Incorporate the following changes from 0.9.8-dev:
authorRichard Levitte <levitte@openssl.org>
Mon, 8 Mar 2004 02:53:46 +0000 (02:53 +0000)
committerRichard Levitte <levitte@openssl.org>
Mon, 8 Mar 2004 02:53:46 +0000 (02:53 +0000)
2003-04-04 17:10  levitte

* apps/: apps.c (1.72), apps.h (1.56), ca.c (1.135), x509.c (1.82):
  Convert save_serial() to work like save_index(), and add a
  rotate_serial() that works like rotate_index().

2003-04-03 20:07  levitte

* apps/: apps.c (1.69), ca.c (1.130): Conditionalise all debug
  strings.

2003-04-03 18:33  levitte

* apps/apps.c (1.68), apps/apps.h (1.55), apps/ca.c (1.129),
  apps/ocsp.c (1.31), apps/openssl.cnf (1.24), apps/x509.c (1.80),
  CHANGES (1.1139): Make it possible to have multiple active
  certificates with the same subject.

CHANGES
apps/apps.c
apps/apps.h
apps/ca.c
apps/ocsp.c
apps/openssl.cnf
apps/x509.c

diff --git a/CHANGES b/CHANGES
index 0227b9a8d2f5c3eae3557d1a4b501f6bb1a2bbf4..c2ad5a196b802cbad125478bc44bb117dbb6124d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,14 @@
 
  Changes between 0.9.7c and 0.9.7d  [xx XXX XXXX]
 
+  *) Make it possible to have multiple active certificates with the same
+     subject in the CA index file.  This is done only if the keyword
+     'unique_subject' is set to 'no' in the main CA section (default
+     if 'CA_default') of the configuration file.  The value is saved
+     with the database itself in a separate index attribute file,
+     named like the index file with '.attr' appended to the name.
+     [Richard Levitte]
+
   *) X509 verify fixes. Disable broken certificate workarounds when 
      X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
      keyUsage extension present. Don't accept CRLs with unhandled critical
index 7667ebef68b016a302ddb48d2cc17233d27fc01b..93a665e788a33c7f06f099dee1ea84a09ce4b046 100644 (file)
@@ -1424,3 +1424,552 @@ char *make_config_name()
 
        return p;
        }
+
+static unsigned long index_serial_hash(const char **a)
+       {
+       const char *n;
+
+       n=a[DB_serial];
+       while (*n == '0') n++;
+       return(lh_strhash(n));
+       }
+
+static int index_serial_cmp(const char **a, const char **b)
+       {
+       const char *aa,*bb;
+
+       for (aa=a[DB_serial]; *aa == '0'; aa++);
+       for (bb=b[DB_serial]; *bb == '0'; bb++);
+       return(strcmp(aa,bb));
+       }
+
+static int index_name_qual(char **a)
+       { return(a[0][0] == 'V'); }
+
+static unsigned long index_name_hash(const char **a)
+       { return(lh_strhash(a[DB_name])); }
+
+int index_name_cmp(const char **a, const char **b)
+       { return(strcmp(a[DB_name],
+            b[DB_name])); }
+
+static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+
+#undef BSIZE
+#define BSIZE 256
+
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
+       {
+       BIO *in=NULL;
+       BIGNUM *ret=NULL;
+       MS_STATIC char buf[1024];
+       ASN1_INTEGER *ai=NULL;
+
+       ai=ASN1_INTEGER_new();
+       if (ai == NULL) goto err;
+
+       if ((in=BIO_new(BIO_s_file())) == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto err;
+               }
+
+       if (BIO_read_filename(in,serialfile) <= 0)
+               {
+               if (!create)
+                       {
+                       perror(serialfile);
+                       goto err;
+                       }
+               else
+                       {
+                       ASN1_INTEGER_set(ai,1);
+                       ret=BN_new();
+                       if (ret == NULL)
+                               BIO_printf(bio_err, "Out of memory\n");
+                       else
+                               BN_one(ret);
+                       }
+               }
+       else
+               {
+               if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
+                       {
+                       BIO_printf(bio_err,"unable to load number from %s\n",
+                               serialfile);
+                       goto err;
+                       }
+               ret=ASN1_INTEGER_to_BN(ai,NULL);
+               if (ret == NULL)
+                       {
+                       BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
+                       goto err;
+                       }
+               }
+
+       if (ret && retai)
+               {
+               *retai = ai;
+               ai = NULL;
+               }
+ err:
+       if (in != NULL) BIO_free(in);
+       if (ai != NULL) ASN1_INTEGER_free(ai);
+       return(ret);
+       }
+
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai)
+       {
+       char buf[1][BSIZE];
+       BIO *out = NULL;
+       int ret=0;
+       ASN1_INTEGER *ai=NULL;
+       int j;
+
+       if (suffix == NULL)
+               j = strlen(serialfile);
+       else
+               j = strlen(serialfile) + strlen(suffix) + 1;
+       if (j >= BSIZE)
+               {
+               BIO_printf(bio_err,"file name too long\n");
+               goto err;
+               }
+
+       if (suffix == NULL)
+               BUF_strlcpy(buf[0], serialfile, BSIZE);
+       else
+               {
+#ifndef OPENSSL_SYS_VMS
+               j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
+#else
+               j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
+#endif
+               }
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+       out=BIO_new(BIO_s_file());
+       if (out == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto err;
+               }
+       if (BIO_write_filename(out,buf[0]) <= 0)
+               {
+               perror(serialfile);
+               goto err;
+               }
+
+       if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
+               {
+               BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
+               goto err;
+               }
+       i2a_ASN1_INTEGER(out,ai);
+       BIO_puts(out,"\n");
+       ret=1;
+       if (retai)
+               {
+               *retai = ai;
+               ai = NULL;
+               }
+err:
+       if (out != NULL) BIO_free_all(out);
+       if (ai != NULL) ASN1_INTEGER_free(ai);
+       return(ret);
+       }
+
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
+       {
+       char buf[5][BSIZE];
+       int i,j;
+       struct stat sb;
+
+       i = strlen(serialfile) + strlen(old_suffix);
+       j = strlen(serialfile) + strlen(new_suffix);
+       if (i > j) j = i;
+       if (j + 1 >= BSIZE)
+               {
+               BIO_printf(bio_err,"file name too long\n");
+               goto err;
+               }
+
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
+               serialfile, new_suffix);
+#else
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
+               serialfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
+               serialfile, old_suffix);
+#else
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
+               serialfile, old_suffix);
+#endif
+       if (stat(serialfile,&sb) < 0)
+               {
+               if (errno != ENOENT 
+#ifdef ENOTDIR
+                       && errno != ENOTDIR)
+#endif
+                       goto err;
+               }
+       else
+               {
+#ifdef RL_DEBUG
+               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+                       serialfile, buf[1]);
+#endif
+               if (rename(serialfile,buf[1]) < 0)
+                       {
+                       BIO_printf(bio_err,
+                               "unable to rename %s to %s\n",
+                               serialfile, buf[1]);
+                       perror("reason");
+                       goto err;
+                       }
+               }
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               buf[0],serialfile);
+#endif
+       if (rename(buf[0],serialfile) < 0)
+               {
+               BIO_printf(bio_err,
+                       "unable to rename %s to %s\n",
+                       buf[0],serialfile);
+               perror("reason");
+               rename(buf[1],serialfile);
+               goto err;
+               }
+       return 1;
+ err:
+       return 0;
+       }
+
+CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
+       {
+       CA_DB *retdb = NULL;
+       TXT_DB *tmpdb = NULL;
+       BIO *in = BIO_new(BIO_s_file());
+       CONF *dbattr_conf = NULL;
+       char buf[1][BSIZE];
+       long errorline= -1;
+
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto err;
+               }
+       if (BIO_read_filename(in,dbfile) <= 0)
+               {
+               perror(dbfile);
+               BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+               goto err;
+               }
+       if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL)
+               {
+               if (tmpdb != NULL) TXT_DB_free(tmpdb);
+               goto err;
+               }
+
+#ifndef OPENSSL_SYS_VMS
+       BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
+#else
+       BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
+#endif
+       dbattr_conf = NCONF_new(NULL);
+       if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0)
+               {
+               if (errorline > 0)
+                       {
+                       BIO_printf(bio_err,
+                               "error on line %ld of db attribute file '%s'\n"
+                               ,errorline,buf[0]);
+                       goto err;
+                       }
+               else
+                       {
+                       NCONF_free(dbattr_conf);
+                       dbattr_conf = NULL;
+                       }
+               }
+
+       if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL)
+               {
+               fprintf(stderr, "Out of memory\n");
+               goto err;
+               }
+
+       retdb->db = tmpdb;
+       tmpdb = NULL;
+       if (db_attr)
+               retdb->attributes = *db_attr;
+       else
+               {
+               retdb->attributes.unique_subject = 1;
+               }
+
+       if (dbattr_conf)
+               {
+               char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject");
+               if (p)
+                       {
+                       BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
+                       switch(*p)
+                               {
+                       case 'f': /* false */
+                       case 'F': /* FALSE */
+                       case 'n': /* no */
+                       case 'N': /* NO */
+                               retdb->attributes.unique_subject = 0;
+                               break;
+                       case 't': /* true */
+                       case 'T': /* TRUE */
+                       case 'y': /* yes */
+                       case 'Y': /* YES */
+                       default:
+                               retdb->attributes.unique_subject = 1;
+                               break;
+                               }
+                       }
+               }
+
+ err:
+       if (dbattr_conf) NCONF_free(dbattr_conf);
+       if (tmpdb) TXT_DB_free(tmpdb);
+       if (in) BIO_free_all(in);
+       return retdb;
+       }
+
+int index_index(CA_DB *db)
+       {
+       if (!TXT_DB_create_index(db->db, DB_serial, NULL,
+                               LHASH_HASH_FN(index_serial_hash),
+                               LHASH_COMP_FN(index_serial_cmp)))
+               {
+               BIO_printf(bio_err,
+                 "error creating serial number index:(%ld,%ld,%ld)\n",
+                                       db->db->error,db->db->arg1,db->db->arg2);
+                       return 0;
+               }
+
+       if (db->attributes.unique_subject
+               && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
+                       LHASH_HASH_FN(index_name_hash),
+                       LHASH_COMP_FN(index_name_cmp)))
+               {
+               BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
+                       db->db->error,db->db->arg1,db->db->arg2);
+               return 0;
+               }
+       return 1;
+       }
+
+int save_index(char *dbfile, char *suffix, CA_DB *db)
+       {
+       char buf[3][BSIZE];
+       BIO *out = BIO_new(BIO_s_file());
+       int j;
+
+       if (out == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto err;
+               }
+
+       j = strlen(dbfile) + strlen(suffix);
+       if (j + 6 >= BSIZE)
+               {
+               BIO_printf(bio_err,"file name too long\n");
+               goto err;
+               }
+
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
+#else
+       j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
+#else
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
+#else
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
+#endif
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+       if (BIO_write_filename(out,buf[0]) <= 0)
+               {
+               perror(dbfile);
+               BIO_printf(bio_err,"unable to open '%s'\n", dbfile);
+               goto err;
+               }
+       j=TXT_DB_write(out,db->db);
+       if (j <= 0) goto err;
+                       
+       BIO_free(out);
+
+       out = BIO_new(BIO_s_file());
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
+#endif
+       if (BIO_write_filename(out,buf[1]) <= 0)
+               {
+               perror(buf[2]);
+               BIO_printf(bio_err,"unable to open '%s'\n", buf[2]);
+               goto err;
+               }
+       BIO_printf(out,"unique_subject = %s\n",
+               db->attributes.unique_subject ? "yes" : "no");
+       BIO_free(out);
+
+       return 1;
+ err:
+       return 0;
+       }
+
+int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
+       {
+       char buf[5][BSIZE];
+       int i,j;
+       struct stat sb;
+
+       i = strlen(dbfile) + strlen(old_suffix);
+       j = strlen(dbfile) + strlen(new_suffix);
+       if (i > j) j = i;
+       if (j + 6 >= BSIZE)
+               {
+               BIO_printf(bio_err,"file name too long\n");
+               goto err;
+               }
+
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
+#else
+       j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s",
+               dbfile, new_suffix);
+#else
+       j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s",
+               dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
+               dbfile, new_suffix);
+#else
+       j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
+               dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
+               dbfile, old_suffix);
+#else
+       j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
+               dbfile, old_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+       j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s",
+               dbfile, old_suffix);
+#else
+       j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s",
+               dbfile, old_suffix);
+#endif
+       if (stat(dbfile,&sb) < 0)
+               {
+               if (errno != ENOENT 
+#ifdef ENOTDIR
+                       && errno != ENOTDIR)
+#endif
+                       goto err;
+               }
+       else
+               {
+#ifdef RL_DEBUG
+               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+                       dbfile, buf[1]);
+#endif
+               if (rename(dbfile,buf[1]) < 0)
+                       {
+                       BIO_printf(bio_err,
+                               "unable to rename %s to %s\n",
+                               dbfile, buf[1]);
+                       perror("reason");
+                       goto err;
+                       }
+               }
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               buf[0],dbfile);
+#endif
+       if (rename(buf[0],dbfile) < 0)
+               {
+               BIO_printf(bio_err,
+                       "unable to rename %s to %s\n",
+                       buf[0],dbfile);
+               perror("reason");
+               rename(buf[1],dbfile);
+               goto err;
+               }
+       if (stat(buf[4],&sb) < 0)
+               {
+               if (errno != ENOENT 
+#ifdef ENOTDIR
+                       && errno != ENOTDIR)
+#endif
+                       goto err;
+               }
+       else
+               {
+#ifdef RL_DEBUG
+               BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+                       buf[4],buf[3]);
+#endif
+               if (rename(buf[4],buf[3]) < 0)
+                       {
+                       BIO_printf(bio_err,
+                               "unable to rename %s to %s\n",
+                               buf[4], buf[3]);
+                       perror("reason");
+                       rename(dbfile,buf[0]);
+                       rename(buf[1],dbfile);
+                       goto err;
+                       }
+               }
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+               buf[2],buf[4]);
+#endif
+       if (rename(buf[2],buf[4]) < 0)
+               {
+               BIO_printf(bio_err,
+                       "unable to rename %s to %s\n",
+                       buf[2],buf[4]);
+               perror("reason");
+               rename(buf[3],buf[4]);
+               rename(dbfile,buf[0]);
+               rename(buf[1],dbfile);
+               goto err;
+               }
+       return 1;
+ err:
+       return 0;
+       }
+
+void free_index(CA_DB *db)
+       {
+       TXT_DB_free(db->db);
+       OPENSSL_free(db);
+       }
index c36b9d25665741d5657a23296ba35ff202dc16de..8a9c4ab0a0541dbf57c61baf0729ff27d782f8fe 100644 (file)
@@ -287,7 +287,38 @@ char *make_config_name(void);
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
                        ASN1_GENERALIZEDTIME **pinvtm, char *str);
-int make_serial_index(TXT_DB *db);
+
+#define DB_type         0
+#define DB_exp_date     1
+#define DB_rev_date     2
+#define DB_serial       3       /* index - unique */
+#define DB_file         4       
+#define DB_name         5       /* index - unique when active and not disabled */
+#define DB_NUMBER       6
+
+#define DB_TYPE_REV    'R'
+#define DB_TYPE_EXP    'E'
+#define DB_TYPE_VAL    'V'
+
+typedef struct db_attr_st
+       {
+       int unique_subject;
+       } DB_ATTR;
+typedef struct ca_db_st
+       {
+       DB_ATTR attributes;
+       TXT_DB *db;
+       } CA_DB;
+
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
+CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
+int index_index(CA_DB *db);
+int save_index(char *dbfile, char *suffix, CA_DB *db);
+int rotate_index(char *dbfile, char *new_suffix, char *old_suffix);
+void free_index(CA_DB *db);
+int index_name_cmp(const char **a, const char **b);
 
 X509_NAME *do_subject(char *str, long chtype);
 
index f4573f003ac9126c064ad9d550b04bd4decaedb1..438b26186033a5c05b985c95f2787bdb3af903f6 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
 
 #define ENV_DATABASE           "database"
 
-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV    'R'
-#define DB_TYPE_EXP    'E'
-#define DB_TYPE_VAL    'V'
-
 /* Additional revocation information types */
 
 #define REV_NONE               0       /* No addditional information */
@@ -211,43 +199,36 @@ extern int EF_ALIGNMENT;
 #endif
 
 static void lookup_fail(char *name,char *tag);
-static unsigned long index_serial_hash(const char **a);
-static int index_serial_cmp(const char **a, const char **b);
-static unsigned long index_name_hash(const char **a);
-static int index_name_qual(char **a);
-static int index_name_cmp(const char **a,const char **b);
-static BIGNUM *load_serial(char *serialfile);
-static int save_serial(char *serialfile, BIGNUM *serial);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
-                  const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
+                  const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
                   BIGNUM *serial, char *subj, int email_dn, char *startdate,
                   char *enddate, long days, int batch, char *ext_sect, CONF *conf,
                   int verbose, unsigned long certopt, unsigned long nameopt,
                   int default_op, int ext_copy);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                        const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-                       TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+                       CA_DB *db, BIGNUM *serial, char *subj, int email_dn,
                        char *startdate, char *enddate, long days, int batch,
                        char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
                        unsigned long nameopt, int default_op, int ext_copy,
                        ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                         const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-                        TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+                        CA_DB *db, BIGNUM *serial,char *subj, int email_dn,
                         char *startdate, char *enddate, long days, char *ext_sect,
                         CONF *conf, int verbose, unsigned long certopt, 
                         unsigned long nameopt, int default_op, int ext_copy);
 static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-       STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
+       STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,
        int email_dn, char *startdate, char *enddate, long days, int batch,
                int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
        unsigned long certopt, unsigned long nameopt, int default_op,
        int ext_copy);
-static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
-static int get_certificate_status(const char *ser_status, TXT_DB *db);
-static int do_updatedb(TXT_DB *db);
+static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
+static int get_certificate_status(const char *ser_status, CA_DB *db);
+static int do_updatedb(CA_DB *db);
 static int check_time_format(char *str);
 char *make_revocation_str(int rev_type, char *rev_arg);
 int make_revoked(X509_REVOKED *rev, char *str);
@@ -259,11 +240,6 @@ static char *section=NULL;
 static int preserve=0;
 static int msie_hack=0;
 
-static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
-static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
-
 
 int MAIN(int, char **);
 
@@ -320,14 +296,13 @@ int MAIN(int argc, char **argv)
        X509 *x=NULL;
        BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
        char *dbfile=NULL;
-       TXT_DB *db=NULL;
+       CA_DB *db=NULL;
        X509_CRL *crl=NULL;
        X509_REVOKED *r=NULL;
        ASN1_TIME *tmptm;
        ASN1_INTEGER *tmpser;
        char **pp,*p,*f;
        int i,j;
-       long l;
        const EVP_MD *dgst=NULL;
        STACK_OF(CONF_VALUE) *attribs=NULL;
        STACK_OF(X509) *cert_sk=NULL;
@@ -339,6 +314,7 @@ int MAIN(int argc, char **argv)
        char *engine = NULL;
 #endif
        char *tofree=NULL;
+       DB_ATTR db_attr;
 
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -662,6 +638,39 @@ bad:
        if (randfile == NULL)
                ERR_clear_error();
        app_RAND_load_file(randfile, bio_err, 0);
+
+       db_attr.unique_subject = 1;
+       p = NCONF_get_string(conf, section, "unique_subject");
+       if (p)
+               {
+#ifdef RL_DEBUG
+               BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
+#endif
+               switch(*p)
+                       {
+               case 'f': /* false */
+               case 'F': /* FALSE */
+               case 'n': /* no */
+               case 'N': /* NO */
+                       db_attr.unique_subject = 0;
+                       break;
+               case 't': /* true */
+               case 'T': /* TRUE */
+               case 'y': /* yes */
+               case 'Y': /* YES */
+               default:
+                       db_attr.unique_subject = 1;
+                       break;
+                       }
+               }
+#ifdef RL_DEBUG
+       else
+               BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+#endif
+#ifdef RL_DEBUG
+       BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
+               db_attr.unique_subject);
+#endif
        
        in=BIO_new(BIO_s_file());
        out=BIO_new(BIO_s_file());
@@ -682,17 +691,10 @@ bad:
                        lookup_fail(section,ENV_DATABASE);
                        goto err;
                        }
-               if (BIO_read_filename(in,dbfile) <= 0)
-                       {
-                       perror(dbfile);
-                       BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-                       goto err;
-                       }
-               db=TXT_DB_read(in,DB_NUMBER);
+               db = load_index(dbfile,&db_attr);
                if (db == NULL) goto err;
 
-               if (!make_serial_index(db))
-                       goto err;
+               if (!index_index(db)) goto err;
 
                if (get_certificate_status(ser_status,db) != 1)
                        BIO_printf(bio_err,"Error verifying serial %s!\n",
@@ -852,19 +854,13 @@ bad:
                lookup_fail(section,ENV_DATABASE);
                goto err;
                }
-       if (BIO_read_filename(in,dbfile) <= 0)
-               {
-               perror(dbfile);
-               BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-               goto err;
-               }
-       db=TXT_DB_read(in,DB_NUMBER);
+       db = load_index(dbfile, &db_attr);
        if (db == NULL) goto err;
 
        /* Lets check some fields */
-       for (i=0; i<sk_num(db->data); i++)
+       for (i=0; i<sk_num(db->db->data); i++)
                {
-               pp=(char **)sk_value(db->data,i);
+               pp=(char **)sk_value(db->db->data,i);
                if ((pp[DB_type][0] != DB_TYPE_REV) &&
                        (pp[DB_rev_date][0] != '\0'))
                        {
@@ -915,23 +911,13 @@ bad:
                out = BIO_push(tmpbio, out);
                }
 #endif
-               TXT_DB_write(out,db);
+               TXT_DB_write(out,db->db);
                BIO_printf(bio_err,"%d entries loaded from the database\n",
-                       db->data->num);
+                       db->db->data->num);
                BIO_printf(bio_err,"generating index\n");
                }
        
-       if (!make_serial_index(db))
-               goto err;
-
-       if (!TXT_DB_create_index(db, DB_name, index_name_qual,
-                       LHASH_HASH_FN(index_name_hash),
-                       LHASH_COMP_FN(index_name_cmp)))
-               {
-               BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
-                       db->error,db->arg1,db->arg2);
-               goto err;
-               }
+       if (!index_index(db)) goto err;
 
        /*****************************************************************/
        /* Update the db file for expired certificates */
@@ -954,62 +940,9 @@ bad:
                        }
                else
                        {
-                       out = BIO_new(BIO_s_file());
-                       if (out == NULL)
-                               {
-                               ERR_print_errors(bio_err);
-                               goto err;
-                               }
-
-#ifndef OPENSSL_SYS_VMS
-                       j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile);
-#else
-                       j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile);
-#endif
-                       if (j < 0 || j >= sizeof buf[0])
-                               {
-                               BIO_printf(bio_err, "file name too long\n");
-                               goto err;
-                               }
-                       if (BIO_write_filename(out,buf[0]) <= 0)
-                               {
-                               perror(dbfile);
-                               BIO_printf(bio_err,"unable to open '%s'\n",
-                                                                       dbfile);
-                               goto err;
-                               }
-                       j=TXT_DB_write(out,db);
-                       if (j <= 0) goto err;
-                       
-                       BIO_free(out);
-                       out = NULL;
-#ifndef OPENSSL_SYS_VMS
-                       j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile);
-#else
-                       j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile);
-#endif
-                       if (j < 0 || j >= sizeof buf[1])
-                               {
-                               BIO_printf(bio_err, "file name too long\n");
-                               goto err;
-                               }
-                       if (rename(dbfile,buf[1]) < 0)
-                               {
-                               BIO_printf(bio_err,
-                                               "unable to rename %s to %s\n",
-                                               dbfile, buf[1]);
-                               perror("reason");
-                               goto err;
-                               }
-                       if (rename(buf[0],dbfile) < 0)
-                               {
-                               BIO_printf(bio_err,
-                                               "unable to rename %s to %s\n",
-                                               buf[0],dbfile);
-                               perror("reason");
-                               rename(buf[1],dbfile);
-                               goto err;
-                               }
+                       if (!save_index(dbfile,"new",db)) goto err;
+                               
+                       if (!rotate_index(dbfile,"new","old")) goto err;
                                
                        if (verbose) BIO_printf(bio_err,
                                "Done. %d entries marked as expired\n",i); 
@@ -1170,7 +1103,7 @@ bad:
                        goto err;
                        }
 
-               if ((serial=load_serial(serialfile)) == NULL)
+               if ((serial=load_serial(serialfile, 0, NULL)) == NULL)
                        {
                        BIO_printf(bio_err,"error while loading serial number\n");
                        goto err;
@@ -1304,38 +1237,9 @@ bad:
 
                        BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
 
-                       if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5)
-                               {
-                               BIO_printf(bio_err,"file name too long\n");
-                               goto err;
-                               }
-
-                       strcpy(buf[0],serialfile);
+                       if (!save_serial(serialfile,"new",serial,NULL)) goto err;
 
-#ifdef OPENSSL_SYS_VMS
-                       strcat(buf[0],"-new");
-#else
-                       BUF_strlcat(buf[0],".new",sizeof(buf[0]));
-#endif
-
-                       if (!save_serial(buf[0],serial)) goto err;
-
-                       strcpy(buf[1],dbfile);
-
-#ifdef OPENSSL_SYS_VMS
-                       strcat(buf[1],"-new");
-#else
-                       BUF_strlcat(buf[1],".new",sizeof(buf[1]));
-#endif
-
-                       if (BIO_write_filename(out,buf[1]) <= 0)
-                               {
-                               perror(dbfile);
-                               BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-                               goto err;
-                               }
-                       l=TXT_DB_write(out,db);
-                       if (l <= 0) goto err;
+                       if (!save_index(dbfile, "new", db)) goto err;
                        }
        
                if (verbose)
@@ -1397,59 +1301,10 @@ bad:
                if (sk_X509_num(cert_sk))
                        {
                        /* Rename the database and the serial file */
-                       strncpy(buf[2],serialfile,BSIZE-4);
-                       buf[2][BSIZE-4]='\0';
-
-#ifdef OPENSSL_SYS_VMS
-                       strcat(buf[2],"-old");
-#else
-                       BUF_strlcat(buf[2],".old",sizeof(buf[2]));
-#endif
+                       if (!rotate_serial(serialfile,"new","old")) goto err;
 
-                       BIO_free(in);
-                       BIO_free_all(out);
-                       in=NULL;
-                       out=NULL;
-                       if (rename(serialfile,buf[2]) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n",
-                                       serialfile,buf[2]);
-                               perror("reason");
-                               goto err;
-                               }
-                       if (rename(buf[0],serialfile) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n",
-                                       buf[0],serialfile);
-                               perror("reason");
-                               rename(buf[2],serialfile);
-                               goto err;
-                               }
+                       if (!rotate_index(dbfile,"new","old")) goto err;
 
-                       strncpy(buf[2],dbfile,BSIZE-4);
-                       buf[2][BSIZE-4]='\0';
-
-#ifdef OPENSSL_SYS_VMS
-                       strcat(buf[2],"-old");
-#else
-                       BUF_strlcat(buf[2],".old",sizeof(buf[2]));
-#endif
-
-                       if (rename(dbfile,buf[2]) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n",
-                                       dbfile,buf[2]);
-                               perror("reason");
-                               goto err;
-                               }
-                       if (rename(buf[1],dbfile) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n",
-                                       buf[1],dbfile);
-                               perror("reason");
-                               rename(buf[2],dbfile);
-                               goto err;
-                               }
                        BIO_printf(bio_err,"Data Base Updated\n");
                        }
                }
@@ -1508,9 +1363,9 @@ bad:
 
                ASN1_TIME_free(tmptm);
 
-               for (i=0; i<sk_num(db->data); i++)
+               for (i=0; i<sk_num(db->db->data); i++)
                        {
-                       pp=(char **)sk_value(db->data,i);
+                       pp=(char **)sk_value(db->db->data,i);
                        if (pp[DB_type][0] == DB_TYPE_REV)
                                {
                                if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1594,50 +1449,10 @@ bad:
                        if (j <= 0) goto err;
                        X509_free(revcert);
 
-                       if(strlen(dbfile) > BSIZE-5)
-                               {
-                               BIO_printf(bio_err,"filename too long\n");
-                               goto err;
-                               }
+                       if (!save_index(dbfile, "new", db)) goto err;
+
+                       if (!rotate_index(dbfile, "new", "old")) goto err;
 
-                       strcpy(buf[0],dbfile);
-#ifndef OPENSSL_SYS_VMS
-                       BUF_strlcat(buf[0],".new",sizeof(buf[0]));
-#else
-                       strcat(buf[0],"-new");
-#endif
-                       if (BIO_write_filename(out,buf[0]) <= 0)
-                               {
-                               perror(dbfile);
-                               BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-                               goto err;
-                               }
-                       j=TXT_DB_write(out,db);
-                       if (j <= 0) goto err;
-                       BIO_free_all(out);
-                       out = NULL;
-                       BIO_free_all(in);
-                       in = NULL;
-                       strncpy(buf[1],dbfile,BSIZE-4);
-                       buf[1][BSIZE-4]='\0';
-#ifndef OPENSSL_SYS_VMS
-                       BUF_strlcat(buf[1],".old",sizeof(buf[1]));
-#else
-                       strcat(buf[1],"-old");
-#endif
-                       if (rename(dbfile,buf[1]) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
-                               perror("reason");
-                               goto err;
-                               }
-                       if (rename(buf[0],dbfile) < 0)
-                               {
-                               BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
-                               perror("reason");
-                               rename(buf[1],dbfile);
-                               goto err;
-                               }
                        BIO_printf(bio_err,"Data Base Updated\n"); 
                        }
                }
@@ -1659,7 +1474,7 @@ err:
        if (free_key && key)
                OPENSSL_free(key);
        BN_free(serial);
-       TXT_DB_free(db);
+       free_index(db);
        EVP_PKEY_free(pkey);
        X509_free(x509);
        X509_CRL_free(crl);
@@ -1674,106 +1489,8 @@ static void lookup_fail(char *name, char *tag)
        BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
        }
 
-static unsigned long index_serial_hash(const char **a)
-       {
-       const char *n;
-
-       n=a[DB_serial];
-       while (*n == '0') n++;
-       return(lh_strhash(n));
-       }
-
-static int index_serial_cmp(const char **a, const char **b)
-       {
-       const char *aa,*bb;
-
-       for (aa=a[DB_serial]; *aa == '0'; aa++);
-       for (bb=b[DB_serial]; *bb == '0'; bb++);
-       return(strcmp(aa,bb));
-       }
-
-static unsigned long index_name_hash(const char **a)
-       { return(lh_strhash(a[DB_name])); }
-
-static int index_name_qual(char **a)
-       { return(a[0][0] == 'V'); }
-
-static int index_name_cmp(const char **a, const char **b)
-       { return(strcmp(a[DB_name],
-            b[DB_name])); }
-
-static BIGNUM *load_serial(char *serialfile)
-       {
-       BIO *in=NULL;
-       BIGNUM *ret=NULL;
-       MS_STATIC char buf[1024];
-       ASN1_INTEGER *ai=NULL;
-
-       if ((in=BIO_new(BIO_s_file())) == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto err;
-               }
-
-       if (BIO_read_filename(in,serialfile) <= 0)
-               {
-               perror(serialfile);
-               goto err;
-               }
-       ai=ASN1_INTEGER_new();
-       if (ai == NULL) goto err;
-       if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
-               {
-               BIO_printf(bio_err,"unable to load number from %s\n",
-                       serialfile);
-               goto err;
-               }
-       ret=ASN1_INTEGER_to_BN(ai,NULL);
-       if (ret == NULL)
-               {
-               BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
-               goto err;
-               }
-err:
-       if (in != NULL) BIO_free(in);
-       if (ai != NULL) ASN1_INTEGER_free(ai);
-       return(ret);
-       }
-
-static int save_serial(char *serialfile, BIGNUM *serial)
-       {
-       BIO *out;
-       int ret=0;
-       ASN1_INTEGER *ai=NULL;
-
-       out=BIO_new(BIO_s_file());
-       if (out == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto err;
-               }
-       if (BIO_write_filename(out,serialfile) <= 0)
-               {
-               perror(serialfile);
-               goto err;
-               }
-
-       if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
-               {
-               BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
-               goto err;
-               }
-       i2a_ASN1_INTEGER(out,ai);
-       BIO_puts(out,"\n");
-       ret=1;
-err:
-       if (out != NULL) BIO_free_all(out);
-       if (ai != NULL) ASN1_INTEGER_free(ai);
-       return(ret);
-       }
-
 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
             BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
             long days, int batch, char *ext_sect, CONF *lconf, int verbose,
             unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1835,7 +1552,7 @@ err:
        }
 
 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
             BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
             long days, int batch, char *ext_sect, CONF *lconf, int verbose,
             unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1889,7 +1606,7 @@ err:
        }
 
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-            STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
+            STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
             int email_dn, char *startdate, char *enddate, long days, int batch,
             int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
             unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1907,7 +1624,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        int ok= -1,i,j,last,nid;
        char *p;
        CONF_VALUE *cv;
-       char *row[DB_NUMBER],**rrow,**irow=NULL;
+       char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
        char buf[25];
 
        tmptm=ASN1_UTCTIME_new();
@@ -2144,15 +1861,19 @@ again2:
                goto err;
                }
 
-       rrow=TXT_DB_get_by_index(db,DB_name,row);
-       if (rrow != NULL)
+       if (db->attributes.unique_subject)
                {
-               BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
-                       row[DB_name]);
+               rrow=TXT_DB_get_by_index(db->db,DB_name,row);
+               if (rrow != NULL)
+                       {
+                       BIO_printf(bio_err,
+                               "ERROR:There is already a certificate for %s\n",
+                               row[DB_name]);
+                       }
                }
-       else
+       if (rrow == NULL)
                {
-               rrow=TXT_DB_get_by_index(db,DB_serial,row);
+               rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
                if (rrow != NULL)
                        {
                        BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
@@ -2376,10 +2097,10 @@ again2:
                }
        irow[DB_NUMBER]=NULL;
 
-       if (!TXT_DB_insert(db,irow))
+       if (!TXT_DB_insert(db->db,irow))
                {
                BIO_printf(bio_err,"failed to update database\n");
-               BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+               BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
                goto err;
                }
        ok=1;
@@ -2430,7 +2151,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
        }
 
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+            const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
             BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
             long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
             unsigned long nameopt, int default_op, int ext_copy)
@@ -2609,7 +2330,7 @@ static int check_time_format(char *str)
        return(ASN1_UTCTIME_check(&tm));
        }
 
-static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
+static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
        {
        ASN1_UTCTIME *tm=NULL;
        char *row[DB_NUMBER],**rrow,**irow;
@@ -2634,10 +2355,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
        /* We have to lookup by serial number because name lookup
         * skips revoked certs
         */
-       rrow=TXT_DB_get_by_index(db,DB_serial,row);
+       rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
        if (rrow == NULL)
                {
-               BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
+               BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);
 
                /* We now just add it to the database */
                row[DB_type]=(char *)OPENSSL_malloc(2);
@@ -2677,10 +2398,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
                        }
                irow[DB_NUMBER]=NULL;
 
-               if (!TXT_DB_insert(db,irow))
+               if (!TXT_DB_insert(db->db,irow))
                        {
                        BIO_printf(bio_err,"failed to update database\n");
-                       BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+                       BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
                        goto err;
                        }
 
@@ -2725,7 +2446,7 @@ err:
        return(ok);
        }
 
-static int get_certificate_status(const char *serial, TXT_DB *db)
+static int get_certificate_status(const char *serial, CA_DB *db)
        {
        char *row[DB_NUMBER],**rrow;
        int ok=-1,i;
@@ -2766,7 +2487,7 @@ static int get_certificate_status(const char *serial, TXT_DB *db)
        ok=1;
 
        /* Search for the certificate */
-       rrow=TXT_DB_get_by_index(db,DB_serial,row);
+       rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
        if (rrow == NULL)
                {
                BIO_printf(bio_err,"Serial %s not present in db.\n",
@@ -2813,7 +2534,7 @@ err:
        return(ok);
        }
 
-static int do_updatedb (TXT_DB *db)
+static int do_updatedb (CA_DB *db)
        {
        ASN1_UTCTIME    *a_tm = NULL;
        int i, cnt = 0;
@@ -2839,9 +2560,9 @@ static int do_updatedb (TXT_DB *db)
        else
                a_y2k = 0;
 
-       for (i = 0; i < sk_num(db->data); i++)
+       for (i = 0; i < sk_num(db->db->data); i++)
                {
-               rrow = (char **) sk_value(db->data, i);
+               rrow = (char **) sk_value(db->db->data, i);
 
                if (rrow[DB_type][0] == 'V')
                        {
@@ -3329,16 +3050,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G
        return ret;
        }
 
-int make_serial_index(TXT_DB *db)
-       {
-       if (!TXT_DB_create_index(db, DB_serial, NULL,
-                               LHASH_HASH_FN(index_serial_hash),
-                               LHASH_COMP_FN(index_serial_cmp)))
-               {
-               BIO_printf(bio_err,
-                 "error creating serial number index:(%ld,%ld,%ld)\n",
-                                       db->error,db->arg1,db->arg2);
-                       return 0;
-               }
-       return 1;
-       }
index e5f186fd5ea8e1193bb0cae22af2088fe2648aab..856b797b532e1406418442d8a2e935b95f969bcf 100644 (file)
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD    (5 * 60)
 
-/* CA index.txt definitions */
-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV    'R'
-#define DB_TYPE_EXP    'E'
-#define DB_TYPE_VAL    'V'
-
 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
                                STACK_OF(OCSP_CERTID) *ids);
 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
@@ -89,12 +76,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
                                STACK *names, STACK_OF(OCSP_CERTID) *ids,
                                long nsec, long maxage);
 
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
                        X509 *ca, X509 *rcert, EVP_PKEY *rkey,
                        STACK_OF(X509) *rother, unsigned long flags,
                        int nmin, int ndays);
 
-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser);
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
@@ -143,7 +130,7 @@ int MAIN(int argc, char **argv)
        X509 *rca_cert = NULL;
        char *ridx_filename = NULL;
        char *rca_filename = NULL;
-       TXT_DB *rdb = NULL;
+       CA_DB *rdb = NULL;
        int nmin = 0, ndays = -1;
 
        if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -700,22 +687,9 @@ int MAIN(int argc, char **argv)
 
        if (ridx_filename && !rdb)
                {
-               BIO *db_bio = NULL;
-               db_bio = BIO_new_file(ridx_filename, "r");
-               if (!db_bio)
-                       {
-                       BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename);
-                       goto end;
-                       }
-               rdb = TXT_DB_read(db_bio, DB_NUMBER);
-               BIO_free(db_bio);
-               if (!rdb)
-                       {
-                       BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename);
-                       goto end;
-                       }
-               if (!make_serial_index(rdb))
-                       goto end;
+               rdb = load_index(ridx_filename, NULL);
+               if (!rdb) goto end;
+               if (!index_index(rdb)) goto end;
                }
 
        if (rdb)
@@ -899,7 +873,7 @@ end:
        X509_free(cert);
        X509_free(rsigner);
        X509_free(rca_cert);
-       TXT_DB_free(rdb);
+       free_index(rdb);
        BIO_free_all(cbio);
        BIO_free_all(acbio);
        BIO_free(out);
@@ -1041,7 +1015,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
        }
 
 
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
                        X509 *ca, X509 *rcert, EVP_PKEY *rkey,
                        STACK_OF(X509) *rother, unsigned long flags,
                        int nmin, int ndays)
@@ -1133,7 +1107,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d
 
        }
 
-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
        {
        int i;
        BIGNUM *bn = NULL;
@@ -1146,7 +1120,7 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
                itmp = BN_bn2hex(bn);
        row[DB_serial] = itmp;
        BN_free(bn);
-       rrow=TXT_DB_get_by_index(db,DB_serial,row);
+       rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
        OPENSSL_free(itmp);
        return rrow;
        }
index eca51c3322803c21c213c72516126a869bbc7f80..2696044cf1d9bf0d028f5d6fd79e7e6c28544abe 100644 (file)
@@ -38,6 +38,8 @@ dir           = ./demoCA              # Where everything is kept
 certs          = $dir/certs            # Where the issued certs are kept
 crl_dir                = $dir/crl              # Where the issued crl are kept
 database       = $dir/index.txt        # database index file.
+#unique_subject        = no                    # Set to 'no' to allow creation of
+                                       # several ctificates with same subject.
 new_certs_dir  = $dir/newcerts         # default place for new certs.
 
 certificate    = $dir/cacert.pem       # The CA certificate
index 220fa3c9383b138678624cb2056db5e90d8d394f..58f89de58895bb72aa22e3157ec2c1b1d44734d3 100644 (file)
@@ -1022,12 +1022,11 @@ end:
        OPENSSL_EXIT(ret);
        }
 
-static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
+static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create)
        {
        char *buf = NULL, *p;
        MS_STATIC char buf2[1024];
-       ASN1_INTEGER *bs = NULL, *bs2 = NULL;
-       BIO *io = NULL;
+       ASN1_INTEGER *bs = NULL;
        BIGNUM *serial = NULL;
        size_t len;
 
@@ -1057,72 +1056,18 @@ static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
                goto end;
                }
 
-       io=BIO_new(BIO_s_file());
-       if (io == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-       
-       if (BIO_read_filename(io,buf) <= 0)
-               {
-               if (!create)
-                       {
-                       perror(buf);
-                       goto end;
-                       }
-               else
-                       {
-                       ASN1_INTEGER_set(bs,1);
-                       BN_one(serial);
-                       }
-               }
-       else 
-               {
-               if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2))
-                       {
-                       BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
-                       ERR_print_errors(bio_err);
-                       goto end;
-                       }
-               else
-                       {
-                       serial=BN_bin2bn(bs->data,bs->length,serial);
-                       if (serial == NULL)
-                               {
-                               BIO_printf(bio_err,"error converting bin 2 bn");
-                               goto end;
-                               }
-                       }
-               }
+       serial = load_serial(buf, create, NULL);
+       if (serial == NULL) goto end;
 
        if (!BN_add_word(serial,1))
                { BIO_printf(bio_err,"add_word failure\n"); goto end; }
-       if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL)))
-               { BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; }
-       if (BIO_write_filename(io,buf) <= 0)
-               {
-               BIO_printf(bio_err,"error attempting to write serial number file\n");
-               perror(buf);
-               goto end;
-               }
-       i2a_ASN1_INTEGER(io,bs2);
-       BIO_puts(io,"\n");
 
-       BIO_free(io);
-       if (buf) OPENSSL_free(buf);
-       ASN1_INTEGER_free(bs2);
-       BN_free(serial);
-       io=NULL;
-       return bs;
+       if (!save_serial(buf, NULL, serial, &bs)) goto end;
 
      end:
+ end:
        if (buf) OPENSSL_free(buf);
-       BIO_free(io);
-       ASN1_INTEGER_free(bs);
        BN_free(serial);
-       return NULL;
-
+       return bs;
        }
 
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
@@ -1144,7 +1089,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                goto end;
                }
        if (sno) bs = sno;
-       else if (!(bs = load_serial(CAfile, serialfile, create)))
+       else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
                goto end;
 
 /*     if (!X509_STORE_add_cert(ctx,x)) goto end;*/