#undef POSTFIX
#define POSTFIX ".rvk"
-static char *crl_usage[]={
+static const char *crl_usage[]={
"usage: crl args\n",
"\n",
" -inform arg - input format - default PEM (DER or PEM)\n",
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
" -hash - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -hash_old - print old-style (MD5) hash value\n",
+#endif
" -fingerprint - print the crl fingerprint\n",
" -issuer - print issuer DN\n",
" -lastupdate - lastUpdate field\n",
" -nextupdate - nextUpdate field\n",
+" -crlnumber - print CRL number\n",
" -noout - no CRL output\n",
" -CAfile name - verify CRL using certificates in file \"name\"\n",
" -CApath dir - verify CRL using certificates in \"dir\"\n",
NULL
};
-static X509_CRL *load_crl(char *file, int format);
static BIO *bio_out=NULL;
int MAIN(int, char **);
unsigned long nmflag = 0;
X509_CRL *x=NULL;
char *CAfile = NULL, *CApath = NULL;
- int ret=1,i,num,badops=0;
+ int ret=1,i,num,badops=0,badsig=0;
BIO *out=NULL;
- int informat,outformat;
- char *infile=NULL,*outfile=NULL;
+ int informat,outformat, keyformat;
+ char *infile=NULL,*outfile=NULL, *crldiff = NULL, *keyfile = NULL;
int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
- int fingerprint = 0;
- char **pp;
+#ifndef OPENSSL_NO_MD5
+ int hash_old=0;
+#endif
+ int fingerprint = 0, crlnumber = 0;
+ const char **pp;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
int do_ver = 0;
- const EVP_MD *md_alg,*digest=EVP_md5();
+ const EVP_MD *md_alg,*digest=EVP_sha1();
apps_startup();
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
+ keyformat=FORMAT_PEM;
argc--;
argv++;
if (--argc < 1) goto bad;
infile= *(++argv);
}
+ else if (strcmp(*argv,"-gendelta") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crldiff= *(++argv);
+ }
+ else if (strcmp(*argv,"-key") == 0)
+ {
+ if (--argc < 1) goto bad;
+ keyfile= *(++argv);
+ }
+ else if (strcmp(*argv,"-keyform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ keyformat=str2fmt(*(++argv));
+ }
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
text = 1;
else if (strcmp(*argv,"-hash") == 0)
hash= ++num;
+#ifndef OPENSSL_NO_MD5
+ else if (strcmp(*argv,"-hash_old") == 0)
+ hash_old= ++num;
+#endif
else if (strcmp(*argv,"-nameopt") == 0)
{
if (--argc < 1) goto bad;
noout= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
+ else if (strcmp(*argv,"-crlnumber") == 0)
+ crlnumber= ++num;
+ else if (strcmp(*argv,"-badsig") == 0)
+ badsig = 1;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
else BIO_printf(bio_err, "verify OK\n");
}
+ if (crldiff)
+ {
+ X509_CRL *newcrl, *delta;
+ if (!keyfile)
+ {
+ BIO_puts(bio_err, "Missing CRL signing key\n");
+ goto end;
+ }
+ newcrl = load_crl(crldiff,informat);
+ if (!newcrl)
+ goto end;
+ pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
+ "CRL signing key");
+ if (!pkey)
+ {
+ X509_CRL_free(newcrl);
+ goto end;
+ }
+ delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
+ X509_CRL_free(newcrl);
+ EVP_PKEY_free(pkey);
+ if (delta)
+ {
+ X509_CRL_free(x);
+ x = delta;
+ }
+ else
+ {
+ BIO_puts(bio_err, "Error creating delta CRL\n");
+ goto end;
+ }
+ }
+
if (num)
{
for (i=1; i<=num; i++)
{
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
}
-
+ if (crlnumber == i)
+ {
+ ASN1_INTEGER *crlnum;
+ crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number,
+ NULL, NULL);
+ BIO_printf(bio_out,"crlNumber=");
+ if (crlnum)
+ {
+ i2a_ASN1_INTEGER(bio_out, crlnum);
+ ASN1_INTEGER_free(crlnum);
+ }
+ else
+ BIO_puts(bio_out, "<NONE>");
+ BIO_printf(bio_out,"\n");
+ }
if (hash == i)
{
BIO_printf(bio_out,"%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
+#ifndef OPENSSL_NO_MD5
+ if (hash_old == i)
+ {
+ BIO_printf(bio_out,"%08lx\n",
+ X509_NAME_hash_old(
+ X509_CRL_get_issuer(x)));
+ }
+#endif
if (lastupdate == i)
{
BIO_printf(bio_out,"lastUpdate=");
if (text) X509_CRL_print(out, x);
- if (noout) goto end;
+ if (noout)
+ {
+ ret = 0;
+ goto end;
+ }
+
+ if (badsig)
+ x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i=(int)i2d_X509_CRL_bio(out,x);
if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
ret=0;
end:
+ if (ret != 0)
+ ERR_print_errors(bio_err);
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out=NULL;
apps_shutdown();
OPENSSL_EXIT(ret);
}
-
-static X509_CRL *load_crl(char *infile, int format)
- {
- X509_CRL *x=NULL;
- BIO *in=NULL;
-
- in=BIO_new(BIO_s_file());
- if (in == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- goto end;
- }
- }
- if (format == FORMAT_ASN1)
- x=d2i_X509_CRL_bio(in,NULL);
- else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
- else {
- BIO_printf(bio_err,"bad input format specified for input crl\n");
- goto end;
- }
- if (x == NULL)
- {
- BIO_printf(bio_err,"unable to load CRL\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-
-end:
- BIO_free(in);
- return(x);
- }
-
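Review bot: The `-badsig` write `x->signature->data[x->signature->length - 1] ^= 0x1;` indexes one before the buffer when the loaded CRL carries a zero-length signature BIT STRING, which load_crl() accepts without complaint; guard it with `if (badsig && x->signature->length > 0)` so the deliberate corruption used for negative signature-verification tests cannot become an out-of-bounds write on malformed input. Since the option is a test hook rather than user functionality, a one-line comment above it such as `/* flip the low bit of the last signature byte so verification must fail (test hook) */` would also spare the next reader a double take. The enclosing MAIN() starts outside this hunk, and `-badsig` is not listed in crl_usage, which appears intentional.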