version 1.11, 2015/09/10 16:01:06 |
version 1.12, 2015/09/11 14:30:23 |
|
|
" -md arg - md to use, one of md2, md5, sha or sha1\n", |
" -md arg - md to use, one of md2, md5, sha or sha1\n", |
" -policy arg - The CA 'policy' to support\n", |
" -policy arg - The CA 'policy' to support\n", |
" -keyfile arg - private key file\n", |
" -keyfile arg - private key file\n", |
" -keyform arg - private key file format (PEM or ENGINE)\n", |
" -keyform arg - private key file format (PEM)\n", |
" -key arg - key to decode the private key if it is encrypted\n", |
" -key arg - key to decode the private key if it is encrypted\n", |
" -cert file - The CA certificate\n", |
" -cert file - The CA certificate\n", |
" -selfsign - sign a certificate with the key associated with it\n", |
" -selfsign - sign a certificate with the key associated with it\n", |
|
|
" -extensions .. - Extension section (override value in config file)\n", |
" -extensions .. - Extension section (override value in config file)\n", |
" -extfile file - Configuration file with X509v3 extentions to add\n", |
" -extfile file - Configuration file with X509v3 extentions to add\n", |
" -crlexts .. - CRL extension section (override value in config file)\n", |
" -crlexts .. - CRL extension section (override value in config file)\n", |
#ifndef OPENSSL_NO_ENGINE |
|
" -engine e - use engine e, possibly a hardware device.\n", |
|
#endif |
|
" -status serial - Shows certificate status given the serial number\n", |
" -status serial - Shows certificate status given the serial number\n", |
" -updatedb - Updates db for expired certificates\n", |
" -updatedb - Updates db for expired certificates\n", |
NULL |
NULL |
|
|
unsigned long chtype, int multirdn, int email_dn, char *startdate, |
unsigned long chtype, int multirdn, int email_dn, char *startdate, |
char *enddate, long days, int batch, char *ext_sect, CONF * conf, |
char *enddate, long days, int batch, char *ext_sect, CONF * conf, |
int verbose, unsigned long certopt, unsigned long nameopt, int default_op, |
int verbose, unsigned long certopt, unsigned long nameopt, int default_op, |
int ext_copy, ENGINE * e); |
int ext_copy); |
static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, |
static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, |
X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, |
X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, |
STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, |
STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, |
|
|
int |
int |
ca_main(int argc, char **argv) |
ca_main(int argc, char **argv) |
{ |
{ |
ENGINE *e = NULL; |
|
char *key = NULL, *passargin = NULL; |
char *key = NULL, *passargin = NULL; |
int create_ser = 0; |
int create_ser = 0; |
int free_key = 0; |
int free_key = 0; |
|
|
STACK_OF(OPENSSL_STRING) * sigopts = NULL; |
STACK_OF(OPENSSL_STRING) * sigopts = NULL; |
#define BUFLEN 256 |
#define BUFLEN 256 |
char buf[3][BUFLEN]; |
char buf[3][BUFLEN]; |
#ifndef OPENSSL_NO_ENGINE |
|
char *engine = NULL; |
|
#endif |
|
char *tofree = NULL; |
char *tofree = NULL; |
const char *errstr = NULL; |
const char *errstr = NULL; |
DB_ATTR db_attr; |
DB_ATTR db_attr; |
|
|
rev_arg = *(++argv); |
rev_arg = *(++argv); |
rev_type = REV_CA_COMPROMISE; |
rev_type = REV_CA_COMPROMISE; |
} |
} |
#ifndef OPENSSL_NO_ENGINE |
|
else if (strcmp(*argv, "-engine") == 0) { |
|
if (--argc < 1) |
|
goto bad; |
|
engine = *(++argv); |
|
} |
|
#endif |
|
else { |
else { |
bad: |
bad: |
if (errstr) |
if (errstr) |
|
|
free(tofree); |
free(tofree); |
tofree = NULL; |
tofree = NULL; |
|
|
#ifndef OPENSSL_NO_ENGINE |
|
e = setup_engine(bio_err, engine, 0); |
|
#endif |
|
|
|
/* Lets get the config section we are using */ |
/* Lets get the config section we are using */ |
if (section == NULL) { |
if (section == NULL) { |
section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); |
section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); |
|
|
goto err; |
goto err; |
} |
} |
} |
} |
pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key"); |
pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key"); |
if (key) |
if (key) |
explicit_bzero(key, strlen(key)); |
explicit_bzero(key, strlen(key)); |
if (pkey == NULL) { |
if (pkey == NULL) { |
|
|
lookup_fail(section, ENV_CERTIFICATE); |
lookup_fail(section, ENV_CERTIFICATE); |
goto err; |
goto err; |
} |
} |
x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, |
x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, |
"CA certificate"); |
"CA certificate"); |
if (x509 == NULL) |
if (x509 == NULL) |
goto err; |
goto err; |
|
|
sigopts, attribs, db, serial, subj, chtype, |
sigopts, attribs, db, serial, subj, chtype, |
multirdn, email_dn, startdate, enddate, days, batch, |
multirdn, email_dn, startdate, enddate, days, batch, |
extensions, conf, verbose, certopt, nameopt, |
extensions, conf, verbose, certopt, nameopt, |
default_op, ext_copy, e); |
default_op, ext_copy); |
if (j < 0) |
if (j < 0) |
goto err; |
goto err; |
if (j > 0) { |
if (j > 0) { |
|
|
} else { |
} else { |
X509 *revcert; |
X509 *revcert; |
revcert = load_cert(bio_err, infile, FORMAT_PEM, |
revcert = load_cert(bio_err, infile, FORMAT_PEM, |
NULL, e, infile); |
NULL, infile); |
if (revcert == NULL) |
if (revcert == NULL) |
goto err; |
goto err; |
j = do_revoke(revcert, db, rev_type, rev_arg); |
j = do_revoke(revcert, db, rev_type, rev_arg); |
|
|
unsigned long chtype, int multirdn, int email_dn, char *startdate, |
unsigned long chtype, int multirdn, int email_dn, char *startdate, |
char *enddate, long days, int batch, char *ext_sect, CONF * lconf, |
char *enddate, long days, int batch, char *ext_sect, CONF * lconf, |
int verbose, unsigned long certopt, unsigned long nameopt, int default_op, |
int verbose, unsigned long certopt, unsigned long nameopt, int default_op, |
int ext_copy, ENGINE * e) |
int ext_copy) |
{ |
{ |
X509 *req = NULL; |
X509 *req = NULL; |
X509_REQ *rreq = NULL; |
X509_REQ *rreq = NULL; |
EVP_PKEY *pktmp = NULL; |
EVP_PKEY *pktmp = NULL; |
int ok = -1, i; |
int ok = -1, i; |
|
|
if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, |
if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, |
infile)) == NULL) |
infile)) == NULL) |
goto err; |
goto err; |
if (verbose) |
if (verbose) |