification error\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- if (i == 0)
- {
- BIO_printf(bio_err,"Signature did not match the certificate request\n");
- goto end;
- }
- else
- BIO_printf(bio_err,"Signature ok\n");
-
- print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
-
- if ((x=X509_new()) == NULL) goto end;
- ci=x->cert_info;
-
- if (sno)
- {
- if (!X509_set_serialNumber(x, sno))
- goto end;
- }
- else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
- if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
- if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
-
- X509_gmtime_adj(X509_get_notBefore(x),0);
- X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
-
- pkey = X509_REQ_get_pubkey(req);
- X509_set_pubkey(x,pkey);
- EVP_PKEY_free(pkey);
- }
- else
- x=load_cert(bio_err,infile,informat);
-
- if (x == NULL) goto end;
- if (CA_flag)
- {
- xca=load_cert(bio_err,CAfile,CAformat);
- if (xca == NULL) goto end;
- }
-
- if (!noout || text)
- {
- OBJ_create("2.99999.3",
- "SET.ex3","SET x509v3 extension 3");
-
- out=BIO_new(BIO_s_file());
- if (out == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if (outfile == NULL)
- {
- BIO_set_fp(out,stdout,BIO_NOCLOSE);
+ else if (strcmp(*argv, "-days") == 0) {
+ if (--argc < 1)
+ goto bad;
+ days = atoi(*(++argv));
+ if (days == 0) {
+ BIO_printf(bio_err, "bad number of days\n");
+ goto bad;
+ }
+ } else if (strcmp(*argv, "-passin") == 0) {
+ if (--argc < 1)
+ goto bad;
+ passargin = *(++argv);
+ } else if (strcmp(*argv, "-extfile") == 0) {
+ if (--argc < 1)
+ goto bad;
+ extfile = *(++argv);
+ } else if (strcmp(*argv, "-extensions") == 0) {
+ if (--argc < 1)
+ goto bad;
+ extsect = *(++argv);
+ } else if (strcmp(*argv, "-in") == 0) {
+ if (--argc < 1)
+ goto bad;
+ infile = *(++argv);
+ } else if (strcmp(*argv, "-out") == 0) {
+ if (--argc < 1)
+ goto bad;
+ outfile = *(++argv);
+ } else if (strcmp(*argv, "-signkey") == 0) {
+ if (--argc < 1)
+ goto bad;
+ keyfile = *(++argv);
+ sign_flag = ++num;
+ need_rand = 1;
+ } else if (strcmp(*argv, "-CA") == 0) {
+ if (--argc < 1)
+ goto bad;
+ CAfile = *(++argv);
+ CA_flag = ++num;
+ need_rand = 1;
+ } else if (strcmp(*argv, "-CAkey") == 0) {
+ if (--argc < 1)
+ goto bad;
+ CAkeyfile = *(++argv);
+ } else if (strcmp(*argv, "-CAserial") == 0) {
+ if (--argc < 1)
+ goto bad;
+ CAserial = *(++argv);
+ } else if (strcmp(*argv, "-set_serial") == 0) {
+ if (--argc < 1)
+ goto bad;
+ if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
+ goto bad;
+ } else if (strcmp(*argv, "-force_pubkey") == 0) {
+ if (--argc < 1)
+ goto bad;
+ fkeyfile = *(++argv);
+ } else if (strcmp(*argv, "-addtrust") == 0) {
+ if (--argc < 1)
+ goto bad;
+ if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+ BIO_printf(bio_err, "Invalid trust object value %s\n", *argv);
+ goto bad;
+ }
+ if (!trust)
+ trust = sk_ASN1_OBJECT_new_null();
+ sk_ASN1_OBJECT_push(trust, objtmp);
+ trustout = 1;
+ } else if (strcmp(*argv, "-addreject") == 0) {
+ if (--argc < 1)
+ goto bad;
+ if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+ BIO_printf(bio_err,
+ "Invalid reject object value %s\n", *argv);
+ goto bad;
+ }
+ if (!reject)
+ reject = sk_ASN1_OBJECT_new_null();
+ sk_ASN1_OBJECT_push(reject, objtmp);
+ trustout = 1;
+ } else if (strcmp(*argv, "-setalias") == 0) {
+ if (--argc < 1)
+ goto bad;
+ alias = *(++argv);
+ trustout = 1;
+ } else if (strcmp(*argv, "-certopt") == 0) {
+ if (--argc < 1)
+ goto bad;
+ if (!set_cert_ex(&certflag, *(++argv)))
+ goto bad;
+ } else if (strcmp(*argv, "-nameopt") == 0) {
+ if (--argc < 1)
+ goto bad;
+ if (!set_name_ex(&nmflag, *(++argv)))
+ goto bad;
+ }
+#ifndef OPENSSL_NO_ENGINE
+ else if (strcmp(*argv, "-engine") == 0) {
+ if (--argc < 1)
+ goto bad;
+ engine = *(++argv);
+ }
+#endif
+ else if (strcmp(*argv, "-C") == 0)
+ C = ++num;
+ else if (strcmp(*argv, "-email") == 0)
+ email = ++num;
+ else if (strcmp(*argv, "-ocsp_uri") == 0)
+ ocsp_uri = ++num;
+ else if (strcmp(*argv, "-serial") == 0)
+ serial = ++num;
+ else if (strcmp(*argv, "-next_serial") == 0)
+ next_serial = ++num;
+ else if (strcmp(*argv, "-modulus") == 0)
+ modulus = ++num;
+ else if (strcmp(*argv, "-pubkey") == 0)
+ pubkey = ++num;
+ else if (strcmp(*argv, "-x509toreq") == 0)
+ x509req = ++num;
+ else if (strcmp(*argv, "-text") == 0)
+ text = ++num;
+ else if (strcmp(*argv, "-hash") == 0
+ || strcmp(*argv, "-subject_hash") == 0)
+ subject_hash = ++num;
+#ifndef OPENSSL_NO_MD5
+ else if (strcmp(*argv, "-subject_hash_old") == 0)
+ subject_hash_old = ++num;
+#endif
+ else if (strcmp(*argv, "-issuer_hash") == 0)
+ issuer_hash = ++num;
+#ifndef OPENSSL_NO_MD5
+ else if (strcmp(*argv, "-issuer_hash_old") == 0)
+ issuer_hash_old = ++num;
+#endif
+ else if (strcmp(*argv, "-subject") == 0)
+ subject = ++num;
+ else if (strcmp(*argv, "-issuer") == 0)
+ issuer = ++num;
+ else if (strcmp(*argv, "-fingerprint") == 0)
+ fingerprint = ++num;
+ else if (strcmp(*argv, "-dates") == 0) {
+ startdate = ++num;
+ enddate = ++num;
+ } else if (strcmp(*argv, "-purpose") == 0)
+ pprint = ++num;
+ else if (strcmp(*argv, "-startdate") == 0)
+ startdate = ++num;
+ else if (strcmp(*argv, "-enddate") == 0)
+ enddate = ++num;
+ else if (strcmp(*argv, "-checkend") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkoffset = atoi(*(++argv));
+ checkend = 1;
+ } else if (strcmp(*argv, "-checkhost") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkhost = *(++argv);
+ } else if (strcmp(*argv, "-checkemail") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkemail = *(++argv);
+ } else if (strcmp(*argv, "-checkip") == 0) {
+ if (--argc < 1)
+ goto bad;
+ checkip = *(++argv);
+ } else if (strcmp(*argv, "-noout") == 0)
+ noout = ++num;
+ else if (strcmp(*argv, "-trustout") == 0)
+ trustout = 1;
+ else if (strcmp(*argv, "-clrtrust") == 0)
+ clrtrust = ++num;
+ else if (strcmp(*argv, "-clrreject") == 0)
+ clrreject = ++num;
+ else if (strcmp(*argv, "-alias") == 0)
+ aliasout = ++num;
+ else if (strcmp(*argv, "-CAcreateserial") == 0)
+ CA_createserial = ++num;
+ else if (strcmp(*argv, "-clrext") == 0)
+ clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this
+ * should go away soon */
+ else if (strcmp(*argv, "-crlext") == 0) {
+ BIO_printf(bio_err, "use -clrext instead of -crlext\n");
+ clrext = 1;
+ }
+#endif
+ else if (strcmp(*argv, "-ocspid") == 0)
+ ocspid = ++num;
+ else if (strcmp(*argv, "-badsig") == 0)
+ badsig = 1;
+ else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
+ /* ok */
+ digest = md_alg;
+ } else {
+ BIO_printf(bio_err, "unknown option %s\n", *argv);
+ badops = 1;
+ break;
+ }
+ argc--;
+ argv++;
+ }
+
+ if (badops) {
+ bad:
+ for (pp = x509_usage; (*pp != NULL); pp++)
+ BIO_printf(bio_err, "%s", *pp);
+ goto end;
+ }
+ e = setup_engine(bio_err, engine, 0);
+
+ if (need_rand)
+ app_RAND_load_file(NULL, bio_err, 0);
+
+ ERR_load_crypto_strings();
+
+ if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
+ if (!X509_STORE_set_default_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (fkeyfile) {
+ fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
+ NULL, e, "Forced key");
+ if (fkey == NULL)
+ goto end;
+ }
+
+ if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
+ CAkeyfile = CAfile;
+ } else if ((CA_flag) && (CAkeyfile == NULL)) {
+ BIO_printf(bio_err,
+ "need to specify a CAkey if using the CA command\n");
+ goto end;
+ }
+
+ if (extfile) {
+ long errorline = -1;
+ X509V3_CTX ctx2;
+ extconf = NCONF_new(NULL);
+ if (!NCONF_load(extconf, extfile, &errorline)) {
+ if (errorline <= 0)
+ BIO_printf(bio_err,
+ "error loading the config file '%s'\n", extfile);
+ else
+ BIO_printf(bio_err,
+ "error on line %ld of config file '%s'\n",
+ errorline, extfile);
+ goto end;
+ }
+ if (!extsect) {
+ extsect = NCONF_get_string(extconf, "default", "extensions");
+ if (!extsect) {
+ ERR_clear_error();
+ extsect = "default";
+ }
+ }
+ X509V3_set_ctx_test(&ctx2);
+ X509V3_set_nconf(&ctx2, extconf);
+ if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n", extsect);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (reqfile) {
+ EVP_PKEY *pkey;
+ BIO *in;
+
+ if (!sign_flag && !CA_flag) {
+ BIO_printf(bio_err, "We need a private key to sign with\n");
+ goto end;
+ }
+ in = BIO_new(BIO_s_file());
+ if (in == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (infile == NULL)
+ BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
+ else {
+ if (BIO_read_filename(in, infile) <= 0) {
+ perror(infile);
+ BIO_free(in);
+ goto end;
+ }
+ }
+ req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
+ BIO_free(in);
+
+ if (req == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if ((req->req_info == NULL) ||
+ (req->req_info->pubkey == NULL) ||
+ (req->req_info->pubkey->public_key == NULL) ||
+ (req->req_info->pubkey->public_key->data == NULL)) {
+ BIO_printf(bio_err,
+ "The certificate request appears to corrupted\n");
+ BIO_printf(bio_err, "It does not contain a public key\n");
+ goto end;
+ }
+ if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
+ BIO_printf(bio_err, "error unpacking public key\n");
+ goto end;
+ }
+ i = X509_REQ_verify(req, pkey);
+ EVP_PKEY_free(pkey);
+ if (i < 0) {
+ BIO_printf(bio_err, "Signature verification error\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (i == 0) {
+ BIO_printf(bio_err,
+ "Signature did not match the certificate request\n");
+ goto end;
+ } else
+ BIO_printf(bio_err, "Signature ok\n");
+
+ print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
+ nmflag);
+
+ if ((x = X509_new()) == NULL)
+ goto end;
+
+ if (sno == NULL) {
+ sno = ASN1_INTEGER_new();
+ if (!sno || !rand_serial(NULL, sno))
+ goto end;
+ if (!X509_set_serialNumber(x, sno))
+ goto end;
+ ASN1_INTEGER_free(sno);
+ sno = NULL;
+ } else if (!X509_set_serialNumber(x, sno))
+ goto end;
+
+ if (!X509_set_issuer_name(x, req->req_info->subject))
+ goto end;
+ if (!X509_set_subject_name(x, req->req_info->subject))
+ goto end;
+
+ X509_gmtime_adj(X509_get_notBefore(x), 0);
+ X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
+ if (fkey)
+ X509_set_pubkey(x, fkey);
+ else {
+ pkey = X509_REQ_get_pubkey(req);
+ X509_set_pubkey(x, pkey);
+ EVP_PKEY_free(pkey);
+ }
+ } else
+ x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
+
+ if (x == NULL)
+ goto end;
+ if (CA_flag) {
+ xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate");
+ if (xca == NULL)
+ goto end;
+ }
+
+ if (!noout || text || next_serial) {
+ OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
+
+ out = BIO_new(BIO_s_file());
+ if (out == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (outfile == NULL) {
+ BIO_set_fp(out, stdout, BIO_NOCLOSE);