1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 #include <stdio.h> 10 #include <stdlib.h> 11 #include <string.h> 12 #include <ctype.h> 13 #include <sys/types.h> 14 #include <openssl/conf.h> 15 #include <openssl/bio.h> 16 #include <openssl/err.h> 17 #include <openssl/bn.h> 18 #include <openssl/txt_db.h> 19 #include <openssl/evp.h> 20 #include <openssl/x509.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/objects.h> 23 #include <openssl/ocsp.h> 24 #include <openssl/pem.h> 25 26 #ifndef W_OK 27 # ifdef OPENSSL_SYS_VMS 28 # include <unistd.h> 29 # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) 30 # include <sys/file.h> 31 # endif 32 #endif 33 34 #include "apps.h" 35 #include "progs.h" 36 37 #ifndef W_OK 38 # define F_OK 0 39 # define W_OK 2 40 # define R_OK 4 41 #endif 42 43 #ifndef PATH_MAX 44 # define PATH_MAX 4096 45 #endif 46 47 #define BASE_SECTION "ca" 48 49 #define ENV_DEFAULT_CA "default_ca" 50 51 #define STRING_MASK "string_mask" 52 #define UTF8_IN "utf8" 53 54 #define ENV_NEW_CERTS_DIR "new_certs_dir" 55 #define ENV_CERTIFICATE "certificate" 56 #define ENV_SERIAL "serial" 57 #define ENV_RAND_SERIAL "rand_serial" 58 #define ENV_CRLNUMBER "crlnumber" 59 #define ENV_PRIVATE_KEY "private_key" 60 #define ENV_DEFAULT_DAYS "default_days" 61 #define ENV_DEFAULT_STARTDATE "default_startdate" 62 #define ENV_DEFAULT_ENDDATE "default_enddate" 63 #define ENV_DEFAULT_CRL_DAYS "default_crl_days" 64 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" 65 #define ENV_DEFAULT_MD "default_md" 66 #define ENV_DEFAULT_EMAIL_DN "email_in_dn" 67 #define ENV_PRESERVE "preserve" 68 #define ENV_POLICY "policy" 69 #define ENV_EXTENSIONS "x509_extensions" 70 #define ENV_CRLEXT "crl_extensions" 71 #define ENV_MSIE_HACK "msie_hack" 72 #define ENV_NAMEOPT "name_opt" 73 #define ENV_CERTOPT "cert_opt" 74 #define ENV_EXTCOPY "copy_extensions" 75 #define ENV_UNIQUE_SUBJECT "unique_subject" 76 77 #define ENV_DATABASE "database" 78 79 /* Additional revocation information types */ 80 typedef enum { 81 REV_VALID = -1, /* Valid (not-revoked) status */ 82 REV_NONE = 0, /* No additional information */ 83 REV_CRL_REASON = 1, /* Value is CRL reason code */ 84 REV_HOLD = 2, /* Value is hold instruction */ 85 REV_KEY_COMPROMISE = 3, /* Value is cert key compromise time */ 86 REV_CA_COMPROMISE = 4 /* Value is CA key compromise time */ 87 } REVINFO_TYPE; 88 89 static char *lookup_conf(const CONF *conf, const char *group, const char *tag); 90 91 static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 92 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 93 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 94 BIGNUM *serial, const char *subj, unsigned long chtype, 95 int multirdn, int email_dn, const char *startdate, 96 const char *enddate, 97 long days, int batch, const char *ext_sect, CONF *conf, 98 int verbose, unsigned long certopt, unsigned long nameopt, 99 int default_op, int ext_copy, int selfsign); 100 static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 101 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 102 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 103 BIGNUM *serial, const char *subj, unsigned long chtype, 104 int multirdn, int email_dn, const char *startdate, 105 const char *enddate, long days, int batch, const char *ext_sect, 106 CONF *conf, int verbose, unsigned long certopt, 107 unsigned long nameopt, int default_op, int ext_copy); 108 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 109 X509 *x509, const EVP_MD *dgst, 110 STACK_OF(OPENSSL_STRING) *sigopts, 111 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 112 BIGNUM *serial, const char *subj, unsigned long chtype, 113 int multirdn, int email_dn, const char *startdate, 114 const char *enddate, long days, const char *ext_sect, CONF *conf, 115 int verbose, unsigned long certopt, 116 unsigned long nameopt, int default_op, int ext_copy); 117 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 118 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 119 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 120 const char *subj, unsigned long chtype, int multirdn, 121 int email_dn, const char *startdate, const char *enddate, long days, 122 int batch, int verbose, X509_REQ *req, const char *ext_sect, 123 CONF *conf, unsigned long certopt, unsigned long nameopt, 124 int default_op, int ext_copy, int selfsign); 125 static int get_certificate_status(const char *ser_status, CA_DB *db); 126 static int do_updatedb(CA_DB *db); 127 static int check_time_format(const char *str); 128 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 129 const char *extval); 130 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg); 131 static int make_revoked(X509_REVOKED *rev, const char *str); 132 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str); 133 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); 134 135 static CONF *extconf = NULL; 136 static int preserve = 0; 137 static int msie_hack = 0; 138 139 typedef enum OPTION_choice { 140 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 141 OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, 142 OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, 143 OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, 144 OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, 145 OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, 146 OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, 147 OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, 148 OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, 149 OPT_RAND_SERIAL, 150 OPT_R_ENUM, 151 /* Do not change the order here; see related case statements below */ 152 OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE 153 } OPTION_CHOICE; 154 155 const OPTIONS ca_options[] = { 156 {"help", OPT_HELP, '-', "Display this summary"}, 157 {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, 158 {"config", OPT_CONFIG, 's', "A config file"}, 159 {"name", OPT_NAME, 's', "The particular CA definition to use"}, 160 {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, 161 {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, 162 {"create_serial", OPT_CREATE_SERIAL, '-', 163 "If reading serial fails, create a new random serial"}, 164 {"rand_serial", OPT_RAND_SERIAL, '-', 165 "Always create a random serial; do not store it"}, 166 {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', 167 "Enable support for multivalued RDNs"}, 168 {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, 169 {"enddate", OPT_ENDDATE, 's', 170 "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, 171 {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, 172 {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, 173 {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, 174 {"keyfile", OPT_KEYFILE, 's', "Private key"}, 175 {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, 176 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, 177 {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, 178 {"cert", OPT_CERT, '<', "The CA cert"}, 179 {"selfsign", OPT_SELFSIGN, '-', 180 "Sign a cert with the key associated with it"}, 181 {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, 182 {"out", OPT_OUT, '>', "Where to put the output file(s)"}, 183 {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, 184 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 185 {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, 186 {"batch", OPT_BATCH, '-', "Don't ask questions"}, 187 {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, 188 {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, 189 {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, 190 {"msie_hack", OPT_MSIE_HACK, '-', 191 "msie modifications to handle all those universal strings"}, 192 {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, 193 {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, 194 {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, 195 {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, 196 {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, 197 {"spkac", OPT_SPKAC, '<', 198 "File contains DN and signed public key and challenge"}, 199 {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, 200 {"valid", OPT_VALID, 's', 201 "Add a Valid(not-revoked) DB entry about a cert (given in file)"}, 202 {"extensions", OPT_EXTENSIONS, 's', 203 "Extension section (override value in config file)"}, 204 {"extfile", OPT_EXTFILE, '<', 205 "Configuration file with X509v3 extensions to add"}, 206 {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, 207 {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, 208 {"crlexts", OPT_CRLEXTS, 's', 209 "CRL extension section (override value in config file)"}, 210 {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"}, 211 {"crl_hold", OPT_CRL_HOLD, 's', 212 "the hold instruction, an OID. Sets revocation reason to certificateHold"}, 213 {"crl_compromise", OPT_CRL_COMPROMISE, 's', 214 "sets compromise time to val and the revocation reason to keyCompromise"}, 215 {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', 216 "sets compromise time to val and the revocation reason to CACompromise"}, 217 OPT_R_OPTIONS, 218 #ifndef OPENSSL_NO_ENGINE 219 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 220 #endif 221 {NULL} 222 }; 223 224 int ca_main(int argc, char **argv) 225 { 226 CONF *conf = NULL; 227 ENGINE *e = NULL; 228 BIGNUM *crlnumber = NULL, *serial = NULL; 229 EVP_PKEY *pkey = NULL; 230 BIO *in = NULL, *out = NULL, *Sout = NULL; 231 ASN1_INTEGER *tmpser; 232 ASN1_TIME *tmptm; 233 CA_DB *db = NULL; 234 DB_ATTR db_attr; 235 STACK_OF(CONF_VALUE) *attribs = NULL; 236 STACK_OF(OPENSSL_STRING) *sigopts = NULL; 237 STACK_OF(X509) *cert_sk = NULL; 238 X509_CRL *crl = NULL; 239 const EVP_MD *dgst = NULL; 240 char *configfile = default_config_file, *section = NULL; 241 char *md = NULL, *policy = NULL, *keyfile = NULL; 242 char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL; 243 const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; 244 const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; 245 char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; 246 const char *serialfile = NULL, *subj = NULL; 247 char *prog, *startdate = NULL, *enddate = NULL; 248 char *dbfile = NULL, *f; 249 char new_cert[PATH_MAX]; 250 char tmp[10 + 1] = "\0"; 251 char *const *pp; 252 const char *p; 253 size_t outdirlen = 0; 254 int create_ser = 0, free_key = 0, total = 0, total_done = 0; 255 int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; 256 int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; 257 int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; 258 int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret; 259 long crldays = 0, crlhours = 0, crlsec = 0, days = 0; 260 unsigned long chtype = MBSTRING_ASC, certopt = 0; 261 X509 *x509 = NULL, *x509p = NULL, *x = NULL; 262 REVINFO_TYPE rev_type = REV_NONE; 263 X509_REVOKED *r = NULL; 264 OPTION_CHOICE o; 265 266 prog = opt_init(argc, argv, ca_options); 267 while ((o = opt_next()) != OPT_EOF) { 268 switch (o) { 269 case OPT_EOF: 270 case OPT_ERR: 271 opthelp: 272 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 273 goto end; 274 case OPT_HELP: 275 opt_help(ca_options); 276 ret = 0; 277 goto end; 278 case OPT_IN: 279 req = 1; 280 infile = opt_arg(); 281 break; 282 case OPT_OUT: 283 outfile = opt_arg(); 284 break; 285 case OPT_VERBOSE: 286 verbose = 1; 287 break; 288 case OPT_CONFIG: 289 configfile = opt_arg(); 290 break; 291 case OPT_NAME: 292 section = opt_arg(); 293 break; 294 case OPT_SUBJ: 295 subj = opt_arg(); 296 /* preserve=1; */ 297 break; 298 case OPT_UTF8: 299 chtype = MBSTRING_UTF8; 300 break; 301 case OPT_RAND_SERIAL: 302 rand_ser = 1; 303 break; 304 case OPT_CREATE_SERIAL: 305 create_ser = 1; 306 break; 307 case OPT_MULTIVALUE_RDN: 308 multirdn = 1; 309 break; 310 case OPT_STARTDATE: 311 startdate = opt_arg(); 312 break; 313 case OPT_ENDDATE: 314 enddate = opt_arg(); 315 break; 316 case OPT_DAYS: 317 days = atoi(opt_arg()); 318 break; 319 case OPT_MD: 320 md = opt_arg(); 321 break; 322 case OPT_POLICY: 323 policy = opt_arg(); 324 break; 325 case OPT_KEYFILE: 326 keyfile = opt_arg(); 327 break; 328 case OPT_KEYFORM: 329 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) 330 goto opthelp; 331 break; 332 case OPT_PASSIN: 333 passinarg = opt_arg(); 334 break; 335 case OPT_R_CASES: 336 if (!opt_rand(o)) 337 goto end; 338 break; 339 case OPT_KEY: 340 key = opt_arg(); 341 break; 342 case OPT_CERT: 343 certfile = opt_arg(); 344 break; 345 case OPT_SELFSIGN: 346 selfsign = 1; 347 break; 348 case OPT_OUTDIR: 349 outdir = opt_arg(); 350 break; 351 case OPT_SIGOPT: 352 if (sigopts == NULL) 353 sigopts = sk_OPENSSL_STRING_new_null(); 354 if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 355 goto end; 356 break; 357 case OPT_NOTEXT: 358 notext = 1; 359 break; 360 case OPT_BATCH: 361 batch = 1; 362 break; 363 case OPT_PRESERVEDN: 364 preserve = 1; 365 break; 366 case OPT_NOEMAILDN: 367 email_dn = 0; 368 break; 369 case OPT_GENCRL: 370 gencrl = 1; 371 break; 372 case OPT_MSIE_HACK: 373 msie_hack = 1; 374 break; 375 case OPT_CRLDAYS: 376 crldays = atol(opt_arg()); 377 break; 378 case OPT_CRLHOURS: 379 crlhours = atol(opt_arg()); 380 break; 381 case OPT_CRLSEC: 382 crlsec = atol(opt_arg()); 383 break; 384 case OPT_INFILES: 385 req = 1; 386 goto end_of_options; 387 case OPT_SS_CERT: 388 ss_cert_file = opt_arg(); 389 req = 1; 390 break; 391 case OPT_SPKAC: 392 spkac_file = opt_arg(); 393 req = 1; 394 break; 395 case OPT_REVOKE: 396 infile = opt_arg(); 397 dorevoke = 1; 398 break; 399 case OPT_VALID: 400 infile = opt_arg(); 401 dorevoke = 2; 402 break; 403 case OPT_EXTENSIONS: 404 extensions = opt_arg(); 405 break; 406 case OPT_EXTFILE: 407 extfile = opt_arg(); 408 break; 409 case OPT_STATUS: 410 ser_status = opt_arg(); 411 break; 412 case OPT_UPDATEDB: 413 doupdatedb = 1; 414 break; 415 case OPT_CRLEXTS: 416 crl_ext = opt_arg(); 417 break; 418 case OPT_CRL_REASON: /* := REV_CRL_REASON */ 419 case OPT_CRL_HOLD: 420 case OPT_CRL_COMPROMISE: 421 case OPT_CRL_CA_COMPROMISE: 422 rev_arg = opt_arg(); 423 rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON; 424 break; 425 case OPT_ENGINE: 426 e = setup_engine(opt_arg(), 0); 427 break; 428 } 429 } 430 end_of_options: 431 argc = opt_num_rest(); 432 argv = opt_rest(); 433 434 BIO_printf(bio_err, "Using configuration from %s\n", configfile); 435 436 if ((conf = app_load_config(configfile)) == NULL) 437 goto end; 438 if (configfile != default_config_file && !app_load_modules(conf)) 439 goto end; 440 441 /* Lets get the config section we are using */ 442 if (section == NULL 443 && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL) 444 goto end; 445 446 p = NCONF_get_string(conf, NULL, "oid_file"); 447 if (p == NULL) 448 ERR_clear_error(); 449 if (p != NULL) { 450 BIO *oid_bio = BIO_new_file(p, "r"); 451 452 if (oid_bio == NULL) { 453 ERR_clear_error(); 454 } else { 455 OBJ_create_objects(oid_bio); 456 BIO_free(oid_bio); 457 } 458 } 459 if (!add_oid_section(conf)) { 460 ERR_print_errors(bio_err); 461 goto end; 462 } 463 464 app_RAND_load_conf(conf, BASE_SECTION); 465 466 f = NCONF_get_string(conf, section, STRING_MASK); 467 if (f == NULL) 468 ERR_clear_error(); 469 470 if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) { 471 BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); 472 goto end; 473 } 474 475 if (chtype != MBSTRING_UTF8) { 476 f = NCONF_get_string(conf, section, UTF8_IN); 477 if (f == NULL) 478 ERR_clear_error(); 479 else if (strcmp(f, "yes") == 0) 480 chtype = MBSTRING_UTF8; 481 } 482 483 db_attr.unique_subject = 1; 484 p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); 485 if (p != NULL) 486 db_attr.unique_subject = parse_yesno(p, 1); 487 else 488 ERR_clear_error(); 489 490 /*****************************************************************/ 491 /* report status of cert with serial number given on command line */ 492 if (ser_status) { 493 dbfile = lookup_conf(conf, section, ENV_DATABASE); 494 if (dbfile == NULL) 495 goto end; 496 497 db = load_index(dbfile, &db_attr); 498 if (db == NULL) 499 goto end; 500 501 if (index_index(db) <= 0) 502 goto end; 503 504 if (get_certificate_status(ser_status, db) != 1) 505 BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status); 506 goto end; 507 } 508 509 /*****************************************************************/ 510 /* we definitely need a private key, so let's get it */ 511 512 if (keyfile == NULL 513 && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL) 514 goto end; 515 516 if (key == NULL) { 517 free_key = 1; 518 if (!app_passwd(passinarg, NULL, &key, NULL)) { 519 BIO_printf(bio_err, "Error getting password\n"); 520 goto end; 521 } 522 } 523 pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key"); 524 if (key != NULL) 525 OPENSSL_cleanse(key, strlen(key)); 526 if (pkey == NULL) 527 /* load_key() has already printed an appropriate message */ 528 goto end; 529 530 /*****************************************************************/ 531 /* we need a certificate */ 532 if (!selfsign || spkac_file || ss_cert_file || gencrl) { 533 if (certfile == NULL 534 && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) 535 goto end; 536 537 x509 = load_cert(certfile, FORMAT_PEM, "CA certificate"); 538 if (x509 == NULL) 539 goto end; 540 541 if (!X509_check_private_key(x509, pkey)) { 542 BIO_printf(bio_err, 543 "CA certificate and CA private key do not match\n"); 544 goto end; 545 } 546 } 547 if (!selfsign) 548 x509p = x509; 549 550 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); 551 if (f == NULL) 552 ERR_clear_error(); 553 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 554 preserve = 1; 555 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); 556 if (f == NULL) 557 ERR_clear_error(); 558 if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 559 msie_hack = 1; 560 561 f = NCONF_get_string(conf, section, ENV_NAMEOPT); 562 563 if (f != NULL) { 564 if (!set_nameopt(f)) { 565 BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); 566 goto end; 567 } 568 default_op = 0; 569 } 570 571 f = NCONF_get_string(conf, section, ENV_CERTOPT); 572 573 if (f != NULL) { 574 if (!set_cert_ex(&certopt, f)) { 575 BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); 576 goto end; 577 } 578 default_op = 0; 579 } else { 580 ERR_clear_error(); 581 } 582 583 f = NCONF_get_string(conf, section, ENV_EXTCOPY); 584 585 if (f != NULL) { 586 if (!set_ext_copy(&ext_copy, f)) { 587 BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); 588 goto end; 589 } 590 } else { 591 ERR_clear_error(); 592 } 593 594 /*****************************************************************/ 595 /* lookup where to write new certificates */ 596 if ((outdir == NULL) && (req)) { 597 598 outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR); 599 if (outdir == NULL) { 600 BIO_printf(bio_err, 601 "there needs to be defined a directory for new certificate to be placed in\n"); 602 goto end; 603 } 604 #ifndef OPENSSL_SYS_VMS 605 /* 606 * outdir is a directory spec, but access() for VMS demands a 607 * filename. We could use the DEC C routine to convert the 608 * directory syntax to Unixly, and give that to app_isdir, 609 * but for now the fopen will catch the error if it's not a 610 * directory 611 */ 612 if (app_isdir(outdir) <= 0) { 613 BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir); 614 perror(outdir); 615 goto end; 616 } 617 #endif 618 } 619 620 /*****************************************************************/ 621 /* we need to load the database file */ 622 dbfile = lookup_conf(conf, section, ENV_DATABASE); 623 if (dbfile == NULL) 624 goto end; 625 626 db = load_index(dbfile, &db_attr); 627 if (db == NULL) 628 goto end; 629 630 /* Lets check some fields */ 631 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 632 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 633 if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { 634 BIO_printf(bio_err, 635 "entry %d: not revoked yet, but has a revocation date\n", 636 i + 1); 637 goto end; 638 } 639 if ((pp[DB_type][0] == DB_TYPE_REV) && 640 !make_revoked(NULL, pp[DB_rev_date])) { 641 BIO_printf(bio_err, " in entry %d\n", i + 1); 642 goto end; 643 } 644 if (!check_time_format((char *)pp[DB_exp_date])) { 645 BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); 646 goto end; 647 } 648 p = pp[DB_serial]; 649 j = strlen(p); 650 if (*p == '-') { 651 p++; 652 j--; 653 } 654 if ((j & 1) || (j < 2)) { 655 BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", 656 i + 1, j); 657 goto end; 658 } 659 for ( ; *p; p++) { 660 if (!isxdigit(_UC(*p))) { 661 BIO_printf(bio_err, 662 "entry %d: bad char 0%o '%c' in serial number\n", 663 i + 1, *p, *p); 664 goto end; 665 } 666 } 667 } 668 if (verbose) { 669 TXT_DB_write(bio_out, db->db); 670 BIO_printf(bio_err, "%d entries loaded from the database\n", 671 sk_OPENSSL_PSTRING_num(db->db->data)); 672 BIO_printf(bio_err, "generating index\n"); 673 } 674 675 if (index_index(db) <= 0) 676 goto end; 677 678 /*****************************************************************/ 679 /* Update the db file for expired certificates */ 680 if (doupdatedb) { 681 if (verbose) 682 BIO_printf(bio_err, "Updating %s ...\n", dbfile); 683 684 i = do_updatedb(db); 685 if (i == -1) { 686 BIO_printf(bio_err, "Malloc failure\n"); 687 goto end; 688 } else if (i == 0) { 689 if (verbose) 690 BIO_printf(bio_err, "No entries found to mark expired\n"); 691 } else { 692 if (!save_index(dbfile, "new", db)) 693 goto end; 694 695 if (!rotate_index(dbfile, "new", "old")) 696 goto end; 697 698 if (verbose) 699 BIO_printf(bio_err, "Done. %d entries marked as expired\n", i); 700 } 701 } 702 703 /*****************************************************************/ 704 /* Read extensions config file */ 705 if (extfile) { 706 if ((extconf = app_load_config(extfile)) == NULL) { 707 ret = 1; 708 goto end; 709 } 710 711 if (verbose) 712 BIO_printf(bio_err, "Successfully loaded extensions file %s\n", 713 extfile); 714 715 /* We can have sections in the ext file */ 716 if (extensions == NULL) { 717 extensions = NCONF_get_string(extconf, "default", "extensions"); 718 if (extensions == NULL) 719 extensions = "default"; 720 } 721 } 722 723 /*****************************************************************/ 724 if (req || gencrl) { 725 if (spkac_file != NULL) { 726 output_der = 1; 727 batch = 1; 728 } 729 } 730 731 def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid); 732 /* 733 * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is 734 * mandatory for this algorithm. 735 */ 736 if (def_ret == 2 && def_nid == NID_undef) { 737 /* The signing algorithm requires there to be no digest */ 738 dgst = EVP_md_null(); 739 } else if (md == NULL 740 && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) { 741 goto end; 742 } else { 743 if (strcmp(md, "default") == 0) { 744 if (def_ret <= 0) { 745 BIO_puts(bio_err, "no default digest\n"); 746 goto end; 747 } 748 md = (char *)OBJ_nid2sn(def_nid); 749 } 750 751 if (!opt_md(md, &dgst)) 752 goto end; 753 } 754 755 if (req) { 756 if (email_dn == 1) { 757 char *tmp_email_dn = NULL; 758 759 tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN); 760 if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0) 761 email_dn = 0; 762 } 763 if (verbose) 764 BIO_printf(bio_err, "message digest is %s\n", 765 OBJ_nid2ln(EVP_MD_type(dgst))); 766 if (policy == NULL 767 && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) 768 goto end; 769 770 if (verbose) 771 BIO_printf(bio_err, "policy is %s\n", policy); 772 773 if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) { 774 rand_ser = 1; 775 } else { 776 serialfile = lookup_conf(conf, section, ENV_SERIAL); 777 if (serialfile == NULL) 778 goto end; 779 } 780 781 if (extconf == NULL) { 782 /* 783 * no '-extfile' option, so we look for extensions in the main 784 * configuration file 785 */ 786 if (extensions == NULL) { 787 extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS); 788 if (extensions == NULL) 789 ERR_clear_error(); 790 } 791 if (extensions != NULL) { 792 /* Check syntax of file */ 793 X509V3_CTX ctx; 794 X509V3_set_ctx_test(&ctx); 795 X509V3_set_nconf(&ctx, conf); 796 if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { 797 BIO_printf(bio_err, 798 "Error Loading extension section %s\n", 799 extensions); 800 ret = 1; 801 goto end; 802 } 803 } 804 } 805 806 if (startdate == NULL) { 807 startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE); 808 if (startdate == NULL) 809 ERR_clear_error(); 810 } 811 if (startdate != NULL && !ASN1_TIME_set_string_X509(NULL, startdate)) { 812 BIO_printf(bio_err, 813 "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 814 goto end; 815 } 816 if (startdate == NULL) 817 startdate = "today"; 818 819 if (enddate == NULL) { 820 enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE); 821 if (enddate == NULL) 822 ERR_clear_error(); 823 } 824 if (enddate != NULL && !ASN1_TIME_set_string_X509(NULL, enddate)) { 825 BIO_printf(bio_err, 826 "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); 827 goto end; 828 } 829 830 if (days == 0) { 831 if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) 832 days = 0; 833 } 834 if (enddate == NULL && days == 0) { 835 BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); 836 goto end; 837 } 838 839 if (rand_ser) { 840 if ((serial = BN_new()) == NULL || !rand_serial(serial, NULL)) { 841 BIO_printf(bio_err, "error generating serial number\n"); 842 goto end; 843 } 844 } else { 845 if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { 846 BIO_printf(bio_err, "error while loading serial number\n"); 847 goto end; 848 } 849 if (verbose) { 850 if (BN_is_zero(serial)) { 851 BIO_printf(bio_err, "next serial number is 00\n"); 852 } else { 853 if ((f = BN_bn2hex(serial)) == NULL) 854 goto end; 855 BIO_printf(bio_err, "next serial number is %s\n", f); 856 OPENSSL_free(f); 857 } 858 } 859 } 860 861 if ((attribs = NCONF_get_section(conf, policy)) == NULL) { 862 BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); 863 goto end; 864 } 865 866 if ((cert_sk = sk_X509_new_null()) == NULL) { 867 BIO_printf(bio_err, "Memory allocation failure\n"); 868 goto end; 869 } 870 if (spkac_file != NULL) { 871 total++; 872 j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts, 873 attribs, db, serial, subj, chtype, multirdn, 874 email_dn, startdate, enddate, days, extensions, 875 conf, verbose, certopt, get_nameopt(), default_op, 876 ext_copy); 877 if (j < 0) 878 goto end; 879 if (j > 0) { 880 total_done++; 881 BIO_printf(bio_err, "\n"); 882 if (!BN_add_word(serial, 1)) 883 goto end; 884 if (!sk_X509_push(cert_sk, x)) { 885 BIO_printf(bio_err, "Memory allocation failure\n"); 886 goto end; 887 } 888 } 889 } 890 if (ss_cert_file != NULL) { 891 total++; 892 j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, sigopts, 893 attribs, 894 db, serial, subj, chtype, multirdn, email_dn, 895 startdate, enddate, days, batch, extensions, 896 conf, verbose, certopt, get_nameopt(), default_op, 897 ext_copy); 898 if (j < 0) 899 goto end; 900 if (j > 0) { 901 total_done++; 902 BIO_printf(bio_err, "\n"); 903 if (!BN_add_word(serial, 1)) 904 goto end; 905 if (!sk_X509_push(cert_sk, x)) { 906 BIO_printf(bio_err, "Memory allocation failure\n"); 907 goto end; 908 } 909 } 910 } 911 if (infile != NULL) { 912 total++; 913 j = certify(&x, infile, pkey, x509p, dgst, sigopts, attribs, db, 914 serial, subj, chtype, multirdn, email_dn, startdate, 915 enddate, days, batch, extensions, conf, verbose, 916 certopt, get_nameopt(), default_op, ext_copy, selfsign); 917 if (j < 0) 918 goto end; 919 if (j > 0) { 920 total_done++; 921 BIO_printf(bio_err, "\n"); 922 if (!BN_add_word(serial, 1)) 923 goto end; 924 if (!sk_X509_push(cert_sk, x)) { 925 BIO_printf(bio_err, "Memory allocation failure\n"); 926 goto end; 927 } 928 } 929 } 930 for (i = 0; i < argc; i++) { 931 total++; 932 j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, attribs, db, 933 serial, subj, chtype, multirdn, email_dn, startdate, 934 enddate, days, batch, extensions, conf, verbose, 935 certopt, get_nameopt(), default_op, ext_copy, selfsign); 936 if (j < 0) 937 goto end; 938 if (j > 0) { 939 total_done++; 940 BIO_printf(bio_err, "\n"); 941 if (!BN_add_word(serial, 1)) { 942 X509_free(x); 943 goto end; 944 } 945 if (!sk_X509_push(cert_sk, x)) { 946 BIO_printf(bio_err, "Memory allocation failure\n"); 947 X509_free(x); 948 goto end; 949 } 950 } 951 } 952 /* 953 * we have a stack of newly certified certificates and a data base 954 * and serial number that need updating 955 */ 956 957 if (sk_X509_num(cert_sk) > 0) { 958 if (!batch) { 959 BIO_printf(bio_err, 960 "\n%d out of %d certificate requests certified, commit? [y/n]", 961 total_done, total); 962 (void)BIO_flush(bio_err); 963 tmp[0] = '\0'; 964 if (fgets(tmp, sizeof(tmp), stdin) == NULL) { 965 BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); 966 ret = 0; 967 goto end; 968 } 969 if (tmp[0] != 'y' && tmp[0] != 'Y') { 970 BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); 971 ret = 0; 972 goto end; 973 } 974 } 975 976 BIO_printf(bio_err, "Write out database with %d new entries\n", 977 sk_X509_num(cert_sk)); 978 979 if (!rand_ser 980 && !save_serial(serialfile, "new", serial, NULL)) 981 goto end; 982 983 if (!save_index(dbfile, "new", db)) 984 goto end; 985 } 986 987 outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert)); 988 #ifndef OPENSSL_SYS_VMS 989 outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); 990 #endif 991 992 if (verbose) 993 BIO_printf(bio_err, "writing new certificates\n"); 994 995 for (i = 0; i < sk_X509_num(cert_sk); i++) { 996 BIO *Cout = NULL; 997 X509 *xi = sk_X509_value(cert_sk, i); 998 ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi); 999 const unsigned char *psn = ASN1_STRING_get0_data(serialNumber); 1000 const int snl = ASN1_STRING_length(serialNumber); 1001 const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem"); 1002 char *n = new_cert + outdirlen; 1003 1004 if (outdirlen + filen_len > PATH_MAX) { 1005 BIO_printf(bio_err, "certificate file name too long\n"); 1006 goto end; 1007 } 1008 1009 if (snl > 0) { 1010 static const char HEX_DIGITS[] = "0123456789ABCDEF"; 1011 1012 for (j = 0; j < snl; j++, psn++) { 1013 *n++ = HEX_DIGITS[*psn >> 4]; 1014 *n++ = HEX_DIGITS[*psn & 0x0F]; 1015 } 1016 } else { 1017 *(n++) = '0'; 1018 *(n++) = '0'; 1019 } 1020 *(n++) = '.'; 1021 *(n++) = 'p'; 1022 *(n++) = 'e'; 1023 *(n++) = 'm'; 1024 *n = '\0'; /* closing new_cert */ 1025 if (verbose) 1026 BIO_printf(bio_err, "writing %s\n", new_cert); 1027 1028 Sout = bio_open_default(outfile, 'w', 1029 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1030 if (Sout == NULL) 1031 goto end; 1032 1033 Cout = BIO_new_file(new_cert, "w"); 1034 if (Cout == NULL) { 1035 perror(new_cert); 1036 goto end; 1037 } 1038 write_new_certificate(Cout, xi, 0, notext); 1039 write_new_certificate(Sout, xi, output_der, notext); 1040 BIO_free_all(Cout); 1041 BIO_free_all(Sout); 1042 Sout = NULL; 1043 } 1044 1045 if (sk_X509_num(cert_sk)) { 1046 /* Rename the database and the serial file */ 1047 if (!rotate_serial(serialfile, "new", "old")) 1048 goto end; 1049 1050 if (!rotate_index(dbfile, "new", "old")) 1051 goto end; 1052 1053 BIO_printf(bio_err, "Data Base Updated\n"); 1054 } 1055 } 1056 1057 /*****************************************************************/ 1058 if (gencrl) { 1059 int crl_v2 = 0; 1060 if (crl_ext == NULL) { 1061 crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); 1062 if (crl_ext == NULL) 1063 ERR_clear_error(); 1064 } 1065 if (crl_ext != NULL) { 1066 /* Check syntax of file */ 1067 X509V3_CTX ctx; 1068 X509V3_set_ctx_test(&ctx); 1069 X509V3_set_nconf(&ctx, conf); 1070 if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { 1071 BIO_printf(bio_err, 1072 "Error Loading CRL extension section %s\n", crl_ext); 1073 ret = 1; 1074 goto end; 1075 } 1076 } 1077 1078 if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) 1079 != NULL) 1080 if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { 1081 BIO_printf(bio_err, "error while loading CRL number\n"); 1082 goto end; 1083 } 1084 1085 if (!crldays && !crlhours && !crlsec) { 1086 if (!NCONF_get_number(conf, section, 1087 ENV_DEFAULT_CRL_DAYS, &crldays)) 1088 crldays = 0; 1089 if (!NCONF_get_number(conf, section, 1090 ENV_DEFAULT_CRL_HOURS, &crlhours)) 1091 crlhours = 0; 1092 ERR_clear_error(); 1093 } 1094 if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { 1095 BIO_printf(bio_err, 1096 "cannot lookup how long until the next CRL is issued\n"); 1097 goto end; 1098 } 1099 1100 if (verbose) 1101 BIO_printf(bio_err, "making CRL\n"); 1102 if ((crl = X509_CRL_new()) == NULL) 1103 goto end; 1104 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) 1105 goto end; 1106 1107 tmptm = ASN1_TIME_new(); 1108 if (tmptm == NULL 1109 || X509_gmtime_adj(tmptm, 0) == NULL 1110 || !X509_CRL_set1_lastUpdate(crl, tmptm) 1111 || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, 1112 NULL) == NULL) { 1113 BIO_puts(bio_err, "error setting CRL nextUpdate\n"); 1114 ASN1_TIME_free(tmptm); 1115 goto end; 1116 } 1117 X509_CRL_set1_nextUpdate(crl, tmptm); 1118 1119 ASN1_TIME_free(tmptm); 1120 1121 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 1122 pp = sk_OPENSSL_PSTRING_value(db->db->data, i); 1123 if (pp[DB_type][0] == DB_TYPE_REV) { 1124 if ((r = X509_REVOKED_new()) == NULL) 1125 goto end; 1126 j = make_revoked(r, pp[DB_rev_date]); 1127 if (!j) 1128 goto end; 1129 if (j == 2) 1130 crl_v2 = 1; 1131 if (!BN_hex2bn(&serial, pp[DB_serial])) 1132 goto end; 1133 tmpser = BN_to_ASN1_INTEGER(serial, NULL); 1134 BN_free(serial); 1135 serial = NULL; 1136 if (!tmpser) 1137 goto end; 1138 X509_REVOKED_set_serialNumber(r, tmpser); 1139 ASN1_INTEGER_free(tmpser); 1140 X509_CRL_add0_revoked(crl, r); 1141 } 1142 } 1143 1144 /* 1145 * sort the data so it will be written in serial number order 1146 */ 1147 X509_CRL_sort(crl); 1148 1149 /* we now have a CRL */ 1150 if (verbose) 1151 BIO_printf(bio_err, "signing CRL\n"); 1152 1153 /* Add any extensions asked for */ 1154 1155 if (crl_ext != NULL || crlnumberfile != NULL) { 1156 X509V3_CTX crlctx; 1157 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 1158 X509V3_set_nconf(&crlctx, conf); 1159 1160 if (crl_ext != NULL) 1161 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) 1162 goto end; 1163 if (crlnumberfile != NULL) { 1164 tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 1165 if (!tmpser) 1166 goto end; 1167 X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); 1168 ASN1_INTEGER_free(tmpser); 1169 crl_v2 = 1; 1170 if (!BN_add_word(crlnumber, 1)) 1171 goto end; 1172 } 1173 } 1174 if (crl_ext != NULL || crl_v2) { 1175 if (!X509_CRL_set_version(crl, 1)) 1176 goto end; /* version 2 CRL */ 1177 } 1178 1179 /* we have a CRL number that need updating */ 1180 if (crlnumberfile != NULL) 1181 if (!rand_ser 1182 && !save_serial(crlnumberfile, "new", crlnumber, NULL)) 1183 goto end; 1184 1185 BN_free(crlnumber); 1186 crlnumber = NULL; 1187 1188 if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) 1189 goto end; 1190 1191 Sout = bio_open_default(outfile, 'w', 1192 output_der ? FORMAT_ASN1 : FORMAT_TEXT); 1193 if (Sout == NULL) 1194 goto end; 1195 1196 PEM_write_bio_X509_CRL(Sout, crl); 1197 1198 if (crlnumberfile != NULL) /* Rename the crlnumber file */ 1199 if (!rotate_serial(crlnumberfile, "new", "old")) 1200 goto end; 1201 1202 } 1203 /*****************************************************************/ 1204 if (dorevoke) { 1205 if (infile == NULL) { 1206 BIO_printf(bio_err, "no input files\n"); 1207 goto end; 1208 } else { 1209 X509 *revcert; 1210 revcert = load_cert(infile, FORMAT_PEM, infile); 1211 if (revcert == NULL) 1212 goto end; 1213 if (dorevoke == 2) 1214 rev_type = REV_VALID; 1215 j = do_revoke(revcert, db, rev_type, rev_arg); 1216 if (j <= 0) 1217 goto end; 1218 X509_free(revcert); 1219 1220 if (!save_index(dbfile, "new", db)) 1221 goto end; 1222 1223 if (!rotate_index(dbfile, "new", "old")) 1224 goto end; 1225 1226 BIO_printf(bio_err, "Data Base Updated\n"); 1227 } 1228 } 1229 ret = 0; 1230 1231 end: 1232 if (ret) 1233 ERR_print_errors(bio_err); 1234 BIO_free_all(Sout); 1235 BIO_free_all(out); 1236 BIO_free_all(in); 1237 sk_X509_pop_free(cert_sk, X509_free); 1238 1239 if (free_key) 1240 OPENSSL_free(key); 1241 BN_free(serial); 1242 BN_free(crlnumber); 1243 free_index(db); 1244 sk_OPENSSL_STRING_free(sigopts); 1245 EVP_PKEY_free(pkey); 1246 X509_free(x509); 1247 X509_CRL_free(crl); 1248 NCONF_free(conf); 1249 NCONF_free(extconf); 1250 release_engine(e); 1251 return ret; 1252 } 1253 1254 static char *lookup_conf(const CONF *conf, const char *section, const char *tag) 1255 { 1256 char *entry = NCONF_get_string(conf, section, tag); 1257 if (entry == NULL) 1258 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag); 1259 return entry; 1260 } 1261 1262 static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 1263 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1264 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1265 BIGNUM *serial, const char *subj, unsigned long chtype, 1266 int multirdn, int email_dn, const char *startdate, 1267 const char *enddate, 1268 long days, int batch, const char *ext_sect, CONF *lconf, 1269 int verbose, unsigned long certopt, unsigned long nameopt, 1270 int default_op, int ext_copy, int selfsign) 1271 { 1272 X509_REQ *req = NULL; 1273 BIO *in = NULL; 1274 EVP_PKEY *pktmp = NULL; 1275 int ok = -1, i; 1276 1277 in = BIO_new_file(infile, "r"); 1278 if (in == NULL) { 1279 ERR_print_errors(bio_err); 1280 goto end; 1281 } 1282 if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) { 1283 BIO_printf(bio_err, "Error reading certificate request in %s\n", 1284 infile); 1285 goto end; 1286 } 1287 if (verbose) 1288 X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT); 1289 1290 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1291 1292 if (selfsign && !X509_REQ_check_private_key(req, pkey)) { 1293 BIO_printf(bio_err, 1294 "Certificate request and CA private key do not match\n"); 1295 ok = 0; 1296 goto end; 1297 } 1298 if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { 1299 BIO_printf(bio_err, "error unpacking public key\n"); 1300 goto end; 1301 } 1302 i = X509_REQ_verify(req, pktmp); 1303 pktmp = NULL; 1304 if (i < 0) { 1305 ok = 0; 1306 BIO_printf(bio_err, "Signature verification problems....\n"); 1307 ERR_print_errors(bio_err); 1308 goto end; 1309 } 1310 if (i == 0) { 1311 ok = 0; 1312 BIO_printf(bio_err, 1313 "Signature did not match the certificate request\n"); 1314 ERR_print_errors(bio_err); 1315 goto end; 1316 } else { 1317 BIO_printf(bio_err, "Signature ok\n"); 1318 } 1319 1320 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1321 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1322 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 1323 ext_copy, selfsign); 1324 1325 end: 1326 X509_REQ_free(req); 1327 BIO_free(in); 1328 return ok; 1329 } 1330 1331 static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, 1332 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1333 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1334 BIGNUM *serial, const char *subj, unsigned long chtype, 1335 int multirdn, int email_dn, const char *startdate, 1336 const char *enddate, long days, int batch, const char *ext_sect, 1337 CONF *lconf, int verbose, unsigned long certopt, 1338 unsigned long nameopt, int default_op, int ext_copy) 1339 { 1340 X509 *req = NULL; 1341 X509_REQ *rreq = NULL; 1342 EVP_PKEY *pktmp = NULL; 1343 int ok = -1, i; 1344 1345 if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL) 1346 goto end; 1347 if (verbose) 1348 X509_print(bio_err, req); 1349 1350 BIO_printf(bio_err, "Check that the request matches the signature\n"); 1351 1352 if ((pktmp = X509_get0_pubkey(req)) == NULL) { 1353 BIO_printf(bio_err, "error unpacking public key\n"); 1354 goto end; 1355 } 1356 i = X509_verify(req, pktmp); 1357 if (i < 0) { 1358 ok = 0; 1359 BIO_printf(bio_err, "Signature verification problems....\n"); 1360 goto end; 1361 } 1362 if (i == 0) { 1363 ok = 0; 1364 BIO_printf(bio_err, "Signature did not match the certificate\n"); 1365 goto end; 1366 } else { 1367 BIO_printf(bio_err, "Signature ok\n"); 1368 } 1369 1370 if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) 1371 goto end; 1372 1373 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 1374 chtype, multirdn, email_dn, startdate, enddate, days, batch, 1375 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, 1376 ext_copy, 0); 1377 1378 end: 1379 X509_REQ_free(rreq); 1380 X509_free(req); 1381 return ok; 1382 } 1383 1384 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 1385 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, 1386 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, 1387 const char *subj, unsigned long chtype, int multirdn, 1388 int email_dn, const char *startdate, const char *enddate, long days, 1389 int batch, int verbose, X509_REQ *req, const char *ext_sect, 1390 CONF *lconf, unsigned long certopt, unsigned long nameopt, 1391 int default_op, int ext_copy, int selfsign) 1392 { 1393 X509_NAME *name = NULL, *CAname = NULL, *subject = NULL; 1394 const ASN1_TIME *tm; 1395 ASN1_STRING *str, *str2; 1396 ASN1_OBJECT *obj; 1397 X509 *ret = NULL; 1398 X509_NAME_ENTRY *ne, *tne; 1399 EVP_PKEY *pktmp; 1400 int ok = -1, i, j, last, nid; 1401 const char *p; 1402 CONF_VALUE *cv; 1403 OPENSSL_STRING row[DB_NUMBER]; 1404 OPENSSL_STRING *irow = NULL; 1405 OPENSSL_STRING *rrow = NULL; 1406 char buf[25]; 1407 1408 for (i = 0; i < DB_NUMBER; i++) 1409 row[i] = NULL; 1410 1411 if (subj) { 1412 X509_NAME *n = parse_name(subj, chtype, multirdn); 1413 1414 if (!n) { 1415 ERR_print_errors(bio_err); 1416 goto end; 1417 } 1418 X509_REQ_set_subject_name(req, n); 1419 X509_NAME_free(n); 1420 } 1421 1422 if (default_op) 1423 BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); 1424 1425 name = X509_REQ_get_subject_name(req); 1426 for (i = 0; i < X509_NAME_entry_count(name); i++) { 1427 ne = X509_NAME_get_entry(name, i); 1428 str = X509_NAME_ENTRY_get_data(ne); 1429 obj = X509_NAME_ENTRY_get_object(ne); 1430 nid = OBJ_obj2nid(obj); 1431 1432 if (msie_hack) { 1433 /* assume all type should be strings */ 1434 1435 if (str->type == V_ASN1_UNIVERSALSTRING) 1436 ASN1_UNIVERSALSTRING_to_string(str); 1437 1438 if (str->type == V_ASN1_IA5STRING && nid != NID_pkcs9_emailAddress) 1439 str->type = V_ASN1_T61STRING; 1440 1441 if (nid == NID_pkcs9_emailAddress 1442 && str->type == V_ASN1_PRINTABLESTRING) 1443 str->type = V_ASN1_IA5STRING; 1444 } 1445 1446 /* If no EMAIL is wanted in the subject */ 1447 if (nid == NID_pkcs9_emailAddress && !email_dn) 1448 continue; 1449 1450 /* check some things */ 1451 if (nid == NID_pkcs9_emailAddress && str->type != V_ASN1_IA5STRING) { 1452 BIO_printf(bio_err, 1453 "\nemailAddress type needs to be of type IA5STRING\n"); 1454 goto end; 1455 } 1456 if (str->type != V_ASN1_BMPSTRING && str->type != V_ASN1_UTF8STRING) { 1457 j = ASN1_PRINTABLE_type(str->data, str->length); 1458 if ((j == V_ASN1_T61STRING && str->type != V_ASN1_T61STRING) || 1459 (j == V_ASN1_IA5STRING && str->type == V_ASN1_PRINTABLESTRING)) 1460 { 1461 BIO_printf(bio_err, 1462 "\nThe string contains characters that are illegal for the ASN.1 type\n"); 1463 goto end; 1464 } 1465 } 1466 1467 if (default_op) 1468 old_entry_print(obj, str); 1469 } 1470 1471 /* Ok, now we check the 'policy' stuff. */ 1472 if ((subject = X509_NAME_new()) == NULL) { 1473 BIO_printf(bio_err, "Memory allocation failure\n"); 1474 goto end; 1475 } 1476 1477 /* take a copy of the issuer name before we mess with it. */ 1478 if (selfsign) 1479 CAname = X509_NAME_dup(name); 1480 else 1481 CAname = X509_NAME_dup(X509_get_subject_name(x509)); 1482 if (CAname == NULL) 1483 goto end; 1484 str = str2 = NULL; 1485 1486 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { 1487 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ 1488 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { 1489 BIO_printf(bio_err, 1490 "%s:unknown object type in 'policy' configuration\n", 1491 cv->name); 1492 goto end; 1493 } 1494 obj = OBJ_nid2obj(j); 1495 1496 last = -1; 1497 for (;;) { 1498 X509_NAME_ENTRY *push = NULL; 1499 1500 /* lookup the object in the supplied name list */ 1501 j = X509_NAME_get_index_by_OBJ(name, obj, last); 1502 if (j < 0) { 1503 if (last != -1) 1504 break; 1505 tne = NULL; 1506 } else { 1507 tne = X509_NAME_get_entry(name, j); 1508 } 1509 last = j; 1510 1511 /* depending on the 'policy', decide what to do. */ 1512 if (strcmp(cv->value, "optional") == 0) { 1513 if (tne != NULL) 1514 push = tne; 1515 } else if (strcmp(cv->value, "supplied") == 0) { 1516 if (tne == NULL) { 1517 BIO_printf(bio_err, 1518 "The %s field needed to be supplied and was missing\n", 1519 cv->name); 1520 goto end; 1521 } else { 1522 push = tne; 1523 } 1524 } else if (strcmp(cv->value, "match") == 0) { 1525 int last2; 1526 1527 if (tne == NULL) { 1528 BIO_printf(bio_err, 1529 "The mandatory %s field was missing\n", 1530 cv->name); 1531 goto end; 1532 } 1533 1534 last2 = -1; 1535 1536 again2: 1537 j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); 1538 if ((j < 0) && (last2 == -1)) { 1539 BIO_printf(bio_err, 1540 "The %s field does not exist in the CA certificate,\n" 1541 "the 'policy' is misconfigured\n", cv->name); 1542 goto end; 1543 } 1544 if (j >= 0) { 1545 push = X509_NAME_get_entry(CAname, j); 1546 str = X509_NAME_ENTRY_get_data(tne); 1547 str2 = X509_NAME_ENTRY_get_data(push); 1548 last2 = j; 1549 if (ASN1_STRING_cmp(str, str2) != 0) 1550 goto again2; 1551 } 1552 if (j < 0) { 1553 BIO_printf(bio_err, 1554 "The %s field is different between\n" 1555 "CA certificate (%s) and the request (%s)\n", 1556 cv->name, 1557 ((str2 == NULL) ? "NULL" : (char *)str2->data), 1558 ((str == NULL) ? "NULL" : (char *)str->data)); 1559 goto end; 1560 } 1561 } else { 1562 BIO_printf(bio_err, 1563 "%s:invalid type in 'policy' configuration\n", 1564 cv->value); 1565 goto end; 1566 } 1567 1568 if (push != NULL) { 1569 if (!X509_NAME_add_entry(subject, push, -1, 0)) { 1570 BIO_printf(bio_err, "Memory allocation failure\n"); 1571 goto end; 1572 } 1573 } 1574 if (j < 0) 1575 break; 1576 } 1577 } 1578 1579 if (preserve) { 1580 X509_NAME_free(subject); 1581 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 1582 subject = X509_NAME_dup(name); 1583 if (subject == NULL) 1584 goto end; 1585 } 1586 1587 /* We are now totally happy, lets make and sign the certificate */ 1588 if (verbose) 1589 BIO_printf(bio_err, 1590 "Everything appears to be ok, creating and signing the certificate\n"); 1591 1592 if ((ret = X509_new()) == NULL) 1593 goto end; 1594 1595 #ifdef X509_V3 1596 /* Make it an X509 v3 certificate. */ 1597 if (!X509_set_version(ret, 2)) 1598 goto end; 1599 #endif 1600 1601 if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) 1602 goto end; 1603 if (selfsign) { 1604 if (!X509_set_issuer_name(ret, subject)) 1605 goto end; 1606 } else { 1607 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509))) 1608 goto end; 1609 } 1610 1611 if (!set_cert_times(ret, startdate, enddate, days)) 1612 goto end; 1613 1614 if (enddate != NULL) { 1615 int tdays; 1616 1617 if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret))) 1618 goto end; 1619 days = tdays; 1620 } 1621 1622 if (!X509_set_subject_name(ret, subject)) 1623 goto end; 1624 1625 pktmp = X509_REQ_get0_pubkey(req); 1626 i = X509_set_pubkey(ret, pktmp); 1627 if (!i) 1628 goto end; 1629 1630 /* Lets add the extensions, if there are any */ 1631 if (ext_sect) { 1632 X509V3_CTX ctx; 1633 1634 /* Initialize the context structure */ 1635 if (selfsign) 1636 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0); 1637 else 1638 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); 1639 1640 if (extconf != NULL) { 1641 if (verbose) 1642 BIO_printf(bio_err, "Extra configuration file found\n"); 1643 1644 /* Use the extconf configuration db LHASH */ 1645 X509V3_set_nconf(&ctx, extconf); 1646 1647 /* Test the structure (needed?) */ 1648 /* X509V3_set_ctx_test(&ctx); */ 1649 1650 /* Adds exts contained in the configuration file */ 1651 if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) { 1652 BIO_printf(bio_err, 1653 "ERROR: adding extensions in section %s\n", 1654 ext_sect); 1655 ERR_print_errors(bio_err); 1656 goto end; 1657 } 1658 if (verbose) 1659 BIO_printf(bio_err, 1660 "Successfully added extensions from file.\n"); 1661 } else if (ext_sect) { 1662 /* We found extensions to be set from config file */ 1663 X509V3_set_nconf(&ctx, lconf); 1664 1665 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) { 1666 BIO_printf(bio_err, 1667 "ERROR: adding extensions in section %s\n", 1668 ext_sect); 1669 ERR_print_errors(bio_err); 1670 goto end; 1671 } 1672 1673 if (verbose) 1674 BIO_printf(bio_err, 1675 "Successfully added extensions from config\n"); 1676 } 1677 } 1678 1679 /* Copy extensions from request (if any) */ 1680 1681 if (!copy_extensions(ret, req, ext_copy)) { 1682 BIO_printf(bio_err, "ERROR: adding extensions from request\n"); 1683 ERR_print_errors(bio_err); 1684 goto end; 1685 } 1686 1687 { 1688 const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret); 1689 1690 if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) 1691 /* Make it an X509 v3 certificate. */ 1692 if (!X509_set_version(ret, 2)) 1693 goto end; 1694 } 1695 1696 if (verbose) 1697 BIO_printf(bio_err, 1698 "The subject name appears to be ok, checking data base for clashes\n"); 1699 1700 /* Build the correct Subject if no e-mail is wanted in the subject. */ 1701 if (!email_dn) { 1702 X509_NAME_ENTRY *tmpne; 1703 X509_NAME *dn_subject; 1704 1705 /* 1706 * Its best to dup the subject DN and then delete any email addresses 1707 * because this retains its structure. 1708 */ 1709 if ((dn_subject = X509_NAME_dup(subject)) == NULL) { 1710 BIO_printf(bio_err, "Memory allocation failure\n"); 1711 goto end; 1712 } 1713 i = -1; 1714 while ((i = X509_NAME_get_index_by_NID(dn_subject, 1715 NID_pkcs9_emailAddress, 1716 i)) >= 0) { 1717 tmpne = X509_NAME_delete_entry(dn_subject, i--); 1718 X509_NAME_ENTRY_free(tmpne); 1719 } 1720 1721 if (!X509_set_subject_name(ret, dn_subject)) { 1722 X509_NAME_free(dn_subject); 1723 goto end; 1724 } 1725 X509_NAME_free(dn_subject); 1726 } 1727 1728 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); 1729 if (row[DB_name] == NULL) { 1730 BIO_printf(bio_err, "Memory allocation failure\n"); 1731 goto end; 1732 } 1733 1734 if (BN_is_zero(serial)) 1735 row[DB_serial] = OPENSSL_strdup("00"); 1736 else 1737 row[DB_serial] = BN_bn2hex(serial); 1738 if (row[DB_serial] == NULL) { 1739 BIO_printf(bio_err, "Memory allocation failure\n"); 1740 goto end; 1741 } 1742 1743 if (row[DB_name][0] == '\0') { 1744 /* 1745 * An empty subject! We'll use the serial number instead. If 1746 * unique_subject is in use then we don't want different entries with 1747 * empty subjects matching each other. 1748 */ 1749 OPENSSL_free(row[DB_name]); 1750 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 1751 if (row[DB_name] == NULL) { 1752 BIO_printf(bio_err, "Memory allocation failure\n"); 1753 goto end; 1754 } 1755 } 1756 1757 if (db->attributes.unique_subject) { 1758 OPENSSL_STRING *crow = row; 1759 1760 rrow = TXT_DB_get_by_index(db->db, DB_name, crow); 1761 if (rrow != NULL) { 1762 BIO_printf(bio_err, 1763 "ERROR:There is already a certificate for %s\n", 1764 row[DB_name]); 1765 } 1766 } 1767 if (rrow == NULL) { 1768 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 1769 if (rrow != NULL) { 1770 BIO_printf(bio_err, 1771 "ERROR:Serial number %s has already been issued,\n", 1772 row[DB_serial]); 1773 BIO_printf(bio_err, 1774 " check the database/serial_file for corruption\n"); 1775 } 1776 } 1777 1778 if (rrow != NULL) { 1779 BIO_printf(bio_err, "The matching entry has the following details\n"); 1780 if (rrow[DB_type][0] == DB_TYPE_EXP) 1781 p = "Expired"; 1782 else if (rrow[DB_type][0] == DB_TYPE_REV) 1783 p = "Revoked"; 1784 else if (rrow[DB_type][0] == DB_TYPE_VAL) 1785 p = "Valid"; 1786 else 1787 p = "\ninvalid type, Data base error\n"; 1788 BIO_printf(bio_err, "Type :%s\n", p);; 1789 if (rrow[DB_type][0] == DB_TYPE_REV) { 1790 p = rrow[DB_exp_date]; 1791 if (p == NULL) 1792 p = "undef"; 1793 BIO_printf(bio_err, "Was revoked on:%s\n", p); 1794 } 1795 p = rrow[DB_exp_date]; 1796 if (p == NULL) 1797 p = "undef"; 1798 BIO_printf(bio_err, "Expires on :%s\n", p); 1799 p = rrow[DB_serial]; 1800 if (p == NULL) 1801 p = "undef"; 1802 BIO_printf(bio_err, "Serial Number :%s\n", p); 1803 p = rrow[DB_file]; 1804 if (p == NULL) 1805 p = "undef"; 1806 BIO_printf(bio_err, "File name :%s\n", p); 1807 p = rrow[DB_name]; 1808 if (p == NULL) 1809 p = "undef"; 1810 BIO_printf(bio_err, "Subject Name :%s\n", p); 1811 ok = -1; /* This is now a 'bad' error. */ 1812 goto end; 1813 } 1814 1815 if (!default_op) { 1816 BIO_printf(bio_err, "Certificate Details:\n"); 1817 /* 1818 * Never print signature details because signature not present 1819 */ 1820 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; 1821 X509_print_ex(bio_err, ret, nameopt, certopt); 1822 } 1823 1824 BIO_printf(bio_err, "Certificate is to be certified until "); 1825 ASN1_TIME_print(bio_err, X509_get0_notAfter(ret)); 1826 if (days) 1827 BIO_printf(bio_err, " (%ld days)", days); 1828 BIO_printf(bio_err, "\n"); 1829 1830 if (!batch) { 1831 1832 BIO_printf(bio_err, "Sign the certificate? [y/n]:"); 1833 (void)BIO_flush(bio_err); 1834 buf[0] = '\0'; 1835 if (fgets(buf, sizeof(buf), stdin) == NULL) { 1836 BIO_printf(bio_err, 1837 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); 1838 ok = 0; 1839 goto end; 1840 } 1841 if (!(buf[0] == 'y' || buf[0] == 'Y')) { 1842 BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); 1843 ok = 0; 1844 goto end; 1845 } 1846 } 1847 1848 pktmp = X509_get0_pubkey(ret); 1849 if (EVP_PKEY_missing_parameters(pktmp) && 1850 !EVP_PKEY_missing_parameters(pkey)) 1851 EVP_PKEY_copy_parameters(pktmp, pkey); 1852 1853 if (!do_X509_sign(ret, pkey, dgst, sigopts)) 1854 goto end; 1855 1856 /* We now just add it to the database as DB_TYPE_VAL('V') */ 1857 row[DB_type] = OPENSSL_strdup("V"); 1858 tm = X509_get0_notAfter(ret); 1859 row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); 1860 memcpy(row[DB_exp_date], tm->data, tm->length); 1861 row[DB_exp_date][tm->length] = '\0'; 1862 row[DB_rev_date] = NULL; 1863 row[DB_file] = OPENSSL_strdup("unknown"); 1864 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || 1865 (row[DB_file] == NULL) || (row[DB_name] == NULL)) { 1866 BIO_printf(bio_err, "Memory allocation failure\n"); 1867 goto end; 1868 } 1869 1870 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space"); 1871 for (i = 0; i < DB_NUMBER; i++) 1872 irow[i] = row[i]; 1873 irow[DB_NUMBER] = NULL; 1874 1875 if (!TXT_DB_insert(db->db, irow)) { 1876 BIO_printf(bio_err, "failed to update database\n"); 1877 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 1878 goto end; 1879 } 1880 irow = NULL; 1881 ok = 1; 1882 end: 1883 if (ok != 1) { 1884 for (i = 0; i < DB_NUMBER; i++) 1885 OPENSSL_free(row[i]); 1886 } 1887 OPENSSL_free(irow); 1888 1889 X509_NAME_free(CAname); 1890 X509_NAME_free(subject); 1891 if (ok <= 0) 1892 X509_free(ret); 1893 else 1894 *xret = ret; 1895 return ok; 1896 } 1897 1898 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) 1899 { 1900 1901 if (output_der) { 1902 (void)i2d_X509_bio(bp, x); 1903 return; 1904 } 1905 if (!notext) 1906 X509_print(bp, x); 1907 PEM_write_bio_X509(bp, x); 1908 } 1909 1910 static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, 1911 X509 *x509, const EVP_MD *dgst, 1912 STACK_OF(OPENSSL_STRING) *sigopts, 1913 STACK_OF(CONF_VALUE) *policy, CA_DB *db, 1914 BIGNUM *serial, const char *subj, unsigned long chtype, 1915 int multirdn, int email_dn, const char *startdate, 1916 const char *enddate, long days, const char *ext_sect, 1917 CONF *lconf, int verbose, unsigned long certopt, 1918 unsigned long nameopt, int default_op, int ext_copy) 1919 { 1920 STACK_OF(CONF_VALUE) *sk = NULL; 1921 LHASH_OF(CONF_VALUE) *parms = NULL; 1922 X509_REQ *req = NULL; 1923 CONF_VALUE *cv = NULL; 1924 NETSCAPE_SPKI *spki = NULL; 1925 char *type, *buf; 1926 EVP_PKEY *pktmp = NULL; 1927 X509_NAME *n = NULL; 1928 X509_NAME_ENTRY *ne = NULL; 1929 int ok = -1, i, j; 1930 long errline; 1931 int nid; 1932 1933 /* 1934 * Load input file into a hash table. (This is just an easy 1935 * way to read and parse the file, then put it into a convenient 1936 * STACK format). 1937 */ 1938 parms = CONF_load(NULL, infile, &errline); 1939 if (parms == NULL) { 1940 BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); 1941 ERR_print_errors(bio_err); 1942 goto end; 1943 } 1944 1945 sk = CONF_get_section(parms, "default"); 1946 if (sk_CONF_VALUE_num(sk) == 0) { 1947 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); 1948 goto end; 1949 } 1950 1951 /* 1952 * Now create a dummy X509 request structure. We don't actually 1953 * have an X509 request, but we have many of the components 1954 * (a public key, various DN components). The idea is that we 1955 * put these components into the right X509 request structure 1956 * and we can use the same code as if you had a real X509 request. 1957 */ 1958 req = X509_REQ_new(); 1959 if (req == NULL) { 1960 ERR_print_errors(bio_err); 1961 goto end; 1962 } 1963 1964 /* 1965 * Build up the subject name set. 1966 */ 1967 n = X509_REQ_get_subject_name(req); 1968 1969 for (i = 0;; i++) { 1970 if (sk_CONF_VALUE_num(sk) <= i) 1971 break; 1972 1973 cv = sk_CONF_VALUE_value(sk, i); 1974 type = cv->name; 1975 /* 1976 * Skip past any leading X. X: X, etc to allow for multiple instances 1977 */ 1978 for (buf = cv->name; *buf; buf++) 1979 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { 1980 buf++; 1981 if (*buf) 1982 type = buf; 1983 break; 1984 } 1985 1986 buf = cv->value; 1987 if ((nid = OBJ_txt2nid(type)) == NID_undef) { 1988 if (strcmp(type, "SPKAC") == 0) { 1989 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); 1990 if (spki == NULL) { 1991 BIO_printf(bio_err, 1992 "unable to load Netscape SPKAC structure\n"); 1993 ERR_print_errors(bio_err); 1994 goto end; 1995 } 1996 } 1997 continue; 1998 } 1999 2000 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 2001 (unsigned char *)buf, -1, -1, 0)) 2002 goto end; 2003 } 2004 if (spki == NULL) { 2005 BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", 2006 infile); 2007 goto end; 2008 } 2009 2010 /* 2011 * Now extract the key from the SPKI structure. 2012 */ 2013 2014 BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); 2015 2016 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { 2017 BIO_printf(bio_err, "error unpacking SPKAC public key\n"); 2018 goto end; 2019 } 2020 2021 j = NETSCAPE_SPKI_verify(spki, pktmp); 2022 if (j <= 0) { 2023 EVP_PKEY_free(pktmp); 2024 BIO_printf(bio_err, 2025 "signature verification failed on SPKAC public key\n"); 2026 goto end; 2027 } 2028 BIO_printf(bio_err, "Signature ok\n"); 2029 2030 X509_REQ_set_pubkey(req, pktmp); 2031 EVP_PKEY_free(pktmp); 2032 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, 2033 chtype, multirdn, email_dn, startdate, enddate, days, 1, 2034 verbose, req, ext_sect, lconf, certopt, nameopt, default_op, 2035 ext_copy, 0); 2036 end: 2037 X509_REQ_free(req); 2038 CONF_free(parms); 2039 NETSCAPE_SPKI_free(spki); 2040 X509_NAME_ENTRY_free(ne); 2041 2042 return ok; 2043 } 2044 2045 static int check_time_format(const char *str) 2046 { 2047 return ASN1_TIME_set_string(NULL, str); 2048 } 2049 2050 static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, 2051 const char *value) 2052 { 2053 const ASN1_TIME *tm = NULL; 2054 char *row[DB_NUMBER], **rrow, **irow; 2055 char *rev_str = NULL; 2056 BIGNUM *bn = NULL; 2057 int ok = -1, i; 2058 2059 for (i = 0; i < DB_NUMBER; i++) 2060 row[i] = NULL; 2061 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); 2062 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); 2063 if (!bn) 2064 goto end; 2065 if (BN_is_zero(bn)) 2066 row[DB_serial] = OPENSSL_strdup("00"); 2067 else 2068 row[DB_serial] = BN_bn2hex(bn); 2069 BN_free(bn); 2070 if (row[DB_name] != NULL && row[DB_name][0] == '\0') { 2071 /* Entries with empty Subjects actually use the serial number instead */ 2072 OPENSSL_free(row[DB_name]); 2073 row[DB_name] = OPENSSL_strdup(row[DB_serial]); 2074 } 2075 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { 2076 BIO_printf(bio_err, "Memory allocation failure\n"); 2077 goto end; 2078 } 2079 /* 2080 * We have to lookup by serial number because name lookup skips revoked 2081 * certs 2082 */ 2083 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2084 if (rrow == NULL) { 2085 BIO_printf(bio_err, 2086 "Adding Entry with serial number %s to DB for %s\n", 2087 row[DB_serial], row[DB_name]); 2088 2089 /* We now just add it to the database as DB_TYPE_REV('V') */ 2090 row[DB_type] = OPENSSL_strdup("V"); 2091 tm = X509_get0_notAfter(x509); 2092 row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); 2093 memcpy(row[DB_exp_date], tm->data, tm->length); 2094 row[DB_exp_date][tm->length] = '\0'; 2095 row[DB_rev_date] = NULL; 2096 row[DB_file] = OPENSSL_strdup("unknown"); 2097 2098 if (row[DB_type] == NULL || row[DB_file] == NULL) { 2099 BIO_printf(bio_err, "Memory allocation failure\n"); 2100 goto end; 2101 } 2102 2103 irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr"); 2104 for (i = 0; i < DB_NUMBER; i++) 2105 irow[i] = row[i]; 2106 irow[DB_NUMBER] = NULL; 2107 2108 if (!TXT_DB_insert(db->db, irow)) { 2109 BIO_printf(bio_err, "failed to update database\n"); 2110 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); 2111 OPENSSL_free(irow); 2112 goto end; 2113 } 2114 2115 for (i = 0; i < DB_NUMBER; i++) 2116 row[i] = NULL; 2117 2118 /* Revoke Certificate */ 2119 if (rev_type == REV_VALID) 2120 ok = 1; 2121 else 2122 /* Retry revocation after DB insertion */ 2123 ok = do_revoke(x509, db, rev_type, value); 2124 2125 goto end; 2126 2127 } else if (index_name_cmp_noconst(row, rrow)) { 2128 BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]); 2129 goto end; 2130 } else if (rev_type == REV_VALID) { 2131 BIO_printf(bio_err, "ERROR:Already present, serial number %s\n", 2132 row[DB_serial]); 2133 goto end; 2134 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2135 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n", 2136 row[DB_serial]); 2137 goto end; 2138 } else { 2139 BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); 2140 rev_str = make_revocation_str(rev_type, value); 2141 if (!rev_str) { 2142 BIO_printf(bio_err, "Error in revocation arguments\n"); 2143 goto end; 2144 } 2145 rrow[DB_type][0] = DB_TYPE_REV; 2146 rrow[DB_type][1] = '\0'; 2147 rrow[DB_rev_date] = rev_str; 2148 } 2149 ok = 1; 2150 end: 2151 for (i = 0; i < DB_NUMBER; i++) 2152 OPENSSL_free(row[i]); 2153 return ok; 2154 } 2155 2156 static int get_certificate_status(const char *serial, CA_DB *db) 2157 { 2158 char *row[DB_NUMBER], **rrow; 2159 int ok = -1, i; 2160 size_t serial_len = strlen(serial); 2161 2162 /* Free Resources */ 2163 for (i = 0; i < DB_NUMBER; i++) 2164 row[i] = NULL; 2165 2166 /* Malloc needed char spaces */ 2167 row[DB_serial] = app_malloc(serial_len + 2, "row serial#"); 2168 2169 if (serial_len % 2) { 2170 /* 2171 * Set the first char to 0 2172 */ 2173 row[DB_serial][0] = '0'; 2174 2175 /* Copy String from serial to row[DB_serial] */ 2176 memcpy(row[DB_serial] + 1, serial, serial_len); 2177 row[DB_serial][serial_len + 1] = '\0'; 2178 } else { 2179 /* Copy String from serial to row[DB_serial] */ 2180 memcpy(row[DB_serial], serial, serial_len); 2181 row[DB_serial][serial_len] = '\0'; 2182 } 2183 2184 /* Make it Upper Case */ 2185 make_uppercase(row[DB_serial]); 2186 2187 ok = 1; 2188 2189 /* Search for the certificate */ 2190 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 2191 if (rrow == NULL) { 2192 BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]); 2193 ok = -1; 2194 goto end; 2195 } else if (rrow[DB_type][0] == DB_TYPE_VAL) { 2196 BIO_printf(bio_err, "%s=Valid (%c)\n", 2197 row[DB_serial], rrow[DB_type][0]); 2198 goto end; 2199 } else if (rrow[DB_type][0] == DB_TYPE_REV) { 2200 BIO_printf(bio_err, "%s=Revoked (%c)\n", 2201 row[DB_serial], rrow[DB_type][0]); 2202 goto end; 2203 } else if (rrow[DB_type][0] == DB_TYPE_EXP) { 2204 BIO_printf(bio_err, "%s=Expired (%c)\n", 2205 row[DB_serial], rrow[DB_type][0]); 2206 goto end; 2207 } else if (rrow[DB_type][0] == DB_TYPE_SUSP) { 2208 BIO_printf(bio_err, "%s=Suspended (%c)\n", 2209 row[DB_serial], rrow[DB_type][0]); 2210 goto end; 2211 } else { 2212 BIO_printf(bio_err, "%s=Unknown (%c).\n", 2213 row[DB_serial], rrow[DB_type][0]); 2214 ok = -1; 2215 } 2216 end: 2217 for (i = 0; i < DB_NUMBER; i++) { 2218 OPENSSL_free(row[i]); 2219 } 2220 return ok; 2221 } 2222 2223 static int do_updatedb(CA_DB *db) 2224 { 2225 ASN1_UTCTIME *a_tm = NULL; 2226 int i, cnt = 0; 2227 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ 2228 char **rrow, *a_tm_s; 2229 2230 a_tm = ASN1_UTCTIME_new(); 2231 if (a_tm == NULL) 2232 return -1; 2233 2234 /* get actual time and make a string */ 2235 if (X509_gmtime_adj(a_tm, 0) == NULL) { 2236 ASN1_UTCTIME_free(a_tm); 2237 return -1; 2238 } 2239 a_tm_s = app_malloc(a_tm->length + 1, "time string"); 2240 2241 memcpy(a_tm_s, a_tm->data, a_tm->length); 2242 a_tm_s[a_tm->length] = '\0'; 2243 2244 if (strncmp(a_tm_s, "49", 2) <= 0) 2245 a_y2k = 1; 2246 else 2247 a_y2k = 0; 2248 2249 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 2250 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); 2251 2252 if (rrow[DB_type][0] == DB_TYPE_VAL) { 2253 /* ignore entries that are not valid */ 2254 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) 2255 db_y2k = 1; 2256 else 2257 db_y2k = 0; 2258 2259 if (db_y2k == a_y2k) { 2260 /* all on the same y2k side */ 2261 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { 2262 rrow[DB_type][0] = DB_TYPE_EXP; 2263 rrow[DB_type][1] = '\0'; 2264 cnt++; 2265 2266 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); 2267 } 2268 } else if (db_y2k < a_y2k) { 2269 rrow[DB_type][0] = DB_TYPE_EXP; 2270 rrow[DB_type][1] = '\0'; 2271 cnt++; 2272 2273 BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); 2274 } 2275 2276 } 2277 } 2278 2279 ASN1_UTCTIME_free(a_tm); 2280 OPENSSL_free(a_tm_s); 2281 return cnt; 2282 } 2283 2284 static const char *crl_reasons[] = { 2285 /* CRL reason strings */ 2286 "unspecified", 2287 "keyCompromise", 2288 "CACompromise", 2289 "affiliationChanged", 2290 "superseded", 2291 "cessationOfOperation", 2292 "certificateHold", 2293 "removeFromCRL", 2294 /* Additional pseudo reasons */ 2295 "holdInstruction", 2296 "keyTime", 2297 "CAkeyTime" 2298 }; 2299 2300 #define NUM_REASONS OSSL_NELEM(crl_reasons) 2301 2302 /* 2303 * Given revocation information convert to a DB string. The format of the 2304 * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time 2305 * (the current time). 'reason' is the optional CRL reason and 'extra' is any 2306 * additional argument 2307 */ 2308 2309 static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg) 2310 { 2311 char *str; 2312 const char *reason = NULL, *other = NULL; 2313 ASN1_OBJECT *otmp; 2314 ASN1_UTCTIME *revtm = NULL; 2315 int i; 2316 2317 switch (rev_type) { 2318 case REV_NONE: 2319 case REV_VALID: 2320 break; 2321 2322 case REV_CRL_REASON: 2323 for (i = 0; i < 8; i++) { 2324 if (strcasecmp(rev_arg, crl_reasons[i]) == 0) { 2325 reason = crl_reasons[i]; 2326 break; 2327 } 2328 } 2329 if (reason == NULL) { 2330 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); 2331 return NULL; 2332 } 2333 break; 2334 2335 case REV_HOLD: 2336 /* Argument is an OID */ 2337 otmp = OBJ_txt2obj(rev_arg, 0); 2338 ASN1_OBJECT_free(otmp); 2339 2340 if (otmp == NULL) { 2341 BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); 2342 return NULL; 2343 } 2344 2345 reason = "holdInstruction"; 2346 other = rev_arg; 2347 break; 2348 2349 case REV_KEY_COMPROMISE: 2350 case REV_CA_COMPROMISE: 2351 /* Argument is the key compromise time */ 2352 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { 2353 BIO_printf(bio_err, 2354 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", 2355 rev_arg); 2356 return NULL; 2357 } 2358 other = rev_arg; 2359 if (rev_type == REV_KEY_COMPROMISE) 2360 reason = "keyTime"; 2361 else 2362 reason = "CAkeyTime"; 2363 2364 break; 2365 } 2366 2367 revtm = X509_gmtime_adj(NULL, 0); 2368 2369 if (!revtm) 2370 return NULL; 2371 2372 i = revtm->length + 1; 2373 2374 if (reason) 2375 i += strlen(reason) + 1; 2376 if (other) 2377 i += strlen(other) + 1; 2378 2379 str = app_malloc(i, "revocation reason"); 2380 OPENSSL_strlcpy(str, (char *)revtm->data, i); 2381 if (reason) { 2382 OPENSSL_strlcat(str, ",", i); 2383 OPENSSL_strlcat(str, reason, i); 2384 } 2385 if (other) { 2386 OPENSSL_strlcat(str, ",", i); 2387 OPENSSL_strlcat(str, other, i); 2388 } 2389 ASN1_UTCTIME_free(revtm); 2390 return str; 2391 } 2392 2393 /*- 2394 * Convert revocation field to X509_REVOKED entry 2395 * return code: 2396 * 0 error 2397 * 1 OK 2398 * 2 OK and some extensions added (i.e. V2 CRL) 2399 */ 2400 2401 static int make_revoked(X509_REVOKED *rev, const char *str) 2402 { 2403 char *tmp = NULL; 2404 int reason_code = -1; 2405 int i, ret = 0; 2406 ASN1_OBJECT *hold = NULL; 2407 ASN1_GENERALIZEDTIME *comp_time = NULL; 2408 ASN1_ENUMERATED *rtmp = NULL; 2409 2410 ASN1_TIME *revDate = NULL; 2411 2412 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); 2413 2414 if (i == 0) 2415 goto end; 2416 2417 if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) 2418 goto end; 2419 2420 if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { 2421 rtmp = ASN1_ENUMERATED_new(); 2422 if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) 2423 goto end; 2424 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) 2425 goto end; 2426 } 2427 2428 if (rev && comp_time) { 2429 if (!X509_REVOKED_add1_ext_i2d 2430 (rev, NID_invalidity_date, comp_time, 0, 0)) 2431 goto end; 2432 } 2433 if (rev && hold) { 2434 if (!X509_REVOKED_add1_ext_i2d 2435 (rev, NID_hold_instruction_code, hold, 0, 0)) 2436 goto end; 2437 } 2438 2439 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) 2440 ret = 2; 2441 else 2442 ret = 1; 2443 2444 end: 2445 2446 OPENSSL_free(tmp); 2447 ASN1_OBJECT_free(hold); 2448 ASN1_GENERALIZEDTIME_free(comp_time); 2449 ASN1_ENUMERATED_free(rtmp); 2450 ASN1_TIME_free(revDate); 2451 2452 return ret; 2453 } 2454 2455 static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str) 2456 { 2457 char buf[25], *pbuf; 2458 const char *p; 2459 int j; 2460 2461 j = i2a_ASN1_OBJECT(bio_err, obj); 2462 pbuf = buf; 2463 for (j = 22 - j; j > 0; j--) 2464 *(pbuf++) = ' '; 2465 *(pbuf++) = ':'; 2466 *(pbuf++) = '\0'; 2467 BIO_puts(bio_err, buf); 2468 2469 if (str->type == V_ASN1_PRINTABLESTRING) 2470 BIO_printf(bio_err, "PRINTABLE:'"); 2471 else if (str->type == V_ASN1_T61STRING) 2472 BIO_printf(bio_err, "T61STRING:'"); 2473 else if (str->type == V_ASN1_IA5STRING) 2474 BIO_printf(bio_err, "IA5STRING:'"); 2475 else if (str->type == V_ASN1_UNIVERSALSTRING) 2476 BIO_printf(bio_err, "UNIVERSALSTRING:'"); 2477 else 2478 BIO_printf(bio_err, "ASN.1 %2d:'", str->type); 2479 2480 p = (const char *)str->data; 2481 for (j = str->length; j > 0; j--) { 2482 if ((*p >= ' ') && (*p <= '~')) 2483 BIO_printf(bio_err, "%c", *p); 2484 else if (*p & 0x80) 2485 BIO_printf(bio_err, "\\0x%02X", *p); 2486 else if ((unsigned char)*p == 0xf7) 2487 BIO_printf(bio_err, "^?"); 2488 else 2489 BIO_printf(bio_err, "^%c", *p + '@'); 2490 p++; 2491 } 2492 BIO_printf(bio_err, "'\n"); 2493 return 1; 2494 } 2495 2496 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, 2497 ASN1_GENERALIZEDTIME **pinvtm, const char *str) 2498 { 2499 char *tmp; 2500 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; 2501 int reason_code = -1; 2502 int ret = 0; 2503 unsigned int i; 2504 ASN1_OBJECT *hold = NULL; 2505 ASN1_GENERALIZEDTIME *comp_time = NULL; 2506 2507 tmp = OPENSSL_strdup(str); 2508 if (!tmp) { 2509 BIO_printf(bio_err, "memory allocation failure\n"); 2510 goto end; 2511 } 2512 2513 p = strchr(tmp, ','); 2514 2515 rtime_str = tmp; 2516 2517 if (p) { 2518 *p = '\0'; 2519 p++; 2520 reason_str = p; 2521 p = strchr(p, ','); 2522 if (p) { 2523 *p = '\0'; 2524 arg_str = p + 1; 2525 } 2526 } 2527 2528 if (prevtm) { 2529 *prevtm = ASN1_UTCTIME_new(); 2530 if (*prevtm == NULL) { 2531 BIO_printf(bio_err, "memory allocation failure\n"); 2532 goto end; 2533 } 2534 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { 2535 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); 2536 goto end; 2537 } 2538 } 2539 if (reason_str) { 2540 for (i = 0; i < NUM_REASONS; i++) { 2541 if (strcasecmp(reason_str, crl_reasons[i]) == 0) { 2542 reason_code = i; 2543 break; 2544 } 2545 } 2546 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { 2547 BIO_printf(bio_err, "invalid reason code %s\n", reason_str); 2548 goto end; 2549 } 2550 2551 if (reason_code == 7) { 2552 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; 2553 } else if (reason_code == 8) { /* Hold instruction */ 2554 if (!arg_str) { 2555 BIO_printf(bio_err, "missing hold instruction\n"); 2556 goto end; 2557 } 2558 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; 2559 hold = OBJ_txt2obj(arg_str, 0); 2560 2561 if (!hold) { 2562 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); 2563 goto end; 2564 } 2565 if (phold) 2566 *phold = hold; 2567 else 2568 ASN1_OBJECT_free(hold); 2569 } else if ((reason_code == 9) || (reason_code == 10)) { 2570 if (!arg_str) { 2571 BIO_printf(bio_err, "missing compromised time\n"); 2572 goto end; 2573 } 2574 comp_time = ASN1_GENERALIZEDTIME_new(); 2575 if (comp_time == NULL) { 2576 BIO_printf(bio_err, "memory allocation failure\n"); 2577 goto end; 2578 } 2579 if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { 2580 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); 2581 goto end; 2582 } 2583 if (reason_code == 9) 2584 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; 2585 else 2586 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; 2587 } 2588 } 2589 2590 if (preason) 2591 *preason = reason_code; 2592 if (pinvtm) { 2593 *pinvtm = comp_time; 2594 comp_time = NULL; 2595 } 2596 2597 ret = 1; 2598 2599 end: 2600 2601 OPENSSL_free(tmp); 2602 ASN1_GENERALIZEDTIME_free(comp_time); 2603 2604 return ret; 2605 } 2606