authorinoguchi <>2021-07-15 09:56:32 +0000
committerinoguchi <>2021-07-15 09:56:32 +0000
commit174f2ffd983f36fed849facf7e7aaf30866d10d7 (patch)
tree860a45844d2c64d2e36b9fae5d742a245c3c4389 /src
parentecf974d2068ea3567fbffbacf1bb3be466d461c7 (diff)
Convert openssl(1) ca option handling
New option handling for openssl(1) ca. This diff only replaces the existing option handling with the new one; no functional change. I'm using the words DN or RDN in the option descriptions, as the manual uses them, rather than replacing them with "Distinguished Name" or "Relative Distinguished Name". I would like to add the fixes below in follow-up diffs: - remove the space between '*' and the pointer variable - wrap lines longer than 80 columns - explicitly check whether a pointer variable is NULL or not. comments and ok from jsing@
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/ca.c1099
1 files changed, 643 insertions, 456 deletions
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 6952226ffb..8d1ea25470 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ca.c,v 1.28 2020/12/16 18:53:10 tb Exp $ */ 1/* $OpenBSD: ca.c,v 1.29 2021/07/15 09:56:32 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -120,47 +120,6 @@
120#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ 120#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ 121#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122 122
123static const char *ca_usage[] = {
124 "usage: ca args\n",
125 "\n",
126 " -verbose - Talk a lot while doing things\n",
127 " -config file - A config file\n",
128 " -name arg - The particular CA definition to use\n",
129 " -gencrl - Generate a new CRL\n",
130 " -crldays days - Days is when the next CRL is due\n",
131 " -crlhours hours - Hours is when the next CRL is due\n",
132 " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
133 " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
134 " -days arg - number of days to certify the certificate for\n",
135 " -md arg - md to use, one of md5 or sha1\n",
136 " -policy arg - The CA 'policy' to support\n",
137 " -keyfile arg - private key file\n",
138 " -keyform arg - private key file format (PEM)\n",
139 " -key arg - key to decode the private key if it is encrypted\n",
140 " -cert file - The CA certificate\n",
141 " -selfsign - sign a certificate with the key associated with it\n",
142 " -in file - The input PEM encoded certificate request(s)\n",
143 " -out file - Where to put the output file(s)\n",
144 " -outdir dir - Where to put output certificates\n",
145 " -infiles .... - The last argument, requests to process\n",
146 " -spkac file - File contains DN and signed public key and challenge\n",
147 " -ss_cert file - File contains a self signed cert to sign\n",
148 " -preserveDN - Don't re-order the DN\n",
149 " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
150 " -batch - Don't ask questions\n",
151 " -msie_hack - msie modifications to handle all those universal strings\n",
152 " -revoke file - Revoke a certificate (given in file)\n",
153 " -subj arg - Use arg instead of request's subject\n",
154 " -utf8 - input characters are UTF8 (default ASCII)\n",
155 " -multivalue-rdn - enable support for multivalued RDNs\n",
156 " -extensions .. - Extension section (override value in config file)\n",
157 " -extfile file - Configuration file with X509v3 extentions to add\n",
158 " -crlexts .. - CRL extension section (override value in config file)\n",
159 " -status serial - Shows certificate status given the serial number\n",
160 " -updatedb - Updates db for expired certificates\n",
161 NULL
162};
163
164static void lookup_fail(const char *name, const char *tag); 123static void lookup_fail(const char *name, const char *tag);
165static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, 124static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
166 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, 125 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
@@ -199,13 +158,454 @@ static char * bin2hex(unsigned char *, size_t);
199char *make_revocation_str(int rev_type, char *rev_arg); 158char *make_revocation_str(int rev_type, char *rev_arg);
200int make_revoked(X509_REVOKED * rev, const char *str); 159int make_revoked(X509_REVOKED * rev, const char *str);
201int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str); 160int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
161
202static CONF *conf = NULL; 162static CONF *conf = NULL;
203static CONF *extconf = NULL; 163static CONF *extconf = NULL;
204static char *section = NULL;
205 164
206static int preserve = 0; 165static struct {
207static int msie_hack = 0; 166 int batch;
167 char *certfile;
168 unsigned long chtype;
169 char *configfile;
170 int create_ser;
171 char *crl_ext;
172 long crldays;
173 long crlhours;
174 long crlsec;
175 long days;
176 int dorevoke;
177 int doupdatedb;
178 int email_dn;
179 char *enddate;
180 char *extensions;
181 char *extfile;
182 int gencrl;
183 char *infile;
184 char **infiles;
185 int infiles_num;
186 char *key;
187 char *keyfile;
188 int keyform;
189 char *md;
190 int multirdn;
191 int msie_hack;
192 int notext;
193 char *outdir;
194 char *outfile;
195 char *passargin;
196 char *policy;
197 int preserve;
198 int req;
199 char *rev_arg;
200 int rev_type;
201 char *ser_status;
202 char *section;
203 int selfsign;
204 STACK_OF(OPENSSL_STRING) * sigopts;
205 char *spkac_file;
206 char *ss_cert_file;
207 char *startdate;
208 char *subj;
209 int verbose;
210} ca_config;
211
212static int
213ca_opt_chtype_utf8(void)
214{
215 ca_config.chtype = MBSTRING_UTF8;
216 return (0);
217}
218
219static int
220ca_opt_crl_ca_compromise(char *arg)
221{
222 ca_config.rev_arg = arg;
223 ca_config.rev_type = REV_CA_COMPROMISE;
224 return (0);
225}
226
227static int
228ca_opt_crl_compromise(char *arg)
229{
230 ca_config.rev_arg = arg;
231 ca_config.rev_type = REV_KEY_COMPROMISE;
232 return (0);
233}
234
235static int
236ca_opt_crl_hold(char *arg)
237{
238 ca_config.rev_arg = arg;
239 ca_config.rev_type = REV_HOLD;
240 return (0);
241}
242
243static int
244ca_opt_crl_reason(char *arg)
245{
246 ca_config.rev_arg = arg;
247 ca_config.rev_type = REV_CRL_REASON;
248 return (0);
249}
250
251static int
252ca_opt_in(char *arg)
253{
254 ca_config.infile = arg;
255 ca_config.req = 1;
256 return (0);
257}
258
259static int
260ca_opt_infiles(int argc, char **argv, int *argsused)
261{
262 ca_config.infiles_num = argc - 1;
263 if (ca_config.infiles_num < 1)
264 return (1);
265 ca_config.infiles = argv + 1;
266 ca_config.req = 1;
267 *argsused = argc;
268 return (0);
269}
270
271static int
272ca_opt_revoke(char *arg)
273{
274 ca_config.infile = arg;
275 ca_config.dorevoke = 1;
276 return (0);
277}
278
279static int
280ca_opt_sigopt(char *arg)
281{
282 if (ca_config.sigopts == NULL)
283 ca_config.sigopts = sk_OPENSSL_STRING_new_null();
284 if (ca_config.sigopts == NULL)
285 return (1);
286 if (!sk_OPENSSL_STRING_push(ca_config.sigopts, arg))
287 return (1);
288 return (0);
289}
290
291static int
292ca_opt_spkac(char *arg)
293{
294 ca_config.spkac_file = arg;
295 ca_config.req = 1;
296 return (0);
297}
208 298
299static int
300ca_opt_ss_cert(char *arg)
301{
302 ca_config.ss_cert_file = arg;
303 ca_config.req = 1;
304 return (0);
305}
306
307static const struct option ca_options[] = {
308 {
309 .name = "batch",
310 .desc = "Operate in batch mode",
311 .type = OPTION_FLAG,
312 .opt.flag = &ca_config.batch,
313 },
314 {
315 .name = "cert",
316 .argname = "file",
317 .desc = "File containing the CA certificate",
318 .type = OPTION_ARG,
319 .opt.arg = &ca_config.certfile,
320 },
321 {
322 .name = "config",
323 .argname = "file",
324 .desc = "Specify an alternative configuration file",
325 .type = OPTION_ARG,
326 .opt.arg = &ca_config.configfile,
327 },
328 {
329 .name = "create_serial",
330 .desc = "If reading serial fails, create a new random serial",
331 .type = OPTION_FLAG,
332 .opt.flag = &ca_config.create_ser,
333 },
334 {
335 .name = "crl_CA_compromise",
336 .argname = "time",
337 .desc = "Set the compromise time and the revocation reason to\n"
338 "CACompromise",
339 .type = OPTION_ARG_FUNC,
340 .opt.argfunc = ca_opt_crl_ca_compromise,
341 },
342 {
343 .name = "crl_compromise",
344 .argname = "time",
345 .desc = "Set the compromise time and the revocation reason to\n"
346 "keyCompromise",
347 .type = OPTION_ARG_FUNC,
348 .opt.argfunc = ca_opt_crl_compromise,
349 },
350 {
351 .name = "crl_hold",
352 .argname = "instruction",
353 .desc = "Set the hold instruction and the revocation reason to\n"
354 "certificateHold",
355 .type = OPTION_ARG_FUNC,
356 .opt.argfunc = ca_opt_crl_hold,
357 },
358 {
359 .name = "crl_reason",
360 .argname = "reason",
361 .desc = "Revocation reason",
362 .type = OPTION_ARG_FUNC,
363 .opt.argfunc = ca_opt_crl_reason,
364 },
365 {
366 .name = "crldays",
367 .argname = "days",
368 .desc = "Number of days before the next CRL is due",
369 .type = OPTION_ARG_LONG,
370 .opt.lvalue = &ca_config.crldays,
371 },
372 {
373 .name = "crlexts",
374 .argname = "section",
375 .desc = "CRL extension section (override value in config file)",
376 .type = OPTION_ARG,
377 .opt.arg = &ca_config.crl_ext,
378 },
379 {
380 .name = "crlhours",
381 .argname = "hours",
382 .desc = "Number of hours before the next CRL is due",
383 .type = OPTION_ARG_LONG,
384 .opt.lvalue = &ca_config.crlhours,
385 },
386 {
387 .name = "crlsec",
388 .argname = "seconds",
389 .desc = "Number of seconds before the next CRL is due",
390 .type = OPTION_ARG_LONG,
391 .opt.lvalue = &ca_config.crlsec,
392 },
393 {
394 .name = "days",
395 .argname = "arg",
396 .desc = "Number of days to certify the certificate for",
397 .type = OPTION_ARG_LONG,
398 .opt.lvalue = &ca_config.days,
399 },
400 {
401 .name = "enddate",
402 .argname = "YYMMDDHHMMSSZ",
403 .desc = "Certificate validity notAfter (overrides -days)",
404 .type = OPTION_ARG,
405 .opt.arg = &ca_config.enddate,
406 },
407 {
408 .name = "extensions",
409 .argname = "section",
410 .desc = "Extension section (override value in config file)",
411 .type = OPTION_ARG,
412 .opt.arg = &ca_config.extensions,
413 },
414 {
415 .name = "extfile",
416 .argname = "file",
417 .desc = "Configuration file with X509v3 extentions to add",
418 .type = OPTION_ARG,
419 .opt.arg = &ca_config.extfile,
420 },
421 {
422 .name = "gencrl",
423 .desc = "Generate a new CRL",
424 .type = OPTION_FLAG,
425 .opt.flag = &ca_config.gencrl,
426 },
427 {
428 .name = "in",
429 .argname = "file",
430 .desc = "Input file containing a single certificate request",
431 .type = OPTION_ARG_FUNC,
432 .opt.argfunc = ca_opt_in,
433 },
434 {
435 .name = "infiles",
436 .argname = "...",
437 .desc = "The last argument, certificate requests to process",
438 .type = OPTION_ARGV_FUNC,
439 .opt.argvfunc = ca_opt_infiles,
440 },
441 {
442 .name = "key",
443 .argname = "password",
444 .desc = "Key to decode the private key if it is encrypted",
445 .type = OPTION_ARG,
446 .opt.arg = &ca_config.key,
447 },
448 {
449 .name = "keyfile",
450 .argname = "file",
451 .desc = "Private key file",
452 .type = OPTION_ARG,
453 .opt.arg = &ca_config.keyfile,
454 },
455 {
456 .name = "keyform",
457 .argname = "fmt",
458 .desc = "Private key file format (DER or PEM (default))",
459 .type = OPTION_ARG_FORMAT,
460 .opt.value = &ca_config.keyform,
461 },
462 {
463 .name = "md",
464 .argname = "alg",
465 .desc = "Message digest to use",
466 .type = OPTION_ARG,
467 .opt.arg = &ca_config.md,
468 },
469 {
470 .name = "msie_hack",
471 .type = OPTION_FLAG,
472 .opt.flag = &ca_config.msie_hack,
473 },
474 {
475 .name = "multivalue-rdn",
476 .desc = "Enable support for multivalued RDNs",
477 .type = OPTION_FLAG,
478 .opt.flag = &ca_config.multirdn,
479 },
480 {
481 .name = "name",
482 .argname = "section",
483 .desc = "Specifies the configuration file section to use",
484 .type = OPTION_ARG,
485 .opt.arg = &ca_config.section,
486 },
487 {
488 .name = "noemailDN",
489 .desc = "Do not add the EMAIL field to the DN",
490 .type = OPTION_VALUE,
491 .opt.value = &ca_config.email_dn,
492 .value = 0,
493 },
494 {
495 .name = "notext",
496 .desc = "Do not print the generated certificate",
497 .type = OPTION_FLAG,
498 .opt.flag = &ca_config.notext,
499 },
500 {
501 .name = "out",
502 .argname = "file",
503 .desc = "Output file (default stdout)",
504 .type = OPTION_ARG,
505 .opt.arg = &ca_config.outfile,
506 },
507 {
508 .name = "outdir",
509 .argname = "directory",
510 .desc = " Directory to output certificates to",
511 .type = OPTION_ARG,
512 .opt.arg = &ca_config.outdir,
513 },
514 {
515 .name = "passin",
516 .argname = "src",
517 .desc = "Private key input password source",
518 .type = OPTION_ARG,
519 .opt.arg = &ca_config.passargin,
520 },
521 {
522 .name = "policy",
523 .argname = "name",
524 .desc = "The CA 'policy' to support",
525 .type = OPTION_ARG,
526 .opt.arg = &ca_config.policy,
527 },
528 {
529 .name = "preserveDN",
530 .desc = "Do not re-order the DN",
531 .type = OPTION_FLAG,
532 .opt.flag = &ca_config.preserve,
533 },
534 {
535 .name = "revoke",
536 .argname = "file",
537 .desc = "Revoke a certificate (given in file)",
538 .type = OPTION_ARG_FUNC,
539 .opt.argfunc = ca_opt_revoke,
540 },
541 {
542 .name = "selfsign",
543 .desc = "Sign a certificate using the key associated with it",
544 .type = OPTION_FLAG,
545 .opt.flag = &ca_config.selfsign,
546 },
547 {
548 .name = "sigopt",
549 .argname = "nm:v",
550 .desc = "Signature parameter in nm:v form",
551 .type = OPTION_ARG_FUNC,
552 .opt.argfunc = ca_opt_sigopt,
553 },
554 {
555 .name = "spkac",
556 .argname = "file",
557 .desc = "File contains DN and signed public key and challenge",
558 .type = OPTION_ARG_FUNC,
559 .opt.argfunc = ca_opt_spkac,
560 },
561 {
562 .name = "ss_cert",
563 .argname = "file",
564 .desc = "File contains a self signed certificate to sign",
565 .type = OPTION_ARG_FUNC,
566 .opt.argfunc = ca_opt_ss_cert,
567 },
568 {
569 .name = "startdate",
570 .argname = "YYMMDDHHMMSSZ",
571 .desc = "Certificate validity notBefore",
572 .type = OPTION_ARG,
573 .opt.arg = &ca_config.startdate,
574 },
575 {
576 .name = "status",
577 .argname = "serial",
578 .desc = "Shows certificate status given the serial number",
579 .type = OPTION_ARG,
580 .opt.arg = &ca_config.ser_status,
581 },
582 {
583 .name = "subj",
584 .argname = "arg",
585 .desc = "Use arg instead of request's subject",
586 .type = OPTION_ARG,
587 .opt.arg = &ca_config.subj,
588 },
589 {
590 .name = "updatedb",
591 .desc = "Updates db for expired certificates",
592 .type = OPTION_FLAG,
593 .opt.flag = &ca_config.doupdatedb,
594 },
595 {
596 .name = "utf8",
597 .desc = "Input characters are in UTF-8 (default ASCII)",
598 .type = OPTION_FUNC,
599 .opt.func = ca_opt_chtype_utf8,
600 },
601 {
602 .name = "verbose",
603 .desc = "Verbose output during processing",
604 .type = OPTION_FLAG,
605 .opt.flag = &ca_config.verbose,
606 },
607 { NULL },
608};
209 609
210/* 610/*
211 * Set a certificate time based on user provided input. Make sure 611 * Set a certificate time based on user provided input. Make sure
@@ -227,62 +627,45 @@ setCertificateTime(ASN1_TIME *x509time, char *timestring)
227 return 0; 627 return 0;
228} 628}
229 629
630static void
631ca_usage(void)
632{
633 fprintf(stderr,
634 "usage: ca [-batch] [-cert file] [-config file] [-create_serial]\n"
635 " [-crl_CA_compromise time] [-crl_compromise time]\n"
636 " [-crl_hold instruction] [-crl_reason reason] [-crldays days]\n"
637 " [-crlexts section] [-crlhours hours] [-crlsec seconds]\n"
638 " [-days arg] [-enddate date] [-extensions section]\n"
639 " [-extfile file] [-gencrl] [-in file] [-infiles]\n"
640 " [-key password] [-keyfile file] [-keyform pem | der]\n"
641 " [-md alg] [-multivalue-rdn] [-name section]\n"
642 " [-noemailDN] [-notext] [-out file] [-outdir directory]\n"
643 " [-passin arg] [-policy name] [-preserveDN] [-revoke file]\n"
644 " [-selfsign] [-sigopt nm:v] [-spkac file] [-ss_cert file]\n"
645 " [-startdate date] [-status serial] [-subj arg] [-updatedb]\n"
646 " [-utf8] [-verbose]\n\n");
647 options_usage(ca_options);
648 fprintf(stderr, "\n");
649}
650
230int 651int
231ca_main(int argc, char **argv) 652ca_main(int argc, char **argv)
232{ 653{
233 char *key = NULL, *passargin = NULL;
234 int create_ser = 0;
235 int free_key = 0; 654 int free_key = 0;
236 int total = 0; 655 int total = 0;
237 int total_done = 0; 656 int total_done = 0;
238 int badops = 0;
239 int ret = 1; 657 int ret = 1;
240 int email_dn = 1;
241 int req = 0;
242 int verbose = 0;
243 int gencrl = 0;
244 int dorevoke = 0;
245 int doupdatedb = 0;
246 long crldays = 0;
247 long crlhours = 0;
248 long crlsec = 0;
249 long errorline = -1; 658 long errorline = -1;
250 char *configfile = NULL;
251 char *md = NULL;
252 char *policy = NULL;
253 char *keyfile = NULL;
254 char *certfile = NULL;
255 int keyform = FORMAT_PEM;
256 char *infile = NULL;
257 char *spkac_file = NULL;
258 char *ss_cert_file = NULL;
259 char *ser_status = NULL;
260 EVP_PKEY *pkey = NULL; 659 EVP_PKEY *pkey = NULL;
261 int output_der = 0; 660 int output_der = 0;
262 char *outfile = NULL;
263 char *outdir = NULL;
264 char *serialfile = NULL; 661 char *serialfile = NULL;
265 char *crlnumberfile = NULL; 662 char *crlnumberfile = NULL;
266 char *extensions = NULL;
267 char *extfile = NULL;
268 char *subj = NULL;
269 unsigned long chtype = MBSTRING_ASC;
270 int multirdn = 0;
271 char *tmp_email_dn = NULL; 663 char *tmp_email_dn = NULL;
272 char *crl_ext = NULL;
273 int rev_type = REV_NONE;
274 char *rev_arg = NULL;
275 BIGNUM *serial = NULL; 664 BIGNUM *serial = NULL;
276 BIGNUM *crlnumber = NULL; 665 BIGNUM *crlnumber = NULL;
277 char *startdate = NULL;
278 char *enddate = NULL;
279 long days = 0;
280 int batch = 0;
281 int notext = 0;
282 unsigned long nameopt = 0, certopt = 0; 666 unsigned long nameopt = 0, certopt = 0;
283 int default_op = 1; 667 int default_op = 1;
284 int ext_copy = EXT_COPY_NONE; 668 int ext_copy = EXT_COPY_NONE;
285 int selfsign = 0;
286 X509 *x509 = NULL, *x509p = NULL; 669 X509 *x509 = NULL, *x509p = NULL;
287 X509 *x = NULL; 670 X509 *x = NULL;
288 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL; 671 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
@@ -299,9 +682,7 @@ ca_main(int argc, char **argv)
299 const EVP_MD *dgst = NULL; 682 const EVP_MD *dgst = NULL;
300 STACK_OF(CONF_VALUE) * attribs = NULL; 683 STACK_OF(CONF_VALUE) * attribs = NULL;
301 STACK_OF(X509) * cert_sk = NULL; 684 STACK_OF(X509) * cert_sk = NULL;
302 STACK_OF(OPENSSL_STRING) * sigopts = NULL;
303 char *tofree = NULL; 685 char *tofree = NULL;
304 const char *errstr = NULL;
305 DB_ATTR db_attr; 686 DB_ATTR db_attr;
306 687
307 if (single_execution) { 688 if (single_execution) {
@@ -311,244 +692,50 @@ ca_main(int argc, char **argv)
311 } 692 }
312 } 693 }
313 694
314 conf = NULL; 695 memset(&ca_config, 0, sizeof(ca_config));
315 key = NULL; 696 ca_config.email_dn = 1;
316 section = NULL; 697 ca_config.keyform = FORMAT_PEM;
317 698 ca_config.chtype = MBSTRING_ASC;
318 preserve = 0; 699 ca_config.rev_type = REV_NONE;
319 msie_hack = 0;
320
321 argc--;
322 argv++;
323 while (argc >= 1) {
324 if (strcmp(*argv, "-verbose") == 0)
325 verbose = 1;
326 else if (strcmp(*argv, "-config") == 0) {
327 if (--argc < 1)
328 goto bad;
329 configfile = *(++argv);
330 } else if (strcmp(*argv, "-name") == 0) {
331 if (--argc < 1)
332 goto bad;
333 section = *(++argv);
334 } else if (strcmp(*argv, "-subj") == 0) {
335 if (--argc < 1)
336 goto bad;
337 subj = *(++argv);
338 /* preserve=1; */
339 } else if (strcmp(*argv, "-utf8") == 0)
340 chtype = MBSTRING_UTF8;
341 else if (strcmp(*argv, "-create_serial") == 0)
342 create_ser = 1;
343 else if (strcmp(*argv, "-multivalue-rdn") == 0)
344 multirdn = 1;
345 else if (strcmp(*argv, "-startdate") == 0) {
346 if (--argc < 1)
347 goto bad;
348 startdate = *(++argv);
349 } else if (strcmp(*argv, "-enddate") == 0) {
350 if (--argc < 1)
351 goto bad;
352 enddate = *(++argv);
353 } else if (strcmp(*argv, "-days") == 0) {
354 if (--argc < 1)
355 goto bad;
356 days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
357 if (errstr)
358 goto bad;
359 } else if (strcmp(*argv, "-md") == 0) {
360 if (--argc < 1)
361 goto bad;
362 md = *(++argv);
363 } else if (strcmp(*argv, "-policy") == 0) {
364 if (--argc < 1)
365 goto bad;
366 policy = *(++argv);
367 } else if (strcmp(*argv, "-keyfile") == 0) {
368 if (--argc < 1)
369 goto bad;
370 keyfile = *(++argv);
371 } else if (strcmp(*argv, "-keyform") == 0) {
372 if (--argc < 1)
373 goto bad;
374 keyform = str2fmt(*(++argv));
375 } else if (strcmp(*argv, "-passin") == 0) {
376 if (--argc < 1)
377 goto bad;
378 passargin = *(++argv);
379 } else if (strcmp(*argv, "-key") == 0) {
380 if (--argc < 1)
381 goto bad;
382 key = *(++argv);
383 } else if (strcmp(*argv, "-cert") == 0) {
384 if (--argc < 1)
385 goto bad;
386 certfile = *(++argv);
387 } else if (strcmp(*argv, "-selfsign") == 0)
388 selfsign = 1;
389 else if (strcmp(*argv, "-in") == 0) {
390 if (--argc < 1)
391 goto bad;
392 infile = *(++argv);
393 req = 1;
394 } else if (strcmp(*argv, "-out") == 0) {
395 if (--argc < 1)
396 goto bad;
397 outfile = *(++argv);
398 } else if (strcmp(*argv, "-outdir") == 0) {
399 if (--argc < 1)
400 goto bad;
401 outdir = *(++argv);
402 } else if (strcmp(*argv, "-sigopt") == 0) {
403 if (--argc < 1)
404 goto bad;
405 if (!sigopts)
406 sigopts = sk_OPENSSL_STRING_new_null();
407 if (!sigopts ||
408 !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
409 goto bad;
410 } else if (strcmp(*argv, "-notext") == 0)
411 notext = 1;
412 else if (strcmp(*argv, "-batch") == 0)
413 batch = 1;
414 else if (strcmp(*argv, "-preserveDN") == 0)
415 preserve = 1;
416 else if (strcmp(*argv, "-noemailDN") == 0)
417 email_dn = 0;
418 else if (strcmp(*argv, "-gencrl") == 0)
419 gencrl = 1;
420 else if (strcmp(*argv, "-msie_hack") == 0)
421 msie_hack = 1;
422 else if (strcmp(*argv, "-crldays") == 0) {
423 if (--argc < 1)
424 goto bad;
425 crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
426 if (errstr)
427 goto bad;
428 } else if (strcmp(*argv, "-crlhours") == 0) {
429 if (--argc < 1)
430 goto bad;
431 crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
432 if (errstr)
433 goto bad;
434 } else if (strcmp(*argv, "-crlsec") == 0) {
435 if (--argc < 1)
436 goto bad;
437 crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
438 if (errstr)
439 goto bad;
440 } else if (strcmp(*argv, "-infiles") == 0) {
441 argc--;
442 argv++;
443 req = 1;
444 break;
445 } else if (strcmp(*argv, "-ss_cert") == 0) {
446 if (--argc < 1)
447 goto bad;
448 ss_cert_file = *(++argv);
449 req = 1;
450 } else if (strcmp(*argv, "-spkac") == 0) {
451 if (--argc < 1)
452 goto bad;
453 spkac_file = *(++argv);
454 req = 1;
455 } else if (strcmp(*argv, "-revoke") == 0) {
456 if (--argc < 1)
457 goto bad;
458 infile = *(++argv);
459 dorevoke = 1;
460 } else if (strcmp(*argv, "-extensions") == 0) {
461 if (--argc < 1)
462 goto bad;
463 extensions = *(++argv);
464 } else if (strcmp(*argv, "-extfile") == 0) {
465 if (--argc < 1)
466 goto bad;
467 extfile = *(++argv);
468 } else if (strcmp(*argv, "-status") == 0) {
469 if (--argc < 1)
470 goto bad;
471 ser_status = *(++argv);
472 } else if (strcmp(*argv, "-updatedb") == 0) {
473 doupdatedb = 1;
474 } else if (strcmp(*argv, "-crlexts") == 0) {
475 if (--argc < 1)
476 goto bad;
477 crl_ext = *(++argv);
478 } else if (strcmp(*argv, "-crl_reason") == 0) {
479 if (--argc < 1)
480 goto bad;
481 rev_arg = *(++argv);
482 rev_type = REV_CRL_REASON;
483 } else if (strcmp(*argv, "-crl_hold") == 0) {
484 if (--argc < 1)
485 goto bad;
486 rev_arg = *(++argv);
487 rev_type = REV_HOLD;
488 } else if (strcmp(*argv, "-crl_compromise") == 0) {
489 if (--argc < 1)
490 goto bad;
491 rev_arg = *(++argv);
492 rev_type = REV_KEY_COMPROMISE;
493 } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
494 if (--argc < 1)
495 goto bad;
496 rev_arg = *(++argv);
497 rev_type = REV_CA_COMPROMISE;
498 }
499 else {
500 bad:
501 if (errstr)
502 BIO_printf(bio_err, "invalid argument %s: %s\n",
503 *argv, errstr);
504 else
505 BIO_printf(bio_err, "unknown option %s\n", *argv);
506 badops = 1;
507 break;
508 }
509 argc--;
510 argv++;
511 }
512 700
513 if (badops) { 701 conf = NULL;
514 const char **pp2;
515 702
516 for (pp2 = ca_usage; (*pp2 != NULL); pp2++) 703 if (options_parse(argc, argv, ca_options, NULL, NULL) != 0) {
517 BIO_printf(bio_err, "%s", *pp2); 704 ca_usage();
518 goto err; 705 goto err;
519 } 706 }
520 707
521 /*****************************************************************/ 708 /*****************************************************************/
522 tofree = NULL; 709 tofree = NULL;
523 if (configfile == NULL) 710 if (ca_config.configfile == NULL)
524 configfile = getenv("OPENSSL_CONF"); 711 ca_config.configfile = getenv("OPENSSL_CONF");
525 if (configfile == NULL) { 712 if (ca_config.configfile == NULL) {
526 if ((tofree = make_config_name()) == NULL) { 713 if ((tofree = make_config_name()) == NULL) {
527 BIO_printf(bio_err, "error making config file name\n"); 714 BIO_printf(bio_err, "error making config file name\n");
528 goto err; 715 goto err;
529 } 716 }
530 configfile = tofree; 717 ca_config.configfile = tofree;
531 } 718 }
532 BIO_printf(bio_err, "Using configuration from %s\n", configfile); 719 BIO_printf(bio_err, "Using configuration from %s\n", ca_config.configfile);
533 conf = NCONF_new(NULL); 720 conf = NCONF_new(NULL);
534 if (NCONF_load(conf, configfile, &errorline) <= 0) { 721 if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) {
535 if (errorline <= 0) 722 if (errorline <= 0)
536 BIO_printf(bio_err, 723 BIO_printf(bio_err,
537 "error loading the config file '%s'\n", 724 "error loading the config file '%s'\n",
538 configfile); 725 ca_config.configfile);
539 else 726 else
540 BIO_printf(bio_err, 727 BIO_printf(bio_err,
541 "error on line %ld of config file '%s'\n", 728 "error on line %ld of config file '%s'\n",
542 errorline, configfile); 729 errorline, ca_config.configfile);
543 goto err; 730 goto err;
544 } 731 }
545 free(tofree); 732 free(tofree);
546 tofree = NULL; 733 tofree = NULL;
547 734
548 /* Lets get the config section we are using */ 735 /* Lets get the config section we are using */
549 if (section == NULL) { 736 if (ca_config.section == NULL) {
550 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); 737 ca_config.section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
551 if (section == NULL) { 738 if (ca_config.section == NULL) {
552 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); 739 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
553 goto err; 740 goto err;
554 } 741 }
@@ -578,7 +765,7 @@ ca_main(int argc, char **argv)
578 goto err; 765 goto err;
579 } 766 }
580 } 767 }
581 f = NCONF_get_string(conf, section, STRING_MASK); 768 f = NCONF_get_string(conf, ca_config.section, STRING_MASK);
582 if (!f) 769 if (!f)
583 ERR_clear_error(); 770 ERR_clear_error();
584 771
@@ -587,15 +774,15 @@ ca_main(int argc, char **argv)
587 "Invalid global string mask setting %s\n", f); 774 "Invalid global string mask setting %s\n", f);
588 goto err; 775 goto err;
589 } 776 }
590 if (chtype != MBSTRING_UTF8) { 777 if (ca_config.chtype != MBSTRING_UTF8) {
591 f = NCONF_get_string(conf, section, UTF8_IN); 778 f = NCONF_get_string(conf, ca_config.section, UTF8_IN);
592 if (!f) 779 if (!f)
593 ERR_clear_error(); 780 ERR_clear_error();
594 else if (!strcmp(f, "yes")) 781 else if (!strcmp(f, "yes"))
595 chtype = MBSTRING_UTF8; 782 ca_config.chtype = MBSTRING_UTF8;
596 } 783 }
597 db_attr.unique_subject = 1; 784 db_attr.unique_subject = 1;
598 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); 785 p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT);
599 if (p) { 786 if (p) {
600 db_attr.unique_subject = parse_yesno(p, 1); 787 db_attr.unique_subject = parse_yesno(p, 1);
601 } else 788 } else
@@ -611,10 +798,10 @@ ca_main(int argc, char **argv)
611 } 798 }
612 /*****************************************************************/ 799 /*****************************************************************/
613 /* report status of cert with serial number given on command line */ 800 /* report status of cert with serial number given on command line */
614 if (ser_status) { 801 if (ca_config.ser_status) {
615 if ((dbfile = NCONF_get_string(conf, section, 802 if ((dbfile = NCONF_get_string(conf, ca_config.section,
616 ENV_DATABASE)) == NULL) { 803 ENV_DATABASE)) == NULL) {
617 lookup_fail(section, ENV_DATABASE); 804 lookup_fail(ca_config.section, ENV_DATABASE);
618 goto err; 805 goto err;
619 } 806 }
620 db = load_index(dbfile, &db_attr); 807 db = load_index(dbfile, &db_attr);
@@ -624,43 +811,43 @@ ca_main(int argc, char **argv)
624 if (!index_index(db)) 811 if (!index_index(db))
625 goto err; 812 goto err;
626 813
627 if (get_certificate_status(ser_status, db) != 1) 814 if (get_certificate_status(ca_config.ser_status, db) != 1)
628 BIO_printf(bio_err, "Error verifying serial %s!\n", 815 BIO_printf(bio_err, "Error verifying serial %s!\n",
629 ser_status); 816 ca_config.ser_status);
630 goto err; 817 goto err;
631 } 818 }
632 /*****************************************************************/ 819 /*****************************************************************/
633 /* we definitely need a private key, so let's get it */ 820 /* we definitely need a private key, so let's get it */
634 821
635 if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf, 822 if ((ca_config.keyfile == NULL) && ((ca_config.keyfile = NCONF_get_string(conf,
636 section, ENV_PRIVATE_KEY)) == NULL)) { 823 ca_config.section, ENV_PRIVATE_KEY)) == NULL)) {
637 lookup_fail(section, ENV_PRIVATE_KEY); 824 lookup_fail(ca_config.section, ENV_PRIVATE_KEY);
638 goto err; 825 goto err;
639 } 826 }
640 if (!key) { 827 if (!ca_config.key) {
641 free_key = 1; 828 free_key = 1;
642 if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) { 829 if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) {
643 BIO_printf(bio_err, "Error getting password\n"); 830 BIO_printf(bio_err, "Error getting password\n");
644 goto err; 831 goto err;
645 } 832 }
646 } 833 }
647 pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key"); 834 pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key");
648 if (key) 835 if (ca_config.key)
649 explicit_bzero(key, strlen(key)); 836 explicit_bzero(ca_config.key, strlen(ca_config.key));
650 if (pkey == NULL) { 837 if (pkey == NULL) {
651 /* load_key() has already printed an appropriate message */ 838 /* load_key() has already printed an appropriate message */
652 goto err; 839 goto err;
653 } 840 }
654 /*****************************************************************/ 841 /*****************************************************************/
655 /* we need a certificate */ 842 /* we need a certificate */
656 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 843 if (!ca_config.selfsign || ca_config.spkac_file || ca_config.ss_cert_file || ca_config.gencrl) {
657 if ((certfile == NULL) && 844 if ((ca_config.certfile == NULL) &&
658 ((certfile = NCONF_get_string(conf, 845 ((ca_config.certfile = NCONF_get_string(conf,
659 section, ENV_CERTIFICATE)) == NULL)) { 846 ca_config.section, ENV_CERTIFICATE)) == NULL)) {
660 lookup_fail(section, ENV_CERTIFICATE); 847 lookup_fail(ca_config.section, ENV_CERTIFICATE);
661 goto err; 848 goto err;
662 } 849 }
663 x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, 850 x509 = load_cert(bio_err, ca_config.certfile, FORMAT_PEM, NULL,
664 "CA certificate"); 851 "CA certificate");
665 if (x509 == NULL) 852 if (x509 == NULL)
666 goto err; 853 goto err;
@@ -671,21 +858,21 @@ ca_main(int argc, char **argv)
671 goto err; 858 goto err;
672 } 859 }
673 } 860 }
674 if (!selfsign) 861 if (!ca_config.selfsign)
675 x509p = x509; 862 x509p = x509;
676 863
677 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); 864 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
678 if (f == NULL) 865 if (f == NULL)
679 ERR_clear_error(); 866 ERR_clear_error();
680 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 867 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
681 preserve = 1; 868 ca_config.preserve = 1;
682 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); 869 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
683 if (f == NULL) 870 if (f == NULL)
684 ERR_clear_error(); 871 ERR_clear_error();
685 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 872 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
686 msie_hack = 1; 873 ca_config.msie_hack = 1;
687 874
688 f = NCONF_get_string(conf, section, ENV_NAMEOPT); 875 f = NCONF_get_string(conf, ca_config.section, ENV_NAMEOPT);
689 876
690 if (f) { 877 if (f) {
691 if (!set_name_ex(&nameopt, f)) { 878 if (!set_name_ex(&nameopt, f)) {
@@ -697,7 +884,7 @@ ca_main(int argc, char **argv)
697 } else 884 } else
698 ERR_clear_error(); 885 ERR_clear_error();
699 886
700 f = NCONF_get_string(conf, section, ENV_CERTOPT); 887 f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT);
701 888
702 if (f) { 889 if (f) {
703 if (!set_cert_ex(&certopt, f)) { 890 if (!set_cert_ex(&certopt, f)) {
@@ -709,7 +896,7 @@ ca_main(int argc, char **argv)
709 } else 896 } else
710 ERR_clear_error(); 897 ERR_clear_error();
711 898
712 f = NCONF_get_string(conf, section, ENV_EXTCOPY); 899 f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY);
713 900
714 if (f) { 901 if (f) {
715 if (!set_ext_copy(&ext_copy, f)) { 902 if (!set_ext_copy(&ext_copy, f)) {
@@ -722,8 +909,8 @@ ca_main(int argc, char **argv)
722 909
723 /*****************************************************************/ 910 /*****************************************************************/
724 /* lookup where to write new certificates */ 911 /* lookup where to write new certificates */
725 if (outdir == NULL && req) { 912 if (ca_config.outdir == NULL && ca_config.req) {
726 if ((outdir = NCONF_get_string(conf, section, 913 if ((ca_config.outdir = NCONF_get_string(conf, ca_config.section,
727 ENV_NEW_CERTS_DIR)) == NULL) { 914 ENV_NEW_CERTS_DIR)) == NULL) {
728 BIO_printf(bio_err, "output directory %s not defined\n", 915 BIO_printf(bio_err, "output directory %s not defined\n",
729 ENV_NEW_CERTS_DIR); 916 ENV_NEW_CERTS_DIR);
@@ -732,8 +919,8 @@ ca_main(int argc, char **argv)
732 } 919 }
733 /*****************************************************************/ 920 /*****************************************************************/
734 /* we need to load the database file */ 921 /* we need to load the database file */
735 if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { 922 if ((dbfile = NCONF_get_string(conf, ca_config.section, ENV_DATABASE)) == NULL) {
736 lookup_fail(section, ENV_DATABASE); 923 lookup_fail(ca_config.section, ENV_DATABASE);
737 goto err; 924 goto err;
738 } 925 }
739 db = load_index(dbfile, &db_attr); 926 db = load_index(dbfile, &db_attr);
@@ -780,7 +967,7 @@ ca_main(int argc, char **argv)
780 p++; 967 p++;
781 } 968 }
782 } 969 }
783 if (verbose) { 970 if (ca_config.verbose) {
784 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */ 971 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
785 TXT_DB_write(out, db->db); 972 TXT_DB_write(out, db->db);
786 BIO_printf(bio_err, "%d entries loaded from the database\n", 973 BIO_printf(bio_err, "%d entries loaded from the database\n",
@@ -792,8 +979,8 @@ ca_main(int argc, char **argv)
792 979
793 /*****************************************************************/ 980 /*****************************************************************/
794 /* Update the db file for expired certificates */ 981 /* Update the db file for expired certificates */
795 if (doupdatedb) { 982 if (ca_config.doupdatedb) {
796 if (verbose) 983 if (ca_config.verbose)
797 BIO_printf(bio_err, "Updating %s ...\n", dbfile); 984 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
798 985
799 i = do_updatedb(db); 986 i = do_updatedb(db);
@@ -801,7 +988,7 @@ ca_main(int argc, char **argv)
801 BIO_printf(bio_err, "Malloc failure\n"); 988 BIO_printf(bio_err, "Malloc failure\n");
802 goto err; 989 goto err;
803 } else if (i == 0) { 990 } else if (i == 0) {
804 if (verbose) 991 if (ca_config.verbose)
805 BIO_printf(bio_err, 992 BIO_printf(bio_err,
806 "No entries found to mark expired\n"); 993 "No entries found to mark expired\n");
807 } else { 994 } else {
@@ -811,86 +998,86 @@ ca_main(int argc, char **argv)
811 if (!rotate_index(dbfile, "new", "old")) 998 if (!rotate_index(dbfile, "new", "old"))
812 goto err; 999 goto err;
813 1000
814 if (verbose) 1001 if (ca_config.verbose)
815 BIO_printf(bio_err, 1002 BIO_printf(bio_err,
816 "Done. %d entries marked as expired\n", i); 1003 "Done. %d entries marked as expired\n", i);
817 } 1004 }
818 } 1005 }
819 /*****************************************************************/ 1006 /*****************************************************************/
820 /* Read extentions config file */ 1007 /* Read extentions config file */
821 if (extfile) { 1008 if (ca_config.extfile) {
822 extconf = NCONF_new(NULL); 1009 extconf = NCONF_new(NULL);
823 if (NCONF_load(extconf, extfile, &errorline) <= 0) { 1010 if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) {
824 if (errorline <= 0) 1011 if (errorline <= 0)
825 BIO_printf(bio_err, 1012 BIO_printf(bio_err,
826 "ERROR: loading the config file '%s'\n", 1013 "ERROR: loading the config file '%s'\n",
827 extfile); 1014 ca_config.extfile);
828 else 1015 else
829 BIO_printf(bio_err, 1016 BIO_printf(bio_err,
830 "ERROR: on line %ld of config file '%s'\n", 1017 "ERROR: on line %ld of config file '%s'\n",
831 errorline, extfile); 1018 errorline, ca_config.extfile);
832 ret = 1; 1019 ret = 1;
833 goto err; 1020 goto err;
834 } 1021 }
835 if (verbose) 1022 if (ca_config.verbose)
836 BIO_printf(bio_err, 1023 BIO_printf(bio_err,
837 "Successfully loaded extensions file %s\n", 1024 "Successfully loaded extensions file %s\n",
838 extfile); 1025 ca_config.extfile);
839 1026
840 /* We can have sections in the ext file */ 1027 /* We can have sections in the ext file */
841 if (!extensions && !(extensions = NCONF_get_string(extconf, 1028 if (!ca_config.extensions && !(ca_config.extensions = NCONF_get_string(extconf,
842 "default", "extensions"))) 1029 "default", "extensions")))
843 extensions = "default"; 1030 ca_config.extensions = "default";
844 } 1031 }
845 /*****************************************************************/ 1032 /*****************************************************************/
846 if (req || gencrl) { 1033 if (ca_config.req || ca_config.gencrl) {
847 if (outfile != NULL) { 1034 if (ca_config.outfile != NULL) {
848 if (BIO_write_filename(Sout, outfile) <= 0) { 1035 if (BIO_write_filename(Sout, ca_config.outfile) <= 0) {
849 perror(outfile); 1036 perror(ca_config.outfile);
850 goto err; 1037 goto err;
851 } 1038 }
852 } else { 1039 } else {
853 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); 1040 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
854 } 1041 }
855 } 1042 }
856 if ((md == NULL) && ((md = NCONF_get_string(conf, section, 1043 if ((ca_config.md == NULL) && ((ca_config.md = NCONF_get_string(conf, ca_config.section,
857 ENV_DEFAULT_MD)) == NULL)) { 1044 ENV_DEFAULT_MD)) == NULL)) {
858 lookup_fail(section, ENV_DEFAULT_MD); 1045 lookup_fail(ca_config.section, ENV_DEFAULT_MD);
859 goto err; 1046 goto err;
860 } 1047 }
861 if (!strcmp(md, "default")) { 1048 if (!strcmp(ca_config.md, "default")) {
862 int def_nid; 1049 int def_nid;
863 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { 1050 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
864 BIO_puts(bio_err, "no default digest\n"); 1051 BIO_puts(bio_err, "no default digest\n");
865 goto err; 1052 goto err;
866 } 1053 }
867 md = (char *) OBJ_nid2sn(def_nid); 1054 ca_config.md = (char *) OBJ_nid2sn(def_nid);
868 } 1055 }
869 if ((dgst = EVP_get_digestbyname(md)) == NULL) { 1056 if ((dgst = EVP_get_digestbyname(ca_config.md)) == NULL) {
870 BIO_printf(bio_err, 1057 BIO_printf(bio_err,
871 "%s is an unsupported message digest type\n", md); 1058 "%s is an unsupported message digest type\n", ca_config.md);
872 goto err; 1059 goto err;
873 } 1060 }
874 if (req) { 1061 if (ca_config.req) {
875 if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf, 1062 if ((ca_config.email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
876 section, ENV_DEFAULT_EMAIL_DN)) != NULL)) { 1063 ca_config.section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
877 if (strcmp(tmp_email_dn, "no") == 0) 1064 if (strcmp(tmp_email_dn, "no") == 0)
878 email_dn = 0; 1065 ca_config.email_dn = 0;
879 } 1066 }
880 if (verbose) 1067 if (ca_config.verbose)
881 BIO_printf(bio_err, "message digest is %s\n", 1068 BIO_printf(bio_err, "message digest is %s\n",
882 OBJ_nid2ln(dgst->type)); 1069 OBJ_nid2ln(dgst->type));
883 if ((policy == NULL) && ((policy = NCONF_get_string(conf, 1070 if ((ca_config.policy == NULL) && ((ca_config.policy = NCONF_get_string(conf,
884 section, ENV_POLICY)) == NULL)) { 1071 ca_config.section, ENV_POLICY)) == NULL)) {
885 lookup_fail(section, ENV_POLICY); 1072 lookup_fail(ca_config.section, ENV_POLICY);
886 goto err; 1073 goto err;
887 } 1074 }
888 if (verbose) 1075 if (ca_config.verbose)
889 BIO_printf(bio_err, "policy is %s\n", policy); 1076 BIO_printf(bio_err, "policy is %s\n", ca_config.policy);
890 1077
891 if ((serialfile = NCONF_get_string(conf, section, 1078 if ((serialfile = NCONF_get_string(conf, ca_config.section,
892 ENV_SERIAL)) == NULL) { 1079 ENV_SERIAL)) == NULL) {
893 lookup_fail(section, ENV_SERIAL); 1080 lookup_fail(ca_config.section, ENV_SERIAL);
894 goto err; 1081 goto err;
895 } 1082 }
896 if (!extconf) { 1083 if (!extconf) {
@@ -898,59 +1085,59 @@ ca_main(int argc, char **argv)
898 * no '-extfile' option, so we look for extensions in 1085 * no '-extfile' option, so we look for extensions in
899 * the main configuration file 1086 * the main configuration file
900 */ 1087 */
901 if (!extensions) { 1088 if (!ca_config.extensions) {
902 extensions = NCONF_get_string(conf, section, 1089 ca_config.extensions = NCONF_get_string(conf, ca_config.section,
903 ENV_EXTENSIONS); 1090 ENV_EXTENSIONS);
904 if (!extensions) 1091 if (!ca_config.extensions)
905 ERR_clear_error(); 1092 ERR_clear_error();
906 } 1093 }
907 if (extensions) { 1094 if (ca_config.extensions) {
908 /* Check syntax of file */ 1095 /* Check syntax of file */
909 X509V3_CTX ctx; 1096 X509V3_CTX ctx;
910 X509V3_set_ctx_test(&ctx); 1097 X509V3_set_ctx_test(&ctx);
911 X509V3_set_nconf(&ctx, conf); 1098 X509V3_set_nconf(&ctx, conf);
912 if (!X509V3_EXT_add_nconf(conf, &ctx, 1099 if (!X509V3_EXT_add_nconf(conf, &ctx,
913 extensions, NULL)) { 1100 ca_config.extensions, NULL)) {
914 BIO_printf(bio_err, 1101 BIO_printf(bio_err,
915 "Error Loading extension section %s\n", 1102 "Error Loading extension section %s\n",
916 extensions); 1103 ca_config.extensions);
917 ret = 1; 1104 ret = 1;
918 goto err; 1105 goto err;
919 } 1106 }
920 } 1107 }
921 } 1108 }
922 if (startdate == NULL) { 1109 if (ca_config.startdate == NULL) {
923 startdate = NCONF_get_string(conf, section, 1110 ca_config.startdate = NCONF_get_string(conf, ca_config.section,
924 ENV_DEFAULT_STARTDATE); 1111 ENV_DEFAULT_STARTDATE);
925 if (startdate == NULL) 1112 if (ca_config.startdate == NULL)
926 ERR_clear_error(); 1113 ERR_clear_error();
927 } 1114 }
928 if (startdate == NULL) 1115 if (ca_config.startdate == NULL)
929 startdate = "today"; 1116 ca_config.startdate = "today";
930 1117
931 if (enddate == NULL) { 1118 if (ca_config.enddate == NULL) {
932 enddate = NCONF_get_string(conf, section, 1119 ca_config.enddate = NCONF_get_string(conf, ca_config.section,
933 ENV_DEFAULT_ENDDATE); 1120 ENV_DEFAULT_ENDDATE);
934 if (enddate == NULL) 1121 if (ca_config.enddate == NULL)
935 ERR_clear_error(); 1122 ERR_clear_error();
936 } 1123 }
937 if (days == 0 && enddate == NULL) { 1124 if (ca_config.days == 0 && ca_config.enddate == NULL) {
938 if (!NCONF_get_number(conf, section, 1125 if (!NCONF_get_number(conf, ca_config.section,
939 ENV_DEFAULT_DAYS, &days)) 1126 ENV_DEFAULT_DAYS, &ca_config.days))
940 days = 0; 1127 ca_config.days = 0;
941 } 1128 }
942 if (enddate == NULL && days == 0) { 1129 if (ca_config.enddate == NULL && ca_config.days == 0) {
943 BIO_printf(bio_err, 1130 BIO_printf(bio_err,
944 "cannot lookup how many days to certify for\n"); 1131 "cannot lookup how many days to certify for\n");
945 goto err; 1132 goto err;
946 } 1133 }
947 if ((serial = load_serial(serialfile, create_ser, NULL)) == 1134 if ((serial = load_serial(serialfile, ca_config.create_ser, NULL)) ==
948 NULL) { 1135 NULL) {
949 BIO_printf(bio_err, 1136 BIO_printf(bio_err,
950 "error while loading serial number\n"); 1137 "error while loading serial number\n");
951 goto err; 1138 goto err;
952 } 1139 }
953 if (verbose) { 1140 if (ca_config.verbose) {
954 if (BN_is_zero(serial)) 1141 if (BN_is_zero(serial))
955 BIO_printf(bio_err, 1142 BIO_printf(bio_err,
956 "next serial number is 00\n"); 1143 "next serial number is 00\n");
@@ -962,21 +1149,21 @@ ca_main(int argc, char **argv)
962 free(f); 1149 free(f);
963 } 1150 }
964 } 1151 }
965 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 1152 if ((attribs = NCONF_get_section(conf, ca_config.policy)) == NULL) {
966 BIO_printf(bio_err, 1153 BIO_printf(bio_err,
967 "unable to find 'section' for %s\n", policy); 1154 "unable to find 'section' for %s\n", ca_config.policy);
968 goto err; 1155 goto err;
969 } 1156 }
970 if ((cert_sk = sk_X509_new_null()) == NULL) { 1157 if ((cert_sk = sk_X509_new_null()) == NULL) {
971 BIO_printf(bio_err, "Memory allocation failure\n"); 1158 BIO_printf(bio_err, "Memory allocation failure\n");
972 goto err; 1159 goto err;
973 } 1160 }
974 if (spkac_file != NULL) { 1161 if (ca_config.spkac_file != NULL) {
975 total++; 1162 total++;
976 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, 1163 j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, dgst,
977 sigopts, attribs, db, serial, subj, chtype, 1164 ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype,
978 multirdn, email_dn, startdate, enddate, days, 1165 ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days,
979 extensions, conf, verbose, certopt, nameopt, 1166 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
980 default_op, ext_copy); 1167 default_op, ext_copy);
981 if (j < 0) 1168 if (j < 0)
982 goto err; 1169 goto err;
@@ -990,18 +1177,18 @@ ca_main(int argc, char **argv)
990 "Memory allocation failure\n"); 1177 "Memory allocation failure\n");
991 goto err; 1178 goto err;
992 } 1179 }
993 if (outfile) { 1180 if (ca_config.outfile) {
994 output_der = 1; 1181 output_der = 1;
995 batch = 1; 1182 ca_config.batch = 1;
996 } 1183 }
997 } 1184 }
998 } 1185 }
999 if (ss_cert_file != NULL) { 1186 if (ca_config.ss_cert_file != NULL) {
1000 total++; 1187 total++;
1001 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, 1188 j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, dgst,
1002 sigopts, attribs, db, serial, subj, chtype, 1189 ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype,
1003 multirdn, email_dn, startdate, enddate, days, batch, 1190 ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1004 extensions, conf, verbose, certopt, nameopt, 1191 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1005 default_op, ext_copy); 1192 default_op, ext_copy);
1006 if (j < 0) 1193 if (j < 0)
1007 goto err; 1194 goto err;
@@ -1017,13 +1204,13 @@ ca_main(int argc, char **argv)
1017 } 1204 }
1018 } 1205 }
1019 } 1206 }
1020 if (infile != NULL) { 1207 if (ca_config.infile != NULL) {
1021 total++; 1208 total++;
1022 j = certify(&x, infile, pkey, x509p, dgst, sigopts, 1209 j = certify(&x, ca_config.infile, pkey, x509p, dgst, ca_config.sigopts,
1023 attribs, db, serial, subj, chtype, multirdn, 1210 attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn,
1024 email_dn, startdate, enddate, days, batch, 1211 ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1025 extensions, conf, verbose, certopt, nameopt, 1212 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1026 default_op, ext_copy, selfsign); 1213 default_op, ext_copy, ca_config.selfsign);
1027 if (j < 0) 1214 if (j < 0)
1028 goto err; 1215 goto err;
1029 if (j > 0) { 1216 if (j > 0) {
@@ -1038,13 +1225,13 @@ ca_main(int argc, char **argv)
1038 } 1225 }
1039 } 1226 }
1040 } 1227 }
1041 for (i = 0; i < argc; i++) { 1228 for (i = 0; i < ca_config.infiles_num; i++) {
1042 total++; 1229 total++;
1043 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, 1230 j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, ca_config.sigopts,
1044 attribs, db, serial, subj, chtype, multirdn, 1231 attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn,
1045 email_dn, startdate, enddate, days, batch, 1232 ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1046 extensions, conf, verbose, certopt, nameopt, 1233 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1047 default_op, ext_copy, selfsign); 1234 default_op, ext_copy, ca_config.selfsign);
1048 if (j < 0) 1235 if (j < 0)
1049 goto err; 1236 goto err;
1050 if (j > 0) { 1237 if (j > 0) {
@@ -1065,7 +1252,7 @@ ca_main(int argc, char **argv)
1065 */ 1252 */
1066 1253
1067 if (sk_X509_num(cert_sk) > 0) { 1254 if (sk_X509_num(cert_sk) > 0) {
1068 if (!batch) { 1255 if (!ca_config.batch) {
1069 char answer[10]; 1256 char answer[10];
1070 1257
1071 BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); 1258 BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
@@ -1089,7 +1276,7 @@ ca_main(int argc, char **argv)
1089 if (!save_index(dbfile, "new", db)) 1276 if (!save_index(dbfile, "new", db))
1090 goto err; 1277 goto err;
1091 } 1278 }
1092 if (verbose) 1279 if (ca_config.verbose)
1093 BIO_printf(bio_err, "writing new certificates\n"); 1280 BIO_printf(bio_err, "writing new certificates\n");
1094 for (i = 0; i < sk_X509_num(cert_sk); i++) { 1281 for (i = 0; i < sk_X509_num(cert_sk); i++) {
1095 int k; 1282 int k;
@@ -1107,7 +1294,7 @@ ca_main(int argc, char **argv)
1107 serialstr = strdup("00"); 1294 serialstr = strdup("00");
1108 if (serialstr) { 1295 if (serialstr) {
1109 k = snprintf(pempath, sizeof(pempath), 1296 k = snprintf(pempath, sizeof(pempath),
1110 "%s/%s.pem", outdir, serialstr); 1297 "%s/%s.pem", ca_config.outdir, serialstr);
1111 free(serialstr); 1298 free(serialstr);
1112 if (k < 0 || k >= sizeof(pempath)) { 1299 if (k < 0 || k >= sizeof(pempath)) {
1113 BIO_printf(bio_err, 1300 BIO_printf(bio_err,
@@ -1119,15 +1306,15 @@ ca_main(int argc, char **argv)
1119 "memory allocation failed\n"); 1306 "memory allocation failed\n");
1120 goto err; 1307 goto err;
1121 } 1308 }
1122 if (verbose) 1309 if (ca_config.verbose)
1123 BIO_printf(bio_err, "writing %s\n", pempath); 1310 BIO_printf(bio_err, "writing %s\n", pempath);
1124 1311
1125 if (BIO_write_filename(Cout, pempath) <= 0) { 1312 if (BIO_write_filename(Cout, pempath) <= 0) {
1126 perror(pempath); 1313 perror(pempath);
1127 goto err; 1314 goto err;
1128 } 1315 }
1129 write_new_certificate(Cout, x, 0, notext); 1316 write_new_certificate(Cout, x, 0, ca_config.notext);
1130 write_new_certificate(Sout, x, output_der, notext); 1317 write_new_certificate(Sout, x, output_der, ca_config.notext);
1131 } 1318 }
1132 1319
1133 if (sk_X509_num(cert_sk)) { 1320 if (sk_X509_num(cert_sk)) {
@@ -1142,27 +1329,27 @@ ca_main(int argc, char **argv)
1142 } 1329 }
1143 } 1330 }
1144 /*****************************************************************/ 1331 /*****************************************************************/
1145 if (gencrl) { 1332 if (ca_config.gencrl) {
1146 int crl_v2 = 0; 1333 int crl_v2 = 0;
1147 if (!crl_ext) { 1334 if (!ca_config.crl_ext) {
1148 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); 1335 ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT);
1149 if (!crl_ext) 1336 if (!ca_config.crl_ext)
1150 ERR_clear_error(); 1337 ERR_clear_error();
1151 } 1338 }
1152 if (crl_ext) { 1339 if (ca_config.crl_ext) {
1153 /* Check syntax of file */ 1340 /* Check syntax of file */
1154 X509V3_CTX ctx; 1341 X509V3_CTX ctx;
1155 X509V3_set_ctx_test(&ctx); 1342 X509V3_set_ctx_test(&ctx);
1156 X509V3_set_nconf(&ctx, conf); 1343 X509V3_set_nconf(&ctx, conf);
1157 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { 1344 if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, NULL)) {
1158 BIO_printf(bio_err, 1345 BIO_printf(bio_err,
1159 "Error Loading CRL extension section %s\n", 1346 "Error Loading CRL extension section %s\n",
1160 crl_ext); 1347 ca_config.crl_ext);
1161 ret = 1; 1348 ret = 1;
1162 goto err; 1349 goto err;
1163 } 1350 }
1164 } 1351 }
1165 if ((crlnumberfile = NCONF_get_string(conf, section, 1352 if ((crlnumberfile = NCONF_get_string(conf, ca_config.section,
1166 ENV_CRLNUMBER)) != NULL) 1353 ENV_CRLNUMBER)) != NULL)
1167 if ((crlnumber = load_serial(crlnumberfile, 0, 1354 if ((crlnumber = load_serial(crlnumberfile, 0,
1168 NULL)) == NULL) { 1355 NULL)) == NULL) {
@@ -1170,20 +1357,20 @@ ca_main(int argc, char **argv)
1170 "error while loading CRL number\n"); 1357 "error while loading CRL number\n");
1171 goto err; 1358 goto err;
1172 } 1359 }
1173 if (!crldays && !crlhours && !crlsec) { 1360 if (!ca_config.crldays && !ca_config.crlhours && !ca_config.crlsec) {
1174 if (!NCONF_get_number(conf, section, 1361 if (!NCONF_get_number(conf, ca_config.section,
1175 ENV_DEFAULT_CRL_DAYS, &crldays)) 1362 ENV_DEFAULT_CRL_DAYS, &ca_config.crldays))
1176 crldays = 0; 1363 ca_config.crldays = 0;
1177 if (!NCONF_get_number(conf, section, 1364 if (!NCONF_get_number(conf, ca_config.section,
1178 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1365 ENV_DEFAULT_CRL_HOURS, &ca_config.crlhours))
1179 crlhours = 0; 1366 ca_config.crlhours = 0;
1180 ERR_clear_error(); 1367 ERR_clear_error();
1181 } 1368 }
1182 if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { 1369 if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && (ca_config.crlsec == 0)) {
1183 BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n"); 1370 BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1184 goto err; 1371 goto err;
1185 } 1372 }
1186 if (verbose) 1373 if (ca_config.verbose)
1187 BIO_printf(bio_err, "making CRL\n"); 1374 BIO_printf(bio_err, "making CRL\n");
1188 if ((crl = X509_CRL_new()) == NULL) 1375 if ((crl = X509_CRL_new()) == NULL)
1189 goto err; 1376 goto err;
@@ -1195,8 +1382,8 @@ ca_main(int argc, char **argv)
1195 goto err; 1382 goto err;
1196 X509_gmtime_adj(tmptm, 0); 1383 X509_gmtime_adj(tmptm, 0);
1197 X509_CRL_set_lastUpdate(crl, tmptm); 1384 X509_CRL_set_lastUpdate(crl, tmptm);
1198 if (!X509_time_adj_ex(tmptm, crldays, 1385 if (!X509_time_adj_ex(tmptm, ca_config.crldays,
1199 crlhours * 60 * 60 + crlsec, NULL)) { 1386 ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL)) {
1200 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1387 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1201 goto err; 1388 goto err;
1202 } 1389 }
@@ -1233,19 +1420,19 @@ ca_main(int argc, char **argv)
1233 X509_CRL_sort(crl); 1420 X509_CRL_sort(crl);
1234 1421
1235 /* we now have a CRL */ 1422 /* we now have a CRL */
1236 if (verbose) 1423 if (ca_config.verbose)
1237 BIO_printf(bio_err, "signing CRL\n"); 1424 BIO_printf(bio_err, "signing CRL\n");
1238 1425
1239 /* Add any extensions asked for */ 1426 /* Add any extensions asked for */
1240 1427
1241 if (crl_ext || crlnumberfile != NULL) { 1428 if (ca_config.crl_ext || crlnumberfile != NULL) {
1242 X509V3_CTX crlctx; 1429 X509V3_CTX crlctx;
1243 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 1430 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1244 X509V3_set_nconf(&crlctx, conf); 1431 X509V3_set_nconf(&crlctx, conf);
1245 1432
1246 if (crl_ext) 1433 if (ca_config.crl_ext)
1247 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, 1434 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1248 crl_ext, crl)) 1435 ca_config.crl_ext, crl))
1249 goto err; 1436 goto err;
1250 if (crlnumberfile != NULL) { 1437 if (crlnumberfile != NULL) {
1251 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1438 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
@@ -1259,7 +1446,7 @@ ca_main(int argc, char **argv)
1259 goto err; 1446 goto err;
1260 } 1447 }
1261 } 1448 }
1262 if (crl_ext || crl_v2) { 1449 if (ca_config.crl_ext || crl_v2) {
1263 if (!X509_CRL_set_version(crl, 1)) 1450 if (!X509_CRL_set_version(crl, 1))
1264 goto err; /* version 2 CRL */ 1451 goto err; /* version 2 CRL */
1265 } 1452 }
@@ -1272,7 +1459,7 @@ ca_main(int argc, char **argv)
1272 BN_free(crlnumber); 1459 BN_free(crlnumber);
1273 crlnumber = NULL; 1460 crlnumber = NULL;
1274 } 1461 }
1275 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts)) 1462 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, ca_config.sigopts))
1276 goto err; 1463 goto err;
1277 1464
1278 PEM_write_bio_X509_CRL(Sout, crl); 1465 PEM_write_bio_X509_CRL(Sout, crl);
@@ -1283,17 +1470,17 @@ ca_main(int argc, char **argv)
1283 1470
1284 } 1471 }
1285 /*****************************************************************/ 1472 /*****************************************************************/
1286 if (dorevoke) { 1473 if (ca_config.dorevoke) {
1287 if (infile == NULL) { 1474 if (ca_config.infile == NULL) {
1288 BIO_printf(bio_err, "no input files\n"); 1475 BIO_printf(bio_err, "no input files\n");
1289 goto err; 1476 goto err;
1290 } else { 1477 } else {
1291 X509 *revcert; 1478 X509 *revcert;
1292 revcert = load_cert(bio_err, infile, FORMAT_PEM, 1479 revcert = load_cert(bio_err, ca_config.infile, FORMAT_PEM,
1293 NULL, infile); 1480 NULL, ca_config.infile);
1294 if (revcert == NULL) 1481 if (revcert == NULL)
1295 goto err; 1482 goto err;
1296 j = do_revoke(revcert, db, rev_type, rev_arg); 1483 j = do_revoke(revcert, db, ca_config.rev_type, ca_config.rev_arg);
1297 if (j <= 0) 1484 if (j <= 0)
1298 goto err; 1485 goto err;
1299 X509_free(revcert); 1486 X509_free(revcert);
@@ -1323,13 +1510,13 @@ ca_main(int argc, char **argv)
1323 1510
1324 if (ret) 1511 if (ret)
1325 ERR_print_errors(bio_err); 1512 ERR_print_errors(bio_err);
1326 if (free_key && key) 1513 if (free_key && ca_config.key)
1327 free(key); 1514 free(ca_config.key);
1328 BN_free(serial); 1515 BN_free(serial);
1329 BN_free(crlnumber); 1516 BN_free(crlnumber);
1330 free_index(db); 1517 free_index(db);
1331 if (sigopts) 1518 if (ca_config.sigopts)
1332 sk_OPENSSL_STRING_free(sigopts); 1519 sk_OPENSSL_STRING_free(ca_config.sigopts);
1333 EVP_PKEY_free(pkey); 1520 EVP_PKEY_free(pkey);
1334 if (x509) 1521 if (x509)
1335 X509_free(x509); 1522 X509_free(x509);
@@ -1526,7 +1713,7 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1526 str = X509_NAME_ENTRY_get_data(ne); 1713 str = X509_NAME_ENTRY_get_data(ne);
1527 obj = X509_NAME_ENTRY_get_object(ne); 1714 obj = X509_NAME_ENTRY_get_object(ne);
1528 1715
1529 if (msie_hack) { 1716 if (ca_config.msie_hack) {
1530 /* assume all type should be strings */ 1717 /* assume all type should be strings */
1531 nid = OBJ_obj2nid(ne->object); 1718 nid = OBJ_obj2nid(ne->object);
1532 1719
@@ -1659,7 +1846,7 @@ again2:
1659 } 1846 }
1660 } 1847 }
1661 1848
1662 if (preserve) { 1849 if (ca_config.preserve) {
1663 X509_NAME_free(subject); 1850 X509_NAME_free(subject);
1664 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 1851 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1665 subject = X509_NAME_dup(name); 1852 subject = X509_NAME_dup(name);