Annotation of src/usr.bin/openssl/ca.c, Revision 1.10
1.10 ! lteo 1: /* $OpenBSD: ca.c,v 1.9 2015/08/22 16:36:05 jsing Exp $ */
1.1 jsing 2: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3: * All rights reserved.
4: *
5: * This package is an SSL implementation written
6: * by Eric Young (eay@cryptsoft.com).
7: * The implementation was written so as to conform with Netscapes SSL.
8: *
9: * This library is free for commercial and non-commercial use as long as
10: * the following conditions are aheared to. The following conditions
11: * apply to all code found in this distribution, be it the RC4, RSA,
12: * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13: * included with this distribution is covered by the same copyright terms
14: * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15: *
16: * Copyright remains Eric Young's, and as such any Copyright notices in
17: * the code are not to be removed.
18: * If this package is used in a product, Eric Young should be given attribution
19: * as the author of the parts of the library used.
20: * This can be in the form of a textual message at program startup or
21: * in documentation (online or textual) provided with the package.
22: *
23: * Redistribution and use in source and binary forms, with or without
24: * modification, are permitted provided that the following conditions
25: * are met:
26: * 1. Redistributions of source code must retain the copyright
27: * notice, this list of conditions and the following disclaimer.
28: * 2. Redistributions in binary form must reproduce the above copyright
29: * notice, this list of conditions and the following disclaimer in the
30: * documentation and/or other materials provided with the distribution.
31: * 3. All advertising materials mentioning features or use of this software
32: * must display the following acknowledgement:
33: * "This product includes cryptographic software written by
34: * Eric Young (eay@cryptsoft.com)"
35: * The word 'cryptographic' can be left out if the rouines from the library
36: * being used are not cryptographic related :-).
37: * 4. If you include any Windows specific code (or a derivative thereof) from
38: * the apps directory (application code) you must include an acknowledgement:
39: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40: *
41: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51: * SUCH DAMAGE.
52: *
53: * The licence and distribution terms for any publically available version or
54: * derivative of this code cannot be changed. i.e. this code cannot simply be
55: * copied and put under another distribution licence
56: * [including the GNU Public Licence.]
57: */
58:
59: /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60:
61: #include <sys/types.h>
62:
63: #include <ctype.h>
64: #include <stdio.h>
65: #include <stdlib.h>
66: #include <limits.h>
67: #include <string.h>
68: #include <unistd.h>
69:
70: #include "apps.h"
71:
72: #include <openssl/bio.h>
73: #include <openssl/bn.h>
74: #include <openssl/conf.h>
75: #include <openssl/err.h>
76: #include <openssl/evp.h>
77: #include <openssl/objects.h>
78: #include <openssl/ocsp.h>
79: #include <openssl/pem.h>
80: #include <openssl/txt_db.h>
81: #include <openssl/x509.h>
82: #include <openssl/x509v3.h>
83:
84: #define BASE_SECTION "ca"
85:
86: #define ENV_DEFAULT_CA "default_ca"
87:
88: #define STRING_MASK "string_mask"
89: #define UTF8_IN "utf8"
90:
91: #define ENV_NEW_CERTS_DIR "new_certs_dir"
92: #define ENV_CERTIFICATE "certificate"
93: #define ENV_SERIAL "serial"
94: #define ENV_CRLNUMBER "crlnumber"
95: #define ENV_PRIVATE_KEY "private_key"
96: #define ENV_DEFAULT_DAYS "default_days"
97: #define ENV_DEFAULT_STARTDATE "default_startdate"
98: #define ENV_DEFAULT_ENDDATE "default_enddate"
99: #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
100: #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
101: #define ENV_DEFAULT_MD "default_md"
102: #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
103: #define ENV_PRESERVE "preserve"
104: #define ENV_POLICY "policy"
105: #define ENV_EXTENSIONS "x509_extensions"
106: #define ENV_CRLEXT "crl_extensions"
107: #define ENV_MSIE_HACK "msie_hack"
108: #define ENV_NAMEOPT "name_opt"
109: #define ENV_CERTOPT "cert_opt"
110: #define ENV_EXTCOPY "copy_extensions"
111: #define ENV_UNIQUE_SUBJECT "unique_subject"
112:
113: #define ENV_DATABASE "database"
114:
115: /* Additional revocation information types */
116:
117: #define REV_NONE 0 /* No addditional information */
118: #define REV_CRL_REASON 1 /* Value is CRL reason code */
119: #define REV_HOLD 2 /* Value is hold instruction */
120: #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121: #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122:
123: static const char *ca_usage[] = {
124: "usage: ca args\n",
125: "\n",
126: " -verbose - Talk a lot while doing things\n",
127: " -config file - A config file\n",
128: " -name arg - The particular CA definition to use\n",
129: " -gencrl - Generate a new CRL\n",
130: " -crldays days - Days is when the next CRL is due\n",
131: " -crlhours hours - Hours is when the next CRL is due\n",
132: " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
133: " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
134: " -days arg - number of days to certify the certificate for\n",
135: " -md arg - md to use, one of md2, md5, sha or sha1\n",
136: " -policy arg - The CA 'policy' to support\n",
137: " -keyfile arg - private key file\n",
138: " -keyform arg - private key file format (PEM or ENGINE)\n",
139: " -key arg - key to decode the private key if it is encrypted\n",
140: " -cert file - The CA certificate\n",
141: " -selfsign - sign a certificate with the key associated with it\n",
142: " -in file - The input PEM encoded certificate request(s)\n",
143: " -out file - Where to put the output file(s)\n",
144: " -outdir dir - Where to put output certificates\n",
145: " -infiles .... - The last argument, requests to process\n",
146: " -spkac file - File contains DN and signed public key and challenge\n",
147: " -ss_cert file - File contains a self signed cert to sign\n",
148: " -preserveDN - Don't re-order the DN\n",
149: " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
150: " -batch - Don't ask questions\n",
151: " -msie_hack - msie modifications to handle all those universal strings\n",
152: " -revoke file - Revoke a certificate (given in file)\n",
153: " -subj arg - Use arg instead of request's subject\n",
154: " -utf8 - input characters are UTF8 (default ASCII)\n",
155: " -multivalue-rdn - enable support for multivalued RDNs\n",
156: " -extensions .. - Extension section (override value in config file)\n",
157: " -extfile file - Configuration file with X509v3 extentions to add\n",
158: " -crlexts .. - CRL extension section (override value in config file)\n",
159: #ifndef OPENSSL_NO_ENGINE
160: " -engine e - use engine e, possibly a hardware device.\n",
161: #endif
162: " -status serial - Shows certificate status given the serial number\n",
163: " -updatedb - Updates db for expired certificates\n",
164: NULL
165: };
166:
167: static void lookup_fail(const char *name, const char *tag);
168: static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
169: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
170: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
171: unsigned long chtype, int multirdn, int email_dn, char *startdate,
172: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
173: int verbose, unsigned long certopt, unsigned long nameopt,
174: int default_op, int ext_copy, int selfsign);
175: static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
176: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
177: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
178: unsigned long chtype, int multirdn, int email_dn, char *startdate,
179: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
180: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
181: int ext_copy, ENGINE * e);
182: static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
183: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
184: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
185: unsigned long chtype, int multirdn, int email_dn, char *startdate,
186: char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
187: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
188: static void write_new_certificate(BIO * bp, X509 * x, int output_der,
189: int notext);
190: static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
191: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
192: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
193: unsigned long chtype, int multirdn, int email_dn, char *startdate,
194: char *enddate, long days, int batch, int verbose, X509_REQ * req,
195: char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
196: int default_op, int ext_copy, int selfsign);
197: static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
198: static int get_certificate_status(const char *ser_status, CA_DB * db);
199: static int do_updatedb(CA_DB * db);
200: static int check_time_format(const char *str);
201: static char * bin2hex(unsigned char *, size_t);
202: char *make_revocation_str(int rev_type, char *rev_arg);
203: int make_revoked(X509_REVOKED * rev, const char *str);
204: int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
205: static CONF *conf = NULL;
206: static CONF *extconf = NULL;
207: static char *section = NULL;
208:
209: static int preserve = 0;
210: static int msie_hack = 0;
211:
212:
213: int
214: ca_main(int argc, char **argv)
215: {
216: ENGINE *e = NULL;
217: char *key = NULL, *passargin = NULL;
218: int create_ser = 0;
219: int free_key = 0;
220: int total = 0;
221: int total_done = 0;
222: int badops = 0;
223: int ret = 1;
224: int email_dn = 1;
225: int req = 0;
226: int verbose = 0;
227: int gencrl = 0;
228: int dorevoke = 0;
229: int doupdatedb = 0;
230: long crldays = 0;
231: long crlhours = 0;
232: long crlsec = 0;
233: long errorline = -1;
234: char *configfile = NULL;
235: char *md = NULL;
236: char *policy = NULL;
237: char *keyfile = NULL;
238: char *certfile = NULL;
239: int keyform = FORMAT_PEM;
240: char *infile = NULL;
241: char *spkac_file = NULL;
242: char *ss_cert_file = NULL;
243: char *ser_status = NULL;
244: EVP_PKEY *pkey = NULL;
245: int output_der = 0;
246: char *outfile = NULL;
247: char *outdir = NULL;
248: char *serialfile = NULL;
249: char *crlnumberfile = NULL;
250: char *extensions = NULL;
251: char *extfile = NULL;
252: char *subj = NULL;
253: unsigned long chtype = MBSTRING_ASC;
254: int multirdn = 0;
255: char *tmp_email_dn = NULL;
256: char *crl_ext = NULL;
257: int rev_type = REV_NONE;
258: char *rev_arg = NULL;
259: BIGNUM *serial = NULL;
260: BIGNUM *crlnumber = NULL;
261: char *startdate = NULL;
262: char *enddate = NULL;
263: long days = 0;
264: int batch = 0;
265: int notext = 0;
266: unsigned long nameopt = 0, certopt = 0;
267: int default_op = 1;
268: int ext_copy = EXT_COPY_NONE;
269: int selfsign = 0;
270: X509 *x509 = NULL, *x509p = NULL;
271: X509 *x = NULL;
272: BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
273: char *dbfile = NULL;
274: CA_DB *db = NULL;
275: X509_CRL *crl = NULL;
276: X509_REVOKED *r = NULL;
277: ASN1_TIME *tmptm;
278: ASN1_INTEGER *tmpser;
279: char *f;
280: const char *p;
281: char *const * pp;
282: int i, j;
283: const EVP_MD *dgst = NULL;
284: STACK_OF(CONF_VALUE) * attribs = NULL;
285: STACK_OF(X509) * cert_sk = NULL;
286: STACK_OF(OPENSSL_STRING) * sigopts = NULL;
1.4 bcook 287: #define BUFLEN 256
288: char buf[3][BUFLEN];
1.1 jsing 289: #ifndef OPENSSL_NO_ENGINE
290: char *engine = NULL;
291: #endif
292: char *tofree = NULL;
293: const char *errstr = NULL;
294: DB_ATTR db_attr;
295:
296: conf = NULL;
297: key = NULL;
298: section = NULL;
299:
300: preserve = 0;
301: msie_hack = 0;
302:
303: argc--;
304: argv++;
305: while (argc >= 1) {
306: if (strcmp(*argv, "-verbose") == 0)
307: verbose = 1;
308: else if (strcmp(*argv, "-config") == 0) {
309: if (--argc < 1)
310: goto bad;
311: configfile = *(++argv);
312: } else if (strcmp(*argv, "-name") == 0) {
313: if (--argc < 1)
314: goto bad;
315: section = *(++argv);
316: } else if (strcmp(*argv, "-subj") == 0) {
317: if (--argc < 1)
318: goto bad;
319: subj = *(++argv);
320: /* preserve=1; */
321: } else if (strcmp(*argv, "-utf8") == 0)
322: chtype = MBSTRING_UTF8;
323: else if (strcmp(*argv, "-create_serial") == 0)
324: create_ser = 1;
325: else if (strcmp(*argv, "-multivalue-rdn") == 0)
326: multirdn = 1;
327: else if (strcmp(*argv, "-startdate") == 0) {
328: if (--argc < 1)
329: goto bad;
330: startdate = *(++argv);
331: } else if (strcmp(*argv, "-enddate") == 0) {
332: if (--argc < 1)
333: goto bad;
334: enddate = *(++argv);
335: } else if (strcmp(*argv, "-days") == 0) {
336: if (--argc < 1)
337: goto bad;
338: days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
339: if (errstr)
340: goto bad;
341: } else if (strcmp(*argv, "-md") == 0) {
342: if (--argc < 1)
343: goto bad;
344: md = *(++argv);
345: } else if (strcmp(*argv, "-policy") == 0) {
346: if (--argc < 1)
347: goto bad;
348: policy = *(++argv);
349: } else if (strcmp(*argv, "-keyfile") == 0) {
350: if (--argc < 1)
351: goto bad;
352: keyfile = *(++argv);
353: } else if (strcmp(*argv, "-keyform") == 0) {
354: if (--argc < 1)
355: goto bad;
356: keyform = str2fmt(*(++argv));
357: } else if (strcmp(*argv, "-passin") == 0) {
358: if (--argc < 1)
359: goto bad;
360: passargin = *(++argv);
361: } else if (strcmp(*argv, "-key") == 0) {
362: if (--argc < 1)
363: goto bad;
364: key = *(++argv);
365: } else if (strcmp(*argv, "-cert") == 0) {
366: if (--argc < 1)
367: goto bad;
368: certfile = *(++argv);
369: } else if (strcmp(*argv, "-selfsign") == 0)
370: selfsign = 1;
371: else if (strcmp(*argv, "-in") == 0) {
372: if (--argc < 1)
373: goto bad;
374: infile = *(++argv);
375: req = 1;
376: } else if (strcmp(*argv, "-out") == 0) {
377: if (--argc < 1)
378: goto bad;
379: outfile = *(++argv);
380: } else if (strcmp(*argv, "-outdir") == 0) {
381: if (--argc < 1)
382: goto bad;
383: outdir = *(++argv);
384: } else if (strcmp(*argv, "-sigopt") == 0) {
385: if (--argc < 1)
386: goto bad;
387: if (!sigopts)
388: sigopts = sk_OPENSSL_STRING_new_null();
389: if (!sigopts ||
390: !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
391: goto bad;
392: } else if (strcmp(*argv, "-notext") == 0)
393: notext = 1;
394: else if (strcmp(*argv, "-batch") == 0)
395: batch = 1;
396: else if (strcmp(*argv, "-preserveDN") == 0)
397: preserve = 1;
398: else if (strcmp(*argv, "-noemailDN") == 0)
399: email_dn = 0;
400: else if (strcmp(*argv, "-gencrl") == 0)
401: gencrl = 1;
402: else if (strcmp(*argv, "-msie_hack") == 0)
403: msie_hack = 1;
404: else if (strcmp(*argv, "-crldays") == 0) {
405: if (--argc < 1)
406: goto bad;
407: crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
408: if (errstr)
409: goto bad;
410: } else if (strcmp(*argv, "-crlhours") == 0) {
411: if (--argc < 1)
412: goto bad;
413: crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
414: if (errstr)
415: goto bad;
416: } else if (strcmp(*argv, "-crlsec") == 0) {
417: if (--argc < 1)
418: goto bad;
419: crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
420: if (errstr)
421: goto bad;
422: } else if (strcmp(*argv, "-infiles") == 0) {
423: argc--;
424: argv++;
425: req = 1;
426: break;
427: } else if (strcmp(*argv, "-ss_cert") == 0) {
428: if (--argc < 1)
429: goto bad;
430: ss_cert_file = *(++argv);
431: req = 1;
432: } else if (strcmp(*argv, "-spkac") == 0) {
433: if (--argc < 1)
434: goto bad;
435: spkac_file = *(++argv);
436: req = 1;
437: } else if (strcmp(*argv, "-revoke") == 0) {
438: if (--argc < 1)
439: goto bad;
440: infile = *(++argv);
441: dorevoke = 1;
442: } else if (strcmp(*argv, "-extensions") == 0) {
443: if (--argc < 1)
444: goto bad;
445: extensions = *(++argv);
446: } else if (strcmp(*argv, "-extfile") == 0) {
447: if (--argc < 1)
448: goto bad;
449: extfile = *(++argv);
450: } else if (strcmp(*argv, "-status") == 0) {
451: if (--argc < 1)
452: goto bad;
453: ser_status = *(++argv);
454: } else if (strcmp(*argv, "-updatedb") == 0) {
455: doupdatedb = 1;
456: } else if (strcmp(*argv, "-crlexts") == 0) {
457: if (--argc < 1)
458: goto bad;
459: crl_ext = *(++argv);
460: } else if (strcmp(*argv, "-crl_reason") == 0) {
461: if (--argc < 1)
462: goto bad;
463: rev_arg = *(++argv);
464: rev_type = REV_CRL_REASON;
465: } else if (strcmp(*argv, "-crl_hold") == 0) {
466: if (--argc < 1)
467: goto bad;
468: rev_arg = *(++argv);
469: rev_type = REV_HOLD;
470: } else if (strcmp(*argv, "-crl_compromise") == 0) {
471: if (--argc < 1)
472: goto bad;
473: rev_arg = *(++argv);
474: rev_type = REV_KEY_COMPROMISE;
475: } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
476: if (--argc < 1)
477: goto bad;
478: rev_arg = *(++argv);
479: rev_type = REV_CA_COMPROMISE;
480: }
481: #ifndef OPENSSL_NO_ENGINE
482: else if (strcmp(*argv, "-engine") == 0) {
483: if (--argc < 1)
484: goto bad;
485: engine = *(++argv);
486: }
487: #endif
488: else {
489: bad:
490: if (errstr)
491: BIO_printf(bio_err, "invalid argument %s: %s\n",
492: *argv, errstr);
493: else
494: BIO_printf(bio_err, "unknown option %s\n", *argv);
495: badops = 1;
496: break;
497: }
498: argc--;
499: argv++;
500: }
501:
502: if (badops) {
503: const char **pp2;
504:
505: for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
506: BIO_printf(bio_err, "%s", *pp2);
507: goto err;
508: }
509:
510: /*****************************************************************/
511: tofree = NULL;
512: if (configfile == NULL)
513: configfile = getenv("OPENSSL_CONF");
514: if (configfile == NULL)
515: configfile = getenv("SSLEAY_CONF");
516: if (configfile == NULL) {
517: if ((tofree = make_config_name()) == NULL) {
518: BIO_printf(bio_err, "error making config file name\n");
519: goto err;
520: }
521: configfile = tofree;
522: }
523: BIO_printf(bio_err, "Using configuration from %s\n", configfile);
524: conf = NCONF_new(NULL);
525: if (NCONF_load(conf, configfile, &errorline) <= 0) {
526: if (errorline <= 0)
527: BIO_printf(bio_err,
528: "error loading the config file '%s'\n",
529: configfile);
530: else
531: BIO_printf(bio_err,
532: "error on line %ld of config file '%s'\n",
533: errorline, configfile);
534: goto err;
535: }
536: free(tofree);
537: tofree = NULL;
538:
539: #ifndef OPENSSL_NO_ENGINE
540: e = setup_engine(bio_err, engine, 0);
541: #endif
542:
543: /* Lets get the config section we are using */
544: if (section == NULL) {
545: section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
546: if (section == NULL) {
547: lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
548: goto err;
549: }
550: }
551: if (conf != NULL) {
552: p = NCONF_get_string(conf, NULL, "oid_file");
553: if (p == NULL)
554: ERR_clear_error();
555: if (p != NULL) {
556: BIO *oid_bio;
557:
558: oid_bio = BIO_new_file(p, "r");
559: if (oid_bio == NULL) {
560: /*
561: BIO_printf(bio_err,
562: "problems opening %s for extra oid's\n", p);
563: ERR_print_errors(bio_err);
564: */
565: ERR_clear_error();
566: } else {
567: OBJ_create_objects(oid_bio);
568: BIO_free(oid_bio);
569: }
570: }
571: if (!add_oid_section(bio_err, conf)) {
572: ERR_print_errors(bio_err);
573: goto err;
574: }
575: }
576: f = NCONF_get_string(conf, section, STRING_MASK);
577: if (!f)
578: ERR_clear_error();
579:
580: if (f && !ASN1_STRING_set_default_mask_asc(f)) {
581: BIO_printf(bio_err,
582: "Invalid global string mask setting %s\n", f);
583: goto err;
584: }
585: if (chtype != MBSTRING_UTF8) {
586: f = NCONF_get_string(conf, section, UTF8_IN);
587: if (!f)
588: ERR_clear_error();
589: else if (!strcmp(f, "yes"))
590: chtype = MBSTRING_UTF8;
591: }
592: db_attr.unique_subject = 1;
593: p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
594: if (p) {
595: db_attr.unique_subject = parse_yesno(p, 1);
596: } else
597: ERR_clear_error();
598:
599: in = BIO_new(BIO_s_file());
600: out = BIO_new(BIO_s_file());
601: Sout = BIO_new(BIO_s_file());
602: Cout = BIO_new(BIO_s_file());
603: if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
604: ERR_print_errors(bio_err);
605: goto err;
606: }
607: /*****************************************************************/
608: /* report status of cert with serial number given on command line */
609: if (ser_status) {
610: if ((dbfile = NCONF_get_string(conf, section,
611: ENV_DATABASE)) == NULL) {
612: lookup_fail(section, ENV_DATABASE);
613: goto err;
614: }
615: db = load_index(dbfile, &db_attr);
616: if (db == NULL)
617: goto err;
618:
619: if (!index_index(db))
620: goto err;
621:
622: if (get_certificate_status(ser_status, db) != 1)
623: BIO_printf(bio_err, "Error verifying serial %s!\n",
624: ser_status);
625: goto err;
626: }
627: /*****************************************************************/
628: /* we definitely need a private key, so let's get it */
629:
630: if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
631: section, ENV_PRIVATE_KEY)) == NULL)) {
632: lookup_fail(section, ENV_PRIVATE_KEY);
633: goto err;
634: }
635: if (!key) {
636: free_key = 1;
637: if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
638: BIO_printf(bio_err, "Error getting password\n");
639: goto err;
640: }
641: }
642: pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
643: if (key)
644: OPENSSL_cleanse(key, strlen(key));
645: if (pkey == NULL) {
646: /* load_key() has already printed an appropriate message */
647: goto err;
648: }
649: /*****************************************************************/
650: /* we need a certificate */
651: if (!selfsign || spkac_file || ss_cert_file || gencrl) {
652: if ((certfile == NULL) &&
653: ((certfile = NCONF_get_string(conf,
654: section, ENV_CERTIFICATE)) == NULL)) {
655: lookup_fail(section, ENV_CERTIFICATE);
656: goto err;
657: }
658: x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
659: "CA certificate");
660: if (x509 == NULL)
661: goto err;
662:
663: if (!X509_check_private_key(x509, pkey)) {
664: BIO_printf(bio_err,
665: "CA certificate and CA private key do not match\n");
666: goto err;
667: }
668: }
669: if (!selfsign)
670: x509p = x509;
671:
672: f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
673: if (f == NULL)
674: ERR_clear_error();
675: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
676: preserve = 1;
677: f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
678: if (f == NULL)
679: ERR_clear_error();
680: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
681: msie_hack = 1;
682:
683: f = NCONF_get_string(conf, section, ENV_NAMEOPT);
684:
685: if (f) {
686: if (!set_name_ex(&nameopt, f)) {
687: BIO_printf(bio_err,
688: "Invalid name options: \"%s\"\n", f);
689: goto err;
690: }
691: default_op = 0;
692: } else
693: ERR_clear_error();
694:
695: f = NCONF_get_string(conf, section, ENV_CERTOPT);
696:
697: if (f) {
698: if (!set_cert_ex(&certopt, f)) {
699: BIO_printf(bio_err,
700: "Invalid certificate options: \"%s\"\n", f);
701: goto err;
702: }
703: default_op = 0;
704: } else
705: ERR_clear_error();
706:
707: f = NCONF_get_string(conf, section, ENV_EXTCOPY);
708:
709: if (f) {
710: if (!set_ext_copy(&ext_copy, f)) {
711: BIO_printf(bio_err,
712: "Invalid extension copy option: \"%s\"\n", f);
713: goto err;
714: }
715: } else
716: ERR_clear_error();
717:
718: /*****************************************************************/
719: /* lookup where to write new certificates */
720: if ((outdir == NULL) && (req)) {
721:
722: if ((outdir = NCONF_get_string(conf, section,
723: ENV_NEW_CERTS_DIR)) == NULL) {
724: BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n");
725: goto err;
726: }
727: /*
728: * outdir is a directory spec, but access() for VMS demands a
729: * filename. In any case, stat(), below, will catch the
730: * problem if outdir is not a directory spec, and the fopen()
731: * or open() will catch an error if there is no write access.
732: *
733: * Presumably, this problem could also be solved by using the
734: * DEC C routines to convert the directory syntax to Unixly,
735: * and give that to access(). However, time's too short to
736: * do that just now.
737: */
738: if (access(outdir, R_OK | W_OK | X_OK) != 0) {
739: BIO_printf(bio_err,
740: "I am unable to access the %s directory\n", outdir);
741: perror(outdir);
742: goto err;
743: }
744: if (app_isdir(outdir) <= 0) {
745: BIO_printf(bio_err,
746: "%s need to be a directory\n", outdir);
747: perror(outdir);
748: goto err;
749: }
750: }
751: /*****************************************************************/
752: /* we need to load the database file */
753: if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
754: lookup_fail(section, ENV_DATABASE);
755: goto err;
756: }
757: db = load_index(dbfile, &db_attr);
758: if (db == NULL)
759: goto err;
760:
761: /* Lets check some fields */
762: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
763: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
764: if ((pp[DB_type][0] != DB_TYPE_REV) &&
765: (pp[DB_rev_date][0] != '\0')) {
766: BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1);
767: goto err;
768: }
769: if ((pp[DB_type][0] == DB_TYPE_REV) &&
770: !make_revoked(NULL, pp[DB_rev_date])) {
771: BIO_printf(bio_err, " in entry %d\n", i + 1);
772: goto err;
773: }
774: if (!check_time_format((char *) pp[DB_exp_date])) {
775: BIO_printf(bio_err, "entry %d: invalid expiry date\n",
776: i + 1);
777: goto err;
778: }
779: p = pp[DB_serial];
780: j = strlen(p);
781: if (*p == '-') {
782: p++;
783: j--;
784: }
785: if ((j & 1) || (j < 2)) {
786: BIO_printf(bio_err,
787: "entry %d: bad serial number length (%d)\n",
788: i + 1, j);
789: goto err;
790: }
791: while (*p) {
792: if (!(((*p >= '0') && (*p <= '9')) ||
793: ((*p >= 'A') && (*p <= 'F')) ||
794: ((*p >= 'a') && (*p <= 'f')))) {
795: BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
796: goto err;
797: }
798: p++;
799: }
800: }
801: if (verbose) {
802: BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
803: TXT_DB_write(out, db->db);
804: BIO_printf(bio_err, "%d entries loaded from the database\n",
805: sk_OPENSSL_PSTRING_num(db->db->data));
806: BIO_printf(bio_err, "generating index\n");
807: }
808: if (!index_index(db))
809: goto err;
810:
811: /*****************************************************************/
812: /* Update the db file for expired certificates */
813: if (doupdatedb) {
814: if (verbose)
815: BIO_printf(bio_err, "Updating %s ...\n", dbfile);
816:
817: i = do_updatedb(db);
818: if (i == -1) {
819: BIO_printf(bio_err, "Malloc failure\n");
820: goto err;
821: } else if (i == 0) {
822: if (verbose)
823: BIO_printf(bio_err,
824: "No entries found to mark expired\n");
825: } else {
826: if (!save_index(dbfile, "new", db))
827: goto err;
828:
829: if (!rotate_index(dbfile, "new", "old"))
830: goto err;
831:
832: if (verbose)
833: BIO_printf(bio_err,
834: "Done. %d entries marked as expired\n", i);
835: }
836: }
837: /*****************************************************************/
838: /* Read extentions config file */
839: if (extfile) {
840: extconf = NCONF_new(NULL);
841: if (NCONF_load(extconf, extfile, &errorline) <= 0) {
842: if (errorline <= 0)
843: BIO_printf(bio_err,
844: "ERROR: loading the config file '%s'\n",
845: extfile);
846: else
847: BIO_printf(bio_err,
848: "ERROR: on line %ld of config file '%s'\n",
849: errorline, extfile);
850: ret = 1;
851: goto err;
852: }
853: if (verbose)
854: BIO_printf(bio_err,
855: "Successfully loaded extensions file %s\n",
856: extfile);
857:
858: /* We can have sections in the ext file */
859: if (!extensions && !(extensions = NCONF_get_string(extconf,
860: "default", "extensions")))
861: extensions = "default";
862: }
863: /*****************************************************************/
864: if (req || gencrl) {
865: if (outfile != NULL) {
866: if (BIO_write_filename(Sout, outfile) <= 0) {
867: perror(outfile);
868: goto err;
869: }
870: } else {
871: BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
872: }
873: }
874: if ((md == NULL) && ((md = NCONF_get_string(conf, section,
875: ENV_DEFAULT_MD)) == NULL)) {
876: lookup_fail(section, ENV_DEFAULT_MD);
877: goto err;
878: }
879: if (!strcmp(md, "default")) {
880: int def_nid;
881: if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
882: BIO_puts(bio_err, "no default digest\n");
883: goto err;
884: }
885: md = (char *) OBJ_nid2sn(def_nid);
886: }
887: if ((dgst = EVP_get_digestbyname(md)) == NULL) {
888: BIO_printf(bio_err,
889: "%s is an unsupported message digest type\n", md);
890: goto err;
891: }
892: if (req) {
893: if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
894: section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
895: if (strcmp(tmp_email_dn, "no") == 0)
896: email_dn = 0;
897: }
898: if (verbose)
899: BIO_printf(bio_err, "message digest is %s\n",
900: OBJ_nid2ln(dgst->type));
901: if ((policy == NULL) && ((policy = NCONF_get_string(conf,
902: section, ENV_POLICY)) == NULL)) {
903: lookup_fail(section, ENV_POLICY);
904: goto err;
905: }
906: if (verbose)
907: BIO_printf(bio_err, "policy is %s\n", policy);
908:
909: if ((serialfile = NCONF_get_string(conf, section,
910: ENV_SERIAL)) == NULL) {
911: lookup_fail(section, ENV_SERIAL);
912: goto err;
913: }
914: if (!extconf) {
915: /*
916: * no '-extfile' option, so we look for extensions in
917: * the main configuration file
918: */
919: if (!extensions) {
920: extensions = NCONF_get_string(conf, section,
921: ENV_EXTENSIONS);
922: if (!extensions)
923: ERR_clear_error();
924: }
925: if (extensions) {
926: /* Check syntax of file */
927: X509V3_CTX ctx;
928: X509V3_set_ctx_test(&ctx);
929: X509V3_set_nconf(&ctx, conf);
930: if (!X509V3_EXT_add_nconf(conf, &ctx,
931: extensions, NULL)) {
932: BIO_printf(bio_err,
933: "Error Loading extension section %s\n",
934: extensions);
935: ret = 1;
936: goto err;
937: }
938: }
939: }
940: if (startdate == NULL) {
941: startdate = NCONF_get_string(conf, section,
942: ENV_DEFAULT_STARTDATE);
943: if (startdate == NULL)
944: ERR_clear_error();
945: }
946: if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
947: BIO_printf(bio_err, "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
948: goto err;
949: }
950: if (startdate == NULL)
951: startdate = "today";
952:
953: if (enddate == NULL) {
954: enddate = NCONF_get_string(conf, section,
955: ENV_DEFAULT_ENDDATE);
956: if (enddate == NULL)
957: ERR_clear_error();
958: }
959: if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
960: BIO_printf(bio_err, "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
961: goto err;
962: }
963: if (days == 0) {
964: if (!NCONF_get_number(conf, section,
965: ENV_DEFAULT_DAYS, &days))
966: days = 0;
967: }
968: if (!enddate && (days == 0)) {
969: BIO_printf(bio_err,
970: "cannot lookup how many days to certify for\n");
971: goto err;
972: }
973: if ((serial = load_serial(serialfile, create_ser, NULL)) ==
974: NULL) {
975: BIO_printf(bio_err,
976: "error while loading serial number\n");
977: goto err;
978: }
979: if (verbose) {
980: if (BN_is_zero(serial))
981: BIO_printf(bio_err,
982: "next serial number is 00\n");
983: else {
984: if ((f = BN_bn2hex(serial)) == NULL)
985: goto err;
986: BIO_printf(bio_err,
987: "next serial number is %s\n", f);
988: free(f);
989: }
990: }
991: if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
992: BIO_printf(bio_err,
993: "unable to find 'section' for %s\n", policy);
994: goto err;
995: }
996: if ((cert_sk = sk_X509_new_null()) == NULL) {
997: BIO_printf(bio_err, "Memory allocation failure\n");
998: goto err;
999: }
1000: if (spkac_file != NULL) {
1001: total++;
1002: j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
1003: sigopts, attribs, db, serial, subj, chtype,
1004: multirdn, email_dn, startdate, enddate, days,
1005: extensions, conf, verbose, certopt, nameopt,
1006: default_op, ext_copy);
1007: if (j < 0)
1008: goto err;
1009: if (j > 0) {
1010: total_done++;
1011: BIO_printf(bio_err, "\n");
1012: if (!BN_add_word(serial, 1))
1013: goto err;
1014: if (!sk_X509_push(cert_sk, x)) {
1015: BIO_printf(bio_err,
1016: "Memory allocation failure\n");
1017: goto err;
1018: }
1019: if (outfile) {
1020: output_der = 1;
1021: batch = 1;
1022: }
1023: }
1024: }
1025: if (ss_cert_file != NULL) {
1026: total++;
1027: j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
1028: sigopts, attribs, db, serial, subj, chtype,
1029: multirdn, email_dn, startdate, enddate, days, batch,
1030: extensions, conf, verbose, certopt, nameopt,
1031: default_op, ext_copy, e);
1032: if (j < 0)
1033: goto err;
1034: if (j > 0) {
1035: total_done++;
1036: BIO_printf(bio_err, "\n");
1037: if (!BN_add_word(serial, 1))
1038: goto err;
1039: if (!sk_X509_push(cert_sk, x)) {
1040: BIO_printf(bio_err,
1041: "Memory allocation failure\n");
1042: goto err;
1043: }
1044: }
1045: }
1046: if (infile != NULL) {
1047: total++;
1048: j = certify(&x, infile, pkey, x509p, dgst, sigopts,
1049: attribs, db, serial, subj, chtype, multirdn,
1050: email_dn, startdate, enddate, days, batch,
1051: extensions, conf, verbose, certopt, nameopt,
1052: default_op, ext_copy, selfsign);
1053: if (j < 0)
1054: goto err;
1055: if (j > 0) {
1056: total_done++;
1057: BIO_printf(bio_err, "\n");
1058: if (!BN_add_word(serial, 1))
1059: goto err;
1060: if (!sk_X509_push(cert_sk, x)) {
1061: BIO_printf(bio_err,
1062: "Memory allocation failure\n");
1063: goto err;
1064: }
1065: }
1066: }
1067: for (i = 0; i < argc; i++) {
1068: total++;
1069: j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
1070: attribs, db, serial, subj, chtype, multirdn,
1071: email_dn, startdate, enddate, days, batch,
1072: extensions, conf, verbose, certopt, nameopt,
1073: default_op, ext_copy, selfsign);
1074: if (j < 0)
1075: goto err;
1076: if (j > 0) {
1077: total_done++;
1078: BIO_printf(bio_err, "\n");
1079: if (!BN_add_word(serial, 1))
1080: goto err;
1081: if (!sk_X509_push(cert_sk, x)) {
1082: BIO_printf(bio_err,
1083: "Memory allocation failure\n");
1084: goto err;
1085: }
1086: }
1087: }
1088: /*
1089: * we have a stack of newly certified certificates and a data
1090: * base and serial number that need updating
1091: */
1092:
1093: if (sk_X509_num(cert_sk) > 0) {
1094: if (!batch) {
1095: BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
1096: (void) BIO_flush(bio_err);
1097: buf[0][0] = '\0';
1098: if (!fgets(buf[0], 10, stdin)) {
1099: BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1100: ret = 0;
1101: goto err;
1102: }
1103: if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) {
1104: BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1105: ret = 0;
1106: goto err;
1107: }
1108: }
1109: BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk));
1110:
1111: if (!save_serial(serialfile, "new", serial, NULL))
1112: goto err;
1113:
1114: if (!save_index(dbfile, "new", db))
1115: goto err;
1116: }
1117: if (verbose)
1118: BIO_printf(bio_err, "writing new certificates\n");
1119: for (i = 0; i < sk_X509_num(cert_sk); i++) {
1120: int k;
1.3 doug 1121: char *serialstr;
1.1 jsing 1122: unsigned char *data;
1123:
1124: x = sk_X509_value(cert_sk, i);
1125:
1126: j = x->cert_info->serialNumber->length;
1127: data = (unsigned char *)x->cert_info->serialNumber->data;
1128: if (j > 0)
1.3 doug 1129: serialstr = bin2hex(data, j);
1.1 jsing 1130: else
1.3 doug 1131: serialstr = strdup("00");
1132: if (serialstr) {
1.1 jsing 1133: k = snprintf(buf[2], sizeof(buf[2]),
1.3 doug 1134: "%s/%s.pem", outdir, serialstr);
1135: free(serialstr);
1.1 jsing 1136: if (k == -1 || k >= sizeof(buf[2])) {
1137: BIO_printf(bio_err,
1138: "certificate file name too long\n");
1139: goto err;
1140: }
1141: } else {
1142: BIO_printf(bio_err,
1143: "memory allocation failed\n");
1144: goto err;
1145: }
1146: if (verbose)
1147: BIO_printf(bio_err, "writing %s\n", buf[2]);
1148:
1149: if (BIO_write_filename(Cout, buf[2]) <= 0) {
1150: perror(buf[2]);
1151: goto err;
1152: }
1153: write_new_certificate(Cout, x, 0, notext);
1154: write_new_certificate(Sout, x, output_der, notext);
1155: }
1156:
1157: if (sk_X509_num(cert_sk)) {
1158: /* Rename the database and the serial file */
1159: if (!rotate_serial(serialfile, "new", "old"))
1160: goto err;
1161:
1162: if (!rotate_index(dbfile, "new", "old"))
1163: goto err;
1164:
1165: BIO_printf(bio_err, "Data Base Updated\n");
1166: }
1167: }
1168: /*****************************************************************/
1169: if (gencrl) {
1170: int crl_v2 = 0;
1171: if (!crl_ext) {
1172: crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
1173: if (!crl_ext)
1174: ERR_clear_error();
1175: }
1176: if (crl_ext) {
1177: /* Check syntax of file */
1178: X509V3_CTX ctx;
1179: X509V3_set_ctx_test(&ctx);
1180: X509V3_set_nconf(&ctx, conf);
1181: if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
1182: BIO_printf(bio_err,
1183: "Error Loading CRL extension section %s\n",
1184: crl_ext);
1185: ret = 1;
1186: goto err;
1187: }
1188: }
1189: if ((crlnumberfile = NCONF_get_string(conf, section,
1190: ENV_CRLNUMBER)) != NULL)
1191: if ((crlnumber = load_serial(crlnumberfile, 0,
1192: NULL)) == NULL) {
1193: BIO_printf(bio_err,
1194: "error while loading CRL number\n");
1195: goto err;
1196: }
1197: if (!crldays && !crlhours && !crlsec) {
1198: if (!NCONF_get_number(conf, section,
1199: ENV_DEFAULT_CRL_DAYS, &crldays))
1200: crldays = 0;
1201: if (!NCONF_get_number(conf, section,
1202: ENV_DEFAULT_CRL_HOURS, &crlhours))
1203: crlhours = 0;
1204: ERR_clear_error();
1205: }
1206: if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1207: BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1208: goto err;
1209: }
1210: if (verbose)
1211: BIO_printf(bio_err, "making CRL\n");
1212: if ((crl = X509_CRL_new()) == NULL)
1213: goto err;
1214: if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1215: goto err;
1216:
1217: tmptm = ASN1_TIME_new();
1218: if (!tmptm)
1219: goto err;
1220: X509_gmtime_adj(tmptm, 0);
1221: X509_CRL_set_lastUpdate(crl, tmptm);
1222: if (!X509_time_adj_ex(tmptm, crldays,
1223: crlhours * 60 * 60 + crlsec, NULL)) {
1224: BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1225: goto err;
1226: }
1227: X509_CRL_set_nextUpdate(crl, tmptm);
1228:
1229: ASN1_TIME_free(tmptm);
1230:
1231: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1232: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1233: if (pp[DB_type][0] == DB_TYPE_REV) {
1234: if ((r = X509_REVOKED_new()) == NULL)
1235: goto err;
1236: j = make_revoked(r, pp[DB_rev_date]);
1237: if (!j)
1238: goto err;
1239: if (j == 2)
1240: crl_v2 = 1;
1241: if (!BN_hex2bn(&serial, pp[DB_serial]))
1242: goto err;
1243: tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1244: BN_free(serial);
1245: serial = NULL;
1246: if (!tmpser)
1247: goto err;
1248: X509_REVOKED_set_serialNumber(r, tmpser);
1249: ASN1_INTEGER_free(tmpser);
1250: X509_CRL_add0_revoked(crl, r);
1251: }
1252: }
1253:
1254: /*
1255: * sort the data so it will be written in serial number order
1256: */
1257: X509_CRL_sort(crl);
1258:
1259: /* we now have a CRL */
1260: if (verbose)
1261: BIO_printf(bio_err, "signing CRL\n");
1262:
1263: /* Add any extensions asked for */
1264:
1265: if (crl_ext || crlnumberfile != NULL) {
1266: X509V3_CTX crlctx;
1267: X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1268: X509V3_set_nconf(&crlctx, conf);
1269:
1270: if (crl_ext)
1271: if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1272: crl_ext, crl))
1273: goto err;
1274: if (crlnumberfile != NULL) {
1275: tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1276: if (!tmpser)
1277: goto err;
1278: X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1279: tmpser, 0, 0);
1280: ASN1_INTEGER_free(tmpser);
1281: crl_v2 = 1;
1282: if (!BN_add_word(crlnumber, 1))
1283: goto err;
1284: }
1285: }
1286: if (crl_ext || crl_v2) {
1287: if (!X509_CRL_set_version(crl, 1))
1288: goto err; /* version 2 CRL */
1289: }
1290: if (crlnumberfile != NULL) /* we have a CRL number that
1291: * need updating */
1292: if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1293: goto err;
1294:
1295: if (crlnumber) {
1296: BN_free(crlnumber);
1297: crlnumber = NULL;
1298: }
1299: if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
1300: goto err;
1301:
1302: PEM_write_bio_X509_CRL(Sout, crl);
1303:
1304: if (crlnumberfile != NULL) /* Rename the crlnumber file */
1305: if (!rotate_serial(crlnumberfile, "new", "old"))
1306: goto err;
1307:
1308: }
1309: /*****************************************************************/
1310: if (dorevoke) {
1311: if (infile == NULL) {
1312: BIO_printf(bio_err, "no input files\n");
1313: goto err;
1314: } else {
1315: X509 *revcert;
1316: revcert = load_cert(bio_err, infile, FORMAT_PEM,
1317: NULL, e, infile);
1318: if (revcert == NULL)
1319: goto err;
1320: j = do_revoke(revcert, db, rev_type, rev_arg);
1321: if (j <= 0)
1322: goto err;
1323: X509_free(revcert);
1324:
1325: if (!save_index(dbfile, "new", db))
1326: goto err;
1327:
1328: if (!rotate_index(dbfile, "new", "old"))
1329: goto err;
1330:
1331: BIO_printf(bio_err, "Data Base Updated\n");
1332: }
1333: }
1334: /*****************************************************************/
1335: ret = 0;
1336:
1337: err:
1338: free(tofree);
1339:
1340: BIO_free_all(Cout);
1341: BIO_free_all(Sout);
1342: BIO_free_all(out);
1343: BIO_free_all(in);
1344:
1345: if (cert_sk)
1346: sk_X509_pop_free(cert_sk, X509_free);
1347:
1348: if (ret)
1349: ERR_print_errors(bio_err);
1350: if (free_key && key)
1351: free(key);
1352: BN_free(serial);
1353: BN_free(crlnumber);
1354: free_index(db);
1355: if (sigopts)
1356: sk_OPENSSL_STRING_free(sigopts);
1357: EVP_PKEY_free(pkey);
1358: if (x509)
1359: X509_free(x509);
1360: X509_CRL_free(crl);
1361: NCONF_free(conf);
1362: NCONF_free(extconf);
1363: OBJ_cleanup();
1364:
1365: return (ret);
1366: }
1367:
1368: static void
1369: lookup_fail(const char *name, const char *tag)
1370: {
1371: BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1372: }
1373:
1374: static int
1375: certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1376: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1377: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1378: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1379: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1380: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1381: int ext_copy, int selfsign)
1382: {
1383: X509_REQ *req = NULL;
1384: BIO *in = NULL;
1385: EVP_PKEY *pktmp = NULL;
1386: int ok = -1, i;
1387:
1388: in = BIO_new(BIO_s_file());
1389:
1390: if (BIO_read_filename(in, infile) <= 0) {
1391: perror(infile);
1392: goto err;
1393: }
1394: if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1395: BIO_printf(bio_err, "Error reading certificate request in %s\n",
1396: infile);
1397: goto err;
1398: }
1399: if (verbose)
1400: X509_REQ_print(bio_err, req);
1401:
1402: BIO_printf(bio_err, "Check that the request matches the signature\n");
1403:
1404: if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1405: BIO_printf(bio_err,
1406: "Certificate request and CA private key do not match\n");
1407: ok = 0;
1408: goto err;
1409: }
1410: if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
1411: BIO_printf(bio_err, "error unpacking public key\n");
1412: goto err;
1413: }
1414: i = X509_REQ_verify(req, pktmp);
1415: EVP_PKEY_free(pktmp);
1416: if (i < 0) {
1417: ok = 0;
1418: BIO_printf(bio_err, "Signature verification problems....\n");
1419: goto err;
1420: }
1421: if (i == 0) {
1422: ok = 0;
1423: BIO_printf(bio_err,
1424: "Signature did not match the certificate request\n");
1425: goto err;
1426: } else
1427: BIO_printf(bio_err, "Signature ok\n");
1428:
1429: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1430: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1431: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1432: ext_copy, selfsign);
1433:
1434: err:
1435: if (req != NULL)
1436: X509_REQ_free(req);
1437: if (in != NULL)
1438: BIO_free(in);
1439: return (ok);
1440: }
1441:
1442: static int
1443: certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1444: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1445: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1446: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1447: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1448: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1449: int ext_copy, ENGINE * e)
1450: {
1451: X509 *req = NULL;
1452: X509_REQ *rreq = NULL;
1453: EVP_PKEY *pktmp = NULL;
1454: int ok = -1, i;
1455:
1456: if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
1457: infile)) == NULL)
1458: goto err;
1459: if (verbose)
1460: X509_print(bio_err, req);
1461:
1462: BIO_printf(bio_err, "Check that the request matches the signature\n");
1463:
1464: if ((pktmp = X509_get_pubkey(req)) == NULL) {
1465: BIO_printf(bio_err, "error unpacking public key\n");
1466: goto err;
1467: }
1468: i = X509_verify(req, pktmp);
1469: EVP_PKEY_free(pktmp);
1470: if (i < 0) {
1471: ok = 0;
1472: BIO_printf(bio_err, "Signature verification problems....\n");
1473: goto err;
1474: }
1475: if (i == 0) {
1476: ok = 0;
1477: BIO_printf(bio_err,
1478: "Signature did not match the certificate\n");
1479: goto err;
1480: } else
1481: BIO_printf(bio_err, "Signature ok\n");
1482:
1483: if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1484: goto err;
1485:
1486: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1487: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1488: verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1489: ext_copy, 0);
1490:
1491: err:
1492: if (rreq != NULL)
1493: X509_REQ_free(rreq);
1494: if (req != NULL)
1495: X509_free(req);
1496: return (ok);
1497: }
1498:
1499: static int
1500: do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1501: STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy,
1502: CA_DB * db, BIGNUM * serial, char *subj, unsigned long chtype, int multirdn,
1503: int email_dn, char *startdate, char *enddate, long days, int batch,
1504: int verbose, X509_REQ * req, char *ext_sect, CONF * lconf,
1505: unsigned long certopt, unsigned long nameopt, int default_op,
1506: int ext_copy, int selfsign)
1507: {
1508: X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
1509: ASN1_UTCTIME *tm, *tmptm;
1510: ASN1_STRING *str, *str2;
1511: ASN1_OBJECT *obj;
1512: X509 *ret = NULL;
1513: X509_CINF *ci;
1514: X509_NAME_ENTRY *ne;
1515: X509_NAME_ENTRY *tne, *push;
1516: EVP_PKEY *pktmp;
1517: int ok = -1, i, j, last, nid;
1518: const char *p;
1519: CONF_VALUE *cv;
1520: OPENSSL_STRING row[DB_NUMBER];
1521: OPENSSL_STRING *irow = NULL;
1522: OPENSSL_STRING *rrow = NULL;
1523: char buf[25];
1524:
1525: tmptm = ASN1_UTCTIME_new();
1526: if (tmptm == NULL) {
1527: BIO_printf(bio_err, "malloc error\n");
1528: return (0);
1529: }
1530: for (i = 0; i < DB_NUMBER; i++)
1531: row[i] = NULL;
1532:
1533: if (subj) {
1534: X509_NAME *n = parse_name(subj, chtype, multirdn);
1535:
1536: if (!n) {
1537: ERR_print_errors(bio_err);
1538: goto err;
1539: }
1540: X509_REQ_set_subject_name(req, n);
1541: req->req_info->enc.modified = 1;
1542: X509_NAME_free(n);
1543: }
1544: if (default_op)
1545: BIO_printf(bio_err,
1546: "The Subject's Distinguished Name is as follows\n");
1547:
1548: name = X509_REQ_get_subject_name(req);
1549: for (i = 0; i < X509_NAME_entry_count(name); i++) {
1550: ne = X509_NAME_get_entry(name, i);
1551: str = X509_NAME_ENTRY_get_data(ne);
1552: obj = X509_NAME_ENTRY_get_object(ne);
1553:
1554: if (msie_hack) {
1555: /* assume all type should be strings */
1556: nid = OBJ_obj2nid(ne->object);
1557:
1558: if (str->type == V_ASN1_UNIVERSALSTRING)
1559: ASN1_UNIVERSALSTRING_to_string(str);
1560:
1561: if ((str->type == V_ASN1_IA5STRING) &&
1562: (nid != NID_pkcs9_emailAddress))
1563: str->type = V_ASN1_T61STRING;
1564:
1565: if ((nid == NID_pkcs9_emailAddress) &&
1566: (str->type == V_ASN1_PRINTABLESTRING))
1567: str->type = V_ASN1_IA5STRING;
1568: }
1569: /* If no EMAIL is wanted in the subject */
1570: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1571: continue;
1572:
1573: /* check some things */
1574: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1575: (str->type != V_ASN1_IA5STRING)) {
1576: BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
1577: goto err;
1578: }
1579: if ((str->type != V_ASN1_BMPSTRING) &&
1580: (str->type != V_ASN1_UTF8STRING)) {
1581: j = ASN1_PRINTABLE_type(str->data, str->length);
1582: if (((j == V_ASN1_T61STRING) &&
1583: (str->type != V_ASN1_T61STRING)) ||
1584: ((j == V_ASN1_IA5STRING) &&
1585: (str->type == V_ASN1_PRINTABLESTRING))) {
1586: BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
1587: goto err;
1588: }
1589: }
1590: if (default_op)
1591: old_entry_print(bio_err, obj, str);
1592: }
1593:
1594: /* Ok, now we check the 'policy' stuff. */
1595: if ((subject = X509_NAME_new()) == NULL) {
1596: BIO_printf(bio_err, "Memory allocation failure\n");
1597: goto err;
1598: }
1599: /* take a copy of the issuer name before we mess with it. */
1600: if (selfsign)
1601: CAname = X509_NAME_dup(name);
1602: else
1603: CAname = X509_NAME_dup(x509->cert_info->subject);
1604: if (CAname == NULL)
1605: goto err;
1606: str = str2 = NULL;
1607:
1608: for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1609: cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1610: if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1611: BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name);
1612: goto err;
1613: }
1614: obj = OBJ_nid2obj(j);
1615:
1616: last = -1;
1617: for (;;) {
1618: /* lookup the object in the supplied name list */
1619: j = X509_NAME_get_index_by_OBJ(name, obj, last);
1620: if (j < 0) {
1621: if (last != -1)
1622: break;
1623: tne = NULL;
1624: } else {
1625: tne = X509_NAME_get_entry(name, j);
1626: }
1627: last = j;
1628:
1629: /* depending on the 'policy', decide what to do. */
1630: push = NULL;
1631: if (strcmp(cv->value, "optional") == 0) {
1632: if (tne != NULL)
1633: push = tne;
1634: } else if (strcmp(cv->value, "supplied") == 0) {
1635: if (tne == NULL) {
1636: BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name);
1637: goto err;
1638: } else
1639: push = tne;
1640: } else if (strcmp(cv->value, "match") == 0) {
1641: int last2;
1642:
1643: if (tne == NULL) {
1644: BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name);
1645: goto err;
1646: }
1647: last2 = -1;
1648:
1649: again2:
1650: j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1651: if ((j < 0) && (last2 == -1)) {
1652: BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
1653: goto err;
1654: }
1655: if (j >= 0) {
1656: push = X509_NAME_get_entry(CAname, j);
1657: str = X509_NAME_ENTRY_get_data(tne);
1658: str2 = X509_NAME_ENTRY_get_data(push);
1659: last2 = j;
1660: if (ASN1_STRING_cmp(str, str2) != 0)
1661: goto again2;
1662: }
1663: if (j < 0) {
1664: BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data));
1665: goto err;
1666: }
1667: } else {
1668: BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value);
1669: goto err;
1670: }
1671:
1672: if (push != NULL) {
1673: if (!X509_NAME_add_entry(subject, push,
1674: -1, 0)) {
1675: if (push != NULL)
1676: X509_NAME_ENTRY_free(push);
1677: BIO_printf(bio_err,
1678: "Memory allocation failure\n");
1679: goto err;
1680: }
1681: }
1682: if (j < 0)
1683: break;
1684: }
1685: }
1686:
1687: if (preserve) {
1688: X509_NAME_free(subject);
1689: /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1690: subject = X509_NAME_dup(name);
1691: if (subject == NULL)
1692: goto err;
1693: }
1694: if (verbose)
1695: BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n");
1696:
1697: /* Build the correct Subject if no e-mail is wanted in the subject */
1698: /*
1699: * and add it later on because of the method extensions are added
1700: * (altName)
1701: */
1702:
1703: if (email_dn)
1704: dn_subject = subject;
1705: else {
1706: X509_NAME_ENTRY *tmpne;
1707: /*
1708: * Its best to dup the subject DN and then delete any email
1709: * addresses because this retains its structure.
1710: */
1711: if (!(dn_subject = X509_NAME_dup(subject))) {
1712: BIO_printf(bio_err, "Memory allocation failure\n");
1713: goto err;
1714: }
1715: while ((i = X509_NAME_get_index_by_NID(dn_subject,
1716: NID_pkcs9_emailAddress, -1)) >= 0) {
1717: tmpne = X509_NAME_get_entry(dn_subject, i);
1718: X509_NAME_delete_entry(dn_subject, i);
1719: X509_NAME_ENTRY_free(tmpne);
1720: }
1721: }
1722:
1723: if (BN_is_zero(serial))
1724: row[DB_serial] = strdup("00");
1725: else
1726: row[DB_serial] = BN_bn2hex(serial);
1727: if (row[DB_serial] == NULL) {
1728: BIO_printf(bio_err, "Memory allocation failure\n");
1729: goto err;
1730: }
1731: if (db->attributes.unique_subject) {
1732: OPENSSL_STRING *crow = row;
1733:
1734: rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
1735: if (rrow != NULL) {
1736: BIO_printf(bio_err,
1737: "ERROR:There is already a certificate for %s\n",
1738: row[DB_name]);
1739: }
1740: }
1741: if (rrow == NULL) {
1742: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1743: if (rrow != NULL) {
1744: BIO_printf(bio_err,
1745: "ERROR:Serial number %s has already been issued,\n",
1746: row[DB_serial]);
1747: BIO_printf(bio_err, " check the database/serial_file for corruption\n");
1748: }
1749: }
1750: if (rrow != NULL) {
1751: BIO_printf(bio_err,
1752: "The matching entry has the following details\n");
1753: if (rrow[DB_type][0] == 'E')
1754: p = "Expired";
1755: else if (rrow[DB_type][0] == 'R')
1756: p = "Revoked";
1757: else if (rrow[DB_type][0] == 'V')
1758: p = "Valid";
1759: else
1760: p = "\ninvalid type, Data base error\n";
1761: BIO_printf(bio_err, "Type :%s\n", p);
1762: if (rrow[DB_type][0] == 'R') {
1763: p = rrow[DB_exp_date];
1764: if (p == NULL)
1765: p = "undef";
1766: BIO_printf(bio_err, "Was revoked on:%s\n", p);
1767: }
1768: p = rrow[DB_exp_date];
1769: if (p == NULL)
1770: p = "undef";
1771: BIO_printf(bio_err, "Expires on :%s\n", p);
1772: p = rrow[DB_serial];
1773: if (p == NULL)
1774: p = "undef";
1775: BIO_printf(bio_err, "Serial Number :%s\n", p);
1776: p = rrow[DB_file];
1777: if (p == NULL)
1778: p = "undef";
1779: BIO_printf(bio_err, "File name :%s\n", p);
1780: p = rrow[DB_name];
1781: if (p == NULL)
1782: p = "undef";
1783: BIO_printf(bio_err, "Subject Name :%s\n", p);
1784: ok = -1; /* This is now a 'bad' error. */
1785: goto err;
1786: }
1787: /* We are now totally happy, lets make and sign the certificate */
1788: if (verbose)
1789: BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n");
1790:
1791: if ((ret = X509_new()) == NULL)
1792: goto err;
1793: ci = ret->cert_info;
1794:
1795: #ifdef X509_V3
1796: /* Make it an X509 v3 certificate. */
1797: if (!X509_set_version(ret, 2))
1798: goto err;
1799: #endif
1800:
1.8 jsing 1801: if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
1.1 jsing 1802: goto err;
1803: if (selfsign) {
1804: if (!X509_set_issuer_name(ret, subject))
1805: goto err;
1806: } else {
1807: if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1808: goto err;
1809: }
1810:
1811: if (strcmp(startdate, "today") == 0)
1812: X509_gmtime_adj(X509_get_notBefore(ret), 0);
1813: else
1814: ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
1815:
1816: if (enddate == NULL)
1817: X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
1818: else
1819: ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
1820:
1821: if (!X509_set_subject_name(ret, subject))
1822: goto err;
1823:
1824: pktmp = X509_REQ_get_pubkey(req);
1825: i = X509_set_pubkey(ret, pktmp);
1826: EVP_PKEY_free(pktmp);
1827: if (!i)
1828: goto err;
1829:
1830: /* Lets add the extensions, if there are any */
1831: if (ext_sect) {
1832: X509V3_CTX ctx;
1833: if (ci->version == NULL)
1834: if ((ci->version = ASN1_INTEGER_new()) == NULL)
1835: goto err;
1836: ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
1837:
1838: /*
1839: * Free the current entries if any, there should not be any I
1840: * believe
1841: */
1842: if (ci->extensions != NULL)
1843: sk_X509_EXTENSION_pop_free(ci->extensions,
1844: X509_EXTENSION_free);
1845:
1846: ci->extensions = NULL;
1847:
1848: /* Initialize the context structure */
1849: if (selfsign)
1850: X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
1851: else
1852: X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
1853:
1854: if (extconf) {
1855: if (verbose)
1856: BIO_printf(bio_err,
1857: "Extra configuration file found\n");
1858:
1859: /* Use the extconf configuration db LHASH */
1860: X509V3_set_nconf(&ctx, extconf);
1861:
1862: /* Test the structure (needed?) */
1863: /* X509V3_set_ctx_test(&ctx); */
1864:
1865: /* Adds exts contained in the configuration file */
1866: if (!X509V3_EXT_add_nconf(extconf, &ctx,
1867: ext_sect, ret)) {
1868: BIO_printf(bio_err,
1869: "ERROR: adding extensions in section %s\n",
1870: ext_sect);
1871: ERR_print_errors(bio_err);
1872: goto err;
1873: }
1874: if (verbose)
1875: BIO_printf(bio_err, "Successfully added extensions from file.\n");
1876: } else if (ext_sect) {
1877: /* We found extensions to be set from config file */
1878: X509V3_set_nconf(&ctx, lconf);
1879:
1880: if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
1881: BIO_printf(bio_err,
1882: "ERROR: adding extensions in section %s\n",
1883: ext_sect);
1884: ERR_print_errors(bio_err);
1885: goto err;
1886: }
1887: if (verbose)
1888: BIO_printf(bio_err, "Successfully added extensions from config\n");
1889: }
1890: }
1891: /* Copy extensions from request (if any) */
1892:
1893: if (!copy_extensions(ret, req, ext_copy)) {
1894: BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1895: ERR_print_errors(bio_err);
1896: goto err;
1897: }
1898: /* Set the right value for the noemailDN option */
1899: if (email_dn == 0) {
1900: if (!X509_set_subject_name(ret, dn_subject))
1901: goto err;
1902: }
1903: if (!default_op) {
1904: BIO_printf(bio_err, "Certificate Details:\n");
1905: /*
1906: * Never print signature details because signature not
1907: * present
1908: */
1909: certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
1910: X509_print_ex(bio_err, ret, nameopt, certopt);
1911: }
1912: BIO_printf(bio_err, "Certificate is to be certified until ");
1913: ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
1914: if (days)
1915: BIO_printf(bio_err, " (%ld days)", days);
1916: BIO_printf(bio_err, "\n");
1917:
1918: if (!batch) {
1919:
1920: BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1921: (void) BIO_flush(bio_err);
1922: buf[0] = '\0';
1923: if (!fgets(buf, sizeof(buf) - 1, stdin)) {
1924: BIO_printf(bio_err,
1925: "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1926: ok = 0;
1927: goto err;
1928: }
1929: if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
1930: BIO_printf(bio_err,
1931: "CERTIFICATE WILL NOT BE CERTIFIED\n");
1932: ok = 0;
1933: goto err;
1934: }
1935: }
1936: pktmp = X509_get_pubkey(ret);
1937: if (EVP_PKEY_missing_parameters(pktmp) &&
1938: !EVP_PKEY_missing_parameters(pkey))
1939: EVP_PKEY_copy_parameters(pktmp, pkey);
1940: EVP_PKEY_free(pktmp);
1941:
1942: if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
1943: goto err;
1944:
1945: /* We now just add it to the database */
1946: row[DB_type] = malloc(2);
1947:
1948: tm = X509_get_notAfter(ret);
1949: row[DB_exp_date] = malloc(tm->length + 1);
1950: memcpy(row[DB_exp_date], tm->data, tm->length);
1951: row[DB_exp_date][tm->length] = '\0';
1952:
1953: row[DB_rev_date] = NULL;
1954:
1955: /* row[DB_serial] done already */
1956: row[DB_file] = malloc(8);
1957: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
1958:
1959: if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
1960: (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
1961: BIO_printf(bio_err, "Memory allocation failure\n");
1962: goto err;
1963: }
1964: (void) strlcpy(row[DB_file], "unknown", 8);
1965: row[DB_type][0] = 'V';
1966: row[DB_type][1] = '\0';
1967:
1968: if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
1969: NULL) {
1970: BIO_printf(bio_err, "Memory allocation failure\n");
1971: goto err;
1972: }
1973: for (i = 0; i < DB_NUMBER; i++) {
1974: irow[i] = row[i];
1975: row[i] = NULL;
1976: }
1977: irow[DB_NUMBER] = NULL;
1978:
1979: if (!TXT_DB_insert(db->db, irow)) {
1980: BIO_printf(bio_err, "failed to update database\n");
1981: BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1982: goto err;
1983: }
1984: ok = 1;
1985: err:
1986: for (i = 0; i < DB_NUMBER; i++)
1987: free(row[i]);
1988:
1989: if (CAname != NULL)
1990: X509_NAME_free(CAname);
1991: if (subject != NULL)
1992: X509_NAME_free(subject);
1993: if ((dn_subject != NULL) && !email_dn)
1994: X509_NAME_free(dn_subject);
1995: if (tmptm != NULL)
1996: ASN1_UTCTIME_free(tmptm);
1997: if (ok <= 0) {
1998: if (ret != NULL)
1999: X509_free(ret);
2000: ret = NULL;
2001: } else
2002: *xret = ret;
2003: return (ok);
2004: }
2005:
2006: static void
2007: write_new_certificate(BIO * bp, X509 * x, int output_der, int notext)
2008: {
2009: if (output_der) {
2010: (void) i2d_X509_bio(bp, x);
2011: return;
2012: }
2013: if (!notext)
2014: X509_print(bp, x);
2015: PEM_write_bio_X509(bp, x);
2016: }
2017:
2018: static int
2019: certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2020: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
2021: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
2022: unsigned long chtype, int multirdn, int email_dn, char *startdate,
2023: char *enddate, long days, char *ext_sect, CONF * lconf, int verbose,
2024: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2025: {
2026: STACK_OF(CONF_VALUE) * sk = NULL;
2027: LHASH_OF(CONF_VALUE) * parms = NULL;
2028: X509_REQ *req = NULL;
2029: CONF_VALUE *cv = NULL;
2030: NETSCAPE_SPKI *spki = NULL;
2031: X509_REQ_INFO *ri;
2032: char *type, *buf;
2033: EVP_PKEY *pktmp = NULL;
2034: X509_NAME *n = NULL;
2035: int ok = -1, i, j;
2036: long errline;
2037: int nid;
2038:
2039: /*
2040: * Load input file into a hash table. (This is just an easy
2041: * way to read and parse the file, then put it into a convenient
2042: * STACK format).
2043: */
2044: parms = CONF_load(NULL, infile, &errline);
2045: if (parms == NULL) {
2046: BIO_printf(bio_err, "error on line %ld of %s\n",
2047: errline, infile);
2048: ERR_print_errors(bio_err);
2049: goto err;
2050: }
2051: sk = CONF_get_section(parms, "default");
2052: if (sk_CONF_VALUE_num(sk) == 0) {
2053: BIO_printf(bio_err, "no name/value pairs found in %s\n",
2054: infile);
2055: CONF_free(parms);
2056: goto err;
2057: }
2058: /*
2059: * Now create a dummy X509 request structure. We don't actually
2060: * have an X509 request, but we have many of the components
2061: * (a public key, various DN components). The idea is that we
2062: * put these components into the right X509 request structure
2063: * and we can use the same code as if you had a real X509 request.
2064: */
2065: req = X509_REQ_new();
2066: if (req == NULL) {
2067: ERR_print_errors(bio_err);
2068: goto err;
2069: }
2070: /*
2071: * Build up the subject name set.
2072: */
2073: ri = req->req_info;
2074: n = ri->subject;
2075:
2076: for (i = 0;; i++) {
2077: if (sk_CONF_VALUE_num(sk) <= i)
2078: break;
2079:
2080: cv = sk_CONF_VALUE_value(sk, i);
2081: type = cv->name;
2082: /*
2083: * Skip past any leading X. X: X, etc to allow for multiple
2084: * instances
2085: */
2086: for (buf = cv->name; *buf; buf++) {
2087: if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2088: buf++;
2089: if (*buf)
2090: type = buf;
2091: break;
2092: }
2093: }
2094:
2095: buf = cv->value;
2096: if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2097: if (strcmp(type, "SPKAC") == 0) {
2098: spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2099: if (spki == NULL) {
2100: BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n");
2101: ERR_print_errors(bio_err);
2102: goto err;
2103: }
2104: }
2105: continue;
2106: }
2107: if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2108: (unsigned char *)buf, -1, -1, 0))
2109: goto err;
2110: }
2111: if (spki == NULL) {
2112: BIO_printf(bio_err,
2113: "Netscape SPKAC structure not found in %s\n", infile);
2114: goto err;
2115: }
2116: /*
2117: * Now extract the key from the SPKI structure.
2118: */
2119:
2120: BIO_printf(bio_err,
2121: "Check that the SPKAC request matches the signature\n");
2122:
2123: if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2124: BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2125: goto err;
2126: }
2127: j = NETSCAPE_SPKI_verify(spki, pktmp);
2128: if (j <= 0) {
2129: BIO_printf(bio_err,
2130: "signature verification failed on SPKAC public key\n");
2131: goto err;
2132: }
2133: BIO_printf(bio_err, "Signature ok\n");
2134:
2135: X509_REQ_set_pubkey(req, pktmp);
2136: EVP_PKEY_free(pktmp);
2137: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2138: subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2139: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2140: ext_copy, 0);
2141:
2142: err:
2143: if (req != NULL)
2144: X509_REQ_free(req);
2145: if (parms != NULL)
2146: CONF_free(parms);
2147: if (spki != NULL)
2148: NETSCAPE_SPKI_free(spki);
2149:
2150: return (ok);
2151: }
2152:
2153: static int
2154: check_time_format(const char *str)
2155: {
2156: return ASN1_TIME_set_string(NULL, str);
2157: }
2158:
2159: static int
2160: do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2161: {
2162: ASN1_UTCTIME *tm = NULL;
2163: char *row[DB_NUMBER], **rrow, **irow;
2164: char *rev_str = NULL;
2165: BIGNUM *bn = NULL;
2166: int ok = -1, i;
2167:
2168: for (i = 0; i < DB_NUMBER; i++)
2169: row[i] = NULL;
2170: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2171: bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2172: if (!bn)
2173: goto err;
2174: if (BN_is_zero(bn))
2175: row[DB_serial] = strdup("00");
2176: else
2177: row[DB_serial] = BN_bn2hex(bn);
2178: BN_free(bn);
2179: if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2180: BIO_printf(bio_err, "Memory allocation failure\n");
2181: goto err;
2182: }
2183: /*
2184: * We have to lookup by serial number because name lookup skips
2185: * revoked certs
2186: */
2187: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2188: if (rrow == NULL) {
2189: BIO_printf(bio_err,
2190: "Adding Entry with serial number %s to DB for %s\n",
2191: row[DB_serial], row[DB_name]);
2192:
2193: /* We now just add it to the database */
2194: row[DB_type] = malloc(2);
2195:
2196: tm = X509_get_notAfter(x509);
2197: row[DB_exp_date] = malloc(tm->length + 1);
2198: memcpy(row[DB_exp_date], tm->data, tm->length);
2199: row[DB_exp_date][tm->length] = '\0';
2200:
2201: row[DB_rev_date] = NULL;
2202:
2203: /* row[DB_serial] done already */
2204: row[DB_file] = malloc(8);
2205:
2206: /* row[DB_name] done already */
2207:
2208: if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2209: (row[DB_file] == NULL)) {
2210: BIO_printf(bio_err, "Memory allocation failure\n");
2211: goto err;
2212: }
2213: (void) strlcpy(row[DB_file], "unknown", 8);
2214: row[DB_type][0] = 'V';
2215: row[DB_type][1] = '\0';
2216:
2217: if ((irow = reallocarray(NULL, sizeof(char *),
2218: (DB_NUMBER + 1))) == NULL) {
2219: BIO_printf(bio_err, "Memory allocation failure\n");
2220: goto err;
2221: }
2222: for (i = 0; i < DB_NUMBER; i++) {
2223: irow[i] = row[i];
2224: row[i] = NULL;
2225: }
2226: irow[DB_NUMBER] = NULL;
2227:
2228: if (!TXT_DB_insert(db->db, irow)) {
2229: BIO_printf(bio_err, "failed to update database\n");
2230: BIO_printf(bio_err, "TXT_DB error number %ld\n",
2231: db->db->error);
2232: goto err;
2233: }
2234: /* Revoke Certificate */
2235: ok = do_revoke(x509, db, type, value);
2236:
2237: goto err;
2238:
2239: } else if (index_name_cmp_noconst(row, rrow)) {
2240: BIO_printf(bio_err, "ERROR:name does not match %s\n",
2241: row[DB_name]);
2242: goto err;
2243: } else if (rrow[DB_type][0] == 'R') {
2244: BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2245: row[DB_serial]);
2246: goto err;
2247: } else {
2248: BIO_printf(bio_err, "Revoking Certificate %s.\n",
2249: rrow[DB_serial]);
2250: rev_str = make_revocation_str(type, value);
2251: if (!rev_str) {
2252: BIO_printf(bio_err, "Error in revocation arguments\n");
2253: goto err;
2254: }
2255: rrow[DB_type][0] = 'R';
2256: rrow[DB_type][1] = '\0';
2257: rrow[DB_rev_date] = rev_str;
2258: }
2259: ok = 1;
2260:
2261: err:
2262: for (i = 0; i < DB_NUMBER; i++)
2263: free(row[i]);
2264:
2265: return (ok);
2266: }
2267:
2268: static int
2269: get_certificate_status(const char *serial, CA_DB * db)
2270: {
2271: char *row[DB_NUMBER], **rrow;
2272: int ok = -1, i;
2273:
2274: /* Free Resources */
2275: for (i = 0; i < DB_NUMBER; i++)
2276: row[i] = NULL;
2277:
2278: /* Malloc needed char spaces */
2279: row[DB_serial] = malloc(strlen(serial) + 2);
2280: if (row[DB_serial] == NULL) {
2281: BIO_printf(bio_err, "Malloc failure\n");
2282: goto err;
2283: }
2284: if (strlen(serial) % 2) {
2285: /* Set the first char to 0 */ ;
2286: row[DB_serial][0] = '0';
2287:
2288: /* Copy String from serial to row[DB_serial] */
2289: memcpy(row[DB_serial] + 1, serial, strlen(serial));
2290: row[DB_serial][strlen(serial) + 1] = '\0';
2291: } else {
2292: /* Copy String from serial to row[DB_serial] */
2293: memcpy(row[DB_serial], serial, strlen(serial));
2294: row[DB_serial][strlen(serial)] = '\0';
2295: }
2296:
2297: /* Make it Upper Case */
2298: for (i = 0; row[DB_serial][i] != '\0'; i++)
2299: row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2300:
2301:
2302: ok = 1;
2303:
2304: /* Search for the certificate */
2305: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2306: if (rrow == NULL) {
2307: BIO_printf(bio_err, "Serial %s not present in db.\n",
2308: row[DB_serial]);
2309: ok = -1;
2310: goto err;
2311: } else if (rrow[DB_type][0] == 'V') {
2312: BIO_printf(bio_err, "%s=Valid (%c)\n",
2313: row[DB_serial], rrow[DB_type][0]);
2314: goto err;
2315: } else if (rrow[DB_type][0] == 'R') {
2316: BIO_printf(bio_err, "%s=Revoked (%c)\n",
2317: row[DB_serial], rrow[DB_type][0]);
2318: goto err;
2319: } else if (rrow[DB_type][0] == 'E') {
2320: BIO_printf(bio_err, "%s=Expired (%c)\n",
2321: row[DB_serial], rrow[DB_type][0]);
2322: goto err;
2323: } else if (rrow[DB_type][0] == 'S') {
2324: BIO_printf(bio_err, "%s=Suspended (%c)\n",
2325: row[DB_serial], rrow[DB_type][0]);
2326: goto err;
2327: } else {
2328: BIO_printf(bio_err, "%s=Unknown (%c).\n",
2329: row[DB_serial], rrow[DB_type][0]);
2330: ok = -1;
2331: }
2332:
2333: err:
2334: for (i = 0; i < DB_NUMBER; i++)
2335: free(row[i]);
2336:
2337: return (ok);
2338: }
2339:
2340: static int
2341: do_updatedb(CA_DB * db)
2342: {
2343: ASN1_UTCTIME *a_tm = NULL;
2344: int i, cnt = 0;
2345: int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2346: char **rrow, *a_tm_s;
2347:
2348: a_tm = ASN1_UTCTIME_new();
2349:
2350: /* get actual time and make a string */
2351: a_tm = X509_gmtime_adj(a_tm, 0);
2352: a_tm_s = malloc(a_tm->length + 1);
2353: if (a_tm_s == NULL) {
2354: cnt = -1;
2355: goto err;
2356: }
2357: memcpy(a_tm_s, a_tm->data, a_tm->length);
2358: a_tm_s[a_tm->length] = '\0';
2359:
2360: if (strncmp(a_tm_s, "49", 2) <= 0)
2361: a_y2k = 1;
2362: else
2363: a_y2k = 0;
2364:
2365: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2366: rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2367:
2368: if (rrow[DB_type][0] == 'V') {
2369: /* ignore entries that are not valid */
2370: if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2371: db_y2k = 1;
2372: else
2373: db_y2k = 0;
2374:
2375: if (db_y2k == a_y2k) {
2376: /* all on the same y2k side */
2377: if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2378: rrow[DB_type][0] = 'E';
2379: rrow[DB_type][1] = '\0';
2380: cnt++;
2381:
2382: BIO_printf(bio_err, "%s=Expired\n",
2383: rrow[DB_serial]);
2384: }
2385: } else if (db_y2k < a_y2k) {
2386: rrow[DB_type][0] = 'E';
2387: rrow[DB_type][1] = '\0';
2388: cnt++;
2389:
2390: BIO_printf(bio_err, "%s=Expired\n",
2391: rrow[DB_serial]);
2392: }
2393: }
2394: }
2395:
2396: err:
2397: ASN1_UTCTIME_free(a_tm);
2398: free(a_tm_s);
2399:
2400: return (cnt);
2401: }
2402:
2403: static const char *crl_reasons[] = {
2404: /* CRL reason strings */
2405: "unspecified",
2406: "keyCompromise",
2407: "CACompromise",
2408: "affiliationChanged",
2409: "superseded",
2410: "cessationOfOperation",
2411: "certificateHold",
2412: "removeFromCRL",
2413: /* Additional pseudo reasons */
2414: "holdInstruction",
2415: "keyTime",
2416: "CAkeyTime"
2417: };
2418:
2419: #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2420:
2421: /* Given revocation information convert to a DB string.
2422: * The format of the string is:
2423: * revtime[,reason,extra]. Where 'revtime' is the
2424: * revocation time (the current time). 'reason' is the
2425: * optional CRL reason and 'extra' is any additional
2426: * argument
2427: */
2428:
2429: char *
2430: make_revocation_str(int rev_type, char *rev_arg)
2431: {
2432: char *other = NULL, *str;
2433: const char *reason = NULL;
2434: ASN1_OBJECT *otmp;
2435: ASN1_UTCTIME *revtm = NULL;
2436: int i;
2437: switch (rev_type) {
2438: case REV_NONE:
2439: break;
2440:
2441: case REV_CRL_REASON:
2442: for (i = 0; i < 8; i++) {
2443: if (!strcasecmp(rev_arg, crl_reasons[i])) {
2444: reason = crl_reasons[i];
2445: break;
2446: }
2447: }
2448: if (reason == NULL) {
2449: BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2450: return NULL;
2451: }
2452: break;
2453:
2454: case REV_HOLD:
2455: /* Argument is an OID */
2456:
2457: otmp = OBJ_txt2obj(rev_arg, 0);
2458: ASN1_OBJECT_free(otmp);
2459:
2460: if (otmp == NULL) {
2461: BIO_printf(bio_err,
2462: "Invalid object identifier %s\n", rev_arg);
2463: return NULL;
2464: }
2465: reason = "holdInstruction";
2466: other = rev_arg;
2467: break;
2468:
2469: case REV_KEY_COMPROMISE:
2470: case REV_CA_COMPROMISE:
2471:
2472: /* Argument is the key compromise time */
2473: if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2474: BIO_printf(bio_err,
2475: "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2476: rev_arg);
2477: return NULL;
2478: }
2479: other = rev_arg;
2480: if (rev_type == REV_KEY_COMPROMISE)
2481: reason = "keyTime";
2482: else
2483: reason = "CAkeyTime";
2484:
2485: break;
2486:
2487: }
2488:
2489: revtm = X509_gmtime_adj(NULL, 0);
2490: if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2491: reason ? "," : "", reason ? reason : "",
2492: other ? "," : "", other ? other : "") == -1)
2493: str = NULL;
2494: ASN1_UTCTIME_free(revtm);
2495: return str;
2496: }
2497:
2498: /* Convert revocation field to X509_REVOKED entry
2499: * return code:
2500: * 0 error
2501: * 1 OK
2502: * 2 OK and some extensions added (i.e. V2 CRL)
2503: */
2504:
2505: int
2506: make_revoked(X509_REVOKED * rev, const char *str)
2507: {
2508: char *tmp = NULL;
2509: int reason_code = -1;
2510: int i, ret = 0;
2511: ASN1_OBJECT *hold = NULL;
2512: ASN1_GENERALIZEDTIME *comp_time = NULL;
2513: ASN1_ENUMERATED *rtmp = NULL;
2514:
2515: ASN1_TIME *revDate = NULL;
2516:
2517: i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2518:
2519: if (i == 0)
2520: goto err;
2521:
2522: if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2523: goto err;
2524:
2525: if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2526: rtmp = ASN1_ENUMERATED_new();
2527: if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2528: goto err;
2529: if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2530: goto err;
2531: }
2532: if (rev && comp_time) {
2533: if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2534: comp_time, 0, 0))
2535: goto err;
2536: }
2537: if (rev && hold) {
2538: if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2539: hold, 0, 0))
2540: goto err;
2541: }
2542: if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2543: ret = 2;
2544: else
2545: ret = 1;
2546:
2547: err:
2548: free(tmp);
2549:
2550: ASN1_OBJECT_free(hold);
2551: ASN1_GENERALIZEDTIME_free(comp_time);
2552: ASN1_ENUMERATED_free(rtmp);
2553: ASN1_TIME_free(revDate);
2554:
2555: return ret;
2556: }
2557:
2558: int
2559: old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
2560: {
2561: char buf[25], *pbuf, *p;
2562: int j;
2563:
2564: j = i2a_ASN1_OBJECT(bp, obj);
2565: pbuf = buf;
2566: for (j = 22 - j; j > 0; j--)
2567: *(pbuf++) = ' ';
2568: *(pbuf++) = ':';
2569: *(pbuf++) = '\0';
2570: BIO_puts(bp, buf);
2571:
2572: if (str->type == V_ASN1_PRINTABLESTRING)
2573: BIO_printf(bp, "PRINTABLE:'");
2574: else if (str->type == V_ASN1_T61STRING)
2575: BIO_printf(bp, "T61STRING:'");
2576: else if (str->type == V_ASN1_IA5STRING)
2577: BIO_printf(bp, "IA5STRING:'");
2578: else if (str->type == V_ASN1_UNIVERSALSTRING)
2579: BIO_printf(bp, "UNIVERSALSTRING:'");
2580: else
2581: BIO_printf(bp, "ASN.1 %2d:'", str->type);
2582:
2583: p = (char *) str->data;
2584: for (j = str->length; j > 0; j--) {
2585: if ((*p >= ' ') && (*p <= '~'))
2586: BIO_printf(bp, "%c", *p);
2587: else if (*p & 0x80)
2588: BIO_printf(bp, "\\0x%02X", *p);
2589: else if ((unsigned char) *p == 0xf7)
2590: BIO_printf(bp, "^?");
2591: else
2592: BIO_printf(bp, "^%c", *p + '@');
2593: p++;
2594: }
2595: BIO_printf(bp, "'\n");
2596: return 1;
2597: }
2598:
2599: int
2600: unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2601: ASN1_GENERALIZEDTIME ** pinvtm, const char *str)
2602: {
2603: char *tmp = NULL;
2604: char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2605: int reason_code = -1;
2606: int ret = 0;
2607: unsigned int i;
2608: ASN1_OBJECT *hold = NULL;
2609: ASN1_GENERALIZEDTIME *comp_time = NULL;
2610:
2611: if ((tmp = strdup(str)) == NULL) {
2612: BIO_printf(bio_err, "malloc failed\n");
2613: goto err;
2614: }
2615: p = strchr(tmp, ',');
2616: rtime_str = tmp;
2617:
2618: if (p) {
2619: *p = '\0';
2620: p++;
2621: reason_str = p;
2622: p = strchr(p, ',');
2623: if (p) {
2624: *p = '\0';
2625: arg_str = p + 1;
2626: }
2627: }
2628: if (prevtm) {
2629: *prevtm = ASN1_UTCTIME_new();
2630: if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2631: BIO_printf(bio_err, "invalid revocation date %s\n",
2632: rtime_str);
2633: goto err;
2634: }
2635: }
2636: if (reason_str) {
2637: for (i = 0; i < NUM_REASONS; i++) {
2638: if (!strcasecmp(reason_str, crl_reasons[i])) {
2639: reason_code = i;
2640: break;
2641: }
2642: }
2643: if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2644: BIO_printf(bio_err, "invalid reason code %s\n",
2645: reason_str);
2646: goto err;
2647: }
2648: if (reason_code == 7)
2649: reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2650: else if (reason_code == 8) { /* Hold instruction */
2651: if (!arg_str) {
2652: BIO_printf(bio_err,
2653: "missing hold instruction\n");
2654: goto err;
2655: }
2656: reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2657: hold = OBJ_txt2obj(arg_str, 0);
2658:
2659: if (!hold) {
2660: BIO_printf(bio_err,
2661: "invalid object identifier %s\n", arg_str);
2662: goto err;
2663: }
2664: if (phold)
2665: *phold = hold;
2666: } else if ((reason_code == 9) || (reason_code == 10)) {
2667: if (!arg_str) {
2668: BIO_printf(bio_err,
2669: "missing compromised time\n");
2670: goto err;
2671: }
2672: comp_time = ASN1_GENERALIZEDTIME_new();
2673: if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2674: arg_str)) {
2675: BIO_printf(bio_err,
2676: "invalid compromised time %s\n", arg_str);
2677: goto err;
2678: }
2679: if (reason_code == 9)
2680: reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2681: else
2682: reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2683: }
2684: }
2685: if (preason)
2686: *preason = reason_code;
2687: if (pinvtm)
2688: *pinvtm = comp_time;
2689: else
2690: ASN1_GENERALIZEDTIME_free(comp_time);
2691:
2692: ret = 1;
2693:
2694: err:
2695: free(tmp);
2696:
2697: if (!phold)
2698: ASN1_OBJECT_free(hold);
2699: if (!pinvtm)
2700: ASN1_GENERALIZEDTIME_free(comp_time);
2701:
2702: return ret;
2703: }
2704:
2705: static char *
2706: bin2hex(unsigned char * data, size_t len)
2707: {
2708: char *ret = NULL;
2709: char hex[] = "0123456789ABCDEF";
2710: int i;
2711:
2712: if ((ret = malloc(len * 2 + 1))) {
2713: for (i = 0; i < len; i++) {
2714: ret[i * 2 + 0] = hex[data[i] >> 4];
2715: ret[i * 2 + 1] = hex[data[i] & 0x0F];
2716: }
2717: ret[len * 2] = '\0';
2718: }
2719: return ret;
2720: }