1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include "apps.h" 14 #include <openssl/bio.h> 15 #include <openssl/asn1.h> 16 #include <openssl/err.h> 17 #include <openssl/bn.h> 18 #include <openssl/evp.h> 19 #include <openssl/x509.h> 20 #include <openssl/x509v3.h> 21 #include <openssl/objects.h> 22 #include <openssl/pem.h> 23 #ifndef OPENSSL_NO_RSA 24 # include <openssl/rsa.h> 25 #endif 26 #ifndef OPENSSL_NO_DSA 27 # include <openssl/dsa.h> 28 #endif 29 30 #undef POSTFIX 31 #define POSTFIX ".srl" 32 #define DEF_DAYS 30 33 34 static int callb(int ok, X509_STORE_CTX *ctx); 35 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 36 const EVP_MD *digest, CONF *conf, const char *section); 37 static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, 38 X509 *x, X509 *xca, EVP_PKEY *pkey, 39 STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, 40 int create, int days, int clrext, CONF *conf, 41 const char *section, ASN1_INTEGER *sno, int reqfile); 42 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 43 44 typedef enum OPTION_choice { 45 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 46 OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, 47 OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, 48 OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, 49 OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY, 50 OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, 51 OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, 52 OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH, 53 OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES, 54 OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, 55 OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, 56 OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, 57 OPT_SUBJECT_HASH_OLD, 58 OPT_ISSUER_HASH_OLD, 59 OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT 60 } OPTION_CHOICE; 61 62 OPTIONS x509_options[] = { 63 {"help", OPT_HELP, '-', "Display this summary"}, 64 {"inform", OPT_INFORM, 'f', 65 "Input format - default PEM (one of DER, NET or PEM)"}, 66 {"in", OPT_IN, '<', "Input file - default stdin"}, 67 {"outform", OPT_OUTFORM, 'f', 68 "Output format - default PEM (one of DER, NET or PEM)"}, 69 {"out", OPT_OUT, '>', "Output file - default stdout"}, 70 {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, 71 {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, 72 {"serial", OPT_SERIAL, '-', "Print serial number value"}, 73 {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, 74 {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, 75 {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, 76 {"subject", OPT_SUBJECT, '-', "Print subject DN"}, 77 {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, 78 {"email", OPT_EMAIL, '-', "Print email address(es)"}, 79 {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, 80 {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, 81 {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, 82 {"dates", OPT_DATES, '-', "Both Before and After dates"}, 83 {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, 84 {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, 85 {"fingerprint", OPT_FINGERPRINT, '-', 86 "Print the certificate fingerprint"}, 87 {"alias", OPT_ALIAS, '-', "Output certificate alias"}, 88 {"noout", OPT_NOOUT, '-', "No output, just status"}, 89 {"nocert", OPT_NOCERT, '-', "No certificate output"}, 90 {"ocspid", OPT_OCSPID, '-', 91 "Print OCSP hash values for the subject name and public key"}, 92 {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, 93 {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, 94 {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, 95 {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, 96 {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, 97 {"addreject", OPT_ADDREJECT, 's', 98 "Reject certificate for a given purpose"}, 99 {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, 100 {"days", OPT_DAYS, 'n', 101 "How long till expiry of a signed certificate - def 30 days"}, 102 {"checkend", OPT_CHECKEND, 'M', 103 "Check whether the cert expires in the next arg seconds"}, 104 {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, 105 {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"}, 106 {"x509toreq", OPT_X509TOREQ, '-', 107 "Output a certification request object"}, 108 {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, 109 {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, 110 {"CAkey", OPT_CAKEY, 's', 111 "The CA key, must be PEM format; if not in CAfile"}, 112 {"CAcreateserial", OPT_CACREATESERIAL, '-', 113 "Create serial number file if it does not exist"}, 114 {"CAserial", OPT_CASERIAL, 's', "Serial file"}, 115 {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, 116 {"text", OPT_TEXT, '-', "Print the certificate in text form"}, 117 {"C", OPT_C, '-', "Print out C code forms"}, 118 {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, 119 {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, 120 {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, 121 {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, 122 {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, 123 {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, 124 {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, 125 {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, 126 {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"}, 127 {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, 128 {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"}, 129 {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, 130 {"clrreject", OPT_CLRREJECT, '-', 131 "Clears all the prohibited or rejected uses of the certificate"}, 132 {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, 133 {"", OPT_MD, '-', "Any supported digest"}, 134 #ifndef OPENSSL_NO_MD5 135 {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', 136 "Print old-style (MD5) issuer hash value"}, 137 {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', 138 "Print old-style (MD5) subject hash value"}, 139 #endif 140 #ifndef OPENSSL_NO_ENGINE 141 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 142 #endif 143 {NULL} 144 }; 145 146 int x509_main(int argc, char **argv) 147 { 148 ASN1_INTEGER *sno = NULL; 149 ASN1_OBJECT *objtmp = NULL; 150 BIO *out = NULL; 151 CONF *extconf = NULL; 152 EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; 153 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; 154 STACK_OF(OPENSSL_STRING) *sigopts = NULL; 155 X509 *x = NULL, *xca = NULL; 156 X509_REQ *req = NULL, *rq = NULL; 157 X509_STORE *ctx = NULL; 158 const EVP_MD *digest = NULL; 159 char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; 160 char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; 161 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; 162 char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; 163 char buf[256], *prog; 164 int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; 165 int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; 166 int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0; 167 int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; 168 int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; 169 int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; 170 int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; 171 int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; 172 int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0; 173 int enddate = 0; 174 time_t checkoffset = 0; 175 unsigned long nmflag = 0, certflag = 0; 176 char nmflag_set = 0; 177 OPTION_CHOICE o; 178 ENGINE *e = NULL; 179 #ifndef OPENSSL_NO_MD5 180 int subject_hash_old = 0, issuer_hash_old = 0; 181 #endif 182 183 ctx = X509_STORE_new(); 184 if (ctx == NULL) 185 goto end; 186 X509_STORE_set_verify_cb(ctx, callb); 187 188 prog = opt_init(argc, argv, x509_options); 189 while ((o = opt_next()) != OPT_EOF) { 190 switch (o) { 191 case OPT_EOF: 192 case OPT_ERR: 193 opthelp: 194 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 195 goto end; 196 case OPT_HELP: 197 opt_help(x509_options); 198 ret = 0; 199 goto end; 200 case OPT_INFORM: 201 if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) 202 goto opthelp; 203 break; 204 case OPT_IN: 205 infile = opt_arg(); 206 break; 207 case OPT_OUTFORM: 208 if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) 209 goto opthelp; 210 break; 211 case OPT_KEYFORM: 212 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) 213 goto opthelp; 214 break; 215 case OPT_CAFORM: 216 if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat)) 217 goto opthelp; 218 break; 219 case OPT_CAKEYFORM: 220 if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat)) 221 goto opthelp; 222 break; 223 case OPT_OUT: 224 outfile = opt_arg(); 225 break; 226 case OPT_REQ: 227 reqfile = need_rand = 1; 228 break; 229 230 case OPT_SIGOPT: 231 if (!sigopts) 232 sigopts = sk_OPENSSL_STRING_new_null(); 233 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) 234 goto opthelp; 235 break; 236 case OPT_DAYS: 237 days = atoi(opt_arg()); 238 break; 239 case OPT_PASSIN: 240 passinarg = opt_arg(); 241 break; 242 case OPT_EXTFILE: 243 extfile = opt_arg(); 244 break; 245 case OPT_EXTENSIONS: 246 extsect = opt_arg(); 247 break; 248 case OPT_SIGNKEY: 249 keyfile = opt_arg(); 250 sign_flag = ++num; 251 need_rand = 1; 252 break; 253 case OPT_CA: 254 CAfile = opt_arg(); 255 CA_flag = ++num; 256 need_rand = 1; 257 break; 258 case OPT_CAKEY: 259 CAkeyfile = opt_arg(); 260 break; 261 case OPT_CASERIAL: 262 CAserial = opt_arg(); 263 break; 264 case OPT_SET_SERIAL: 265 if (sno != NULL) { 266 BIO_printf(bio_err, "Serial number supplied twice\n"); 267 goto opthelp; 268 } 269 if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) 270 goto opthelp; 271 break; 272 case OPT_FORCE_PUBKEY: 273 fkeyfile = opt_arg(); 274 break; 275 case OPT_ADDTRUST: 276 if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { 277 BIO_printf(bio_err, 278 "%s: Invalid trust object value %s\n", 279 prog, opt_arg()); 280 goto opthelp; 281 } 282 if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) 283 goto end; 284 sk_ASN1_OBJECT_push(trust, objtmp); 285 objtmp = NULL; 286 trustout = 1; 287 break; 288 case OPT_ADDREJECT: 289 if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { 290 BIO_printf(bio_err, 291 "%s: Invalid reject object value %s\n", 292 prog, opt_arg()); 293 goto opthelp; 294 } 295 if (reject == NULL 296 && (reject = sk_ASN1_OBJECT_new_null()) == NULL) 297 goto end; 298 sk_ASN1_OBJECT_push(reject, objtmp); 299 objtmp = NULL; 300 trustout = 1; 301 break; 302 case OPT_SETALIAS: 303 alias = opt_arg(); 304 trustout = 1; 305 break; 306 case OPT_CERTOPT: 307 if (!set_cert_ex(&certflag, opt_arg())) 308 goto opthelp; 309 break; 310 case OPT_NAMEOPT: 311 nmflag_set = 1; 312 if (!set_name_ex(&nmflag, opt_arg())) 313 goto opthelp; 314 break; 315 case OPT_ENGINE: 316 e = setup_engine(opt_arg(), 0); 317 break; 318 case OPT_C: 319 C = ++num; 320 break; 321 case OPT_EMAIL: 322 email = ++num; 323 break; 324 case OPT_OCSP_URI: 325 ocsp_uri = ++num; 326 break; 327 case OPT_SERIAL: 328 serial = ++num; 329 break; 330 case OPT_NEXT_SERIAL: 331 next_serial = ++num; 332 break; 333 case OPT_MODULUS: 334 modulus = ++num; 335 break; 336 case OPT_PUBKEY: 337 pubkey = ++num; 338 break; 339 case OPT_X509TOREQ: 340 x509req = ++num; 341 break; 342 case OPT_TEXT: 343 text = ++num; 344 break; 345 case OPT_SUBJECT: 346 subject = ++num; 347 break; 348 case OPT_ISSUER: 349 issuer = ++num; 350 break; 351 case OPT_FINGERPRINT: 352 fingerprint = ++num; 353 break; 354 case OPT_HASH: 355 subject_hash = ++num; 356 break; 357 case OPT_ISSUER_HASH: 358 issuer_hash = ++num; 359 break; 360 case OPT_PURPOSE: 361 pprint = ++num; 362 break; 363 case OPT_STARTDATE: 364 startdate = ++num; 365 break; 366 case OPT_ENDDATE: 367 enddate = ++num; 368 break; 369 case OPT_NOOUT: 370 noout = ++num; 371 break; 372 case OPT_NOCERT: 373 nocert = 1; 374 break; 375 case OPT_TRUSTOUT: 376 trustout = 1; 377 break; 378 case OPT_CLRTRUST: 379 clrtrust = ++num; 380 break; 381 case OPT_CLRREJECT: 382 clrreject = ++num; 383 break; 384 case OPT_ALIAS: 385 aliasout = ++num; 386 break; 387 case OPT_CACREATESERIAL: 388 CA_createserial = ++num; 389 break; 390 case OPT_CLREXT: 391 clrext = 1; 392 break; 393 case OPT_OCSPID: 394 ocspid = ++num; 395 break; 396 case OPT_BADSIG: 397 badsig = 1; 398 break; 399 #ifndef OPENSSL_NO_MD5 400 case OPT_SUBJECT_HASH_OLD: 401 subject_hash_old = ++num; 402 break; 403 case OPT_ISSUER_HASH_OLD: 404 issuer_hash_old = ++num; 405 break; 406 #else 407 case OPT_SUBJECT_HASH_OLD: 408 case OPT_ISSUER_HASH_OLD: 409 break; 410 #endif 411 case OPT_DATES: 412 startdate = ++num; 413 enddate = ++num; 414 break; 415 case OPT_CHECKEND: 416 checkend = 1; 417 { 418 intmax_t temp = 0; 419 if (!opt_imax(opt_arg(), &temp)) 420 goto opthelp; 421 checkoffset = (time_t)temp; 422 if ((intmax_t)checkoffset != temp) { 423 BIO_printf(bio_err, "%s: checkend time out of range %s\n", 424 prog, opt_arg()); 425 goto opthelp; 426 } 427 } 428 break; 429 case OPT_CHECKHOST: 430 checkhost = opt_arg(); 431 break; 432 case OPT_CHECKEMAIL: 433 checkemail = opt_arg(); 434 break; 435 case OPT_CHECKIP: 436 checkip = opt_arg(); 437 break; 438 case OPT_MD: 439 if (!opt_md(opt_unknown(), &digest)) 440 goto opthelp; 441 } 442 } 443 argc = opt_num_rest(); 444 argv = opt_rest(); 445 if (argc != 0) { 446 BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]); 447 goto opthelp; 448 } 449 450 if (!nmflag_set) 451 nmflag = XN_FLAG_ONELINE; 452 453 if (need_rand) 454 app_RAND_load_file(NULL, 0); 455 456 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 457 BIO_printf(bio_err, "Error getting password\n"); 458 goto end; 459 } 460 461 if (!X509_STORE_set_default_paths(ctx)) { 462 ERR_print_errors(bio_err); 463 goto end; 464 } 465 466 if (fkeyfile) { 467 fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key"); 468 if (fkey == NULL) 469 goto end; 470 } 471 472 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { 473 CAkeyfile = CAfile; 474 } else if ((CA_flag) && (CAkeyfile == NULL)) { 475 BIO_printf(bio_err, 476 "need to specify a CAkey if using the CA command\n"); 477 goto end; 478 } 479 480 if (extfile) { 481 X509V3_CTX ctx2; 482 if ((extconf = app_load_config(extfile)) == NULL) 483 goto end; 484 if (!extsect) { 485 extsect = NCONF_get_string(extconf, "default", "extensions"); 486 if (!extsect) { 487 ERR_clear_error(); 488 extsect = "default"; 489 } 490 } 491 X509V3_set_ctx_test(&ctx2); 492 X509V3_set_nconf(&ctx2, extconf); 493 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { 494 BIO_printf(bio_err, 495 "Error Loading extension section %s\n", extsect); 496 ERR_print_errors(bio_err); 497 goto end; 498 } 499 } 500 501 if (reqfile) { 502 EVP_PKEY *pkey; 503 BIO *in; 504 505 if (!sign_flag && !CA_flag) { 506 BIO_printf(bio_err, "We need a private key to sign with\n"); 507 goto end; 508 } 509 in = bio_open_default(infile, 'r', informat); 510 if (in == NULL) 511 goto end; 512 req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); 513 BIO_free(in); 514 515 if (req == NULL) { 516 ERR_print_errors(bio_err); 517 goto end; 518 } 519 520 if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { 521 BIO_printf(bio_err, "error unpacking public key\n"); 522 goto end; 523 } 524 i = X509_REQ_verify(req, pkey); 525 if (i < 0) { 526 BIO_printf(bio_err, "Signature verification error\n"); 527 ERR_print_errors(bio_err); 528 goto end; 529 } 530 if (i == 0) { 531 BIO_printf(bio_err, 532 "Signature did not match the certificate request\n"); 533 goto end; 534 } else 535 BIO_printf(bio_err, "Signature ok\n"); 536 537 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), 538 nmflag); 539 540 if ((x = X509_new()) == NULL) 541 goto end; 542 543 if (sno == NULL) { 544 sno = ASN1_INTEGER_new(); 545 if (sno == NULL || !rand_serial(NULL, sno)) 546 goto end; 547 if (!X509_set_serialNumber(x, sno)) 548 goto end; 549 ASN1_INTEGER_free(sno); 550 sno = NULL; 551 } else if (!X509_set_serialNumber(x, sno)) 552 goto end; 553 554 if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) 555 goto end; 556 if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) 557 goto end; 558 if (!set_cert_times(x, NULL, NULL, days)) 559 goto end; 560 561 if (fkey) 562 X509_set_pubkey(x, fkey); 563 else { 564 pkey = X509_REQ_get0_pubkey(req); 565 X509_set_pubkey(x, pkey); 566 } 567 } else 568 x = load_cert(infile, informat, "Certificate"); 569 570 if (x == NULL) 571 goto end; 572 if (CA_flag) { 573 xca = load_cert(CAfile, CAformat, "CA Certificate"); 574 if (xca == NULL) 575 goto end; 576 } 577 578 out = bio_open_default(outfile, 'w', outformat); 579 if (out == NULL) 580 goto end; 581 582 if (!noout || text || next_serial) 583 OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); 584 585 if (alias) 586 X509_alias_set1(x, (unsigned char *)alias, -1); 587 588 if (clrtrust) 589 X509_trust_clear(x); 590 if (clrreject) 591 X509_reject_clear(x); 592 593 if (trust) { 594 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { 595 objtmp = sk_ASN1_OBJECT_value(trust, i); 596 X509_add1_trust_object(x, objtmp); 597 } 598 objtmp = NULL; 599 } 600 601 if (reject) { 602 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { 603 objtmp = sk_ASN1_OBJECT_value(reject, i); 604 X509_add1_reject_object(x, objtmp); 605 } 606 objtmp = NULL; 607 } 608 609 if (badsig) { 610 const ASN1_BIT_STRING *signature; 611 612 X509_get0_signature(&signature, NULL, x); 613 corrupt_signature(signature); 614 } 615 616 if (num) { 617 for (i = 1; i <= num; i++) { 618 if (issuer == i) { 619 print_name(out, "issuer=", X509_get_issuer_name(x), nmflag); 620 } else if (subject == i) { 621 print_name(out, "subject=", 622 X509_get_subject_name(x), nmflag); 623 } else if (serial == i) { 624 BIO_printf(out, "serial="); 625 i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); 626 BIO_printf(out, "\n"); 627 } else if (next_serial == i) { 628 ASN1_INTEGER *ser = X509_get_serialNumber(x); 629 BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); 630 631 if (!bnser) 632 goto end; 633 if (!BN_add_word(bnser, 1)) 634 goto end; 635 ser = BN_to_ASN1_INTEGER(bnser, NULL); 636 if (!ser) 637 goto end; 638 BN_free(bnser); 639 i2a_ASN1_INTEGER(out, ser); 640 ASN1_INTEGER_free(ser); 641 BIO_puts(out, "\n"); 642 } else if ((email == i) || (ocsp_uri == i)) { 643 int j; 644 STACK_OF(OPENSSL_STRING) *emlst; 645 if (email == i) 646 emlst = X509_get1_email(x); 647 else 648 emlst = X509_get1_ocsp(x); 649 for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) 650 BIO_printf(out, "%s\n", 651 sk_OPENSSL_STRING_value(emlst, j)); 652 X509_email_free(emlst); 653 } else if (aliasout == i) { 654 unsigned char *alstr; 655 alstr = X509_alias_get0(x, NULL); 656 if (alstr) 657 BIO_printf(out, "%s\n", alstr); 658 else 659 BIO_puts(out, "<No Alias>\n"); 660 } else if (subject_hash == i) { 661 BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); 662 } 663 #ifndef OPENSSL_NO_MD5 664 else if (subject_hash_old == i) { 665 BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); 666 } 667 #endif 668 else if (issuer_hash == i) { 669 BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); 670 } 671 #ifndef OPENSSL_NO_MD5 672 else if (issuer_hash_old == i) { 673 BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); 674 } 675 #endif 676 else if (pprint == i) { 677 X509_PURPOSE *ptmp; 678 int j; 679 BIO_printf(out, "Certificate purposes:\n"); 680 for (j = 0; j < X509_PURPOSE_get_count(); j++) { 681 ptmp = X509_PURPOSE_get0(j); 682 purpose_print(out, x, ptmp); 683 } 684 } else if (modulus == i) { 685 EVP_PKEY *pkey; 686 687 pkey = X509_get0_pubkey(x); 688 if (pkey == NULL) { 689 BIO_printf(bio_err, "Modulus=unavailable\n"); 690 ERR_print_errors(bio_err); 691 goto end; 692 } 693 BIO_printf(out, "Modulus="); 694 #ifndef OPENSSL_NO_RSA 695 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { 696 const BIGNUM *n; 697 RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL); 698 BN_print(out, n); 699 } else 700 #endif 701 #ifndef OPENSSL_NO_DSA 702 if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { 703 const BIGNUM *dsapub = NULL; 704 DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); 705 BN_print(out, dsapub); 706 } else 707 #endif 708 { 709 BIO_printf(out, "Wrong Algorithm type"); 710 } 711 BIO_printf(out, "\n"); 712 } else if (pubkey == i) { 713 EVP_PKEY *pkey; 714 715 pkey = X509_get0_pubkey(x); 716 if (pkey == NULL) { 717 BIO_printf(bio_err, "Error getting public key\n"); 718 ERR_print_errors(bio_err); 719 goto end; 720 } 721 PEM_write_bio_PUBKEY(out, pkey); 722 } else if (C == i) { 723 unsigned char *d; 724 char *m; 725 int len; 726 727 X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); 728 BIO_printf(out, "/*\n" 729 " * Subject: %s\n", buf); 730 731 X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof(buf)); 732 BIO_printf(out, " * Issuer: %s\n" 733 " */\n", buf); 734 735 len = i2d_X509(x, NULL); 736 m = app_malloc(len, "x509 name buffer"); 737 d = (unsigned char *)m; 738 len = i2d_X509_NAME(X509_get_subject_name(x), &d); 739 print_array(out, "the_subject_name", len, (unsigned char *)m); 740 d = (unsigned char *)m; 741 len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); 742 print_array(out, "the_public_key", len, (unsigned char *)m); 743 d = (unsigned char *)m; 744 len = i2d_X509(x, &d); 745 print_array(out, "the_certificate", len, (unsigned char *)m); 746 OPENSSL_free(m); 747 } else if (text == i) { 748 X509_print_ex(out, x, nmflag, certflag); 749 } else if (startdate == i) { 750 BIO_puts(out, "notBefore="); 751 ASN1_TIME_print(out, X509_get0_notBefore(x)); 752 BIO_puts(out, "\n"); 753 } else if (enddate == i) { 754 BIO_puts(out, "notAfter="); 755 ASN1_TIME_print(out, X509_get0_notAfter(x)); 756 BIO_puts(out, "\n"); 757 } else if (fingerprint == i) { 758 int j; 759 unsigned int n; 760 unsigned char md[EVP_MAX_MD_SIZE]; 761 const EVP_MD *fdig = digest; 762 763 if (!fdig) 764 fdig = EVP_sha1(); 765 766 if (!X509_digest(x, fdig, md, &n)) { 767 BIO_printf(bio_err, "out of memory\n"); 768 goto end; 769 } 770 BIO_printf(out, "%s Fingerprint=", 771 OBJ_nid2sn(EVP_MD_type(fdig))); 772 for (j = 0; j < (int)n; j++) { 773 BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) 774 ? '\n' : ':'); 775 } 776 } 777 778 /* should be in the library */ 779 else if ((sign_flag == i) && (x509req == 0)) { 780 BIO_printf(bio_err, "Getting Private key\n"); 781 if (Upkey == NULL) { 782 Upkey = load_key(keyfile, keyformat, 0, 783 passin, e, "Private key"); 784 if (Upkey == NULL) 785 goto end; 786 } 787 788 assert(need_rand); 789 if (!sign(x, Upkey, days, clrext, digest, extconf, extsect)) 790 goto end; 791 } else if (CA_flag == i) { 792 BIO_printf(bio_err, "Getting CA Private Key\n"); 793 if (CAkeyfile != NULL) { 794 CApkey = load_key(CAkeyfile, CAkeyformat, 795 0, passin, e, "CA Private Key"); 796 if (CApkey == NULL) 797 goto end; 798 } 799 800 assert(need_rand); 801 if (!x509_certify(ctx, CAfile, digest, x, xca, 802 CApkey, sigopts, 803 CAserial, CA_createserial, days, clrext, 804 extconf, extsect, sno, reqfile)) 805 goto end; 806 } else if (x509req == i) { 807 EVP_PKEY *pk; 808 809 BIO_printf(bio_err, "Getting request Private Key\n"); 810 if (keyfile == NULL) { 811 BIO_printf(bio_err, "no request key file specified\n"); 812 goto end; 813 } else { 814 pk = load_key(keyfile, keyformat, 0, 815 passin, e, "request key"); 816 if (pk == NULL) 817 goto end; 818 } 819 820 BIO_printf(bio_err, "Generating certificate request\n"); 821 822 rq = X509_to_X509_REQ(x, pk, digest); 823 EVP_PKEY_free(pk); 824 if (rq == NULL) { 825 ERR_print_errors(bio_err); 826 goto end; 827 } 828 if (!noout) { 829 X509_REQ_print(out, rq); 830 PEM_write_bio_X509_REQ(out, rq); 831 } 832 noout = 1; 833 } else if (ocspid == i) { 834 X509_ocspid_print(out, x); 835 } 836 } 837 } 838 839 if (checkend) { 840 time_t tcheck = time(NULL) + checkoffset; 841 842 if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { 843 BIO_printf(out, "Certificate will expire\n"); 844 ret = 1; 845 } else { 846 BIO_printf(out, "Certificate will not expire\n"); 847 ret = 0; 848 } 849 goto end; 850 } 851 852 print_cert_checks(out, x, checkhost, checkemail, checkip); 853 854 if (noout || nocert) { 855 ret = 0; 856 goto end; 857 } 858 859 if (outformat == FORMAT_ASN1) 860 i = i2d_X509_bio(out, x); 861 else if (outformat == FORMAT_PEM) { 862 if (trustout) 863 i = PEM_write_bio_X509_AUX(out, x); 864 else 865 i = PEM_write_bio_X509(out, x); 866 } else { 867 BIO_printf(bio_err, "bad output format specified for outfile\n"); 868 goto end; 869 } 870 if (!i) { 871 BIO_printf(bio_err, "unable to write certificate\n"); 872 ERR_print_errors(bio_err); 873 goto end; 874 } 875 ret = 0; 876 end: 877 if (need_rand) 878 app_RAND_write_file(NULL); 879 NCONF_free(extconf); 880 BIO_free_all(out); 881 X509_STORE_free(ctx); 882 X509_REQ_free(req); 883 X509_free(x); 884 X509_free(xca); 885 EVP_PKEY_free(Upkey); 886 EVP_PKEY_free(CApkey); 887 EVP_PKEY_free(fkey); 888 sk_OPENSSL_STRING_free(sigopts); 889 X509_REQ_free(rq); 890 ASN1_INTEGER_free(sno); 891 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 892 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 893 ASN1_OBJECT_free(objtmp); 894 release_engine(e); 895 OPENSSL_free(passin); 896 return (ret); 897 } 898 899 static ASN1_INTEGER *x509_load_serial(const char *CAfile, const char *serialfile, 900 int create) 901 { 902 char *buf = NULL, *p; 903 ASN1_INTEGER *bs = NULL; 904 BIGNUM *serial = NULL; 905 size_t len; 906 907 len = ((serialfile == NULL) 908 ? (strlen(CAfile) + strlen(POSTFIX) + 1) 909 : (strlen(serialfile))) + 1; 910 buf = app_malloc(len, "serial# buffer"); 911 if (serialfile == NULL) { 912 OPENSSL_strlcpy(buf, CAfile, len); 913 for (p = buf; *p; p++) 914 if (*p == '.') { 915 *p = '\0'; 916 break; 917 } 918 OPENSSL_strlcat(buf, POSTFIX, len); 919 } else 920 OPENSSL_strlcpy(buf, serialfile, len); 921 922 serial = load_serial(buf, create, NULL); 923 if (serial == NULL) 924 goto end; 925 926 if (!BN_add_word(serial, 1)) { 927 BIO_printf(bio_err, "add_word failure\n"); 928 goto end; 929 } 930 931 if (!save_serial(buf, NULL, serial, &bs)) 932 goto end; 933 934 end: 935 OPENSSL_free(buf); 936 BN_free(serial); 937 return bs; 938 } 939 940 static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, 941 X509 *x, X509 *xca, EVP_PKEY *pkey, 942 STACK_OF(OPENSSL_STRING) *sigopts, 943 const char *serialfile, int create, 944 int days, int clrext, CONF *conf, const char *section, 945 ASN1_INTEGER *sno, int reqfile) 946 { 947 int ret = 0; 948 ASN1_INTEGER *bs = NULL; 949 X509_STORE_CTX *xsc = NULL; 950 EVP_PKEY *upkey; 951 952 upkey = X509_get0_pubkey(xca); 953 if (upkey == NULL) { 954 BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); 955 goto end; 956 } 957 EVP_PKEY_copy_parameters(upkey, pkey); 958 959 xsc = X509_STORE_CTX_new(); 960 if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { 961 BIO_printf(bio_err, "Error initialising X509 store\n"); 962 goto end; 963 } 964 if (sno) 965 bs = sno; 966 else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) 967 goto end; 968 969 /* 970 * NOTE: this certificate can/should be self signed, unless it was a 971 * certificate request in which case it is not. 972 */ 973 X509_STORE_CTX_set_cert(xsc, x); 974 X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); 975 if (!reqfile && X509_verify_cert(xsc) <= 0) 976 goto end; 977 978 if (!X509_check_private_key(xca, pkey)) { 979 BIO_printf(bio_err, 980 "CA certificate and CA private key do not match\n"); 981 goto end; 982 } 983 984 if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) 985 goto end; 986 if (!X509_set_serialNumber(x, bs)) 987 goto end; 988 989 if (!set_cert_times(x, NULL, NULL, days)) 990 goto end; 991 992 if (clrext) { 993 while (X509_get_ext_count(x) > 0) 994 X509_delete_ext(x, 0); 995 } 996 997 if (conf) { 998 X509V3_CTX ctx2; 999 X509_set_version(x, 2); /* version 3 certificate */ 1000 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); 1001 X509V3_set_nconf(&ctx2, conf); 1002 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) 1003 goto end; 1004 } 1005 1006 if (!do_X509_sign(x, pkey, digest, sigopts)) 1007 goto end; 1008 ret = 1; 1009 end: 1010 X509_STORE_CTX_free(xsc); 1011 if (!ret) 1012 ERR_print_errors(bio_err); 1013 if (!sno) 1014 ASN1_INTEGER_free(bs); 1015 return ret; 1016 } 1017 1018 static int callb(int ok, X509_STORE_CTX *ctx) 1019 { 1020 int err; 1021 X509 *err_cert; 1022 1023 /* 1024 * it is ok to use a self signed certificate This case will catch both 1025 * the initial ok == 0 and the final ok == 1 calls to this function 1026 */ 1027 err = X509_STORE_CTX_get_error(ctx); 1028 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) 1029 return 1; 1030 1031 /* 1032 * BAD we should have gotten an error. Normally if everything worked 1033 * X509_STORE_CTX_get_error(ctx) will still be set to 1034 * DEPTH_ZERO_SELF_.... 1035 */ 1036 if (ok) { 1037 BIO_printf(bio_err, 1038 "error with certificate to be certified - should be self signed\n"); 1039 return 0; 1040 } else { 1041 err_cert = X509_STORE_CTX_get_current_cert(ctx); 1042 print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); 1043 BIO_printf(bio_err, 1044 "error with certificate - error %d at depth %d\n%s\n", err, 1045 X509_STORE_CTX_get_error_depth(ctx), 1046 X509_verify_cert_error_string(err)); 1047 return 1; 1048 } 1049 } 1050 1051 /* self sign */ 1052 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, 1053 const EVP_MD *digest, CONF *conf, const char *section) 1054 { 1055 1056 if (!X509_set_issuer_name(x, X509_get_subject_name(x))) 1057 goto err; 1058 if (!set_cert_times(x, NULL, NULL, days)) 1059 goto err; 1060 if (!X509_set_pubkey(x, pkey)) 1061 goto err; 1062 if (clrext) { 1063 while (X509_get_ext_count(x) > 0) 1064 X509_delete_ext(x, 0); 1065 } 1066 if (conf) { 1067 X509V3_CTX ctx; 1068 X509_set_version(x, 2); /* version 3 certificate */ 1069 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); 1070 X509V3_set_nconf(&ctx, conf); 1071 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) 1072 goto err; 1073 } 1074 if (!X509_sign(x, pkey, digest)) 1075 goto err; 1076 return 1; 1077 err: 1078 ERR_print_errors(bio_err); 1079 return 0; 1080 } 1081 1082 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) 1083 { 1084 int id, i, idret; 1085 const char *pname; 1086 id = X509_PURPOSE_get_id(pt); 1087 pname = X509_PURPOSE_get0_name(pt); 1088 for (i = 0; i < 2; i++) { 1089 idret = X509_check_purpose(cert, id, i); 1090 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 1091 if (idret == 1) 1092 BIO_printf(bio, "Yes\n"); 1093 else if (idret == 0) 1094 BIO_printf(bio, "No\n"); 1095 else 1096 BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); 1097 } 1098 return 1; 1099 } 1100