Annotation of src/usr.bin/openssl/ca.c, Revision 1.20
1.20 ! mmcc 1: /* $OpenBSD: ca.c,v 1.19 2015/10/17 15:00:11 doug Exp $ */
1.1 jsing 2: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3: * All rights reserved.
4: *
5: * This package is an SSL implementation written
6: * by Eric Young (eay@cryptsoft.com).
7: * The implementation was written so as to conform with Netscapes SSL.
8: *
9: * This library is free for commercial and non-commercial use as long as
10: * the following conditions are aheared to. The following conditions
11: * apply to all code found in this distribution, be it the RC4, RSA,
12: * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13: * included with this distribution is covered by the same copyright terms
14: * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15: *
16: * Copyright remains Eric Young's, and as such any Copyright notices in
17: * the code are not to be removed.
18: * If this package is used in a product, Eric Young should be given attribution
19: * as the author of the parts of the library used.
20: * This can be in the form of a textual message at program startup or
21: * in documentation (online or textual) provided with the package.
22: *
23: * Redistribution and use in source and binary forms, with or without
24: * modification, are permitted provided that the following conditions
25: * are met:
26: * 1. Redistributions of source code must retain the copyright
27: * notice, this list of conditions and the following disclaimer.
28: * 2. Redistributions in binary form must reproduce the above copyright
29: * notice, this list of conditions and the following disclaimer in the
30: * documentation and/or other materials provided with the distribution.
31: * 3. All advertising materials mentioning features or use of this software
32: * must display the following acknowledgement:
33: * "This product includes cryptographic software written by
34: * Eric Young (eay@cryptsoft.com)"
35: * The word 'cryptographic' can be left out if the rouines from the library
36: * being used are not cryptographic related :-).
37: * 4. If you include any Windows specific code (or a derivative thereof) from
38: * the apps directory (application code) you must include an acknowledgement:
39: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40: *
41: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51: * SUCH DAMAGE.
52: *
53: * The licence and distribution terms for any publically available version or
54: * derivative of this code cannot be changed. i.e. this code cannot simply be
55: * copied and put under another distribution licence
56: * [including the GNU Public Licence.]
57: */
58:
59: /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60:
61: #include <sys/types.h>
62:
63: #include <ctype.h>
64: #include <stdio.h>
65: #include <stdlib.h>
66: #include <limits.h>
67: #include <string.h>
68: #include <unistd.h>
69:
70: #include "apps.h"
71:
72: #include <openssl/bio.h>
73: #include <openssl/bn.h>
74: #include <openssl/conf.h>
75: #include <openssl/err.h>
76: #include <openssl/evp.h>
77: #include <openssl/objects.h>
78: #include <openssl/ocsp.h>
79: #include <openssl/pem.h>
80: #include <openssl/txt_db.h>
81: #include <openssl/x509.h>
82: #include <openssl/x509v3.h>
83:
84: #define BASE_SECTION "ca"
85:
86: #define ENV_DEFAULT_CA "default_ca"
87:
88: #define STRING_MASK "string_mask"
89: #define UTF8_IN "utf8"
90:
91: #define ENV_NEW_CERTS_DIR "new_certs_dir"
92: #define ENV_CERTIFICATE "certificate"
93: #define ENV_SERIAL "serial"
94: #define ENV_CRLNUMBER "crlnumber"
95: #define ENV_PRIVATE_KEY "private_key"
96: #define ENV_DEFAULT_DAYS "default_days"
97: #define ENV_DEFAULT_STARTDATE "default_startdate"
98: #define ENV_DEFAULT_ENDDATE "default_enddate"
99: #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
100: #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
101: #define ENV_DEFAULT_MD "default_md"
102: #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
103: #define ENV_PRESERVE "preserve"
104: #define ENV_POLICY "policy"
105: #define ENV_EXTENSIONS "x509_extensions"
106: #define ENV_CRLEXT "crl_extensions"
107: #define ENV_MSIE_HACK "msie_hack"
108: #define ENV_NAMEOPT "name_opt"
109: #define ENV_CERTOPT "cert_opt"
110: #define ENV_EXTCOPY "copy_extensions"
111: #define ENV_UNIQUE_SUBJECT "unique_subject"
112:
113: #define ENV_DATABASE "database"
114:
115: /* Additional revocation information types */
116:
117: #define REV_NONE 0 /* No addditional information */
118: #define REV_CRL_REASON 1 /* Value is CRL reason code */
119: #define REV_HOLD 2 /* Value is hold instruction */
120: #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121: #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122:
123: static const char *ca_usage[] = {
124: "usage: ca args\n",
125: "\n",
126: " -verbose - Talk a lot while doing things\n",
127: " -config file - A config file\n",
128: " -name arg - The particular CA definition to use\n",
129: " -gencrl - Generate a new CRL\n",
130: " -crldays days - Days is when the next CRL is due\n",
131: " -crlhours hours - Hours is when the next CRL is due\n",
132: " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
133: " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
134: " -days arg - number of days to certify the certificate for\n",
1.15 bcook 135: " -md arg - md to use, one of md5 or sha1\n",
1.1 jsing 136: " -policy arg - The CA 'policy' to support\n",
137: " -keyfile arg - private key file\n",
1.12 bcook 138: " -keyform arg - private key file format (PEM)\n",
1.1 jsing 139: " -key arg - key to decode the private key if it is encrypted\n",
140: " -cert file - The CA certificate\n",
141: " -selfsign - sign a certificate with the key associated with it\n",
142: " -in file - The input PEM encoded certificate request(s)\n",
143: " -out file - Where to put the output file(s)\n",
144: " -outdir dir - Where to put output certificates\n",
145: " -infiles .... - The last argument, requests to process\n",
146: " -spkac file - File contains DN and signed public key and challenge\n",
147: " -ss_cert file - File contains a self signed cert to sign\n",
148: " -preserveDN - Don't re-order the DN\n",
149: " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
150: " -batch - Don't ask questions\n",
151: " -msie_hack - msie modifications to handle all those universal strings\n",
152: " -revoke file - Revoke a certificate (given in file)\n",
153: " -subj arg - Use arg instead of request's subject\n",
154: " -utf8 - input characters are UTF8 (default ASCII)\n",
155: " -multivalue-rdn - enable support for multivalued RDNs\n",
156: " -extensions .. - Extension section (override value in config file)\n",
157: " -extfile file - Configuration file with X509v3 extentions to add\n",
158: " -crlexts .. - CRL extension section (override value in config file)\n",
159: " -status serial - Shows certificate status given the serial number\n",
160: " -updatedb - Updates db for expired certificates\n",
161: NULL
162: };
163:
164: static void lookup_fail(const char *name, const char *tag);
165: static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
166: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
167: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
168: unsigned long chtype, int multirdn, int email_dn, char *startdate,
169: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
170: int verbose, unsigned long certopt, unsigned long nameopt,
171: int default_op, int ext_copy, int selfsign);
172: static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
173: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
174: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
175: unsigned long chtype, int multirdn, int email_dn, char *startdate,
176: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
177: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1.12 bcook 178: int ext_copy);
1.1 jsing 179: static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
180: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
181: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
182: unsigned long chtype, int multirdn, int email_dn, char *startdate,
183: char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
184: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
185: static void write_new_certificate(BIO * bp, X509 * x, int output_der,
186: int notext);
187: static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
188: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
189: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
190: unsigned long chtype, int multirdn, int email_dn, char *startdate,
191: char *enddate, long days, int batch, int verbose, X509_REQ * req,
192: char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
193: int default_op, int ext_copy, int selfsign);
194: static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
195: static int get_certificate_status(const char *ser_status, CA_DB * db);
196: static int do_updatedb(CA_DB * db);
197: static int check_time_format(const char *str);
198: static char * bin2hex(unsigned char *, size_t);
199: char *make_revocation_str(int rev_type, char *rev_arg);
200: int make_revoked(X509_REVOKED * rev, const char *str);
201: int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
202: static CONF *conf = NULL;
203: static CONF *extconf = NULL;
204: static char *section = NULL;
205:
206: static int preserve = 0;
207: static int msie_hack = 0;
208:
209:
210: int
211: ca_main(int argc, char **argv)
212: {
213: char *key = NULL, *passargin = NULL;
214: int create_ser = 0;
215: int free_key = 0;
216: int total = 0;
217: int total_done = 0;
218: int badops = 0;
219: int ret = 1;
220: int email_dn = 1;
221: int req = 0;
222: int verbose = 0;
223: int gencrl = 0;
224: int dorevoke = 0;
225: int doupdatedb = 0;
226: long crldays = 0;
227: long crlhours = 0;
228: long crlsec = 0;
229: long errorline = -1;
230: char *configfile = NULL;
231: char *md = NULL;
232: char *policy = NULL;
233: char *keyfile = NULL;
234: char *certfile = NULL;
235: int keyform = FORMAT_PEM;
236: char *infile = NULL;
237: char *spkac_file = NULL;
238: char *ss_cert_file = NULL;
239: char *ser_status = NULL;
240: EVP_PKEY *pkey = NULL;
241: int output_der = 0;
242: char *outfile = NULL;
243: char *outdir = NULL;
244: char *serialfile = NULL;
245: char *crlnumberfile = NULL;
246: char *extensions = NULL;
247: char *extfile = NULL;
248: char *subj = NULL;
249: unsigned long chtype = MBSTRING_ASC;
250: int multirdn = 0;
251: char *tmp_email_dn = NULL;
252: char *crl_ext = NULL;
253: int rev_type = REV_NONE;
254: char *rev_arg = NULL;
255: BIGNUM *serial = NULL;
256: BIGNUM *crlnumber = NULL;
257: char *startdate = NULL;
258: char *enddate = NULL;
259: long days = 0;
260: int batch = 0;
261: int notext = 0;
262: unsigned long nameopt = 0, certopt = 0;
263: int default_op = 1;
264: int ext_copy = EXT_COPY_NONE;
265: int selfsign = 0;
266: X509 *x509 = NULL, *x509p = NULL;
267: X509 *x = NULL;
268: BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
269: char *dbfile = NULL;
270: CA_DB *db = NULL;
271: X509_CRL *crl = NULL;
272: X509_REVOKED *r = NULL;
273: ASN1_TIME *tmptm;
274: ASN1_INTEGER *tmpser;
275: char *f;
276: const char *p;
277: char *const * pp;
278: int i, j;
279: const EVP_MD *dgst = NULL;
280: STACK_OF(CONF_VALUE) * attribs = NULL;
281: STACK_OF(X509) * cert_sk = NULL;
282: STACK_OF(OPENSSL_STRING) * sigopts = NULL;
1.4 bcook 283: #define BUFLEN 256
284: char buf[3][BUFLEN];
1.1 jsing 285: char *tofree = NULL;
286: const char *errstr = NULL;
287: DB_ATTR db_attr;
1.17 doug 288:
289: if (single_execution) {
1.19 doug 290: if (pledge("stdio rpath wpath cpath tty", NULL) == -1) {
1.17 doug 291: perror("pledge");
1.19 doug 292: exit(1);
293: }
1.17 doug 294: }
1.1 jsing 295:
296: conf = NULL;
297: key = NULL;
298: section = NULL;
299:
300: preserve = 0;
301: msie_hack = 0;
302:
303: argc--;
304: argv++;
305: while (argc >= 1) {
306: if (strcmp(*argv, "-verbose") == 0)
307: verbose = 1;
308: else if (strcmp(*argv, "-config") == 0) {
309: if (--argc < 1)
310: goto bad;
311: configfile = *(++argv);
312: } else if (strcmp(*argv, "-name") == 0) {
313: if (--argc < 1)
314: goto bad;
315: section = *(++argv);
316: } else if (strcmp(*argv, "-subj") == 0) {
317: if (--argc < 1)
318: goto bad;
319: subj = *(++argv);
320: /* preserve=1; */
321: } else if (strcmp(*argv, "-utf8") == 0)
322: chtype = MBSTRING_UTF8;
323: else if (strcmp(*argv, "-create_serial") == 0)
324: create_ser = 1;
325: else if (strcmp(*argv, "-multivalue-rdn") == 0)
326: multirdn = 1;
327: else if (strcmp(*argv, "-startdate") == 0) {
328: if (--argc < 1)
329: goto bad;
330: startdate = *(++argv);
331: } else if (strcmp(*argv, "-enddate") == 0) {
332: if (--argc < 1)
333: goto bad;
334: enddate = *(++argv);
335: } else if (strcmp(*argv, "-days") == 0) {
336: if (--argc < 1)
337: goto bad;
338: days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
339: if (errstr)
340: goto bad;
341: } else if (strcmp(*argv, "-md") == 0) {
342: if (--argc < 1)
343: goto bad;
344: md = *(++argv);
345: } else if (strcmp(*argv, "-policy") == 0) {
346: if (--argc < 1)
347: goto bad;
348: policy = *(++argv);
349: } else if (strcmp(*argv, "-keyfile") == 0) {
350: if (--argc < 1)
351: goto bad;
352: keyfile = *(++argv);
353: } else if (strcmp(*argv, "-keyform") == 0) {
354: if (--argc < 1)
355: goto bad;
356: keyform = str2fmt(*(++argv));
357: } else if (strcmp(*argv, "-passin") == 0) {
358: if (--argc < 1)
359: goto bad;
360: passargin = *(++argv);
361: } else if (strcmp(*argv, "-key") == 0) {
362: if (--argc < 1)
363: goto bad;
364: key = *(++argv);
365: } else if (strcmp(*argv, "-cert") == 0) {
366: if (--argc < 1)
367: goto bad;
368: certfile = *(++argv);
369: } else if (strcmp(*argv, "-selfsign") == 0)
370: selfsign = 1;
371: else if (strcmp(*argv, "-in") == 0) {
372: if (--argc < 1)
373: goto bad;
374: infile = *(++argv);
375: req = 1;
376: } else if (strcmp(*argv, "-out") == 0) {
377: if (--argc < 1)
378: goto bad;
379: outfile = *(++argv);
380: } else if (strcmp(*argv, "-outdir") == 0) {
381: if (--argc < 1)
382: goto bad;
383: outdir = *(++argv);
384: } else if (strcmp(*argv, "-sigopt") == 0) {
385: if (--argc < 1)
386: goto bad;
387: if (!sigopts)
388: sigopts = sk_OPENSSL_STRING_new_null();
389: if (!sigopts ||
390: !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
391: goto bad;
392: } else if (strcmp(*argv, "-notext") == 0)
393: notext = 1;
394: else if (strcmp(*argv, "-batch") == 0)
395: batch = 1;
396: else if (strcmp(*argv, "-preserveDN") == 0)
397: preserve = 1;
398: else if (strcmp(*argv, "-noemailDN") == 0)
399: email_dn = 0;
400: else if (strcmp(*argv, "-gencrl") == 0)
401: gencrl = 1;
402: else if (strcmp(*argv, "-msie_hack") == 0)
403: msie_hack = 1;
404: else if (strcmp(*argv, "-crldays") == 0) {
405: if (--argc < 1)
406: goto bad;
407: crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
408: if (errstr)
409: goto bad;
410: } else if (strcmp(*argv, "-crlhours") == 0) {
411: if (--argc < 1)
412: goto bad;
413: crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
414: if (errstr)
415: goto bad;
416: } else if (strcmp(*argv, "-crlsec") == 0) {
417: if (--argc < 1)
418: goto bad;
419: crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
420: if (errstr)
421: goto bad;
422: } else if (strcmp(*argv, "-infiles") == 0) {
423: argc--;
424: argv++;
425: req = 1;
426: break;
427: } else if (strcmp(*argv, "-ss_cert") == 0) {
428: if (--argc < 1)
429: goto bad;
430: ss_cert_file = *(++argv);
431: req = 1;
432: } else if (strcmp(*argv, "-spkac") == 0) {
433: if (--argc < 1)
434: goto bad;
435: spkac_file = *(++argv);
436: req = 1;
437: } else if (strcmp(*argv, "-revoke") == 0) {
438: if (--argc < 1)
439: goto bad;
440: infile = *(++argv);
441: dorevoke = 1;
442: } else if (strcmp(*argv, "-extensions") == 0) {
443: if (--argc < 1)
444: goto bad;
445: extensions = *(++argv);
446: } else if (strcmp(*argv, "-extfile") == 0) {
447: if (--argc < 1)
448: goto bad;
449: extfile = *(++argv);
450: } else if (strcmp(*argv, "-status") == 0) {
451: if (--argc < 1)
452: goto bad;
453: ser_status = *(++argv);
454: } else if (strcmp(*argv, "-updatedb") == 0) {
455: doupdatedb = 1;
456: } else if (strcmp(*argv, "-crlexts") == 0) {
457: if (--argc < 1)
458: goto bad;
459: crl_ext = *(++argv);
460: } else if (strcmp(*argv, "-crl_reason") == 0) {
461: if (--argc < 1)
462: goto bad;
463: rev_arg = *(++argv);
464: rev_type = REV_CRL_REASON;
465: } else if (strcmp(*argv, "-crl_hold") == 0) {
466: if (--argc < 1)
467: goto bad;
468: rev_arg = *(++argv);
469: rev_type = REV_HOLD;
470: } else if (strcmp(*argv, "-crl_compromise") == 0) {
471: if (--argc < 1)
472: goto bad;
473: rev_arg = *(++argv);
474: rev_type = REV_KEY_COMPROMISE;
475: } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
476: if (--argc < 1)
477: goto bad;
478: rev_arg = *(++argv);
479: rev_type = REV_CA_COMPROMISE;
480: }
481: else {
482: bad:
483: if (errstr)
484: BIO_printf(bio_err, "invalid argument %s: %s\n",
485: *argv, errstr);
486: else
487: BIO_printf(bio_err, "unknown option %s\n", *argv);
488: badops = 1;
489: break;
490: }
491: argc--;
492: argv++;
493: }
494:
495: if (badops) {
496: const char **pp2;
497:
498: for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
499: BIO_printf(bio_err, "%s", *pp2);
500: goto err;
501: }
502:
503: /*****************************************************************/
504: tofree = NULL;
505: if (configfile == NULL)
506: configfile = getenv("OPENSSL_CONF");
507: if (configfile == NULL) {
508: if ((tofree = make_config_name()) == NULL) {
509: BIO_printf(bio_err, "error making config file name\n");
510: goto err;
511: }
512: configfile = tofree;
513: }
514: BIO_printf(bio_err, "Using configuration from %s\n", configfile);
515: conf = NCONF_new(NULL);
516: if (NCONF_load(conf, configfile, &errorline) <= 0) {
517: if (errorline <= 0)
518: BIO_printf(bio_err,
519: "error loading the config file '%s'\n",
520: configfile);
521: else
522: BIO_printf(bio_err,
523: "error on line %ld of config file '%s'\n",
524: errorline, configfile);
525: goto err;
526: }
527: free(tofree);
528: tofree = NULL;
529:
530: /* Lets get the config section we are using */
531: if (section == NULL) {
532: section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
533: if (section == NULL) {
534: lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
535: goto err;
536: }
537: }
538: if (conf != NULL) {
539: p = NCONF_get_string(conf, NULL, "oid_file");
540: if (p == NULL)
541: ERR_clear_error();
542: if (p != NULL) {
543: BIO *oid_bio;
544:
545: oid_bio = BIO_new_file(p, "r");
546: if (oid_bio == NULL) {
547: /*
548: BIO_printf(bio_err,
549: "problems opening %s for extra oid's\n", p);
550: ERR_print_errors(bio_err);
551: */
552: ERR_clear_error();
553: } else {
554: OBJ_create_objects(oid_bio);
555: BIO_free(oid_bio);
556: }
557: }
558: if (!add_oid_section(bio_err, conf)) {
559: ERR_print_errors(bio_err);
560: goto err;
561: }
562: }
563: f = NCONF_get_string(conf, section, STRING_MASK);
564: if (!f)
565: ERR_clear_error();
566:
567: if (f && !ASN1_STRING_set_default_mask_asc(f)) {
568: BIO_printf(bio_err,
569: "Invalid global string mask setting %s\n", f);
570: goto err;
571: }
572: if (chtype != MBSTRING_UTF8) {
573: f = NCONF_get_string(conf, section, UTF8_IN);
574: if (!f)
575: ERR_clear_error();
576: else if (!strcmp(f, "yes"))
577: chtype = MBSTRING_UTF8;
578: }
579: db_attr.unique_subject = 1;
580: p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
581: if (p) {
582: db_attr.unique_subject = parse_yesno(p, 1);
583: } else
584: ERR_clear_error();
585:
586: in = BIO_new(BIO_s_file());
587: out = BIO_new(BIO_s_file());
588: Sout = BIO_new(BIO_s_file());
589: Cout = BIO_new(BIO_s_file());
590: if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
591: ERR_print_errors(bio_err);
592: goto err;
593: }
594: /*****************************************************************/
595: /* report status of cert with serial number given on command line */
596: if (ser_status) {
597: if ((dbfile = NCONF_get_string(conf, section,
598: ENV_DATABASE)) == NULL) {
599: lookup_fail(section, ENV_DATABASE);
600: goto err;
601: }
602: db = load_index(dbfile, &db_attr);
603: if (db == NULL)
604: goto err;
605:
606: if (!index_index(db))
607: goto err;
608:
609: if (get_certificate_status(ser_status, db) != 1)
610: BIO_printf(bio_err, "Error verifying serial %s!\n",
611: ser_status);
612: goto err;
613: }
614: /*****************************************************************/
615: /* we definitely need a private key, so let's get it */
616:
617: if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
618: section, ENV_PRIVATE_KEY)) == NULL)) {
619: lookup_fail(section, ENV_PRIVATE_KEY);
620: goto err;
621: }
622: if (!key) {
623: free_key = 1;
624: if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
625: BIO_printf(bio_err, "Error getting password\n");
626: goto err;
627: }
628: }
1.12 bcook 629: pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key");
1.1 jsing 630: if (key)
1.11 jsing 631: explicit_bzero(key, strlen(key));
1.1 jsing 632: if (pkey == NULL) {
633: /* load_key() has already printed an appropriate message */
634: goto err;
635: }
636: /*****************************************************************/
637: /* we need a certificate */
638: if (!selfsign || spkac_file || ss_cert_file || gencrl) {
639: if ((certfile == NULL) &&
640: ((certfile = NCONF_get_string(conf,
641: section, ENV_CERTIFICATE)) == NULL)) {
642: lookup_fail(section, ENV_CERTIFICATE);
643: goto err;
644: }
1.12 bcook 645: x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL,
1.1 jsing 646: "CA certificate");
647: if (x509 == NULL)
648: goto err;
649:
650: if (!X509_check_private_key(x509, pkey)) {
651: BIO_printf(bio_err,
652: "CA certificate and CA private key do not match\n");
653: goto err;
654: }
655: }
656: if (!selfsign)
657: x509p = x509;
658:
659: f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
660: if (f == NULL)
661: ERR_clear_error();
662: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
663: preserve = 1;
664: f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
665: if (f == NULL)
666: ERR_clear_error();
667: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
668: msie_hack = 1;
669:
670: f = NCONF_get_string(conf, section, ENV_NAMEOPT);
671:
672: if (f) {
673: if (!set_name_ex(&nameopt, f)) {
674: BIO_printf(bio_err,
675: "Invalid name options: \"%s\"\n", f);
676: goto err;
677: }
678: default_op = 0;
679: } else
680: ERR_clear_error();
681:
682: f = NCONF_get_string(conf, section, ENV_CERTOPT);
683:
684: if (f) {
685: if (!set_cert_ex(&certopt, f)) {
686: BIO_printf(bio_err,
687: "Invalid certificate options: \"%s\"\n", f);
688: goto err;
689: }
690: default_op = 0;
691: } else
692: ERR_clear_error();
693:
694: f = NCONF_get_string(conf, section, ENV_EXTCOPY);
695:
696: if (f) {
697: if (!set_ext_copy(&ext_copy, f)) {
698: BIO_printf(bio_err,
699: "Invalid extension copy option: \"%s\"\n", f);
700: goto err;
701: }
702: } else
703: ERR_clear_error();
704:
705: /*****************************************************************/
706: /* lookup where to write new certificates */
707: if ((outdir == NULL) && (req)) {
708:
709: if ((outdir = NCONF_get_string(conf, section,
710: ENV_NEW_CERTS_DIR)) == NULL) {
711: BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n");
712: goto err;
713: }
714: /*
715: * outdir is a directory spec, but access() for VMS demands a
716: * filename. In any case, stat(), below, will catch the
717: * problem if outdir is not a directory spec, and the fopen()
718: * or open() will catch an error if there is no write access.
719: *
720: * Presumably, this problem could also be solved by using the
721: * DEC C routines to convert the directory syntax to Unixly,
722: * and give that to access(). However, time's too short to
723: * do that just now.
724: */
725: if (access(outdir, R_OK | W_OK | X_OK) != 0) {
726: BIO_printf(bio_err,
727: "I am unable to access the %s directory\n", outdir);
728: perror(outdir);
729: goto err;
730: }
731: if (app_isdir(outdir) <= 0) {
732: BIO_printf(bio_err,
733: "%s need to be a directory\n", outdir);
734: perror(outdir);
735: goto err;
736: }
737: }
738: /*****************************************************************/
739: /* we need to load the database file */
740: if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
741: lookup_fail(section, ENV_DATABASE);
742: goto err;
743: }
744: db = load_index(dbfile, &db_attr);
745: if (db == NULL)
746: goto err;
747:
748: /* Lets check some fields */
749: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
750: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
751: if ((pp[DB_type][0] != DB_TYPE_REV) &&
752: (pp[DB_rev_date][0] != '\0')) {
753: BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1);
754: goto err;
755: }
756: if ((pp[DB_type][0] == DB_TYPE_REV) &&
757: !make_revoked(NULL, pp[DB_rev_date])) {
758: BIO_printf(bio_err, " in entry %d\n", i + 1);
759: goto err;
760: }
761: if (!check_time_format((char *) pp[DB_exp_date])) {
762: BIO_printf(bio_err, "entry %d: invalid expiry date\n",
763: i + 1);
764: goto err;
765: }
766: p = pp[DB_serial];
767: j = strlen(p);
768: if (*p == '-') {
769: p++;
770: j--;
771: }
772: if ((j & 1) || (j < 2)) {
773: BIO_printf(bio_err,
774: "entry %d: bad serial number length (%d)\n",
775: i + 1, j);
776: goto err;
777: }
778: while (*p) {
779: if (!(((*p >= '0') && (*p <= '9')) ||
780: ((*p >= 'A') && (*p <= 'F')) ||
781: ((*p >= 'a') && (*p <= 'f')))) {
782: BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
783: goto err;
784: }
785: p++;
786: }
787: }
788: if (verbose) {
789: BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
790: TXT_DB_write(out, db->db);
791: BIO_printf(bio_err, "%d entries loaded from the database\n",
792: sk_OPENSSL_PSTRING_num(db->db->data));
793: BIO_printf(bio_err, "generating index\n");
794: }
795: if (!index_index(db))
796: goto err;
797:
798: /*****************************************************************/
799: /* Update the db file for expired certificates */
800: if (doupdatedb) {
801: if (verbose)
802: BIO_printf(bio_err, "Updating %s ...\n", dbfile);
803:
804: i = do_updatedb(db);
805: if (i == -1) {
806: BIO_printf(bio_err, "Malloc failure\n");
807: goto err;
808: } else if (i == 0) {
809: if (verbose)
810: BIO_printf(bio_err,
811: "No entries found to mark expired\n");
812: } else {
813: if (!save_index(dbfile, "new", db))
814: goto err;
815:
816: if (!rotate_index(dbfile, "new", "old"))
817: goto err;
818:
819: if (verbose)
820: BIO_printf(bio_err,
821: "Done. %d entries marked as expired\n", i);
822: }
823: }
824: /*****************************************************************/
825: /* Read extentions config file */
826: if (extfile) {
827: extconf = NCONF_new(NULL);
828: if (NCONF_load(extconf, extfile, &errorline) <= 0) {
829: if (errorline <= 0)
830: BIO_printf(bio_err,
831: "ERROR: loading the config file '%s'\n",
832: extfile);
833: else
834: BIO_printf(bio_err,
835: "ERROR: on line %ld of config file '%s'\n",
836: errorline, extfile);
837: ret = 1;
838: goto err;
839: }
840: if (verbose)
841: BIO_printf(bio_err,
842: "Successfully loaded extensions file %s\n",
843: extfile);
844:
845: /* We can have sections in the ext file */
846: if (!extensions && !(extensions = NCONF_get_string(extconf,
847: "default", "extensions")))
848: extensions = "default";
849: }
850: /*****************************************************************/
851: if (req || gencrl) {
852: if (outfile != NULL) {
853: if (BIO_write_filename(Sout, outfile) <= 0) {
854: perror(outfile);
855: goto err;
856: }
857: } else {
858: BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
859: }
860: }
861: if ((md == NULL) && ((md = NCONF_get_string(conf, section,
862: ENV_DEFAULT_MD)) == NULL)) {
863: lookup_fail(section, ENV_DEFAULT_MD);
864: goto err;
865: }
866: if (!strcmp(md, "default")) {
867: int def_nid;
868: if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
869: BIO_puts(bio_err, "no default digest\n");
870: goto err;
871: }
872: md = (char *) OBJ_nid2sn(def_nid);
873: }
874: if ((dgst = EVP_get_digestbyname(md)) == NULL) {
875: BIO_printf(bio_err,
876: "%s is an unsupported message digest type\n", md);
877: goto err;
878: }
879: if (req) {
880: if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
881: section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
882: if (strcmp(tmp_email_dn, "no") == 0)
883: email_dn = 0;
884: }
885: if (verbose)
886: BIO_printf(bio_err, "message digest is %s\n",
887: OBJ_nid2ln(dgst->type));
888: if ((policy == NULL) && ((policy = NCONF_get_string(conf,
889: section, ENV_POLICY)) == NULL)) {
890: lookup_fail(section, ENV_POLICY);
891: goto err;
892: }
893: if (verbose)
894: BIO_printf(bio_err, "policy is %s\n", policy);
895:
896: if ((serialfile = NCONF_get_string(conf, section,
897: ENV_SERIAL)) == NULL) {
898: lookup_fail(section, ENV_SERIAL);
899: goto err;
900: }
901: if (!extconf) {
902: /*
903: * no '-extfile' option, so we look for extensions in
904: * the main configuration file
905: */
906: if (!extensions) {
907: extensions = NCONF_get_string(conf, section,
908: ENV_EXTENSIONS);
909: if (!extensions)
910: ERR_clear_error();
911: }
912: if (extensions) {
913: /* Check syntax of file */
914: X509V3_CTX ctx;
915: X509V3_set_ctx_test(&ctx);
916: X509V3_set_nconf(&ctx, conf);
917: if (!X509V3_EXT_add_nconf(conf, &ctx,
918: extensions, NULL)) {
919: BIO_printf(bio_err,
920: "Error Loading extension section %s\n",
921: extensions);
922: ret = 1;
923: goto err;
924: }
925: }
926: }
927: if (startdate == NULL) {
928: startdate = NCONF_get_string(conf, section,
929: ENV_DEFAULT_STARTDATE);
930: if (startdate == NULL)
931: ERR_clear_error();
932: }
933: if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
934: BIO_printf(bio_err, "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
935: goto err;
936: }
937: if (startdate == NULL)
938: startdate = "today";
939:
940: if (enddate == NULL) {
941: enddate = NCONF_get_string(conf, section,
942: ENV_DEFAULT_ENDDATE);
943: if (enddate == NULL)
944: ERR_clear_error();
945: }
946: if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
947: BIO_printf(bio_err, "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
948: goto err;
949: }
950: if (days == 0) {
951: if (!NCONF_get_number(conf, section,
952: ENV_DEFAULT_DAYS, &days))
953: days = 0;
954: }
955: if (!enddate && (days == 0)) {
956: BIO_printf(bio_err,
957: "cannot lookup how many days to certify for\n");
958: goto err;
959: }
960: if ((serial = load_serial(serialfile, create_ser, NULL)) ==
961: NULL) {
962: BIO_printf(bio_err,
963: "error while loading serial number\n");
964: goto err;
965: }
966: if (verbose) {
967: if (BN_is_zero(serial))
968: BIO_printf(bio_err,
969: "next serial number is 00\n");
970: else {
971: if ((f = BN_bn2hex(serial)) == NULL)
972: goto err;
973: BIO_printf(bio_err,
974: "next serial number is %s\n", f);
975: free(f);
976: }
977: }
978: if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
979: BIO_printf(bio_err,
980: "unable to find 'section' for %s\n", policy);
981: goto err;
982: }
983: if ((cert_sk = sk_X509_new_null()) == NULL) {
984: BIO_printf(bio_err, "Memory allocation failure\n");
985: goto err;
986: }
987: if (spkac_file != NULL) {
988: total++;
989: j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
990: sigopts, attribs, db, serial, subj, chtype,
991: multirdn, email_dn, startdate, enddate, days,
992: extensions, conf, verbose, certopt, nameopt,
993: default_op, ext_copy);
994: if (j < 0)
995: goto err;
996: if (j > 0) {
997: total_done++;
998: BIO_printf(bio_err, "\n");
999: if (!BN_add_word(serial, 1))
1000: goto err;
1001: if (!sk_X509_push(cert_sk, x)) {
1002: BIO_printf(bio_err,
1003: "Memory allocation failure\n");
1004: goto err;
1005: }
1006: if (outfile) {
1007: output_der = 1;
1008: batch = 1;
1009: }
1010: }
1011: }
1012: if (ss_cert_file != NULL) {
1013: total++;
1014: j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
1015: sigopts, attribs, db, serial, subj, chtype,
1016: multirdn, email_dn, startdate, enddate, days, batch,
1017: extensions, conf, verbose, certopt, nameopt,
1.12 bcook 1018: default_op, ext_copy);
1.1 jsing 1019: if (j < 0)
1020: goto err;
1021: if (j > 0) {
1022: total_done++;
1023: BIO_printf(bio_err, "\n");
1024: if (!BN_add_word(serial, 1))
1025: goto err;
1026: if (!sk_X509_push(cert_sk, x)) {
1027: BIO_printf(bio_err,
1028: "Memory allocation failure\n");
1029: goto err;
1030: }
1031: }
1032: }
1033: if (infile != NULL) {
1034: total++;
1035: j = certify(&x, infile, pkey, x509p, dgst, sigopts,
1036: attribs, db, serial, subj, chtype, multirdn,
1037: email_dn, startdate, enddate, days, batch,
1038: extensions, conf, verbose, certopt, nameopt,
1039: default_op, ext_copy, selfsign);
1040: if (j < 0)
1041: goto err;
1042: if (j > 0) {
1043: total_done++;
1044: BIO_printf(bio_err, "\n");
1045: if (!BN_add_word(serial, 1))
1046: goto err;
1047: if (!sk_X509_push(cert_sk, x)) {
1048: BIO_printf(bio_err,
1049: "Memory allocation failure\n");
1050: goto err;
1051: }
1052: }
1053: }
1054: for (i = 0; i < argc; i++) {
1055: total++;
1056: j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
1057: attribs, db, serial, subj, chtype, multirdn,
1058: email_dn, startdate, enddate, days, batch,
1059: extensions, conf, verbose, certopt, nameopt,
1060: default_op, ext_copy, selfsign);
1061: if (j < 0)
1062: goto err;
1063: if (j > 0) {
1064: total_done++;
1065: BIO_printf(bio_err, "\n");
1066: if (!BN_add_word(serial, 1))
1067: goto err;
1068: if (!sk_X509_push(cert_sk, x)) {
1069: BIO_printf(bio_err,
1070: "Memory allocation failure\n");
1071: goto err;
1072: }
1073: }
1074: }
1075: /*
1076: * we have a stack of newly certified certificates and a data
1077: * base and serial number that need updating
1078: */
1079:
1080: if (sk_X509_num(cert_sk) > 0) {
1081: if (!batch) {
1082: BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
1083: (void) BIO_flush(bio_err);
1084: buf[0][0] = '\0';
1085: if (!fgets(buf[0], 10, stdin)) {
1086: BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1087: ret = 0;
1088: goto err;
1089: }
1090: if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) {
1091: BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1092: ret = 0;
1093: goto err;
1094: }
1095: }
1096: BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk));
1097:
1098: if (!save_serial(serialfile, "new", serial, NULL))
1099: goto err;
1100:
1101: if (!save_index(dbfile, "new", db))
1102: goto err;
1103: }
1104: if (verbose)
1105: BIO_printf(bio_err, "writing new certificates\n");
1106: for (i = 0; i < sk_X509_num(cert_sk); i++) {
1107: int k;
1.3 doug 1108: char *serialstr;
1.1 jsing 1109: unsigned char *data;
1110:
1111: x = sk_X509_value(cert_sk, i);
1112:
1113: j = x->cert_info->serialNumber->length;
1114: data = (unsigned char *)x->cert_info->serialNumber->data;
1115: if (j > 0)
1.3 doug 1116: serialstr = bin2hex(data, j);
1.1 jsing 1117: else
1.3 doug 1118: serialstr = strdup("00");
1119: if (serialstr) {
1.1 jsing 1120: k = snprintf(buf[2], sizeof(buf[2]),
1.3 doug 1121: "%s/%s.pem", outdir, serialstr);
1122: free(serialstr);
1.1 jsing 1123: if (k == -1 || k >= sizeof(buf[2])) {
1124: BIO_printf(bio_err,
1125: "certificate file name too long\n");
1126: goto err;
1127: }
1128: } else {
1129: BIO_printf(bio_err,
1130: "memory allocation failed\n");
1131: goto err;
1132: }
1133: if (verbose)
1134: BIO_printf(bio_err, "writing %s\n", buf[2]);
1135:
1136: if (BIO_write_filename(Cout, buf[2]) <= 0) {
1137: perror(buf[2]);
1138: goto err;
1139: }
1140: write_new_certificate(Cout, x, 0, notext);
1141: write_new_certificate(Sout, x, output_der, notext);
1142: }
1143:
1144: if (sk_X509_num(cert_sk)) {
1145: /* Rename the database and the serial file */
1146: if (!rotate_serial(serialfile, "new", "old"))
1147: goto err;
1148:
1149: if (!rotate_index(dbfile, "new", "old"))
1150: goto err;
1151:
1152: BIO_printf(bio_err, "Data Base Updated\n");
1153: }
1154: }
1155: /*****************************************************************/
1156: if (gencrl) {
1157: int crl_v2 = 0;
1158: if (!crl_ext) {
1159: crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
1160: if (!crl_ext)
1161: ERR_clear_error();
1162: }
1163: if (crl_ext) {
1164: /* Check syntax of file */
1165: X509V3_CTX ctx;
1166: X509V3_set_ctx_test(&ctx);
1167: X509V3_set_nconf(&ctx, conf);
1168: if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
1169: BIO_printf(bio_err,
1170: "Error Loading CRL extension section %s\n",
1171: crl_ext);
1172: ret = 1;
1173: goto err;
1174: }
1175: }
1176: if ((crlnumberfile = NCONF_get_string(conf, section,
1177: ENV_CRLNUMBER)) != NULL)
1178: if ((crlnumber = load_serial(crlnumberfile, 0,
1179: NULL)) == NULL) {
1180: BIO_printf(bio_err,
1181: "error while loading CRL number\n");
1182: goto err;
1183: }
1184: if (!crldays && !crlhours && !crlsec) {
1185: if (!NCONF_get_number(conf, section,
1186: ENV_DEFAULT_CRL_DAYS, &crldays))
1187: crldays = 0;
1188: if (!NCONF_get_number(conf, section,
1189: ENV_DEFAULT_CRL_HOURS, &crlhours))
1190: crlhours = 0;
1191: ERR_clear_error();
1192: }
1193: if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1194: BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1195: goto err;
1196: }
1197: if (verbose)
1198: BIO_printf(bio_err, "making CRL\n");
1199: if ((crl = X509_CRL_new()) == NULL)
1200: goto err;
1201: if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1202: goto err;
1203:
1204: tmptm = ASN1_TIME_new();
1205: if (!tmptm)
1206: goto err;
1207: X509_gmtime_adj(tmptm, 0);
1208: X509_CRL_set_lastUpdate(crl, tmptm);
1209: if (!X509_time_adj_ex(tmptm, crldays,
1210: crlhours * 60 * 60 + crlsec, NULL)) {
1211: BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1212: goto err;
1213: }
1214: X509_CRL_set_nextUpdate(crl, tmptm);
1215:
1216: ASN1_TIME_free(tmptm);
1217:
1218: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1219: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1220: if (pp[DB_type][0] == DB_TYPE_REV) {
1221: if ((r = X509_REVOKED_new()) == NULL)
1222: goto err;
1223: j = make_revoked(r, pp[DB_rev_date]);
1224: if (!j)
1225: goto err;
1226: if (j == 2)
1227: crl_v2 = 1;
1228: if (!BN_hex2bn(&serial, pp[DB_serial]))
1229: goto err;
1230: tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1231: BN_free(serial);
1232: serial = NULL;
1233: if (!tmpser)
1234: goto err;
1235: X509_REVOKED_set_serialNumber(r, tmpser);
1236: ASN1_INTEGER_free(tmpser);
1237: X509_CRL_add0_revoked(crl, r);
1238: }
1239: }
1240:
1241: /*
1242: * sort the data so it will be written in serial number order
1243: */
1244: X509_CRL_sort(crl);
1245:
1246: /* we now have a CRL */
1247: if (verbose)
1248: BIO_printf(bio_err, "signing CRL\n");
1249:
1250: /* Add any extensions asked for */
1251:
1252: if (crl_ext || crlnumberfile != NULL) {
1253: X509V3_CTX crlctx;
1254: X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1255: X509V3_set_nconf(&crlctx, conf);
1256:
1257: if (crl_ext)
1258: if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1259: crl_ext, crl))
1260: goto err;
1261: if (crlnumberfile != NULL) {
1262: tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1263: if (!tmpser)
1264: goto err;
1265: X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1266: tmpser, 0, 0);
1267: ASN1_INTEGER_free(tmpser);
1268: crl_v2 = 1;
1269: if (!BN_add_word(crlnumber, 1))
1270: goto err;
1271: }
1272: }
1273: if (crl_ext || crl_v2) {
1274: if (!X509_CRL_set_version(crl, 1))
1275: goto err; /* version 2 CRL */
1276: }
1277: if (crlnumberfile != NULL) /* we have a CRL number that
1278: * need updating */
1279: if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1280: goto err;
1281:
1282: if (crlnumber) {
1283: BN_free(crlnumber);
1284: crlnumber = NULL;
1285: }
1286: if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
1287: goto err;
1288:
1289: PEM_write_bio_X509_CRL(Sout, crl);
1290:
1291: if (crlnumberfile != NULL) /* Rename the crlnumber file */
1292: if (!rotate_serial(crlnumberfile, "new", "old"))
1293: goto err;
1294:
1295: }
1296: /*****************************************************************/
1297: if (dorevoke) {
1298: if (infile == NULL) {
1299: BIO_printf(bio_err, "no input files\n");
1300: goto err;
1301: } else {
1302: X509 *revcert;
1303: revcert = load_cert(bio_err, infile, FORMAT_PEM,
1.12 bcook 1304: NULL, infile);
1.1 jsing 1305: if (revcert == NULL)
1306: goto err;
1307: j = do_revoke(revcert, db, rev_type, rev_arg);
1308: if (j <= 0)
1309: goto err;
1310: X509_free(revcert);
1311:
1312: if (!save_index(dbfile, "new", db))
1313: goto err;
1314:
1315: if (!rotate_index(dbfile, "new", "old"))
1316: goto err;
1317:
1318: BIO_printf(bio_err, "Data Base Updated\n");
1319: }
1320: }
1321: /*****************************************************************/
1322: ret = 0;
1323:
1324: err:
1325: free(tofree);
1326:
1327: BIO_free_all(Cout);
1328: BIO_free_all(Sout);
1329: BIO_free_all(out);
1330: BIO_free_all(in);
1331:
1332: if (cert_sk)
1333: sk_X509_pop_free(cert_sk, X509_free);
1334:
1335: if (ret)
1336: ERR_print_errors(bio_err);
1337: if (free_key && key)
1338: free(key);
1339: BN_free(serial);
1340: BN_free(crlnumber);
1341: free_index(db);
1342: if (sigopts)
1343: sk_OPENSSL_STRING_free(sigopts);
1344: EVP_PKEY_free(pkey);
1345: if (x509)
1346: X509_free(x509);
1347: X509_CRL_free(crl);
1348: NCONF_free(conf);
1349: NCONF_free(extconf);
1350: OBJ_cleanup();
1351:
1352: return (ret);
1353: }
1354:
1355: static void
1356: lookup_fail(const char *name, const char *tag)
1357: {
1358: BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1359: }
1360:
1361: static int
1362: certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1363: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1364: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1365: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1366: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1367: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1368: int ext_copy, int selfsign)
1369: {
1370: X509_REQ *req = NULL;
1371: BIO *in = NULL;
1372: EVP_PKEY *pktmp = NULL;
1373: int ok = -1, i;
1374:
1375: in = BIO_new(BIO_s_file());
1376:
1377: if (BIO_read_filename(in, infile) <= 0) {
1378: perror(infile);
1379: goto err;
1380: }
1381: if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1382: BIO_printf(bio_err, "Error reading certificate request in %s\n",
1383: infile);
1384: goto err;
1385: }
1386: if (verbose)
1387: X509_REQ_print(bio_err, req);
1388:
1389: BIO_printf(bio_err, "Check that the request matches the signature\n");
1390:
1391: if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1392: BIO_printf(bio_err,
1393: "Certificate request and CA private key do not match\n");
1394: ok = 0;
1395: goto err;
1396: }
1397: if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
1398: BIO_printf(bio_err, "error unpacking public key\n");
1399: goto err;
1400: }
1401: i = X509_REQ_verify(req, pktmp);
1402: EVP_PKEY_free(pktmp);
1403: if (i < 0) {
1404: ok = 0;
1405: BIO_printf(bio_err, "Signature verification problems....\n");
1406: goto err;
1407: }
1408: if (i == 0) {
1409: ok = 0;
1410: BIO_printf(bio_err,
1411: "Signature did not match the certificate request\n");
1412: goto err;
1413: } else
1414: BIO_printf(bio_err, "Signature ok\n");
1415:
1416: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1417: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1418: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1419: ext_copy, selfsign);
1420:
1421: err:
1422: if (req != NULL)
1423: X509_REQ_free(req);
1424: if (in != NULL)
1425: BIO_free(in);
1426: return (ok);
1427: }
1428:
1429: static int
1430: certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1431: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1432: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1433: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1434: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1435: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1.12 bcook 1436: int ext_copy)
1.1 jsing 1437: {
1438: X509 *req = NULL;
1439: X509_REQ *rreq = NULL;
1440: EVP_PKEY *pktmp = NULL;
1441: int ok = -1, i;
1442:
1.12 bcook 1443: if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
1.1 jsing 1444: infile)) == NULL)
1445: goto err;
1446: if (verbose)
1447: X509_print(bio_err, req);
1448:
1449: BIO_printf(bio_err, "Check that the request matches the signature\n");
1450:
1451: if ((pktmp = X509_get_pubkey(req)) == NULL) {
1452: BIO_printf(bio_err, "error unpacking public key\n");
1453: goto err;
1454: }
1455: i = X509_verify(req, pktmp);
1456: EVP_PKEY_free(pktmp);
1457: if (i < 0) {
1458: ok = 0;
1459: BIO_printf(bio_err, "Signature verification problems....\n");
1460: goto err;
1461: }
1462: if (i == 0) {
1463: ok = 0;
1464: BIO_printf(bio_err,
1465: "Signature did not match the certificate\n");
1466: goto err;
1467: } else
1468: BIO_printf(bio_err, "Signature ok\n");
1469:
1470: if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1471: goto err;
1472:
1473: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1474: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1475: verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1476: ext_copy, 0);
1477:
1478: err:
1479: if (rreq != NULL)
1480: X509_REQ_free(rreq);
1481: if (req != NULL)
1482: X509_free(req);
1483: return (ok);
1484: }
1485:
1486: static int
1487: do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1488: STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy,
1489: CA_DB * db, BIGNUM * serial, char *subj, unsigned long chtype, int multirdn,
1490: int email_dn, char *startdate, char *enddate, long days, int batch,
1491: int verbose, X509_REQ * req, char *ext_sect, CONF * lconf,
1492: unsigned long certopt, unsigned long nameopt, int default_op,
1493: int ext_copy, int selfsign)
1494: {
1495: X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
1496: ASN1_UTCTIME *tm, *tmptm;
1497: ASN1_STRING *str, *str2;
1498: ASN1_OBJECT *obj;
1499: X509 *ret = NULL;
1500: X509_CINF *ci;
1501: X509_NAME_ENTRY *ne;
1502: X509_NAME_ENTRY *tne, *push;
1503: EVP_PKEY *pktmp;
1504: int ok = -1, i, j, last, nid;
1505: const char *p;
1506: CONF_VALUE *cv;
1507: OPENSSL_STRING row[DB_NUMBER];
1508: OPENSSL_STRING *irow = NULL;
1509: OPENSSL_STRING *rrow = NULL;
1510: char buf[25];
1511:
1512: tmptm = ASN1_UTCTIME_new();
1513: if (tmptm == NULL) {
1514: BIO_printf(bio_err, "malloc error\n");
1515: return (0);
1516: }
1517: for (i = 0; i < DB_NUMBER; i++)
1518: row[i] = NULL;
1519:
1520: if (subj) {
1521: X509_NAME *n = parse_name(subj, chtype, multirdn);
1522:
1523: if (!n) {
1524: ERR_print_errors(bio_err);
1525: goto err;
1526: }
1527: X509_REQ_set_subject_name(req, n);
1528: req->req_info->enc.modified = 1;
1529: X509_NAME_free(n);
1530: }
1531: if (default_op)
1532: BIO_printf(bio_err,
1533: "The Subject's Distinguished Name is as follows\n");
1534:
1535: name = X509_REQ_get_subject_name(req);
1536: for (i = 0; i < X509_NAME_entry_count(name); i++) {
1537: ne = X509_NAME_get_entry(name, i);
1538: str = X509_NAME_ENTRY_get_data(ne);
1539: obj = X509_NAME_ENTRY_get_object(ne);
1540:
1541: if (msie_hack) {
1542: /* assume all type should be strings */
1543: nid = OBJ_obj2nid(ne->object);
1544:
1545: if (str->type == V_ASN1_UNIVERSALSTRING)
1546: ASN1_UNIVERSALSTRING_to_string(str);
1547:
1548: if ((str->type == V_ASN1_IA5STRING) &&
1549: (nid != NID_pkcs9_emailAddress))
1550: str->type = V_ASN1_T61STRING;
1551:
1552: if ((nid == NID_pkcs9_emailAddress) &&
1553: (str->type == V_ASN1_PRINTABLESTRING))
1554: str->type = V_ASN1_IA5STRING;
1555: }
1556: /* If no EMAIL is wanted in the subject */
1557: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1558: continue;
1559:
1560: /* check some things */
1561: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1562: (str->type != V_ASN1_IA5STRING)) {
1563: BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
1564: goto err;
1565: }
1566: if ((str->type != V_ASN1_BMPSTRING) &&
1567: (str->type != V_ASN1_UTF8STRING)) {
1568: j = ASN1_PRINTABLE_type(str->data, str->length);
1569: if (((j == V_ASN1_T61STRING) &&
1570: (str->type != V_ASN1_T61STRING)) ||
1571: ((j == V_ASN1_IA5STRING) &&
1572: (str->type == V_ASN1_PRINTABLESTRING))) {
1573: BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
1574: goto err;
1575: }
1576: }
1577: if (default_op)
1578: old_entry_print(bio_err, obj, str);
1579: }
1580:
1581: /* Ok, now we check the 'policy' stuff. */
1582: if ((subject = X509_NAME_new()) == NULL) {
1583: BIO_printf(bio_err, "Memory allocation failure\n");
1584: goto err;
1585: }
1586: /* take a copy of the issuer name before we mess with it. */
1587: if (selfsign)
1588: CAname = X509_NAME_dup(name);
1589: else
1590: CAname = X509_NAME_dup(x509->cert_info->subject);
1591: if (CAname == NULL)
1592: goto err;
1593: str = str2 = NULL;
1594:
1595: for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1596: cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1597: if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1598: BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name);
1599: goto err;
1600: }
1601: obj = OBJ_nid2obj(j);
1602:
1603: last = -1;
1604: for (;;) {
1605: /* lookup the object in the supplied name list */
1606: j = X509_NAME_get_index_by_OBJ(name, obj, last);
1607: if (j < 0) {
1608: if (last != -1)
1609: break;
1610: tne = NULL;
1611: } else {
1612: tne = X509_NAME_get_entry(name, j);
1613: }
1614: last = j;
1615:
1616: /* depending on the 'policy', decide what to do. */
1617: push = NULL;
1618: if (strcmp(cv->value, "optional") == 0) {
1619: if (tne != NULL)
1620: push = tne;
1621: } else if (strcmp(cv->value, "supplied") == 0) {
1622: if (tne == NULL) {
1623: BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name);
1624: goto err;
1625: } else
1626: push = tne;
1627: } else if (strcmp(cv->value, "match") == 0) {
1628: int last2;
1629:
1630: if (tne == NULL) {
1631: BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name);
1632: goto err;
1633: }
1634: last2 = -1;
1635:
1636: again2:
1637: j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1638: if ((j < 0) && (last2 == -1)) {
1639: BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
1640: goto err;
1641: }
1642: if (j >= 0) {
1643: push = X509_NAME_get_entry(CAname, j);
1644: str = X509_NAME_ENTRY_get_data(tne);
1645: str2 = X509_NAME_ENTRY_get_data(push);
1646: last2 = j;
1647: if (ASN1_STRING_cmp(str, str2) != 0)
1648: goto again2;
1649: }
1650: if (j < 0) {
1651: BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data));
1652: goto err;
1653: }
1654: } else {
1655: BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value);
1656: goto err;
1657: }
1658:
1659: if (push != NULL) {
1660: if (!X509_NAME_add_entry(subject, push,
1661: -1, 0)) {
1662: if (push != NULL)
1663: X509_NAME_ENTRY_free(push);
1664: BIO_printf(bio_err,
1665: "Memory allocation failure\n");
1666: goto err;
1667: }
1668: }
1669: if (j < 0)
1670: break;
1671: }
1672: }
1673:
1674: if (preserve) {
1675: X509_NAME_free(subject);
1676: /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1677: subject = X509_NAME_dup(name);
1678: if (subject == NULL)
1679: goto err;
1680: }
1681: if (verbose)
1682: BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n");
1683:
1.20 ! mmcc 1684: /* Build the correct Subject if no email is wanted in the subject */
1.1 jsing 1685: /*
1686: * and add it later on because of the method extensions are added
1687: * (altName)
1688: */
1689:
1690: if (email_dn)
1691: dn_subject = subject;
1692: else {
1693: X509_NAME_ENTRY *tmpne;
1694: /*
1695: * Its best to dup the subject DN and then delete any email
1696: * addresses because this retains its structure.
1697: */
1698: if (!(dn_subject = X509_NAME_dup(subject))) {
1699: BIO_printf(bio_err, "Memory allocation failure\n");
1700: goto err;
1701: }
1702: while ((i = X509_NAME_get_index_by_NID(dn_subject,
1703: NID_pkcs9_emailAddress, -1)) >= 0) {
1704: tmpne = X509_NAME_get_entry(dn_subject, i);
1705: X509_NAME_delete_entry(dn_subject, i);
1706: X509_NAME_ENTRY_free(tmpne);
1707: }
1708: }
1709:
1710: if (BN_is_zero(serial))
1711: row[DB_serial] = strdup("00");
1712: else
1713: row[DB_serial] = BN_bn2hex(serial);
1714: if (row[DB_serial] == NULL) {
1715: BIO_printf(bio_err, "Memory allocation failure\n");
1716: goto err;
1717: }
1718: if (db->attributes.unique_subject) {
1719: OPENSSL_STRING *crow = row;
1720:
1721: rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
1722: if (rrow != NULL) {
1723: BIO_printf(bio_err,
1724: "ERROR:There is already a certificate for %s\n",
1725: row[DB_name]);
1726: }
1727: }
1728: if (rrow == NULL) {
1729: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1730: if (rrow != NULL) {
1731: BIO_printf(bio_err,
1732: "ERROR:Serial number %s has already been issued,\n",
1733: row[DB_serial]);
1734: BIO_printf(bio_err, " check the database/serial_file for corruption\n");
1735: }
1736: }
1737: if (rrow != NULL) {
1738: BIO_printf(bio_err,
1739: "The matching entry has the following details\n");
1740: if (rrow[DB_type][0] == 'E')
1741: p = "Expired";
1742: else if (rrow[DB_type][0] == 'R')
1743: p = "Revoked";
1744: else if (rrow[DB_type][0] == 'V')
1745: p = "Valid";
1746: else
1747: p = "\ninvalid type, Data base error\n";
1748: BIO_printf(bio_err, "Type :%s\n", p);
1749: if (rrow[DB_type][0] == 'R') {
1750: p = rrow[DB_exp_date];
1751: if (p == NULL)
1752: p = "undef";
1753: BIO_printf(bio_err, "Was revoked on:%s\n", p);
1754: }
1755: p = rrow[DB_exp_date];
1756: if (p == NULL)
1757: p = "undef";
1758: BIO_printf(bio_err, "Expires on :%s\n", p);
1759: p = rrow[DB_serial];
1760: if (p == NULL)
1761: p = "undef";
1762: BIO_printf(bio_err, "Serial Number :%s\n", p);
1763: p = rrow[DB_file];
1764: if (p == NULL)
1765: p = "undef";
1766: BIO_printf(bio_err, "File name :%s\n", p);
1767: p = rrow[DB_name];
1768: if (p == NULL)
1769: p = "undef";
1770: BIO_printf(bio_err, "Subject Name :%s\n", p);
1771: ok = -1; /* This is now a 'bad' error. */
1772: goto err;
1773: }
1774: /* We are now totally happy, lets make and sign the certificate */
1775: if (verbose)
1776: BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n");
1777:
1778: if ((ret = X509_new()) == NULL)
1779: goto err;
1780: ci = ret->cert_info;
1781:
1782: #ifdef X509_V3
1783: /* Make it an X509 v3 certificate. */
1784: if (!X509_set_version(ret, 2))
1785: goto err;
1786: #endif
1.13 beck 1787: if (ci->serialNumber == NULL)
1788: goto err;
1.8 jsing 1789: if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
1.1 jsing 1790: goto err;
1791: if (selfsign) {
1792: if (!X509_set_issuer_name(ret, subject))
1793: goto err;
1794: } else {
1795: if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1796: goto err;
1797: }
1798:
1799: if (strcmp(startdate, "today") == 0)
1800: X509_gmtime_adj(X509_get_notBefore(ret), 0);
1801: else
1802: ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
1803:
1804: if (enddate == NULL)
1805: X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
1806: else
1807: ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
1808:
1809: if (!X509_set_subject_name(ret, subject))
1810: goto err;
1811:
1812: pktmp = X509_REQ_get_pubkey(req);
1813: i = X509_set_pubkey(ret, pktmp);
1814: EVP_PKEY_free(pktmp);
1815: if (!i)
1816: goto err;
1817:
1818: /* Lets add the extensions, if there are any */
1819: if (ext_sect) {
1820: X509V3_CTX ctx;
1821: if (ci->version == NULL)
1822: if ((ci->version = ASN1_INTEGER_new()) == NULL)
1823: goto err;
1824: ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
1825:
1826: /*
1827: * Free the current entries if any, there should not be any I
1828: * believe
1829: */
1830: if (ci->extensions != NULL)
1831: sk_X509_EXTENSION_pop_free(ci->extensions,
1832: X509_EXTENSION_free);
1833:
1834: ci->extensions = NULL;
1835:
1836: /* Initialize the context structure */
1837: if (selfsign)
1838: X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
1839: else
1840: X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
1841:
1842: if (extconf) {
1843: if (verbose)
1844: BIO_printf(bio_err,
1845: "Extra configuration file found\n");
1846:
1847: /* Use the extconf configuration db LHASH */
1848: X509V3_set_nconf(&ctx, extconf);
1849:
1850: /* Test the structure (needed?) */
1851: /* X509V3_set_ctx_test(&ctx); */
1852:
1853: /* Adds exts contained in the configuration file */
1854: if (!X509V3_EXT_add_nconf(extconf, &ctx,
1855: ext_sect, ret)) {
1856: BIO_printf(bio_err,
1857: "ERROR: adding extensions in section %s\n",
1858: ext_sect);
1859: ERR_print_errors(bio_err);
1860: goto err;
1861: }
1862: if (verbose)
1863: BIO_printf(bio_err, "Successfully added extensions from file.\n");
1864: } else if (ext_sect) {
1865: /* We found extensions to be set from config file */
1866: X509V3_set_nconf(&ctx, lconf);
1867:
1868: if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
1869: BIO_printf(bio_err,
1870: "ERROR: adding extensions in section %s\n",
1871: ext_sect);
1872: ERR_print_errors(bio_err);
1873: goto err;
1874: }
1875: if (verbose)
1876: BIO_printf(bio_err, "Successfully added extensions from config\n");
1877: }
1878: }
1879: /* Copy extensions from request (if any) */
1880:
1881: if (!copy_extensions(ret, req, ext_copy)) {
1882: BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1883: ERR_print_errors(bio_err);
1884: goto err;
1885: }
1886: /* Set the right value for the noemailDN option */
1887: if (email_dn == 0) {
1888: if (!X509_set_subject_name(ret, dn_subject))
1889: goto err;
1890: }
1891: if (!default_op) {
1892: BIO_printf(bio_err, "Certificate Details:\n");
1893: /*
1894: * Never print signature details because signature not
1895: * present
1896: */
1897: certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
1898: X509_print_ex(bio_err, ret, nameopt, certopt);
1899: }
1900: BIO_printf(bio_err, "Certificate is to be certified until ");
1901: ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
1902: if (days)
1903: BIO_printf(bio_err, " (%ld days)", days);
1904: BIO_printf(bio_err, "\n");
1905:
1906: if (!batch) {
1907:
1908: BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1909: (void) BIO_flush(bio_err);
1910: buf[0] = '\0';
1911: if (!fgets(buf, sizeof(buf) - 1, stdin)) {
1912: BIO_printf(bio_err,
1913: "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1914: ok = 0;
1915: goto err;
1916: }
1917: if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
1918: BIO_printf(bio_err,
1919: "CERTIFICATE WILL NOT BE CERTIFIED\n");
1920: ok = 0;
1921: goto err;
1922: }
1923: }
1924: pktmp = X509_get_pubkey(ret);
1925: if (EVP_PKEY_missing_parameters(pktmp) &&
1926: !EVP_PKEY_missing_parameters(pkey))
1927: EVP_PKEY_copy_parameters(pktmp, pkey);
1928: EVP_PKEY_free(pktmp);
1929:
1930: if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
1931: goto err;
1932:
1933: /* We now just add it to the database */
1934: row[DB_type] = malloc(2);
1935:
1936: tm = X509_get_notAfter(ret);
1937: row[DB_exp_date] = malloc(tm->length + 1);
1.16 bcook 1938: if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
1.13 beck 1939: BIO_printf(bio_err, "Memory allocation failure\n");
1940: goto err;
1941: }
1942:
1.1 jsing 1943: memcpy(row[DB_exp_date], tm->data, tm->length);
1944: row[DB_exp_date][tm->length] = '\0';
1945:
1946: row[DB_rev_date] = NULL;
1947:
1948: /* row[DB_serial] done already */
1949: row[DB_file] = malloc(8);
1950: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
1951:
1.13 beck 1952: if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
1953: (row[DB_name] == NULL)) {
1.1 jsing 1954: BIO_printf(bio_err, "Memory allocation failure\n");
1955: goto err;
1956: }
1957: (void) strlcpy(row[DB_file], "unknown", 8);
1958: row[DB_type][0] = 'V';
1959: row[DB_type][1] = '\0';
1960:
1961: if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
1962: NULL) {
1963: BIO_printf(bio_err, "Memory allocation failure\n");
1964: goto err;
1965: }
1966: for (i = 0; i < DB_NUMBER; i++) {
1967: irow[i] = row[i];
1968: row[i] = NULL;
1969: }
1970: irow[DB_NUMBER] = NULL;
1971:
1972: if (!TXT_DB_insert(db->db, irow)) {
1973: BIO_printf(bio_err, "failed to update database\n");
1974: BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1975: goto err;
1976: }
1977: ok = 1;
1978: err:
1979: for (i = 0; i < DB_NUMBER; i++)
1980: free(row[i]);
1981:
1982: if (CAname != NULL)
1983: X509_NAME_free(CAname);
1984: if (subject != NULL)
1985: X509_NAME_free(subject);
1986: if ((dn_subject != NULL) && !email_dn)
1987: X509_NAME_free(dn_subject);
1988: if (tmptm != NULL)
1989: ASN1_UTCTIME_free(tmptm);
1990: if (ok <= 0) {
1991: if (ret != NULL)
1992: X509_free(ret);
1993: ret = NULL;
1994: } else
1995: *xret = ret;
1996: return (ok);
1997: }
1998:
1999: static void
2000: write_new_certificate(BIO * bp, X509 * x, int output_der, int notext)
2001: {
2002: if (output_der) {
2003: (void) i2d_X509_bio(bp, x);
2004: return;
2005: }
2006: if (!notext)
2007: X509_print(bp, x);
2008: PEM_write_bio_X509(bp, x);
2009: }
2010:
2011: static int
2012: certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2013: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
2014: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
2015: unsigned long chtype, int multirdn, int email_dn, char *startdate,
2016: char *enddate, long days, char *ext_sect, CONF * lconf, int verbose,
2017: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2018: {
2019: STACK_OF(CONF_VALUE) * sk = NULL;
2020: LHASH_OF(CONF_VALUE) * parms = NULL;
2021: X509_REQ *req = NULL;
2022: CONF_VALUE *cv = NULL;
2023: NETSCAPE_SPKI *spki = NULL;
2024: X509_REQ_INFO *ri;
2025: char *type, *buf;
2026: EVP_PKEY *pktmp = NULL;
2027: X509_NAME *n = NULL;
2028: int ok = -1, i, j;
2029: long errline;
2030: int nid;
2031:
2032: /*
2033: * Load input file into a hash table. (This is just an easy
2034: * way to read and parse the file, then put it into a convenient
2035: * STACK format).
2036: */
2037: parms = CONF_load(NULL, infile, &errline);
2038: if (parms == NULL) {
2039: BIO_printf(bio_err, "error on line %ld of %s\n",
2040: errline, infile);
2041: ERR_print_errors(bio_err);
2042: goto err;
2043: }
2044: sk = CONF_get_section(parms, "default");
2045: if (sk_CONF_VALUE_num(sk) == 0) {
2046: BIO_printf(bio_err, "no name/value pairs found in %s\n",
2047: infile);
2048: CONF_free(parms);
2049: goto err;
2050: }
2051: /*
2052: * Now create a dummy X509 request structure. We don't actually
2053: * have an X509 request, but we have many of the components
2054: * (a public key, various DN components). The idea is that we
2055: * put these components into the right X509 request structure
2056: * and we can use the same code as if you had a real X509 request.
2057: */
2058: req = X509_REQ_new();
2059: if (req == NULL) {
2060: ERR_print_errors(bio_err);
2061: goto err;
2062: }
2063: /*
2064: * Build up the subject name set.
2065: */
2066: ri = req->req_info;
2067: n = ri->subject;
2068:
2069: for (i = 0;; i++) {
2070: if (sk_CONF_VALUE_num(sk) <= i)
2071: break;
2072:
2073: cv = sk_CONF_VALUE_value(sk, i);
2074: type = cv->name;
2075: /*
2076: * Skip past any leading X. X: X, etc to allow for multiple
2077: * instances
2078: */
2079: for (buf = cv->name; *buf; buf++) {
2080: if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2081: buf++;
2082: if (*buf)
2083: type = buf;
2084: break;
2085: }
2086: }
2087:
2088: buf = cv->value;
2089: if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2090: if (strcmp(type, "SPKAC") == 0) {
2091: spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2092: if (spki == NULL) {
2093: BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n");
2094: ERR_print_errors(bio_err);
2095: goto err;
2096: }
2097: }
2098: continue;
2099: }
2100: if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2101: (unsigned char *)buf, -1, -1, 0))
2102: goto err;
2103: }
2104: if (spki == NULL) {
2105: BIO_printf(bio_err,
2106: "Netscape SPKAC structure not found in %s\n", infile);
2107: goto err;
2108: }
2109: /*
2110: * Now extract the key from the SPKI structure.
2111: */
2112:
2113: BIO_printf(bio_err,
2114: "Check that the SPKAC request matches the signature\n");
2115:
2116: if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2117: BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2118: goto err;
2119: }
2120: j = NETSCAPE_SPKI_verify(spki, pktmp);
2121: if (j <= 0) {
2122: BIO_printf(bio_err,
2123: "signature verification failed on SPKAC public key\n");
2124: goto err;
2125: }
2126: BIO_printf(bio_err, "Signature ok\n");
2127:
2128: X509_REQ_set_pubkey(req, pktmp);
2129: EVP_PKEY_free(pktmp);
2130: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2131: subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2132: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2133: ext_copy, 0);
2134:
2135: err:
2136: if (req != NULL)
2137: X509_REQ_free(req);
2138: if (parms != NULL)
2139: CONF_free(parms);
2140: if (spki != NULL)
2141: NETSCAPE_SPKI_free(spki);
2142:
2143: return (ok);
2144: }
2145:
2146: static int
2147: check_time_format(const char *str)
2148: {
2149: return ASN1_TIME_set_string(NULL, str);
2150: }
2151:
2152: static int
2153: do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2154: {
2155: ASN1_UTCTIME *tm = NULL;
2156: char *row[DB_NUMBER], **rrow, **irow;
2157: char *rev_str = NULL;
2158: BIGNUM *bn = NULL;
2159: int ok = -1, i;
2160:
2161: for (i = 0; i < DB_NUMBER; i++)
2162: row[i] = NULL;
2163: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2164: bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2165: if (!bn)
2166: goto err;
2167: if (BN_is_zero(bn))
2168: row[DB_serial] = strdup("00");
2169: else
2170: row[DB_serial] = BN_bn2hex(bn);
2171: BN_free(bn);
2172: if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2173: BIO_printf(bio_err, "Memory allocation failure\n");
2174: goto err;
2175: }
2176: /*
2177: * We have to lookup by serial number because name lookup skips
2178: * revoked certs
2179: */
2180: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2181: if (rrow == NULL) {
2182: BIO_printf(bio_err,
2183: "Adding Entry with serial number %s to DB for %s\n",
2184: row[DB_serial], row[DB_name]);
2185:
2186: /* We now just add it to the database */
2187: row[DB_type] = malloc(2);
2188:
2189: tm = X509_get_notAfter(x509);
2190: row[DB_exp_date] = malloc(tm->length + 1);
1.16 bcook 2191: if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
1.13 beck 2192: BIO_printf(bio_err, "Memory allocation failure\n");
2193: goto err;
2194: }
1.1 jsing 2195: memcpy(row[DB_exp_date], tm->data, tm->length);
2196: row[DB_exp_date][tm->length] = '\0';
2197:
2198: row[DB_rev_date] = NULL;
2199:
2200: /* row[DB_serial] done already */
2201: row[DB_file] = malloc(8);
2202:
2203: /* row[DB_name] done already */
2204:
1.13 beck 2205: if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
1.1 jsing 2206: BIO_printf(bio_err, "Memory allocation failure\n");
2207: goto err;
2208: }
2209: (void) strlcpy(row[DB_file], "unknown", 8);
2210: row[DB_type][0] = 'V';
2211: row[DB_type][1] = '\0';
2212:
2213: if ((irow = reallocarray(NULL, sizeof(char *),
2214: (DB_NUMBER + 1))) == NULL) {
2215: BIO_printf(bio_err, "Memory allocation failure\n");
2216: goto err;
2217: }
2218: for (i = 0; i < DB_NUMBER; i++) {
2219: irow[i] = row[i];
2220: row[i] = NULL;
2221: }
2222: irow[DB_NUMBER] = NULL;
2223:
2224: if (!TXT_DB_insert(db->db, irow)) {
2225: BIO_printf(bio_err, "failed to update database\n");
2226: BIO_printf(bio_err, "TXT_DB error number %ld\n",
2227: db->db->error);
2228: goto err;
2229: }
2230: /* Revoke Certificate */
2231: ok = do_revoke(x509, db, type, value);
2232:
2233: goto err;
2234:
2235: } else if (index_name_cmp_noconst(row, rrow)) {
2236: BIO_printf(bio_err, "ERROR:name does not match %s\n",
2237: row[DB_name]);
2238: goto err;
2239: } else if (rrow[DB_type][0] == 'R') {
2240: BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2241: row[DB_serial]);
2242: goto err;
2243: } else {
2244: BIO_printf(bio_err, "Revoking Certificate %s.\n",
2245: rrow[DB_serial]);
2246: rev_str = make_revocation_str(type, value);
2247: if (!rev_str) {
2248: BIO_printf(bio_err, "Error in revocation arguments\n");
2249: goto err;
2250: }
2251: rrow[DB_type][0] = 'R';
2252: rrow[DB_type][1] = '\0';
2253: rrow[DB_rev_date] = rev_str;
2254: }
2255: ok = 1;
2256:
2257: err:
2258: for (i = 0; i < DB_NUMBER; i++)
2259: free(row[i]);
2260:
2261: return (ok);
2262: }
2263:
2264: static int
2265: get_certificate_status(const char *serial, CA_DB * db)
2266: {
2267: char *row[DB_NUMBER], **rrow;
2268: int ok = -1, i;
2269:
2270: /* Free Resources */
2271: for (i = 0; i < DB_NUMBER; i++)
2272: row[i] = NULL;
2273:
2274: /* Malloc needed char spaces */
2275: row[DB_serial] = malloc(strlen(serial) + 2);
2276: if (row[DB_serial] == NULL) {
2277: BIO_printf(bio_err, "Malloc failure\n");
2278: goto err;
2279: }
2280: if (strlen(serial) % 2) {
2281: /* Set the first char to 0 */ ;
2282: row[DB_serial][0] = '0';
2283:
2284: /* Copy String from serial to row[DB_serial] */
2285: memcpy(row[DB_serial] + 1, serial, strlen(serial));
2286: row[DB_serial][strlen(serial) + 1] = '\0';
2287: } else {
2288: /* Copy String from serial to row[DB_serial] */
2289: memcpy(row[DB_serial], serial, strlen(serial));
2290: row[DB_serial][strlen(serial)] = '\0';
2291: }
2292:
2293: /* Make it Upper Case */
2294: for (i = 0; row[DB_serial][i] != '\0'; i++)
2295: row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2296:
2297:
2298: ok = 1;
2299:
2300: /* Search for the certificate */
2301: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2302: if (rrow == NULL) {
2303: BIO_printf(bio_err, "Serial %s not present in db.\n",
2304: row[DB_serial]);
2305: ok = -1;
2306: goto err;
2307: } else if (rrow[DB_type][0] == 'V') {
2308: BIO_printf(bio_err, "%s=Valid (%c)\n",
2309: row[DB_serial], rrow[DB_type][0]);
2310: goto err;
2311: } else if (rrow[DB_type][0] == 'R') {
2312: BIO_printf(bio_err, "%s=Revoked (%c)\n",
2313: row[DB_serial], rrow[DB_type][0]);
2314: goto err;
2315: } else if (rrow[DB_type][0] == 'E') {
2316: BIO_printf(bio_err, "%s=Expired (%c)\n",
2317: row[DB_serial], rrow[DB_type][0]);
2318: goto err;
2319: } else if (rrow[DB_type][0] == 'S') {
2320: BIO_printf(bio_err, "%s=Suspended (%c)\n",
2321: row[DB_serial], rrow[DB_type][0]);
2322: goto err;
2323: } else {
2324: BIO_printf(bio_err, "%s=Unknown (%c).\n",
2325: row[DB_serial], rrow[DB_type][0]);
2326: ok = -1;
2327: }
2328:
2329: err:
2330: for (i = 0; i < DB_NUMBER; i++)
2331: free(row[i]);
2332:
2333: return (ok);
2334: }
2335:
2336: static int
2337: do_updatedb(CA_DB * db)
2338: {
2339: ASN1_UTCTIME *a_tm = NULL;
2340: int i, cnt = 0;
2341: int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2342: char **rrow, *a_tm_s;
2343:
2344: a_tm = ASN1_UTCTIME_new();
2345:
2346: /* get actual time and make a string */
2347: a_tm = X509_gmtime_adj(a_tm, 0);
2348: a_tm_s = malloc(a_tm->length + 1);
2349: if (a_tm_s == NULL) {
2350: cnt = -1;
2351: goto err;
2352: }
2353: memcpy(a_tm_s, a_tm->data, a_tm->length);
2354: a_tm_s[a_tm->length] = '\0';
2355:
2356: if (strncmp(a_tm_s, "49", 2) <= 0)
2357: a_y2k = 1;
2358: else
2359: a_y2k = 0;
2360:
2361: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2362: rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2363:
2364: if (rrow[DB_type][0] == 'V') {
2365: /* ignore entries that are not valid */
2366: if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2367: db_y2k = 1;
2368: else
2369: db_y2k = 0;
2370:
2371: if (db_y2k == a_y2k) {
2372: /* all on the same y2k side */
2373: if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2374: rrow[DB_type][0] = 'E';
2375: rrow[DB_type][1] = '\0';
2376: cnt++;
2377:
2378: BIO_printf(bio_err, "%s=Expired\n",
2379: rrow[DB_serial]);
2380: }
2381: } else if (db_y2k < a_y2k) {
2382: rrow[DB_type][0] = 'E';
2383: rrow[DB_type][1] = '\0';
2384: cnt++;
2385:
2386: BIO_printf(bio_err, "%s=Expired\n",
2387: rrow[DB_serial]);
2388: }
2389: }
2390: }
2391:
2392: err:
2393: ASN1_UTCTIME_free(a_tm);
2394: free(a_tm_s);
2395:
2396: return (cnt);
2397: }
2398:
2399: static const char *crl_reasons[] = {
2400: /* CRL reason strings */
2401: "unspecified",
2402: "keyCompromise",
2403: "CACompromise",
2404: "affiliationChanged",
2405: "superseded",
2406: "cessationOfOperation",
2407: "certificateHold",
2408: "removeFromCRL",
2409: /* Additional pseudo reasons */
2410: "holdInstruction",
2411: "keyTime",
2412: "CAkeyTime"
2413: };
2414:
2415: #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2416:
2417: /* Given revocation information convert to a DB string.
2418: * The format of the string is:
2419: * revtime[,reason,extra]. Where 'revtime' is the
2420: * revocation time (the current time). 'reason' is the
2421: * optional CRL reason and 'extra' is any additional
2422: * argument
2423: */
2424:
2425: char *
2426: make_revocation_str(int rev_type, char *rev_arg)
2427: {
2428: char *other = NULL, *str;
2429: const char *reason = NULL;
2430: ASN1_OBJECT *otmp;
2431: ASN1_UTCTIME *revtm = NULL;
2432: int i;
2433: switch (rev_type) {
2434: case REV_NONE:
2435: break;
2436:
2437: case REV_CRL_REASON:
2438: for (i = 0; i < 8; i++) {
2439: if (!strcasecmp(rev_arg, crl_reasons[i])) {
2440: reason = crl_reasons[i];
2441: break;
2442: }
2443: }
2444: if (reason == NULL) {
2445: BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2446: return NULL;
2447: }
2448: break;
2449:
2450: case REV_HOLD:
2451: /* Argument is an OID */
2452:
2453: otmp = OBJ_txt2obj(rev_arg, 0);
2454: ASN1_OBJECT_free(otmp);
2455:
2456: if (otmp == NULL) {
2457: BIO_printf(bio_err,
2458: "Invalid object identifier %s\n", rev_arg);
2459: return NULL;
2460: }
2461: reason = "holdInstruction";
2462: other = rev_arg;
2463: break;
2464:
2465: case REV_KEY_COMPROMISE:
2466: case REV_CA_COMPROMISE:
2467:
2468: /* Argument is the key compromise time */
2469: if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2470: BIO_printf(bio_err,
2471: "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2472: rev_arg);
2473: return NULL;
2474: }
2475: other = rev_arg;
2476: if (rev_type == REV_KEY_COMPROMISE)
2477: reason = "keyTime";
2478: else
2479: reason = "CAkeyTime";
2480:
2481: break;
2482:
2483: }
2484:
2485: revtm = X509_gmtime_adj(NULL, 0);
2486: if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2487: reason ? "," : "", reason ? reason : "",
2488: other ? "," : "", other ? other : "") == -1)
2489: str = NULL;
2490: ASN1_UTCTIME_free(revtm);
2491: return str;
2492: }
2493:
2494: /* Convert revocation field to X509_REVOKED entry
2495: * return code:
2496: * 0 error
2497: * 1 OK
2498: * 2 OK and some extensions added (i.e. V2 CRL)
2499: */
2500:
2501: int
2502: make_revoked(X509_REVOKED * rev, const char *str)
2503: {
2504: char *tmp = NULL;
2505: int reason_code = -1;
2506: int i, ret = 0;
2507: ASN1_OBJECT *hold = NULL;
2508: ASN1_GENERALIZEDTIME *comp_time = NULL;
2509: ASN1_ENUMERATED *rtmp = NULL;
2510:
2511: ASN1_TIME *revDate = NULL;
2512:
2513: i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2514:
2515: if (i == 0)
2516: goto err;
2517:
2518: if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2519: goto err;
2520:
2521: if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2522: rtmp = ASN1_ENUMERATED_new();
2523: if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2524: goto err;
2525: if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2526: goto err;
2527: }
2528: if (rev && comp_time) {
2529: if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2530: comp_time, 0, 0))
2531: goto err;
2532: }
2533: if (rev && hold) {
2534: if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2535: hold, 0, 0))
2536: goto err;
2537: }
2538: if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2539: ret = 2;
2540: else
2541: ret = 1;
2542:
2543: err:
2544: free(tmp);
2545:
2546: ASN1_OBJECT_free(hold);
2547: ASN1_GENERALIZEDTIME_free(comp_time);
2548: ASN1_ENUMERATED_free(rtmp);
2549: ASN1_TIME_free(revDate);
2550:
2551: return ret;
2552: }
2553:
2554: int
2555: old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
2556: {
2557: char buf[25], *pbuf, *p;
2558: int j;
2559:
2560: j = i2a_ASN1_OBJECT(bp, obj);
2561: pbuf = buf;
2562: for (j = 22 - j; j > 0; j--)
2563: *(pbuf++) = ' ';
2564: *(pbuf++) = ':';
2565: *(pbuf++) = '\0';
2566: BIO_puts(bp, buf);
2567:
2568: if (str->type == V_ASN1_PRINTABLESTRING)
2569: BIO_printf(bp, "PRINTABLE:'");
2570: else if (str->type == V_ASN1_T61STRING)
2571: BIO_printf(bp, "T61STRING:'");
2572: else if (str->type == V_ASN1_IA5STRING)
2573: BIO_printf(bp, "IA5STRING:'");
2574: else if (str->type == V_ASN1_UNIVERSALSTRING)
2575: BIO_printf(bp, "UNIVERSALSTRING:'");
2576: else
2577: BIO_printf(bp, "ASN.1 %2d:'", str->type);
2578:
2579: p = (char *) str->data;
2580: for (j = str->length; j > 0; j--) {
2581: if ((*p >= ' ') && (*p <= '~'))
2582: BIO_printf(bp, "%c", *p);
2583: else if (*p & 0x80)
2584: BIO_printf(bp, "\\0x%02X", *p);
2585: else if ((unsigned char) *p == 0xf7)
2586: BIO_printf(bp, "^?");
2587: else
2588: BIO_printf(bp, "^%c", *p + '@');
2589: p++;
2590: }
2591: BIO_printf(bp, "'\n");
2592: return 1;
2593: }
2594:
2595: int
2596: unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2597: ASN1_GENERALIZEDTIME ** pinvtm, const char *str)
2598: {
2599: char *tmp = NULL;
2600: char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2601: int reason_code = -1;
2602: int ret = 0;
2603: unsigned int i;
2604: ASN1_OBJECT *hold = NULL;
2605: ASN1_GENERALIZEDTIME *comp_time = NULL;
2606:
2607: if ((tmp = strdup(str)) == NULL) {
2608: BIO_printf(bio_err, "malloc failed\n");
2609: goto err;
2610: }
2611: p = strchr(tmp, ',');
2612: rtime_str = tmp;
2613:
2614: if (p) {
2615: *p = '\0';
2616: p++;
2617: reason_str = p;
2618: p = strchr(p, ',');
2619: if (p) {
2620: *p = '\0';
2621: arg_str = p + 1;
2622: }
2623: }
2624: if (prevtm) {
2625: *prevtm = ASN1_UTCTIME_new();
2626: if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2627: BIO_printf(bio_err, "invalid revocation date %s\n",
2628: rtime_str);
2629: goto err;
2630: }
2631: }
2632: if (reason_str) {
2633: for (i = 0; i < NUM_REASONS; i++) {
2634: if (!strcasecmp(reason_str, crl_reasons[i])) {
2635: reason_code = i;
2636: break;
2637: }
2638: }
2639: if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2640: BIO_printf(bio_err, "invalid reason code %s\n",
2641: reason_str);
2642: goto err;
2643: }
2644: if (reason_code == 7)
2645: reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2646: else if (reason_code == 8) { /* Hold instruction */
2647: if (!arg_str) {
2648: BIO_printf(bio_err,
2649: "missing hold instruction\n");
2650: goto err;
2651: }
2652: reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2653: hold = OBJ_txt2obj(arg_str, 0);
2654:
2655: if (!hold) {
2656: BIO_printf(bio_err,
2657: "invalid object identifier %s\n", arg_str);
2658: goto err;
2659: }
2660: if (phold)
2661: *phold = hold;
2662: } else if ((reason_code == 9) || (reason_code == 10)) {
2663: if (!arg_str) {
2664: BIO_printf(bio_err,
2665: "missing compromised time\n");
2666: goto err;
2667: }
2668: comp_time = ASN1_GENERALIZEDTIME_new();
2669: if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2670: arg_str)) {
2671: BIO_printf(bio_err,
2672: "invalid compromised time %s\n", arg_str);
2673: goto err;
2674: }
2675: if (reason_code == 9)
2676: reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2677: else
2678: reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2679: }
2680: }
2681: if (preason)
2682: *preason = reason_code;
2683: if (pinvtm)
2684: *pinvtm = comp_time;
2685: else
2686: ASN1_GENERALIZEDTIME_free(comp_time);
2687:
2688: ret = 1;
2689:
2690: err:
2691: free(tmp);
2692:
2693: if (!phold)
2694: ASN1_OBJECT_free(hold);
2695: if (!pinvtm)
2696: ASN1_GENERALIZEDTIME_free(comp_time);
2697:
2698: return ret;
2699: }
2700:
2701: static char *
2702: bin2hex(unsigned char * data, size_t len)
2703: {
2704: char *ret = NULL;
2705: char hex[] = "0123456789ABCDEF";
2706: int i;
2707:
2708: if ((ret = malloc(len * 2 + 1))) {
2709: for (i = 0; i < len; i++) {
2710: ret[i * 2 + 0] = hex[data[i] >> 4];
2711: ret[i * 2 + 1] = hex[data[i] & 0x0F];
2712: }
2713: ret[len * 2] = '\0';
2714: }
2715: return ret;
2716: }