version 1.29, 2021/07/15 09:56:32 |
version 1.30, 2021/07/15 10:15:22 |
|
|
char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt, |
char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt, |
int default_op, int ext_copy, int selfsign); |
int default_op, int ext_copy, int selfsign); |
static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval); |
static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval); |
static int get_certificate_status(const char *ser_status, CA_DB * db); |
static int get_certificate_status(const char *serial, CA_DB * db); |
static int do_updatedb(CA_DB * db); |
static int do_updatedb(CA_DB * db); |
static int check_time_format(const char *str); |
static int check_time_format(const char *str); |
static char * bin2hex(unsigned char *, size_t); |
static char * bin2hex(unsigned char *, size_t); |
|
|
char *certfile; |
char *certfile; |
unsigned long chtype; |
unsigned long chtype; |
char *configfile; |
char *configfile; |
int create_ser; |
int create_serial; |
char *crl_ext; |
char *crl_ext; |
long crldays; |
long crldays; |
long crlhours; |
long crlhours; |
|
|
int req; |
int req; |
char *rev_arg; |
char *rev_arg; |
int rev_type; |
int rev_type; |
char *ser_status; |
char *serial_status; |
char *section; |
char *section; |
int selfsign; |
int selfsign; |
STACK_OF(OPENSSL_STRING) * sigopts; |
STACK_OF(OPENSSL_STRING) * sigopts; |
|
|
.name = "create_serial", |
.name = "create_serial", |
.desc = "If reading serial fails, create a new random serial", |
.desc = "If reading serial fails, create a new random serial", |
.type = OPTION_FLAG, |
.type = OPTION_FLAG, |
.opt.flag = &ca_config.create_ser, |
.opt.flag = &ca_config.create_serial, |
}, |
}, |
{ |
{ |
.name = "crl_CA_compromise", |
.name = "crl_CA_compromise", |
|
|
.argname = "serial", |
.argname = "serial", |
.desc = "Shows certificate status given the serial number", |
.desc = "Shows certificate status given the serial number", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ca_config.ser_status, |
.opt.arg = &ca_config.serial_status, |
}, |
}, |
{ |
{ |
.name = "subj", |
.name = "subj", |
|
|
X509_CRL *crl = NULL; |
X509_CRL *crl = NULL; |
X509_REVOKED *r = NULL; |
X509_REVOKED *r = NULL; |
ASN1_TIME *tmptm; |
ASN1_TIME *tmptm; |
ASN1_INTEGER *tmpser; |
ASN1_INTEGER *tmpserial; |
char *f; |
char *f; |
const char *p; |
const char *p; |
char *const * pp; |
char *const * pp; |
|
|
} |
} |
/*****************************************************************/ |
/*****************************************************************/ |
/* report status of cert with serial number given on command line */ |
/* report status of cert with serial number given on command line */ |
if (ca_config.ser_status) { |
if (ca_config.serial_status) { |
if ((dbfile = NCONF_get_string(conf, ca_config.section, |
if ((dbfile = NCONF_get_string(conf, ca_config.section, |
ENV_DATABASE)) == NULL) { |
ENV_DATABASE)) == NULL) { |
lookup_fail(ca_config.section, ENV_DATABASE); |
lookup_fail(ca_config.section, ENV_DATABASE); |
|
|
if (!index_index(db)) |
if (!index_index(db)) |
goto err; |
goto err; |
|
|
if (get_certificate_status(ca_config.ser_status, db) != 1) |
if (get_certificate_status(ca_config.serial_status, db) != 1) |
BIO_printf(bio_err, "Error verifying serial %s!\n", |
BIO_printf(bio_err, "Error verifying serial %s!\n", |
ca_config.ser_status); |
ca_config.serial_status); |
goto err; |
goto err; |
} |
} |
/*****************************************************************/ |
/*****************************************************************/ |
|
|
"cannot lookup how many days to certify for\n"); |
"cannot lookup how many days to certify for\n"); |
goto err; |
goto err; |
} |
} |
if ((serial = load_serial(serialfile, ca_config.create_ser, NULL)) == |
if ((serial = load_serial(serialfile, ca_config.create_serial, NULL)) == |
NULL) { |
NULL) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"error while loading serial number\n"); |
"error while loading serial number\n"); |
|
|
crl_v2 = 1; |
crl_v2 = 1; |
if (!BN_hex2bn(&serial, pp[DB_serial])) |
if (!BN_hex2bn(&serial, pp[DB_serial])) |
goto err; |
goto err; |
tmpser = BN_to_ASN1_INTEGER(serial, NULL); |
tmpserial = BN_to_ASN1_INTEGER(serial, NULL); |
BN_free(serial); |
BN_free(serial); |
serial = NULL; |
serial = NULL; |
if (!tmpser) |
if (!tmpserial) |
goto err; |
goto err; |
X509_REVOKED_set_serialNumber(r, tmpser); |
X509_REVOKED_set_serialNumber(r, tmpserial); |
ASN1_INTEGER_free(tmpser); |
ASN1_INTEGER_free(tmpserial); |
X509_CRL_add0_revoked(crl, r); |
X509_CRL_add0_revoked(crl, r); |
} |
} |
} |
} |
|
|
ca_config.crl_ext, crl)) |
ca_config.crl_ext, crl)) |
goto err; |
goto err; |
if (crlnumberfile != NULL) { |
if (crlnumberfile != NULL) { |
tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); |
tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL); |
if (!tmpser) |
if (!tmpserial) |
goto err; |
goto err; |
X509_CRL_add1_ext_i2d(crl, NID_crl_number, |
X509_CRL_add1_ext_i2d(crl, NID_crl_number, |
tmpser, 0, 0); |
tmpserial, 0, 0); |
ASN1_INTEGER_free(tmpser); |
ASN1_INTEGER_free(tmpserial); |
crl_v2 = 1; |
crl_v2 = 1; |
if (!BN_add_word(crlnumber, 1)) |
if (!BN_add_word(crlnumber, 1)) |
goto err; |
goto err; |
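Review bot: In the CRL-building hunk the results of `X509_REVOKED_set_serialNumber(r, tmpserial)` and `X509_CRL_add0_revoked(crl, r)` are discarded, so a failure there would silently drop a revoked certificate from the CRL while the code, as far as these lines show, carries on. Since the rename already touches these lines, consider checking both calls, e.g. `if (!X509_REVOKED_set_serialNumber(r, tmpserial)) { ASN1_INTEGER_free(tmpserial); goto err; }` and `if (!X509_CRL_add0_revoked(crl, r)) goto err;`. The same applies to `X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpserial, 0, 0)` in the last hunk, where an unnoticed failure would yield a CRL without its CRL number. The enclosing function starts and ends outside these hunks, so confirm that the `err` path frees `r` before adding the new exits.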