| version 1.32, 2021/07/15 11:43:27 |
version 1.33, 2021/07/15 12:41:49 |
|
|
| } |
} |
| ca_config.configfile = tofree; |
ca_config.configfile = tofree; |
| } |
} |
| BIO_printf(bio_err, "Using configuration from %s\n", ca_config.configfile); |
BIO_printf(bio_err, "Using configuration from %s\n", |
| |
ca_config.configfile); |
| conf = NCONF_new(NULL); |
conf = NCONF_new(NULL); |
| if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) { |
if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) { |
| if (errorline <= 0) |
if (errorline <= 0) |
|
|
| |
|
| /* Lets get the config section we are using */ |
/* Lets get the config section we are using */ |
| if (ca_config.section == NULL) { |
if (ca_config.section == NULL) { |
| ca_config.section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); |
ca_config.section = NCONF_get_string(conf, BASE_SECTION, |
| |
ENV_DEFAULT_CA); |
| if (ca_config.section == NULL) { |
if (ca_config.section == NULL) { |
| lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); |
lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); |
| goto err; |
goto err; |
|
|
| /*****************************************************************/ |
/*****************************************************************/ |
| /* we definitely need a private key, so let's get it */ |
/* we definitely need a private key, so let's get it */ |
| |
|
| if ((ca_config.keyfile == NULL) && ((ca_config.keyfile = NCONF_get_string(conf, |
if ((ca_config.keyfile == NULL) && |
| ca_config.section, ENV_PRIVATE_KEY)) == NULL)) { |
((ca_config.keyfile = NCONF_get_string(conf, ca_config.section, |
| |
ENV_PRIVATE_KEY)) == NULL)) { |
| lookup_fail(ca_config.section, ENV_PRIVATE_KEY); |
lookup_fail(ca_config.section, ENV_PRIVATE_KEY); |
| goto err; |
goto err; |
| } |
} |
| if (ca_config.key == NULL) { |
if (ca_config.key == NULL) { |
| free_key = 1; |
free_key = 1; |
| if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) { |
if (!app_passwd(bio_err, ca_config.passargin, NULL, |
| |
&ca_config.key, NULL)) { |
| BIO_printf(bio_err, "Error getting password\n"); |
BIO_printf(bio_err, "Error getting password\n"); |
| goto err; |
goto err; |
| } |
} |
| } |
} |
| pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key"); |
pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, |
| |
ca_config.key, "CA private key"); |
| if (ca_config.key != NULL) |
if (ca_config.key != NULL) |
| explicit_bzero(ca_config.key, strlen(ca_config.key)); |
explicit_bzero(ca_config.key, strlen(ca_config.key)); |
| if (pkey == NULL) { |
if (pkey == NULL) { |
|
|
| } |
} |
| /*****************************************************************/ |
/*****************************************************************/ |
| /* we need a certificate */ |
/* we need a certificate */ |
| if (!ca_config.selfsign || ca_config.spkac_file != NULL || ca_config.ss_cert_file != NULL || ca_config.gencrl) { |
if (!ca_config.selfsign || ca_config.spkac_file != NULL || |
| |
ca_config.ss_cert_file != NULL || ca_config.gencrl) { |
| if ((ca_config.certfile == NULL) && |
if ((ca_config.certfile == NULL) && |
| ((ca_config.certfile = NCONF_get_string(conf, |
((ca_config.certfile = NCONF_get_string(conf, |
| ca_config.section, ENV_CERTIFICATE)) == NULL)) { |
ca_config.section, ENV_CERTIFICATE)) == NULL)) { |
|
|
| /*****************************************************************/ |
/*****************************************************************/ |
| /* lookup where to write new certificates */ |
/* lookup where to write new certificates */ |
| if (ca_config.outdir == NULL && ca_config.req) { |
if (ca_config.outdir == NULL && ca_config.req) { |
| if ((ca_config.outdir = NCONF_get_string(conf, ca_config.section, |
if ((ca_config.outdir = NCONF_get_string(conf, |
| ENV_NEW_CERTS_DIR)) == NULL) { |
ca_config.section, ENV_NEW_CERTS_DIR)) == NULL) { |
| BIO_printf(bio_err, "output directory %s not defined\n", |
BIO_printf(bio_err, "output directory %s not defined\n", |
| ENV_NEW_CERTS_DIR); |
ENV_NEW_CERTS_DIR); |
| goto err; |
goto err; |
|
|
| } |
} |
| /*****************************************************************/ |
/*****************************************************************/ |
| /* we need to load the database file */ |
/* we need to load the database file */ |
| if ((dbfile = NCONF_get_string(conf, ca_config.section, ENV_DATABASE)) == NULL) { |
if ((dbfile = NCONF_get_string(conf, ca_config.section, |
| |
ENV_DATABASE)) == NULL) { |
| lookup_fail(ca_config.section, ENV_DATABASE); |
lookup_fail(ca_config.section, ENV_DATABASE); |
| goto err; |
goto err; |
| } |
} |
|
|
| pp = sk_OPENSSL_PSTRING_value(db->db->data, i); |
pp = sk_OPENSSL_PSTRING_value(db->db->data, i); |
| if ((pp[DB_type][0] != DB_TYPE_REV) && |
if ((pp[DB_type][0] != DB_TYPE_REV) && |
| (pp[DB_rev_date][0] != '\0')) { |
(pp[DB_rev_date][0] != '\0')) { |
| BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1); |
BIO_printf(bio_err, |
| |
"entry %d: not revoked yet, but has a revocation date\n", |
| |
i + 1); |
| goto err; |
goto err; |
| } |
} |
| if ((pp[DB_type][0] == DB_TYPE_REV) && |
if ((pp[DB_type][0] == DB_TYPE_REV) && |
|
|
| if (!(((*p >= '0') && (*p <= '9')) || |
if (!(((*p >= '0') && (*p <= '9')) || |
| ((*p >= 'A') && (*p <= 'F')) || |
((*p >= 'A') && (*p <= 'F')) || |
| ((*p >= 'a') && (*p <= 'f')))) { |
((*p >= 'a') && (*p <= 'f')))) { |
| BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p); |
BIO_printf(bio_err, |
| |
"entry %d: bad serial number characters, char pos %ld, char is '%c'\n", |
| |
i + 1, (long) (p - pp[DB_serial]), *p); |
| goto err; |
goto err; |
| } |
} |
| p++; |
p++; |
| } |
} |
| } |
} |
| if (ca_config.verbose) { |
if (ca_config.verbose) { |
| BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */ |
BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
| TXT_DB_write(out, db->db); |
TXT_DB_write(out, db->db); |
| BIO_printf(bio_err, "%d entries loaded from the database\n", |
BIO_printf(bio_err, "%d entries loaded from the database\n", |
| sk_OPENSSL_PSTRING_num(db->db->data)); |
sk_OPENSSL_PSTRING_num(db->db->data)); |
|
|
| ca_config.extfile); |
ca_config.extfile); |
| |
|
| /* We can have sections in the ext file */ |
/* We can have sections in the ext file */ |
| if (ca_config.extensions == NULL && (ca_config.extensions = NCONF_get_string(extconf, |
if (ca_config.extensions == NULL && |
| "default", "extensions")) == NULL) |
(ca_config.extensions = NCONF_get_string(extconf, "default", |
| |
"extensions")) == NULL) |
| ca_config.extensions = "default"; |
ca_config.extensions = "default"; |
| } |
} |
| /*****************************************************************/ |
/*****************************************************************/ |
|
|
| BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
| } |
} |
| } |
} |
| if ((ca_config.md == NULL) && ((ca_config.md = NCONF_get_string(conf, ca_config.section, |
if ((ca_config.md == NULL) && |
| |
((ca_config.md = NCONF_get_string(conf, ca_config.section, |
| ENV_DEFAULT_MD)) == NULL)) { |
ENV_DEFAULT_MD)) == NULL)) { |
| lookup_fail(ca_config.section, ENV_DEFAULT_MD); |
lookup_fail(ca_config.section, ENV_DEFAULT_MD); |
| goto err; |
goto err; |
|
|
| goto err; |
goto err; |
| } |
} |
| if (ca_config.req) { |
if (ca_config.req) { |
| if ((ca_config.email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf, |
if ((ca_config.email_dn == 1) && |
| ca_config.section, ENV_DEFAULT_EMAIL_DN)) != NULL)) { |
((tmp_email_dn = NCONF_get_string(conf, ca_config.section, |
| |
ENV_DEFAULT_EMAIL_DN)) != NULL)) { |
| if (strcmp(tmp_email_dn, "no") == 0) |
if (strcmp(tmp_email_dn, "no") == 0) |
| ca_config.email_dn = 0; |
ca_config.email_dn = 0; |
| } |
} |
| if (ca_config.verbose) |
if (ca_config.verbose) |
| BIO_printf(bio_err, "message digest is %s\n", |
BIO_printf(bio_err, "message digest is %s\n", |
| OBJ_nid2ln(dgst->type)); |
OBJ_nid2ln(dgst->type)); |
| if ((ca_config.policy == NULL) && ((ca_config.policy = NCONF_get_string(conf, |
if ((ca_config.policy == NULL) && |
| |
((ca_config.policy = NCONF_get_string(conf, |
| ca_config.section, ENV_POLICY)) == NULL)) { |
ca_config.section, ENV_POLICY)) == NULL)) { |
| lookup_fail(ca_config.section, ENV_POLICY); |
lookup_fail(ca_config.section, ENV_POLICY); |
| goto err; |
goto err; |
|
|
| * the main configuration file |
* the main configuration file |
| */ |
*/ |
| if (ca_config.extensions == NULL) { |
if (ca_config.extensions == NULL) { |
| ca_config.extensions = NCONF_get_string(conf, ca_config.section, |
ca_config.extensions = NCONF_get_string(conf, |
| ENV_EXTENSIONS); |
ca_config.section, ENV_EXTENSIONS); |
| if (ca_config.extensions == NULL) |
if (ca_config.extensions == NULL) |
| ERR_clear_error(); |
ERR_clear_error(); |
| } |
} |
|
|
| } |
} |
| } |
} |
| if (ca_config.startdate == NULL) { |
if (ca_config.startdate == NULL) { |
| ca_config.startdate = NCONF_get_string(conf, ca_config.section, |
ca_config.startdate = NCONF_get_string(conf, |
| ENV_DEFAULT_STARTDATE); |
ca_config.section, ENV_DEFAULT_STARTDATE); |
| if (ca_config.startdate == NULL) |
if (ca_config.startdate == NULL) |
| ERR_clear_error(); |
ERR_clear_error(); |
| } |
} |
|
|
| ca_config.startdate = "today"; |
ca_config.startdate = "today"; |
| |
|
| if (ca_config.enddate == NULL) { |
if (ca_config.enddate == NULL) { |
| ca_config.enddate = NCONF_get_string(conf, ca_config.section, |
ca_config.enddate = NCONF_get_string(conf, |
| ENV_DEFAULT_ENDDATE); |
ca_config.section, ENV_DEFAULT_ENDDATE); |
| if (ca_config.enddate == NULL) |
if (ca_config.enddate == NULL) |
| ERR_clear_error(); |
ERR_clear_error(); |
| } |
} |
|
|
| "cannot lookup how many days to certify for\n"); |
"cannot lookup how many days to certify for\n"); |
| goto err; |
goto err; |
| } |
} |
| if ((serial = load_serial(serialfile, ca_config.create_serial, NULL)) == |
if ((serial = load_serial(serialfile, ca_config.create_serial, |
| NULL) { |
NULL)) == NULL) { |
| BIO_printf(bio_err, |
BIO_printf(bio_err, |
| "error while loading serial number\n"); |
"error while loading serial number\n"); |
| goto err; |
goto err; |
|
|
| free(f); |
free(f); |
| } |
} |
| } |
} |
| if ((attribs = NCONF_get_section(conf, ca_config.policy)) == NULL) { |
if ((attribs = NCONF_get_section(conf, ca_config.policy)) == |
| BIO_printf(bio_err, |
NULL) { |
| "unable to find 'section' for %s\n", ca_config.policy); |
BIO_printf(bio_err, "unable to find 'section' for %s\n", |
| |
ca_config.policy); |
| goto err; |
goto err; |
| } |
} |
| if ((cert_sk = sk_X509_new_null()) == NULL) { |
if ((cert_sk = sk_X509_new_null()) == NULL) { |
|
|
| } |
} |
| if (ca_config.spkac_file != NULL) { |
if (ca_config.spkac_file != NULL) { |
| total++; |
total++; |
| j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, dgst, |
j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, |
| ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype, |
dgst, ca_config.sigopts, attribs, db, serial, |
| ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, |
ca_config.subj, ca_config.chtype, |
| ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
| default_op, ext_copy); |
ca_config.startdate, ca_config.enddate, |
| |
ca_config.days, ca_config.extensions, conf, |
| |
ca_config.verbose, certopt, nameopt, default_op, |
| |
ext_copy); |
| if (j < 0) |
if (j < 0) |
| goto err; |
goto err; |
| if (j > 0) { |
if (j > 0) { |
|
|
| } |
} |
| if (ca_config.ss_cert_file != NULL) { |
if (ca_config.ss_cert_file != NULL) { |
| total++; |
total++; |
| j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, dgst, |
j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, |
| ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype, |
dgst, ca_config.sigopts, attribs, db, serial, |
| ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
| ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
| default_op, ext_copy); |
ca_config.startdate, ca_config.enddate, |
| |
ca_config.days, ca_config.batch, |
| |
ca_config.extensions, conf, ca_config.verbose, |
| |
certopt, nameopt, default_op, ext_copy); |
| if (j < 0) |
if (j < 0) |
| goto err; |
goto err; |
| if (j > 0) { |
if (j > 0) { |
|
|
| } |
} |
| if (ca_config.infile != NULL) { |
if (ca_config.infile != NULL) { |
| total++; |
total++; |
| j = certify(&x, ca_config.infile, pkey, x509p, dgst, ca_config.sigopts, |
j = certify(&x, ca_config.infile, pkey, x509p, dgst, |
| attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn, |
ca_config.sigopts, attribs, db, serial, |
| ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
| ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
| default_op, ext_copy, ca_config.selfsign); |
ca_config.startdate, ca_config.enddate, |
| |
ca_config.days, ca_config.batch, |
| |
ca_config.extensions, conf, ca_config.verbose, |
| |
certopt, nameopt, default_op, ext_copy, |
| |
ca_config.selfsign); |
| if (j < 0) |
if (j < 0) |
| goto err; |
goto err; |
| if (j > 0) { |
if (j > 0) { |
|
|
| } |
} |
| for (i = 0; i < ca_config.infiles_num; i++) { |
for (i = 0; i < ca_config.infiles_num; i++) { |
| total++; |
total++; |
| j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, ca_config.sigopts, |
j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, |
| attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn, |
ca_config.sigopts, attribs, db, serial, |
| ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
| ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
| default_op, ext_copy, ca_config.selfsign); |
ca_config.startdate, ca_config.enddate, |
| |
ca_config.days, ca_config.batch, |
| |
ca_config.extensions, conf, ca_config.verbose, |
| |
certopt, nameopt, default_op, ext_copy, |
| |
ca_config.selfsign); |
| if (j < 0) |
if (j < 0) |
| goto err; |
goto err; |
| if (j > 0) { |
if (j > 0) { |
|
|
| if (!ca_config.batch) { |
if (!ca_config.batch) { |
| char answer[10]; |
char answer[10]; |
| |
|
| BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); |
BIO_printf(bio_err, |
| |
"\n%d out of %d certificate requests certified, commit? [y/n]", |
| |
total_done, total); |
| (void) BIO_flush(bio_err); |
(void) BIO_flush(bio_err); |
| if (fgets(answer, sizeof answer - 1, stdin) == NULL) { |
if (fgets(answer, sizeof answer - 1, stdin) == |
| BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); |
NULL) { |
| |
BIO_printf(bio_err, |
| |
"CERTIFICATION CANCELED: I/O error\n"); |
| ret = 0; |
ret = 0; |
| goto err; |
goto err; |
| } |
} |
| if ((answer[0] != 'y') && (answer[0] != 'Y')) { |
if ((answer[0] != 'y') && (answer[0] != 'Y')) { |
| BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); |
BIO_printf(bio_err, |
| |
"CERTIFICATION CANCELED\n"); |
| ret = 0; |
ret = 0; |
| goto err; |
goto err; |
| } |
} |
| } |
} |
| BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk)); |
BIO_printf(bio_err, |
| |
"Write out database with %d new entries\n", |
| |
sk_X509_num(cert_sk)); |
| |
|
| if (!save_serial(serialfile, "new", serial, NULL)) |
if (!save_serial(serialfile, "new", serial, NULL)) |
| goto err; |
goto err; |
|
|
| goto err; |
goto err; |
| } |
} |
| write_new_certificate(Cout, x, 0, ca_config.notext); |
write_new_certificate(Cout, x, 0, ca_config.notext); |
| write_new_certificate(Sout, x, output_der, ca_config.notext); |
write_new_certificate(Sout, x, output_der, |
| |
ca_config.notext); |
| } |
} |
| |
|
| if (sk_X509_num(cert_sk)) { |
if (sk_X509_num(cert_sk)) { |
|
|
| if (ca_config.gencrl) { |
if (ca_config.gencrl) { |
| int crl_v2 = 0; |
int crl_v2 = 0; |
| if (ca_config.crl_ext == NULL) { |
if (ca_config.crl_ext == NULL) { |
| ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT); |
ca_config.crl_ext = NCONF_get_string(conf, |
| |
ca_config.section, ENV_CRLEXT); |
| if (ca_config.crl_ext == NULL) |
if (ca_config.crl_ext == NULL) |
| ERR_clear_error(); |
ERR_clear_error(); |
| } |
} |
|
|
| X509V3_CTX ctx; |
X509V3_CTX ctx; |
| X509V3_set_ctx_test(&ctx); |
X509V3_set_ctx_test(&ctx); |
| X509V3_set_nconf(&ctx, conf); |
X509V3_set_nconf(&ctx, conf); |
| if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, NULL)) { |
if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, |
| |
NULL)) { |
| BIO_printf(bio_err, |
BIO_printf(bio_err, |
| "Error Loading CRL extension section %s\n", |
"Error Loading CRL extension section %s\n", |
| ca_config.crl_ext); |
ca_config.crl_ext); |
|
|
| "error while loading CRL number\n"); |
"error while loading CRL number\n"); |
| goto err; |
goto err; |
| } |
} |
| if (!ca_config.crldays && !ca_config.crlhours && !ca_config.crlsec) { |
if (!ca_config.crldays && !ca_config.crlhours && |
| |
!ca_config.crlsec) { |
| if (!NCONF_get_number(conf, ca_config.section, |
if (!NCONF_get_number(conf, ca_config.section, |
| ENV_DEFAULT_CRL_DAYS, &ca_config.crldays)) |
ENV_DEFAULT_CRL_DAYS, &ca_config.crldays)) |
| ca_config.crldays = 0; |
ca_config.crldays = 0; |
|
|
| ca_config.crlhours = 0; |
ca_config.crlhours = 0; |
| ERR_clear_error(); |
ERR_clear_error(); |
| } |
} |
| if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && (ca_config.crlsec == 0)) { |
if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && |
| BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n"); |
(ca_config.crlsec == 0)) { |
| |
BIO_printf(bio_err, |
| |
"cannot lookup how long until the next CRL is issued\n"); |
| goto err; |
goto err; |
| } |
} |
| if (ca_config.verbose) |
if (ca_config.verbose) |
|
|
| X509_gmtime_adj(tmptm, 0); |
X509_gmtime_adj(tmptm, 0); |
| X509_CRL_set_lastUpdate(crl, tmptm); |
X509_CRL_set_lastUpdate(crl, tmptm); |
| if (X509_time_adj_ex(tmptm, ca_config.crldays, |
if (X509_time_adj_ex(tmptm, ca_config.crldays, |
| ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == NULL) { |
ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == |
| |
NULL) { |
| BIO_puts(bio_err, "error setting CRL nextUpdate\n"); |
BIO_puts(bio_err, "error setting CRL nextUpdate\n"); |
| goto err; |
goto err; |
| } |
} |
|
|
| BN_free(crlnumber); |
BN_free(crlnumber); |
| crlnumber = NULL; |
crlnumber = NULL; |
| } |
} |
| if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, ca_config.sigopts)) |
if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, |
| |
ca_config.sigopts)) |
| goto err; |
goto err; |
| |
|
| PEM_write_bio_X509_CRL(Sout, crl); |
PEM_write_bio_X509_CRL(Sout, crl); |
|
|
| goto err; |
goto err; |
| } else { |
} else { |
| X509 *revcert; |
X509 *revcert; |
| revcert = load_cert(bio_err, ca_config.infile, FORMAT_PEM, |
revcert = load_cert(bio_err, ca_config.infile, |
| NULL, ca_config.infile); |
FORMAT_PEM, NULL, ca_config.infile); |
| if (revcert == NULL) |
if (revcert == NULL) |
| goto err; |
goto err; |
| j = do_revoke(revcert, db, ca_config.rev_type, ca_config.rev_arg); |
j = do_revoke(revcert, db, ca_config.rev_type, |
| |
ca_config.rev_arg); |
| if (j <= 0) |
if (j <= 0) |
| goto err; |
goto err; |
| X509_free(revcert); |
X509_free(revcert); |
|
|
| unsigned long certopt, unsigned long nameopt, int default_op, |
unsigned long certopt, unsigned long nameopt, int default_op, |
| int ext_copy, int selfsign) |
int ext_copy, int selfsign) |
| { |
{ |
| X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL; |
X509_NAME *name = NULL, *CAname = NULL; |
| |
X509_NAME *subject = NULL, *dn_subject = NULL; |
| ASN1_UTCTIME *tm, *tmptm; |
ASN1_UTCTIME *tm, *tmptm; |
| ASN1_STRING *str, *str2; |
ASN1_STRING *str, *str2; |
| ASN1_OBJECT *obj; |
ASN1_OBJECT *obj; |
|
|
| /* check some things */ |
/* check some things */ |
| if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && |
if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && |
| (str->type != V_ASN1_IA5STRING)) { |
(str->type != V_ASN1_IA5STRING)) { |
| BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n"); |
BIO_printf(bio_err, |
| |
"\nemailAddress type needs to be of type IA5STRING\n"); |
| goto err; |
goto err; |
| } |
} |
| if ((str->type != V_ASN1_BMPSTRING) && |
if ((str->type != V_ASN1_BMPSTRING) && |
|
|
| (str->type != V_ASN1_T61STRING)) || |
(str->type != V_ASN1_T61STRING)) || |
| ((j == V_ASN1_IA5STRING) && |
((j == V_ASN1_IA5STRING) && |
| (str->type == V_ASN1_PRINTABLESTRING))) { |
(str->type == V_ASN1_PRINTABLESTRING))) { |
| BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n"); |
BIO_printf(bio_err, |
| |
"\nThe string contains characters that are illegal for the ASN.1 type\n"); |
| goto err; |
goto err; |
| } |
} |
| } |
} |
|
|
| for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { |
for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { |
| cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ |
cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ |
| if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { |
if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { |
| BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name); |
BIO_printf(bio_err, |
| |
"%s:unknown object type in 'policy' configuration\n", |
| |
cv->name); |
| goto err; |
goto err; |
| } |
} |
| obj = OBJ_nid2obj(j); |
obj = OBJ_nid2obj(j); |
|
|
| push = tne; |
push = tne; |
| } else if (strcmp(cv->value, "supplied") == 0) { |
} else if (strcmp(cv->value, "supplied") == 0) { |
| if (tne == NULL) { |
if (tne == NULL) { |
| BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name); |
BIO_printf(bio_err, |
| |
"The %s field needed to be supplied and was missing\n", |
| |
cv->name); |
| goto err; |
goto err; |
| } else |
} else |
| push = tne; |
push = tne; |
|
|
| int last2; |
int last2; |
| |
|
| if (tne == NULL) { |
if (tne == NULL) { |
| BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name); |
BIO_printf(bio_err, |
| |
"The mandatory %s field was missing\n", |
| |
cv->name); |
| goto err; |
goto err; |
| } |
} |
| last2 = -1; |
last2 = -1; |
| |
|
| again2: |
again2: |
| j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); |
j = X509_NAME_get_index_by_OBJ(CAname, obj, |
| |
last2); |
| if ((j < 0) && (last2 == -1)) { |
if ((j < 0) && (last2 == -1)) { |
| BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name); |
BIO_printf(bio_err, |
| |
"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", |
| |
cv->name); |
| goto err; |
goto err; |
| } |
} |
| if (j >= 0) { |
if (j >= 0) { |
|
|
| goto again2; |
goto again2; |
| } |
} |
| if (j < 0) { |
if (j < 0) { |
| BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data)); |
BIO_printf(bio_err, |
| |
"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", |
| |
cv->name, ((str2 == NULL) ? |
| |
"NULL" : (char *) str2->data), |
| |
((str == NULL) ? |
| |
"NULL" : (char *) str->data)); |
| goto err; |
goto err; |
| } |
} |
| } else { |
} else { |
| BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value); |
BIO_printf(bio_err, |
| |
"%s:invalid type in 'policy' configuration\n", |
| |
cv->value); |
| goto err; |
goto err; |
| } |
} |
| |
|
|
|
| goto err; |
goto err; |
| } |
} |
| if (verbose) |
if (verbose) |
| BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n"); |
BIO_printf(bio_err, |
| |
"The subject name appears to be ok, checking data base for clashes\n"); |
| |
|
| /* Build the correct Subject if no email is wanted in the subject */ |
/* Build the correct Subject if no email is wanted in the subject */ |
| /* |
/* |
|
|
| BIO_printf(bio_err, |
BIO_printf(bio_err, |
| "ERROR:Serial number %s has already been issued,\n", |
"ERROR:Serial number %s has already been issued,\n", |
| row[DB_serial]); |
row[DB_serial]); |
| BIO_printf(bio_err, " check the database/serial_file for corruption\n"); |
BIO_printf(bio_err, |
| |
" check the database/serial_file for corruption\n"); |
| } |
} |
| } |
} |
| if (rrow != NULL) { |
if (rrow != NULL) { |
|
|
| } |
} |
| /* We are now totally happy, lets make and sign the certificate */ |
/* We are now totally happy, lets make and sign the certificate */ |
| if (verbose) |
if (verbose) |
| BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n"); |
BIO_printf(bio_err, |
| |
"Everything appears to be ok, creating and signing the certificate\n"); |
| |
|
| if ((ret = X509_new()) == NULL) |
if ((ret = X509_new()) == NULL) |
| goto err; |
goto err; |
|
|
| goto err; |
goto err; |
| } |
} |
| if (verbose) |
if (verbose) |
| BIO_printf(bio_err, "Successfully added extensions from file.\n"); |
BIO_printf(bio_err, |
| |
"Successfully added extensions from file.\n"); |
| } else if (ext_sect != NULL) { |
} else if (ext_sect != NULL) { |
| /* We found extensions to be set from config file */ |
/* We found extensions to be set from config file */ |
| X509V3_set_nconf(&ctx, lconf); |
X509V3_set_nconf(&ctx, lconf); |
|
|
| goto err; |
goto err; |
| } |
} |
| if (verbose) |
if (verbose) |
| BIO_printf(bio_err, "Successfully added extensions from config\n"); |
BIO_printf(bio_err, |
| |
"Successfully added extensions from config\n"); |
| } |
} |
| } |
} |
| /* Copy extensions from request (if any) */ |
/* Copy extensions from request (if any) */ |
|
|
| if (strcmp(type, "SPKAC") == 0) { |
if (strcmp(type, "SPKAC") == 0) { |
| spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); |
spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); |
| if (spki == NULL) { |
if (spki == NULL) { |
| BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n"); |
BIO_printf(bio_err, |
| |
"unable to load Netscape SPKAC structure\n"); |
| ERR_print_errors(bio_err); |
ERR_print_errors(bio_err); |
| goto err; |
goto err; |
| } |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to ca.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / openssl