1 /* 2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <ctype.h> 13 #include <sys/types.h> 14 #include <openssl/conf.h> 15 #include <openssl/bio.h> 16 #include <openssl/err.h> 17 #include <openssl/bn.h> 18 #include <openssl/txt_db.h> 19 #include <openssl/evp.h> 20 #include <openssl/x509.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/objects.h> 23 #include <openssl/ocsp.h> 24 #include <openssl/pem.h> 25 26 #ifndef W_OK 27 # ifdef OPENSSL_SYS_VMS 28 # include <unistd.h> 29 # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) 30 # include <sys/file.h> 31 # endif 32 #endif 33 34 #include "apps.h" 35 #include "progs.h" 36 37 #ifndef W_OK 38 # define F_OK 0 39 # define W_OK 2 40 # define R_OK 4 41 #endif 42 43 #ifndef PATH_MAX 44 # define PATH_MAX 4096 45 #endif 46 47 #define BASE_SECTION "ca" 48 49 #define ENV_DEFAULT_CA "default_ca" 50 51 #define STRING_MASK "string_mask" 52 #define UTF8_IN "utf8" 53 54 #define ENV_NEW_CERTS_DIR "new_certs_dir" 55 #define ENV_CERTIFICATE "certificate" 56 #define ENV_SERIAL "serial" 57 #define ENV_RAND_SERIAL "rand_serial" 58 #define ENV_CRLNUMBER "crlnumber" 59 #define ENV_PRIVATE_KEY "private_key" 60 #define ENV_DEFAULT_DAYS "default_days" 61 #define ENV_DEFAULT_STARTDATE "default_startdate" 62 #define ENV_DEFAULT_ENDDATE "default_enddate" 63 #define ENV_DEFAULT_CRL_DAYS "default_crl_days" 64 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" 65 #define ENV_DEFAULT_MD "default_md" 66 #define ENV_DEFAULT_EMAIL_DN "email_in_dn" 67 #define ENV_PRESERVE "preserve" 68 #define ENV_POLICY "policy" 69 #define ENV_EXTENSIONS "x509_extensions" 70 #define ENV_CRLEXT "crl_extensions" 71 #define ENV_MSIE_HACK "msie_hack" 72 #define ENV_NAMEOPT "name_opt" 73 #define ENV_CERTOPT "cert_opt" 74 #define ENV_EXTCOPY "copy_extensions" 75 #define ENV_UNIQUE_SUBJECT "unique_subject" 76 77 #define ENV_DATABASE "database" 78 79 /* Additional revocation information types */ 80 typedef enum { 81 REV_VALID = -1, /* Valid (not-revoked) status */ 82 REV_NONE = 0, /* No additional information */ 83 REV_CRL_REASON = 1, /* Value is CRL reason code */ 84 REV_HOLD = 2, /* Value is hold instruction */ 85 REV_KEY_COMPROMISE = 3, /* Value is cert key compromise time */ 86 REV_CA_COMPROMISE = 4 /* Value is CA key compromise time */ 87 } REVINFO_TYPE; 88 89 static char *lookup_conf(const CONF *conf, const char *group, const char *tag); 90 91 static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 92 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 93 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 94 BIGNUM *serial, const char *subj, unsigned long chtype, 95 int multirdn, int email_dn, const char *startdate, 96 const char *enddate, 97 long days, int batch, const char *ext_sect, CONF *conf, 98 int verbose, unsigned long certopt, unsigned long nameopt, 99 int default_op, int ext_copy, int selfsign); 100 static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 101 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 102 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 103 BIGNUM *serial, const char *subj, unsigned long chtype, 104 int multirdn, int email_dn, const char *startdate, 105 const char *enddate, long days, int batch, const char *ext_sect, 106 CONF *conf, int verbose, unsigned long certopt, 107 unsigned long nameopt, int default_op, int ext_copy); 108 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 109 X509 *x509, const EVP_MD *dgst, 110 STACK_OF(OPENSSL_STRING) *sigopts, 111 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 112 BIGNUM *serial, const char *subj, unsigned long chtype, 113 int multirdn, int email_dn, const char *startdate, 114 const char *enddate, long days, const char *ext_sect, CONF *conf, 115 int verbose, unsigned long certopt, 116 unsigned long nameopt, int default_op, int ext_copy); 117 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 118 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 119 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 120 const char *subj, unsigned long chtype, int multirdn, 121 int email_dn, const char *startdate, const char *enddate, long days, 122 int batch, int verbose, X509_REQ *req, const char *ext_sect, 123 CONF *conf, unsigned long certopt, unsigned long nameopt, 124 int default_op, int ext_copy, int selfsign); 125 static int get_certificate_status(const char *ser_status, CA_DB *db); 126 static int do_updatedb(CA_DB *db); 127 static int check_time_format(const char *str); 128 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 129 const char *extval); 130 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg); 131 static int make_revoked(X509_REVOKED *rev, const char *str); 132 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str); 133 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); 134 135 static CONF *extconf = NULL; 136 static int preserve = 0; 137 static int msie_hack = 0; 138 139 typedef enum OPTION_choice { 140 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 141 OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, 142 OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, 143 OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, 144 OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, 145 OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, 146 OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, 147 OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, 148 OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, 149 OPT_RAND_SERIAL, 150 OPT_R_ENUM, 151 /* Do not change the order here; see related case statements below */ 152 OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE 153 } OPTION_CHOICE; 154 155 const OPTIONS ca_options[] = { 156 {"help", OPT_HELP, '-', "Display this summary"}, 157 {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, 158 {"config", OPT_CONFIG, 's', "A config file"}, 159 {"name", OPT_NAME, 's', "The particular CA definition to use"}, 160 {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, 161 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, 162 {"create_serial", OPT_CREATE_SERIAL, '-', 163 "If reading serial fails, create a new random serial"}, 164 {"rand_serial", OPT_RAND_SERIAL, '-', 165 "Always create a random serial; do not store it"}, 166 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', 167 "Enable support for multivalued RDNs"}, 168 {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, 169 {"enddate", OPT_ENDDATE, 's', 170 "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, 171 {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, 172 {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, 173 {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, 174 {"keyfile", OPT_KEYFILE, 's', "Private key"}, 175 {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, 176 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, 177 {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, 178 {"cert", OPT_CERT, '<', "The CA cert"}, 179 {"selfsign", OPT_SELFSIGN, '-', 180 "Sign a cert with the key associated with it"}, 181 {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, 182 {"out", OPT_OUT, '>', "Where to put the output file(s)"}, 183 {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, 184 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 185 {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, 186 {"batch", OPT_BATCH, '-', "Don't ask questions"}, 187 {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, 188 {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, 189 {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, 190 {"msie_hack", OPT_MSIE_HACK, '-', 191 "msie modifications to handle all those universal strings"}, 192 {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, 193 {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, 194 {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, 195 {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, 196 {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, 197 {"spkac", OPT_SPKAC, '<', 198 "File contains DN and signed public key and challenge"}, 199 {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, 200 {"valid", OPT_VALID, 's', 201 "Add a Valid(not-revoked) DB entry about a cert (given in file)"}, 202 {"extensions", OPT_EXTENSIONS, 's', 203 "Extension section (override value in config file)"}, 204 {"extfile", OPT_EXTFILE, '<', 205 "Configuration file with X509v3 extensions to add"}, 206 {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, 207 {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, 208 {"crlexts", OPT_CRLEXTS, 's', 209 "CRL extension section (override value in config file)"}, 210 {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"}, 211 {"crl_hold", OPT_CRL_HOLD, 's', 212 "the hold instruction, an OID. Sets revocation reason to certificateHold"}, 213 {"crl_compromise", OPT_CRL_COMPROMISE, 's', 214 "sets compromise time to val and the revocation reason to keyCompromise"}, 215 {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', 216 "sets compromise time to val and the revocation reason to CACompromise"}, 217 OPT_R_OPTIONS, 218 #ifndef OPENSSL_NO_ENGINE 219 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 220 #endif 221 {NULL} 222 }; 223 224 int ca_main(int argc, char **argv) 225 { 226 CONF *conf = NULL; 227 ENGINE *e = NULL; 228 BIGNUM *crlnumber = NULL, *serial = NULL; 229 EVP_PKEY *pkey = NULL; 230 BIO *in = NULL, *out = NULL, *Sout = NULL; 231 ASN1_INTEGER *tmpser; 232 ASN1_TIME *tmptm; 233 CA_DB *db = NULL; 234 DB_ATTR db_attr; 235 STACK_OF(CONF_VALUE) *attribs = NULL; 236 STACK_OF(OPENSSL_STRING) *sigopts = NULL; 237 STACK_OF(X509) *cert_sk = NULL; 238 X509_CRL *crl = NULL; 239 const EVP_MD *dgst = NULL; 240 char *configfile = default_config_file, *section = NULL; 241 char *md = NULL, *policy = NULL, *keyfile = NULL; 242 char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL; 243 const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; 244 const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; 245 char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; 246 const char *serialfile = NULL, *subj = NULL; 247 char *prog, *startdate = NULL, *enddate = NULL; 248 char *dbfile = NULL, *f; 249 char new_cert[PATH_MAX]; 250 char tmp[10 + 1] = "\0"; 251 char *const *pp; 252 const char *p; 253 size_t outdirlen = 0; 254 int create_ser = 0, free_key = 0, total = 0, total_done = 0; 255 int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; 256 int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; 257 int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; 258 int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret; 259 long crldays = 0, crlhours = 0, crlsec = 0, days = 0; 260 unsigned long chtype = MBSTRING_ASC, certopt = 0; 261 X509 *x509 = NULL, *x509p = NULL, *x = NULL; 262 REVINFO_TYPE rev_type = REV_NONE; 263 X509_REVOKED *r = NULL; 264 OPTION_CHOICE o; 265 266 prog = opt_init(argc, argv, ca_options); 267 while ((o = opt_next()) != OPT_EOF) { 268 switch (o) { 269 case OPT_EOF: 270 case OPT_ERR: 271 opthelp: 272 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 273 goto end; 274 case OPT_HELP: 275 opt_help(ca_options); 276 ret = 0; 277 goto end; 278 case OPT_IN: 279 req = 1; 280 infile = opt_arg(); 281 break; 282 case OPT_OUT: 283 outfile = opt_arg(); 284 break; 285 case OPT_VERBOSE: 286 verbose = 1; 287 break; 288 case OPT_CONFIG: 289 configfile = opt_arg(); 290 break; 291 case OPT_NAME: 292 section = opt_arg(); 293 break; 294 case OPT_SUBJ: 295 subj = opt_arg(); 296 /* preserve=1; */ 297 break; 298 case OPT_UTF8: 299 chtype = MBSTRING_UTF8; 300 break; 301 case OPT_RAND_SERIAL: 302 rand_ser = 1; 303 break; 304 case OPT_CREATE_SERIAL: 305 create_ser = 1; 306 break; 307 case OPT_MULTIVALUE_RDN: 308 multirdn = 1; 309 break; 310 case OPT_STARTDATE: 311 startdate = opt_arg(); 312 break; 313 case OPT_ENDDATE: 314 enddate = opt_arg(); 315 break; 316 case OPT_DAYS: 317 days = atoi(opt_arg()); 318 break; 319 case OPT_MD: 320 md = opt_arg(); 321 break; 322 case OPT_POLICY: 323 policy = opt_arg(); 324 break; 325 case OPT_KEYFILE: 326 keyfile = opt_arg(); 327 break; 328 case OPT_KEYFORM: 329 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) 330 goto opthelp; 331 break; 332 case OPT_PASSIN: 333 passinarg = opt_arg(); 334 break; 335 case OPT_R_CASES: 336 if (!opt_rand(o)) 337 goto end; 338 break; 339 case OPT_KEY: 340 key = opt_arg(); 341 break; 342 case OPT_CERT: 343 certfile = opt_arg(); 344 break; 345 case OPT_SELFSIGN: 346 selfsign = 1; 347 break; 348 case OPT_OUTDIR: 349 outdir = opt_arg(); 350 break; 351 case OPT_SIGOPT: 352 if (sigopts == NULL) 353 sigopts = sk_OPENSSL_STRING_new_null(); 354 if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 355 goto end; 356 break; 357 case OPT_NOTEXT: 358 notext = 1; 359 break; 360 case OPT_BATCH: 361 batch = 1; 362 break; 363 case OPT_PRESERVEDN: 364 preserve = 1; 365 break; 366 case OPT_NOEMAILDN: 367 email_dn = 0; 368 break; 369 case OPT_GENCRL: 370 gencrl = 1; 371 break; 372 case OPT_MSIE_HACK: 373 msie_hack = 1; 374 break; 375 case OPT_CRLDAYS: 376 crldays = atol(opt_arg()); 377 break; 378 case OPT_CRLHOURS: 379 crlhours = atol(opt_arg()); 380 break; 381 case OPT_CRLSEC: 382 crlsec = atol(opt_arg()); 383 break; 384 case OPT_INFILES: 385 req = 1; 386 goto end_of_options; 387 case OPT_SS_CERT: 388 ss_cert_file = opt_arg(); 389 req = 1; 390 break; 391 case OPT_SPKAC: 392 spkac_file = opt_arg(); 393 req = 1; 394 break; 395 case OPT_REVOKE: 396 infile = opt_arg(); 397 dorevoke = 1; 398 break; 399 case OPT_VALID: 400 infile = opt_arg(); 401 dorevoke = 2; 402 break; 403 case OPT_EXTENSIONS: 404 extensions = opt_arg(); 405 break; 406 case OPT_EXTFILE: 407 extfile = opt_arg(); 408 break; 409 case OPT_STATUS: 410 ser_status = opt_arg(); 411 break; 412 case OPT_UPDATEDB: 413 doupdatedb = 1; 414 break; 415 case OPT_CRLEXTS: 416 crl_ext = opt_arg(); 417 break; 418 case OPT_CRL_REASON: /* := REV_CRL_REASON */ 419 case OPT_CRL_HOLD: 420 case OPT_CRL_COMPROMISE: 421 case OPT_CRL_CA_COMPROMISE: 422 rev_arg = opt_arg(); 423 rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON; 424 break; 425 case OPT_ENGINE: 426 e = setup_engine(opt_arg(), 0); 427 break; 428 } 429 } 430 end_of_options: 431 argc = opt_num_rest(); 432 argv = opt_rest(); 433 434 BIO_printf(bio_err, "Using configuration from %s\n", configfile); 435 436 if ((conf = app_load_config(configfile)) == NULL) 437 goto end; 438 if (configfile != default_config_file && !app_load_modules(conf)) 439 goto end; 440 441 /* Lets get the config section we are using */ 442 if (section == NULL 443 && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL) 444 goto end; 445 446 p = NCONF_get_string(conf, NULL, "oid_file"); 447 if (p == NULL) 448 ERR_clear_error(); 449 if (p != NULL) { 450 BIO *oid_bio = BIO_new_file(p, "r"); 451 452 if (oid_bio == NULL) { 453 ERR_clear_error(); 454 } else { 455 OBJ_create_objects(oid_bio); 456 BIO_free(oid_bio); 457 } 458 } 459 if (!add_oid_section(conf)) { 460 ERR_print_errors(bio_err); 461 goto end; 462 } 463 464 app_RAND_load_conf(conf, BASE_SECTION); 465 466 f = NCONF_get_string(conf, section, STRING_MASK); 467 if (f == NULL) 468 ERR_clear_error(); 469 470 if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) { 471 BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); 472 goto end; 473 } 474 475 if (chtype != MBSTRING_UTF8) { 476 f = NCONF_get_string(conf, section, UTF8_IN); 477 if (f == NULL) 478 ERR_clear_error(); 479 else if (strcmp(f, "yes") == 0) 480 chtype = MBSTRING_UTF8; 481 } 482 483 db_attr.unique_subject = 1; 484 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); 485 if (p != NULL) 486 db_attr.unique_subject = parse_yesno(p, 1); 487 else 488 ERR_clear_error(); 489 490 /*****************************************************************/ 491 /* report status of cert with serial number given on command line */ 492 if (ser_status) { 493 dbfile = lookup_conf(conf, section, ENV_DATABASE); 494 if (dbfile == NULL) 495 goto end; 496 497 db = load_index(dbfile, &db_attr); 498 if (db == NULL) 499 goto end; 500 501 if (index_index(db) <= 0) 502 goto end; 503 504 if (get_certificate_status(ser_status, db) != 1) 505 BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status); 506 goto end; 507 } 508 509 /*****************************************************************/ 510 /* we definitely need a private key, so let's get it */ 511 512 if (keyfile == NULL 513 && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL) 514 goto end; 515 516 if (key == NULL) { 517 free_key = 1; 518 if (!app_passwd(passinarg, NULL, &key, NULL)) { 519 BIO_printf(bio_err, "Error getting password\n"); 520 goto end; 521 } 522 } 523 pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key"); 524 if (key != NULL) 525 OPENSSL_cleanse(key, strlen(key)); 526 if (pkey == NULL) 527 /* load_key() has already printed an appropriate message */ 528 goto end; 529 530 /*****************************************************************/ 531 /* we need a certificate */ 532 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 533 if (certfile == NULL 534 && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) 535 goto end; 536 537 x509 = load_cert(certfile, FORMAT_PEM, "CA certificate"); 538 if (x509 == NULL) 539 goto end; 540 541 if (!X509_check_private_key(x509, pkey)) { 542 BIO_printf(bio_err, 543 "CA certificate and CA private key do not match\n"); 544 goto end; 545 } 546 } 547 if (!selfsign) 548 x509p = x509; 549 550 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); 551 if (f == NULL) 552 ERR_clear_error(); 553 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 554 preserve = 1; 555 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); 556 if (f == NULL) 557 ERR_clear_error(); 558 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 559 msie_hack = 1; 560 561 f = NCONF_get_string(conf, section, ENV_NAMEOPT); 562 563 if (f != NULL) { 564 if (!set_nameopt(f)) { 565 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); 566 goto end; 567 } 568 default_op = 0; 569 } 570 571 f = NCONF_get_string(conf, section, ENV_CERTOPT); 572 573 if (f != NULL) { 574 if (!set_cert_ex(&certopt, f)) { 575 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); 576 goto end; 577 } 578 default_op = 0; 579 } else { 580 ERR_clear_error(); 581 } 582 583 f = NCONF_get_string(conf, section, ENV_EXTCOPY); 584 585 if (f != NULL) { 586 if (!set_ext_copy(&ext_copy, f)) { 587 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); 588 goto end; 589 } 590 } else { 591 ERR_clear_error(); 592 } 593 594 /*****************************************************************/ 595 /* lookup where to write new certificates */ 596 if ((outdir == NULL) && (req)) { 597 598 outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR); 599 if (outdir == NULL) { 600 BIO_printf(bio_err, 601 "there needs to be defined a directory for new certificate to be placed in\n"); 602 goto end; 603 } 604 #ifndef OPENSSL_SYS_VMS 605 /* 606 * outdir is a directory spec, but access() for VMS demands a 607 * filename. We could use the DEC C routine to convert the 608 * directory syntax to Unix, and give that to app_isdir, 609 * but for now the fopen will catch the error if it's not a 610 * directory 611 */ 612 if (app_isdir(outdir) <= 0) { 613 BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir); 614 perror(outdir); 615 goto end; 616 } 617 #endif 618 } 619 620 /*****************************************************************/ 621 /* we need to load the database file */ 622 dbfile = lookup_conf(conf, section, ENV_DATABASE); 623 if (dbfile == NULL) 624 goto end; 625 626 db = load_index(dbfile, &db_attr); 627 if (db == NULL) 628 goto end; 629 630 /* Lets check some fields */ 631 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 632 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 633 if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { 634 BIO_printf(bio_err, 635 "entry %d: not revoked yet, but has a revocation date\n", 636 i + 1); 637 goto end; 638 } 639 if ((pp[DB_type][0] == DB_TYPE_REV) && 640 !make_revoked(NULL, pp[DB_rev_date])) { 641 BIO_printf(bio_err, " in entry %d\n", i + 1); 642 goto end; 643 } 644 if (!check_time_format((char *)pp[DB_exp_date])) { 645 BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); 646 goto end; 647 } 648 p = pp[DB_serial]; 649 j = strlen(p); 650 if (*p == '-') { 651 p++; 652 j--; 653 } 654 if ((j & 1) || (j < 2)) { 655 BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", 656 i + 1, j); 657 goto end; 658 } 659 for ( ; *p; p++) { 660 if (!isxdigit(_UC(*p))) { 661 BIO_printf(bio_err, 662 "entry %d: bad char 0%o '%c' in serial number\n", 663 i + 1, *p, *p); 664 goto end; 665 } 666 } 667 } 668 if (verbose) { 669 TXT_DB_write(bio_out, db->db); 670 BIO_printf(bio_err, "%d entries loaded from the database\n", 671 sk_OPENSSL_PSTRING_num(db->db->data)); 672 BIO_printf(bio_err, "generating index\n"); 673 } 674 675 if (index_index(db) <= 0) 676 goto end; 677 678 /*****************************************************************/ 679 /* Update the db file for expired certificates */ 680 if (doupdatedb) { 681 if (verbose) 682 BIO_printf(bio_err, "Updating %s ...\n", dbfile); 683 684 i = do_updatedb(db); 685 if (i == -1) { 686 BIO_printf(bio_err, "Malloc failure\n"); 687 goto end; 688 } else if (i == 0) { 689 if (verbose) 690 BIO_printf(bio_err, "No entries found to mark expired\n"); 691 } else { 692 if (!save_index(dbfile, "new", db)) 693 goto end; 694 695 if (!rotate_index(dbfile, "new", "old")) 696 goto end; 697 698 if (verbose) 699 BIO_printf(bio_err, "Done. %d entries marked as expired\n", i); 700 } 701 } 702 703 /*****************************************************************/ 704 /* Read extensions config file */ 705 if (extfile) { 706 if ((extconf = app_load_config(extfile)) == NULL) { 707 ret = 1; 708 goto end; 709 } 710 711 if (verbose) 712 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", 713 extfile); 714 715 /* We can have sections in the ext file */ 716 if (extensions == NULL) { 717 extensions = NCONF_get_string(extconf, "default", "extensions"); 718 if (extensions == NULL) 719 extensions = "default"; 720 } 721 } 722 723 /*****************************************************************/ 724 if (req || gencrl) { 725 if (spkac_file != NULL && outfile != NULL) { 726 output_der = 1; 727 batch = 1; 728 } 729 } 730 731 def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid); 732 /* 733 * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is 734 * mandatory for this algorithm. 735 */ 736 if (def_ret == 2 && def_nid == NID_undef) { 737 /* The signing algorithm requires there to be no digest */ 738 dgst = EVP_md_null(); 739 } else if (md == NULL 740 && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { 741 goto end; 742 } else { 743 if (strcmp(md, "default") == 0) { 744 if (def_ret <= 0) { 745 BIO_puts(bio_err, "no default digest\n"); 746 goto end; 747 } 748 md = (char *)OBJ_nid2sn(def_nid); 749 } 750 751 if (!opt_md(md, &dgst)) 752 goto end; 753 } 754 755 if (req) { 756 if (email_dn == 1) { 757 char *tmp_email_dn = NULL; 758 759 tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN); 760 if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0) 761 email_dn = 0; 762 } 763 if (verbose) 764 BIO_printf(bio_err, "message digest is %s\n", 765 OBJ_nid2ln(EVP_MD_type(dgst))); 766 if (policy == NULL 767 && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) 768 goto end; 769 770 if (verbose) 771 BIO_printf(bio_err, "policy is %s\n", policy); 772 773 if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) { 774 rand_ser = 1; 775 } else { 776 serialfile = lookup_conf(conf, section, ENV_SERIAL); 777 if (serialfile == NULL) 778 goto end; 779 } 780 781 if (extconf == NULL) { 782 /* 783 * no '-extfile' option, so we look for extensions in the main 784 * configuration file 785 */ 786 if (extensions == NULL) { 787 extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS); 788 if (extensions == NULL) 789 ERR_clear_error(); 790 } 791 if (extensions != NULL) { 792 /* Check syntax of file */ 793 X509V3_CTX ctx; 794 X509V3_set_ctx_test(&ctx); 795 X509V3_set_nconf(&ctx, conf); 796 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { 797 BIO_printf(bio_err, 798 "Error Loading extension section %s\n", 799 extensions); 800 ret = 1; 801 goto end; 802 } 803 } 804 } 805 806 if (startdate == NULL) { 807 startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE); 808 if (startdate == NULL) 809 ERR_clear_error(); 810 } 811 if (startdate != NULL && !ASN1_TIME_set_string_X509(NULL, startdate)) { 812 BIO_printf(bio_err, 813 "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 814 goto end; 815 } 816 if (startdate == NULL) 817 startdate = "today"; 818 819 if (enddate == NULL) { 820 enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE); 821 if (enddate == NULL) 822 ERR_clear_error(); 823 } 824 if (enddate != NULL && !ASN1_TIME_set_string_X509(NULL, enddate)) { 825 BIO_printf(bio_err, 826 "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 827 goto end; 828 } 829 830 if (days == 0) { 831 if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) 832 days = 0; 833 } 834 if (enddate == NULL && days == 0) { 835 BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); 836 goto end; 837 } 838 839 if (rand_ser) { 840 if ((serial = BN_new()) == NULL || !rand_serial(serial, NULL)) { 841 BIO_printf(bio_err, "error generating serial number\n"); 842 goto end; 843 } 844 } else { 845 if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { 846 BIO_printf(bio_err, "error while loading serial number\n"); 847 goto end; 848 } 849 if (verbose) { 850 if (BN_is_zero(serial)) { 851 BIO_printf(bio_err, "next serial number is 00\n"); 852 } else { 853 if ((f = BN_bn2hex(serial)) == NULL) 854 goto end; 855 BIO_printf(bio_err, "next serial number is %s\n", f); 856 OPENSSL_free(f); 857 } 858 } 859 } 860 861 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 862 BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); 863 goto end; 864 } 865 866 if ((cert_sk = sk_X509_new_null()) == NULL) { 867 BIO_printf(bio_err, "Memory allocation failure\n"); 868 goto end; 869 } 870 if (spkac_file != NULL) { 871 total++; 872 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts, 873 attribs, db, serial, subj, chtype, multirdn, 874 email_dn, startdate, enddate, days, extensions, 875 conf, verbose, certopt, get_nameopt(), default_op, 876 ext_copy); 877 if (j < 0) 878 goto end; 879 if (j > 0) { 880 total_done++; 881 BIO_printf(bio_err, "\n"); 882 if (!BN_add_word(serial, 1)) 883 goto end; 884 if (!sk_X509_push(cert_sk, x)) { 885 BIO_printf(bio_err, "Memory allocation failure\n"); 886 goto end; 887 } 888 } 889 } 890 if (ss_cert_file != NULL) { 891 total++; 892 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, sigopts, 893 attribs, 894 db, serial, subj, chtype, multirdn, email_dn, 895 startdate, enddate, days, batch, extensions, 896 conf, verbose, certopt, get_nameopt(), default_op, 897 ext_copy); 898 if (j < 0) 899 goto end; 900 if (j > 0) { 901 total_done++; 902 BIO_printf(bio_err, "\n"); 903 if (!BN_add_word(serial, 1)) 904 goto end; 905 if (!sk_X509_push(cert_sk, x)) { 906 BIO_printf(bio_err, "Memory allocation failure\n"); 907 goto end; 908 } 909 } 910 } 911 if (infile != NULL) { 912 total++; 913 j = certify(&x, infile, pkey, x509p, dgst, sigopts, attribs, db, 914 serial, subj, chtype, multirdn, email_dn, startdate, 915 enddate, days, batch, extensions, conf, verbose, 916 certopt, get_nameopt(), default_op, ext_copy, selfsign); 917 if (j < 0) 918 goto end; 919 if (j > 0) { 920 total_done++; 921 BIO_printf(bio_err, "\n"); 922 if (!BN_add_word(serial, 1)) 923 goto end; 924 if (!sk_X509_push(cert_sk, x)) { 925 BIO_printf(bio_err, "Memory allocation failure\n"); 926 goto end; 927 } 928 } 929 } 930 for (i = 0; i < argc; i++) { 931 total++; 932 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, attribs, db, 933 serial, subj, chtype, multirdn, email_dn, startdate, 934 enddate, days, batch, extensions, conf, verbose, 935 certopt, get_nameopt(), default_op, ext_copy, selfsign); 936 if (j < 0) 937 goto end; 938 if (j > 0) { 939 total_done++; 940 BIO_printf(bio_err, "\n"); 941 if (!BN_add_word(serial, 1)) { 942 X509_free(x); 943 goto end; 944 } 945 if (!sk_X509_push(cert_sk, x)) { 946 BIO_printf(bio_err, "Memory allocation failure\n"); 947 X509_free(x); 948 goto end; 949 } 950 } 951 } 952 /* 953 * we have a stack of newly certified certificates and a data base 954 * and serial number that need updating 955 */ 956 957 if (sk_X509_num(cert_sk) > 0) { 958 if (!batch) { 959 BIO_printf(bio_err, 960 "\n%d out of %d certificate requests certified, commit? [y/n]", 961 total_done, total); 962 (void)BIO_flush(bio_err); 963 tmp[0] = '\0'; 964 if (fgets(tmp, sizeof(tmp), stdin) == NULL) { 965 BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); 966 ret = 0; 967 goto end; 968 } 969 if (tmp[0] != 'y' && tmp[0] != 'Y') { 970 BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); 971 ret = 0; 972 goto end; 973 } 974 } 975 976 BIO_printf(bio_err, "Write out database with %d new entries\n", 977 sk_X509_num(cert_sk)); 978 979 if (serialfile != NULL 980 && !save_serial(serialfile, "new", serial, NULL)) 981 goto end; 982 983 if (!save_index(dbfile, "new", db)) 984 goto end; 985 } 986 987 outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert)); 988 #ifndef OPENSSL_SYS_VMS 989 outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); 990 #endif 991 992 if (verbose) 993 BIO_printf(bio_err, "writing new certificates\n"); 994 995 for (i = 0; i < sk_X509_num(cert_sk); i++) { 996 BIO *Cout = NULL; 997 X509 *xi = sk_X509_value(cert_sk, i); 998 ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi); 999 const unsigned char *psn = ASN1_STRING_get0_data(serialNumber); 1000 const int snl = ASN1_STRING_length(serialNumber); 1001 const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem"); 1002 char *n = new_cert + outdirlen; 1003 1004 if (outdirlen + filen_len > PATH_MAX) { 1005 BIO_printf(bio_err, "certificate file name too long\n"); 1006 goto end; 1007 } 1008 1009 if (snl > 0) { 1010 static const char HEX_DIGITS[] = "0123456789ABCDEF"; 1011 1012 for (j = 0; j < snl; j++, psn++) { 1013 *n++ = HEX_DIGITS[*psn >> 4]; 1014 *n++ = HEX_DIGITS[*psn & 0x0F]; 1015 } 1016 } else { 1017 *(n++) = '0'; 1018 *(n++) = '0'; 1019 } 1020 *(n++) = '.'; 1021 *(n++) = 'p'; 1022 *(n++) = 'e'; 1023 *(n++) = 'm'; 1024 *n = '\0'; /* closing new_cert */ 1025 if (verbose) 1026 BIO_printf(bio_err, "writing %s\n", new_cert); 1027 1028 Sout = bio_open_default(outfile, 'w', 1029 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1030 if (Sout == NULL) 1031 goto end; 1032 1033 Cout = BIO_new_file(new_cert, "w"); 1034 if (Cout == NULL) { 1035 perror(new_cert); 1036 goto end; 1037 } 1038 write_new_certificate(Cout, xi, 0, notext); 1039 write_new_certificate(Sout, xi, output_der, notext); 1040 BIO_free_all(Cout); 1041 BIO_free_all(Sout); 1042 Sout = NULL; 1043 } 1044 1045 if (sk_X509_num(cert_sk)) { 1046 /* Rename the database and the serial file */ 1047 if (serialfile != NULL 1048 && !rotate_serial(serialfile, "new", "old")) 1049 goto end; 1050 1051 if (!rotate_index(dbfile, "new", "old")) 1052 goto end; 1053 1054 BIO_printf(bio_err, "Data Base Updated\n"); 1055 } 1056 } 1057 1058 /*****************************************************************/ 1059 if (gencrl) { 1060 int crl_v2 = 0; 1061 if (crl_ext == NULL) { 1062 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); 1063 if (crl_ext == NULL) 1064 ERR_clear_error(); 1065 } 1066 if (crl_ext != NULL) { 1067 /* Check syntax of file */ 1068 X509V3_CTX ctx; 1069 X509V3_set_ctx_test(&ctx); 1070 X509V3_set_nconf(&ctx, conf); 1071 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { 1072 BIO_printf(bio_err, 1073 "Error Loading CRL extension section %s\n", crl_ext); 1074 ret = 1; 1075 goto end; 1076 } 1077 } 1078 1079 if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) 1080 != NULL) 1081 if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { 1082 BIO_printf(bio_err, "error while loading CRL number\n"); 1083 goto end; 1084 } 1085 1086 if (!crldays && !crlhours && !crlsec) { 1087 if (!NCONF_get_number(conf, section, 1088 ENV_DEFAULT_CRL_DAYS, &crldays)) 1089 crldays = 0; 1090 if (!NCONF_get_number(conf, section, 1091 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1092 crlhours = 0; 1093 ERR_clear_error(); 1094 } 1095 if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { 1096 BIO_printf(bio_err, 1097 "cannot lookup how long until the next CRL is issued\n"); 1098 goto end; 1099 } 1100 1101 if (verbose) 1102 BIO_printf(bio_err, "making CRL\n"); 1103 if ((crl = X509_CRL_new()) == NULL) 1104 goto end; 1105 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) 1106 goto end; 1107 1108 tmptm = ASN1_TIME_new(); 1109 if (tmptm == NULL 1110 || X509_gmtime_adj(tmptm, 0) == NULL 1111 || !X509_CRL_set1_lastUpdate(crl, tmptm) 1112 || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, 1113 NULL) == NULL) { 1114 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1115 ASN1_TIME_free(tmptm); 1116 goto end; 1117 } 1118 X509_CRL_set1_nextUpdate(crl, tmptm); 1119 1120 ASN1_TIME_free(tmptm); 1121 1122 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 1123 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 1124 if (pp[DB_type][0] == DB_TYPE_REV) { 1125 if ((r = X509_REVOKED_new()) == NULL) 1126 goto end; 1127 j = make_revoked(r, pp[DB_rev_date]); 1128 if (!j) 1129 goto end; 1130 if (j == 2) 1131 crl_v2 = 1; 1132 if (!BN_hex2bn(&serial, pp[DB_serial])) 1133 goto end; 1134 tmpser = BN_to_ASN1_INTEGER(serial, NULL); 1135 BN_free(serial); 1136 serial = NULL; 1137 if (!tmpser) 1138 goto end; 1139 X509_REVOKED_set_serialNumber(r, tmpser); 1140 ASN1_INTEGER_free(tmpser); 1141 X509_CRL_add0_revoked(crl, r); 1142 } 1143 } 1144 1145 /* 1146 * sort the data so it will be written in serial number order 1147 */ 1148 X509_CRL_sort(crl); 1149 1150 /* we now have a CRL */ 1151 if (verbose) 1152 BIO_printf(bio_err, "signing CRL\n"); 1153 1154 /* Add any extensions asked for */ 1155 1156 if (crl_ext != NULL || crlnumberfile != NULL) { 1157 X509V3_CTX crlctx; 1158 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 1159 X509V3_set_nconf(&crlctx, conf); 1160 1161 if (crl_ext != NULL) 1162 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) 1163 goto end; 1164 if (crlnumberfile != NULL) { 1165 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1166 if (!tmpser) 1167 goto end; 1168 X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); 1169 ASN1_INTEGER_free(tmpser); 1170 crl_v2 = 1; 1171 if (!BN_add_word(crlnumber, 1)) 1172 goto end; 1173 } 1174 } 1175 if (crl_ext != NULL || crl_v2) { 1176 if (!X509_CRL_set_version(crl, 1)) 1177 goto end; /* version 2 CRL */ 1178 } 1179 1180 /* we have a CRL number that need updating */ 1181 if (crlnumberfile != NULL 1182 && !save_serial(crlnumberfile, "new", crlnumber, NULL)) 1183 goto end; 1184 1185 BN_free(crlnumber); 1186 crlnumber = NULL; 1187 1188 if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) 1189 goto end; 1190 1191 Sout = bio_open_default(outfile, 'w', 1192 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1193 if (Sout == NULL) 1194 goto end; 1195 1196 PEM_write_bio_X509_CRL(Sout, crl); 1197 1198 /* Rename the crlnumber file */ 1199 if (crlnumberfile != NULL 1200 && !rotate_serial(crlnumberfile, "new", "old")) 1201 goto end; 1202 1203 } 1204 /*****************************************************************/ 1205 if (dorevoke) { 1206 if (infile == NULL) { 1207 BIO_printf(bio_err, "no input files\n"); 1208 goto end; 1209 } else { 1210 X509 *revcert; 1211 revcert = load_cert(infile, FORMAT_PEM, infile); 1212 if (revcert == NULL) 1213 goto end; 1214 if (dorevoke == 2) 1215 rev_type = REV_VALID; 1216 j = do_revoke(revcert, db, rev_type, rev_arg); 1217 if (j <= 0) 1218 goto end; 1219 X509_free(revcert); 1220 1221 if (!save_index(dbfile, "new", db)) 1222 goto end; 1223 1224 if (!rotate_index(dbfile, "new", "old")) 1225 goto end; 1226 1227 BIO_printf(bio_err, "Data Base Updated\n"); 1228 } 1229 } 1230 ret = 0; 1231 1232 end: 1233 if (ret) 1234 ERR_print_errors(bio_err); 1235 BIO_free_all(Sout); 1236 BIO_free_all(out); 1237 BIO_free_all(in); 1238 sk_X509_pop_free(cert_sk, X509_free); 1239 1240 if (free_key) 1241 OPENSSL_free(key); 1242 BN_free(serial); 1243 BN_free(crlnumber); 1244 free_index(db); 1245 sk_OPENSSL_STRING_free(sigopts); 1246 EVP_PKEY_free(pkey); 1247 X509_free(x509); 1248 X509_CRL_free(crl); 1249 NCONF_free(conf); 1250 NCONF_free(extconf); 1251 release_engine(e); 1252 return ret; 1253 } 1254 1255 static char *lookup_conf(const CONF *conf, const char *section, const char *tag) 1256 { 1257 char *entry = NCONF_get_string(conf, section, tag); 1258 if (entry == NULL) 1259 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag); 1260 return entry; 1261 } 1262 1263 static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 1264 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1265 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1266 BIGNUM *serial, const char *subj, unsigned long chtype, 1267 int multirdn, int email_dn, const char *startdate, 1268 const char *enddate, 1269 long days, int batch, const char *ext_sect, CONF *lconf, 1270 int verbose, unsigned long certopt, unsigned long nameopt, 1271 int default_op, int ext_copy, int selfsign) 1272 { 1273 X509_REQ *req = NULL; 1274 BIO *in = NULL; 1275 EVP_PKEY *pktmp = NULL; 1276 int ok = -1, i; 1277 1278 in = BIO_new_file(infile, "r"); 1279 if (in == NULL) { 1280 ERR_print_errors(bio_err); 1281 goto end; 1282 } 1283 if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) { 1284 BIO_printf(bio_err, "Error reading certificate request in %s\n", 1285 infile); 1286 goto end; 1287 } 1288 if (verbose) 1289 X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT); 1290 1291 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1292 1293 if (selfsign && !X509_REQ_check_private_key(req, pkey)) { 1294 BIO_printf(bio_err, 1295 "Certificate request and CA private key do not match\n"); 1296 ok = 0; 1297 goto end; 1298 } 1299 if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { 1300 BIO_printf(bio_err, "error unpacking public key\n"); 1301 goto end; 1302 } 1303 i = X509_REQ_verify(req, pktmp); 1304 pktmp = NULL; 1305 if (i < 0) { 1306 ok = 0; 1307 BIO_printf(bio_err, "Signature verification problems....\n"); 1308 ERR_print_errors(bio_err); 1309 goto end; 1310 } 1311 if (i == 0) { 1312 ok = 0; 1313 BIO_printf(bio_err, 1314 "Signature did not match the certificate request\n"); 1315 ERR_print_errors(bio_err); 1316 goto end; 1317 } else { 1318 BIO_printf(bio_err, "Signature ok\n"); 1319 } 1320 1321 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1322 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1323 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 1324 ext_copy, selfsign); 1325 1326 end: 1327 X509_REQ_free(req); 1328 BIO_free(in); 1329 return ok; 1330 } 1331 1332 static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 1333 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1334 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1335 BIGNUM *serial, const char *subj, unsigned long chtype, 1336 int multirdn, int email_dn, const char *startdate, 1337 const char *enddate, long days, int batch, const char *ext_sect, 1338 CONF *lconf, int verbose, unsigned long certopt, 1339 unsigned long nameopt, int default_op, int ext_copy) 1340 { 1341 X509 *req = NULL; 1342 X509_REQ *rreq = NULL; 1343 EVP_PKEY *pktmp = NULL; 1344 int ok = -1, i; 1345 1346 if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL) 1347 goto end; 1348 if (verbose) 1349 X509_print(bio_err, req); 1350 1351 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1352 1353 if ((pktmp = X509_get0_pubkey(req)) == NULL) { 1354 BIO_printf(bio_err, "error unpacking public key\n"); 1355 goto end; 1356 } 1357 i = X509_verify(req, pktmp); 1358 if (i < 0) { 1359 ok = 0; 1360 BIO_printf(bio_err, "Signature verification problems....\n"); 1361 goto end; 1362 } 1363 if (i == 0) { 1364 ok = 0; 1365 BIO_printf(bio_err, "Signature did not match the certificate\n"); 1366 goto end; 1367 } else { 1368 BIO_printf(bio_err, "Signature ok\n"); 1369 } 1370 1371 if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) 1372 goto end; 1373 1374 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1375 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1376 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, 1377 ext_copy, 0); 1378 1379 end: 1380 X509_REQ_free(rreq); 1381 X509_free(req); 1382 return ok; 1383 } 1384 1385 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 1386 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1387 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 1388 const char *subj, unsigned long chtype, int multirdn, 1389 int email_dn, const char *startdate, const char *enddate, long days, 1390 int batch, int verbose, X509_REQ *req, const char *ext_sect, 1391 CONF *lconf, unsigned long certopt, unsigned long nameopt, 1392 int default_op, int ext_copy, int selfsign) 1393 { 1394 X509_NAME *name = NULL, *CAname = NULL, *subject = NULL; 1395 const ASN1_TIME *tm; 1396 ASN1_STRING *str, *str2; 1397 ASN1_OBJECT *obj; 1398 X509 *ret = NULL; 1399 X509_NAME_ENTRY *ne, *tne; 1400 EVP_PKEY *pktmp; 1401 int ok = -1, i, j, last, nid; 1402 const char *p; 1403 CONF_VALUE *cv; 1404 OPENSSL_STRING row[DB_NUMBER]; 1405 OPENSSL_STRING *irow = NULL; 1406 OPENSSL_STRING *rrow = NULL; 1407 char buf[25]; 1408 1409 for (i = 0; i < DB_NUMBER; i++) 1410 row[i] = NULL; 1411 1412 if (subj) { 1413 X509_NAME *n = parse_name(subj, chtype, multirdn); 1414 1415 if (!n) { 1416 ERR_print_errors(bio_err); 1417 goto end; 1418 } 1419 X509_REQ_set_subject_name(req, n); 1420 X509_NAME_free(n); 1421 } 1422 1423 if (default_op) 1424 BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); 1425 1426 name = X509_REQ_get_subject_name(req); 1427 for (i = 0; i < X509_NAME_entry_count(name); i++) { 1428 ne = X509_NAME_get_entry(name, i); 1429 str = X509_NAME_ENTRY_get_data(ne); 1430 obj = X509_NAME_ENTRY_get_object(ne); 1431 nid = OBJ_obj2nid(obj); 1432 1433 if (msie_hack) { 1434 /* assume all type should be strings */ 1435 1436 if (str->type == V_ASN1_UNIVERSALSTRING) 1437 ASN1_UNIVERSALSTRING_to_string(str); 1438 1439 if (str->type == V_ASN1_IA5STRING && nid != NID_pkcs9_emailAddress) 1440 str->type = V_ASN1_T61STRING; 1441 1442 if (nid == NID_pkcs9_emailAddress 1443 && str->type == V_ASN1_PRINTABLESTRING) 1444 str->type = V_ASN1_IA5STRING; 1445 } 1446 1447 /* If no EMAIL is wanted in the subject */ 1448 if (nid == NID_pkcs9_emailAddress && !email_dn) 1449 continue; 1450 1451 /* check some things */ 1452 if (nid == NID_pkcs9_emailAddress && str->type != V_ASN1_IA5STRING) { 1453 BIO_printf(bio_err, 1454 "\nemailAddress type needs to be of type IA5STRING\n"); 1455 goto end; 1456 } 1457 if (str->type != V_ASN1_BMPSTRING && str->type != V_ASN1_UTF8STRING) { 1458 j = ASN1_PRINTABLE_type(str->data, str->length); 1459 if ((j == V_ASN1_T61STRING && str->type != V_ASN1_T61STRING) || 1460 (j == V_ASN1_IA5STRING && str->type == V_ASN1_PRINTABLESTRING)) 1461 { 1462 BIO_printf(bio_err, 1463 "\nThe string contains characters that are illegal for the ASN.1 type\n"); 1464 goto end; 1465 } 1466 } 1467 1468 if (default_op) 1469 old_entry_print(obj, str); 1470 } 1471 1472 /* Ok, now we check the 'policy' stuff. */ 1473 if ((subject = X509_NAME_new()) == NULL) { 1474 BIO_printf(bio_err, "Memory allocation failure\n"); 1475 goto end; 1476 } 1477 1478 /* take a copy of the issuer name before we mess with it. */ 1479 if (selfsign) 1480 CAname = X509_NAME_dup(name); 1481 else 1482 CAname = X509_NAME_dup(X509_get_subject_name(x509)); 1483 if (CAname == NULL) 1484 goto end; 1485 str = str2 = NULL; 1486 1487 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { 1488 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ 1489 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { 1490 BIO_printf(bio_err, 1491 "%s:unknown object type in 'policy' configuration\n", 1492 cv->name); 1493 goto end; 1494 } 1495 obj = OBJ_nid2obj(j); 1496 1497 last = -1; 1498 for (;;) { 1499 X509_NAME_ENTRY *push = NULL; 1500 1501 /* lookup the object in the supplied name list */ 1502 j = X509_NAME_get_index_by_OBJ(name, obj, last); 1503 if (j < 0) { 1504 if (last != -1) 1505 break; 1506 tne = NULL; 1507 } else { 1508 tne = X509_NAME_get_entry(name, j); 1509 } 1510 last = j; 1511 1512 /* depending on the 'policy', decide what to do. */ 1513 if (strcmp(cv->value, "optional") == 0) { 1514 if (tne != NULL) 1515 push = tne; 1516 } else if (strcmp(cv->value, "supplied") == 0) { 1517 if (tne == NULL) { 1518 BIO_printf(bio_err, 1519 "The %s field needed to be supplied and was missing\n", 1520 cv->name); 1521 goto end; 1522 } else { 1523 push = tne; 1524 } 1525 } else if (strcmp(cv->value, "match") == 0) { 1526 int last2; 1527 1528 if (tne == NULL) { 1529 BIO_printf(bio_err, 1530 "The mandatory %s field was missing\n", 1531 cv->name); 1532 goto end; 1533 } 1534 1535 last2 = -1; 1536 1537 again2: 1538 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); 1539 if ((j < 0) && (last2 == -1)) { 1540 BIO_printf(bio_err, 1541 "The %s field does not exist in the CA certificate,\n" 1542 "the 'policy' is misconfigured\n", cv->name); 1543 goto end; 1544 } 1545 if (j >= 0) { 1546 push = X509_NAME_get_entry(CAname, j); 1547 str = X509_NAME_ENTRY_get_data(tne); 1548 str2 = X509_NAME_ENTRY_get_data(push); 1549 last2 = j; 1550 if (ASN1_STRING_cmp(str, str2) != 0) 1551 goto again2; 1552 } 1553 if (j < 0) { 1554 BIO_printf(bio_err, 1555 "The %s field is different between\n" 1556 "CA certificate (%s) and the request (%s)\n", 1557 cv->name, 1558 ((str2 == NULL) ? "NULL" : (char *)str2->data), 1559 ((str == NULL) ? "NULL" : (char *)str->data)); 1560 goto end; 1561 } 1562 } else { 1563 BIO_printf(bio_err, 1564 "%s:invalid type in 'policy' configuration\n", 1565 cv->value); 1566 goto end; 1567 } 1568 1569 if (push != NULL) { 1570 if (!X509_NAME_add_entry(subject, push, -1, 0)) { 1571 BIO_printf(bio_err, "Memory allocation failure\n"); 1572 goto end; 1573 } 1574 } 1575 if (j < 0) 1576 break; 1577 } 1578 } 1579 1580 if (preserve) { 1581 X509_NAME_free(subject); 1582 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 1583 subject = X509_NAME_dup(name); 1584 if (subject == NULL) 1585 goto end; 1586 } 1587 1588 /* We are now totally happy, lets make and sign the certificate */ 1589 if (verbose) 1590 BIO_printf(bio_err, 1591 "Everything appears to be ok, creating and signing the certificate\n"); 1592 1593 if ((ret = X509_new()) == NULL) 1594 goto end; 1595 1596 #ifdef X509_V3 1597 /* Make it an X509 v3 certificate. */ 1598 if (!X509_set_version(ret, 2)) 1599 goto end; 1600 #endif 1601 1602 if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) 1603 goto end; 1604 if (selfsign) { 1605 if (!X509_set_issuer_name(ret, subject)) 1606 goto end; 1607 } else { 1608 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509))) 1609 goto end; 1610 } 1611 1612 if (!set_cert_times(ret, startdate, enddate, days)) 1613 goto end; 1614 1615 if (enddate != NULL) { 1616 int tdays; 1617 1618 if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret))) 1619 goto end; 1620 days = tdays; 1621 } 1622 1623 if (!X509_set_subject_name(ret, subject)) 1624 goto end; 1625 1626 pktmp = X509_REQ_get0_pubkey(req); 1627 i = X509_set_pubkey(ret, pktmp); 1628 if (!i) 1629 goto end; 1630 1631 /* Lets add the extensions, if there are any */ 1632 if (ext_sect) { 1633 X509V3_CTX ctx; 1634 1635 /* Initialize the context structure */ 1636 if (selfsign) 1637 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0); 1638 else 1639 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); 1640 1641 if (extconf != NULL) { 1642 if (verbose) 1643 BIO_printf(bio_err, "Extra configuration file found\n"); 1644 1645 /* Use the extconf configuration db LHASH */ 1646 X509V3_set_nconf(&ctx, extconf); 1647 1648 /* Test the structure (needed?) */ 1649 /* X509V3_set_ctx_test(&ctx); */ 1650 1651 /* Adds exts contained in the configuration file */ 1652 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) { 1653 BIO_printf(bio_err, 1654 "ERROR: adding extensions in section %s\n", 1655 ext_sect); 1656 ERR_print_errors(bio_err); 1657 goto end; 1658 } 1659 if (verbose) 1660 BIO_printf(bio_err, 1661 "Successfully added extensions from file.\n"); 1662 } else if (ext_sect) { 1663 /* We found extensions to be set from config file */ 1664 X509V3_set_nconf(&ctx, lconf); 1665 1666 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) { 1667 BIO_printf(bio_err, 1668 "ERROR: adding extensions in section %s\n", 1669 ext_sect); 1670 ERR_print_errors(bio_err); 1671 goto end; 1672 } 1673 1674 if (verbose) 1675 BIO_printf(bio_err, 1676 "Successfully added extensions from config\n"); 1677 } 1678 } 1679 1680 /* Copy extensions from request (if any) */ 1681 1682 if (!copy_extensions(ret, req, ext_copy)) { 1683 BIO_printf(bio_err, "ERROR: adding extensions from request\n"); 1684 ERR_print_errors(bio_err); 1685 goto end; 1686 } 1687 1688 { 1689 const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret); 1690 1691 if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) 1692 /* Make it an X509 v3 certificate. */ 1693 if (!X509_set_version(ret, 2)) 1694 goto end; 1695 } 1696 1697 if (verbose) 1698 BIO_printf(bio_err, 1699 "The subject name appears to be ok, checking data base for clashes\n"); 1700 1701 /* Build the correct Subject if no e-mail is wanted in the subject. */ 1702 if (!email_dn) { 1703 X509_NAME_ENTRY *tmpne; 1704 X509_NAME *dn_subject; 1705 1706 /* 1707 * Its best to dup the subject DN and then delete any email addresses 1708 * because this retains its structure. 1709 */ 1710 if ((dn_subject = X509_NAME_dup(subject)) == NULL) { 1711 BIO_printf(bio_err, "Memory allocation failure\n"); 1712 goto end; 1713 } 1714 i = -1; 1715 while ((i = X509_NAME_get_index_by_NID(dn_subject, 1716 NID_pkcs9_emailAddress, 1717 i)) >= 0) { 1718 tmpne = X509_NAME_delete_entry(dn_subject, i--); 1719 X509_NAME_ENTRY_free(tmpne); 1720 } 1721 1722 if (!X509_set_subject_name(ret, dn_subject)) { 1723 X509_NAME_free(dn_subject); 1724 goto end; 1725 } 1726 X509_NAME_free(dn_subject); 1727 } 1728 1729 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); 1730 if (row[DB_name] == NULL) { 1731 BIO_printf(bio_err, "Memory allocation failure\n"); 1732 goto end; 1733 } 1734 1735 if (BN_is_zero(serial)) 1736 row[DB_serial] = OPENSSL_strdup("00"); 1737 else 1738 row[DB_serial] = BN_bn2hex(serial); 1739 if (row[DB_serial] == NULL) { 1740 BIO_printf(bio_err, "Memory allocation failure\n"); 1741 goto end; 1742 } 1743 1744 if (row[DB_name][0] == '\0') { 1745 /* 1746 * An empty subject! We'll use the serial number instead. If 1747 * unique_subject is in use then we don't want different entries with 1748 * empty subjects matching each other. 1749 */ 1750 OPENSSL_free(row[DB_name]); 1751 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 1752 if (row[DB_name] == NULL) { 1753 BIO_printf(bio_err, "Memory allocation failure\n"); 1754 goto end; 1755 } 1756 } 1757 1758 if (db->attributes.unique_subject) { 1759 OPENSSL_STRING *crow = row; 1760 1761 rrow = TXT_DB_get_by_index(db->db, DB_name, crow); 1762 if (rrow != NULL) { 1763 BIO_printf(bio_err, 1764 "ERROR:There is already a certificate for %s\n", 1765 row[DB_name]); 1766 } 1767 } 1768 if (rrow == NULL) { 1769 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 1770 if (rrow != NULL) { 1771 BIO_printf(bio_err, 1772 "ERROR:Serial number %s has already been issued,\n", 1773 row[DB_serial]); 1774 BIO_printf(bio_err, 1775 " check the database/serial_file for corruption\n"); 1776 } 1777 } 1778 1779 if (rrow != NULL) { 1780 BIO_printf(bio_err, "The matching entry has the following details\n"); 1781 if (rrow[DB_type][0] == DB_TYPE_EXP) 1782 p = "Expired"; 1783 else if (rrow[DB_type][0] == DB_TYPE_REV) 1784 p = "Revoked"; 1785 else if (rrow[DB_type][0] == DB_TYPE_VAL) 1786 p = "Valid"; 1787 else 1788 p = "\ninvalid type, Data base error\n"; 1789 BIO_printf(bio_err, "Type :%s\n", p);; 1790 if (rrow[DB_type][0] == DB_TYPE_REV) { 1791 p = rrow[DB_exp_date]; 1792 if (p == NULL) 1793 p = "undef"; 1794 BIO_printf(bio_err, "Was revoked on:%s\n", p); 1795 } 1796 p = rrow[DB_exp_date]; 1797 if (p == NULL) 1798 p = "undef"; 1799 BIO_printf(bio_err, "Expires on :%s\n", p); 1800 p = rrow[DB_serial]; 1801 if (p == NULL) 1802 p = "undef"; 1803 BIO_printf(bio_err, "Serial Number :%s\n", p); 1804 p = rrow[DB_file]; 1805 if (p == NULL) 1806 p = "undef"; 1807 BIO_printf(bio_err, "File name :%s\n", p); 1808 p = rrow[DB_name]; 1809 if (p == NULL) 1810 p = "undef"; 1811 BIO_printf(bio_err, "Subject Name :%s\n", p); 1812 ok = -1; /* This is now a 'bad' error. */ 1813 goto end; 1814 } 1815 1816 if (!default_op) { 1817 BIO_printf(bio_err, "Certificate Details:\n"); 1818 /* 1819 * Never print signature details because signature not present 1820 */ 1821 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; 1822 X509_print_ex(bio_err, ret, nameopt, certopt); 1823 } 1824 1825 BIO_printf(bio_err, "Certificate is to be certified until "); 1826 ASN1_TIME_print(bio_err, X509_get0_notAfter(ret)); 1827 if (days) 1828 BIO_printf(bio_err, " (%ld days)", days); 1829 BIO_printf(bio_err, "\n"); 1830 1831 if (!batch) { 1832 1833 BIO_printf(bio_err, "Sign the certificate? [y/n]:"); 1834 (void)BIO_flush(bio_err); 1835 buf[0] = '\0'; 1836 if (fgets(buf, sizeof(buf), stdin) == NULL) { 1837 BIO_printf(bio_err, 1838 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); 1839 ok = 0; 1840 goto end; 1841 } 1842 if (!(buf[0] == 'y' || buf[0] == 'Y')) { 1843 BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); 1844 ok = 0; 1845 goto end; 1846 } 1847 } 1848 1849 pktmp = X509_get0_pubkey(ret); 1850 if (EVP_PKEY_missing_parameters(pktmp) && 1851 !EVP_PKEY_missing_parameters(pkey)) 1852 EVP_PKEY_copy_parameters(pktmp, pkey); 1853 1854 if (!do_X509_sign(ret, pkey, dgst, sigopts)) 1855 goto end; 1856 1857 /* We now just add it to the database as DB_TYPE_VAL('V') */ 1858 row[DB_type] = OPENSSL_strdup("V"); 1859 tm = X509_get0_notAfter(ret); 1860 row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); 1861 memcpy(row[DB_exp_date], tm->data, tm->length); 1862 row[DB_exp_date][tm->length] = '\0'; 1863 row[DB_rev_date] = NULL; 1864 row[DB_file] = OPENSSL_strdup("unknown"); 1865 if ((row[DB_type] == NULL) || (row[DB_file] == NULL) 1866 || (row[DB_name] == NULL)) { 1867 BIO_printf(bio_err, "Memory allocation failure\n"); 1868 goto end; 1869 } 1870 1871 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space"); 1872 for (i = 0; i < DB_NUMBER; i++) 1873 irow[i] = row[i]; 1874 irow[DB_NUMBER] = NULL; 1875 1876 if (!TXT_DB_insert(db->db, irow)) { 1877 BIO_printf(bio_err, "failed to update database\n"); 1878 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 1879 goto end; 1880 } 1881 irow = NULL; 1882 ok = 1; 1883 end: 1884 if (ok != 1) { 1885 for (i = 0; i < DB_NUMBER; i++) 1886 OPENSSL_free(row[i]); 1887 } 1888 OPENSSL_free(irow); 1889 1890 X509_NAME_free(CAname); 1891 X509_NAME_free(subject); 1892 if (ok <= 0) 1893 X509_free(ret); 1894 else 1895 *xret = ret; 1896 return ok; 1897 } 1898 1899 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) 1900 { 1901 1902 if (output_der) { 1903 (void)i2d_X509_bio(bp, x); 1904 return; 1905 } 1906 if (!notext) 1907 X509_print(bp, x); 1908 PEM_write_bio_X509(bp, x); 1909 } 1910 1911 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 1912 X509 *x509, const EVP_MD *dgst, 1913 STACK_OF(OPENSSL_STRING) *sigopts, 1914 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1915 BIGNUM *serial, const char *subj, unsigned long chtype, 1916 int multirdn, int email_dn, const char *startdate, 1917 const char *enddate, long days, const char *ext_sect, 1918 CONF *lconf, int verbose, unsigned long certopt, 1919 unsigned long nameopt, int default_op, int ext_copy) 1920 { 1921 STACK_OF(CONF_VALUE) *sk = NULL; 1922 LHASH_OF(CONF_VALUE) *parms = NULL; 1923 X509_REQ *req = NULL; 1924 CONF_VALUE *cv = NULL; 1925 NETSCAPE_SPKI *spki = NULL; 1926 char *type, *buf; 1927 EVP_PKEY *pktmp = NULL; 1928 X509_NAME *n = NULL; 1929 X509_NAME_ENTRY *ne = NULL; 1930 int ok = -1, i, j; 1931 long errline; 1932 int nid; 1933 1934 /* 1935 * Load input file into a hash table. (This is just an easy 1936 * way to read and parse the file, then put it into a convenient 1937 * STACK format). 1938 */ 1939 parms = CONF_load(NULL, infile, &errline); 1940 if (parms == NULL) { 1941 BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); 1942 ERR_print_errors(bio_err); 1943 goto end; 1944 } 1945 1946 sk = CONF_get_section(parms, "default"); 1947 if (sk_CONF_VALUE_num(sk) == 0) { 1948 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); 1949 goto end; 1950 } 1951 1952 /* 1953 * Now create a dummy X509 request structure. We don't actually 1954 * have an X509 request, but we have many of the components 1955 * (a public key, various DN components). The idea is that we 1956 * put these components into the right X509 request structure 1957 * and we can use the same code as if you had a real X509 request. 1958 */ 1959 req = X509_REQ_new(); 1960 if (req == NULL) { 1961 ERR_print_errors(bio_err); 1962 goto end; 1963 } 1964 1965 /* 1966 * Build up the subject name set. 1967 */ 1968 n = X509_REQ_get_subject_name(req); 1969 1970 for (i = 0;; i++) { 1971 if (sk_CONF_VALUE_num(sk) <= i) 1972 break; 1973 1974 cv = sk_CONF_VALUE_value(sk, i); 1975 type = cv->name; 1976 /* 1977 * Skip past any leading X. X: X, etc to allow for multiple instances 1978 */ 1979 for (buf = cv->name; *buf; buf++) 1980 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { 1981 buf++; 1982 if (*buf) 1983 type = buf; 1984 break; 1985 } 1986 1987 buf = cv->value; 1988 if ((nid = OBJ_txt2nid(type)) == NID_undef) { 1989 if (strcmp(type, "SPKAC") == 0) { 1990 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); 1991 if (spki == NULL) { 1992 BIO_printf(bio_err, 1993 "unable to load Netscape SPKAC structure\n"); 1994 ERR_print_errors(bio_err); 1995 goto end; 1996 } 1997 } 1998 continue; 1999 } 2000 2001 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 2002 (unsigned char *)buf, -1, -1, 0)) 2003 goto end; 2004 } 2005 if (spki == NULL) { 2006 BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", 2007 infile); 2008 goto end; 2009 } 2010 2011 /* 2012 * Now extract the key from the SPKI structure. 2013 */ 2014 2015 BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); 2016 2017 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { 2018 BIO_printf(bio_err, "error unpacking SPKAC public key\n"); 2019 goto end; 2020 } 2021 2022 j = NETSCAPE_SPKI_verify(spki, pktmp); 2023 if (j <= 0) { 2024 EVP_PKEY_free(pktmp); 2025 BIO_printf(bio_err, 2026 "signature verification failed on SPKAC public key\n"); 2027 goto end; 2028 } 2029 BIO_printf(bio_err, "Signature ok\n"); 2030 2031 X509_REQ_set_pubkey(req, pktmp); 2032 EVP_PKEY_free(pktmp); 2033 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 2034 chtype, multirdn, email_dn, startdate, enddate, days, 1, 2035 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 2036 ext_copy, 0); 2037 end: 2038 X509_REQ_free(req); 2039 CONF_free(parms); 2040 NETSCAPE_SPKI_free(spki); 2041 X509_NAME_ENTRY_free(ne); 2042 2043 return ok; 2044 } 2045 2046 static int check_time_format(const char *str) 2047 { 2048 return ASN1_TIME_set_string(NULL, str); 2049 } 2050 2051 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 2052 const char *value) 2053 { 2054 const ASN1_TIME *tm = NULL; 2055 char *row[DB_NUMBER], **rrow, **irow; 2056 char *rev_str = NULL; 2057 BIGNUM *bn = NULL; 2058 int ok = -1, i; 2059 2060 for (i = 0; i < DB_NUMBER; i++) 2061 row[i] = NULL; 2062 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); 2063 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); 2064 if (!bn) 2065 goto end; 2066 if (BN_is_zero(bn)) 2067 row[DB_serial] = OPENSSL_strdup("00"); 2068 else 2069 row[DB_serial] = BN_bn2hex(bn); 2070 BN_free(bn); 2071 if (row[DB_name] != NULL && row[DB_name][0] == '\0') { 2072 /* Entries with empty Subjects actually use the serial number instead */ 2073 OPENSSL_free(row[DB_name]); 2074 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 2075 } 2076 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { 2077 BIO_printf(bio_err, "Memory allocation failure\n"); 2078 goto end; 2079 } 2080 /* 2081 * We have to lookup by serial number because name lookup skips revoked 2082 * certs 2083 */ 2084 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2085 if (rrow == NULL) { 2086 BIO_printf(bio_err, 2087 "Adding Entry with serial number %s to DB for %s\n", 2088 row[DB_serial], row[DB_name]); 2089 2090 /* We now just add it to the database as DB_TYPE_REV('V') */ 2091 row[DB_type] = OPENSSL_strdup("V"); 2092 tm = X509_get0_notAfter(x509); 2093 row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); 2094 memcpy(row[DB_exp_date], tm->data, tm->length); 2095 row[DB_exp_date][tm->length] = '\0'; 2096 row[DB_rev_date] = NULL; 2097 row[DB_file] = OPENSSL_strdup("unknown"); 2098 2099 if (row[DB_type] == NULL || row[DB_file] == NULL) { 2100 BIO_printf(bio_err, "Memory allocation failure\n"); 2101 goto end; 2102 } 2103 2104 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr"); 2105 for (i = 0; i < DB_NUMBER; i++) 2106 irow[i] = row[i]; 2107 irow[DB_NUMBER] = NULL; 2108 2109 if (!TXT_DB_insert(db->db, irow)) { 2110 BIO_printf(bio_err, "failed to update database\n"); 2111 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 2112 OPENSSL_free(irow); 2113 goto end; 2114 } 2115 2116 for (i = 0; i < DB_NUMBER; i++) 2117 row[i] = NULL; 2118 2119 /* Revoke Certificate */ 2120 if (rev_type == REV_VALID) 2121 ok = 1; 2122 else 2123 /* Retry revocation after DB insertion */ 2124 ok = do_revoke(x509, db, rev_type, value); 2125 2126 goto end; 2127 2128 } else if (index_name_cmp_noconst(row, rrow)) { 2129 BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]); 2130 goto end; 2131 } else if (rev_type == REV_VALID) { 2132 BIO_printf(bio_err, "ERROR:Already present, serial number %s\n", 2133 row[DB_serial]); 2134 goto end; 2135 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2136 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n", 2137 row[DB_serial]); 2138 goto end; 2139 } else { 2140 BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); 2141 rev_str = make_revocation_str(rev_type, value); 2142 if (!rev_str) { 2143 BIO_printf(bio_err, "Error in revocation arguments\n"); 2144 goto end; 2145 } 2146 rrow[DB_type][0] = DB_TYPE_REV; 2147 rrow[DB_type][1] = '\0'; 2148 rrow[DB_rev_date] = rev_str; 2149 } 2150 ok = 1; 2151 end: 2152 for (i = 0; i < DB_NUMBER; i++) 2153 OPENSSL_free(row[i]); 2154 return ok; 2155 } 2156 2157 static int get_certificate_status(const char *serial, CA_DB *db) 2158 { 2159 char *row[DB_NUMBER], **rrow; 2160 int ok = -1, i; 2161 size_t serial_len = strlen(serial); 2162 2163 /* Free Resources */ 2164 for (i = 0; i < DB_NUMBER; i++) 2165 row[i] = NULL; 2166 2167 /* Malloc needed char spaces */ 2168 row[DB_serial] = app_malloc(serial_len + 2, "row serial#"); 2169 2170 if (serial_len % 2) { 2171 /* 2172 * Set the first char to 0 2173 */ 2174 row[DB_serial][0] = '0'; 2175 2176 /* Copy String from serial to row[DB_serial] */ 2177 memcpy(row[DB_serial] + 1, serial, serial_len); 2178 row[DB_serial][serial_len + 1] = '\0'; 2179 } else { 2180 /* Copy String from serial to row[DB_serial] */ 2181 memcpy(row[DB_serial], serial, serial_len); 2182 row[DB_serial][serial_len] = '\0'; 2183 } 2184 2185 /* Make it Upper Case */ 2186 make_uppercase(row[DB_serial]); 2187 2188 ok = 1; 2189 2190 /* Search for the certificate */ 2191 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2192 if (rrow == NULL) { 2193 BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]); 2194 ok = -1; 2195 goto end; 2196 } else if (rrow[DB_type][0] == DB_TYPE_VAL) { 2197 BIO_printf(bio_err, "%s=Valid (%c)\n", 2198 row[DB_serial], rrow[DB_type][0]); 2199 goto end; 2200 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2201 BIO_printf(bio_err, "%s=Revoked (%c)\n", 2202 row[DB_serial], rrow[DB_type][0]); 2203 goto end; 2204 } else if (rrow[DB_type][0] == DB_TYPE_EXP) { 2205 BIO_printf(bio_err, "%s=Expired (%c)\n", 2206 row[DB_serial], rrow[DB_type][0]); 2207 goto end; 2208 } else if (rrow[DB_type][0] == DB_TYPE_SUSP) { 2209 BIO_printf(bio_err, "%s=Suspended (%c)\n", 2210 row[DB_serial], rrow[DB_type][0]); 2211 goto end; 2212 } else { 2213 BIO_printf(bio_err, "%s=Unknown (%c).\n", 2214 row[DB_serial], rrow[DB_type][0]); 2215 ok = -1; 2216 } 2217 end: 2218 for (i = 0; i < DB_NUMBER; i++) { 2219 OPENSSL_free(row[i]); 2220 } 2221 return ok; 2222 } 2223 2224 static int do_updatedb(CA_DB *db) 2225 { 2226 ASN1_TIME *a_tm = NULL; 2227 int i, cnt = 0; 2228 char **rrow; 2229 2230 a_tm = ASN1_TIME_new(); 2231 if (a_tm == NULL) 2232 return -1; 2233 2234 /* get actual time */ 2235 if (X509_gmtime_adj(a_tm, 0) == NULL) { 2236 ASN1_TIME_free(a_tm); 2237 return -1; 2238 } 2239 2240 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 2241 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); 2242 2243 if (rrow[DB_type][0] == DB_TYPE_VAL) { 2244 /* ignore entries that are not valid */ 2245 ASN1_TIME *exp_date = NULL; 2246 2247 exp_date = ASN1_TIME_new(); 2248 if (exp_date == NULL) { 2249 ASN1_TIME_free(a_tm); 2250 return -1; 2251 } 2252 2253 if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { 2254 ASN1_TIME_free(a_tm); 2255 ASN1_TIME_free(exp_date); 2256 return -1; 2257 } 2258 2259 if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { 2260 rrow[DB_type][0] = DB_TYPE_EXP; 2261 rrow[DB_type][1] = '\0'; 2262 cnt++; 2263 2264 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); 2265 } 2266 ASN1_TIME_free(exp_date); 2267 } 2268 } 2269 2270 ASN1_TIME_free(a_tm); 2271 return cnt; 2272 } 2273 2274 static const char *crl_reasons[] = { 2275 /* CRL reason strings */ 2276 "unspecified", 2277 "keyCompromise", 2278 "CACompromise", 2279 "affiliationChanged", 2280 "superseded", 2281 "cessationOfOperation", 2282 "certificateHold", 2283 "removeFromCRL", 2284 /* Additional pseudo reasons */ 2285 "holdInstruction", 2286 "keyTime", 2287 "CAkeyTime" 2288 }; 2289 2290 #define NUM_REASONS OSSL_NELEM(crl_reasons) 2291 2292 /* 2293 * Given revocation information convert to a DB string. The format of the 2294 * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time 2295 * (the current time). 'reason' is the optional CRL reason and 'extra' is any 2296 * additional argument 2297 */ 2298 2299 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg) 2300 { 2301 char *str; 2302 const char *reason = NULL, *other = NULL; 2303 ASN1_OBJECT *otmp; 2304 ASN1_UTCTIME *revtm = NULL; 2305 int i; 2306 2307 switch (rev_type) { 2308 case REV_NONE: 2309 case REV_VALID: 2310 break; 2311 2312 case REV_CRL_REASON: 2313 for (i = 0; i < 8; i++) { 2314 if (strcasecmp(rev_arg, crl_reasons[i]) == 0) { 2315 reason = crl_reasons[i]; 2316 break; 2317 } 2318 } 2319 if (reason == NULL) { 2320 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); 2321 return NULL; 2322 } 2323 break; 2324 2325 case REV_HOLD: 2326 /* Argument is an OID */ 2327 otmp = OBJ_txt2obj(rev_arg, 0); 2328 ASN1_OBJECT_free(otmp); 2329 2330 if (otmp == NULL) { 2331 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); 2332 return NULL; 2333 } 2334 2335 reason = "holdInstruction"; 2336 other = rev_arg; 2337 break; 2338 2339 case REV_KEY_COMPROMISE: 2340 case REV_CA_COMPROMISE: 2341 /* Argument is the key compromise time */ 2342 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { 2343 BIO_printf(bio_err, 2344 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", 2345 rev_arg); 2346 return NULL; 2347 } 2348 other = rev_arg; 2349 if (rev_type == REV_KEY_COMPROMISE) 2350 reason = "keyTime"; 2351 else 2352 reason = "CAkeyTime"; 2353 2354 break; 2355 } 2356 2357 revtm = X509_gmtime_adj(NULL, 0); 2358 2359 if (!revtm) 2360 return NULL; 2361 2362 i = revtm->length + 1; 2363 2364 if (reason) 2365 i += strlen(reason) + 1; 2366 if (other) 2367 i += strlen(other) + 1; 2368 2369 str = app_malloc(i, "revocation reason"); 2370 OPENSSL_strlcpy(str, (char *)revtm->data, i); 2371 if (reason) { 2372 OPENSSL_strlcat(str, ",", i); 2373 OPENSSL_strlcat(str, reason, i); 2374 } 2375 if (other) { 2376 OPENSSL_strlcat(str, ",", i); 2377 OPENSSL_strlcat(str, other, i); 2378 } 2379 ASN1_UTCTIME_free(revtm); 2380 return str; 2381 } 2382 2383 /*- 2384 * Convert revocation field to X509_REVOKED entry 2385 * return code: 2386 * 0 error 2387 * 1 OK 2388 * 2 OK and some extensions added (i.e. V2 CRL) 2389 */ 2390 2391 static int make_revoked(X509_REVOKED *rev, const char *str) 2392 { 2393 char *tmp = NULL; 2394 int reason_code = -1; 2395 int i, ret = 0; 2396 ASN1_OBJECT *hold = NULL; 2397 ASN1_GENERALIZEDTIME *comp_time = NULL; 2398 ASN1_ENUMERATED *rtmp = NULL; 2399 2400 ASN1_TIME *revDate = NULL; 2401 2402 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); 2403 2404 if (i == 0) 2405 goto end; 2406 2407 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) 2408 goto end; 2409 2410 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { 2411 rtmp = ASN1_ENUMERATED_new(); 2412 if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) 2413 goto end; 2414 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) 2415 goto end; 2416 } 2417 2418 if (rev && comp_time) { 2419 if (!X509_REVOKED_add1_ext_i2d 2420 (rev, NID_invalidity_date, comp_time, 0, 0)) 2421 goto end; 2422 } 2423 if (rev && hold) { 2424 if (!X509_REVOKED_add1_ext_i2d 2425 (rev, NID_hold_instruction_code, hold, 0, 0)) 2426 goto end; 2427 } 2428 2429 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) 2430 ret = 2; 2431 else 2432 ret = 1; 2433 2434 end: 2435 2436 OPENSSL_free(tmp); 2437 ASN1_OBJECT_free(hold); 2438 ASN1_GENERALIZEDTIME_free(comp_time); 2439 ASN1_ENUMERATED_free(rtmp); 2440 ASN1_TIME_free(revDate); 2441 2442 return ret; 2443 } 2444 2445 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str) 2446 { 2447 char buf[25], *pbuf; 2448 const char *p; 2449 int j; 2450 2451 j = i2a_ASN1_OBJECT(bio_err, obj); 2452 pbuf = buf; 2453 for (j = 22 - j; j > 0; j--) 2454 *(pbuf++) = ' '; 2455 *(pbuf++) = ':'; 2456 *(pbuf++) = '\0'; 2457 BIO_puts(bio_err, buf); 2458 2459 if (str->type == V_ASN1_PRINTABLESTRING) 2460 BIO_printf(bio_err, "PRINTABLE:'"); 2461 else if (str->type == V_ASN1_T61STRING) 2462 BIO_printf(bio_err, "T61STRING:'"); 2463 else if (str->type == V_ASN1_IA5STRING) 2464 BIO_printf(bio_err, "IA5STRING:'"); 2465 else if (str->type == V_ASN1_UNIVERSALSTRING) 2466 BIO_printf(bio_err, "UNIVERSALSTRING:'"); 2467 else 2468 BIO_printf(bio_err, "ASN.1 %2d:'", str->type); 2469 2470 p = (const char *)str->data; 2471 for (j = str->length; j > 0; j--) { 2472 if ((*p >= ' ') && (*p <= '~')) 2473 BIO_printf(bio_err, "%c", *p); 2474 else if (*p & 0x80) 2475 BIO_printf(bio_err, "\\0x%02X", *p); 2476 else if ((unsigned char)*p == 0xf7) 2477 BIO_printf(bio_err, "^?"); 2478 else 2479 BIO_printf(bio_err, "^%c", *p + '@'); 2480 p++; 2481 } 2482 BIO_printf(bio_err, "'\n"); 2483 return 1; 2484 } 2485 2486 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, 2487 ASN1_GENERALIZEDTIME **pinvtm, const char *str) 2488 { 2489 char *tmp; 2490 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; 2491 int reason_code = -1; 2492 int ret = 0; 2493 unsigned int i; 2494 ASN1_OBJECT *hold = NULL; 2495 ASN1_GENERALIZEDTIME *comp_time = NULL; 2496 2497 tmp = OPENSSL_strdup(str); 2498 if (!tmp) { 2499 BIO_printf(bio_err, "memory allocation failure\n"); 2500 goto end; 2501 } 2502 2503 p = strchr(tmp, ','); 2504 2505 rtime_str = tmp; 2506 2507 if (p) { 2508 *p = '\0'; 2509 p++; 2510 reason_str = p; 2511 p = strchr(p, ','); 2512 if (p) { 2513 *p = '\0'; 2514 arg_str = p + 1; 2515 } 2516 } 2517 2518 if (prevtm) { 2519 *prevtm = ASN1_UTCTIME_new(); 2520 if (*prevtm == NULL) { 2521 BIO_printf(bio_err, "memory allocation failure\n"); 2522 goto end; 2523 } 2524 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { 2525 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); 2526 goto end; 2527 } 2528 } 2529 if (reason_str) { 2530 for (i = 0; i < NUM_REASONS; i++) { 2531 if (strcasecmp(reason_str, crl_reasons[i]) == 0) { 2532 reason_code = i; 2533 break; 2534 } 2535 } 2536 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { 2537 BIO_printf(bio_err, "invalid reason code %s\n", reason_str); 2538 goto end; 2539 } 2540 2541 if (reason_code == 7) { 2542 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; 2543 } else if (reason_code == 8) { /* Hold instruction */ 2544 if (!arg_str) { 2545 BIO_printf(bio_err, "missing hold instruction\n"); 2546 goto end; 2547 } 2548 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; 2549 hold = OBJ_txt2obj(arg_str, 0); 2550 2551 if (!hold) { 2552 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); 2553 goto end; 2554 } 2555 if (phold) 2556 *phold = hold; 2557 else 2558 ASN1_OBJECT_free(hold); 2559 } else if ((reason_code == 9) || (reason_code == 10)) { 2560 if (!arg_str) { 2561 BIO_printf(bio_err, "missing compromised time\n"); 2562 goto end; 2563 } 2564 comp_time = ASN1_GENERALIZEDTIME_new(); 2565 if (comp_time == NULL) { 2566 BIO_printf(bio_err, "memory allocation failure\n"); 2567 goto end; 2568 } 2569 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { 2570 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); 2571 goto end; 2572 } 2573 if (reason_code == 9) 2574 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; 2575 else 2576 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; 2577 } 2578 } 2579 2580 if (preason) 2581 *preason = reason_code; 2582 if (pinvtm) { 2583 *pinvtm = comp_time; 2584 comp_time = NULL; 2585 } 2586 2587 ret = 1; 2588 2589 end: 2590 2591 OPENSSL_free(tmp); 2592 ASN1_GENERALIZEDTIME_free(comp_time); 2593 2594 return ret; 2595 } 2596