4 files changed, 4 insertions, 317 deletions
diff --git a/src/usr.bin/openssl/Makefile b/src/usr.bin/openssl/Makefile
index ac42361932..e35b788500 100644
--- a/src/usr.bin/openssl/Makefile
+++ b/src/usr.bin/openssl/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.13 2024/05/27 16:11:43 tb Exp $
+#       $OpenBSD: Makefile,v 1.14 2024/07/08 05:59:10 tb Exp $
 .include <bsd.own.mk>
@@ -25,7 +25,7 @@ SRCS=	apps.c apps_posix.c asn1pars.c ca.c certhash.c ciphers.c cms.c crl.c \
        errstr.c gendh.c gendsa.c genpkey.c genrsa.c ocsp.c \
        openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \
        pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \
-        s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c ts.c \
+        s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c ts.c \
        verify.c version.c x509.c
 .include <bsd.prog.mk>
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 7a42b70f2b..adafb0bc71 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.36 2024/02/03 15:58:34 beck Exp $ */
+/* $OpenBSD: openssl.c,v 1.37 2024/07/08 05:59:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -184,7 +184,6 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_SPEED
        { FUNC_TYPE_GENERAL, "speed", speed_main },
 #endif
-        { FUNC_TYPE_GENERAL, "spkac", spkac_main },
        { FUNC_TYPE_GENERAL, "ts", ts_main },
        { FUNC_TYPE_GENERAL, "verify", verify_main },
        { FUNC_TYPE_GENERAL, "version", version_main },
diff --git a/src/usr.bin/openssl/progs.h b/src/usr.bin/openssl/progs.h
index 2696f20145..6cbc9d7b5f 100644
--- a/src/usr.bin/openssl/progs.h
+++ b/src/usr.bin/openssl/progs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progs.h,v 1.10 2024/05/18 08:47:13 jsg Exp $ */
+/* $OpenBSD: progs.h,v 1.11 2024/07/08 05:59:10 tb Exp $ */
 /* Public domain */
 int asn1parse_main(int argc, char **argv);
@@ -40,7 +40,6 @@ int s_time_main(int argc, char **argv);
 int sess_id_main(int argc, char **argv);
 int smime_main(int argc, char **argv);
 int speed_main(int argc, char **argv);
-int spkac_main(int argc, char **argv);
 int ts_main(int argc, char **argv);
 int verify_main(int argc, char **argv);
 int version_main(int argc, char **argv);
diff --git a/src/usr.bin/openssl/spkac.c b/src/usr.bin/openssl/spkac.c
deleted file mode 100644
index 12d530e3cf..0000000000
--- a/src/usr.bin/openssl/spkac.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/* $OpenBSD: spkac.c,v 1.13 2023/03/06 14:32:06 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999. Based on an original idea by Massimiliano Pala
- * (madwolf@openca.org).
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include "apps.h"
-#include "progs.h"
-#include <openssl/bio.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/lhash.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-static struct {
-        char *challenge;
-        char *infile;
-        char *keyfile;
-        int noout;
-        char *outfile;
-        char *passargin;
-        int pubkey;
-        char *spkac;
-        char *spksect;
-        int verify;
-} cfg;
-static const struct option spkac_options[] = {
-        {
-                .name = "challenge",
-                .argname = "string",
-                .desc = "Specify challenge string if SPKAC is generated",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.challenge,
-        },
-        {
-                .name = "in",
-                .argname = "file",
-                .desc = "Input file (default stdin)",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.infile,
-        },
-        {
-                .name = "key",
-                .argname = "file",
-                .desc = "Create SPKAC using private key file",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.keyfile,
-        },
-        {
-                .name = "noout",
-                .desc = "Do not print text version of SPKAC",
-                .type = OPTION_FLAG,
-                .opt.flag = &cfg.noout,
-        },
-        {
-                .name = "out",
-                .argname = "file",
-                .desc = "Output file (default stdout)",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.outfile,
-        },
-        {
-                .name = "passin",
-                .argname = "src",
-                .desc = "Input file passphrase source",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.passargin,
-        },
-        {
-                .name = "pubkey",
-                .desc = "Output public key of an SPKAC (not used if creating)",
-                .type = OPTION_FLAG,
-                .opt.flag = &cfg.pubkey,
-        },
-        {
-                .name = "spkac",
-                .argname = "name",
-                .desc = "SPKAC name (default \"SPKAC\")",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.spkac,
-        },
-        {
-                .name = "spksect",
-                .argname = "name",
-                .desc = "Name of the section containing SPKAC (default"
-                " \"default\")",
-                .type = OPTION_ARG,
-                .opt.arg = &cfg.spksect,
-        },
-        {
-                .name = "verify",
-                .desc = "Verify digital signature on supplied SPKAC",
-                .type = OPTION_FLAG,
-                .opt.flag = &cfg.verify,
-        },
-        { NULL }
-};
-static void
-spkac_usage(void)
-{
-        fprintf(stderr,
-            "usage: spkac [-challenge string] [-in file] "
-            "[-key file] [-noout]\n"
-            "    [-out file] [-passin src] [-pubkey] [-spkac name] "
-            "[-spksect section]\n"
-            "    [-verify]\n\n");
-        options_usage(spkac_options);
-}
-int
-spkac_main(int argc, char **argv)
-{
-        int i, ret = 1;
-        BIO *in = NULL, *out = NULL;
-        char *passin = NULL;
-        char *spkstr = NULL;
-        CONF *conf = NULL;
-        NETSCAPE_SPKI *spki = NULL;
-        EVP_PKEY *pkey = NULL;
-        if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
-                perror("pledge");
-                exit(1);
-        }
-        memset(&cfg, 0, sizeof(cfg));
-        cfg.spkac = "SPKAC";
-        cfg.spksect = "default";
-        if (options_parse(argc, argv, spkac_options, NULL, NULL) != 0) {
-                spkac_usage();
-                return (1);
-        }
-        if (!app_passwd(bio_err, cfg.passargin, NULL, &passin, NULL)) {
-                BIO_printf(bio_err, "Error getting password\n");
-                goto end;
-        }
-        if (cfg.keyfile) {
-                pkey = load_key(bio_err,
-                    strcmp(cfg.keyfile, "-") ? cfg.keyfile
-                    : NULL, FORMAT_PEM, 1, passin, "private key");
-                if (!pkey) {
-                        goto end;
-                }
-                spki = NETSCAPE_SPKI_new();
-                if (cfg.challenge)
-                        ASN1_STRING_set(spki->spkac->challenge,
-                            cfg.challenge,
-                            (int) strlen(cfg.challenge));
-                NETSCAPE_SPKI_set_pubkey(spki, pkey);
-                NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
-                spkstr = NETSCAPE_SPKI_b64_encode(spki);
-                if (spkstr == NULL) {
-                        BIO_printf(bio_err, "Error encoding SPKAC\n");
-                        ERR_print_errors(bio_err);
-                        goto end;
-                }
-                if (cfg.outfile)
-                        out = BIO_new_file(cfg.outfile, "w");
-                else
-                        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-                if (!out) {
-                        BIO_printf(bio_err, "Error opening output file\n");
-                        ERR_print_errors(bio_err);
-                } else {
-                        BIO_printf(out, "SPKAC=%s\n", spkstr);
-                        ret = 0;
-                }
-                free(spkstr);
-                goto end;
-        }
-        if (cfg.infile)
-                in = BIO_new_file(cfg.infile, "r");
-        else
-                in = BIO_new_fp(stdin, BIO_NOCLOSE);
-        if (!in) {
-                BIO_printf(bio_err, "Error opening input file\n");
-                ERR_print_errors(bio_err);
-                goto end;
-        }
-        conf = NCONF_new(NULL);
-        i = NCONF_load_bio(conf, in, NULL);
-        if (!i) {
-                BIO_printf(bio_err, "Error parsing config file\n");
-                ERR_print_errors(bio_err);
-                goto end;
-        }
-        spkstr = NCONF_get_string(conf, cfg.spksect,
-            cfg.spkac);
-        if (!spkstr) {
-                BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n",
-                    cfg.spkac);
-                ERR_print_errors(bio_err);
-                goto end;
-        }
-        spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
-        if (!spki) {
-                BIO_printf(bio_err, "Error loading SPKAC\n");
-                ERR_print_errors(bio_err);
-                goto end;
-        }
-        if (cfg.outfile)
-                out = BIO_new_file(cfg.outfile, "w");
-        else {
-                out = BIO_new_fp(stdout, BIO_NOCLOSE);
-        }
-        if (!out) {
-                BIO_printf(bio_err, "Error opening output file\n");
-                ERR_print_errors(bio_err);
-                goto end;
-        }
-        if (!cfg.noout)
-                NETSCAPE_SPKI_print(out, spki);
-        pkey = NETSCAPE_SPKI_get_pubkey(spki);
-        if (cfg.verify) {
-                i = NETSCAPE_SPKI_verify(spki, pkey);
-                if (i > 0)
-                        BIO_printf(bio_err, "Signature OK\n");
-                else {
-                        BIO_printf(bio_err, "Signature Failure\n");
-                        ERR_print_errors(bio_err);
-                        goto end;
-                }
-        }
-        if (cfg.pubkey)
-                PEM_write_bio_PUBKEY(out, pkey);
-        ret = 0;
- end:
-        NCONF_free(conf);
-        NETSCAPE_SPKI_free(spki);
-        BIO_free(in);
-        BIO_free_all(out);
-        EVP_PKEY_free(pkey);
-        free(passin);
-        return (ret);
-}

diff --git a/src/usr.bin/openssl/Makefile b/src/usr.bin/openssl/Makefile index ac42361932..e35b788500 100644 --- a/src/usr.bin/openssl/Makefile +++ b/src/usr.bin/openssl/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.13 2024/05/27 16:11:43 tb Exp $	1	# $OpenBSD: Makefile,v 1.14 2024/07/08 05:59:10 tb Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -25,7 +25,7 @@ SRCS= apps.c apps_posix.c asn1pars.c ca.c certhash.c ciphers.c cms.c crl.c \
25	errstr.c gendh.c gendsa.c genpkey.c genrsa.c ocsp.c \	25	errstr.c gendh.c gendsa.c genpkey.c genrsa.c ocsp.c \
26	openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \	26	openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \
27	pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \	27	pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \
28	s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c ts.c \	28	s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c ts.c \
29	verify.c version.c x509.c	29	verify.c version.c x509.c
30		30
31	.include <bsd.prog.mk>	31	.include <bsd.prog.mk>


diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c index 7a42b70f2b..adafb0bc71 100644 --- a/src/usr.bin/openssl/openssl.c +++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: openssl.c,v 1.36 2024/02/03 15:58:34 beck Exp $ */	1	/* $OpenBSD: openssl.c,v 1.37 2024/07/08 05:59:10 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -184,7 +184,6 @@ FUNCTION functions[] = {
184	#ifndef OPENSSL_NO_SPEED	184	#ifndef OPENSSL_NO_SPEED
185	{ FUNC_TYPE_GENERAL, "speed", speed_main },	185	{ FUNC_TYPE_GENERAL, "speed", speed_main },
186	#endif	186	#endif
187	{ FUNC_TYPE_GENERAL, "spkac", spkac_main },
188	{ FUNC_TYPE_GENERAL, "ts", ts_main },	187	{ FUNC_TYPE_GENERAL, "ts", ts_main },
189	{ FUNC_TYPE_GENERAL, "verify", verify_main },	188	{ FUNC_TYPE_GENERAL, "verify", verify_main },
190	{ FUNC_TYPE_GENERAL, "version", version_main },	189	{ FUNC_TYPE_GENERAL, "version", version_main },


diff --git a/src/usr.bin/openssl/progs.h b/src/usr.bin/openssl/progs.h index 2696f20145..6cbc9d7b5f 100644 --- a/src/usr.bin/openssl/progs.h +++ b/src/usr.bin/openssl/progs.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: progs.h,v 1.10 2024/05/18 08:47:13 jsg Exp $ */	1	/* $OpenBSD: progs.h,v 1.11 2024/07/08 05:59:10 tb Exp $ */
2	/* Public domain */	2	/* Public domain */
3		3
4	int asn1parse_main(int argc, char **argv);	4	int asn1parse_main(int argc, char **argv);
@@ -40,7 +40,6 @@ int s_time_main(int argc, char **argv);
40	int sess_id_main(int argc, char **argv);	40	int sess_id_main(int argc, char **argv);
41	int smime_main(int argc, char **argv);	41	int smime_main(int argc, char **argv);
42	int speed_main(int argc, char **argv);	42	int speed_main(int argc, char **argv);
43	int spkac_main(int argc, char **argv);
44	int ts_main(int argc, char **argv);	43	int ts_main(int argc, char **argv);
45	int verify_main(int argc, char **argv);	44	int verify_main(int argc, char **argv);
46	int version_main(int argc, char **argv);	45	int version_main(int argc, char **argv);


diff --git a/src/usr.bin/openssl/spkac.c b/src/usr.bin/openssl/spkac.c deleted file mode 100644 index 12d530e3cf..0000000000 --- a/src/usr.bin/openssl/spkac.c +++ /dev/null
@@ -1,311 +0,0 @@
1	/* $OpenBSD: spkac.c,v 1.13 2023/03/06 14:32:06 tb Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 1999. Based on an original idea by Massimiliano Pala
4	* (madwolf@openca.org).
5	*/
6	/* ====================================================================
7	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	*
13	* 1. Redistributions of source code must retain the above copyright
14	* notice, this list of conditions and the following disclaimer.
15	*
16	* 2. Redistributions in binary form must reproduce the above copyright
17	* notice, this list of conditions and the following disclaimer in
18	* the documentation and/or other materials provided with the
19	* distribution.
20	*
21	* 3. All advertising materials mentioning features or use of this
22	* software must display the following acknowledgment:
23	* "This product includes software developed by the OpenSSL Project
24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25	*
26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27	* endorse or promote products derived from this software without
28	* prior written permission. For written permission, please contact
29	* licensing@OpenSSL.org.
30	*
31	* 5. Products derived from this software may not be called "OpenSSL"
32	* nor may "OpenSSL" appear in their names without prior written
33	* permission of the OpenSSL Project.
34	*
35	* 6. Redistributions of any form whatsoever must retain the following
36	* acknowledgment:
37	* "This product includes software developed by the OpenSSL Project
38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39	*
40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	* OF THE POSSIBILITY OF SUCH DAMAGE.
52	* ====================================================================
53	*
54	* This product includes cryptographic software written by Eric Young
55	* (eay@cryptsoft.com). This product includes software written by Tim
56	* Hudson (tjh@cryptsoft.com).
57	*
58	*/
59
60	#include <stdio.h>
61	#include <stdlib.h>
62	#include <string.h>
63	#include <time.h>
64
65	#include "apps.h"
66	#include "progs.h"
67
68	#include <openssl/bio.h>
69	#include <openssl/conf.h>
70	#include <openssl/err.h>
71	#include <openssl/evp.h>
72	#include <openssl/lhash.h>
73	#include <openssl/pem.h>
74	#include <openssl/x509.h>
75
76	static struct {
77	char *challenge;
78	char *infile;
79	char *keyfile;
80	int noout;
81	char *outfile;
82	char *passargin;
83	int pubkey;
84	char *spkac;
85	char *spksect;
86	int verify;
87	} cfg;
88
89	static const struct option spkac_options[] = {
90	{
91	.name = "challenge",
92	.argname = "string",
93	.desc = "Specify challenge string if SPKAC is generated",
94	.type = OPTION_ARG,
95	.opt.arg = &cfg.challenge,
96	},
97	{
98	.name = "in",
99	.argname = "file",
100	.desc = "Input file (default stdin)",
101	.type = OPTION_ARG,
102	.opt.arg = &cfg.infile,
103	},
104	{
105	.name = "key",
106	.argname = "file",
107	.desc = "Create SPKAC using private key file",
108	.type = OPTION_ARG,
109	.opt.arg = &cfg.keyfile,
110	},
111	{
112	.name = "noout",
113	.desc = "Do not print text version of SPKAC",
114	.type = OPTION_FLAG,
115	.opt.flag = &cfg.noout,
116	},
117	{
118	.name = "out",
119	.argname = "file",
120	.desc = "Output file (default stdout)",
121	.type = OPTION_ARG,
122	.opt.arg = &cfg.outfile,
123	},
124	{
125	.name = "passin",
126	.argname = "src",
127	.desc = "Input file passphrase source",
128	.type = OPTION_ARG,
129	.opt.arg = &cfg.passargin,
130	},
131	{
132	.name = "pubkey",
133	.desc = "Output public key of an SPKAC (not used if creating)",
134	.type = OPTION_FLAG,
135	.opt.flag = &cfg.pubkey,
136	},
137	{
138	.name = "spkac",
139	.argname = "name",
140	.desc = "SPKAC name (default \"SPKAC\")",
141	.type = OPTION_ARG,
142	.opt.arg = &cfg.spkac,
143	},
144	{
145	.name = "spksect",
146	.argname = "name",
147	.desc = "Name of the section containing SPKAC (default"
148	" \"default\")",
149	.type = OPTION_ARG,
150	.opt.arg = &cfg.spksect,
151	},
152	{
153	.name = "verify",
154	.desc = "Verify digital signature on supplied SPKAC",
155	.type = OPTION_FLAG,
156	.opt.flag = &cfg.verify,
157	},
158	{ NULL }
159	};
160
161	static void
162	spkac_usage(void)
163	{
164	fprintf(stderr,
165	"usage: spkac [-challenge string] [-in file] "
166	"[-key file] [-noout]\n"
167	" [-out file] [-passin src] [-pubkey] [-spkac name] "
168	"[-spksect section]\n"
169	" [-verify]\n\n");
170	options_usage(spkac_options);
171	}
172
173	int
174	spkac_main(int argc, char **argv)
175	{
176	int i, ret = 1;
177	BIO in = NULL, out = NULL;
178	char *passin = NULL;
179	char *spkstr = NULL;
180	CONF *conf = NULL;
181	NETSCAPE_SPKI *spki = NULL;
182	EVP_PKEY *pkey = NULL;
183
184	if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
185	perror("pledge");
186	exit(1);
187	}
188
189	memset(&cfg, 0, sizeof(cfg));
190	cfg.spkac = "SPKAC";
191	cfg.spksect = "default";
192
193	if (options_parse(argc, argv, spkac_options, NULL, NULL) != 0) {
194	spkac_usage();
195	return (1);
196	}
197
198	if (!app_passwd(bio_err, cfg.passargin, NULL, &passin, NULL)) {
199	BIO_printf(bio_err, "Error getting password\n");
200	goto end;
201	}
202
203	if (cfg.keyfile) {
204	pkey = load_key(bio_err,
205	strcmp(cfg.keyfile, "-") ? cfg.keyfile
206	: NULL, FORMAT_PEM, 1, passin, "private key");
207	if (!pkey) {
208	goto end;
209	}
210	spki = NETSCAPE_SPKI_new();
211	if (cfg.challenge)
212	ASN1_STRING_set(spki->spkac->challenge,
213	cfg.challenge,
214	(int) strlen(cfg.challenge));
215	NETSCAPE_SPKI_set_pubkey(spki, pkey);
216	NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
217	spkstr = NETSCAPE_SPKI_b64_encode(spki);
218	if (spkstr == NULL) {
219	BIO_printf(bio_err, "Error encoding SPKAC\n");
220	ERR_print_errors(bio_err);
221	goto end;
222	}
223
224	if (cfg.outfile)
225	out = BIO_new_file(cfg.outfile, "w");
226	else
227	out = BIO_new_fp(stdout, BIO_NOCLOSE);
228
229	if (!out) {
230	BIO_printf(bio_err, "Error opening output file\n");
231	ERR_print_errors(bio_err);
232	} else {
233	BIO_printf(out, "SPKAC=%s\n", spkstr);
234	ret = 0;
235	}
236	free(spkstr);
237	goto end;
238	}
239	if (cfg.infile)
240	in = BIO_new_file(cfg.infile, "r");
241	else
242	in = BIO_new_fp(stdin, BIO_NOCLOSE);
243
244	if (!in) {
245	BIO_printf(bio_err, "Error opening input file\n");
246	ERR_print_errors(bio_err);
247	goto end;
248	}
249	conf = NCONF_new(NULL);
250	i = NCONF_load_bio(conf, in, NULL);
251
252	if (!i) {
253	BIO_printf(bio_err, "Error parsing config file\n");
254	ERR_print_errors(bio_err);
255	goto end;
256	}
257	spkstr = NCONF_get_string(conf, cfg.spksect,
258	cfg.spkac);
259
260	if (!spkstr) {
261	BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n",
262	cfg.spkac);
263	ERR_print_errors(bio_err);
264	goto end;
265	}
266	spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);
267
268	if (!spki) {
269	BIO_printf(bio_err, "Error loading SPKAC\n");
270	ERR_print_errors(bio_err);
271	goto end;
272	}
273	if (cfg.outfile)
274	out = BIO_new_file(cfg.outfile, "w");
275	else {
276	out = BIO_new_fp(stdout, BIO_NOCLOSE);
277	}
278
279	if (!out) {
280	BIO_printf(bio_err, "Error opening output file\n");
281	ERR_print_errors(bio_err);
282	goto end;
283	}
284	if (!cfg.noout)
285	NETSCAPE_SPKI_print(out, spki);
286	pkey = NETSCAPE_SPKI_get_pubkey(spki);
287	if (cfg.verify) {
288	i = NETSCAPE_SPKI_verify(spki, pkey);
289	if (i > 0)
290	BIO_printf(bio_err, "Signature OK\n");
291	else {
292	BIO_printf(bio_err, "Signature Failure\n");
293	ERR_print_errors(bio_err);
294	goto end;
295	}
296	}
297	if (cfg.pubkey)
298	PEM_write_bio_PUBKEY(out, pkey);
299
300	ret = 0;
301
302	end:
303	NCONF_free(conf);
304	NETSCAPE_SPKI_free(spki);
305	BIO_free(in);
306	BIO_free_all(out);
307	EVP_PKEY_free(pkey);
308	free(passin);
309
310	return (ret);
311	}