Symaptic: os/ossrv/ssl/tsrc/topenssl/src/ca.c@260cb5ec6c19 (annotated)

sl@0	1	/* apps/ca.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58
sl@0	59	/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
sl@0	60
sl@0	61	#include <stdio.h>
sl@0	62	#include <stdlib.h>
sl@0	63	#include <string.h>
sl@0	64	#include <ctype.h>
sl@0	65	#include <sys/types.h>
sl@0	66	#include <sys/stat.h>
sl@0	67	#include <openssl/conf.h>
sl@0	68	#include <openssl/bio.h>
sl@0	69	#include <openssl/err.h>
sl@0	70	#include <openssl/bn.h>
sl@0	71	#include <openssl/txt_db.h>
sl@0	72	#include <openssl/evp.h>
sl@0	73	#include <openssl/x509.h>
sl@0	74	#include <openssl/x509v3.h>
sl@0	75	#include <openssl/objects.h>
sl@0	76	#include <openssl/ocsp.h>
sl@0	77	#include <openssl/pem.h>
sl@0	78
sl@0	79	#ifndef W_OK
sl@0	80	# ifdef OPENSSL_SYS_VMS
sl@0	81	# if defined(__DECC)
sl@0	82	# include <unistd.h>
sl@0	83	# else
sl@0	84	# include <unixlib.h>
sl@0	85	# endif
sl@0	86	# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
sl@0	87	# include <sys/file.h>
sl@0	88	# endif
sl@0	89	#endif
sl@0	90
sl@0	91	#include "apps.h"
sl@0	92
sl@0	93	#ifndef W_OK
sl@0	94	# define F_OK 0
sl@0	95	# define X_OK 1
sl@0	96	# define W_OK 2
sl@0	97	# define R_OK 4
sl@0	98	#endif
sl@0	99
sl@0	100	#undef PROG
sl@0	101	#define PROG ca_main
sl@0	102
sl@0	103	#define BASE_SECTION "ca"
sl@0	104	#define CONFIG_FILE "openssl.cnf"
sl@0	105
sl@0	106	#define ENV_DEFAULT_CA "default_ca"
sl@0	107
sl@0	108	#define STRING_MASK "string_mask"
sl@0	109	#define UTF8_IN "utf8"
sl@0	110
sl@0	111	#define ENV_DIR "dir"
sl@0	112	#define ENV_CERTS "certs"
sl@0	113	#define ENV_CRL_DIR "crl_dir"
sl@0	114	#define ENV_CA_DB "CA_DB"
sl@0	115	#define ENV_NEW_CERTS_DIR "new_certs_dir"
sl@0	116	#define ENV_CERTIFICATE "certificate"
sl@0	117	#define ENV_SERIAL "serial"
sl@0	118	#define ENV_CRLNUMBER "crlnumber"
sl@0	119	#define ENV_CRL "crl"
sl@0	120	#define ENV_PRIVATE_KEY "private_key"
sl@0	121	#define ENV_RANDFILE "RANDFILE"
sl@0	122	#define ENV_DEFAULT_DAYS "default_days"
sl@0	123	#define ENV_DEFAULT_STARTDATE "default_startdate"
sl@0	124	#define ENV_DEFAULT_ENDDATE "default_enddate"
sl@0	125	#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
sl@0	126	#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
sl@0	127	#define ENV_DEFAULT_MD "default_md"
sl@0	128	#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
sl@0	129	#define ENV_PRESERVE "preserve"
sl@0	130	#define ENV_POLICY "policy"
sl@0	131	#define ENV_EXTENSIONS "x509_extensions"
sl@0	132	#define ENV_CRLEXT "crl_extensions"
sl@0	133	#define ENV_MSIE_HACK "msie_hack"
sl@0	134	#define ENV_NAMEOPT "name_opt"
sl@0	135	#define ENV_CERTOPT "cert_opt"
sl@0	136	#define ENV_EXTCOPY "copy_extensions"
sl@0	137	#define ENV_UNIQUE_SUBJECT "unique_subject"
sl@0	138
sl@0	139	#define ENV_DATABASE "database"
sl@0	140
sl@0	141	/* Additional revocation information types */
sl@0	142
sl@0	143	#define REV_NONE 0 /* No addditional information */
sl@0	144	#define REV_CRL_REASON 1 /* Value is CRL reason code */
sl@0	145	#define REV_HOLD 2 /* Value is hold instruction */
sl@0	146	#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
sl@0	147	#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
sl@0	148
sl@0	149	static const char *ca_usage[]={
sl@0	150	"usage: ca args\n",
sl@0	151	"\n",
sl@0	152	" -verbose - Talk alot while doing things\n",
sl@0	153	" -config file - A config file\n",
sl@0	154	" -name arg - The particular CA definition to use\n",
sl@0	155	" -gencrl - Generate a new CRL\n",
sl@0	156	" -crldays days - Days is when the next CRL is due\n",
sl@0	157	" -crlhours hours - Hours is when the next CRL is due\n",
sl@0	158	" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
sl@0	159	" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
sl@0	160	" -days arg - number of days to certify the certificate for\n",
sl@0	161	" -md arg - md to use, one of md2, md5, sha or sha1\n",
sl@0	162	" -policy arg - The CA 'policy' to support\n",
sl@0	163	" -keyfile arg - private key file\n",
sl@0	164	" -keyform arg - private key file format (PEM or ENGINE)\n",
sl@0	165	" -key arg - key to decode the private key if it is encrypted\n",
sl@0	166	" -cert file - The CA certificate\n",
sl@0	167	" -selfsign - sign a certificate with the key associated with it\n",
sl@0	168	" -in file - The input PEM encoded certificate request(s)\n",
sl@0	169	" -out file - Where to put the output file(s)\n",
sl@0	170	" -outdir dir - Where to put output certificates\n",
sl@0	171	" -infiles .... - The last argument, requests to process\n",
sl@0	172	" -spkac file - File contains DN and signed public key and challenge\n",
sl@0	173	" -ss_cert file - File contains a self signed cert to sign\n",
sl@0	174	" -preserveDN - Don't re-order the DN\n",
sl@0	175	" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
sl@0	176	" -batch - Don't ask questions\n",
sl@0	177	" -msie_hack - msie modifications to handle all those universal strings\n",
sl@0	178	" -revoke file - Revoke a certificate (given in file)\n",
sl@0	179	" -subj arg - Use arg instead of request's subject\n",
sl@0	180	" -utf8 - input characters are UTF8 (default ASCII)\n",
sl@0	181	" -multivalue-rdn - enable support for multivalued RDNs\n",
sl@0	182	" -extensions .. - Extension section (override value in config file)\n",
sl@0	183	" -extfile file - Configuration file with X509v3 extentions to add\n",
sl@0	184	" -crlexts .. - CRL extension section (override value in config file)\n",
sl@0	185	#ifndef OPENSSL_NO_ENGINE
sl@0	186	" -engine e - use engine e, possibly a hardware device.\n",
sl@0	187	#endif
sl@0	188	" -status serial - Shows certificate status given the serial number\n",
sl@0	189	" -updatedb - Updates db for expired certificates\n",
sl@0	190	NULL
sl@0	191	};
sl@0	192
sl@0	193	#ifdef EFENCE
sl@0	194	extern int EF_PROTECT_FREE;
sl@0	195	extern int EF_PROTECT_BELOW;
sl@0	196	extern int EF_ALIGNMENT;
sl@0	197	#endif
sl@0	198
sl@0	199	static void lookup_fail(const char name, const char tag);
sl@0	200	static int certify(X509 *xret, char infile,EVP_PKEY pkey,X509 x509,
sl@0	201	const EVP_MD dgst,STACK_OF(CONF_VALUE) policy,CA_DB *db,
sl@0	202	BIGNUM serial, char subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
sl@0	203	char enddate, long days, int batch, char ext_sect, CONF *conf,
sl@0	204	int verbose, unsigned long certopt, unsigned long nameopt,
sl@0	205	int default_op, int ext_copy, int selfsign);
sl@0	206	static int certify_cert(X509 *xret, char infile,EVP_PKEY pkey,X509 x509,
sl@0	207	const EVP_MD dgst,STACK_OF(CONF_VALUE) policy,
sl@0	208	CA_DB db, BIGNUM serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
sl@0	209	char startdate, char enddate, long days, int batch,
sl@0	210	char ext_sect, CONF conf,int verbose, unsigned long certopt,
sl@0	211	unsigned long nameopt, int default_op, int ext_copy,
sl@0	212	ENGINE *e);
sl@0	213	static int certify_spkac(X509 *xret, char infile,EVP_PKEY pkey,X509 x509,
sl@0	214	const EVP_MD dgst,STACK_OF(CONF_VALUE) policy,
sl@0	215	CA_DB db, BIGNUM serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
sl@0	216	char startdate, char enddate, long days, char *ext_sect,
sl@0	217	CONF *conf, int verbose, unsigned long certopt,
sl@0	218	unsigned long nameopt, int default_op, int ext_copy);
sl@0	219	static int fix_data(int nid, int *type);
sl@0	220	static void write_new_certificate(BIO bp, X509 x, int output_der, int notext);
sl@0	221	static int do_body(X509 *xret, EVP_PKEY pkey, X509 x509, const EVP_MD dgst,
sl@0	222	STACK_OF(CONF_VALUE) policy, CA_DB db, BIGNUM serial,char subj,unsigned long chtype, int multirdn,
sl@0	223	int email_dn, char startdate, char enddate, long days, int batch,
sl@0	224	int verbose, X509_REQ req, char ext_sect, CONF *conf,
sl@0	225	unsigned long certopt, unsigned long nameopt, int default_op,
sl@0	226	int ext_copy, int selfsign);
sl@0	227	static int do_revoke(X509 x509, CA_DB db, int ext, char *extval);
sl@0	228	static int get_certificate_status(const char ser_status, CA_DB db);
sl@0	229	static int do_updatedb(CA_DB *db);
sl@0	230	static int check_time_format(char *str);
sl@0	231	char make_revocation_str(int rev_type, char rev_arg);
sl@0	232	int make_revoked(X509_REVOKED rev, const char str);
sl@0	233	int old_entry_print(BIO bp, ASN1_OBJECT obj, ASN1_STRING *str);
sl@0	234	static CONF *conf=NULL;
sl@0	235	static CONF *extconf=NULL;
sl@0	236	static char *section=NULL;
sl@0	237
sl@0	238	static int preserve=0;
sl@0	239	static int msie_hack=0;
sl@0	240
sl@0	241
sl@0	242
sl@0	243	int MAIN(int, char **);
sl@0	244
sl@0	245	int MAIN(int argc, char **argv)
sl@0	246	{
sl@0	247	ENGINE *e = NULL;
sl@0	248	char key=NULL,passargin=NULL;
sl@0	249	int create_ser = 0;
sl@0	250	int free_key = 0;
sl@0	251	int total=0;
sl@0	252	int total_done=0;
sl@0	253	int badops=0;
sl@0	254	int ret=1;
sl@0	255	int email_dn=1;
sl@0	256	int req=0;
sl@0	257	int verbose=0;
sl@0	258	int gencrl=0;
sl@0	259	int dorevoke=0;
sl@0	260	int doupdatedb=0;
sl@0	261	long crldays=0;
sl@0	262	long crlhours=0;
sl@0	263	long errorline= -1;
sl@0	264	char *configfile=NULL;
sl@0	265	char *md=NULL;
sl@0	266	char *policy=NULL;
sl@0	267	char *keyfile=NULL;
sl@0	268	char *certfile=NULL;
sl@0	269	int keyform=FORMAT_PEM;
sl@0	270	char *infile=NULL;
sl@0	271	char *spkac_file=NULL;
sl@0	272	char *ss_cert_file=NULL;
sl@0	273	char *ser_status=NULL;
sl@0	274	EVP_PKEY *pkey=NULL;
sl@0	275	int output_der = 0;
sl@0	276	char *outfile=NULL;
sl@0	277	char *outdir=NULL;
sl@0	278	char *serialfile=NULL;
sl@0	279	char *crlnumberfile=NULL;
sl@0	280	char *extensions=NULL;
sl@0	281	char *extfile=NULL;
sl@0	282	char *subj=NULL;
sl@0	283	unsigned long chtype = MBSTRING_ASC;
sl@0	284	int multirdn = 0;
sl@0	285	char *tmp_email_dn=NULL;
sl@0	286	char *crl_ext=NULL;
sl@0	287	int rev_type = REV_NONE;
sl@0	288	char *rev_arg = NULL;
sl@0	289	BIGNUM *serial=NULL;
sl@0	290	BIGNUM *crlnumber=NULL;
sl@0	291	char *startdate=NULL;
sl@0	292	char *enddate=NULL;
sl@0	293	long days=0;
sl@0	294	int batch=0;
sl@0	295	int notext=0;
sl@0	296	unsigned long nameopt = 0, certopt = 0;
sl@0	297	int default_op = 1;
sl@0	298	int ext_copy = EXT_COPY_NONE;
sl@0	299	int selfsign = 0;
sl@0	300	X509 x509=NULL, x509p = NULL;
sl@0	301	X509 *x=NULL;
sl@0	302	BIO in=NULL,out=NULL,Sout=NULL,Cout=NULL;
sl@0	303	char *dbfile=NULL;
sl@0	304	CA_DB *db=NULL;
sl@0	305	X509_CRL *crl=NULL;
sl@0	306	X509_REVOKED *r=NULL;
sl@0	307	ASN1_TIME *tmptm;
sl@0	308	ASN1_INTEGER *tmpser;
sl@0	309	char *f;
sl@0	310	const char p, *pp;
sl@0	311	int i,j;
sl@0	312	const EVP_MD *dgst=NULL;
sl@0	313	STACK_OF(CONF_VALUE) *attribs=NULL;
sl@0	314	STACK_OF(X509) *cert_sk=NULL;
sl@0	315	#undef BSIZE
sl@0	316	#define BSIZE 256
sl@0	317	MS_STATIC char buf[3][BSIZE];
sl@0	318	char *randfile=NULL;
sl@0	319	#ifndef OPENSSL_NO_ENGINE
sl@0	320	char *engine = NULL;
sl@0	321	#endif
sl@0	322	char *tofree=NULL;
sl@0	323	DB_ATTR db_attr;
sl@0	324
sl@0	325	#ifdef EFENCE
sl@0	326	EF_PROTECT_FREE=1;
sl@0	327	EF_PROTECT_BELOW=1;
sl@0	328	EF_ALIGNMENT=0;
sl@0	329	#endif
sl@0	330
sl@0	331	apps_startup();
sl@0	332
sl@0	333	conf = NULL;
sl@0	334	key = NULL;
sl@0	335	section = NULL;
sl@0	336
sl@0	337	preserve=0;
sl@0	338	msie_hack=0;
sl@0	339	if (bio_err == NULL)
sl@0	340	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
sl@0	341	BIO_set_fp(bio_err,stderr,BIO_NOCLOSE\|BIO_FP_TEXT);
sl@0	342
sl@0	343	argc--;
sl@0	344	argv++;
sl@0	345	while (argc >= 1)
sl@0	346	{
sl@0	347	if (strcmp(*argv,"-verbose") == 0)
sl@0	348	verbose=1;
sl@0	349	else if (strcmp(*argv,"-config") == 0)
sl@0	350	{
sl@0	351	if (--argc < 1) goto bad;
sl@0	352	configfile= *(++argv);
sl@0	353	}
sl@0	354	else if (strcmp(*argv,"-name") == 0)
sl@0	355	{
sl@0	356	if (--argc < 1) goto bad;
sl@0	357	section= *(++argv);
sl@0	358	}
sl@0	359	else if (strcmp(*argv,"-subj") == 0)
sl@0	360	{
sl@0	361	if (--argc < 1) goto bad;
sl@0	362	subj= *(++argv);
sl@0	363	/* preserve=1; */
sl@0	364	}
sl@0	365	else if (strcmp(*argv,"-utf8") == 0)
sl@0	366	chtype = MBSTRING_UTF8;
sl@0	367	else if (strcmp(*argv,"-create_serial") == 0)
sl@0	368	create_ser = 1;
sl@0	369	else if (strcmp(*argv,"-multivalue-rdn") == 0)
sl@0	370	multirdn=1;
sl@0	371	else if (strcmp(*argv,"-startdate") == 0)
sl@0	372	{
sl@0	373	if (--argc < 1) goto bad;
sl@0	374	startdate= *(++argv);
sl@0	375	}
sl@0	376	else if (strcmp(*argv,"-enddate") == 0)
sl@0	377	{
sl@0	378	if (--argc < 1) goto bad;
sl@0	379	enddate= *(++argv);
sl@0	380	}
sl@0	381	else if (strcmp(*argv,"-days") == 0)
sl@0	382	{
sl@0	383	if (--argc < 1) goto bad;
sl@0	384	days=atoi(*(++argv));
sl@0	385	}
sl@0	386	else if (strcmp(*argv,"-md") == 0)
sl@0	387	{
sl@0	388	if (--argc < 1) goto bad;
sl@0	389	md= *(++argv);
sl@0	390	}
sl@0	391	else if (strcmp(*argv,"-policy") == 0)
sl@0	392	{
sl@0	393	if (--argc < 1) goto bad;
sl@0	394	policy= *(++argv);
sl@0	395	}
sl@0	396	else if (strcmp(*argv,"-keyfile") == 0)
sl@0	397	{
sl@0	398	if (--argc < 1) goto bad;
sl@0	399	keyfile= *(++argv);
sl@0	400	}
sl@0	401	else if (strcmp(*argv,"-keyform") == 0)
sl@0	402	{
sl@0	403	if (--argc < 1) goto bad;
sl@0	404	keyform=str2fmt(*(++argv));
sl@0	405	}
sl@0	406	else if (strcmp(*argv,"-passin") == 0)
sl@0	407	{
sl@0	408	if (--argc < 1) goto bad;
sl@0	409	passargin= *(++argv);
sl@0	410	}
sl@0	411	else if (strcmp(*argv,"-key") == 0)
sl@0	412	{
sl@0	413	if (--argc < 1) goto bad;
sl@0	414	key= *(++argv);
sl@0	415	}
sl@0	416	else if (strcmp(*argv,"-cert") == 0)
sl@0	417	{
sl@0	418	if (--argc < 1) goto bad;
sl@0	419	certfile= *(++argv);
sl@0	420	}
sl@0	421	else if (strcmp(*argv,"-selfsign") == 0)
sl@0	422	selfsign=1;
sl@0	423	else if (strcmp(*argv,"-in") == 0)
sl@0	424	{
sl@0	425	if (--argc < 1) goto bad;
sl@0	426	infile= *(++argv);
sl@0	427	req=1;
sl@0	428	}
sl@0	429	else if (strcmp(*argv,"-out") == 0)
sl@0	430	{
sl@0	431	if (--argc < 1) goto bad;
sl@0	432	outfile= *(++argv);
sl@0	433	}
sl@0	434	else if (strcmp(*argv,"-outdir") == 0)
sl@0	435	{
sl@0	436	if (--argc < 1) goto bad;
sl@0	437	outdir= *(++argv);
sl@0	438	}
sl@0	439	else if (strcmp(*argv,"-notext") == 0)
sl@0	440	notext=1;
sl@0	441	else if (strcmp(*argv,"-batch") == 0)
sl@0	442	batch=1;
sl@0	443	else if (strcmp(*argv,"-preserveDN") == 0)
sl@0	444	preserve=1;
sl@0	445	else if (strcmp(*argv,"-noemailDN") == 0)
sl@0	446	email_dn=0;
sl@0	447	else if (strcmp(*argv,"-gencrl") == 0)
sl@0	448	gencrl=1;
sl@0	449	else if (strcmp(*argv,"-msie_hack") == 0)
sl@0	450	msie_hack=1;
sl@0	451	else if (strcmp(*argv,"-crldays") == 0)
sl@0	452	{
sl@0	453	if (--argc < 1) goto bad;
sl@0	454	crldays= atol(*(++argv));
sl@0	455	}
sl@0	456	else if (strcmp(*argv,"-crlhours") == 0)
sl@0	457	{
sl@0	458	if (--argc < 1) goto bad;
sl@0	459	crlhours= atol(*(++argv));
sl@0	460	}
sl@0	461	else if (strcmp(*argv,"-infiles") == 0)
sl@0	462	{
sl@0	463	argc--;
sl@0	464	argv++;
sl@0	465	req=1;
sl@0	466	break;
sl@0	467	}
sl@0	468	else if (strcmp(*argv, "-ss_cert") == 0)
sl@0	469	{
sl@0	470	if (--argc < 1) goto bad;
sl@0	471	ss_cert_file = *(++argv);
sl@0	472	req=1;
sl@0	473	}
sl@0	474	else if (strcmp(*argv, "-spkac") == 0)
sl@0	475	{
sl@0	476	if (--argc < 1) goto bad;
sl@0	477	spkac_file = *(++argv);
sl@0	478	req=1;
sl@0	479	}
sl@0	480	else if (strcmp(*argv,"-revoke") == 0)
sl@0	481	{
sl@0	482	if (--argc < 1) goto bad;
sl@0	483	infile= *(++argv);
sl@0	484	dorevoke=1;
sl@0	485	}
sl@0	486	else if (strcmp(*argv,"-extensions") == 0)
sl@0	487	{
sl@0	488	if (--argc < 1) goto bad;
sl@0	489	extensions= *(++argv);
sl@0	490	}
sl@0	491	else if (strcmp(*argv,"-extfile") == 0)
sl@0	492	{
sl@0	493	if (--argc < 1) goto bad;
sl@0	494	extfile= *(++argv);
sl@0	495	}
sl@0	496	else if (strcmp(*argv,"-status") == 0)
sl@0	497	{
sl@0	498	if (--argc < 1) goto bad;
sl@0	499	ser_status= *(++argv);
sl@0	500	}
sl@0	501	else if (strcmp(*argv,"-updatedb") == 0)
sl@0	502	{
sl@0	503	doupdatedb=1;
sl@0	504	}
sl@0	505	else if (strcmp(*argv,"-crlexts") == 0)
sl@0	506	{
sl@0	507	if (--argc < 1) goto bad;
sl@0	508	crl_ext= *(++argv);
sl@0	509	}
sl@0	510	else if (strcmp(*argv,"-crl_reason") == 0)
sl@0	511	{
sl@0	512	if (--argc < 1) goto bad;
sl@0	513	rev_arg = *(++argv);
sl@0	514	rev_type = REV_CRL_REASON;
sl@0	515	}
sl@0	516	else if (strcmp(*argv,"-crl_hold") == 0)
sl@0	517	{
sl@0	518	if (--argc < 1) goto bad;
sl@0	519	rev_arg = *(++argv);
sl@0	520	rev_type = REV_HOLD;
sl@0	521	}
sl@0	522	else if (strcmp(*argv,"-crl_compromise") == 0)
sl@0	523	{
sl@0	524	if (--argc < 1) goto bad;
sl@0	525	rev_arg = *(++argv);
sl@0	526	rev_type = REV_KEY_COMPROMISE;
sl@0	527	}
sl@0	528	else if (strcmp(*argv,"-crl_CA_compromise") == 0)
sl@0	529	{
sl@0	530	if (--argc < 1) goto bad;
sl@0	531	rev_arg = *(++argv);
sl@0	532	rev_type = REV_CA_COMPROMISE;
sl@0	533	}
sl@0	534	#ifndef OPENSSL_NO_ENGINE
sl@0	535	else if (strcmp(*argv,"-engine") == 0)
sl@0	536	{
sl@0	537	if (--argc < 1) goto bad;
sl@0	538	engine= *(++argv);
sl@0	539	}
sl@0	540	#endif
sl@0	541	else
sl@0	542	{
sl@0	543	bad:
sl@0	544	BIO_printf(bio_err,"unknown option %s\n",*argv);
sl@0	545	badops=1;
sl@0	546	break;
sl@0	547	}
sl@0	548	argc--;
sl@0	549	argv++;
sl@0	550	}
sl@0	551
sl@0	552	if (badops)
sl@0	553	{
sl@0	554	for (pp=ca_usage; (*pp != NULL); pp++)
sl@0	555	BIO_printf(bio_err,"%s",*pp);
sl@0	556	goto err;
sl@0	557	}
sl@0	558
sl@0	559	ERR_load_crypto_strings();
sl@0	560
sl@0	561	/*****************************************************************/
sl@0	562	tofree=NULL;
sl@0	563	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
sl@0	564	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
sl@0	565	if (configfile == NULL)
sl@0	566	{
sl@0	567	const char *s=X509_get_default_cert_area();
sl@0	568	size_t len;
sl@0	569
sl@0	570	#ifdef OPENSSL_SYS_VMS
sl@0	571	len = strlen(s)+sizeof(CONFIG_FILE);
sl@0	572	tofree=OPENSSL_malloc(len);
sl@0	573	strcpy(tofree,s);
sl@0	574	#else
sl@0	575	len = strlen(s)+sizeof(CONFIG_FILE)+1;
sl@0	576	tofree=OPENSSL_malloc(len);
sl@0	577	BUF_strlcpy(tofree,s,len);
sl@0	578	BUF_strlcat(tofree,"/",len);
sl@0	579	#endif
sl@0	580	BUF_strlcat(tofree,CONFIG_FILE,len);
sl@0	581	configfile=tofree;
sl@0	582	}
sl@0	583
sl@0	584	BIO_printf(bio_err,"Using configuration from %s\n",configfile);
sl@0	585	conf = NCONF_new(NULL);
sl@0	586	if (NCONF_load(conf,configfile,&errorline) <= 0)
sl@0	587	{
sl@0	588	if (errorline <= 0)
sl@0	589	BIO_printf(bio_err,"error loading the config file '%s'\n",
sl@0	590	configfile);
sl@0	591	else
sl@0	592	BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
sl@0	593	,errorline,configfile);
sl@0	594	goto err;
sl@0	595	}
sl@0	596	if(tofree)
sl@0	597	{
sl@0	598	OPENSSL_free(tofree);
sl@0	599	tofree = NULL;
sl@0	600	}
sl@0	601
sl@0	602	if (!load_config(bio_err, conf))
sl@0	603	goto err;
sl@0	604
sl@0	605	#ifndef OPENSSL_NO_ENGINE
sl@0	606	e = setup_engine(bio_err, engine, 0);
sl@0	607	#endif
sl@0	608
sl@0	609	/* Lets get the config section we are using */
sl@0	610	if (section == NULL)
sl@0	611	{
sl@0	612	section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
sl@0	613	if (section == NULL)
sl@0	614	{
sl@0	615	lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
sl@0	616	goto err;
sl@0	617	}
sl@0	618	}
sl@0	619
sl@0	620	if (conf != NULL)
sl@0	621	{
sl@0	622	p=NCONF_get_string(conf,NULL,"oid_file");
sl@0	623	if (p == NULL)
sl@0	624	ERR_clear_error();
sl@0	625	if (p != NULL)
sl@0	626	{
sl@0	627	BIO *oid_bio;
sl@0	628
sl@0	629	oid_bio=BIO_new_file(p,"r");
sl@0	630	if (oid_bio == NULL)
sl@0	631	{
sl@0	632	/*
sl@0	633	BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
sl@0	634	ERR_print_errors(bio_err);
sl@0	635	*/
sl@0	636	ERR_clear_error();
sl@0	637	}
sl@0	638	else
sl@0	639	{
sl@0	640	OBJ_create_objects(oid_bio);
sl@0	641	BIO_free(oid_bio);
sl@0	642	}
sl@0	643	}
sl@0	644	if (!add_oid_section(bio_err,conf))
sl@0	645	{
sl@0	646	ERR_print_errors(bio_err);
sl@0	647	goto err;
sl@0	648	}
sl@0	649	}
sl@0	650
sl@0	651	randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
sl@0	652	if (randfile == NULL)
sl@0	653	ERR_clear_error();
sl@0	654	app_RAND_load_file(randfile, bio_err, 0);
sl@0	655
sl@0	656	f = NCONF_get_string(conf, section, STRING_MASK);
sl@0	657	if (!f)
sl@0	658	ERR_clear_error();
sl@0	659
sl@0	660	if(f && !ASN1_STRING_set_default_mask_asc(f)) {
sl@0	661	BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
sl@0	662	goto err;
sl@0	663	}
sl@0	664
sl@0	665	if (chtype != MBSTRING_UTF8){
sl@0	666	f = NCONF_get_string(conf, section, UTF8_IN);
sl@0	667	if (!f)
sl@0	668	ERR_clear_error();
sl@0	669	else if (!strcmp(f, "yes"))
sl@0	670	chtype = MBSTRING_UTF8;
sl@0	671	}
sl@0	672
sl@0	673	db_attr.unique_subject = 1;
sl@0	674	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
sl@0	675	if (p)
sl@0	676	{
sl@0	677	#ifdef RL_DEBUG
sl@0	678	BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
sl@0	679	#endif
sl@0	680	db_attr.unique_subject = parse_yesno(p,1);
sl@0	681	}
sl@0	682	else
sl@0	683	ERR_clear_error();
sl@0	684	#ifdef RL_DEBUG
sl@0	685	if (!p)
sl@0	686	BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
sl@0	687	#endif
sl@0	688	#ifdef RL_DEBUG
sl@0	689	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
sl@0	690	db_attr.unique_subject);
sl@0	691	#endif
sl@0	692
sl@0	693	in=BIO_new(BIO_s_file());
sl@0	694	out=BIO_new(BIO_s_file());
sl@0	695	Sout=BIO_new(BIO_s_file());
sl@0	696	Cout=BIO_new(BIO_s_file());
sl@0	697	if ((in == NULL) \|\| (out == NULL) \|\| (Sout == NULL) \|\| (Cout == NULL))
sl@0	698	{
sl@0	699	ERR_print_errors(bio_err);
sl@0	700	goto err;
sl@0	701	}
sl@0	702
sl@0	703	/*****************************************************************/
sl@0	704	/* report status of cert with serial number given on command line */
sl@0	705	if (ser_status)
sl@0	706	{
sl@0	707	if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
sl@0	708	{
sl@0	709	lookup_fail(section,ENV_DATABASE);
sl@0	710	goto err;
sl@0	711	}
sl@0	712	db = load_index(dbfile,&db_attr);
sl@0	713	if (db == NULL) goto err;
sl@0	714
sl@0	715	if (!index_index(db)) goto err;
sl@0	716
sl@0	717	if (get_certificate_status(ser_status,db) != 1)
sl@0	718	BIO_printf(bio_err,"Error verifying serial %s!\n",
sl@0	719	ser_status);
sl@0	720	goto err;
sl@0	721	}
sl@0	722
sl@0	723	/*****************************************************************/
sl@0	724	/* we definitely need a private key, so let's get it */
sl@0	725
sl@0	726	if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
sl@0	727	section,ENV_PRIVATE_KEY)) == NULL))
sl@0	728	{
sl@0	729	lookup_fail(section,ENV_PRIVATE_KEY);
sl@0	730	goto err;
sl@0	731	}
sl@0	732	if (!key)
sl@0	733	{
sl@0	734	free_key = 1;
sl@0	735	if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
sl@0	736	{
sl@0	737	BIO_printf(bio_err,"Error getting password\n");
sl@0	738	goto err;
sl@0	739	}
sl@0	740	}
sl@0	741	pkey = load_key(bio_err, keyfile, keyform, 0, key, e,
sl@0	742	"CA private key");
sl@0	743	if (key) OPENSSL_cleanse(key,strlen(key));
sl@0	744	if (pkey == NULL)
sl@0	745	{
sl@0	746	/* load_key() has already printed an appropriate message */
sl@0	747	goto err;
sl@0	748	}
sl@0	749
sl@0	750	/*****************************************************************/
sl@0	751	/* we need a certificate */
sl@0	752	if (!selfsign \|\| spkac_file \|\| ss_cert_file \|\| gencrl)
sl@0	753	{
sl@0	754	if ((certfile == NULL)
sl@0	755	&& ((certfile=NCONF_get_string(conf,
sl@0	756	section,ENV_CERTIFICATE)) == NULL))
sl@0	757	{
sl@0	758	lookup_fail(section,ENV_CERTIFICATE);
sl@0	759	goto err;
sl@0	760	}
sl@0	761	x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
sl@0	762	"CA certificate");
sl@0	763	if (x509 == NULL)
sl@0	764	goto err;
sl@0	765
sl@0	766	if (!X509_check_private_key(x509,pkey))
sl@0	767	{
sl@0	768	BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
sl@0	769	goto err;
sl@0	770	}
sl@0	771	}
sl@0	772	if (!selfsign) x509p = x509;
sl@0	773
sl@0	774	f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
sl@0	775	if (f == NULL)
sl@0	776	ERR_clear_error();
sl@0	777	if ((f != NULL) && ((f == 'y') \|\| (f == 'Y')))
sl@0	778	preserve=1;
sl@0	779	f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
sl@0	780	if (f == NULL)
sl@0	781	ERR_clear_error();
sl@0	782	if ((f != NULL) && ((f == 'y') \|\| (f == 'Y')))
sl@0	783	msie_hack=1;
sl@0	784
sl@0	785	f=NCONF_get_string(conf,section,ENV_NAMEOPT);
sl@0	786
sl@0	787	if (f)
sl@0	788	{
sl@0	789	if (!set_name_ex(&nameopt, f))
sl@0	790	{
sl@0	791	BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
sl@0	792	goto err;
sl@0	793	}
sl@0	794	default_op = 0;
sl@0	795	}
sl@0	796	else
sl@0	797	ERR_clear_error();
sl@0	798
sl@0	799	f=NCONF_get_string(conf,section,ENV_CERTOPT);
sl@0	800
sl@0	801	if (f)
sl@0	802	{
sl@0	803	if (!set_cert_ex(&certopt, f))
sl@0	804	{
sl@0	805	BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
sl@0	806	goto err;
sl@0	807	}
sl@0	808	default_op = 0;
sl@0	809	}
sl@0	810	else
sl@0	811	ERR_clear_error();
sl@0	812
sl@0	813	f=NCONF_get_string(conf,section,ENV_EXTCOPY);
sl@0	814
sl@0	815	if (f)
sl@0	816	{
sl@0	817	if (!set_ext_copy(&ext_copy, f))
sl@0	818	{
sl@0	819	BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
sl@0	820	goto err;
sl@0	821	}
sl@0	822	}
sl@0	823	else
sl@0	824	ERR_clear_error();
sl@0	825
sl@0	826	/*****************************************************************/
sl@0	827	/* lookup where to write new certificates */
sl@0	828	if ((outdir == NULL) && (req))
sl@0	829	{
sl@0	830	struct stat sb;
sl@0	831
sl@0	832	if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
sl@0	833	== NULL)
sl@0	834	{
sl@0	835	BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
sl@0	836	goto err;
sl@0	837	}
sl@0	838	#ifndef OPENSSL_SYS_VMS
sl@0	839	/* outdir is a directory spec, but access() for VMS demands a
sl@0	840	filename. In any case, stat(), below, will catch the problem
sl@0	841	if outdir is not a directory spec, and the fopen() or open()
sl@0	842	will catch an error if there is no write access.
sl@0	843
sl@0	844	Presumably, this problem could also be solved by using the DEC
sl@0	845	C routines to convert the directory syntax to Unixly, and give
sl@0	846	that to access(). However, time's too short to do that just
sl@0	847	now.
sl@0	848	*/
sl@0	849	if (access(outdir,R_OK\|W_OK\|X_OK) != 0)
sl@0	850	{
sl@0	851	BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
sl@0	852	perror(outdir);
sl@0	853	goto err;
sl@0	854	}
sl@0	855
sl@0	856	if (stat(outdir,&sb) != 0)
sl@0	857	{
sl@0	858	BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
sl@0	859	perror(outdir);
sl@0	860	goto err;
sl@0	861	}
sl@0	862	#ifdef S_IFDIR
sl@0	863	if (!(sb.st_mode & S_IFDIR))
sl@0	864	{
sl@0	865	BIO_printf(bio_err,"%s need to be a directory\n",outdir);
sl@0	866	perror(outdir);
sl@0	867	goto err;
sl@0	868	}
sl@0	869	#endif
sl@0	870	#endif
sl@0	871	}
sl@0	872
sl@0	873	/*****************************************************************/
sl@0	874	/* we need to load the database file */
sl@0	875	if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
sl@0	876	{
sl@0	877	lookup_fail(section,ENV_DATABASE);
sl@0	878	goto err;
sl@0	879	}
sl@0	880	db = load_index(dbfile, &db_attr);
sl@0	881	if (db == NULL) goto err;
sl@0	882
sl@0	883	/* Lets check some fields */
sl@0	884	for (i=0; i<sk_num(db->db->data); i++)
sl@0	885	{
sl@0	886	pp=(const char **)sk_value(db->db->data,i);
sl@0	887	if ((pp[DB_type][0] != DB_TYPE_REV) &&
sl@0	888	(pp[DB_rev_date][0] != '\0'))
sl@0	889	{
sl@0	890	BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
sl@0	891	goto err;
sl@0	892	}
sl@0	893	if ((pp[DB_type][0] == DB_TYPE_REV) &&
sl@0	894	!make_revoked(NULL, pp[DB_rev_date]))
sl@0	895	{
sl@0	896	BIO_printf(bio_err," in entry %d\n", i+1);
sl@0	897	goto err;
sl@0	898	}
sl@0	899	if (!check_time_format((char *)pp[DB_exp_date]))
sl@0	900	{
sl@0	901	BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
sl@0	902	goto err;
sl@0	903	}
sl@0	904	p=pp[DB_serial];
sl@0	905	j=strlen(p);
sl@0	906	if (*p == '-')
sl@0	907	{
sl@0	908	p++;
sl@0	909	j--;
sl@0	910	}
sl@0	911	if ((j&1) \|\| (j < 2))
sl@0	912	{
sl@0	913	BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
sl@0	914	goto err;
sl@0	915	}
sl@0	916	while (*p)
sl@0	917	{
sl@0	918	if (!( ((p >= '0') && (p <= '9')) \|\|
sl@0	919	((p >= 'A') && (p <= 'F')) \|\|
sl@0	920	((p >= 'a') && (p <= 'f'))) )
sl@0	921	{
sl@0	922	BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
sl@0	923	goto err;
sl@0	924	}
sl@0	925	p++;
sl@0	926	}
sl@0	927	}
sl@0	928	if (verbose)
sl@0	929	{
sl@0	930	BIO_set_fp(out,stdout,BIO_NOCLOSE\|BIO_FP_TEXT); /* cannot fail */
sl@0	931	#ifdef OPENSSL_SYS_VMS
sl@0	932	{
sl@0	933	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
sl@0	934	out = BIO_push(tmpbio, out);
sl@0	935	}
sl@0	936	#endif
sl@0	937	TXT_DB_write(out,db->db);
sl@0	938	BIO_printf(bio_err,"%d entries loaded from the database\n",
sl@0	939	db->db->data->num);
sl@0	940	BIO_printf(bio_err,"generating index\n");
sl@0	941	}
sl@0	942
sl@0	943	if (!index_index(db)) goto err;
sl@0	944
sl@0	945	/*****************************************************************/
sl@0	946	/* Update the db file for expired certificates */
sl@0	947	if (doupdatedb)
sl@0	948	{
sl@0	949	if (verbose)
sl@0	950	BIO_printf(bio_err, "Updating %s ...\n",
sl@0	951	dbfile);
sl@0	952
sl@0	953	i = do_updatedb(db);
sl@0	954	if (i == -1)
sl@0	955	{
sl@0	956	BIO_printf(bio_err,"Malloc failure\n");
sl@0	957	goto err;
sl@0	958	}
sl@0	959	else if (i == 0)
sl@0	960	{
sl@0	961	if (verbose) BIO_printf(bio_err,
sl@0	962	"No entries found to mark expired\n");
sl@0	963	}
sl@0	964	else
sl@0	965	{
sl@0	966	if (!save_index(dbfile,"new",db)) goto err;
sl@0	967
sl@0	968	if (!rotate_index(dbfile,"new","old")) goto err;
sl@0	969
sl@0	970	if (verbose) BIO_printf(bio_err,
sl@0	971	"Done. %d entries marked as expired\n",i);
sl@0	972	}
sl@0	973	}
sl@0	974
sl@0	975	/*****************************************************************/
sl@0	976	/* Read extentions config file */
sl@0	977	if (extfile)
sl@0	978	{
sl@0	979	extconf = NCONF_new(NULL);
sl@0	980	if (NCONF_load(extconf,extfile,&errorline) <= 0)
sl@0	981	{
sl@0	982	if (errorline <= 0)
sl@0	983	BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
sl@0	984	extfile);
sl@0	985	else
sl@0	986	BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
sl@0	987	errorline,extfile);
sl@0	988	ret = 1;
sl@0	989	goto err;
sl@0	990	}
sl@0	991
sl@0	992	if (verbose)
sl@0	993	BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);
sl@0	994
sl@0	995	/* We can have sections in the ext file */
sl@0	996	if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
sl@0	997	extensions = "default";
sl@0	998	}
sl@0	999
sl@0	1000	/*****************************************************************/
sl@0	1001	if (req \|\| gencrl)
sl@0	1002	{
sl@0	1003	if (outfile != NULL)
sl@0	1004	{
sl@0	1005	if (BIO_write_filename(Sout,outfile) <= 0)
sl@0	1006	{
sl@0	1007	perror(outfile);
sl@0	1008	goto err;
sl@0	1009	}
sl@0	1010	}
sl@0	1011	else
sl@0	1012	{
sl@0	1013	BIO_set_fp(Sout,stdout,BIO_NOCLOSE\|BIO_FP_TEXT);
sl@0	1014	#ifdef OPENSSL_SYS_VMS
sl@0	1015	{
sl@0	1016	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
sl@0	1017	Sout = BIO_push(tmpbio, Sout);
sl@0	1018	}
sl@0	1019	#endif
sl@0	1020	}
sl@0	1021	}
sl@0	1022
sl@0	1023	if ((md == NULL) && ((md=NCONF_get_string(conf,
sl@0	1024	section,ENV_DEFAULT_MD)) == NULL))
sl@0	1025	{
sl@0	1026	lookup_fail(section,ENV_DEFAULT_MD);
sl@0	1027	goto err;
sl@0	1028	}
sl@0	1029
sl@0	1030	if ((dgst=EVP_get_digestbyname(md)) == NULL)
sl@0	1031	{
sl@0	1032	BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
sl@0	1033	goto err;
sl@0	1034	}
sl@0	1035
sl@0	1036	if (req)
sl@0	1037	{
sl@0	1038	if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
sl@0	1039	section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
sl@0	1040	{
sl@0	1041	if(strcmp(tmp_email_dn,"no") == 0)
sl@0	1042	email_dn=0;
sl@0	1043	}
sl@0	1044	if (verbose)
sl@0	1045	BIO_printf(bio_err,"message digest is %s\n",
sl@0	1046	OBJ_nid2ln(dgst->type));
sl@0	1047	if ((policy == NULL) && ((policy=NCONF_get_string(conf,
sl@0	1048	section,ENV_POLICY)) == NULL))
sl@0	1049	{
sl@0	1050	lookup_fail(section,ENV_POLICY);
sl@0	1051	goto err;
sl@0	1052	}
sl@0	1053	if (verbose)
sl@0	1054	BIO_printf(bio_err,"policy is %s\n",policy);
sl@0	1055
sl@0	1056	if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL))
sl@0	1057	== NULL)
sl@0	1058	{
sl@0	1059	lookup_fail(section,ENV_SERIAL);
sl@0	1060	goto err;
sl@0	1061	}
sl@0	1062
sl@0	1063	if (!extconf)
sl@0	1064	{
sl@0	1065	/* no '-extfile' option, so we look for extensions
sl@0	1066	* in the main configuration file */
sl@0	1067	if (!extensions)
sl@0	1068	{
sl@0	1069	extensions=NCONF_get_string(conf,section,
sl@0	1070	ENV_EXTENSIONS);
sl@0	1071	if (!extensions)
sl@0	1072	ERR_clear_error();
sl@0	1073	}
sl@0	1074	if (extensions)
sl@0	1075	{
sl@0	1076	/* Check syntax of file */
sl@0	1077	X509V3_CTX ctx;
sl@0	1078	X509V3_set_ctx_test(&ctx);
sl@0	1079	X509V3_set_nconf(&ctx, conf);
sl@0	1080	if (!X509V3_EXT_add_nconf(conf, &ctx, extensions,
sl@0	1081	NULL))
sl@0	1082	{
sl@0	1083	BIO_printf(bio_err,
sl@0	1084	"Error Loading extension section %s\n",
sl@0	1085	extensions);
sl@0	1086	ret = 1;
sl@0	1087	goto err;
sl@0	1088	}
sl@0	1089	}
sl@0	1090	}
sl@0	1091
sl@0	1092	if (startdate == NULL)
sl@0	1093	{
sl@0	1094	startdate=NCONF_get_string(conf,section,
sl@0	1095	ENV_DEFAULT_STARTDATE);
sl@0	1096	if (startdate == NULL)
sl@0	1097	ERR_clear_error();
sl@0	1098	}
sl@0	1099	if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
sl@0	1100	{
sl@0	1101	BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
sl@0	1102	goto err;
sl@0	1103	}
sl@0	1104	if (startdate == NULL) startdate="today";
sl@0	1105
sl@0	1106	if (enddate == NULL)
sl@0	1107	{
sl@0	1108	enddate=NCONF_get_string(conf,section,
sl@0	1109	ENV_DEFAULT_ENDDATE);
sl@0	1110	if (enddate == NULL)
sl@0	1111	ERR_clear_error();
sl@0	1112	}
sl@0	1113	if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
sl@0	1114	{
sl@0	1115	BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
sl@0	1116	goto err;
sl@0	1117	}
sl@0	1118
sl@0	1119	if (days == 0)
sl@0	1120	{
sl@0	1121	if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days))
sl@0	1122	days = 0;
sl@0	1123	}
sl@0	1124	if (!enddate && (days == 0))
sl@0	1125	{
sl@0	1126	BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
sl@0	1127	goto err;
sl@0	1128	}
sl@0	1129
sl@0	1130	if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL)
sl@0	1131	{
sl@0	1132	BIO_printf(bio_err,"error while loading serial number\n");
sl@0	1133	goto err;
sl@0	1134	}
sl@0	1135	if (verbose)
sl@0	1136	{
sl@0	1137	if (BN_is_zero(serial))
sl@0	1138	BIO_printf(bio_err,"next serial number is 00\n");
sl@0	1139	else
sl@0	1140	{
sl@0	1141	if ((f=BN_bn2hex(serial)) == NULL) goto err;
sl@0	1142	BIO_printf(bio_err,"next serial number is %s\n",f);
sl@0	1143	OPENSSL_free(f);
sl@0	1144	}
sl@0	1145	}
sl@0	1146
sl@0	1147	if ((attribs=NCONF_get_section(conf,policy)) == NULL)
sl@0	1148	{
sl@0	1149	BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
sl@0	1150	goto err;
sl@0	1151	}
sl@0	1152
sl@0	1153	if ((cert_sk=sk_X509_new_null()) == NULL)
sl@0	1154	{
sl@0	1155	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1156	goto err;
sl@0	1157	}
sl@0	1158	if (spkac_file != NULL)
sl@0	1159	{
sl@0	1160	total++;
sl@0	1161	j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
sl@0	1162	serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions,
sl@0	1163	conf,verbose,certopt,nameopt,default_op,ext_copy);
sl@0	1164	if (j < 0) goto err;
sl@0	1165	if (j > 0)
sl@0	1166	{
sl@0	1167	total_done++;
sl@0	1168	BIO_printf(bio_err,"\n");
sl@0	1169	if (!BN_add_word(serial,1)) goto err;
sl@0	1170	if (!sk_X509_push(cert_sk,x))
sl@0	1171	{
sl@0	1172	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1173	goto err;
sl@0	1174	}
sl@0	1175	if (outfile)
sl@0	1176	{
sl@0	1177	output_der = 1;
sl@0	1178	batch = 1;
sl@0	1179	}
sl@0	1180	}
sl@0	1181	}
sl@0	1182	if (ss_cert_file != NULL)
sl@0	1183	{
sl@0	1184	total++;
sl@0	1185	j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
sl@0	1186	db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
sl@0	1187	extensions,conf,verbose, certopt, nameopt,
sl@0	1188	default_op, ext_copy, e);
sl@0	1189	if (j < 0) goto err;
sl@0	1190	if (j > 0)
sl@0	1191	{
sl@0	1192	total_done++;
sl@0	1193	BIO_printf(bio_err,"\n");
sl@0	1194	if (!BN_add_word(serial,1)) goto err;
sl@0	1195	if (!sk_X509_push(cert_sk,x))
sl@0	1196	{
sl@0	1197	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1198	goto err;
sl@0	1199	}
sl@0	1200	}
sl@0	1201	}
sl@0	1202	if (infile != NULL)
sl@0	1203	{
sl@0	1204	total++;
sl@0	1205	j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
sl@0	1206	serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
sl@0	1207	extensions,conf,verbose, certopt, nameopt,
sl@0	1208	default_op, ext_copy, selfsign);
sl@0	1209	if (j < 0) goto err;
sl@0	1210	if (j > 0)
sl@0	1211	{
sl@0	1212	total_done++;
sl@0	1213	BIO_printf(bio_err,"\n");
sl@0	1214	if (!BN_add_word(serial,1)) goto err;
sl@0	1215	if (!sk_X509_push(cert_sk,x))
sl@0	1216	{
sl@0	1217	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1218	goto err;
sl@0	1219	}
sl@0	1220	}
sl@0	1221	}
sl@0	1222	for (i=0; i<argc; i++)
sl@0	1223	{
sl@0	1224	total++;
sl@0	1225	j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
sl@0	1226	serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
sl@0	1227	extensions,conf,verbose, certopt, nameopt,
sl@0	1228	default_op, ext_copy, selfsign);
sl@0	1229	if (j < 0) goto err;
sl@0	1230	if (j > 0)
sl@0	1231	{
sl@0	1232	total_done++;
sl@0	1233	BIO_printf(bio_err,"\n");
sl@0	1234	if (!BN_add_word(serial,1)) goto err;
sl@0	1235	if (!sk_X509_push(cert_sk,x))
sl@0	1236	{
sl@0	1237	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1238	goto err;
sl@0	1239	}
sl@0	1240	}
sl@0	1241	}
sl@0	1242	/* we have a stack of newly certified certificates
sl@0	1243	* and a data base and serial number that need
sl@0	1244	* updating */
sl@0	1245
sl@0	1246	if (sk_X509_num(cert_sk) > 0)
sl@0	1247	{
sl@0	1248	if (!batch)
sl@0	1249	{
sl@0	1250	BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
sl@0	1251	(void)BIO_flush(bio_err);
sl@0	1252	buf[0][0]='\0';
sl@0	1253	fgets(buf[0],10,stdin);
sl@0	1254	if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
sl@0	1255	{
sl@0	1256	BIO_printf(bio_err,"CERTIFICATION CANCELED\n");
sl@0	1257	ret=0;
sl@0	1258	goto err;
sl@0	1259	}
sl@0	1260	}
sl@0	1261
sl@0	1262	BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
sl@0	1263
sl@0	1264	if (!save_serial(serialfile,"new",serial,NULL)) goto err;
sl@0	1265
sl@0	1266	if (!save_index(dbfile, "new", db)) goto err;
sl@0	1267	}
sl@0	1268
sl@0	1269	if (verbose)
sl@0	1270	BIO_printf(bio_err,"writing new certificates\n");
sl@0	1271	for (i=0; i<sk_X509_num(cert_sk); i++)
sl@0	1272	{
sl@0	1273	int k;
sl@0	1274	char *n;
sl@0	1275
sl@0	1276	x=sk_X509_value(cert_sk,i);
sl@0	1277
sl@0	1278	j=x->cert_info->serialNumber->length;
sl@0	1279	p=(const char *)x->cert_info->serialNumber->data;
sl@0	1280
sl@0	1281	if(strlen(outdir) >= (size_t)(j ? BSIZE-j*2-6 : BSIZE-8))
sl@0	1282	{
sl@0	1283	BIO_printf(bio_err,"certificate file name too long\n");
sl@0	1284	goto err;
sl@0	1285	}
sl@0	1286
sl@0	1287	strcpy(buf[2],outdir);
sl@0	1288
sl@0	1289	#ifndef OPENSSL_SYS_VMS
sl@0	1290	BUF_strlcat(buf[2],"/",sizeof(buf[2]));
sl@0	1291	#endif
sl@0	1292
sl@0	1293	n=(char *)&(buf[2][strlen(buf[2])]);
sl@0	1294	if (j > 0)
sl@0	1295	{
sl@0	1296	for (k=0; k<j; k++)
sl@0	1297	{
sl@0	1298	if (n >= &(buf[2][sizeof(buf[2])]))
sl@0	1299	break;
sl@0	1300	BIO_snprintf(n,
sl@0	1301	&buf[2][0] + sizeof(buf[2]) - n,
sl@0	1302	"%02X",(unsigned char)*(p++));
sl@0	1303	n+=2;
sl@0	1304	}
sl@0	1305	}
sl@0	1306	else
sl@0	1307	{
sl@0	1308	*(n++)='0';
sl@0	1309	*(n++)='0';
sl@0	1310	}
sl@0	1311	(n++)='.'; (n++)='p'; (n++)='e'; (n++)='m';
sl@0	1312	*n='\0';
sl@0	1313	if (verbose)
sl@0	1314	BIO_printf(bio_err,"writing %s\n",buf[2]);
sl@0	1315
sl@0	1316	if (BIO_write_filename(Cout,buf[2]) <= 0)
sl@0	1317	{
sl@0	1318	perror(buf[2]);
sl@0	1319	goto err;
sl@0	1320	}
sl@0	1321	write_new_certificate(Cout,x, 0, notext);
sl@0	1322	write_new_certificate(Sout,x, output_der, notext);
sl@0	1323	}
sl@0	1324
sl@0	1325	if (sk_X509_num(cert_sk))
sl@0	1326	{
sl@0	1327	/* Rename the database and the serial file */
sl@0	1328	if (!rotate_serial(serialfile,"new","old")) goto err;
sl@0	1329
sl@0	1330	if (!rotate_index(dbfile,"new","old")) goto err;
sl@0	1331
sl@0	1332	BIO_printf(bio_err,"Data Base Updated\n");
sl@0	1333	}
sl@0	1334	}
sl@0	1335
sl@0	1336	/*****************************************************************/
sl@0	1337	if (gencrl)
sl@0	1338	{
sl@0	1339	int crl_v2 = 0;
sl@0	1340	if (!crl_ext)
sl@0	1341	{
sl@0	1342	crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT);
sl@0	1343	if (!crl_ext)
sl@0	1344	ERR_clear_error();
sl@0	1345	}
sl@0	1346	if (crl_ext)
sl@0	1347	{
sl@0	1348	/* Check syntax of file */
sl@0	1349	X509V3_CTX ctx;
sl@0	1350	X509V3_set_ctx_test(&ctx);
sl@0	1351	X509V3_set_nconf(&ctx, conf);
sl@0	1352	if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL))
sl@0	1353	{
sl@0	1354	BIO_printf(bio_err,
sl@0	1355	"Error Loading CRL extension section %s\n",
sl@0	1356	crl_ext);
sl@0	1357	ret = 1;
sl@0	1358	goto err;
sl@0	1359	}
sl@0	1360	}
sl@0	1361
sl@0	1362	if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
sl@0	1363	!= NULL)
sl@0	1364	if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
sl@0	1365	{
sl@0	1366	BIO_printf(bio_err,"error while loading CRL number\n");
sl@0	1367	goto err;
sl@0	1368	}
sl@0	1369
sl@0	1370	if (!crldays && !crlhours)
sl@0	1371	{
sl@0	1372	if (!NCONF_get_number(conf,section,
sl@0	1373	ENV_DEFAULT_CRL_DAYS, &crldays))
sl@0	1374	crldays = 0;
sl@0	1375	if (!NCONF_get_number(conf,section,
sl@0	1376	ENV_DEFAULT_CRL_HOURS, &crlhours))
sl@0	1377	crlhours = 0;
sl@0	1378	}
sl@0	1379	if ((crldays == 0) && (crlhours == 0))
sl@0	1380	{
sl@0	1381	BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
sl@0	1382	goto err;
sl@0	1383	}
sl@0	1384
sl@0	1385	if (verbose) BIO_printf(bio_err,"making CRL\n");
sl@0	1386	if ((crl=X509_CRL_new()) == NULL) goto err;
sl@0	1387	if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;
sl@0	1388
sl@0	1389	tmptm = ASN1_TIME_new();
sl@0	1390	if (!tmptm) goto err;
sl@0	1391	X509_gmtime_adj(tmptm,0);
sl@0	1392	X509_CRL_set_lastUpdate(crl, tmptm);
sl@0	1393	X509_gmtime_adj(tmptm,(crldays24+crlhours)60*60);
sl@0	1394	X509_CRL_set_nextUpdate(crl, tmptm);
sl@0	1395
sl@0	1396	ASN1_TIME_free(tmptm);
sl@0	1397
sl@0	1398	for (i=0; i<sk_num(db->db->data); i++)
sl@0	1399	{
sl@0	1400	pp=(const char **)sk_value(db->db->data,i);
sl@0	1401	if (pp[DB_type][0] == DB_TYPE_REV)
sl@0	1402	{
sl@0	1403	if ((r=X509_REVOKED_new()) == NULL) goto err;
sl@0	1404	j = make_revoked(r, pp[DB_rev_date]);
sl@0	1405	if (!j) goto err;
sl@0	1406	if (j == 2) crl_v2 = 1;
sl@0	1407	if (!BN_hex2bn(&serial, pp[DB_serial]))
sl@0	1408	goto err;
sl@0	1409	tmpser = BN_to_ASN1_INTEGER(serial, NULL);
sl@0	1410	BN_free(serial);
sl@0	1411	serial = NULL;
sl@0	1412	if (!tmpser)
sl@0	1413	goto err;
sl@0	1414	X509_REVOKED_set_serialNumber(r, tmpser);
sl@0	1415	ASN1_INTEGER_free(tmpser);
sl@0	1416	X509_CRL_add0_revoked(crl,r);
sl@0	1417	}
sl@0	1418	}
sl@0	1419
sl@0	1420	/* sort the data so it will be written in serial
sl@0	1421	* number order */
sl@0	1422	X509_CRL_sort(crl);
sl@0	1423
sl@0	1424	/* we now have a CRL */
sl@0	1425	if (verbose) BIO_printf(bio_err,"signing CRL\n");
sl@0	1426	#ifndef OPENSSL_NO_DSA
sl@0	1427	if (pkey->type == EVP_PKEY_DSA)
sl@0	1428	dgst=EVP_dss1();
sl@0	1429	else
sl@0	1430	#endif
sl@0	1431	#ifndef OPENSSL_NO_ECDSA
sl@0	1432	if (pkey->type == EVP_PKEY_EC)
sl@0	1433	dgst=EVP_ecdsa();
sl@0	1434	#endif
sl@0	1435
sl@0	1436	/* Add any extensions asked for */
sl@0	1437
sl@0	1438	if (crl_ext \|\| crlnumberfile != NULL)
sl@0	1439	{
sl@0	1440	X509V3_CTX crlctx;
sl@0	1441	X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
sl@0	1442	X509V3_set_nconf(&crlctx, conf);
sl@0	1443
sl@0	1444	if (crl_ext)
sl@0	1445	if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
sl@0	1446	crl_ext, crl)) goto err;
sl@0	1447	if (crlnumberfile != NULL)
sl@0	1448	{
sl@0	1449	tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
sl@0	1450	if (!tmpser) goto err;
sl@0	1451	X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
sl@0	1452	ASN1_INTEGER_free(tmpser);
sl@0	1453	crl_v2 = 1;
sl@0	1454	if (!BN_add_word(crlnumber,1)) goto err;
sl@0	1455	}
sl@0	1456	}
sl@0	1457	if (crl_ext \|\| crl_v2)
sl@0	1458	{
sl@0	1459	if (!X509_CRL_set_version(crl, 1))
sl@0	1460	goto err; /* version 2 CRL */
sl@0	1461	}
sl@0	1462
sl@0	1463
sl@0	1464	if (crlnumberfile != NULL) /* we have a CRL number that need updating */
sl@0	1465	if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
sl@0	1466
sl@0	1467	if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
sl@0	1468
sl@0	1469	PEM_write_bio_X509_CRL(Sout,crl);
sl@0	1470
sl@0	1471	if (crlnumberfile != NULL) /* Rename the crlnumber file */
sl@0	1472	if (!rotate_serial(crlnumberfile,"new","old")) goto err;
sl@0	1473
sl@0	1474	}
sl@0	1475	/*****************************************************************/
sl@0	1476	if (dorevoke)
sl@0	1477	{
sl@0	1478	if (infile == NULL)
sl@0	1479	{
sl@0	1480	BIO_printf(bio_err,"no input files\n");
sl@0	1481	goto err;
sl@0	1482	}
sl@0	1483	else
sl@0	1484	{
sl@0	1485	X509 *revcert;
sl@0	1486	revcert=load_cert(bio_err, infile, FORMAT_PEM,
sl@0	1487	NULL, e, infile);
sl@0	1488	if (revcert == NULL)
sl@0	1489	goto err;
sl@0	1490	j=do_revoke(revcert,db, rev_type, rev_arg);
sl@0	1491	if (j <= 0) goto err;
sl@0	1492	X509_free(revcert);
sl@0	1493
sl@0	1494	if (!save_index(dbfile, "new", db)) goto err;
sl@0	1495
sl@0	1496	if (!rotate_index(dbfile, "new", "old")) goto err;
sl@0	1497
sl@0	1498	BIO_printf(bio_err,"Data Base Updated\n");
sl@0	1499	}
sl@0	1500	}
sl@0	1501	/*****************************************************************/
sl@0	1502	ret=0;
sl@0	1503	err:
sl@0	1504	if(tofree)
sl@0	1505	OPENSSL_free(tofree);
sl@0	1506	BIO_free_all(Cout);
sl@0	1507	BIO_free_all(Sout);
sl@0	1508	BIO_free_all(out);
sl@0	1509	BIO_free_all(in);
sl@0	1510
sl@0	1511	if (cert_sk)
sl@0	1512	sk_X509_pop_free(cert_sk,X509_free);
sl@0	1513
sl@0	1514	if (ret) ERR_print_errors(bio_err);
sl@0	1515	app_RAND_write_file(randfile, bio_err);
sl@0	1516	if (free_key && key)
sl@0	1517	OPENSSL_free(key);
sl@0	1518	BN_free(serial);
sl@0	1519	free_index(db);
sl@0	1520	EVP_PKEY_free(pkey);
sl@0	1521	if (x509) X509_free(x509);
sl@0	1522	X509_CRL_free(crl);
sl@0	1523	NCONF_free(conf);
sl@0	1524	NCONF_free(extconf);
sl@0	1525	OBJ_cleanup();
sl@0	1526	apps_shutdown();
sl@0	1527	OPENSSL_EXIT(ret);
sl@0	1528	}
sl@0	1529
sl@0	1530	static void lookup_fail(const char name, const char tag)
sl@0	1531	{
sl@0	1532	BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
sl@0	1533	}
sl@0	1534
sl@0	1535	static int certify(X509 *xret, char infile, EVP_PKEY pkey, X509 x509,
sl@0	1536	const EVP_MD dgst, STACK_OF(CONF_VALUE) policy, CA_DB *db,
sl@0	1537	BIGNUM serial, char subj,unsigned long chtype, int multirdn, int email_dn, char startdate, char enddate,
sl@0	1538	long days, int batch, char ext_sect, CONF lconf, int verbose,
sl@0	1539	unsigned long certopt, unsigned long nameopt, int default_op,
sl@0	1540	int ext_copy, int selfsign)
sl@0	1541	{
sl@0	1542	X509_REQ *req=NULL;
sl@0	1543	BIO *in=NULL;
sl@0	1544	EVP_PKEY *pktmp=NULL;
sl@0	1545	int ok= -1,i;
sl@0	1546
sl@0	1547	in=BIO_new(BIO_s_file());
sl@0	1548
sl@0	1549	if (BIO_read_filename(in,infile) <= 0)
sl@0	1550	{
sl@0	1551	perror(infile);
sl@0	1552	goto err;
sl@0	1553	}
sl@0	1554	if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
sl@0	1555	{
sl@0	1556	BIO_printf(bio_err,"Error reading certificate request in %s\n",
sl@0	1557	infile);
sl@0	1558	goto err;
sl@0	1559	}
sl@0	1560	if (verbose)
sl@0	1561	X509_REQ_print(bio_err,req);
sl@0	1562
sl@0	1563	BIO_printf(bio_err,"Check that the request matches the signature\n");
sl@0	1564
sl@0	1565	if (selfsign && !X509_REQ_check_private_key(req,pkey))
sl@0	1566	{
sl@0	1567	BIO_printf(bio_err,"Certificate request and CA private key do not match\n");
sl@0	1568	ok=0;
sl@0	1569	goto err;
sl@0	1570	}
sl@0	1571	if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
sl@0	1572	{
sl@0	1573	BIO_printf(bio_err,"error unpacking public key\n");
sl@0	1574	goto err;
sl@0	1575	}
sl@0	1576	i=X509_REQ_verify(req,pktmp);
sl@0	1577	EVP_PKEY_free(pktmp);
sl@0	1578	if (i < 0)
sl@0	1579	{
sl@0	1580	ok=0;
sl@0	1581	BIO_printf(bio_err,"Signature verification problems....\n");
sl@0	1582	goto err;
sl@0	1583	}
sl@0	1584	if (i == 0)
sl@0	1585	{
sl@0	1586	ok=0;
sl@0	1587	BIO_printf(bio_err,"Signature did not match the certificate request\n");
sl@0	1588	goto err;
sl@0	1589	}
sl@0	1590	else
sl@0	1591	BIO_printf(bio_err,"Signature ok\n");
sl@0	1592
sl@0	1593	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
sl@0	1594	startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
sl@0	1595	certopt, nameopt, default_op, ext_copy, selfsign);
sl@0	1596
sl@0	1597	err:
sl@0	1598	if (req != NULL) X509_REQ_free(req);
sl@0	1599	if (in != NULL) BIO_free(in);
sl@0	1600	return(ok);
sl@0	1601	}
sl@0	1602
sl@0	1603	static int certify_cert(X509 *xret, char infile, EVP_PKEY pkey, X509 x509,
sl@0	1604	const EVP_MD dgst, STACK_OF(CONF_VALUE) policy, CA_DB *db,
sl@0	1605	BIGNUM serial, char subj, unsigned long chtype, int multirdn, int email_dn, char startdate, char enddate,
sl@0	1606	long days, int batch, char ext_sect, CONF lconf, int verbose,
sl@0	1607	unsigned long certopt, unsigned long nameopt, int default_op,
sl@0	1608	int ext_copy, ENGINE *e)
sl@0	1609	{
sl@0	1610	X509 *req=NULL;
sl@0	1611	X509_REQ *rreq=NULL;
sl@0	1612	EVP_PKEY *pktmp=NULL;
sl@0	1613	int ok= -1,i;
sl@0	1614
sl@0	1615	if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
sl@0	1616	goto err;
sl@0	1617	if (verbose)
sl@0	1618	X509_print(bio_err,req);
sl@0	1619
sl@0	1620	BIO_printf(bio_err,"Check that the request matches the signature\n");
sl@0	1621
sl@0	1622	if ((pktmp=X509_get_pubkey(req)) == NULL)
sl@0	1623	{
sl@0	1624	BIO_printf(bio_err,"error unpacking public key\n");
sl@0	1625	goto err;
sl@0	1626	}
sl@0	1627	i=X509_verify(req,pktmp);
sl@0	1628	EVP_PKEY_free(pktmp);
sl@0	1629	if (i < 0)
sl@0	1630	{
sl@0	1631	ok=0;
sl@0	1632	BIO_printf(bio_err,"Signature verification problems....\n");
sl@0	1633	goto err;
sl@0	1634	}
sl@0	1635	if (i == 0)
sl@0	1636	{
sl@0	1637	ok=0;
sl@0	1638	BIO_printf(bio_err,"Signature did not match the certificate\n");
sl@0	1639	goto err;
sl@0	1640	}
sl@0	1641	else
sl@0	1642	BIO_printf(bio_err,"Signature ok\n");
sl@0	1643
sl@0	1644	if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
sl@0	1645	goto err;
sl@0	1646
sl@0	1647	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
sl@0	1648	days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
sl@0	1649	ext_copy, 0);
sl@0	1650
sl@0	1651	err:
sl@0	1652	if (rreq != NULL) X509_REQ_free(rreq);
sl@0	1653	if (req != NULL) X509_free(req);
sl@0	1654	return(ok);
sl@0	1655	}
sl@0	1656
sl@0	1657	static int do_body(X509 *xret, EVP_PKEY pkey, X509 x509, const EVP_MD dgst,
sl@0	1658	STACK_OF(CONF_VALUE) policy, CA_DB db, BIGNUM serial, char subj,
sl@0	1659	unsigned long chtype, int multirdn,
sl@0	1660	int email_dn, char startdate, char enddate, long days, int batch,
sl@0	1661	int verbose, X509_REQ req, char ext_sect, CONF *lconf,
sl@0	1662	unsigned long certopt, unsigned long nameopt, int default_op,
sl@0	1663	int ext_copy, int selfsign)
sl@0	1664	{
sl@0	1665	X509_NAME name=NULL,CAname=NULL,subject=NULL, dn_subject=NULL;
sl@0	1666	ASN1_UTCTIME tm,tmptm;
sl@0	1667	ASN1_STRING str,str2;
sl@0	1668	ASN1_OBJECT *obj;
sl@0	1669	X509 *ret=NULL;
sl@0	1670	X509_CINF *ci;
sl@0	1671	X509_NAME_ENTRY *ne;
sl@0	1672	X509_NAME_ENTRY tne,push;
sl@0	1673	EVP_PKEY *pktmp;
sl@0	1674	int ok= -1,i,j,last,nid;
sl@0	1675	const char *p;
sl@0	1676	CONF_VALUE *cv;
sl@0	1677	char row[DB_NUMBER],rrow=NULL,*irow=NULL;
sl@0	1678	char buf[25];
sl@0	1679
sl@0	1680	tmptm=ASN1_UTCTIME_new();
sl@0	1681	if (tmptm == NULL)
sl@0	1682	{
sl@0	1683	BIO_printf(bio_err,"malloc error\n");
sl@0	1684	return(0);
sl@0	1685	}
sl@0	1686
sl@0	1687	for (i=0; i<DB_NUMBER; i++)
sl@0	1688	row[i]=NULL;
sl@0	1689
sl@0	1690	if (subj)
sl@0	1691	{
sl@0	1692	X509_NAME *n = parse_name(subj, chtype, multirdn);
sl@0	1693
sl@0	1694	if (!n)
sl@0	1695	{
sl@0	1696	ERR_print_errors(bio_err);
sl@0	1697	goto err;
sl@0	1698	}
sl@0	1699	X509_REQ_set_subject_name(req,n);
sl@0	1700	req->req_info->enc.modified = 1;
sl@0	1701	X509_NAME_free(n);
sl@0	1702	}
sl@0	1703
sl@0	1704	if (default_op)
sl@0	1705	BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
sl@0	1706
sl@0	1707	name=X509_REQ_get_subject_name(req);
sl@0	1708	for (i=0; i<X509_NAME_entry_count(name); i++)
sl@0	1709	{
sl@0	1710	ne= X509_NAME_get_entry(name,i);
sl@0	1711	str=X509_NAME_ENTRY_get_data(ne);
sl@0	1712	obj=X509_NAME_ENTRY_get_object(ne);
sl@0	1713
sl@0	1714	if (msie_hack)
sl@0	1715	{
sl@0	1716	/* assume all type should be strings */
sl@0	1717	nid=OBJ_obj2nid(ne->object);
sl@0	1718
sl@0	1719	if (str->type == V_ASN1_UNIVERSALSTRING)
sl@0	1720	ASN1_UNIVERSALSTRING_to_string(str);
sl@0	1721
sl@0	1722	if ((str->type == V_ASN1_IA5STRING) &&
sl@0	1723	(nid != NID_pkcs9_emailAddress))
sl@0	1724	str->type=V_ASN1_T61STRING;
sl@0	1725
sl@0	1726	if ((nid == NID_pkcs9_emailAddress) &&
sl@0	1727	(str->type == V_ASN1_PRINTABLESTRING))
sl@0	1728	str->type=V_ASN1_IA5STRING;
sl@0	1729	}
sl@0	1730
sl@0	1731	/* If no EMAIL is wanted in the subject */
sl@0	1732	if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
sl@0	1733	continue;
sl@0	1734
sl@0	1735	/* check some things */
sl@0	1736	if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
sl@0	1737	(str->type != V_ASN1_IA5STRING))
sl@0	1738	{
sl@0	1739	BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
sl@0	1740	goto err;
sl@0	1741	}
sl@0	1742	if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING))
sl@0	1743	{
sl@0	1744	j=ASN1_PRINTABLE_type(str->data,str->length);
sl@0	1745	if ( ((j == V_ASN1_T61STRING) &&
sl@0	1746	(str->type != V_ASN1_T61STRING)) \|\|
sl@0	1747	((j == V_ASN1_IA5STRING) &&
sl@0	1748	(str->type == V_ASN1_PRINTABLESTRING)))
sl@0	1749	{
sl@0	1750	BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
sl@0	1751	goto err;
sl@0	1752	}
sl@0	1753	}
sl@0	1754
sl@0	1755	if (default_op)
sl@0	1756	old_entry_print(bio_err, obj, str);
sl@0	1757	}
sl@0	1758
sl@0	1759	/* Ok, now we check the 'policy' stuff. */
sl@0	1760	if ((subject=X509_NAME_new()) == NULL)
sl@0	1761	{
sl@0	1762	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1763	goto err;
sl@0	1764	}
sl@0	1765
sl@0	1766	/* take a copy of the issuer name before we mess with it. */
sl@0	1767	if (selfsign)
sl@0	1768	CAname=X509_NAME_dup(name);
sl@0	1769	else
sl@0	1770	CAname=X509_NAME_dup(x509->cert_info->subject);
sl@0	1771	if (CAname == NULL) goto err;
sl@0	1772	str=str2=NULL;
sl@0	1773
sl@0	1774	for (i=0; i<sk_CONF_VALUE_num(policy); i++)
sl@0	1775	{
sl@0	1776	cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
sl@0	1777	if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
sl@0	1778	{
sl@0	1779	BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
sl@0	1780	goto err;
sl@0	1781	}
sl@0	1782	obj=OBJ_nid2obj(j);
sl@0	1783
sl@0	1784	last= -1;
sl@0	1785	for (;;)
sl@0	1786	{
sl@0	1787	/* lookup the object in the supplied name list */
sl@0	1788	j=X509_NAME_get_index_by_OBJ(name,obj,last);
sl@0	1789	if (j < 0)
sl@0	1790	{
sl@0	1791	if (last != -1) break;
sl@0	1792	tne=NULL;
sl@0	1793	}
sl@0	1794	else
sl@0	1795	{
sl@0	1796	tne=X509_NAME_get_entry(name,j);
sl@0	1797	}
sl@0	1798	last=j;
sl@0	1799
sl@0	1800	/* depending on the 'policy', decide what to do. */
sl@0	1801	push=NULL;
sl@0	1802	if (strcmp(cv->value,"optional") == 0)
sl@0	1803	{
sl@0	1804	if (tne != NULL)
sl@0	1805	push=tne;
sl@0	1806	}
sl@0	1807	else if (strcmp(cv->value,"supplied") == 0)
sl@0	1808	{
sl@0	1809	if (tne == NULL)
sl@0	1810	{
sl@0	1811	BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
sl@0	1812	goto err;
sl@0	1813	}
sl@0	1814	else
sl@0	1815	push=tne;
sl@0	1816	}
sl@0	1817	else if (strcmp(cv->value,"match") == 0)
sl@0	1818	{
sl@0	1819	int last2;
sl@0	1820
sl@0	1821	if (tne == NULL)
sl@0	1822	{
sl@0	1823	BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
sl@0	1824	goto err;
sl@0	1825	}
sl@0	1826
sl@0	1827	last2= -1;
sl@0	1828
sl@0	1829	again2:
sl@0	1830	j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
sl@0	1831	if ((j < 0) && (last2 == -1))
sl@0	1832	{
sl@0	1833	BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
sl@0	1834	goto err;
sl@0	1835	}
sl@0	1836	if (j >= 0)
sl@0	1837	{
sl@0	1838	push=X509_NAME_get_entry(CAname,j);
sl@0	1839	str=X509_NAME_ENTRY_get_data(tne);
sl@0	1840	str2=X509_NAME_ENTRY_get_data(push);
sl@0	1841	last2=j;
sl@0	1842	if (ASN1_STRING_cmp(str,str2) != 0)
sl@0	1843	goto again2;
sl@0	1844	}
sl@0	1845	if (j < 0)
sl@0	1846	{
sl@0	1847	BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char )str2->data),((str == NULL)?"NULL":(char )str->data));
sl@0	1848	goto err;
sl@0	1849	}
sl@0	1850	}
sl@0	1851	else
sl@0	1852	{
sl@0	1853	BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
sl@0	1854	goto err;
sl@0	1855	}
sl@0	1856
sl@0	1857	if (push != NULL)
sl@0	1858	{
sl@0	1859	if (!X509_NAME_add_entry(subject,push, -1, 0))
sl@0	1860	{
sl@0	1861	if (push != NULL)
sl@0	1862	X509_NAME_ENTRY_free(push);
sl@0	1863	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1864	goto err;
sl@0	1865	}
sl@0	1866	}
sl@0	1867	if (j < 0) break;
sl@0	1868	}
sl@0	1869	}
sl@0	1870
sl@0	1871	if (preserve)
sl@0	1872	{
sl@0	1873	X509_NAME_free(subject);
sl@0	1874	/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
sl@0	1875	subject=X509_NAME_dup(name);
sl@0	1876	if (subject == NULL) goto err;
sl@0	1877	}
sl@0	1878
sl@0	1879	if (verbose)
sl@0	1880	BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
sl@0	1881
sl@0	1882	/* Build the correct Subject if no e-mail is wanted in the subject */
sl@0	1883	/* and add it later on because of the method extensions are added (altName) */
sl@0	1884
sl@0	1885	if (email_dn)
sl@0	1886	dn_subject = subject;
sl@0	1887	else
sl@0	1888	{
sl@0	1889	X509_NAME_ENTRY *tmpne;
sl@0	1890	/* Its best to dup the subject DN and then delete any email
sl@0	1891	* addresses because this retains its structure.
sl@0	1892	*/
sl@0	1893	if (!(dn_subject = X509_NAME_dup(subject)))
sl@0	1894	{
sl@0	1895	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1896	goto err;
sl@0	1897	}
sl@0	1898	while((i = X509_NAME_get_index_by_NID(dn_subject,
sl@0	1899	NID_pkcs9_emailAddress, -1)) >= 0)
sl@0	1900	{
sl@0	1901	tmpne = X509_NAME_get_entry(dn_subject, i);
sl@0	1902	X509_NAME_delete_entry(dn_subject, i);
sl@0	1903	X509_NAME_ENTRY_free(tmpne);
sl@0	1904	}
sl@0	1905	}
sl@0	1906
sl@0	1907	if (BN_is_zero(serial))
sl@0	1908	row[DB_serial]=BUF_strdup("00");
sl@0	1909	else
sl@0	1910	row[DB_serial]=BN_bn2hex(serial);
sl@0	1911	if (row[DB_serial] == NULL)
sl@0	1912	{
sl@0	1913	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	1914	goto err;
sl@0	1915	}
sl@0	1916
sl@0	1917	if (db->attributes.unique_subject)
sl@0	1918	{
sl@0	1919	rrow=TXT_DB_get_by_index(db->db,DB_name,row);
sl@0	1920	if (rrow != NULL)
sl@0	1921	{
sl@0	1922	BIO_printf(bio_err,
sl@0	1923	"ERROR:There is already a certificate for %s\n",
sl@0	1924	row[DB_name]);
sl@0	1925	}
sl@0	1926	}
sl@0	1927	if (rrow == NULL)
sl@0	1928	{
sl@0	1929	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
sl@0	1930	if (rrow != NULL)
sl@0	1931	{
sl@0	1932	BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
sl@0	1933	row[DB_serial]);
sl@0	1934	BIO_printf(bio_err," check the database/serial_file for corruption\n");
sl@0	1935	}
sl@0	1936	}
sl@0	1937
sl@0	1938	if (rrow != NULL)
sl@0	1939	{
sl@0	1940	BIO_printf(bio_err,
sl@0	1941	"The matching entry has the following details\n");
sl@0	1942	if (rrow[DB_type][0] == 'E')
sl@0	1943	p="Expired";
sl@0	1944	else if (rrow[DB_type][0] == 'R')
sl@0	1945	p="Revoked";
sl@0	1946	else if (rrow[DB_type][0] == 'V')
sl@0	1947	p="Valid";
sl@0	1948	else
sl@0	1949	p="\ninvalid type, Data base error\n";
sl@0	1950	BIO_printf(bio_err,"Type :%s\n",p);;
sl@0	1951	if (rrow[DB_type][0] == 'R')
sl@0	1952	{
sl@0	1953	p=rrow[DB_exp_date]; if (p == NULL) p="undef";
sl@0	1954	BIO_printf(bio_err,"Was revoked on:%s\n",p);
sl@0	1955	}
sl@0	1956	p=rrow[DB_exp_date]; if (p == NULL) p="undef";
sl@0	1957	BIO_printf(bio_err,"Expires on :%s\n",p);
sl@0	1958	p=rrow[DB_serial]; if (p == NULL) p="undef";
sl@0	1959	BIO_printf(bio_err,"Serial Number :%s\n",p);
sl@0	1960	p=rrow[DB_file]; if (p == NULL) p="undef";
sl@0	1961	BIO_printf(bio_err,"File name :%s\n",p);
sl@0	1962	p=rrow[DB_name]; if (p == NULL) p="undef";
sl@0	1963	BIO_printf(bio_err,"Subject Name :%s\n",p);
sl@0	1964	ok= -1; /* This is now a 'bad' error. */
sl@0	1965	goto err;
sl@0	1966	}
sl@0	1967
sl@0	1968	/* We are now totally happy, lets make and sign the certificate */
sl@0	1969	if (verbose)
sl@0	1970	BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
sl@0	1971
sl@0	1972	if ((ret=X509_new()) == NULL) goto err;
sl@0	1973	ci=ret->cert_info;
sl@0	1974
sl@0	1975	#ifdef X509_V3
sl@0	1976	/* Make it an X509 v3 certificate. */
sl@0	1977	if (!X509_set_version(ret,2)) goto err;
sl@0	1978	#endif
sl@0	1979
sl@0	1980	if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
sl@0	1981	goto err;
sl@0	1982	if (selfsign)
sl@0	1983	{
sl@0	1984	if (!X509_set_issuer_name(ret,subject))
sl@0	1985	goto err;
sl@0	1986	}
sl@0	1987	else
sl@0	1988	{
sl@0	1989	if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
sl@0	1990	goto err;
sl@0	1991	}
sl@0	1992
sl@0	1993	if (strcmp(startdate,"today") == 0)
sl@0	1994	X509_gmtime_adj(X509_get_notBefore(ret),0);
sl@0	1995	else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
sl@0	1996
sl@0	1997	if (enddate == NULL)
sl@0	1998	X509_gmtime_adj(X509_get_notAfter(ret),(long)606024*days);
sl@0	1999	else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
sl@0	2000
sl@0	2001	if (!X509_set_subject_name(ret,subject)) goto err;
sl@0	2002
sl@0	2003	pktmp=X509_REQ_get_pubkey(req);
sl@0	2004	i = X509_set_pubkey(ret,pktmp);
sl@0	2005	EVP_PKEY_free(pktmp);
sl@0	2006	if (!i) goto err;
sl@0	2007
sl@0	2008	/* Lets add the extensions, if there are any */
sl@0	2009	if (ext_sect)
sl@0	2010	{
sl@0	2011	X509V3_CTX ctx;
sl@0	2012	if (ci->version == NULL)
sl@0	2013	if ((ci->version=ASN1_INTEGER_new()) == NULL)
sl@0	2014	goto err;
sl@0	2015	ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
sl@0	2016
sl@0	2017	/* Free the current entries if any, there should not
sl@0	2018	* be any I believe */
sl@0	2019	if (ci->extensions != NULL)
sl@0	2020	sk_X509_EXTENSION_pop_free(ci->extensions,
sl@0	2021	X509_EXTENSION_free);
sl@0	2022
sl@0	2023	ci->extensions = NULL;
sl@0	2024
sl@0	2025	/* Initialize the context structure */
sl@0	2026	if (selfsign)
sl@0	2027	X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
sl@0	2028	else
sl@0	2029	X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
sl@0	2030
sl@0	2031	if (extconf)
sl@0	2032	{
sl@0	2033	if (verbose)
sl@0	2034	BIO_printf(bio_err, "Extra configuration file found\n");
sl@0	2035
sl@0	2036	/* Use the extconf configuration db LHASH */
sl@0	2037	X509V3_set_nconf(&ctx, extconf);
sl@0	2038
sl@0	2039	/* Test the structure (needed?) */
sl@0	2040	/* X509V3_set_ctx_test(&ctx); */
sl@0	2041
sl@0	2042	/* Adds exts contained in the configuration file */
sl@0	2043	if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret))
sl@0	2044	{
sl@0	2045	BIO_printf(bio_err,
sl@0	2046	"ERROR: adding extensions in section %s\n",
sl@0	2047	ext_sect);
sl@0	2048	ERR_print_errors(bio_err);
sl@0	2049	goto err;
sl@0	2050	}
sl@0	2051	if (verbose)
sl@0	2052	BIO_printf(bio_err, "Successfully added extensions from file.\n");
sl@0	2053	}
sl@0	2054	else if (ext_sect)
sl@0	2055	{
sl@0	2056	/* We found extensions to be set from config file */
sl@0	2057	X509V3_set_nconf(&ctx, lconf);
sl@0	2058
sl@0	2059	if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret))
sl@0	2060	{
sl@0	2061	BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
sl@0	2062	ERR_print_errors(bio_err);
sl@0	2063	goto err;
sl@0	2064	}
sl@0	2065
sl@0	2066	if (verbose)
sl@0	2067	BIO_printf(bio_err, "Successfully added extensions from config\n");
sl@0	2068	}
sl@0	2069	}
sl@0	2070
sl@0	2071	/* Copy extensions from request (if any) */
sl@0	2072
sl@0	2073	if (!copy_extensions(ret, req, ext_copy))
sl@0	2074	{
sl@0	2075	BIO_printf(bio_err, "ERROR: adding extensions from request\n");
sl@0	2076	ERR_print_errors(bio_err);
sl@0	2077	goto err;
sl@0	2078	}
sl@0	2079
sl@0	2080	/* Set the right value for the noemailDN option */
sl@0	2081	if( email_dn == 0 )
sl@0	2082	{
sl@0	2083	if (!X509_set_subject_name(ret,dn_subject)) goto err;
sl@0	2084	}
sl@0	2085
sl@0	2086	if (!default_op)
sl@0	2087	{
sl@0	2088	BIO_printf(bio_err, "Certificate Details:\n");
sl@0	2089	/* Never print signature details because signature not present */
sl@0	2090	certopt \|= X509_FLAG_NO_SIGDUMP \| X509_FLAG_NO_SIGNAME;
sl@0	2091	X509_print_ex(bio_err, ret, nameopt, certopt);
sl@0	2092	}
sl@0	2093
sl@0	2094	BIO_printf(bio_err,"Certificate is to be certified until ");
sl@0	2095	ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
sl@0	2096	if (days) BIO_printf(bio_err," (%ld days)",days);
sl@0	2097	BIO_printf(bio_err, "\n");
sl@0	2098
sl@0	2099	if (!batch)
sl@0	2100	{
sl@0	2101
sl@0	2102	BIO_printf(bio_err,"Sign the certificate? [y/n]:");
sl@0	2103	(void)BIO_flush(bio_err);
sl@0	2104	buf[0]='\0';
sl@0	2105	fgets(buf,sizeof(buf)-1,stdin);
sl@0	2106	if (!((buf[0] == 'y') \|\| (buf[0] == 'Y')))
sl@0	2107	{
sl@0	2108	BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
sl@0	2109	ok=0;
sl@0	2110	goto err;
sl@0	2111	}
sl@0	2112	}
sl@0	2113
sl@0	2114
sl@0	2115	#ifndef OPENSSL_NO_DSA
sl@0	2116	if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
sl@0	2117	pktmp=X509_get_pubkey(ret);
sl@0	2118	if (EVP_PKEY_missing_parameters(pktmp) &&
sl@0	2119	!EVP_PKEY_missing_parameters(pkey))
sl@0	2120	EVP_PKEY_copy_parameters(pktmp,pkey);
sl@0	2121	EVP_PKEY_free(pktmp);
sl@0	2122	#endif
sl@0	2123	#ifndef OPENSSL_NO_ECDSA
sl@0	2124	if (pkey->type == EVP_PKEY_EC)
sl@0	2125	dgst = EVP_ecdsa();
sl@0	2126	pktmp = X509_get_pubkey(ret);
sl@0	2127	if (EVP_PKEY_missing_parameters(pktmp) &&
sl@0	2128	!EVP_PKEY_missing_parameters(pkey))
sl@0	2129	EVP_PKEY_copy_parameters(pktmp, pkey);
sl@0	2130	EVP_PKEY_free(pktmp);
sl@0	2131	#endif
sl@0	2132
sl@0	2133
sl@0	2134	if (!X509_sign(ret,pkey,dgst))
sl@0	2135	goto err;
sl@0	2136
sl@0	2137	/* We now just add it to the database */
sl@0	2138	row[DB_type]=(char *)OPENSSL_malloc(2);
sl@0	2139
sl@0	2140	tm=X509_get_notAfter(ret);
sl@0	2141	row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
sl@0	2142	memcpy(row[DB_exp_date],tm->data,tm->length);
sl@0	2143	row[DB_exp_date][tm->length]='\0';
sl@0	2144
sl@0	2145	row[DB_rev_date]=NULL;
sl@0	2146
sl@0	2147	/* row[DB_serial] done already */
sl@0	2148	row[DB_file]=(char *)OPENSSL_malloc(8);
sl@0	2149	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
sl@0	2150
sl@0	2151	if ((row[DB_type] == NULL) \|\| (row[DB_exp_date] == NULL) \|\|
sl@0	2152	(row[DB_file] == NULL) \|\| (row[DB_name] == NULL))
sl@0	2153	{
sl@0	2154	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	2155	goto err;
sl@0	2156	}
sl@0	2157	BUF_strlcpy(row[DB_file],"unknown",8);
sl@0	2158	row[DB_type][0]='V';
sl@0	2159	row[DB_type][1]='\0';
sl@0	2160
sl@0	2161	if ((irow=(char *)OPENSSL_malloc(sizeof(char )*(DB_NUMBER+1))) == NULL)
sl@0	2162	{
sl@0	2163	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	2164	goto err;
sl@0	2165	}
sl@0	2166
sl@0	2167	for (i=0; i<DB_NUMBER; i++)
sl@0	2168	{
sl@0	2169	irow[i]=row[i];
sl@0	2170	row[i]=NULL;
sl@0	2171	}
sl@0	2172	irow[DB_NUMBER]=NULL;
sl@0	2173
sl@0	2174	if (!TXT_DB_insert(db->db,irow))
sl@0	2175	{
sl@0	2176	BIO_printf(bio_err,"failed to update database\n");
sl@0	2177	BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
sl@0	2178	goto err;
sl@0	2179	}
sl@0	2180	ok=1;
sl@0	2181	err:
sl@0	2182	for (i=0; i<DB_NUMBER; i++)
sl@0	2183	if (row[i] != NULL) OPENSSL_free(row[i]);
sl@0	2184
sl@0	2185	if (CAname != NULL)
sl@0	2186	X509_NAME_free(CAname);
sl@0	2187	if (subject != NULL)
sl@0	2188	X509_NAME_free(subject);
sl@0	2189	if ((dn_subject != NULL) && !email_dn)
sl@0	2190	X509_NAME_free(dn_subject);
sl@0	2191	if (tmptm != NULL)
sl@0	2192	ASN1_UTCTIME_free(tmptm);
sl@0	2193	if (ok <= 0)
sl@0	2194	{
sl@0	2195	if (ret != NULL) X509_free(ret);
sl@0	2196	ret=NULL;
sl@0	2197	}
sl@0	2198	else
sl@0	2199	*xret=ret;
sl@0	2200	return(ok);
sl@0	2201	}
sl@0	2202
sl@0	2203	static void write_new_certificate(BIO bp, X509 x, int output_der, int notext)
sl@0	2204	{
sl@0	2205
sl@0	2206	if (output_der)
sl@0	2207	{
sl@0	2208	(void)i2d_X509_bio(bp,x);
sl@0	2209	return;
sl@0	2210	}
sl@0	2211	#if 0
sl@0	2212	/* ??? Not needed since X509_print prints all this stuff anyway */
sl@0	2213	f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
sl@0	2214	BIO_printf(bp,"issuer :%s\n",f);
sl@0	2215
sl@0	2216	f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
sl@0	2217	BIO_printf(bp,"subject:%s\n",f);
sl@0	2218
sl@0	2219	BIO_puts(bp,"serial :");
sl@0	2220	i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
sl@0	2221	BIO_puts(bp,"\n\n");
sl@0	2222	#endif
sl@0	2223	if (!notext)X509_print(bp,x);
sl@0	2224	PEM_write_bio_X509(bp,x);
sl@0	2225	}
sl@0	2226
sl@0	2227	static int certify_spkac(X509 *xret, char infile, EVP_PKEY pkey, X509 x509,
sl@0	2228	const EVP_MD dgst, STACK_OF(CONF_VALUE) policy, CA_DB *db,
sl@0	2229	BIGNUM serial, char subj,unsigned long chtype, int multirdn, int email_dn, char startdate, char enddate,
sl@0	2230	long days, char ext_sect, CONF lconf, int verbose, unsigned long certopt,
sl@0	2231	unsigned long nameopt, int default_op, int ext_copy)
sl@0	2232	{
sl@0	2233	STACK_OF(CONF_VALUE) *sk=NULL;
sl@0	2234	LHASH *parms=NULL;
sl@0	2235	X509_REQ *req=NULL;
sl@0	2236	CONF_VALUE *cv=NULL;
sl@0	2237	NETSCAPE_SPKI *spki = NULL;
sl@0	2238	X509_REQ_INFO *ri;
sl@0	2239	char type,buf;
sl@0	2240	EVP_PKEY *pktmp=NULL;
sl@0	2241	X509_NAME *n=NULL;
sl@0	2242	X509_NAME_ENTRY *ne=NULL;
sl@0	2243	int ok= -1,i,j;
sl@0	2244	long errline;
sl@0	2245	int nid;
sl@0	2246
sl@0	2247	/*
sl@0	2248	* Load input file into a hash table. (This is just an easy
sl@0	2249	* way to read and parse the file, then put it into a convenient
sl@0	2250	* STACK format).
sl@0	2251	*/
sl@0	2252	parms=CONF_load(NULL,infile,&errline);
sl@0	2253	if (parms == NULL)
sl@0	2254	{
sl@0	2255	BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
sl@0	2256	ERR_print_errors(bio_err);
sl@0	2257	goto err;
sl@0	2258	}
sl@0	2259
sl@0	2260	sk=CONF_get_section(parms, "default");
sl@0	2261	if (sk_CONF_VALUE_num(sk) == 0)
sl@0	2262	{
sl@0	2263	BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
sl@0	2264	CONF_free(parms);
sl@0	2265	goto err;
sl@0	2266	}
sl@0	2267
sl@0	2268	/*
sl@0	2269	* Now create a dummy X509 request structure. We don't actually
sl@0	2270	* have an X509 request, but we have many of the components
sl@0	2271	* (a public key, various DN components). The idea is that we
sl@0	2272	* put these components into the right X509 request structure
sl@0	2273	* and we can use the same code as if you had a real X509 request.
sl@0	2274	*/
sl@0	2275	req=X509_REQ_new();
sl@0	2276	if (req == NULL)
sl@0	2277	{
sl@0	2278	ERR_print_errors(bio_err);
sl@0	2279	goto err;
sl@0	2280	}
sl@0	2281
sl@0	2282	/*
sl@0	2283	* Build up the subject name set.
sl@0	2284	*/
sl@0	2285	ri=req->req_info;
sl@0	2286	n = ri->subject;
sl@0	2287
sl@0	2288	for (i = 0; ; i++)
sl@0	2289	{
sl@0	2290	if (sk_CONF_VALUE_num(sk) <= i) break;
sl@0	2291
sl@0	2292	cv=sk_CONF_VALUE_value(sk,i);
sl@0	2293	type=cv->name;
sl@0	2294	/* Skip past any leading X. X: X, etc to allow for
sl@0	2295	* multiple instances
sl@0	2296	*/
sl@0	2297	for (buf = cv->name; *buf ; buf++)
sl@0	2298	if ((buf == ':') \|\| (buf == ',') \|\| (*buf == '.'))
sl@0	2299	{
sl@0	2300	buf++;
sl@0	2301	if (*buf) type = buf;
sl@0	2302	break;
sl@0	2303	}
sl@0	2304
sl@0	2305	buf=cv->value;
sl@0	2306	if ((nid=OBJ_txt2nid(type)) == NID_undef)
sl@0	2307	{
sl@0	2308	if (strcmp(type, "SPKAC") == 0)
sl@0	2309	{
sl@0	2310	spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
sl@0	2311	if (spki == NULL)
sl@0	2312	{
sl@0	2313	BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
sl@0	2314	ERR_print_errors(bio_err);
sl@0	2315	goto err;
sl@0	2316	}
sl@0	2317	}
sl@0	2318	continue;
sl@0	2319	}
sl@0	2320
sl@0	2321	/*
sl@0	2322	if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
sl@0	2323	continue;
sl@0	2324	*/
sl@0	2325
sl@0	2326	j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
sl@0	2327	if (fix_data(nid, &j) == 0)
sl@0	2328	{
sl@0	2329	BIO_printf(bio_err,
sl@0	2330	"invalid characters in string %s\n",buf);
sl@0	2331	goto err;
sl@0	2332	}
sl@0	2333
sl@0	2334	if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
sl@0	2335	(unsigned char *)buf,
sl@0	2336	strlen(buf))) == NULL)
sl@0	2337	goto err;
sl@0	2338
sl@0	2339	if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
sl@0	2340	}
sl@0	2341	if (spki == NULL)
sl@0	2342	{
sl@0	2343	BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
sl@0	2344	infile);
sl@0	2345	goto err;
sl@0	2346	}
sl@0	2347
sl@0	2348	/*
sl@0	2349	* Now extract the key from the SPKI structure.
sl@0	2350	*/
sl@0	2351
sl@0	2352	BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
sl@0	2353
sl@0	2354	if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
sl@0	2355	{
sl@0	2356	BIO_printf(bio_err,"error unpacking SPKAC public key\n");
sl@0	2357	goto err;
sl@0	2358	}
sl@0	2359
sl@0	2360	j = NETSCAPE_SPKI_verify(spki, pktmp);
sl@0	2361	if (j <= 0)
sl@0	2362	{
sl@0	2363	BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
sl@0	2364	goto err;
sl@0	2365	}
sl@0	2366	BIO_printf(bio_err,"Signature ok\n");
sl@0	2367
sl@0	2368	X509_REQ_set_pubkey(req,pktmp);
sl@0	2369	EVP_PKEY_free(pktmp);
sl@0	2370	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
sl@0	2371	days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
sl@0	2372	ext_copy, 0);
sl@0	2373	err:
sl@0	2374	if (req != NULL) X509_REQ_free(req);
sl@0	2375	if (parms != NULL) CONF_free(parms);
sl@0	2376	if (spki != NULL) NETSCAPE_SPKI_free(spki);
sl@0	2377	if (ne != NULL) X509_NAME_ENTRY_free(ne);
sl@0	2378
sl@0	2379	return(ok);
sl@0	2380	}
sl@0	2381
sl@0	2382	static int fix_data(int nid, int *type)
sl@0	2383	{
sl@0	2384	if (nid == NID_pkcs9_emailAddress)
sl@0	2385	*type=V_ASN1_IA5STRING;
sl@0	2386	if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
sl@0	2387	*type=V_ASN1_T61STRING;
sl@0	2388	if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
sl@0	2389	*type=V_ASN1_T61STRING;
sl@0	2390	if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
sl@0	2391	return(0);
sl@0	2392	if (nid == NID_pkcs9_unstructuredName)
sl@0	2393	*type=V_ASN1_IA5STRING;
sl@0	2394	return(1);
sl@0	2395	}
sl@0	2396
sl@0	2397	static int check_time_format(char *str)
sl@0	2398	{
sl@0	2399	ASN1_UTCTIME tm;
sl@0	2400
sl@0	2401	tm.data=(unsigned char *)str;
sl@0	2402	tm.length=strlen(str);
sl@0	2403	tm.type=V_ASN1_UTCTIME;
sl@0	2404	return(ASN1_UTCTIME_check(&tm));
sl@0	2405	}
sl@0	2406
sl@0	2407	static int do_revoke(X509 x509, CA_DB db, int type, char *value)
sl@0	2408	{
sl@0	2409	ASN1_UTCTIME *tm=NULL;
sl@0	2410	char row[DB_NUMBER],rrow,*irow;
sl@0	2411	char *rev_str = NULL;
sl@0	2412	BIGNUM *bn = NULL;
sl@0	2413	int ok=-1,i;
sl@0	2414
sl@0	2415	for (i=0; i<DB_NUMBER; i++)
sl@0	2416	row[i]=NULL;
sl@0	2417	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
sl@0	2418	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
sl@0	2419	if (BN_is_zero(bn))
sl@0	2420	row[DB_serial]=BUF_strdup("00");
sl@0	2421	else
sl@0	2422	row[DB_serial]=BN_bn2hex(bn);
sl@0	2423	BN_free(bn);
sl@0	2424	if ((row[DB_name] == NULL) \|\| (row[DB_serial] == NULL))
sl@0	2425	{
sl@0	2426	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	2427	goto err;
sl@0	2428	}
sl@0	2429	/* We have to lookup by serial number because name lookup
sl@0	2430	* skips revoked certs
sl@0	2431	*/
sl@0	2432	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
sl@0	2433	if (rrow == NULL)
sl@0	2434	{
sl@0	2435	BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);
sl@0	2436
sl@0	2437	/* We now just add it to the database */
sl@0	2438	row[DB_type]=(char *)OPENSSL_malloc(2);
sl@0	2439
sl@0	2440	tm=X509_get_notAfter(x509);
sl@0	2441	row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
sl@0	2442	memcpy(row[DB_exp_date],tm->data,tm->length);
sl@0	2443	row[DB_exp_date][tm->length]='\0';
sl@0	2444
sl@0	2445	row[DB_rev_date]=NULL;
sl@0	2446
sl@0	2447	/* row[DB_serial] done already */
sl@0	2448	row[DB_file]=(char *)OPENSSL_malloc(8);
sl@0	2449
sl@0	2450	/* row[DB_name] done already */
sl@0	2451
sl@0	2452	if ((row[DB_type] == NULL) \|\| (row[DB_exp_date] == NULL) \|\|
sl@0	2453	(row[DB_file] == NULL))
sl@0	2454	{
sl@0	2455	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	2456	goto err;
sl@0	2457	}
sl@0	2458	BUF_strlcpy(row[DB_file],"unknown",8);
sl@0	2459	row[DB_type][0]='V';
sl@0	2460	row[DB_type][1]='\0';
sl@0	2461
sl@0	2462	if ((irow=(char *)OPENSSL_malloc(sizeof(char )*(DB_NUMBER+1))) == NULL)
sl@0	2463	{
sl@0	2464	BIO_printf(bio_err,"Memory allocation failure\n");
sl@0	2465	goto err;
sl@0	2466	}
sl@0	2467
sl@0	2468	for (i=0; i<DB_NUMBER; i++)
sl@0	2469	{
sl@0	2470	irow[i]=row[i];
sl@0	2471	row[i]=NULL;
sl@0	2472	}
sl@0	2473	irow[DB_NUMBER]=NULL;
sl@0	2474
sl@0	2475	if (!TXT_DB_insert(db->db,irow))
sl@0	2476	{
sl@0	2477	BIO_printf(bio_err,"failed to update database\n");
sl@0	2478	BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
sl@0	2479	goto err;
sl@0	2480	}
sl@0	2481
sl@0	2482	/* Revoke Certificate */
sl@0	2483	ok = do_revoke(x509,db, type, value);
sl@0	2484
sl@0	2485	goto err;
sl@0	2486
sl@0	2487	}
sl@0	2488	else if (index_name_cmp((const char )row,(const char )rrow))
sl@0	2489	{
sl@0	2490	BIO_printf(bio_err,"ERROR:name does not match %s\n",
sl@0	2491	row[DB_name]);
sl@0	2492	goto err;
sl@0	2493	}
sl@0	2494	else if (rrow[DB_type][0]=='R')
sl@0	2495	{
sl@0	2496	BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
sl@0	2497	row[DB_serial]);
sl@0	2498	goto err;
sl@0	2499	}
sl@0	2500	else
sl@0	2501	{
sl@0	2502	BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
sl@0	2503	rev_str = make_revocation_str(type, value);
sl@0	2504	if (!rev_str)
sl@0	2505	{
sl@0	2506	BIO_printf(bio_err, "Error in revocation arguments\n");
sl@0	2507	goto err;
sl@0	2508	}
sl@0	2509	rrow[DB_type][0]='R';
sl@0	2510	rrow[DB_type][1]='\0';
sl@0	2511	rrow[DB_rev_date] = rev_str;
sl@0	2512	}
sl@0	2513	ok=1;
sl@0	2514	err:
sl@0	2515	for (i=0; i<DB_NUMBER; i++)
sl@0	2516	{
sl@0	2517	if (row[i] != NULL)
sl@0	2518	OPENSSL_free(row[i]);
sl@0	2519	}
sl@0	2520	return(ok);
sl@0	2521	}
sl@0	2522
sl@0	2523	static int get_certificate_status(const char serial, CA_DB db)
sl@0	2524	{
sl@0	2525	char row[DB_NUMBER],*rrow;
sl@0	2526	int ok=-1,i;
sl@0	2527
sl@0	2528	/* Free Resources */
sl@0	2529	for (i=0; i<DB_NUMBER; i++)
sl@0	2530	row[i]=NULL;
sl@0	2531
sl@0	2532	/* Malloc needed char spaces */
sl@0	2533	row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
sl@0	2534	if (row[DB_serial] == NULL)
sl@0	2535	{
sl@0	2536	BIO_printf(bio_err,"Malloc failure\n");
sl@0	2537	goto err;
sl@0	2538	}
sl@0	2539
sl@0	2540	if (strlen(serial) % 2)
sl@0	2541	{
sl@0	2542	/* Set the first char to 0 */;
sl@0	2543	row[DB_serial][0]='0';
sl@0	2544
sl@0	2545	/* Copy String from serial to row[DB_serial] */
sl@0	2546	memcpy(row[DB_serial]+1, serial, strlen(serial));
sl@0	2547	row[DB_serial][strlen(serial)+1]='\0';
sl@0	2548	}
sl@0	2549	else
sl@0	2550	{
sl@0	2551	/* Copy String from serial to row[DB_serial] */
sl@0	2552	memcpy(row[DB_serial], serial, strlen(serial));
sl@0	2553	row[DB_serial][strlen(serial)]='\0';
sl@0	2554	}
sl@0	2555
sl@0	2556	/* Make it Upper Case */
sl@0	2557	for (i=0; row[DB_serial][i] != '\0'; i++)
sl@0	2558	row[DB_serial][i] = toupper(row[DB_serial][i]);
sl@0	2559
sl@0	2560
sl@0	2561	ok=1;
sl@0	2562
sl@0	2563	/* Search for the certificate */
sl@0	2564	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
sl@0	2565	if (rrow == NULL)
sl@0	2566	{
sl@0	2567	BIO_printf(bio_err,"Serial %s not present in db.\n",
sl@0	2568	row[DB_serial]);
sl@0	2569	ok=-1;
sl@0	2570	goto err;
sl@0	2571	}
sl@0	2572	else if (rrow[DB_type][0]=='V')
sl@0	2573	{
sl@0	2574	BIO_printf(bio_err,"%s=Valid (%c)\n",
sl@0	2575	row[DB_serial], rrow[DB_type][0]);
sl@0	2576	goto err;
sl@0	2577	}
sl@0	2578	else if (rrow[DB_type][0]=='R')
sl@0	2579	{
sl@0	2580	BIO_printf(bio_err,"%s=Revoked (%c)\n",
sl@0	2581	row[DB_serial], rrow[DB_type][0]);
sl@0	2582	goto err;
sl@0	2583	}
sl@0	2584	else if (rrow[DB_type][0]=='E')
sl@0	2585	{
sl@0	2586	BIO_printf(bio_err,"%s=Expired (%c)\n",
sl@0	2587	row[DB_serial], rrow[DB_type][0]);
sl@0	2588	goto err;
sl@0	2589	}
sl@0	2590	else if (rrow[DB_type][0]=='S')
sl@0	2591	{
sl@0	2592	BIO_printf(bio_err,"%s=Suspended (%c)\n",
sl@0	2593	row[DB_serial], rrow[DB_type][0]);
sl@0	2594	goto err;
sl@0	2595	}
sl@0	2596	else
sl@0	2597	{
sl@0	2598	BIO_printf(bio_err,"%s=Unknown (%c).\n",
sl@0	2599	row[DB_serial], rrow[DB_type][0]);
sl@0	2600	ok=-1;
sl@0	2601	}
sl@0	2602	err:
sl@0	2603	for (i=0; i<DB_NUMBER; i++)
sl@0	2604	{
sl@0	2605	if (row[i] != NULL)
sl@0	2606	OPENSSL_free(row[i]);
sl@0	2607	}
sl@0	2608	return(ok);
sl@0	2609	}
sl@0	2610
sl@0	2611	static int do_updatedb (CA_DB *db)
sl@0	2612	{
sl@0	2613	ASN1_UTCTIME *a_tm = NULL;
sl@0	2614	int i, cnt = 0;
sl@0	2615	int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
sl@0	2616	char *rrow, a_tm_s;
sl@0	2617
sl@0	2618	a_tm = ASN1_UTCTIME_new();
sl@0	2619
sl@0	2620	/* get actual time and make a string */
sl@0	2621	a_tm = X509_gmtime_adj(a_tm, 0);
sl@0	2622	a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
sl@0	2623	if (a_tm_s == NULL)
sl@0	2624	{
sl@0	2625	cnt = -1;
sl@0	2626	goto err;
sl@0	2627	}
sl@0	2628
sl@0	2629	memcpy(a_tm_s, a_tm->data, a_tm->length);
sl@0	2630	a_tm_s[a_tm->length] = '\0';
sl@0	2631
sl@0	2632	if (strncmp(a_tm_s, "49", 2) <= 0)
sl@0	2633	a_y2k = 1;
sl@0	2634	else
sl@0	2635	a_y2k = 0;
sl@0	2636
sl@0	2637	for (i = 0; i < sk_num(db->db->data); i++)
sl@0	2638	{
sl@0	2639	rrow = (char **) sk_value(db->db->data, i);
sl@0	2640
sl@0	2641	if (rrow[DB_type][0] == 'V')
sl@0	2642	{
sl@0	2643	/* ignore entries that are not valid */
sl@0	2644	if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
sl@0	2645	db_y2k = 1;
sl@0	2646	else
sl@0	2647	db_y2k = 0;
sl@0	2648
sl@0	2649	if (db_y2k == a_y2k)
sl@0	2650	{
sl@0	2651	/* all on the same y2k side */
sl@0	2652	if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
sl@0	2653	{
sl@0	2654	rrow[DB_type][0] = 'E';
sl@0	2655	rrow[DB_type][1] = '\0';
sl@0	2656	cnt++;
sl@0	2657
sl@0	2658	BIO_printf(bio_err, "%s=Expired\n",
sl@0	2659	rrow[DB_serial]);
sl@0	2660	}
sl@0	2661	}
sl@0	2662	else if (db_y2k < a_y2k)
sl@0	2663	{
sl@0	2664	rrow[DB_type][0] = 'E';
sl@0	2665	rrow[DB_type][1] = '\0';
sl@0	2666	cnt++;
sl@0	2667
sl@0	2668	BIO_printf(bio_err, "%s=Expired\n",
sl@0	2669	rrow[DB_serial]);
sl@0	2670	}
sl@0	2671
sl@0	2672	}
sl@0	2673	}
sl@0	2674
sl@0	2675	err:
sl@0	2676
sl@0	2677	ASN1_UTCTIME_free(a_tm);
sl@0	2678	OPENSSL_free(a_tm_s);
sl@0	2679
sl@0	2680	return (cnt);
sl@0	2681	}
sl@0	2682
sl@0	2683	static const char *crl_reasons[] = {
sl@0	2684	/* CRL reason strings */
sl@0	2685	"unspecified",
sl@0	2686	"keyCompromise",
sl@0	2687	"CACompromise",
sl@0	2688	"affiliationChanged",
sl@0	2689	"superseded",
sl@0	2690	"cessationOfOperation",
sl@0	2691	"certificateHold",
sl@0	2692	"removeFromCRL",
sl@0	2693	/* Additional pseudo reasons */
sl@0	2694	"holdInstruction",
sl@0	2695	"keyTime",
sl@0	2696	"CAkeyTime"
sl@0	2697	};
sl@0	2698
sl@0	2699	#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
sl@0	2700
sl@0	2701	/* Given revocation information convert to a DB string.
sl@0	2702	* The format of the string is:
sl@0	2703	* revtime[,reason,extra]. Where 'revtime' is the
sl@0	2704	* revocation time (the current time). 'reason' is the
sl@0	2705	* optional CRL reason and 'extra' is any additional
sl@0	2706	* argument
sl@0	2707	*/
sl@0	2708
sl@0	2709	char make_revocation_str(int rev_type, char rev_arg)
sl@0	2710	{
sl@0	2711	char other = NULL, str;
sl@0	2712	const char *reason = NULL;
sl@0	2713	ASN1_OBJECT *otmp;
sl@0	2714	ASN1_UTCTIME *revtm = NULL;
sl@0	2715	int i;
sl@0	2716	switch (rev_type)
sl@0	2717	{
sl@0	2718	case REV_NONE:
sl@0	2719	break;
sl@0	2720
sl@0	2721	case REV_CRL_REASON:
sl@0	2722	for (i = 0; i < 8; i++)
sl@0	2723	{
sl@0	2724	if (!strcasecmp(rev_arg, crl_reasons[i]))
sl@0	2725	{
sl@0	2726	reason = crl_reasons[i];
sl@0	2727	break;
sl@0	2728	}
sl@0	2729	}
sl@0	2730	if (reason == NULL)
sl@0	2731	{
sl@0	2732	BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
sl@0	2733	return NULL;
sl@0	2734	}
sl@0	2735	break;
sl@0	2736
sl@0	2737	case REV_HOLD:
sl@0	2738	/* Argument is an OID */
sl@0	2739
sl@0	2740	otmp = OBJ_txt2obj(rev_arg, 0);
sl@0	2741	ASN1_OBJECT_free(otmp);
sl@0	2742
sl@0	2743	if (otmp == NULL)
sl@0	2744	{
sl@0	2745	BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
sl@0	2746	return NULL;
sl@0	2747	}
sl@0	2748
sl@0	2749	reason = "holdInstruction";
sl@0	2750	other = rev_arg;
sl@0	2751	break;
sl@0	2752
sl@0	2753	case REV_KEY_COMPROMISE:
sl@0	2754	case REV_CA_COMPROMISE:
sl@0	2755
sl@0	2756	/* Argument is the key compromise time */
sl@0	2757	if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
sl@0	2758	{
sl@0	2759	BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
sl@0	2760	return NULL;
sl@0	2761	}
sl@0	2762	other = rev_arg;
sl@0	2763	if (rev_type == REV_KEY_COMPROMISE)
sl@0	2764	reason = "keyTime";
sl@0	2765	else
sl@0	2766	reason = "CAkeyTime";
sl@0	2767
sl@0	2768	break;
sl@0	2769
sl@0	2770	}
sl@0	2771
sl@0	2772	revtm = X509_gmtime_adj(NULL, 0);
sl@0	2773
sl@0	2774	i = revtm->length + 1;
sl@0	2775
sl@0	2776	if (reason) i += strlen(reason) + 1;
sl@0	2777	if (other) i += strlen(other) + 1;
sl@0	2778
sl@0	2779	str = OPENSSL_malloc(i);
sl@0	2780
sl@0	2781	if (!str) return NULL;
sl@0	2782
sl@0	2783	BUF_strlcpy(str, (char *)revtm->data, i);
sl@0	2784	if (reason)
sl@0	2785	{
sl@0	2786	BUF_strlcat(str, ",", i);
sl@0	2787	BUF_strlcat(str, reason, i);
sl@0	2788	}
sl@0	2789	if (other)
sl@0	2790	{
sl@0	2791	BUF_strlcat(str, ",", i);
sl@0	2792	BUF_strlcat(str, other, i);
sl@0	2793	}
sl@0	2794	ASN1_UTCTIME_free(revtm);
sl@0	2795	return str;
sl@0	2796	}
sl@0	2797
sl@0	2798	/* Convert revocation field to X509_REVOKED entry
sl@0	2799	* return code:
sl@0	2800	* 0 error
sl@0	2801	* 1 OK
sl@0	2802	* 2 OK and some extensions added (i.e. V2 CRL)
sl@0	2803	*/
sl@0	2804
sl@0	2805
sl@0	2806	int make_revoked(X509_REVOKED rev, const char str)
sl@0	2807	{
sl@0	2808	char *tmp = NULL;
sl@0	2809	int reason_code = -1;
sl@0	2810	int i, ret = 0;
sl@0	2811	ASN1_OBJECT *hold = NULL;
sl@0	2812	ASN1_GENERALIZEDTIME *comp_time = NULL;
sl@0	2813	ASN1_ENUMERATED *rtmp = NULL;
sl@0	2814
sl@0	2815	ASN1_TIME *revDate = NULL;
sl@0	2816
sl@0	2817	i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
sl@0	2818
sl@0	2819	if (i == 0)
sl@0	2820	goto err;
sl@0	2821
sl@0	2822	if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
sl@0	2823	goto err;
sl@0	2824
sl@0	2825	if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
sl@0	2826	{
sl@0	2827	rtmp = ASN1_ENUMERATED_new();
sl@0	2828	if (!rtmp \|\| !ASN1_ENUMERATED_set(rtmp, reason_code))
sl@0	2829	goto err;
sl@0	2830	if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
sl@0	2831	goto err;
sl@0	2832	}
sl@0	2833
sl@0	2834	if (rev && comp_time)
sl@0	2835	{
sl@0	2836	if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
sl@0	2837	goto err;
sl@0	2838	}
sl@0	2839	if (rev && hold)
sl@0	2840	{
sl@0	2841	if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
sl@0	2842	goto err;
sl@0	2843	}
sl@0	2844
sl@0	2845	if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
sl@0	2846	ret = 2;
sl@0	2847	else ret = 1;
sl@0	2848
sl@0	2849	err:
sl@0	2850
sl@0	2851	if (tmp) OPENSSL_free(tmp);
sl@0	2852	ASN1_OBJECT_free(hold);
sl@0	2853	ASN1_GENERALIZEDTIME_free(comp_time);
sl@0	2854	ASN1_ENUMERATED_free(rtmp);
sl@0	2855	ASN1_TIME_free(revDate);
sl@0	2856
sl@0	2857	return ret;
sl@0	2858	}
sl@0	2859
sl@0	2860	int old_entry_print(BIO bp, ASN1_OBJECT obj, ASN1_STRING *str)
sl@0	2861	{
sl@0	2862	char buf[25],pbuf, p;
sl@0	2863	int j;
sl@0	2864	j=i2a_ASN1_OBJECT(bp,obj);
sl@0	2865	pbuf=buf;
sl@0	2866	for (j=22-j; j>0; j--)
sl@0	2867	*(pbuf++)=' ';
sl@0	2868	*(pbuf++)=':';
sl@0	2869	*(pbuf++)='\0';
sl@0	2870	BIO_puts(bp,buf);
sl@0	2871
sl@0	2872	if (str->type == V_ASN1_PRINTABLESTRING)
sl@0	2873	BIO_printf(bp,"PRINTABLE:'");
sl@0	2874	else if (str->type == V_ASN1_T61STRING)
sl@0	2875	BIO_printf(bp,"T61STRING:'");
sl@0	2876	else if (str->type == V_ASN1_IA5STRING)
sl@0	2877	BIO_printf(bp,"IA5STRING:'");
sl@0	2878	else if (str->type == V_ASN1_UNIVERSALSTRING)
sl@0	2879	BIO_printf(bp,"UNIVERSALSTRING:'");
sl@0	2880	else
sl@0	2881	BIO_printf(bp,"ASN.1 %2d:'",str->type);
sl@0	2882
sl@0	2883	p=(char *)str->data;
sl@0	2884	for (j=str->length; j>0; j--)
sl@0	2885	{
sl@0	2886	if ((p >= ' ') && (p <= '~'))
sl@0	2887	BIO_printf(bp,"%c",*p);
sl@0	2888	else if (*p & 0x80)
sl@0	2889	BIO_printf(bp,"\\0x%02X",*p);
sl@0	2890	else if ((unsigned char)*p == 0xf7)
sl@0	2891	BIO_printf(bp,"^?");
sl@0	2892	else BIO_printf(bp,"^%c",*p+'@');
sl@0	2893	p++;
sl@0	2894	}
sl@0	2895	BIO_printf(bp,"'\n");
sl@0	2896	return 1;
sl@0	2897	}
sl@0	2898
sl@0	2899	int unpack_revinfo(ASN1_TIME *prevtm, int preason, ASN1_OBJECT phold, ASN1_GENERALIZEDTIME pinvtm, const char *str)
sl@0	2900	{
sl@0	2901	char *tmp = NULL;
sl@0	2902	char rtime_str, reason_str = NULL, arg_str = NULL, p;
sl@0	2903	int reason_code = -1;
sl@0	2904	int ret = 0;
sl@0	2905	unsigned int i;
sl@0	2906	ASN1_OBJECT *hold = NULL;
sl@0	2907	ASN1_GENERALIZEDTIME *comp_time = NULL;
sl@0	2908	tmp = BUF_strdup(str);
sl@0	2909
sl@0	2910	p = strchr(tmp, ',');
sl@0	2911
sl@0	2912	rtime_str = tmp;
sl@0	2913
sl@0	2914	if (p)
sl@0	2915	{
sl@0	2916	*p = '\0';
sl@0	2917	p++;
sl@0	2918	reason_str = p;
sl@0	2919	p = strchr(p, ',');
sl@0	2920	if (p)
sl@0	2921	{
sl@0	2922	*p = '\0';
sl@0	2923	arg_str = p + 1;
sl@0	2924	}
sl@0	2925	}
sl@0	2926
sl@0	2927	if (prevtm)
sl@0	2928	{
sl@0	2929	*prevtm = ASN1_UTCTIME_new();
sl@0	2930	if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
sl@0	2931	{
sl@0	2932	BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
sl@0	2933	goto err;
sl@0	2934	}
sl@0	2935	}
sl@0	2936	if (reason_str)
sl@0	2937	{
sl@0	2938	for (i = 0; i < NUM_REASONS; i++)
sl@0	2939	{
sl@0	2940	if(!strcasecmp(reason_str, crl_reasons[i]))
sl@0	2941	{
sl@0	2942	reason_code = i;
sl@0	2943	break;
sl@0	2944	}
sl@0	2945	}
sl@0	2946	if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
sl@0	2947	{
sl@0	2948	BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
sl@0	2949	goto err;
sl@0	2950	}
sl@0	2951
sl@0	2952	if (reason_code == 7)
sl@0	2953	reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
sl@0	2954	else if (reason_code == 8) /* Hold instruction */
sl@0	2955	{
sl@0	2956	if (!arg_str)
sl@0	2957	{
sl@0	2958	BIO_printf(bio_err, "missing hold instruction\n");
sl@0	2959	goto err;
sl@0	2960	}
sl@0	2961	reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
sl@0	2962	hold = OBJ_txt2obj(arg_str, 0);
sl@0	2963
sl@0	2964	if (!hold)
sl@0	2965	{
sl@0	2966	BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
sl@0	2967	goto err;
sl@0	2968	}
sl@0	2969	if (phold) *phold = hold;
sl@0	2970	}
sl@0	2971	else if ((reason_code == 9) \|\| (reason_code == 10))
sl@0	2972	{
sl@0	2973	if (!arg_str)
sl@0	2974	{
sl@0	2975	BIO_printf(bio_err, "missing compromised time\n");
sl@0	2976	goto err;
sl@0	2977	}
sl@0	2978	comp_time = ASN1_GENERALIZEDTIME_new();
sl@0	2979	if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
sl@0	2980	{
sl@0	2981	BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
sl@0	2982	goto err;
sl@0	2983	}
sl@0	2984	if (reason_code == 9)
sl@0	2985	reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
sl@0	2986	else
sl@0	2987	reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
sl@0	2988	}
sl@0	2989	}
sl@0	2990
sl@0	2991	if (preason) *preason = reason_code;
sl@0	2992	if (pinvtm) *pinvtm = comp_time;
sl@0	2993	else ASN1_GENERALIZEDTIME_free(comp_time);
sl@0	2994
sl@0	2995	ret = 1;
sl@0	2996
sl@0	2997	err:
sl@0	2998
sl@0	2999	if (tmp) OPENSSL_free(tmp);
sl@0	3000	if (!phold) ASN1_OBJECT_free(hold);
sl@0	3001	if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
sl@0	3002
sl@0	3003	return ret;
sl@0	3004	}

author	sl
	Tue, 10 Jun 2014 14:32:02 +0200
changeset 1	260cb5ec6c19
permissions	-rw-r--r--