X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fca.c;h=09314019929500072a0f3449a5c97f5d829e9ca1;hb=05c2b37176e15f86f2ca2f96745f5258aa9b1192;hp=9cafe400e62cc695714abe89ae124f63f2f95293;hpb=a31011e8e0ea18f1cc79d7eb53238768ae9369c6;p=oweals%2Fopenssl.git diff --git a/apps/ca.c b/apps/ca.c index 9cafe400e6..0931401992 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -176,9 +176,7 @@ extern int EF_PROTECT_BELOW; extern int EF_ALIGNMENT; #endif -static int add_oid_section(LHASH *conf); static void lookup_fail(char *name,char *tag); -static int MS_CALLBACK key_callback(char *buf,int len,int verify,void *u); static unsigned long index_serial_hash(char **a); static int index_serial_cmp(char **a, char **b); static unsigned long index_name_hash(char **a); @@ -201,7 +199,7 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, char *enddate, int days, char *ext_sect,LHASH *conf, int verbose); static int fix_data(int nid, int *type); -static void write_new_certificate(BIO *bp, X509 *x, int output_der); +static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *startdate, char *enddate, int days, int batch, int verbose, @@ -209,14 +207,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, static int do_revoke(X509 *x509, TXT_DB *db); static int check_time_format(char *str); static LHASH *conf=NULL; -static char *key=NULL; static char *section=NULL; static int preserve=0; static int msie_hack=0; +int MAIN(int, char **); + int MAIN(int argc, char **argv) { + char *key=NULL,*passargin=NULL; int total=0; int total_done=0; int badops=0; @@ -248,6 +248,7 @@ int MAIN(int argc, char **argv) char *enddate=NULL; int days=0; int batch=0; + int notext=0; X509 *x509=NULL; X509 *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; 
@@ -261,12 +262,12 @@ int MAIN(int argc, char **argv) long l; const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; - STACK *cert_sk=NULL; + STACK_OF(X509) *cert_sk=NULL; BIO *hex=NULL; #undef BSIZE #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; - char *randfile; + char *randfile=NULL; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -280,8 +281,6 @@ EF_ALIGNMENT=0; key = NULL; section = NULL; - X509V3_add_standard_extensions(); - preserve=0; msie_hack=0; if (bio_err == NULL) @@ -334,6 +333,11 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; keyfile= *(++argv); } + else if (strcmp(*argv,"-passin") == 0) + { + if (--argc < 1) goto bad; + passargin= *(++argv); + } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; @@ -360,6 +364,8 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; outdir= *(++argv); } + else if (strcmp(*argv,"-notext") == 0) + notext=1; else if (strcmp(*argv,"-batch") == 0) batch=1; else if (strcmp(*argv,"-preserveDN") == 0) @@ -496,7 +502,7 @@ bad: BIO_free(oid_bio); } } - if(!add_oid_section(conf)) + if(!add_oid_section(bio_err,conf)) { ERR_print_errors(bio_err); goto err; @@ -517,7 +523,7 @@ bad: } /*****************************************************************/ - /* we definitly need an public key, so lets get it */ + /* we definitely need an public key, so lets get it */ if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf, section,ENV_PRIVATE_KEY)) == NULL)) 
@@ -525,19 +531,19 @@ bad: lookup_fail(section,ENV_PRIVATE_KEY); goto err; } + if(!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) + { + BIO_printf(bio_err,"Error getting password\n"); + goto err; + } if (BIO_read_filename(in,keyfile) <= 0) { perror(keyfile); BIO_printf(bio_err,"trying to load CA private key\n"); goto err; } - if (key == NULL) - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL); - else - { - pkey=PEM_read_bio_PrivateKey(in,NULL,key_callback,NULL); - memset(key,0,strlen(key)); - } + pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); + if(key) memset(key,0,strlen(key)); if (pkey == NULL) { BIO_printf(bio_err,"unable to load CA private key\n"); @@ -590,14 +596,19 @@ bad: BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n"); goto err; } -#ifdef VMS - /* For technical reasons, VMS misbehaves with X_OK */ - if (access(outdir,R_OK|W_OK) != 0) -#else +#ifndef VMS /* outdir is a directory spec, but access() for VMS demands a + filename. In any case, stat(), below, will catch the problem + if outdir is not a directory spec, and the fopen() or open() + will catch an error if there is no write access. + + Presumably, this problem could also be solved by using the DEC + C routines to convert the directory syntax to Unixly, and give + that to access(). However, time's too short to do that just + now. + */ if (access(outdir,R_OK|W_OK|X_OK) != 0) -#endif { - BIO_printf(bio_err,"I am unable to acces the %s directory\n",outdir); + BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); perror(outdir); goto err; } @@ -615,6 +626,7 @@ bad: perror(outdir); goto err; } +#endif #endif } @@ -681,7 +693,7 @@ bad: TXT_DB_write(out,db); BIO_printf(bio_err,"%d entries loaded from the database\n", db->data->num); - BIO_printf(bio_err,"generating indexs\n"); + BIO_printf(bio_err,"generating index\n"); } if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash, 
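Review bot: The password buffer that app_passwd() fills into `key` is wiped after `PEM_read_bio_PrivateKey(in,NULL,NULL,key)` but never released, and it cannot simply be freed at `err:` because on the `-key` path `key` points into argv. Keep app_passwd()'s result in its own pointer (e.g. `char *passin_buf=NULL;` passed as `&passin_buf`, with `key` falling back to it) and `OPENSSL_free()` that pointer in the cleanup block; MAIN's cleanup is outside this hunk. The wipe itself, `if(key) memset(key,0,strlen(key));`, is a dead store after the last read, which an optimiser may drop — if this tree already has OPENSSL_cleanse(), use it here. Note also that `-key` still takes the passphrase from argv, where it is visible to other users before this memset runs; `-passin` is the route to document.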
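Review bot: The new comment says that on VMS "stat(), below, will catch the problem if outdir is not a directory spec", but the matching `#endif` added in the following hunk (`+#endif` just before the existing `#endif` and the closing `}`) lands after the stat()/S_IFDIR block, so on VMS that check is compiled out as well — if I read the nesting right, VMS builds now do no directory validation before writing into outdir. Either move the added `#endif` up so it closes the `#ifndef VMS` immediately after the access()-failure block (`perror(outdir); goto err; } #endif /* !VMS */`), or reword the comment to say that only the later fopen()/open() will report the problem. The lines between the two hunks, including the stat() call itself, are not visible here, so this is worth confirming against the full file.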
@@ -805,7 +817,7 @@ bad: { if ((f=BN_bn2hex(serial)) == NULL) goto err; BIO_printf(bio_err,"next serial number is %s\n",f); - Free(f); + OPENSSL_free(f); } if ((attribs=CONF_get_section(conf,policy)) == NULL) @@ -814,9 +826,9 @@ bad: goto err; } - if ((cert_sk=sk_new_null()) == NULL) + if ((cert_sk=sk_X509_new_null()) == NULL) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } if (spkac_file != NULL) @@ -831,9 +843,9 @@ bad: total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; - if (!sk_push(cert_sk,(char *)x)) + if (!sk_X509_push(cert_sk,x)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } if (outfile) @@ -855,9 +867,9 @@ bad: total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; - if (!sk_push(cert_sk,(char *)x)) + if (!sk_X509_push(cert_sk,x)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } @@ -874,9 +886,9 @@ bad: total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; - if (!sk_push(cert_sk,(char *)x)) + if (!sk_X509_push(cert_sk,x)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } @@ -893,9 +905,9 @@ bad: total_done++; BIO_printf(bio_err,"\n"); if (!BN_add_word(serial,1)) goto err; - if (!sk_push(cert_sk,(char *)x)) + if (!sk_X509_push(cert_sk,x)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } @@ -904,7 +916,7 @@ bad: * and a data base and serial number that need * updating */ - if (sk_num(cert_sk) > 0) + if (sk_X509_num(cert_sk) > 0) { if (!batch) { @@ -920,7 +932,7 @@ bad: } } - BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk)); + BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); strncpy(buf[0],serialfile,BSIZE-4); 
@@ -952,12 +964,12 @@ bad: if (verbose) BIO_printf(bio_err,"writing new certificates\n"); - for (i=0; icert_info->serialNumber->length; p=(char *)x->cert_info->serialNumber->data; @@ -992,11 +1004,11 @@ bad: perror(buf[2]); goto err; } - write_new_certificate(Cout,x, 0); - write_new_certificate(Sout,x, output_der); + write_new_certificate(Cout,x, 0, notext); + write_new_certificate(Sout,x, output_der, notext); } - if (sk_num(cert_sk)) + if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ strncpy(buf[2],serialfile,BSIZE-4); @@ -1013,14 +1025,14 @@ bad: out=NULL; if (rename(serialfile,buf[2]) < 0) { - BIO_printf(bio_err,"unabel to rename %s to %s\n", + BIO_printf(bio_err,"unable to rename %s to %s\n", serialfile,buf[2]); perror("reason"); goto err; } if (rename(buf[0],serialfile) < 0) { - BIO_printf(bio_err,"unabel to rename %s to %s\n", + BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],serialfile); perror("reason"); rename(buf[2],serialfile); @@ -1037,14 +1049,14 @@ bad: if (rename(dbfile,buf[2]) < 0) { - BIO_printf(bio_err,"unabel to rename %s to %s\n", + BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile,buf[2]); perror("reason"); goto err; } if (rename(buf[1],dbfile) < 0) { - BIO_printf(bio_err,"unabel to rename %s to %s\n", + BIO_printf(bio_err,"unable to rename %s to %s\n", buf[1],dbfile); perror("reason"); rename(buf[2],dbfile); @@ -1169,13 +1181,6 @@ bad: /*****************************************************************/ if (dorevoke) { - in=BIO_new(BIO_s_file()); - out=BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) - { - ERR_print_errors(bio_err); - goto err; - } if (infile == NULL) { BIO_printf(bio_err,"no input files\n"); 
@@ -1183,19 +1188,22 @@ bad: } else { + X509 *revcert; if (BIO_read_filename(in,infile) <= 0) { perror(infile); BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile); goto err; } - x509=PEM_read_bio_X509(in,NULL,NULL,NULL); - if (x509 == NULL) + revcert=PEM_read_bio_X509(in,NULL,NULL,NULL); + if (revcert == NULL) { BIO_printf(bio_err,"unable to load '%s' certificate\n",infile); goto err; } - j=do_revoke(x509,db); + j=do_revoke(revcert,db); + if (j <= 0) goto err; + X509_free(revcert); strncpy(buf[0],dbfile,BSIZE-4); strcat(buf[0],".new"); @@ -1207,10 +1215,6 @@ bad: } j=TXT_DB_write(out,db); if (j <= 0) goto err; - BIO_free(in); - BIO_free(out); - in=NULL; - out=NULL; strncpy(buf[1],dbfile,BSIZE-4); strcat(buf[1],".old"); if (rename(dbfile,buf[1]) < 0) @@ -1238,7 +1242,7 @@ err: BIO_free(out); BIO_free(in); - sk_pop_free(cert_sk,X509_free); + sk_X509_pop_free(cert_sk,X509_free); if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile, bio_err); @@ -1248,7 +1252,6 @@ err: X509_free(x509); X509_CRL_free(crl); CONF_free(conf); - X509V3_EXT_cleanup(); OBJ_cleanup(); EXIT(ret); } @@ -1258,17 +1261,6 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static int MS_CALLBACK key_callback(char *buf, int len, int verify, void *u) - { - int i; - - if (key == NULL) return(0); - i=strlen(key); - i=(i > len)?len:i; - memcpy(buf,key,i); - return(i); - } - static unsigned long index_serial_hash(char **a) { char *n; @@ -1597,7 +1589,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, /* Ok, now we check the 'policy' stuff. */ if ((subject=X509_NAME_new()) == NULL) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } 
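Review bot: `revcert` is leaked when do_revoke() fails, because the new `if (j <= 0) goto err;` jumps out before the `X509_free(revcert);` that follows it, and `revcert` is a block-local that the `err:` cleanup cannot see. do_revoke() does not retain the certificate (it copies name, serial and dates into row[]), so free it before testing the result: `j=do_revoke(revcert,db); X509_free(revcert); if (j <= 0) goto err;`. MAIN continues outside this hunk.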
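Review bot: Dropping `BIO_free(out); out=NULL;` after `j=TXT_DB_write(out,db);` leaves the `.new` index file open — and, for a file BIO, possibly still buffered — when it is renamed over dbfile a few lines later; on POSIX the data lands only when `out` is finally freed at `err:`, and on platforms that refuse to rename an open file the rename fails and the revocation is not recorded. The removal of the `in` pair is fine, but keep the close for `out` (or at minimum `if (BIO_flush(out) <= 0) goto err;`) before the rename sequence, mirroring the `out=NULL;` that precedes the serial-file rename in the signing path. Separately, since the earlier hunk no longer creates `out` here, this relies on the BIO allocated at the top of MAIN still being live in revoke mode; worth confirming the signing path that frees it cannot run in the same invocation.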
@@ -1679,7 +1671,7 @@ again2: } if (j < 0) { - BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str == NULL)?"NULL":(char *)str->data),((str2 == NULL)?"NULL":(char *)str2->data)); + BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data)); goto err; } } @@ -1691,12 +1683,11 @@ again2: if (push != NULL) { - if (!X509_NAME_add_entry(subject,push, - X509_NAME_entry_count(subject),0)) + if (!X509_NAME_add_entry(subject,push, -1, 0)) { if (push != NULL) X509_NAME_ENTRY_free(push); - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } } @@ -1712,13 +1703,13 @@ again2: } if (verbose) - BIO_printf(bio_err,"The subject name apears to be ok, checking data base for clashes\n"); + BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); row[DB_name]=X509_NAME_oneline(subject,NULL,0); row[DB_serial]=BN_bn2hex(serial); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } @@ -1769,7 +1760,7 @@ again2: goto err; } - /* We are now totaly happy, lets make and sign the certificate */ + /* We are now totally happy, lets make and sign the certificate */ if (verbose) BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n"); @@ -1816,7 +1807,7 @@ again2: ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */ /* Free the current entries if any, there should not - * be any I belive */ + * be any I believe */ if (ci->extensions != NULL) sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); 
@@ -1859,32 +1850,32 @@ again2: goto err; /* We now just add it to the database */ - row[DB_type]=(char *)Malloc(2); + row[DB_type]=(char *)OPENSSL_malloc(2); tm=X509_get_notAfter(ret); - row[DB_exp_date]=(char *)Malloc(tm->length+1); + row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); memcpy(row[DB_exp_date],tm->data,tm->length); row[DB_exp_date][tm->length]='\0'; row[DB_rev_date]=NULL; /* row[DB_serial] done already */ - row[DB_file]=(char *)Malloc(8); + row[DB_file]=(char *)OPENSSL_malloc(8); /* row[DB_name] done already */ if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } strcpy(row[DB_file],"unknown"); row[DB_type][0]='V'; row[DB_type][1]='\0'; - if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) + if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } @@ -1904,7 +1895,7 @@ again2: ok=1; err: for (i=0; icert_info->serialNumber); BIO_puts(bp,"\n\n"); - X509_print(bp,x); - BIO_puts(bp,"\n"); +#endif + if(!notext)X509_print(bp,x); PEM_write_bio_X509(bp,x); - BIO_puts(bp,"\n"); } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, @@ -2053,8 +2042,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, strlen(buf))) == NULL) goto err; - if (!X509_NAME_add_entry(n,ne,X509_NAME_entry_count(n),0)) - goto err; + if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err; } if (spki == NULL) { 
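Review bot: The allocation-failure check is too late: `memcpy(row[DB_exp_date],tm->data,tm->length);` and the terminator store write through `row[DB_exp_date]` before the `if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || ...)` test, so on OPENSSL_malloc failure this is a NULL dereference rather than the reported "Memory allocation failure". Check the pointer right after the allocation, e.g. `row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); if (row[DB_exp_date] == NULL) goto err;` and only then copy; the combined check below can stay for the other two. The same memcpy-before-check pattern appears in do_revoke() later in this diff. do_body() begins and ends outside the hunk.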
@@ -2121,76 +2109,60 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int add_oid_section(LHASH *hconf) -{ - char *p; - STACK_OF(CONF_VALUE) *sktmp; - CONF_VALUE *cnf; - int i; - if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1; - if(!(sktmp = CONF_get_section(hconf, p))) { - BIO_printf(bio_err, "problem loading oid section %s\n", p); - return 0; - } - for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { - cnf = sk_CONF_VALUE_value(sktmp, i); - if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { - BIO_printf(bio_err, "problem creating object %s=%s\n", - cnf->name, cnf->value); - return 0; - } - } - return 1; -} - static int do_revoke(X509 *x509, TXT_DB *db) { - ASN1_UTCTIME *tm=NULL; + ASN1_UTCTIME *tm=NULL, *revtm=NULL; char *row[DB_NUMBER],**rrow,**irow; + BIGNUM *bn = NULL; int ok=-1,i; for (i=0; icert_info->subject,NULL,0); - row[DB_serial]=BN_bn2hex(ASN1_INTEGER_to_BN(x509->cert_info->serialNumber,NULL)); + row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0); + bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); + row[DB_serial]=BN_bn2hex(bn); + BN_free(bn); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } - rrow=TXT_DB_get_by_index(db,DB_name,row); + /* We have to lookup by serial number because name lookup + * skips revoked certs + */ + rrow=TXT_DB_get_by_index(db,DB_serial,row); if (rrow == NULL) { BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]); /* We now just add it to the database */ - row[DB_type]=(char *)Malloc(2); + row[DB_type]=(char *)OPENSSL_malloc(2); tm=X509_get_notAfter(x509); - row[DB_exp_date]=(char *)Malloc(tm->length+1); + row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); memcpy(row[DB_exp_date],tm->data,tm->length); row[DB_exp_date][tm->length]='\0'; row[DB_rev_date]=NULL; /* row[DB_serial] done already */ - row[DB_file]=(char 
*)Malloc(8); + row[DB_file]=(char *)OPENSSL_malloc(8); /* row[DB_name] done already */ if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL)) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } strcpy(row[DB_file],"unknown"); row[DB_type][0]='V'; row[DB_type][1]='\0'; - if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) + if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) { - BIO_printf(bio_err,"Malloc failure\n"); + BIO_printf(bio_err,"Memory allocation failure\n"); goto err; } @@ -2209,16 +2181,15 @@ static int do_revoke(X509 *x509, TXT_DB *db) } /* Revoke Certificate */ - do_revoke(x509,db); + ok = do_revoke(x509,db); - ok=1; goto err; } - else if (index_serial_cmp(row,rrow)) + else if (index_name_cmp(row,rrow)) { - BIO_printf(bio_err,"ERROR:no same serial number %s\n", - row[DB_serial]); + BIO_printf(bio_err,"ERROR:name does not match %s\n", + row[DB_name]); goto err; } else if (rrow[DB_type][0]=='R') @@ -2230,21 +2201,22 @@ static int do_revoke(X509 *x509, TXT_DB *db) else { BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]); - tm=X509_gmtime_adj(tm,0); + revtm = ASN1_UTCTIME_new(); + revtm=X509_gmtime_adj(revtm,0); rrow[DB_type][0]='R'; rrow[DB_type][1]='\0'; - rrow[DB_rev_date]=(char *)Malloc(tm->length+1); - memcpy(rrow[DB_rev_date],tm->data,tm->length); - rrow[DB_rev_date][tm->length]='\0'; + rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1); + memcpy(rrow[DB_rev_date],revtm->data,revtm->length); + rrow[DB_rev_date][revtm->length]='\0'; + ASN1_UTCTIME_free(revtm); } ok=1; err: for (i=0; i
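Review bot: `row[DB_serial]=BN_bn2hex(bn);` is called without checking the result of `ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL)`, so an allocation failure there becomes a NULL dereference inside BN_bn2hex rather than the "Memory allocation failure" path the function otherwise takes; add `if (bn == NULL) goto err;` between the two calls (ok is already -1 and row[] appears to be NULLed at the top of the function, so err: handles it). The "Adding Entry to DB" branch has the same defect as do_body(): `memcpy(row[DB_exp_date],tm->data,tm->length);` runs before `row[DB_exp_date]` is tested for NULL, so the check should move directly after the OPENSSL_malloc. The switch to the DB_serial index with a follow-up `index_name_cmp(row,rrow)` test is the right fix for revoking an already-revoked-and-reissued name; do_revoke() continues past the end of this hunk.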