summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/src/apps/ca.c375
1 files changed, 225 insertions, 150 deletions
diff --git a/src/lib/libssl/src/apps/ca.c b/src/lib/libssl/src/apps/ca.c
index 297ddccded..de858d5a55 100644
--- a/src/lib/libssl/src/apps/ca.c
+++ b/src/lib/libssl/src/apps/ca.c
@@ -186,37 +186,35 @@ extern int EF_ALIGNMENT;
186#endif 186#endif
187 187
188static void lookup_fail(const char *name, const char *tag); 188static void lookup_fail(const char *name, const char *tag);
189static int 189static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
190certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
191 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, 190 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
192 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, 191 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
193 unsigned long chtype, int multirdn, int email_dn, char *startdate, 192 unsigned long chtype, int multirdn, int email_dn, char *startdate,
194 char *enddate, long days, int batch, char *ext_sect, CONF * conf, 193 char *enddate, long days, int batch, char *ext_sect, CONF * conf,
195 int verbose, unsigned long certopt, unsigned long nameopt, 194 int verbose, unsigned long certopt, unsigned long nameopt,
196 int default_op, int ext_copy, int selfsign); 195 int default_op, int ext_copy, int selfsign);
197static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, 196static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
198 const EVP_MD * dgst, 197 X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
199 STACK_OF(OPENSSL_STRING) * sigopts,
200 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, 198 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
201 unsigned long chtype, int multirdn, int email_dn, char *startdate, 199 unsigned long chtype, int multirdn, int email_dn, char *startdate,
202 char *enddate, long days, int batch, char *ext_sect, CONF * conf, 200 char *enddate, long days, int batch, char *ext_sect, CONF * conf,
203 int verbose, unsigned long certopt, unsigned long nameopt, int default_op, 201 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
204 int ext_copy, ENGINE * e); 202 int ext_copy, ENGINE * e);
205static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, 203static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
206 const EVP_MD * dgst, 204 X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
207 STACK_OF(OPENSSL_STRING) * sigopts,
208 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj, 205 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
209 unsigned long chtype, int multirdn, int email_dn, char *startdate, 206 unsigned long chtype, int multirdn, int email_dn, char *startdate,
210 char *enddate, long days, char *ext_sect, CONF * conf, int verbose, 207 char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
211 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); 208 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
212static void write_new_certificate(BIO * bp, X509 * x, int output_der, int notext); 209static void write_new_certificate(BIO * bp, X509 * x, int output_der,
213static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst, 210 int notext);
214 STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy, CA_DB * db, 211static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
215 BIGNUM * serial, char *subj, unsigned long chtype, int multirdn, 212 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
216 int email_dn, char *startdate, char *enddate, long days, int batch, 213 STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
217 int verbose, X509_REQ * req, char *ext_sect, CONF * conf, 214 unsigned long chtype, int multirdn, int email_dn, char *startdate,
218 unsigned long certopt, unsigned long nameopt, int default_op, 215 char *enddate, long days, int batch, int verbose, X509_REQ * req,
219 int ext_copy, int selfsign); 216 char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
217 int default_op, int ext_copy, int selfsign);
220static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval); 218static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
221static int get_certificate_status(const char *ser_status, CA_DB * db); 219static int get_certificate_status(const char *ser_status, CA_DB * db);
222static int do_updatedb(CA_DB * db); 220static int do_updatedb(CA_DB * db);
@@ -420,7 +418,8 @@ ca_main(int argc, char **argv)
420 goto bad; 418 goto bad;
421 if (!sigopts) 419 if (!sigopts)
422 sigopts = sk_OPENSSL_STRING_new_null(); 420 sigopts = sk_OPENSSL_STRING_new_null();
423 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) 421 if (!sigopts ||
422 !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
424 goto bad; 423 goto bad;
425 } else if (strcmp(*argv, "-notext") == 0) 424 } else if (strcmp(*argv, "-notext") == 0)
426 notext = 1; 425 notext = 1;
@@ -513,7 +512,7 @@ ca_main(int argc, char **argv)
513 } 512 }
514#endif 513#endif
515 else { 514 else {
516 bad: 515bad:
517 BIO_printf(bio_err, "unknown option %s\n", *argv); 516 BIO_printf(bio_err, "unknown option %s\n", *argv);
518 badops = 1; 517 badops = 1;
519 break; 518 break;
@@ -548,11 +547,13 @@ ca_main(int argc, char **argv)
548 conf = NCONF_new(NULL); 547 conf = NCONF_new(NULL);
549 if (NCONF_load(conf, configfile, &errorline) <= 0) { 548 if (NCONF_load(conf, configfile, &errorline) <= 0) {
550 if (errorline <= 0) 549 if (errorline <= 0)
551 BIO_printf(bio_err, "error loading the config file '%s'\n", 550 BIO_printf(bio_err,
551 "error loading the config file '%s'\n",
552 configfile); 552 configfile);
553 else 553 else
554 BIO_printf(bio_err, "error on line %ld of config file '%s'\n" 554 BIO_printf(bio_err,
555 ,errorline, configfile); 555 "error on line %ld of config file '%s'\n",
556 errorline, configfile);
556 goto err; 557 goto err;
557 } 558 }
558 if (tofree) { 559 if (tofree) {
@@ -584,7 +585,8 @@ ca_main(int argc, char **argv)
584 oid_bio = BIO_new_file(p, "r"); 585 oid_bio = BIO_new_file(p, "r");
585 if (oid_bio == NULL) { 586 if (oid_bio == NULL) {
586 /* 587 /*
587 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); 588 BIO_printf(bio_err,
589 "problems opening %s for extra oid's\n", p);
588 ERR_print_errors(bio_err); 590 ERR_print_errors(bio_err);
589 */ 591 */
590 ERR_clear_error(); 592 ERR_clear_error();
@@ -603,7 +605,8 @@ ca_main(int argc, char **argv)
603 ERR_clear_error(); 605 ERR_clear_error();
604 606
605 if (f && !ASN1_STRING_set_default_mask_asc(f)) { 607 if (f && !ASN1_STRING_set_default_mask_asc(f)) {
606 BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); 608 BIO_printf(bio_err,
609 "Invalid global string mask setting %s\n", f);
607 goto err; 610 goto err;
608 } 611 }
609 if (chtype != MBSTRING_UTF8) { 612 if (chtype != MBSTRING_UTF8) {
@@ -642,7 +645,8 @@ ca_main(int argc, char **argv)
642 /*****************************************************************/ 645 /*****************************************************************/
643 /* report status of cert with serial number given on command line */ 646 /* report status of cert with serial number given on command line */
644 if (ser_status) { 647 if (ser_status) {
645 if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { 648 if ((dbfile = NCONF_get_string(conf, section,
649 ENV_DATABASE)) == NULL) {
646 lookup_fail(section, ENV_DATABASE); 650 lookup_fail(section, ENV_DATABASE);
647 goto err; 651 goto err;
648 } 652 }
@@ -662,7 +666,7 @@ ca_main(int argc, char **argv)
662 /* we definitely need a private key, so let's get it */ 666 /* we definitely need a private key, so let's get it */
663 667
664 if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf, 668 if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
665 section, ENV_PRIVATE_KEY)) == NULL)) { 669 section, ENV_PRIVATE_KEY)) == NULL)) {
666 lookup_fail(section, ENV_PRIVATE_KEY); 670 lookup_fail(section, ENV_PRIVATE_KEY);
667 goto err; 671 goto err;
668 } 672 }
@@ -685,7 +689,7 @@ ca_main(int argc, char **argv)
685 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 689 if (!selfsign || spkac_file || ss_cert_file || gencrl) {
686 if ((certfile == NULL) && 690 if ((certfile == NULL) &&
687 ((certfile = NCONF_get_string(conf, 691 ((certfile = NCONF_get_string(conf,
688 section, ENV_CERTIFICATE)) == NULL)) { 692 section, ENV_CERTIFICATE)) == NULL)) {
689 lookup_fail(section, ENV_CERTIFICATE); 693 lookup_fail(section, ENV_CERTIFICATE);
690 goto err; 694 goto err;
691 } 695 }
@@ -695,7 +699,8 @@ ca_main(int argc, char **argv)
695 goto err; 699 goto err;
696 700
697 if (!X509_check_private_key(x509, pkey)) { 701 if (!X509_check_private_key(x509, pkey)) {
698 BIO_printf(bio_err, "CA certificate and CA private key do not match\n"); 702 BIO_printf(bio_err,
703 "CA certificate and CA private key do not match\n");
699 goto err; 704 goto err;
700 } 705 }
701 } 706 }
@@ -717,7 +722,8 @@ ca_main(int argc, char **argv)
717 722
718 if (f) { 723 if (f) {
719 if (!set_name_ex(&nameopt, f)) { 724 if (!set_name_ex(&nameopt, f)) {
720 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); 725 BIO_printf(bio_err,
726 "Invalid name options: \"%s\"\n", f);
721 goto err; 727 goto err;
722 } 728 }
723 default_op = 0; 729 default_op = 0;
@@ -728,7 +734,8 @@ ca_main(int argc, char **argv)
728 734
729 if (f) { 735 if (f) {
730 if (!set_cert_ex(&certopt, f)) { 736 if (!set_cert_ex(&certopt, f)) {
731 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); 737 BIO_printf(bio_err,
738 "Invalid certificate options: \"%s\"\n", f);
732 goto err; 739 goto err;
733 } 740 }
734 default_op = 0; 741 default_op = 0;
@@ -739,7 +746,8 @@ ca_main(int argc, char **argv)
739 746
740 if (f) { 747 if (f) {
741 if (!set_ext_copy(&ext_copy, f)) { 748 if (!set_ext_copy(&ext_copy, f)) {
742 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); 749 BIO_printf(bio_err,
750 "Invalid extension copy option: \"%s\"\n", f);
743 goto err; 751 goto err;
744 } 752 }
745 } else 753 } else
@@ -750,7 +758,7 @@ ca_main(int argc, char **argv)
750 if ((outdir == NULL) && (req)) { 758 if ((outdir == NULL) && (req)) {
751 759
752 if ((outdir = NCONF_get_string(conf, section, 760 if ((outdir = NCONF_get_string(conf, section,
753 ENV_NEW_CERTS_DIR)) == NULL) { 761 ENV_NEW_CERTS_DIR)) == NULL) {
754 BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n"); 762 BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n");
755 goto err; 763 goto err;
756 } 764 }
@@ -759,19 +767,21 @@ ca_main(int argc, char **argv)
759 * filename. In any case, stat(), below, will catch the 767 * filename. In any case, stat(), below, will catch the
760 * problem if outdir is not a directory spec, and the fopen() 768 * problem if outdir is not a directory spec, and the fopen()
761 * or open() will catch an error if there is no write access. 769 * or open() will catch an error if there is no write access.
762 * 770 *
763 * Presumably, this problem could also be solved by using the 771 * Presumably, this problem could also be solved by using the
764 * DEC C routines to convert the directory syntax to Unixly, 772 * DEC C routines to convert the directory syntax to Unixly,
765 * and give that to access(). However, time's too short to 773 * and give that to access(). However, time's too short to
766 * do that just now. 774 * do that just now.
767 */ 775 */
768 if (access(outdir, R_OK | W_OK | X_OK) != 0) { 776 if (access(outdir, R_OK | W_OK | X_OK) != 0) {
769 BIO_printf(bio_err, "I am unable to access the %s directory\n", outdir); 777 BIO_printf(bio_err,
778 "I am unable to access the %s directory\n", outdir);
770 perror(outdir); 779 perror(outdir);
771 goto err; 780 goto err;
772 } 781 }
773 if (app_isdir(outdir) <= 0) { 782 if (app_isdir(outdir) <= 0) {
774 BIO_printf(bio_err, "%s need to be a directory\n", outdir); 783 BIO_printf(bio_err,
784 "%s need to be a directory\n", outdir);
775 perror(outdir); 785 perror(outdir);
776 goto err; 786 goto err;
777 } 787 }
@@ -800,7 +810,8 @@ ca_main(int argc, char **argv)
800 goto err; 810 goto err;
801 } 811 }
802 if (!check_time_format((char *) pp[DB_exp_date])) { 812 if (!check_time_format((char *) pp[DB_exp_date])) {
803 BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); 813 BIO_printf(bio_err, "entry %d: invalid expiry date\n",
814 i + 1);
804 goto err; 815 goto err;
805 } 816 }
806 p = pp[DB_serial]; 817 p = pp[DB_serial];
@@ -810,13 +821,15 @@ ca_main(int argc, char **argv)
810 j--; 821 j--;
811 } 822 }
812 if ((j & 1) || (j < 2)) { 823 if ((j & 1) || (j < 2)) {
813 BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", i + 1, j); 824 BIO_printf(bio_err,
825 "entry %d: bad serial number length (%d)\n",
826 i + 1, j);
814 goto err; 827 goto err;
815 } 828 }
816 while (*p) { 829 while (*p) {
817 if (!(((*p >= '0') && (*p <= '9')) || 830 if (!(((*p >= '0') && (*p <= '9')) ||
818 ((*p >= 'A') && (*p <= 'F')) || 831 ((*p >= 'A') && (*p <= 'F')) ||
819 ((*p >= 'a') && (*p <= 'f')))) { 832 ((*p >= 'a') && (*p <= 'f')))) {
820 BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p); 833 BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
821 goto err; 834 goto err;
822 } 835 }
@@ -837,8 +850,7 @@ ca_main(int argc, char **argv)
837 /* Update the db file for expired certificates */ 850 /* Update the db file for expired certificates */
838 if (doupdatedb) { 851 if (doupdatedb) {
839 if (verbose) 852 if (verbose)
840 BIO_printf(bio_err, "Updating %s ...\n", 853 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
841 dbfile);
842 854
843 i = do_updatedb(db); 855 i = do_updatedb(db);
844 if (i == -1) { 856 if (i == -1) {
@@ -866,19 +878,24 @@ ca_main(int argc, char **argv)
866 extconf = NCONF_new(NULL); 878 extconf = NCONF_new(NULL);
867 if (NCONF_load(extconf, extfile, &errorline) <= 0) { 879 if (NCONF_load(extconf, extfile, &errorline) <= 0) {
868 if (errorline <= 0) 880 if (errorline <= 0)
869 BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", 881 BIO_printf(bio_err,
882 "ERROR: loading the config file '%s'\n",
870 extfile); 883 extfile);
871 else 884 else
872 BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n", 885 BIO_printf(bio_err,
886 "ERROR: on line %ld of config file '%s'\n",
873 errorline, extfile); 887 errorline, extfile);
874 ret = 1; 888 ret = 1;
875 goto err; 889 goto err;
876 } 890 }
877 if (verbose) 891 if (verbose)
878 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile); 892 BIO_printf(bio_err,
893 "Successfully loaded extensions file %s\n",
894 extfile);
879 895
880 /* We can have sections in the ext file */ 896 /* We can have sections in the ext file */
881 if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions"))) 897 if (!extensions && !(extensions = NCONF_get_string(extconf,
898 "default", "extensions")))
882 extensions = "default"; 899 extensions = "default";
883 } 900 }
884 /*****************************************************************/ 901 /*****************************************************************/
@@ -892,8 +909,8 @@ ca_main(int argc, char **argv)
892 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); 909 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
893 } 910 }
894 } 911 }
895 if ((md == NULL) && ((md = NCONF_get_string(conf, 912 if ((md == NULL) && ((md = NCONF_get_string(conf, section,
896 section, ENV_DEFAULT_MD)) == NULL)) { 913 ENV_DEFAULT_MD)) == NULL)) {
897 lookup_fail(section, ENV_DEFAULT_MD); 914 lookup_fail(section, ENV_DEFAULT_MD);
898 goto err; 915 goto err;
899 } 916 }
@@ -906,12 +923,13 @@ ca_main(int argc, char **argv)
906 md = (char *) OBJ_nid2sn(def_nid); 923 md = (char *) OBJ_nid2sn(def_nid);
907 } 924 }
908 if ((dgst = EVP_get_digestbyname(md)) == NULL) { 925 if ((dgst = EVP_get_digestbyname(md)) == NULL) {
909 BIO_printf(bio_err, "%s is an unsupported message digest type\n", md); 926 BIO_printf(bio_err,
927 "%s is an unsupported message digest type\n", md);
910 goto err; 928 goto err;
911 } 929 }
912 if (req) { 930 if (req) {
913 if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf, 931 if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
914 section, ENV_DEFAULT_EMAIL_DN)) != NULL)) { 932 section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
915 if (strcmp(tmp_email_dn, "no") == 0) 933 if (strcmp(tmp_email_dn, "no") == 0)
916 email_dn = 0; 934 email_dn = 0;
917 } 935 }
@@ -919,15 +937,15 @@ ca_main(int argc, char **argv)
919 BIO_printf(bio_err, "message digest is %s\n", 937 BIO_printf(bio_err, "message digest is %s\n",
920 OBJ_nid2ln(dgst->type)); 938 OBJ_nid2ln(dgst->type));
921 if ((policy == NULL) && ((policy = NCONF_get_string(conf, 939 if ((policy == NULL) && ((policy = NCONF_get_string(conf,
922 section, ENV_POLICY)) == NULL)) { 940 section, ENV_POLICY)) == NULL)) {
923 lookup_fail(section, ENV_POLICY); 941 lookup_fail(section, ENV_POLICY);
924 goto err; 942 goto err;
925 } 943 }
926 if (verbose) 944 if (verbose)
927 BIO_printf(bio_err, "policy is %s\n", policy); 945 BIO_printf(bio_err, "policy is %s\n", policy);
928 946
929 if ((serialfile = NCONF_get_string(conf, section, ENV_SERIAL)) 947 if ((serialfile = NCONF_get_string(conf, section,
930 == NULL) { 948 ENV_SERIAL)) == NULL) {
931 lookup_fail(section, ENV_SERIAL); 949 lookup_fail(section, ENV_SERIAL);
932 goto err; 950 goto err;
933 } 951 }
@@ -947,8 +965,8 @@ ca_main(int argc, char **argv)
947 X509V3_CTX ctx; 965 X509V3_CTX ctx;
948 X509V3_set_ctx_test(&ctx); 966 X509V3_set_ctx_test(&ctx);
949 X509V3_set_nconf(&ctx, conf); 967 X509V3_set_nconf(&ctx, conf);
950 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, 968 if (!X509V3_EXT_add_nconf(conf, &ctx,
951 NULL)) { 969 extensions, NULL)) {
952 BIO_printf(bio_err, 970 BIO_printf(bio_err,
953 "Error Loading extension section %s\n", 971 "Error Loading extension section %s\n",
954 extensions); 972 extensions);
@@ -981,29 +999,36 @@ ca_main(int argc, char **argv)
981 goto err; 999 goto err;
982 } 1000 }
983 if (days == 0) { 1001 if (days == 0) {
984 if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) 1002 if (!NCONF_get_number(conf, section,
1003 ENV_DEFAULT_DAYS, &days))
985 days = 0; 1004 days = 0;
986 } 1005 }
987 if (!enddate && (days == 0)) { 1006 if (!enddate && (days == 0)) {
988 BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); 1007 BIO_printf(bio_err,
1008 "cannot lookup how many days to certify for\n");
989 goto err; 1009 goto err;
990 } 1010 }
991 if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { 1011 if ((serial = load_serial(serialfile, create_ser, NULL)) ==
992 BIO_printf(bio_err, "error while loading serial number\n"); 1012 NULL) {
1013 BIO_printf(bio_err,
1014 "error while loading serial number\n");
993 goto err; 1015 goto err;
994 } 1016 }
995 if (verbose) { 1017 if (verbose) {
996 if (BN_is_zero(serial)) 1018 if (BN_is_zero(serial))
997 BIO_printf(bio_err, "next serial number is 00\n"); 1019 BIO_printf(bio_err,
1020 "next serial number is 00\n");
998 else { 1021 else {
999 if ((f = BN_bn2hex(serial)) == NULL) 1022 if ((f = BN_bn2hex(serial)) == NULL)
1000 goto err; 1023 goto err;
1001 BIO_printf(bio_err, "next serial number is %s\n", f); 1024 BIO_printf(bio_err,
1025 "next serial number is %s\n", f);
1002 free(f); 1026 free(f);
1003 } 1027 }
1004 } 1028 }
1005 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 1029 if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
1006 BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); 1030 BIO_printf(bio_err,
1031 "unable to find 'section' for %s\n", policy);
1007 goto err; 1032 goto err;
1008 } 1033 }
1009 if ((cert_sk = sk_X509_new_null()) == NULL) { 1034 if ((cert_sk = sk_X509_new_null()) == NULL) {
@@ -1012,10 +1037,11 @@ ca_main(int argc, char **argv)
1012 } 1037 }
1013 if (spkac_file != NULL) { 1038 if (spkac_file != NULL) {
1014 total++; 1039 total++;
1015 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts, 1040 j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
1016 attribs, db, serial, subj, chtype, multirdn, 1041 sigopts, attribs, db, serial, subj, chtype,
1017 email_dn, startdate, enddate, days, extensions, 1042 multirdn, email_dn, startdate, enddate, days,
1018 conf, verbose, certopt, nameopt, default_op, ext_copy); 1043 extensions, conf, verbose, certopt, nameopt,
1044 default_op, ext_copy);
1019 if (j < 0) 1045 if (j < 0)
1020 goto err; 1046 goto err;
1021 if (j > 0) { 1047 if (j > 0) {
@@ -1024,7 +1050,8 @@ ca_main(int argc, char **argv)
1024 if (!BN_add_word(serial, 1)) 1050 if (!BN_add_word(serial, 1))
1025 goto err; 1051 goto err;
1026 if (!sk_X509_push(cert_sk, x)) { 1052 if (!sk_X509_push(cert_sk, x)) {
1027 BIO_printf(bio_err, "Memory allocation failure\n"); 1053 BIO_printf(bio_err,
1054 "Memory allocation failure\n");
1028 goto err; 1055 goto err;
1029 } 1056 }
1030 if (outfile) { 1057 if (outfile) {
@@ -1035,9 +1062,9 @@ ca_main(int argc, char **argv)
1035 } 1062 }
1036 if (ss_cert_file != NULL) { 1063 if (ss_cert_file != NULL) {
1037 total++; 1064 total++;
1038 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, sigopts, 1065 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
1039 attribs, 1066 sigopts, attribs, db, serial, subj, chtype,
1040 db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, 1067 multirdn, email_dn, startdate, enddate, days, batch,
1041 extensions, conf, verbose, certopt, nameopt, 1068 extensions, conf, verbose, certopt, nameopt,
1042 default_op, ext_copy, e); 1069 default_op, ext_copy, e);
1043 if (j < 0) 1070 if (j < 0)
@@ -1048,15 +1075,17 @@ ca_main(int argc, char **argv)
1048 if (!BN_add_word(serial, 1)) 1075 if (!BN_add_word(serial, 1))
1049 goto err; 1076 goto err;
1050 if (!sk_X509_push(cert_sk, x)) { 1077 if (!sk_X509_push(cert_sk, x)) {
1051 BIO_printf(bio_err, "Memory allocation failure\n"); 1078 BIO_printf(bio_err,
1079 "Memory allocation failure\n");
1052 goto err; 1080 goto err;
1053 } 1081 }
1054 } 1082 }
1055 } 1083 }
1056 if (infile != NULL) { 1084 if (infile != NULL) {
1057 total++; 1085 total++;
1058 j = certify(&x, infile, pkey, x509p, dgst, sigopts, attribs, db, 1086 j = certify(&x, infile, pkey, x509p, dgst, sigopts,
1059 serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, 1087 attribs, db, serial, subj, chtype, multirdn,
1088 email_dn, startdate, enddate, days, batch,
1060 extensions, conf, verbose, certopt, nameopt, 1089 extensions, conf, verbose, certopt, nameopt,
1061 default_op, ext_copy, selfsign); 1090 default_op, ext_copy, selfsign);
1062 if (j < 0) 1091 if (j < 0)
@@ -1067,15 +1096,17 @@ ca_main(int argc, char **argv)
1067 if (!BN_add_word(serial, 1)) 1096 if (!BN_add_word(serial, 1))
1068 goto err; 1097 goto err;
1069 if (!sk_X509_push(cert_sk, x)) { 1098 if (!sk_X509_push(cert_sk, x)) {
1070 BIO_printf(bio_err, "Memory allocation failure\n"); 1099 BIO_printf(bio_err,
1100 "Memory allocation failure\n");
1071 goto err; 1101 goto err;
1072 } 1102 }
1073 } 1103 }
1074 } 1104 }
1075 for (i = 0; i < argc; i++) { 1105 for (i = 0; i < argc; i++) {
1076 total++; 1106 total++;
1077 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, attribs, db, 1107 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
1078 serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, 1108 attribs, db, serial, subj, chtype, multirdn,
1109 email_dn, startdate, enddate, days, batch,
1079 extensions, conf, verbose, certopt, nameopt, 1110 extensions, conf, verbose, certopt, nameopt,
1080 default_op, ext_copy, selfsign); 1111 default_op, ext_copy, selfsign);
1081 if (j < 0) 1112 if (j < 0)
@@ -1086,7 +1117,8 @@ ca_main(int argc, char **argv)
1086 if (!BN_add_word(serial, 1)) 1117 if (!BN_add_word(serial, 1))
1087 goto err; 1118 goto err;
1088 if (!sk_X509_push(cert_sk, x)) { 1119 if (!sk_X509_push(cert_sk, x)) {
1089 BIO_printf(bio_err, "Memory allocation failure\n"); 1120 BIO_printf(bio_err,
1121 "Memory allocation failure\n");
1090 goto err; 1122 goto err;
1091 } 1123 }
1092 } 1124 }
@@ -1130,7 +1162,7 @@ ca_main(int argc, char **argv)
1130 x = sk_X509_value(cert_sk, i); 1162 x = sk_X509_value(cert_sk, i);
1131 1163
1132 j = x->cert_info->serialNumber->length; 1164 j = x->cert_info->serialNumber->length;
1133 data = (unsigned char *) x->cert_info->serialNumber->data; 1165 data = (unsigned char *)x->cert_info->serialNumber->data;
1134 if (j > 0) 1166 if (j > 0)
1135 serial = bin2hex(data, j); 1167 serial = bin2hex(data, j);
1136 else 1168 else
@@ -1192,18 +1224,20 @@ ca_main(int argc, char **argv)
1192 goto err; 1224 goto err;
1193 } 1225 }
1194 } 1226 }
1195 if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) 1227 if ((crlnumberfile = NCONF_get_string(conf, section,
1196 != NULL) 1228 ENV_CRLNUMBER)) != NULL)
1197 if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { 1229 if ((crlnumber = load_serial(crlnumberfile, 0,
1198 BIO_printf(bio_err, "error while loading CRL number\n"); 1230 NULL)) == NULL) {
1231 BIO_printf(bio_err,
1232 "error while loading CRL number\n");
1199 goto err; 1233 goto err;
1200 } 1234 }
1201 if (!crldays && !crlhours && !crlsec) { 1235 if (!crldays && !crlhours && !crlsec) {
1202 if (!NCONF_get_number(conf, section, 1236 if (!NCONF_get_number(conf, section,
1203 ENV_DEFAULT_CRL_DAYS, &crldays)) 1237 ENV_DEFAULT_CRL_DAYS, &crldays))
1204 crldays = 0; 1238 crldays = 0;
1205 if (!NCONF_get_number(conf, section, 1239 if (!NCONF_get_number(conf, section,
1206 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1240 ENV_DEFAULT_CRL_HOURS, &crlhours))
1207 crlhours = 0; 1241 crlhours = 0;
1208 ERR_clear_error(); 1242 ERR_clear_error();
1209 } 1243 }
@@ -1223,8 +1257,8 @@ ca_main(int argc, char **argv)
1223 goto err; 1257 goto err;
1224 X509_gmtime_adj(tmptm, 0); 1258 X509_gmtime_adj(tmptm, 0);
1225 X509_CRL_set_lastUpdate(crl, tmptm); 1259 X509_CRL_set_lastUpdate(crl, tmptm);
1226 if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, 1260 if (!X509_time_adj_ex(tmptm, crldays,
1227 NULL)) { 1261 crlhours * 60 * 60 + crlsec, NULL)) {
1228 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1262 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1229 goto err; 1263 goto err;
1230 } 1264 }
@@ -1273,13 +1307,14 @@ ca_main(int argc, char **argv)
1273 1307
1274 if (crl_ext) 1308 if (crl_ext)
1275 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, 1309 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1276 crl_ext, crl)) 1310 crl_ext, crl))
1277 goto err; 1311 goto err;
1278 if (crlnumberfile != NULL) { 1312 if (crlnumberfile != NULL) {
1279 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1313 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1280 if (!tmpser) 1314 if (!tmpser)
1281 goto err; 1315 goto err;
1282 X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); 1316 X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1317 tmpser, 0, 0);
1283 ASN1_INTEGER_free(tmpser); 1318 ASN1_INTEGER_free(tmpser);
1284 crl_v2 = 1; 1319 crl_v2 = 1;
1285 if (!BN_add_word(crlnumber, 1)) 1320 if (!BN_add_word(crlnumber, 1))
@@ -1336,6 +1371,7 @@ ca_main(int argc, char **argv)
1336 } 1371 }
1337 /*****************************************************************/ 1372 /*****************************************************************/
1338 ret = 0; 1373 ret = 0;
1374
1339err: 1375err:
1340 if (tofree) 1376 if (tofree)
1341 free(tofree); 1377 free(tofree);
@@ -1404,7 +1440,8 @@ certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1404 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1440 BIO_printf(bio_err, "Check that the request matches the signature\n");
1405 1441
1406 if (selfsign && !X509_REQ_check_private_key(req, pkey)) { 1442 if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1407 BIO_printf(bio_err, "Certificate request and CA private key do not match\n"); 1443 BIO_printf(bio_err,
1444 "Certificate request and CA private key do not match\n");
1408 ok = 0; 1445 ok = 0;
1409 goto err; 1446 goto err;
1410 } 1447 }
@@ -1421,15 +1458,16 @@ certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1421 } 1458 }
1422 if (i == 0) { 1459 if (i == 0) {
1423 ok = 0; 1460 ok = 0;
1424 BIO_printf(bio_err, "Signature did not match the certificate request\n"); 1461 BIO_printf(bio_err,
1462 "Signature did not match the certificate request\n");
1425 goto err; 1463 goto err;
1426 } else 1464 } else
1427 BIO_printf(bio_err, "Signature ok\n"); 1465 BIO_printf(bio_err, "Signature ok\n");
1428 1466
1429 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, 1467 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1430 multirdn, email_dn, 1468 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1431 startdate, enddate, days, batch, verbose, req, ext_sect, lconf, 1469 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1432 certopt, nameopt, default_op, ext_copy, selfsign); 1470 ext_copy, selfsign);
1433 1471
1434err: 1472err:
1435 if (req != NULL) 1473 if (req != NULL)
@@ -1453,7 +1491,8 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1453 EVP_PKEY *pktmp = NULL; 1491 EVP_PKEY *pktmp = NULL;
1454 int ok = -1, i; 1492 int ok = -1, i;
1455 1493
1456 if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL) 1494 if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
1495 infile)) == NULL)
1457 goto err; 1496 goto err;
1458 if (verbose) 1497 if (verbose)
1459 X509_print(bio_err, req); 1498 X509_print(bio_err, req);
@@ -1473,7 +1512,8 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1473 } 1512 }
1474 if (i == 0) { 1513 if (i == 0) {
1475 ok = 0; 1514 ok = 0;
1476 BIO_printf(bio_err, "Signature did not match the certificate\n"); 1515 BIO_printf(bio_err,
1516 "Signature did not match the certificate\n");
1477 goto err; 1517 goto err;
1478 } else 1518 } else
1479 BIO_printf(bio_err, "Signature ok\n"); 1519 BIO_printf(bio_err, "Signature ok\n");
@@ -1481,8 +1521,9 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
1481 if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) 1521 if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1482 goto err; 1522 goto err;
1483 1523
1484 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, 1524 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1485 days, batch, verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, 1525 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1526 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1486 ext_copy, 0); 1527 ext_copy, 0);
1487 1528
1488err: 1529err:
@@ -1539,7 +1580,8 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1539 X509_NAME_free(n); 1580 X509_NAME_free(n);
1540 } 1581 }
1541 if (default_op) 1582 if (default_op)
1542 BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); 1583 BIO_printf(bio_err,
1584 "The Subject's Distinguished Name is as follows\n");
1543 1585
1544 name = X509_REQ_get_subject_name(req); 1586 name = X509_REQ_get_subject_name(req);
1545 for (i = 0; i < X509_NAME_entry_count(name); i++) { 1587 for (i = 0; i < X509_NAME_entry_count(name); i++) {
@@ -1572,12 +1614,13 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1572 BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n"); 1614 BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
1573 goto err; 1615 goto err;
1574 } 1616 }
1575 if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING)) { 1617 if ((str->type != V_ASN1_BMPSTRING) &&
1618 (str->type != V_ASN1_UTF8STRING)) {
1576 j = ASN1_PRINTABLE_type(str->data, str->length); 1619 j = ASN1_PRINTABLE_type(str->data, str->length);
1577 if (((j == V_ASN1_T61STRING) && 1620 if (((j == V_ASN1_T61STRING) &&
1578 (str->type != V_ASN1_T61STRING)) || 1621 (str->type != V_ASN1_T61STRING)) ||
1579 ((j == V_ASN1_IA5STRING) && 1622 ((j == V_ASN1_IA5STRING) &&
1580 (str->type == V_ASN1_PRINTABLESTRING))) { 1623 (str->type == V_ASN1_PRINTABLESTRING))) {
1581 BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n"); 1624 BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
1582 goto err; 1625 goto err;
1583 } 1626 }
@@ -1641,7 +1684,7 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1641 } 1684 }
1642 last2 = -1; 1685 last2 = -1;
1643 1686
1644 again2: 1687again2:
1645 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); 1688 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1646 if ((j < 0) && (last2 == -1)) { 1689 if ((j < 0) && (last2 == -1)) {
1647 BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name); 1690 BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
@@ -1665,10 +1708,12 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1665 } 1708 }
1666 1709
1667 if (push != NULL) { 1710 if (push != NULL) {
1668 if (!X509_NAME_add_entry(subject, push, -1, 0)) { 1711 if (!X509_NAME_add_entry(subject, push,
1712 -1, 0)) {
1669 if (push != NULL) 1713 if (push != NULL)
1670 X509_NAME_ENTRY_free(push); 1714 X509_NAME_ENTRY_free(push);
1671 BIO_printf(bio_err, "Memory allocation failure\n"); 1715 BIO_printf(bio_err,
1716 "Memory allocation failure\n");
1672 goto err; 1717 goto err;
1673 } 1718 }
1674 } 1719 }
@@ -1706,7 +1751,7 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1706 goto err; 1751 goto err;
1707 } 1752 }
1708 while ((i = X509_NAME_get_index_by_NID(dn_subject, 1753 while ((i = X509_NAME_get_index_by_NID(dn_subject,
1709 NID_pkcs9_emailAddress, -1)) >= 0) { 1754 NID_pkcs9_emailAddress, -1)) >= 0) {
1710 tmpne = X509_NAME_get_entry(dn_subject, i); 1755 tmpne = X509_NAME_get_entry(dn_subject, i);
1711 X509_NAME_delete_entry(dn_subject, i); 1756 X509_NAME_delete_entry(dn_subject, i);
1712 X509_NAME_ENTRY_free(tmpne); 1757 X509_NAME_ENTRY_free(tmpne);
@@ -1734,7 +1779,8 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1734 if (rrow == NULL) { 1779 if (rrow == NULL) {
1735 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 1780 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1736 if (rrow != NULL) { 1781 if (rrow != NULL) {
1737 BIO_printf(bio_err, "ERROR:Serial number %s has already been issued,\n", 1782 BIO_printf(bio_err,
1783 "ERROR:Serial number %s has already been issued,\n",
1738 row[DB_serial]); 1784 row[DB_serial]);
1739 BIO_printf(bio_err, " check the database/serial_file for corruption\n"); 1785 BIO_printf(bio_err, " check the database/serial_file for corruption\n");
1740 } 1786 }
@@ -1845,7 +1891,8 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1845 1891
1846 if (extconf) { 1892 if (extconf) {
1847 if (verbose) 1893 if (verbose)
1848 BIO_printf(bio_err, "Extra configuration file found\n"); 1894 BIO_printf(bio_err,
1895 "Extra configuration file found\n");
1849 1896
1850 /* Use the extconf configuration db LHASH */ 1897 /* Use the extconf configuration db LHASH */
1851 X509V3_set_nconf(&ctx, extconf); 1898 X509V3_set_nconf(&ctx, extconf);
@@ -1854,7 +1901,8 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1854 /* X509V3_set_ctx_test(&ctx); */ 1901 /* X509V3_set_ctx_test(&ctx); */
1855 1902
1856 /* Adds exts contained in the configuration file */ 1903 /* Adds exts contained in the configuration file */
1857 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) { 1904 if (!X509V3_EXT_add_nconf(extconf, &ctx,
1905 ext_sect, ret)) {
1858 BIO_printf(bio_err, 1906 BIO_printf(bio_err,
1859 "ERROR: adding extensions in section %s\n", 1907 "ERROR: adding extensions in section %s\n",
1860 ext_sect); 1908 ext_sect);
@@ -1868,7 +1916,9 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1868 X509V3_set_nconf(&ctx, lconf); 1916 X509V3_set_nconf(&ctx, lconf);
1869 1917
1870 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) { 1918 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
1871 BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); 1919 BIO_printf(bio_err,
1920 "ERROR: adding extensions in section %s\n",
1921 ext_sect);
1872 ERR_print_errors(bio_err); 1922 ERR_print_errors(bio_err);
1873 goto err; 1923 goto err;
1874 } 1924 }
@@ -1909,12 +1959,14 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1909 (void) BIO_flush(bio_err); 1959 (void) BIO_flush(bio_err);
1910 buf[0] = '\0'; 1960 buf[0] = '\0';
1911 if (!fgets(buf, sizeof(buf) - 1, stdin)) { 1961 if (!fgets(buf, sizeof(buf) - 1, stdin)) {
1912 BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); 1962 BIO_printf(bio_err,
1963 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1913 ok = 0; 1964 ok = 0;
1914 goto err; 1965 goto err;
1915 } 1966 }
1916 if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { 1967 if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
1917 BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); 1968 BIO_printf(bio_err,
1969 "CERTIFICATE WILL NOT BE CERTIFIED\n");
1918 ok = 0; 1970 ok = 0;
1919 goto err; 1971 goto err;
1920 } 1972 }
@@ -1951,7 +2003,8 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1951 row[DB_type][0] = 'V'; 2003 row[DB_type][0] = 'V';
1952 row[DB_type][1] = '\0'; 2004 row[DB_type][1] = '\0';
1953 2005
1954 if ((irow = (char **) malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { 2006 if ((irow = (char **)malloc(sizeof(char *) * (DB_NUMBER + 1))) ==
2007 NULL) {
1955 BIO_printf(bio_err, "Memory allocation failure\n"); 2008 BIO_printf(bio_err, "Memory allocation failure\n");
1956 goto err; 2009 goto err;
1957 } 2010 }
@@ -2042,13 +2095,15 @@ certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2042 */ 2095 */
2043 parms = CONF_load(NULL, infile, &errline); 2096 parms = CONF_load(NULL, infile, &errline);
2044 if (parms == NULL) { 2097 if (parms == NULL) {
2045 BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); 2098 BIO_printf(bio_err, "error on line %ld of %s\n",
2099 errline, infile);
2046 ERR_print_errors(bio_err); 2100 ERR_print_errors(bio_err);
2047 goto err; 2101 goto err;
2048 } 2102 }
2049 sk = CONF_get_section(parms, "default"); 2103 sk = CONF_get_section(parms, "default");
2050 if (sk_CONF_VALUE_num(sk) == 0) { 2104 if (sk_CONF_VALUE_num(sk) == 0) {
2051 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); 2105 BIO_printf(bio_err, "no name/value pairs found in %s\n",
2106 infile);
2052 CONF_free(parms); 2107 CONF_free(parms);
2053 goto err; 2108 goto err;
2054 } 2109 }
@@ -2070,7 +2125,7 @@ certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2070 ri = req->req_info; 2125 ri = req->req_info;
2071 n = ri->subject; 2126 n = ri->subject;
2072 2127
2073 for (i = 0;; i++) { 2128 for (i = 0; ; i++) {
2074 if (sk_CONF_VALUE_num(sk) <= i) 2129 if (sk_CONF_VALUE_num(sk) <= i)
2075 break; 2130 break;
2076 2131
@@ -2102,19 +2157,20 @@ certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2102 continue; 2157 continue;
2103 } 2158 }
2104 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 2159 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2105 (unsigned char *) buf, -1, -1, 0)) 2160 (unsigned char *)buf, -1, -1, 0))
2106 goto err; 2161 goto err;
2107 } 2162 }
2108 if (spki == NULL) { 2163 if (spki == NULL) {
2109 BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", 2164 BIO_printf(bio_err,
2110 infile); 2165 "Netscape SPKAC structure not found in %s\n", infile);
2111 goto err; 2166 goto err;
2112 } 2167 }
2113 /* 2168 /*
2114 * Now extract the key from the SPKI structure. 2169 * Now extract the key from the SPKI structure.
2115 */ 2170 */
2116 2171
2117 BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); 2172 BIO_printf(bio_err,
2173 "Check that the SPKAC request matches the signature\n");
2118 2174
2119 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { 2175 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2120 BIO_printf(bio_err, "error unpacking SPKAC public key\n"); 2176 BIO_printf(bio_err, "error unpacking SPKAC public key\n");
@@ -2122,16 +2178,19 @@ certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
2122 } 2178 }
2123 j = NETSCAPE_SPKI_verify(spki, pktmp); 2179 j = NETSCAPE_SPKI_verify(spki, pktmp);
2124 if (j <= 0) { 2180 if (j <= 0) {
2125 BIO_printf(bio_err, "signature verification failed on SPKAC public key\n"); 2181 BIO_printf(bio_err,
2182 "signature verification failed on SPKAC public key\n");
2126 goto err; 2183 goto err;
2127 } 2184 }
2128 BIO_printf(bio_err, "Signature ok\n"); 2185 BIO_printf(bio_err, "Signature ok\n");
2129 2186
2130 X509_REQ_set_pubkey(req, pktmp); 2187 X509_REQ_set_pubkey(req, pktmp);
2131 EVP_PKEY_free(pktmp); 2188 EVP_PKEY_free(pktmp);
2132 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, 2189 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2133 multirdn, email_dn, startdate, enddate, days, 1, verbose, req, 2190 subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2134 ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); 2191 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2192 ext_copy, 0);
2193
2135err: 2194err:
2136 if (req != NULL) 2195 if (req != NULL)
2137 X509_REQ_free(req); 2196 X509_REQ_free(req);
@@ -2181,7 +2240,9 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2181 */ 2240 */
2182 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2241 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2183 if (rrow == NULL) { 2242 if (rrow == NULL) {
2184 BIO_printf(bio_err, "Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]); 2243 BIO_printf(bio_err,
2244 "Adding Entry with serial number %s to DB for %s\n",
2245 row[DB_serial], row[DB_name]);
2185 2246
2186 /* We now just add it to the database */ 2247 /* We now just add it to the database */
2187 row[DB_type] = (char *) malloc(2); 2248 row[DB_type] = (char *) malloc(2);
@@ -2207,7 +2268,8 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2207 row[DB_type][0] = 'V'; 2268 row[DB_type][0] = 'V';
2208 row[DB_type][1] = '\0'; 2269 row[DB_type][1] = '\0';
2209 2270
2210 if ((irow = (char **) malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { 2271 if ((irow = (char **)malloc(sizeof(char *) *
2272 (DB_NUMBER + 1))) == NULL) {
2211 BIO_printf(bio_err, "Memory allocation failure\n"); 2273 BIO_printf(bio_err, "Memory allocation failure\n");
2212 goto err; 2274 goto err;
2213 } 2275 }
@@ -2219,7 +2281,8 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2219 2281
2220 if (!TXT_DB_insert(db->db, irow)) { 2282 if (!TXT_DB_insert(db->db, irow)) {
2221 BIO_printf(bio_err, "failed to update database\n"); 2283 BIO_printf(bio_err, "failed to update database\n");
2222 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 2284 BIO_printf(bio_err, "TXT_DB error number %ld\n",
2285 db->db->error);
2223 goto err; 2286 goto err;
2224 } 2287 }
2225 /* Revoke Certificate */ 2288 /* Revoke Certificate */
@@ -2236,7 +2299,8 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2236 row[DB_serial]); 2299 row[DB_serial]);
2237 goto err; 2300 goto err;
2238 } else { 2301 } else {
2239 BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); 2302 BIO_printf(bio_err, "Revoking Certificate %s.\n",
2303 rrow[DB_serial]);
2240 rev_str = make_revocation_str(type, value); 2304 rev_str = make_revocation_str(type, value);
2241 if (!rev_str) { 2305 if (!rev_str) {
2242 BIO_printf(bio_err, "Error in revocation arguments\n"); 2306 BIO_printf(bio_err, "Error in revocation arguments\n");
@@ -2247,6 +2311,7 @@ do_revoke(X509 * x509, CA_DB * db, int type, char *value)
2247 rrow[DB_rev_date] = rev_str; 2311 rrow[DB_rev_date] = rev_str;
2248 } 2312 }
2249 ok = 1; 2313 ok = 1;
2314
2250err: 2315err:
2251 for (i = 0; i < DB_NUMBER; i++) { 2316 for (i = 0; i < DB_NUMBER; i++) {
2252 if (row[i] != NULL) 2317 if (row[i] != NULL)
@@ -2272,7 +2337,7 @@ get_certificate_status(const char *serial, CA_DB * db)
2272 goto err; 2337 goto err;
2273 } 2338 }
2274 if (strlen(serial) % 2) { 2339 if (strlen(serial) % 2) {
2275 /* Set the first char to 0 */ ; 2340 /* Set the first char to 0 */ ;
2276 row[DB_serial][0] = '0'; 2341 row[DB_serial][0] = '0';
2277 2342
2278 /* Copy String from serial to row[DB_serial] */ 2343 /* Copy String from serial to row[DB_serial] */
@@ -2319,6 +2384,7 @@ get_certificate_status(const char *serial, CA_DB * db)
2319 row[DB_serial], rrow[DB_type][0]); 2384 row[DB_serial], rrow[DB_type][0]);
2320 ok = -1; 2385 ok = -1;
2321 } 2386 }
2387
2322err: 2388err:
2323 for (i = 0; i < DB_NUMBER; i++) { 2389 for (i = 0; i < DB_NUMBER; i++) {
2324 if (row[i] != NULL) 2390 if (row[i] != NULL)
@@ -2327,7 +2393,7 @@ err:
2327 return (ok); 2393 return (ok);
2328} 2394}
2329 2395
2330static int 2396static int
2331do_updatedb(CA_DB * db) 2397do_updatedb(CA_DB * db)
2332{ 2398{
2333 ASN1_UTCTIME *a_tm = NULL; 2399 ASN1_UTCTIME *a_tm = NULL;
@@ -2448,7 +2514,8 @@ make_revocation_str(int rev_type, char *rev_arg)
2448 ASN1_OBJECT_free(otmp); 2514 ASN1_OBJECT_free(otmp);
2449 2515
2450 if (otmp == NULL) { 2516 if (otmp == NULL) {
2451 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); 2517 BIO_printf(bio_err,
2518 "Invalid object identifier %s\n", rev_arg);
2452 return NULL; 2519 return NULL;
2453 } 2520 }
2454 reason = "holdInstruction"; 2521 reason = "holdInstruction";
@@ -2460,7 +2527,9 @@ make_revocation_str(int rev_type, char *rev_arg)
2460 2527
2461 /* Argument is the key compromise time */ 2528 /* Argument is the key compromise time */
2462 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { 2529 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2463 BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg); 2530 BIO_printf(bio_err,
2531 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2532 rev_arg);
2464 return NULL; 2533 return NULL;
2465 } 2534 }
2466 other = rev_arg; 2535 other = rev_arg;
@@ -2475,9 +2544,9 @@ make_revocation_str(int rev_type, char *rev_arg)
2475 2544
2476 revtm = X509_gmtime_adj(NULL, 0); 2545 revtm = X509_gmtime_adj(NULL, 0);
2477 if (asprintf(&str, "%s%s%s%s%s", revtm->data, 2546 if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2478 reason ? "," : "", reason ? reason : "", 2547 reason ? "," : "", reason ? reason : "",
2479 other ? "," : "", other ? other : "") == -1) 2548 other ? "," : "", other ? other : "") == -1)
2480 str = NULL; 2549 str = NULL;
2481 ASN1_UTCTIME_free(revtm); 2550 ASN1_UTCTIME_free(revtm);
2482 return str; 2551 return str;
2483} 2552}
@@ -2517,11 +2586,13 @@ make_revoked(X509_REVOKED * rev, const char *str)
2517 goto err; 2586 goto err;
2518 } 2587 }
2519 if (rev && comp_time) { 2588 if (rev && comp_time) {
2520 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) 2589 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2590 comp_time, 0, 0))
2521 goto err; 2591 goto err;
2522 } 2592 }
2523 if (rev && hold) { 2593 if (rev && hold) {
2524 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) 2594 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2595 hold, 0, 0))
2525 goto err; 2596 goto err;
2526 } 2597 }
2527 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) 2598 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
@@ -2530,7 +2601,6 @@ make_revoked(X509_REVOKED * rev, const char *str)
2530 ret = 1; 2601 ret = 1;
2531 2602
2532err: 2603err:
2533
2534 if (tmp) 2604 if (tmp)
2535 free(tmp); 2605 free(tmp);
2536 ASN1_OBJECT_free(hold); 2606 ASN1_OBJECT_free(hold);
@@ -2546,6 +2616,7 @@ old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
2546{ 2616{
2547 char buf[25], *pbuf, *p; 2617 char buf[25], *pbuf, *p;
2548 int j; 2618 int j;
2619
2549 j = i2a_ASN1_OBJECT(bp, obj); 2620 j = i2a_ASN1_OBJECT(bp, obj);
2550 pbuf = buf; 2621 pbuf = buf;
2551 for (j = 22 - j; j > 0; j--) 2622 for (j = 22 - j; j > 0; j--)
@@ -2592,10 +2663,9 @@ unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2592 unsigned int i; 2663 unsigned int i;
2593 ASN1_OBJECT *hold = NULL; 2664 ASN1_OBJECT *hold = NULL;
2594 ASN1_GENERALIZEDTIME *comp_time = NULL; 2665 ASN1_GENERALIZEDTIME *comp_time = NULL;
2595 tmp = BUF_strdup(str);
2596 2666
2667 tmp = BUF_strdup(str);
2597 p = strchr(tmp, ','); 2668 p = strchr(tmp, ',');
2598
2599 rtime_str = tmp; 2669 rtime_str = tmp;
2600 2670
2601 if (p) { 2671 if (p) {
@@ -2611,7 +2681,8 @@ unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2611 if (prevtm) { 2681 if (prevtm) {
2612 *prevtm = ASN1_UTCTIME_new(); 2682 *prevtm = ASN1_UTCTIME_new();
2613 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { 2683 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2614 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); 2684 BIO_printf(bio_err, "invalid revocation date %s\n",
2685 rtime_str);
2615 goto err; 2686 goto err;
2616 } 2687 }
2617 } 2688 }
@@ -2623,33 +2694,39 @@ unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
2623 } 2694 }
2624 } 2695 }
2625 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { 2696 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2626 BIO_printf(bio_err, "invalid reason code %s\n", reason_str); 2697 BIO_printf(bio_err, "invalid reason code %s\n",
2698 reason_str);
2627 goto err; 2699 goto err;
2628 } 2700 }
2629 if (reason_code == 7) 2701 if (reason_code == 7)
2630 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; 2702 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2631 else if (reason_code == 8) { /* Hold instruction */ 2703 else if (reason_code == 8) { /* Hold instruction */
2632 if (!arg_str) { 2704 if (!arg_str) {
2633 BIO_printf(bio_err, "missing hold instruction\n"); 2705 BIO_printf(bio_err,
2706 "missing hold instruction\n");
2634 goto err; 2707 goto err;
2635 } 2708 }
2636 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; 2709 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2637 hold = OBJ_txt2obj(arg_str, 0); 2710 hold = OBJ_txt2obj(arg_str, 0);
2638 2711
2639 if (!hold) { 2712 if (!hold) {
2640 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); 2713 BIO_printf(bio_err,
2714 "invalid object identifier %s\n", arg_str);
2641 goto err; 2715 goto err;
2642 } 2716 }
2643 if (phold) 2717 if (phold)
2644 *phold = hold; 2718 *phold = hold;
2645 } else if ((reason_code == 9) || (reason_code == 10)) { 2719 } else if ((reason_code == 9) || (reason_code == 10)) {
2646 if (!arg_str) { 2720 if (!arg_str) {
2647 BIO_printf(bio_err, "missing compromised time\n"); 2721 BIO_printf(bio_err,
2722 "missing compromised time\n");
2648 goto err; 2723 goto err;
2649 } 2724 }
2650 comp_time = ASN1_GENERALIZEDTIME_new(); 2725 comp_time = ASN1_GENERALIZEDTIME_new();
2651 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { 2726 if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2652 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); 2727 arg_str)) {
2728 BIO_printf(bio_err,
2729 "invalid compromised time %s\n", arg_str);
2653 goto err; 2730 goto err;
2654 } 2731 }
2655 if (reason_code == 9) 2732 if (reason_code == 9)
@@ -2678,18 +2755,16 @@ err:
2678 return ret; 2755 return ret;
2679} 2756}
2680 2757
2681
2682static char * 2758static char *
2683bin2hex(unsigned char * data, size_t len) 2759bin2hex(unsigned char * data, size_t len)
2684{ 2760{
2685 char *ret = NULL; 2761 char *ret = NULL;
2686 char hex[]= "0123456789ABCDEF"; 2762 char hex[] = "0123456789ABCDEF";
2687 int i; 2763 int i;
2688 2764
2689 if ((ret = malloc(len * 2 + 1))) { 2765 if ((ret = malloc(len * 2 + 1))) {
2690 for (i = 0; i < len; i++) 2766 for (i = 0; i < len; i++) {
2691 { 2767 ret[i * 2 + 0] = hex[data[i] >> 4];
2692 ret[i * 2 + 0] = hex[data[i] >> 4 ];
2693 ret[i * 2 + 1] = hex[data[i] & 0x0F]; 2768 ret[i * 2 + 1] = hex[data[i] & 0x0F];
2694 } 2769 }
2695 ret[len * 2] = '\0'; 2770 ret[len * 2] = '\0';
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-31 13:14:21 +0000