xref: /freebsd/crypto/openssl/apps/ca.c (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <string.h>
12 #include <ctype.h>
13 #include <sys/types.h>
14 #include <openssl/conf.h>
15 #include <openssl/bio.h>
16 #include <openssl/err.h>
17 #include <openssl/bn.h>
18 #include <openssl/txt_db.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21 #include <openssl/x509v3.h>
22 #include <openssl/objects.h>
23 #include <openssl/ocsp.h>
24 #include <openssl/pem.h>
25 
26 #ifndef W_OK
27 # ifdef OPENSSL_SYS_VMS
28 #  include <unistd.h>
29 # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_TANDEM)
30 #  include <sys/file.h>
31 # endif
32 #endif
33 
34 #include "apps.h"
35 #include "progs.h"
36 
37 #ifndef W_OK
38 # define F_OK 0
39 # define W_OK 2
40 # define R_OK 4
41 #endif
42 
43 #ifndef PATH_MAX
44 # define PATH_MAX 4096
45 #endif
46 
47 #define BASE_SECTION            "ca"
48 
49 #define ENV_DEFAULT_CA          "default_ca"
50 
51 #define STRING_MASK             "string_mask"
52 #define UTF8_IN                 "utf8"
53 
54 #define ENV_NEW_CERTS_DIR       "new_certs_dir"
55 #define ENV_CERTIFICATE         "certificate"
56 #define ENV_SERIAL              "serial"
57 #define ENV_RAND_SERIAL         "rand_serial"
58 #define ENV_CRLNUMBER           "crlnumber"
59 #define ENV_PRIVATE_KEY         "private_key"
60 #define ENV_DEFAULT_DAYS        "default_days"
61 #define ENV_DEFAULT_STARTDATE   "default_startdate"
62 #define ENV_DEFAULT_ENDDATE     "default_enddate"
63 #define ENV_DEFAULT_CRL_DAYS    "default_crl_days"
64 #define ENV_DEFAULT_CRL_HOURS   "default_crl_hours"
65 #define ENV_DEFAULT_MD          "default_md"
66 #define ENV_DEFAULT_EMAIL_DN    "email_in_dn"
67 #define ENV_PRESERVE            "preserve"
68 #define ENV_POLICY              "policy"
69 #define ENV_EXTENSIONS          "x509_extensions"
70 #define ENV_CRLEXT              "crl_extensions"
71 #define ENV_MSIE_HACK           "msie_hack"
72 #define ENV_NAMEOPT             "name_opt"
73 #define ENV_CERTOPT             "cert_opt"
74 #define ENV_EXTCOPY             "copy_extensions"
75 #define ENV_UNIQUE_SUBJECT      "unique_subject"
76 
77 #define ENV_DATABASE            "database"
78 
79 /* Additional revocation information types */
80 typedef enum {
81     REV_VALID             = -1, /* Valid (not-revoked) status */
82     REV_NONE              = 0, /* No additional information */
83     REV_CRL_REASON        = 1, /* Value is CRL reason code */
84     REV_HOLD              = 2, /* Value is hold instruction */
85     REV_KEY_COMPROMISE    = 3, /* Value is cert key compromise time */
86     REV_CA_COMPROMISE     = 4  /* Value is CA key compromise time */
87 } REVINFO_TYPE;
88 
89 static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
90 
91 static int certify(X509 **xret, const char *infile, int informat,
92                    EVP_PKEY *pkey, X509 *x509,
93                    const char *dgst,
94                    STACK_OF(OPENSSL_STRING) *sigopts,
95                    STACK_OF(OPENSSL_STRING) *vfyopts,
96                    STACK_OF(CONF_VALUE) *policy, CA_DB *db,
97                    BIGNUM *serial, const char *subj, unsigned long chtype,
98                    int multirdn, int email_dn, const char *startdate,
99                    const char *enddate,
100                    long days, int batch, const char *ext_sect, CONF *conf,
101                    int verbose, unsigned long certopt, unsigned long nameopt,
102                    int default_op, int ext_copy, int selfsign, unsigned long dateopt);
103 static int certify_cert(X509 **xret, const char *infile, int certformat,
104                         const char *passin, EVP_PKEY *pkey, X509 *x509,
105                         const char *dgst,
106                         STACK_OF(OPENSSL_STRING) *sigopts,
107                         STACK_OF(OPENSSL_STRING) *vfyopts,
108                         STACK_OF(CONF_VALUE) *policy, CA_DB *db,
109                         BIGNUM *serial, const char *subj, unsigned long chtype,
110                         int multirdn, int email_dn, const char *startdate,
111                         const char *enddate, long days, int batch, const char *ext_sect,
112                         CONF *conf, int verbose, unsigned long certopt,
113                         unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
114 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
115                          X509 *x509, const char *dgst,
116                          STACK_OF(OPENSSL_STRING) *sigopts,
117                          STACK_OF(CONF_VALUE) *policy, CA_DB *db,
118                          BIGNUM *serial, const char *subj, unsigned long chtype,
119                          int multirdn, int email_dn, const char *startdate,
120                          const char *enddate, long days, const char *ext_sect, CONF *conf,
121                          int verbose, unsigned long certopt,
122                          unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
123 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
124                    const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
125                    STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
126                    const char *subj, unsigned long chtype, int multirdn,
127                    int email_dn, const char *startdate, const char *enddate, long days,
128                    int batch, int verbose, X509_REQ *req, const char *ext_sect,
129                    CONF *conf, unsigned long certopt, unsigned long nameopt,
130                    int default_op, int ext_copy, int selfsign, unsigned long dateopt);
131 static int get_certificate_status(const char *ser_status, CA_DB *db);
132 static int do_updatedb(CA_DB *db);
133 static int check_time_format(const char *str);
134 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
135                      const char *extval);
136 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg);
137 static int make_revoked(X509_REVOKED *rev, const char *str);
138 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str);
139 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
140 
141 static CONF *extfile_conf = NULL;
142 static int preserve = 0;
143 static int msie_hack = 0;
144 
145 typedef enum OPTION_choice {
146     OPT_COMMON,
147     OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
148     OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
149     OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
150     OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
151     OPT_IN, OPT_INFORM, OPT_OUT, OPT_DATEOPT, OPT_OUTDIR, OPT_VFYOPT,
152     OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
153     OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
154     OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
155     OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
156     OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
157     OPT_RAND_SERIAL,
158     OPT_R_ENUM, OPT_PROV_ENUM,
159     /* Do not change the order here; see related case statements below */
160     OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE
161 } OPTION_CHOICE;
162 
163 const OPTIONS ca_options[] = {
164     {OPT_HELP_STR, 1, '-', "Usage: %s [options] [certreq...]\n"},
165 
166     OPT_SECTION("General"),
167     {"help", OPT_HELP, '-', "Display this summary"},
168     {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
169     {"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
170     {"in", OPT_IN, '<', "The input cert request(s)"},
171     {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
172     {"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
173     {"out", OPT_OUT, '>', "Where to put the output file(s)"},
174     {"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
175     {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
176     {"batch", OPT_BATCH, '-', "Don't ask questions"},
177     {"msie_hack", OPT_MSIE_HACK, '-',
178      "msie modifications to handle all Universal Strings"},
179     {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
180     {"spkac", OPT_SPKAC, '<',
181      "File contains DN and signed public key and challenge"},
182 #ifndef OPENSSL_NO_ENGINE
183     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
184 #endif
185 
186     OPT_SECTION("Configuration"),
187     {"config", OPT_CONFIG, 's', "A config file"},
188     {"name", OPT_NAME, 's', "The particular CA definition to use"},
189     {"section", OPT_NAME, 's', "An alias for -name"},
190     {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
191 
192     OPT_SECTION("Certificate"),
193     {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
194     {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"},
195     {"create_serial", OPT_CREATE_SERIAL, '-',
196      "If reading serial fails, create a new random serial"},
197     {"rand_serial", OPT_RAND_SERIAL, '-',
198      "Always create a random serial; do not store it"},
199     {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
200      "Deprecated; multi-valued RDNs support is always on."},
201     {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
202     {"enddate", OPT_ENDDATE, 's',
203      "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
204     {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
205     {"extensions", OPT_EXTENSIONS, 's',
206      "Extension section (override value in config file)"},
207     {"extfile", OPT_EXTFILE, '<',
208      "Configuration file with X509v3 extensions to add"},
209     {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
210     {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
211 
212     OPT_SECTION("Signing"),
213     {"md", OPT_MD, 's', "Digest to use, such as sha256"},
214     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
215     {"keyform", OPT_KEYFORM, 'f',
216      "Private key file format (ENGINE, other values ignored)"},
217     {"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"},
218     {"key", OPT_KEY, 's',
219      "Key to decrypt the private key or cert files if encrypted. Better use -passin"},
220     {"cert", OPT_CERT, '<', "The CA cert"},
221     {"certform", OPT_CERTFORM, 'F',
222      "Certificate input format (DER/PEM/P12); has no effect"},
223     {"selfsign", OPT_SELFSIGN, '-',
224      "Sign a cert with the key associated with it"},
225     {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
226     {"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
227 
228     OPT_SECTION("Revocation"),
229     {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
230     {"valid", OPT_VALID, 's',
231      "Add a Valid(not-revoked) DB entry about a cert (given in file)"},
232     {"status", OPT_STATUS, 's', "Shows cert status given the serial number"},
233     {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
234     {"crlexts", OPT_CRLEXTS, 's',
235      "CRL extension section (override value in config file)"},
236     {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"},
237     {"crl_hold", OPT_CRL_HOLD, 's',
238      "the hold instruction, an OID. Sets revocation reason to certificateHold"},
239     {"crl_compromise", OPT_CRL_COMPROMISE, 's',
240      "sets compromise time to val and the revocation reason to keyCompromise"},
241     {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
242      "sets compromise time to val and the revocation reason to CACompromise"},
243     {"crl_lastupdate", OPT_CRL_LASTUPDATE, 's',
244      "Sets the CRL lastUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
245     {"crl_nextupdate", OPT_CRL_NEXTUPDATE, 's',
246      "Sets the CRL nextUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
247     {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
248     {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
249     {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
250     {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
251 
252     OPT_R_OPTIONS,
253     OPT_PROV_OPTIONS,
254 
255     OPT_PARAMETERS(),
256     {"certreq", 0, 0, "Certificate requests to be signed (optional)"},
257     {NULL}
258 };
259 
260 int ca_main(int argc, char **argv)
261 {
262     CONF *conf = NULL;
263     ENGINE *e = NULL;
264     BIGNUM *crlnumber = NULL, *serial = NULL;
265     EVP_PKEY *pkey = NULL;
266     BIO *in = NULL, *out = NULL, *Sout = NULL;
267     ASN1_INTEGER *tmpser;
268     CA_DB *db = NULL;
269     DB_ATTR db_attr;
270     STACK_OF(CONF_VALUE) *attribs = NULL;
271     STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
272     STACK_OF(X509) *cert_sk = NULL;
273     X509_CRL *crl = NULL;
274     char *configfile = default_config_file, *section = NULL;
275     char def_dgst[80] = "";
276     char *dgst = NULL, *policy = NULL, *keyfile = NULL;
277     char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
278     int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF;
279     unsigned long dateopt = ASN1_DTFLGS_RFC822;
280     const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
281     const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
282     char *passin = NULL;
283     char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
284     const char *serialfile = NULL, *subj = NULL;
285     char *prog, *startdate = NULL, *enddate = NULL;
286     char *dbfile = NULL, *f;
287     char new_cert[PATH_MAX];
288     char tmp[10 + 1] = "\0";
289     char *const *pp;
290     const char *p;
291     size_t outdirlen = 0;
292     int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
293     int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
294     int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0;
295     int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
296     int rand_ser = 0, i, j, selfsign = 0, def_ret;
297     char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
298     long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
299     unsigned long chtype = MBSTRING_ASC, certopt = 0;
300     X509 *x509 = NULL, *x509p = NULL, *x = NULL;
301     REVINFO_TYPE rev_type = REV_NONE;
302     X509_REVOKED *r = NULL;
303     OPTION_CHOICE o;
304 
305     prog = opt_init(argc, argv, ca_options);
306     while ((o = opt_next()) != OPT_EOF) {
307         switch (o) {
308         case OPT_EOF:
309         case OPT_ERR:
310 opthelp:
311             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
312             goto end;
313         case OPT_HELP:
314             opt_help(ca_options);
315             ret = 0;
316             goto end;
317         case OPT_IN:
318             req = 1;
319             infile = opt_arg();
320             break;
321         case OPT_INFORM:
322             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
323                 goto opthelp;
324             break;
325         case OPT_OUT:
326             outfile = opt_arg();
327             break;
328         case OPT_DATEOPT:
329             if (!set_dateopt(&dateopt, opt_arg()))
330                 goto opthelp;
331             break;
332         case OPT_VERBOSE:
333             verbose = 1;
334             break;
335         case OPT_CONFIG:
336             configfile = opt_arg();
337             break;
338         case OPT_NAME:
339             section = opt_arg();
340             break;
341         case OPT_SUBJ:
342             subj = opt_arg();
343             /* preserve=1; */
344             break;
345         case OPT_UTF8:
346             chtype = MBSTRING_UTF8;
347             break;
348         case OPT_RAND_SERIAL:
349             rand_ser = 1;
350             break;
351         case OPT_CREATE_SERIAL:
352             create_ser = 1;
353             break;
354         case OPT_MULTIVALUE_RDN:
355             /* obsolete */
356             break;
357         case OPT_STARTDATE:
358             startdate = opt_arg();
359             break;
360         case OPT_ENDDATE:
361             enddate = opt_arg();
362             break;
363         case OPT_DAYS:
364             days = atoi(opt_arg());
365             break;
366         case OPT_MD:
367             dgst = opt_arg();
368             break;
369         case OPT_POLICY:
370             policy = opt_arg();
371             break;
372         case OPT_KEYFILE:
373             keyfile = opt_arg();
374             break;
375         case OPT_KEYFORM:
376             if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
377                 goto opthelp;
378             break;
379         case OPT_PASSIN:
380             passinarg = opt_arg();
381             break;
382         case OPT_R_CASES:
383             if (!opt_rand(o))
384                 goto end;
385             break;
386         case OPT_PROV_CASES:
387             if (!opt_provider(o))
388                 goto end;
389             break;
390         case OPT_KEY:
391             passin = opt_arg();
392             break;
393         case OPT_CERT:
394             certfile = opt_arg();
395             break;
396         case OPT_CERTFORM:
397             if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat))
398                 goto opthelp;
399             break;
400         case OPT_SELFSIGN:
401             selfsign = 1;
402             break;
403         case OPT_OUTDIR:
404             outdir = opt_arg();
405             break;
406         case OPT_SIGOPT:
407             if (sigopts == NULL)
408                 sigopts = sk_OPENSSL_STRING_new_null();
409             if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
410                 goto end;
411             break;
412         case OPT_VFYOPT:
413             if (vfyopts == NULL)
414                 vfyopts = sk_OPENSSL_STRING_new_null();
415             if (vfyopts == NULL || !sk_OPENSSL_STRING_push(vfyopts, opt_arg()))
416                 goto end;
417             break;
418         case OPT_NOTEXT:
419             notext = 1;
420             break;
421         case OPT_BATCH:
422             batch = 1;
423             break;
424         case OPT_PRESERVEDN:
425             preserve = 1;
426             break;
427         case OPT_NOEMAILDN:
428             email_dn = 0;
429             break;
430         case OPT_GENCRL:
431             gencrl = 1;
432             break;
433         case OPT_MSIE_HACK:
434             msie_hack = 1;
435             break;
436         case OPT_CRL_LASTUPDATE:
437             crl_lastupdate = opt_arg();
438             break;
439         case OPT_CRL_NEXTUPDATE:
440             crl_nextupdate = opt_arg();
441             break;
442         case OPT_CRLDAYS:
443             crldays = atol(opt_arg());
444             break;
445         case OPT_CRLHOURS:
446             crlhours = atol(opt_arg());
447             break;
448         case OPT_CRLSEC:
449             crlsec = atol(opt_arg());
450             break;
451         case OPT_INFILES:
452             req = 1;
453             goto end_of_options;
454         case OPT_SS_CERT:
455             ss_cert_file = opt_arg();
456             req = 1;
457             break;
458         case OPT_SPKAC:
459             spkac_file = opt_arg();
460             req = 1;
461             break;
462         case OPT_REVOKE:
463             infile = opt_arg();
464             dorevoke = 1;
465             break;
466         case OPT_VALID:
467             infile = opt_arg();
468             dorevoke = 2;
469             break;
470         case OPT_EXTENSIONS:
471             extensions = opt_arg();
472             break;
473         case OPT_EXTFILE:
474             extfile = opt_arg();
475             break;
476         case OPT_STATUS:
477             ser_status = opt_arg();
478             break;
479         case OPT_UPDATEDB:
480             doupdatedb = 1;
481             break;
482         case OPT_CRLEXTS:
483             crl_ext = opt_arg();
484             break;
485         case OPT_CRL_REASON:   /* := REV_CRL_REASON */
486         case OPT_CRL_HOLD:
487         case OPT_CRL_COMPROMISE:
488         case OPT_CRL_CA_COMPROMISE:
489             rev_arg = opt_arg();
490             rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON;
491             break;
492         case OPT_ENGINE:
493             e = setup_engine(opt_arg(), 0);
494             break;
495         }
496     }
497 
498 end_of_options:
499     /* Remaining args are files to certify. */
500     argc = opt_num_rest();
501     argv = opt_rest();
502 
503     if ((conf = app_load_config_verbose(configfile, 1)) == NULL)
504         goto end;
505     if (configfile != default_config_file && !app_load_modules(conf))
506         goto end;
507 
508     /* Lets get the config section we are using */
509     if (section == NULL
510         && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL)
511         goto end;
512 
513     p = NCONF_get_string(conf, NULL, "oid_file");
514     if (p == NULL)
515         ERR_clear_error();
516     if (p != NULL) {
517         BIO *oid_bio = BIO_new_file(p, "r");
518 
519         if (oid_bio == NULL) {
520             ERR_clear_error();
521         } else {
522             OBJ_create_objects(oid_bio);
523             BIO_free(oid_bio);
524         }
525     }
526     if (!add_oid_section(conf))
527         goto end;
528 
529     app_RAND_load_conf(conf, BASE_SECTION);
530     if (!app_RAND_load())
531         goto end;
532 
533     f = NCONF_get_string(conf, section, STRING_MASK);
534     if (f == NULL)
535         ERR_clear_error();
536 
537     if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) {
538         BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
539         goto end;
540     }
541 
542     if (chtype != MBSTRING_UTF8) {
543         f = NCONF_get_string(conf, section, UTF8_IN);
544         if (f == NULL)
545             ERR_clear_error();
546         else if (strcmp(f, "yes") == 0)
547             chtype = MBSTRING_UTF8;
548     }
549 
550     db_attr.unique_subject = 1;
551     p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
552     if (p != NULL)
553         db_attr.unique_subject = parse_yesno(p, 1);
554     else
555         ERR_clear_error();
556 
557     /*****************************************************************/
558     /* report status of cert with serial number given on command line */
559     if (ser_status) {
560         dbfile = lookup_conf(conf, section, ENV_DATABASE);
561         if (dbfile == NULL)
562             goto end;
563 
564         db = load_index(dbfile, &db_attr);
565         if (db == NULL) {
566             BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
567             goto end;
568         }
569 
570         if (index_index(db) <= 0)
571             goto end;
572 
573         if (get_certificate_status(ser_status, db) != 1)
574             BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status);
575         goto end;
576     }
577 
578     /*****************************************************************/
579     /* we definitely need a private key, so let's get it */
580 
581     if (keyfile == NULL
582         && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL)
583         goto end;
584 
585     if (passin == NULL) {
586         free_passin = 1;
587         if (!app_passwd(passinarg, NULL, &passin, NULL)) {
588             BIO_printf(bio_err, "Error getting password\n");
589             goto end;
590         }
591     }
592     pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
593     cleanse(passin);
594     if (pkey == NULL)
595         /* load_key() has already printed an appropriate message */
596         goto end;
597 
598     /*****************************************************************/
599     /* we need a certificate */
600     if (!selfsign || spkac_file || ss_cert_file || gencrl) {
601         if (certfile == NULL
602             && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
603             goto end;
604 
605         x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate");
606         if (x509 == NULL)
607             goto end;
608 
609         if (!X509_check_private_key(x509, pkey)) {
610             BIO_printf(bio_err,
611                        "CA certificate and CA private key do not match\n");
612             goto end;
613         }
614     }
615     if (!selfsign)
616         x509p = x509;
617 
618     f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
619     if (f == NULL)
620         ERR_clear_error();
621     if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
622         preserve = 1;
623     f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
624     if (f == NULL)
625         ERR_clear_error();
626     if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
627         msie_hack = 1;
628 
629     f = NCONF_get_string(conf, section, ENV_NAMEOPT);
630 
631     if (f != NULL) {
632         if (!set_nameopt(f)) {
633             BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
634             goto end;
635         }
636         default_op = 0;
637     }
638 
639     f = NCONF_get_string(conf, section, ENV_CERTOPT);
640 
641     if (f != NULL) {
642         if (!set_cert_ex(&certopt, f)) {
643             BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
644             goto end;
645         }
646         default_op = 0;
647     } else {
648         ERR_clear_error();
649     }
650 
651     f = NCONF_get_string(conf, section, ENV_EXTCOPY);
652 
653     if (f != NULL) {
654         if (!set_ext_copy(&ext_copy, f)) {
655             BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
656             goto end;
657         }
658     } else {
659         ERR_clear_error();
660     }
661 
662     /*****************************************************************/
663     /* lookup where to write new certificates */
664     if ((outdir == NULL) && (req)) {
665 
666         outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR);
667         if (outdir == NULL) {
668             BIO_printf(bio_err,
669                        "there needs to be defined a directory for new certificate to be placed in\n");
670             goto end;
671         }
672 #ifndef OPENSSL_SYS_VMS
673         /*
674          * outdir is a directory spec, but access() for VMS demands a
675          * filename.  We could use the DEC C routine to convert the
676          * directory syntax to Unix, and give that to app_isdir,
677          * but for now the fopen will catch the error if it's not a
678          * directory
679          */
680         if (app_isdir(outdir) <= 0) {
681             BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir);
682             perror(outdir);
683             goto end;
684         }
685 #endif
686     }
687 
688     /*****************************************************************/
689     /* we need to load the database file */
690     dbfile = lookup_conf(conf, section, ENV_DATABASE);
691     if (dbfile == NULL)
692         goto end;
693 
694     db = load_index(dbfile, &db_attr);
695     if (db == NULL) {
696         BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
697         goto end;
698     }
699 
700     /* Lets check some fields */
701     for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
702         pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
703         if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) {
704             BIO_printf(bio_err,
705                        "entry %d: not revoked yet, but has a revocation date\n",
706                        i + 1);
707             goto end;
708         }
709         if ((pp[DB_type][0] == DB_TYPE_REV) &&
710             !make_revoked(NULL, pp[DB_rev_date])) {
711             BIO_printf(bio_err, " in entry %d\n", i + 1);
712             goto end;
713         }
714         if (!check_time_format((char *)pp[DB_exp_date])) {
715             BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1);
716             goto end;
717         }
718         p = pp[DB_serial];
719         j = strlen(p);
720         if (*p == '-') {
721             p++;
722             j--;
723         }
724         if ((j & 1) || (j < 2)) {
725             BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n",
726                        i + 1, j);
727             goto end;
728         }
729         for ( ; *p; p++) {
730             if (!isxdigit(_UC(*p))) {
731                 BIO_printf(bio_err,
732                            "entry %d: bad char 0%o '%c' in serial number\n",
733                            i + 1, *p, *p);
734                 goto end;
735             }
736         }
737     }
738     if (verbose) {
739         TXT_DB_write(bio_out, db->db);
740         BIO_printf(bio_err, "%d entries loaded from the database\n",
741                    sk_OPENSSL_PSTRING_num(db->db->data));
742         BIO_printf(bio_err, "generating index\n");
743     }
744 
745     if (index_index(db) <= 0)
746         goto end;
747 
748     /*****************************************************************/
749     /* Update the db file for expired certificates */
750     if (doupdatedb) {
751         if (verbose)
752             BIO_printf(bio_err, "Updating %s ...\n", dbfile);
753 
754         i = do_updatedb(db);
755         if (i == -1) {
756             BIO_printf(bio_err, "Malloc failure\n");
757             goto end;
758         } else if (i == 0) {
759             if (verbose)
760                 BIO_printf(bio_err, "No entries found to mark expired\n");
761         } else {
762             if (!save_index(dbfile, "new", db))
763                 goto end;
764 
765             if (!rotate_index(dbfile, "new", "old"))
766                 goto end;
767 
768             if (verbose)
769                 BIO_printf(bio_err, "Done. %d entries marked as expired\n", i);
770         }
771     }
772 
773     /*****************************************************************/
774     /* Read extensions config file                                   */
775     if (extfile) {
776         if ((extfile_conf = app_load_config(extfile)) == NULL) {
777             ret = 1;
778             goto end;
779         }
780 
781         if (verbose)
782             BIO_printf(bio_err, "Successfully loaded extensions file %s\n",
783                        extfile);
784 
785         /* We can have sections in the ext file */
786         if (extensions == NULL) {
787             extensions = NCONF_get_string(extfile_conf, "default", "extensions");
788             if (extensions == NULL)
789                 extensions = "default";
790         }
791     }
792 
793     /*****************************************************************/
794     if (req || gencrl) {
795         if (spkac_file != NULL && outfile != NULL) {
796             output_der = 1;
797             batch = 1;
798         }
799     }
800 
801     def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst));
802     /*
803      * EVP_PKEY_get_default_digest_name() returns 2 if the digest is
804      * mandatory for this algorithm.
805      */
806     if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
807         /* The signing algorithm requires there to be no digest */
808         dgst = NULL;
809     } else if (dgst == NULL
810                && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
811         goto end;
812     } else {
813         if (strcmp(dgst, "default") == 0) {
814             if (def_ret <= 0) {
815                 BIO_puts(bio_err, "no default digest\n");
816                 goto end;
817             }
818             dgst = def_dgst;
819         }
820     }
821 
822     if (req) {
823         if (email_dn == 1) {
824             char *tmp_email_dn = NULL;
825 
826             tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN);
827             if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0)
828                 email_dn = 0;
829         }
830         if (verbose)
831             BIO_printf(bio_err, "message digest is %s\n", dgst);
832         if (policy == NULL
833             && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL)
834             goto end;
835 
836         if (verbose)
837             BIO_printf(bio_err, "policy is %s\n", policy);
838 
839         if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) {
840             rand_ser = 1;
841         } else {
842             serialfile = lookup_conf(conf, section, ENV_SERIAL);
843             if (serialfile == NULL)
844                 goto end;
845         }
846 
847         if (extfile_conf != NULL) {
848             /* Check syntax of extfile */
849             X509V3_CTX ctx;
850 
851             X509V3_set_ctx_test(&ctx);
852             X509V3_set_nconf(&ctx, extfile_conf);
853             if (!X509V3_EXT_add_nconf(extfile_conf, &ctx, extensions, NULL)) {
854                 BIO_printf(bio_err,
855                            "Error checking certificate extensions from extfile section %s\n",
856                            extensions);
857                 ret = 1;
858                 goto end;
859             }
860         } else {
861             /*
862              * no '-extfile' option, so we look for extensions in the main
863              * configuration file
864              */
865             if (extensions == NULL) {
866                 extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS);
867                 if (extensions == NULL)
868                     ERR_clear_error();
869             }
870             if (extensions != NULL) {
871                 /* Check syntax of config file section */
872                 X509V3_CTX ctx;
873 
874                 X509V3_set_ctx_test(&ctx);
875                 X509V3_set_nconf(&ctx, conf);
876                 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) {
877                     BIO_printf(bio_err,
878                                "Error checking certificate extension config section %s\n",
879                                extensions);
880                     ret = 1;
881                     goto end;
882                 }
883             }
884         }
885 
886         if (startdate == NULL) {
887             startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE);
888             if (startdate == NULL)
889                 ERR_clear_error();
890         }
891         if (startdate != NULL && !ASN1_TIME_set_string_X509(NULL, startdate)) {
892             BIO_printf(bio_err,
893                        "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
894             goto end;
895         }
896         if (startdate == NULL)
897             startdate = "today";
898 
899         if (enddate == NULL) {
900             enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE);
901             if (enddate == NULL)
902                 ERR_clear_error();
903         }
904         if (enddate != NULL && !ASN1_TIME_set_string_X509(NULL, enddate)) {
905             BIO_printf(bio_err,
906                        "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
907             goto end;
908         }
909 
910         if (days == 0) {
911             if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days))
912                 days = 0;
913         }
914         if (enddate == NULL && days == 0) {
915             BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
916             goto end;
917         }
918 
919         if (rand_ser) {
920             if ((serial = BN_new()) == NULL || !rand_serial(serial, NULL)) {
921                 BIO_printf(bio_err, "error generating serial number\n");
922                 goto end;
923             }
924         } else {
925             serial = load_serial(serialfile, NULL, create_ser, NULL);
926             if (serial == NULL) {
927                 BIO_printf(bio_err, "error while loading serial number\n");
928                 goto end;
929             }
930             if (verbose) {
931                 if (BN_is_zero(serial)) {
932                     BIO_printf(bio_err, "next serial number is 00\n");
933                 } else {
934                     if ((f = BN_bn2hex(serial)) == NULL)
935                         goto end;
936                     BIO_printf(bio_err, "next serial number is %s\n", f);
937                     OPENSSL_free(f);
938                 }
939             }
940         }
941 
942         if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
943             BIO_printf(bio_err, "unable to find 'section' for %s\n", policy);
944             goto end;
945         }
946 
947         if ((cert_sk = sk_X509_new_null()) == NULL) {
948             BIO_printf(bio_err, "Memory allocation failure\n");
949             goto end;
950         }
951         if (spkac_file != NULL) {
952             total++;
953             j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts,
954                               attribs, db, serial, subj, chtype, multirdn,
955                               email_dn, startdate, enddate, days, extensions,
956                               conf, verbose, certopt, get_nameopt(), default_op,
957                               ext_copy, dateopt);
958             if (j < 0)
959                 goto end;
960             if (j > 0) {
961                 total_done++;
962                 BIO_printf(bio_err, "\n");
963                 if (!BN_add_word(serial, 1))
964                     goto end;
965                 if (!sk_X509_push(cert_sk, x)) {
966                     BIO_printf(bio_err, "Memory allocation failure\n");
967                     goto end;
968                 }
969             }
970         }
971         if (ss_cert_file != NULL) {
972             total++;
973             j = certify_cert(&x, ss_cert_file, certformat, passin, pkey,
974                              x509, dgst, sigopts, vfyopts, attribs,
975                              db, serial, subj, chtype, multirdn, email_dn,
976                              startdate, enddate, days, batch, extensions,
977                              conf, verbose, certopt, get_nameopt(), default_op,
978                              ext_copy, dateopt);
979             if (j < 0)
980                 goto end;
981             if (j > 0) {
982                 total_done++;
983                 BIO_printf(bio_err, "\n");
984                 if (!BN_add_word(serial, 1))
985                     goto end;
986                 if (!sk_X509_push(cert_sk, x)) {
987                     BIO_printf(bio_err, "Memory allocation failure\n");
988                     goto end;
989                 }
990             }
991         }
992         if (infile != NULL) {
993             total++;
994             j = certify(&x, infile, informat, pkey, x509p, dgst,
995                         sigopts, vfyopts, attribs, db,
996                         serial, subj, chtype, multirdn, email_dn, startdate,
997                         enddate, days, batch, extensions, conf, verbose,
998                         certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
999             if (j < 0)
1000                 goto end;
1001             if (j > 0) {
1002                 total_done++;
1003                 BIO_printf(bio_err, "\n");
1004                 if (!BN_add_word(serial, 1))
1005                     goto end;
1006                 if (!sk_X509_push(cert_sk, x)) {
1007                     BIO_printf(bio_err, "Memory allocation failure\n");
1008                     goto end;
1009                 }
1010             }
1011         }
1012         for (i = 0; i < argc; i++) {
1013             total++;
1014             j = certify(&x, argv[i], informat, pkey, x509p, dgst,
1015                         sigopts, vfyopts,
1016                         attribs, db,
1017                         serial, subj, chtype, multirdn, email_dn, startdate,
1018                         enddate, days, batch, extensions, conf, verbose,
1019                         certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
1020             if (j < 0)
1021                 goto end;
1022             if (j > 0) {
1023                 total_done++;
1024                 BIO_printf(bio_err, "\n");
1025                 if (!BN_add_word(serial, 1)) {
1026                     X509_free(x);
1027                     goto end;
1028                 }
1029                 if (!sk_X509_push(cert_sk, x)) {
1030                     BIO_printf(bio_err, "Memory allocation failure\n");
1031                     X509_free(x);
1032                     goto end;
1033                 }
1034             }
1035         }
1036         /*
1037          * we have a stack of newly certified certificates and a data base
1038          * and serial number that need updating
1039          */
1040 
1041         if (sk_X509_num(cert_sk) > 0) {
1042             if (!batch) {
1043                 BIO_printf(bio_err,
1044                            "\n%d out of %d certificate requests certified, commit? [y/n]",
1045                            total_done, total);
1046                 (void)BIO_flush(bio_err);
1047                 tmp[0] = '\0';
1048                 if (fgets(tmp, sizeof(tmp), stdin) == NULL) {
1049                     BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1050                     ret = 0;
1051                     goto end;
1052                 }
1053                 if (tmp[0] != 'y' && tmp[0] != 'Y') {
1054                     BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1055                     ret = 0;
1056                     goto end;
1057                 }
1058             }
1059 
1060             BIO_printf(bio_err, "Write out database with %d new entries\n",
1061                        sk_X509_num(cert_sk));
1062 
1063             if (serialfile != NULL
1064                     && !save_serial(serialfile, "new", serial, NULL))
1065                 goto end;
1066 
1067             if (!save_index(dbfile, "new", db))
1068                 goto end;
1069         }
1070 
1071         outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert));
1072 #ifndef OPENSSL_SYS_VMS
1073         outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert));
1074 #endif
1075 
1076         if (verbose)
1077             BIO_printf(bio_err, "writing new certificates\n");
1078 
1079         for (i = 0; i < sk_X509_num(cert_sk); i++) {
1080             BIO *Cout = NULL;
1081             X509 *xi = sk_X509_value(cert_sk, i);
1082             const ASN1_INTEGER *serialNumber = X509_get0_serialNumber(xi);
1083             const unsigned char *psn = ASN1_STRING_get0_data(serialNumber);
1084             const int snl = ASN1_STRING_length(serialNumber);
1085             const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem");
1086             char *n = new_cert + outdirlen;
1087 
1088             if (outdirlen + filen_len > PATH_MAX) {
1089                 BIO_printf(bio_err, "certificate file name too long\n");
1090                 goto end;
1091             }
1092 
1093             if (snl > 0) {
1094                 static const char HEX_DIGITS[] = "0123456789ABCDEF";
1095 
1096                 for (j = 0; j < snl; j++, psn++) {
1097                     *n++ = HEX_DIGITS[*psn >> 4];
1098                     *n++ = HEX_DIGITS[*psn & 0x0F];
1099                 }
1100             } else {
1101                 *(n++) = '0';
1102                 *(n++) = '0';
1103             }
1104             *(n++) = '.';
1105             *(n++) = 'p';
1106             *(n++) = 'e';
1107             *(n++) = 'm';
1108             *n = '\0';          /* closing new_cert */
1109             if (verbose)
1110                 BIO_printf(bio_err, "writing %s\n", new_cert);
1111 
1112             Sout = bio_open_default(outfile, 'w',
1113                                     output_der ? FORMAT_ASN1 : FORMAT_TEXT);
1114             if (Sout == NULL)
1115                 goto end;
1116 
1117             Cout = BIO_new_file(new_cert, "w");
1118             if (Cout == NULL) {
1119                 perror(new_cert);
1120                 goto end;
1121             }
1122             write_new_certificate(Cout, xi, 0, notext);
1123             write_new_certificate(Sout, xi, output_der, notext);
1124             BIO_free_all(Cout);
1125             BIO_free_all(Sout);
1126             Sout = NULL;
1127         }
1128 
1129         if (sk_X509_num(cert_sk)) {
1130             /* Rename the database and the serial file */
1131             if (serialfile != NULL
1132                     && !rotate_serial(serialfile, "new", "old"))
1133                 goto end;
1134 
1135             if (!rotate_index(dbfile, "new", "old"))
1136                 goto end;
1137 
1138             BIO_printf(bio_err, "Data Base Updated\n");
1139         }
1140     }
1141 
1142     /*****************************************************************/
1143     if (gencrl) {
1144         int crl_v2 = 0;
1145         if (crl_ext == NULL) {
1146             crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
1147             if (crl_ext == NULL)
1148                 ERR_clear_error();
1149         }
1150         if (crl_ext != NULL) {
1151             /* Check syntax of file */
1152             X509V3_CTX ctx;
1153 
1154             X509V3_set_ctx_test(&ctx);
1155             X509V3_set_nconf(&ctx, conf);
1156             if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
1157                 BIO_printf(bio_err,
1158                            "Error checking CRL extension section %s\n", crl_ext);
1159                 ret = 1;
1160                 goto end;
1161             }
1162         }
1163 
1164         if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
1165             != NULL)
1166             if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
1167                 == NULL) {
1168                 BIO_printf(bio_err, "error while loading CRL number\n");
1169                 goto end;
1170             }
1171 
1172         if (!crldays && !crlhours && !crlsec) {
1173             if (!NCONF_get_number(conf, section,
1174                                   ENV_DEFAULT_CRL_DAYS, &crldays))
1175                 crldays = 0;
1176             if (!NCONF_get_number(conf, section,
1177                                   ENV_DEFAULT_CRL_HOURS, &crlhours))
1178                 crlhours = 0;
1179             ERR_clear_error();
1180         }
1181         if ((crl_nextupdate == NULL) &&
1182                 (crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1183             BIO_printf(bio_err,
1184                        "cannot lookup how long until the next CRL is issued\n");
1185             goto end;
1186         }
1187 
1188         if (verbose)
1189             BIO_printf(bio_err, "making CRL\n");
1190         if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
1191             goto end;
1192         if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1193             goto end;
1194 
1195         if (!set_crl_lastupdate(crl, crl_lastupdate)) {
1196             BIO_puts(bio_err, "error setting CRL lastUpdate\n");
1197             ret = 1;
1198             goto end;
1199         }
1200 
1201         if (!set_crl_nextupdate(crl, crl_nextupdate,
1202                                 crldays, crlhours, crlsec)) {
1203             BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1204             ret = 1;
1205             goto end;
1206         }
1207 
1208         for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1209             pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1210             if (pp[DB_type][0] == DB_TYPE_REV) {
1211                 if ((r = X509_REVOKED_new()) == NULL)
1212                     goto end;
1213                 j = make_revoked(r, pp[DB_rev_date]);
1214                 if (!j)
1215                     goto end;
1216                 if (j == 2)
1217                     crl_v2 = 1;
1218                 if (!BN_hex2bn(&serial, pp[DB_serial]))
1219                     goto end;
1220                 tmpser = BN_to_ASN1_INTEGER(serial, NULL);
1221                 BN_free(serial);
1222                 serial = NULL;
1223                 if (!tmpser)
1224                     goto end;
1225                 X509_REVOKED_set_serialNumber(r, tmpser);
1226                 ASN1_INTEGER_free(tmpser);
1227                 X509_CRL_add0_revoked(crl, r);
1228             }
1229         }
1230 
1231         /*
1232          * sort the data so it will be written in serial number order
1233          */
1234         X509_CRL_sort(crl);
1235 
1236         /* we now have a CRL */
1237         if (verbose)
1238             BIO_printf(bio_err, "signing CRL\n");
1239 
1240         /* Add any extensions asked for */
1241 
1242         if (crl_ext != NULL || crlnumberfile != NULL) {
1243             X509V3_CTX crlctx;
1244 
1245             X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1246             X509V3_set_nconf(&crlctx, conf);
1247 
1248             if (crl_ext != NULL)
1249                 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) {
1250                     BIO_printf(bio_err,
1251                                "Error adding CRL extensions from section %s\n", crl_ext);
1252                     goto end;
1253                 }
1254             if (crlnumberfile != NULL) {
1255                 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
1256                 if (!tmpser)
1257                     goto end;
1258                 X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0);
1259                 ASN1_INTEGER_free(tmpser);
1260                 crl_v2 = 1;
1261                 if (!BN_add_word(crlnumber, 1))
1262                     goto end;
1263             }
1264         }
1265         if (crl_ext != NULL || crl_v2) {
1266             if (!X509_CRL_set_version(crl, X509_CRL_VERSION_2))
1267                 goto end;
1268         }
1269 
1270         /* we have a CRL number that need updating */
1271         if (crlnumberfile != NULL
1272                 && !save_serial(crlnumberfile, "new", crlnumber, NULL))
1273             goto end;
1274 
1275         BN_free(crlnumber);
1276         crlnumber = NULL;
1277 
1278         if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts))
1279             goto end;
1280 
1281         Sout = bio_open_default(outfile, 'w',
1282                                 output_der ? FORMAT_ASN1 : FORMAT_TEXT);
1283         if (Sout == NULL)
1284             goto end;
1285 
1286         PEM_write_bio_X509_CRL(Sout, crl);
1287 
1288         /* Rename the crlnumber file */
1289         if (crlnumberfile != NULL
1290                 && !rotate_serial(crlnumberfile, "new", "old"))
1291             goto end;
1292 
1293     }
1294     /*****************************************************************/
1295     if (dorevoke) {
1296         if (infile == NULL) {
1297             BIO_printf(bio_err, "no input files\n");
1298             goto end;
1299         } else {
1300             X509 *revcert;
1301 
1302             revcert = load_cert_pass(infile, informat, 1, passin,
1303                                      "certificate to be revoked");
1304             if (revcert == NULL)
1305                 goto end;
1306             if (dorevoke == 2)
1307                 rev_type = REV_VALID;
1308             j = do_revoke(revcert, db, rev_type, rev_arg);
1309             if (j <= 0)
1310                 goto end;
1311             X509_free(revcert);
1312 
1313             if (!save_index(dbfile, "new", db))
1314                 goto end;
1315 
1316             if (!rotate_index(dbfile, "new", "old"))
1317                 goto end;
1318 
1319             BIO_printf(bio_err, "Data Base Updated\n");
1320         }
1321     }
1322     ret = 0;
1323 
1324  end:
1325     if (ret)
1326         ERR_print_errors(bio_err);
1327     BIO_free_all(Sout);
1328     BIO_free_all(out);
1329     BIO_free_all(in);
1330     sk_X509_pop_free(cert_sk, X509_free);
1331 
1332     cleanse(passin);
1333     if (free_passin)
1334         OPENSSL_free(passin);
1335     BN_free(serial);
1336     BN_free(crlnumber);
1337     free_index(db);
1338     sk_OPENSSL_STRING_free(sigopts);
1339     sk_OPENSSL_STRING_free(vfyopts);
1340     EVP_PKEY_free(pkey);
1341     X509_free(x509);
1342     X509_CRL_free(crl);
1343     NCONF_free(conf);
1344     NCONF_free(extfile_conf);
1345     release_engine(e);
1346     return ret;
1347 }
1348 
1349 static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
1350 {
1351     char *entry = NCONF_get_string(conf, section, tag);
1352     if (entry == NULL)
1353         BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag);
1354     return entry;
1355 }
1356 
1357 static int certify(X509 **xret, const char *infile, int informat,
1358                    EVP_PKEY *pkey, X509 *x509,
1359                    const char *dgst,
1360                    STACK_OF(OPENSSL_STRING) *sigopts,
1361                    STACK_OF(OPENSSL_STRING) *vfyopts,
1362                    STACK_OF(CONF_VALUE) *policy, CA_DB *db,
1363                    BIGNUM *serial, const char *subj, unsigned long chtype,
1364                    int multirdn, int email_dn, const char *startdate,
1365                    const char *enddate,
1366                    long days, int batch, const char *ext_sect, CONF *lconf,
1367                    int verbose, unsigned long certopt, unsigned long nameopt,
1368                    int default_op, int ext_copy, int selfsign, unsigned long dateopt)
1369 {
1370     X509_REQ *req = NULL;
1371     EVP_PKEY *pktmp = NULL;
1372     int ok = -1, i;
1373 
1374     req = load_csr(infile, informat, "certificate request");
1375     if (req == NULL)
1376         goto end;
1377     if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
1378         BIO_printf(bio_err, "Error unpacking public key\n");
1379         goto end;
1380     }
1381     if (verbose)
1382         X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT);
1383 
1384     BIO_printf(bio_err, "Check that the request matches the signature\n");
1385     ok = 0;
1386 
1387     if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1388         BIO_printf(bio_err,
1389                    "Certificate request and CA private key do not match\n");
1390         goto end;
1391     }
1392     i = do_X509_REQ_verify(req, pktmp, vfyopts);
1393     if (i < 0) {
1394         BIO_printf(bio_err, "Signature verification problems...\n");
1395         goto end;
1396     }
1397     if (i == 0) {
1398         BIO_printf(bio_err,
1399                    "Signature did not match the certificate request\n");
1400         goto end;
1401     }
1402     BIO_printf(bio_err, "Signature ok\n");
1403 
1404     ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
1405                  chtype, multirdn, email_dn, startdate, enddate, days, batch,
1406                  verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1407                  ext_copy, selfsign, dateopt);
1408 
1409  end:
1410     ERR_print_errors(bio_err);
1411     X509_REQ_free(req);
1412     return ok;
1413 }
1414 
1415 static int certify_cert(X509 **xret, const char *infile, int certformat,
1416                         const char *passin, EVP_PKEY *pkey, X509 *x509,
1417                         const char *dgst,
1418                         STACK_OF(OPENSSL_STRING) *sigopts,
1419                         STACK_OF(OPENSSL_STRING) *vfyopts,
1420                         STACK_OF(CONF_VALUE) *policy, CA_DB *db,
1421                         BIGNUM *serial, const char *subj, unsigned long chtype,
1422                         int multirdn, int email_dn, const char *startdate,
1423                         const char *enddate, long days, int batch, const char *ext_sect,
1424                         CONF *lconf, int verbose, unsigned long certopt,
1425                         unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
1426 {
1427     X509 *template_cert = NULL;
1428     X509_REQ *rreq = NULL;
1429     EVP_PKEY *pktmp = NULL;
1430     int ok = -1, i;
1431 
1432     if ((template_cert = load_cert_pass(infile, certformat, 1, passin,
1433                                         "template certificate")) == NULL)
1434         goto end;
1435     if (verbose)
1436         X509_print(bio_err, template_cert);
1437 
1438     BIO_printf(bio_err, "Check that the request matches the signature\n");
1439 
1440     if ((pktmp = X509_get0_pubkey(template_cert)) == NULL) {
1441         BIO_printf(bio_err, "error unpacking public key\n");
1442         goto end;
1443     }
1444     i = do_X509_verify(template_cert, pktmp, vfyopts);
1445     if (i < 0) {
1446         ok = 0;
1447         BIO_printf(bio_err, "Signature verification problems....\n");
1448         goto end;
1449     }
1450     if (i == 0) {
1451         ok = 0;
1452         BIO_printf(bio_err, "Signature did not match the certificate\n");
1453         goto end;
1454     } else {
1455         BIO_printf(bio_err, "Signature ok\n");
1456     }
1457 
1458     if ((rreq = X509_to_X509_REQ(template_cert, NULL, NULL)) == NULL)
1459         goto end;
1460 
1461     ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
1462                  chtype, multirdn, email_dn, startdate, enddate, days, batch,
1463                  verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1464                  ext_copy, 0, dateopt);
1465 
1466  end:
1467     X509_REQ_free(rreq);
1468     X509_free(template_cert);
1469     return ok;
1470 }
1471 
1472 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
1473                    const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
1474                    STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
1475                    const char *subj, unsigned long chtype, int multirdn,
1476                    int email_dn, const char *startdate, const char *enddate, long days,
1477                    int batch, int verbose, X509_REQ *req, const char *ext_sect,
1478                    CONF *lconf, unsigned long certopt, unsigned long nameopt,
1479                    int default_op, int ext_copy, int selfsign, unsigned long dateopt)
1480 {
1481     const X509_NAME *name = NULL;
1482     X509_NAME *CAname = NULL, *subject = NULL;
1483     const ASN1_TIME *tm;
1484     ASN1_STRING *str, *str2;
1485     ASN1_OBJECT *obj;
1486     X509 *ret = NULL;
1487     X509_NAME_ENTRY *ne, *tne;
1488     EVP_PKEY *pktmp;
1489     int ok = -1, i, j, last, nid;
1490     const char *p;
1491     CONF_VALUE *cv;
1492     OPENSSL_STRING row[DB_NUMBER];
1493     OPENSSL_STRING *irow = NULL;
1494     OPENSSL_STRING *rrow = NULL;
1495     char buf[25];
1496     X509V3_CTX ext_ctx;
1497 
1498     for (i = 0; i < DB_NUMBER; i++)
1499         row[i] = NULL;
1500 
1501     if (subj) {
1502         X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
1503 
1504         if (!n)
1505             goto end;
1506         X509_REQ_set_subject_name(req, n);
1507         X509_NAME_free(n);
1508     }
1509 
1510     if (default_op)
1511         BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n");
1512 
1513     name = X509_REQ_get_subject_name(req);
1514     for (i = 0; i < X509_NAME_entry_count(name); i++) {
1515         ne = X509_NAME_get_entry(name, i);
1516         str = X509_NAME_ENTRY_get_data(ne);
1517         obj = X509_NAME_ENTRY_get_object(ne);
1518         nid = OBJ_obj2nid(obj);
1519 
1520         if (msie_hack) {
1521             /* assume all type should be strings */
1522 
1523             if (str->type == V_ASN1_UNIVERSALSTRING)
1524                 ASN1_UNIVERSALSTRING_to_string(str);
1525 
1526             if (str->type == V_ASN1_IA5STRING && nid != NID_pkcs9_emailAddress)
1527                 str->type = V_ASN1_T61STRING;
1528 
1529             if (nid == NID_pkcs9_emailAddress
1530                 && str->type == V_ASN1_PRINTABLESTRING)
1531                 str->type = V_ASN1_IA5STRING;
1532         }
1533 
1534         /* If no EMAIL is wanted in the subject */
1535         if (nid == NID_pkcs9_emailAddress && !email_dn)
1536             continue;
1537 
1538         /* check some things */
1539         if (nid == NID_pkcs9_emailAddress && str->type != V_ASN1_IA5STRING) {
1540             BIO_printf(bio_err,
1541                        "\nemailAddress type needs to be of type IA5STRING\n");
1542             goto end;
1543         }
1544         if (str->type != V_ASN1_BMPSTRING && str->type != V_ASN1_UTF8STRING) {
1545             j = ASN1_PRINTABLE_type(str->data, str->length);
1546             if ((j == V_ASN1_T61STRING && str->type != V_ASN1_T61STRING) ||
1547                 (j == V_ASN1_IA5STRING && str->type == V_ASN1_PRINTABLESTRING))
1548             {
1549                 BIO_printf(bio_err,
1550                            "\nThe string contains characters that are illegal for the ASN.1 type\n");
1551                 goto end;
1552             }
1553         }
1554 
1555         if (default_op)
1556             old_entry_print(obj, str);
1557     }
1558 
1559     /* Ok, now we check the 'policy' stuff. */
1560     if ((subject = X509_NAME_new()) == NULL) {
1561         BIO_printf(bio_err, "Memory allocation failure\n");
1562         goto end;
1563     }
1564 
1565     /* take a copy of the issuer name before we mess with it. */
1566     if (selfsign)
1567         CAname = X509_NAME_dup(name);
1568     else
1569         CAname = X509_NAME_dup(X509_get_subject_name(x509));
1570     if (CAname == NULL)
1571         goto end;
1572     str = str2 = NULL;
1573 
1574     for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1575         cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1576         if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1577             BIO_printf(bio_err,
1578                        "%s:unknown object type in 'policy' configuration\n",
1579                        cv->name);
1580             goto end;
1581         }
1582         obj = OBJ_nid2obj(j);
1583 
1584         last = -1;
1585         for (;;) {
1586             X509_NAME_ENTRY *push = NULL;
1587 
1588             /* lookup the object in the supplied name list */
1589             j = X509_NAME_get_index_by_OBJ(name, obj, last);
1590             if (j < 0) {
1591                 if (last != -1)
1592                     break;
1593                 tne = NULL;
1594             } else {
1595                 tne = X509_NAME_get_entry(name, j);
1596             }
1597             last = j;
1598 
1599             /* depending on the 'policy', decide what to do. */
1600             if (strcmp(cv->value, "optional") == 0) {
1601                 if (tne != NULL)
1602                     push = tne;
1603             } else if (strcmp(cv->value, "supplied") == 0) {
1604                 if (tne == NULL) {
1605                     BIO_printf(bio_err,
1606                                "The %s field needed to be supplied and was missing\n",
1607                                cv->name);
1608                     goto end;
1609                 } else {
1610                     push = tne;
1611                 }
1612             } else if (strcmp(cv->value, "match") == 0) {
1613                 int last2;
1614 
1615                 if (tne == NULL) {
1616                     BIO_printf(bio_err,
1617                                "The mandatory %s field was missing\n",
1618                                cv->name);
1619                     goto end;
1620                 }
1621 
1622                 last2 = -1;
1623 
1624  again2:
1625                 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1626                 if ((j < 0) && (last2 == -1)) {
1627                     BIO_printf(bio_err,
1628                                "The %s field does not exist in the CA certificate,\n"
1629                                "the 'policy' is misconfigured\n", cv->name);
1630                     goto end;
1631                 }
1632                 if (j >= 0) {
1633                     push = X509_NAME_get_entry(CAname, j);
1634                     str = X509_NAME_ENTRY_get_data(tne);
1635                     str2 = X509_NAME_ENTRY_get_data(push);
1636                     last2 = j;
1637                     if (ASN1_STRING_cmp(str, str2) != 0)
1638                         goto again2;
1639                 }
1640                 if (j < 0) {
1641                     BIO_printf(bio_err,
1642                                "The %s field is different between\n"
1643                                "CA certificate (%s) and the request (%s)\n",
1644                                cv->name,
1645                                ((str2 == NULL) ? "NULL" : (char *)str2->data),
1646                                ((str == NULL) ? "NULL" : (char *)str->data));
1647                     goto end;
1648                 }
1649             } else {
1650                 BIO_printf(bio_err,
1651                            "%s:invalid type in 'policy' configuration\n",
1652                            cv->value);
1653                 goto end;
1654             }
1655 
1656             if (push != NULL) {
1657                 if (!X509_NAME_add_entry(subject, push, -1, 0)) {
1658                     BIO_printf(bio_err, "Memory allocation failure\n");
1659                     goto end;
1660                 }
1661             }
1662             if (j < 0)
1663                 break;
1664         }
1665     }
1666 
1667     if (preserve) {
1668         X509_NAME_free(subject);
1669         /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1670         subject = X509_NAME_dup(name);
1671         if (subject == NULL)
1672             goto end;
1673     }
1674 
1675     /* We are now totally happy, lets make and sign the certificate */
1676     if (verbose)
1677         BIO_printf(bio_err,
1678                    "Everything appears to be ok, creating and signing the certificate\n");
1679 
1680     if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
1681         goto end;
1682 
1683     if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
1684         goto end;
1685     if (selfsign) {
1686         if (!X509_set_issuer_name(ret, subject))
1687             goto end;
1688     } else {
1689         if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1690             goto end;
1691     }
1692 
1693     if (!set_cert_times(ret, startdate, enddate, days))
1694         goto end;
1695 
1696     if (enddate != NULL) {
1697         int tdays;
1698 
1699         if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret)))
1700             goto end;
1701         days = tdays;
1702     }
1703 
1704     if (!X509_set_subject_name(ret, subject))
1705         goto end;
1706 
1707     pktmp = X509_REQ_get0_pubkey(req);
1708     i = X509_set_pubkey(ret, pktmp);
1709     if (!i)
1710         goto end;
1711 
1712     /* Initialize the context structure */
1713     X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
1714                    ret, req, NULL, X509V3_CTX_REPLACE);
1715 
1716     /* Lets add the extensions, if there are any */
1717     if (ext_sect) {
1718         if (extfile_conf != NULL) {
1719             if (verbose)
1720                 BIO_printf(bio_err, "Extra configuration file found\n");
1721 
1722             /* Use the extfile_conf configuration db LHASH */
1723             X509V3_set_nconf(&ext_ctx, extfile_conf);
1724 
1725             /* Adds exts contained in the configuration file */
1726             if (!X509V3_EXT_add_nconf(extfile_conf, &ext_ctx, ext_sect, ret)) {
1727                 BIO_printf(bio_err,
1728                            "Error adding certificate extensions from extfile section %s\n",
1729                            ext_sect);
1730                 goto end;
1731             }
1732             if (verbose)
1733                 BIO_printf(bio_err,
1734                            "Successfully added extensions from file.\n");
1735         } else if (ext_sect) {
1736             /* We found extensions to be set from config file */
1737             X509V3_set_nconf(&ext_ctx, lconf);
1738 
1739             if (!X509V3_EXT_add_nconf(lconf, &ext_ctx, ext_sect, ret)) {
1740                 BIO_printf(bio_err,
1741                            "Error adding certificate extensions from config section %s\n",
1742                            ext_sect);
1743                 goto end;
1744             }
1745 
1746             if (verbose)
1747                 BIO_printf(bio_err,
1748                            "Successfully added extensions from config\n");
1749         }
1750     }
1751 
1752     /* Copy extensions from request (if any) */
1753 
1754     if (!copy_extensions(ret, req, ext_copy)) {
1755         BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1756         goto end;
1757     }
1758 
1759     if (verbose)
1760         BIO_printf(bio_err,
1761                    "The subject name appears to be ok, checking data base for clashes\n");
1762 
1763     /* Build the correct Subject if no e-mail is wanted in the subject. */
1764     if (!email_dn) {
1765         X509_NAME_ENTRY *tmpne;
1766         X509_NAME *dn_subject;
1767 
1768         /*
1769          * Its best to dup the subject DN and then delete any email addresses
1770          * because this retains its structure.
1771          */
1772         if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
1773             BIO_printf(bio_err, "Memory allocation failure\n");
1774             goto end;
1775         }
1776         i = -1;
1777         while ((i = X509_NAME_get_index_by_NID(dn_subject,
1778                                                NID_pkcs9_emailAddress,
1779                                                i)) >= 0) {
1780             tmpne = X509_NAME_delete_entry(dn_subject, i--);
1781             X509_NAME_ENTRY_free(tmpne);
1782         }
1783 
1784         if (!X509_set_subject_name(ret, dn_subject)) {
1785             X509_NAME_free(dn_subject);
1786             goto end;
1787         }
1788         X509_NAME_free(dn_subject);
1789     }
1790 
1791     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
1792     if (row[DB_name] == NULL) {
1793         BIO_printf(bio_err, "Memory allocation failure\n");
1794         goto end;
1795     }
1796 
1797     if (BN_is_zero(serial))
1798         row[DB_serial] = OPENSSL_strdup("00");
1799     else
1800         row[DB_serial] = BN_bn2hex(serial);
1801     if (row[DB_serial] == NULL) {
1802         BIO_printf(bio_err, "Memory allocation failure\n");
1803         goto end;
1804     }
1805 
1806     if (row[DB_name][0] == '\0') {
1807         /*
1808          * An empty subject! We'll use the serial number instead. If
1809          * unique_subject is in use then we don't want different entries with
1810          * empty subjects matching each other.
1811          */
1812         OPENSSL_free(row[DB_name]);
1813         row[DB_name] = OPENSSL_strdup(row[DB_serial]);
1814         if (row[DB_name] == NULL) {
1815             BIO_printf(bio_err, "Memory allocation failure\n");
1816             goto end;
1817         }
1818     }
1819 
1820     if (db->attributes.unique_subject) {
1821         OPENSSL_STRING *crow = row;
1822 
1823         rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
1824         if (rrow != NULL) {
1825             BIO_printf(bio_err,
1826                        "ERROR:There is already a certificate for %s\n",
1827                        row[DB_name]);
1828         }
1829     }
1830     if (rrow == NULL) {
1831         rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
1832         if (rrow != NULL) {
1833             BIO_printf(bio_err,
1834                        "ERROR:Serial number %s has already been issued,\n",
1835                        row[DB_serial]);
1836             BIO_printf(bio_err,
1837                        "      check the database/serial_file for corruption\n");
1838         }
1839     }
1840 
1841     if (rrow != NULL) {
1842         BIO_printf(bio_err, "The matching entry has the following details\n");
1843         if (rrow[DB_type][0] == DB_TYPE_EXP)
1844             p = "Expired";
1845         else if (rrow[DB_type][0] == DB_TYPE_REV)
1846             p = "Revoked";
1847         else if (rrow[DB_type][0] == DB_TYPE_VAL)
1848             p = "Valid";
1849         else
1850             p = "\ninvalid type, Data base error\n";
1851         BIO_printf(bio_err, "Type          :%s\n", p);;
1852         if (rrow[DB_type][0] == DB_TYPE_REV) {
1853             p = rrow[DB_exp_date];
1854             if (p == NULL)
1855                 p = "undef";
1856             BIO_printf(bio_err, "Was revoked on:%s\n", p);
1857         }
1858         p = rrow[DB_exp_date];
1859         if (p == NULL)
1860             p = "undef";
1861         BIO_printf(bio_err, "Expires on    :%s\n", p);
1862         p = rrow[DB_serial];
1863         if (p == NULL)
1864             p = "undef";
1865         BIO_printf(bio_err, "Serial Number :%s\n", p);
1866         p = rrow[DB_file];
1867         if (p == NULL)
1868             p = "undef";
1869         BIO_printf(bio_err, "File name     :%s\n", p);
1870         p = rrow[DB_name];
1871         if (p == NULL)
1872             p = "undef";
1873         BIO_printf(bio_err, "Subject Name  :%s\n", p);
1874         ok = -1;                /* This is now a 'bad' error. */
1875         goto end;
1876     }
1877 
1878     if (!default_op) {
1879         BIO_printf(bio_err, "Certificate Details:\n");
1880         /*
1881          * Never print signature details because signature not present
1882          */
1883         certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
1884         X509_print_ex(bio_err, ret, nameopt, certopt);
1885     }
1886 
1887     BIO_printf(bio_err, "Certificate is to be certified until ");
1888     ASN1_TIME_print_ex(bio_err, X509_get0_notAfter(ret), dateopt);
1889     if (days)
1890         BIO_printf(bio_err, " (%ld days)", days);
1891     BIO_printf(bio_err, "\n");
1892 
1893     if (!batch) {
1894 
1895         BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1896         (void)BIO_flush(bio_err);
1897         buf[0] = '\0';
1898         if (fgets(buf, sizeof(buf), stdin) == NULL) {
1899             BIO_printf(bio_err,
1900                        "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1901             ok = 0;
1902             goto end;
1903         }
1904         if (!(buf[0] == 'y' || buf[0] == 'Y')) {
1905             BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n");
1906             ok = 0;
1907             goto end;
1908         }
1909     }
1910 
1911     pktmp = X509_get0_pubkey(ret);
1912     if (EVP_PKEY_missing_parameters(pktmp) &&
1913         !EVP_PKEY_missing_parameters(pkey))
1914         EVP_PKEY_copy_parameters(pktmp, pkey);
1915 
1916     if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx))
1917         goto end;
1918 
1919     /* We now just add it to the database as DB_TYPE_VAL('V') */
1920     row[DB_type] = OPENSSL_strdup("V");
1921     tm = X509_get0_notAfter(ret);
1922     row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
1923     memcpy(row[DB_exp_date], tm->data, tm->length);
1924     row[DB_exp_date][tm->length] = '\0';
1925     row[DB_rev_date] = NULL;
1926     row[DB_file] = OPENSSL_strdup("unknown");
1927     if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
1928         || (row[DB_name] == NULL)) {
1929         BIO_printf(bio_err, "Memory allocation failure\n");
1930         goto end;
1931     }
1932 
1933     irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
1934     for (i = 0; i < DB_NUMBER; i++)
1935         irow[i] = row[i];
1936     irow[DB_NUMBER] = NULL;
1937 
1938     if (!TXT_DB_insert(db->db, irow)) {
1939         BIO_printf(bio_err, "failed to update database\n");
1940         BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1941         goto end;
1942     }
1943     irow = NULL;
1944     ok = 1;
1945  end:
1946     if (ok != 1) {
1947         for (i = 0; i < DB_NUMBER; i++)
1948             OPENSSL_free(row[i]);
1949     }
1950     OPENSSL_free(irow);
1951 
1952     X509_NAME_free(CAname);
1953     X509_NAME_free(subject);
1954     if (ok <= 0)
1955         X509_free(ret);
1956     else
1957         *xret = ret;
1958     return ok;
1959 }
1960 
1961 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
1962 {
1963 
1964     if (output_der) {
1965         (void)i2d_X509_bio(bp, x);
1966         return;
1967     }
1968     if (!notext)
1969         X509_print(bp, x);
1970     PEM_write_bio_X509(bp, x);
1971 }
1972 
1973 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
1974                          X509 *x509, const char *dgst,
1975                          STACK_OF(OPENSSL_STRING) *sigopts,
1976                          STACK_OF(CONF_VALUE) *policy, CA_DB *db,
1977                          BIGNUM *serial, const char *subj, unsigned long chtype,
1978                          int multirdn, int email_dn, const char *startdate,
1979                          const char *enddate, long days, const char *ext_sect,
1980                          CONF *lconf, int verbose, unsigned long certopt,
1981                          unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
1982 {
1983     STACK_OF(CONF_VALUE) *sk = NULL;
1984     LHASH_OF(CONF_VALUE) *parms = NULL;
1985     X509_REQ *req = NULL;
1986     CONF_VALUE *cv = NULL;
1987     NETSCAPE_SPKI *spki = NULL;
1988     char *type, *buf;
1989     EVP_PKEY *pktmp = NULL;
1990     X509_NAME *n = NULL;
1991     X509_NAME_ENTRY *ne = NULL;
1992     int ok = -1, i, j;
1993     long errline;
1994     int nid;
1995 
1996     /*
1997      * Load input file into a hash table.  (This is just an easy
1998      * way to read and parse the file, then put it into a convenient
1999      * STACK format).
2000      */
2001     parms = CONF_load(NULL, infile, &errline);
2002     if (parms == NULL) {
2003         BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile);
2004         goto end;
2005     }
2006 
2007     sk = CONF_get_section(parms, "default");
2008     if (sk_CONF_VALUE_num(sk) == 0) {
2009         BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2010         goto end;
2011     }
2012 
2013     /*
2014      * Now create a dummy X509 request structure.  We don't actually
2015      * have an X509 request, but we have many of the components
2016      * (a public key, various DN components).  The idea is that we
2017      * put these components into the right X509 request structure
2018      * and we can use the same code as if you had a real X509 request.
2019      */
2020     req = X509_REQ_new();
2021     if (req == NULL)
2022         goto end;
2023 
2024     /*
2025      * Build up the subject name set.
2026      */
2027     n = X509_REQ_get_subject_name(req);
2028 
2029     for (i = 0;; i++) {
2030         if (sk_CONF_VALUE_num(sk) <= i)
2031             break;
2032 
2033         cv = sk_CONF_VALUE_value(sk, i);
2034         type = cv->name;
2035         /*
2036          * Skip past any leading X. X: X, etc to allow for multiple instances
2037          */
2038         for (buf = cv->name; *buf; buf++)
2039             if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2040                 buf++;
2041                 if (*buf)
2042                     type = buf;
2043                 break;
2044             }
2045 
2046         buf = cv->value;
2047         if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2048             if (strcmp(type, "SPKAC") == 0) {
2049                 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2050                 if (spki == NULL) {
2051                     BIO_printf(bio_err,
2052                                "unable to load Netscape SPKAC structure\n");
2053                     goto end;
2054                 }
2055             }
2056             continue;
2057         }
2058 
2059         if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2060                                         (unsigned char *)buf, -1, -1, 0))
2061             goto end;
2062     }
2063     if (spki == NULL) {
2064         BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n",
2065                    infile);
2066         goto end;
2067     }
2068 
2069     /*
2070      * Now extract the key from the SPKI structure.
2071      */
2072 
2073     BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n");
2074 
2075     if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2076         BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2077         goto end;
2078     }
2079 
2080     j = NETSCAPE_SPKI_verify(spki, pktmp);
2081     if (j <= 0) {
2082         EVP_PKEY_free(pktmp);
2083         BIO_printf(bio_err,
2084                    "signature verification failed on SPKAC public key\n");
2085         goto end;
2086     }
2087     BIO_printf(bio_err, "Signature ok\n");
2088 
2089     X509_REQ_set_pubkey(req, pktmp);
2090     EVP_PKEY_free(pktmp);
2091     ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
2092                  chtype, multirdn, email_dn, startdate, enddate, days, 1,
2093                  verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2094                  ext_copy, 0, dateopt);
2095  end:
2096     X509_REQ_free(req);
2097     CONF_free(parms);
2098     NETSCAPE_SPKI_free(spki);
2099     X509_NAME_ENTRY_free(ne);
2100 
2101     return ok;
2102 }
2103 
2104 static int check_time_format(const char *str)
2105 {
2106     return ASN1_TIME_set_string(NULL, str);
2107 }
2108 
2109 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
2110                      const char *value)
2111 {
2112     const ASN1_TIME *tm = NULL;
2113     char *row[DB_NUMBER], **rrow, **irow;
2114     char *rev_str = NULL;
2115     BIGNUM *bn = NULL;
2116     int ok = -1, i;
2117 
2118     for (i = 0; i < DB_NUMBER; i++)
2119         row[i] = NULL;
2120     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2121     bn = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x509), NULL);
2122     if (!bn)
2123         goto end;
2124     if (BN_is_zero(bn))
2125         row[DB_serial] = OPENSSL_strdup("00");
2126     else
2127         row[DB_serial] = BN_bn2hex(bn);
2128     BN_free(bn);
2129     if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
2130         /* Entries with empty Subjects actually use the serial number instead */
2131         OPENSSL_free(row[DB_name]);
2132         row[DB_name] = OPENSSL_strdup(row[DB_serial]);
2133     }
2134     if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2135         BIO_printf(bio_err, "Memory allocation failure\n");
2136         goto end;
2137     }
2138     /*
2139      * We have to lookup by serial number because name lookup skips revoked
2140      * certs
2141      */
2142     rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2143     if (rrow == NULL) {
2144         BIO_printf(bio_err,
2145                    "Adding Entry with serial number %s to DB for %s\n",
2146                    row[DB_serial], row[DB_name]);
2147 
2148         /* We now just add it to the database as DB_TYPE_REV('V') */
2149         row[DB_type] = OPENSSL_strdup("V");
2150         tm = X509_get0_notAfter(x509);
2151         row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
2152         memcpy(row[DB_exp_date], tm->data, tm->length);
2153         row[DB_exp_date][tm->length] = '\0';
2154         row[DB_rev_date] = NULL;
2155         row[DB_file] = OPENSSL_strdup("unknown");
2156 
2157         if (row[DB_type] == NULL || row[DB_file] == NULL) {
2158             BIO_printf(bio_err, "Memory allocation failure\n");
2159             goto end;
2160         }
2161 
2162         irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr");
2163         for (i = 0; i < DB_NUMBER; i++)
2164             irow[i] = row[i];
2165         irow[DB_NUMBER] = NULL;
2166 
2167         if (!TXT_DB_insert(db->db, irow)) {
2168             BIO_printf(bio_err, "failed to update database\n");
2169             BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
2170             OPENSSL_free(irow);
2171             goto end;
2172         }
2173 
2174         for (i = 0; i < DB_NUMBER; i++)
2175             row[i] = NULL;
2176 
2177         /* Revoke Certificate */
2178         if (rev_type == REV_VALID)
2179             ok = 1;
2180         else
2181             /* Retry revocation after DB insertion */
2182             ok = do_revoke(x509, db, rev_type, value);
2183 
2184         goto end;
2185 
2186     } else if (index_name_cmp_noconst(row, rrow)) {
2187         BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]);
2188         goto end;
2189     } else if (rev_type == REV_VALID) {
2190         BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
2191                    row[DB_serial]);
2192         goto end;
2193     } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2194         BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2195                    row[DB_serial]);
2196         goto end;
2197     } else {
2198         BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]);
2199         rev_str = make_revocation_str(rev_type, value);
2200         if (!rev_str) {
2201             BIO_printf(bio_err, "Error in revocation arguments\n");
2202             goto end;
2203         }
2204         rrow[DB_type][0] = DB_TYPE_REV;
2205         rrow[DB_type][1] = '\0';
2206         rrow[DB_rev_date] = rev_str;
2207     }
2208     ok = 1;
2209  end:
2210     for (i = 0; i < DB_NUMBER; i++)
2211         OPENSSL_free(row[i]);
2212     return ok;
2213 }
2214 
2215 static int get_certificate_status(const char *serial, CA_DB *db)
2216 {
2217     char *row[DB_NUMBER], **rrow;
2218     int ok = -1, i;
2219     size_t serial_len = strlen(serial);
2220 
2221     /* Free Resources */
2222     for (i = 0; i < DB_NUMBER; i++)
2223         row[i] = NULL;
2224 
2225     /* Malloc needed char spaces */
2226     row[DB_serial] = app_malloc(serial_len + 2, "row serial#");
2227 
2228     if (serial_len % 2) {
2229         /*
2230          * Set the first char to 0
2231          */
2232         row[DB_serial][0] = '0';
2233 
2234         /* Copy String from serial to row[DB_serial] */
2235         memcpy(row[DB_serial] + 1, serial, serial_len);
2236         row[DB_serial][serial_len + 1] = '\0';
2237     } else {
2238         /* Copy String from serial to row[DB_serial] */
2239         memcpy(row[DB_serial], serial, serial_len);
2240         row[DB_serial][serial_len] = '\0';
2241     }
2242 
2243     /* Make it Upper Case */
2244     make_uppercase(row[DB_serial]);
2245 
2246     ok = 1;
2247 
2248     /* Search for the certificate */
2249     rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2250     if (rrow == NULL) {
2251         BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]);
2252         ok = -1;
2253         goto end;
2254     } else if (rrow[DB_type][0] == DB_TYPE_VAL) {
2255         BIO_printf(bio_err, "%s=Valid (%c)\n",
2256                    row[DB_serial], rrow[DB_type][0]);
2257         goto end;
2258     } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2259         BIO_printf(bio_err, "%s=Revoked (%c)\n",
2260                    row[DB_serial], rrow[DB_type][0]);
2261         goto end;
2262     } else if (rrow[DB_type][0] == DB_TYPE_EXP) {
2263         BIO_printf(bio_err, "%s=Expired (%c)\n",
2264                    row[DB_serial], rrow[DB_type][0]);
2265         goto end;
2266     } else if (rrow[DB_type][0] == DB_TYPE_SUSP) {
2267         BIO_printf(bio_err, "%s=Suspended (%c)\n",
2268                    row[DB_serial], rrow[DB_type][0]);
2269         goto end;
2270     } else {
2271         BIO_printf(bio_err, "%s=Unknown (%c).\n",
2272                    row[DB_serial], rrow[DB_type][0]);
2273         ok = -1;
2274     }
2275  end:
2276     for (i = 0; i < DB_NUMBER; i++) {
2277         OPENSSL_free(row[i]);
2278     }
2279     return ok;
2280 }
2281 
2282 static int do_updatedb(CA_DB *db)
2283 {
2284     ASN1_TIME *a_tm = NULL;
2285     int i, cnt = 0;
2286     char **rrow;
2287 
2288     a_tm = ASN1_TIME_new();
2289     if (a_tm == NULL)
2290         return -1;
2291 
2292     /* get actual time */
2293     if (X509_gmtime_adj(a_tm, 0) == NULL) {
2294         ASN1_TIME_free(a_tm);
2295         return -1;
2296     }
2297 
2298     for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2299         rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2300 
2301         if (rrow[DB_type][0] == DB_TYPE_VAL) {
2302             /* ignore entries that are not valid */
2303             ASN1_TIME *exp_date = NULL;
2304 
2305             exp_date = ASN1_TIME_new();
2306             if (exp_date == NULL) {
2307                 ASN1_TIME_free(a_tm);
2308                 return -1;
2309             }
2310 
2311             if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) {
2312                 ASN1_TIME_free(a_tm);
2313                 ASN1_TIME_free(exp_date);
2314                 return -1;
2315             }
2316 
2317             if (ASN1_TIME_compare(exp_date, a_tm) <= 0) {
2318                 rrow[DB_type][0] = DB_TYPE_EXP;
2319                 rrow[DB_type][1] = '\0';
2320                 cnt++;
2321 
2322                 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
2323             }
2324             ASN1_TIME_free(exp_date);
2325         }
2326     }
2327 
2328     ASN1_TIME_free(a_tm);
2329     return cnt;
2330 }
2331 
2332 static const char *crl_reasons[] = {
2333     /* CRL reason strings */
2334     "unspecified",
2335     "keyCompromise",
2336     "CACompromise",
2337     "affiliationChanged",
2338     "superseded",
2339     "cessationOfOperation",
2340     "certificateHold",
2341     "removeFromCRL",
2342     /* Additional pseudo reasons */
2343     "holdInstruction",
2344     "keyTime",
2345     "CAkeyTime"
2346 };
2347 
2348 #define NUM_REASONS OSSL_NELEM(crl_reasons)
2349 
2350 /*
2351  * Given revocation information convert to a DB string. The format of the
2352  * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time
2353  * (the current time). 'reason' is the optional CRL reason and 'extra' is any
2354  * additional argument
2355  */
2356 
2357 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg)
2358 {
2359     char *str;
2360     const char *reason = NULL, *other = NULL;
2361     ASN1_OBJECT *otmp;
2362     ASN1_UTCTIME *revtm = NULL;
2363     int i;
2364 
2365     switch (rev_type) {
2366     case REV_NONE:
2367     case REV_VALID:
2368         break;
2369 
2370     case REV_CRL_REASON:
2371         for (i = 0; i < 8; i++) {
2372             if (OPENSSL_strcasecmp(rev_arg, crl_reasons[i]) == 0) {
2373                 reason = crl_reasons[i];
2374                 break;
2375             }
2376         }
2377         if (reason == NULL) {
2378             BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2379             return NULL;
2380         }
2381         break;
2382 
2383     case REV_HOLD:
2384         /* Argument is an OID */
2385         otmp = OBJ_txt2obj(rev_arg, 0);
2386         ASN1_OBJECT_free(otmp);
2387 
2388         if (otmp == NULL) {
2389             BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2390             return NULL;
2391         }
2392 
2393         reason = "holdInstruction";
2394         other = rev_arg;
2395         break;
2396 
2397     case REV_KEY_COMPROMISE:
2398     case REV_CA_COMPROMISE:
2399         /* Argument is the key compromise time  */
2400         if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2401             BIO_printf(bio_err,
2402                        "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2403                        rev_arg);
2404             return NULL;
2405         }
2406         other = rev_arg;
2407         if (rev_type == REV_KEY_COMPROMISE)
2408             reason = "keyTime";
2409         else
2410             reason = "CAkeyTime";
2411 
2412         break;
2413     }
2414 
2415     revtm = X509_gmtime_adj(NULL, 0);
2416 
2417     if (!revtm)
2418         return NULL;
2419 
2420     i = revtm->length + 1;
2421 
2422     if (reason)
2423         i += strlen(reason) + 1;
2424     if (other)
2425         i += strlen(other) + 1;
2426 
2427     str = app_malloc(i, "revocation reason");
2428     OPENSSL_strlcpy(str, (char *)revtm->data, i);
2429     if (reason) {
2430         OPENSSL_strlcat(str, ",", i);
2431         OPENSSL_strlcat(str, reason, i);
2432     }
2433     if (other) {
2434         OPENSSL_strlcat(str, ",", i);
2435         OPENSSL_strlcat(str, other, i);
2436     }
2437     ASN1_UTCTIME_free(revtm);
2438     return str;
2439 }
2440 
2441 /*-
2442  * Convert revocation field to X509_REVOKED entry
2443  * return code:
2444  * 0 error
2445  * 1 OK
2446  * 2 OK and some extensions added (i.e. V2 CRL)
2447  */
2448 
2449 static int make_revoked(X509_REVOKED *rev, const char *str)
2450 {
2451     char *tmp = NULL;
2452     int reason_code = -1;
2453     int i, ret = 0;
2454     ASN1_OBJECT *hold = NULL;
2455     ASN1_GENERALIZEDTIME *comp_time = NULL;
2456     ASN1_ENUMERATED *rtmp = NULL;
2457 
2458     ASN1_TIME *revDate = NULL;
2459 
2460     i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2461 
2462     if (i == 0)
2463         goto end;
2464 
2465     if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2466         goto end;
2467 
2468     if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2469         rtmp = ASN1_ENUMERATED_new();
2470         if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code))
2471             goto end;
2472         if (X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0) <= 0)
2473             goto end;
2474     }
2475 
2476     if (rev && comp_time) {
2477         if (X509_REVOKED_add1_ext_i2d
2478             (rev, NID_invalidity_date, comp_time, 0, 0) <= 0)
2479             goto end;
2480     }
2481     if (rev && hold) {
2482         if (X509_REVOKED_add1_ext_i2d
2483             (rev, NID_hold_instruction_code, hold, 0, 0) <= 0)
2484             goto end;
2485     }
2486 
2487     if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2488         ret = 2;
2489     else
2490         ret = 1;
2491 
2492  end:
2493 
2494     OPENSSL_free(tmp);
2495     ASN1_OBJECT_free(hold);
2496     ASN1_GENERALIZEDTIME_free(comp_time);
2497     ASN1_ENUMERATED_free(rtmp);
2498     ASN1_TIME_free(revDate);
2499 
2500     return ret;
2501 }
2502 
2503 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str)
2504 {
2505     char buf[25], *pbuf;
2506     const char *p;
2507     int j;
2508 
2509     j = i2a_ASN1_OBJECT(bio_err, obj);
2510     pbuf = buf;
2511     for (j = 22 - j; j > 0; j--)
2512         *(pbuf++) = ' ';
2513     *(pbuf++) = ':';
2514     *(pbuf++) = '\0';
2515     BIO_puts(bio_err, buf);
2516 
2517     if (str->type == V_ASN1_PRINTABLESTRING)
2518         BIO_printf(bio_err, "PRINTABLE:'");
2519     else if (str->type == V_ASN1_T61STRING)
2520         BIO_printf(bio_err, "T61STRING:'");
2521     else if (str->type == V_ASN1_IA5STRING)
2522         BIO_printf(bio_err, "IA5STRING:'");
2523     else if (str->type == V_ASN1_UNIVERSALSTRING)
2524         BIO_printf(bio_err, "UNIVERSALSTRING:'");
2525     else
2526         BIO_printf(bio_err, "ASN.1 %2d:'", str->type);
2527 
2528     p = (const char *)str->data;
2529     for (j = str->length; j > 0; j--) {
2530         if ((*p >= ' ') && (*p <= '~'))
2531             BIO_printf(bio_err, "%c", *p);
2532         else if (*p & 0x80)
2533             BIO_printf(bio_err, "\\0x%02X", *p);
2534         else if ((unsigned char)*p == 0xf7)
2535             BIO_printf(bio_err, "^?");
2536         else
2537             BIO_printf(bio_err, "^%c", *p + '@');
2538         p++;
2539     }
2540     BIO_printf(bio_err, "'\n");
2541     return 1;
2542 }
2543 
2544 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
2545                    ASN1_GENERALIZEDTIME **pinvtm, const char *str)
2546 {
2547     char *tmp;
2548     char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2549     int reason_code = -1;
2550     int ret = 0;
2551     unsigned int i;
2552     ASN1_OBJECT *hold = NULL;
2553     ASN1_GENERALIZEDTIME *comp_time = NULL;
2554 
2555     tmp = OPENSSL_strdup(str);
2556     if (!tmp) {
2557         BIO_printf(bio_err, "memory allocation failure\n");
2558         goto end;
2559     }
2560 
2561     p = strchr(tmp, ',');
2562 
2563     rtime_str = tmp;
2564 
2565     if (p) {
2566         *p = '\0';
2567         p++;
2568         reason_str = p;
2569         p = strchr(p, ',');
2570         if (p) {
2571             *p = '\0';
2572             arg_str = p + 1;
2573         }
2574     }
2575 
2576     if (prevtm) {
2577         *prevtm = ASN1_UTCTIME_new();
2578         if (*prevtm == NULL) {
2579             BIO_printf(bio_err, "memory allocation failure\n");
2580             goto end;
2581         }
2582         if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2583             BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
2584             goto end;
2585         }
2586     }
2587     if (reason_str) {
2588         for (i = 0; i < NUM_REASONS; i++) {
2589             if (OPENSSL_strcasecmp(reason_str, crl_reasons[i]) == 0) {
2590                 reason_code = i;
2591                 break;
2592             }
2593         }
2594         if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2595             BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
2596             goto end;
2597         }
2598 
2599         if (reason_code == 7) {
2600             reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2601         } else if (reason_code == 8) { /* Hold instruction */
2602             if (!arg_str) {
2603                 BIO_printf(bio_err, "missing hold instruction\n");
2604                 goto end;
2605             }
2606             reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2607             hold = OBJ_txt2obj(arg_str, 0);
2608 
2609             if (!hold) {
2610                 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
2611                 goto end;
2612             }
2613             if (phold)
2614                 *phold = hold;
2615             else
2616                 ASN1_OBJECT_free(hold);
2617         } else if ((reason_code == 9) || (reason_code == 10)) {
2618             if (!arg_str) {
2619                 BIO_printf(bio_err, "missing compromised time\n");
2620                 goto end;
2621             }
2622             comp_time = ASN1_GENERALIZEDTIME_new();
2623             if (comp_time == NULL) {
2624                 BIO_printf(bio_err, "memory allocation failure\n");
2625                 goto end;
2626             }
2627             if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) {
2628                 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
2629                 goto end;
2630             }
2631             if (reason_code == 9)
2632                 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2633             else
2634                 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2635         }
2636     }
2637 
2638     if (preason)
2639         *preason = reason_code;
2640     if (pinvtm) {
2641         *pinvtm = comp_time;
2642         comp_time = NULL;
2643     }
2644 
2645     ret = 1;
2646 
2647  end:
2648 
2649     OPENSSL_free(tmp);
2650     ASN1_GENERALIZEDTIME_free(comp_time);
2651 
2652     return ret;
2653 }
2654