summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/usr.bin/openssl/x509.c1161
1 files changed, 747 insertions, 414 deletions
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index 14c61261ee..a9155fee36 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509.c,v 1.18 2020/05/10 17:13:31 beck Exp $ */ 1/* $OpenBSD: x509.c,v 1.19 2021/03/24 12:09:16 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -81,69 +81,6 @@
81#define POSTFIX ".srl" 81#define POSTFIX ".srl"
82#define DEF_DAYS 30 82#define DEF_DAYS 30
83 83
84static const char *x509_usage[] = {
85 "usage: x509 args\n",
86 " -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
87 " -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
88 " -keyform arg - private key format - default PEM\n",
89 " -CAform arg - CA format - default PEM\n",
90 " -CAkeyform arg - CA key format - default PEM\n",
91 " -in arg - input file - default stdin\n",
92 " -out arg - output file - default stdout\n",
93 " -passin arg - private key password source\n",
94 " -serial - print serial number value\n",
95 " -subject_hash - print subject hash value\n",
96#ifndef OPENSSL_NO_MD5
97 " -subject_hash_old - print old-style (MD5) subject hash value\n",
98#endif
99 " -issuer_hash - print issuer hash value\n",
100#ifndef OPENSSL_NO_MD5
101 " -issuer_hash_old - print old-style (MD5) issuer hash value\n",
102#endif
103 " -hash - synonym for -subject_hash\n",
104 " -subject - print subject DN\n",
105 " -issuer - print issuer DN\n",
106 " -email - print email address(es)\n",
107 " -startdate - notBefore field\n",
108 " -enddate - notAfter field\n",
109 " -purpose - print out certificate purposes\n",
110 " -dates - both Before and After dates\n",
111 " -modulus - print the RSA key modulus\n",
112 " -pubkey - output the public key\n",
113 " -fingerprint - print the certificate fingerprint\n",
114 " -alias - output certificate alias\n",
115 " -noout - no certificate output\n",
116 " -ocspid - print OCSP hash values for the subject name and public key\n",
117 " -ocsp_uri - print OCSP Responder URL(s)\n",
118 " -trustout - output a \"trusted\" certificate\n",
119 " -clrtrust - clear all trusted purposes\n",
120 " -clrreject - clear all rejected purposes\n",
121 " -addtrust arg - trust certificate for a given purpose\n",
122 " -addreject arg - reject certificate for a given purpose\n",
123 " -setalias arg - set certificate alias\n",
124 " -days arg - How long till expiry of a signed certificate - def 30 days\n",
125 " -checkend arg - check whether the cert expires in the next arg seconds\n",
126 " exit 1 if so, 0 if not\n",
127 " -signkey arg - self sign cert with arg\n",
128 " -x509toreq - output a certification request object\n",
129 " -req - input is a certificate request, sign and output.\n",
130 " -CA arg - set the CA certificate, must be PEM format.\n",
131 " -CAkey arg - set the CA key, must be PEM format\n",
132 " missing, it is assumed to be in the CA file.\n",
133 " -CAcreateserial - create serial number file if it does not exist\n",
134 " -CAserial arg - serial file\n",
135 " -set_serial - serial number to use\n",
136 " -text - print the certificate in text form\n",
137 " -C - print out C code forms\n",
138 " -md5/-sha1 - digest to use\n",
139 " -extfile - configuration file with X509V3 extensions to add\n",
140 " -extensions - section from config file with X509V3 extensions to add\n",
141 " -clrext - delete extensions before signing and input certificate\n",
142 " -nameopt arg - various certificate name options\n",
143 " -certopt arg - various certificate text options\n",
144 NULL
145};
146
147static int callb(int ok, X509_STORE_CTX *ctx); 84static int callb(int ok, X509_STORE_CTX *ctx);
148static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 85static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
149 const EVP_MD *digest, CONF *conf, char *section); 86 const EVP_MD *digest, CONF *conf, char *section);
@@ -152,7 +89,637 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
152 char *serial, int create, int days, int clrext, CONF *conf, char *section, 89 char *serial, int create, int days, int clrext, CONF *conf, char *section,
153 ASN1_INTEGER *sno); 90 ASN1_INTEGER *sno);
154static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 91static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
155static int reqfile = 0; 92
93static struct {
94 char *alias;
95 int aliasout;
96 int badops;
97 int C;
98 int CA_createserial;
99 int CA_flag;
100 char *CAfile;
101 int CAformat;
102 char *CAkeyfile;
103 int CAkeyformat;
104 char *CAserial;
105 unsigned long certflag;
106 int checkend;
107 int checkoffset;
108 int clrext;
109 int clrreject;
110 int clrtrust;
111 int days;
112 const EVP_MD *digest;
113 int email;
114 int enddate;
115 char *extfile;
116 char *extsect;
117 int fingerprint;
118 char *infile;
119 int informat;
120 int issuer;
121 int issuer_hash;
122#ifndef OPENSSL_NO_MD5
123 int issuer_hash_old;
124#endif
125 char *keyfile;
126 int keyformat;
127 const EVP_MD *md_alg;
128 int modulus;
129 int next_serial;
130 unsigned long nmflag;
131 int noout;
132 int num;
133 int ocspid;
134 ASN1_OBJECT *objtmp;
135 int ocsp_uri;
136 char *outfile;
137 int outformat;
138 char *passargin;
139 int pprint;
140 int pubkey;
141 STACK_OF(ASN1_OBJECT) *reject;
142 int reqfile;
143 int serial;
144 int sign_flag;
145 STACK_OF(OPENSSL_STRING) *sigopts;
146 ASN1_INTEGER *sno;
147 int startdate;
148 int subject;
149 int subject_hash;
150#ifndef OPENSSL_NO_MD5
151 int subject_hash_old;
152#endif
153 int text;
154 STACK_OF(ASN1_OBJECT) *trust;
155 int trustout;
156 int x509req;
157} x509_config;
158
159static int
160x509_opt_addreject(char *arg)
161{
162 if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) {
163 BIO_printf(bio_err, "Invalid reject object value %s\n", arg);
164 return (1);
165 }
166
167 if (x509_config.reject == NULL &&
168 (x509_config.reject = sk_ASN1_OBJECT_new_null()) == NULL)
169 return (1);
170
171 if (!sk_ASN1_OBJECT_push(x509_config.reject, x509_config.objtmp))
172 return (1);
173
174 x509_config.trustout = 1;
175 return (0);
176}
177
178static int
179x509_opt_addtrust(char *arg)
180{
181 if ((x509_config.objtmp = OBJ_txt2obj(arg, 0)) == NULL) {
182 BIO_printf(bio_err, "Invalid trust object value %s\n", arg);
183 return (1);
184 }
185
186 if (x509_config.trust == NULL &&
187 (x509_config.trust = sk_ASN1_OBJECT_new_null()) == NULL)
188 return (1);
189
190 if (!sk_ASN1_OBJECT_push(x509_config.trust, x509_config.objtmp))
191 return (1);
192
193 x509_config.trustout = 1;
194 return (0);
195}
196
197static int
198x509_opt_ca(char *arg)
199{
200 x509_config.CAfile = arg;
201 x509_config.CA_flag = ++x509_config.num;
202 return (0);
203}
204
205static int
206x509_opt_certopt(char *arg)
207{
208 if (!set_cert_ex(&x509_config.certflag, arg))
209 return (1);
210
211 return (0);
212}
213
214static int
215x509_opt_checkend(char *arg)
216{
217 const char *errstr;
218
219 x509_config.checkoffset = strtonum(arg, 0, INT_MAX, &errstr);
220 if (errstr != NULL) {
221 BIO_printf(bio_err, "checkend unusable: %s\n", errstr);
222 return (1);
223 }
224 x509_config.checkend = 1;
225 return (0);
226}
227
228static int
229x509_opt_dates(void)
230{
231 x509_config.startdate = ++x509_config.num;
232 x509_config.enddate = ++x509_config.num;
233 return (0);
234}
235
236static int
237x509_opt_days(char *arg)
238{
239 const char *errstr;
240
241 x509_config.days = strtonum(arg, 1, INT_MAX, &errstr);
242 if (errstr != NULL) {
243 BIO_printf(bio_err, "bad number of days: %s\n", errstr);
244 return (1);
245 }
246 return (0);
247}
248
249static int
250x509_opt_digest(int argc, char **argv, int *argsused)
251{
252 char *name = argv[0];
253
254 if (*name++ != '-')
255 return (1);
256
257 if ((x509_config.md_alg = EVP_get_digestbyname(name)) != NULL) {
258 x509_config.digest = x509_config.md_alg;
259 } else {
260 BIO_printf(bio_err, "unknown option %s\n", *argv);
261 x509_config.badops = 1;
262 return (1);
263 }
264
265 *argsused = 1;
266 return (0);
267}
268
269static int
270x509_opt_nameopt(char *arg)
271{
272 if (!set_name_ex(&x509_config.nmflag, arg))
273 return (1);
274
275 return (0);
276}
277
278static int
279x509_opt_set_serial(char *arg)
280{
281 ASN1_INTEGER_free(x509_config.sno);
282 if ((x509_config.sno = s2i_ASN1_INTEGER(NULL, arg)) == NULL)
283 return (1);
284
285 return (0);
286}
287
288static int
289x509_opt_setalias(char *arg)
290{
291 x509_config.alias = arg;
292 x509_config.trustout = 1;
293 return (0);
294}
295
296static int
297x509_opt_signkey(char *arg)
298{
299 x509_config.keyfile = arg;
300 x509_config.sign_flag = ++x509_config.num;
301 return (0);
302}
303
304static int
305x509_opt_sigopt(char *arg)
306{
307 if (x509_config.sigopts == NULL &&
308 (x509_config.sigopts = sk_OPENSSL_STRING_new_null()) == NULL)
309 return (1);
310
311 if (!sk_OPENSSL_STRING_push(x509_config.sigopts, arg))
312 return (1);
313
314 return (0);
315}
316
317static const struct option x509_options[] = {
318 {
319 .name = "C",
320 .desc = "Convert the certificate into C code",
321 .type = OPTION_ORDER,
322 .opt.order = &x509_config.C,
323 .order = &x509_config.num,
324 },
325 {
326 .name = "addreject",
327 .argname = "arg",
328 .desc = "Reject certificate for a given purpose",
329 .type = OPTION_ARG_FUNC,
330 .opt.argfunc = x509_opt_addreject,
331 },
332 {
333 .name = "addtrust",
334 .argname = "arg",
335 .desc = "Trust certificate for a given purpose",
336 .type = OPTION_ARG_FUNC,
337 .opt.argfunc = x509_opt_addtrust,
338 },
339 {
340 .name = "alias",
341 .desc = "Output certificate alias",
342 .type = OPTION_ORDER,
343 .opt.order = &x509_config.aliasout,
344 .order = &x509_config.num,
345 },
346 {
347 .name = "CA",
348 .argname = "file",
349 .desc = "CA certificate in PEM format unless -CAform is specified",
350 .type = OPTION_ARG_FUNC,
351 .opt.argfunc = x509_opt_ca,
352 },
353 {
354 .name = "CAcreateserial",
355 .desc = "Create serial number file if it does not exist",
356 .type = OPTION_ORDER,
357 .opt.order = &x509_config.CA_createserial,
358 .order = &x509_config.num,
359 },
360 {
361 .name = "CAform",
362 .argname = "fmt",
363 .desc = "CA format - default PEM",
364 .type = OPTION_ARG_FORMAT,
365 .opt.value = &x509_config.CAformat,
366 },
367 {
368 .name = "CAkey",
369 .argname = "file",
370 .desc = "CA key in PEM format unless -CAkeyform is specified\n"
371 "if omitted, the key is assumed to be in the CA file",
372 .type = OPTION_ARG,
373 .opt.arg = &x509_config.CAkeyfile,
374 },
375 {
376 .name = "CAkeyform",
377 .argname = "fmt",
378 .desc = "CA key format - default PEM",
379 .type = OPTION_ARG_FORMAT,
380 .opt.value = &x509_config.CAkeyformat,
381 },
382 {
383 .name = "CAserial",
384 .argname = "file",
385 .desc = "Serial file",
386 .type = OPTION_ARG,
387 .opt.arg = &x509_config.CAserial,
388 },
389 {
390 .name = "certopt",
391 .argname = "option",
392 .desc = "Various certificate text options",
393 .type = OPTION_ARG_FUNC,
394 .opt.argfunc = x509_opt_certopt,
395 },
396 {
397 .name = "checkend",
398 .argname = "arg",
399 .desc = "Check whether the cert expires in the next arg seconds\n"
400 "exit 1 if so, 0 if not",
401 .type = OPTION_ARG_FUNC,
402 .opt.argfunc = x509_opt_checkend,
403 },
404 {
405 .name = "clrext",
406 .desc = "Clear all extensions",
407 .type = OPTION_FLAG,
408 .opt.flag = &x509_config.clrext,
409 },
410 {
411 .name = "clrreject",
412 .desc = "Clear all rejected purposes",
413 .type = OPTION_ORDER,
414 .opt.order = &x509_config.clrreject,
415 .order = &x509_config.num,
416 },
417 {
418 .name = "clrtrust",
419 .desc = "Clear all trusted purposes",
420 .type = OPTION_ORDER,
421 .opt.order = &x509_config.clrtrust,
422 .order = &x509_config.num,
423 },
424 {
425 .name = "dates",
426 .desc = "Both Before and After dates",
427 .type = OPTION_FUNC,
428 .opt.func = x509_opt_dates,
429 },
430 {
431 .name = "days",
432 .argname = "arg",
433 .desc = "How long till expiry of a signed certificate - def 30 days",
434 .type = OPTION_ARG_FUNC,
435 .opt.argfunc = x509_opt_days,
436 },
437 {
438 .name = "email",
439 .desc = "Print email address(es)",
440 .type = OPTION_ORDER,
441 .opt.order = &x509_config.email,
442 .order = &x509_config.num,
443 },
444 {
445 .name = "enddate",
446 .desc = "Print notAfter field",
447 .type = OPTION_ORDER,
448 .opt.order = &x509_config.enddate,
449 .order = &x509_config.num,
450 },
451 {
452 .name = "extensions",
453 .argname = "section",
454 .desc = "Section from config file with X509V3 extensions to add",
455 .type = OPTION_ARG,
456 .opt.arg = &x509_config.extsect,
457 },
458 {
459 .name = "extfile",
460 .argname = "file",
461 .desc = "Configuration file with X509V3 extensions to add",
462 .type = OPTION_ARG,
463 .opt.arg = &x509_config.extfile,
464 },
465 {
466 .name = "fingerprint",
467 .desc = "Print the certificate fingerprint",
468 .type = OPTION_ORDER,
469 .opt.order = &x509_config.fingerprint,
470 .order = &x509_config.num,
471 },
472 {
473 .name = "hash",
474 .desc = "Synonym for -subject_hash",
475 .type = OPTION_ORDER,
476 .opt.order = &x509_config.subject_hash,
477 .order = &x509_config.num,
478 },
479 {
480 .name = "in",
481 .argname = "file",
482 .desc = "Input file - default stdin",
483 .type = OPTION_ARG,
484 .opt.arg = &x509_config.infile,
485 },
486 {
487 .name = "inform",
488 .argname = "fmt",
489 .desc = "Input format - default PEM (one of DER, NET or PEM)",
490 .type = OPTION_ARG_FORMAT,
491 .opt.value = &x509_config.informat,
492 },
493 {
494 .name = "issuer",
495 .desc = "Print issuer name",
496 .type = OPTION_ORDER,
497 .opt.order = &x509_config.issuer,
498 .order = &x509_config.num,
499 },
500 {
501 .name = "issuer_hash",
502 .desc = "Print issuer hash value",
503 .type = OPTION_ORDER,
504 .opt.order = &x509_config.issuer_hash,
505 .order = &x509_config.num,
506 },
507#ifndef OPENSSL_NO_MD5
508 {
509 .name = "issuer_hash_old",
510 .desc = "Print old-style (MD5) issuer hash value",
511 .type = OPTION_ORDER,
512 .opt.order = &x509_config.issuer_hash_old,
513 .order = &x509_config.num,
514 },
515#endif
516 {
517 .name = "keyform",
518 .argname = "fmt",
519 .desc = "Private key format - default PEM",
520 .type = OPTION_ARG_FORMAT,
521 .opt.value = &x509_config.keyformat,
522 },
523 {
524 .name = "modulus",
525 .desc = "Print the RSA key modulus",
526 .type = OPTION_ORDER,
527 .opt.order = &x509_config.modulus,
528 .order = &x509_config.num,
529 },
530 {
531 .name = "nameopt",
532 .argname = "option",
533 .desc = "Various certificate name options",
534 .type = OPTION_ARG_FUNC,
535 .opt.argfunc = x509_opt_nameopt,
536 },
537 {
538 .name = "next_serial",
539 .desc = "Print the next serial number",
540 .type = OPTION_ORDER,
541 .opt.order = &x509_config.next_serial,
542 .order = &x509_config.num,
543 },
544 {
545 .name = "noout",
546 .desc = "No certificate output",
547 .type = OPTION_ORDER,
548 .opt.order = &x509_config.noout,
549 .order = &x509_config.num,
550 },
551 {
552 .name = "ocsp_uri",
553 .desc = "Print OCSP Responder URL(s)",
554 .type = OPTION_ORDER,
555 .opt.order = &x509_config.ocsp_uri,
556 .order = &x509_config.num,
557 },
558 {
559 .name = "ocspid",
560 .desc = "Print OCSP hash values for the subject name and public key",
561 .type = OPTION_ORDER,
562 .opt.order = &x509_config.ocspid,
563 .order = &x509_config.num,
564 },
565 {
566 .name = "out",
567 .argname = "file",
568 .desc = "Output file - default stdout",
569 .type = OPTION_ARG,
570 .opt.arg = &x509_config.outfile,
571 },
572 {
573 .name = "outform",
574 .argname = "fmt",
575 .desc = "Output format - default PEM (one of DER, NET or PEM)",
576 .type = OPTION_ARG_FORMAT,
577 .opt.value = &x509_config.outformat,
578 },
579 {
580 .name = "passin",
581 .argname = "src",
582 .desc = "Private key password source",
583 .type = OPTION_ARG,
584 .opt.arg = &x509_config.passargin,
585 },
586 {
587 .name = "pubkey",
588 .desc = "Output the public key",
589 .type = OPTION_ORDER,
590 .opt.order = &x509_config.pubkey,
591 .order = &x509_config.num,
592 },
593 {
594 .name = "purpose",
595 .desc = "Print out certificate purposes",
596 .type = OPTION_ORDER,
597 .opt.order = &x509_config.pprint,
598 .order = &x509_config.num,
599 },
600 {
601 .name = "req",
602 .desc = "Input is a certificate request, sign and output",
603 .type = OPTION_FLAG,
604 .opt.flag = &x509_config.reqfile,
605 },
606 {
607 .name = "serial",
608 .desc = "Print serial number value",
609 .type = OPTION_ORDER,
610 .opt.order = &x509_config.serial,
611 .order = &x509_config.num,
612 },
613 {
614 .name = "set_serial",
615 .argname = "n",
616 .desc = "Serial number to use",
617 .type = OPTION_ARG_FUNC,
618 .opt.argfunc = x509_opt_set_serial,
619 },
620 {
621 .name = "setalias",
622 .argname = "arg",
623 .desc = "Set certificate alias",
624 .type = OPTION_ARG_FUNC,
625 .opt.argfunc = x509_opt_setalias,
626 },
627 {
628 .name = "signkey",
629 .argname = "file",
630 .desc = "Self sign cert with arg",
631 .type = OPTION_ARG_FUNC,
632 .opt.argfunc = x509_opt_signkey,
633 },
634 {
635 .name = "sigopt",
636 .argname = "nm:v",
637 .desc = "Various signature algorithm options",
638 .type = OPTION_ARG_FUNC,
639 .opt.argfunc = x509_opt_sigopt,
640 },
641 {
642 .name = "startdate",
643 .desc = "Print notBefore field",
644 .type = OPTION_ORDER,
645 .opt.order = &x509_config.startdate,
646 .order = &x509_config.num,
647 },
648 {
649 .name = "subject",
650 .desc = "Print subject name",
651 .type = OPTION_ORDER,
652 .opt.order = &x509_config.subject,
653 .order = &x509_config.num,
654 },
655 {
656 .name = "subject_hash",
657 .desc = "Print subject hash value",
658 .type = OPTION_ORDER,
659 .opt.order = &x509_config.subject_hash,
660 .order = &x509_config.num,
661 },
662#ifndef OPENSSL_NO_MD5
663 {
664 .name = "subject_hash_old",
665 .desc = "Print old-style (MD5) subject hash value",
666 .type = OPTION_ORDER,
667 .opt.order = &x509_config.subject_hash_old,
668 .order = &x509_config.num,
669 },
670#endif
671 {
672 .name = "text",
673 .desc = "Print the certificate in text form",
674 .type = OPTION_ORDER,
675 .opt.order = &x509_config.text,
676 .order = &x509_config.num,
677 },
678 {
679 .name = "trustout",
680 .desc = "Output a trusted certificate",
681 .type = OPTION_FLAG,
682 .opt.flag = &x509_config.trustout,
683 },
684 {
685 .name = "x509toreq",
686 .desc = "Output a certification request object",
687 .type = OPTION_ORDER,
688 .opt.order = &x509_config.x509req,
689 .order = &x509_config.num,
690 },
691 {
692 .name = NULL,
693 .desc = "",
694 .type = OPTION_ARGV_FUNC,
695 .opt.argvfunc = x509_opt_digest,
696 },
697 { NULL },
698};
699
700static void
701x509_usage(void)
702{
703 fprintf(stderr, "usage: x509 "
704 "[-C] [-addreject arg] [-addtrust arg] [-alias] [-CA file]\n"
705 " [-CAcreateserial] [-CAform der | pem] [-CAkey file]\n"
706 " [-CAkeyform der | pem] [-CAserial file] [-certopt option]\n"
707 " [-checkend arg] [-clrext] [-clrreject] [-clrtrust] [-dates]\n"
708 " [-days arg] [-email] [-enddate] [-extensions section]\n"
709 " [-extfile file] [-fingerprint] [-hash] [-in file]\n"
710 " [-inform der | net | pem] [-issuer] [-issuer_hash]\n"
711 " [-issuer_hash_old] [-keyform der | pem] [-md5 | -sha1]\n"
712 " [-modulus] [-nameopt option] [-next_serial] [-noout]\n"
713 " [-ocsp_uri] [-ocspid] [-out file]\n"
714 " [-outform der | net | pem] [-passin arg] [-pubkey]\n"
715 " [-purpose] [-req] [-serial] [-set_serial n] [-setalias arg]\n"
716 " [-signkey file] [-sigopt nm:v] [-startdate] [-subject]\n"
717 " [-subject_hash] [-subject_hash_old] [-text] [-trustout]\n"
718 " [-x509toreq]\n");
719 fprintf(stderr, "\n");
720 options_usage(x509_options);
721 fprintf(stderr, "\n");
722}
156 723
157int 724int
158x509_main(int argc, char **argv) 725x509_main(int argc, char **argv)
@@ -160,43 +727,15 @@ x509_main(int argc, char **argv)
160 int ret = 1; 727 int ret = 1;
161 X509_REQ *req = NULL; 728 X509_REQ *req = NULL;
162 X509 *x = NULL, *xca = NULL; 729 X509 *x = NULL, *xca = NULL;
163 ASN1_OBJECT *objtmp;
164 STACK_OF(OPENSSL_STRING) *sigopts = NULL;
165 EVP_PKEY *Upkey = NULL, *CApkey = NULL; 730 EVP_PKEY *Upkey = NULL, *CApkey = NULL;
166 ASN1_INTEGER *sno = NULL; 731 int i;
167 int i, num, badops = 0;
168 BIO *out = NULL; 732 BIO *out = NULL;
169 BIO *STDout = NULL; 733 BIO *STDout = NULL;
170 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
171 int informat, outformat, keyformat, CAformat, CAkeyformat;
172 char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
173 char *CAkeyfile = NULL, *CAserial = NULL;
174 char *alias = NULL;
175 int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0,
176 enddate = 0;
177 int next_serial = 0;
178 int subject_hash = 0, issuer_hash = 0, ocspid = 0;
179#ifndef OPENSSL_NO_MD5
180 int subject_hash_old = 0, issuer_hash_old = 0;
181#endif
182 int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0,
183 email = 0;
184 int ocsp_uri = 0;
185 int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0;
186 int C = 0;
187 int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0;
188 int pprint = 0;
189 const char **pp;
190 X509_STORE *ctx = NULL; 734 X509_STORE *ctx = NULL;
191 X509_REQ *rq = NULL; 735 X509_REQ *rq = NULL;
192 int fingerprint = 0;
193 char buf[256]; 736 char buf[256];
194 const EVP_MD *md_alg, *digest = NULL;
195 CONF *extconf = NULL; 737 CONF *extconf = NULL;
196 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; 738 char *passin = NULL;
197 int checkend = 0, checkoffset = 0;
198 unsigned long nmflag = 0, certflag = 0;
199 const char *errstr = NULL;
200 739
201 if (single_execution) { 740 if (single_execution) {
202 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) { 741 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
@@ -205,237 +744,31 @@ x509_main(int argc, char **argv)
205 } 744 }
206 } 745 }
207 746
208 reqfile = 0; 747 memset(&x509_config, 0, sizeof(x509_config));
748 x509_config.days = DEF_DAYS;
749 x509_config.informat = FORMAT_PEM;
750 x509_config.outformat = FORMAT_PEM;
751 x509_config.keyformat = FORMAT_PEM;
752 x509_config.CAformat = FORMAT_PEM;
753 x509_config.CAkeyformat = FORMAT_PEM;
209 754
210 STDout = BIO_new_fp(stdout, BIO_NOCLOSE); 755 STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
211 756
212 informat = FORMAT_PEM;
213 outformat = FORMAT_PEM;
214 keyformat = FORMAT_PEM;
215 CAformat = FORMAT_PEM;
216 CAkeyformat = FORMAT_PEM;
217
218 ctx = X509_STORE_new(); 757 ctx = X509_STORE_new();
219 if (ctx == NULL) 758 if (ctx == NULL)
220 goto end; 759 goto end;
221 X509_STORE_set_verify_cb(ctx, callb); 760 X509_STORE_set_verify_cb(ctx, callb);
222 761
223 argc--; 762 if (options_parse(argc, argv, x509_options, NULL, NULL) != 0)
224 argv++; 763 goto bad;
225 num = 0;
226 while (argc >= 1) {
227 if (strcmp(*argv, "-inform") == 0) {
228 if (--argc < 1)
229 goto bad;
230 informat = str2fmt(*(++argv));
231 } else if (strcmp(*argv, "-outform") == 0) {
232 if (--argc < 1)
233 goto bad;
234 outformat = str2fmt(*(++argv));
235 } else if (strcmp(*argv, "-keyform") == 0) {
236 if (--argc < 1)
237 goto bad;
238 keyformat = str2fmt(*(++argv));
239 } else if (strcmp(*argv, "-req") == 0) {
240 reqfile = 1;
241 } else if (strcmp(*argv, "-CAform") == 0) {
242 if (--argc < 1)
243 goto bad;
244 CAformat = str2fmt(*(++argv));
245 } else if (strcmp(*argv, "-CAkeyform") == 0) {
246 if (--argc < 1)
247 goto bad;
248 CAkeyformat = str2fmt(*(++argv));
249 } else if (strcmp(*argv, "-sigopt") == 0) {
250 if (--argc < 1)
251 goto bad;
252 if (!sigopts)
253 sigopts = sk_OPENSSL_STRING_new_null();
254 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
255 goto bad;
256 } else if (strcmp(*argv, "-days") == 0) {
257 if (--argc < 1)
258 goto bad;
259 days = strtonum(*(++argv), 1, INT_MAX, &errstr);
260 if (errstr) {
261 BIO_printf(bio_err, "bad number of days: %s\n", errstr);
262 goto bad;
263 }
264 } else if (strcmp(*argv, "-passin") == 0) {
265 if (--argc < 1)
266 goto bad;
267 passargin = *(++argv);
268 } else if (strcmp(*argv, "-extfile") == 0) {
269 if (--argc < 1)
270 goto bad;
271 extfile = *(++argv);
272 } else if (strcmp(*argv, "-extensions") == 0) {
273 if (--argc < 1)
274 goto bad;
275 extsect = *(++argv);
276 } else if (strcmp(*argv, "-in") == 0) {
277 if (--argc < 1)
278 goto bad;
279 infile = *(++argv);
280 } else if (strcmp(*argv, "-out") == 0) {
281 if (--argc < 1)
282 goto bad;
283 outfile = *(++argv);
284 } else if (strcmp(*argv, "-signkey") == 0) {
285 if (--argc < 1)
286 goto bad;
287 keyfile = *(++argv);
288 sign_flag = ++num;
289 } else if (strcmp(*argv, "-CA") == 0) {
290 if (--argc < 1)
291 goto bad;
292 CAfile = *(++argv);
293 CA_flag = ++num;
294 } else if (strcmp(*argv, "-CAkey") == 0) {
295 if (--argc < 1)
296 goto bad;
297 CAkeyfile = *(++argv);
298 } else if (strcmp(*argv, "-CAserial") == 0) {
299 if (--argc < 1)
300 goto bad;
301 CAserial = *(++argv);
302 } else if (strcmp(*argv, "-set_serial") == 0) {
303 if (--argc < 1)
304 goto bad;
305 ASN1_INTEGER_free(sno);
306 if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
307 goto bad;
308 } else if (strcmp(*argv, "-addtrust") == 0) {
309 if (--argc < 1)
310 goto bad;
311 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
312 BIO_printf(bio_err,
313 "Invalid trust object value %s\n", *argv);
314 goto bad;
315 }
316 if (!trust)
317 trust = sk_ASN1_OBJECT_new_null();
318 sk_ASN1_OBJECT_push(trust, objtmp);
319 trustout = 1;
320 } else if (strcmp(*argv, "-addreject") == 0) {
321 if (--argc < 1)
322 goto bad;
323 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
324 BIO_printf(bio_err,
325 "Invalid reject object value %s\n", *argv);
326 goto bad;
327 }
328 if (!reject)
329 reject = sk_ASN1_OBJECT_new_null();
330 sk_ASN1_OBJECT_push(reject, objtmp);
331 trustout = 1;
332 } else if (strcmp(*argv, "-setalias") == 0) {
333 if (--argc < 1)
334 goto bad;
335 alias = *(++argv);
336 trustout = 1;
337 } else if (strcmp(*argv, "-certopt") == 0) {
338 if (--argc < 1)
339 goto bad;
340 if (!set_cert_ex(&certflag, *(++argv)))
341 goto bad;
342 } else if (strcmp(*argv, "-nameopt") == 0) {
343 if (--argc < 1)
344 goto bad;
345 if (!set_name_ex(&nmflag, *(++argv)))
346 goto bad;
347 }
348 else if (strcmp(*argv, "-C") == 0)
349 C = ++num;
350 else if (strcmp(*argv, "-email") == 0)
351 email = ++num;
352 else if (strcmp(*argv, "-ocsp_uri") == 0)
353 ocsp_uri = ++num;
354 else if (strcmp(*argv, "-serial") == 0)
355 serial = ++num;
356 else if (strcmp(*argv, "-next_serial") == 0)
357 next_serial = ++num;
358 else if (strcmp(*argv, "-modulus") == 0)
359 modulus = ++num;
360 else if (strcmp(*argv, "-pubkey") == 0)
361 pubkey = ++num;
362 else if (strcmp(*argv, "-x509toreq") == 0)
363 x509req = ++num;
364 else if (strcmp(*argv, "-text") == 0)
365 text = ++num;
366 else if (strcmp(*argv, "-hash") == 0 ||
367 strcmp(*argv, "-subject_hash") == 0)
368 subject_hash = ++num;
369#ifndef OPENSSL_NO_MD5
370 else if (strcmp(*argv, "-subject_hash_old") == 0)
371 subject_hash_old = ++num;
372#endif
373 else if (strcmp(*argv, "-issuer_hash") == 0)
374 issuer_hash = ++num;
375#ifndef OPENSSL_NO_MD5
376 else if (strcmp(*argv, "-issuer_hash_old") == 0)
377 issuer_hash_old = ++num;
378#endif
379 else if (strcmp(*argv, "-subject") == 0)
380 subject = ++num;
381 else if (strcmp(*argv, "-issuer") == 0)
382 issuer = ++num;
383 else if (strcmp(*argv, "-fingerprint") == 0)
384 fingerprint = ++num;
385 else if (strcmp(*argv, "-dates") == 0) {
386 startdate = ++num;
387 enddate = ++num;
388 } else if (strcmp(*argv, "-purpose") == 0)
389 pprint = ++num;
390 else if (strcmp(*argv, "-startdate") == 0)
391 startdate = ++num;
392 else if (strcmp(*argv, "-enddate") == 0)
393 enddate = ++num;
394 else if (strcmp(*argv, "-checkend") == 0) {
395 if (--argc < 1)
396 goto bad;
397 checkoffset = strtonum(*(++argv), 0, INT_MAX, &errstr);
398 if (errstr) {
399 BIO_printf(bio_err, "checkend unusable: %s\n", errstr);
400 goto bad;
401 }
402 checkend = 1;
403 } else if (strcmp(*argv, "-noout") == 0)
404 noout = ++num;
405 else if (strcmp(*argv, "-trustout") == 0)
406 trustout = 1;
407 else if (strcmp(*argv, "-clrtrust") == 0)
408 clrtrust = ++num;
409 else if (strcmp(*argv, "-clrreject") == 0)
410 clrreject = ++num;
411 else if (strcmp(*argv, "-alias") == 0)
412 aliasout = ++num;
413 else if (strcmp(*argv, "-CAcreateserial") == 0)
414 CA_createserial = ++num;
415 else if (strcmp(*argv, "-clrext") == 0)
416 clrext = 1;
417 else if (strcmp(*argv, "-ocspid") == 0)
418 ocspid = ++num;
419 else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
420 /* ok */
421 digest = md_alg;
422 } else {
423 BIO_printf(bio_err, "unknown option %s\n", *argv);
424 badops = 1;
425 break;
426 }
427 argc--;
428 argv++;
429 }
430 764
431 if (badops) { 765 if (x509_config.badops) {
432 bad: 766 bad:
433 for (pp = x509_usage; (*pp != NULL); pp++) 767 x509_usage();
434 BIO_printf(bio_err, "%s", *pp);
435 goto end; 768 goto end;
436 } 769 }
437 770
438 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { 771 if (!app_passwd(bio_err, x509_config.passargin, NULL, &passin, NULL)) {
439 BIO_printf(bio_err, "Error getting password\n"); 772 BIO_printf(bio_err, "Error getting password\n");
440 goto end; 773 goto end;
441 } 774 }
@@ -443,51 +776,51 @@ x509_main(int argc, char **argv)
443 ERR_print_errors(bio_err); 776 ERR_print_errors(bio_err);
444 goto end; 777 goto end;
445 } 778 }
446 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { 779 if ((x509_config.CAkeyfile == NULL) && (x509_config.CA_flag) && (x509_config.CAformat == FORMAT_PEM)) {
447 CAkeyfile = CAfile; 780 x509_config.CAkeyfile = x509_config.CAfile;
448 } else if ((CA_flag) && (CAkeyfile == NULL)) { 781 } else if ((x509_config.CA_flag) && (x509_config.CAkeyfile == NULL)) {
449 BIO_printf(bio_err, 782 BIO_printf(bio_err,
450 "need to specify a CAkey if using the CA command\n"); 783 "need to specify a CAkey if using the CA command\n");
451 goto end; 784 goto end;
452 } 785 }
453 if (extfile) { 786 if (x509_config.extfile) {
454 long errorline = -1; 787 long errorline = -1;
455 X509V3_CTX ctx2; 788 X509V3_CTX ctx2;
456 extconf = NCONF_new(NULL); 789 extconf = NCONF_new(NULL);
457 if (!NCONF_load(extconf, extfile, &errorline)) { 790 if (!NCONF_load(extconf, x509_config.extfile, &errorline)) {
458 if (errorline <= 0) 791 if (errorline <= 0)
459 BIO_printf(bio_err, 792 BIO_printf(bio_err,
460 "error loading the config file '%s'\n", 793 "error loading the config file '%s'\n",
461 extfile); 794 x509_config.extfile);
462 else 795 else
463 BIO_printf(bio_err, 796 BIO_printf(bio_err,
464 "error on line %ld of config file '%s'\n", 797 "error on line %ld of config file '%s'\n",
465 errorline, extfile); 798 errorline, x509_config.extfile);
466 goto end; 799 goto end;
467 } 800 }
468 if (!extsect) { 801 if (!x509_config.extsect) {
469 extsect = NCONF_get_string(extconf, "default", 802 x509_config.extsect = NCONF_get_string(extconf, "default",
470 "extensions"); 803 "extensions");
471 if (!extsect) { 804 if (!x509_config.extsect) {
472 ERR_clear_error(); 805 ERR_clear_error();
473 extsect = "default"; 806 x509_config.extsect = "default";
474 } 807 }
475 } 808 }
476 X509V3_set_ctx_test(&ctx2); 809 X509V3_set_ctx_test(&ctx2);
477 X509V3_set_nconf(&ctx2, extconf); 810 X509V3_set_nconf(&ctx2, extconf);
478 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { 811 if (!X509V3_EXT_add_nconf(extconf, &ctx2, x509_config.extsect, NULL)) {
479 BIO_printf(bio_err, 812 BIO_printf(bio_err,
480 "Error Loading extension section %s\n", 813 "Error Loading extension section %s\n",
481 extsect); 814 x509_config.extsect);
482 ERR_print_errors(bio_err); 815 ERR_print_errors(bio_err);
483 goto end; 816 goto end;
484 } 817 }
485 } 818 }
486 if (reqfile) { 819 if (x509_config.reqfile) {
487 EVP_PKEY *pkey; 820 EVP_PKEY *pkey;
488 BIO *in; 821 BIO *in;
489 822
490 if (!sign_flag && !CA_flag) { 823 if (!x509_config.sign_flag && !x509_config.CA_flag) {
491 BIO_printf(bio_err, "We need a private key to sign with\n"); 824 BIO_printf(bio_err, "We need a private key to sign with\n");
492 goto end; 825 goto end;
493 } 826 }
@@ -496,11 +829,11 @@ x509_main(int argc, char **argv)
496 ERR_print_errors(bio_err); 829 ERR_print_errors(bio_err);
497 goto end; 830 goto end;
498 } 831 }
499 if (infile == NULL) 832 if (x509_config.infile == NULL)
500 BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT); 833 BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT);
501 else { 834 else {
502 if (BIO_read_filename(in, infile) <= 0) { 835 if (BIO_read_filename(in, x509_config.infile) <= 0) {
503 perror(infile); 836 perror(x509_config.infile);
504 BIO_free(in); 837 BIO_free(in);
505 goto end; 838 goto end;
506 } 839 }
@@ -537,20 +870,20 @@ x509_main(int argc, char **argv)
537 } else 870 } else
538 BIO_printf(bio_err, "Signature ok\n"); 871 BIO_printf(bio_err, "Signature ok\n");
539 872
540 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); 873 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), x509_config.nmflag);
541 874
542 if ((x = X509_new()) == NULL) 875 if ((x = X509_new()) == NULL)
543 goto end; 876 goto end;
544 877
545 if (sno == NULL) { 878 if (x509_config.sno == NULL) {
546 sno = ASN1_INTEGER_new(); 879 x509_config.sno = ASN1_INTEGER_new();
547 if (!sno || !rand_serial(NULL, sno)) 880 if (!x509_config.sno || !rand_serial(NULL, x509_config.sno))
548 goto end; 881 goto end;
549 if (!X509_set_serialNumber(x, sno)) 882 if (!X509_set_serialNumber(x, x509_config.sno))
550 goto end; 883 goto end;
551 ASN1_INTEGER_free(sno); 884 ASN1_INTEGER_free(x509_config.sno);
552 sno = NULL; 885 x509_config.sno = NULL;
553 } else if (!X509_set_serialNumber(x, sno)) 886 } else if (!X509_set_serialNumber(x, x509_config.sno))
554 goto end; 887 goto end;
555 888
556 if (!X509_set_issuer_name(x, req->req_info->subject)) 889 if (!X509_set_issuer_name(x, req->req_info->subject))
@@ -559,22 +892,22 @@ x509_main(int argc, char **argv)
559 goto end; 892 goto end;
560 893
561 X509_gmtime_adj(X509_get_notBefore(x), 0); 894 X509_gmtime_adj(X509_get_notBefore(x), 0);
562 X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); 895 X509_time_adj_ex(X509_get_notAfter(x), x509_config.days, 0, NULL);
563 896
564 pkey = X509_REQ_get_pubkey(req); 897 pkey = X509_REQ_get_pubkey(req);
565 X509_set_pubkey(x, pkey); 898 X509_set_pubkey(x, pkey);
566 EVP_PKEY_free(pkey); 899 EVP_PKEY_free(pkey);
567 } else 900 } else
568 x = load_cert(bio_err, infile, informat, NULL, "Certificate"); 901 x = load_cert(bio_err, x509_config.infile, x509_config.informat, NULL, "Certificate");
569 902
570 if (x == NULL) 903 if (x == NULL)
571 goto end; 904 goto end;
572 if (CA_flag) { 905 if (x509_config.CA_flag) {
573 xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate"); 906 xca = load_cert(bio_err, x509_config.CAfile, x509_config.CAformat, NULL, "CA Certificate");
574 if (xca == NULL) 907 if (xca == NULL)
575 goto end; 908 goto end;
576 } 909 }
577 if (!noout || text || next_serial) { 910 if (!x509_config.noout || x509_config.text || x509_config.next_serial) {
578 OBJ_create("2.99999.3", 911 OBJ_create("2.99999.3",
579 "SET.ex3", "SET x509v3 extension 3"); 912 "SET.ex3", "SET x509v3 extension 3");
580 913
@@ -583,49 +916,49 @@ x509_main(int argc, char **argv)
583 ERR_print_errors(bio_err); 916 ERR_print_errors(bio_err);
584 goto end; 917 goto end;
585 } 918 }
586 if (outfile == NULL) { 919 if (x509_config.outfile == NULL) {
587 BIO_set_fp(out, stdout, BIO_NOCLOSE); 920 BIO_set_fp(out, stdout, BIO_NOCLOSE);
588 } else { 921 } else {
589 if (BIO_write_filename(out, outfile) <= 0) { 922 if (BIO_write_filename(out, x509_config.outfile) <= 0) {
590 perror(outfile); 923 perror(x509_config.outfile);
591 goto end; 924 goto end;
592 } 925 }
593 } 926 }
594 } 927 }
595 if (alias) 928 if (x509_config.alias)
596 X509_alias_set1(x, (unsigned char *) alias, -1); 929 X509_alias_set1(x, (unsigned char *) x509_config.alias, -1);
597 930
598 if (clrtrust) 931 if (x509_config.clrtrust)
599 X509_trust_clear(x); 932 X509_trust_clear(x);
600 if (clrreject) 933 if (x509_config.clrreject)
601 X509_reject_clear(x); 934 X509_reject_clear(x);
602 935
603 if (trust) { 936 if (x509_config.trust) {
604 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { 937 for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.trust); i++) {
605 objtmp = sk_ASN1_OBJECT_value(trust, i); 938 x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.trust, i);
606 X509_add1_trust_object(x, objtmp); 939 X509_add1_trust_object(x, x509_config.objtmp);
607 } 940 }
608 } 941 }
609 if (reject) { 942 if (x509_config.reject) {
610 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { 943 for (i = 0; i < sk_ASN1_OBJECT_num(x509_config.reject); i++) {
611 objtmp = sk_ASN1_OBJECT_value(reject, i); 944 x509_config.objtmp = sk_ASN1_OBJECT_value(x509_config.reject, i);
612 X509_add1_reject_object(x, objtmp); 945 X509_add1_reject_object(x, x509_config.objtmp);
613 } 946 }
614 } 947 }
615 if (num) { 948 if (x509_config.num) {
616 for (i = 1; i <= num; i++) { 949 for (i = 1; i <= x509_config.num; i++) {
617 if (issuer == i) { 950 if (x509_config.issuer == i) {
618 print_name(STDout, "issuer= ", 951 print_name(STDout, "issuer= ",
619 X509_get_issuer_name(x), nmflag); 952 X509_get_issuer_name(x), x509_config.nmflag);
620 } else if (subject == i) { 953 } else if (x509_config.subject == i) {
621 print_name(STDout, "subject= ", 954 print_name(STDout, "subject= ",
622 X509_get_subject_name(x), nmflag); 955 X509_get_subject_name(x), x509_config.nmflag);
623 } else if (serial == i) { 956 } else if (x509_config.serial == i) {
624 BIO_printf(STDout, "serial="); 957 BIO_printf(STDout, "serial=");
625 i2a_ASN1_INTEGER(STDout, 958 i2a_ASN1_INTEGER(STDout,
626 X509_get_serialNumber(x)); 959 X509_get_serialNumber(x));
627 BIO_printf(STDout, "\n"); 960 BIO_printf(STDout, "\n");
628 } else if (next_serial == i) { 961 } else if (x509_config.next_serial == i) {
629 BIGNUM *bnser; 962 BIGNUM *bnser;
630 ASN1_INTEGER *ser; 963 ASN1_INTEGER *ser;
631 ser = X509_get_serialNumber(x); 964 ser = X509_get_serialNumber(x);
@@ -641,10 +974,10 @@ x509_main(int argc, char **argv)
641 i2a_ASN1_INTEGER(out, ser); 974 i2a_ASN1_INTEGER(out, ser);
642 ASN1_INTEGER_free(ser); 975 ASN1_INTEGER_free(ser);
643 BIO_puts(out, "\n"); 976 BIO_puts(out, "\n");
644 } else if ((email == i) || (ocsp_uri == i)) { 977 } else if ((x509_config.email == i) || (x509_config.ocsp_uri == i)) {
645 int j; 978 int j;
646 STACK_OF(OPENSSL_STRING) *emlst; 979 STACK_OF(OPENSSL_STRING) *emlst;
647 if (email == i) 980 if (x509_config.email == i)
648 emlst = X509_get1_email(x); 981 emlst = X509_get1_email(x);
649 else 982 else
650 emlst = X509_get1_ocsp(x); 983 emlst = X509_get1_ocsp(x);
@@ -652,30 +985,30 @@ x509_main(int argc, char **argv)
652 BIO_printf(STDout, "%s\n", 985 BIO_printf(STDout, "%s\n",
653 sk_OPENSSL_STRING_value(emlst, j)); 986 sk_OPENSSL_STRING_value(emlst, j));
654 X509_email_free(emlst); 987 X509_email_free(emlst);
655 } else if (aliasout == i) { 988 } else if (x509_config.aliasout == i) {
656 unsigned char *alstr; 989 unsigned char *alstr;
657 alstr = X509_alias_get0(x, NULL); 990 alstr = X509_alias_get0(x, NULL);
658 if (alstr) 991 if (alstr)
659 BIO_printf(STDout, "%s\n", alstr); 992 BIO_printf(STDout, "%s\n", alstr);
660 else 993 else
661 BIO_puts(STDout, "<No Alias>\n"); 994 BIO_puts(STDout, "<No Alias>\n");
662 } else if (subject_hash == i) { 995 } else if (x509_config.subject_hash == i) {
663 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); 996 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x));
664 } 997 }
665#ifndef OPENSSL_NO_MD5 998#ifndef OPENSSL_NO_MD5
666 else if (subject_hash_old == i) { 999 else if (x509_config.subject_hash_old == i) {
667 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); 1000 BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x));
668 } 1001 }
669#endif 1002#endif
670 else if (issuer_hash == i) { 1003 else if (x509_config.issuer_hash == i) {
671 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x)); 1004 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x));
672 } 1005 }
673#ifndef OPENSSL_NO_MD5 1006#ifndef OPENSSL_NO_MD5
674 else if (issuer_hash_old == i) { 1007 else if (x509_config.issuer_hash_old == i) {
675 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x)); 1008 BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x));
676 } 1009 }
677#endif 1010#endif
678 else if (pprint == i) { 1011 else if (x509_config.pprint == i) {
679 X509_PURPOSE *ptmp; 1012 X509_PURPOSE *ptmp;
680 int j; 1013 int j;
681 BIO_printf(STDout, "Certificate purposes:\n"); 1014 BIO_printf(STDout, "Certificate purposes:\n");
@@ -683,7 +1016,7 @@ x509_main(int argc, char **argv)
683 ptmp = X509_PURPOSE_get0(j); 1016 ptmp = X509_PURPOSE_get0(j);
684 purpose_print(STDout, x, ptmp); 1017 purpose_print(STDout, x, ptmp);
685 } 1018 }
686 } else if (modulus == i) { 1019 } else if (x509_config.modulus == i) {
687 EVP_PKEY *pkey; 1020 EVP_PKEY *pkey;
688 1021
689 pkey = X509_get_pubkey(x); 1022 pkey = X509_get_pubkey(x);
@@ -702,7 +1035,7 @@ x509_main(int argc, char **argv)
702 BIO_printf(STDout, "Wrong Algorithm type"); 1035 BIO_printf(STDout, "Wrong Algorithm type");
703 BIO_printf(STDout, "\n"); 1036 BIO_printf(STDout, "\n");
704 EVP_PKEY_free(pkey); 1037 EVP_PKEY_free(pkey);
705 } else if (pubkey == i) { 1038 } else if (x509_config.pubkey == i) {
706 EVP_PKEY *pkey; 1039 EVP_PKEY *pkey;
707 1040
708 pkey = X509_get_pubkey(x); 1041 pkey = X509_get_pubkey(x);
@@ -713,7 +1046,7 @@ x509_main(int argc, char **argv)
713 } 1046 }
714 PEM_write_bio_PUBKEY(STDout, pkey); 1047 PEM_write_bio_PUBKEY(STDout, pkey);
715 EVP_PKEY_free(pkey); 1048 EVP_PKEY_free(pkey);
716 } else if (C == i) { 1049 } else if (x509_config.C == i) {
717 unsigned char *d; 1050 unsigned char *d;
718 char *m; 1051 char *m;
719 int y, z; 1052 int y, z;
@@ -771,9 +1104,9 @@ x509_main(int argc, char **argv)
771 BIO_printf(STDout, "};\n"); 1104 BIO_printf(STDout, "};\n");
772 1105
773 free(m); 1106 free(m);
774 } else if (text == i) { 1107 } else if (x509_config.text == i) {
775 X509_print_ex(STDout, x, nmflag, certflag); 1108 X509_print_ex(STDout, x, x509_config.nmflag, x509_config.certflag);
776 } else if (startdate == i) { 1109 } else if (x509_config.startdate == i) {
777 ASN1_TIME *nB = X509_get_notBefore(x); 1110 ASN1_TIME *nB = X509_get_notBefore(x);
778 BIO_puts(STDout, "notBefore="); 1111 BIO_puts(STDout, "notBefore=");
779 if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1) 1112 if (ASN1_time_parse(nB->data, nB->length, NULL, 0) == -1)
@@ -781,7 +1114,7 @@ x509_main(int argc, char **argv)
781 else 1114 else
782 ASN1_TIME_print(STDout, nB); 1115 ASN1_TIME_print(STDout, nB);
783 BIO_puts(STDout, "\n"); 1116 BIO_puts(STDout, "\n");
784 } else if (enddate == i) { 1117 } else if (x509_config.enddate == i) {
785 ASN1_TIME *nA = X509_get_notAfter(x); 1118 ASN1_TIME *nA = X509_get_notAfter(x);
786 BIO_puts(STDout, "notAfter="); 1119 BIO_puts(STDout, "notAfter=");
787 if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1) 1120 if (ASN1_time_parse(nA->data, nA->length, NULL, 0) == -1)
@@ -789,11 +1122,11 @@ x509_main(int argc, char **argv)
789 else 1122 else
790 ASN1_TIME_print(STDout, nA); 1123 ASN1_TIME_print(STDout, nA);
791 BIO_puts(STDout, "\n"); 1124 BIO_puts(STDout, "\n");
792 } else if (fingerprint == i) { 1125 } else if (x509_config.fingerprint == i) {
793 int j; 1126 int j;
794 unsigned int n; 1127 unsigned int n;
795 unsigned char md[EVP_MAX_MD_SIZE]; 1128 unsigned char md[EVP_MAX_MD_SIZE];
796 const EVP_MD *fdig = digest; 1129 const EVP_MD *fdig = x509_config.digest;
797 1130
798 if (!fdig) 1131 if (!fdig)
799 fdig = EVP_sha256(); 1132 fdig = EVP_sha256();
@@ -810,42 +1143,42 @@ x509_main(int argc, char **argv)
810 } 1143 }
811 } 1144 }
812 /* should be in the library */ 1145 /* should be in the library */
813 else if ((sign_flag == i) && (x509req == 0)) { 1146 else if ((x509_config.sign_flag == i) && (x509_config.x509req == 0)) {
814 BIO_printf(bio_err, "Getting Private key\n"); 1147 BIO_printf(bio_err, "Getting Private key\n");
815 if (Upkey == NULL) { 1148 if (Upkey == NULL) {
816 Upkey = load_key(bio_err, 1149 Upkey = load_key(bio_err,
817 keyfile, keyformat, 0, 1150 x509_config.keyfile, x509_config.keyformat, 0,
818 passin, "Private key"); 1151 passin, "Private key");
819 if (Upkey == NULL) 1152 if (Upkey == NULL)
820 goto end; 1153 goto end;
821 } 1154 }
822 if (!sign(x, Upkey, days, clrext, digest, 1155 if (!sign(x, Upkey, x509_config.days, x509_config.clrext, x509_config.digest,
823 extconf, extsect)) 1156 extconf, x509_config.extsect))
824 goto end; 1157 goto end;
825 } else if (CA_flag == i) { 1158 } else if (x509_config.CA_flag == i) {
826 BIO_printf(bio_err, "Getting CA Private Key\n"); 1159 BIO_printf(bio_err, "Getting CA Private Key\n");
827 if (CAkeyfile != NULL) { 1160 if (x509_config.CAkeyfile != NULL) {
828 CApkey = load_key(bio_err, 1161 CApkey = load_key(bio_err,
829 CAkeyfile, CAkeyformat, 1162 x509_config.CAkeyfile, x509_config.CAkeyformat,
830 0, passin, "CA Private Key"); 1163 0, passin, "CA Private Key");
831 if (CApkey == NULL) 1164 if (CApkey == NULL)
832 goto end; 1165 goto end;
833 } 1166 }
834 if (!x509_certify(ctx, CAfile, digest, x, xca, 1167 if (!x509_certify(ctx, x509_config.CAfile, x509_config.digest, x, xca,
835 CApkey, sigopts, 1168 CApkey, x509_config.sigopts,
836 CAserial, CA_createserial, days, clrext, 1169 x509_config.CAserial, x509_config.CA_createserial, x509_config.days, x509_config.clrext,
837 extconf, extsect, sno)) 1170 extconf, x509_config.extsect, x509_config.sno))
838 goto end; 1171 goto end;
839 } else if (x509req == i) { 1172 } else if (x509_config.x509req == i) {
840 EVP_PKEY *pk; 1173 EVP_PKEY *pk;
841 1174
842 BIO_printf(bio_err, "Getting request Private Key\n"); 1175 BIO_printf(bio_err, "Getting request Private Key\n");
843 if (keyfile == NULL) { 1176 if (x509_config.keyfile == NULL) {
844 BIO_printf(bio_err, "no request key file specified\n"); 1177 BIO_printf(bio_err, "no request key file specified\n");
845 goto end; 1178 goto end;
846 } else { 1179 } else {
847 pk = load_key(bio_err, 1180 pk = load_key(bio_err,
848 keyfile, keyformat, 0, 1181 x509_config.keyfile, x509_config.keyformat, 0,
849 passin, "request key"); 1182 passin, "request key");
850 if (pk == NULL) 1183 if (pk == NULL)
851 goto end; 1184 goto end;
@@ -853,24 +1186,24 @@ x509_main(int argc, char **argv)
853 1186
854 BIO_printf(bio_err, "Generating certificate request\n"); 1187 BIO_printf(bio_err, "Generating certificate request\n");
855 1188
856 rq = X509_to_X509_REQ(x, pk, digest); 1189 rq = X509_to_X509_REQ(x, pk, x509_config.digest);
857 EVP_PKEY_free(pk); 1190 EVP_PKEY_free(pk);
858 if (rq == NULL) { 1191 if (rq == NULL) {
859 ERR_print_errors(bio_err); 1192 ERR_print_errors(bio_err);
860 goto end; 1193 goto end;
861 } 1194 }
862 if (!noout) { 1195 if (!x509_config.noout) {
863 X509_REQ_print(out, rq); 1196 X509_REQ_print(out, rq);
864 PEM_write_bio_X509_REQ(out, rq); 1197 PEM_write_bio_X509_REQ(out, rq);
865 } 1198 }
866 noout = 1; 1199 x509_config.noout = 1;
867 } else if (ocspid == i) { 1200 } else if (x509_config.ocspid == i) {
868 X509_ocspid_print(out, x); 1201 X509_ocspid_print(out, x);
869 } 1202 }
870 } 1203 }
871 } 1204 }
872 if (checkend) { 1205 if (x509_config.checkend) {
873 time_t tcheck = time(NULL) + checkoffset; 1206 time_t tcheck = time(NULL) + x509_config.checkoffset;
874 int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck); 1207 int timecheck = X509_cmp_time(X509_get_notAfter(x), &tcheck);
875 if (timecheck == 0) { 1208 if (timecheck == 0) {
876 BIO_printf(out, "Certificate expiry time is invalid\n"); 1209 BIO_printf(out, "Certificate expiry time is invalid\n");
@@ -884,18 +1217,18 @@ x509_main(int argc, char **argv)
884 } 1217 }
885 goto end; 1218 goto end;
886 } 1219 }
887 if (noout) { 1220 if (x509_config.noout) {
888 ret = 0; 1221 ret = 0;
889 goto end; 1222 goto end;
890 } 1223 }
891 if (outformat == FORMAT_ASN1) 1224 if (x509_config.outformat == FORMAT_ASN1)
892 i = i2d_X509_bio(out, x); 1225 i = i2d_X509_bio(out, x);
893 else if (outformat == FORMAT_PEM) { 1226 else if (x509_config.outformat == FORMAT_PEM) {
894 if (trustout) 1227 if (x509_config.trustout)
895 i = PEM_write_bio_X509_AUX(out, x); 1228 i = PEM_write_bio_X509_AUX(out, x);
896 else 1229 else
897 i = PEM_write_bio_X509(out, x); 1230 i = PEM_write_bio_X509(out, x);
898 } else if (outformat == FORMAT_NETSCAPE) { 1231 } else if (x509_config.outformat == FORMAT_NETSCAPE) {
899 NETSCAPE_X509 nx; 1232 NETSCAPE_X509 nx;
900 ASN1_OCTET_STRING hdr; 1233 ASN1_OCTET_STRING hdr;
901 1234
@@ -927,11 +1260,11 @@ x509_main(int argc, char **argv)
927 X509_free(xca); 1260 X509_free(xca);
928 EVP_PKEY_free(Upkey); 1261 EVP_PKEY_free(Upkey);
929 EVP_PKEY_free(CApkey); 1262 EVP_PKEY_free(CApkey);
930 sk_OPENSSL_STRING_free(sigopts); 1263 sk_OPENSSL_STRING_free(x509_config.sigopts);
931 X509_REQ_free(rq); 1264 X509_REQ_free(rq);
932 ASN1_INTEGER_free(sno); 1265 ASN1_INTEGER_free(x509_config.sno);
933 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 1266 sk_ASN1_OBJECT_pop_free(x509_config.trust, ASN1_OBJECT_free);
934 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 1267 sk_ASN1_OBJECT_pop_free(x509_config.reject, ASN1_OBJECT_free);
935 free(passin); 1268 free(passin);
936 1269
937 return (ret); 1270 return (ret);
@@ -1013,7 +1346,7 @@ x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x,
1013 */ 1346 */
1014 X509_STORE_CTX_set_cert(&xsc, x); 1347 X509_STORE_CTX_set_cert(&xsc, x);
1015 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); 1348 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
1016 if (!reqfile && X509_verify_cert(&xsc) <= 0) 1349 if (!x509_config.reqfile && X509_verify_cert(&xsc) <= 0)
1017 goto end; 1350 goto end;
1018 1351
1019 if (!X509_check_private_key(xca, pkey)) { 1352 if (!X509_check_private_key(xca, pkey)) {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-08 04:31:48 +0000