summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/ca.c1099
1 files changed, 643 insertions, 456 deletions
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 6952226ffb..8d1ea25470 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ca.c,v 1.28 2020/12/16 18:53:10 tb Exp $ */ 1/* $OpenBSD: ca.c,v 1.29 2021/07/15 09:56:32 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -120,47 +120,6 @@
120#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ 120#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ 121#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122 122
123static const char *ca_usage[] = {
124 "usage: ca args\n",
125 "\n",
126 " -verbose - Talk a lot while doing things\n",
127 " -config file - A config file\n",
128 " -name arg - The particular CA definition to use\n",
129 " -gencrl - Generate a new CRL\n",
130 " -crldays days - Days is when the next CRL is due\n",
131 " -crlhours hours - Hours is when the next CRL is due\n",
132 " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
133 " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
134 " -days arg - number of days to certify the certificate for\n",
135 " -md arg - md to use, one of md5 or sha1\n",
136 " -policy arg - The CA 'policy' to support\n",
137 " -keyfile arg - private key file\n",
138 " -keyform arg - private key file format (PEM)\n",
139 " -key arg - key to decode the private key if it is encrypted\n",
140 " -cert file - The CA certificate\n",
141 " -selfsign - sign a certificate with the key associated with it\n",
142 " -in file - The input PEM encoded certificate request(s)\n",
143 " -out file - Where to put the output file(s)\n",
144 " -outdir dir - Where to put output certificates\n",
145 " -infiles .... - The last argument, requests to process\n",
146 " -spkac file - File contains DN and signed public key and challenge\n",
147 " -ss_cert file - File contains a self signed cert to sign\n",
148 " -preserveDN - Don't re-order the DN\n",
149 " -noemailDN - Don't add the EMAIL field into certificate' subject\n",
150 " -batch - Don't ask questions\n",
151 " -msie_hack - msie modifications to handle all those universal strings\n",
152 " -revoke file - Revoke a certificate (given in file)\n",
153 " -subj arg - Use arg instead of request's subject\n",
154 " -utf8 - input characters are UTF8 (default ASCII)\n",
155 " -multivalue-rdn - enable support for multivalued RDNs\n",
156 " -extensions .. - Extension section (override value in config file)\n",
157 " -extfile file - Configuration file with X509v3 extentions to add\n",
158 " -crlexts .. - CRL extension section (override value in config file)\n",
159 " -status serial - Shows certificate status given the serial number\n",
160 " -updatedb - Updates db for expired certificates\n",
161 NULL
162};
163
164static void lookup_fail(const char *name, const char *tag); 123static void lookup_fail(const char *name, const char *tag);
165static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509, 124static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
166 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts, 125 const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
@@ -199,13 +158,454 @@ static char * bin2hex(unsigned char *, size_t);
199char *make_revocation_str(int rev_type, char *rev_arg); 158char *make_revocation_str(int rev_type, char *rev_arg);
200int make_revoked(X509_REVOKED * rev, const char *str); 159int make_revoked(X509_REVOKED * rev, const char *str);
201int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str); 160int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
161
202static CONF *conf = NULL; 162static CONF *conf = NULL;
203static CONF *extconf = NULL; 163static CONF *extconf = NULL;
204static char *section = NULL;
205 164
206static int preserve = 0; 165static struct {
207static int msie_hack = 0; 166 int batch;
167 char *certfile;
168 unsigned long chtype;
169 char *configfile;
170 int create_ser;
171 char *crl_ext;
172 long crldays;
173 long crlhours;
174 long crlsec;
175 long days;
176 int dorevoke;
177 int doupdatedb;
178 int email_dn;
179 char *enddate;
180 char *extensions;
181 char *extfile;
182 int gencrl;
183 char *infile;
184 char **infiles;
185 int infiles_num;
186 char *key;
187 char *keyfile;
188 int keyform;
189 char *md;
190 int multirdn;
191 int msie_hack;
192 int notext;
193 char *outdir;
194 char *outfile;
195 char *passargin;
196 char *policy;
197 int preserve;
198 int req;
199 char *rev_arg;
200 int rev_type;
201 char *ser_status;
202 char *section;
203 int selfsign;
204 STACK_OF(OPENSSL_STRING) * sigopts;
205 char *spkac_file;
206 char *ss_cert_file;
207 char *startdate;
208 char *subj;
209 int verbose;
210} ca_config;
211
212static int
213ca_opt_chtype_utf8(void)
214{
215 ca_config.chtype = MBSTRING_UTF8;
216 return (0);
217}
218
219static int
220ca_opt_crl_ca_compromise(char *arg)
221{
222 ca_config.rev_arg = arg;
223 ca_config.rev_type = REV_CA_COMPROMISE;
224 return (0);
225}
226
227static int
228ca_opt_crl_compromise(char *arg)
229{
230 ca_config.rev_arg = arg;
231 ca_config.rev_type = REV_KEY_COMPROMISE;
232 return (0);
233}
234
235static int
236ca_opt_crl_hold(char *arg)
237{
238 ca_config.rev_arg = arg;
239 ca_config.rev_type = REV_HOLD;
240 return (0);
241}
242
243static int
244ca_opt_crl_reason(char *arg)
245{
246 ca_config.rev_arg = arg;
247 ca_config.rev_type = REV_CRL_REASON;
248 return (0);
249}
250
251static int
252ca_opt_in(char *arg)
253{
254 ca_config.infile = arg;
255 ca_config.req = 1;
256 return (0);
257}
258
259static int
260ca_opt_infiles(int argc, char **argv, int *argsused)
261{
262 ca_config.infiles_num = argc - 1;
263 if (ca_config.infiles_num < 1)
264 return (1);
265 ca_config.infiles = argv + 1;
266 ca_config.req = 1;
267 *argsused = argc;
268 return (0);
269}
270
271static int
272ca_opt_revoke(char *arg)
273{
274 ca_config.infile = arg;
275 ca_config.dorevoke = 1;
276 return (0);
277}
278
279static int
280ca_opt_sigopt(char *arg)
281{
282 if (ca_config.sigopts == NULL)
283 ca_config.sigopts = sk_OPENSSL_STRING_new_null();
284 if (ca_config.sigopts == NULL)
285 return (1);
286 if (!sk_OPENSSL_STRING_push(ca_config.sigopts, arg))
287 return (1);
288 return (0);
289}
290
291static int
292ca_opt_spkac(char *arg)
293{
294 ca_config.spkac_file = arg;
295 ca_config.req = 1;
296 return (0);
297}
208 298
299static int
300ca_opt_ss_cert(char *arg)
301{
302 ca_config.ss_cert_file = arg;
303 ca_config.req = 1;
304 return (0);
305}
306
307static const struct option ca_options[] = {
308 {
309 .name = "batch",
310 .desc = "Operate in batch mode",
311 .type = OPTION_FLAG,
312 .opt.flag = &ca_config.batch,
313 },
314 {
315 .name = "cert",
316 .argname = "file",
317 .desc = "File containing the CA certificate",
318 .type = OPTION_ARG,
319 .opt.arg = &ca_config.certfile,
320 },
321 {
322 .name = "config",
323 .argname = "file",
324 .desc = "Specify an alternative configuration file",
325 .type = OPTION_ARG,
326 .opt.arg = &ca_config.configfile,
327 },
328 {
329 .name = "create_serial",
330 .desc = "If reading serial fails, create a new random serial",
331 .type = OPTION_FLAG,
332 .opt.flag = &ca_config.create_ser,
333 },
334 {
335 .name = "crl_CA_compromise",
336 .argname = "time",
337 .desc = "Set the compromise time and the revocation reason to\n"
338 "CACompromise",
339 .type = OPTION_ARG_FUNC,
340 .opt.argfunc = ca_opt_crl_ca_compromise,
341 },
342 {
343 .name = "crl_compromise",
344 .argname = "time",
345 .desc = "Set the compromise time and the revocation reason to\n"
346 "keyCompromise",
347 .type = OPTION_ARG_FUNC,
348 .opt.argfunc = ca_opt_crl_compromise,
349 },
350 {
351 .name = "crl_hold",
352 .argname = "instruction",
353 .desc = "Set the hold instruction and the revocation reason to\n"
354 "certificateHold",
355 .type = OPTION_ARG_FUNC,
356 .opt.argfunc = ca_opt_crl_hold,
357 },
358 {
359 .name = "crl_reason",
360 .argname = "reason",
361 .desc = "Revocation reason",
362 .type = OPTION_ARG_FUNC,
363 .opt.argfunc = ca_opt_crl_reason,
364 },
365 {
366 .name = "crldays",
367 .argname = "days",
368 .desc = "Number of days before the next CRL is due",
369 .type = OPTION_ARG_LONG,
370 .opt.lvalue = &ca_config.crldays,
371 },
372 {
373 .name = "crlexts",
374 .argname = "section",
375 .desc = "CRL extension section (override value in config file)",
376 .type = OPTION_ARG,
377 .opt.arg = &ca_config.crl_ext,
378 },
379 {
380 .name = "crlhours",
381 .argname = "hours",
382 .desc = "Number of hours before the next CRL is due",
383 .type = OPTION_ARG_LONG,
384 .opt.lvalue = &ca_config.crlhours,
385 },
386 {
387 .name = "crlsec",
388 .argname = "seconds",
389 .desc = "Number of seconds before the next CRL is due",
390 .type = OPTION_ARG_LONG,
391 .opt.lvalue = &ca_config.crlsec,
392 },
393 {
394 .name = "days",
395 .argname = "arg",
396 .desc = "Number of days to certify the certificate for",
397 .type = OPTION_ARG_LONG,
398 .opt.lvalue = &ca_config.days,
399 },
400 {
401 .name = "enddate",
402 .argname = "YYMMDDHHMMSSZ",
403 .desc = "Certificate validity notAfter (overrides -days)",
404 .type = OPTION_ARG,
405 .opt.arg = &ca_config.enddate,
406 },
407 {
408 .name = "extensions",
409 .argname = "section",
410 .desc = "Extension section (override value in config file)",
411 .type = OPTION_ARG,
412 .opt.arg = &ca_config.extensions,
413 },
414 {
415 .name = "extfile",
416 .argname = "file",
417 .desc = "Configuration file with X509v3 extentions to add",
418 .type = OPTION_ARG,
419 .opt.arg = &ca_config.extfile,
420 },
421 {
422 .name = "gencrl",
423 .desc = "Generate a new CRL",
424 .type = OPTION_FLAG,
425 .opt.flag = &ca_config.gencrl,
426 },
427 {
428 .name = "in",
429 .argname = "file",
430 .desc = "Input file containing a single certificate request",
431 .type = OPTION_ARG_FUNC,
432 .opt.argfunc = ca_opt_in,
433 },
434 {
435 .name = "infiles",
436 .argname = "...",
437 .desc = "The last argument, certificate requests to process",
438 .type = OPTION_ARGV_FUNC,
439 .opt.argvfunc = ca_opt_infiles,
440 },
441 {
442 .name = "key",
443 .argname = "password",
444 .desc = "Key to decode the private key if it is encrypted",
445 .type = OPTION_ARG,
446 .opt.arg = &ca_config.key,
447 },
448 {
449 .name = "keyfile",
450 .argname = "file",
451 .desc = "Private key file",
452 .type = OPTION_ARG,
453 .opt.arg = &ca_config.keyfile,
454 },
455 {
456 .name = "keyform",
457 .argname = "fmt",
458 .desc = "Private key file format (DER or PEM (default))",
459 .type = OPTION_ARG_FORMAT,
460 .opt.value = &ca_config.keyform,
461 },
462 {
463 .name = "md",
464 .argname = "alg",
465 .desc = "Message digest to use",
466 .type = OPTION_ARG,
467 .opt.arg = &ca_config.md,
468 },
469 {
470 .name = "msie_hack",
471 .type = OPTION_FLAG,
472 .opt.flag = &ca_config.msie_hack,
473 },
474 {
475 .name = "multivalue-rdn",
476 .desc = "Enable support for multivalued RDNs",
477 .type = OPTION_FLAG,
478 .opt.flag = &ca_config.multirdn,
479 },
480 {
481 .name = "name",
482 .argname = "section",
483 .desc = "Specifies the configuration file section to use",
484 .type = OPTION_ARG,
485 .opt.arg = &ca_config.section,
486 },
487 {
488 .name = "noemailDN",
489 .desc = "Do not add the EMAIL field to the DN",
490 .type = OPTION_VALUE,
491 .opt.value = &ca_config.email_dn,
492 .value = 0,
493 },
494 {
495 .name = "notext",
496 .desc = "Do not print the generated certificate",
497 .type = OPTION_FLAG,
498 .opt.flag = &ca_config.notext,
499 },
500 {
501 .name = "out",
502 .argname = "file",
503 .desc = "Output file (default stdout)",
504 .type = OPTION_ARG,
505 .opt.arg = &ca_config.outfile,
506 },
507 {
508 .name = "outdir",
509 .argname = "directory",
510 .desc = " Directory to output certificates to",
511 .type = OPTION_ARG,
512 .opt.arg = &ca_config.outdir,
513 },
514 {
515 .name = "passin",
516 .argname = "src",
517 .desc = "Private key input password source",
518 .type = OPTION_ARG,
519 .opt.arg = &ca_config.passargin,
520 },
521 {
522 .name = "policy",
523 .argname = "name",
524 .desc = "The CA 'policy' to support",
525 .type = OPTION_ARG,
526 .opt.arg = &ca_config.policy,
527 },
528 {
529 .name = "preserveDN",
530 .desc = "Do not re-order the DN",
531 .type = OPTION_FLAG,
532 .opt.flag = &ca_config.preserve,
533 },
534 {
535 .name = "revoke",
536 .argname = "file",
537 .desc = "Revoke a certificate (given in file)",
538 .type = OPTION_ARG_FUNC,
539 .opt.argfunc = ca_opt_revoke,
540 },
541 {
542 .name = "selfsign",
543 .desc = "Sign a certificate using the key associated with it",
544 .type = OPTION_FLAG,
545 .opt.flag = &ca_config.selfsign,
546 },
547 {
548 .name = "sigopt",
549 .argname = "nm:v",
550 .desc = "Signature parameter in nm:v form",
551 .type = OPTION_ARG_FUNC,
552 .opt.argfunc = ca_opt_sigopt,
553 },
554 {
555 .name = "spkac",
556 .argname = "file",
557 .desc = "File contains DN and signed public key and challenge",
558 .type = OPTION_ARG_FUNC,
559 .opt.argfunc = ca_opt_spkac,
560 },
561 {
562 .name = "ss_cert",
563 .argname = "file",
564 .desc = "File contains a self signed certificate to sign",
565 .type = OPTION_ARG_FUNC,
566 .opt.argfunc = ca_opt_ss_cert,
567 },
568 {
569 .name = "startdate",
570 .argname = "YYMMDDHHMMSSZ",
571 .desc = "Certificate validity notBefore",
572 .type = OPTION_ARG,
573 .opt.arg = &ca_config.startdate,
574 },
575 {
576 .name = "status",
577 .argname = "serial",
578 .desc = "Shows certificate status given the serial number",
579 .type = OPTION_ARG,
580 .opt.arg = &ca_config.ser_status,
581 },
582 {
583 .name = "subj",
584 .argname = "arg",
585 .desc = "Use arg instead of request's subject",
586 .type = OPTION_ARG,
587 .opt.arg = &ca_config.subj,
588 },
589 {
590 .name = "updatedb",
591 .desc = "Updates db for expired certificates",
592 .type = OPTION_FLAG,
593 .opt.flag = &ca_config.doupdatedb,
594 },
595 {
596 .name = "utf8",
597 .desc = "Input characters are in UTF-8 (default ASCII)",
598 .type = OPTION_FUNC,
599 .opt.func = ca_opt_chtype_utf8,
600 },
601 {
602 .name = "verbose",
603 .desc = "Verbose output during processing",
604 .type = OPTION_FLAG,
605 .opt.flag = &ca_config.verbose,
606 },
607 { NULL },
608};
209 609
210/* 610/*
211 * Set a certificate time based on user provided input. Make sure 611 * Set a certificate time based on user provided input. Make sure
@@ -227,62 +627,45 @@ setCertificateTime(ASN1_TIME *x509time, char *timestring)
227 return 0; 627 return 0;
228} 628}
229 629
630static void
631ca_usage(void)
632{
633 fprintf(stderr,
634 "usage: ca [-batch] [-cert file] [-config file] [-create_serial]\n"
635 " [-crl_CA_compromise time] [-crl_compromise time]\n"
636 " [-crl_hold instruction] [-crl_reason reason] [-crldays days]\n"
637 " [-crlexts section] [-crlhours hours] [-crlsec seconds]\n"
638 " [-days arg] [-enddate date] [-extensions section]\n"
639 " [-extfile file] [-gencrl] [-in file] [-infiles]\n"
640 " [-key password] [-keyfile file] [-keyform pem | der]\n"
641 " [-md alg] [-multivalue-rdn] [-name section]\n"
642 " [-noemailDN] [-notext] [-out file] [-outdir directory]\n"
643 " [-passin arg] [-policy name] [-preserveDN] [-revoke file]\n"
644 " [-selfsign] [-sigopt nm:v] [-spkac file] [-ss_cert file]\n"
645 " [-startdate date] [-status serial] [-subj arg] [-updatedb]\n"
646 " [-utf8] [-verbose]\n\n");
647 options_usage(ca_options);
648 fprintf(stderr, "\n");
649}
650
230int 651int
231ca_main(int argc, char **argv) 652ca_main(int argc, char **argv)
232{ 653{
233 char *key = NULL, *passargin = NULL;
234 int create_ser = 0;
235 int free_key = 0; 654 int free_key = 0;
236 int total = 0; 655 int total = 0;
237 int total_done = 0; 656 int total_done = 0;
238 int badops = 0;
239 int ret = 1; 657 int ret = 1;
240 int email_dn = 1;
241 int req = 0;
242 int verbose = 0;
243 int gencrl = 0;
244 int dorevoke = 0;
245 int doupdatedb = 0;
246 long crldays = 0;
247 long crlhours = 0;
248 long crlsec = 0;
249 long errorline = -1; 658 long errorline = -1;
250 char *configfile = NULL;
251 char *md = NULL;
252 char *policy = NULL;
253 char *keyfile = NULL;
254 char *certfile = NULL;
255 int keyform = FORMAT_PEM;
256 char *infile = NULL;
257 char *spkac_file = NULL;
258 char *ss_cert_file = NULL;
259 char *ser_status = NULL;
260 EVP_PKEY *pkey = NULL; 659 EVP_PKEY *pkey = NULL;
261 int output_der = 0; 660 int output_der = 0;
262 char *outfile = NULL;
263 char *outdir = NULL;
264 char *serialfile = NULL; 661 char *serialfile = NULL;
265 char *crlnumberfile = NULL; 662 char *crlnumberfile = NULL;
266 char *extensions = NULL;
267 char *extfile = NULL;
268 char *subj = NULL;
269 unsigned long chtype = MBSTRING_ASC;
270 int multirdn = 0;
271 char *tmp_email_dn = NULL; 663 char *tmp_email_dn = NULL;
272 char *crl_ext = NULL;
273 int rev_type = REV_NONE;
274 char *rev_arg = NULL;
275 BIGNUM *serial = NULL; 664 BIGNUM *serial = NULL;
276 BIGNUM *crlnumber = NULL; 665 BIGNUM *crlnumber = NULL;
277 char *startdate = NULL;
278 char *enddate = NULL;
279 long days = 0;
280 int batch = 0;
281 int notext = 0;
282 unsigned long nameopt = 0, certopt = 0; 666 unsigned long nameopt = 0, certopt = 0;
283 int default_op = 1; 667 int default_op = 1;
284 int ext_copy = EXT_COPY_NONE; 668 int ext_copy = EXT_COPY_NONE;
285 int selfsign = 0;
286 X509 *x509 = NULL, *x509p = NULL; 669 X509 *x509 = NULL, *x509p = NULL;
287 X509 *x = NULL; 670 X509 *x = NULL;
288 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL; 671 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
@@ -299,9 +682,7 @@ ca_main(int argc, char **argv)
299 const EVP_MD *dgst = NULL; 682 const EVP_MD *dgst = NULL;
300 STACK_OF(CONF_VALUE) * attribs = NULL; 683 STACK_OF(CONF_VALUE) * attribs = NULL;
301 STACK_OF(X509) * cert_sk = NULL; 684 STACK_OF(X509) * cert_sk = NULL;
302 STACK_OF(OPENSSL_STRING) * sigopts = NULL;
303 char *tofree = NULL; 685 char *tofree = NULL;
304 const char *errstr = NULL;
305 DB_ATTR db_attr; 686 DB_ATTR db_attr;
306 687
307 if (single_execution) { 688 if (single_execution) {
@@ -311,244 +692,50 @@ ca_main(int argc, char **argv)
311 } 692 }
312 } 693 }
313 694
314 conf = NULL; 695 memset(&ca_config, 0, sizeof(ca_config));
315 key = NULL; 696 ca_config.email_dn = 1;
316 section = NULL; 697 ca_config.keyform = FORMAT_PEM;
317 698 ca_config.chtype = MBSTRING_ASC;
318 preserve = 0; 699 ca_config.rev_type = REV_NONE;
319 msie_hack = 0;
320
321 argc--;
322 argv++;
323 while (argc >= 1) {
324 if (strcmp(*argv, "-verbose") == 0)
325 verbose = 1;
326 else if (strcmp(*argv, "-config") == 0) {
327 if (--argc < 1)
328 goto bad;
329 configfile = *(++argv);
330 } else if (strcmp(*argv, "-name") == 0) {
331 if (--argc < 1)
332 goto bad;
333 section = *(++argv);
334 } else if (strcmp(*argv, "-subj") == 0) {
335 if (--argc < 1)
336 goto bad;
337 subj = *(++argv);
338 /* preserve=1; */
339 } else if (strcmp(*argv, "-utf8") == 0)
340 chtype = MBSTRING_UTF8;
341 else if (strcmp(*argv, "-create_serial") == 0)
342 create_ser = 1;
343 else if (strcmp(*argv, "-multivalue-rdn") == 0)
344 multirdn = 1;
345 else if (strcmp(*argv, "-startdate") == 0) {
346 if (--argc < 1)
347 goto bad;
348 startdate = *(++argv);
349 } else if (strcmp(*argv, "-enddate") == 0) {
350 if (--argc < 1)
351 goto bad;
352 enddate = *(++argv);
353 } else if (strcmp(*argv, "-days") == 0) {
354 if (--argc < 1)
355 goto bad;
356 days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
357 if (errstr)
358 goto bad;
359 } else if (strcmp(*argv, "-md") == 0) {
360 if (--argc < 1)
361 goto bad;
362 md = *(++argv);
363 } else if (strcmp(*argv, "-policy") == 0) {
364 if (--argc < 1)
365 goto bad;
366 policy = *(++argv);
367 } else if (strcmp(*argv, "-keyfile") == 0) {
368 if (--argc < 1)
369 goto bad;
370 keyfile = *(++argv);
371 } else if (strcmp(*argv, "-keyform") == 0) {
372 if (--argc < 1)
373 goto bad;
374 keyform = str2fmt(*(++argv));
375 } else if (strcmp(*argv, "-passin") == 0) {
376 if (--argc < 1)
377 goto bad;
378 passargin = *(++argv);
379 } else if (strcmp(*argv, "-key") == 0) {
380 if (--argc < 1)
381 goto bad;
382 key = *(++argv);
383 } else if (strcmp(*argv, "-cert") == 0) {
384 if (--argc < 1)
385 goto bad;
386 certfile = *(++argv);
387 } else if (strcmp(*argv, "-selfsign") == 0)
388 selfsign = 1;
389 else if (strcmp(*argv, "-in") == 0) {
390 if (--argc < 1)
391 goto bad;
392 infile = *(++argv);
393 req = 1;
394 } else if (strcmp(*argv, "-out") == 0) {
395 if (--argc < 1)
396 goto bad;
397 outfile = *(++argv);
398 } else if (strcmp(*argv, "-outdir") == 0) {
399 if (--argc < 1)
400 goto bad;
401 outdir = *(++argv);
402 } else if (strcmp(*argv, "-sigopt") == 0) {
403 if (--argc < 1)
404 goto bad;
405 if (!sigopts)
406 sigopts = sk_OPENSSL_STRING_new_null();
407 if (!sigopts ||
408 !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
409 goto bad;
410 } else if (strcmp(*argv, "-notext") == 0)
411 notext = 1;
412 else if (strcmp(*argv, "-batch") == 0)
413 batch = 1;
414 else if (strcmp(*argv, "-preserveDN") == 0)
415 preserve = 1;
416 else if (strcmp(*argv, "-noemailDN") == 0)
417 email_dn = 0;
418 else if (strcmp(*argv, "-gencrl") == 0)
419 gencrl = 1;
420 else if (strcmp(*argv, "-msie_hack") == 0)
421 msie_hack = 1;
422 else if (strcmp(*argv, "-crldays") == 0) {
423 if (--argc < 1)
424 goto bad;
425 crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
426 if (errstr)
427 goto bad;
428 } else if (strcmp(*argv, "-crlhours") == 0) {
429 if (--argc < 1)
430 goto bad;
431 crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
432 if (errstr)
433 goto bad;
434 } else if (strcmp(*argv, "-crlsec") == 0) {
435 if (--argc < 1)
436 goto bad;
437 crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
438 if (errstr)
439 goto bad;
440 } else if (strcmp(*argv, "-infiles") == 0) {
441 argc--;
442 argv++;
443 req = 1;
444 break;
445 } else if (strcmp(*argv, "-ss_cert") == 0) {
446 if (--argc < 1)
447 goto bad;
448 ss_cert_file = *(++argv);
449 req = 1;
450 } else if (strcmp(*argv, "-spkac") == 0) {
451 if (--argc < 1)
452 goto bad;
453 spkac_file = *(++argv);
454 req = 1;
455 } else if (strcmp(*argv, "-revoke") == 0) {
456 if (--argc < 1)
457 goto bad;
458 infile = *(++argv);
459 dorevoke = 1;
460 } else if (strcmp(*argv, "-extensions") == 0) {
461 if (--argc < 1)
462 goto bad;
463 extensions = *(++argv);
464 } else if (strcmp(*argv, "-extfile") == 0) {
465 if (--argc < 1)
466 goto bad;
467 extfile = *(++argv);
468 } else if (strcmp(*argv, "-status") == 0) {
469 if (--argc < 1)
470 goto bad;
471 ser_status = *(++argv);
472 } else if (strcmp(*argv, "-updatedb") == 0) {
473 doupdatedb = 1;
474 } else if (strcmp(*argv, "-crlexts") == 0) {
475 if (--argc < 1)
476 goto bad;
477 crl_ext = *(++argv);
478 } else if (strcmp(*argv, "-crl_reason") == 0) {
479 if (--argc < 1)
480 goto bad;
481 rev_arg = *(++argv);
482 rev_type = REV_CRL_REASON;
483 } else if (strcmp(*argv, "-crl_hold") == 0) {
484 if (--argc < 1)
485 goto bad;
486 rev_arg = *(++argv);
487 rev_type = REV_HOLD;
488 } else if (strcmp(*argv, "-crl_compromise") == 0) {
489 if (--argc < 1)
490 goto bad;
491 rev_arg = *(++argv);
492 rev_type = REV_KEY_COMPROMISE;
493 } else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
494 if (--argc < 1)
495 goto bad;
496 rev_arg = *(++argv);
497 rev_type = REV_CA_COMPROMISE;
498 }
499 else {
500 bad:
501 if (errstr)
502 BIO_printf(bio_err, "invalid argument %s: %s\n",
503 *argv, errstr);
504 else
505 BIO_printf(bio_err, "unknown option %s\n", *argv);
506 badops = 1;
507 break;
508 }
509 argc--;
510 argv++;
511 }
512 700
513 if (badops) { 701 conf = NULL;
514 const char **pp2;
515 702
516 for (pp2 = ca_usage; (*pp2 != NULL); pp2++) 703 if (options_parse(argc, argv, ca_options, NULL, NULL) != 0) {
517 BIO_printf(bio_err, "%s", *pp2); 704 ca_usage();
518 goto err; 705 goto err;
519 } 706 }
520 707
521 /*****************************************************************/ 708 /*****************************************************************/
522 tofree = NULL; 709 tofree = NULL;
523 if (configfile == NULL) 710 if (ca_config.configfile == NULL)
524 configfile = getenv("OPENSSL_CONF"); 711 ca_config.configfile = getenv("OPENSSL_CONF");
525 if (configfile == NULL) { 712 if (ca_config.configfile == NULL) {
526 if ((tofree = make_config_name()) == NULL) { 713 if ((tofree = make_config_name()) == NULL) {
527 BIO_printf(bio_err, "error making config file name\n"); 714 BIO_printf(bio_err, "error making config file name\n");
528 goto err; 715 goto err;
529 } 716 }
530 configfile = tofree; 717 ca_config.configfile = tofree;
531 } 718 }
532 BIO_printf(bio_err, "Using configuration from %s\n", configfile); 719 BIO_printf(bio_err, "Using configuration from %s\n", ca_config.configfile);
533 conf = NCONF_new(NULL); 720 conf = NCONF_new(NULL);
534 if (NCONF_load(conf, configfile, &errorline) <= 0) { 721 if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) {
535 if (errorline <= 0) 722 if (errorline <= 0)
536 BIO_printf(bio_err, 723 BIO_printf(bio_err,
537 "error loading the config file '%s'\n", 724 "error loading the config file '%s'\n",
538 configfile); 725 ca_config.configfile);
539 else 726 else
540 BIO_printf(bio_err, 727 BIO_printf(bio_err,
541 "error on line %ld of config file '%s'\n", 728 "error on line %ld of config file '%s'\n",
542 errorline, configfile); 729 errorline, ca_config.configfile);
543 goto err; 730 goto err;
544 } 731 }
545 free(tofree); 732 free(tofree);
546 tofree = NULL; 733 tofree = NULL;
547 734
548 /* Lets get the config section we are using */ 735 /* Lets get the config section we are using */
549 if (section == NULL) { 736 if (ca_config.section == NULL) {
550 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); 737 ca_config.section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
551 if (section == NULL) { 738 if (ca_config.section == NULL) {
552 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); 739 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
553 goto err; 740 goto err;
554 } 741 }
@@ -578,7 +765,7 @@ ca_main(int argc, char **argv)
578 goto err; 765 goto err;
579 } 766 }
580 } 767 }
581 f = NCONF_get_string(conf, section, STRING_MASK); 768 f = NCONF_get_string(conf, ca_config.section, STRING_MASK);
582 if (!f) 769 if (!f)
583 ERR_clear_error(); 770 ERR_clear_error();
584 771
@@ -587,15 +774,15 @@ ca_main(int argc, char **argv)
587 "Invalid global string mask setting %s\n", f); 774 "Invalid global string mask setting %s\n", f);
588 goto err; 775 goto err;
589 } 776 }
590 if (chtype != MBSTRING_UTF8) { 777 if (ca_config.chtype != MBSTRING_UTF8) {
591 f = NCONF_get_string(conf, section, UTF8_IN); 778 f = NCONF_get_string(conf, ca_config.section, UTF8_IN);
592 if (!f) 779 if (!f)
593 ERR_clear_error(); 780 ERR_clear_error();
594 else if (!strcmp(f, "yes")) 781 else if (!strcmp(f, "yes"))
595 chtype = MBSTRING_UTF8; 782 ca_config.chtype = MBSTRING_UTF8;
596 } 783 }
597 db_attr.unique_subject = 1; 784 db_attr.unique_subject = 1;
598 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); 785 p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT);
599 if (p) { 786 if (p) {
600 db_attr.unique_subject = parse_yesno(p, 1); 787 db_attr.unique_subject = parse_yesno(p, 1);
601 } else 788 } else
@@ -611,10 +798,10 @@ ca_main(int argc, char **argv)
611 } 798 }
612 /*****************************************************************/ 799 /*****************************************************************/
613 /* report status of cert with serial number given on command line */ 800 /* report status of cert with serial number given on command line */
614 if (ser_status) { 801 if (ca_config.ser_status) {
615 if ((dbfile = NCONF_get_string(conf, section, 802 if ((dbfile = NCONF_get_string(conf, ca_config.section,
616 ENV_DATABASE)) == NULL) { 803 ENV_DATABASE)) == NULL) {
617 lookup_fail(section, ENV_DATABASE); 804 lookup_fail(ca_config.section, ENV_DATABASE);
618 goto err; 805 goto err;
619 } 806 }
620 db = load_index(dbfile, &db_attr); 807 db = load_index(dbfile, &db_attr);
@@ -624,43 +811,43 @@ ca_main(int argc, char **argv)
624 if (!index_index(db)) 811 if (!index_index(db))
625 goto err; 812 goto err;
626 813
627 if (get_certificate_status(ser_status, db) != 1) 814 if (get_certificate_status(ca_config.ser_status, db) != 1)
628 BIO_printf(bio_err, "Error verifying serial %s!\n", 815 BIO_printf(bio_err, "Error verifying serial %s!\n",
629 ser_status); 816 ca_config.ser_status);
630 goto err; 817 goto err;
631 } 818 }
632 /*****************************************************************/ 819 /*****************************************************************/
633 /* we definitely need a private key, so let's get it */ 820 /* we definitely need a private key, so let's get it */
634 821
635 if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf, 822 if ((ca_config.keyfile == NULL) && ((ca_config.keyfile = NCONF_get_string(conf,
636 section, ENV_PRIVATE_KEY)) == NULL)) { 823 ca_config.section, ENV_PRIVATE_KEY)) == NULL)) {
637 lookup_fail(section, ENV_PRIVATE_KEY); 824 lookup_fail(ca_config.section, ENV_PRIVATE_KEY);
638 goto err; 825 goto err;
639 } 826 }
640 if (!key) { 827 if (!ca_config.key) {
641 free_key = 1; 828 free_key = 1;
642 if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) { 829 if (!app_passwd(bio_err, ca_config.passargin, NULL, &ca_config.key, NULL)) {
643 BIO_printf(bio_err, "Error getting password\n"); 830 BIO_printf(bio_err, "Error getting password\n");
644 goto err; 831 goto err;
645 } 832 }
646 } 833 }
647 pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key"); 834 pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0, ca_config.key, "CA private key");
648 if (key) 835 if (ca_config.key)
649 explicit_bzero(key, strlen(key)); 836 explicit_bzero(ca_config.key, strlen(ca_config.key));
650 if (pkey == NULL) { 837 if (pkey == NULL) {
651 /* load_key() has already printed an appropriate message */ 838 /* load_key() has already printed an appropriate message */
652 goto err; 839 goto err;
653 } 840 }
654 /*****************************************************************/ 841 /*****************************************************************/
655 /* we need a certificate */ 842 /* we need a certificate */
656 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 843 if (!ca_config.selfsign || ca_config.spkac_file || ca_config.ss_cert_file || ca_config.gencrl) {
657 if ((certfile == NULL) && 844 if ((ca_config.certfile == NULL) &&
658 ((certfile = NCONF_get_string(conf, 845 ((ca_config.certfile = NCONF_get_string(conf,
659 section, ENV_CERTIFICATE)) == NULL)) { 846 ca_config.section, ENV_CERTIFICATE)) == NULL)) {
660 lookup_fail(section, ENV_CERTIFICATE); 847 lookup_fail(ca_config.section, ENV_CERTIFICATE);
661 goto err; 848 goto err;
662 } 849 }
663 x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, 850 x509 = load_cert(bio_err, ca_config.certfile, FORMAT_PEM, NULL,
664 "CA certificate"); 851 "CA certificate");
665 if (x509 == NULL) 852 if (x509 == NULL)
666 goto err; 853 goto err;
@@ -671,21 +858,21 @@ ca_main(int argc, char **argv)
671 goto err; 858 goto err;
672 } 859 }
673 } 860 }
674 if (!selfsign) 861 if (!ca_config.selfsign)
675 x509p = x509; 862 x509p = x509;
676 863
677 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); 864 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
678 if (f == NULL) 865 if (f == NULL)
679 ERR_clear_error(); 866 ERR_clear_error();
680 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 867 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
681 preserve = 1; 868 ca_config.preserve = 1;
682 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); 869 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
683 if (f == NULL) 870 if (f == NULL)
684 ERR_clear_error(); 871 ERR_clear_error();
685 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 872 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
686 msie_hack = 1; 873 ca_config.msie_hack = 1;
687 874
688 f = NCONF_get_string(conf, section, ENV_NAMEOPT); 875 f = NCONF_get_string(conf, ca_config.section, ENV_NAMEOPT);
689 876
690 if (f) { 877 if (f) {
691 if (!set_name_ex(&nameopt, f)) { 878 if (!set_name_ex(&nameopt, f)) {
@@ -697,7 +884,7 @@ ca_main(int argc, char **argv)
697 } else 884 } else
698 ERR_clear_error(); 885 ERR_clear_error();
699 886
700 f = NCONF_get_string(conf, section, ENV_CERTOPT); 887 f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT);
701 888
702 if (f) { 889 if (f) {
703 if (!set_cert_ex(&certopt, f)) { 890 if (!set_cert_ex(&certopt, f)) {
@@ -709,7 +896,7 @@ ca_main(int argc, char **argv)
709 } else 896 } else
710 ERR_clear_error(); 897 ERR_clear_error();
711 898
712 f = NCONF_get_string(conf, section, ENV_EXTCOPY); 899 f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY);
713 900
714 if (f) { 901 if (f) {
715 if (!set_ext_copy(&ext_copy, f)) { 902 if (!set_ext_copy(&ext_copy, f)) {
@@ -722,8 +909,8 @@ ca_main(int argc, char **argv)
722 909
723 /*****************************************************************/ 910 /*****************************************************************/
724 /* lookup where to write new certificates */ 911 /* lookup where to write new certificates */
725 if (outdir == NULL && req) { 912 if (ca_config.outdir == NULL && ca_config.req) {
726 if ((outdir = NCONF_get_string(conf, section, 913 if ((ca_config.outdir = NCONF_get_string(conf, ca_config.section,
727 ENV_NEW_CERTS_DIR)) == NULL) { 914 ENV_NEW_CERTS_DIR)) == NULL) {
728 BIO_printf(bio_err, "output directory %s not defined\n", 915 BIO_printf(bio_err, "output directory %s not defined\n",
729 ENV_NEW_CERTS_DIR); 916 ENV_NEW_CERTS_DIR);
@@ -732,8 +919,8 @@ ca_main(int argc, char **argv)
732 } 919 }
733 /*****************************************************************/ 920 /*****************************************************************/
734 /* we need to load the database file */ 921 /* we need to load the database file */
735 if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { 922 if ((dbfile = NCONF_get_string(conf, ca_config.section, ENV_DATABASE)) == NULL) {
736 lookup_fail(section, ENV_DATABASE); 923 lookup_fail(ca_config.section, ENV_DATABASE);
737 goto err; 924 goto err;
738 } 925 }
739 db = load_index(dbfile, &db_attr); 926 db = load_index(dbfile, &db_attr);
@@ -780,7 +967,7 @@ ca_main(int argc, char **argv)
780 p++; 967 p++;
781 } 968 }
782 } 969 }
783 if (verbose) { 970 if (ca_config.verbose) {
784 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */ 971 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */
785 TXT_DB_write(out, db->db); 972 TXT_DB_write(out, db->db);
786 BIO_printf(bio_err, "%d entries loaded from the database\n", 973 BIO_printf(bio_err, "%d entries loaded from the database\n",
@@ -792,8 +979,8 @@ ca_main(int argc, char **argv)
792 979
793 /*****************************************************************/ 980 /*****************************************************************/
794 /* Update the db file for expired certificates */ 981 /* Update the db file for expired certificates */
795 if (doupdatedb) { 982 if (ca_config.doupdatedb) {
796 if (verbose) 983 if (ca_config.verbose)
797 BIO_printf(bio_err, "Updating %s ...\n", dbfile); 984 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
798 985
799 i = do_updatedb(db); 986 i = do_updatedb(db);
@@ -801,7 +988,7 @@ ca_main(int argc, char **argv)
801 BIO_printf(bio_err, "Malloc failure\n"); 988 BIO_printf(bio_err, "Malloc failure\n");
802 goto err; 989 goto err;
803 } else if (i == 0) { 990 } else if (i == 0) {
804 if (verbose) 991 if (ca_config.verbose)
805 BIO_printf(bio_err, 992 BIO_printf(bio_err,
806 "No entries found to mark expired\n"); 993 "No entries found to mark expired\n");
807 } else { 994 } else {
@@ -811,86 +998,86 @@ ca_main(int argc, char **argv)
811 if (!rotate_index(dbfile, "new", "old")) 998 if (!rotate_index(dbfile, "new", "old"))
812 goto err; 999 goto err;
813 1000
814 if (verbose) 1001 if (ca_config.verbose)
815 BIO_printf(bio_err, 1002 BIO_printf(bio_err,
816 "Done. %d entries marked as expired\n", i); 1003 "Done. %d entries marked as expired\n", i);
817 } 1004 }
818 } 1005 }
819 /*****************************************************************/ 1006 /*****************************************************************/
820 /* Read extentions config file */ 1007 /* Read extentions config file */
821 if (extfile) { 1008 if (ca_config.extfile) {
822 extconf = NCONF_new(NULL); 1009 extconf = NCONF_new(NULL);
823 if (NCONF_load(extconf, extfile, &errorline) <= 0) { 1010 if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) {
824 if (errorline <= 0) 1011 if (errorline <= 0)
825 BIO_printf(bio_err, 1012 BIO_printf(bio_err,
826 "ERROR: loading the config file '%s'\n", 1013 "ERROR: loading the config file '%s'\n",
827 extfile); 1014 ca_config.extfile);
828 else 1015 else
829 BIO_printf(bio_err, 1016 BIO_printf(bio_err,
830 "ERROR: on line %ld of config file '%s'\n", 1017 "ERROR: on line %ld of config file '%s'\n",
831 errorline, extfile); 1018 errorline, ca_config.extfile);
832 ret = 1; 1019 ret = 1;
833 goto err; 1020 goto err;
834 } 1021 }
835 if (verbose) 1022 if (ca_config.verbose)
836 BIO_printf(bio_err, 1023 BIO_printf(bio_err,
837 "Successfully loaded extensions file %s\n", 1024 "Successfully loaded extensions file %s\n",
838 extfile); 1025 ca_config.extfile);
839 1026
840 /* We can have sections in the ext file */ 1027 /* We can have sections in the ext file */
841 if (!extensions && !(extensions = NCONF_get_string(extconf, 1028 if (!ca_config.extensions && !(ca_config.extensions = NCONF_get_string(extconf,
842 "default", "extensions"))) 1029 "default", "extensions")))
843 extensions = "default"; 1030 ca_config.extensions = "default";
844 } 1031 }
845 /*****************************************************************/ 1032 /*****************************************************************/
846 if (req || gencrl) { 1033 if (ca_config.req || ca_config.gencrl) {
847 if (outfile != NULL) { 1034 if (ca_config.outfile != NULL) {
848 if (BIO_write_filename(Sout, outfile) <= 0) { 1035 if (BIO_write_filename(Sout, ca_config.outfile) <= 0) {
849 perror(outfile); 1036 perror(ca_config.outfile);
850 goto err; 1037 goto err;
851 } 1038 }
852 } else { 1039 } else {
853 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); 1040 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
854 } 1041 }
855 } 1042 }
856 if ((md == NULL) && ((md = NCONF_get_string(conf, section, 1043 if ((ca_config.md == NULL) && ((ca_config.md = NCONF_get_string(conf, ca_config.section,
857 ENV_DEFAULT_MD)) == NULL)) { 1044 ENV_DEFAULT_MD)) == NULL)) {
858 lookup_fail(section, ENV_DEFAULT_MD); 1045 lookup_fail(ca_config.section, ENV_DEFAULT_MD);
859 goto err; 1046 goto err;
860 } 1047 }
861 if (!strcmp(md, "default")) { 1048 if (!strcmp(ca_config.md, "default")) {
862 int def_nid; 1049 int def_nid;
863 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { 1050 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
864 BIO_puts(bio_err, "no default digest\n"); 1051 BIO_puts(bio_err, "no default digest\n");
865 goto err; 1052 goto err;
866 } 1053 }
867 md = (char *) OBJ_nid2sn(def_nid); 1054 ca_config.md = (char *) OBJ_nid2sn(def_nid);
868 } 1055 }
869 if ((dgst = EVP_get_digestbyname(md)) == NULL) { 1056 if ((dgst = EVP_get_digestbyname(ca_config.md)) == NULL) {
870 BIO_printf(bio_err, 1057 BIO_printf(bio_err,
871 "%s is an unsupported message digest type\n", md); 1058 "%s is an unsupported message digest type\n", ca_config.md);
872 goto err; 1059 goto err;
873 } 1060 }
874 if (req) { 1061 if (ca_config.req) {
875 if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf, 1062 if ((ca_config.email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
876 section, ENV_DEFAULT_EMAIL_DN)) != NULL)) { 1063 ca_config.section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
877 if (strcmp(tmp_email_dn, "no") == 0) 1064 if (strcmp(tmp_email_dn, "no") == 0)
878 email_dn = 0; 1065 ca_config.email_dn = 0;
879 } 1066 }
880 if (verbose) 1067 if (ca_config.verbose)
881 BIO_printf(bio_err, "message digest is %s\n", 1068 BIO_printf(bio_err, "message digest is %s\n",
882 OBJ_nid2ln(dgst->type)); 1069 OBJ_nid2ln(dgst->type));
883 if ((policy == NULL) && ((policy = NCONF_get_string(conf, 1070 if ((ca_config.policy == NULL) && ((ca_config.policy = NCONF_get_string(conf,
884 section, ENV_POLICY)) == NULL)) { 1071 ca_config.section, ENV_POLICY)) == NULL)) {
885 lookup_fail(section, ENV_POLICY); 1072 lookup_fail(ca_config.section, ENV_POLICY);
886 goto err; 1073 goto err;
887 } 1074 }
888 if (verbose) 1075 if (ca_config.verbose)
889 BIO_printf(bio_err, "policy is %s\n", policy); 1076 BIO_printf(bio_err, "policy is %s\n", ca_config.policy);
890 1077
891 if ((serialfile = NCONF_get_string(conf, section, 1078 if ((serialfile = NCONF_get_string(conf, ca_config.section,
892 ENV_SERIAL)) == NULL) { 1079 ENV_SERIAL)) == NULL) {
893 lookup_fail(section, ENV_SERIAL); 1080 lookup_fail(ca_config.section, ENV_SERIAL);
894 goto err; 1081 goto err;
895 } 1082 }
896 if (!extconf) { 1083 if (!extconf) {
@@ -898,59 +1085,59 @@ ca_main(int argc, char **argv)
898 * no '-extfile' option, so we look for extensions in 1085 * no '-extfile' option, so we look for extensions in
899 * the main configuration file 1086 * the main configuration file
900 */ 1087 */
901 if (!extensions) { 1088 if (!ca_config.extensions) {
902 extensions = NCONF_get_string(conf, section, 1089 ca_config.extensions = NCONF_get_string(conf, ca_config.section,
903 ENV_EXTENSIONS); 1090 ENV_EXTENSIONS);
904 if (!extensions) 1091 if (!ca_config.extensions)
905 ERR_clear_error(); 1092 ERR_clear_error();
906 } 1093 }
907 if (extensions) { 1094 if (ca_config.extensions) {
908 /* Check syntax of file */ 1095 /* Check syntax of file */
909 X509V3_CTX ctx; 1096 X509V3_CTX ctx;
910 X509V3_set_ctx_test(&ctx); 1097 X509V3_set_ctx_test(&ctx);
911 X509V3_set_nconf(&ctx, conf); 1098 X509V3_set_nconf(&ctx, conf);
912 if (!X509V3_EXT_add_nconf(conf, &ctx, 1099 if (!X509V3_EXT_add_nconf(conf, &ctx,
913 extensions, NULL)) { 1100 ca_config.extensions, NULL)) {
914 BIO_printf(bio_err, 1101 BIO_printf(bio_err,
915 "Error Loading extension section %s\n", 1102 "Error Loading extension section %s\n",
916 extensions); 1103 ca_config.extensions);
917 ret = 1; 1104 ret = 1;
918 goto err; 1105 goto err;
919 } 1106 }
920 } 1107 }
921 } 1108 }
922 if (startdate == NULL) { 1109 if (ca_config.startdate == NULL) {
923 startdate = NCONF_get_string(conf, section, 1110 ca_config.startdate = NCONF_get_string(conf, ca_config.section,
924 ENV_DEFAULT_STARTDATE); 1111 ENV_DEFAULT_STARTDATE);
925 if (startdate == NULL) 1112 if (ca_config.startdate == NULL)
926 ERR_clear_error(); 1113 ERR_clear_error();
927 } 1114 }
928 if (startdate == NULL) 1115 if (ca_config.startdate == NULL)
929 startdate = "today"; 1116 ca_config.startdate = "today";
930 1117
931 if (enddate == NULL) { 1118 if (ca_config.enddate == NULL) {
932 enddate = NCONF_get_string(conf, section, 1119 ca_config.enddate = NCONF_get_string(conf, ca_config.section,
933 ENV_DEFAULT_ENDDATE); 1120 ENV_DEFAULT_ENDDATE);
934 if (enddate == NULL) 1121 if (ca_config.enddate == NULL)
935 ERR_clear_error(); 1122 ERR_clear_error();
936 } 1123 }
937 if (days == 0 && enddate == NULL) { 1124 if (ca_config.days == 0 && ca_config.enddate == NULL) {
938 if (!NCONF_get_number(conf, section, 1125 if (!NCONF_get_number(conf, ca_config.section,
939 ENV_DEFAULT_DAYS, &days)) 1126 ENV_DEFAULT_DAYS, &ca_config.days))
940 days = 0; 1127 ca_config.days = 0;
941 } 1128 }
942 if (enddate == NULL && days == 0) { 1129 if (ca_config.enddate == NULL && ca_config.days == 0) {
943 BIO_printf(bio_err, 1130 BIO_printf(bio_err,
944 "cannot lookup how many days to certify for\n"); 1131 "cannot lookup how many days to certify for\n");
945 goto err; 1132 goto err;
946 } 1133 }
947 if ((serial = load_serial(serialfile, create_ser, NULL)) == 1134 if ((serial = load_serial(serialfile, ca_config.create_ser, NULL)) ==
948 NULL) { 1135 NULL) {
949 BIO_printf(bio_err, 1136 BIO_printf(bio_err,
950 "error while loading serial number\n"); 1137 "error while loading serial number\n");
951 goto err; 1138 goto err;
952 } 1139 }
953 if (verbose) { 1140 if (ca_config.verbose) {
954 if (BN_is_zero(serial)) 1141 if (BN_is_zero(serial))
955 BIO_printf(bio_err, 1142 BIO_printf(bio_err,
956 "next serial number is 00\n"); 1143 "next serial number is 00\n");
@@ -962,21 +1149,21 @@ ca_main(int argc, char **argv)
962 free(f); 1149 free(f);
963 } 1150 }
964 } 1151 }
965 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 1152 if ((attribs = NCONF_get_section(conf, ca_config.policy)) == NULL) {
966 BIO_printf(bio_err, 1153 BIO_printf(bio_err,
967 "unable to find 'section' for %s\n", policy); 1154 "unable to find 'section' for %s\n", ca_config.policy);
968 goto err; 1155 goto err;
969 } 1156 }
970 if ((cert_sk = sk_X509_new_null()) == NULL) { 1157 if ((cert_sk = sk_X509_new_null()) == NULL) {
971 BIO_printf(bio_err, "Memory allocation failure\n"); 1158 BIO_printf(bio_err, "Memory allocation failure\n");
972 goto err; 1159 goto err;
973 } 1160 }
974 if (spkac_file != NULL) { 1161 if (ca_config.spkac_file != NULL) {
975 total++; 1162 total++;
976 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, 1163 j = certify_spkac(&x, ca_config.spkac_file, pkey, x509, dgst,
977 sigopts, attribs, db, serial, subj, chtype, 1164 ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype,
978 multirdn, email_dn, startdate, enddate, days, 1165 ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days,
979 extensions, conf, verbose, certopt, nameopt, 1166 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
980 default_op, ext_copy); 1167 default_op, ext_copy);
981 if (j < 0) 1168 if (j < 0)
982 goto err; 1169 goto err;
@@ -990,18 +1177,18 @@ ca_main(int argc, char **argv)
990 "Memory allocation failure\n"); 1177 "Memory allocation failure\n");
991 goto err; 1178 goto err;
992 } 1179 }
993 if (outfile) { 1180 if (ca_config.outfile) {
994 output_der = 1; 1181 output_der = 1;
995 batch = 1; 1182 ca_config.batch = 1;
996 } 1183 }
997 } 1184 }
998 } 1185 }
999 if (ss_cert_file != NULL) { 1186 if (ca_config.ss_cert_file != NULL) {
1000 total++; 1187 total++;
1001 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, 1188 j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509, dgst,
1002 sigopts, attribs, db, serial, subj, chtype, 1189 ca_config.sigopts, attribs, db, serial, ca_config.subj, ca_config.chtype,
1003 multirdn, email_dn, startdate, enddate, days, batch, 1190 ca_config.multirdn, ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1004 extensions, conf, verbose, certopt, nameopt, 1191 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1005 default_op, ext_copy); 1192 default_op, ext_copy);
1006 if (j < 0) 1193 if (j < 0)
1007 goto err; 1194 goto err;
@@ -1017,13 +1204,13 @@ ca_main(int argc, char **argv)
1017 } 1204 }
1018 } 1205 }
1019 } 1206 }
1020 if (infile != NULL) { 1207 if (ca_config.infile != NULL) {
1021 total++; 1208 total++;
1022 j = certify(&x, infile, pkey, x509p, dgst, sigopts, 1209 j = certify(&x, ca_config.infile, pkey, x509p, dgst, ca_config.sigopts,
1023 attribs, db, serial, subj, chtype, multirdn, 1210 attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn,
1024 email_dn, startdate, enddate, days, batch, 1211 ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1025 extensions, conf, verbose, certopt, nameopt, 1212 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1026 default_op, ext_copy, selfsign); 1213 default_op, ext_copy, ca_config.selfsign);
1027 if (j < 0) 1214 if (j < 0)
1028 goto err; 1215 goto err;
1029 if (j > 0) { 1216 if (j > 0) {
@@ -1038,13 +1225,13 @@ ca_main(int argc, char **argv)
1038 } 1225 }
1039 } 1226 }
1040 } 1227 }
1041 for (i = 0; i < argc; i++) { 1228 for (i = 0; i < ca_config.infiles_num; i++) {
1042 total++; 1229 total++;
1043 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, 1230 j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst, ca_config.sigopts,
1044 attribs, db, serial, subj, chtype, multirdn, 1231 attribs, db, serial, ca_config.subj, ca_config.chtype, ca_config.multirdn,
1045 email_dn, startdate, enddate, days, batch, 1232 ca_config.email_dn, ca_config.startdate, ca_config.enddate, ca_config.days, ca_config.batch,
1046 extensions, conf, verbose, certopt, nameopt, 1233 ca_config.extensions, conf, ca_config.verbose, certopt, nameopt,
1047 default_op, ext_copy, selfsign); 1234 default_op, ext_copy, ca_config.selfsign);
1048 if (j < 0) 1235 if (j < 0)
1049 goto err; 1236 goto err;
1050 if (j > 0) { 1237 if (j > 0) {
@@ -1065,7 +1252,7 @@ ca_main(int argc, char **argv)
1065 */ 1252 */
1066 1253
1067 if (sk_X509_num(cert_sk) > 0) { 1254 if (sk_X509_num(cert_sk) > 0) {
1068 if (!batch) { 1255 if (!ca_config.batch) {
1069 char answer[10]; 1256 char answer[10];
1070 1257
1071 BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total); 1258 BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
@@ -1089,7 +1276,7 @@ ca_main(int argc, char **argv)
1089 if (!save_index(dbfile, "new", db)) 1276 if (!save_index(dbfile, "new", db))
1090 goto err; 1277 goto err;
1091 } 1278 }
1092 if (verbose) 1279 if (ca_config.verbose)
1093 BIO_printf(bio_err, "writing new certificates\n"); 1280 BIO_printf(bio_err, "writing new certificates\n");
1094 for (i = 0; i < sk_X509_num(cert_sk); i++) { 1281 for (i = 0; i < sk_X509_num(cert_sk); i++) {
1095 int k; 1282 int k;
@@ -1107,7 +1294,7 @@ ca_main(int argc, char **argv)
1107 serialstr = strdup("00"); 1294 serialstr = strdup("00");
1108 if (serialstr) { 1295 if (serialstr) {
1109 k = snprintf(pempath, sizeof(pempath), 1296 k = snprintf(pempath, sizeof(pempath),
1110 "%s/%s.pem", outdir, serialstr); 1297 "%s/%s.pem", ca_config.outdir, serialstr);
1111 free(serialstr); 1298 free(serialstr);
1112 if (k < 0 || k >= sizeof(pempath)) { 1299 if (k < 0 || k >= sizeof(pempath)) {
1113 BIO_printf(bio_err, 1300 BIO_printf(bio_err,
@@ -1119,15 +1306,15 @@ ca_main(int argc, char **argv)
1119 "memory allocation failed\n"); 1306 "memory allocation failed\n");
1120 goto err; 1307 goto err;
1121 } 1308 }
1122 if (verbose) 1309 if (ca_config.verbose)
1123 BIO_printf(bio_err, "writing %s\n", pempath); 1310 BIO_printf(bio_err, "writing %s\n", pempath);
1124 1311
1125 if (BIO_write_filename(Cout, pempath) <= 0) { 1312 if (BIO_write_filename(Cout, pempath) <= 0) {
1126 perror(pempath); 1313 perror(pempath);
1127 goto err; 1314 goto err;
1128 } 1315 }
1129 write_new_certificate(Cout, x, 0, notext); 1316 write_new_certificate(Cout, x, 0, ca_config.notext);
1130 write_new_certificate(Sout, x, output_der, notext); 1317 write_new_certificate(Sout, x, output_der, ca_config.notext);
1131 } 1318 }
1132 1319
1133 if (sk_X509_num(cert_sk)) { 1320 if (sk_X509_num(cert_sk)) {
@@ -1142,27 +1329,27 @@ ca_main(int argc, char **argv)
1142 } 1329 }
1143 } 1330 }
1144 /*****************************************************************/ 1331 /*****************************************************************/
1145 if (gencrl) { 1332 if (ca_config.gencrl) {
1146 int crl_v2 = 0; 1333 int crl_v2 = 0;
1147 if (!crl_ext) { 1334 if (!ca_config.crl_ext) {
1148 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); 1335 ca_config.crl_ext = NCONF_get_string(conf, ca_config.section, ENV_CRLEXT);
1149 if (!crl_ext) 1336 if (!ca_config.crl_ext)
1150 ERR_clear_error(); 1337 ERR_clear_error();
1151 } 1338 }
1152 if (crl_ext) { 1339 if (ca_config.crl_ext) {
1153 /* Check syntax of file */ 1340 /* Check syntax of file */
1154 X509V3_CTX ctx; 1341 X509V3_CTX ctx;
1155 X509V3_set_ctx_test(&ctx); 1342 X509V3_set_ctx_test(&ctx);
1156 X509V3_set_nconf(&ctx, conf); 1343 X509V3_set_nconf(&ctx, conf);
1157 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { 1344 if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext, NULL)) {
1158 BIO_printf(bio_err, 1345 BIO_printf(bio_err,
1159 "Error Loading CRL extension section %s\n", 1346 "Error Loading CRL extension section %s\n",
1160 crl_ext); 1347 ca_config.crl_ext);
1161 ret = 1; 1348 ret = 1;
1162 goto err; 1349 goto err;
1163 } 1350 }
1164 } 1351 }
1165 if ((crlnumberfile = NCONF_get_string(conf, section, 1352 if ((crlnumberfile = NCONF_get_string(conf, ca_config.section,
1166 ENV_CRLNUMBER)) != NULL) 1353 ENV_CRLNUMBER)) != NULL)
1167 if ((crlnumber = load_serial(crlnumberfile, 0, 1354 if ((crlnumber = load_serial(crlnumberfile, 0,
1168 NULL)) == NULL) { 1355 NULL)) == NULL) {
@@ -1170,20 +1357,20 @@ ca_main(int argc, char **argv)
1170 "error while loading CRL number\n"); 1357 "error while loading CRL number\n");
1171 goto err; 1358 goto err;
1172 } 1359 }
1173 if (!crldays && !crlhours && !crlsec) { 1360 if (!ca_config.crldays && !ca_config.crlhours && !ca_config.crlsec) {
1174 if (!NCONF_get_number(conf, section, 1361 if (!NCONF_get_number(conf, ca_config.section,
1175 ENV_DEFAULT_CRL_DAYS, &crldays)) 1362 ENV_DEFAULT_CRL_DAYS, &ca_config.crldays))
1176 crldays = 0; 1363 ca_config.crldays = 0;
1177 if (!NCONF_get_number(conf, section, 1364 if (!NCONF_get_number(conf, ca_config.section,
1178 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1365 ENV_DEFAULT_CRL_HOURS, &ca_config.crlhours))
1179 crlhours = 0; 1366 ca_config.crlhours = 0;
1180 ERR_clear_error(); 1367 ERR_clear_error();
1181 } 1368 }
1182 if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { 1369 if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) && (ca_config.crlsec == 0)) {
1183 BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n"); 1370 BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
1184 goto err; 1371 goto err;
1185 } 1372 }
1186 if (verbose) 1373 if (ca_config.verbose)
1187 BIO_printf(bio_err, "making CRL\n"); 1374 BIO_printf(bio_err, "making CRL\n");
1188 if ((crl = X509_CRL_new()) == NULL) 1375 if ((crl = X509_CRL_new()) == NULL)
1189 goto err; 1376 goto err;
@@ -1195,8 +1382,8 @@ ca_main(int argc, char **argv)
1195 goto err; 1382 goto err;
1196 X509_gmtime_adj(tmptm, 0); 1383 X509_gmtime_adj(tmptm, 0);
1197 X509_CRL_set_lastUpdate(crl, tmptm); 1384 X509_CRL_set_lastUpdate(crl, tmptm);
1198 if (!X509_time_adj_ex(tmptm, crldays, 1385 if (!X509_time_adj_ex(tmptm, ca_config.crldays,
1199 crlhours * 60 * 60 + crlsec, NULL)) { 1386 ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL)) {
1200 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1387 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1201 goto err; 1388 goto err;
1202 } 1389 }
@@ -1233,19 +1420,19 @@ ca_main(int argc, char **argv)
1233 X509_CRL_sort(crl); 1420 X509_CRL_sort(crl);
1234 1421
1235 /* we now have a CRL */ 1422 /* we now have a CRL */
1236 if (verbose) 1423 if (ca_config.verbose)
1237 BIO_printf(bio_err, "signing CRL\n"); 1424 BIO_printf(bio_err, "signing CRL\n");
1238 1425
1239 /* Add any extensions asked for */ 1426 /* Add any extensions asked for */
1240 1427
1241 if (crl_ext || crlnumberfile != NULL) { 1428 if (ca_config.crl_ext || crlnumberfile != NULL) {
1242 X509V3_CTX crlctx; 1429 X509V3_CTX crlctx;
1243 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 1430 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1244 X509V3_set_nconf(&crlctx, conf); 1431 X509V3_set_nconf(&crlctx, conf);
1245 1432
1246 if (crl_ext) 1433 if (ca_config.crl_ext)
1247 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, 1434 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1248 crl_ext, crl)) 1435 ca_config.crl_ext, crl))
1249 goto err; 1436 goto err;
1250 if (crlnumberfile != NULL) { 1437 if (crlnumberfile != NULL) {
1251 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1438 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
@@ -1259,7 +1446,7 @@ ca_main(int argc, char **argv)
1259 goto err; 1446 goto err;
1260 } 1447 }
1261 } 1448 }
1262 if (crl_ext || crl_v2) { 1449 if (ca_config.crl_ext || crl_v2) {
1263 if (!X509_CRL_set_version(crl, 1)) 1450 if (!X509_CRL_set_version(crl, 1))
1264 goto err; /* version 2 CRL */ 1451 goto err; /* version 2 CRL */
1265 } 1452 }
@@ -1272,7 +1459,7 @@ ca_main(int argc, char **argv)
1272 BN_free(crlnumber); 1459 BN_free(crlnumber);
1273 crlnumber = NULL; 1460 crlnumber = NULL;
1274 } 1461 }
1275 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts)) 1462 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, ca_config.sigopts))
1276 goto err; 1463 goto err;
1277 1464
1278 PEM_write_bio_X509_CRL(Sout, crl); 1465 PEM_write_bio_X509_CRL(Sout, crl);
@@ -1283,17 +1470,17 @@ ca_main(int argc, char **argv)
1283 1470
1284 } 1471 }
1285 /*****************************************************************/ 1472 /*****************************************************************/
1286 if (dorevoke) { 1473 if (ca_config.dorevoke) {
1287 if (infile == NULL) { 1474 if (ca_config.infile == NULL) {
1288 BIO_printf(bio_err, "no input files\n"); 1475 BIO_printf(bio_err, "no input files\n");
1289 goto err; 1476 goto err;
1290 } else { 1477 } else {
1291 X509 *revcert; 1478 X509 *revcert;
1292 revcert = load_cert(bio_err, infile, FORMAT_PEM, 1479 revcert = load_cert(bio_err, ca_config.infile, FORMAT_PEM,
1293 NULL, infile); 1480 NULL, ca_config.infile);
1294 if (revcert == NULL) 1481 if (revcert == NULL)
1295 goto err; 1482 goto err;
1296 j = do_revoke(revcert, db, rev_type, rev_arg); 1483 j = do_revoke(revcert, db, ca_config.rev_type, ca_config.rev_arg);
1297 if (j <= 0) 1484 if (j <= 0)
1298 goto err; 1485 goto err;
1299 X509_free(revcert); 1486 X509_free(revcert);
@@ -1323,13 +1510,13 @@ ca_main(int argc, char **argv)
1323 1510
1324 if (ret) 1511 if (ret)
1325 ERR_print_errors(bio_err); 1512 ERR_print_errors(bio_err);
1326 if (free_key && key) 1513 if (free_key && ca_config.key)
1327 free(key); 1514 free(ca_config.key);
1328 BN_free(serial); 1515 BN_free(serial);
1329 BN_free(crlnumber); 1516 BN_free(crlnumber);
1330 free_index(db); 1517 free_index(db);
1331 if (sigopts) 1518 if (ca_config.sigopts)
1332 sk_OPENSSL_STRING_free(sigopts); 1519 sk_OPENSSL_STRING_free(ca_config.sigopts);
1333 EVP_PKEY_free(pkey); 1520 EVP_PKEY_free(pkey);
1334 if (x509) 1521 if (x509)
1335 X509_free(x509); 1522 X509_free(x509);
@@ -1526,7 +1713,7 @@ do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
1526 str = X509_NAME_ENTRY_get_data(ne); 1713 str = X509_NAME_ENTRY_get_data(ne);
1527 obj = X509_NAME_ENTRY_get_object(ne); 1714 obj = X509_NAME_ENTRY_get_object(ne);
1528 1715
1529 if (msie_hack) { 1716 if (ca_config.msie_hack) {
1530 /* assume all type should be strings */ 1717 /* assume all type should be strings */
1531 nid = OBJ_obj2nid(ne->object); 1718 nid = OBJ_obj2nid(ne->object);
1532 1719
@@ -1659,7 +1846,7 @@ again2:
1659 } 1846 }
1660 } 1847 }
1661 1848
1662 if (preserve) { 1849 if (ca_config.preserve) {
1663 X509_NAME_free(subject); 1850 X509_NAME_free(subject);
1664 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 1851 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1665 subject = X509_NAME_dup(name); 1852 subject = X509_NAME_dup(name);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-20 10:54:35 +0000