X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fca.c;h=2d71104745159c49667d35c023cf98f4a5a422d5;hb=c29dbb9562f275485c1266af523cd5d59311d583;hp=f0ed07feb15fb92496a697c5515dd6b308f1481b;hpb=bad4058574a110c972616e4b2f629a6268322eb3;p=oweals%2Fopenssl.git diff --git a/apps/ca.c b/apps/ca.c index f0ed07feb1..2d71104745 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -61,7 +61,6 @@ #include #include #include -#include #include #include #include "apps.h" @@ -74,18 +73,10 @@ #include #include #include -#include #include -#include - -#ifdef OPENSSL_SYS_WINDOWS -#define strcasecmp _stricmp -#else -#include -#endif #ifndef W_OK -# ifdef OPENSSL_SYS_VMS +# ifdef VMS # if defined(__DECC) # include # else @@ -147,14 +138,6 @@ #define DB_TYPE_EXP 'E' #define DB_TYPE_VAL 'V' -/* Additional revocation information types */ - -#define REV_NONE 0 /* No addditional information */ -#define REV_CRL_REASON 1 /* Value is CRL reason code */ -#define REV_HOLD 2 /* Value is hold instruction */ -#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ -#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ - static char *ca_usage[]={ "usage: ca args\n", "\n", @@ -169,8 +152,7 @@ static char *ca_usage[]={ " -days arg - number of days to certify the certificate for\n", " -md arg - md to use, one of md2, md5, sha or sha1\n", " -policy arg - The CA 'policy' to support\n", -" -keyfile arg - private key file\n", -" -keyform arg - private key file format (PEM or ENGINE)\n", +" -keyfile arg - PEM private key file\n", " -key arg - key to decode the private key if it is encrypted\n", " -cert file - The CA certificate\n", " -in file - The input PEM encoded certificate request(s)\n", @@ -183,13 +165,8 @@ static char *ca_usage[]={ " -batch - Don't ask questions\n", " -msie_hack - msie modifications to handle all those universal strings\n", " -revoke file - Revoke a certificate (given in file)\n", -" -subj arg - Use arg instead of request's subject\n", " -extensions .. - Extension section (override value in config file)\n", -" -extfile file - Configuration file with X509v3 extentions to add\n", " -crlexts .. - CRL extension section (override value in config file)\n", -" -engine e - use engine e, possibly a hardware device.\n", -" -status serial - Shows certificate status given the serial number\n", -" -updatedb - Updates db for expired certificates\n", NULL }; @@ -200,58 +177,45 @@ extern int EF_ALIGNMENT; #endif static void lookup_fail(char *name,char *tag); -static unsigned long index_serial_hash(const char **a); -static int index_serial_cmp(const char **a, const char **b); -static unsigned long index_name_hash(const char **a); +static unsigned long index_serial_hash(char **a); +static int index_serial_cmp(char **a, char **b); +static unsigned long index_name_hash(char **a); static int index_name_qual(char **a); -static int index_name_cmp(const char **a,const char **b); +static int index_name_cmp(char **a,char **b); static BIGNUM *load_serial(char *serialfile); static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate,char *enddate, - int days, int batch, char *ext_sect, LHASH *conf,int verbose); + BIGNUM *serial, char *startdate,char *enddate, int days, + int batch, char *ext_sect, LHASH *conf,int verbose); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, char *startdate, + TXT_DB *db, BIGNUM *serial,char *startdate, char *enddate, int days, int batch, char *ext_sect, LHASH *conf,int verbose); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, char *startdate, + TXT_DB *db, BIGNUM *serial,char *startdate, char *enddate, int days, char *ext_sect,LHASH *conf, int verbose); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, + STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *conf); -static X509_NAME *do_subject(char *subject); -static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); -static int get_certificate_status(const char *ser_status, TXT_DB *db); -static int do_updatedb(TXT_DB *db); +static int do_revoke(X509 *x509, TXT_DB *db); static int check_time_format(char *str); -char *make_revocation_str(int rev_type, char *rev_arg); -int make_revoked(X509_REVOKED *rev, char *str); static LHASH *conf=NULL; -static LHASH *extconf=NULL; static char *section=NULL; static int preserve=0; static int msie_hack=0; -static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **) -static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **) -static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **) - - int MAIN(int, char **); int MAIN(int argc, char **argv) { - ENGINE *e = NULL; char *key=NULL,*passargin=NULL; int total=0; int total_done=0; @@ -261,7 +225,6 @@ int MAIN(int argc, char **argv) int verbose=0; int gencrl=0; int dorevoke=0; - int doupdatedb=0; long crldays=0; long crlhours=0; long errorline= -1; @@ -270,22 +233,16 @@ int MAIN(int argc, char **argv) char *policy=NULL; char *keyfile=NULL; char *certfile=NULL; - int keyform=FORMAT_PEM; char *infile=NULL; char *spkac_file=NULL; char *ss_cert_file=NULL; - char *ser_status=NULL; EVP_PKEY *pkey=NULL; int output_der = 0; char *outfile=NULL; char *outdir=NULL; char *serialfile=NULL; char *extensions=NULL; - char *extfile=NULL; - char *subj=NULL; char *crl_ext=NULL; - int rev_type = REV_NONE; - char *rev_arg = NULL; BIGNUM *serial=NULL; char *startdate=NULL; char *enddate=NULL; @@ -306,11 +263,11 @@ int MAIN(int argc, char **argv) const EVP_MD *dgst=NULL; STACK_OF(CONF_VALUE) *attribs=NULL; STACK_OF(X509) *cert_sk=NULL; + BIO *hex=NULL; #undef BSIZE #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile=NULL; - char *engine = NULL; #ifdef EFENCE EF_PROTECT_FREE=1; @@ -346,12 +303,6 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; section= *(++argv); } - else if (strcmp(*argv,"-subj") == 0) - { - if (--argc < 1) goto bad; - subj= *(++argv); - /* preserve=1; */ - } else if (strcmp(*argv,"-startdate") == 0) { if (--argc < 1) goto bad; @@ -382,11 +333,6 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; keyfile= *(++argv); } - else if (strcmp(*argv,"-keyform") == 0) - { - if (--argc < 1) goto bad; - keyform=str2fmt(*(++argv)); - } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; @@ -468,54 +414,11 @@ EF_ALIGNMENT=0; if (--argc < 1) goto bad; extensions= *(++argv); } - else if (strcmp(*argv,"-extfile") == 0) - { - if (--argc < 1) goto bad; - extfile= *(++argv); - } - else if (strcmp(*argv,"-status") == 0) - { - if (--argc < 1) goto bad; - ser_status= *(++argv); - } - else if (strcmp(*argv,"-updatedb") == 0) - { - doupdatedb=1; - } else if (strcmp(*argv,"-crlexts") == 0) { if (--argc < 1) goto bad; crl_ext= *(++argv); } - else if (strcmp(*argv,"-crl_reason") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_CRL_REASON; - } - else if (strcmp(*argv,"-crl_hold") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_HOLD; - } - else if (strcmp(*argv,"-crl_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_KEY_COMPROMISE; - } - else if (strcmp(*argv,"-crl_CA_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); - rev_type = REV_CA_COMPROMISE; - } - else if (strcmp(*argv,"-engine") == 0) - { - if (--argc < 1) goto bad; - engine= *(++argv); - } else { bad: @@ -530,37 +433,19 @@ bad: if (badops) { for (pp=ca_usage; (*pp != NULL); pp++) - BIO_printf(bio_err,"%s",*pp); + BIO_printf(bio_err,*pp); goto err; } ERR_load_crypto_strings(); - if (engine != NULL) - { - if ((e = ENGINE_by_id(engine)) == NULL) - { - BIO_printf(bio_err,"invalid engine \"%s\"\n", - engine); - goto err; - } - if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - { - BIO_printf(bio_err,"can't use that engine\n"); - goto err; - } - BIO_printf(bio_err,"engine \"%s\" set.\n", engine); - /* Free our "structural" reference. */ - ENGINE_free(e); - } - /*****************************************************************/ if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); if (configfile == NULL) { /* We will just use 'buf[0]' as a temporary buffer. */ -#ifdef OPENSSL_SYS_VMS +#ifdef VMS strncpy(buf[0],X509_get_default_cert_area(), sizeof(buf[0])-1-sizeof(CONFIG_FILE)); #else @@ -598,8 +483,6 @@ bad: if (conf != NULL) { p=CONF_get_string(conf,NULL,"oid_file"); - if (p == NULL) - ERR_clear_error(); if (p != NULL) { BIO *oid_bio; @@ -619,7 +502,7 @@ bad: BIO_free(oid_bio); } } - if (!add_oid_section(bio_err,conf)) + if(!add_oid_section(bio_err,conf)) { ERR_print_errors(bio_err); goto err; @@ -627,8 +510,6 @@ bad: } randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE"); - if (randfile == NULL) - ERR_clear_error(); app_RAND_load_file(randfile, bio_err, 0); in=BIO_new(BIO_s_file()); @@ -642,41 +523,7 @@ bad: } /*****************************************************************/ - /* report status of cert with serial number given on command line */ - if (ser_status) - { - if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL) - { - lookup_fail(section,ENV_DATABASE); - goto err; - } - if (BIO_read_filename(in,dbfile) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n",dbfile); - goto err; - } - db=TXT_DB_read(in,DB_NUMBER); - if (db == NULL) goto err; - - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); - goto err; - } - - if (get_certificate_status(ser_status,db) != 1) - BIO_printf(bio_err,"Error verifying serial %s!\n", - ser_status); - goto err; - } - - /*****************************************************************/ - /* we definitely need a public key, so let's get it */ + /* we definitely need an public key, so lets get it */ if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf, section,ENV_PRIVATE_KEY)) == NULL)) @@ -684,36 +531,19 @@ bad: lookup_fail(section,ENV_PRIVATE_KEY); goto err; } - if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) + if(!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) { BIO_printf(bio_err,"Error getting password\n"); goto err; } - if (keyform == FORMAT_ENGINE) - { - if (!e) - { - BIO_printf(bio_err,"no engine specified\n"); - goto err; - } - pkey = ENGINE_load_private_key(e, keyfile, key); - } - else if (keyform == FORMAT_PEM) - { - if (BIO_read_filename(in,keyfile) <= 0) - { - perror(keyfile); - BIO_printf(bio_err,"trying to load CA private key\n"); - goto err; - } - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); - } - else + if (BIO_read_filename(in,keyfile) <= 0) { - BIO_printf(bio_err,"bad input format specified for key file\n"); + perror(keyfile); + BIO_printf(bio_err,"trying to load CA private key\n"); goto err; } - if (key) memset(key,0,strlen(key)); + pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); + if(key) memset(key,0,strlen(key)); if (pkey == NULL) { BIO_printf(bio_err,"unable to load CA private key\n"); @@ -728,7 +558,7 @@ bad: lookup_fail(section,ENV_CERTIFICATE); goto err; } - if (BIO_read_filename(in,certfile) <= 0) + if (BIO_read_filename(in,certfile) <= 0) { perror(certfile); BIO_printf(bio_err,"trying to load CA certificate\n"); @@ -748,13 +578,9 @@ bad: } f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE); - if (f == NULL) - ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) preserve=1; f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK); - if (f == NULL) - ERR_clear_error(); if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) msie_hack=1; @@ -770,8 +596,7 @@ bad: BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n"); goto err; } -#ifndef OPENSSL_SYS_VMS - /* outdir is a directory spec, but access() for VMS demands a +#ifndef VMS /* outdir is a directory spec, but access() for VMS demands a filename. In any case, stat(), below, will catch the problem if outdir is not a directory spec, and the fopen() or open() will catch an error if there is no write access. @@ -780,7 +605,7 @@ bad: C routines to convert the directory syntax to Unixly, and give that to access(). However, time's too short to do that just now. - */ + */ if (access(outdir,R_OK|W_OK|X_OK) != 0) { BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); @@ -832,9 +657,10 @@ bad: goto err; } if ((pp[DB_type][0] == DB_TYPE_REV) && - !make_revoked(NULL, pp[DB_rev_date])) + !check_time_format(pp[DB_rev_date])) { - BIO_printf(bio_err," in entry %d\n", i+1); + BIO_printf(bio_err,"entry %d: invalid revocation date\n", + i+1); goto err; } if (!check_time_format(pp[DB_exp_date])) @@ -844,11 +670,6 @@ bad: } p=pp[DB_serial]; j=strlen(p); - if (*p == '-') - { - p++; - j--; - } if ((j&1) || (j < 2)) { BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j); @@ -869,7 +690,7 @@ bad: if (verbose) { BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */ -#ifdef OPENSSL_SYS_VMS +#ifdef VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); @@ -881,128 +702,27 @@ bad: BIO_printf(bio_err,"generating index\n"); } - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) + if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash, + index_serial_cmp)) { BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2); goto err; } - if (!TXT_DB_create_index(db, DB_name, index_name_qual, - LHASH_HASH_FN(index_name_hash), - LHASH_COMP_FN(index_name_cmp))) + if (!TXT_DB_create_index(db,DB_name,index_name_qual,index_name_hash, + index_name_cmp)) { BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n", db->error,db->arg1,db->arg2); goto err; } - /*****************************************************************/ - /* Update the db file for expired certificates */ - if (doupdatedb) - { - if (verbose) - BIO_printf(bio_err, "Updating %s ...\n", - dbfile); - - i = do_updatedb(db); - if (i == -1) - { - BIO_printf(bio_err,"Malloc failure\n"); - goto err; - } - else if (i == 0) - { - if (verbose) BIO_printf(bio_err, - "No entries found to mark expired\n"); - } - else - { - out = BIO_new(BIO_s_file()); - if (out == NULL) - { - ERR_print_errors(bio_err); - goto err; - } - - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile); - if (j < 0 || j >= sizeof buf[0]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (BIO_write_filename(out,buf[0]) <= 0) - { - perror(dbfile); - BIO_printf(bio_err,"unable to open '%s'\n", - dbfile); - goto err; - } - j=TXT_DB_write(out,db); - if (j <= 0) goto err; - - BIO_free(out); - out = NULL; - j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile); - if (j < 0 || j >= sizeof buf[1]) - { - BIO_printf(bio_err, "file name too long\n"); - goto err; - } - if (rename(dbfile,buf[1]) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - dbfile, buf[1]); - perror("reason"); - goto err; - } - if (rename(buf[0],dbfile) < 0) - { - BIO_printf(bio_err, - "unable to rename %s to %s\n", - buf[0],dbfile); - perror("reason"); - rename(buf[1],dbfile); - goto err; - } - - if (verbose) BIO_printf(bio_err, - "Done. %d entries marked as expired\n",i); - } - goto err; - } - - /*****************************************************************/ - /* Read extentions config file */ - if (extfile) - { - if (!(extconf=CONF_load(NULL,extfile,&errorline))) - { - if (errorline <= 0) - BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", - extfile); - else - BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n", - errorline,extfile); - ret = 1; - goto err; - } - - if (verbose) - BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile); - - /* We can have sections in the ext file */ - if (!extensions && !(extensions = CONF_get_string(extconf, "default", "extensions"))) - extensions = "default"; - } - /*****************************************************************/ if (req || gencrl) { if (outfile != NULL) { + if (BIO_write_filename(Sout,outfile) <= 0) { perror(outfile); @@ -1012,7 +732,7 @@ bad: else { BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT); -#ifdef OPENSSL_SYS_VMS +#ifdef VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); Sout = BIO_push(tmpbio, Sout); @@ -1052,42 +772,26 @@ bad: lookup_fail(section,ENV_SERIAL); goto err; } - - if (!extconf) - { - /* no '-extfile' option, so we look for extensions - * in the main configuration file */ - if (!extensions) - { - extensions=CONF_get_string(conf,section, - ENV_EXTENSIONS); - if (!extensions) - ERR_clear_error(); - } - if (extensions) - { - /* Check syntax of file */ - X509V3_CTX ctx; - X509V3_set_ctx_test(&ctx); - X509V3_set_conf_lhash(&ctx, conf); - if (!X509V3_EXT_add_conf(conf, &ctx, extensions, - NULL)) - { - BIO_printf(bio_err, - "Error Loading extension section %s\n", + if(!extensions) + extensions=CONF_get_string(conf,section,ENV_EXTENSIONS); + if(extensions) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_conf_lhash(&ctx, conf); + if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extensions); - ret = 1; - goto err; - } - } + ret = 1; + goto err; } + } if (startdate == NULL) { startdate=CONF_get_string(conf,section, ENV_DEFAULT_STARTDATE); - if (startdate == NULL) - ERR_clear_error(); } if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) { @@ -1100,8 +804,6 @@ bad: { enddate=CONF_get_string(conf,section, ENV_DEFAULT_ENDDATE); - if (enddate == NULL) - ERR_clear_error(); } if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) { @@ -1147,7 +849,7 @@ bad: { total++; j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate, days,extensions,conf, + serial,startdate,enddate, days,extensions,conf, verbose); if (j < 0) goto err; if (j > 0) @@ -1171,7 +873,7 @@ bad: { total++; j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, - db,serial,subj,startdate,enddate,days,batch, + db,serial,startdate,enddate,days,batch, extensions,conf,verbose); if (j < 0) goto err; if (j > 0) @@ -1190,7 +892,7 @@ bad: { total++; j=certify(&x,infile,pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate,days,batch, + serial,startdate,enddate,days,batch, extensions,conf,verbose); if (j < 0) goto err; if (j > 0) @@ -1209,7 +911,7 @@ bad: { total++; j=certify(&x,argv[i],pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate,days,batch, + serial,startdate,enddate,days,batch, extensions,conf,verbose); if (j < 0) goto err; if (j > 0) @@ -1248,7 +950,7 @@ bad: strncpy(buf[0],serialfile,BSIZE-4); -#ifdef OPENSSL_SYS_VMS +#ifdef VMS strcat(buf[0],"-new"); #else strcat(buf[0],".new"); @@ -1258,7 +960,7 @@ bad: strncpy(buf[1],dbfile,BSIZE-4); -#ifdef OPENSSL_SYS_VMS +#ifdef VMS strcat(buf[1],"-new"); #else strcat(buf[1],".new"); @@ -1288,7 +990,7 @@ bad: strncpy(buf[2],outdir,BSIZE-(j*2)-6); -#ifndef OPENSSL_SYS_VMS +#ifndef VMS strcat(buf[2],"/"); #endif @@ -1325,7 +1027,7 @@ bad: /* Rename the database and the serial file */ strncpy(buf[2],serialfile,BSIZE-4); -#ifdef OPENSSL_SYS_VMS +#ifdef VMS strcat(buf[2],"-old"); #else strcat(buf[2],".old"); @@ -1353,7 +1055,7 @@ bad: strncpy(buf[2],dbfile,BSIZE-4); -#ifdef OPENSSL_SYS_VMS +#ifdef VMS strcat(buf[2],"-old"); #else strcat(buf[2],".old"); @@ -1381,28 +1083,21 @@ bad: /*****************************************************************/ if (gencrl) { - int crl_v2 = 0; - if (!crl_ext) - { - crl_ext=CONF_get_string(conf,section,ENV_CRLEXT); - if (!crl_ext) - ERR_clear_error(); - } - if (crl_ext) - { + if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT); + if(crl_ext) { /* Check syntax of file */ X509V3_CTX ctx; X509V3_set_ctx_test(&ctx); X509V3_set_conf_lhash(&ctx, conf); - if (!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) - { + if(!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) { BIO_printf(bio_err, "Error Loading CRL extension section %s\n", crl_ext); ret = 1; goto err; - } } + } + if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err; if (!crldays && !crlhours) { @@ -1435,17 +1130,19 @@ bad: if (pp[DB_type][0] == DB_TYPE_REV) { if ((r=X509_REVOKED_new()) == NULL) goto err; - j = make_revoked(r, pp[DB_rev_date]); - if (!j) goto err; - if (j == 2) crl_v2 = 1; - if (!BN_hex2bn(&serial, pp[DB_serial])) + ASN1_STRING_set((ASN1_STRING *) + r->revocationDate, + (unsigned char *)pp[DB_rev_date], + strlen(pp[DB_rev_date])); + /* strcpy(r->revocationDate,pp[DB_rev_date]);*/ + + (void)BIO_reset(hex); + if (!BIO_puts(hex,pp[DB_serial])) goto err; - r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber); - BN_free(serial); - serial = NULL; - if (!r->serialNumber) - goto err; - X509_CRL_add0_revoked(crl,r); + if (!a2i_ASN1_INTEGER(hex,r->serialNumber, + buf[0],BSIZE)) goto err; + + sk_X509_REVOKED_push(ci->revoked,r); } } /* sort the data so it will be written in serial @@ -1468,34 +1165,28 @@ bad: } } else - { -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - dgst=EVP_dss1(); - else + { +#ifndef NO_DSA + if (pkey->type == EVP_PKEY_DSA) + dgst=EVP_dss1(); + else #endif - dgst=EVP_md5(); - } + dgst=EVP_md5(); + } /* Add any extensions asked for */ - if (crl_ext) - { - X509V3_CTX crlctx; - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; - X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); - X509V3_set_conf_lhash(&crlctx, conf); + if(crl_ext) { + X509V3_CTX crlctx; + if (ci->version == NULL) + if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; + ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ + X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); + X509V3_set_conf_lhash(&crlctx, conf); - if (!X509V3_EXT_CRL_add_conf(conf, &crlctx, - crl_ext, crl)) goto err; - } - if (crl_ext || crl_v2) - { - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; - ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ - } + if(!X509V3_EXT_CRL_add_conf(conf, &crlctx, + crl_ext, crl)) goto err; + } if (!X509_CRL_sign(crl,pkey,dgst)) goto err; @@ -1524,7 +1215,7 @@ bad: BIO_printf(bio_err,"unable to load '%s' certificate\n",infile); goto err; } - j=do_revoke(revcert,db, rev_type, rev_arg); + j=do_revoke(revcert,db); if (j <= 0) goto err; X509_free(revcert); @@ -1559,6 +1250,7 @@ bad: /*****************************************************************/ ret=0; err: + BIO_free(hex); BIO_free_all(Cout); BIO_free_all(Sout); BIO_free_all(out); @@ -1583,31 +1275,31 @@ static void lookup_fail(char *name, char *tag) BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); } -static unsigned long index_serial_hash(const char **a) +static unsigned long index_serial_hash(char **a) { - const char *n; + char *n; n=a[DB_serial]; while (*n == '0') n++; return(lh_strhash(n)); } -static int index_serial_cmp(const char **a, const char **b) +static int index_serial_cmp(char **a, char **b) { - const char *aa,*bb; + char *aa,*bb; for (aa=a[DB_serial]; *aa == '0'; aa++); for (bb=b[DB_serial]; *bb == '0'; bb++); return(strcmp(aa,bb)); } -static unsigned long index_name_hash(const char **a) +static unsigned long index_name_hash(char **a) { return(lh_strhash(a[DB_name])); } static int index_name_qual(char **a) { return(a[0][0] == 'V'); } -static int index_name_cmp(const char **a, const char **b) +static int index_name_cmp(char **a, char **b) { return(strcmp(a[DB_name], b[DB_name])); } @@ -1683,7 +1375,7 @@ err: static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, int days, + BIGNUM *serial, char *startdate, char *enddate, int days, int batch, char *ext_sect, LHASH *lconf, int verbose) { X509_REQ *req=NULL; @@ -1731,7 +1423,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, else BIO_printf(bio_err,"Signature ok\n"); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate, + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate, enddate, days,batch,verbose,req,ext_sect,lconf); err: @@ -1742,7 +1434,7 @@ err: static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, int days, + BIGNUM *serial, char *startdate, char *enddate, int days, int batch, char *ext_sect, LHASH *lconf, int verbose) { X509 *req=NULL; @@ -1793,7 +1485,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) goto err; - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days, + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,days, batch,verbose,rreq,ext_sect,lconf); err: @@ -1804,7 +1496,7 @@ err: } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, - STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, + STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *startdate, char *enddate, int days, int batch, int verbose, X509_REQ *req, char *ext_sect, LHASH *lconf) { @@ -1833,21 +1525,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, for (i=0; ireq_info->enc.modified = 1; - X509_NAME_free(n); - } - - BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n"); + BIO_printf(bio_err,"The Subjects Distinguished Name is as follows\n"); name=X509_REQ_get_subject_name(req); for (i=0; iextensions = NULL; - /* Initialize the context structure */ X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); + X509V3_set_conf_lhash(&ctx, lconf); - if (extconf) - { - if (verbose) - BIO_printf(bio_err, "Extra configuration file found\n"); - - /* Use the extconf configuration db LHASH */ - X509V3_set_conf_lhash(&ctx, extconf); - - /* Test the structure (needed?) */ - /* X509V3_set_ctx_test(&ctx); */ - - /* Adds exts contained in the configuration file */ - if (!X509V3_EXT_add_conf(extconf, &ctx, ext_sect,ret)) - { - BIO_printf(bio_err, - "ERROR: adding extensions in section %s\n", - ext_sect); - ERR_print_errors(bio_err); - goto err; - } - if (verbose) - BIO_printf(bio_err, "Successfully added extensions from file.\n"); - } - else if (ext_sect) - { - /* We found extensions to be set from config file */ - X509V3_set_conf_lhash(&ctx, lconf); - - if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) - { - BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); - ERR_print_errors(bio_err); - goto err; - } + if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err; - if (verbose) - BIO_printf(bio_err, "Successfully added extensions from config\n"); - } } @@ -2209,7 +1851,7 @@ again2: } -#ifndef OPENSSL_NO_DSA +#ifndef NO_DSA if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); pktmp=X509_get_pubkey(ret); if (EVP_PKEY_missing_parameters(pktmp) && @@ -2305,13 +1947,13 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber); BIO_puts(bp,"\n\n"); #endif - if (!notext)X509_print(bp,x); + if(!notext)X509_print(bp,x); PEM_write_bio_X509(bp,x); } static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, int days, + BIGNUM *serial, char *startdate, char *enddate, int days, char *ext_sect, LHASH *lconf, int verbose) { STACK_OF(CONF_VALUE) *sk=NULL; @@ -2378,13 +2020,12 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, /* Skip past any leading X. X: X, etc to allow for * multiple instances */ - for (buf = cv->name; *buf ; buf++) - if ((*buf == ':') || (*buf == ',') || (*buf == '.')) - { - buf++; - if (*buf) type = buf; - break; - } + for(buf = cv->name; *buf ; buf++) + if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { + buf++; + if(*buf) type = buf; + break; + } buf=cv->value; if ((nid=OBJ_txt2nid(type)) == NID_undef) @@ -2446,7 +2087,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, X509_REQ_set_pubkey(req,pktmp); EVP_PKEY_free(pktmp); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate, + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate, days,1,verbose,req,ext_sect,lconf); err: if (req != NULL) X509_REQ_free(req); @@ -2482,11 +2123,10 @@ static int check_time_format(char *str) return(ASN1_UTCTIME_check(&tm)); } -static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) - { - ASN1_UTCTIME *tm=NULL; +static int do_revoke(X509 *x509, TXT_DB *db) +{ + ASN1_UTCTIME *tm=NULL, *revtm=NULL; char *row[DB_NUMBER],**rrow,**irow; - char *rev_str = NULL; BIGNUM *bn = NULL; int ok=-1,i; @@ -2555,12 +2195,12 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) } /* Revoke Certificate */ - ok = do_revoke(x509,db, type, value); + ok = do_revoke(x509,db); goto err; } - else if (index_name_cmp((const char **)row,(const char **)rrow)) + else if (index_name_cmp(row,rrow)) { BIO_printf(bio_err,"ERROR:name does not match %s\n", row[DB_name]); @@ -2575,15 +2215,14 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value) else { BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]); - rev_str = make_revocation_str(type, value); - if (!rev_str) - { - BIO_printf(bio_err, "Error in revocation arguments\n"); - goto err; - } + revtm = ASN1_UTCTIME_new(); + revtm=X509_gmtime_adj(revtm,0); rrow[DB_type][0]='R'; rrow[DB_type][1]='\0'; - rrow[DB_rev_date] = rev_str; + rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1); + memcpy(rrow[DB_rev_date],revtm->data,revtm->length); + rrow[DB_rev_date][revtm->length]='\0'; + ASN1_UTCTIME_free(revtm); } ok=1; err: @@ -2593,465 +2232,5 @@ err: OPENSSL_free(row[i]); } return(ok); - } - -static int get_certificate_status(const char *serial, TXT_DB *db) - { - char *row[DB_NUMBER],**rrow; - int ok=-1,i; - - /* Free Resources */ - for (i=0; i= 2000 */ - char **rrow, *a_tm_s; +} - a_tm = ASN1_UTCTIME_new(); - - /* get actual time and make a string */ - a_tm = X509_gmtime_adj(a_tm, 0); - a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1); - if (a_tm_s == NULL) - { - cnt = -1; - goto err; - } - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; - - for (i = 0; i < sk_num(db->data); i++) - { - rrow = (char **) sk_value(db->data, i); - - if (rrow[DB_type][0] == 'V') - { - /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; - - if (db_y2k == a_y2k) - { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) - { - rrow[DB_type][0] = 'E'; - rrow[DB_type][1] = '\0'; - cnt++; - - BIO_printf(bio_err, "%s=Expired\n", - rrow[DB_serial]); - } - } - else if (db_y2k < a_y2k) - { - rrow[DB_type][0] = 'E'; - rrow[DB_type][1] = '\0'; - cnt++; - - BIO_printf(bio_err, "%s=Expired\n", - rrow[DB_serial]); - } - - } - } - -err: - - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); - - return (cnt); - } - -static char *crl_reasons[] = { - /* CRL reason strings */ - "unspecified", - "keyCompromise", - "CACompromise", - "affiliationChanged", - "superseded", - "cessationOfOperation", - "certificateHold", - "removeFromCRL", - /* Additional pseudo reasons */ - "holdInstruction", - "keyTime", - "CAkeyTime" -}; - -#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *)) - -/* Given revocation information convert to a DB string. - * The format of the string is: - * revtime[,reason,extra]. Where 'revtime' is the - * revocation time (the current time). 'reason' is the - * optional CRL reason and 'extra' is any additional - * argument - */ - -char *make_revocation_str(int rev_type, char *rev_arg) - { - char *reason = NULL, *other = NULL, *str; - ASN1_OBJECT *otmp; - ASN1_UTCTIME *revtm = NULL; - int i; - switch (rev_type) - { - case REV_NONE: - break; - - case REV_CRL_REASON: - for (i = 0; i < 8; i++) - { - if (!strcasecmp(rev_arg, crl_reasons[i])) - { - reason = crl_reasons[i]; - break; - } - } - if (reason == NULL) - { - BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); - return NULL; - } - break; - - case REV_HOLD: - /* Argument is an OID */ - - otmp = OBJ_txt2obj(rev_arg, 0); - ASN1_OBJECT_free(otmp); - - if (otmp == NULL) - { - BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); - return NULL; - } - - reason = "holdInstruction"; - other = rev_arg; - break; - - case REV_KEY_COMPROMISE: - case REV_CA_COMPROMISE: - - /* Argument is the key compromise time */ - if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) - { - BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg); - return NULL; - } - other = rev_arg; - if (rev_type == REV_KEY_COMPROMISE) - reason = "keyTime"; - else - reason = "CAkeyTime"; - - break; - - } - - revtm = X509_gmtime_adj(NULL, 0); - - i = revtm->length + 1; - - if (reason) i += strlen(reason) + 1; - if (other) i += strlen(other) + 1; - - str = OPENSSL_malloc(i); - - if (!str) return NULL; - - strcpy(str, (char *)revtm->data); - if (reason) - { - strcat(str, ","); - strcat(str, reason); - } - if (other) - { - strcat(str, ","); - strcat(str, other); - } - ASN1_UTCTIME_free(revtm); - return str; - } - -/* Convert revocation field to X509_REVOKED entry - * return code: - * 0 error - * 1 OK - * 2 OK and some extensions added (i.e. V2 CRL) - */ - -int make_revoked(X509_REVOKED *rev, char *str) - { - char *tmp = NULL; - char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; - int reason_code = -1; - int i, ret = 0; - ASN1_OBJECT *hold = NULL; - ASN1_GENERALIZEDTIME *comp_time = NULL; - ASN1_ENUMERATED *rtmp = NULL; - tmp = BUF_strdup(str); - - p = strchr(tmp, ','); - - rtime_str = tmp; - - if (p) - { - *p = '\0'; - p++; - reason_str = p; - p = strchr(p, ','); - if (p) - { - *p = '\0'; - arg_str = p + 1; - } - } - - if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str)) - { - BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); - goto err; - } - if (reason_str) - { - for (i = 0; i < NUM_REASONS; i++) - { - if(!strcasecmp(reason_str, crl_reasons[i])) - { - reason_code = i; - break; - } - } - if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) - { - BIO_printf(bio_err, "invalid reason code %s\n", reason_str); - goto err; - } - - if (reason_code == 7) - reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; - else if (reason_code == 8) /* Hold instruction */ - { - if (!arg_str) - { - BIO_printf(bio_err, "missing hold instruction\n"); - goto err; - } - reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; - hold = OBJ_txt2obj(arg_str, 0); - - if (!hold) - { - BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); - goto err; - } - } - else if ((reason_code == 9) || (reason_code == 10)) - { - if (!arg_str) - { - BIO_printf(bio_err, "missing compromised time\n"); - goto err; - } - comp_time = ASN1_GENERALIZEDTIME_new(); - if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) - { - BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); - goto err; - } - if (reason_code == 9) - reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; - else - reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; - } - } - - if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) - { - rtmp = ASN1_ENUMERATED_new(); - if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) - goto err; - if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) - goto err; - } - - if (rev && comp_time) - { - if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) - goto err; - } - if (rev && hold) - { - if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) - goto err; - } - - if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) - ret = 2; - else ret = 1; - - err: - - if (tmp) OPENSSL_free(tmp); - ASN1_OBJECT_free(hold); - ASN1_GENERALIZEDTIME_free(comp_time); - ASN1_ENUMERATED_free(rtmp); - - return ret; - } - -static X509_NAME *do_subject(char *subject) - { - X509_NAME *n = NULL; - - int i, nid, ne_num=0; - - char *ne_name = NULL; - char *ne_value = NULL; - - char *tmp = NULL; - char *p[2]; - - char *str_list[256]; - - p[0] = ",/"; - p[1] = "="; - - n = X509_NAME_new(); - - tmp = strtok(subject, p[0]); - while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list))) - { - char *token = tmp; - - while (token[0] == ' ') - token++; - str_list[ne_num] = token; - - tmp = strtok(NULL, p[0]); - ne_num++; - } - - for (i = 0; i < ne_num; i++) - { - ne_name = strtok(str_list[i], p[1]); - ne_value = strtok(NULL, p[1]); - - if ((nid=OBJ_txt2nid(ne_name)) == NID_undef) - { - BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name); - continue; - } - - if (ne_value == NULL) - { - BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name); - continue; - } - - if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0)) - { - X509_NAME_free(n); - return NULL; - } - } - - return n; - }