-#ifndef OPENSSL_NO_ECDSA
- if (CApkey->type == EVP_PKEY_ECDSA)
- digest = EVP_ecdsa();
-#endif
-
- assert(need_rand);
- if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey, CAserial,CA_createserial,days, clrext,
- extconf, extsect, sno))
- goto end;
- }
- else if (x509req == i)
- {
- EVP_PKEY *pk;
-
- BIO_printf(bio_err,"Getting request Private Key\n");
- if (keyfile == NULL)
- {
- BIO_printf(bio_err,"no request key file specified\n");
- goto end;
- }
- else
- {
- pk=load_key(bio_err,
- keyfile,FORMAT_PEM, passin, e,
- "request key");
- if (pk == NULL) goto end;
- }
-
- BIO_printf(bio_err,"Generating certificate request\n");
-
- if (pk->type == EVP_PKEY_DSA)
- digest=EVP_dss1();
- else if (pk->type == EVP_PKEY_ECDSA)
- digest=EVP_ecdsa();
-
- rq=X509_to_X509_REQ(x,pk,digest);
- EVP_PKEY_free(pk);
- if (rq == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if (!noout)
- {
- X509_REQ_print(out,rq);
- PEM_write_bio_X509_REQ(out,rq);
- }
- noout=1;
- }
- else if (ocspid == i)
- {
- X509_ocspid_print(out, x);
- }
- }
- }
-
- if (checkend)
- {
- time_t tnow=time(NULL);
-
- if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
- {
- BIO_printf(out,"Certificate will expire\n");
- ret=1;
- }
- else
- {
- BIO_printf(out,"Certificate will not expire\n");
- ret=0;
- }
- goto end;
- }
-
- if (noout)
- {
- ret=0;
- goto end;
- }
-
- if (outformat == FORMAT_ASN1)
- i=i2d_X509_bio(out,x);
- else if (outformat == FORMAT_PEM)
- {
- if (trustout) i=PEM_write_bio_X509_AUX(out,x);
- else i=PEM_write_bio_X509(out,x);
- }
- else if (outformat == FORMAT_NETSCAPE)
- {
- ASN1_HEADER ah;
- ASN1_OCTET_STRING os;
-
- os.data=(unsigned char *)NETSCAPE_CERT_HDR;
- os.length=strlen(NETSCAPE_CERT_HDR);
- ah.header= &os;
- ah.data=(char *)x;
- ah.meth=X509_asn1_meth();
-
- /* no macro for this one yet */
- i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah);
- }
- else {
- BIO_printf(bio_err,"bad output format specified for outfile\n");
- goto end;
- }
- if (!i)
- {
- BIO_printf(bio_err,"unable to write certificate\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- ret=0;
-end:
- if (need_rand)
- app_RAND_write_file(NULL, bio_err);
- OBJ_cleanup();
- NCONF_free(extconf);
- BIO_free_all(out);
- BIO_free_all(STDout);
- X509_STORE_free(ctx);
- X509_REQ_free(req);
- X509_free(x);
- X509_free(xca);
- EVP_PKEY_free(Upkey);
- EVP_PKEY_free(CApkey);
- X509_REQ_free(rq);
- ASN1_INTEGER_free(sno);
- sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
- sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
- if (passin) OPENSSL_free(passin);
- apps_shutdown();
- EXIT(ret);
- }
-
-static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
- {
- char *buf = NULL, *p;
- MS_STATIC char buf2[1024];
- ASN1_INTEGER *bs = NULL, *bs2 = NULL;
- BIO *io = NULL;
- BIGNUM *serial = NULL;
-
- buf=OPENSSL_malloc( ((serialfile == NULL)
- ?(strlen(CAfile)+strlen(POSTFIX)+1)
- :(strlen(serialfile)))+1);
- if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
- if (serialfile == NULL)
- {
- strcpy(buf,CAfile);
- for (p=buf; *p; p++)
- if (*p == '.')
- {
- *p='\0';
- break;
- }
- strcat(buf,POSTFIX);
- }
- else
- strcpy(buf,serialfile);
- serial=BN_new();
- bs=ASN1_INTEGER_new();
- if ((serial == NULL) || (bs == NULL))
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- io=BIO_new(BIO_s_file());
- if (io == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (BIO_read_filename(io,buf) <= 0)
- {
- if (!create)
- {
- perror(buf);
- goto end;
- }
- else
- {
- ASN1_INTEGER_set(bs,1);
- BN_one(serial);
- }
- }
- else
- {
- if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
- {
- BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
- ERR_print_errors(bio_err);
- goto end;
- }
- else
- {
- serial=BN_bin2bn(bs->data,bs->length,serial);
- if (serial == NULL)
- {
- BIO_printf(bio_err,"error converting bin 2 bn");
- goto end;
- }
- }
- }
-
- if (!BN_add_word(serial,1))
- { BIO_printf(bio_err,"add_word failure\n"); goto end; }
- if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL)))
- { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; }
- if (BIO_write_filename(io,buf) <= 0)
- {
- BIO_printf(bio_err,"error attempting to write serial number file\n");
- perror(buf);
- goto end;
- }
- i2a_ASN1_INTEGER(io,bs2);
- BIO_puts(io,"\n");
-
- BIO_free(io);
- if (buf) OPENSSL_free(buf);
- ASN1_INTEGER_free(bs2);
- BN_free(serial);
- io=NULL;
- return bs;
-
- end:
- if (buf) OPENSSL_free(buf);
- BIO_free(io);
- ASN1_INTEGER_free(bs);
- BN_free(serial);
- return NULL;
-
- }
-
-static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
- X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
- int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
- {
- int ret=0;
- ASN1_INTEGER *bs=NULL;
- X509_STORE_CTX xsc;
- EVP_PKEY *upkey;
-
- upkey = X509_get_pubkey(xca);
- EVP_PKEY_copy_parameters(upkey,pkey);
- EVP_PKEY_free(upkey);
-
- if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL))
- {
- BIO_printf(bio_err,"Error initialising X509 store\n");
- goto end;
- }
- if (sno) bs = sno;
- else if (!(bs = load_serial(CAfile, serialfile, create)))
- goto end;
-
- if (!X509_STORE_add_cert(ctx,x)) goto end;
-
- /* NOTE: this certificate can/should be self signed, unless it was
- * a certificate request in which case it is not. */
- X509_STORE_CTX_set_cert(&xsc,x);
- if (!reqfile && !X509_verify_cert(&xsc))
- goto end;
-
- if (!X509_check_private_key(xca,pkey))
- {
- BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
- goto end;
- }
-
- if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
- if (!X509_set_serialNumber(x,bs)) goto end;
-
- if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
- goto end;
-
- /* hardwired expired */
- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
- goto end;
-
- if (clrext)
- {
- while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
- }
-
- if (conf)
- {
- X509V3_CTX ctx2;
- X509_set_version(x,2); /* version 3 certificate */
- X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
- X509V3_set_nconf(&ctx2, conf);
- if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
- }
-
- if (!X509_sign(x,pkey,digest)) goto end;
- ret=1;
-end:
- X509_STORE_CTX_cleanup(&xsc);
- if (!ret)
- ERR_print_errors(bio_err);
- if (!sno) ASN1_INTEGER_free(bs);
- return ret;
- }
-
-static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
- {
- int err;
- X509 *err_cert;
-
- /* it is ok to use a self signed certificate
- * This case will catch both the initial ok == 0 and the
- * final ok == 1 calls to this function */
- err=X509_STORE_CTX_get_error(ctx);
- if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
- return 1;
-
- /* BAD we should have gotten an error. Normally if everything
- * worked X509_STORE_CTX_get_error(ctx) will still be set to
- * DEPTH_ZERO_SELF_.... */
- if (ok)
- {
- BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
- return 0;
- }
- else
- {
- err_cert=X509_STORE_CTX_get_current_cert(ctx);
- print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
- BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
- err,X509_STORE_CTX_get_error_depth(ctx),
- X509_verify_cert_error_string(err));
- return 1;
- }
- }
-
-/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
- CONF *conf, char *section)
- {
-
- EVP_PKEY *pktmp;
-
- pktmp = X509_get_pubkey(x);
- EVP_PKEY_copy_parameters(pktmp,pkey);
- EVP_PKEY_save_parameters(pktmp,1);
- EVP_PKEY_free(pktmp);
-
- if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
- if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
-
- /* Lets just make it 12:00am GMT, Jan 1 1970 */
- /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
- /* 28 days to be certified */
-
- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
- goto err;
-
- if (!X509_set_pubkey(x,pkey)) goto err;
- if (clrext)
- {
- while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
- }
- if (conf)
- {
- X509V3_CTX ctx;
- X509_set_version(x,2); /* version 3 certificate */
- X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
- X509V3_set_nconf(&ctx, conf);
- if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err;
- }
- if (!X509_sign(x,pkey,digest)) goto err;
- return 1;
-err:
- ERR_print_errors(bio_err);
- return 0;
- }
+ {
+ BIO_printf(out, "Wrong Algorithm type");
+ }
+ BIO_printf(out, "\n");
+ } else if (pubkey == i) {
+ EVP_PKEY *pkey;
+
+ pkey = X509_get0_pubkey(x);
+ if (pkey == NULL) {
+ BIO_printf(bio_err, "Error getting public key\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ PEM_write_bio_PUBKEY(out, pkey);
+ } else if (C == i) {
+ unsigned char *d;
+ char *m;
+ int len;
+
+ print_name(out, "/*\n"
+ " * Subject: ", X509_get_subject_name(x), get_nameopt());
+ print_name(out, " * Issuer: ", X509_get_issuer_name(x), get_nameopt());
+ BIO_puts(out, " */\n");
+
+ len = i2d_X509(x, NULL);
+ m = app_malloc(len, "x509 name buffer");
+ d = (unsigned char *)m;
+ len = i2d_X509_NAME(X509_get_subject_name(x), &d);
+ print_array(out, "the_subject_name", len, (unsigned char *)m);
+ d = (unsigned char *)m;
+ len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
+ print_array(out, "the_public_key", len, (unsigned char *)m);
+ d = (unsigned char *)m;
+ len = i2d_X509(x, &d);
+ print_array(out, "the_certificate", len, (unsigned char *)m);
+ OPENSSL_free(m);
+ } else if (text == i) {
+ X509_print_ex(out, x, get_nameopt(), certflag);
+ } else if (startdate == i) {
+ BIO_puts(out, "notBefore=");
+ ASN1_TIME_print(out, X509_get0_notBefore(x));
+ BIO_puts(out, "\n");
+ } else if (enddate == i) {
+ BIO_puts(out, "notAfter=");
+ ASN1_TIME_print(out, X509_get0_notAfter(x));
+ BIO_puts(out, "\n");
+ } else if (fingerprint == i) {
+ int j;
+ unsigned int n;
+ unsigned char md[EVP_MAX_MD_SIZE];
+ const EVP_MD *fdig = digest;
+
+ if (fdig == NULL)
+ fdig = EVP_sha1();
+
+ if (!X509_digest(x, fdig, md, &n)) {
+ BIO_printf(bio_err, "out of memory\n");
+ goto end;
+ }
+ BIO_printf(out, "%s Fingerprint=",
+ OBJ_nid2sn(EVP_MD_type(fdig)));
+ for (j = 0; j < (int)n; j++) {
+ BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n)
+ ? '\n' : ':');
+ }
+ }
+
+ /* should be in the library */
+ else if (sign_flag == i && x509req == 0) {
+ BIO_printf(bio_err, "Getting Private key\n");
+ if (Upkey == NULL) {
+ Upkey = load_key(keyfile, keyformat, 0,
+ passin, e, "Private key");
+ if (Upkey == NULL)
+ goto end;
+ }
+
+ if (!sign(x, Upkey, fkey, sigopts, days, clrext, digest,
+ extconf, extsect, preserve_dates))
+ goto end;
+ } else if (CA_flag == i) {
+ BIO_printf(bio_err, "Getting CA Private Key\n");
+ if (CAkeyfile != NULL) {
+ CApkey = load_key(CAkeyfile, CAkeyformat,
+ 0, passin, e, "CA Private Key");
+ if (CApkey == NULL)
+ goto end;
+ }
+
+ if (!x509_certify(ctx, CAfile, digest, x, xca,
+ CApkey, sigopts,
+ CAserial, CA_createserial, days, clrext,
+ extconf, extsect, sno, reqfile, preserve_dates))
+ goto end;
+ } else if (x509req == i) {
+ EVP_PKEY *pk;
+
+ BIO_printf(bio_err, "Getting request Private Key\n");
+ if (keyfile == NULL) {
+ BIO_printf(bio_err, "no request key file specified\n");
+ goto end;
+ } else {
+ pk = load_key(keyfile, keyformat, 0,
+ passin, e, "request key");
+ if (pk == NULL)
+ goto end;
+ }
+
+ BIO_printf(bio_err, "Generating certificate request\n");
+
+ rq = X509_to_X509_REQ(x, pk, digest);
+ EVP_PKEY_free(pk);
+ if (rq == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (!noout) {
+ X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT);
+ PEM_write_bio_X509_REQ(out, rq);
+ }
+ noout = 1;
+ } else if (ocspid == i) {
+ X509_ocspid_print(out, x);
+ } else if (ext == i) {
+ print_x509v3_exts(out, x, exts);
+ }
+ }
+ }
+
+ if (checkend) {
+ time_t tcheck = time(NULL) + checkoffset;
+
+ if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) {
+ BIO_printf(out, "Certificate will expire\n");
+ ret = 1;
+ } else {
+ BIO_printf(out, "Certificate will not expire\n");
+ ret = 0;
+ }
+ goto end;
+ }
+
+ print_cert_checks(out, x, checkhost, checkemail, checkip);
+
+ if (noout || nocert) {
+ ret = 0;
+ goto end;
+ }
+
+ if (outformat == FORMAT_ASN1) {
+ i = i2d_X509_bio(out, x);
+ } else if (outformat == FORMAT_PEM) {
+ if (trustout)
+ i = PEM_write_bio_X509_AUX(out, x);
+ else
+ i = PEM_write_bio_X509(out, x);
+ } else {
+ BIO_printf(bio_err, "bad output format specified for outfile\n");
+ goto end;
+ }
+ if (!i) {
+ BIO_printf(bio_err, "unable to write certificate\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ ret = 0;
+ end:
+ NCONF_free(extconf);
+ BIO_free_all(out);
+ X509_STORE_free(ctx);
+ X509_NAME_free(fsubj);
+ X509_REQ_free(req);
+ X509_free(x);
+ X509_free(xca);
+ EVP_PKEY_free(Upkey);
+ EVP_PKEY_free(CApkey);
+ EVP_PKEY_free(fkey);
+ sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(vfyopts);
+ X509_REQ_free(rq);
+ ASN1_INTEGER_free(sno);
+ sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
+ sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+ ASN1_OBJECT_free(objtmp);
+ release_engine(e);
+ OPENSSL_free(passin);
+ return ret;
+}
+
+static ASN1_INTEGER *x509_load_serial(const char *CAfile,
+ const char *serialfile, int create)
+{
+ char *buf = NULL;
+ ASN1_INTEGER *bs = NULL;
+ BIGNUM *serial = NULL;
+
+ if (serialfile == NULL) {
+ const char *p = strrchr(CAfile, '.');
+ size_t len = p != NULL ? (size_t)(p - CAfile) : strlen(CAfile);
+
+ buf = app_malloc(len + sizeof(POSTFIX), "serial# buffer");
+ memcpy(buf, CAfile, len);
+ memcpy(buf + len, POSTFIX, sizeof(POSTFIX));
+ serialfile = buf;
+ }
+
+ serial = load_serial(serialfile, create, NULL);
+ if (serial == NULL)
+ goto end;
+
+ if (!BN_add_word(serial, 1)) {
+ BIO_printf(bio_err, "add_word failure\n");
+ goto end;
+ }
+
+ if (!save_serial(serialfile, NULL, serial, &bs))
+ goto end;
+
+ end:
+ OPENSSL_free(buf);
+ BN_free(serial);
+ return bs;
+}
+
+static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest,
+ X509 *x, X509 *xca, EVP_PKEY *pkey,
+ STACK_OF(OPENSSL_STRING) *sigopts,
+ const char *serialfile, int create,
+ int days, int clrext, CONF *conf, const char *section,
+ ASN1_INTEGER *sno, int reqfile, int preserve_dates)
+{
+ int ret = 0;
+ ASN1_INTEGER *bs = NULL;
+ X509_STORE_CTX *xsc = NULL;
+ EVP_PKEY *upkey;
+
+ upkey = X509_get0_pubkey(xca);
+ if (upkey == NULL) {
+ BIO_printf(bio_err, "Error obtaining CA X509 public key\n");
+ goto end;
+ }
+ EVP_PKEY_copy_parameters(upkey, pkey);
+
+ xsc = X509_STORE_CTX_new();
+ if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) {
+ BIO_printf(bio_err, "Error initialising X509 store\n");
+ goto end;
+ }
+ if (sno)
+ bs = sno;
+ else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL)
+ goto end;
+
+ /*
+ * NOTE: this certificate can/should be self signed, unless it was a
+ * certificate request in which case it is not.
+ */
+ X509_STORE_CTX_set_cert(xsc, x);
+ X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
+ if (!reqfile && X509_verify_cert(xsc) <= 0)
+ goto end;
+
+ if (!X509_check_private_key(xca, pkey)) {
+ BIO_printf(bio_err,
+ "CA certificate and CA private key do not match\n");
+ goto end;
+ }
+
+ if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+ goto end;
+ if (!X509_set_serialNumber(x, bs))
+ goto end;
+
+ if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
+ goto end;
+
+ if (clrext) {
+ while (X509_get_ext_count(x) > 0)
+ X509_delete_ext(x, 0);
+ }
+
+ if (conf != NULL) {
+ X509V3_CTX ctx2;
+ X509_set_version(x, 2); /* version 3 certificate */
+ X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
+ X509V3_set_nconf(&ctx2, conf);
+ if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
+ goto end;
+ }
+
+ if (!do_X509_sign(x, pkey, digest, sigopts))
+ goto end;
+ ret = 1;
+ end:
+ X509_STORE_CTX_free(xsc);
+ if (!ret)
+ ERR_print_errors(bio_err);
+ if (!sno)
+ ASN1_INTEGER_free(bs);
+ return ret;
+}
+
+static int callb(int ok, X509_STORE_CTX *ctx)
+{
+ int err;
+ X509 *err_cert;
+
+ /*
+ * it is ok to use a self signed certificate This case will catch both
+ * the initial ok == 0 and the final ok == 1 calls to this function
+ */
+ err = X509_STORE_CTX_get_error(ctx);
+ if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+ return 1;
+
+ /*
+ * BAD we should have gotten an error. Normally if everything worked
+ * X509_STORE_CTX_get_error(ctx) will still be set to
+ * DEPTH_ZERO_SELF_....
+ */
+ if (ok) {
+ BIO_printf(bio_err,
+ "error with certificate to be certified - should be self signed\n");
+ return 0;
+ } else {
+ err_cert = X509_STORE_CTX_get_current_cert(ctx);
+ print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);
+ BIO_printf(bio_err,
+ "error with certificate - error %d at depth %d\n%s\n", err,
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_verify_cert_error_string(err));
+ return 1;
+ }
+}
+
+/* self-issue; self-sign unless a forced public key (fkey) is given */
+static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
+ STACK_OF(OPENSSL_STRING) *sigopts,
+ int days, int clrext,
+ const EVP_MD *digest, CONF *conf, const char *section,
+ int preserve_dates)
+{
+ if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
+ goto err;
+ if (!preserve_dates && !set_cert_times(x, NULL, NULL, days))
+ goto err;
+ if (fkey == NULL && !X509_set_pubkey(x, pkey))
+ goto err;
+ if (clrext) {
+ while (X509_get_ext_count(x) > 0)
+ X509_delete_ext(x, 0);
+ }
+ if (conf != NULL) {
+ X509V3_CTX ctx;
+ X509_set_version(x, 2); /* version 3 certificate */
+ X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
+ X509V3_set_nconf(&ctx, conf);
+ if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
+ goto err;
+ }
+ if (!do_X509_sign(x, pkey, digest, sigopts))
+ goto err;
+ return 1;
+ err:
+ ERR_print_errors(bio_err);
+ return 0;
+}