X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fca.c;h=2d71104745159c49667d35c023cf98f4a5a422d5;hb=c29dbb9562f275485c1266af523cd5d59311d583;hp=e0349a765608510401f89b42080faf136479ef38;hpb=a6b7ffddac43c0805d02e7236034308f39bcd183;p=oweals%2Fopenssl.git diff --git a/apps/ca.c b/apps/ca.c index e0349a7656..2d71104745 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -61,7 +61,6 @@ #include #include #include -#include #include #include #include "apps.h" @@ -74,9 +73,7 @@ #include #include #include -#include #include -#include #ifndef W_OK # ifdef VMS @@ -141,14 +138,6 @@ #define DB_TYPE_EXP 'E' #define DB_TYPE_VAL 'V' -/* Additional revocation information types */ - -#define REV_NONE 0 /* No addditional information */ -#define REV_CRL_REASON 1 /* Value is CRL reason code */ -#define REV_HOLD 2 /* Value is hold instruction */ -#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ -#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ - static char *ca_usage[]={ "usage: ca args\n", "\n", @@ -163,8 +152,7 @@ static char *ca_usage[]={ " -days arg - number of days to certify the certificate for\n", " -md arg - md to use, one of md2, md5, sha or sha1\n", " -policy arg - The CA 'policy' to support\n", -" -keyfile arg - private key file\n", -" -keyform arg - private key file format (PEM or ENGINE)\n", +" -keyfile arg - PEM private key file\n", " -key arg - key to decode the private key if it is encrypted\n", " -cert file - The CA certificate\n", " -in file - The input PEM encoded certificate request(s)\n", @@ -178,11 +166,7 @@ static char *ca_usage[]={ " -msie_hack - msie modifications to handle all those universal strings\n", " -revoke file - Revoke a certificate (given in file)\n", " -extensions .. - Extension section (override value in config file)\n", -" -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", -" -engine e - use engine e, possibly a hardware device.\n", -" -status serial - Shows certificate status given the serial number\n", -" -updatedb - Updates db for expired certificates\n", NULL }; @@ -193,11 +177,11 @@ extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); +static unsigned long index_serial_hash(char **a); +static int index_serial_cmp(char **a, char **b); +static unsigned long index_name_hash(char **a); static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); +static int index_name_cmp(char **a,char **b); static BIGNUM *load_serial(char *serialfile); static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, @@ -220,30 +204,18 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *conf); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); +static int do_revoke(X509 *x509, TXT_DB *db); static int check_time_format(char *str); -char *make_revocation_str(int rev_type, char *rev_arg); -int make_revoked(X509_REVOKED *rev, char *str); static LHASH *conf=NULL; -static LHASH *extconf=NULL; static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - - int MAIN(int, char **); int MAIN(int argc, char **argv) { - ENGINE *e = NULL; char *key=NULL,*passargin=NULL; int total=0; int total_done=0; @@ -253,7 +225,6 @@ int MAIN(int argc, char **argv) int verbose=0; int gencrl=0; int dorevoke=0; - int doupdatedb=0; long crldays=0; long crlhours=0; long errorline= -1; @@ -262,21 +233,16 @@ int MAIN(int argc, char **argv) char *policy=NULL; char *keyfile=NULL; char *certfile=NULL; - int keyform=FORMAT_PEM; char *infile=NULL; char *spkac_file=NULL; char *ss_cert_file=NULL; - char *ser_status=NULL; EVP_PKEY *pkey=NULL; int output_der = 0; char *outfile=NULL; char *outdir=NULL; char *serialfile=NULL; char *extensions=NULL; - char *extfile=NULL; char *crl_ext=NULL; - int rev_type = REV_NONE; - char *rev_arg = NULL; BIGNUM *serial=NULL; char *startdate=NULL; char *enddate=NULL; @@ -302,7 +268,6 @@ int MAIN(int argc, char **argv) #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile=NULL; - char *engine = NULL; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -368,11 +333,6 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; keyfile= *(++argv); } - else if (strcmp(*argv,"-keyform") == 0) - { - if (--argc < 1) goto bad; - keyform=str2fmt(*(++argv)); - } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; @@ -454,54 +414,11 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; extensions= *(++argv); } - else if (strcmp(*argv,"-extfile") == 0) - { - if (--argc < 1) goto bad; - extfile= *(++argv); - } - else if (strcmp(*argv,"-status") == 0) - { - if (--argc < 1) goto bad; - ser_status= *(++argv); - } - else if (strcmp(*argv,"-updatedb") == 0) - { - doupdatedb=1; - } else if (strcmp(*argv,"-crlexts") == 0) { if (--argc < 1) goto bad; crl_ext= *(++argv); } - else if (strcmp(*argv,"-crl_reason") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_CRL_REASON; - } - else if (strcmp(*argv,"-crl_hold") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_HOLD; - } - else if (strcmp(*argv,"-crl_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_KEY_COMPROMISE; - } - else if (strcmp(*argv,"-crl_CA_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_CA_COMPROMISE; - } - else if (strcmp(*argv,"-engine") == 0) - { - if (--argc < 1) goto bad; - engine= *(++argv); - } else { bad: @@ -516,30 +433,12 @@ bad: if (badops) { for (pp=ca_usage; (*pp != NULL); pp++) - BIO_printf(bio_err,"%s",*pp); + BIO_printf(bio_err,*pp); goto err; } ERR_load_crypto_strings(); - if (engine != NULL) - { - if ((e = ENGINE_by_id(engine)) == NULL) - { - BIO_printf(bio_err,"invalid engine \"%s\"\n", - engine); - goto err; - } - if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - { - BIO_printf(bio_err,"can't use that engine\n"); - goto err; - } - BIO_printf(bio_err,"engine \"%s\" set.\n", engine); - /* Free our "structural" reference. */ - ENGINE_free(e); - } - /*****************************************************************/ if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); @@ -584,8 +483,6 @@ bad: if (conf != NULL) { p=CONF_get_string(conf,NULL,"oid_file"); - if (p == NULL) - ERR_clear_error(); if (p != NULL) { BIO *oid_bio; @@ -605,7 +502,7 @@ bad: BIO_free(oid_bio); } } - if (!add_oid_section(bio_err,conf)) + if(!add_oid_section(bio_err,conf)) { ERR_print_errors(bio_err); goto err; @@ -613,8 +510,6 @@ bad: } randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE"); - if (randfile == NULL) - ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); in=BIO_new(BIO_s_file()); @@ -628,41 +523,7 @@ bad: } /*****************************************************************/ - /* report status of cert with serial number given on command line */ - if (ser_status) - { - if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL) - { - lookup_fail(section,ENV_DATABASE); - goto err; - } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); - if (db == NULL) goto err; - - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } - - if (get_certificate_status(ser_status,db) != 1) - BIO_printf(bio_err,"Error verifying serial %s!\n", - ser_status); - goto err; - } - - /*****************************************************************/ - /* we definitely need a public key, so let's get it */ + /* we definitely need an public key, so lets get it */ if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf, section,ENV_PRIVATE_KEY)) == NULL)) @@ -670,36 +531,19 @@ bad: lookup_fail(section,ENV_PRIVATE_KEY); goto err; } - if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) + if(!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) { BIO_printf(bio_err,"Error getting password\n"); goto err; } - if (keyform == FORMAT_ENGINE) - { - if (!e) - { - BIO_printf(bio_err,"no engine specified\n"); - goto err; - } - pkey = ENGINE_load_private_key(e, keyfile, key); - } - else if (keyform == FORMAT_PEM) - { - if (BIO_read_filename(in,keyfile) <= 0) - { - perror(keyfile); - BIO_printf(bio_err,"trying to load CA private key\n"); - goto err; - } - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); - } - else + if (BIO_read_filename(in,keyfile) <= 0) { - BIO_printf(bio_err,"bad input format specified for key file\n"); + perror(keyfile); + BIO_printf(bio_err,"trying to load CA private key\n"); goto err; } - if (key) memset(key,0,strlen(key)); + pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); + if(key) memset(key,0,strlen(key)); if (pkey == NULL) { BIO_printf(bio_err,"unable to load CA private key\n"); @@ -734,13 +578,9 @@ bad: } f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE); - if (f == NULL) - ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) preserve=1; f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK); - if (f == NULL) - ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) msie_hack=1; @@ -817,9 +657,10 @@ bad: goto err; } if ((pp[DB_type][0] == DB_TYPE_REV) && - !make_revoked(NULL, pp[DB_rev_date])) + !check_time_format(pp[DB_rev_date])) { - BIO_printf(bio_err," in entry %d\n", i+1); + BIO_printf(bio_err,"entry %d: invalid revocation date\n", + i+1); goto err; } if (!check_time_format(pp[DB_exp_date])) @@ -861,128 +702,27 @@ bad: BIO_printf(bio_err,"generating index\n"); } - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) + if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash, + index_serial_cmp)) { BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2); goto err; } - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) + if (!TXT_DB_create_index(db,DB_name,index_name_qual,index_name_hash, + index_name_cmp)) { BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", db->error,db->arg1,db->arg2); goto err; } - /*****************************************************************/ - /* Update the db file for expired certificates */ - if (doupdatedb) - { - if (verbose) - BIO_printf(bio_err, "Updating %s ...\n", - dbfile); - - i = do_updatedb(db); - if (i == -1) - { - BIO_printf(bio_err,"Malloc failure\n"); - goto err; - } - else if (i == 0) - { - if (verbose) BIO_printf(bio_err, - "No entries found to mark expired\n"); - } - else - { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } - - if (verbose) BIO_printf(bio_err, - "Done. %d entries marked as expired\n",i); - } - goto err; - } - - /*****************************************************************/ - /* Read extentions config file */ - if (extfile) - { - if (!(extconf=CONF_load(NULL,extfile,&errorline))) - { - if (errorline <= 0) - BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", - extfile); - else - BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n", - errorline,extfile); - ret = 1; - goto err; - } - - if (verbose) - BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile); - - /* We can have sections in the ext file */ - if (!extensions && !(extensions = CONF_get_string(extconf, "default", "extensions"))) - extensions = "default"; - } - /*****************************************************************/ if (req || gencrl) { if (outfile != NULL) { + if (BIO_write_filename(Sout,outfile) <= 0) { perror(outfile); @@ -1032,42 +772,26 @@ bad: lookup_fail(section,ENV_SERIAL); goto err; } - - if (!extconf) - { - /* no '-extfile' option, so we look for extensions - * in the main configuration file */ - if (!extensions) - { - extensions=CONF_get_string(conf,section, - ENV_EXTENSIONS); - if (!extensions) - ERR_clear_error(); - } - if (extensions) - { - /* Check syntax of file */ - X509V3_CTX ctx; - X509V3_set_ctx_test(&ctx); - X509V3_set_conf_lhash(&ctx, conf); - if (!X509V3_EXT_add_conf(conf, &ctx, extensions, - NULL)) - { - BIO_printf(bio_err, - "Error Loading extension section %s\n", + if(!extensions) + extensions=CONF_get_string(conf,section,ENV_EXTENSIONS); + if(extensions) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_conf_lhash(&ctx, conf); + if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extensions); - ret = 1; - goto err; - } - } + ret = 1; + goto err; } + } if (startdate == NULL) { startdate=CONF_get_string(conf,section, ENV_DEFAULT_STARTDATE); - if (startdate == NULL) - ERR_clear_error(); } if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) { @@ -1080,8 +804,6 @@ bad: { enddate=CONF_get_string(conf,section, ENV_DEFAULT_ENDDATE); - if (enddate == NULL) - ERR_clear_error(); } if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) { @@ -1361,28 +1083,20 @@ bad: /*****************************************************************/ if (gencrl) { - int crl_v2 = 0; - if (!crl_ext) - { - crl_ext=CONF_get_string(conf,section,ENV_CRLEXT); - if (!crl_ext) - ERR_clear_error(); - } - if (crl_ext) - { + if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT); + if(crl_ext) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_conf_lhash(&ctx, conf); - if (!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) - { + if(!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) { BIO_printf(bio_err, "Error Loading CRL extension section %s\n", crl_ext); ret = 1; goto err; - } } + } if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err; if (!crldays && !crlhours) @@ -1416,16 +1130,19 @@ bad: if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; - j = make_revoked(r, pp[DB_rev_date]); - if (!j) goto err; - if (j == 2) crl_v2 = 1; + ASN1_STRING_set((ASN1_STRING *) + r->revocationDate, + (unsigned char *)pp[DB_rev_date], + strlen(pp[DB_rev_date])); + /* strcpy(r->revocationDate,pp[DB_rev_date]);*/ + (void)BIO_reset(hex); if (!BIO_puts(hex,pp[DB_serial])) goto err; if (!a2i_ASN1_INTEGER(hex,r->serialNumber, buf[0],BSIZE)) goto err; - X509_CRL_add0_revoked(crl,r); + sk_X509_REVOKED_push(ci->revoked,r); } } /* sort the data so it will be written in serial @@ -1448,34 +1165,28 @@ bad: } } else - { + { #ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) - dgst=EVP_dss1(); - else + if (pkey->type == EVP_PKEY_DSA) + dgst=EVP_dss1(); + else #endif - dgst=EVP_md5(); - } + dgst=EVP_md5(); + } /* Add any extensions asked for */ - if (crl_ext) - { - X509V3_CTX crlctx; - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; - X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); - X509V3_set_conf_lhash(&crlctx, conf); + if(crl_ext) { + X509V3_CTX crlctx; + if (ci->version == NULL) + if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; + ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ + X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); + X509V3_set_conf_lhash(&crlctx, conf); - if (!X509V3_EXT_CRL_add_conf(conf, &crlctx, - crl_ext, crl)) goto err; - } - if (crl_ext || crl_v2) - { - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; - ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ - } + if(!X509V3_EXT_CRL_add_conf(conf, &crlctx, + crl_ext, crl)) goto err; + } if (!X509_CRL_sign(crl,pkey,dgst)) goto err; @@ -1504,7 +1215,7 @@ bad: BIO_printf(bio_err,"unable to load '%s' certificate\n",infile); goto err; } - j=do_revoke(revcert,db, rev_type, rev_arg); + j=do_revoke(revcert,db); if (j <= 0) goto err; X509_free(revcert); @@ -1564,31 +1275,31 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) +static unsigned long index_serial_hash(char **a) { - const char *n; + char *n; n=a[DB_serial]; while (*n == '0') n++; return(lh_strhash(n)); } -static int index_serial_cmp(const char **a, const char **b) +static int index_serial_cmp(char **a, char **b) { - const char *aa,*bb; + char *aa,*bb; for (aa=a[DB_serial]; *aa == '0'; aa++); for (bb=b[DB_serial]; *bb == '0'; bb++); return(strcmp(aa,bb)); } -static unsigned long index_name_hash(const char **a) +static unsigned long index_name_hash(char **a) { return(lh_strhash(a[DB_name])); } static int index_name_qual(char **a) { return(a[0][0] == 'V'); } -static int index_name_cmp(const char **a, const char **b) +static int index_name_cmp(char **a, char **b) { return(strcmp(a[DB_name], b[DB_name])); } @@ -2090,7 +1801,7 @@ again2: else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); - if (days) BIO_printf(bio_err," (%d days)",days); + if(days) BIO_printf(bio_err," (%d days)",days); BIO_printf(bio_err, "\n"); if (!X509_set_subject_name(ret,subject)) goto err; @@ -2117,47 +1828,11 @@ again2: ci->extensions = NULL; - /* Initialize the context structure */ X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); + X509V3_set_conf_lhash(&ctx, lconf); - if (extconf) - { - if (verbose) - BIO_printf(bio_err, "Extra configuration file found\n"); - - /* Use the extconf configuration db LHASH */ - X509V3_set_conf_lhash(&ctx, extconf); - - /* Test the structure (needed?) */ - /* X509V3_set_ctx_test(&ctx); */ - - /* Adds exts contained in the configuration file */ - if (!X509V3_EXT_add_conf(extconf, &ctx, ext_sect,ret)) - { - BIO_printf(bio_err, - "ERROR: adding extensions in section %s\n", - ext_sect); - ERR_print_errors(bio_err); - goto err; - } - if (verbose) - BIO_printf(bio_err, "Successfully added extensions from file.\n"); - } - else if (ext_sect) - { - /* We found extensions to be set from config file */ - X509V3_set_conf_lhash(&ctx, lconf); - - if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) - { - BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); - ERR_print_errors(bio_err); - goto err; - } + if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err; - if (verbose) - BIO_printf(bio_err, "Successfully added extensions from config\n"); - } } @@ -2272,7 +1947,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber); BIO_puts(bp,"\n\n"); #endif - if (!notext)X509_print(bp,x); + if(!notext)X509_print(bp,x); PEM_write_bio_X509(bp,x); } @@ -2345,13 +2020,12 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, /* Skip past any leading X. X: X, etc to allow for * multiple instances */ - for (buf = cv->name; *buf ; buf++) - if ((*buf == ':') || (*buf == ',') || (*buf == '.')) - { - buf++; - if (*buf) type = buf; - break; - } + for(buf = cv->name; *buf ; buf++) + if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { + buf++; + if(*buf) type = buf; + break; + } buf=cv->value; if ((nid=OBJ_txt2nid(type)) == NID_undef) @@ -2449,11 +2123,10 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) - { - ASN1_UTCTIME *tm=NULL; +static int do_revoke(X509 *x509, TXT_DB *db) +{ + ASN1_UTCTIME *tm=NULL, *revtm=NULL; char *row[DB_NUMBER],**rrow,**irow; - char *rev_str = NULL; BIGNUM *bn = NULL; int ok=-1,i; @@ -2522,12 +2195,12 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) } /* Revoke Certificate */ - ok = do_revoke(x509,db, type, value); + ok = do_revoke(x509,db); goto err; } - else if (index_name_cmp((const char **)row,(const char **)rrow)) + else if (index_name_cmp(row,rrow)) { BIO_printf(bio_err,"ERROR:name does not match %s\n", row[DB_name]); @@ -2542,15 +2215,14 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) else { BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]); - rev_str = make_revocation_str(type, value); - if (!rev_str) - { - BIO_printf(bio_err, "Error in revocation arguments\n"); - goto err; - } + revtm = ASN1_UTCTIME_new(); + revtm=X509_gmtime_adj(revtm,0); rrow[DB_type][0]='R'; rrow[DB_type][1]='\0'; - rrow[DB_rev_date] = rev_str; + rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1); + memcpy(rrow[DB_rev_date],revtm->data,revtm->length); + rrow[DB_rev_date][revtm->length]='\0'; + ASN1_UTCTIME_free(revtm); } ok=1; err: @@ -2560,406 +2232,5 @@ err: OPENSSL_free(row[i]); } return(ok); - } - -static int get_certificate_status(const char *serial, TXT_DB *db) - { - char *row[DB_NUMBER],**rrow; - int ok=-1,i; +} - /* Free Resources */ - for (i=0; i= 2000 */ - char **rrow, *a_tm_s; - - a_tm = ASN1_UTCTIME_new(); - - /* get actual time and make a string */ - a_tm = X509_gmtime_adj(a_tm, 0); - a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1); - if (a_tm_s == NULL) - { - cnt = -1; - goto err; - } - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; - - for (i = 0; i < sk_num(db->data); i++) - { - rrow = (char **) sk_value(db->data, i); - - if (rrow[DB_type][0] == 'V') - { - /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; - - if (db_y2k == a_y2k) - { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) - { - rrow[DB_type][0] = 'E'; - rrow[DB_type][1] = '\0'; - cnt++; - - BIO_printf(bio_err, "%s=Expired\n", - rrow[DB_serial]); - } - } - else if (db_y2k < a_y2k) - { - rrow[DB_type][0] = 'E'; - rrow[DB_type][1] = '\0'; - cnt++; - - BIO_printf(bio_err, "%s=Expired\n", - rrow[DB_serial]); - } - - } - } - -err: - - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); - - return (cnt); - } - -static char *crl_reasons[] = { - /* CRL reason strings */ - "unspecified", - "keyCompromise", - "CACompromise", - "affiliationChanged", - "superseded", - "cessationOfOperation", - "certificateHold", - "removeFromCRL", - /* Additional pseudo reasons */ - "holdInstruction", - "keyTime", - "CAkeyTime" -}; - -#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *)) - -/* Given revocation information convert to a DB string. - * The format of the string is: - * revtime[,reason,extra]. Where 'revtime' is the - * revocation time (the current time). 'reason' is the - * optional CRL reason and 'extra' is any additional - * argument - */ - -char *make_revocation_str(int rev_type, char *rev_arg) - { - char *reason = NULL, *other = NULL, *str; - ASN1_OBJECT *otmp; - ASN1_UTCTIME *revtm = NULL; - int i; - switch (rev_type) - { - case REV_NONE: - break; - - case REV_CRL_REASON: - for (i = 0; i < 8; i++) - { - if (!strcasecmp(rev_arg, crl_reasons[i])) - { - reason = crl_reasons[i]; - break; - } - } - if (reason == NULL) - { - BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); - return NULL; - } - break; - - case REV_HOLD: - /* Argument is an OID */ - - otmp = OBJ_txt2obj(rev_arg, 0); - ASN1_OBJECT_free(otmp); - - if (otmp == NULL) - { - BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); - return NULL; - } - - reason = "holdInstruction"; - other = rev_arg; - break; - - case REV_KEY_COMPROMISE: - case REV_CA_COMPROMISE: - - /* Argument is the key compromise time */ - if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) - { - BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg); - return NULL; - } - other = rev_arg; - if (rev_type == REV_KEY_COMPROMISE) - reason = "keyTime"; - else - reason = "CAkeyTime"; - - break; - - } - - revtm = X509_gmtime_adj(NULL, 0); - - i = revtm->length + 1; - - if (reason) i += strlen(reason) + 1; - if (other) i += strlen(other) + 1; - - str = OPENSSL_malloc(i); - - if (!str) return NULL; - - strcpy(str, (char *)revtm->data); - if (reason) - { - strcat(str, ","); - strcat(str, reason); - } - if (other) - { - strcat(str, ","); - strcat(str, other); - } - ASN1_UTCTIME_free(revtm); - return str; - } - -/* Convert revocation field to X509_REVOKED entry - * return code: - * 0 error - * 1 OK - * 2 OK and some extensions added (i.e. V2 CRL) - */ - -int make_revoked(X509_REVOKED *rev, char *str) - { - char *tmp = NULL; - char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; - int reason_code = -1; - int i, ret = 0; - ASN1_OBJECT *hold = NULL; - ASN1_GENERALIZEDTIME *comp_time = NULL; - ASN1_ENUMERATED *rtmp = NULL; - tmp = BUF_strdup(str); - - p = strchr(tmp, ','); - - rtime_str = tmp; - - if (p) - { - *p = '\0'; - p++; - reason_str = p; - p = strchr(p, ','); - if (p) - { - *p = '\0'; - arg_str = p + 1; - } - } - - if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str)) - { - BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); - goto err; - } - if (reason_str) - { - for (i = 0; i < NUM_REASONS; i++) - { - if(!strcasecmp(reason_str, crl_reasons[i])) - { - reason_code = i; - break; - } - } - if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) - { - BIO_printf(bio_err, "invalid reason code %s\n", reason_str); - goto err; - } - - if (reason_code == 7) - reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; - else if (reason_code == 8) /* Hold instruction */ - { - if (!arg_str) - { - BIO_printf(bio_err, "missing hold instruction\n"); - goto err; - } - reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; - hold = OBJ_txt2obj(arg_str, 0); - - if (!hold) - { - BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); - goto err; - } - } - else if ((reason_code == 9) || (reason_code == 10)) - { - if (!arg_str) - { - BIO_printf(bio_err, "missing compromised time\n"); - goto err; - } - comp_time = ASN1_GENERALIZEDTIME_new(); - if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) - { - BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); - goto err; - } - if (reason_code == 9) - reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; - else - reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; - } - } - - if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) - { - rtmp = ASN1_ENUMERATED_new(); - if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) - goto err; - if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) - goto err; - } - - if (rev && comp_time) - { - if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) - goto err; - } - if (rev && hold) - { - if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) - goto err; - } - - if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) - ret = 2; - else ret = 1; - - err: - - if (tmp) OPENSSL_free(tmp); - ASN1_OBJECT_free(hold); - ASN1_GENERALIZEDTIME_free(comp_time); - ASN1_ENUMERATED_free(rtmp); - - return ret; - }