2  * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
33 #define UNSET_DAYS         -2 /* -1 may be used for testing expiration checks */
34 #define EXT_COPY_UNSET     -1
63     {"help", OPT_HELP, '-', "Display this summary"},
66      "Certificate input, or CSR input file with -req (default stdin)"},
67     {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
68     {"new", OPT_NEW, '-', "Generate a certificate from scratch"},
69     {"x509toreq", OPT_X509TOREQ, '-',
71     {"req", OPT_REQ, '-', "Input is a CSR file (rather than a certificate)"},
78      "Key for signing, and to include unless using -force_pubkey"},
80      "Same as -key"},
83     {"out", OPT_OUT, '>', "Output file - default stdout"},
85      "Output format (DER or PEM) - default PEM"},
86     {"nocert", OPT_NOCERT, '-',
88     {"noout", OPT_NOOUT, '-', "No output (except for requested printing)"},
91     {"text", OPT_TEXT, '-', "Print the certificate in text form"},
95     {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"},
96     {"alias", OPT_ALIAS, '-', "Print certificate alias"},
97     {"serial", OPT_SERIAL, '-', "Print serial number value"},
98     {"startdate", OPT_STARTDATE, '-', "Print the notBefore field"},
99     {"enddate", OPT_ENDDATE, '-', "Print the notAfter field"},
100     {"dates", OPT_DATES, '-', "Print both notBefore and notAfter fields"},
101     {"subject", OPT_SUBJECT, '-', "Print subject DN"},
102     {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
105     {"email", OPT_EMAIL, '-', "Print email address(es)"},
106     {"hash", OPT_HASH, '-', "Synonym for -subject_hash (for backward compat)"},
107     {"subject_hash", OPT_HASH, '-', "Print subject hash value"},
109     {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
110      "Print old-style (MD5) subject hash value"},
112     {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
114     {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
115      "Print old-style (MD5) issuer hash value"},
119     {"ocspid", OPT_OCSPID, '-',
121     {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
122     {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
123     {"pubkey", OPT_PUBKEY, '-', "Print the public key in PEM format"},
124     {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
136      "Serial number to use, overrides -CAserial"},
137     {"next_serial", OPT_NEXT_SERIAL, '-',
138      "Increment current certificate serial number"},
142      "[CC]YYMMDDHHMMSSZ value for notAfter certificate field, overrides -days"},
144      "Number of days until newly generated certificate expires - default 30"},
145     {"preserve_dates", OPT_PRESERVE_DATES, '-',
149     {"subj", OPT_SUBJ, 's', "Alias for -set_subject"},
152     {"clrext", OPT_CLREXT, '-',
156      "Section of extfile to use - default: unnamed section"},
158     {"badsig", OPT_BADSIG, '-',
160     {"", OPT_MD, '-', "Any supported digest, used for signing and printing"},
162     OPT_SECTION("Micro-CA"),
164      "Use the given CA certificate, conflicts with -key"},
166     {"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
170      "File that keeps track of CA-generated serial number"},
171     {"CAcreateserial", OPT_CACREATESERIAL, '-',
172      "Create CA serial number file if it does not exist"},
175     {"trustout", OPT_TRUSTOUT, '-', "Mark certificate PEM output as trusted"},
177     {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
179     {"clrreject", OPT_CLRREJECT, '-',
198                    "Warning: -ext should not specify copying %s extension to CSR; ignoring this\n",  in warn_copying()
215      * Filter out SKID and AKID extensions, which make no sense in a CSR.  in x509_to_req()
266     BIO *out = NULL;  in x509_main()  local
298     int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, ext = 0;  in x509_main()  local
321             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);  in x509_main()
393                 BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",  in x509_main()
430                 BIO_printf(bio_err, "Serial number supplied twice\n");  in x509_main()
494             serial = ++num;  in x509_main()
593                     BIO_printf(bio_err, "%s: Checkend time out of range %s\n",  in x509_main()
627         BIO_printf(bio_err, "Cannot use -preserve_dates with -not_before option\n");  in x509_main()
631         BIO_printf(bio_err, "Cannot use -preserve_dates with -not_after option\n");  in x509_main()
635         BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");  in x509_main()
641         BIO_printf(bio_err, "Warning: -not_after option overriding -days option\n");  in x509_main()
653         BIO_printf(bio_err, "The -in option cannot be used with -new\n");  in x509_main()
657         BIO_printf(bio_err, "The -req option cannot be used with -new\n");  in x509_main()
674                        "The -new option requires a subject to be set using -subj\n");  in x509_main()
679                        "The -new option requires using the -key or -force_pubkey option\n");  in x509_main()
694             BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");  in x509_main()
699         "Warning: ignoring " opt " option since -CA option is not given\n");  in x509_main()
701             WARN_NO_CA("-CAkey");  in x509_main()
703             WARN_NO_CA("-CAkeyform");  in x509_main()
705             WARN_NO_CA("-CAform");  in x509_main()
707             WARN_NO_CA("-CAserial");  in x509_main()
709             WARN_NO_CA("-CAcreateserial");  in x509_main()
715                        "Warning: ignoring -extensions option without -extfile\n");  in x509_main()
738                        "Warning: Reading cert request from stdin since no -in option is given\n");  in x509_main()
751                        ? "Error while verifying certificate request self-signature\n"  in x509_main()
752                        : "Certificate request self-signature did not match the contents\n");  in x509_main()
755         BIO_printf(bio_err, "Certificate request self-signature ok\n");  in x509_main()
759 …BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given…  in x509_main()
765                        "Warning: ignoring -preserve_dates option with -req or -new\n");  in x509_main()
769 …               "We need a private key to sign with, use -key or -CAkey or -CA with private key\n");  in x509_main()
781                 BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");  in x509_main()
791 …                 "Warning: Reading certificate from stdin since no -in or -new option is given\n");  in x509_main()
812     out = bio_open_default(outfile, 'w', outformat);  in x509_main()
813     if (out == NULL)  in x509_main()
817         X509_alias_set1(x, (unsigned char *)alias, -1);  in x509_main()
835         BIO_printf(bio_err, "Warning: Ignoring -ext since -clrext is given\n");  in x509_main()
836     for (i = X509_get_ext_count(x) - 1; i >= 0; i--) {  in x509_main()
897     if (x509toreq) { /* also works in conjunction with -req */  in x509_main()
899             BIO_printf(bio_err, "Must specify request signing key using -key\n");  in x509_main()
903             BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");  in x509_main()
920                 X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT);  in x509_main()
921                 i = i2d_X509_bio(out, x);  in x509_main()
923                 i = PEM_write_bio_X509_REQ(out, rq);  in x509_main()
958             print_name(out, "issuer=", X509_get_issuer_name(x));  in x509_main()
960             print_name(out, "subject=", X509_get_subject_name(x));  in x509_main()
961         } else if (i == serial) {  in x509_main()
962             BIO_printf(out, "serial=");  in x509_main()
963             i2a_ASN1_INTEGER(out, X509_get0_serialNumber(x));  in x509_main()
964             BIO_printf(out, "\n");  in x509_main()
977             i2a_ASN1_INTEGER(out, ser);  in x509_main()
979             BIO_puts(out, "\n");  in x509_main()
985                 BIO_printf(out, "%s\n", sk_OPENSSL_STRING_value(emlst, j));  in x509_main()
991                 BIO_printf(out, "%s\n", alstr);  in x509_main()
993                 BIO_puts(out, "<No Alias>\n");  in x509_main()
995             BIO_printf(out, "%08lx\n", X509_subject_name_hash(x));  in x509_main()
998             BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x));  in x509_main()
1001             BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x));  in x509_main()
1004             BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x));  in x509_main()
1007             BIO_printf(out, "Certificate purposes:\n");  in x509_main()
1009                 purpose_print(out, x, X509_PURPOSE_get0(j));  in x509_main()
1011             BIO_printf(out, "Modulus=");  in x509_main()
1012             if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) {  in x509_main()
1017                 BN_print(out, n);  in x509_main()
1024                 BN_print(out, dsapub);  in x509_main()
1027                 BIO_printf(out, "No modulus for this public key type");  in x509_main()
1029             BIO_printf(out, "\n");  in x509_main()
1031             PEM_write_bio_PUBKEY(out, pkey);  in x509_main()
1033             X509_print_ex(out, x, get_nameopt(), certflag);  in x509_main()
1035             BIO_puts(out, "notBefore=");  in x509_main()
1036             ASN1_TIME_print_ex(out, X509_get0_notBefore(x), dateopt);  in x509_main()
1037             BIO_puts(out, "\n");  in x509_main()
1039             BIO_puts(out, "notAfter=");  in x509_main()
1040             ASN1_TIME_print_ex(out, X509_get0_notAfter(x), dateopt);  in x509_main()
1041             BIO_puts(out, "\n");  in x509_main()
1060                 BIO_printf(bio_err, "Out of memory\n");  in x509_main()
1064             BIO_printf(out, "%s Fingerprint=", fdigname);  in x509_main()
1066                 BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':');  in x509_main()
1068             X509_ocspid_print(out, x);  in x509_main()
1070             print_x509v3_exts(out, x, ext_names);  in x509_main()
1079             BIO_printf(out, "Certificate will expire\n");  in x509_main()
1081             BIO_printf(out, "Certificate will not expire\n");  in x509_main()
1085     if (!check_cert_attributes(out, x, checkhost, checkemail, checkip, 1))  in x509_main()
1094         i = i2d_X509_bio(out, x);  in x509_main()
1097             i = PEM_write_bio_X509_AUX(out, x);  in x509_main()
1099             i = PEM_write_bio_X509(out, x);  in x509_main()
1117     BIO_free_all(out);  in x509_main()
1143     BIGNUM *serial = NULL;  in x509_load_serial()  local
1148         size_t len = p != NULL ? (size_t)(p - CAfile) : strlen(CAfile);  in x509_load_serial()
1150         buf = app_malloc(len + sizeof(POSTFIX), "serial# buffer");  in x509_load_serial()
1157     serial = load_serial(serialfile, &file_exists, create || defaultfile, NULL);  in x509_load_serial()
1158     if (serial == NULL)  in x509_load_serial()
1161     if (!BN_add_word(serial, 1)) {  in x509_load_serial()
1162         BIO_printf(bio_err, "Serial number increment failure\n");  in x509_load_serial()
1167         save_serial(serialfile, NULL, serial, &bs);  in x509_load_serial()
1169         bs = BN_to_ASN1_INTEGER(serial, NULL);  in x509_load_serial()
1173     BN_free(serial);  in x509_load_serial()
1183      * It is ok to use a self-signed certificate. This case will catch both  in callb()
1194                    "Error with certificate - error %d at depth %d\n%s\n", err,  in callb()
1230     while (q - names <= len) {  in parse_ext_names()