Annotation of src/usr.bin/openssl/ca.c, Revision 1.25
1.25 ! beck 1: /* $OpenBSD: ca.c,v 1.24 2017/05/04 12:36:13 beck Exp $ */
1.1 jsing 2: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3: * All rights reserved.
4: *
5: * This package is an SSL implementation written
6: * by Eric Young (eay@cryptsoft.com).
7: * The implementation was written so as to conform with Netscapes SSL.
8: *
9: * This library is free for commercial and non-commercial use as long as
10: * the following conditions are aheared to. The following conditions
11: * apply to all code found in this distribution, be it the RC4, RSA,
12: * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13: * included with this distribution is covered by the same copyright terms
14: * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15: *
16: * Copyright remains Eric Young's, and as such any Copyright notices in
17: * the code are not to be removed.
18: * If this package is used in a product, Eric Young should be given attribution
19: * as the author of the parts of the library used.
20: * This can be in the form of a textual message at program startup or
21: * in documentation (online or textual) provided with the package.
22: *
23: * Redistribution and use in source and binary forms, with or without
24: * modification, are permitted provided that the following conditions
25: * are met:
26: * 1. Redistributions of source code must retain the copyright
27: * notice, this list of conditions and the following disclaimer.
28: * 2. Redistributions in binary form must reproduce the above copyright
29: * notice, this list of conditions and the following disclaimer in the
30: * documentation and/or other materials provided with the distribution.
31: * 3. All advertising materials mentioning features or use of this software
32: * must display the following acknowledgement:
33: * "This product includes cryptographic software written by
34: * Eric Young (eay@cryptsoft.com)"
35: * The word 'cryptographic' can be left out if the rouines from the library
36: * being used are not cryptographic related :-).
37: * 4. If you include any Windows specific code (or a derivative thereof) from
38: * the apps directory (application code) you must include an acknowledgement:
39: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40: *
41: * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44: * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51: * SUCH DAMAGE.
52: *
53: * The licence and distribution terms for any publically available version or
54: * derivative of this code cannot be changed. i.e. this code cannot simply be
55: * copied and put under another distribution licence
56: * [including the GNU Public Licence.]
57: */
58:
59: /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60:
61: #include <sys/types.h>
62:
63: #include <ctype.h>
64: #include <stdio.h>
65: #include <stdlib.h>
66: #include <limits.h>
67: #include <string.h>
68: #include <unistd.h>
69:
70: #include "apps.h"
71:
72: #include <openssl/bio.h>
73: #include <openssl/bn.h>
74: #include <openssl/conf.h>
75: #include <openssl/err.h>
76: #include <openssl/evp.h>
77: #include <openssl/objects.h>
78: #include <openssl/ocsp.h>
79: #include <openssl/pem.h>
80: #include <openssl/txt_db.h>
81: #include <openssl/x509.h>
82: #include <openssl/x509v3.h>
83:
84: #define BASE_SECTION "ca"
85:
86: #define ENV_DEFAULT_CA "default_ca"
87:
88: #define STRING_MASK "string_mask"
89: #define UTF8_IN "utf8"
90:
91: #define ENV_NEW_CERTS_DIR "new_certs_dir"
92: #define ENV_CERTIFICATE "certificate"
93: #define ENV_SERIAL "serial"
94: #define ENV_CRLNUMBER "crlnumber"
95: #define ENV_PRIVATE_KEY "private_key"
96: #define ENV_DEFAULT_DAYS "default_days"
97: #define ENV_DEFAULT_STARTDATE "default_startdate"
98: #define ENV_DEFAULT_ENDDATE "default_enddate"
99: #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
100: #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
101: #define ENV_DEFAULT_MD "default_md"
102: #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
103: #define ENV_PRESERVE "preserve"
104: #define ENV_POLICY "policy"
105: #define ENV_EXTENSIONS "x509_extensions"
106: #define ENV_CRLEXT "crl_extensions"
107: #define ENV_MSIE_HACK "msie_hack"
108: #define ENV_NAMEOPT "name_opt"
109: #define ENV_CERTOPT "cert_opt"
110: #define ENV_EXTCOPY "copy_extensions"
111: #define ENV_UNIQUE_SUBJECT "unique_subject"
112:
113: #define ENV_DATABASE "database"
114:
115: /* Additional revocation information types */
116:
117: #define REV_NONE 0 /* No addditional information */
118: #define REV_CRL_REASON 1 /* Value is CRL reason code */
119: #define REV_HOLD 2 /* Value is hold instruction */
120: #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121: #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122:
123: static const char *ca_usage[] = {
124: "usage: ca args\n",
125: "\n",
126: " -verbose - Talk a lot while doing things\n",
127: " -config file - A config file\n",
128: " -name arg - The particular CA definition to use\n",
129: " -gencrl - Generate a new CRL\n",
130: " -crldays days - Days is when the next CRL is due\n",
131: " -crlhours hours - Hours is when the next CRL is due\n",
132: " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
133: " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
134: " -days arg - number of days to certify the certificate for\n",
1.15 bcook 135: " -md arg - md to use, one of md5 or sha1\n",
1.1 jsing 136: " -policy arg - The CA 'policy' to support\n",
137: " -keyfile arg - private key file\n",
1.12 bcook 138: " -keyform arg - private key file format (PEM)\n",
1.1 jsing 139: " -key arg - key to decode the private key if it is encrypted\n",
140: " -cert file - The CA certificate\n",
141: " -selfsign - sign a certificate with the key associated with it\n",
142: " -in file - The input PEM encoded certificate request(s)\n",
143: " -out file - Where to put the output file(s)\n",
144: " -outdir dir - Where to put output certificates\n",
145: " -infiles .... - The last argument, requests to process\n",
146: " -spkac file - File contains DN and signed public key and challenge\n",
147: " -ss_cert file - File contains a self signed cert to sign\n",
148: " -preserveDN - Don't re-order the DN\n",
149: " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
150: " -batch - Don't ask questions\n",
151: " -msie_hack - msie modifications to handle all those universal strings\n",
152: " -revoke file - Revoke a certificate (given in file)\n",
153: " -subj arg - Use arg instead of request's subject\n",
154: " -utf8 - input characters are UTF8 (default ASCII)\n",
155: " -multivalue-rdn - enable support for multivalued RDNs\n",
156: " -extensions .. - Extension section (override value in config file)\n",
157: " -extfile file - Configuration file with X509v3 extentions to add\n",
158: " -crlexts .. - CRL extension section (override value in config file)\n",
159: " -status serial - Shows certificate status given the serial number\n",
160: " -updatedb - Updates db for expired certificates\n",
161: NULL
162: };
163:
164: static void lookup_fail(const char *name, const char *tag);
165: static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
166: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
167: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
168: unsigned long chtype, int multirdn, int email_dn, char *startdate,
169: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
170: int verbose, unsigned long certopt, unsigned long nameopt,
171: int default_op, int ext_copy, int selfsign);
172: static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
173: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
174: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
175: unsigned long chtype, int multirdn, int email_dn, char *startdate,
176: char *enddate, long days, int batch, char *ext_sect, CONF * conf,
177: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1.12 bcook 178: int ext_copy);
1.1 jsing 179: static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
180: X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
181: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
182: unsigned long chtype, int multirdn, int email_dn, char *startdate,
183: char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
184: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
185: static void write_new_certificate(BIO * bp, X509 * x, int output_der,
186: int notext);
187: static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
188: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
189: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
190: unsigned long chtype, int multirdn, int email_dn, char *startdate,
191: char *enddate, long days, int batch, int verbose, X509_REQ * req,
192: char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
193: int default_op, int ext_copy, int selfsign);
194: static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
195: static int get_certificate_status(const char *ser_status, CA_DB * db);
196: static int do_updatedb(CA_DB * db);
197: static int check_time_format(const char *str);
198: static char * bin2hex(unsigned char *, size_t);
199: char *make_revocation_str(int rev_type, char *rev_arg);
200: int make_revoked(X509_REVOKED * rev, const char *str);
201: int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
202: static CONF *conf = NULL;
203: static CONF *extconf = NULL;
204: static char *section = NULL;
205:
206: static int preserve = 0;
207: static int msie_hack = 0;
208:
209:
1.24 beck 210: /*
211: * Set a certificate time based on user provided input. Make sure
212: * what we put in the certificate is legit for RFC 5280. Returns
213: * 0 on success, -1 on an invalid time string. Strings must be
214: * YYYYMMDDHHMMSSZ for post 2050 dates. YYYYMMDDHHMMSSZ or
215: * YYMMDDHHMMSSZ is accepted for pre 2050 dates, and fixed up to
216: * be the correct format in the certificate.
217: */
218: static int
219: setCertificateTime(ASN1_TIME *x509time, char *timestring)
220: {
1.25 ! beck 221: struct tm tm1;
1.24 beck 222: memset(&tm1, 0, sizeof(tm1));
1.25 ! beck 223: if (ASN1_time_parse(timestring, strlen(timestring), &tm1, 0) == -1)
1.24 beck 224: return (-1);
1.25 ! beck 225: if (!ASN1_TIME_set_tm(x509time, &tm1))
1.24 beck 226: return (-1);
1.25 ! beck 227: return 0;
1.24 beck 228: }
229:
1.1 jsing 230: int
231: ca_main(int argc, char **argv)
232: {
233: char *key = NULL, *passargin = NULL;
234: int create_ser = 0;
235: int free_key = 0;
236: int total = 0;
237: int total_done = 0;
238: int badops = 0;
239: int ret = 1;
240: int email_dn = 1;
241: int req = 0;
242: int verbose = 0;
243: int gencrl = 0;
244: int dorevoke = 0;
245: int doupdatedb = 0;
246: long crldays = 0;
247: long crlhours = 0;
248: long crlsec = 0;
249: long errorline = -1;
250: char *configfile = NULL;
251: char *md = NULL;
252: char *policy = NULL;
253: char *keyfile = NULL;
254: char *certfile = NULL;
255: int keyform = FORMAT_PEM;
256: char *infile = NULL;
257: char *spkac_file = NULL;
258: char *ss_cert_file = NULL;
259: char *ser_status = NULL;
260: EVP_PKEY *pkey = NULL;
261: int output_der = 0;
262: char *outfile = NULL;
263: char *outdir = NULL;
264: char *serialfile = NULL;
265: char *crlnumberfile = NULL;
266: char *extensions = NULL;
267: char *extfile = NULL;
268: char *subj = NULL;
269: unsigned long chtype = MBSTRING_ASC;
270: int multirdn = 0;
271: char *tmp_email_dn = NULL;
272: char *crl_ext = NULL;
273: int rev_type = REV_NONE;
274: char *rev_arg = NULL;
275: BIGNUM *serial = NULL;
276: BIGNUM *crlnumber = NULL;
277: char *startdate = NULL;
278: char *enddate = NULL;
279: long days = 0;
280: int batch = 0;
281: int notext = 0;
282: unsigned long nameopt = 0, certopt = 0;
283: int default_op = 1;
284: int ext_copy = EXT_COPY_NONE;
285: int selfsign = 0;
286: X509 *x509 = NULL, *x509p = NULL;
287: X509 *x = NULL;
288: BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
289: char *dbfile = NULL;
290: CA_DB *db = NULL;
291: X509_CRL *crl = NULL;
292: X509_REVOKED *r = NULL;
293: ASN1_TIME *tmptm;
294: ASN1_INTEGER *tmpser;
295: char *f;
296: const char *p;
297: char *const * pp;
298: int i, j;
299: const EVP_MD *dgst = NULL;
300: STACK_OF(CONF_VALUE) * attribs = NULL;
301: STACK_OF(X509) * cert_sk = NULL;
302: STACK_OF(OPENSSL_STRING) * sigopts = NULL;
303: char *tofree = NULL;
304: const char *errstr = NULL;
305: DB_ATTR db_attr;
1.17 doug 306:
307: if (single_execution) {
1.23 deraadt 308: if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
1.17 doug 309: perror("pledge");
1.19 doug 310: exit(1);
311: }
1.17 doug 312: }
1.1 jsing 313:
314: conf = NULL;
315: key = NULL;
316: section = NULL;
317:
318: preserve = 0;
319: msie_hack = 0;
320:
321: argc--;
322: argv++;
323: while (argc >= 1) {
324: if (strcmp(*argv, "-verbose") == 0)
325: verbose = 1;
326: else if (strcmp(*argv, "-config") == 0) {
327: if (--argc < 1)
328: goto bad;
329: configfile = *(++argv);
330: } else if (strcmp(*argv, "-name") == 0) {
331: if (--argc < 1)
332: goto bad;
333: section = *(++argv);
334: } else if (strcmp(*argv, "-subj") == 0) {
335: if (--argc < 1)
336: goto bad;
337: subj = *(++argv);
338: /* preserve=1; */
339: } else if (strcmp(*argv, "-utf8") == 0)
340: chtype = MBSTRING_UTF8;
341: else if (strcmp(*argv, "-create_serial") == 0)
342: create_ser = 1;
343: else if (strcmp(*argv, "-multivalue-rdn") == 0)
344: multirdn = 1;
345: else if (strcmp(*argv, "-startdate") == 0) {
346: if (--argc < 1)
347: goto bad;
348: startdate = *(++argv);
349: } else if (strcmp(*argv, "-enddate") == 0) {
350: if (--argc < 1)
351: goto bad;
352: enddate = *(++argv);
353: } else if (strcmp(*argv, "-days") == 0) {
354: if (--argc < 1)
355: goto bad;
356: days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
357: if (errstr)
358: goto bad;
359: } else if (strcmp(*argv, "-md") == 0) {
360: if (--argc < 1)
361: goto bad;
362: md = *(++argv);
363: } else if (strcmp(*argv, "-policy") == 0) {
364: if (--argc < 1)
365: goto bad;
366: policy = *(++argv);
367: } else if (strcmp(*argv, "-keyfile") == 0) {
368: if (--argc < 1)
369: goto bad;
370: keyfile = *(++argv);
371: } else if (strcmp(*argv, "-keyform") == 0) {
372: if (--argc < 1)
373: goto bad;
374: keyform = str2fmt(*(++argv));
375: } else if (strcmp(*argv, "-passin") == 0) {
376: if (--argc < 1)
377: goto bad;
378: passargin = *(++argv);
379: } else if (strcmp(*argv, "-key") == 0) {
380: if (--argc < 1)
381: goto bad;
382: key = *(++argv);
383: } else if (strcmp(*argv, "-cert") == 0) {
384: if (--argc < 1)
385: goto bad;
386: certfile = *(++argv);
387: } else if (strcmp(*argv, "-selfsign") == 0)
388: selfsign = 1;
389: else if (strcmp(*argv, "-in") == 0) {
390: if (--argc < 1)
391: goto bad;
392: infile = *(++argv);
393: req = 1;
394: } else if (strcmp(*argv, "-out") == 0) {
395: if (--argc < 1)
396: goto bad;
397: outfile = *(++argv);
398: } else if (strcmp(*argv, "-outdir") == 0) {
399: if (--argc < 1)
400: goto bad;
401: outdir = *(++argv);
402: } else if (strcmp(*argv, "-sigopt") == 0) {
403: if (--argc < 1)
404: goto bad;
405: if (!sigopts)
406: sigopts = sk_OPENSSL_STRING_new_null();
407: if (!sigopts ||
408: !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
409: goto bad;
410: } else if (strcmp(*argv, "-notext") == 0)
411: notext = 1;
412: else if (strcmp(*argv, "-batch") == 0)
413: batch = 1;
414: else if (strcmp(*argv, "-preserveDN") == 0)
415: preserve = 1;
416: else if (strcmp(*argv, "-noemailDN") == 0)
417: email_dn = 0;
418: else if (strcmp(*argv, "-gencrl") == 0)
419: gencrl = 1;
420: else if (strcmp(*argv, "-msie_hack") == 0)
421: msie_hack = 1;
422: else if (strcmp(*argv, "-crldays") == 0) {
423: if (--argc < 1)
424: goto bad;
425: crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
426: if (errstr)
427: goto bad;
428: } else if (strcmp(*argv, "-crlhours") == 0) {
429: if (--argc < 1)
430: goto bad;
431: crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
432: if (errstr)
433: goto bad;
434: } else if (strcmp(*argv, "-crlsec") == 0) {
435: if (--argc < 1)
436: goto bad;
437: crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
438: if (errstr)
439: goto bad;
440: } else if (strcmp(*argv, "-infiles") == 0) {
441: argc--;
442: argv++;
443: req = 1;
444: break;
445: } else if (strcmp(*argv, "-ss_cert") == 0) {
446: if (--argc < 1)
447: goto bad;
448: ss_cert_file = *(++argv);
449: req = 1;
450: } else if (strcmp(*argv, "-spkac") == 0) {
451: if (--argc < 1)
452: goto bad;
453: spkac_file = *(++argv);
454: req = 1;
455: } else if (strcmp(*argv, "-revoke") == 0) {
456: if (--argc < 1)
457: goto bad;
458: infile = *(++argv);
459: dorevoke = 1;
460: } else if (strcmp(*argv, "-extensions") == 0) {
461: if (--argc < 1)
462: goto bad;
463: extensions = *(++argv);
464: } else if (strcmp(*argv, "-extfile") == 0) {
465: if (--argc < 1)
466: goto bad;
467: extfile = *(++argv);
468: } else if (strcmp(*argv, "-status") == 0) {
469: if (--argc < 1)
470: goto bad;
471: ser_status = *(++argv);
472: } else if (strcmp(*argv, "-updatedb") == 0) {
473: doupdatedb = 1;
474: } else if (strcmp(*argv, "-crlexts") == 0) {
475: if (--argc < 1)
476: goto bad;
477: crl_ext = *(++argv);
478: } else if (strcmp(*argv, "-crl_reason") == 0) {
479: if (--argc < 1)
480: goto bad;
481: rev_arg = *(++argv);
482: rev_type = REV_CRL_REASON;
483: } else if (strcmp(*argv, "-crl_hold") == 0) {
484: if (--argc < 1)
485: goto bad;
486: rev_arg = *(++argv);
487: rev_type = REV_HOLD;
488: } else if (strcmp(*argv, "-crl_compromise") == 0) {
489: if (--argc < 1)
490: goto bad;
491: rev_arg = *(++argv);
492: rev_type = REV_KEY_COMPROMISE;
493: } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
494: if (--argc < 1)
495: goto bad;
496: rev_arg = *(++argv);
497: rev_type = REV_CA_COMPROMISE;
498: }
499: else {
500: bad:
501: if (errstr)
502: BIO_printf(bio_err, "invalid argument %s: %s\n",
503: *argv, errstr);
504: else
505: BIO_printf(bio_err, "unknown option %s\n", *argv);
506: badops = 1;
507: break;
508: }
509: argc--;
510: argv++;
511: }
512:
513: if (badops) {
514: const char **pp2;
515:
516: for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
517: BIO_printf(bio_err, "%s", *pp2);
518: goto err;
519: }
520:
521: /*****************************************************************/
522: tofree = NULL;
523: if (configfile == NULL)
524: configfile = getenv("OPENSSL_CONF");
525: if (configfile == NULL) {
526: if ((tofree = make_config_name()) == NULL) {
527: BIO_printf(bio_err, "error making config file name\n");
528: goto err;
529: }
530: configfile = tofree;
531: }
532: BIO_printf(bio_err, "Using configuration from %s\n", configfile);
533: conf = NCONF_new(NULL);
534: if (NCONF_load(conf, configfile, &errorline) <= 0) {
535: if (errorline <= 0)
536: BIO_printf(bio_err,
537: "error loading the config file '%s'\n",
538: configfile);
539: else
540: BIO_printf(bio_err,
541: "error on line %ld of config file '%s'\n",
542: errorline, configfile);
543: goto err;
544: }
545: free(tofree);
546: tofree = NULL;
547:
548: /* Lets get the config section we are using */
549: if (section == NULL) {
550: section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
551: if (section == NULL) {
552: lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
553: goto err;
554: }
555: }
556: if (conf != NULL) {
557: p = NCONF_get_string(conf, NULL, "oid_file");
558: if (p == NULL)
559: ERR_clear_error();
560: if (p != NULL) {
561: BIO *oid_bio;
562:
563: oid_bio = BIO_new_file(p, "r");
564: if (oid_bio == NULL) {
565: /*
566: BIO_printf(bio_err,
567: "problems opening %s for extra oid's\n", p);
568: ERR_print_errors(bio_err);
569: */
570: ERR_clear_error();
571: } else {
572: OBJ_create_objects(oid_bio);
573: BIO_free(oid_bio);
574: }
575: }
576: if (!add_oid_section(bio_err, conf)) {
577: ERR_print_errors(bio_err);
578: goto err;
579: }
580: }
581: f = NCONF_get_string(conf, section, STRING_MASK);
582: if (!f)
583: ERR_clear_error();
584:
585: if (f && !ASN1_STRING_set_default_mask_asc(f)) {
586: BIO_printf(bio_err,
587: "Invalid global string mask setting %s\n", f);
588: goto err;
589: }
590: if (chtype != MBSTRING_UTF8) {
591: f = NCONF_get_string(conf, section, UTF8_IN);
592: if (!f)
593: ERR_clear_error();
594: else if (!strcmp(f, "yes"))
595: chtype = MBSTRING_UTF8;
596: }
597: db_attr.unique_subject = 1;
598: p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
599: if (p) {
600: db_attr.unique_subject = parse_yesno(p, 1);
601: } else
602: ERR_clear_error();
603:
604: in = BIO_new(BIO_s_file());
605: out = BIO_new(BIO_s_file());
606: Sout = BIO_new(BIO_s_file());
607: Cout = BIO_new(BIO_s_file());
608: if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
609: ERR_print_errors(bio_err);
610: goto err;
611: }
612: /*****************************************************************/
613: /* report status of cert with serial number given on command line */
614: if (ser_status) {
615: if ((dbfile = NCONF_get_string(conf, section,
616: ENV_DATABASE)) == NULL) {
617: lookup_fail(section, ENV_DATABASE);
618: goto err;
619: }
620: db = load_index(dbfile, &db_attr);
621: if (db == NULL)
622: goto err;
623:
624: if (!index_index(db))
625: goto err;
626:
627: if (get_certificate_status(ser_status, db) != 1)
628: BIO_printf(bio_err, "Error verifying serial %s!\n",
629: ser_status);
630: goto err;
631: }
632: /*****************************************************************/
633: /* we definitely need a private key, so let's get it */
634:
635: if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
636: section, ENV_PRIVATE_KEY)) == NULL)) {
637: lookup_fail(section, ENV_PRIVATE_KEY);
638: goto err;
639: }
640: if (!key) {
641: free_key = 1;
642: if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
643: BIO_printf(bio_err, "Error getting password\n");
644: goto err;
645: }
646: }
1.12 bcook 647: pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key");
1.1 jsing 648: if (key)
1.11 jsing 649: explicit_bzero(key, strlen(key));
1.1 jsing 650: if (pkey == NULL) {
651: /* load_key() has already printed an appropriate message */
652: goto err;
653: }
654: /*****************************************************************/
655: /* we need a certificate */
656: if (!selfsign || spkac_file || ss_cert_file || gencrl) {
657: if ((certfile == NULL) &&
658: ((certfile = NCONF_get_string(conf,
659: section, ENV_CERTIFICATE)) == NULL)) {
660: lookup_fail(section, ENV_CERTIFICATE);
661: goto err;
662: }
1.12 bcook 663: x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL,
1.1 jsing 664: "CA certificate");
665: if (x509 == NULL)
666: goto err;
667:
668: if (!X509_check_private_key(x509, pkey)) {
669: BIO_printf(bio_err,
670: "CA certificate and CA private key do not match\n");
671: goto err;
672: }
673: }
674: if (!selfsign)
675: x509p = x509;
676:
677: f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
678: if (f == NULL)
679: ERR_clear_error();
680: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
681: preserve = 1;
682: f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
683: if (f == NULL)
684: ERR_clear_error();
685: if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
686: msie_hack = 1;
687:
688: f = NCONF_get_string(conf, section, ENV_NAMEOPT);
689:
690: if (f) {
691: if (!set_name_ex(&nameopt, f)) {
692: BIO_printf(bio_err,
693: "Invalid name options: \"%s\"\n", f);
694: goto err;
695: }
696: default_op = 0;
697: } else
698: ERR_clear_error();
699:
700: f = NCONF_get_string(conf, section, ENV_CERTOPT);
701:
702: if (f) {
703: if (!set_cert_ex(&certopt, f)) {
704: BIO_printf(bio_err,
705: "Invalid certificate options: \"%s\"\n", f);
706: goto err;
707: }
708: default_op = 0;
709: } else
710: ERR_clear_error();
711:
712: f = NCONF_get_string(conf, section, ENV_EXTCOPY);
713:
714: if (f) {
715: if (!set_ext_copy(&ext_copy, f)) {
716: BIO_printf(bio_err,
717: "Invalid extension copy option: \"%s\"\n", f);
718: goto err;
719: }
720: } else
721: ERR_clear_error();
722:
723: /*****************************************************************/
724: /* lookup where to write new certificates */
1.22 deraadt 725: if (outdir == NULL && req) {
1.1 jsing 726: if ((outdir = NCONF_get_string(conf, section,
727: ENV_NEW_CERTS_DIR)) == NULL) {
1.22 deraadt 728: BIO_printf(bio_err, "output directory %s not defined\n",
729: ENV_NEW_CERTS_DIR);
1.1 jsing 730: goto err;
731: }
732: }
733: /*****************************************************************/
734: /* we need to load the database file */
735: if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
736: lookup_fail(section, ENV_DATABASE);
737: goto err;
738: }
739: db = load_index(dbfile, &db_attr);
740: if (db == NULL)
741: goto err;
742:
743: /* Lets check some fields */
744: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
745: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
746: if ((pp[DB_type][0] != DB_TYPE_REV) &&
747: (pp[DB_rev_date][0] != '\0')) {
748: BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1);
749: goto err;
750: }
751: if ((pp[DB_type][0] == DB_TYPE_REV) &&
752: !make_revoked(NULL, pp[DB_rev_date])) {
753: BIO_printf(bio_err, " in entry %d\n", i + 1);
754: goto err;
755: }
756: if (!check_time_format((char *) pp[DB_exp_date])) {
757: BIO_printf(bio_err, "entry %d: invalid expiry date\n",
758: i + 1);
759: goto err;
760: }
761: p = pp[DB_serial];
762: j = strlen(p);
763: if (*p == '-') {
764: p++;
765: j--;
766: }
767: if ((j & 1) || (j < 2)) {
768: BIO_printf(bio_err,
769: "entry %d: bad serial number length (%d)\n",
770: i + 1, j);
771: goto err;
772: }
773: while (*p) {
774: if (!(((*p >= '0') && (*p <= '9')) ||
775: ((*p >= 'A') && (*p <= 'F')) ||
776: ((*p >= 'a') && (*p <= 'f')))) {
777: BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
778: goto err;
779: }
780: p++;
781: }
782: }
783: if (verbose) {
784: BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
785: TXT_DB_write(out, db->db);
786: BIO_printf(bio_err, "%d entries loaded from the database\n",
787: sk_OPENSSL_PSTRING_num(db->db->data));
788: BIO_printf(bio_err, "generating index\n");
789: }
790: if (!index_index(db))
791: goto err;
792:
793: /*****************************************************************/
794: /* Update the db file for expired certificates */
795: if (doupdatedb) {
796: if (verbose)
797: BIO_printf(bio_err, "Updating %s ...\n", dbfile);
798:
799: i = do_updatedb(db);
800: if (i == -1) {
801: BIO_printf(bio_err, "Malloc failure\n");
802: goto err;
803: } else if (i == 0) {
804: if (verbose)
805: BIO_printf(bio_err,
806: "No entries found to mark expired\n");
807: } else {
808: if (!save_index(dbfile, "new", db))
809: goto err;
810:
811: if (!rotate_index(dbfile, "new", "old"))
812: goto err;
813:
814: if (verbose)
815: BIO_printf(bio_err,
816: "Done. %d entries marked as expired\n", i);
817: }
818: }
819: /*****************************************************************/
820: /* Read extentions config file */
821: if (extfile) {
822: extconf = NCONF_new(NULL);
823: if (NCONF_load(extconf, extfile, &errorline) <= 0) {
824: if (errorline <= 0)
825: BIO_printf(bio_err,
826: "ERROR: loading the config file '%s'\n",
827: extfile);
828: else
829: BIO_printf(bio_err,
830: "ERROR: on line %ld of config file '%s'\n",
831: errorline, extfile);
832: ret = 1;
833: goto err;
834: }
835: if (verbose)
836: BIO_printf(bio_err,
837: "Successfully loaded extensions file %s\n",
838: extfile);
839:
840: /* We can have sections in the ext file */
841: if (!extensions && !(extensions = NCONF_get_string(extconf,
842: "default", "extensions")))
843: extensions = "default";
844: }
845: /*****************************************************************/
846: if (req || gencrl) {
847: if (outfile != NULL) {
848: if (BIO_write_filename(Sout, outfile) <= 0) {
849: perror(outfile);
850: goto err;
851: }
852: } else {
853: BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
854: }
855: }
856: if ((md == NULL) && ((md = NCONF_get_string(conf, section,
857: ENV_DEFAULT_MD)) == NULL)) {
858: lookup_fail(section, ENV_DEFAULT_MD);
859: goto err;
860: }
861: if (!strcmp(md, "default")) {
862: int def_nid;
863: if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
864: BIO_puts(bio_err, "no default digest\n");
865: goto err;
866: }
867: md = (char *) OBJ_nid2sn(def_nid);
868: }
869: if ((dgst = EVP_get_digestbyname(md)) == NULL) {
870: BIO_printf(bio_err,
871: "%s is an unsupported message digest type\n", md);
872: goto err;
873: }
874: if (req) {
875: if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
876: section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
877: if (strcmp(tmp_email_dn, "no") == 0)
878: email_dn = 0;
879: }
880: if (verbose)
881: BIO_printf(bio_err, "message digest is %s\n",
882: OBJ_nid2ln(dgst->type));
883: if ((policy == NULL) && ((policy = NCONF_get_string(conf,
884: section, ENV_POLICY)) == NULL)) {
885: lookup_fail(section, ENV_POLICY);
886: goto err;
887: }
888: if (verbose)
889: BIO_printf(bio_err, "policy is %s\n", policy);
890:
891: if ((serialfile = NCONF_get_string(conf, section,
892: ENV_SERIAL)) == NULL) {
893: lookup_fail(section, ENV_SERIAL);
894: goto err;
895: }
896: if (!extconf) {
897: /*
898: * no '-extfile' option, so we look for extensions in
899: * the main configuration file
900: */
901: if (!extensions) {
902: extensions = NCONF_get_string(conf, section,
903: ENV_EXTENSIONS);
904: if (!extensions)
905: ERR_clear_error();
906: }
907: if (extensions) {
908: /* Check syntax of file */
909: X509V3_CTX ctx;
910: X509V3_set_ctx_test(&ctx);
911: X509V3_set_nconf(&ctx, conf);
912: if (!X509V3_EXT_add_nconf(conf, &ctx,
913: extensions, NULL)) {
914: BIO_printf(bio_err,
915: "Error Loading extension section %s\n",
916: extensions);
917: ret = 1;
918: goto err;
919: }
920: }
921: }
922: if (startdate == NULL) {
923: startdate = NCONF_get_string(conf, section,
924: ENV_DEFAULT_STARTDATE);
925: if (startdate == NULL)
926: ERR_clear_error();
927: }
928: if (startdate == NULL)
929: startdate = "today";
930:
931: if (enddate == NULL) {
932: enddate = NCONF_get_string(conf, section,
933: ENV_DEFAULT_ENDDATE);
934: if (enddate == NULL)
935: ERR_clear_error();
936: }
1.24 beck 937: if (days == 0 && enddate == NULL) {
1.1 jsing 938: if (!NCONF_get_number(conf, section,
1.24 beck 939: ENV_DEFAULT_DAYS, &days))
1.1 jsing 940: days = 0;
941: }
1.24 beck 942: if (enddate == NULL && days == 0) {
1.1 jsing 943: BIO_printf(bio_err,
944: "cannot lookup how many days to certify for\n");
945: goto err;
946: }
947: if ((serial = load_serial(serialfile, create_ser, NULL)) ==
948: NULL) {
949: BIO_printf(bio_err,
950: "error while loading serial number\n");
951: goto err;
952: }
953: if (verbose) {
954: if (BN_is_zero(serial))
955: BIO_printf(bio_err,
956: "next serial number is 00\n");
957: else {
958: if ((f = BN_bn2hex(serial)) == NULL)
959: goto err;
960: BIO_printf(bio_err,
961: "next serial number is %s\n", f);
962: free(f);
963: }
964: }
965: if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
966: BIO_printf(bio_err,
967: "unable to find 'section' for %s\n", policy);
968: goto err;
969: }
970: if ((cert_sk = sk_X509_new_null()) == NULL) {
971: BIO_printf(bio_err, "Memory allocation failure\n");
972: goto err;
973: }
974: if (spkac_file != NULL) {
975: total++;
976: j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
977: sigopts, attribs, db, serial, subj, chtype,
978: multirdn, email_dn, startdate, enddate, days,
979: extensions, conf, verbose, certopt, nameopt,
980: default_op, ext_copy);
981: if (j < 0)
982: goto err;
983: if (j > 0) {
984: total_done++;
985: BIO_printf(bio_err, "\n");
986: if (!BN_add_word(serial, 1))
987: goto err;
988: if (!sk_X509_push(cert_sk, x)) {
989: BIO_printf(bio_err,
990: "Memory allocation failure\n");
991: goto err;
992: }
993: if (outfile) {
994: output_der = 1;
995: batch = 1;
996: }
997: }
998: }
999: if (ss_cert_file != NULL) {
1000: total++;
1001: j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
1002: sigopts, attribs, db, serial, subj, chtype,
1003: multirdn, email_dn, startdate, enddate, days, batch,
1004: extensions, conf, verbose, certopt, nameopt,
1.12 bcook 1005: default_op, ext_copy);
1.1 jsing 1006: if (j < 0)
1007: goto err;
1008: if (j > 0) {
1009: total_done++;
1010: BIO_printf(bio_err, "\n");
1011: if (!BN_add_word(serial, 1))
1012: goto err;
1013: if (!sk_X509_push(cert_sk, x)) {
1014: BIO_printf(bio_err,
1015: "Memory allocation failure\n");
1016: goto err;
1017: }
1018: }
1019: }
1020: if (infile != NULL) {
1021: total++;
1022: j = certify(&x, infile, pkey, x509p, dgst, sigopts,
1023: attribs, db, serial, subj, chtype, multirdn,
1024: email_dn, startdate, enddate, days, batch,
1025: extensions, conf, verbose, certopt, nameopt,
1026: default_op, ext_copy, selfsign);
1027: if (j < 0)
1028: goto err;
1029: if (j > 0) {
1030: total_done++;
1031: BIO_printf(bio_err, "\n");
1032: if (!BN_add_word(serial, 1))
1033: goto err;
1034: if (!sk_X509_push(cert_sk, x)) {
1035: BIO_printf(bio_err,
1036: "Memory allocation failure\n");
1037: goto err;
1038: }
1039: }
1040: }
1041: for (i = 0; i < argc; i++) {
1042: total++;
1043: j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
1044: attribs, db, serial, subj, chtype, multirdn,
1045: email_dn, startdate, enddate, days, batch,
1046: extensions, conf, verbose, certopt, nameopt,
1047: default_op, ext_copy, selfsign);
1048: if (j < 0)
1049: goto err;
1050: if (j > 0) {
1051: total_done++;
1052: BIO_printf(bio_err, "\n");
1053: if (!BN_add_word(serial, 1))
1054: goto err;
1055: if (!sk_X509_push(cert_sk, x)) {
1056: BIO_printf(bio_err,
1057: "Memory allocation failure\n");
1058: goto err;
1059: }
1060: }
1061: }
1062: /*
1063: * we have a stack of newly certified certificates and a data
1064: * base and serial number that need updating
1065: */
1066:
1067: if (sk_X509_num(cert_sk) > 0) {
1068: if (!batch) {
1.21 deraadt 1069: char answer[10];
1070:
1.1 jsing 1071: BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
1072: (void) BIO_flush(bio_err);
1.21 deraadt 1073: if (!fgets(answer, sizeof answer - 1, stdin)) {
1.1 jsing 1074: BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1075: ret = 0;
1076: goto err;
1077: }
1.21 deraadt 1078: if ((answer[0] != 'y') && (answer[0] != 'Y')) {
1.1 jsing 1079: BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1080: ret = 0;
1081: goto err;
1082: }
1083: }
1084: BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk));
1085:
1086: if (!save_serial(serialfile, "new", serial, NULL))
1087: goto err;
1088:
1089: if (!save_index(dbfile, "new", db))
1090: goto err;
1091: }
1092: if (verbose)
1093: BIO_printf(bio_err, "writing new certificates\n");
1094: for (i = 0; i < sk_X509_num(cert_sk); i++) {
1095: int k;
1.3 doug 1096: char *serialstr;
1.1 jsing 1097: unsigned char *data;
1.21 deraadt 1098: char pempath[PATH_MAX];
1.1 jsing 1099:
1100: x = sk_X509_value(cert_sk, i);
1101:
1102: j = x->cert_info->serialNumber->length;
1103: data = (unsigned char *)x->cert_info->serialNumber->data;
1104: if (j > 0)
1.3 doug 1105: serialstr = bin2hex(data, j);
1.1 jsing 1106: else
1.3 doug 1107: serialstr = strdup("00");
1108: if (serialstr) {
1.21 deraadt 1109: k = snprintf(pempath, sizeof(pempath),
1.3 doug 1110: "%s/%s.pem", outdir, serialstr);
1111: free(serialstr);
1.21 deraadt 1112: if (k == -1 || k >= sizeof(pempath)) {
1.1 jsing 1113: BIO_printf(bio_err,
1114: "certificate file name too long\n");
1115: goto err;
1116: }
1117: } else {
1118: BIO_printf(bio_err,
1119: "memory allocation failed\n");
1120: goto err;
1121: }
1122: if (verbose)
1.21 deraadt 1123: BIO_printf(bio_err, "writing %s\n", pempath);
1.1 jsing 1124:
1.21 deraadt 1125: if (BIO_write_filename(Cout, pempath) <= 0) {
1126: perror(pempath);
1.1 jsing 1127: goto err;
1128: }
1129: write_new_certificate(Cout, x, 0, notext);
1130: write_new_certificate(Sout, x, output_der, notext);
1131: }
1132:
1133: if (sk_X509_num(cert_sk)) {
1134: /* Rename the database and the serial file */
1135: if (!rotate_serial(serialfile, "new", "old"))
1136: goto err;
1137:
1138: if (!rotate_index(dbfile, "new", "old"))
1139: goto err;
1140:
1141: BIO_printf(bio_err, "Data Base Updated\n");
1142: }
1143: }
1144: /*****************************************************************/
1145: if (gencrl) {
1146: int crl_v2 = 0;
1147: if (!crl_ext) {
1148: crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
1149: if (!crl_ext)
1150: ERR_clear_error();
1151: }
1152: if (crl_ext) {
1153: /* Check syntax of file */
1154: X509V3_CTX ctx;
1155: X509V3_set_ctx_test(&ctx);
1156: X509V3_set_nconf(&ctx, conf);
1157: if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
1158: BIO_printf(bio_err,
1159: "Error Loading CRL extension section %s\n",
1160: crl_ext);
1161: ret = 1;
1162: goto err;
1163: }
1164: }
1165: if ((crlnumberfile = NCONF_get_string(conf, section,
1166: ENV_CRLNUMBER)) != NULL)
1167: if ((crlnumber = load_serial(crlnumberfile, 0,
1168: NULL)) == NULL) {
1169: BIO_printf(bio_err,
1170: "error while loading CRL number\n");
1171: goto err;
1172: }
1173: if (!crldays && !crlhours && !crlsec) {
1174: if (!NCONF_get_number(conf, section,
1175: ENV_DEFAULT_CRL_DAYS, &crldays))
1176: crldays = 0;
1177: if (!NCONF_get_number(conf, section,
1178: ENV_DEFAULT_CRL_HOURS, &crlhours))
1179: crlhours = 0;
1180: ERR_clear_error();
1181: }
1182: if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1183: BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1184: goto err;
1185: }
1186: if (verbose)
1187: BIO_printf(bio_err, "making CRL\n");
1188: if ((crl = X509_CRL_new()) == NULL)
1189: goto err;
1190: if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1191: goto err;
1192:
1193: tmptm = ASN1_TIME_new();
1194: if (!tmptm)
1195: goto err;
1196: X509_gmtime_adj(tmptm, 0);
1197: X509_CRL_set_lastUpdate(crl, tmptm);
1198: if (!X509_time_adj_ex(tmptm, crldays,
1199: crlhours * 60 * 60 + crlsec, NULL)) {
1200: BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1201: goto err;
1202: }
1203: X509_CRL_set_nextUpdate(crl, tmptm);
1204:
1205: ASN1_TIME_free(tmptm);
1206:
1207: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1208: pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1209: if (pp[DB_type][0] == DB_TYPE_REV) {
1210: if ((r = X509_REVOKED_new()) == NULL)
1211: goto err;
1212: j = make_revoked(r, pp[DB_rev_date]);
1213: if (!j)
1214: goto err;
1215: if (j == 2)
1216: crl_v2 = 1;
1217: if (!BN_hex2bn(&serial, pp[DB_serial]))
1218: goto err;
1219: tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1220: BN_free(serial);
1221: serial = NULL;
1222: if (!tmpser)
1223: goto err;
1224: X509_REVOKED_set_serialNumber(r, tmpser);
1225: ASN1_INTEGER_free(tmpser);
1226: X509_CRL_add0_revoked(crl, r);
1227: }
1228: }
1229:
1230: /*
1231: * sort the data so it will be written in serial number order
1232: */
1233: X509_CRL_sort(crl);
1234:
1235: /* we now have a CRL */
1236: if (verbose)
1237: BIO_printf(bio_err, "signing CRL\n");
1238:
1239: /* Add any extensions asked for */
1240:
1241: if (crl_ext || crlnumberfile != NULL) {
1242: X509V3_CTX crlctx;
1243: X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1244: X509V3_set_nconf(&crlctx, conf);
1245:
1246: if (crl_ext)
1247: if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1248: crl_ext, crl))
1249: goto err;
1250: if (crlnumberfile != NULL) {
1251: tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1252: if (!tmpser)
1253: goto err;
1254: X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1255: tmpser, 0, 0);
1256: ASN1_INTEGER_free(tmpser);
1257: crl_v2 = 1;
1258: if (!BN_add_word(crlnumber, 1))
1259: goto err;
1260: }
1261: }
1262: if (crl_ext || crl_v2) {
1263: if (!X509_CRL_set_version(crl, 1))
1264: goto err; /* version 2 CRL */
1265: }
1266: if (crlnumberfile != NULL) /* we have a CRL number that
1267: * need updating */
1268: if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1269: goto err;
1270:
1271: if (crlnumber) {
1272: BN_free(crlnumber);
1273: crlnumber = NULL;
1274: }
1275: if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
1276: goto err;
1277:
1278: PEM_write_bio_X509_CRL(Sout, crl);
1279:
1280: if (crlnumberfile != NULL) /* Rename the crlnumber file */
1281: if (!rotate_serial(crlnumberfile, "new", "old"))
1282: goto err;
1283:
1284: }
1285: /*****************************************************************/
1286: if (dorevoke) {
1287: if (infile == NULL) {
1288: BIO_printf(bio_err, "no input files\n");
1289: goto err;
1290: } else {
1291: X509 *revcert;
1292: revcert = load_cert(bio_err, infile, FORMAT_PEM,
1.12 bcook 1293: NULL, infile);
1.1 jsing 1294: if (revcert == NULL)
1295: goto err;
1296: j = do_revoke(revcert, db, rev_type, rev_arg);
1297: if (j <= 0)
1298: goto err;
1299: X509_free(revcert);
1300:
1301: if (!save_index(dbfile, "new", db))
1302: goto err;
1303:
1304: if (!rotate_index(dbfile, "new", "old"))
1305: goto err;
1306:
1307: BIO_printf(bio_err, "Data Base Updated\n");
1308: }
1309: }
1310: /*****************************************************************/
1311: ret = 0;
1312:
1313: err:
1314: free(tofree);
1315:
1316: BIO_free_all(Cout);
1317: BIO_free_all(Sout);
1318: BIO_free_all(out);
1319: BIO_free_all(in);
1320:
1321: if (cert_sk)
1322: sk_X509_pop_free(cert_sk, X509_free);
1323:
1324: if (ret)
1325: ERR_print_errors(bio_err);
1326: if (free_key && key)
1327: free(key);
1328: BN_free(serial);
1329: BN_free(crlnumber);
1330: free_index(db);
1331: if (sigopts)
1332: sk_OPENSSL_STRING_free(sigopts);
1333: EVP_PKEY_free(pkey);
1334: if (x509)
1335: X509_free(x509);
1336: X509_CRL_free(crl);
1337: NCONF_free(conf);
1338: NCONF_free(extconf);
1339: OBJ_cleanup();
1340:
1341: return (ret);
1342: }
1343:
1344: static void
1345: lookup_fail(const char *name, const char *tag)
1346: {
1347: BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1348: }
1349:
1350: static int
1351: certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1352: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1353: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1354: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1355: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1356: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1357: int ext_copy, int selfsign)
1358: {
1359: X509_REQ *req = NULL;
1360: BIO *in = NULL;
1361: EVP_PKEY *pktmp = NULL;
1362: int ok = -1, i;
1363:
1364: in = BIO_new(BIO_s_file());
1365:
1366: if (BIO_read_filename(in, infile) <= 0) {
1367: perror(infile);
1368: goto err;
1369: }
1370: if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1371: BIO_printf(bio_err, "Error reading certificate request in %s\n",
1372: infile);
1373: goto err;
1374: }
1375: if (verbose)
1376: X509_REQ_print(bio_err, req);
1377:
1378: BIO_printf(bio_err, "Check that the request matches the signature\n");
1379:
1380: if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1381: BIO_printf(bio_err,
1382: "Certificate request and CA private key do not match\n");
1383: ok = 0;
1384: goto err;
1385: }
1386: if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
1387: BIO_printf(bio_err, "error unpacking public key\n");
1388: goto err;
1389: }
1390: i = X509_REQ_verify(req, pktmp);
1391: EVP_PKEY_free(pktmp);
1392: if (i < 0) {
1393: ok = 0;
1394: BIO_printf(bio_err, "Signature verification problems....\n");
1395: goto err;
1396: }
1397: if (i == 0) {
1398: ok = 0;
1399: BIO_printf(bio_err,
1400: "Signature did not match the certificate request\n");
1401: goto err;
1402: } else
1403: BIO_printf(bio_err, "Signature ok\n");
1404:
1405: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1406: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1407: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1408: ext_copy, selfsign);
1409:
1410: err:
1411: if (req != NULL)
1412: X509_REQ_free(req);
1413: if (in != NULL)
1414: BIO_free(in);
1415: return (ok);
1416: }
1417:
1418: static int
1419: certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1420: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
1421: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
1422: unsigned long chtype, int multirdn, int email_dn, char *startdate,
1423: char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
1424: int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1.12 bcook 1425: int ext_copy)
1.1 jsing 1426: {
1427: X509 *req = NULL;
1428: X509_REQ *rreq = NULL;
1429: EVP_PKEY *pktmp = NULL;
1430: int ok = -1, i;
1431:
1.12 bcook 1432: if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
1.1 jsing 1433: infile)) == NULL)
1434: goto err;
1435: if (verbose)
1436: X509_print(bio_err, req);
1437:
1438: BIO_printf(bio_err, "Check that the request matches the signature\n");
1439:
1440: if ((pktmp = X509_get_pubkey(req)) == NULL) {
1441: BIO_printf(bio_err, "error unpacking public key\n");
1442: goto err;
1443: }
1444: i = X509_verify(req, pktmp);
1445: EVP_PKEY_free(pktmp);
1446: if (i < 0) {
1447: ok = 0;
1448: BIO_printf(bio_err, "Signature verification problems....\n");
1449: goto err;
1450: }
1451: if (i == 0) {
1452: ok = 0;
1453: BIO_printf(bio_err,
1454: "Signature did not match the certificate\n");
1455: goto err;
1456: } else
1457: BIO_printf(bio_err, "Signature ok\n");
1458:
1459: if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1460: goto err;
1461:
1462: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1463: subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1464: verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1465: ext_copy, 0);
1466:
1467: err:
1468: if (rreq != NULL)
1469: X509_REQ_free(rreq);
1470: if (req != NULL)
1471: X509_free(req);
1472: return (ok);
1473: }
1474:
1475: static int
1476: do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1477: STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy,
1478: CA_DB * db, BIGNUM * serial, char *subj, unsigned long chtype, int multirdn,
1479: int email_dn, char *startdate, char *enddate, long days, int batch,
1480: int verbose, X509_REQ * req, char *ext_sect, CONF * lconf,
1481: unsigned long certopt, unsigned long nameopt, int default_op,
1482: int ext_copy, int selfsign)
1483: {
1484: X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
1485: ASN1_UTCTIME *tm, *tmptm;
1486: ASN1_STRING *str, *str2;
1487: ASN1_OBJECT *obj;
1488: X509 *ret = NULL;
1489: X509_CINF *ci;
1490: X509_NAME_ENTRY *ne;
1491: X509_NAME_ENTRY *tne, *push;
1492: EVP_PKEY *pktmp;
1493: int ok = -1, i, j, last, nid;
1494: const char *p;
1495: CONF_VALUE *cv;
1496: OPENSSL_STRING row[DB_NUMBER];
1497: OPENSSL_STRING *irow = NULL;
1498: OPENSSL_STRING *rrow = NULL;
1499:
1500: tmptm = ASN1_UTCTIME_new();
1501: if (tmptm == NULL) {
1502: BIO_printf(bio_err, "malloc error\n");
1503: return (0);
1504: }
1505: for (i = 0; i < DB_NUMBER; i++)
1506: row[i] = NULL;
1507:
1508: if (subj) {
1509: X509_NAME *n = parse_name(subj, chtype, multirdn);
1510:
1511: if (!n) {
1512: ERR_print_errors(bio_err);
1513: goto err;
1514: }
1515: X509_REQ_set_subject_name(req, n);
1516: req->req_info->enc.modified = 1;
1517: X509_NAME_free(n);
1518: }
1519: if (default_op)
1520: BIO_printf(bio_err,
1521: "The Subject's Distinguished Name is as follows\n");
1522:
1523: name = X509_REQ_get_subject_name(req);
1524: for (i = 0; i < X509_NAME_entry_count(name); i++) {
1525: ne = X509_NAME_get_entry(name, i);
1526: str = X509_NAME_ENTRY_get_data(ne);
1527: obj = X509_NAME_ENTRY_get_object(ne);
1528:
1529: if (msie_hack) {
1530: /* assume all type should be strings */
1531: nid = OBJ_obj2nid(ne->object);
1532:
1533: if (str->type == V_ASN1_UNIVERSALSTRING)
1534: ASN1_UNIVERSALSTRING_to_string(str);
1535:
1536: if ((str->type == V_ASN1_IA5STRING) &&
1537: (nid != NID_pkcs9_emailAddress))
1538: str->type = V_ASN1_T61STRING;
1539:
1540: if ((nid == NID_pkcs9_emailAddress) &&
1541: (str->type == V_ASN1_PRINTABLESTRING))
1542: str->type = V_ASN1_IA5STRING;
1543: }
1544: /* If no EMAIL is wanted in the subject */
1545: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1546: continue;
1547:
1548: /* check some things */
1549: if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1550: (str->type != V_ASN1_IA5STRING)) {
1551: BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
1552: goto err;
1553: }
1554: if ((str->type != V_ASN1_BMPSTRING) &&
1555: (str->type != V_ASN1_UTF8STRING)) {
1556: j = ASN1_PRINTABLE_type(str->data, str->length);
1557: if (((j == V_ASN1_T61STRING) &&
1558: (str->type != V_ASN1_T61STRING)) ||
1559: ((j == V_ASN1_IA5STRING) &&
1560: (str->type == V_ASN1_PRINTABLESTRING))) {
1561: BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
1562: goto err;
1563: }
1564: }
1565: if (default_op)
1566: old_entry_print(bio_err, obj, str);
1567: }
1568:
1569: /* Ok, now we check the 'policy' stuff. */
1570: if ((subject = X509_NAME_new()) == NULL) {
1571: BIO_printf(bio_err, "Memory allocation failure\n");
1572: goto err;
1573: }
1574: /* take a copy of the issuer name before we mess with it. */
1575: if (selfsign)
1576: CAname = X509_NAME_dup(name);
1577: else
1578: CAname = X509_NAME_dup(x509->cert_info->subject);
1579: if (CAname == NULL)
1580: goto err;
1581: str = str2 = NULL;
1582:
1583: for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1584: cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1585: if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1586: BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name);
1587: goto err;
1588: }
1589: obj = OBJ_nid2obj(j);
1590:
1591: last = -1;
1592: for (;;) {
1593: /* lookup the object in the supplied name list */
1594: j = X509_NAME_get_index_by_OBJ(name, obj, last);
1595: if (j < 0) {
1596: if (last != -1)
1597: break;
1598: tne = NULL;
1599: } else {
1600: tne = X509_NAME_get_entry(name, j);
1601: }
1602: last = j;
1603:
1604: /* depending on the 'policy', decide what to do. */
1605: push = NULL;
1606: if (strcmp(cv->value, "optional") == 0) {
1607: if (tne != NULL)
1608: push = tne;
1609: } else if (strcmp(cv->value, "supplied") == 0) {
1610: if (tne == NULL) {
1611: BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name);
1612: goto err;
1613: } else
1614: push = tne;
1615: } else if (strcmp(cv->value, "match") == 0) {
1616: int last2;
1617:
1618: if (tne == NULL) {
1619: BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name);
1620: goto err;
1621: }
1622: last2 = -1;
1623:
1624: again2:
1625: j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1626: if ((j < 0) && (last2 == -1)) {
1627: BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
1628: goto err;
1629: }
1630: if (j >= 0) {
1631: push = X509_NAME_get_entry(CAname, j);
1632: str = X509_NAME_ENTRY_get_data(tne);
1633: str2 = X509_NAME_ENTRY_get_data(push);
1634: last2 = j;
1635: if (ASN1_STRING_cmp(str, str2) != 0)
1636: goto again2;
1637: }
1638: if (j < 0) {
1639: BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data));
1640: goto err;
1641: }
1642: } else {
1643: BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value);
1644: goto err;
1645: }
1646:
1647: if (push != NULL) {
1648: if (!X509_NAME_add_entry(subject, push,
1649: -1, 0)) {
1650: if (push != NULL)
1651: X509_NAME_ENTRY_free(push);
1652: BIO_printf(bio_err,
1653: "Memory allocation failure\n");
1654: goto err;
1655: }
1656: }
1657: if (j < 0)
1658: break;
1659: }
1660: }
1661:
1662: if (preserve) {
1663: X509_NAME_free(subject);
1664: /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1665: subject = X509_NAME_dup(name);
1666: if (subject == NULL)
1667: goto err;
1668: }
1669: if (verbose)
1670: BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n");
1671:
1.20 mmcc 1672: /* Build the correct Subject if no email is wanted in the subject */
1.1 jsing 1673: /*
1674: * and add it later on because of the method extensions are added
1675: * (altName)
1676: */
1677:
1678: if (email_dn)
1679: dn_subject = subject;
1680: else {
1681: X509_NAME_ENTRY *tmpne;
1682: /*
1683: * Its best to dup the subject DN and then delete any email
1684: * addresses because this retains its structure.
1685: */
1686: if (!(dn_subject = X509_NAME_dup(subject))) {
1687: BIO_printf(bio_err, "Memory allocation failure\n");
1688: goto err;
1689: }
1690: while ((i = X509_NAME_get_index_by_NID(dn_subject,
1691: NID_pkcs9_emailAddress, -1)) >= 0) {
1692: tmpne = X509_NAME_get_entry(dn_subject, i);
1693: X509_NAME_delete_entry(dn_subject, i);
1694: X509_NAME_ENTRY_free(tmpne);
1695: }
1696: }
1697:
1698: if (BN_is_zero(serial))
1699: row[DB_serial] = strdup("00");
1700: else
1701: row[DB_serial] = BN_bn2hex(serial);
1702: if (row[DB_serial] == NULL) {
1703: BIO_printf(bio_err, "Memory allocation failure\n");
1704: goto err;
1705: }
1706: if (db->attributes.unique_subject) {
1707: OPENSSL_STRING *crow = row;
1708:
1709: rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
1710: if (rrow != NULL) {
1711: BIO_printf(bio_err,
1712: "ERROR:There is already a certificate for %s\n",
1713: row[DB_name]);
1714: }
1715: }
1716: if (rrow == NULL) {
1717: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1718: if (rrow != NULL) {
1719: BIO_printf(bio_err,
1720: "ERROR:Serial number %s has already been issued,\n",
1721: row[DB_serial]);
1722: BIO_printf(bio_err, " check the database/serial_file for corruption\n");
1723: }
1724: }
1725: if (rrow != NULL) {
1726: BIO_printf(bio_err,
1727: "The matching entry has the following details\n");
1728: if (rrow[DB_type][0] == 'E')
1729: p = "Expired";
1730: else if (rrow[DB_type][0] == 'R')
1731: p = "Revoked";
1732: else if (rrow[DB_type][0] == 'V')
1733: p = "Valid";
1734: else
1735: p = "\ninvalid type, Data base error\n";
1736: BIO_printf(bio_err, "Type :%s\n", p);
1737: if (rrow[DB_type][0] == 'R') {
1738: p = rrow[DB_exp_date];
1739: if (p == NULL)
1740: p = "undef";
1741: BIO_printf(bio_err, "Was revoked on:%s\n", p);
1742: }
1743: p = rrow[DB_exp_date];
1744: if (p == NULL)
1745: p = "undef";
1746: BIO_printf(bio_err, "Expires on :%s\n", p);
1747: p = rrow[DB_serial];
1748: if (p == NULL)
1749: p = "undef";
1750: BIO_printf(bio_err, "Serial Number :%s\n", p);
1751: p = rrow[DB_file];
1752: if (p == NULL)
1753: p = "undef";
1754: BIO_printf(bio_err, "File name :%s\n", p);
1755: p = rrow[DB_name];
1756: if (p == NULL)
1757: p = "undef";
1758: BIO_printf(bio_err, "Subject Name :%s\n", p);
1759: ok = -1; /* This is now a 'bad' error. */
1760: goto err;
1761: }
1762: /* We are now totally happy, lets make and sign the certificate */
1763: if (verbose)
1764: BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n");
1765:
1766: if ((ret = X509_new()) == NULL)
1767: goto err;
1768: ci = ret->cert_info;
1769:
1770: #ifdef X509_V3
1771: /* Make it an X509 v3 certificate. */
1772: if (!X509_set_version(ret, 2))
1773: goto err;
1774: #endif
1.13 beck 1775: if (ci->serialNumber == NULL)
1776: goto err;
1.8 jsing 1777: if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
1.1 jsing 1778: goto err;
1779: if (selfsign) {
1780: if (!X509_set_issuer_name(ret, subject))
1781: goto err;
1782: } else {
1783: if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1784: goto err;
1785: }
1786:
1787: if (strcmp(startdate, "today") == 0)
1788: X509_gmtime_adj(X509_get_notBefore(ret), 0);
1.24 beck 1789: else if (setCertificateTime(X509_get_notBefore(ret), startdate) == -1) {
1790: BIO_printf(bio_err, "Invalid start date %s\n",
1791: startdate);
1792: goto err;
1793: }
1.1 jsing 1794:
1795: if (enddate == NULL)
1796: X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
1.24 beck 1797: else if (setCertificateTime(X509_get_notAfter(ret), enddate) == -1) {
1798: BIO_printf(bio_err, "Invalid end date %s\n",
1799: enddate);
1800: goto err;
1801: }
1.1 jsing 1802:
1803: if (!X509_set_subject_name(ret, subject))
1804: goto err;
1805:
1806: pktmp = X509_REQ_get_pubkey(req);
1807: i = X509_set_pubkey(ret, pktmp);
1808: EVP_PKEY_free(pktmp);
1809: if (!i)
1810: goto err;
1811:
1812: /* Lets add the extensions, if there are any */
1813: if (ext_sect) {
1814: X509V3_CTX ctx;
1815: if (ci->version == NULL)
1816: if ((ci->version = ASN1_INTEGER_new()) == NULL)
1817: goto err;
1818: ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
1819:
1820: /*
1821: * Free the current entries if any, there should not be any I
1822: * believe
1823: */
1824: if (ci->extensions != NULL)
1825: sk_X509_EXTENSION_pop_free(ci->extensions,
1826: X509_EXTENSION_free);
1827:
1828: ci->extensions = NULL;
1829:
1830: /* Initialize the context structure */
1831: if (selfsign)
1832: X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
1833: else
1834: X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
1835:
1836: if (extconf) {
1837: if (verbose)
1838: BIO_printf(bio_err,
1839: "Extra configuration file found\n");
1840:
1841: /* Use the extconf configuration db LHASH */
1842: X509V3_set_nconf(&ctx, extconf);
1843:
1844: /* Test the structure (needed?) */
1845: /* X509V3_set_ctx_test(&ctx); */
1846:
1847: /* Adds exts contained in the configuration file */
1848: if (!X509V3_EXT_add_nconf(extconf, &ctx,
1849: ext_sect, ret)) {
1850: BIO_printf(bio_err,
1851: "ERROR: adding extensions in section %s\n",
1852: ext_sect);
1853: ERR_print_errors(bio_err);
1854: goto err;
1855: }
1856: if (verbose)
1857: BIO_printf(bio_err, "Successfully added extensions from file.\n");
1858: } else if (ext_sect) {
1859: /* We found extensions to be set from config file */
1860: X509V3_set_nconf(&ctx, lconf);
1861:
1862: if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
1863: BIO_printf(bio_err,
1864: "ERROR: adding extensions in section %s\n",
1865: ext_sect);
1866: ERR_print_errors(bio_err);
1867: goto err;
1868: }
1869: if (verbose)
1870: BIO_printf(bio_err, "Successfully added extensions from config\n");
1871: }
1872: }
1873: /* Copy extensions from request (if any) */
1874:
1875: if (!copy_extensions(ret, req, ext_copy)) {
1876: BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1877: ERR_print_errors(bio_err);
1878: goto err;
1879: }
1880: /* Set the right value for the noemailDN option */
1881: if (email_dn == 0) {
1882: if (!X509_set_subject_name(ret, dn_subject))
1883: goto err;
1884: }
1885: if (!default_op) {
1886: BIO_printf(bio_err, "Certificate Details:\n");
1887: /*
1888: * Never print signature details because signature not
1889: * present
1890: */
1891: certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
1892: X509_print_ex(bio_err, ret, nameopt, certopt);
1893: }
1894: BIO_printf(bio_err, "Certificate is to be certified until ");
1895: ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
1896: if (days)
1897: BIO_printf(bio_err, " (%ld days)", days);
1898: BIO_printf(bio_err, "\n");
1899:
1900: if (!batch) {
1.21 deraadt 1901: char answer[25];
1.1 jsing 1902:
1903: BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1904: (void) BIO_flush(bio_err);
1.21 deraadt 1905: if (!fgets(answer, sizeof(answer) - 1, stdin)) {
1.1 jsing 1906: BIO_printf(bio_err,
1907: "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1908: ok = 0;
1909: goto err;
1910: }
1.21 deraadt 1911: if (!((answer[0] == 'y') || (answer[0] == 'Y'))) {
1.1 jsing 1912: BIO_printf(bio_err,
1913: "CERTIFICATE WILL NOT BE CERTIFIED\n");
1914: ok = 0;
1915: goto err;
1916: }
1917: }
1918: pktmp = X509_get_pubkey(ret);
1919: if (EVP_PKEY_missing_parameters(pktmp) &&
1920: !EVP_PKEY_missing_parameters(pkey))
1921: EVP_PKEY_copy_parameters(pktmp, pkey);
1922: EVP_PKEY_free(pktmp);
1923:
1924: if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
1925: goto err;
1926:
1927: /* We now just add it to the database */
1928: row[DB_type] = malloc(2);
1929:
1930: tm = X509_get_notAfter(ret);
1931: row[DB_exp_date] = malloc(tm->length + 1);
1.16 bcook 1932: if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
1.13 beck 1933: BIO_printf(bio_err, "Memory allocation failure\n");
1934: goto err;
1935: }
1936:
1.1 jsing 1937: memcpy(row[DB_exp_date], tm->data, tm->length);
1938: row[DB_exp_date][tm->length] = '\0';
1939:
1940: row[DB_rev_date] = NULL;
1941:
1942: /* row[DB_serial] done already */
1943: row[DB_file] = malloc(8);
1944: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
1945:
1.13 beck 1946: if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
1947: (row[DB_name] == NULL)) {
1.1 jsing 1948: BIO_printf(bio_err, "Memory allocation failure\n");
1949: goto err;
1950: }
1951: (void) strlcpy(row[DB_file], "unknown", 8);
1952: row[DB_type][0] = 'V';
1953: row[DB_type][1] = '\0';
1954:
1955: if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
1956: NULL) {
1957: BIO_printf(bio_err, "Memory allocation failure\n");
1958: goto err;
1959: }
1960: for (i = 0; i < DB_NUMBER; i++) {
1961: irow[i] = row[i];
1962: row[i] = NULL;
1963: }
1964: irow[DB_NUMBER] = NULL;
1965:
1966: if (!TXT_DB_insert(db->db, irow)) {
1967: BIO_printf(bio_err, "failed to update database\n");
1968: BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1969: goto err;
1970: }
1971: ok = 1;
1972: err:
1973: for (i = 0; i < DB_NUMBER; i++)
1974: free(row[i]);
1975:
1976: if (CAname != NULL)
1977: X509_NAME_free(CAname);
1978: if (subject != NULL)
1979: X509_NAME_free(subject);
1980: if ((dn_subject != NULL) && !email_dn)
1981: X509_NAME_free(dn_subject);
1982: if (tmptm != NULL)
1983: ASN1_UTCTIME_free(tmptm);
1984: if (ok <= 0) {
1985: if (ret != NULL)
1986: X509_free(ret);
1987: ret = NULL;
1988: } else
1989: *xret = ret;
1990: return (ok);
1991: }
1992:
1993: static void
1994: write_new_certificate(BIO * bp, X509 * x, int output_der, int notext)
1995: {
1996: if (output_der) {
1997: (void) i2d_X509_bio(bp, x);
1998: return;
1999: }
2000: if (!notext)
2001: X509_print(bp, x);
2002: PEM_write_bio_X509(bp, x);
2003: }
2004:
2005: static int
2006: certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2007: const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
2008: STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
2009: unsigned long chtype, int multirdn, int email_dn, char *startdate,
2010: char *enddate, long days, char *ext_sect, CONF * lconf, int verbose,
2011: unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2012: {
2013: STACK_OF(CONF_VALUE) * sk = NULL;
2014: LHASH_OF(CONF_VALUE) * parms = NULL;
2015: X509_REQ *req = NULL;
2016: CONF_VALUE *cv = NULL;
2017: NETSCAPE_SPKI *spki = NULL;
2018: X509_REQ_INFO *ri;
2019: char *type, *buf;
2020: EVP_PKEY *pktmp = NULL;
2021: X509_NAME *n = NULL;
2022: int ok = -1, i, j;
2023: long errline;
2024: int nid;
2025:
2026: /*
2027: * Load input file into a hash table. (This is just an easy
2028: * way to read and parse the file, then put it into a convenient
2029: * STACK format).
2030: */
2031: parms = CONF_load(NULL, infile, &errline);
2032: if (parms == NULL) {
2033: BIO_printf(bio_err, "error on line %ld of %s\n",
2034: errline, infile);
2035: ERR_print_errors(bio_err);
2036: goto err;
2037: }
2038: sk = CONF_get_section(parms, "default");
2039: if (sk_CONF_VALUE_num(sk) == 0) {
2040: BIO_printf(bio_err, "no name/value pairs found in %s\n",
2041: infile);
2042: CONF_free(parms);
2043: goto err;
2044: }
2045: /*
2046: * Now create a dummy X509 request structure. We don't actually
2047: * have an X509 request, but we have many of the components
2048: * (a public key, various DN components). The idea is that we
2049: * put these components into the right X509 request structure
2050: * and we can use the same code as if you had a real X509 request.
2051: */
2052: req = X509_REQ_new();
2053: if (req == NULL) {
2054: ERR_print_errors(bio_err);
2055: goto err;
2056: }
2057: /*
2058: * Build up the subject name set.
2059: */
2060: ri = req->req_info;
2061: n = ri->subject;
2062:
2063: for (i = 0;; i++) {
2064: if (sk_CONF_VALUE_num(sk) <= i)
2065: break;
2066:
2067: cv = sk_CONF_VALUE_value(sk, i);
2068: type = cv->name;
2069: /*
2070: * Skip past any leading X. X: X, etc to allow for multiple
2071: * instances
2072: */
2073: for (buf = cv->name; *buf; buf++) {
2074: if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2075: buf++;
2076: if (*buf)
2077: type = buf;
2078: break;
2079: }
2080: }
2081:
2082: buf = cv->value;
2083: if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2084: if (strcmp(type, "SPKAC") == 0) {
2085: spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2086: if (spki == NULL) {
2087: BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n");
2088: ERR_print_errors(bio_err);
2089: goto err;
2090: }
2091: }
2092: continue;
2093: }
2094: if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2095: (unsigned char *)buf, -1, -1, 0))
2096: goto err;
2097: }
2098: if (spki == NULL) {
2099: BIO_printf(bio_err,
2100: "Netscape SPKAC structure not found in %s\n", infile);
2101: goto err;
2102: }
2103: /*
2104: * Now extract the key from the SPKI structure.
2105: */
2106:
2107: BIO_printf(bio_err,
2108: "Check that the SPKAC request matches the signature\n");
2109:
2110: if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2111: BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2112: goto err;
2113: }
2114: j = NETSCAPE_SPKI_verify(spki, pktmp);
2115: if (j <= 0) {
2116: BIO_printf(bio_err,
2117: "signature verification failed on SPKAC public key\n");
2118: goto err;
2119: }
2120: BIO_printf(bio_err, "Signature ok\n");
2121:
2122: X509_REQ_set_pubkey(req, pktmp);
2123: EVP_PKEY_free(pktmp);
2124: ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2125: subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2126: verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2127: ext_copy, 0);
2128:
2129: err:
2130: if (req != NULL)
2131: X509_REQ_free(req);
2132: if (parms != NULL)
2133: CONF_free(parms);
2134: if (spki != NULL)
2135: NETSCAPE_SPKI_free(spki);
2136:
2137: return (ok);
2138: }
2139:
2140: static int
2141: check_time_format(const char *str)
2142: {
2143: return ASN1_TIME_set_string(NULL, str);
2144: }
2145:
2146: static int
2147: do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2148: {
2149: ASN1_UTCTIME *tm = NULL;
2150: char *row[DB_NUMBER], **rrow, **irow;
2151: char *rev_str = NULL;
2152: BIGNUM *bn = NULL;
2153: int ok = -1, i;
2154:
2155: for (i = 0; i < DB_NUMBER; i++)
2156: row[i] = NULL;
2157: row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2158: bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2159: if (!bn)
2160: goto err;
2161: if (BN_is_zero(bn))
2162: row[DB_serial] = strdup("00");
2163: else
2164: row[DB_serial] = BN_bn2hex(bn);
2165: BN_free(bn);
2166: if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2167: BIO_printf(bio_err, "Memory allocation failure\n");
2168: goto err;
2169: }
2170: /*
2171: * We have to lookup by serial number because name lookup skips
2172: * revoked certs
2173: */
2174: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2175: if (rrow == NULL) {
2176: BIO_printf(bio_err,
2177: "Adding Entry with serial number %s to DB for %s\n",
2178: row[DB_serial], row[DB_name]);
2179:
2180: /* We now just add it to the database */
2181: row[DB_type] = malloc(2);
2182:
2183: tm = X509_get_notAfter(x509);
2184: row[DB_exp_date] = malloc(tm->length + 1);
1.16 bcook 2185: if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
1.13 beck 2186: BIO_printf(bio_err, "Memory allocation failure\n");
2187: goto err;
2188: }
1.1 jsing 2189: memcpy(row[DB_exp_date], tm->data, tm->length);
2190: row[DB_exp_date][tm->length] = '\0';
2191:
2192: row[DB_rev_date] = NULL;
2193:
2194: /* row[DB_serial] done already */
2195: row[DB_file] = malloc(8);
2196:
2197: /* row[DB_name] done already */
2198:
1.13 beck 2199: if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
1.1 jsing 2200: BIO_printf(bio_err, "Memory allocation failure\n");
2201: goto err;
2202: }
2203: (void) strlcpy(row[DB_file], "unknown", 8);
2204: row[DB_type][0] = 'V';
2205: row[DB_type][1] = '\0';
2206:
2207: if ((irow = reallocarray(NULL, sizeof(char *),
2208: (DB_NUMBER + 1))) == NULL) {
2209: BIO_printf(bio_err, "Memory allocation failure\n");
2210: goto err;
2211: }
2212: for (i = 0; i < DB_NUMBER; i++) {
2213: irow[i] = row[i];
2214: row[i] = NULL;
2215: }
2216: irow[DB_NUMBER] = NULL;
2217:
2218: if (!TXT_DB_insert(db->db, irow)) {
2219: BIO_printf(bio_err, "failed to update database\n");
2220: BIO_printf(bio_err, "TXT_DB error number %ld\n",
2221: db->db->error);
2222: goto err;
2223: }
2224: /* Revoke Certificate */
2225: ok = do_revoke(x509, db, type, value);
2226:
2227: goto err;
2228:
2229: } else if (index_name_cmp_noconst(row, rrow)) {
2230: BIO_printf(bio_err, "ERROR:name does not match %s\n",
2231: row[DB_name]);
2232: goto err;
2233: } else if (rrow[DB_type][0] == 'R') {
2234: BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2235: row[DB_serial]);
2236: goto err;
2237: } else {
2238: BIO_printf(bio_err, "Revoking Certificate %s.\n",
2239: rrow[DB_serial]);
2240: rev_str = make_revocation_str(type, value);
2241: if (!rev_str) {
2242: BIO_printf(bio_err, "Error in revocation arguments\n");
2243: goto err;
2244: }
2245: rrow[DB_type][0] = 'R';
2246: rrow[DB_type][1] = '\0';
2247: rrow[DB_rev_date] = rev_str;
2248: }
2249: ok = 1;
2250:
2251: err:
2252: for (i = 0; i < DB_NUMBER; i++)
2253: free(row[i]);
2254:
2255: return (ok);
2256: }
2257:
2258: static int
2259: get_certificate_status(const char *serial, CA_DB * db)
2260: {
2261: char *row[DB_NUMBER], **rrow;
2262: int ok = -1, i;
2263:
2264: /* Free Resources */
2265: for (i = 0; i < DB_NUMBER; i++)
2266: row[i] = NULL;
2267:
2268: /* Malloc needed char spaces */
2269: row[DB_serial] = malloc(strlen(serial) + 2);
2270: if (row[DB_serial] == NULL) {
2271: BIO_printf(bio_err, "Malloc failure\n");
2272: goto err;
2273: }
2274: if (strlen(serial) % 2) {
2275: /* Set the first char to 0 */ ;
2276: row[DB_serial][0] = '0';
2277:
2278: /* Copy String from serial to row[DB_serial] */
2279: memcpy(row[DB_serial] + 1, serial, strlen(serial));
2280: row[DB_serial][strlen(serial) + 1] = '\0';
2281: } else {
2282: /* Copy String from serial to row[DB_serial] */
2283: memcpy(row[DB_serial], serial, strlen(serial));
2284: row[DB_serial][strlen(serial)] = '\0';
2285: }
2286:
2287: /* Make it Upper Case */
2288: for (i = 0; row[DB_serial][i] != '\0'; i++)
2289: row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2290:
2291:
2292: ok = 1;
2293:
2294: /* Search for the certificate */
2295: rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2296: if (rrow == NULL) {
2297: BIO_printf(bio_err, "Serial %s not present in db.\n",
2298: row[DB_serial]);
2299: ok = -1;
2300: goto err;
2301: } else if (rrow[DB_type][0] == 'V') {
2302: BIO_printf(bio_err, "%s=Valid (%c)\n",
2303: row[DB_serial], rrow[DB_type][0]);
2304: goto err;
2305: } else if (rrow[DB_type][0] == 'R') {
2306: BIO_printf(bio_err, "%s=Revoked (%c)\n",
2307: row[DB_serial], rrow[DB_type][0]);
2308: goto err;
2309: } else if (rrow[DB_type][0] == 'E') {
2310: BIO_printf(bio_err, "%s=Expired (%c)\n",
2311: row[DB_serial], rrow[DB_type][0]);
2312: goto err;
2313: } else if (rrow[DB_type][0] == 'S') {
2314: BIO_printf(bio_err, "%s=Suspended (%c)\n",
2315: row[DB_serial], rrow[DB_type][0]);
2316: goto err;
2317: } else {
2318: BIO_printf(bio_err, "%s=Unknown (%c).\n",
2319: row[DB_serial], rrow[DB_type][0]);
2320: ok = -1;
2321: }
2322:
2323: err:
2324: for (i = 0; i < DB_NUMBER; i++)
2325: free(row[i]);
2326:
2327: return (ok);
2328: }
2329:
2330: static int
2331: do_updatedb(CA_DB * db)
2332: {
2333: ASN1_UTCTIME *a_tm = NULL;
2334: int i, cnt = 0;
2335: int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2336: char **rrow, *a_tm_s;
2337:
2338: a_tm = ASN1_UTCTIME_new();
2339:
2340: /* get actual time and make a string */
2341: a_tm = X509_gmtime_adj(a_tm, 0);
2342: a_tm_s = malloc(a_tm->length + 1);
2343: if (a_tm_s == NULL) {
2344: cnt = -1;
2345: goto err;
2346: }
2347: memcpy(a_tm_s, a_tm->data, a_tm->length);
2348: a_tm_s[a_tm->length] = '\0';
2349:
2350: if (strncmp(a_tm_s, "49", 2) <= 0)
2351: a_y2k = 1;
2352: else
2353: a_y2k = 0;
2354:
2355: for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2356: rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2357:
2358: if (rrow[DB_type][0] == 'V') {
2359: /* ignore entries that are not valid */
2360: if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2361: db_y2k = 1;
2362: else
2363: db_y2k = 0;
2364:
2365: if (db_y2k == a_y2k) {
2366: /* all on the same y2k side */
2367: if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2368: rrow[DB_type][0] = 'E';
2369: rrow[DB_type][1] = '\0';
2370: cnt++;
2371:
2372: BIO_printf(bio_err, "%s=Expired\n",
2373: rrow[DB_serial]);
2374: }
2375: } else if (db_y2k < a_y2k) {
2376: rrow[DB_type][0] = 'E';
2377: rrow[DB_type][1] = '\0';
2378: cnt++;
2379:
2380: BIO_printf(bio_err, "%s=Expired\n",
2381: rrow[DB_serial]);
2382: }
2383: }
2384: }
2385:
2386: err:
2387: ASN1_UTCTIME_free(a_tm);
2388: free(a_tm_s);
2389:
2390: return (cnt);
2391: }
2392:
2393: static const char *crl_reasons[] = {
2394: /* CRL reason strings */
2395: "unspecified",
2396: "keyCompromise",
2397: "CACompromise",
2398: "affiliationChanged",
2399: "superseded",
2400: "cessationOfOperation",
2401: "certificateHold",
2402: "removeFromCRL",
2403: /* Additional pseudo reasons */
2404: "holdInstruction",
2405: "keyTime",
2406: "CAkeyTime"
2407: };
2408:
2409: #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2410:
2411: /* Given revocation information convert to a DB string.
2412: * The format of the string is:
2413: * revtime[,reason,extra]. Where 'revtime' is the
2414: * revocation time (the current time). 'reason' is the
2415: * optional CRL reason and 'extra' is any additional
2416: * argument
2417: */
2418:
2419: char *
2420: make_revocation_str(int rev_type, char *rev_arg)
2421: {
2422: char *other = NULL, *str;
2423: const char *reason = NULL;
2424: ASN1_OBJECT *otmp;
2425: ASN1_UTCTIME *revtm = NULL;
2426: int i;
2427: switch (rev_type) {
2428: case REV_NONE:
2429: break;
2430:
2431: case REV_CRL_REASON:
2432: for (i = 0; i < 8; i++) {
2433: if (!strcasecmp(rev_arg, crl_reasons[i])) {
2434: reason = crl_reasons[i];
2435: break;
2436: }
2437: }
2438: if (reason == NULL) {
2439: BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2440: return NULL;
2441: }
2442: break;
2443:
2444: case REV_HOLD:
2445: /* Argument is an OID */
2446:
2447: otmp = OBJ_txt2obj(rev_arg, 0);
2448: ASN1_OBJECT_free(otmp);
2449:
2450: if (otmp == NULL) {
2451: BIO_printf(bio_err,
2452: "Invalid object identifier %s\n", rev_arg);
2453: return NULL;
2454: }
2455: reason = "holdInstruction";
2456: other = rev_arg;
2457: break;
2458:
2459: case REV_KEY_COMPROMISE:
2460: case REV_CA_COMPROMISE:
2461:
2462: /* Argument is the key compromise time */
2463: if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2464: BIO_printf(bio_err,
2465: "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2466: rev_arg);
2467: return NULL;
2468: }
2469: other = rev_arg;
2470: if (rev_type == REV_KEY_COMPROMISE)
2471: reason = "keyTime";
2472: else
2473: reason = "CAkeyTime";
2474:
2475: break;
2476:
2477: }
2478:
2479: revtm = X509_gmtime_adj(NULL, 0);
2480: if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2481: reason ? "," : "", reason ? reason : "",
2482: other ? "," : "", other ? other : "") == -1)
2483: str = NULL;
2484: ASN1_UTCTIME_free(revtm);
2485: return str;
2486: }
2487:
2488: /* Convert revocation field to X509_REVOKED entry
2489: * return code:
2490: * 0 error
2491: * 1 OK
2492: * 2 OK and some extensions added (i.e. V2 CRL)
2493: */
2494:
2495: int
2496: make_revoked(X509_REVOKED * rev, const char *str)
2497: {
2498: char *tmp = NULL;
2499: int reason_code = -1;
2500: int i, ret = 0;
2501: ASN1_OBJECT *hold = NULL;
2502: ASN1_GENERALIZEDTIME *comp_time = NULL;
2503: ASN1_ENUMERATED *rtmp = NULL;
2504:
2505: ASN1_TIME *revDate = NULL;
2506:
2507: i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2508:
2509: if (i == 0)
2510: goto err;
2511:
2512: if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2513: goto err;
2514:
2515: if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2516: rtmp = ASN1_ENUMERATED_new();
2517: if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
2518: goto err;
2519: if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2520: goto err;
2521: }
2522: if (rev && comp_time) {
2523: if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2524: comp_time, 0, 0))
2525: goto err;
2526: }
2527: if (rev && hold) {
2528: if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2529: hold, 0, 0))
2530: goto err;
2531: }
2532: if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2533: ret = 2;
2534: else
2535: ret = 1;
2536:
2537: err:
2538: free(tmp);
2539:
2540: ASN1_OBJECT_free(hold);
2541: ASN1_GENERALIZEDTIME_free(comp_time);
2542: ASN1_ENUMERATED_free(rtmp);
2543: ASN1_TIME_free(revDate);
2544:
2545: return ret;
2546: }
2547:
2548: int
2549: old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
2550: {
2551: char buf[25], *pbuf, *p;
2552: int j;
2553:
2554: j = i2a_ASN1_OBJECT(bp, obj);
2555: pbuf = buf;
2556: for (j = 22 - j; j > 0; j--)
2557: *(pbuf++) = ' ';
2558: *(pbuf++) = ':';
2559: *(pbuf++) = '\0';
2560: BIO_puts(bp, buf);
2561:
2562: if (str->type == V_ASN1_PRINTABLESTRING)
2563: BIO_printf(bp, "PRINTABLE:'");
2564: else if (str->type == V_ASN1_T61STRING)
2565: BIO_printf(bp, "T61STRING:'");
2566: else if (str->type == V_ASN1_IA5STRING)
2567: BIO_printf(bp, "IA5STRING:'");
2568: else if (str->type == V_ASN1_UNIVERSALSTRING)
2569: BIO_printf(bp, "UNIVERSALSTRING:'");
2570: else
2571: BIO_printf(bp, "ASN.1 %2d:'", str->type);
2572:
2573: p = (char *) str->data;
2574: for (j = str->length; j > 0; j--) {
2575: if ((*p >= ' ') && (*p <= '~'))
2576: BIO_printf(bp, "%c", *p);
2577: else if (*p & 0x80)
2578: BIO_printf(bp, "\\0x%02X", *p);
2579: else if ((unsigned char) *p == 0xf7)
2580: BIO_printf(bp, "^?");
2581: else
2582: BIO_printf(bp, "^%c", *p + '@');
2583: p++;
2584: }
2585: BIO_printf(bp, "'\n");
2586: return 1;
2587: }
2588:
2589: int
2590: unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2591: ASN1_GENERALIZEDTIME ** pinvtm, const char *str)
2592: {
2593: char *tmp = NULL;
2594: char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2595: int reason_code = -1;
2596: int ret = 0;
2597: unsigned int i;
2598: ASN1_OBJECT *hold = NULL;
2599: ASN1_GENERALIZEDTIME *comp_time = NULL;
2600:
2601: if ((tmp = strdup(str)) == NULL) {
2602: BIO_printf(bio_err, "malloc failed\n");
2603: goto err;
2604: }
2605: p = strchr(tmp, ',');
2606: rtime_str = tmp;
2607:
2608: if (p) {
2609: *p = '\0';
2610: p++;
2611: reason_str = p;
2612: p = strchr(p, ',');
2613: if (p) {
2614: *p = '\0';
2615: arg_str = p + 1;
2616: }
2617: }
2618: if (prevtm) {
2619: *prevtm = ASN1_UTCTIME_new();
2620: if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2621: BIO_printf(bio_err, "invalid revocation date %s\n",
2622: rtime_str);
2623: goto err;
2624: }
2625: }
2626: if (reason_str) {
2627: for (i = 0; i < NUM_REASONS; i++) {
2628: if (!strcasecmp(reason_str, crl_reasons[i])) {
2629: reason_code = i;
2630: break;
2631: }
2632: }
2633: if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2634: BIO_printf(bio_err, "invalid reason code %s\n",
2635: reason_str);
2636: goto err;
2637: }
2638: if (reason_code == 7)
2639: reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2640: else if (reason_code == 8) { /* Hold instruction */
2641: if (!arg_str) {
2642: BIO_printf(bio_err,
2643: "missing hold instruction\n");
2644: goto err;
2645: }
2646: reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2647: hold = OBJ_txt2obj(arg_str, 0);
2648:
2649: if (!hold) {
2650: BIO_printf(bio_err,
2651: "invalid object identifier %s\n", arg_str);
2652: goto err;
2653: }
2654: if (phold)
2655: *phold = hold;
2656: } else if ((reason_code == 9) || (reason_code == 10)) {
2657: if (!arg_str) {
2658: BIO_printf(bio_err,
2659: "missing compromised time\n");
2660: goto err;
2661: }
2662: comp_time = ASN1_GENERALIZEDTIME_new();
2663: if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2664: arg_str)) {
2665: BIO_printf(bio_err,
2666: "invalid compromised time %s\n", arg_str);
2667: goto err;
2668: }
2669: if (reason_code == 9)
2670: reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2671: else
2672: reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2673: }
2674: }
2675: if (preason)
2676: *preason = reason_code;
2677: if (pinvtm)
2678: *pinvtm = comp_time;
2679: else
2680: ASN1_GENERALIZEDTIME_free(comp_time);
2681:
2682: ret = 1;
2683:
2684: err:
2685: free(tmp);
2686:
2687: if (!phold)
2688: ASN1_OBJECT_free(hold);
2689: if (!pinvtm)
2690: ASN1_GENERALIZEDTIME_free(comp_time);
2691:
2692: return ret;
2693: }
2694:
2695: static char *
2696: bin2hex(unsigned char * data, size_t len)
2697: {
2698: char *ret = NULL;
2699: char hex[] = "0123456789ABCDEF";
2700: int i;
2701:
2702: if ((ret = malloc(len * 2 + 1))) {
2703: for (i = 0; i < len; i++) {
2704: ret[i * 2 + 0] = hex[data[i] >> 4];
2705: ret[i * 2 + 1] = hex[data[i] & 0x0F];
2706: }
2707: ret[len * 2] = '\0';
2708: }
2709: return ret;
2710: }