version 1.32, 2021/07/15 11:43:27 |
version 1.33, 2021/07/15 12:41:49 |
|
|
} |
} |
ca_config.configfile = tofree; |
ca_config.configfile = tofree; |
} |
} |
BIO_printf(bio_err, "Using configuration from %s\n", ca_config.configfile); |
BIO_printf(bio_err, "Using configuration from %s\n", |
|
ca_config.configfile); |
conf = NCONF_new(NULL); |
conf = NCONF_new(NULL); |
if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) { |
if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) { |
if (errorline <= 0) |
if (errorline <= 0) |
|
|
|
|
/* Lets get the config section we are using */ |
/* Lets get the config section we are using */ |
if (ca_config.section == NULL) { |
if (ca_config.section == NULL) { |
ca_config.section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); |
ca_config.section = NCONF_get_string(conf, BASE_SECTION, |
|
ENV_DEFAULT_CA); |
if (ca_config.section == NULL) { |
if (ca_config.section == NULL) { |
lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); |
lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); |
goto err; |
goto err; |
|
|
/*****************************************************************/ |
/*****************************************************************/ |
/* we definitely need a private key, so let's get it */ |
/* we definitely need a private key, so let's get it */ |
|
|
if ((ca_config.keyfile == NULL) && ((ca_config.keyfile = NCONF_get_string(conf, |
if ((ca_config.keyfile == NULL) && |
ca_config.section, ENV_PRIVATE_KEY)) == NULL)) { |
((ca_config.keyfile = NCONF_get_string(conf, ca_config.section, |
|
ENV_PRIVATE_KEY)) == NULL)) { |
lookup_fail(ca_config.section, ENV_PRIVATE_KEY); |
lookup_fail(ca_config.section, ENV_PRIVATE_KEY); |
goto err; |
goto err; |
} |
} |
if (ca_config.key == NULL) { |
if (ca_config.key == NULL) { |
free_key = 1; |
free_key = 1; |
if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) { |
if (!app_passwd(bio_err, ca_config.passargin, NULL, |
|
&ca_config.key, NULL)) { |
BIO_printf(bio_err, "Error getting password\n"); |
BIO_printf(bio_err, "Error getting password\n"); |
goto err; |
goto err; |
} |
} |
} |
} |
pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key"); |
pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, |
|
ca_config.key, "CA private key"); |
if (ca_config.key != NULL) |
if (ca_config.key != NULL) |
explicit_bzero(ca_config.key, strlen(ca_config.key)); |
explicit_bzero(ca_config.key, strlen(ca_config.key)); |
if (pkey == NULL) { |
if (pkey == NULL) { |
|
|
} |
} |
/*****************************************************************/ |
/*****************************************************************/ |
/* we need a certificate */ |
/* we need a certificate */ |
if (!ca_config.selfsign || ca_config.spkac_file != NULL || ca_config.ss_cert_file != NULL || ca_config.gencrl) { |
if (!ca_config.selfsign || ca_config.spkac_file != NULL || |
|
ca_config.ss_cert_file != NULL || ca_config.gencrl) { |
if ((ca_config.certfile == NULL) && |
if ((ca_config.certfile == NULL) && |
((ca_config.certfile = NCONF_get_string(conf, |
((ca_config.certfile = NCONF_get_string(conf, |
ca_config.section, ENV_CERTIFICATE)) == NULL)) { |
ca_config.section, ENV_CERTIFICATE)) == NULL)) { |
|
|
/*****************************************************************/ |
/*****************************************************************/ |
/* lookup where to write new certificates */ |
/* lookup where to write new certificates */ |
if (ca_config.outdir == NULL && ca_config.req) { |
if (ca_config.outdir == NULL && ca_config.req) { |
if ((ca_config.outdir = NCONF_get_string(conf, ca_config.section, |
if ((ca_config.outdir = NCONF_get_string(conf, |
ENV_NEW_CERTS_DIR)) == NULL) { |
ca_config.section, ENV_NEW_CERTS_DIR)) == NULL) { |
BIO_printf(bio_err, "output directory %s not defined\n", |
BIO_printf(bio_err, "output directory %s not defined\n", |
ENV_NEW_CERTS_DIR); |
ENV_NEW_CERTS_DIR); |
goto err; |
goto err; |
|
|
} |
} |
/*****************************************************************/ |
/*****************************************************************/ |
/* we need to load the database file */ |
/* we need to load the database file */ |
if ((dbfile = NCONF_get_string(conf, ca_config.section, ENV_DATABASE)) == NULL) { |
if ((dbfile = NCONF_get_string(conf, ca_config.section, |
|
ENV_DATABASE)) == NULL) { |
lookup_fail(ca_config.section, ENV_DATABASE); |
lookup_fail(ca_config.section, ENV_DATABASE); |
goto err; |
goto err; |
} |
} |
|
|
pp = sk_OPENSSL_PSTRING_value(db->db->data, i); |
pp = sk_OPENSSL_PSTRING_value(db->db->data, i); |
if ((pp[DB_type][0] != DB_TYPE_REV) && |
if ((pp[DB_type][0] != DB_TYPE_REV) && |
(pp[DB_rev_date][0] != '\0')) { |
(pp[DB_rev_date][0] != '\0')) { |
BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1); |
BIO_printf(bio_err, |
|
"entry %d: not revoked yet, but has a revocation date\n", |
|
i + 1); |
goto err; |
goto err; |
} |
} |
if ((pp[DB_type][0] == DB_TYPE_REV) && |
if ((pp[DB_type][0] == DB_TYPE_REV) && |
|
|
if (!(((*p >= '0') && (*p <= '9')) || |
if (!(((*p >= '0') && (*p <= '9')) || |
((*p >= 'A') && (*p <= 'F')) || |
((*p >= 'A') && (*p <= 'F')) || |
((*p >= 'a') && (*p <= 'f')))) { |
((*p >= 'a') && (*p <= 'f')))) { |
BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p); |
BIO_printf(bio_err, |
|
"entry %d: bad serial number characters, char pos %ld, char is '%c'\n", |
|
i + 1, (long) (p - pp[DB_serial]), *p); |
goto err; |
goto err; |
} |
} |
p++; |
p++; |
} |
} |
} |
} |
if (ca_config.verbose) { |
if (ca_config.verbose) { |
BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */ |
BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
TXT_DB_write(out, db->db); |
TXT_DB_write(out, db->db); |
BIO_printf(bio_err, "%d entries loaded from the database\n", |
BIO_printf(bio_err, "%d entries loaded from the database\n", |
sk_OPENSSL_PSTRING_num(db->db->data)); |
sk_OPENSSL_PSTRING_num(db->db->data)); |
|
|
ca_config.extfile); |
ca_config.extfile); |
|
|
/* We can have sections in the ext file */ |
/* We can have sections in the ext file */ |
if (ca_config.extensions == NULL && (ca_config.extensions = NCONF_get_string(extconf, |
if (ca_config.extensions == NULL && |
"default", "extensions")) == NULL) |
(ca_config.extensions = NCONF_get_string(extconf, "default", |
|
"extensions")) == NULL) |
ca_config.extensions = "default"; |
ca_config.extensions = "default"; |
} |
} |
/*****************************************************************/ |
/*****************************************************************/ |
|
|
BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); |
} |
} |
} |
} |
if ((ca_config.md == NULL) && ((ca_config.md = NCONF_get_string(conf, ca_config.section, |
if ((ca_config.md == NULL) && |
|
((ca_config.md = NCONF_get_string(conf, ca_config.section, |
ENV_DEFAULT_MD)) == NULL)) { |
ENV_DEFAULT_MD)) == NULL)) { |
lookup_fail(ca_config.section, ENV_DEFAULT_MD); |
lookup_fail(ca_config.section, ENV_DEFAULT_MD); |
goto err; |
goto err; |
|
|
goto err; |
goto err; |
} |
} |
if (ca_config.req) { |
if (ca_config.req) { |
if ((ca_config.email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf, |
if ((ca_config.email_dn == 1) && |
ca_config.section, ENV_DEFAULT_EMAIL_DN)) != NULL)) { |
((tmp_email_dn = NCONF_get_string(conf, ca_config.section, |
|
ENV_DEFAULT_EMAIL_DN)) != NULL)) { |
if (strcmp(tmp_email_dn, "no") == 0) |
if (strcmp(tmp_email_dn, "no") == 0) |
ca_config.email_dn = 0; |
ca_config.email_dn = 0; |
} |
} |
if (ca_config.verbose) |
if (ca_config.verbose) |
BIO_printf(bio_err, "message digest is %s\n", |
BIO_printf(bio_err, "message digest is %s\n", |
OBJ_nid2ln(dgst->type)); |
OBJ_nid2ln(dgst->type)); |
if ((ca_config.policy == NULL) && ((ca_config.policy = NCONF_get_string(conf, |
if ((ca_config.policy == NULL) && |
|
((ca_config.policy = NCONF_get_string(conf, |
ca_config.section, ENV_POLICY)) == NULL)) { |
ca_config.section, ENV_POLICY)) == NULL)) { |
lookup_fail(ca_config.section, ENV_POLICY); |
lookup_fail(ca_config.section, ENV_POLICY); |
goto err; |
goto err; |
|
|
* the main configuration file |
* the main configuration file |
*/ |
*/ |
if (ca_config.extensions == NULL) { |
if (ca_config.extensions == NULL) { |
ca_config.extensions = NCONF_get_string(conf, ca_config.section, |
ca_config.extensions = NCONF_get_string(conf, |
ENV_EXTENSIONS); |
ca_config.section, ENV_EXTENSIONS); |
if (ca_config.extensions == NULL) |
if (ca_config.extensions == NULL) |
ERR_clear_error(); |
ERR_clear_error(); |
} |
} |
|
|
} |
} |
} |
} |
if (ca_config.startdate == NULL) { |
if (ca_config.startdate == NULL) { |
ca_config.startdate = NCONF_get_string(conf, ca_config.section, |
ca_config.startdate = NCONF_get_string(conf, |
ENV_DEFAULT_STARTDATE); |
ca_config.section, ENV_DEFAULT_STARTDATE); |
if (ca_config.startdate == NULL) |
if (ca_config.startdate == NULL) |
ERR_clear_error(); |
ERR_clear_error(); |
} |
} |
|
|
ca_config.startdate = "today"; |
ca_config.startdate = "today"; |
|
|
if (ca_config.enddate == NULL) { |
if (ca_config.enddate == NULL) { |
ca_config.enddate = NCONF_get_string(conf, ca_config.section, |
ca_config.enddate = NCONF_get_string(conf, |
ENV_DEFAULT_ENDDATE); |
ca_config.section, ENV_DEFAULT_ENDDATE); |
if (ca_config.enddate == NULL) |
if (ca_config.enddate == NULL) |
ERR_clear_error(); |
ERR_clear_error(); |
} |
} |
|
|
"cannot lookup how many days to certify for\n"); |
"cannot lookup how many days to certify for\n"); |
goto err; |
goto err; |
} |
} |
if ((serial = load_serial(serialfile, ca_config.create_serial, NULL)) == |
if ((serial = load_serial(serialfile, ca_config.create_serial, |
NULL) { |
NULL)) == NULL) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"error while loading serial number\n"); |
"error while loading serial number\n"); |
goto err; |
goto err; |
|
|
free(f); |
free(f); |
} |
} |
} |
} |
if ((attribs = NCONF_get_section(conf, ca_config.policy)) == NULL) { |
if ((attribs = NCONF_get_section(conf, ca_config.policy)) == |
BIO_printf(bio_err, |
NULL) { |
"unable to find 'section' for %s\n", ca_config.policy); |
BIO_printf(bio_err, "unable to find 'section' for %s\n", |
|
ca_config.policy); |
goto err; |
goto err; |
} |
} |
if ((cert_sk = sk_X509_new_null()) == NULL) { |
if ((cert_sk = sk_X509_new_null()) == NULL) { |
|
|
} |
} |
if (ca_config.spkac_file != NULL) { |
if (ca_config.spkac_file != NULL) { |
total++; |
total++; |
j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, dgst, |
j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, |
ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype, |
dgst, ca_config.sigopts, attribs, db, serial, |
ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, |
ca_config.subj, ca_config.chtype, |
ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
default_op, ext_copy); |
ca_config.startdate, ca_config.enddate, |
|
ca_config.days, ca_config.extensions, conf, |
|
ca_config.verbose, certopt, nameopt, default_op, |
|
ext_copy); |
if (j < 0) |
if (j < 0) |
goto err; |
goto err; |
if (j > 0) { |
if (j > 0) { |
|
|
} |
} |
if (ca_config.ss_cert_file != NULL) { |
if (ca_config.ss_cert_file != NULL) { |
total++; |
total++; |
j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, dgst, |
j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, |
ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype, |
dgst, ca_config.sigopts, attribs, db, serial, |
ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
default_op, ext_copy); |
ca_config.startdate, ca_config.enddate, |
|
ca_config.days, ca_config.batch, |
|
ca_config.extensions, conf, ca_config.verbose, |
|
certopt, nameopt, default_op, ext_copy); |
if (j < 0) |
if (j < 0) |
goto err; |
goto err; |
if (j > 0) { |
if (j > 0) { |
|
|
} |
} |
if (ca_config.infile != NULL) { |
if (ca_config.infile != NULL) { |
total++; |
total++; |
j = certify(&x, ca_config.infile, pkey, x509p, dgst, ca_config.sigopts, |
j = certify(&x, ca_config.infile, pkey, x509p, dgst, |
attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn, |
ca_config.sigopts, attribs, db, serial, |
ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
default_op, ext_copy, ca_config.selfsign); |
ca_config.startdate, ca_config.enddate, |
|
ca_config.days, ca_config.batch, |
|
ca_config.extensions, conf, ca_config.verbose, |
|
certopt, nameopt, default_op, ext_copy, |
|
ca_config.selfsign); |
if (j < 0) |
if (j < 0) |
goto err; |
goto err; |
if (j > 0) { |
if (j > 0) { |
|
|
} |
} |
for (i = 0; i < ca_config.infiles_num; i++) { |
for (i = 0; i < ca_config.infiles_num; i++) { |
total++; |
total++; |
j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, ca_config.sigopts, |
j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, |
attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn, |
ca_config.sigopts, attribs, db, serial, |
ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch, |
ca_config.subj, ca_config.chtype, |
ca_config.extensions, conf, ca_config.verbose, certopt, nameopt, |
ca_config.multirdn, ca_config.email_dn, |
default_op, ext_copy, ca_config.selfsign); |
ca_config.startdate, ca_config.enddate, |
|
ca_config.days, ca_config.batch, |
|
ca_config.extensions, conf, ca_config.verbose, |
|
certopt, nameopt, default_op, ext_copy, |
|
ca_config.selfsign); |
if (j < 0) |
if (j < 0) |
goto err; |
goto err; |
if (j > 0) { |
if (j > 0) { |
|
|
if (!ca_config.batch) { |
if (!ca_config.batch) { |
char answer[10]; |
char answer[10]; |
|
|
BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); |
BIO_printf(bio_err, |
|
"\n%d out of %d certificate requests certified, commit? [y/n]", |
|
total_done, total); |
(void) BIO_flush(bio_err); |
(void) BIO_flush(bio_err); |
if (fgets(answer, sizeof answer - 1, stdin) == NULL) { |
if (fgets(answer, sizeof answer - 1, stdin) == |
BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); |
NULL) { |
|
BIO_printf(bio_err, |
|
"CERTIFICATION CANCELED: I/O error\n"); |
ret = 0; |
ret = 0; |
goto err; |
goto err; |
} |
} |
if ((answer[0] != 'y') && (answer[0] != 'Y')) { |
if ((answer[0] != 'y') && (answer[0] != 'Y')) { |
BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); |
BIO_printf(bio_err, |
|
"CERTIFICATION CANCELED\n"); |
ret = 0; |
ret = 0; |
goto err; |
goto err; |
} |
} |
} |
} |
BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk)); |
BIO_printf(bio_err, |
|
"Write out database with %d new entries\n", |
|
sk_X509_num(cert_sk)); |
|
|
if (!save_serial(serialfile, "new", serial, NULL)) |
if (!save_serial(serialfile, "new", serial, NULL)) |
goto err; |
goto err; |
|
|
goto err; |
goto err; |
} |
} |
write_new_certificate(Cout, x, 0, ca_config.notext); |
write_new_certificate(Cout, x, 0, ca_config.notext); |
write_new_certificate(Sout, x, output_der, ca_config.notext); |
write_new_certificate(Sout, x, output_der, |
|
ca_config.notext); |
} |
} |
|
|
if (sk_X509_num(cert_sk)) { |
if (sk_X509_num(cert_sk)) { |
|
|
if (ca_config.gencrl) { |
if (ca_config.gencrl) { |
int crl_v2 = 0; |
int crl_v2 = 0; |
if (ca_config.crl_ext == NULL) { |
if (ca_config.crl_ext == NULL) { |
ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT); |
ca_config.crl_ext = NCONF_get_string(conf, |
|
ca_config.section, ENV_CRLEXT); |
if (ca_config.crl_ext == NULL) |
if (ca_config.crl_ext == NULL) |
ERR_clear_error(); |
ERR_clear_error(); |
} |
} |
|
|
X509V3_CTX ctx; |
X509V3_CTX ctx; |
X509V3_set_ctx_test(&ctx); |
X509V3_set_ctx_test(&ctx); |
X509V3_set_nconf(&ctx, conf); |
X509V3_set_nconf(&ctx, conf); |
if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, NULL)) { |
if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, |
|
NULL)) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Error Loading CRL extension section %s\n", |
"Error Loading CRL extension section %s\n", |
ca_config.crl_ext); |
ca_config.crl_ext); |
|
|
"error while loading CRL number\n"); |
"error while loading CRL number\n"); |
goto err; |
goto err; |
} |
} |
if (!ca_config.crldays && !ca_config.crlhours && !ca_config.crlsec) { |
if (!ca_config.crldays && !ca_config.crlhours && |
|
!ca_config.crlsec) { |
if (!NCONF_get_number(conf, ca_config.section, |
if (!NCONF_get_number(conf, ca_config.section, |
ENV_DEFAULT_CRL_DAYS, &ca_config.crldays)) |
ENV_DEFAULT_CRL_DAYS, &ca_config.crldays)) |
ca_config.crldays = 0; |
ca_config.crldays = 0; |
|
|
ca_config.crlhours = 0; |
ca_config.crlhours = 0; |
ERR_clear_error(); |
ERR_clear_error(); |
} |
} |
if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && (ca_config.crlsec == 0)) { |
if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && |
BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n"); |
(ca_config.crlsec == 0)) { |
|
BIO_printf(bio_err, |
|
"cannot lookup how long until the next CRL is issued\n"); |
goto err; |
goto err; |
} |
} |
if (ca_config.verbose) |
if (ca_config.verbose) |
|
|
X509_gmtime_adj(tmptm, 0); |
X509_gmtime_adj(tmptm, 0); |
X509_CRL_set_lastUpdate(crl, tmptm); |
X509_CRL_set_lastUpdate(crl, tmptm); |
if (X509_time_adj_ex(tmptm, ca_config.crldays, |
if (X509_time_adj_ex(tmptm, ca_config.crldays, |
ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == NULL) { |
ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) == |
|
NULL) { |
BIO_puts(bio_err, "error setting CRL nextUpdate\n"); |
BIO_puts(bio_err, "error setting CRL nextUpdate\n"); |
goto err; |
goto err; |
} |
} |
|
|
BN_free(crlnumber); |
BN_free(crlnumber); |
crlnumber = NULL; |
crlnumber = NULL; |
} |
} |
if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, ca_config.sigopts)) |
if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, |
|
ca_config.sigopts)) |
goto err; |
goto err; |
|
|
PEM_write_bio_X509_CRL(Sout, crl); |
PEM_write_bio_X509_CRL(Sout, crl); |
|
|
goto err; |
goto err; |
} else { |
} else { |
X509 *revcert; |
X509 *revcert; |
revcert = load_cert(bio_err, ca_config.infile, FORMAT_PEM, |
revcert = load_cert(bio_err, ca_config.infile, |
NULL, ca_config.infile); |
FORMAT_PEM, NULL, ca_config.infile); |
if (revcert == NULL) |
if (revcert == NULL) |
goto err; |
goto err; |
j = do_revoke(revcert, db, ca_config.rev_type, ca_config.rev_arg); |
j = do_revoke(revcert, db, ca_config.rev_type, |
|
ca_config.rev_arg); |
if (j <= 0) |
if (j <= 0) |
goto err; |
goto err; |
X509_free(revcert); |
X509_free(revcert); |
|
|
unsigned long certopt, unsigned long nameopt, int default_op, |
unsigned long certopt, unsigned long nameopt, int default_op, |
int ext_copy, int selfsign) |
int ext_copy, int selfsign) |
{ |
{ |
X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL; |
X509_NAME *name = NULL, *CAname = NULL; |
|
X509_NAME *subject = NULL, *dn_subject = NULL; |
ASN1_UTCTIME *tm, *tmptm; |
ASN1_UTCTIME *tm, *tmptm; |
ASN1_STRING *str, *str2; |
ASN1_STRING *str, *str2; |
ASN1_OBJECT *obj; |
ASN1_OBJECT *obj; |
|
|
/* check some things */ |
/* check some things */ |
if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && |
if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && |
(str->type != V_ASN1_IA5STRING)) { |
(str->type != V_ASN1_IA5STRING)) { |
BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n"); |
BIO_printf(bio_err, |
|
"\nemailAddress type needs to be of type IA5STRING\n"); |
goto err; |
goto err; |
} |
} |
if ((str->type != V_ASN1_BMPSTRING) && |
if ((str->type != V_ASN1_BMPSTRING) && |
|
|
(str->type != V_ASN1_T61STRING)) || |
(str->type != V_ASN1_T61STRING)) || |
((j == V_ASN1_IA5STRING) && |
((j == V_ASN1_IA5STRING) && |
(str->type == V_ASN1_PRINTABLESTRING))) { |
(str->type == V_ASN1_PRINTABLESTRING))) { |
BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n"); |
BIO_printf(bio_err, |
|
"\nThe string contains characters that are illegal for the ASN.1 type\n"); |
goto err; |
goto err; |
} |
} |
} |
} |
|
|
for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { |
for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { |
cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ |
cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ |
if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { |
if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { |
BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name); |
BIO_printf(bio_err, |
|
"%s:unknown object type in 'policy' configuration\n", |
|
cv->name); |
goto err; |
goto err; |
} |
} |
obj = OBJ_nid2obj(j); |
obj = OBJ_nid2obj(j); |
|
|
push = tne; |
push = tne; |
} else if (strcmp(cv->value, "supplied") == 0) { |
} else if (strcmp(cv->value, "supplied") == 0) { |
if (tne == NULL) { |
if (tne == NULL) { |
BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name); |
BIO_printf(bio_err, |
|
"The %s field needed to be supplied and was missing\n", |
|
cv->name); |
goto err; |
goto err; |
} else |
} else |
push = tne; |
push = tne; |
|
|
int last2; |
int last2; |
|
|
if (tne == NULL) { |
if (tne == NULL) { |
BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name); |
BIO_printf(bio_err, |
|
"The mandatory %s field was missing\n", |
|
cv->name); |
goto err; |
goto err; |
} |
} |
last2 = -1; |
last2 = -1; |
|
|
again2: |
again2: |
j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); |
j = X509_NAME_get_index_by_OBJ(CAname, obj, |
|
last2); |
if ((j < 0) && (last2 == -1)) { |
if ((j < 0) && (last2 == -1)) { |
BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name); |
BIO_printf(bio_err, |
|
"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", |
|
cv->name); |
goto err; |
goto err; |
} |
} |
if (j >= 0) { |
if (j >= 0) { |
|
|
goto again2; |
goto again2; |
} |
} |
if (j < 0) { |
if (j < 0) { |
BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data)); |
BIO_printf(bio_err, |
|
"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", |
|
cv->name, ((str2 == NULL) ? |
|
"NULL" : (char *) str2->data), |
|
((str == NULL) ? |
|
"NULL" : (char *) str->data)); |
goto err; |
goto err; |
} |
} |
} else { |
} else { |
BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value); |
BIO_printf(bio_err, |
|
"%s:invalid type in 'policy' configuration\n", |
|
cv->value); |
goto err; |
goto err; |
} |
} |
|
|
|
|
goto err; |
goto err; |
} |
} |
if (verbose) |
if (verbose) |
BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n"); |
BIO_printf(bio_err, |
|
"The subject name appears to be ok, checking data base for clashes\n"); |
|
|
/* Build the correct Subject if no email is wanted in the subject */ |
/* Build the correct Subject if no email is wanted in the subject */ |
/* |
/* |
|
|
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"ERROR:Serial number %s has already been issued,\n", |
"ERROR:Serial number %s has already been issued,\n", |
row[DB_serial]); |
row[DB_serial]); |
BIO_printf(bio_err, " check the database/serial_file for corruption\n"); |
BIO_printf(bio_err, |
|
" check the database/serial_file for corruption\n"); |
} |
} |
} |
} |
if (rrow != NULL) { |
if (rrow != NULL) { |
|
|
} |
} |
/* We are now totally happy, lets make and sign the certificate */ |
/* We are now totally happy, lets make and sign the certificate */ |
if (verbose) |
if (verbose) |
BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n"); |
BIO_printf(bio_err, |
|
"Everything appears to be ok, creating and signing the certificate\n"); |
|
|
if ((ret = X509_new()) == NULL) |
if ((ret = X509_new()) == NULL) |
goto err; |
goto err; |
|
|
goto err; |
goto err; |
} |
} |
if (verbose) |
if (verbose) |
BIO_printf(bio_err, "Successfully added extensions from file.\n"); |
BIO_printf(bio_err, |
|
"Successfully added extensions from file.\n"); |
} else if (ext_sect != NULL) { |
} else if (ext_sect != NULL) { |
/* We found extensions to be set from config file */ |
/* We found extensions to be set from config file */ |
X509V3_set_nconf(&ctx, lconf); |
X509V3_set_nconf(&ctx, lconf); |
|
|
goto err; |
goto err; |
} |
} |
if (verbose) |
if (verbose) |
BIO_printf(bio_err, "Successfully added extensions from config\n"); |
BIO_printf(bio_err, |
|
"Successfully added extensions from config\n"); |
} |
} |
} |
} |
/* Copy extensions from request (if any) */ |
/* Copy extensions from request (if any) */ |
|
|
if (strcmp(type, "SPKAC") == 0) { |
if (strcmp(type, "SPKAC") == 0) { |
spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); |
spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); |
if (spki == NULL) { |
if (spki == NULL) { |
BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n"); |
BIO_printf(bio_err, |
|
"unable to load Netscape SPKAC structure\n"); |
ERR_print_errors(bio_err); |
ERR_print_errors(bio_err); |
goto err; |
goto err; |
} |
} |