1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <ctype.h> 13 #include <sys/types.h> 14 #include <openssl/conf.h> 15 #include <openssl/bio.h> 16 #include <openssl/err.h> 17 #include <openssl/bn.h> 18 #include <openssl/txt_db.h> 19 #include <openssl/evp.h> 20 #include <openssl/x509.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/objects.h> 23 #include <openssl/ocsp.h> 24 #include <openssl/pem.h> 25 26 #ifndef W_OK 27 # ifdef OPENSSL_SYS_VMS 28 # include <unistd.h> 29 # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_TANDEM) 30 # include <sys/file.h> 31 # endif 32 #endif 33 34 #include "apps.h" 35 #include "progs.h" 36 37 #ifndef W_OK 38 # define F_OK 0 39 # define W_OK 2 40 # define R_OK 4 41 #endif 42 43 #ifndef PATH_MAX 44 # define PATH_MAX 4096 45 #endif 46 47 #define BASE_SECTION "ca" 48 49 #define ENV_DEFAULT_CA "default_ca" 50 51 #define STRING_MASK "string_mask" 52 #define UTF8_IN "utf8" 53 54 #define ENV_NEW_CERTS_DIR "new_certs_dir" 55 #define ENV_CERTIFICATE "certificate" 56 #define ENV_SERIAL "serial" 57 #define ENV_RAND_SERIAL "rand_serial" 58 #define ENV_CRLNUMBER "crlnumber" 59 #define ENV_PRIVATE_KEY "private_key" 60 #define ENV_DEFAULT_DAYS "default_days" 61 #define ENV_DEFAULT_STARTDATE "default_startdate" 62 #define ENV_DEFAULT_ENDDATE "default_enddate" 63 #define ENV_DEFAULT_CRL_DAYS "default_crl_days" 64 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" 65 #define ENV_DEFAULT_MD "default_md" 66 #define ENV_DEFAULT_EMAIL_DN "email_in_dn" 67 #define ENV_PRESERVE "preserve" 68 #define ENV_POLICY "policy" 69 #define ENV_EXTENSIONS "x509_extensions" 70 #define ENV_CRLEXT "crl_extensions" 71 #define ENV_MSIE_HACK "msie_hack" 72 #define ENV_NAMEOPT "name_opt" 73 #define ENV_CERTOPT "cert_opt" 74 #define ENV_EXTCOPY "copy_extensions" 75 #define ENV_UNIQUE_SUBJECT "unique_subject" 76 77 #define ENV_DATABASE "database" 78 79 /* Additional revocation information types */ 80 typedef enum { 81 REV_VALID = -1, /* Valid (not-revoked) status */ 82 REV_NONE = 0, /* No additional information */ 83 REV_CRL_REASON = 1, /* Value is CRL reason code */ 84 REV_HOLD = 2, /* Value is hold instruction */ 85 REV_KEY_COMPROMISE = 3, /* Value is cert key compromise time */ 86 REV_CA_COMPROMISE = 4 /* Value is CA key compromise time */ 87 } REVINFO_TYPE; 88 89 static char *lookup_conf(const CONF *conf, const char *group, const char *tag); 90 91 static int certify(X509 **xret, const char *infile, int informat, 92 EVP_PKEY *pkey, X509 *x509, 93 const char *dgst, 94 STACK_OF(OPENSSL_STRING) *sigopts, 95 STACK_OF(OPENSSL_STRING) *vfyopts, 96 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 97 BIGNUM *serial, const char *subj, unsigned long chtype, 98 int multirdn, int email_dn, const char *startdate, 99 const char *enddate, 100 long days, int batch, const char *ext_sect, CONF *conf, 101 int verbose, unsigned long certopt, unsigned long nameopt, 102 int default_op, int ext_copy, int selfsign, unsigned long dateopt); 103 static int certify_cert(X509 **xret, const char *infile, int certformat, 104 const char *passin, EVP_PKEY *pkey, X509 *x509, 105 const char *dgst, 106 STACK_OF(OPENSSL_STRING) *sigopts, 107 STACK_OF(OPENSSL_STRING) *vfyopts, 108 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 109 BIGNUM *serial, const char *subj, unsigned long chtype, 110 int multirdn, int email_dn, const char *startdate, 111 const char *enddate, long days, int batch, const char *ext_sect, 112 CONF *conf, int verbose, unsigned long certopt, 113 unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt); 114 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 115 X509 *x509, const char *dgst, 116 STACK_OF(OPENSSL_STRING) *sigopts, 117 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 118 BIGNUM *serial, const char *subj, unsigned long chtype, 119 int multirdn, int email_dn, const char *startdate, 120 const char *enddate, long days, const char *ext_sect, CONF *conf, 121 int verbose, unsigned long certopt, 122 unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt); 123 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 124 const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 125 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 126 const char *subj, unsigned long chtype, int multirdn, 127 int email_dn, const char *startdate, const char *enddate, long days, 128 int batch, int verbose, X509_REQ *req, const char *ext_sect, 129 CONF *conf, unsigned long certopt, unsigned long nameopt, 130 int default_op, int ext_copy, int selfsign, unsigned long dateopt); 131 static int get_certificate_status(const char *ser_status, CA_DB *db); 132 static int do_updatedb(CA_DB *db); 133 static int check_time_format(const char *str); 134 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 135 const char *extval); 136 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg); 137 static int make_revoked(X509_REVOKED *rev, const char *str); 138 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str); 139 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); 140 141 static CONF *extfile_conf = NULL; 142 static int preserve = 0; 143 static int msie_hack = 0; 144 145 typedef enum OPTION_choice { 146 OPT_COMMON, 147 OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, 148 OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, 149 OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, 150 OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN, 151 OPT_IN, OPT_INFORM, OPT_OUT, OPT_DATEOPT, OPT_OUTDIR, OPT_VFYOPT, 152 OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, 153 OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE, 154 OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, 155 OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, 156 OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, 157 OPT_RAND_SERIAL, 158 OPT_R_ENUM, OPT_PROV_ENUM, 159 /* Do not change the order here; see related case statements below */ 160 OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE 161 } OPTION_CHOICE; 162 163 const OPTIONS ca_options[] = { 164 {OPT_HELP_STR, 1, '-', "Usage: %s [options] [certreq...]\n"}, 165 166 OPT_SECTION("General"), 167 {"help", OPT_HELP, '-', "Display this summary"}, 168 {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, 169 {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, 170 {"in", OPT_IN, '<', "The input cert request(s)"}, 171 {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"}, 172 {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, 173 {"out", OPT_OUT, '>', "Where to put the output file(s)"}, 174 {"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."}, 175 {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, 176 {"batch", OPT_BATCH, '-', "Don't ask questions"}, 177 {"msie_hack", OPT_MSIE_HACK, '-', 178 "msie modifications to handle all Universal Strings"}, 179 {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, 180 {"spkac", OPT_SPKAC, '<', 181 "File contains DN and signed public key and challenge"}, 182 #ifndef OPENSSL_NO_ENGINE 183 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 184 #endif 185 186 OPT_SECTION("Configuration"), 187 {"config", OPT_CONFIG, 's', "A config file"}, 188 {"name", OPT_NAME, 's', "The particular CA definition to use"}, 189 {"section", OPT_NAME, 's', "An alias for -name"}, 190 {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, 191 192 OPT_SECTION("Certificate"), 193 {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, 194 {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"}, 195 {"create_serial", OPT_CREATE_SERIAL, '-', 196 "If reading serial fails, create a new random serial"}, 197 {"rand_serial", OPT_RAND_SERIAL, '-', 198 "Always create a random serial; do not store it"}, 199 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', 200 "Deprecated; multi-valued RDNs support is always on."}, 201 {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, 202 {"enddate", OPT_ENDDATE, 's', 203 "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, 204 {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, 205 {"extensions", OPT_EXTENSIONS, 's', 206 "Extension section (override value in config file)"}, 207 {"extfile", OPT_EXTFILE, '<', 208 "Configuration file with X509v3 extensions to add"}, 209 {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, 210 {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, 211 212 OPT_SECTION("Signing"), 213 {"md", OPT_MD, 's', "Digest to use, such as sha256"}, 214 {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, 215 {"keyform", OPT_KEYFORM, 'f', 216 "Private key file format (ENGINE, other values ignored)"}, 217 {"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"}, 218 {"key", OPT_KEY, 's', 219 "Key to decrypt the private key or cert files if encrypted. Better use -passin"}, 220 {"cert", OPT_CERT, '<', "The CA cert"}, 221 {"certform", OPT_CERTFORM, 'F', 222 "Certificate input format (DER/PEM/P12); has no effect"}, 223 {"selfsign", OPT_SELFSIGN, '-', 224 "Sign a cert with the key associated with it"}, 225 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 226 {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"}, 227 228 OPT_SECTION("Revocation"), 229 {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, 230 {"valid", OPT_VALID, 's', 231 "Add a Valid(not-revoked) DB entry about a cert (given in file)"}, 232 {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, 233 {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, 234 {"crlexts", OPT_CRLEXTS, 's', 235 "CRL extension section (override value in config file)"}, 236 {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"}, 237 {"crl_hold", OPT_CRL_HOLD, 's', 238 "the hold instruction, an OID. Sets revocation reason to certificateHold"}, 239 {"crl_compromise", OPT_CRL_COMPROMISE, 's', 240 "sets compromise time to val and the revocation reason to keyCompromise"}, 241 {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', 242 "sets compromise time to val and the revocation reason to CACompromise"}, 243 {"crl_lastupdate", OPT_CRL_LASTUPDATE, 's', 244 "Sets the CRL lastUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"}, 245 {"crl_nextupdate", OPT_CRL_NEXTUPDATE, 's', 246 "Sets the CRL nextUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"}, 247 {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, 248 {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, 249 {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, 250 {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, 251 252 OPT_R_OPTIONS, 253 OPT_PROV_OPTIONS, 254 255 OPT_PARAMETERS(), 256 {"certreq", 0, 0, "Certificate requests to be signed (optional)"}, 257 {NULL} 258 }; 259 260 int ca_main(int argc, char **argv) 261 { 262 CONF *conf = NULL; 263 ENGINE *e = NULL; 264 BIGNUM *crlnumber = NULL, *serial = NULL; 265 EVP_PKEY *pkey = NULL; 266 BIO *in = NULL, *out = NULL, *Sout = NULL; 267 ASN1_INTEGER *tmpser; 268 CA_DB *db = NULL; 269 DB_ATTR db_attr; 270 STACK_OF(CONF_VALUE) *attribs = NULL; 271 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL; 272 STACK_OF(X509) *cert_sk = NULL; 273 X509_CRL *crl = NULL; 274 char *configfile = default_config_file, *section = NULL; 275 char def_dgst[80] = ""; 276 char *dgst = NULL, *policy = NULL, *keyfile = NULL; 277 char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; 278 int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF; 279 unsigned long dateopt = ASN1_DTFLGS_RFC822; 280 const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; 281 const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; 282 char *passin = NULL; 283 char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; 284 const char *serialfile = NULL, *subj = NULL; 285 char *prog, *startdate = NULL, *enddate = NULL; 286 char *dbfile = NULL, *f; 287 char new_cert[PATH_MAX]; 288 char tmp[10 + 1] = "\0"; 289 char *const *pp; 290 const char *p; 291 size_t outdirlen = 0; 292 int create_ser = 0, free_passin = 0, total = 0, total_done = 0; 293 int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; 294 int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0; 295 int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; 296 int rand_ser = 0, i, j, selfsign = 0, def_ret; 297 char *crl_lastupdate = NULL, *crl_nextupdate = NULL; 298 long crldays = 0, crlhours = 0, crlsec = 0, days = 0; 299 unsigned long chtype = MBSTRING_ASC, certopt = 0; 300 X509 *x509 = NULL, *x509p = NULL, *x = NULL; 301 REVINFO_TYPE rev_type = REV_NONE; 302 X509_REVOKED *r = NULL; 303 OPTION_CHOICE o; 304 305 prog = opt_init(argc, argv, ca_options); 306 while ((o = opt_next()) != OPT_EOF) { 307 switch (o) { 308 case OPT_EOF: 309 case OPT_ERR: 310 opthelp: 311 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 312 goto end; 313 case OPT_HELP: 314 opt_help(ca_options); 315 ret = 0; 316 goto end; 317 case OPT_IN: 318 req = 1; 319 infile = opt_arg(); 320 break; 321 case OPT_INFORM: 322 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) 323 goto opthelp; 324 break; 325 case OPT_OUT: 326 outfile = opt_arg(); 327 break; 328 case OPT_DATEOPT: 329 if (!set_dateopt(&dateopt, opt_arg())) 330 goto opthelp; 331 break; 332 case OPT_VERBOSE: 333 verbose = 1; 334 break; 335 case OPT_CONFIG: 336 configfile = opt_arg(); 337 break; 338 case OPT_NAME: 339 section = opt_arg(); 340 break; 341 case OPT_SUBJ: 342 subj = opt_arg(); 343 /* preserve=1; */ 344 break; 345 case OPT_UTF8: 346 chtype = MBSTRING_UTF8; 347 break; 348 case OPT_RAND_SERIAL: 349 rand_ser = 1; 350 break; 351 case OPT_CREATE_SERIAL: 352 create_ser = 1; 353 break; 354 case OPT_MULTIVALUE_RDN: 355 /* obsolete */ 356 break; 357 case OPT_STARTDATE: 358 startdate = opt_arg(); 359 break; 360 case OPT_ENDDATE: 361 enddate = opt_arg(); 362 break; 363 case OPT_DAYS: 364 days = atoi(opt_arg()); 365 break; 366 case OPT_MD: 367 dgst = opt_arg(); 368 break; 369 case OPT_POLICY: 370 policy = opt_arg(); 371 break; 372 case OPT_KEYFILE: 373 keyfile = opt_arg(); 374 break; 375 case OPT_KEYFORM: 376 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) 377 goto opthelp; 378 break; 379 case OPT_PASSIN: 380 passinarg = opt_arg(); 381 break; 382 case OPT_R_CASES: 383 if (!opt_rand(o)) 384 goto end; 385 break; 386 case OPT_PROV_CASES: 387 if (!opt_provider(o)) 388 goto end; 389 break; 390 case OPT_KEY: 391 passin = opt_arg(); 392 break; 393 case OPT_CERT: 394 certfile = opt_arg(); 395 break; 396 case OPT_CERTFORM: 397 if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat)) 398 goto opthelp; 399 break; 400 case OPT_SELFSIGN: 401 selfsign = 1; 402 break; 403 case OPT_OUTDIR: 404 outdir = opt_arg(); 405 break; 406 case OPT_SIGOPT: 407 if (sigopts == NULL) 408 sigopts = sk_OPENSSL_STRING_new_null(); 409 if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 410 goto end; 411 break; 412 case OPT_VFYOPT: 413 if (vfyopts == NULL) 414 vfyopts = sk_OPENSSL_STRING_new_null(); 415 if (vfyopts == NULL || !sk_OPENSSL_STRING_push(vfyopts, opt_arg())) 416 goto end; 417 break; 418 case OPT_NOTEXT: 419 notext = 1; 420 break; 421 case OPT_BATCH: 422 batch = 1; 423 break; 424 case OPT_PRESERVEDN: 425 preserve = 1; 426 break; 427 case OPT_NOEMAILDN: 428 email_dn = 0; 429 break; 430 case OPT_GENCRL: 431 gencrl = 1; 432 break; 433 case OPT_MSIE_HACK: 434 msie_hack = 1; 435 break; 436 case OPT_CRL_LASTUPDATE: 437 crl_lastupdate = opt_arg(); 438 break; 439 case OPT_CRL_NEXTUPDATE: 440 crl_nextupdate = opt_arg(); 441 break; 442 case OPT_CRLDAYS: 443 crldays = atol(opt_arg()); 444 break; 445 case OPT_CRLHOURS: 446 crlhours = atol(opt_arg()); 447 break; 448 case OPT_CRLSEC: 449 crlsec = atol(opt_arg()); 450 break; 451 case OPT_INFILES: 452 req = 1; 453 goto end_of_options; 454 case OPT_SS_CERT: 455 ss_cert_file = opt_arg(); 456 req = 1; 457 break; 458 case OPT_SPKAC: 459 spkac_file = opt_arg(); 460 req = 1; 461 break; 462 case OPT_REVOKE: 463 infile = opt_arg(); 464 dorevoke = 1; 465 break; 466 case OPT_VALID: 467 infile = opt_arg(); 468 dorevoke = 2; 469 break; 470 case OPT_EXTENSIONS: 471 extensions = opt_arg(); 472 break; 473 case OPT_EXTFILE: 474 extfile = opt_arg(); 475 break; 476 case OPT_STATUS: 477 ser_status = opt_arg(); 478 break; 479 case OPT_UPDATEDB: 480 doupdatedb = 1; 481 break; 482 case OPT_CRLEXTS: 483 crl_ext = opt_arg(); 484 break; 485 case OPT_CRL_REASON: /* := REV_CRL_REASON */ 486 case OPT_CRL_HOLD: 487 case OPT_CRL_COMPROMISE: 488 case OPT_CRL_CA_COMPROMISE: 489 rev_arg = opt_arg(); 490 rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON; 491 break; 492 case OPT_ENGINE: 493 e = setup_engine(opt_arg(), 0); 494 break; 495 } 496 } 497 498 end_of_options: 499 /* Remaining args are files to certify. */ 500 argc = opt_num_rest(); 501 argv = opt_rest(); 502 503 if ((conf = app_load_config_verbose(configfile, 1)) == NULL) 504 goto end; 505 if (configfile != default_config_file && !app_load_modules(conf)) 506 goto end; 507 508 /* Lets get the config section we are using */ 509 if (section == NULL 510 && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL) 511 goto end; 512 513 p = NCONF_get_string(conf, NULL, "oid_file"); 514 if (p == NULL) 515 ERR_clear_error(); 516 if (p != NULL) { 517 BIO *oid_bio = BIO_new_file(p, "r"); 518 519 if (oid_bio == NULL) { 520 ERR_clear_error(); 521 } else { 522 OBJ_create_objects(oid_bio); 523 BIO_free(oid_bio); 524 } 525 } 526 if (!add_oid_section(conf)) 527 goto end; 528 529 app_RAND_load_conf(conf, BASE_SECTION); 530 if (!app_RAND_load()) 531 goto end; 532 533 f = NCONF_get_string(conf, section, STRING_MASK); 534 if (f == NULL) 535 ERR_clear_error(); 536 537 if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) { 538 BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); 539 goto end; 540 } 541 542 if (chtype != MBSTRING_UTF8) { 543 f = NCONF_get_string(conf, section, UTF8_IN); 544 if (f == NULL) 545 ERR_clear_error(); 546 else if (strcmp(f, "yes") == 0) 547 chtype = MBSTRING_UTF8; 548 } 549 550 db_attr.unique_subject = 1; 551 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); 552 if (p != NULL) 553 db_attr.unique_subject = parse_yesno(p, 1); 554 else 555 ERR_clear_error(); 556 557 /*****************************************************************/ 558 /* report status of cert with serial number given on command line */ 559 if (ser_status) { 560 dbfile = lookup_conf(conf, section, ENV_DATABASE); 561 if (dbfile == NULL) 562 goto end; 563 564 db = load_index(dbfile, &db_attr); 565 if (db == NULL) { 566 BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile); 567 goto end; 568 } 569 570 if (index_index(db) <= 0) 571 goto end; 572 573 if (get_certificate_status(ser_status, db) != 1) 574 BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status); 575 goto end; 576 } 577 578 /*****************************************************************/ 579 /* we definitely need a private key, so let's get it */ 580 581 if (keyfile == NULL 582 && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL) 583 goto end; 584 585 if (passin == NULL) { 586 free_passin = 1; 587 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 588 BIO_printf(bio_err, "Error getting password\n"); 589 goto end; 590 } 591 } 592 pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key"); 593 cleanse(passin); 594 if (pkey == NULL) 595 /* load_key() has already printed an appropriate message */ 596 goto end; 597 598 /*****************************************************************/ 599 /* we need a certificate */ 600 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 601 if (certfile == NULL 602 && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) 603 goto end; 604 605 x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate"); 606 if (x509 == NULL) 607 goto end; 608 609 if (!X509_check_private_key(x509, pkey)) { 610 BIO_printf(bio_err, 611 "CA certificate and CA private key do not match\n"); 612 goto end; 613 } 614 } 615 if (!selfsign) 616 x509p = x509; 617 618 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); 619 if (f == NULL) 620 ERR_clear_error(); 621 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 622 preserve = 1; 623 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); 624 if (f == NULL) 625 ERR_clear_error(); 626 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 627 msie_hack = 1; 628 629 f = NCONF_get_string(conf, section, ENV_NAMEOPT); 630 631 if (f != NULL) { 632 if (!set_nameopt(f)) { 633 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); 634 goto end; 635 } 636 default_op = 0; 637 } 638 639 f = NCONF_get_string(conf, section, ENV_CERTOPT); 640 641 if (f != NULL) { 642 if (!set_cert_ex(&certopt, f)) { 643 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); 644 goto end; 645 } 646 default_op = 0; 647 } else { 648 ERR_clear_error(); 649 } 650 651 f = NCONF_get_string(conf, section, ENV_EXTCOPY); 652 653 if (f != NULL) { 654 if (!set_ext_copy(&ext_copy, f)) { 655 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); 656 goto end; 657 } 658 } else { 659 ERR_clear_error(); 660 } 661 662 /*****************************************************************/ 663 /* lookup where to write new certificates */ 664 if ((outdir == NULL) && (req)) { 665 666 outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR); 667 if (outdir == NULL) { 668 BIO_printf(bio_err, 669 "there needs to be defined a directory for new certificate to be placed in\n"); 670 goto end; 671 } 672 #ifndef OPENSSL_SYS_VMS 673 /* 674 * outdir is a directory spec, but access() for VMS demands a 675 * filename. We could use the DEC C routine to convert the 676 * directory syntax to Unix, and give that to app_isdir, 677 * but for now the fopen will catch the error if it's not a 678 * directory 679 */ 680 if (app_isdir(outdir) <= 0) { 681 BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir); 682 perror(outdir); 683 goto end; 684 } 685 #endif 686 } 687 688 /*****************************************************************/ 689 /* we need to load the database file */ 690 dbfile = lookup_conf(conf, section, ENV_DATABASE); 691 if (dbfile == NULL) 692 goto end; 693 694 db = load_index(dbfile, &db_attr); 695 if (db == NULL) { 696 BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile); 697 goto end; 698 } 699 700 /* Lets check some fields */ 701 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 702 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 703 if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { 704 BIO_printf(bio_err, 705 "entry %d: not revoked yet, but has a revocation date\n", 706 i + 1); 707 goto end; 708 } 709 if ((pp[DB_type][0] == DB_TYPE_REV) && 710 !make_revoked(NULL, pp[DB_rev_date])) { 711 BIO_printf(bio_err, " in entry %d\n", i + 1); 712 goto end; 713 } 714 if (!check_time_format((char *)pp[DB_exp_date])) { 715 BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); 716 goto end; 717 } 718 p = pp[DB_serial]; 719 j = strlen(p); 720 if (*p == '-') { 721 p++; 722 j--; 723 } 724 if ((j & 1) || (j < 2)) { 725 BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", 726 i + 1, j); 727 goto end; 728 } 729 for ( ; *p; p++) { 730 if (!isxdigit(_UC(*p))) { 731 BIO_printf(bio_err, 732 "entry %d: bad char 0%o '%c' in serial number\n", 733 i + 1, *p, *p); 734 goto end; 735 } 736 } 737 } 738 if (verbose) { 739 TXT_DB_write(bio_out, db->db); 740 BIO_printf(bio_err, "%d entries loaded from the database\n", 741 sk_OPENSSL_PSTRING_num(db->db->data)); 742 BIO_printf(bio_err, "generating index\n"); 743 } 744 745 if (index_index(db) <= 0) 746 goto end; 747 748 /*****************************************************************/ 749 /* Update the db file for expired certificates */ 750 if (doupdatedb) { 751 if (verbose) 752 BIO_printf(bio_err, "Updating %s ...\n", dbfile); 753 754 i = do_updatedb(db); 755 if (i == -1) { 756 BIO_printf(bio_err, "Malloc failure\n"); 757 goto end; 758 } else if (i == 0) { 759 if (verbose) 760 BIO_printf(bio_err, "No entries found to mark expired\n"); 761 } else { 762 if (!save_index(dbfile, "new", db)) 763 goto end; 764 765 if (!rotate_index(dbfile, "new", "old")) 766 goto end; 767 768 if (verbose) 769 BIO_printf(bio_err, "Done. %d entries marked as expired\n", i); 770 } 771 } 772 773 /*****************************************************************/ 774 /* Read extensions config file */ 775 if (extfile) { 776 if ((extfile_conf = app_load_config(extfile)) == NULL) { 777 ret = 1; 778 goto end; 779 } 780 781 if (verbose) 782 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", 783 extfile); 784 785 /* We can have sections in the ext file */ 786 if (extensions == NULL) { 787 extensions = NCONF_get_string(extfile_conf, "default", "extensions"); 788 if (extensions == NULL) 789 extensions = "default"; 790 } 791 } 792 793 /*****************************************************************/ 794 if (req || gencrl) { 795 if (spkac_file != NULL && outfile != NULL) { 796 output_der = 1; 797 batch = 1; 798 } 799 } 800 801 def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst)); 802 /* 803 * EVP_PKEY_get_default_digest_name() returns 2 if the digest is 804 * mandatory for this algorithm. 805 */ 806 if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) { 807 /* The signing algorithm requires there to be no digest */ 808 dgst = NULL; 809 } else if (dgst == NULL 810 && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { 811 goto end; 812 } else { 813 if (strcmp(dgst, "default") == 0) { 814 if (def_ret <= 0) { 815 BIO_puts(bio_err, "no default digest\n"); 816 goto end; 817 } 818 dgst = def_dgst; 819 } 820 } 821 822 if (req) { 823 if (email_dn == 1) { 824 char *tmp_email_dn = NULL; 825 826 tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN); 827 if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0) 828 email_dn = 0; 829 } 830 if (verbose) 831 BIO_printf(bio_err, "message digest is %s\n", dgst); 832 if (policy == NULL 833 && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) 834 goto end; 835 836 if (verbose) 837 BIO_printf(bio_err, "policy is %s\n", policy); 838 839 if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) { 840 rand_ser = 1; 841 } else { 842 serialfile = lookup_conf(conf, section, ENV_SERIAL); 843 if (serialfile == NULL) 844 goto end; 845 } 846 847 if (extfile_conf != NULL) { 848 /* Check syntax of extfile */ 849 X509V3_CTX ctx; 850 851 X509V3_set_ctx_test(&ctx); 852 X509V3_set_nconf(&ctx, extfile_conf); 853 if (!X509V3_EXT_add_nconf(extfile_conf, &ctx, extensions, NULL)) { 854 BIO_printf(bio_err, 855 "Error checking certificate extensions from extfile section %s\n", 856 extensions); 857 ret = 1; 858 goto end; 859 } 860 } else { 861 /* 862 * no '-extfile' option, so we look for extensions in the main 863 * configuration file 864 */ 865 if (extensions == NULL) { 866 extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS); 867 if (extensions == NULL) 868 ERR_clear_error(); 869 } 870 if (extensions != NULL) { 871 /* Check syntax of config file section */ 872 X509V3_CTX ctx; 873 874 X509V3_set_ctx_test(&ctx); 875 X509V3_set_nconf(&ctx, conf); 876 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { 877 BIO_printf(bio_err, 878 "Error checking certificate extension config section %s\n", 879 extensions); 880 ret = 1; 881 goto end; 882 } 883 } 884 } 885 886 if (startdate == NULL) { 887 startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE); 888 if (startdate == NULL) 889 ERR_clear_error(); 890 } 891 if (startdate != NULL && !ASN1_TIME_set_string_X509(NULL, startdate)) { 892 BIO_printf(bio_err, 893 "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 894 goto end; 895 } 896 if (startdate == NULL) 897 startdate = "today"; 898 899 if (enddate == NULL) { 900 enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE); 901 if (enddate == NULL) 902 ERR_clear_error(); 903 } 904 if (enddate != NULL && !ASN1_TIME_set_string_X509(NULL, enddate)) { 905 BIO_printf(bio_err, 906 "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 907 goto end; 908 } 909 910 if (days == 0) { 911 if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) 912 days = 0; 913 } 914 if (enddate == NULL && days == 0) { 915 BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); 916 goto end; 917 } 918 919 if (rand_ser) { 920 if ((serial = BN_new()) == NULL || !rand_serial(serial, NULL)) { 921 BIO_printf(bio_err, "error generating serial number\n"); 922 goto end; 923 } 924 } else { 925 serial = load_serial(serialfile, NULL, create_ser, NULL); 926 if (serial == NULL) { 927 BIO_printf(bio_err, "error while loading serial number\n"); 928 goto end; 929 } 930 if (verbose) { 931 if (BN_is_zero(serial)) { 932 BIO_printf(bio_err, "next serial number is 00\n"); 933 } else { 934 if ((f = BN_bn2hex(serial)) == NULL) 935 goto end; 936 BIO_printf(bio_err, "next serial number is %s\n", f); 937 OPENSSL_free(f); 938 } 939 } 940 } 941 942 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 943 BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); 944 goto end; 945 } 946 947 if ((cert_sk = sk_X509_new_null()) == NULL) { 948 BIO_printf(bio_err, "Memory allocation failure\n"); 949 goto end; 950 } 951 if (spkac_file != NULL) { 952 total++; 953 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts, 954 attribs, db, serial, subj, chtype, multirdn, 955 email_dn, startdate, enddate, days, extensions, 956 conf, verbose, certopt, get_nameopt(), default_op, 957 ext_copy, dateopt); 958 if (j < 0) 959 goto end; 960 if (j > 0) { 961 total_done++; 962 BIO_printf(bio_err, "\n"); 963 if (!BN_add_word(serial, 1)) 964 goto end; 965 if (!sk_X509_push(cert_sk, x)) { 966 BIO_printf(bio_err, "Memory allocation failure\n"); 967 goto end; 968 } 969 } 970 } 971 if (ss_cert_file != NULL) { 972 total++; 973 j = certify_cert(&x, ss_cert_file, certformat, passin, pkey, 974 x509, dgst, sigopts, vfyopts, attribs, 975 db, serial, subj, chtype, multirdn, email_dn, 976 startdate, enddate, days, batch, extensions, 977 conf, verbose, certopt, get_nameopt(), default_op, 978 ext_copy, dateopt); 979 if (j < 0) 980 goto end; 981 if (j > 0) { 982 total_done++; 983 BIO_printf(bio_err, "\n"); 984 if (!BN_add_word(serial, 1)) 985 goto end; 986 if (!sk_X509_push(cert_sk, x)) { 987 BIO_printf(bio_err, "Memory allocation failure\n"); 988 goto end; 989 } 990 } 991 } 992 if (infile != NULL) { 993 total++; 994 j = certify(&x, infile, informat, pkey, x509p, dgst, 995 sigopts, vfyopts, attribs, db, 996 serial, subj, chtype, multirdn, email_dn, startdate, 997 enddate, days, batch, extensions, conf, verbose, 998 certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt); 999 if (j < 0) 1000 goto end; 1001 if (j > 0) { 1002 total_done++; 1003 BIO_printf(bio_err, "\n"); 1004 if (!BN_add_word(serial, 1)) 1005 goto end; 1006 if (!sk_X509_push(cert_sk, x)) { 1007 BIO_printf(bio_err, "Memory allocation failure\n"); 1008 goto end; 1009 } 1010 } 1011 } 1012 for (i = 0; i < argc; i++) { 1013 total++; 1014 j = certify(&x, argv[i], informat, pkey, x509p, dgst, 1015 sigopts, vfyopts, 1016 attribs, db, 1017 serial, subj, chtype, multirdn, email_dn, startdate, 1018 enddate, days, batch, extensions, conf, verbose, 1019 certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt); 1020 if (j < 0) 1021 goto end; 1022 if (j > 0) { 1023 total_done++; 1024 BIO_printf(bio_err, "\n"); 1025 if (!BN_add_word(serial, 1)) { 1026 X509_free(x); 1027 goto end; 1028 } 1029 if (!sk_X509_push(cert_sk, x)) { 1030 BIO_printf(bio_err, "Memory allocation failure\n"); 1031 X509_free(x); 1032 goto end; 1033 } 1034 } 1035 } 1036 /* 1037 * we have a stack of newly certified certificates and a data base 1038 * and serial number that need updating 1039 */ 1040 1041 if (sk_X509_num(cert_sk) > 0) { 1042 if (!batch) { 1043 BIO_printf(bio_err, 1044 "\n%d out of %d certificate requests certified, commit? [y/n]", 1045 total_done, total); 1046 (void)BIO_flush(bio_err); 1047 tmp[0] = '\0'; 1048 if (fgets(tmp, sizeof(tmp), stdin) == NULL) { 1049 BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); 1050 ret = 0; 1051 goto end; 1052 } 1053 if (tmp[0] != 'y' && tmp[0] != 'Y') { 1054 BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); 1055 ret = 0; 1056 goto end; 1057 } 1058 } 1059 1060 BIO_printf(bio_err, "Write out database with %d new entries\n", 1061 sk_X509_num(cert_sk)); 1062 1063 if (serialfile != NULL 1064 && !save_serial(serialfile, "new", serial, NULL)) 1065 goto end; 1066 1067 if (!save_index(dbfile, "new", db)) 1068 goto end; 1069 } 1070 1071 outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert)); 1072 #ifndef OPENSSL_SYS_VMS 1073 outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); 1074 #endif 1075 1076 if (verbose) 1077 BIO_printf(bio_err, "writing new certificates\n"); 1078 1079 for (i = 0; i < sk_X509_num(cert_sk); i++) { 1080 BIO *Cout = NULL; 1081 X509 *xi = sk_X509_value(cert_sk, i); 1082 const ASN1_INTEGER *serialNumber = X509_get0_serialNumber(xi); 1083 const unsigned char *psn = ASN1_STRING_get0_data(serialNumber); 1084 const int snl = ASN1_STRING_length(serialNumber); 1085 const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem"); 1086 char *n = new_cert + outdirlen; 1087 1088 if (outdirlen + filen_len > PATH_MAX) { 1089 BIO_printf(bio_err, "certificate file name too long\n"); 1090 goto end; 1091 } 1092 1093 if (snl > 0) { 1094 static const char HEX_DIGITS[] = "0123456789ABCDEF"; 1095 1096 for (j = 0; j < snl; j++, psn++) { 1097 *n++ = HEX_DIGITS[*psn >> 4]; 1098 *n++ = HEX_DIGITS[*psn & 0x0F]; 1099 } 1100 } else { 1101 *(n++) = '0'; 1102 *(n++) = '0'; 1103 } 1104 *(n++) = '.'; 1105 *(n++) = 'p'; 1106 *(n++) = 'e'; 1107 *(n++) = 'm'; 1108 *n = '\0'; /* closing new_cert */ 1109 if (verbose) 1110 BIO_printf(bio_err, "writing %s\n", new_cert); 1111 1112 Sout = bio_open_default(outfile, 'w', 1113 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1114 if (Sout == NULL) 1115 goto end; 1116 1117 Cout = BIO_new_file(new_cert, "w"); 1118 if (Cout == NULL) { 1119 perror(new_cert); 1120 goto end; 1121 } 1122 write_new_certificate(Cout, xi, 0, notext); 1123 write_new_certificate(Sout, xi, output_der, notext); 1124 BIO_free_all(Cout); 1125 BIO_free_all(Sout); 1126 Sout = NULL; 1127 } 1128 1129 if (sk_X509_num(cert_sk)) { 1130 /* Rename the database and the serial file */ 1131 if (serialfile != NULL 1132 && !rotate_serial(serialfile, "new", "old")) 1133 goto end; 1134 1135 if (!rotate_index(dbfile, "new", "old")) 1136 goto end; 1137 1138 BIO_printf(bio_err, "Data Base Updated\n"); 1139 } 1140 } 1141 1142 /*****************************************************************/ 1143 if (gencrl) { 1144 int crl_v2 = 0; 1145 if (crl_ext == NULL) { 1146 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); 1147 if (crl_ext == NULL) 1148 ERR_clear_error(); 1149 } 1150 if (crl_ext != NULL) { 1151 /* Check syntax of file */ 1152 X509V3_CTX ctx; 1153 1154 X509V3_set_ctx_test(&ctx); 1155 X509V3_set_nconf(&ctx, conf); 1156 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { 1157 BIO_printf(bio_err, 1158 "Error checking CRL extension section %s\n", crl_ext); 1159 ret = 1; 1160 goto end; 1161 } 1162 } 1163 1164 if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) 1165 != NULL) 1166 if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL)) 1167 == NULL) { 1168 BIO_printf(bio_err, "error while loading CRL number\n"); 1169 goto end; 1170 } 1171 1172 if (!crldays && !crlhours && !crlsec) { 1173 if (!NCONF_get_number(conf, section, 1174 ENV_DEFAULT_CRL_DAYS, &crldays)) 1175 crldays = 0; 1176 if (!NCONF_get_number(conf, section, 1177 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1178 crlhours = 0; 1179 ERR_clear_error(); 1180 } 1181 if ((crl_nextupdate == NULL) && 1182 (crldays == 0) && (crlhours == 0) && (crlsec == 0)) { 1183 BIO_printf(bio_err, 1184 "cannot lookup how long until the next CRL is issued\n"); 1185 goto end; 1186 } 1187 1188 if (verbose) 1189 BIO_printf(bio_err, "making CRL\n"); 1190 if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) 1191 goto end; 1192 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) 1193 goto end; 1194 1195 if (!set_crl_lastupdate(crl, crl_lastupdate)) { 1196 BIO_puts(bio_err, "error setting CRL lastUpdate\n"); 1197 ret = 1; 1198 goto end; 1199 } 1200 1201 if (!set_crl_nextupdate(crl, crl_nextupdate, 1202 crldays, crlhours, crlsec)) { 1203 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1204 ret = 1; 1205 goto end; 1206 } 1207 1208 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 1209 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 1210 if (pp[DB_type][0] == DB_TYPE_REV) { 1211 if ((r = X509_REVOKED_new()) == NULL) 1212 goto end; 1213 j = make_revoked(r, pp[DB_rev_date]); 1214 if (!j) 1215 goto end; 1216 if (j == 2) 1217 crl_v2 = 1; 1218 if (!BN_hex2bn(&serial, pp[DB_serial])) 1219 goto end; 1220 tmpser = BN_to_ASN1_INTEGER(serial, NULL); 1221 BN_free(serial); 1222 serial = NULL; 1223 if (!tmpser) 1224 goto end; 1225 X509_REVOKED_set_serialNumber(r, tmpser); 1226 ASN1_INTEGER_free(tmpser); 1227 X509_CRL_add0_revoked(crl, r); 1228 } 1229 } 1230 1231 /* 1232 * sort the data so it will be written in serial number order 1233 */ 1234 X509_CRL_sort(crl); 1235 1236 /* we now have a CRL */ 1237 if (verbose) 1238 BIO_printf(bio_err, "signing CRL\n"); 1239 1240 /* Add any extensions asked for */ 1241 1242 if (crl_ext != NULL || crlnumberfile != NULL) { 1243 X509V3_CTX crlctx; 1244 1245 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 1246 X509V3_set_nconf(&crlctx, conf); 1247 1248 if (crl_ext != NULL) 1249 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) { 1250 BIO_printf(bio_err, 1251 "Error adding CRL extensions from section %s\n", crl_ext); 1252 goto end; 1253 } 1254 if (crlnumberfile != NULL) { 1255 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1256 if (!tmpser) 1257 goto end; 1258 X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); 1259 ASN1_INTEGER_free(tmpser); 1260 crl_v2 = 1; 1261 if (!BN_add_word(crlnumber, 1)) 1262 goto end; 1263 } 1264 } 1265 if (crl_ext != NULL || crl_v2) { 1266 if (!X509_CRL_set_version(crl, X509_CRL_VERSION_2)) 1267 goto end; 1268 } 1269 1270 /* we have a CRL number that need updating */ 1271 if (crlnumberfile != NULL 1272 && !save_serial(crlnumberfile, "new", crlnumber, NULL)) 1273 goto end; 1274 1275 BN_free(crlnumber); 1276 crlnumber = NULL; 1277 1278 if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) 1279 goto end; 1280 1281 Sout = bio_open_default(outfile, 'w', 1282 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1283 if (Sout == NULL) 1284 goto end; 1285 1286 PEM_write_bio_X509_CRL(Sout, crl); 1287 1288 /* Rename the crlnumber file */ 1289 if (crlnumberfile != NULL 1290 && !rotate_serial(crlnumberfile, "new", "old")) 1291 goto end; 1292 1293 } 1294 /*****************************************************************/ 1295 if (dorevoke) { 1296 if (infile == NULL) { 1297 BIO_printf(bio_err, "no input files\n"); 1298 goto end; 1299 } else { 1300 X509 *revcert; 1301 1302 revcert = load_cert_pass(infile, informat, 1, passin, 1303 "certificate to be revoked"); 1304 if (revcert == NULL) 1305 goto end; 1306 if (dorevoke == 2) 1307 rev_type = REV_VALID; 1308 j = do_revoke(revcert, db, rev_type, rev_arg); 1309 if (j <= 0) 1310 goto end; 1311 X509_free(revcert); 1312 1313 if (!save_index(dbfile, "new", db)) 1314 goto end; 1315 1316 if (!rotate_index(dbfile, "new", "old")) 1317 goto end; 1318 1319 BIO_printf(bio_err, "Data Base Updated\n"); 1320 } 1321 } 1322 ret = 0; 1323 1324 end: 1325 if (ret) 1326 ERR_print_errors(bio_err); 1327 BIO_free_all(Sout); 1328 BIO_free_all(out); 1329 BIO_free_all(in); 1330 sk_X509_pop_free(cert_sk, X509_free); 1331 1332 cleanse(passin); 1333 if (free_passin) 1334 OPENSSL_free(passin); 1335 BN_free(serial); 1336 BN_free(crlnumber); 1337 free_index(db); 1338 sk_OPENSSL_STRING_free(sigopts); 1339 sk_OPENSSL_STRING_free(vfyopts); 1340 EVP_PKEY_free(pkey); 1341 X509_free(x509); 1342 X509_CRL_free(crl); 1343 NCONF_free(conf); 1344 NCONF_free(extfile_conf); 1345 release_engine(e); 1346 return ret; 1347 } 1348 1349 static char *lookup_conf(const CONF *conf, const char *section, const char *tag) 1350 { 1351 char *entry = NCONF_get_string(conf, section, tag); 1352 if (entry == NULL) 1353 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag); 1354 return entry; 1355 } 1356 1357 static int certify(X509 **xret, const char *infile, int informat, 1358 EVP_PKEY *pkey, X509 *x509, 1359 const char *dgst, 1360 STACK_OF(OPENSSL_STRING) *sigopts, 1361 STACK_OF(OPENSSL_STRING) *vfyopts, 1362 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1363 BIGNUM *serial, const char *subj, unsigned long chtype, 1364 int multirdn, int email_dn, const char *startdate, 1365 const char *enddate, 1366 long days, int batch, const char *ext_sect, CONF *lconf, 1367 int verbose, unsigned long certopt, unsigned long nameopt, 1368 int default_op, int ext_copy, int selfsign, unsigned long dateopt) 1369 { 1370 X509_REQ *req = NULL; 1371 EVP_PKEY *pktmp = NULL; 1372 int ok = -1, i; 1373 1374 req = load_csr(infile, informat, "certificate request"); 1375 if (req == NULL) 1376 goto end; 1377 if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { 1378 BIO_printf(bio_err, "Error unpacking public key\n"); 1379 goto end; 1380 } 1381 if (verbose) 1382 X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT); 1383 1384 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1385 ok = 0; 1386 1387 if (selfsign && !X509_REQ_check_private_key(req, pkey)) { 1388 BIO_printf(bio_err, 1389 "Certificate request and CA private key do not match\n"); 1390 goto end; 1391 } 1392 i = do_X509_REQ_verify(req, pktmp, vfyopts); 1393 if (i < 0) { 1394 BIO_printf(bio_err, "Signature verification problems...\n"); 1395 goto end; 1396 } 1397 if (i == 0) { 1398 BIO_printf(bio_err, 1399 "Signature did not match the certificate request\n"); 1400 goto end; 1401 } 1402 BIO_printf(bio_err, "Signature ok\n"); 1403 1404 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1405 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1406 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 1407 ext_copy, selfsign, dateopt); 1408 1409 end: 1410 ERR_print_errors(bio_err); 1411 X509_REQ_free(req); 1412 return ok; 1413 } 1414 1415 static int certify_cert(X509 **xret, const char *infile, int certformat, 1416 const char *passin, EVP_PKEY *pkey, X509 *x509, 1417 const char *dgst, 1418 STACK_OF(OPENSSL_STRING) *sigopts, 1419 STACK_OF(OPENSSL_STRING) *vfyopts, 1420 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1421 BIGNUM *serial, const char *subj, unsigned long chtype, 1422 int multirdn, int email_dn, const char *startdate, 1423 const char *enddate, long days, int batch, const char *ext_sect, 1424 CONF *lconf, int verbose, unsigned long certopt, 1425 unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt) 1426 { 1427 X509 *template_cert = NULL; 1428 X509_REQ *rreq = NULL; 1429 EVP_PKEY *pktmp = NULL; 1430 int ok = -1, i; 1431 1432 if ((template_cert = load_cert_pass(infile, certformat, 1, passin, 1433 "template certificate")) == NULL) 1434 goto end; 1435 if (verbose) 1436 X509_print(bio_err, template_cert); 1437 1438 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1439 1440 if ((pktmp = X509_get0_pubkey(template_cert)) == NULL) { 1441 BIO_printf(bio_err, "error unpacking public key\n"); 1442 goto end; 1443 } 1444 i = do_X509_verify(template_cert, pktmp, vfyopts); 1445 if (i < 0) { 1446 ok = 0; 1447 BIO_printf(bio_err, "Signature verification problems....\n"); 1448 goto end; 1449 } 1450 if (i == 0) { 1451 ok = 0; 1452 BIO_printf(bio_err, "Signature did not match the certificate\n"); 1453 goto end; 1454 } else { 1455 BIO_printf(bio_err, "Signature ok\n"); 1456 } 1457 1458 if ((rreq = X509_to_X509_REQ(template_cert, NULL, NULL)) == NULL) 1459 goto end; 1460 1461 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1462 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1463 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, 1464 ext_copy, 0, dateopt); 1465 1466 end: 1467 X509_REQ_free(rreq); 1468 X509_free(template_cert); 1469 return ok; 1470 } 1471 1472 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 1473 const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1474 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 1475 const char *subj, unsigned long chtype, int multirdn, 1476 int email_dn, const char *startdate, const char *enddate, long days, 1477 int batch, int verbose, X509_REQ *req, const char *ext_sect, 1478 CONF *lconf, unsigned long certopt, unsigned long nameopt, 1479 int default_op, int ext_copy, int selfsign, unsigned long dateopt) 1480 { 1481 const X509_NAME *name = NULL; 1482 X509_NAME *CAname = NULL, *subject = NULL; 1483 const ASN1_TIME *tm; 1484 ASN1_STRING *str, *str2; 1485 ASN1_OBJECT *obj; 1486 X509 *ret = NULL; 1487 X509_NAME_ENTRY *ne, *tne; 1488 EVP_PKEY *pktmp; 1489 int ok = -1, i, j, last, nid; 1490 const char *p; 1491 CONF_VALUE *cv; 1492 OPENSSL_STRING row[DB_NUMBER]; 1493 OPENSSL_STRING *irow = NULL; 1494 OPENSSL_STRING *rrow = NULL; 1495 char buf[25]; 1496 X509V3_CTX ext_ctx; 1497 1498 for (i = 0; i < DB_NUMBER; i++) 1499 row[i] = NULL; 1500 1501 if (subj) { 1502 X509_NAME *n = parse_name(subj, chtype, multirdn, "subject"); 1503 1504 if (!n) 1505 goto end; 1506 X509_REQ_set_subject_name(req, n); 1507 X509_NAME_free(n); 1508 } 1509 1510 if (default_op) 1511 BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); 1512 1513 name = X509_REQ_get_subject_name(req); 1514 for (i = 0; i < X509_NAME_entry_count(name); i++) { 1515 ne = X509_NAME_get_entry(name, i); 1516 str = X509_NAME_ENTRY_get_data(ne); 1517 obj = X509_NAME_ENTRY_get_object(ne); 1518 nid = OBJ_obj2nid(obj); 1519 1520 if (msie_hack) { 1521 /* assume all type should be strings */ 1522 1523 if (str->type == V_ASN1_UNIVERSALSTRING) 1524 ASN1_UNIVERSALSTRING_to_string(str); 1525 1526 if (str->type == V_ASN1_IA5STRING && nid != NID_pkcs9_emailAddress) 1527 str->type = V_ASN1_T61STRING; 1528 1529 if (nid == NID_pkcs9_emailAddress 1530 && str->type == V_ASN1_PRINTABLESTRING) 1531 str->type = V_ASN1_IA5STRING; 1532 } 1533 1534 /* If no EMAIL is wanted in the subject */ 1535 if (nid == NID_pkcs9_emailAddress && !email_dn) 1536 continue; 1537 1538 /* check some things */ 1539 if (nid == NID_pkcs9_emailAddress && str->type != V_ASN1_IA5STRING) { 1540 BIO_printf(bio_err, 1541 "\nemailAddress type needs to be of type IA5STRING\n"); 1542 goto end; 1543 } 1544 if (str->type != V_ASN1_BMPSTRING && str->type != V_ASN1_UTF8STRING) { 1545 j = ASN1_PRINTABLE_type(str->data, str->length); 1546 if ((j == V_ASN1_T61STRING && str->type != V_ASN1_T61STRING) || 1547 (j == V_ASN1_IA5STRING && str->type == V_ASN1_PRINTABLESTRING)) 1548 { 1549 BIO_printf(bio_err, 1550 "\nThe string contains characters that are illegal for the ASN.1 type\n"); 1551 goto end; 1552 } 1553 } 1554 1555 if (default_op) 1556 old_entry_print(obj, str); 1557 } 1558 1559 /* Ok, now we check the 'policy' stuff. */ 1560 if ((subject = X509_NAME_new()) == NULL) { 1561 BIO_printf(bio_err, "Memory allocation failure\n"); 1562 goto end; 1563 } 1564 1565 /* take a copy of the issuer name before we mess with it. */ 1566 if (selfsign) 1567 CAname = X509_NAME_dup(name); 1568 else 1569 CAname = X509_NAME_dup(X509_get_subject_name(x509)); 1570 if (CAname == NULL) 1571 goto end; 1572 str = str2 = NULL; 1573 1574 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { 1575 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ 1576 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { 1577 BIO_printf(bio_err, 1578 "%s:unknown object type in 'policy' configuration\n", 1579 cv->name); 1580 goto end; 1581 } 1582 obj = OBJ_nid2obj(j); 1583 1584 last = -1; 1585 for (;;) { 1586 X509_NAME_ENTRY *push = NULL; 1587 1588 /* lookup the object in the supplied name list */ 1589 j = X509_NAME_get_index_by_OBJ(name, obj, last); 1590 if (j < 0) { 1591 if (last != -1) 1592 break; 1593 tne = NULL; 1594 } else { 1595 tne = X509_NAME_get_entry(name, j); 1596 } 1597 last = j; 1598 1599 /* depending on the 'policy', decide what to do. */ 1600 if (strcmp(cv->value, "optional") == 0) { 1601 if (tne != NULL) 1602 push = tne; 1603 } else if (strcmp(cv->value, "supplied") == 0) { 1604 if (tne == NULL) { 1605 BIO_printf(bio_err, 1606 "The %s field needed to be supplied and was missing\n", 1607 cv->name); 1608 goto end; 1609 } else { 1610 push = tne; 1611 } 1612 } else if (strcmp(cv->value, "match") == 0) { 1613 int last2; 1614 1615 if (tne == NULL) { 1616 BIO_printf(bio_err, 1617 "The mandatory %s field was missing\n", 1618 cv->name); 1619 goto end; 1620 } 1621 1622 last2 = -1; 1623 1624 again2: 1625 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); 1626 if ((j < 0) && (last2 == -1)) { 1627 BIO_printf(bio_err, 1628 "The %s field does not exist in the CA certificate,\n" 1629 "the 'policy' is misconfigured\n", cv->name); 1630 goto end; 1631 } 1632 if (j >= 0) { 1633 push = X509_NAME_get_entry(CAname, j); 1634 str = X509_NAME_ENTRY_get_data(tne); 1635 str2 = X509_NAME_ENTRY_get_data(push); 1636 last2 = j; 1637 if (ASN1_STRING_cmp(str, str2) != 0) 1638 goto again2; 1639 } 1640 if (j < 0) { 1641 BIO_printf(bio_err, 1642 "The %s field is different between\n" 1643 "CA certificate (%s) and the request (%s)\n", 1644 cv->name, 1645 ((str2 == NULL) ? "NULL" : (char *)str2->data), 1646 ((str == NULL) ? "NULL" : (char *)str->data)); 1647 goto end; 1648 } 1649 } else { 1650 BIO_printf(bio_err, 1651 "%s:invalid type in 'policy' configuration\n", 1652 cv->value); 1653 goto end; 1654 } 1655 1656 if (push != NULL) { 1657 if (!X509_NAME_add_entry(subject, push, -1, 0)) { 1658 BIO_printf(bio_err, "Memory allocation failure\n"); 1659 goto end; 1660 } 1661 } 1662 if (j < 0) 1663 break; 1664 } 1665 } 1666 1667 if (preserve) { 1668 X509_NAME_free(subject); 1669 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 1670 subject = X509_NAME_dup(name); 1671 if (subject == NULL) 1672 goto end; 1673 } 1674 1675 /* We are now totally happy, lets make and sign the certificate */ 1676 if (verbose) 1677 BIO_printf(bio_err, 1678 "Everything appears to be ok, creating and signing the certificate\n"); 1679 1680 if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL) 1681 goto end; 1682 1683 if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) 1684 goto end; 1685 if (selfsign) { 1686 if (!X509_set_issuer_name(ret, subject)) 1687 goto end; 1688 } else { 1689 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509))) 1690 goto end; 1691 } 1692 1693 if (!set_cert_times(ret, startdate, enddate, days)) 1694 goto end; 1695 1696 if (enddate != NULL) { 1697 int tdays; 1698 1699 if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret))) 1700 goto end; 1701 days = tdays; 1702 } 1703 1704 if (!X509_set_subject_name(ret, subject)) 1705 goto end; 1706 1707 pktmp = X509_REQ_get0_pubkey(req); 1708 i = X509_set_pubkey(ret, pktmp); 1709 if (!i) 1710 goto end; 1711 1712 /* Initialize the context structure */ 1713 X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, 1714 ret, req, NULL, X509V3_CTX_REPLACE); 1715 1716 /* Lets add the extensions, if there are any */ 1717 if (ext_sect) { 1718 if (extfile_conf != NULL) { 1719 if (verbose) 1720 BIO_printf(bio_err, "Extra configuration file found\n"); 1721 1722 /* Use the extfile_conf configuration db LHASH */ 1723 X509V3_set_nconf(&ext_ctx, extfile_conf); 1724 1725 /* Adds exts contained in the configuration file */ 1726 if (!X509V3_EXT_add_nconf(extfile_conf, &ext_ctx, ext_sect, ret)) { 1727 BIO_printf(bio_err, 1728 "Error adding certificate extensions from extfile section %s\n", 1729 ext_sect); 1730 goto end; 1731 } 1732 if (verbose) 1733 BIO_printf(bio_err, 1734 "Successfully added extensions from file.\n"); 1735 } else if (ext_sect) { 1736 /* We found extensions to be set from config file */ 1737 X509V3_set_nconf(&ext_ctx, lconf); 1738 1739 if (!X509V3_EXT_add_nconf(lconf, &ext_ctx, ext_sect, ret)) { 1740 BIO_printf(bio_err, 1741 "Error adding certificate extensions from config section %s\n", 1742 ext_sect); 1743 goto end; 1744 } 1745 1746 if (verbose) 1747 BIO_printf(bio_err, 1748 "Successfully added extensions from config\n"); 1749 } 1750 } 1751 1752 /* Copy extensions from request (if any) */ 1753 1754 if (!copy_extensions(ret, req, ext_copy)) { 1755 BIO_printf(bio_err, "ERROR: adding extensions from request\n"); 1756 goto end; 1757 } 1758 1759 if (verbose) 1760 BIO_printf(bio_err, 1761 "The subject name appears to be ok, checking data base for clashes\n"); 1762 1763 /* Build the correct Subject if no e-mail is wanted in the subject. */ 1764 if (!email_dn) { 1765 X509_NAME_ENTRY *tmpne; 1766 X509_NAME *dn_subject; 1767 1768 /* 1769 * Its best to dup the subject DN and then delete any email addresses 1770 * because this retains its structure. 1771 */ 1772 if ((dn_subject = X509_NAME_dup(subject)) == NULL) { 1773 BIO_printf(bio_err, "Memory allocation failure\n"); 1774 goto end; 1775 } 1776 i = -1; 1777 while ((i = X509_NAME_get_index_by_NID(dn_subject, 1778 NID_pkcs9_emailAddress, 1779 i)) >= 0) { 1780 tmpne = X509_NAME_delete_entry(dn_subject, i--); 1781 X509_NAME_ENTRY_free(tmpne); 1782 } 1783 1784 if (!X509_set_subject_name(ret, dn_subject)) { 1785 X509_NAME_free(dn_subject); 1786 goto end; 1787 } 1788 X509_NAME_free(dn_subject); 1789 } 1790 1791 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); 1792 if (row[DB_name] == NULL) { 1793 BIO_printf(bio_err, "Memory allocation failure\n"); 1794 goto end; 1795 } 1796 1797 if (BN_is_zero(serial)) 1798 row[DB_serial] = OPENSSL_strdup("00"); 1799 else 1800 row[DB_serial] = BN_bn2hex(serial); 1801 if (row[DB_serial] == NULL) { 1802 BIO_printf(bio_err, "Memory allocation failure\n"); 1803 goto end; 1804 } 1805 1806 if (row[DB_name][0] == '\0') { 1807 /* 1808 * An empty subject! We'll use the serial number instead. If 1809 * unique_subject is in use then we don't want different entries with 1810 * empty subjects matching each other. 1811 */ 1812 OPENSSL_free(row[DB_name]); 1813 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 1814 if (row[DB_name] == NULL) { 1815 BIO_printf(bio_err, "Memory allocation failure\n"); 1816 goto end; 1817 } 1818 } 1819 1820 if (db->attributes.unique_subject) { 1821 OPENSSL_STRING *crow = row; 1822 1823 rrow = TXT_DB_get_by_index(db->db, DB_name, crow); 1824 if (rrow != NULL) { 1825 BIO_printf(bio_err, 1826 "ERROR:There is already a certificate for %s\n", 1827 row[DB_name]); 1828 } 1829 } 1830 if (rrow == NULL) { 1831 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 1832 if (rrow != NULL) { 1833 BIO_printf(bio_err, 1834 "ERROR:Serial number %s has already been issued,\n", 1835 row[DB_serial]); 1836 BIO_printf(bio_err, 1837 " check the database/serial_file for corruption\n"); 1838 } 1839 } 1840 1841 if (rrow != NULL) { 1842 BIO_printf(bio_err, "The matching entry has the following details\n"); 1843 if (rrow[DB_type][0] == DB_TYPE_EXP) 1844 p = "Expired"; 1845 else if (rrow[DB_type][0] == DB_TYPE_REV) 1846 p = "Revoked"; 1847 else if (rrow[DB_type][0] == DB_TYPE_VAL) 1848 p = "Valid"; 1849 else 1850 p = "\ninvalid type, Data base error\n"; 1851 BIO_printf(bio_err, "Type :%s\n", p);; 1852 if (rrow[DB_type][0] == DB_TYPE_REV) { 1853 p = rrow[DB_exp_date]; 1854 if (p == NULL) 1855 p = "undef"; 1856 BIO_printf(bio_err, "Was revoked on:%s\n", p); 1857 } 1858 p = rrow[DB_exp_date]; 1859 if (p == NULL) 1860 p = "undef"; 1861 BIO_printf(bio_err, "Expires on :%s\n", p); 1862 p = rrow[DB_serial]; 1863 if (p == NULL) 1864 p = "undef"; 1865 BIO_printf(bio_err, "Serial Number :%s\n", p); 1866 p = rrow[DB_file]; 1867 if (p == NULL) 1868 p = "undef"; 1869 BIO_printf(bio_err, "File name :%s\n", p); 1870 p = rrow[DB_name]; 1871 if (p == NULL) 1872 p = "undef"; 1873 BIO_printf(bio_err, "Subject Name :%s\n", p); 1874 ok = -1; /* This is now a 'bad' error. */ 1875 goto end; 1876 } 1877 1878 if (!default_op) { 1879 BIO_printf(bio_err, "Certificate Details:\n"); 1880 /* 1881 * Never print signature details because signature not present 1882 */ 1883 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; 1884 X509_print_ex(bio_err, ret, nameopt, certopt); 1885 } 1886 1887 BIO_printf(bio_err, "Certificate is to be certified until "); 1888 ASN1_TIME_print_ex(bio_err, X509_get0_notAfter(ret), dateopt); 1889 if (days) 1890 BIO_printf(bio_err, " (%ld days)", days); 1891 BIO_printf(bio_err, "\n"); 1892 1893 if (!batch) { 1894 1895 BIO_printf(bio_err, "Sign the certificate? [y/n]:"); 1896 (void)BIO_flush(bio_err); 1897 buf[0] = '\0'; 1898 if (fgets(buf, sizeof(buf), stdin) == NULL) { 1899 BIO_printf(bio_err, 1900 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); 1901 ok = 0; 1902 goto end; 1903 } 1904 if (!(buf[0] == 'y' || buf[0] == 'Y')) { 1905 BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); 1906 ok = 0; 1907 goto end; 1908 } 1909 } 1910 1911 pktmp = X509_get0_pubkey(ret); 1912 if (EVP_PKEY_missing_parameters(pktmp) && 1913 !EVP_PKEY_missing_parameters(pkey)) 1914 EVP_PKEY_copy_parameters(pktmp, pkey); 1915 1916 if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx)) 1917 goto end; 1918 1919 /* We now just add it to the database as DB_TYPE_VAL('V') */ 1920 row[DB_type] = OPENSSL_strdup("V"); 1921 tm = X509_get0_notAfter(ret); 1922 row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); 1923 memcpy(row[DB_exp_date], tm->data, tm->length); 1924 row[DB_exp_date][tm->length] = '\0'; 1925 row[DB_rev_date] = NULL; 1926 row[DB_file] = OPENSSL_strdup("unknown"); 1927 if ((row[DB_type] == NULL) || (row[DB_file] == NULL) 1928 || (row[DB_name] == NULL)) { 1929 BIO_printf(bio_err, "Memory allocation failure\n"); 1930 goto end; 1931 } 1932 1933 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space"); 1934 for (i = 0; i < DB_NUMBER; i++) 1935 irow[i] = row[i]; 1936 irow[DB_NUMBER] = NULL; 1937 1938 if (!TXT_DB_insert(db->db, irow)) { 1939 BIO_printf(bio_err, "failed to update database\n"); 1940 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 1941 goto end; 1942 } 1943 irow = NULL; 1944 ok = 1; 1945 end: 1946 if (ok != 1) { 1947 for (i = 0; i < DB_NUMBER; i++) 1948 OPENSSL_free(row[i]); 1949 } 1950 OPENSSL_free(irow); 1951 1952 X509_NAME_free(CAname); 1953 X509_NAME_free(subject); 1954 if (ok <= 0) 1955 X509_free(ret); 1956 else 1957 *xret = ret; 1958 return ok; 1959 } 1960 1961 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) 1962 { 1963 1964 if (output_der) { 1965 (void)i2d_X509_bio(bp, x); 1966 return; 1967 } 1968 if (!notext) 1969 X509_print(bp, x); 1970 PEM_write_bio_X509(bp, x); 1971 } 1972 1973 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 1974 X509 *x509, const char *dgst, 1975 STACK_OF(OPENSSL_STRING) *sigopts, 1976 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1977 BIGNUM *serial, const char *subj, unsigned long chtype, 1978 int multirdn, int email_dn, const char *startdate, 1979 const char *enddate, long days, const char *ext_sect, 1980 CONF *lconf, int verbose, unsigned long certopt, 1981 unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt) 1982 { 1983 STACK_OF(CONF_VALUE) *sk = NULL; 1984 LHASH_OF(CONF_VALUE) *parms = NULL; 1985 X509_REQ *req = NULL; 1986 CONF_VALUE *cv = NULL; 1987 NETSCAPE_SPKI *spki = NULL; 1988 char *type, *buf; 1989 EVP_PKEY *pktmp = NULL; 1990 X509_NAME *n = NULL; 1991 X509_NAME_ENTRY *ne = NULL; 1992 int ok = -1, i, j; 1993 long errline; 1994 int nid; 1995 1996 /* 1997 * Load input file into a hash table. (This is just an easy 1998 * way to read and parse the file, then put it into a convenient 1999 * STACK format). 2000 */ 2001 parms = CONF_load(NULL, infile, &errline); 2002 if (parms == NULL) { 2003 BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); 2004 goto end; 2005 } 2006 2007 sk = CONF_get_section(parms, "default"); 2008 if (sk_CONF_VALUE_num(sk) == 0) { 2009 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); 2010 goto end; 2011 } 2012 2013 /* 2014 * Now create a dummy X509 request structure. We don't actually 2015 * have an X509 request, but we have many of the components 2016 * (a public key, various DN components). The idea is that we 2017 * put these components into the right X509 request structure 2018 * and we can use the same code as if you had a real X509 request. 2019 */ 2020 req = X509_REQ_new(); 2021 if (req == NULL) 2022 goto end; 2023 2024 /* 2025 * Build up the subject name set. 2026 */ 2027 n = X509_REQ_get_subject_name(req); 2028 2029 for (i = 0;; i++) { 2030 if (sk_CONF_VALUE_num(sk) <= i) 2031 break; 2032 2033 cv = sk_CONF_VALUE_value(sk, i); 2034 type = cv->name; 2035 /* 2036 * Skip past any leading X. X: X, etc to allow for multiple instances 2037 */ 2038 for (buf = cv->name; *buf; buf++) 2039 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { 2040 buf++; 2041 if (*buf) 2042 type = buf; 2043 break; 2044 } 2045 2046 buf = cv->value; 2047 if ((nid = OBJ_txt2nid(type)) == NID_undef) { 2048 if (strcmp(type, "SPKAC") == 0) { 2049 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); 2050 if (spki == NULL) { 2051 BIO_printf(bio_err, 2052 "unable to load Netscape SPKAC structure\n"); 2053 goto end; 2054 } 2055 } 2056 continue; 2057 } 2058 2059 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 2060 (unsigned char *)buf, -1, -1, 0)) 2061 goto end; 2062 } 2063 if (spki == NULL) { 2064 BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", 2065 infile); 2066 goto end; 2067 } 2068 2069 /* 2070 * Now extract the key from the SPKI structure. 2071 */ 2072 2073 BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); 2074 2075 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { 2076 BIO_printf(bio_err, "error unpacking SPKAC public key\n"); 2077 goto end; 2078 } 2079 2080 j = NETSCAPE_SPKI_verify(spki, pktmp); 2081 if (j <= 0) { 2082 EVP_PKEY_free(pktmp); 2083 BIO_printf(bio_err, 2084 "signature verification failed on SPKAC public key\n"); 2085 goto end; 2086 } 2087 BIO_printf(bio_err, "Signature ok\n"); 2088 2089 X509_REQ_set_pubkey(req, pktmp); 2090 EVP_PKEY_free(pktmp); 2091 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 2092 chtype, multirdn, email_dn, startdate, enddate, days, 1, 2093 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 2094 ext_copy, 0, dateopt); 2095 end: 2096 X509_REQ_free(req); 2097 CONF_free(parms); 2098 NETSCAPE_SPKI_free(spki); 2099 X509_NAME_ENTRY_free(ne); 2100 2101 return ok; 2102 } 2103 2104 static int check_time_format(const char *str) 2105 { 2106 return ASN1_TIME_set_string(NULL, str); 2107 } 2108 2109 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 2110 const char *value) 2111 { 2112 const ASN1_TIME *tm = NULL; 2113 char *row[DB_NUMBER], **rrow, **irow; 2114 char *rev_str = NULL; 2115 BIGNUM *bn = NULL; 2116 int ok = -1, i; 2117 2118 for (i = 0; i < DB_NUMBER; i++) 2119 row[i] = NULL; 2120 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); 2121 bn = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x509), NULL); 2122 if (!bn) 2123 goto end; 2124 if (BN_is_zero(bn)) 2125 row[DB_serial] = OPENSSL_strdup("00"); 2126 else 2127 row[DB_serial] = BN_bn2hex(bn); 2128 BN_free(bn); 2129 if (row[DB_name] != NULL && row[DB_name][0] == '\0') { 2130 /* Entries with empty Subjects actually use the serial number instead */ 2131 OPENSSL_free(row[DB_name]); 2132 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 2133 } 2134 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { 2135 BIO_printf(bio_err, "Memory allocation failure\n"); 2136 goto end; 2137 } 2138 /* 2139 * We have to lookup by serial number because name lookup skips revoked 2140 * certs 2141 */ 2142 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2143 if (rrow == NULL) { 2144 BIO_printf(bio_err, 2145 "Adding Entry with serial number %s to DB for %s\n", 2146 row[DB_serial], row[DB_name]); 2147 2148 /* We now just add it to the database as DB_TYPE_REV('V') */ 2149 row[DB_type] = OPENSSL_strdup("V"); 2150 tm = X509_get0_notAfter(x509); 2151 row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); 2152 memcpy(row[DB_exp_date], tm->data, tm->length); 2153 row[DB_exp_date][tm->length] = '\0'; 2154 row[DB_rev_date] = NULL; 2155 row[DB_file] = OPENSSL_strdup("unknown"); 2156 2157 if (row[DB_type] == NULL || row[DB_file] == NULL) { 2158 BIO_printf(bio_err, "Memory allocation failure\n"); 2159 goto end; 2160 } 2161 2162 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr"); 2163 for (i = 0; i < DB_NUMBER; i++) 2164 irow[i] = row[i]; 2165 irow[DB_NUMBER] = NULL; 2166 2167 if (!TXT_DB_insert(db->db, irow)) { 2168 BIO_printf(bio_err, "failed to update database\n"); 2169 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 2170 OPENSSL_free(irow); 2171 goto end; 2172 } 2173 2174 for (i = 0; i < DB_NUMBER; i++) 2175 row[i] = NULL; 2176 2177 /* Revoke Certificate */ 2178 if (rev_type == REV_VALID) 2179 ok = 1; 2180 else 2181 /* Retry revocation after DB insertion */ 2182 ok = do_revoke(x509, db, rev_type, value); 2183 2184 goto end; 2185 2186 } else if (index_name_cmp_noconst(row, rrow)) { 2187 BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]); 2188 goto end; 2189 } else if (rev_type == REV_VALID) { 2190 BIO_printf(bio_err, "ERROR:Already present, serial number %s\n", 2191 row[DB_serial]); 2192 goto end; 2193 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2194 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n", 2195 row[DB_serial]); 2196 goto end; 2197 } else { 2198 BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); 2199 rev_str = make_revocation_str(rev_type, value); 2200 if (!rev_str) { 2201 BIO_printf(bio_err, "Error in revocation arguments\n"); 2202 goto end; 2203 } 2204 rrow[DB_type][0] = DB_TYPE_REV; 2205 rrow[DB_type][1] = '\0'; 2206 rrow[DB_rev_date] = rev_str; 2207 } 2208 ok = 1; 2209 end: 2210 for (i = 0; i < DB_NUMBER; i++) 2211 OPENSSL_free(row[i]); 2212 return ok; 2213 } 2214 2215 static int get_certificate_status(const char *serial, CA_DB *db) 2216 { 2217 char *row[DB_NUMBER], **rrow; 2218 int ok = -1, i; 2219 size_t serial_len = strlen(serial); 2220 2221 /* Free Resources */ 2222 for (i = 0; i < DB_NUMBER; i++) 2223 row[i] = NULL; 2224 2225 /* Malloc needed char spaces */ 2226 row[DB_serial] = app_malloc(serial_len + 2, "row serial#"); 2227 2228 if (serial_len % 2) { 2229 /* 2230 * Set the first char to 0 2231 */ 2232 row[DB_serial][0] = '0'; 2233 2234 /* Copy String from serial to row[DB_serial] */ 2235 memcpy(row[DB_serial] + 1, serial, serial_len); 2236 row[DB_serial][serial_len + 1] = '\0'; 2237 } else { 2238 /* Copy String from serial to row[DB_serial] */ 2239 memcpy(row[DB_serial], serial, serial_len); 2240 row[DB_serial][serial_len] = '\0'; 2241 } 2242 2243 /* Make it Upper Case */ 2244 make_uppercase(row[DB_serial]); 2245 2246 ok = 1; 2247 2248 /* Search for the certificate */ 2249 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2250 if (rrow == NULL) { 2251 BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]); 2252 ok = -1; 2253 goto end; 2254 } else if (rrow[DB_type][0] == DB_TYPE_VAL) { 2255 BIO_printf(bio_err, "%s=Valid (%c)\n", 2256 row[DB_serial], rrow[DB_type][0]); 2257 goto end; 2258 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2259 BIO_printf(bio_err, "%s=Revoked (%c)\n", 2260 row[DB_serial], rrow[DB_type][0]); 2261 goto end; 2262 } else if (rrow[DB_type][0] == DB_TYPE_EXP) { 2263 BIO_printf(bio_err, "%s=Expired (%c)\n", 2264 row[DB_serial], rrow[DB_type][0]); 2265 goto end; 2266 } else if (rrow[DB_type][0] == DB_TYPE_SUSP) { 2267 BIO_printf(bio_err, "%s=Suspended (%c)\n", 2268 row[DB_serial], rrow[DB_type][0]); 2269 goto end; 2270 } else { 2271 BIO_printf(bio_err, "%s=Unknown (%c).\n", 2272 row[DB_serial], rrow[DB_type][0]); 2273 ok = -1; 2274 } 2275 end: 2276 for (i = 0; i < DB_NUMBER; i++) { 2277 OPENSSL_free(row[i]); 2278 } 2279 return ok; 2280 } 2281 2282 static int do_updatedb(CA_DB *db) 2283 { 2284 ASN1_TIME *a_tm = NULL; 2285 int i, cnt = 0; 2286 char **rrow; 2287 2288 a_tm = ASN1_TIME_new(); 2289 if (a_tm == NULL) 2290 return -1; 2291 2292 /* get actual time */ 2293 if (X509_gmtime_adj(a_tm, 0) == NULL) { 2294 ASN1_TIME_free(a_tm); 2295 return -1; 2296 } 2297 2298 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 2299 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); 2300 2301 if (rrow[DB_type][0] == DB_TYPE_VAL) { 2302 /* ignore entries that are not valid */ 2303 ASN1_TIME *exp_date = NULL; 2304 2305 exp_date = ASN1_TIME_new(); 2306 if (exp_date == NULL) { 2307 ASN1_TIME_free(a_tm); 2308 return -1; 2309 } 2310 2311 if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { 2312 ASN1_TIME_free(a_tm); 2313 ASN1_TIME_free(exp_date); 2314 return -1; 2315 } 2316 2317 if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { 2318 rrow[DB_type][0] = DB_TYPE_EXP; 2319 rrow[DB_type][1] = '\0'; 2320 cnt++; 2321 2322 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); 2323 } 2324 ASN1_TIME_free(exp_date); 2325 } 2326 } 2327 2328 ASN1_TIME_free(a_tm); 2329 return cnt; 2330 } 2331 2332 static const char *crl_reasons[] = { 2333 /* CRL reason strings */ 2334 "unspecified", 2335 "keyCompromise", 2336 "CACompromise", 2337 "affiliationChanged", 2338 "superseded", 2339 "cessationOfOperation", 2340 "certificateHold", 2341 "removeFromCRL", 2342 /* Additional pseudo reasons */ 2343 "holdInstruction", 2344 "keyTime", 2345 "CAkeyTime" 2346 }; 2347 2348 #define NUM_REASONS OSSL_NELEM(crl_reasons) 2349 2350 /* 2351 * Given revocation information convert to a DB string. The format of the 2352 * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time 2353 * (the current time). 'reason' is the optional CRL reason and 'extra' is any 2354 * additional argument 2355 */ 2356 2357 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg) 2358 { 2359 char *str; 2360 const char *reason = NULL, *other = NULL; 2361 ASN1_OBJECT *otmp; 2362 ASN1_UTCTIME *revtm = NULL; 2363 int i; 2364 2365 switch (rev_type) { 2366 case REV_NONE: 2367 case REV_VALID: 2368 break; 2369 2370 case REV_CRL_REASON: 2371 for (i = 0; i < 8; i++) { 2372 if (OPENSSL_strcasecmp(rev_arg, crl_reasons[i]) == 0) { 2373 reason = crl_reasons[i]; 2374 break; 2375 } 2376 } 2377 if (reason == NULL) { 2378 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); 2379 return NULL; 2380 } 2381 break; 2382 2383 case REV_HOLD: 2384 /* Argument is an OID */ 2385 otmp = OBJ_txt2obj(rev_arg, 0); 2386 ASN1_OBJECT_free(otmp); 2387 2388 if (otmp == NULL) { 2389 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); 2390 return NULL; 2391 } 2392 2393 reason = "holdInstruction"; 2394 other = rev_arg; 2395 break; 2396 2397 case REV_KEY_COMPROMISE: 2398 case REV_CA_COMPROMISE: 2399 /* Argument is the key compromise time */ 2400 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { 2401 BIO_printf(bio_err, 2402 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", 2403 rev_arg); 2404 return NULL; 2405 } 2406 other = rev_arg; 2407 if (rev_type == REV_KEY_COMPROMISE) 2408 reason = "keyTime"; 2409 else 2410 reason = "CAkeyTime"; 2411 2412 break; 2413 } 2414 2415 revtm = X509_gmtime_adj(NULL, 0); 2416 2417 if (!revtm) 2418 return NULL; 2419 2420 i = revtm->length + 1; 2421 2422 if (reason) 2423 i += strlen(reason) + 1; 2424 if (other) 2425 i += strlen(other) + 1; 2426 2427 str = app_malloc(i, "revocation reason"); 2428 OPENSSL_strlcpy(str, (char *)revtm->data, i); 2429 if (reason) { 2430 OPENSSL_strlcat(str, ",", i); 2431 OPENSSL_strlcat(str, reason, i); 2432 } 2433 if (other) { 2434 OPENSSL_strlcat(str, ",", i); 2435 OPENSSL_strlcat(str, other, i); 2436 } 2437 ASN1_UTCTIME_free(revtm); 2438 return str; 2439 } 2440 2441 /*- 2442 * Convert revocation field to X509_REVOKED entry 2443 * return code: 2444 * 0 error 2445 * 1 OK 2446 * 2 OK and some extensions added (i.e. V2 CRL) 2447 */ 2448 2449 static int make_revoked(X509_REVOKED *rev, const char *str) 2450 { 2451 char *tmp = NULL; 2452 int reason_code = -1; 2453 int i, ret = 0; 2454 ASN1_OBJECT *hold = NULL; 2455 ASN1_GENERALIZEDTIME *comp_time = NULL; 2456 ASN1_ENUMERATED *rtmp = NULL; 2457 2458 ASN1_TIME *revDate = NULL; 2459 2460 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); 2461 2462 if (i == 0) 2463 goto end; 2464 2465 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) 2466 goto end; 2467 2468 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { 2469 rtmp = ASN1_ENUMERATED_new(); 2470 if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) 2471 goto end; 2472 if (X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0) <= 0) 2473 goto end; 2474 } 2475 2476 if (rev && comp_time) { 2477 if (X509_REVOKED_add1_ext_i2d 2478 (rev, NID_invalidity_date, comp_time, 0, 0) <= 0) 2479 goto end; 2480 } 2481 if (rev && hold) { 2482 if (X509_REVOKED_add1_ext_i2d 2483 (rev, NID_hold_instruction_code, hold, 0, 0) <= 0) 2484 goto end; 2485 } 2486 2487 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) 2488 ret = 2; 2489 else 2490 ret = 1; 2491 2492 end: 2493 2494 OPENSSL_free(tmp); 2495 ASN1_OBJECT_free(hold); 2496 ASN1_GENERALIZEDTIME_free(comp_time); 2497 ASN1_ENUMERATED_free(rtmp); 2498 ASN1_TIME_free(revDate); 2499 2500 return ret; 2501 } 2502 2503 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str) 2504 { 2505 char buf[25], *pbuf; 2506 const char *p; 2507 int j; 2508 2509 j = i2a_ASN1_OBJECT(bio_err, obj); 2510 pbuf = buf; 2511 for (j = 22 - j; j > 0; j--) 2512 *(pbuf++) = ' '; 2513 *(pbuf++) = ':'; 2514 *(pbuf++) = '\0'; 2515 BIO_puts(bio_err, buf); 2516 2517 if (str->type == V_ASN1_PRINTABLESTRING) 2518 BIO_printf(bio_err, "PRINTABLE:'"); 2519 else if (str->type == V_ASN1_T61STRING) 2520 BIO_printf(bio_err, "T61STRING:'"); 2521 else if (str->type == V_ASN1_IA5STRING) 2522 BIO_printf(bio_err, "IA5STRING:'"); 2523 else if (str->type == V_ASN1_UNIVERSALSTRING) 2524 BIO_printf(bio_err, "UNIVERSALSTRING:'"); 2525 else 2526 BIO_printf(bio_err, "ASN.1 %2d:'", str->type); 2527 2528 p = (const char *)str->data; 2529 for (j = str->length; j > 0; j--) { 2530 if ((*p >= ' ') && (*p <= '~')) 2531 BIO_printf(bio_err, "%c", *p); 2532 else if (*p & 0x80) 2533 BIO_printf(bio_err, "\\0x%02X", *p); 2534 else if ((unsigned char)*p == 0xf7) 2535 BIO_printf(bio_err, "^?"); 2536 else 2537 BIO_printf(bio_err, "^%c", *p + '@'); 2538 p++; 2539 } 2540 BIO_printf(bio_err, "'\n"); 2541 return 1; 2542 } 2543 2544 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, 2545 ASN1_GENERALIZEDTIME **pinvtm, const char *str) 2546 { 2547 char *tmp; 2548 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; 2549 int reason_code = -1; 2550 int ret = 0; 2551 unsigned int i; 2552 ASN1_OBJECT *hold = NULL; 2553 ASN1_GENERALIZEDTIME *comp_time = NULL; 2554 2555 tmp = OPENSSL_strdup(str); 2556 if (!tmp) { 2557 BIO_printf(bio_err, "memory allocation failure\n"); 2558 goto end; 2559 } 2560 2561 p = strchr(tmp, ','); 2562 2563 rtime_str = tmp; 2564 2565 if (p) { 2566 *p = '\0'; 2567 p++; 2568 reason_str = p; 2569 p = strchr(p, ','); 2570 if (p) { 2571 *p = '\0'; 2572 arg_str = p + 1; 2573 } 2574 } 2575 2576 if (prevtm) { 2577 *prevtm = ASN1_UTCTIME_new(); 2578 if (*prevtm == NULL) { 2579 BIO_printf(bio_err, "memory allocation failure\n"); 2580 goto end; 2581 } 2582 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { 2583 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); 2584 goto end; 2585 } 2586 } 2587 if (reason_str) { 2588 for (i = 0; i < NUM_REASONS; i++) { 2589 if (OPENSSL_strcasecmp(reason_str, crl_reasons[i]) == 0) { 2590 reason_code = i; 2591 break; 2592 } 2593 } 2594 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { 2595 BIO_printf(bio_err, "invalid reason code %s\n", reason_str); 2596 goto end; 2597 } 2598 2599 if (reason_code == 7) { 2600 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; 2601 } else if (reason_code == 8) { /* Hold instruction */ 2602 if (!arg_str) { 2603 BIO_printf(bio_err, "missing hold instruction\n"); 2604 goto end; 2605 } 2606 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; 2607 hold = OBJ_txt2obj(arg_str, 0); 2608 2609 if (!hold) { 2610 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); 2611 goto end; 2612 } 2613 if (phold) 2614 *phold = hold; 2615 else 2616 ASN1_OBJECT_free(hold); 2617 } else if ((reason_code == 9) || (reason_code == 10)) { 2618 if (!arg_str) { 2619 BIO_printf(bio_err, "missing compromised time\n"); 2620 goto end; 2621 } 2622 comp_time = ASN1_GENERALIZEDTIME_new(); 2623 if (comp_time == NULL) { 2624 BIO_printf(bio_err, "memory allocation failure\n"); 2625 goto end; 2626 } 2627 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { 2628 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); 2629 goto end; 2630 } 2631 if (reason_code == 9) 2632 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; 2633 else 2634 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; 2635 } 2636 } 2637 2638 if (preason) 2639 *preason = reason_code; 2640 if (pinvtm) { 2641 *pinvtm = comp_time; 2642 comp_time = NULL; 2643 } 2644 2645 ret = 1; 2646 2647 end: 2648 2649 OPENSSL_free(tmp); 2650 ASN1_GENERALIZEDTIME_free(comp_time); 2651 2652 return ret; 2653 } 2654