src/usr.bin/openssl/x509.c - diff

Return to x509.c CVS log

Up to [local] / src / usr.bin / openssl

Diff for /src/usr.bin/openssl/x509.c between version 1.19 and 1.20

version 1.19, 2021/03/24 12:09:16

version 1.20, 2021/03/26 13:46:25

Line 57

#include <assert.h>

#include <limits.h>

#include <stdio.h>

#include <stdlib.h>

#include <limits.h>

#include <string.h>

#include "apps.h"

Line 67

#include <openssl/asn1.h>

#include <openssl/bio.h>

#include <openssl/bn.h>

#include <openssl/dsa.h>

#include <openssl/err.h>

#include <openssl/evp.h>

#include <openssl/objects.h>

#include <openssl/pem.h>

#include <openssl/rsa.h>

#include <openssl/x509.h>

#include <openssl/x509v3.h>

#include <openssl/dsa.h>

#include <openssl/rsa.h>

#define POSTFIX ".srl"

#define DEF_DAYS 30

Line 776

Line 774

ERR_print_errors(bio_err);

goto end;

}

if ((x509_config.CAkeyfile == NULL) && (x509_config.CA_flag) && (x509_config.CAformat == FORMAT_PEM)) {

if ((x509_config.CAkeyfile == NULL) && (x509_config.CA_flag) &&

(x509_config.CAformat == FORMAT_PEM)) {

x509_config.CAkeyfile = x509_config.CAfile;

} else if ((x509_config.CA_flag) && (x509_config.CAkeyfile == NULL)) {

BIO_printf(bio_err,

Line 799

Line 798

goto end;

}

if (!x509_config.extsect) {

x509_config.extsect = NCONF_get_string(extconf, "default",

x509_config.extsect = NCONF_get_string(extconf,

"extensions");

"default", "extensions");

if (!x509_config.extsect) {

ERR_clear_error();

x509_config.extsect = "default";

Line 808

Line 807

}

X509V3_set_ctx_test(&ctx2);

X509V3_set_nconf(&ctx2, extconf);

if (!X509V3_EXT_add_nconf(extconf, &ctx2, x509_config.extsect, NULL)) {

if (!X509V3_EXT_add_nconf(extconf, &ctx2, x509_config.extsect,

NULL)) {

BIO_printf(bio_err,

"Error Loading extension section %s\n",

x509_config.extsect);

Line 821

BIO *in;

if (!x509_config.sign_flag && !x509_config.CA_flag) {

BIO_printf(bio_err, "We need a private key to sign with\n");

BIO_printf(bio_err,

"We need a private key to sign with\n");

goto end;

}

in = BIO_new(BIO_s_file());

Line 849

Line 850

(req->req_info->pubkey == NULL) ||

(req->req_info->pubkey->public_key == NULL) ||

(req->req_info->pubkey->public_key->data == NULL)) {

BIO_printf(bio_err, "The certificate request appears to corrupted\n");

BIO_printf(bio_err,

BIO_printf(bio_err, "It does not contain a public key\n");

"The certificate request appears to corrupted\n");

BIO_printf(bio_err,

"It does not contain a public key\n");

goto end;

}

if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {

Line 865

Line 868

goto end;

}

if (i == 0) {

BIO_printf(bio_err, "Signature did not match the certificate request\n");

BIO_printf(bio_err,

"Signature did not match the certificate request\n");

goto end;

} else

BIO_printf(bio_err, "Signature ok\n");

print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), x509_config.nmflag);

print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),

x509_config.nmflag);

if ((x = X509_new()) == NULL)

goto end;

if (x509_config.sno == NULL) {

x509_config.sno = ASN1_INTEGER_new();

if (!x509_config.sno || !rand_serial(NULL, x509_config.sno))

if (!x509_config.sno ||

!rand_serial(NULL, x509_config.sno))

goto end;

if (!X509_set_serialNumber(x, x509_config.sno))

goto end;

Line 892

Line 898

goto end;

X509_gmtime_adj(X509_get_notBefore(x), 0);

X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0, NULL);

X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0,

NULL);

pkey = X509_REQ_get_pubkey(req);

X509_set_pubkey(x, pkey);

EVP_PKEY_free(pkey);

} else

x = load_cert(bio_err, x509_config.infile, x509_config.informat, NULL, "Certificate");

x = load_cert(bio_err, x509_config.infile, x509_config.informat,

NULL, "Certificate");

if (x == NULL)

goto end;

if (x509_config.CA_flag) {

xca = load_cert(bio_err, x509_config.CAfile, x509_config.CAformat, NULL, "CA Certificate");

xca = load_cert(bio_err, x509_config.CAfile,

x509_config.CAformat, NULL, "CA Certificate");

if (xca == NULL)

goto end;

}

if (!x509_config.noout || x509_config.text || x509_config.next_serial) {

OBJ_create("2.99999.3",

OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");

"SET.ex3", "SET x509v3 extension 3");

out = BIO_new(BIO_s_file());

if (out == NULL) {

Line 935

Line 943

if (x509_config.trust) {

for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {

x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.trust, i);

x509_config.objtmp = sk_ASN1_OBJECT_value(

x509_config.trust, i);

X509_add1_trust_object(x, x509_config.objtmp);

}

if (x509_config.reject) {

for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {

x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.reject, i);

x509_config.objtmp = sk_ASN1_OBJECT_value(

x509_config.reject, i);

X509_add1_reject_object(x, x509_config.objtmp);

}

Line 949

Line 959

for (i = 1; i <= x509_config.num; i++) {

if (x509_config.issuer == i) {

print_name(STDout, "issuer= ",

X509_get_issuer_name(x), x509_config.nmflag);

X509_get_issuer_name(x),

x509_config.nmflag);

} else if (x509_config.subject == i) {

print_name(STDout, "subject= ",

X509_get_subject_name(x), x509_config.nmflag);

X509_get_subject_name(x),

x509_config.nmflag);

} else if (x509_config.serial == i) {

BIO_printf(STDout, "serial=");

i2a_ASN1_INTEGER(STDout,

Line 974

Line 986

i2a_ASN1_INTEGER(out, ser);

ASN1_INTEGER_free(ser);

BIO_puts(out, "\n");

} else if ((x509_config.email == i) || (x509_config.ocsp_uri == i)) {

} else if ((x509_config.email == i) ||

(x509_config.ocsp_uri == i)) {

int j;

STACK_OF(OPENSSL_STRING) *emlst;

if (x509_config.email == i)

Line 993

Line 1006

else

BIO_puts(STDout, "<No Alias>\n");

} else if (x509_config.subject_hash == i) {

BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x));

BIO_printf(STDout, "%08lx\n",

X509_subject_name_hash(x));

}

#ifndef OPENSSL_NO_MD5

else if (x509_config.subject_hash_old == i) {

BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x));

BIO_printf(STDout, "%08lx\n",

X509_subject_name_hash_old(x));

}

#endif

else if (x509_config.issuer_hash == i) {

BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x));

BIO_printf(STDout, "%08lx\n",

X509_issuer_name_hash(x));

}

#ifndef OPENSSL_NO_MD5

else if (x509_config.issuer_hash_old == i) {

BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x));

BIO_printf(STDout, "%08lx\n",

X509_issuer_name_hash_old(x));

}

#endif

else if (x509_config.pprint == i) {

Line 1021

Line 1038

pkey = X509_get_pubkey(x);

if (pkey == NULL) {

BIO_printf(bio_err, "Modulus=unavailable\n");

BIO_printf(bio_err,

"Modulus=unavailable\n");

ERR_print_errors(bio_err);

goto end;

}

BIO_printf(STDout, "Modulus=");

if (pkey->type == EVP_PKEY_RSA)

BN_print(STDout, pkey->pkey.rsa->n);

else if (pkey->type == EVP_PKEY_DSA)

BN_print(STDout,

pkey->pkey.dsa->pub_key);

else

if (pkey->type == EVP_PKEY_DSA)

BIO_printf(STDout,

BN_print(STDout, pkey->pkey.dsa->pub_key);

"Wrong Algorithm type");

else

BIO_printf(STDout, "Wrong Algorithm type");

BIO_printf(STDout, "\n");

EVP_PKEY_free(pkey);

} else if (x509_config.pubkey == i) {

Line 1040

Line 1059

pkey = X509_get_pubkey(x);

if (pkey == NULL) {

BIO_printf(bio_err, "Error getting public key\n");

BIO_printf(bio_err,

"Error getting public key\n");

ERR_print_errors(bio_err);

goto end;

}

Line 1054

Line 1074

X509_NAME_oneline(X509_get_subject_name(x),

buf, sizeof buf);

BIO_printf(STDout, "/* subject:%s */\n", buf);

m = X509_NAME_oneline(

m = X509_NAME_oneline(X509_get_issuer_name(x),

X509_get_issuer_name(x), buf,

buf, sizeof buf);

sizeof buf);

BIO_printf(STDout, "/* issuer :%s */\n", buf);

z = i2d_X509(x, NULL);

Line 1068

Line 1087

d = (unsigned char *) m;

z = i2d_X509_NAME(X509_get_subject_name(x), &d);

BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n", z);

BIO_printf(STDout,

"unsigned char XXX_subject_name[%d]={\n", z);

d = (unsigned char *) m;

for (y = 0; y < z; y++) {

BIO_printf(STDout, "0x%02X,", d[y]);

Line 1080

Line 1100

BIO_printf(STDout, "};\n");

z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);

BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z);

BIO_printf(STDout,

"unsigned char XXX_public_key[%d]={\n", z);

d = (unsigned char *) m;

for (y = 0; y < z; y++) {

BIO_printf(STDout, "0x%02X,", d[y]);

Line 1092

Line 1113

BIO_printf(STDout, "};\n");

z = i2d_X509(x, &d);

BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n", z);

BIO_printf(STDout,

"unsigned char XXX_certificate[%d]={\n", z);

d = (unsigned char *) m;

for (y = 0; y < z; y++) {

BIO_printf(STDout, "0x%02X,", d[y]);

Line 1105

Line 1127

free(m);

} else if (x509_config.text == i) {

X509_print_ex(STDout, x, x509_config.nmflag, x509_config.certflag);

X509_print_ex(STDout, x, x509_config.nmflag,

x509_config.certflag);

} else if (x509_config.startdate == i) {

ASN1_TIME *nB = X509_get_notBefore(x);

BIO_puts(STDout, "notBefore=");

if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)

if (ASN1_time_parse(nB->data, nB->length, NULL,

BIO_puts(STDout, "INVALID RFC5280 TIME");

0) == -1)

BIO_puts(STDout,

"INVALID RFC5280 TIME");

else

ASN1_TIME_print(STDout, nB);

BIO_puts(STDout, "\n");

} else if (x509_config.enddate == i) {

ASN1_TIME *nA = X509_get_notAfter(x);

BIO_puts(STDout, "notAfter=");

if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)

if (ASN1_time_parse(nA->data, nA->length, NULL,

BIO_puts(STDout, "INVALID RFC5280 TIME");

0) == -1)

BIO_puts(STDout,

"INVALID RFC5280 TIME");

else

ASN1_TIME_print(STDout, nA);

BIO_puts(STDout, "\n");

Line 1141

Line 1168

BIO_printf(STDout, "%02X%c", md[j],

(j + 1 == (int)n) ? '\n' : ':');

}

/* should be in the library */

else if ((x509_config.sign_flag == i) && (x509_config.x509req == 0)) {

} else if ((x509_config.sign_flag == i) &&

(x509_config.x509req == 0)) {

BIO_printf(bio_err, "Getting Private key\n");

if (Upkey == NULL) {

Upkey = load_key(bio_err,

x509_config.keyfile, x509_config.keyformat, 0,

x509_config.keyfile,

passin, "Private key");

x509_config.keyformat, 0, passin,

"Private key");

if (Upkey == NULL)

goto end;

}

if (!sign(x, Upkey, x509_config.days, x509_config.clrext, x509_config.digest,

if (!sign(x, Upkey, x509_config.days,

x509_config.clrext, x509_config.digest,

extconf, x509_config.extsect))

goto end;

} else if (x509_config.CA_flag == i) {

BIO_printf(bio_err, "Getting CA Private Key\n");

if (x509_config.CAkeyfile != NULL) {

CApkey = load_key(bio_err,

x509_config.CAkeyfile, x509_config.CAkeyformat,

x509_config.CAkeyfile,

0, passin, "CA Private Key");

x509_config.CAkeyformat, 0, passin,

"CA Private Key");

if (CApkey == NULL)

goto end;

}

if (!x509_certify(ctx, x509_config.CAfile, x509_config.digest, x, xca,

if (!x509_certify(ctx, x509_config.CAfile,

CApkey, x509_config.sigopts,

x509_config.digest, x, xca, CApkey,

x509_config.CAserial, x509_config.CA_createserial, x509_config.days, x509_config.clrext,

x509_config.sigopts, x509_config.CAserial,

extconf, x509_config.extsect, x509_config.sno))

x509_config.CA_createserial,

x509_config.days, x509_config.clrext,

extconf, x509_config.extsect,

x509_config.sno))

goto end;

} else if (x509_config.x509req == i) {

EVP_PKEY *pk;

BIO_printf(bio_err, "Getting request Private Key\n");

BIO_printf(bio_err,

"Getting request Private Key\n");

if (x509_config.keyfile == NULL) {

BIO_printf(bio_err, "no request key file specified\n");

BIO_printf(bio_err,

"no request key file specified\n");

goto end;

} else {

pk = load_key(bio_err,

x509_config.keyfile, x509_config.keyformat, 0,

x509_config.keyfile,

passin, "request key");

x509_config.keyformat, 0, passin,

"request key");

if (pk == NULL)

goto end;

}

BIO_printf(bio_err, "Generating certificate request\n");

BIO_printf(bio_err,

"Generating certificate request\n");

rq = X509_to_X509_REQ(x, pk, x509_config.digest);

EVP_PKEY_free(pk);

Line 1239

Line 1277

i = ASN1_item_i2d_bio(&NETSCAPE_X509_it, out, &nx);

} else {

BIO_printf(bio_err, "bad output format specified for outfile\n");

BIO_printf(bio_err,

"bad output format specified for outfile\n");

goto end;

}

if (!i) {

Line 1350

Line 1389

goto end;

if (!X509_check_private_key(xca, pkey)) {

BIO_printf(bio_err, "CA certificate and CA private key do not match\n");

BIO_printf(bio_err,

"CA certificate and CA private key do not match\n");

goto end;

}

if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))

Line 1410

Line 1450

* DEPTH_ZERO_SELF_....

if (ok) {

BIO_printf(bio_err, "error with certificate to be certified - should be self signed\n");

BIO_printf(bio_err,

"error with certificate to be certified - should be self signed\n");

return 0;

} else {

err_cert = X509_STORE_CTX_get_current_cert(ctx);

print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);

BIO_printf(bio_err, "error with certificate - error %d at depth %d\n%s\n",

BIO_printf(bio_err,

"error with certificate - error %d at depth %d\n%s\n",

err, X509_STORE_CTX_get_error_depth(ctx),

X509_verify_cert_error_string(err));

return 1;

Line 1464

Line 1506

}

if (!X509_sign(x, pkey, digest))

goto err;

return 1;

err: