1 |
|
|
/* $OpenBSD: x509.c,v 1.12 2015/10/17 15:00:11 doug Exp $ */ |
2 |
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 |
|
|
* All rights reserved. |
4 |
|
|
* |
5 |
|
|
* This package is an SSL implementation written |
6 |
|
|
* by Eric Young (eay@cryptsoft.com). |
7 |
|
|
* The implementation was written so as to conform with Netscapes SSL. |
8 |
|
|
* |
9 |
|
|
* This library is free for commercial and non-commercial use as long as |
10 |
|
|
* the following conditions are aheared to. The following conditions |
11 |
|
|
* apply to all code found in this distribution, be it the RC4, RSA, |
12 |
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 |
|
|
* included with this distribution is covered by the same copyright terms |
14 |
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 |
|
|
* |
16 |
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in |
17 |
|
|
* the code are not to be removed. |
18 |
|
|
* If this package is used in a product, Eric Young should be given attribution |
19 |
|
|
* as the author of the parts of the library used. |
20 |
|
|
* This can be in the form of a textual message at program startup or |
21 |
|
|
* in documentation (online or textual) provided with the package. |
22 |
|
|
* |
23 |
|
|
* Redistribution and use in source and binary forms, with or without |
24 |
|
|
* modification, are permitted provided that the following conditions |
25 |
|
|
* are met: |
26 |
|
|
* 1. Redistributions of source code must retain the copyright |
27 |
|
|
* notice, this list of conditions and the following disclaimer. |
28 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
29 |
|
|
* notice, this list of conditions and the following disclaimer in the |
30 |
|
|
* documentation and/or other materials provided with the distribution. |
31 |
|
|
* 3. All advertising materials mentioning features or use of this software |
32 |
|
|
* must display the following acknowledgement: |
33 |
|
|
* "This product includes cryptographic software written by |
34 |
|
|
* Eric Young (eay@cryptsoft.com)" |
35 |
|
|
* The word 'cryptographic' can be left out if the rouines from the library |
36 |
|
|
* being used are not cryptographic related :-). |
37 |
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from |
38 |
|
|
* the apps directory (application code) you must include an acknowledgement: |
39 |
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 |
|
|
* |
41 |
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 |
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 |
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 |
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 |
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 |
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 |
|
|
* SUCH DAMAGE. |
52 |
|
|
* |
53 |
|
|
* The licence and distribution terms for any publically available version or |
54 |
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be |
55 |
|
|
* copied and put under another distribution licence |
56 |
|
|
* [including the GNU Public Licence.] |
57 |
|
|
*/ |
58 |
|
|
|
59 |
|
|
#include <assert.h> |
60 |
|
|
#include <stdio.h> |
61 |
|
|
#include <stdlib.h> |
62 |
|
|
#include <limits.h> |
63 |
|
|
#include <string.h> |
64 |
|
|
|
65 |
|
|
#include "apps.h" |
66 |
|
|
|
67 |
|
|
#include <openssl/asn1.h> |
68 |
|
|
#include <openssl/bio.h> |
69 |
|
|
#include <openssl/bn.h> |
70 |
|
|
#include <openssl/err.h> |
71 |
|
|
#include <openssl/evp.h> |
72 |
|
|
#include <openssl/objects.h> |
73 |
|
|
#include <openssl/pem.h> |
74 |
|
|
#include <openssl/x509.h> |
75 |
|
|
#include <openssl/x509v3.h> |
76 |
|
|
|
77 |
|
|
#include <openssl/dsa.h> |
78 |
|
|
|
79 |
|
|
#include <openssl/rsa.h> |
80 |
|
|
|
81 |
|
|
#define POSTFIX ".srl" |
82 |
|
|
#define DEF_DAYS 30 |
83 |
|
|
|
84 |
|
|
static const char *x509_usage[] = { |
85 |
|
|
"usage: x509 args\n", |
86 |
|
|
" -inform arg - input format - default PEM (one of DER, NET or PEM)\n", |
87 |
|
|
" -outform arg - output format - default PEM (one of DER, NET or PEM)\n", |
88 |
|
|
" -keyform arg - private key format - default PEM\n", |
89 |
|
|
" -CAform arg - CA format - default PEM\n", |
90 |
|
|
" -CAkeyform arg - CA key format - default PEM\n", |
91 |
|
|
" -in arg - input file - default stdin\n", |
92 |
|
|
" -out arg - output file - default stdout\n", |
93 |
|
|
" -passin arg - private key password source\n", |
94 |
|
|
" -serial - print serial number value\n", |
95 |
|
|
" -subject_hash - print subject hash value\n", |
96 |
|
|
#ifndef OPENSSL_NO_MD5 |
97 |
|
|
" -subject_hash_old - print old-style (MD5) subject hash value\n", |
98 |
|
|
#endif |
99 |
|
|
" -issuer_hash - print issuer hash value\n", |
100 |
|
|
#ifndef OPENSSL_NO_MD5 |
101 |
|
|
" -issuer_hash_old - print old-style (MD5) issuer hash value\n", |
102 |
|
|
#endif |
103 |
|
|
" -hash - synonym for -subject_hash\n", |
104 |
|
|
" -subject - print subject DN\n", |
105 |
|
|
" -issuer - print issuer DN\n", |
106 |
|
|
" -email - print email address(es)\n", |
107 |
|
|
" -startdate - notBefore field\n", |
108 |
|
|
" -enddate - notAfter field\n", |
109 |
|
|
" -purpose - print out certificate purposes\n", |
110 |
|
|
" -dates - both Before and After dates\n", |
111 |
|
|
" -modulus - print the RSA key modulus\n", |
112 |
|
|
" -pubkey - output the public key\n", |
113 |
|
|
" -fingerprint - print the certificate fingerprint\n", |
114 |
|
|
" -alias - output certificate alias\n", |
115 |
|
|
" -noout - no certificate output\n", |
116 |
|
|
" -ocspid - print OCSP hash values for the subject name and public key\n", |
117 |
|
|
" -ocsp_uri - print OCSP Responder URL(s)\n", |
118 |
|
|
" -trustout - output a \"trusted\" certificate\n", |
119 |
|
|
" -clrtrust - clear all trusted purposes\n", |
120 |
|
|
" -clrreject - clear all rejected purposes\n", |
121 |
|
|
" -addtrust arg - trust certificate for a given purpose\n", |
122 |
|
|
" -addreject arg - reject certificate for a given purpose\n", |
123 |
|
|
" -setalias arg - set certificate alias\n", |
124 |
|
|
" -days arg - How long till expiry of a signed certificate - def 30 days\n", |
125 |
|
|
" -checkend arg - check whether the cert expires in the next arg seconds\n", |
126 |
|
|
" exit 1 if so, 0 if not\n", |
127 |
|
|
" -signkey arg - self sign cert with arg\n", |
128 |
|
|
" -x509toreq - output a certification request object\n", |
129 |
|
|
" -req - input is a certificate request, sign and output.\n", |
130 |
|
|
" -CA arg - set the CA certificate, must be PEM format.\n", |
131 |
|
|
" -CAkey arg - set the CA key, must be PEM format\n", |
132 |
|
|
" missing, it is assumed to be in the CA file.\n", |
133 |
|
|
" -CAcreateserial - create serial number file if it does not exist\n", |
134 |
|
|
" -CAserial arg - serial file\n", |
135 |
|
|
" -set_serial - serial number to use\n", |
136 |
|
|
" -text - print the certificate in text form\n", |
137 |
|
|
" -C - print out C code forms\n", |
138 |
|
|
" -md5/-sha1 - digest to use\n", |
139 |
|
|
" -extfile - configuration file with X509V3 extensions to add\n", |
140 |
|
|
" -extensions - section from config file with X509V3 extensions to add\n", |
141 |
|
|
" -clrext - delete extensions before signing and input certificate\n", |
142 |
|
|
" -nameopt arg - various certificate name options\n", |
143 |
|
|
" -certopt arg - various certificate text options\n", |
144 |
|
|
NULL |
145 |
|
|
}; |
146 |
|
|
|
147 |
|
|
static int callb(int ok, X509_STORE_CTX *ctx); |
148 |
|
|
static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, |
149 |
|
|
const EVP_MD *digest, CONF *conf, char *section); |
150 |
|
|
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, |
151 |
|
|
X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, |
152 |
|
|
char *serial, int create, int days, int clrext, CONF *conf, char *section, |
153 |
|
|
ASN1_INTEGER *sno); |
154 |
|
|
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); |
155 |
|
|
static int reqfile = 0; |
156 |
|
|
|
157 |
|
|
int |
158 |
|
|
x509_main(int argc, char **argv) |
159 |
|
|
{ |
160 |
|
|
int ret = 1; |
161 |
|
|
X509_REQ *req = NULL; |
162 |
|
|
X509 *x = NULL, *xca = NULL; |
163 |
|
|
ASN1_OBJECT *objtmp; |
164 |
|
|
STACK_OF(OPENSSL_STRING) *sigopts = NULL; |
165 |
|
|
EVP_PKEY *Upkey = NULL, *CApkey = NULL; |
166 |
|
|
ASN1_INTEGER *sno = NULL; |
167 |
|
|
int i, num, badops = 0; |
168 |
|
|
BIO *out = NULL; |
169 |
|
|
BIO *STDout = NULL; |
170 |
|
|
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; |
171 |
|
|
int informat, outformat, keyformat, CAformat, CAkeyformat; |
172 |
|
|
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; |
173 |
|
|
char *CAkeyfile = NULL, *CAserial = NULL; |
174 |
|
|
char *alias = NULL; |
175 |
|
|
int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, |
176 |
|
|
enddate = 0; |
177 |
|
|
int next_serial = 0; |
178 |
|
|
int subject_hash = 0, issuer_hash = 0, ocspid = 0; |
179 |
|
|
#ifndef OPENSSL_NO_MD5 |
180 |
|
|
int subject_hash_old = 0, issuer_hash_old = 0; |
181 |
|
|
#endif |
182 |
|
|
int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, |
183 |
|
|
email = 0; |
184 |
|
|
int ocsp_uri = 0; |
185 |
|
|
int trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0, clrext = 0; |
186 |
|
|
int C = 0; |
187 |
|
|
int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0; |
188 |
|
|
int pprint = 0; |
189 |
|
|
const char **pp; |
190 |
|
|
X509_STORE *ctx = NULL; |
191 |
|
|
X509_REQ *rq = NULL; |
192 |
|
|
int fingerprint = 0; |
193 |
|
|
char buf[256]; |
194 |
|
|
const EVP_MD *md_alg, *digest = NULL; |
195 |
|
|
CONF *extconf = NULL; |
196 |
|
|
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; |
197 |
|
|
int checkend = 0, checkoffset = 0; |
198 |
|
|
unsigned long nmflag = 0, certflag = 0; |
199 |
|
|
const char *errstr = NULL; |
200 |
|
|
|
201 |
|
|
if (single_execution) { |
202 |
|
|
if (pledge("stdio rpath wpath cpath tty", NULL) == -1) { |
203 |
|
|
perror("pledge"); |
204 |
|
|
exit(1); |
205 |
|
|
} |
206 |
|
|
} |
207 |
|
|
|
208 |
|
|
reqfile = 0; |
209 |
|
|
|
210 |
|
|
STDout = BIO_new_fp(stdout, BIO_NOCLOSE); |
211 |
|
|
|
212 |
|
|
informat = FORMAT_PEM; |
213 |
|
|
outformat = FORMAT_PEM; |
214 |
|
|
keyformat = FORMAT_PEM; |
215 |
|
|
CAformat = FORMAT_PEM; |
216 |
|
|
CAkeyformat = FORMAT_PEM; |
217 |
|
|
|
218 |
|
|
ctx = X509_STORE_new(); |
219 |
|
|
if (ctx == NULL) |
220 |
|
|
goto end; |
221 |
|
|
X509_STORE_set_verify_cb(ctx, callb); |
222 |
|
|
|
223 |
|
|
argc--; |
224 |
|
|
argv++; |
225 |
|
|
num = 0; |
226 |
|
|
while (argc >= 1) { |
227 |
|
|
if (strcmp(*argv, "-inform") == 0) { |
228 |
|
|
if (--argc < 1) |
229 |
|
|
goto bad; |
230 |
|
|
informat = str2fmt(*(++argv)); |
231 |
|
|
} else if (strcmp(*argv, "-outform") == 0) { |
232 |
|
|
if (--argc < 1) |
233 |
|
|
goto bad; |
234 |
|
|
outformat = str2fmt(*(++argv)); |
235 |
|
|
} else if (strcmp(*argv, "-keyform") == 0) { |
236 |
|
|
if (--argc < 1) |
237 |
|
|
goto bad; |
238 |
|
|
keyformat = str2fmt(*(++argv)); |
239 |
|
|
} else if (strcmp(*argv, "-req") == 0) { |
240 |
|
|
reqfile = 1; |
241 |
|
|
} else if (strcmp(*argv, "-CAform") == 0) { |
242 |
|
|
if (--argc < 1) |
243 |
|
|
goto bad; |
244 |
|
|
CAformat = str2fmt(*(++argv)); |
245 |
|
|
} else if (strcmp(*argv, "-CAkeyform") == 0) { |
246 |
|
|
if (--argc < 1) |
247 |
|
|
goto bad; |
248 |
|
|
CAkeyformat = str2fmt(*(++argv)); |
249 |
|
|
} else if (strcmp(*argv, "-sigopt") == 0) { |
250 |
|
|
if (--argc < 1) |
251 |
|
|
goto bad; |
252 |
|
|
if (!sigopts) |
253 |
|
|
sigopts = sk_OPENSSL_STRING_new_null(); |
254 |
|
|
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) |
255 |
|
|
goto bad; |
256 |
|
|
} else if (strcmp(*argv, "-days") == 0) { |
257 |
|
|
if (--argc < 1) |
258 |
|
|
goto bad; |
259 |
|
|
days = strtonum(*(++argv), 1, INT_MAX, &errstr); |
260 |
|
|
if (errstr) { |
261 |
|
|
BIO_printf(bio_err, "bad number of days: %s\n", errstr); |
262 |
|
|
goto bad; |
263 |
|
|
} |
264 |
|
|
} else if (strcmp(*argv, "-passin") == 0) { |
265 |
|
|
if (--argc < 1) |
266 |
|
|
goto bad; |
267 |
|
|
passargin = *(++argv); |
268 |
|
|
} else if (strcmp(*argv, "-extfile") == 0) { |
269 |
|
|
if (--argc < 1) |
270 |
|
|
goto bad; |
271 |
|
|
extfile = *(++argv); |
272 |
|
|
} else if (strcmp(*argv, "-extensions") == 0) { |
273 |
|
|
if (--argc < 1) |
274 |
|
|
goto bad; |
275 |
|
|
extsect = *(++argv); |
276 |
|
|
} else if (strcmp(*argv, "-in") == 0) { |
277 |
|
|
if (--argc < 1) |
278 |
|
|
goto bad; |
279 |
|
|
infile = *(++argv); |
280 |
|
|
} else if (strcmp(*argv, "-out") == 0) { |
281 |
|
|
if (--argc < 1) |
282 |
|
|
goto bad; |
283 |
|
|
outfile = *(++argv); |
284 |
|
|
} else if (strcmp(*argv, "-signkey") == 0) { |
285 |
|
|
if (--argc < 1) |
286 |
|
|
goto bad; |
287 |
|
|
keyfile = *(++argv); |
288 |
|
|
sign_flag = ++num; |
289 |
|
|
} else if (strcmp(*argv, "-CA") == 0) { |
290 |
|
|
if (--argc < 1) |
291 |
|
|
goto bad; |
292 |
|
|
CAfile = *(++argv); |
293 |
|
|
CA_flag = ++num; |
294 |
|
|
} else if (strcmp(*argv, "-CAkey") == 0) { |
295 |
|
|
if (--argc < 1) |
296 |
|
|
goto bad; |
297 |
|
|
CAkeyfile = *(++argv); |
298 |
|
|
} else if (strcmp(*argv, "-CAserial") == 0) { |
299 |
|
|
if (--argc < 1) |
300 |
|
|
goto bad; |
301 |
|
|
CAserial = *(++argv); |
302 |
|
|
} else if (strcmp(*argv, "-set_serial") == 0) { |
303 |
|
|
if (--argc < 1) |
304 |
|
|
goto bad; |
305 |
|
|
ASN1_INTEGER_free(sno); |
306 |
|
|
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) |
307 |
|
|
goto bad; |
308 |
|
|
} else if (strcmp(*argv, "-addtrust") == 0) { |
309 |
|
|
if (--argc < 1) |
310 |
|
|
goto bad; |
311 |
|
|
if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { |
312 |
|
|
BIO_printf(bio_err, |
313 |
|
|
"Invalid trust object value %s\n", *argv); |
314 |
|
|
goto bad; |
315 |
|
|
} |
316 |
|
|
if (!trust) |
317 |
|
|
trust = sk_ASN1_OBJECT_new_null(); |
318 |
|
|
sk_ASN1_OBJECT_push(trust, objtmp); |
319 |
|
|
trustout = 1; |
320 |
|
|
} else if (strcmp(*argv, "-addreject") == 0) { |
321 |
|
|
if (--argc < 1) |
322 |
|
|
goto bad; |
323 |
|
|
if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { |
324 |
|
|
BIO_printf(bio_err, |
325 |
|
|
"Invalid reject object value %s\n", *argv); |
326 |
|
|
goto bad; |
327 |
|
|
} |
328 |
|
|
if (!reject) |
329 |
|
|
reject = sk_ASN1_OBJECT_new_null(); |
330 |
|
|
sk_ASN1_OBJECT_push(reject, objtmp); |
331 |
|
|
trustout = 1; |
332 |
|
|
} else if (strcmp(*argv, "-setalias") == 0) { |
333 |
|
|
if (--argc < 1) |
334 |
|
|
goto bad; |
335 |
|
|
alias = *(++argv); |
336 |
|
|
trustout = 1; |
337 |
|
|
} else if (strcmp(*argv, "-certopt") == 0) { |
338 |
|
|
if (--argc < 1) |
339 |
|
|
goto bad; |
340 |
|
|
if (!set_cert_ex(&certflag, *(++argv))) |
341 |
|
|
goto bad; |
342 |
|
|
} else if (strcmp(*argv, "-nameopt") == 0) { |
343 |
|
|
if (--argc < 1) |
344 |
|
|
goto bad; |
345 |
|
|
if (!set_name_ex(&nmflag, *(++argv))) |
346 |
|
|
goto bad; |
347 |
|
|
} |
348 |
|
|
else if (strcmp(*argv, "-C") == 0) |
349 |
|
|
C = ++num; |
350 |
|
|
else if (strcmp(*argv, "-email") == 0) |
351 |
|
|
email = ++num; |
352 |
|
|
else if (strcmp(*argv, "-ocsp_uri") == 0) |
353 |
|
|
ocsp_uri = ++num; |
354 |
|
|
else if (strcmp(*argv, "-serial") == 0) |
355 |
|
|
serial = ++num; |
356 |
|
|
else if (strcmp(*argv, "-next_serial") == 0) |
357 |
|
|
next_serial = ++num; |
358 |
|
|
else if (strcmp(*argv, "-modulus") == 0) |
359 |
|
|
modulus = ++num; |
360 |
|
|
else if (strcmp(*argv, "-pubkey") == 0) |
361 |
|
|
pubkey = ++num; |
362 |
|
|
else if (strcmp(*argv, "-x509toreq") == 0) |
363 |
|
|
x509req = ++num; |
364 |
|
|
else if (strcmp(*argv, "-text") == 0) |
365 |
|
|
text = ++num; |
366 |
|
|
else if (strcmp(*argv, "-hash") == 0 || |
367 |
|
|
strcmp(*argv, "-subject_hash") == 0) |
368 |
|
|
subject_hash = ++num; |
369 |
|
|
#ifndef OPENSSL_NO_MD5 |
370 |
|
|
else if (strcmp(*argv, "-subject_hash_old") == 0) |
371 |
|
|
subject_hash_old = ++num; |
372 |
|
|
#endif |
373 |
|
|
else if (strcmp(*argv, "-issuer_hash") == 0) |
374 |
|
|
issuer_hash = ++num; |
375 |
|
|
#ifndef OPENSSL_NO_MD5 |
376 |
|
|
else if (strcmp(*argv, "-issuer_hash_old") == 0) |
377 |
|
|
issuer_hash_old = ++num; |
378 |
|
|
#endif |
379 |
|
|
else if (strcmp(*argv, "-subject") == 0) |
380 |
|
|
subject = ++num; |
381 |
|
|
else if (strcmp(*argv, "-issuer") == 0) |
382 |
|
|
issuer = ++num; |
383 |
|
|
else if (strcmp(*argv, "-fingerprint") == 0) |
384 |
|
|
fingerprint = ++num; |
385 |
|
|
else if (strcmp(*argv, "-dates") == 0) { |
386 |
|
|
startdate = ++num; |
387 |
|
|
enddate = ++num; |
388 |
|
|
} else if (strcmp(*argv, "-purpose") == 0) |
389 |
|
|
pprint = ++num; |
390 |
|
|
else if (strcmp(*argv, "-startdate") == 0) |
391 |
|
|
startdate = ++num; |
392 |
|
|
else if (strcmp(*argv, "-enddate") == 0) |
393 |
|
|
enddate = ++num; |
394 |
|
|
else if (strcmp(*argv, "-checkend") == 0) { |
395 |
|
|
if (--argc < 1) |
396 |
|
|
goto bad; |
397 |
|
|
checkoffset = strtonum(*(++argv), 0, INT_MAX, &errstr); |
398 |
|
|
if (errstr) { |
399 |
|
|
BIO_printf(bio_err, "checkend unusable: %s\n", errstr); |
400 |
|
|
goto bad; |
401 |
|
|
} |
402 |
|
|
checkend = 1; |
403 |
|
|
} else if (strcmp(*argv, "-noout") == 0) |
404 |
|
|
noout = ++num; |
405 |
|
|
else if (strcmp(*argv, "-trustout") == 0) |
406 |
|
|
trustout = 1; |
407 |
|
|
else if (strcmp(*argv, "-clrtrust") == 0) |
408 |
|
|
clrtrust = ++num; |
409 |
|
|
else if (strcmp(*argv, "-clrreject") == 0) |
410 |
|
|
clrreject = ++num; |
411 |
|
|
else if (strcmp(*argv, "-alias") == 0) |
412 |
|
|
aliasout = ++num; |
413 |
|
|
else if (strcmp(*argv, "-CAcreateserial") == 0) |
414 |
|
|
CA_createserial = ++num; |
415 |
|
|
else if (strcmp(*argv, "-clrext") == 0) |
416 |
|
|
clrext = 1; |
417 |
|
|
else if (strcmp(*argv, "-ocspid") == 0) |
418 |
|
|
ocspid = ++num; |
419 |
|
|
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) { |
420 |
|
|
/* ok */ |
421 |
|
|
digest = md_alg; |
422 |
|
|
} else { |
423 |
|
|
BIO_printf(bio_err, "unknown option %s\n", *argv); |
424 |
|
|
badops = 1; |
425 |
|
|
break; |
426 |
|
|
} |
427 |
|
|
argc--; |
428 |
|
|
argv++; |
429 |
|
|
} |
430 |
|
|
|
431 |
|
|
if (badops) { |
432 |
|
|
bad: |
433 |
|
|
for (pp = x509_usage; (*pp != NULL); pp++) |
434 |
|
|
BIO_printf(bio_err, "%s", *pp); |
435 |
|
|
goto end; |
436 |
|
|
} |
437 |
|
|
|
438 |
|
|
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { |
439 |
|
|
BIO_printf(bio_err, "Error getting password\n"); |
440 |
|
|
goto end; |
441 |
|
|
} |
442 |
|
|
if (!X509_STORE_set_default_paths(ctx)) { |
443 |
|
|
ERR_print_errors(bio_err); |
444 |
|
|
goto end; |
445 |
|
|
} |
446 |
|
|
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { |
447 |
|
|
CAkeyfile = CAfile; |
448 |
|
|
} else if ((CA_flag) && (CAkeyfile == NULL)) { |
449 |
|
|
BIO_printf(bio_err, |
450 |
|
|
"need to specify a CAkey if using the CA command\n"); |
451 |
|
|
goto end; |
452 |
|
|
} |
453 |
|
|
if (extfile) { |
454 |
|
|
long errorline = -1; |
455 |
|
|
X509V3_CTX ctx2; |
456 |
|
|
extconf = NCONF_new(NULL); |
457 |
|
|
if (!NCONF_load(extconf, extfile, &errorline)) { |
458 |
|
|
if (errorline <= 0) |
459 |
|
|
BIO_printf(bio_err, |
460 |
|
|
"error loading the config file '%s'\n", |
461 |
|
|
extfile); |
462 |
|
|
else |
463 |
|
|
BIO_printf(bio_err, |
464 |
|
|
"error on line %ld of config file '%s'\n", |
465 |
|
|
errorline, extfile); |
466 |
|
|
goto end; |
467 |
|
|
} |
468 |
|
|
if (!extsect) { |
469 |
|
|
extsect = NCONF_get_string(extconf, "default", |
470 |
|
|
"extensions"); |
471 |
|
|
if (!extsect) { |
472 |
|
|
ERR_clear_error(); |
473 |
|
|
extsect = "default"; |
474 |
|
|
} |
475 |
|
|
} |
476 |
|
|
X509V3_set_ctx_test(&ctx2); |
477 |
|
|
X509V3_set_nconf(&ctx2, extconf); |
478 |
|
|
if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { |
479 |
|
|
BIO_printf(bio_err, |
480 |
|
|
"Error Loading extension section %s\n", |
481 |
|
|
extsect); |
482 |
|
|
ERR_print_errors(bio_err); |
483 |
|
|
goto end; |
484 |
|
|
} |
485 |
|
|
} |
486 |
|
|
if (reqfile) { |
487 |
|
|
EVP_PKEY *pkey; |
488 |
|
|
BIO *in; |
489 |
|
|
|
490 |
|
|
if (!sign_flag && !CA_flag) { |
491 |
|
|
BIO_printf(bio_err, "We need a private key to sign with\n"); |
492 |
|
|
goto end; |
493 |
|
|
} |
494 |
|
|
in = BIO_new(BIO_s_file()); |
495 |
|
|
if (in == NULL) { |
496 |
|
|
ERR_print_errors(bio_err); |
497 |
|
|
goto end; |
498 |
|
|
} |
499 |
|
|
if (infile == NULL) |
500 |
|
|
BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT); |
501 |
|
|
else { |
502 |
|
|
if (BIO_read_filename(in, infile) <= 0) { |
503 |
|
|
perror(infile); |
504 |
|
|
BIO_free(in); |
505 |
|
|
goto end; |
506 |
|
|
} |
507 |
|
|
} |
508 |
|
|
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); |
509 |
|
|
BIO_free(in); |
510 |
|
|
|
511 |
|
|
if (req == NULL) { |
512 |
|
|
ERR_print_errors(bio_err); |
513 |
|
|
goto end; |
514 |
|
|
} |
515 |
|
|
if ((req->req_info == NULL) || |
516 |
|
|
(req->req_info->pubkey == NULL) || |
517 |
|
|
(req->req_info->pubkey->public_key == NULL) || |
518 |
|
|
(req->req_info->pubkey->public_key->data == NULL)) { |
519 |
|
|
BIO_printf(bio_err, "The certificate request appears to corrupted\n"); |
520 |
|
|
BIO_printf(bio_err, "It does not contain a public key\n"); |
521 |
|
|
goto end; |
522 |
|
|
} |
523 |
|
|
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) { |
524 |
|
|
BIO_printf(bio_err, "error unpacking public key\n"); |
525 |
|
|
goto end; |
526 |
|
|
} |
527 |
|
|
i = X509_REQ_verify(req, pkey); |
528 |
|
|
EVP_PKEY_free(pkey); |
529 |
|
|
if (i < 0) { |
530 |
|
|
BIO_printf(bio_err, "Signature verification error\n"); |
531 |
|
|
ERR_print_errors(bio_err); |
532 |
|
|
goto end; |
533 |
|
|
} |
534 |
|
|
if (i == 0) { |
535 |
|
|
BIO_printf(bio_err, "Signature did not match the certificate request\n"); |
536 |
|
|
goto end; |
537 |
|
|
} else |
538 |
|
|
BIO_printf(bio_err, "Signature ok\n"); |
539 |
|
|
|
540 |
|
|
print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); |
541 |
|
|
|
542 |
|
|
if ((x = X509_new()) == NULL) |
543 |
|
|
goto end; |
544 |
|
|
|
545 |
|
|
if (sno == NULL) { |
546 |
|
|
sno = ASN1_INTEGER_new(); |
547 |
|
|
if (!sno || !rand_serial(NULL, sno)) |
548 |
|
|
goto end; |
549 |
|
|
if (!X509_set_serialNumber(x, sno)) |
550 |
|
|
goto end; |
551 |
|
|
ASN1_INTEGER_free(sno); |
552 |
|
|
sno = NULL; |
553 |
|
|
} else if (!X509_set_serialNumber(x, sno)) |
554 |
|
|
goto end; |
555 |
|
|
|
556 |
|
|
if (!X509_set_issuer_name(x, req->req_info->subject)) |
557 |
|
|
goto end; |
558 |
|
|
if (!X509_set_subject_name(x, req->req_info->subject)) |
559 |
|
|
goto end; |
560 |
|
|
|
561 |
|
|
X509_gmtime_adj(X509_get_notBefore(x), 0); |
562 |
|
|
X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); |
563 |
|
|
|
564 |
|
|
pkey = X509_REQ_get_pubkey(req); |
565 |
|
|
X509_set_pubkey(x, pkey); |
566 |
|
|
EVP_PKEY_free(pkey); |
567 |
|
|
} else |
568 |
|
|
x = load_cert(bio_err, infile, informat, NULL, "Certificate"); |
569 |
|
|
|
570 |
|
|
if (x == NULL) |
571 |
|
|
goto end; |
572 |
|
|
if (CA_flag) { |
573 |
|
|
xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate"); |
574 |
|
|
if (xca == NULL) |
575 |
|
|
goto end; |
576 |
|
|
} |
577 |
|
|
if (!noout || text || next_serial) { |
578 |
|
|
OBJ_create("2.99999.3", |
579 |
|
|
"SET.ex3", "SET x509v3 extension 3"); |
580 |
|
|
|
581 |
|
|
out = BIO_new(BIO_s_file()); |
582 |
|
|
if (out == NULL) { |
583 |
|
|
ERR_print_errors(bio_err); |
584 |
|
|
goto end; |
585 |
|
|
} |
586 |
|
|
if (outfile == NULL) { |
587 |
|
|
BIO_set_fp(out, stdout, BIO_NOCLOSE); |
588 |
|
|
} else { |
589 |
|
|
if (BIO_write_filename(out, outfile) <= 0) { |
590 |
|
|
perror(outfile); |
591 |
|
|
goto end; |
592 |
|
|
} |
593 |
|
|
} |
594 |
|
|
} |
595 |
|
|
if (alias) |
596 |
|
|
X509_alias_set1(x, (unsigned char *) alias, -1); |
597 |
|
|
|
598 |
|
|
if (clrtrust) |
599 |
|
|
X509_trust_clear(x); |
600 |
|
|
if (clrreject) |
601 |
|
|
X509_reject_clear(x); |
602 |
|
|
|
603 |
|
|
if (trust) { |
604 |
|
|
for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { |
605 |
|
|
objtmp = sk_ASN1_OBJECT_value(trust, i); |
606 |
|
|
X509_add1_trust_object(x, objtmp); |
607 |
|
|
} |
608 |
|
|
} |
609 |
|
|
if (reject) { |
610 |
|
|
for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { |
611 |
|
|
objtmp = sk_ASN1_OBJECT_value(reject, i); |
612 |
|
|
X509_add1_reject_object(x, objtmp); |
613 |
|
|
} |
614 |
|
|
} |
615 |
|
|
if (num) { |
616 |
|
|
for (i = 1; i <= num; i++) { |
617 |
|
|
if (issuer == i) { |
618 |
|
|
print_name(STDout, "issuer= ", |
619 |
|
|
X509_get_issuer_name(x), nmflag); |
620 |
|
|
} else if (subject == i) { |
621 |
|
|
print_name(STDout, "subject= ", |
622 |
|
|
X509_get_subject_name(x), nmflag); |
623 |
|
|
} else if (serial == i) { |
624 |
|
|
BIO_printf(STDout, "serial="); |
625 |
|
|
i2a_ASN1_INTEGER(STDout, |
626 |
|
|
X509_get_serialNumber(x)); |
627 |
|
|
BIO_printf(STDout, "\n"); |
628 |
|
|
} else if (next_serial == i) { |
629 |
|
|
BIGNUM *bnser; |
630 |
|
|
ASN1_INTEGER *ser; |
631 |
|
|
ser = X509_get_serialNumber(x); |
632 |
|
|
bnser = ASN1_INTEGER_to_BN(ser, NULL); |
633 |
|
|
if (!bnser) |
634 |
|
|
goto end; |
635 |
|
|
if (!BN_add_word(bnser, 1)) |
636 |
|
|
goto end; |
637 |
|
|
ser = BN_to_ASN1_INTEGER(bnser, NULL); |
638 |
|
|
if (!ser) |
639 |
|
|
goto end; |
640 |
|
|
BN_free(bnser); |
641 |
|
|
i2a_ASN1_INTEGER(out, ser); |
642 |
|
|
ASN1_INTEGER_free(ser); |
643 |
|
|
BIO_puts(out, "\n"); |
644 |
|
|
} else if ((email == i) || (ocsp_uri == i)) { |
645 |
|
|
int j; |
646 |
|
|
STACK_OF(OPENSSL_STRING) *emlst; |
647 |
|
|
if (email == i) |
648 |
|
|
emlst = X509_get1_email(x); |
649 |
|
|
else |
650 |
|
|
emlst = X509_get1_ocsp(x); |
651 |
|
|
for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) |
652 |
|
|
BIO_printf(STDout, "%s\n", |
653 |
|
|
sk_OPENSSL_STRING_value(emlst, j)); |
654 |
|
|
X509_email_free(emlst); |
655 |
|
|
} else if (aliasout == i) { |
656 |
|
|
unsigned char *alstr; |
657 |
|
|
alstr = X509_alias_get0(x, NULL); |
658 |
|
|
if (alstr) |
659 |
|
|
BIO_printf(STDout, "%s\n", alstr); |
660 |
|
|
else |
661 |
|
|
BIO_puts(STDout, "<No Alias>\n"); |
662 |
|
|
} else if (subject_hash == i) { |
663 |
|
|
BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); |
664 |
|
|
} |
665 |
|
|
#ifndef OPENSSL_NO_MD5 |
666 |
|
|
else if (subject_hash_old == i) { |
667 |
|
|
BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); |
668 |
|
|
} |
669 |
|
|
#endif |
670 |
|
|
else if (issuer_hash == i) { |
671 |
|
|
BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x)); |
672 |
|
|
} |
673 |
|
|
#ifndef OPENSSL_NO_MD5 |
674 |
|
|
else if (issuer_hash_old == i) { |
675 |
|
|
BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x)); |
676 |
|
|
} |
677 |
|
|
#endif |
678 |
|
|
else if (pprint == i) { |
679 |
|
|
X509_PURPOSE *ptmp; |
680 |
|
|
int j; |
681 |
|
|
BIO_printf(STDout, "Certificate purposes:\n"); |
682 |
|
|
for (j = 0; j < X509_PURPOSE_get_count(); j++) { |
683 |
|
|
ptmp = X509_PURPOSE_get0(j); |
684 |
|
|
purpose_print(STDout, x, ptmp); |
685 |
|
|
} |
686 |
|
|
} else if (modulus == i) { |
687 |
|
|
EVP_PKEY *pkey; |
688 |
|
|
|
689 |
|
|
pkey = X509_get_pubkey(x); |
690 |
|
|
if (pkey == NULL) { |
691 |
|
|
BIO_printf(bio_err, "Modulus=unavailable\n"); |
692 |
|
|
ERR_print_errors(bio_err); |
693 |
|
|
goto end; |
694 |
|
|
} |
695 |
|
|
BIO_printf(STDout, "Modulus="); |
696 |
|
|
if (pkey->type == EVP_PKEY_RSA) |
697 |
|
|
BN_print(STDout, pkey->pkey.rsa->n); |
698 |
|
|
else |
699 |
|
|
if (pkey->type == EVP_PKEY_DSA) |
700 |
|
|
BN_print(STDout, pkey->pkey.dsa->pub_key); |
701 |
|
|
else |
702 |
|
|
BIO_printf(STDout, "Wrong Algorithm type"); |
703 |
|
|
BIO_printf(STDout, "\n"); |
704 |
|
|
EVP_PKEY_free(pkey); |
705 |
|
|
} else if (pubkey == i) { |
706 |
|
|
EVP_PKEY *pkey; |
707 |
|
|
|
708 |
|
|
pkey = X509_get_pubkey(x); |
709 |
|
|
if (pkey == NULL) { |
710 |
|
|
BIO_printf(bio_err, "Error getting public key\n"); |
711 |
|
|
ERR_print_errors(bio_err); |
712 |
|
|
goto end; |
713 |
|
|
} |
714 |
|
|
PEM_write_bio_PUBKEY(STDout, pkey); |
715 |
|
|
EVP_PKEY_free(pkey); |
716 |
|
|
} else if (C == i) { |
717 |
|
|
unsigned char *d; |
718 |
|
|
char *m; |
719 |
|
|
int y, z; |
720 |
|
|
|
721 |
|
|
X509_NAME_oneline(X509_get_subject_name(x), |
722 |
|
|
buf, sizeof buf); |
723 |
|
|
BIO_printf(STDout, "/* subject:%s */\n", buf); |
724 |
|
|
m = X509_NAME_oneline( |
725 |
|
|
X509_get_issuer_name(x), buf, |
726 |
|
|
sizeof buf); |
727 |
|
|
BIO_printf(STDout, "/* issuer :%s */\n", buf); |
728 |
|
|
|
729 |
|
|
z = i2d_X509(x, NULL); |
730 |
|
|
m = malloc(z); |
731 |
|
|
if (m == NULL) { |
732 |
|
|
BIO_printf(bio_err, "out of mem\n"); |
733 |
|
|
goto end; |
734 |
|
|
} |
735 |
|
|
|
736 |
|
|
d = (unsigned char *) m; |
737 |
|
|
z = i2d_X509_NAME(X509_get_subject_name(x), &d); |
738 |
|
|
BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n", z); |
739 |
|
|
d = (unsigned char *) m; |
740 |
|
|
for (y = 0; y < z; y++) { |
741 |
|
|
BIO_printf(STDout, "0x%02X,", d[y]); |
742 |
|
|
if ((y & 0x0f) == 0x0f) |
743 |
|
|
BIO_printf(STDout, "\n"); |
744 |
|
|
} |
745 |
|
|
if (y % 16 != 0) |
746 |
|
|
BIO_printf(STDout, "\n"); |
747 |
|
|
BIO_printf(STDout, "};\n"); |
748 |
|
|
|
749 |
|
|
z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); |
750 |
|
|
BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z); |
751 |
|
|
d = (unsigned char *) m; |
752 |
|
|
for (y = 0; y < z; y++) { |
753 |
|
|
BIO_printf(STDout, "0x%02X,", d[y]); |
754 |
|
|
if ((y & 0x0f) == 0x0f) |
755 |
|
|
BIO_printf(STDout, "\n"); |
756 |
|
|
} |
757 |
|
|
if (y % 16 != 0) |
758 |
|
|
BIO_printf(STDout, "\n"); |
759 |
|
|
BIO_printf(STDout, "};\n"); |
760 |
|
|
|
761 |
|
|
z = i2d_X509(x, &d); |
762 |
|
|
BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n", z); |
763 |
|
|
d = (unsigned char *) m; |
764 |
|
|
for (y = 0; y < z; y++) { |
765 |
|
|
BIO_printf(STDout, "0x%02X,", d[y]); |
766 |
|
|
if ((y & 0x0f) == 0x0f) |
767 |
|
|
BIO_printf(STDout, "\n"); |
768 |
|
|
} |
769 |
|
|
if (y % 16 != 0) |
770 |
|
|
BIO_printf(STDout, "\n"); |
771 |
|
|
BIO_printf(STDout, "};\n"); |
772 |
|
|
|
773 |
|
|
free(m); |
774 |
|
|
} else if (text == i) { |
775 |
|
|
X509_print_ex(STDout, x, nmflag, certflag); |
776 |
|
|
} else if (startdate == i) { |
777 |
|
|
BIO_puts(STDout, "notBefore="); |
778 |
|
|
ASN1_TIME_print(STDout, X509_get_notBefore(x)); |
779 |
|
|
BIO_puts(STDout, "\n"); |
780 |
|
|
} else if (enddate == i) { |
781 |
|
|
BIO_puts(STDout, "notAfter="); |
782 |
|
|
ASN1_TIME_print(STDout, X509_get_notAfter(x)); |
783 |
|
|
BIO_puts(STDout, "\n"); |
784 |
|
|
} else if (fingerprint == i) { |
785 |
|
|
int j; |
786 |
|
|
unsigned int n; |
787 |
|
|
unsigned char md[EVP_MAX_MD_SIZE]; |
788 |
|
|
const EVP_MD *fdig = digest; |
789 |
|
|
|
790 |
|
|
if (!fdig) |
791 |
|
|
fdig = EVP_sha1(); |
792 |
|
|
|
793 |
|
|
if (!X509_digest(x, fdig, md, &n)) { |
794 |
|
|
BIO_printf(bio_err, "out of memory\n"); |
795 |
|
|
goto end; |
796 |
|
|
} |
797 |
|
|
BIO_printf(STDout, "%s Fingerprint=", |
798 |
|
|
OBJ_nid2sn(EVP_MD_type(fdig))); |
799 |
|
|
for (j = 0; j < (int) n; j++) { |
800 |
|
|
BIO_printf(STDout, "%02X%c", md[j], |
801 |
|
|
(j + 1 == (int)n) ? '\n' : ':'); |
802 |
|
|
} |
803 |
|
|
} |
804 |
|
|
/* should be in the library */ |
805 |
|
|
else if ((sign_flag == i) && (x509req == 0)) { |
806 |
|
|
BIO_printf(bio_err, "Getting Private key\n"); |
807 |
|
|
if (Upkey == NULL) { |
808 |
|
|
Upkey = load_key(bio_err, |
809 |
|
|
keyfile, keyformat, 0, |
810 |
|
|
passin, "Private key"); |
811 |
|
|
if (Upkey == NULL) |
812 |
|
|
goto end; |
813 |
|
|
} |
814 |
|
|
if (!sign(x, Upkey, days, clrext, digest, |
815 |
|
|
extconf, extsect)) |
816 |
|
|
goto end; |
817 |
|
|
} else if (CA_flag == i) { |
818 |
|
|
BIO_printf(bio_err, "Getting CA Private Key\n"); |
819 |
|
|
if (CAkeyfile != NULL) { |
820 |
|
|
CApkey = load_key(bio_err, |
821 |
|
|
CAkeyfile, CAkeyformat, |
822 |
|
|
0, passin, "CA Private Key"); |
823 |
|
|
if (CApkey == NULL) |
824 |
|
|
goto end; |
825 |
|
|
} |
826 |
|
|
if (!x509_certify(ctx, CAfile, digest, x, xca, |
827 |
|
|
CApkey, sigopts, |
828 |
|
|
CAserial, CA_createserial, days, clrext, |
829 |
|
|
extconf, extsect, sno)) |
830 |
|
|
goto end; |
831 |
|
|
} else if (x509req == i) { |
832 |
|
|
EVP_PKEY *pk; |
833 |
|
|
|
834 |
|
|
BIO_printf(bio_err, "Getting request Private Key\n"); |
835 |
|
|
if (keyfile == NULL) { |
836 |
|
|
BIO_printf(bio_err, "no request key file specified\n"); |
837 |
|
|
goto end; |
838 |
|
|
} else { |
839 |
|
|
pk = load_key(bio_err, |
840 |
|
|
keyfile, keyformat, 0, |
841 |
|
|
passin, "request key"); |
842 |
|
|
if (pk == NULL) |
843 |
|
|
goto end; |
844 |
|
|
} |
845 |
|
|
|
846 |
|
|
BIO_printf(bio_err, "Generating certificate request\n"); |
847 |
|
|
|
848 |
|
|
rq = X509_to_X509_REQ(x, pk, digest); |
849 |
|
|
EVP_PKEY_free(pk); |
850 |
|
|
if (rq == NULL) { |
851 |
|
|
ERR_print_errors(bio_err); |
852 |
|
|
goto end; |
853 |
|
|
} |
854 |
|
|
if (!noout) { |
855 |
|
|
X509_REQ_print(out, rq); |
856 |
|
|
PEM_write_bio_X509_REQ(out, rq); |
857 |
|
|
} |
858 |
|
|
noout = 1; |
859 |
|
|
} else if (ocspid == i) { |
860 |
|
|
X509_ocspid_print(out, x); |
861 |
|
|
} |
862 |
|
|
} |
863 |
|
|
} |
864 |
|
|
if (checkend) { |
865 |
|
|
time_t tcheck = time(NULL) + checkoffset; |
866 |
|
|
|
867 |
|
|
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { |
868 |
|
|
BIO_printf(out, "Certificate will expire\n"); |
869 |
|
|
ret = 1; |
870 |
|
|
} else { |
871 |
|
|
BIO_printf(out, "Certificate will not expire\n"); |
872 |
|
|
ret = 0; |
873 |
|
|
} |
874 |
|
|
goto end; |
875 |
|
|
} |
876 |
|
|
if (noout) { |
877 |
|
|
ret = 0; |
878 |
|
|
goto end; |
879 |
|
|
} |
880 |
|
|
if (outformat == FORMAT_ASN1) |
881 |
|
|
i = i2d_X509_bio(out, x); |
882 |
|
|
else if (outformat == FORMAT_PEM) { |
883 |
|
|
if (trustout) |
884 |
|
|
i = PEM_write_bio_X509_AUX(out, x); |
885 |
|
|
else |
886 |
|
|
i = PEM_write_bio_X509(out, x); |
887 |
|
|
} else if (outformat == FORMAT_NETSCAPE) { |
888 |
|
|
NETSCAPE_X509 nx; |
889 |
|
|
ASN1_OCTET_STRING hdr; |
890 |
|
|
|
891 |
|
|
hdr.data = (unsigned char *) NETSCAPE_CERT_HDR; |
892 |
|
|
hdr.length = strlen(NETSCAPE_CERT_HDR); |
893 |
|
|
nx.header = &hdr; |
894 |
|
|
nx.cert = x; |
895 |
|
|
|
896 |
|
|
i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx); |
897 |
|
|
} else { |
898 |
|
|
BIO_printf(bio_err, "bad output format specified for outfile\n"); |
899 |
|
|
goto end; |
900 |
|
|
} |
901 |
|
|
if (!i) { |
902 |
|
|
BIO_printf(bio_err, "unable to write certificate\n"); |
903 |
|
|
ERR_print_errors(bio_err); |
904 |
|
|
goto end; |
905 |
|
|
} |
906 |
|
|
ret = 0; |
907 |
|
|
|
908 |
|
|
end: |
909 |
|
|
OBJ_cleanup(); |
910 |
|
|
NCONF_free(extconf); |
911 |
|
|
BIO_free_all(out); |
912 |
|
|
BIO_free_all(STDout); |
913 |
|
|
X509_STORE_free(ctx); |
914 |
|
|
X509_REQ_free(req); |
915 |
|
|
X509_free(x); |
916 |
|
|
X509_free(xca); |
917 |
|
|
EVP_PKEY_free(Upkey); |
918 |
|
|
EVP_PKEY_free(CApkey); |
919 |
|
|
if (sigopts) |
920 |
|
|
sk_OPENSSL_STRING_free(sigopts); |
921 |
|
|
X509_REQ_free(rq); |
922 |
|
|
ASN1_INTEGER_free(sno); |
923 |
|
|
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); |
924 |
|
|
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); |
925 |
|
|
free(passin); |
926 |
|
|
|
927 |
|
|
return (ret); |
928 |
|
|
} |
929 |
|
|
|
930 |
|
|
static ASN1_INTEGER * |
931 |
|
|
x509_load_serial(char *CAfile, char *serialfile, int create) |
932 |
|
|
{ |
933 |
|
|
char *buf = NULL, *p; |
934 |
|
|
ASN1_INTEGER *bs = NULL; |
935 |
|
|
BIGNUM *serial = NULL; |
936 |
|
|
size_t len; |
937 |
|
|
|
938 |
|
|
len = ((serialfile == NULL) ? (strlen(CAfile) + strlen(POSTFIX) + 1) : |
939 |
|
|
(strlen(serialfile))) + 1; |
940 |
|
|
buf = malloc(len); |
941 |
|
|
if (buf == NULL) { |
942 |
|
|
BIO_printf(bio_err, "out of mem\n"); |
943 |
|
|
goto end; |
944 |
|
|
} |
945 |
|
|
if (serialfile == NULL) { |
946 |
|
|
strlcpy(buf, CAfile, len); |
947 |
|
|
for (p = buf; *p; p++) |
948 |
|
|
if (*p == '.') { |
949 |
|
|
*p = '\0'; |
950 |
|
|
break; |
951 |
|
|
} |
952 |
|
|
strlcat(buf, POSTFIX, len); |
953 |
|
|
} else |
954 |
|
|
strlcpy(buf, serialfile, len); |
955 |
|
|
|
956 |
|
|
serial = load_serial(buf, create, NULL); |
957 |
|
|
if (serial == NULL) |
958 |
|
|
goto end; |
959 |
|
|
|
960 |
|
|
if (!BN_add_word(serial, 1)) { |
961 |
|
|
BIO_printf(bio_err, "add_word failure\n"); |
962 |
|
|
goto end; |
963 |
|
|
} |
964 |
|
|
if (!save_serial(buf, NULL, serial, &bs)) |
965 |
|
|
goto end; |
966 |
|
|
|
967 |
|
|
end: |
968 |
|
|
free(buf); |
969 |
|
|
BN_free(serial); |
970 |
|
|
|
971 |
|
|
return bs; |
972 |
|
|
} |
973 |
|
|
|
974 |
|
|
static int |
975 |
|
|
x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, |
976 |
|
|
X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, |
977 |
|
|
char *serialfile, int create, int days, int clrext, CONF *conf, |
978 |
|
|
char *section, ASN1_INTEGER *sno) |
979 |
|
|
{ |
980 |
|
|
int ret = 0; |
981 |
|
|
ASN1_INTEGER *bs = NULL; |
982 |
|
|
X509_STORE_CTX xsc; |
983 |
|
|
EVP_PKEY *upkey; |
984 |
|
|
|
985 |
|
|
upkey = X509_get_pubkey(xca); |
986 |
|
|
EVP_PKEY_copy_parameters(upkey, pkey); |
987 |
|
|
EVP_PKEY_free(upkey); |
988 |
|
|
|
989 |
|
|
if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) { |
990 |
|
|
BIO_printf(bio_err, "Error initialising X509 store\n"); |
991 |
|
|
goto end; |
992 |
|
|
} |
993 |
|
|
if (sno) |
994 |
|
|
bs = sno; |
995 |
|
|
else if (!(bs = x509_load_serial(CAfile, serialfile, create))) |
996 |
|
|
goto end; |
997 |
|
|
|
998 |
|
|
/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ |
999 |
|
|
|
1000 |
|
|
/* |
1001 |
|
|
* NOTE: this certificate can/should be self signed, unless it was a |
1002 |
|
|
* certificate request in which case it is not. |
1003 |
|
|
*/ |
1004 |
|
|
X509_STORE_CTX_set_cert(&xsc, x); |
1005 |
|
|
X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); |
1006 |
|
|
if (!reqfile && X509_verify_cert(&xsc) <= 0) |
1007 |
|
|
goto end; |
1008 |
|
|
|
1009 |
|
|
if (!X509_check_private_key(xca, pkey)) { |
1010 |
|
|
BIO_printf(bio_err, "CA certificate and CA private key do not match\n"); |
1011 |
|
|
goto end; |
1012 |
|
|
} |
1013 |
|
|
if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) |
1014 |
|
|
goto end; |
1015 |
|
|
if (!X509_set_serialNumber(x, bs)) |
1016 |
|
|
goto end; |
1017 |
|
|
|
1018 |
|
|
if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL) |
1019 |
|
|
goto end; |
1020 |
|
|
|
1021 |
|
|
/* hardwired expired */ |
1022 |
|
|
if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) |
1023 |
|
|
goto end; |
1024 |
|
|
|
1025 |
|
|
if (clrext) { |
1026 |
|
|
while (X509_get_ext_count(x) > 0) |
1027 |
|
|
X509_delete_ext(x, 0); |
1028 |
|
|
} |
1029 |
|
|
if (conf) { |
1030 |
|
|
X509V3_CTX ctx2; |
1031 |
|
|
X509_set_version(x, 2); /* version 3 certificate */ |
1032 |
|
|
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); |
1033 |
|
|
X509V3_set_nconf(&ctx2, conf); |
1034 |
|
|
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) |
1035 |
|
|
goto end; |
1036 |
|
|
} |
1037 |
|
|
if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) |
1038 |
|
|
goto end; |
1039 |
|
|
ret = 1; |
1040 |
|
|
end: |
1041 |
|
|
X509_STORE_CTX_cleanup(&xsc); |
1042 |
|
|
if (!ret) |
1043 |
|
|
ERR_print_errors(bio_err); |
1044 |
|
|
if (!sno) |
1045 |
|
|
ASN1_INTEGER_free(bs); |
1046 |
|
|
return ret; |
1047 |
|
|
} |
1048 |
|
|
|
1049 |
|
|
static int |
1050 |
|
|
callb(int ok, X509_STORE_CTX *ctx) |
1051 |
|
|
{ |
1052 |
|
|
int err; |
1053 |
|
|
X509 *err_cert; |
1054 |
|
|
|
1055 |
|
|
/* |
1056 |
|
|
* it is ok to use a self signed certificate This case will catch |
1057 |
|
|
* both the initial ok == 0 and the final ok == 1 calls to this |
1058 |
|
|
* function |
1059 |
|
|
*/ |
1060 |
|
|
err = X509_STORE_CTX_get_error(ctx); |
1061 |
|
|
if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) |
1062 |
|
|
return 1; |
1063 |
|
|
|
1064 |
|
|
/* |
1065 |
|
|
* BAD we should have gotten an error. Normally if everything worked |
1066 |
|
|
* X509_STORE_CTX_get_error(ctx) will still be set to |
1067 |
|
|
* DEPTH_ZERO_SELF_.... |
1068 |
|
|
*/ |
1069 |
|
|
if (ok) { |
1070 |
|
|
BIO_printf(bio_err, "error with certificate to be certified - should be self signed\n"); |
1071 |
|
|
return 0; |
1072 |
|
|
} else { |
1073 |
|
|
err_cert = X509_STORE_CTX_get_current_cert(ctx); |
1074 |
|
|
print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); |
1075 |
|
|
BIO_printf(bio_err, "error with certificate - error %d at depth %d\n%s\n", |
1076 |
|
|
err, X509_STORE_CTX_get_error_depth(ctx), |
1077 |
|
|
X509_verify_cert_error_string(err)); |
1078 |
|
|
return 1; |
1079 |
|
|
} |
1080 |
|
|
} |
1081 |
|
|
|
1082 |
|
|
/* self sign */ |
1083 |
|
|
static int |
1084 |
|
|
sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, |
1085 |
|
|
CONF *conf, char *section) |
1086 |
|
|
{ |
1087 |
|
|
|
1088 |
|
|
EVP_PKEY *pktmp; |
1089 |
|
|
|
1090 |
|
|
pktmp = X509_get_pubkey(x); |
1091 |
|
|
EVP_PKEY_copy_parameters(pktmp, pkey); |
1092 |
|
|
EVP_PKEY_save_parameters(pktmp, 1); |
1093 |
|
|
EVP_PKEY_free(pktmp); |
1094 |
|
|
|
1095 |
|
|
if (!X509_set_issuer_name(x, X509_get_subject_name(x))) |
1096 |
|
|
goto err; |
1097 |
|
|
if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) |
1098 |
|
|
goto err; |
1099 |
|
|
|
1100 |
|
|
/* Lets just make it 12:00am GMT, Jan 1 1970 */ |
1101 |
|
|
/* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ |
1102 |
|
|
/* 28 days to be certified */ |
1103 |
|
|
|
1104 |
|
|
if (X509_gmtime_adj(X509_get_notAfter(x), |
1105 |
|
|
(long) 60 * 60 * 24 * days) == NULL) |
1106 |
|
|
goto err; |
1107 |
|
|
|
1108 |
|
|
if (!X509_set_pubkey(x, pkey)) |
1109 |
|
|
goto err; |
1110 |
|
|
if (clrext) { |
1111 |
|
|
while (X509_get_ext_count(x) > 0) |
1112 |
|
|
X509_delete_ext(x, 0); |
1113 |
|
|
} |
1114 |
|
|
if (conf) { |
1115 |
|
|
X509V3_CTX ctx; |
1116 |
|
|
X509_set_version(x, 2); /* version 3 certificate */ |
1117 |
|
|
X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); |
1118 |
|
|
X509V3_set_nconf(&ctx, conf); |
1119 |
|
|
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) |
1120 |
|
|
goto err; |
1121 |
|
|
} |
1122 |
|
|
if (!X509_sign(x, pkey, digest)) |
1123 |
|
|
goto err; |
1124 |
|
|
return 1; |
1125 |
|
|
|
1126 |
|
|
err: |
1127 |
|
|
ERR_print_errors(bio_err); |
1128 |
|
|
return 0; |
1129 |
|
|
} |
1130 |
|
|
|
1131 |
|
|
static int |
1132 |
|
|
purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) |
1133 |
|
|
{ |
1134 |
|
|
int id, i, idret; |
1135 |
|
|
char *pname; |
1136 |
|
|
|
1137 |
|
|
id = X509_PURPOSE_get_id(pt); |
1138 |
|
|
pname = X509_PURPOSE_get0_name(pt); |
1139 |
|
|
for (i = 0; i < 2; i++) { |
1140 |
|
|
idret = X509_check_purpose(cert, id, i); |
1141 |
|
|
BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); |
1142 |
|
|
if (idret == 1) |
1143 |
|
|
BIO_printf(bio, "Yes\n"); |
1144 |
|
|
else if (idret == 0) |
1145 |
|
|
BIO_printf(bio, "No\n"); |
1146 |
|
|
else |
1147 |
|
|
BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); |
1148 |
|
|
} |
1149 |
|
|
return 1; |
1150 |
|
|
} |