summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorinoguchi <>2021-03-24 12:09:16 +0000
committerinoguchi <>2021-03-24 12:09:16 +0000
commitfe982f909e3eb95563da8f33820ff38d44f1179f (patch)
tree79069416cd2348e90dfcdccc7e5e4df18d644907 /src
parent5129f427750164d91485e246e88bc28013ac7567 (diff)
downloadopenbsd-fe982f909e3eb95563da8f33820ff38d44f1179f.tar.gz
openbsd-fe982f909e3eb95563da8f33820ff38d44f1179f.tar.bz2
openbsd-fe982f909e3eb95563da8f33820ff38d44f1179f.zip
Convert openssl(1) x509 option handling
Apply new option handling to openssl(1) x509. To handle incremental order value, using newly added OPTION_ORDER. I left the descriptions for -CAform, -inform, and -outform as it was, for now. These description would be fixed. And digest option handler could be consolidated to one between some subcommands in the future. ok and comments from tb@, and "I'd move forward with your current plan." from jsing@
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/x509.c1161
1 files changed, 747 insertions, 414 deletions
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index 14c61261ee..a9155fee36 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509.c,v 1.18 2020/05/10 17:13:31 beck Exp $ */ 1/* $OpenBSD: x509.c,v 1.19 2021/03/24 12:09:16 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -81,69 +81,6 @@
81#define POSTFIX ".srl" 81#define POSTFIX ".srl"
82#define DEF_DAYS 30 82#define DEF_DAYS 30
83 83
84static const char *x509_usage[] = {
85 "usage: x509 args\n",
86 " -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
87 " -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
88 " -keyform arg - private key format - default PEM\n",
89 " -CAform arg - CA format - default PEM\n",
90 " -CAkeyform arg - CA key format - default PEM\n",
91 " -in arg - input file - default stdin\n",
92 " -out arg - output file - default stdout\n",
93 " -passin arg - private key password source\n",
94 " -serial - print serial number value\n",
95 " -subject_hash - print subject hash value\n",
96#ifndef OPENSSL_NO_MD5
97 " -subject_hash_old - print old-style (MD5) subject hash value\n",
98#endif
99 " -issuer_hash - print issuer hash value\n",
100#ifndef OPENSSL_NO_MD5
101 " -issuer_hash_old - print old-style (MD5) issuer hash value\n",
102#endif
103 " -hash - synonym for -subject_hash\n",
104 " -subject - print subject DN\n",
105 " -issuer - print issuer DN\n",
106 " -email - print email address(es)\n",
107 " -startdate - notBefore field\n",
108 " -enddate - notAfter field\n",
109 " -purpose - print out certificate purposes\n",
110 " -dates - both Before and After dates\n",
111 " -modulus - print the RSA key modulus\n",
112 " -pubkey - output the public key\n",
113 " -fingerprint - print the certificate fingerprint\n",
114 " -alias - output certificate alias\n",
115 " -noout - no certificate output\n",
116 " -ocspid - print OCSP hash values for the subject name and public key\n",
117 " -ocsp_uri - print OCSP Responder URL(s)\n",
118 " -trustout - output a \"trusted\" certificate\n",
119 " -clrtrust - clear all trusted purposes\n",
120 " -clrreject - clear all rejected purposes\n",
121 " -addtrust arg - trust certificate for a given purpose\n",
122 " -addreject arg - reject certificate for a given purpose\n",
123 " -setalias arg - set certificate alias\n",
124 " -days arg - How long till expiry of a signed certificate - def 30 days\n",
125 " -checkend arg - check whether the cert expires in the next arg seconds\n",
126 " exit 1 if so, 0 if not\n",
127 " -signkey arg - self sign cert with arg\n",
128 " -x509toreq - output a certification request object\n",
129 " -req - input is a certificate request, sign and output.\n",
130 " -CA arg - set the CA certificate, must be PEM format.\n",
131 " -CAkey arg - set the CA key, must be PEM format\n",
132 " missing, it is assumed to be in the CA file.\n",
133 " -CAcreateserial - create serial number file if it does not exist\n",
134 " -CAserial arg - serial file\n",
135 " -set_serial - serial number to use\n",
136 " -text - print the certificate in text form\n",
137 " -C - print out C code forms\n",
138 " -md5/-sha1 - digest to use\n",
139 " -extfile - configuration file with X509V3 extensions to add\n",
140 " -extensions - section from config file with X509V3 extensions to add\n",
141 " -clrext - delete extensions before signing and input certificate\n",
142 " -nameopt arg - various certificate name options\n",
143 " -certopt arg - various certificate text options\n",
144 NULL
145};
146
147static int callb(int ok, X509_STORE_CTX *ctx); 84static int callb(int ok, X509_STORE_CTX *ctx);
148static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 85static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
149 const EVP_MD *digest, CONF *conf, char *section); 86 const EVP_MD *digest, CONF *conf, char *section);
@@ -152,7 +89,637 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
152 char *serial, int create, int days, int clrext, CONF *conf, char *section, 89 char *serial, int create, int days, int clrext, CONF *conf, char *section,
153 ASN1_INTEGER *sno); 90 ASN1_INTEGER *sno);
154static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 91static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
155static int reqfile = 0; 92
93static struct {
94 char *alias;
95 int aliasout;
96 int badops;
97 int C;
98 int CA_createserial;
99 int CA_flag;
100 char *CAfile;
101 int CAformat;
102 char *CAkeyfile;
103 int CAkeyformat;
104 char *CAserial;
105 unsigned long certflag;
106 int checkend;
107 int checkoffset;
108 int clrext;
109 int clrreject;
110 int clrtrust;
111 int days;
112 const EVP_MD *digest;
113 int email;
114 int enddate;
115 char *extfile;
116 char *extsect;
117 int fingerprint;
118 char *infile;
119 int informat;
120 int issuer;
121 int issuer_hash;
122#ifndef OPENSSL_NO_MD5
123 int issuer_hash_old;
124#endif
125 char *keyfile;
126 int keyformat;
127 const EVP_MD *md_alg;
128 int modulus;
129 int next_serial;
130 unsigned long nmflag;
131 int noout;
132 int num;
133 int ocspid;
134 ASN1_OBJECT *objtmp;
135 int ocsp_uri;
136 char *outfile;
137 int outformat;
138 char *passargin;
139 int pprint;
140 int pubkey;
141 STACK_OF(ASN1_OBJECT) *reject;
142 int reqfile;
143 int serial;
144 int sign_flag;
145 STACK_OF(OPENSSL_STRING) *sigopts;
146 ASN1_INTEGER *sno;
147 int startdate;
148 int subject;
149 int subject_hash;
150#ifndef OPENSSL_NO_MD5
151 int subject_hash_old;
152#endif
153 int text;
154 STACK_OF(ASN1_OBJECT) *trust;
155 int trustout;
156 int x509req;
157} x509_config;
158
159static int
160x509_opt_addreject(char *arg)
161{
162 if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) {
163 BIO_printf(bio_err, "Invalid reject object value %s\n", arg);
164 return (1);
165 }
166
167 if (x509_config.reject == NULL &&
168 (x509_config.reject = sk_ASN1_OBJECT_new_null()) == NULL)
169 return (1);
170
171 if (!sk_ASN1_OBJECT_push(x509_config.reject, x509_config.objtmp))
172 return (1);
173
174 x509_config.trustout = 1;
175 return (0);
176}
177
178static int
179x509_opt_addtrust(char *arg)
180{
181 if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) {
182 BIO_printf(bio_err, "Invalid trust object value %s\n", arg);
183 return (1);
184 }
185
186 if (x509_config.trust == NULL &&
187 (x509_config.trust = sk_ASN1_OBJECT_new_null()) == NULL)
188 return (1);
189
190 if (!sk_ASN1_OBJECT_push(x509_config.trust, x509_config.objtmp))
191 return (1);
192
193 x509_config.trustout = 1;
194 return (0);
195}
196
197static int
198x509_opt_ca(char *arg)
199{
200 x509_config.CAfile = arg;
201 x509_config.CA_flag = ++x509_config.num;
202 return (0);
203}
204
205static int
206x509_opt_certopt(char *arg)
207{
208 if (!set_cert_ex(&x509_config.certflag, arg))
209 return (1);
210
211 return (0);
212}
213
214static int
215x509_opt_checkend(char *arg)
216{
217 const char *errstr;
218
219 x509_config.checkoffset = strtonum(arg, 0, INT_MAX, &errstr);
220 if (errstr != NULL) {
221 BIO_printf(bio_err, "checkend unusable: %s\n", errstr);
222 return (1);
223 }
224 x509_config.checkend = 1;
225 return (0);
226}
227
228static int
229x509_opt_dates(void)
230{
231 x509_config.startdate = ++x509_config.num;
232 x509_config.enddate = ++x509_config.num;
233 return (0);
234}
235
236static int
237x509_opt_days(char *arg)
238{
239 const char *errstr;
240
241 x509_config.days = strtonum(arg, 1, INT_MAX, &errstr);
242 if (errstr != NULL) {
243 BIO_printf(bio_err, "bad number of days: %s\n", errstr);
244 return (1);
245 }
246 return (0);
247}
248
249static int
250x509_opt_digest(int argc, char **argv, int *argsused)
251{
252 char *name = argv[0];
253
254 if (*name++ != '-')
255 return (1);
256
257 if ((x509_config.md_alg = EVP_get_digestbyname(name)) != NULL) {
258 x509_config.digest = x509_config.md_alg;
259 } else {
260 BIO_printf(bio_err, "unknown option %s\n", *argv);
261 x509_config.badops = 1;
262 return (1);
263 }
264
265 *argsused = 1;
266 return (0);
267}
268
269static int
270x509_opt_nameopt(char *arg)
271{
272 if (!set_name_ex(&x509_config.nmflag, arg))
273 return (1);
274
275 return (0);
276}
277
278static int
279x509_opt_set_serial(char *arg)
280{
281 ASN1_INTEGER_free(x509_config.sno);
282 if ((x509_config.sno = s2i_ASN1_INTEGER(NULL, arg)) == NULL)
283 return (1);
284
285 return (0);
286}
287
288static int
289x509_opt_setalias(char *arg)
290{
291 x509_config.alias = arg;
292 x509_config.trustout = 1;
293 return (0);
294}
295
296static int
297x509_opt_signkey(char *arg)
298{
299 x509_config.keyfile = arg;
300 x509_config.sign_flag = ++x509_config.num;
301 return (0);
302}
303
304static int
305x509_opt_sigopt(char *arg)
306{
307 if (x509_config.sigopts == NULL &&
308 (x509_config.sigopts = sk_OPENSSL_STRING_new_null()) == NULL)
309 return (1);
310
311 if (!sk_OPENSSL_STRING_push(x509_config.sigopts, arg))
312 return (1);
313
314 return (0);
315}
316
317static const struct option x509_options[] = {
318 {
319 .name = "C",
320 .desc = "Convert the certificate into C code",
321 .type = OPTION_ORDER,
322 .opt.order = &x509_config.C,
323 .order = &x509_config.num,
324 },
325 {
326 .name = "addreject",
327 .argname = "arg",
328 .desc = "Reject certificate for a given purpose",
329 .type = OPTION_ARG_FUNC,
330 .opt.argfunc = x509_opt_addreject,
331 },
332 {
333 .name = "addtrust",
334 .argname = "arg",
335 .desc = "Trust certificate for a given purpose",
336 .type = OPTION_ARG_FUNC,
337 .opt.argfunc = x509_opt_addtrust,
338 },
339 {
340 .name = "alias",
341 .desc = "Output certificate alias",
342 .type = OPTION_ORDER,
343 .opt.order = &x509_config.aliasout,
344 .order = &x509_config.num,
345 },
346 {
347 .name = "CA",
348 .argname = "file",
349 .desc = "CA certificate in PEM format unless -CAform is specified",
350 .type = OPTION_ARG_FUNC,
351 .opt.argfunc = x509_opt_ca,
352 },
353 {
354 .name = "CAcreateserial",
355 .desc = "Create serial number file if it does not exist",
356 .type = OPTION_ORDER,
357 .opt.order = &x509_config.CA_createserial,
358 .order = &x509_config.num,
359 },
360 {
361 .name = "CAform",
362 .argname = "fmt",
363 .desc = "CA format - default PEM",
364 .type = OPTION_ARG_FORMAT,
365 .opt.value = &x509_config.CAformat,
366 },
367 {
368 .name = "CAkey",
369 .argname = "file",
370 .desc = "CA key in PEM format unless -CAkeyform is specified\n"
371 "if omitted, the key is assumed to be in the CA file",
372 .type = OPTION_ARG,
373 .opt.arg = &x509_config.CAkeyfile,
374 },
375 {
376 .name = "CAkeyform",
377 .argname = "fmt",
378 .desc = "CA key format - default PEM",
379 .type = OPTION_ARG_FORMAT,
380 .opt.value = &x509_config.CAkeyformat,
381 },
382 {
383 .name = "CAserial",
384 .argname = "file",
385 .desc = "Serial file",
386 .type = OPTION_ARG,
387 .opt.arg = &x509_config.CAserial,
388 },
389 {
390 .name = "certopt",
391 .argname = "option",
392 .desc = "Various certificate text options",
393 .type = OPTION_ARG_FUNC,
394 .opt.argfunc = x509_opt_certopt,
395 },
396 {
397 .name = "checkend",
398 .argname = "arg",
399 .desc = "Check whether the cert expires in the next arg seconds\n"
400 "exit 1 if so, 0 if not",
401 .type = OPTION_ARG_FUNC,
402 .opt.argfunc = x509_opt_checkend,
403 },
404 {
405 .name = "clrext",
406 .desc = "Clear all extensions",
407 .type = OPTION_FLAG,
408 .opt.flag = &x509_config.clrext,
409 },
410 {
411 .name = "clrreject",
412 .desc = "Clear all rejected purposes",
413 .type = OPTION_ORDER,
414 .opt.order = &x509_config.clrreject,
415 .order = &x509_config.num,
416 },
417 {
418 .name = "clrtrust",
419 .desc = "Clear all trusted purposes",
420 .type = OPTION_ORDER,
421 .opt.order = &x509_config.clrtrust,
422 .order = &x509_config.num,
423 },
424 {
425 .name = "dates",
426 .desc = "Both Before and After dates",
427 .type = OPTION_FUNC,
428 .opt.func = x509_opt_dates,
429 },
430 {
431 .name = "days",
432 .argname = "arg",
433 .desc = "How long till expiry of a signed certificate - def 30 days",
434 .type = OPTION_ARG_FUNC,
435 .opt.argfunc = x509_opt_days,
436 },
437 {
438 .name = "email",
439 .desc = "Print email address(es)",
440 .type = OPTION_ORDER,
441 .opt.order = &x509_config.email,
442 .order = &x509_config.num,
443 },
444 {
445 .name = "enddate",
446 .desc = "Print notAfter field",
447 .type = OPTION_ORDER,
448 .opt.order = &x509_config.enddate,
449 .order = &x509_config.num,
450 },
451 {
452 .name = "extensions",
453 .argname = "section",
454 .desc = "Section from config file with X509V3 extensions to add",
455 .type = OPTION_ARG,
456 .opt.arg = &x509_config.extsect,
457 },
458 {
459 .name = "extfile",
460 .argname = "file",
461 .desc = "Configuration file with X509V3 extensions to add",
462 .type = OPTION_ARG,
463 .opt.arg = &x509_config.extfile,
464 },
465 {
466 .name = "fingerprint",
467 .desc = "Print the certificate fingerprint",
468 .type = OPTION_ORDER,
469 .opt.order = &x509_config.fingerprint,
470 .order = &x509_config.num,
471 },
472 {
473 .name = "hash",
474 .desc = "Synonym for -subject_hash",
475 .type = OPTION_ORDER,
476 .opt.order = &x509_config.subject_hash,
477 .order = &x509_config.num,
478 },
479 {
480 .name = "in",
481 .argname = "file",
482 .desc = "Input file - default stdin",
483 .type = OPTION_ARG,
484 .opt.arg = &x509_config.infile,
485 },
486 {
487 .name = "inform",
488 .argname = "fmt",
489 .desc = "Input format - default PEM (one of DER, NET or PEM)",
490 .type = OPTION_ARG_FORMAT,
491 .opt.value = &x509_config.informat,
492 },
493 {
494 .name = "issuer",
495 .desc = "Print issuer name",
496 .type = OPTION_ORDER,
497 .opt.order = &x509_config.issuer,
498 .order = &x509_config.num,
499 },
500 {
501 .name = "issuer_hash",
502 .desc = "Print issuer hash value",
503 .type = OPTION_ORDER,
504 .opt.order = &x509_config.issuer_hash,
505 .order = &x509_config.num,
506 },
507#ifndef OPENSSL_NO_MD5
508 {
509 .name = "issuer_hash_old",
510 .desc = "Print old-style (MD5) issuer hash value",
511 .type = OPTION_ORDER,
512 .opt.order = &x509_config.issuer_hash_old,
513 .order = &x509_config.num,
514 },
515#endif
516 {
517 .name = "keyform",
518 .argname = "fmt",
519 .desc = "Private key format - default PEM",
520 .type = OPTION_ARG_FORMAT,
521 .opt.value = &x509_config.keyformat,
522 },
523 {
524 .name = "modulus",
525 .desc = "Print the RSA key modulus",
526 .type = OPTION_ORDER,
527 .opt.order = &x509_config.modulus,
528 .order = &x509_config.num,
529 },
530 {
531 .name = "nameopt",
532 .argname = "option",
533 .desc = "Various certificate name options",
534 .type = OPTION_ARG_FUNC,
535 .opt.argfunc = x509_opt_nameopt,
536 },
537 {
538 .name = "next_serial",
539 .desc = "Print the next serial number",
540 .type = OPTION_ORDER,
541 .opt.order = &x509_config.next_serial,
542 .order = &x509_config.num,
543 },
544 {
545 .name = "noout",
546 .desc = "No certificate output",
547 .type = OPTION_ORDER,
548 .opt.order = &x509_config.noout,
549 .order = &x509_config.num,
550 },
551 {
552 .name = "ocsp_uri",
553 .desc = "Print OCSP Responder URL(s)",
554 .type = OPTION_ORDER,
555 .opt.order = &x509_config.ocsp_uri,
556 .order = &x509_config.num,
557 },
558 {
559 .name = "ocspid",
560 .desc = "Print OCSP hash values for the subject name and public key",
561 .type = OPTION_ORDER,
562 .opt.order = &x509_config.ocspid,
563 .order = &x509_config.num,
564 },
565 {
566 .name = "out",
567 .argname = "file",
568 .desc = "Output file - default stdout",
569 .type = OPTION_ARG,
570 .opt.arg = &x509_config.outfile,
571 },
572 {
573 .name = "outform",
574 .argname = "fmt",
575 .desc = "Output format - default PEM (one of DER, NET or PEM)",
576 .type = OPTION_ARG_FORMAT,
577 .opt.value = &x509_config.outformat,
578 },
579 {
580 .name = "passin",
581 .argname = "src",
582 .desc = "Private key password source",
583 .type = OPTION_ARG,
584 .opt.arg = &x509_config.passargin,
585 },
586 {
587 .name = "pubkey",
588 .desc = "Output the public key",
589 .type = OPTION_ORDER,
590 .opt.order = &x509_config.pubkey,
591 .order = &x509_config.num,
592 },
593 {
594 .name = "purpose",
595 .desc = "Print out certificate purposes",
596 .type = OPTION_ORDER,
597 .opt.order = &x509_config.pprint,
598 .order = &x509_config.num,
599 },
600 {
601 .name = "req",
602 .desc = "Input is a certificate request, sign and output",
603 .type = OPTION_FLAG,
604 .opt.flag = &x509_config.reqfile,
605 },
606 {
607 .name = "serial",
608 .desc = "Print serial number value",
609 .type = OPTION_ORDER,
610 .opt.order = &x509_config.serial,
611 .order = &x509_config.num,
612 },
613 {
614 .name = "set_serial",
615 .argname = "n",
616 .desc = "Serial number to use",
617 .type = OPTION_ARG_FUNC,
618 .opt.argfunc = x509_opt_set_serial,
619 },
620 {
621 .name = "setalias",
622 .argname = "arg",
623 .desc = "Set certificate alias",
624 .type = OPTION_ARG_FUNC,
625 .opt.argfunc = x509_opt_setalias,
626 },
627 {
628 .name = "signkey",
629 .argname = "file",
630 .desc = "Self sign cert with arg",
631 .type = OPTION_ARG_FUNC,
632 .opt.argfunc = x509_opt_signkey,
633 },
634 {
635 .name = "sigopt",
636 .argname = "nm:v",
637 .desc = "Various signature algorithm options",
638 .type = OPTION_ARG_FUNC,
639 .opt.argfunc = x509_opt_sigopt,
640 },
641 {
642 .name = "startdate",
643 .desc = "Print notBefore field",
644 .type = OPTION_ORDER,
645 .opt.order = &x509_config.startdate,
646 .order = &x509_config.num,
647 },
648 {
649 .name = "subject",
650 .desc = "Print subject name",
651 .type = OPTION_ORDER,
652 .opt.order = &x509_config.subject,
653 .order = &x509_config.num,
654 },
655 {
656 .name = "subject_hash",
657 .desc = "Print subject hash value",
658 .type = OPTION_ORDER,
659 .opt.order = &x509_config.subject_hash,
660 .order = &x509_config.num,
661 },
662#ifndef OPENSSL_NO_MD5
663 {
664 .name = "subject_hash_old",
665 .desc = "Print old-style (MD5) subject hash value",
666 .type = OPTION_ORDER,
667 .opt.order = &x509_config.subject_hash_old,
668 .order = &x509_config.num,
669 },
670#endif
671 {
672 .name = "text",
673 .desc = "Print the certificate in text form",
674 .type = OPTION_ORDER,
675 .opt.order = &x509_config.text,
676 .order = &x509_config.num,
677 },
678 {
679 .name = "trustout",
680 .desc = "Output a trusted certificate",
681 .type = OPTION_FLAG,
682 .opt.flag = &x509_config.trustout,
683 },
684 {
685 .name = "x509toreq",
686 .desc = "Output a certification request object",
687 .type = OPTION_ORDER,
688 .opt.order = &x509_config.x509req,
689 .order = &x509_config.num,
690 },
691 {
692 .name = NULL,
693 .desc = "",
694 .type = OPTION_ARGV_FUNC,
695 .opt.argvfunc = x509_opt_digest,
696 },
697 { NULL },
698};
699
700static void
701x509_usage(void)
702{
703 fprintf(stderr, "usage: x509 "
704 "[-C] [-addreject arg] [-addtrust arg] [-alias] [-CA file]\n"
705 " [-CAcreateserial] [-CAform der | pem] [-CAkey file]\n"
706 " [-CAkeyform der | pem] [-CAserial file] [-certopt option]\n"
707 " [-checkend arg] [-clrext] [-clrreject] [-clrtrust] [-dates]\n"
708 " [-days arg] [-email] [-enddate] [-extensions section]\n"
709 " [-extfile file] [-fingerprint] [-hash] [-in file]\n"
710 " [-inform der | net | pem] [-issuer] [-issuer_hash]\n"
711 " [-issuer_hash_old] [-keyform der | pem] [-md5 | -sha1]\n"
712 " [-modulus] [-nameopt option] [-next_serial] [-noout]\n"
713 " [-ocsp_uri] [-ocspid] [-out file]\n"
714 " [-outform der | net | pem] [-passin arg] [-pubkey]\n"
715 " [-purpose] [-req] [-serial] [-set_serial n] [-setalias arg]\n"
716 " [-signkey file] [-sigopt nm:v] [-startdate] [-subject]\n"
717 " [-subject_hash] [-subject_hash_old] [-text] [-trustout]\n"
718 " [-x509toreq]\n");
719 fprintf(stderr, "\n");
720 options_usage(x509_options);
721 fprintf(stderr, "\n");
722}
156 723
157int 724int
158x509_main(int argc, char **argv) 725x509_main(int argc, char **argv)
@@ -160,43 +727,15 @@ x509_main(int argc, char **argv)
160 int ret = 1; 727 int ret = 1;
161 X509_REQ *req = NULL; 728 X509_REQ *req = NULL;
162 X509 *x = NULL, *xca = NULL; 729 X509 *x = NULL, *xca = NULL;
163 ASN1_OBJECT *objtmp;
164 STACK_OF(OPENSSL_STRING) *sigopts = NULL;
165 EVP_PKEY *Upkey = NULL, *CApkey = NULL; 730 EVP_PKEY *Upkey = NULL, *CApkey = NULL;
166 ASN1_INTEGER *sno = NULL; 731 int i;
167 int i, num, badops = 0;
168 BIO *out = NULL; 732 BIO *out = NULL;
169 BIO *STDout = NULL; 733 BIO *STDout = NULL;
170 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
171 int informat, outformat, keyformat, CAformat, CAkeyformat;
172 char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
173 char *CAkeyfile = NULL, *CAserial = NULL;
174 char *alias = NULL;
175 int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0,
176 enddate = 0;
177 int next_serial = 0;
178 int subject_hash = 0, issuer_hash = 0, ocspid = 0;
179#ifndef OPENSSL_NO_MD5
180 int subject_hash_old = 0, issuer_hash_old = 0;
181#endif
182 int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0,
183 email = 0;
184 int ocsp_uri = 0;
185 int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0;
186 int C = 0;
187 int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0;
188 int pprint = 0;
189 const char **pp;
190 X509_STORE *ctx = NULL; 734 X509_STORE *ctx = NULL;
191 X509_REQ *rq = NULL; 735 X509_REQ *rq = NULL;
192 int fingerprint = 0;
193 char buf[256]; 736 char buf[256];
194 const EVP_MD *md_alg, *digest = NULL;
195 CONF *extconf = NULL; 737 CONF *extconf = NULL;
196 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; 738 char *passin = NULL;
197 int checkend = 0, checkoffset = 0;
198 unsigned long nmflag = 0, certflag = 0;
199 const char *errstr = NULL;
200 739
201 if (single_execution) { 740 if (single_execution) {
202 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) { 741 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
@@ -205,237 +744,31 @@ x509_main(int argc, char **argv)
205 } 744 }
206 } 745 }
207 746
208 reqfile = 0; 747 memset(&x509_config, 0, sizeof(x509_config));
748 x509_config.days = DEF_DAYS;
749 x509_config.informat = FORMAT_PEM;
750 x509_config.outformat = FORMAT_PEM;
751 x509_config.keyformat = FORMAT_PEM;
752 x509_config.CAformat = FORMAT_PEM;
753 x509_config.CAkeyformat = FORMAT_PEM;
209 754
210 STDout = BIO_new_fp(stdout, BIO_NOCLOSE); 755 STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
211 756
212 informat = FORMAT_PEM;
213 outformat = FORMAT_PEM;
214 keyformat = FORMAT_PEM;
215 CAformat = FORMAT_PEM;
216 CAkeyformat = FORMAT_PEM;
217
218 ctx = X509_STORE_new(); 757 ctx = X509_STORE_new();
219 if (ctx == NULL) 758 if (ctx == NULL)
220 goto end; 759 goto end;
221 X509_STORE_set_verify_cb(ctx, callb); 760 X509_STORE_set_verify_cb(ctx, callb);
222 761
223 argc--; 762 if (options_parse(argc, argv, x509_options, NULL, NULL) != 0)
224 argv++; 763 goto bad;
225 num = 0;
226 while (argc >= 1) {
227 if (strcmp(*argv, "-inform") == 0) {
228 if (--argc < 1)
229 goto bad;
230 informat = str2fmt(*(++argv));
231 } else if (strcmp(*argv, "-outform") == 0) {
232 if (--argc < 1)
233 goto bad;
234 outformat = str2fmt(*(++argv));
235 } else if (strcmp(*argv, "-keyform") == 0) {
236 if (--argc < 1)
237 goto bad;
238 keyformat = str2fmt(*(++argv));
239 } else if (strcmp(*argv, "-req") == 0) {
240 reqfile = 1;
241 } else if (strcmp(*argv, "-CAform") == 0) {
242 if (--argc < 1)
243 goto bad;
244 CAformat = str2fmt(*(++argv));
245 } else if (strcmp(*argv, "-CAkeyform") == 0) {
246 if (--argc < 1)
247 goto bad;
248 CAkeyformat = str2fmt(*(++argv));
249 } else if (strcmp(*argv, "-sigopt") == 0) {
250 if (--argc < 1)
251 goto bad;
252 if (!sigopts)
253 sigopts = sk_OPENSSL_STRING_new_null();
254 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
255 goto bad;
256 } else if (strcmp(*argv, "-days") == 0) {
257 if (--argc < 1)
258 goto bad;
259 days = strtonum(*(++argv), 1, INT_MAX, &errstr);
260 if (errstr) {
261 BIO_printf(bio_err, "bad number of days: %s\n", errstr);
262 goto bad;
263 }
264 } else if (strcmp(*argv, "-passin") == 0) {
265 if (--argc < 1)
266 goto bad;
267 passargin = *(++argv);
268 } else if (strcmp(*argv, "-extfile") == 0) {
269 if (--argc < 1)
270 goto bad;
271 extfile = *(++argv);
272 } else if (strcmp(*argv, "-extensions") == 0) {
273 if (--argc < 1)
274 goto bad;
275 extsect = *(++argv);
276 } else if (strcmp(*argv, "-in") == 0) {
277 if (--argc < 1)
278 goto bad;
279 infile = *(++argv);
280 } else if (strcmp(*argv, "-out") == 0) {
281 if (--argc < 1)
282 goto bad;
283 outfile = *(++argv);
284 } else if (strcmp(*argv, "-signkey") == 0) {
285 if (--argc < 1)
286 goto bad;
287 keyfile = *(++argv);
288 sign_flag = ++num;
289 } else if (strcmp(*argv, "-CA") == 0) {
290 if (--argc < 1)
291 goto bad;
292 CAfile = *(++argv);
293 CA_flag = ++num;
294 } else if (strcmp(*argv, "-CAkey") == 0) {
295 if (--argc < 1)
296 goto bad;
297 CAkeyfile = *(++argv);
298 } else if (strcmp(*argv, "-CAserial") == 0) {
299 if (--argc < 1)
300 goto bad;
301 CAserial = *(++argv);
302 } else if (strcmp(*argv, "-set_serial") == 0) {
303 if (--argc < 1)
304 goto bad;
305 ASN1_INTEGER_free(sno);
306 if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
307 goto bad;
308 } else if (strcmp(*argv, "-addtrust") == 0) {
309 if (--argc < 1)
310 goto bad;
311 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
312 BIO_printf(bio_err,
313 "Invalid trust object value %s\n", *argv);
314 goto bad;
315 }
316 if (!trust)
317 trust = sk_ASN1_OBJECT_new_null();
318 sk_ASN1_OBJECT_push(trust, objtmp);
319 trustout = 1;
320 } else if (strcmp(*argv, "-addreject") == 0) {
321 if (--argc < 1)
322 goto bad;
323 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
324 BIO_printf(bio_err,
325 "Invalid reject object value %s\n", *argv);
326 goto bad;
327 }
328 if (!reject)
329 reject = sk_ASN1_OBJECT_new_null();
330 sk_ASN1_OBJECT_push(reject, objtmp);
331 trustout = 1;
332 } else if (strcmp(*argv, "-setalias") == 0) {
333 if (--argc < 1)
334 goto bad;
335 alias = *(++argv);
336 trustout = 1;
337 } else if (strcmp(*argv, "-certopt") == 0) {
338 if (--argc < 1)
339 goto bad;
340 if (!set_cert_ex(&certflag, *(++argv)))
341 goto bad;
342 } else if (strcmp(*argv, "-nameopt") == 0) {
343 if (--argc < 1)
344 goto bad;
345 if (!set_name_ex(&nmflag, *(++argv)))
346 goto bad;
347 }
348 else if (strcmp(*argv, "-C") == 0)
349 C = ++num;
350 else if (strcmp(*argv, "-email") == 0)
351 email = ++num;
352 else if (strcmp(*argv, "-ocsp_uri") == 0)
353 ocsp_uri = ++num;
354 else if (strcmp(*argv, "-serial") == 0)
355 serial = ++num;
356 else if (strcmp(*argv, "-next_serial") == 0)
357 next_serial = ++num;
358 else if (strcmp(*argv, "-modulus") == 0)
359 modulus = ++num;
360 else if (strcmp(*argv, "-pubkey") == 0)
361 pubkey = ++num;
362 else if (strcmp(*argv, "-x509toreq") == 0)
363 x509req = ++num;
364 else if (strcmp(*argv, "-text") == 0)
365 text = ++num;
366 else if (strcmp(*argv, "-hash") == 0 ||
367 strcmp(*argv, "-subject_hash") == 0)
368 subject_hash = ++num;
369#ifndef OPENSSL_NO_MD5
370 else if (strcmp(*argv, "-subject_hash_old") == 0)
371 subject_hash_old = ++num;
372#endif
373 else if (strcmp(*argv, "-issuer_hash") == 0)
374 issuer_hash = ++num;
375#ifndef OPENSSL_NO_MD5
376 else if (strcmp(*argv, "-issuer_hash_old") == 0)
377 issuer_hash_old = ++num;
378#endif
379 else if (strcmp(*argv, "-subject") == 0)
380 subject = ++num;
381 else if (strcmp(*argv, "-issuer") == 0)
382 issuer = ++num;
383 else if (strcmp(*argv, "-fingerprint") == 0)
384 fingerprint = ++num;
385 else if (strcmp(*argv, "-dates") == 0) {
386 startdate = ++num;
387 enddate = ++num;
388 } else if (strcmp(*argv, "-purpose") == 0)
389 pprint = ++num;
390 else if (strcmp(*argv, "-startdate") == 0)
391 startdate = ++num;
392 else if (strcmp(*argv, "-enddate") == 0)
393 enddate = ++num;
394 else if (strcmp(*argv, "-checkend") == 0) {
395 if (--argc < 1)
396 goto bad;
397 checkoffset = strtonum(*(++argv), 0, INT_MAX, &errstr);
398 if (errstr) {
399 BIO_printf(bio_err, "checkend unusable: %s\n", errstr);
400 goto bad;
401 }
402 checkend = 1;
403 } else if (strcmp(*argv, "-noout") == 0)
404 noout = ++num;
405 else if (strcmp(*argv, "-trustout") == 0)
406 trustout = 1;
407 else if (strcmp(*argv, "-clrtrust") == 0)
408 clrtrust = ++num;
409 else if (strcmp(*argv, "-clrreject") == 0)
410 clrreject = ++num;
411 else if (strcmp(*argv, "-alias") == 0)
412 aliasout = ++num;
413 else if (strcmp(*argv, "-CAcreateserial") == 0)
414 CA_createserial = ++num;
415 else if (strcmp(*argv, "-clrext") == 0)
416 clrext = 1;
417 else if (strcmp(*argv, "-ocspid") == 0)
418 ocspid = ++num;
419 else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
420 /* ok */
421 digest = md_alg;
422 } else {
423 BIO_printf(bio_err, "unknown option %s\n", *argv);
424 badops = 1;
425 break;
426 }
427 argc--;
428 argv++;
429 }
430 764
431 if (badops) { 765 if (x509_config.badops) {
432 bad: 766 bad:
433 for (pp = x509_usage; (*pp != NULL); pp++) 767 x509_usage();
434 BIO_printf(bio_err, "%s", *pp);
435 goto end; 768 goto end;
436 } 769 }
437 770
438 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { 771 if (!app_passwd(bio_err, x509_config.passargin, NULL, &passin, NULL)) {
439 BIO_printf(bio_err, "Error getting password\n"); 772 BIO_printf(bio_err, "Error getting password\n");
440 goto end; 773 goto end;
441 } 774 }
@@ -443,51 +776,51 @@ x509_main(int argc, char **argv)
443 ERR_print_errors(bio_err); 776 ERR_print_errors(bio_err);
444 goto end; 777 goto end;
445 } 778 }
446 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { 779 if ((x509_config.CAkeyfile == NULL) && (x509_config.CA_flag) && (x509_config.CAformat == FORMAT_PEM)) {
447 CAkeyfile = CAfile; 780 x509_config.CAkeyfile = x509_config.CAfile;
448 } else if ((CA_flag) && (CAkeyfile == NULL)) { 781 } else if ((x509_config.CA_flag) && (x509_config.CAkeyfile == NULL)) {
449 BIO_printf(bio_err, 782 BIO_printf(bio_err,
450 "need to specify a CAkey if using the CA command\n"); 783 "need to specify a CAkey if using the CA command\n");
451 goto end; 784 goto end;
452 } 785 }
453 if (extfile) { 786 if (x509_config.extfile) {
454 long errorline = -1; 787 long errorline = -1;
455 X509V3_CTX ctx2; 788 X509V3_CTX ctx2;
456 extconf = NCONF_new(NULL); 789 extconf = NCONF_new(NULL);
457 if (!NCONF_load(extconf, extfile, &errorline)) { 790 if (!NCONF_load(extconf, x509_config.extfile, &errorline)) {
458 if (errorline <= 0) 791 if (errorline <= 0)
459 BIO_printf(bio_err, 792 BIO_printf(bio_err,
460 "error loading the config file '%s'\n", 793 "error loading the config file '%s'\n",
461 extfile); 794 x509_config.extfile);
462 else 795 else
463 BIO_printf(bio_err, 796 BIO_printf(bio_err,
464 "error on line %ld of config file '%s'\n", 797 "error on line %ld of config file '%s'\n",
465 errorline, extfile); 798 errorline, x509_config.extfile);
466 goto end; 799 goto end;
467 } 800 }
468 if (!extsect) { 801 if (!x509_config.extsect) {
469 extsect = NCONF_get_string(extconf, "default", 802 x509_config.extsect = NCONF_get_string(extconf, "default",
470 "extensions"); 803 "extensions");
471 if (!extsect) { 804 if (!x509_config.extsect) {
472 ERR_clear_error(); 805 ERR_clear_error();
473 extsect = "default"; 806 x509_config.extsect = "default";
474 } 807 }
475 } 808 }
476 X509V3_set_ctx_test(&ctx2); 809 X509V3_set_ctx_test(&ctx2);
477 X509V3_set_nconf(&ctx2, extconf); 810 X509V3_set_nconf(&ctx2, extconf);
478 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { 811 if (!X509V3_EXT_add_nconf(extconf, &ctx2, x509_config.extsect, NULL)) {
479 BIO_printf(bio_err, 812 BIO_printf(bio_err,
480 "Error Loading extension section %s\n", 813 "Error Loading extension section %s\n",
481 extsect); 814 x509_config.extsect);
482 ERR_print_errors(bio_err); 815 ERR_print_errors(bio_err);
483 goto end; 816 goto end;
484 } 817 }
485 } 818 }
486 if (reqfile) { 819 if (x509_config.reqfile) {
487 EVP_PKEY *pkey; 820 EVP_PKEY *pkey;
488 BIO *in; 821 BIO *in;
489 822
490 if (!sign_flag && !CA_flag) { 823 if (!x509_config.sign_flag && !x509_config.CA_flag) {
491 BIO_printf(bio_err, "We need a private key to sign with\n"); 824 BIO_printf(bio_err, "We need a private key to sign with\n");
492 goto end; 825 goto end;
493 } 826 }
@@ -496,11 +829,11 @@ x509_main(int argc, char **argv)
496 ERR_print_errors(bio_err); 829 ERR_print_errors(bio_err);
497 goto end; 830 goto end;
498 } 831 }
499 if (infile == NULL) 832 if (x509_config.infile == NULL)
500 BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT); 833 BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
501 else { 834 else {
502 if (BIO_read_filename(in, infile) <= 0) { 835 if (BIO_read_filename(in, x509_config.infile) <= 0) {
503 perror(infile); 836 perror(x509_config.infile);
504 BIO_free(in); 837 BIO_free(in);
505 goto end; 838 goto end;
506 } 839 }
@@ -537,20 +870,20 @@ x509_main(int argc, char **argv)
537 } else 870 } else
538 BIO_printf(bio_err, "Signature ok\n"); 871 BIO_printf(bio_err, "Signature ok\n");
539 872
540 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); 873 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), x509_config.nmflag);
541 874
542 if ((x = X509_new()) == NULL) 875 if ((x = X509_new()) == NULL)
543 goto end; 876 goto end;
544 877
545 if (sno == NULL) { 878 if (x509_config.sno == NULL) {
546 sno = ASN1_INTEGER_new(); 879 x509_config.sno = ASN1_INTEGER_new();
547 if (!sno || !rand_serial(NULL, sno)) 880 if (!x509_config.sno || !rand_serial(NULL, x509_config.sno))
548 goto end; 881 goto end;
549 if (!X509_set_serialNumber(x, sno)) 882 if (!X509_set_serialNumber(x, x509_config.sno))
550 goto end; 883 goto end;
551 ASN1_INTEGER_free(sno); 884 ASN1_INTEGER_free(x509_config.sno);
552 sno = NULL; 885 x509_config.sno = NULL;
553 } else if (!X509_set_serialNumber(x, sno)) 886 } else if (!X509_set_serialNumber(x, x509_config.sno))
554 goto end; 887 goto end;
555 888
556 if (!X509_set_issuer_name(x, req->req_info->subject)) 889 if (!X509_set_issuer_name(x, req->req_info->subject))
@@ -559,22 +892,22 @@ x509_main(int argc, char **argv)
559 goto end; 892 goto end;
560 893
561 X509_gmtime_adj(X509_get_notBefore(x), 0); 894 X509_gmtime_adj(X509_get_notBefore(x), 0);
562 X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); 895 X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0, NULL);
563 896
564 pkey = X509_REQ_get_pubkey(req); 897 pkey = X509_REQ_get_pubkey(req);
565 X509_set_pubkey(x, pkey); 898 X509_set_pubkey(x, pkey);
566 EVP_PKEY_free(pkey); 899 EVP_PKEY_free(pkey);
567 } else 900 } else
568 x = load_cert(bio_err, infile, informat, NULL, "Certificate"); 901 x = load_cert(bio_err, x509_config.infile, x509_config.informat, NULL, "Certificate");
569 902
570 if (x == NULL) 903 if (x == NULL)
571 goto end; 904 goto end;
572 if (CA_flag) { 905 if (x509_config.CA_flag) {
573 xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate"); 906 xca = load_cert(bio_err, x509_config.CAfile, x509_config.CAformat, NULL, "CA Certificate");
574 if (xca == NULL) 907 if (xca == NULL)
575 goto end; 908 goto end;
576 } 909 }
577 if (!noout || text || next_serial) { 910 if (!x509_config.noout || x509_config.text || x509_config.next_serial) {
578 OBJ_create("2.99999.3", 911 OBJ_create("2.99999.3",
579 "SET.ex3", "SET x509v3 extension 3"); 912 "SET.ex3", "SET x509v3 extension 3");
580 913
@@ -583,49 +916,49 @@ x509_main(int argc, char **argv)
583 ERR_print_errors(bio_err); 916 ERR_print_errors(bio_err);
584 goto end; 917 goto end;
585 } 918 }
586 if (outfile == NULL) { 919 if (x509_config.outfile == NULL) {
587 BIO_set_fp(out, stdout, BIO_NOCLOSE); 920 BIO_set_fp(out, stdout, BIO_NOCLOSE);
588 } else { 921 } else {
589 if (BIO_write_filename(out, outfile) <= 0) { 922 if (BIO_write_filename(out, x509_config.outfile) <= 0) {
590 perror(outfile); 923 perror(x509_config.outfile);
591 goto end; 924 goto end;
592 } 925 }
593 } 926 }
594 } 927 }
595 if (alias) 928 if (x509_config.alias)
596 X509_alias_set1(x, (unsigned char *) alias, -1); 929 X509_alias_set1(x, (unsigned char *) x509_config.alias, -1);
597 930
598 if (clrtrust) 931 if (x509_config.clrtrust)
599 X509_trust_clear(x); 932 X509_trust_clear(x);
600 if (clrreject) 933 if (x509_config.clrreject)
601 X509_reject_clear(x); 934 X509_reject_clear(x);
602 935
603 if (trust) { 936 if (x509_config.trust) {
604 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { 937 for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {
605 objtmp = sk_ASN1_OBJECT_value(trust, i); 938 x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.trust, i);
606 X509_add1_trust_object(x, objtmp); 939 X509_add1_trust_object(x, x509_config.objtmp);
607 } 940 }
608 } 941 }
609 if (reject) { 942 if (x509_config.reject) {
610 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { 943 for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {
611 objtmp = sk_ASN1_OBJECT_value(reject, i); 944 x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.reject, i);
612 X509_add1_reject_object(x, objtmp); 945 X509_add1_reject_object(x, x509_config.objtmp);
613 } 946 }
614 } 947 }
615 if (num) { 948 if (x509_config.num) {
616 for (i = 1; i <= num; i++) { 949 for (i = 1; i <= x509_config.num; i++) {
617 if (issuer == i) { 950 if (x509_config.issuer == i) {
618 print_name(STDout, "issuer= ", 951 print_name(STDout, "issuer= ",
619 X509_get_issuer_name(x), nmflag); 952 X509_get_issuer_name(x), x509_config.nmflag);
620 } else if (subject == i) { 953 } else if (x509_config.subject == i) {
621 print_name(STDout, "subject= ", 954 print_name(STDout, "subject= ",
622 X509_get_subject_name(x), nmflag); 955 X509_get_subject_name(x), x509_config.nmflag);
623 } else if (serial == i) { 956 } else if (x509_config.serial == i) {
624 BIO_printf(STDout, "serial="); 957 BIO_printf(STDout, "serial=");
625 i2a_ASN1_INTEGER(STDout, 958 i2a_ASN1_INTEGER(STDout,
626 X509_get_serialNumber(x)); 959 X509_get_serialNumber(x));
627 BIO_printf(STDout, "\n"); 960 BIO_printf(STDout, "\n");
628 } else if (next_serial == i) { 961 } else if (x509_config.next_serial == i) {
629 BIGNUM *bnser; 962 BIGNUM *bnser;
630 ASN1_INTEGER *ser; 963 ASN1_INTEGER *ser;
631 ser = X509_get_serialNumber(x); 964 ser = X509_get_serialNumber(x);
@@ -641,10 +974,10 @@ x509_main(int argc, char **argv)
641 i2a_ASN1_INTEGER(out, ser); 974 i2a_ASN1_INTEGER(out, ser);
642 ASN1_INTEGER_free(ser); 975 ASN1_INTEGER_free(ser);
643 BIO_puts(out, "\n"); 976 BIO_puts(out, "\n");
644 } else if ((email == i) || (ocsp_uri == i)) { 977 } else if ((x509_config.email == i) || (x509_config.ocsp_uri == i)) {
645 int j; 978 int j;
646 STACK_OF(OPENSSL_STRING) *emlst; 979 STACK_OF(OPENSSL_STRING) *emlst;
647 if (email == i) 980 if (x509_config.email == i)
648 emlst = X509_get1_email(x); 981 emlst = X509_get1_email(x);
649 else 982 else
650 emlst = X509_get1_ocsp(x); 983 emlst = X509_get1_ocsp(x);
@@ -652,30 +985,30 @@ x509_main(int argc, char **argv)
652 BIO_printf(STDout, "%s\n", 985 BIO_printf(STDout, "%s\n",
653 sk_OPENSSL_STRING_value(emlst, j)); 986 sk_OPENSSL_STRING_value(emlst, j));
654 X509_email_free(emlst); 987 X509_email_free(emlst);
655 } else if (aliasout == i) { 988 } else if (x509_config.aliasout == i) {
656 unsigned char *alstr; 989 unsigned char *alstr;
657 alstr = X509_alias_get0(x, NULL); 990 alstr = X509_alias_get0(x, NULL);
658 if (alstr) 991 if (alstr)
659 BIO_printf(STDout, "%s\n", alstr); 992 BIO_printf(STDout, "%s\n", alstr);
660 else 993 else
661 BIO_puts(STDout, "<No Alias>\n"); 994 BIO_puts(STDout, "<No Alias>\n");
662 } else if (subject_hash == i) { 995 } else if (x509_config.subject_hash == i) {
663 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); 996 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x));
664 } 997 }
665#ifndef OPENSSL_NO_MD5 998#ifndef OPENSSL_NO_MD5
666 else if (subject_hash_old == i) { 999 else if (x509_config.subject_hash_old == i) {
667 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); 1000 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x));
668 } 1001 }
669#endif 1002#endif
670 else if (issuer_hash == i) { 1003 else if (x509_config.issuer_hash == i) {
671 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x)); 1004 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x));
672 } 1005 }
673#ifndef OPENSSL_NO_MD5 1006#ifndef OPENSSL_NO_MD5
674 else if (issuer_hash_old == i) { 1007 else if (x509_config.issuer_hash_old == i) {
675 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x)); 1008 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x));
676 } 1009 }
677#endif 1010#endif
678 else if (pprint == i) { 1011 else if (x509_config.pprint == i) {
679 X509_PURPOSE *ptmp; 1012 X509_PURPOSE *ptmp;
680 int j; 1013 int j;
681 BIO_printf(STDout, "Certificate purposes:\n"); 1014 BIO_printf(STDout, "Certificate purposes:\n");
@@ -683,7 +1016,7 @@ x509_main(int argc, char **argv)
683 ptmp = X509_PURPOSE_get0(j); 1016 ptmp = X509_PURPOSE_get0(j);
684 purpose_print(STDout, x, ptmp); 1017 purpose_print(STDout, x, ptmp);
685 } 1018 }
686 } else if (modulus == i) { 1019 } else if (x509_config.modulus == i) {
687 EVP_PKEY *pkey; 1020 EVP_PKEY *pkey;
688 1021
689 pkey = X509_get_pubkey(x); 1022 pkey = X509_get_pubkey(x);
@@ -702,7 +1035,7 @@ x509_main(int argc, char **argv)
702 BIO_printf(STDout, "Wrong Algorithm type"); 1035 BIO_printf(STDout, "Wrong Algorithm type");
703 BIO_printf(STDout, "\n"); 1036 BIO_printf(STDout, "\n");
704 EVP_PKEY_free(pkey); 1037 EVP_PKEY_free(pkey);
705 } else if (pubkey == i) { 1038 } else if (x509_config.pubkey == i) {
706 EVP_PKEY *pkey; 1039 EVP_PKEY *pkey;
707 1040
708 pkey = X509_get_pubkey(x); 1041 pkey = X509_get_pubkey(x);
@@ -713,7 +1046,7 @@ x509_main(int argc, char **argv)
713 } 1046 }
714 PEM_write_bio_PUBKEY(STDout, pkey); 1047 PEM_write_bio_PUBKEY(STDout, pkey);
715 EVP_PKEY_free(pkey); 1048 EVP_PKEY_free(pkey);
716 } else if (C == i) { 1049 } else if (x509_config.C == i) {
717 unsigned char *d; 1050 unsigned char *d;
718 char *m; 1051 char *m;
719 int y, z; 1052 int y, z;
@@ -771,9 +1104,9 @@ x509_main(int argc, char **argv)
771 BIO_printf(STDout, "};\n"); 1104 BIO_printf(STDout, "};\n");
772 1105
773 free(m); 1106 free(m);
774 } else if (text == i) { 1107 } else if (x509_config.text == i) {
775 X509_print_ex(STDout, x, nmflag, certflag); 1108 X509_print_ex(STDout, x, x509_config.nmflag, x509_config.certflag);
776 } else if (startdate == i) { 1109 } else if (x509_config.startdate == i) {
777 ASN1_TIME *nB = X509_get_notBefore(x); 1110 ASN1_TIME *nB = X509_get_notBefore(x);
778 BIO_puts(STDout, "notBefore="); 1111 BIO_puts(STDout, "notBefore=");
779 if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1) 1112 if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)
@@ -781,7 +1114,7 @@ x509_main(int argc, char **argv)
781 else 1114 else
782 ASN1_TIME_print(STDout, nB); 1115 ASN1_TIME_print(STDout, nB);
783 BIO_puts(STDout, "\n"); 1116 BIO_puts(STDout, "\n");
784 } else if (enddate == i) { 1117 } else if (x509_config.enddate == i) {
785 ASN1_TIME *nA = X509_get_notAfter(x); 1118 ASN1_TIME *nA = X509_get_notAfter(x);
786 BIO_puts(STDout, "notAfter="); 1119 BIO_puts(STDout, "notAfter=");
787 if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1) 1120 if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)
@@ -789,11 +1122,11 @@ x509_main(int argc, char **argv)
789 else 1122 else
790 ASN1_TIME_print(STDout, nA); 1123 ASN1_TIME_print(STDout, nA);
791 BIO_puts(STDout, "\n"); 1124 BIO_puts(STDout, "\n");
792 } else if (fingerprint == i) { 1125 } else if (x509_config.fingerprint == i) {
793 int j; 1126 int j;
794 unsigned int n; 1127 unsigned int n;
795 unsigned char md[EVP_MAX_MD_SIZE]; 1128 unsigned char md[EVP_MAX_MD_SIZE];
796 const EVP_MD *fdig = digest; 1129 const EVP_MD *fdig = x509_config.digest;
797 1130
798 if (!fdig) 1131 if (!fdig)
799 fdig = EVP_sha256(); 1132 fdig = EVP_sha256();
@@ -810,42 +1143,42 @@ x509_main(int argc, char **argv)
810 } 1143 }
811 } 1144 }
812 /* should be in the library */ 1145 /* should be in the library */
813 else if ((sign_flag == i) && (x509req == 0)) { 1146 else if ((x509_config.sign_flag == i) && (x509_config.x509req == 0)) {
814 BIO_printf(bio_err, "Getting Private key\n"); 1147 BIO_printf(bio_err, "Getting Private key\n");
815 if (Upkey == NULL) { 1148 if (Upkey == NULL) {
816 Upkey = load_key(bio_err, 1149 Upkey = load_key(bio_err,
817 keyfile, keyformat, 0, 1150 x509_config.keyfile, x509_config.keyformat, 0,
818 passin, "Private key"); 1151 passin, "Private key");
819 if (Upkey == NULL) 1152 if (Upkey == NULL)
820 goto end; 1153 goto end;
821 } 1154 }
822 if (!sign(x, Upkey, days, clrext, digest, 1155 if (!sign(x, Upkey, x509_config.days, x509_config.clrext, x509_config.digest,
823 extconf, extsect)) 1156 extconf, x509_config.extsect))
824 goto end; 1157 goto end;
825 } else if (CA_flag == i) { 1158 } else if (x509_config.CA_flag == i) {
826 BIO_printf(bio_err, "Getting CA Private Key\n"); 1159 BIO_printf(bio_err, "Getting CA Private Key\n");
827 if (CAkeyfile != NULL) { 1160 if (x509_config.CAkeyfile != NULL) {
828 CApkey = load_key(bio_err, 1161 CApkey = load_key(bio_err,
829 CAkeyfile, CAkeyformat, 1162 x509_config.CAkeyfile, x509_config.CAkeyformat,
830 0, passin, "CA Private Key"); 1163 0, passin, "CA Private Key");
831 if (CApkey == NULL) 1164 if (CApkey == NULL)
832 goto end; 1165 goto end;
833 } 1166 }
834 if (!x509_certify(ctx, CAfile, digest, x, xca, 1167 if (!x509_certify(ctx, x509_config.CAfile, x509_config.digest, x, xca,
835 CApkey, sigopts, 1168 CApkey, x509_config.sigopts,
836 CAserial, CA_createserial, days, clrext, 1169 x509_config.CAserial, x509_config.CA_createserial, x509_config.days, x509_config.clrext,
837 extconf, extsect, sno)) 1170 extconf, x509_config.extsect, x509_config.sno))
838 goto end; 1171 goto end;
839 } else if (x509req == i) { 1172 } else if (x509_config.x509req == i) {
840 EVP_PKEY *pk; 1173 EVP_PKEY *pk;
841 1174
842 BIO_printf(bio_err, "Getting request Private Key\n"); 1175 BIO_printf(bio_err, "Getting request Private Key\n");
843 if (keyfile == NULL) { 1176 if (x509_config.keyfile == NULL) {
844 BIO_printf(bio_err, "no request key file specified\n"); 1177 BIO_printf(bio_err, "no request key file specified\n");
845 goto end; 1178 goto end;
846 } else { 1179 } else {
847 pk = load_key(bio_err, 1180 pk = load_key(bio_err,
848 keyfile, keyformat, 0, 1181 x509_config.keyfile, x509_config.keyformat, 0,
849 passin, "request key"); 1182 passin, "request key");
850 if (pk == NULL) 1183 if (pk == NULL)
851 goto end; 1184 goto end;
@@ -853,24 +1186,24 @@ x509_main(int argc, char **argv)
853 1186
854 BIO_printf(bio_err, "Generating certificate request\n"); 1187 BIO_printf(bio_err, "Generating certificate request\n");
855 1188
856 rq = X509_to_X509_REQ(x, pk, digest); 1189 rq = X509_to_X509_REQ(x, pk, x509_config.digest);
857 EVP_PKEY_free(pk); 1190 EVP_PKEY_free(pk);
858 if (rq == NULL) { 1191 if (rq == NULL) {
859 ERR_print_errors(bio_err); 1192 ERR_print_errors(bio_err);
860 goto end; 1193 goto end;
861 } 1194 }
862 if (!noout) { 1195 if (!x509_config.noout) {
863 X509_REQ_print(out, rq); 1196 X509_REQ_print(out, rq);
864 PEM_write_bio_X509_REQ(out, rq); 1197 PEM_write_bio_X509_REQ(out, rq);
865 } 1198 }
866 noout = 1; 1199 x509_config.noout = 1;
867 } else if (ocspid == i) { 1200 } else if (x509_config.ocspid == i) {
868 X509_ocspid_print(out, x); 1201 X509_ocspid_print(out, x);
869 } 1202 }
870 } 1203 }
871 } 1204 }
872 if (checkend) { 1205 if (x509_config.checkend) {
873 time_t tcheck = time(NULL) + checkoffset; 1206 time_t tcheck = time(NULL) + x509_config.checkoffset;
874 int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck); 1207 int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck);
875 if (timecheck == 0) { 1208 if (timecheck == 0) {
876 BIO_printf(out, "Certificate expiry time is invalid\n"); 1209 BIO_printf(out, "Certificate expiry time is invalid\n");
@@ -884,18 +1217,18 @@ x509_main(int argc, char **argv)
884 } 1217 }
885 goto end; 1218 goto end;
886 } 1219 }
887 if (noout) { 1220 if (x509_config.noout) {
888 ret = 0; 1221 ret = 0;
889 goto end; 1222 goto end;
890 } 1223 }
891 if (outformat == FORMAT_ASN1) 1224 if (x509_config.outformat == FORMAT_ASN1)
892 i = i2d_X509_bio(out, x); 1225 i = i2d_X509_bio(out, x);
893 else if (outformat == FORMAT_PEM) { 1226 else if (x509_config.outformat == FORMAT_PEM) {
894 if (trustout) 1227 if (x509_config.trustout)
895 i = PEM_write_bio_X509_AUX(out, x); 1228 i = PEM_write_bio_X509_AUX(out, x);
896 else 1229 else
897 i = PEM_write_bio_X509(out, x); 1230 i = PEM_write_bio_X509(out, x);
898 } else if (outformat == FORMAT_NETSCAPE) { 1231 } else if (x509_config.outformat == FORMAT_NETSCAPE) {
899 NETSCAPE_X509 nx; 1232 NETSCAPE_X509 nx;
900 ASN1_OCTET_STRING hdr; 1233 ASN1_OCTET_STRING hdr;
901 1234
@@ -927,11 +1260,11 @@ x509_main(int argc, char **argv)
927 X509_free(xca); 1260 X509_free(xca);
928 EVP_PKEY_free(Upkey); 1261 EVP_PKEY_free(Upkey);
929 EVP_PKEY_free(CApkey); 1262 EVP_PKEY_free(CApkey);
930 sk_OPENSSL_STRING_free(sigopts); 1263 sk_OPENSSL_STRING_free(x509_config.sigopts);
931 X509_REQ_free(rq); 1264 X509_REQ_free(rq);
932 ASN1_INTEGER_free(sno); 1265 ASN1_INTEGER_free(x509_config.sno);
933 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 1266 sk_ASN1_OBJECT_pop_free(x509_config.trust, ASN1_OBJECT_free);
934 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 1267 sk_ASN1_OBJECT_pop_free(x509_config.reject, ASN1_OBJECT_free);
935 free(passin); 1268 free(passin);
936 1269
937 return (ret); 1270 return (ret);
@@ -1013,7 +1346,7 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
1013 */ 1346 */
1014 X509_STORE_CTX_set_cert(&xsc, x); 1347 X509_STORE_CTX_set_cert(&xsc, x);
1015 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); 1348 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
1016 if (!reqfile && X509_verify_cert(&xsc) <= 0) 1349 if (!x509_config.reqfile && X509_verify_cert(&xsc) <= 0)
1017 goto end; 1350 goto end;
1018 1351
1019 if (!X509_check_private_key(xca, pkey)) { 1352 if (!X509_check_private_key(xca, pkey)) {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 01:49:10 +0000