1 /* 2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include "apps.h" 14 #include "progs.h" 15 #include <openssl/bio.h> 16 #include <openssl/asn1.h> 17 #include <openssl/err.h> 18 #include <openssl/bn.h> 19 #include <openssl/evp.h> 20 #include <openssl/x509.h> 21 #include <openssl/x509v3.h> 22 #include <openssl/objects.h> 23 #include <openssl/pem.h> 24 #ifndef OPENSSL_NO_RSA 25 # include <openssl/rsa.h> 26 #endif 27 #ifndef OPENSSL_NO_DSA 28 # include <openssl/dsa.h> 29 #endif 30 31 #undef POSTFIX 32 #define POSTFIX ".srl" 33 #define DEF_DAYS 30 34 35 static int callb(int ok, X509_STORE_CTX *ctx); 36 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 37 const EVP_MD *digest, CONF *conf, const char *section, 38 int preserve_dates); 39 static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, 40 X509 *x, X509 *xca, EVP_PKEY *pkey, 41 STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, 42 int create, int days, int clrext, CONF *conf, 43 const char *section, ASN1_INTEGER *sno, int reqfile, 44 int preserve_dates); 45 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 46 static int print_x509v3_exts(BIO *bio, X509 *x, const char *exts); 47 48 typedef enum OPTION_choice { 49 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 50 OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, 51 OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, 52 OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, 53 OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY, 54 OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, 55 OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, 56 OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH, 57 OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES, 58 OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, 59 OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, 60 OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, 61 OPT_SUBJECT_HASH_OLD, 62 OPT_ISSUER_HASH_OLD, 63 OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES, 64 OPT_R_ENUM, OPT_EXT 65 } OPTION_CHOICE; 66 67 const OPTIONS x509_options[] = { 68 {"help", OPT_HELP, '-', "Display this summary"}, 69 {"inform", OPT_INFORM, 'f', 70 "Input format - default PEM (one of DER or PEM)"}, 71 {"in", OPT_IN, '<', "Input file - default stdin"}, 72 {"outform", OPT_OUTFORM, 'f', 73 "Output format - default PEM (one of DER or PEM)"}, 74 {"out", OPT_OUT, '>', "Output file - default stdout"}, 75 {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, 76 {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, 77 {"serial", OPT_SERIAL, '-', "Print serial number value"}, 78 {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, 79 {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, 80 {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, 81 {"subject", OPT_SUBJECT, '-', "Print subject DN"}, 82 {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, 83 {"email", OPT_EMAIL, '-', "Print email address(es)"}, 84 {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, 85 {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, 86 {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, 87 {"dates", OPT_DATES, '-', "Both Before and After dates"}, 88 {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, 89 {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, 90 {"fingerprint", OPT_FINGERPRINT, '-', 91 "Print the certificate fingerprint"}, 92 {"alias", OPT_ALIAS, '-', "Output certificate alias"}, 93 {"noout", OPT_NOOUT, '-', "No output, just status"}, 94 {"nocert", OPT_NOCERT, '-', "No certificate output"}, 95 {"ocspid", OPT_OCSPID, '-', 96 "Print OCSP hash values for the subject name and public key"}, 97 {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, 98 {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, 99 {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, 100 {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, 101 {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, 102 {"addreject", OPT_ADDREJECT, 's', 103 "Reject certificate for a given purpose"}, 104 {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, 105 {"days", OPT_DAYS, 'n', 106 "How long till expiry of a signed certificate - def 30 days"}, 107 {"checkend", OPT_CHECKEND, 'M', 108 "Check whether the cert expires in the next arg seconds"}, 109 {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, 110 {"signkey", OPT_SIGNKEY, 's', "Self sign cert with arg"}, 111 {"x509toreq", OPT_X509TOREQ, '-', 112 "Output a certification request object"}, 113 {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, 114 {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, 115 {"CAkey", OPT_CAKEY, 's', 116 "The CA key, must be PEM format; if not in CAfile"}, 117 {"CAcreateserial", OPT_CACREATESERIAL, '-', 118 "Create serial number file if it does not exist"}, 119 {"CAserial", OPT_CASERIAL, 's', "Serial file"}, 120 {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, 121 {"text", OPT_TEXT, '-', "Print the certificate in text form"}, 122 {"ext", OPT_EXT, 's', "Print various X509V3 extensions"}, 123 {"C", OPT_C, '-', "Print out C code forms"}, 124 {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, 125 OPT_R_OPTIONS, 126 {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, 127 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, 128 {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, 129 {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, 130 {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, 131 {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, 132 {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, 133 {"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"}, 134 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 135 {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"}, 136 {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, 137 {"clrreject", OPT_CLRREJECT, '-', 138 "Clears all the prohibited or rejected uses of the certificate"}, 139 {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, 140 {"", OPT_MD, '-', "Any supported digest"}, 141 #ifndef OPENSSL_NO_MD5 142 {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', 143 "Print old-style (MD5) subject hash value"}, 144 {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', 145 "Print old-style (MD5) issuer hash value"}, 146 #endif 147 #ifndef OPENSSL_NO_ENGINE 148 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 149 #endif 150 {"preserve_dates", OPT_PRESERVE_DATES, '-', "preserve existing dates when signing"}, 151 {NULL} 152 }; 153 154 int x509_main(int argc, char **argv) 155 { 156 ASN1_INTEGER *sno = NULL; 157 ASN1_OBJECT *objtmp = NULL; 158 BIO *out = NULL; 159 CONF *extconf = NULL; 160 EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; 161 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; 162 STACK_OF(OPENSSL_STRING) *sigopts = NULL; 163 X509 *x = NULL, *xca = NULL; 164 X509_REQ *req = NULL, *rq = NULL; 165 X509_STORE *ctx = NULL; 166 const EVP_MD *digest = NULL; 167 char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; 168 char *checkhost = NULL, *checkemail = NULL, *checkip = NULL, *exts = NULL; 169 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; 170 char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; 171 char *prog; 172 int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; 173 int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; 174 int fingerprint = 0, reqfile = 0, checkend = 0; 175 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; 176 int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; 177 int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; 178 int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; 179 int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; 180 int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, ext = 0; 181 int enddate = 0; 182 time_t checkoffset = 0; 183 unsigned long certflag = 0; 184 int preserve_dates = 0; 185 OPTION_CHOICE o; 186 ENGINE *e = NULL; 187 #ifndef OPENSSL_NO_MD5 188 int subject_hash_old = 0, issuer_hash_old = 0; 189 #endif 190 191 ctx = X509_STORE_new(); 192 if (ctx == NULL) 193 goto end; 194 X509_STORE_set_verify_cb(ctx, callb); 195 196 prog = opt_init(argc, argv, x509_options); 197 while ((o = opt_next()) != OPT_EOF) { 198 switch (o) { 199 case OPT_EOF: 200 case OPT_ERR: 201 opthelp: 202 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 203 goto end; 204 case OPT_HELP: 205 opt_help(x509_options); 206 ret = 0; 207 goto end; 208 case OPT_INFORM: 209 if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) 210 goto opthelp; 211 break; 212 case OPT_IN: 213 infile = opt_arg(); 214 break; 215 case OPT_OUTFORM: 216 if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) 217 goto opthelp; 218 break; 219 case OPT_KEYFORM: 220 if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat)) 221 goto opthelp; 222 break; 223 case OPT_CAFORM: 224 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat)) 225 goto opthelp; 226 break; 227 case OPT_CAKEYFORM: 228 if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat)) 229 goto opthelp; 230 break; 231 case OPT_OUT: 232 outfile = opt_arg(); 233 break; 234 case OPT_REQ: 235 reqfile = 1; 236 break; 237 238 case OPT_SIGOPT: 239 if (!sigopts) 240 sigopts = sk_OPENSSL_STRING_new_null(); 241 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 242 goto opthelp; 243 break; 244 case OPT_DAYS: 245 if (preserve_dates) 246 goto opthelp; 247 days = atoi(opt_arg()); 248 break; 249 case OPT_PASSIN: 250 passinarg = opt_arg(); 251 break; 252 case OPT_EXTFILE: 253 extfile = opt_arg(); 254 break; 255 case OPT_R_CASES: 256 if (!opt_rand(o)) 257 goto end; 258 break; 259 case OPT_EXTENSIONS: 260 extsect = opt_arg(); 261 break; 262 case OPT_SIGNKEY: 263 keyfile = opt_arg(); 264 sign_flag = ++num; 265 break; 266 case OPT_CA: 267 CAfile = opt_arg(); 268 CA_flag = ++num; 269 break; 270 case OPT_CAKEY: 271 CAkeyfile = opt_arg(); 272 break; 273 case OPT_CASERIAL: 274 CAserial = opt_arg(); 275 break; 276 case OPT_SET_SERIAL: 277 if (sno != NULL) { 278 BIO_printf(bio_err, "Serial number supplied twice\n"); 279 goto opthelp; 280 } 281 if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) 282 goto opthelp; 283 break; 284 case OPT_FORCE_PUBKEY: 285 fkeyfile = opt_arg(); 286 break; 287 case OPT_ADDTRUST: 288 if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { 289 BIO_printf(bio_err, 290 "%s: Invalid trust object value %s\n", 291 prog, opt_arg()); 292 goto opthelp; 293 } 294 if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) 295 goto end; 296 sk_ASN1_OBJECT_push(trust, objtmp); 297 objtmp = NULL; 298 trustout = 1; 299 break; 300 case OPT_ADDREJECT: 301 if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { 302 BIO_printf(bio_err, 303 "%s: Invalid reject object value %s\n", 304 prog, opt_arg()); 305 goto opthelp; 306 } 307 if (reject == NULL 308 && (reject = sk_ASN1_OBJECT_new_null()) == NULL) 309 goto end; 310 sk_ASN1_OBJECT_push(reject, objtmp); 311 objtmp = NULL; 312 trustout = 1; 313 break; 314 case OPT_SETALIAS: 315 alias = opt_arg(); 316 trustout = 1; 317 break; 318 case OPT_CERTOPT: 319 if (!set_cert_ex(&certflag, opt_arg())) 320 goto opthelp; 321 break; 322 case OPT_NAMEOPT: 323 if (!set_nameopt(opt_arg())) 324 goto opthelp; 325 break; 326 case OPT_ENGINE: 327 e = setup_engine(opt_arg(), 0); 328 break; 329 case OPT_C: 330 C = ++num; 331 break; 332 case OPT_EMAIL: 333 email = ++num; 334 break; 335 case OPT_OCSP_URI: 336 ocsp_uri = ++num; 337 break; 338 case OPT_SERIAL: 339 serial = ++num; 340 break; 341 case OPT_NEXT_SERIAL: 342 next_serial = ++num; 343 break; 344 case OPT_MODULUS: 345 modulus = ++num; 346 break; 347 case OPT_PUBKEY: 348 pubkey = ++num; 349 break; 350 case OPT_X509TOREQ: 351 x509req = ++num; 352 break; 353 case OPT_TEXT: 354 text = ++num; 355 break; 356 case OPT_SUBJECT: 357 subject = ++num; 358 break; 359 case OPT_ISSUER: 360 issuer = ++num; 361 break; 362 case OPT_FINGERPRINT: 363 fingerprint = ++num; 364 break; 365 case OPT_HASH: 366 subject_hash = ++num; 367 break; 368 case OPT_ISSUER_HASH: 369 issuer_hash = ++num; 370 break; 371 case OPT_PURPOSE: 372 pprint = ++num; 373 break; 374 case OPT_STARTDATE: 375 startdate = ++num; 376 break; 377 case OPT_ENDDATE: 378 enddate = ++num; 379 break; 380 case OPT_NOOUT: 381 noout = ++num; 382 break; 383 case OPT_EXT: 384 ext = ++num; 385 exts = opt_arg(); 386 break; 387 case OPT_NOCERT: 388 nocert = 1; 389 break; 390 case OPT_TRUSTOUT: 391 trustout = 1; 392 break; 393 case OPT_CLRTRUST: 394 clrtrust = ++num; 395 break; 396 case OPT_CLRREJECT: 397 clrreject = ++num; 398 break; 399 case OPT_ALIAS: 400 aliasout = ++num; 401 break; 402 case OPT_CACREATESERIAL: 403 CA_createserial = ++num; 404 break; 405 case OPT_CLREXT: 406 clrext = 1; 407 break; 408 case OPT_OCSPID: 409 ocspid = ++num; 410 break; 411 case OPT_BADSIG: 412 badsig = 1; 413 break; 414 #ifndef OPENSSL_NO_MD5 415 case OPT_SUBJECT_HASH_OLD: 416 subject_hash_old = ++num; 417 break; 418 case OPT_ISSUER_HASH_OLD: 419 issuer_hash_old = ++num; 420 break; 421 #else 422 case OPT_SUBJECT_HASH_OLD: 423 case OPT_ISSUER_HASH_OLD: 424 break; 425 #endif 426 case OPT_DATES: 427 startdate = ++num; 428 enddate = ++num; 429 break; 430 case OPT_CHECKEND: 431 checkend = 1; 432 { 433 intmax_t temp = 0; 434 if (!opt_imax(opt_arg(), &temp)) 435 goto opthelp; 436 checkoffset = (time_t)temp; 437 if ((intmax_t)checkoffset != temp) { 438 BIO_printf(bio_err, "%s: checkend time out of range %s\n", 439 prog, opt_arg()); 440 goto opthelp; 441 } 442 } 443 break; 444 case OPT_CHECKHOST: 445 checkhost = opt_arg(); 446 break; 447 case OPT_CHECKEMAIL: 448 checkemail = opt_arg(); 449 break; 450 case OPT_CHECKIP: 451 checkip = opt_arg(); 452 break; 453 case OPT_PRESERVE_DATES: 454 if (days != DEF_DAYS) 455 goto opthelp; 456 preserve_dates = 1; 457 break; 458 case OPT_MD: 459 if (!opt_md(opt_unknown(), &digest)) 460 goto opthelp; 461 } 462 } 463 argc = opt_num_rest(); 464 argv = opt_rest(); 465 if (argc != 0) { 466 BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]); 467 goto opthelp; 468 } 469 470 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 471 BIO_printf(bio_err, "Error getting password\n"); 472 goto end; 473 } 474 475 if (!X509_STORE_set_default_paths(ctx)) { 476 ERR_print_errors(bio_err); 477 goto end; 478 } 479 480 if (fkeyfile != NULL) { 481 fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key"); 482 if (fkey == NULL) 483 goto end; 484 } 485 486 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { 487 CAkeyfile = CAfile; 488 } else if ((CA_flag) && (CAkeyfile == NULL)) { 489 BIO_printf(bio_err, 490 "need to specify a CAkey if using the CA command\n"); 491 goto end; 492 } 493 494 if (extfile != NULL) { 495 X509V3_CTX ctx2; 496 if ((extconf = app_load_config(extfile)) == NULL) 497 goto end; 498 if (extsect == NULL) { 499 extsect = NCONF_get_string(extconf, "default", "extensions"); 500 if (extsect == NULL) { 501 ERR_clear_error(); 502 extsect = "default"; 503 } 504 } 505 X509V3_set_ctx_test(&ctx2); 506 X509V3_set_nconf(&ctx2, extconf); 507 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { 508 BIO_printf(bio_err, 509 "Error Loading extension section %s\n", extsect); 510 ERR_print_errors(bio_err); 511 goto end; 512 } 513 } 514 515 if (reqfile) { 516 EVP_PKEY *pkey; 517 BIO *in; 518 519 if (!sign_flag && !CA_flag) { 520 BIO_printf(bio_err, "We need a private key to sign with\n"); 521 goto end; 522 } 523 in = bio_open_default(infile, 'r', informat); 524 if (in == NULL) 525 goto end; 526 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); 527 BIO_free(in); 528 529 if (req == NULL) { 530 ERR_print_errors(bio_err); 531 goto end; 532 } 533 534 if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { 535 BIO_printf(bio_err, "error unpacking public key\n"); 536 goto end; 537 } 538 i = X509_REQ_verify(req, pkey); 539 if (i < 0) { 540 BIO_printf(bio_err, "Signature verification error\n"); 541 ERR_print_errors(bio_err); 542 goto end; 543 } 544 if (i == 0) { 545 BIO_printf(bio_err, 546 "Signature did not match the certificate request\n"); 547 goto end; 548 } else { 549 BIO_printf(bio_err, "Signature ok\n"); 550 } 551 552 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), 553 get_nameopt()); 554 555 if ((x = X509_new()) == NULL) 556 goto end; 557 558 if (sno == NULL) { 559 sno = ASN1_INTEGER_new(); 560 if (sno == NULL || !rand_serial(NULL, sno)) 561 goto end; 562 if (!X509_set_serialNumber(x, sno)) 563 goto end; 564 ASN1_INTEGER_free(sno); 565 sno = NULL; 566 } else if (!X509_set_serialNumber(x, sno)) { 567 goto end; 568 } 569 570 if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) 571 goto end; 572 if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) 573 goto end; 574 if (!set_cert_times(x, NULL, NULL, days)) 575 goto end; 576 577 if (fkey != NULL) { 578 X509_set_pubkey(x, fkey); 579 } else { 580 pkey = X509_REQ_get0_pubkey(req); 581 X509_set_pubkey(x, pkey); 582 } 583 } else { 584 x = load_cert(infile, informat, "Certificate"); 585 } 586 587 if (x == NULL) 588 goto end; 589 if (CA_flag) { 590 xca = load_cert(CAfile, CAformat, "CA Certificate"); 591 if (xca == NULL) 592 goto end; 593 } 594 595 out = bio_open_default(outfile, 'w', outformat); 596 if (out == NULL) 597 goto end; 598 599 if (!noout || text || next_serial) 600 OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); 601 602 if (alias) 603 X509_alias_set1(x, (unsigned char *)alias, -1); 604 605 if (clrtrust) 606 X509_trust_clear(x); 607 if (clrreject) 608 X509_reject_clear(x); 609 610 if (trust != NULL) { 611 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { 612 objtmp = sk_ASN1_OBJECT_value(trust, i); 613 X509_add1_trust_object(x, objtmp); 614 } 615 objtmp = NULL; 616 } 617 618 if (reject != NULL) { 619 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { 620 objtmp = sk_ASN1_OBJECT_value(reject, i); 621 X509_add1_reject_object(x, objtmp); 622 } 623 objtmp = NULL; 624 } 625 626 if (badsig) { 627 const ASN1_BIT_STRING *signature; 628 629 X509_get0_signature(&signature, NULL, x); 630 corrupt_signature(signature); 631 } 632 633 if (num) { 634 for (i = 1; i <= num; i++) { 635 if (issuer == i) { 636 print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); 637 } else if (subject == i) { 638 print_name(out, "subject=", 639 X509_get_subject_name(x), get_nameopt()); 640 } else if (serial == i) { 641 BIO_printf(out, "serial="); 642 i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); 643 BIO_printf(out, "\n"); 644 } else if (next_serial == i) { 645 ASN1_INTEGER *ser = X509_get_serialNumber(x); 646 BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); 647 648 if (!bnser) 649 goto end; 650 if (!BN_add_word(bnser, 1)) 651 goto end; 652 ser = BN_to_ASN1_INTEGER(bnser, NULL); 653 if (!ser) 654 goto end; 655 BN_free(bnser); 656 i2a_ASN1_INTEGER(out, ser); 657 ASN1_INTEGER_free(ser); 658 BIO_puts(out, "\n"); 659 } else if ((email == i) || (ocsp_uri == i)) { 660 int j; 661 STACK_OF(OPENSSL_STRING) *emlst; 662 if (email == i) 663 emlst = X509_get1_email(x); 664 else 665 emlst = X509_get1_ocsp(x); 666 for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) 667 BIO_printf(out, "%s\n", 668 sk_OPENSSL_STRING_value(emlst, j)); 669 X509_email_free(emlst); 670 } else if (aliasout == i) { 671 unsigned char *alstr; 672 alstr = X509_alias_get0(x, NULL); 673 if (alstr) 674 BIO_printf(out, "%s\n", alstr); 675 else 676 BIO_puts(out, "<No Alias>\n"); 677 } else if (subject_hash == i) { 678 BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); 679 } 680 #ifndef OPENSSL_NO_MD5 681 else if (subject_hash_old == i) { 682 BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); 683 } 684 #endif 685 else if (issuer_hash == i) { 686 BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); 687 } 688 #ifndef OPENSSL_NO_MD5 689 else if (issuer_hash_old == i) { 690 BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); 691 } 692 #endif 693 else if (pprint == i) { 694 X509_PURPOSE *ptmp; 695 int j; 696 BIO_printf(out, "Certificate purposes:\n"); 697 for (j = 0; j < X509_PURPOSE_get_count(); j++) { 698 ptmp = X509_PURPOSE_get0(j); 699 purpose_print(out, x, ptmp); 700 } 701 } else if (modulus == i) { 702 EVP_PKEY *pkey; 703 704 pkey = X509_get0_pubkey(x); 705 if (pkey == NULL) { 706 BIO_printf(bio_err, "Modulus=unavailable\n"); 707 ERR_print_errors(bio_err); 708 goto end; 709 } 710 BIO_printf(out, "Modulus="); 711 #ifndef OPENSSL_NO_RSA 712 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { 713 const BIGNUM *n; 714 RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL); 715 BN_print(out, n); 716 } else 717 #endif 718 #ifndef OPENSSL_NO_DSA 719 if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { 720 const BIGNUM *dsapub = NULL; 721 DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); 722 BN_print(out, dsapub); 723 } else 724 #endif 725 { 726 BIO_printf(out, "Wrong Algorithm type"); 727 } 728 BIO_printf(out, "\n"); 729 } else if (pubkey == i) { 730 EVP_PKEY *pkey; 731 732 pkey = X509_get0_pubkey(x); 733 if (pkey == NULL) { 734 BIO_printf(bio_err, "Error getting public key\n"); 735 ERR_print_errors(bio_err); 736 goto end; 737 } 738 PEM_write_bio_PUBKEY(out, pkey); 739 } else if (C == i) { 740 unsigned char *d; 741 char *m; 742 int len; 743 744 print_name(out, "/*\n" 745 " * Subject: ", X509_get_subject_name(x), get_nameopt()); 746 print_name(out, " * Issuer: ", X509_get_issuer_name(x), get_nameopt()); 747 BIO_puts(out, " */\n"); 748 749 len = i2d_X509(x, NULL); 750 m = app_malloc(len, "x509 name buffer"); 751 d = (unsigned char *)m; 752 len = i2d_X509_NAME(X509_get_subject_name(x), &d); 753 print_array(out, "the_subject_name", len, (unsigned char *)m); 754 d = (unsigned char *)m; 755 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); 756 print_array(out, "the_public_key", len, (unsigned char *)m); 757 d = (unsigned char *)m; 758 len = i2d_X509(x, &d); 759 print_array(out, "the_certificate", len, (unsigned char *)m); 760 OPENSSL_free(m); 761 } else if (text == i) { 762 X509_print_ex(out, x, get_nameopt(), certflag); 763 } else if (startdate == i) { 764 BIO_puts(out, "notBefore="); 765 ASN1_TIME_print(out, X509_get0_notBefore(x)); 766 BIO_puts(out, "\n"); 767 } else if (enddate == i) { 768 BIO_puts(out, "notAfter="); 769 ASN1_TIME_print(out, X509_get0_notAfter(x)); 770 BIO_puts(out, "\n"); 771 } else if (fingerprint == i) { 772 int j; 773 unsigned int n; 774 unsigned char md[EVP_MAX_MD_SIZE]; 775 const EVP_MD *fdig = digest; 776 777 if (fdig == NULL) 778 fdig = EVP_sha1(); 779 780 if (!X509_digest(x, fdig, md, &n)) { 781 BIO_printf(bio_err, "out of memory\n"); 782 goto end; 783 } 784 BIO_printf(out, "%s Fingerprint=", 785 OBJ_nid2sn(EVP_MD_type(fdig))); 786 for (j = 0; j < (int)n; j++) { 787 BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) 788 ? '\n' : ':'); 789 } 790 } 791 792 /* should be in the library */ 793 else if ((sign_flag == i) && (x509req == 0)) { 794 BIO_printf(bio_err, "Getting Private key\n"); 795 if (Upkey == NULL) { 796 Upkey = load_key(keyfile, keyformat, 0, 797 passin, e, "Private key"); 798 if (Upkey == NULL) 799 goto end; 800 } 801 802 if (!sign(x, Upkey, days, clrext, digest, extconf, extsect, preserve_dates)) 803 goto end; 804 } else if (CA_flag == i) { 805 BIO_printf(bio_err, "Getting CA Private Key\n"); 806 if (CAkeyfile != NULL) { 807 CApkey = load_key(CAkeyfile, CAkeyformat, 808 0, passin, e, "CA Private Key"); 809 if (CApkey == NULL) 810 goto end; 811 } 812 813 if (!x509_certify(ctx, CAfile, digest, x, xca, 814 CApkey, sigopts, 815 CAserial, CA_createserial, days, clrext, 816 extconf, extsect, sno, reqfile, preserve_dates)) 817 goto end; 818 } else if (x509req == i) { 819 EVP_PKEY *pk; 820 821 BIO_printf(bio_err, "Getting request Private Key\n"); 822 if (keyfile == NULL) { 823 BIO_printf(bio_err, "no request key file specified\n"); 824 goto end; 825 } else { 826 pk = load_key(keyfile, keyformat, 0, 827 passin, e, "request key"); 828 if (pk == NULL) 829 goto end; 830 } 831 832 BIO_printf(bio_err, "Generating certificate request\n"); 833 834 rq = X509_to_X509_REQ(x, pk, digest); 835 EVP_PKEY_free(pk); 836 if (rq == NULL) { 837 ERR_print_errors(bio_err); 838 goto end; 839 } 840 if (!noout) { 841 X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT); 842 PEM_write_bio_X509_REQ(out, rq); 843 } 844 noout = 1; 845 } else if (ocspid == i) { 846 X509_ocspid_print(out, x); 847 } else if (ext == i) { 848 print_x509v3_exts(out, x, exts); 849 } 850 } 851 } 852 853 if (checkend) { 854 time_t tcheck = time(NULL) + checkoffset; 855 856 if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { 857 BIO_printf(out, "Certificate will expire\n"); 858 ret = 1; 859 } else { 860 BIO_printf(out, "Certificate will not expire\n"); 861 ret = 0; 862 } 863 goto end; 864 } 865 866 print_cert_checks(out, x, checkhost, checkemail, checkip); 867 868 if (noout || nocert) { 869 ret = 0; 870 goto end; 871 } 872 873 if (outformat == FORMAT_ASN1) { 874 i = i2d_X509_bio(out, x); 875 } else if (outformat == FORMAT_PEM) { 876 if (trustout) 877 i = PEM_write_bio_X509_AUX(out, x); 878 else 879 i = PEM_write_bio_X509(out, x); 880 } else { 881 BIO_printf(bio_err, "bad output format specified for outfile\n"); 882 goto end; 883 } 884 if (!i) { 885 BIO_printf(bio_err, "unable to write certificate\n"); 886 ERR_print_errors(bio_err); 887 goto end; 888 } 889 ret = 0; 890 end: 891 NCONF_free(extconf); 892 BIO_free_all(out); 893 X509_STORE_free(ctx); 894 X509_REQ_free(req); 895 X509_free(x); 896 X509_free(xca); 897 EVP_PKEY_free(Upkey); 898 EVP_PKEY_free(CApkey); 899 EVP_PKEY_free(fkey); 900 sk_OPENSSL_STRING_free(sigopts); 901 X509_REQ_free(rq); 902 ASN1_INTEGER_free(sno); 903 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 904 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 905 ASN1_OBJECT_free(objtmp); 906 release_engine(e); 907 OPENSSL_free(passin); 908 return ret; 909 } 910 911 static ASN1_INTEGER *x509_load_serial(const char *CAfile, 912 const char *serialfile, int create) 913 { 914 char *buf = NULL; 915 ASN1_INTEGER *bs = NULL; 916 BIGNUM *serial = NULL; 917 918 if (serialfile == NULL) { 919 const char *p = strrchr(CAfile, '.'); 920 size_t len = p != NULL ? (size_t)(p - CAfile) : strlen(CAfile); 921 922 buf = app_malloc(len + sizeof(POSTFIX), "serial# buffer"); 923 memcpy(buf, CAfile, len); 924 memcpy(buf + len, POSTFIX, sizeof(POSTFIX)); 925 serialfile = buf; 926 } 927 928 serial = load_serial(serialfile, create, NULL); 929 if (serial == NULL) 930 goto end; 931 932 if (!BN_add_word(serial, 1)) { 933 BIO_printf(bio_err, "add_word failure\n"); 934 goto end; 935 } 936 937 if (!save_serial(serialfile, NULL, serial, &bs)) 938 goto end; 939 940 end: 941 OPENSSL_free(buf); 942 BN_free(serial); 943 return bs; 944 } 945 946 static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, 947 X509 *x, X509 *xca, EVP_PKEY *pkey, 948 STACK_OF(OPENSSL_STRING) *sigopts, 949 const char *serialfile, int create, 950 int days, int clrext, CONF *conf, const char *section, 951 ASN1_INTEGER *sno, int reqfile, int preserve_dates) 952 { 953 int ret = 0; 954 ASN1_INTEGER *bs = NULL; 955 X509_STORE_CTX *xsc = NULL; 956 EVP_PKEY *upkey; 957 958 upkey = X509_get0_pubkey(xca); 959 if (upkey == NULL) { 960 BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); 961 goto end; 962 } 963 EVP_PKEY_copy_parameters(upkey, pkey); 964 965 xsc = X509_STORE_CTX_new(); 966 if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { 967 BIO_printf(bio_err, "Error initialising X509 store\n"); 968 goto end; 969 } 970 if (sno) 971 bs = sno; 972 else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) 973 goto end; 974 975 /* 976 * NOTE: this certificate can/should be self signed, unless it was a 977 * certificate request in which case it is not. 978 */ 979 X509_STORE_CTX_set_cert(xsc, x); 980 X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); 981 if (!reqfile && X509_verify_cert(xsc) <= 0) 982 goto end; 983 984 if (!X509_check_private_key(xca, pkey)) { 985 BIO_printf(bio_err, 986 "CA certificate and CA private key do not match\n"); 987 goto end; 988 } 989 990 if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) 991 goto end; 992 if (!X509_set_serialNumber(x, bs)) 993 goto end; 994 995 if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) 996 goto end; 997 998 if (clrext) { 999 while (X509_get_ext_count(x) > 0) 1000 X509_delete_ext(x, 0); 1001 } 1002 1003 if (conf != NULL) { 1004 X509V3_CTX ctx2; 1005 X509_set_version(x, 2); /* version 3 certificate */ 1006 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); 1007 X509V3_set_nconf(&ctx2, conf); 1008 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) 1009 goto end; 1010 } 1011 1012 if (!do_X509_sign(x, pkey, digest, sigopts)) 1013 goto end; 1014 ret = 1; 1015 end: 1016 X509_STORE_CTX_free(xsc); 1017 if (!ret) 1018 ERR_print_errors(bio_err); 1019 if (!sno) 1020 ASN1_INTEGER_free(bs); 1021 return ret; 1022 } 1023 1024 static int callb(int ok, X509_STORE_CTX *ctx) 1025 { 1026 int err; 1027 X509 *err_cert; 1028 1029 /* 1030 * it is ok to use a self signed certificate This case will catch both 1031 * the initial ok == 0 and the final ok == 1 calls to this function 1032 */ 1033 err = X509_STORE_CTX_get_error(ctx); 1034 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) 1035 return 1; 1036 1037 /* 1038 * BAD we should have gotten an error. Normally if everything worked 1039 * X509_STORE_CTX_get_error(ctx) will still be set to 1040 * DEPTH_ZERO_SELF_.... 1041 */ 1042 if (ok) { 1043 BIO_printf(bio_err, 1044 "error with certificate to be certified - should be self signed\n"); 1045 return 0; 1046 } else { 1047 err_cert = X509_STORE_CTX_get_current_cert(ctx); 1048 print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); 1049 BIO_printf(bio_err, 1050 "error with certificate - error %d at depth %d\n%s\n", err, 1051 X509_STORE_CTX_get_error_depth(ctx), 1052 X509_verify_cert_error_string(err)); 1053 return 1; 1054 } 1055 } 1056 1057 /* self sign */ 1058 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 1059 const EVP_MD *digest, CONF *conf, const char *section, 1060 int preserve_dates) 1061 { 1062 1063 if (!X509_set_issuer_name(x, X509_get_subject_name(x))) 1064 goto err; 1065 if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) 1066 goto err; 1067 if (!X509_set_pubkey(x, pkey)) 1068 goto err; 1069 if (clrext) { 1070 while (X509_get_ext_count(x) > 0) 1071 X509_delete_ext(x, 0); 1072 } 1073 if (conf != NULL) { 1074 X509V3_CTX ctx; 1075 X509_set_version(x, 2); /* version 3 certificate */ 1076 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); 1077 X509V3_set_nconf(&ctx, conf); 1078 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) 1079 goto err; 1080 } 1081 if (!X509_sign(x, pkey, digest)) 1082 goto err; 1083 return 1; 1084 err: 1085 ERR_print_errors(bio_err); 1086 return 0; 1087 } 1088 1089 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) 1090 { 1091 int id, i, idret; 1092 const char *pname; 1093 id = X509_PURPOSE_get_id(pt); 1094 pname = X509_PURPOSE_get0_name(pt); 1095 for (i = 0; i < 2; i++) { 1096 idret = X509_check_purpose(cert, id, i); 1097 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 1098 if (idret == 1) 1099 BIO_printf(bio, "Yes\n"); 1100 else if (idret == 0) 1101 BIO_printf(bio, "No\n"); 1102 else 1103 BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); 1104 } 1105 return 1; 1106 } 1107 1108 static int parse_ext_names(char *names, const char **result) 1109 { 1110 char *p, *q; 1111 int cnt = 0, len = 0; 1112 1113 p = q = names; 1114 len = strlen(names); 1115 1116 while (q - names <= len) { 1117 if (*q != ',' && *q != '\0') { 1118 q++; 1119 continue; 1120 } 1121 if (p != q) { 1122 /* found */ 1123 if (result != NULL) { 1124 result[cnt] = p; 1125 *q = '\0'; 1126 } 1127 cnt++; 1128 } 1129 p = ++q; 1130 } 1131 1132 return cnt; 1133 } 1134 1135 static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names) 1136 { 1137 const STACK_OF(X509_EXTENSION) *exts = NULL; 1138 STACK_OF(X509_EXTENSION) *exts2 = NULL; 1139 X509_EXTENSION *ext = NULL; 1140 ASN1_OBJECT *obj; 1141 int i, j, ret = 0, num, nn = 0; 1142 const char *sn, **names = NULL; 1143 char *tmp_ext_names = NULL; 1144 1145 exts = X509_get0_extensions(x); 1146 if ((num = sk_X509_EXTENSION_num(exts)) <= 0) { 1147 BIO_printf(bio, "No extensions in certificate\n"); 1148 ret = 1; 1149 goto end; 1150 } 1151 1152 /* parse comma separated ext name string */ 1153 if ((tmp_ext_names = OPENSSL_strdup(ext_names)) == NULL) 1154 goto end; 1155 if ((nn = parse_ext_names(tmp_ext_names, NULL)) == 0) { 1156 BIO_printf(bio, "Invalid extension names: %s\n", ext_names); 1157 goto end; 1158 } 1159 if ((names = OPENSSL_malloc(sizeof(char *) * nn)) == NULL) 1160 goto end; 1161 parse_ext_names(tmp_ext_names, names); 1162 1163 for (i = 0; i < num; i++) { 1164 ext = sk_X509_EXTENSION_value(exts, i); 1165 1166 /* check if this ext is what we want */ 1167 obj = X509_EXTENSION_get_object(ext); 1168 sn = OBJ_nid2sn(OBJ_obj2nid(obj)); 1169 if (sn == NULL || strcmp(sn, "UNDEF") == 0) 1170 continue; 1171 1172 for (j = 0; j < nn; j++) { 1173 if (strcmp(sn, names[j]) == 0) { 1174 /* push the extension into a new stack */ 1175 if (exts2 == NULL 1176 && (exts2 = sk_X509_EXTENSION_new_null()) == NULL) 1177 goto end; 1178 if (!sk_X509_EXTENSION_push(exts2, ext)) 1179 goto end; 1180 } 1181 } 1182 } 1183 1184 if (!sk_X509_EXTENSION_num(exts2)) { 1185 BIO_printf(bio, "No extensions matched with %s\n", ext_names); 1186 ret = 1; 1187 goto end; 1188 } 1189 1190 ret = X509V3_extensions_print(bio, NULL, exts2, 0, 0); 1191 end: 1192 sk_X509_EXTENSION_free(exts2); 1193 OPENSSL_free(names); 1194 OPENSSL_free(tmp_ext_names); 1195 return ret; 1196 } 1197