10Sstevel@tonic-gate /* apps/ca.c */ 20Sstevel@tonic-gate /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 30Sstevel@tonic-gate * All rights reserved. 40Sstevel@tonic-gate * 50Sstevel@tonic-gate * This package is an SSL implementation written 60Sstevel@tonic-gate * by Eric Young (eay@cryptsoft.com). 70Sstevel@tonic-gate * The implementation was written so as to conform with Netscapes SSL. 80Sstevel@tonic-gate * 90Sstevel@tonic-gate * This library is free for commercial and non-commercial use as long as 100Sstevel@tonic-gate * the following conditions are aheared to. The following conditions 110Sstevel@tonic-gate * apply to all code found in this distribution, be it the RC4, RSA, 120Sstevel@tonic-gate * lhash, DES, etc., code; not just the SSL code. The SSL documentation 130Sstevel@tonic-gate * included with this distribution is covered by the same copyright terms 140Sstevel@tonic-gate * except that the holder is Tim Hudson (tjh@cryptsoft.com). 150Sstevel@tonic-gate * 160Sstevel@tonic-gate * Copyright remains Eric Young's, and as such any Copyright notices in 170Sstevel@tonic-gate * the code are not to be removed. 180Sstevel@tonic-gate * If this package is used in a product, Eric Young should be given attribution 190Sstevel@tonic-gate * as the author of the parts of the library used. 200Sstevel@tonic-gate * This can be in the form of a textual message at program startup or 210Sstevel@tonic-gate * in documentation (online or textual) provided with the package. 220Sstevel@tonic-gate * 230Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without 240Sstevel@tonic-gate * modification, are permitted provided that the following conditions 250Sstevel@tonic-gate * are met: 260Sstevel@tonic-gate * 1. Redistributions of source code must retain the copyright 270Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer. 280Sstevel@tonic-gate * 2. 
Redistributions in binary form must reproduce the above copyright 290Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in the 300Sstevel@tonic-gate * documentation and/or other materials provided with the distribution. 310Sstevel@tonic-gate * 3. All advertising materials mentioning features or use of this software 320Sstevel@tonic-gate * must display the following acknowledgement: 330Sstevel@tonic-gate * "This product includes cryptographic software written by 340Sstevel@tonic-gate * Eric Young (eay@cryptsoft.com)" 350Sstevel@tonic-gate * The word 'cryptographic' can be left out if the rouines from the library 360Sstevel@tonic-gate * being used are not cryptographic related :-). 370Sstevel@tonic-gate * 4. If you include any Windows specific code (or a derivative thereof) from 380Sstevel@tonic-gate * the apps directory (application code) you must include an acknowledgement: 390Sstevel@tonic-gate * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 400Sstevel@tonic-gate * 410Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 420Sstevel@tonic-gate * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 430Sstevel@tonic-gate * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 440Sstevel@tonic-gate * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 450Sstevel@tonic-gate * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 460Sstevel@tonic-gate * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 470Sstevel@tonic-gate * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 480Sstevel@tonic-gate * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 490Sstevel@tonic-gate * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 500Sstevel@tonic-gate * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 510Sstevel@tonic-gate * SUCH DAMAGE. 520Sstevel@tonic-gate * 530Sstevel@tonic-gate * The licence and distribution terms for any publically available version or 540Sstevel@tonic-gate * derivative of this code cannot be changed. i.e. this code cannot simply be 550Sstevel@tonic-gate * copied and put under another distribution licence 560Sstevel@tonic-gate * [including the GNU Public Licence.] 
570Sstevel@tonic-gate */ 580Sstevel@tonic-gate 590Sstevel@tonic-gate /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */ 600Sstevel@tonic-gate 610Sstevel@tonic-gate #include <stdio.h> 620Sstevel@tonic-gate #include <stdlib.h> 630Sstevel@tonic-gate #include <string.h> 640Sstevel@tonic-gate #include <ctype.h> 650Sstevel@tonic-gate #include <sys/types.h> 660Sstevel@tonic-gate #include <sys/stat.h> 670Sstevel@tonic-gate #include <openssl/conf.h> 680Sstevel@tonic-gate #include <openssl/bio.h> 690Sstevel@tonic-gate #include <openssl/err.h> 700Sstevel@tonic-gate #include <openssl/bn.h> 710Sstevel@tonic-gate #include <openssl/txt_db.h> 720Sstevel@tonic-gate #include <openssl/evp.h> 730Sstevel@tonic-gate #include <openssl/x509.h> 740Sstevel@tonic-gate #include <openssl/x509v3.h> 750Sstevel@tonic-gate #include <openssl/objects.h> 760Sstevel@tonic-gate #include <openssl/ocsp.h> 770Sstevel@tonic-gate #include <openssl/pem.h> 780Sstevel@tonic-gate 790Sstevel@tonic-gate #ifdef OPENSSL_SYS_WINDOWS 800Sstevel@tonic-gate #define strcasecmp _stricmp 810Sstevel@tonic-gate #else 820Sstevel@tonic-gate # ifdef NO_STRINGS_H 830Sstevel@tonic-gate int strcasecmp(); 840Sstevel@tonic-gate # else 850Sstevel@tonic-gate # include <strings.h> 860Sstevel@tonic-gate # endif /* NO_STRINGS_H */ 870Sstevel@tonic-gate #endif 880Sstevel@tonic-gate 890Sstevel@tonic-gate #ifndef W_OK 900Sstevel@tonic-gate # ifdef OPENSSL_SYS_VMS 910Sstevel@tonic-gate # if defined(__DECC) 920Sstevel@tonic-gate # include <unistd.h> 930Sstevel@tonic-gate # else 940Sstevel@tonic-gate # include <unixlib.h> 950Sstevel@tonic-gate # endif 960Sstevel@tonic-gate # elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) 970Sstevel@tonic-gate # include <sys/file.h> 980Sstevel@tonic-gate # endif 990Sstevel@tonic-gate #endif 1000Sstevel@tonic-gate 1010Sstevel@tonic-gate #include "apps.h" 1020Sstevel@tonic-gate 1030Sstevel@tonic-gate #ifndef W_OK 1040Sstevel@tonic-gate # define F_OK 0 
1050Sstevel@tonic-gate # define X_OK 1 1060Sstevel@tonic-gate # define W_OK 2 1070Sstevel@tonic-gate # define R_OK 4 1080Sstevel@tonic-gate #endif 1090Sstevel@tonic-gate 1100Sstevel@tonic-gate #undef PROG 1110Sstevel@tonic-gate #define PROG ca_main 1120Sstevel@tonic-gate 1130Sstevel@tonic-gate #define BASE_SECTION "ca" 1140Sstevel@tonic-gate #define CONFIG_FILE "openssl.cnf" 1150Sstevel@tonic-gate 1160Sstevel@tonic-gate #define ENV_DEFAULT_CA "default_ca" 1170Sstevel@tonic-gate 1180Sstevel@tonic-gate #define ENV_DIR "dir" 1190Sstevel@tonic-gate #define ENV_CERTS "certs" 1200Sstevel@tonic-gate #define ENV_CRL_DIR "crl_dir" 1210Sstevel@tonic-gate #define ENV_CA_DB "CA_DB" 1220Sstevel@tonic-gate #define ENV_NEW_CERTS_DIR "new_certs_dir" 1230Sstevel@tonic-gate #define ENV_CERTIFICATE "certificate" 1240Sstevel@tonic-gate #define ENV_SERIAL "serial" 1250Sstevel@tonic-gate #define ENV_CRLNUMBER "crlnumber" 1260Sstevel@tonic-gate #define ENV_CRL "crl" 1270Sstevel@tonic-gate #define ENV_PRIVATE_KEY "private_key" 1280Sstevel@tonic-gate #define ENV_RANDFILE "RANDFILE" 1290Sstevel@tonic-gate #define ENV_DEFAULT_DAYS "default_days" 1300Sstevel@tonic-gate #define ENV_DEFAULT_STARTDATE "default_startdate" 1310Sstevel@tonic-gate #define ENV_DEFAULT_ENDDATE "default_enddate" 1320Sstevel@tonic-gate #define ENV_DEFAULT_CRL_DAYS "default_crl_days" 1330Sstevel@tonic-gate #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" 1340Sstevel@tonic-gate #define ENV_DEFAULT_MD "default_md" 1350Sstevel@tonic-gate #define ENV_DEFAULT_EMAIL_DN "email_in_dn" 1360Sstevel@tonic-gate #define ENV_PRESERVE "preserve" 1370Sstevel@tonic-gate #define ENV_POLICY "policy" 1380Sstevel@tonic-gate #define ENV_EXTENSIONS "x509_extensions" 1390Sstevel@tonic-gate #define ENV_CRLEXT "crl_extensions" 1400Sstevel@tonic-gate #define ENV_MSIE_HACK "msie_hack" 1410Sstevel@tonic-gate #define ENV_NAMEOPT "name_opt" 1420Sstevel@tonic-gate #define ENV_CERTOPT "cert_opt" 1430Sstevel@tonic-gate #define ENV_EXTCOPY 
"copy_extensions" 1440Sstevel@tonic-gate 1450Sstevel@tonic-gate #define ENV_DATABASE "database" 1460Sstevel@tonic-gate 1470Sstevel@tonic-gate /* Additional revocation information types */ 1480Sstevel@tonic-gate 1490Sstevel@tonic-gate #define REV_NONE 0 /* No addditional information */ 1500Sstevel@tonic-gate #define REV_CRL_REASON 1 /* Value is CRL reason code */ 1510Sstevel@tonic-gate #define REV_HOLD 2 /* Value is hold instruction */ 1520Sstevel@tonic-gate #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ 1530Sstevel@tonic-gate #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ 1540Sstevel@tonic-gate 1550Sstevel@tonic-gate static char *ca_usage[]={ 1560Sstevel@tonic-gate "usage: ca args\n", 1570Sstevel@tonic-gate "\n", 1580Sstevel@tonic-gate " -verbose - Talk alot while doing things\n", 1590Sstevel@tonic-gate " -config file - A config file\n", 1600Sstevel@tonic-gate " -name arg - The particular CA definition to use\n", 1610Sstevel@tonic-gate " -gencrl - Generate a new CRL\n", 1620Sstevel@tonic-gate " -crldays days - Days is when the next CRL is due\n", 1630Sstevel@tonic-gate " -crlhours hours - Hours is when the next CRL is due\n", 1640Sstevel@tonic-gate " -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n", 1650Sstevel@tonic-gate " -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n", 1660Sstevel@tonic-gate " -days arg - number of days to certify the certificate for\n", 1670Sstevel@tonic-gate " -md arg - md to use, one of md2, md5, sha or sha1\n", 1680Sstevel@tonic-gate " -policy arg - The CA 'policy' to support\n", 1690Sstevel@tonic-gate " -keyfile arg - private key file\n", 1700Sstevel@tonic-gate " -keyform arg - private key file format (PEM or ENGINE)\n", 1710Sstevel@tonic-gate " -key arg - key to decode the private key if it is encrypted\n", 1720Sstevel@tonic-gate " -cert file - The CA certificate\n", 1730Sstevel@tonic-gate " -in file - The input PEM encoded certificate request(s)\n", 
1740Sstevel@tonic-gate " -out file - Where to put the output file(s)\n", 1750Sstevel@tonic-gate " -outdir dir - Where to put output certificates\n", 1760Sstevel@tonic-gate " -infiles .... - The last argument, requests to process\n", 1770Sstevel@tonic-gate " -spkac file - File contains DN and signed public key and challenge\n", 1780Sstevel@tonic-gate " -ss_cert file - File contains a self signed cert to sign\n", 1790Sstevel@tonic-gate " -preserveDN - Don't re-order the DN\n", 1800Sstevel@tonic-gate " -noemailDN - Don't add the EMAIL field into certificate' subject\n", 1810Sstevel@tonic-gate " -batch - Don't ask questions\n", 1820Sstevel@tonic-gate " -msie_hack - msie modifications to handle all those universal strings\n", 1830Sstevel@tonic-gate " -revoke file - Revoke a certificate (given in file)\n", 1840Sstevel@tonic-gate " -subj arg - Use arg instead of request's subject\n", 1850Sstevel@tonic-gate " -extensions .. - Extension section (override value in config file)\n", 1860Sstevel@tonic-gate " -extfile file - Configuration file with X509v3 extentions to add\n", 1870Sstevel@tonic-gate " -crlexts .. 
- CRL extension section (override value in config file)\n", 1880Sstevel@tonic-gate #ifndef OPENSSL_NO_ENGINE 1890Sstevel@tonic-gate " -engine e - use engine e, possibly a hardware device.\n", 1900Sstevel@tonic-gate #endif 1910Sstevel@tonic-gate " -status serial - Shows certificate status given the serial number\n", 1920Sstevel@tonic-gate " -updatedb - Updates db for expired certificates\n", 1930Sstevel@tonic-gate NULL 1940Sstevel@tonic-gate }; 1950Sstevel@tonic-gate 1960Sstevel@tonic-gate #ifdef EFENCE 1970Sstevel@tonic-gate extern int EF_PROTECT_FREE; 1980Sstevel@tonic-gate extern int EF_PROTECT_BELOW; 1990Sstevel@tonic-gate extern int EF_ALIGNMENT; 2000Sstevel@tonic-gate #endif 2010Sstevel@tonic-gate 2020Sstevel@tonic-gate static void lookup_fail(char *name,char *tag); 2030Sstevel@tonic-gate static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, 2040Sstevel@tonic-gate const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db, 2050Sstevel@tonic-gate BIGNUM *serial, char *subj, int email_dn, char *startdate, 2060Sstevel@tonic-gate char *enddate, long days, int batch, char *ext_sect, CONF *conf, 2070Sstevel@tonic-gate int verbose, unsigned long certopt, unsigned long nameopt, 2080Sstevel@tonic-gate int default_op, int ext_copy); 2090Sstevel@tonic-gate static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, 2100Sstevel@tonic-gate const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, 2110Sstevel@tonic-gate CA_DB *db, BIGNUM *serial, char *subj, int email_dn, 2120Sstevel@tonic-gate char *startdate, char *enddate, long days, int batch, 2130Sstevel@tonic-gate char *ext_sect, CONF *conf,int verbose, unsigned long certopt, 2140Sstevel@tonic-gate unsigned long nameopt, int default_op, int ext_copy, 2150Sstevel@tonic-gate ENGINE *e); 2160Sstevel@tonic-gate static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, 2170Sstevel@tonic-gate const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, 2180Sstevel@tonic-gate CA_DB *db, 
BIGNUM *serial,char *subj, int email_dn, 2190Sstevel@tonic-gate char *startdate, char *enddate, long days, char *ext_sect, 2200Sstevel@tonic-gate CONF *conf, int verbose, unsigned long certopt, 2210Sstevel@tonic-gate unsigned long nameopt, int default_op, int ext_copy); 2220Sstevel@tonic-gate static int fix_data(int nid, int *type); 2230Sstevel@tonic-gate static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); 2240Sstevel@tonic-gate static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, 2250Sstevel@tonic-gate STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, 2260Sstevel@tonic-gate int email_dn, char *startdate, char *enddate, long days, int batch, 2270Sstevel@tonic-gate int verbose, X509_REQ *req, char *ext_sect, CONF *conf, 2280Sstevel@tonic-gate unsigned long certopt, unsigned long nameopt, int default_op, 2290Sstevel@tonic-gate int ext_copy); 2300Sstevel@tonic-gate static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); 2310Sstevel@tonic-gate static int get_certificate_status(const char *ser_status, CA_DB *db); 2320Sstevel@tonic-gate static int do_updatedb(CA_DB *db); 2330Sstevel@tonic-gate static int check_time_format(char *str); 2340Sstevel@tonic-gate char *make_revocation_str(int rev_type, char *rev_arg); 2350Sstevel@tonic-gate int make_revoked(X509_REVOKED *rev, char *str); 2360Sstevel@tonic-gate int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); 2370Sstevel@tonic-gate static CONF *conf=NULL; 2380Sstevel@tonic-gate static CONF *extconf=NULL; 2390Sstevel@tonic-gate static char *section=NULL; 2400Sstevel@tonic-gate 2410Sstevel@tonic-gate static int preserve=0; 2420Sstevel@tonic-gate static int msie_hack=0; 2430Sstevel@tonic-gate 2440Sstevel@tonic-gate 2450Sstevel@tonic-gate int MAIN(int, char **); 2460Sstevel@tonic-gate 2470Sstevel@tonic-gate int MAIN(int argc, char **argv) 2480Sstevel@tonic-gate { 2490Sstevel@tonic-gate ENGINE *e = NULL; 2500Sstevel@tonic-gate char 
*key=NULL,*passargin=NULL; 2510Sstevel@tonic-gate int free_key = 0; 2520Sstevel@tonic-gate int total=0; 2530Sstevel@tonic-gate int total_done=0; 2540Sstevel@tonic-gate int badops=0; 2550Sstevel@tonic-gate int ret=1; 2560Sstevel@tonic-gate int email_dn=1; 2570Sstevel@tonic-gate int req=0; 2580Sstevel@tonic-gate int verbose=0; 2590Sstevel@tonic-gate int gencrl=0; 2600Sstevel@tonic-gate int dorevoke=0; 2610Sstevel@tonic-gate int doupdatedb=0; 2620Sstevel@tonic-gate long crldays=0; 2630Sstevel@tonic-gate long crlhours=0; 2640Sstevel@tonic-gate long errorline= -1; 2650Sstevel@tonic-gate char *configfile=NULL; 2660Sstevel@tonic-gate char *md=NULL; 2670Sstevel@tonic-gate char *policy=NULL; 2680Sstevel@tonic-gate char *keyfile=NULL; 2690Sstevel@tonic-gate char *certfile=NULL; 2700Sstevel@tonic-gate int keyform=FORMAT_PEM; 2710Sstevel@tonic-gate char *infile=NULL; 2720Sstevel@tonic-gate char *spkac_file=NULL; 2730Sstevel@tonic-gate char *ss_cert_file=NULL; 2740Sstevel@tonic-gate char *ser_status=NULL; 2750Sstevel@tonic-gate EVP_PKEY *pkey=NULL; 2760Sstevel@tonic-gate int output_der = 0; 2770Sstevel@tonic-gate char *outfile=NULL; 2780Sstevel@tonic-gate char *outdir=NULL; 2790Sstevel@tonic-gate char *serialfile=NULL; 2800Sstevel@tonic-gate char *crlnumberfile=NULL; 2810Sstevel@tonic-gate char *extensions=NULL; 2820Sstevel@tonic-gate char *extfile=NULL; 2830Sstevel@tonic-gate char *subj=NULL; 2840Sstevel@tonic-gate char *tmp_email_dn=NULL; 2850Sstevel@tonic-gate char *crl_ext=NULL; 2860Sstevel@tonic-gate int rev_type = REV_NONE; 2870Sstevel@tonic-gate char *rev_arg = NULL; 2880Sstevel@tonic-gate BIGNUM *serial=NULL; 2890Sstevel@tonic-gate BIGNUM *crlnumber=NULL; 2900Sstevel@tonic-gate char *startdate=NULL; 2910Sstevel@tonic-gate char *enddate=NULL; 2920Sstevel@tonic-gate long days=0; 2930Sstevel@tonic-gate int batch=0; 2940Sstevel@tonic-gate int notext=0; 2950Sstevel@tonic-gate unsigned long nameopt = 0, certopt = 0; 2960Sstevel@tonic-gate int default_op = 1; 
2970Sstevel@tonic-gate int ext_copy = EXT_COPY_NONE; 2980Sstevel@tonic-gate X509 *x509=NULL; 2990Sstevel@tonic-gate X509 *x=NULL; 3000Sstevel@tonic-gate BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; 3010Sstevel@tonic-gate char *dbfile=NULL; 3020Sstevel@tonic-gate CA_DB *db=NULL; 3030Sstevel@tonic-gate X509_CRL *crl=NULL; 3040Sstevel@tonic-gate X509_REVOKED *r=NULL; 3050Sstevel@tonic-gate ASN1_TIME *tmptm; 3060Sstevel@tonic-gate ASN1_INTEGER *tmpser; 3070Sstevel@tonic-gate char **pp,*p,*f; 3080Sstevel@tonic-gate int i,j; 3090Sstevel@tonic-gate const EVP_MD *dgst=NULL; 3100Sstevel@tonic-gate STACK_OF(CONF_VALUE) *attribs=NULL; 3110Sstevel@tonic-gate STACK_OF(X509) *cert_sk=NULL; 3120Sstevel@tonic-gate #undef BSIZE 3130Sstevel@tonic-gate #define BSIZE 256 3140Sstevel@tonic-gate MS_STATIC char buf[3][BSIZE]; 3150Sstevel@tonic-gate char *randfile=NULL; 3160Sstevel@tonic-gate #ifndef OPENSSL_NO_ENGINE 3170Sstevel@tonic-gate char *engine = NULL; 3180Sstevel@tonic-gate #endif 3190Sstevel@tonic-gate char *tofree=NULL; 3200Sstevel@tonic-gate DB_ATTR db_attr; 3210Sstevel@tonic-gate 3220Sstevel@tonic-gate #ifdef EFENCE 3230Sstevel@tonic-gate EF_PROTECT_FREE=1; 3240Sstevel@tonic-gate EF_PROTECT_BELOW=1; 3250Sstevel@tonic-gate EF_ALIGNMENT=0; 3260Sstevel@tonic-gate #endif 3270Sstevel@tonic-gate 3280Sstevel@tonic-gate apps_startup(); 3290Sstevel@tonic-gate 3300Sstevel@tonic-gate conf = NULL; 3310Sstevel@tonic-gate key = NULL; 3320Sstevel@tonic-gate section = NULL; 3330Sstevel@tonic-gate 3340Sstevel@tonic-gate preserve=0; 3350Sstevel@tonic-gate msie_hack=0; 3360Sstevel@tonic-gate if (bio_err == NULL) 3370Sstevel@tonic-gate if ((bio_err=BIO_new(BIO_s_file())) != NULL) 3380Sstevel@tonic-gate BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); 3390Sstevel@tonic-gate 3400Sstevel@tonic-gate argc--; 3410Sstevel@tonic-gate argv++; 3420Sstevel@tonic-gate while (argc >= 1) 3430Sstevel@tonic-gate { 3440Sstevel@tonic-gate if (strcmp(*argv,"-verbose") == 0) 3450Sstevel@tonic-gate verbose=1; 
3460Sstevel@tonic-gate else if (strcmp(*argv,"-config") == 0) 3470Sstevel@tonic-gate { 3480Sstevel@tonic-gate if (--argc < 1) goto bad; 3490Sstevel@tonic-gate configfile= *(++argv); 3500Sstevel@tonic-gate } 3510Sstevel@tonic-gate else if (strcmp(*argv,"-name") == 0) 3520Sstevel@tonic-gate { 3530Sstevel@tonic-gate if (--argc < 1) goto bad; 3540Sstevel@tonic-gate section= *(++argv); 3550Sstevel@tonic-gate } 3560Sstevel@tonic-gate else if (strcmp(*argv,"-subj") == 0) 3570Sstevel@tonic-gate { 3580Sstevel@tonic-gate if (--argc < 1) goto bad; 3590Sstevel@tonic-gate subj= *(++argv); 3600Sstevel@tonic-gate /* preserve=1; */ 3610Sstevel@tonic-gate } 3620Sstevel@tonic-gate else if (strcmp(*argv,"-startdate") == 0) 3630Sstevel@tonic-gate { 3640Sstevel@tonic-gate if (--argc < 1) goto bad; 3650Sstevel@tonic-gate startdate= *(++argv); 3660Sstevel@tonic-gate } 3670Sstevel@tonic-gate else if (strcmp(*argv,"-enddate") == 0) 3680Sstevel@tonic-gate { 3690Sstevel@tonic-gate if (--argc < 1) goto bad; 3700Sstevel@tonic-gate enddate= *(++argv); 3710Sstevel@tonic-gate } 3720Sstevel@tonic-gate else if (strcmp(*argv,"-days") == 0) 3730Sstevel@tonic-gate { 3740Sstevel@tonic-gate if (--argc < 1) goto bad; 3750Sstevel@tonic-gate days=atoi(*(++argv)); 3760Sstevel@tonic-gate } 3770Sstevel@tonic-gate else if (strcmp(*argv,"-md") == 0) 3780Sstevel@tonic-gate { 3790Sstevel@tonic-gate if (--argc < 1) goto bad; 3800Sstevel@tonic-gate md= *(++argv); 3810Sstevel@tonic-gate } 3820Sstevel@tonic-gate else if (strcmp(*argv,"-policy") == 0) 3830Sstevel@tonic-gate { 3840Sstevel@tonic-gate if (--argc < 1) goto bad; 3850Sstevel@tonic-gate policy= *(++argv); 3860Sstevel@tonic-gate } 3870Sstevel@tonic-gate else if (strcmp(*argv,"-keyfile") == 0) 3880Sstevel@tonic-gate { 3890Sstevel@tonic-gate if (--argc < 1) goto bad; 3900Sstevel@tonic-gate keyfile= *(++argv); 3910Sstevel@tonic-gate } 3920Sstevel@tonic-gate else if (strcmp(*argv,"-keyform") == 0) 3930Sstevel@tonic-gate { 3940Sstevel@tonic-gate if (--argc < 1) 
goto bad; 3950Sstevel@tonic-gate keyform=str2fmt(*(++argv)); 3960Sstevel@tonic-gate } 3970Sstevel@tonic-gate else if (strcmp(*argv,"-passin") == 0) 3980Sstevel@tonic-gate { 3990Sstevel@tonic-gate if (--argc < 1) goto bad; 4000Sstevel@tonic-gate passargin= *(++argv); 4010Sstevel@tonic-gate } 4020Sstevel@tonic-gate else if (strcmp(*argv,"-key") == 0) 4030Sstevel@tonic-gate { 4040Sstevel@tonic-gate if (--argc < 1) goto bad; 4050Sstevel@tonic-gate key= *(++argv); 4060Sstevel@tonic-gate } 4070Sstevel@tonic-gate else if (strcmp(*argv,"-cert") == 0) 4080Sstevel@tonic-gate { 4090Sstevel@tonic-gate if (--argc < 1) goto bad; 4100Sstevel@tonic-gate certfile= *(++argv); 4110Sstevel@tonic-gate } 4120Sstevel@tonic-gate else if (strcmp(*argv,"-in") == 0) 4130Sstevel@tonic-gate { 4140Sstevel@tonic-gate if (--argc < 1) goto bad; 4150Sstevel@tonic-gate infile= *(++argv); 4160Sstevel@tonic-gate req=1; 4170Sstevel@tonic-gate } 4180Sstevel@tonic-gate else if (strcmp(*argv,"-out") == 0) 4190Sstevel@tonic-gate { 4200Sstevel@tonic-gate if (--argc < 1) goto bad; 4210Sstevel@tonic-gate outfile= *(++argv); 4220Sstevel@tonic-gate } 4230Sstevel@tonic-gate else if (strcmp(*argv,"-outdir") == 0) 4240Sstevel@tonic-gate { 4250Sstevel@tonic-gate if (--argc < 1) goto bad; 4260Sstevel@tonic-gate outdir= *(++argv); 4270Sstevel@tonic-gate } 4280Sstevel@tonic-gate else if (strcmp(*argv,"-notext") == 0) 4290Sstevel@tonic-gate notext=1; 4300Sstevel@tonic-gate else if (strcmp(*argv,"-batch") == 0) 4310Sstevel@tonic-gate batch=1; 4320Sstevel@tonic-gate else if (strcmp(*argv,"-preserveDN") == 0) 4330Sstevel@tonic-gate preserve=1; 4340Sstevel@tonic-gate else if (strcmp(*argv,"-noemailDN") == 0) 4350Sstevel@tonic-gate email_dn=0; 4360Sstevel@tonic-gate else if (strcmp(*argv,"-gencrl") == 0) 4370Sstevel@tonic-gate gencrl=1; 4380Sstevel@tonic-gate else if (strcmp(*argv,"-msie_hack") == 0) 4390Sstevel@tonic-gate msie_hack=1; 4400Sstevel@tonic-gate else if (strcmp(*argv,"-crldays") == 0) 4410Sstevel@tonic-gate { 
4420Sstevel@tonic-gate if (--argc < 1) goto bad; 4430Sstevel@tonic-gate crldays= atol(*(++argv)); 4440Sstevel@tonic-gate } 4450Sstevel@tonic-gate else if (strcmp(*argv,"-crlhours") == 0) 4460Sstevel@tonic-gate { 4470Sstevel@tonic-gate if (--argc < 1) goto bad; 4480Sstevel@tonic-gate crlhours= atol(*(++argv)); 4490Sstevel@tonic-gate } 4500Sstevel@tonic-gate else if (strcmp(*argv,"-infiles") == 0) 4510Sstevel@tonic-gate { 4520Sstevel@tonic-gate argc--; 4530Sstevel@tonic-gate argv++; 4540Sstevel@tonic-gate req=1; 4550Sstevel@tonic-gate break; 4560Sstevel@tonic-gate } 4570Sstevel@tonic-gate else if (strcmp(*argv, "-ss_cert") == 0) 4580Sstevel@tonic-gate { 4590Sstevel@tonic-gate if (--argc < 1) goto bad; 4600Sstevel@tonic-gate ss_cert_file = *(++argv); 4610Sstevel@tonic-gate req=1; 4620Sstevel@tonic-gate } 4630Sstevel@tonic-gate else if (strcmp(*argv, "-spkac") == 0) 4640Sstevel@tonic-gate { 4650Sstevel@tonic-gate if (--argc < 1) goto bad; 4660Sstevel@tonic-gate spkac_file = *(++argv); 4670Sstevel@tonic-gate req=1; 4680Sstevel@tonic-gate } 4690Sstevel@tonic-gate else if (strcmp(*argv,"-revoke") == 0) 4700Sstevel@tonic-gate { 4710Sstevel@tonic-gate if (--argc < 1) goto bad; 4720Sstevel@tonic-gate infile= *(++argv); 4730Sstevel@tonic-gate dorevoke=1; 4740Sstevel@tonic-gate } 4750Sstevel@tonic-gate else if (strcmp(*argv,"-extensions") == 0) 4760Sstevel@tonic-gate { 4770Sstevel@tonic-gate if (--argc < 1) goto bad; 4780Sstevel@tonic-gate extensions= *(++argv); 4790Sstevel@tonic-gate } 4800Sstevel@tonic-gate else if (strcmp(*argv,"-extfile") == 0) 4810Sstevel@tonic-gate { 4820Sstevel@tonic-gate if (--argc < 1) goto bad; 4830Sstevel@tonic-gate extfile= *(++argv); 4840Sstevel@tonic-gate } 4850Sstevel@tonic-gate else if (strcmp(*argv,"-status") == 0) 4860Sstevel@tonic-gate { 4870Sstevel@tonic-gate if (--argc < 1) goto bad; 4880Sstevel@tonic-gate ser_status= *(++argv); 4890Sstevel@tonic-gate } 4900Sstevel@tonic-gate else if (strcmp(*argv,"-updatedb") == 0) 4910Sstevel@tonic-gate 
{ 4920Sstevel@tonic-gate doupdatedb=1; 4930Sstevel@tonic-gate } 4940Sstevel@tonic-gate else if (strcmp(*argv,"-crlexts") == 0) 4950Sstevel@tonic-gate { 4960Sstevel@tonic-gate if (--argc < 1) goto bad; 4970Sstevel@tonic-gate crl_ext= *(++argv); 4980Sstevel@tonic-gate } 4990Sstevel@tonic-gate else if (strcmp(*argv,"-crl_reason") == 0) 5000Sstevel@tonic-gate { 5010Sstevel@tonic-gate if (--argc < 1) goto bad; 5020Sstevel@tonic-gate rev_arg = *(++argv); 5030Sstevel@tonic-gate rev_type = REV_CRL_REASON; 5040Sstevel@tonic-gate } 5050Sstevel@tonic-gate else if (strcmp(*argv,"-crl_hold") == 0) 5060Sstevel@tonic-gate { 5070Sstevel@tonic-gate if (--argc < 1) goto bad; 5080Sstevel@tonic-gate rev_arg = *(++argv); 5090Sstevel@tonic-gate rev_type = REV_HOLD; 5100Sstevel@tonic-gate } 5110Sstevel@tonic-gate else if (strcmp(*argv,"-crl_compromise") == 0) 5120Sstevel@tonic-gate { 5130Sstevel@tonic-gate if (--argc < 1) goto bad; 5140Sstevel@tonic-gate rev_arg = *(++argv); 5150Sstevel@tonic-gate rev_type = REV_KEY_COMPROMISE; 5160Sstevel@tonic-gate } 5170Sstevel@tonic-gate else if (strcmp(*argv,"-crl_CA_compromise") == 0) 5180Sstevel@tonic-gate { 5190Sstevel@tonic-gate if (--argc < 1) goto bad; 5200Sstevel@tonic-gate rev_arg = *(++argv); 5210Sstevel@tonic-gate rev_type = REV_CA_COMPROMISE; 5220Sstevel@tonic-gate } 5230Sstevel@tonic-gate #ifndef OPENSSL_NO_ENGINE 5240Sstevel@tonic-gate else if (strcmp(*argv,"-engine") == 0) 5250Sstevel@tonic-gate { 5260Sstevel@tonic-gate if (--argc < 1) goto bad; 5270Sstevel@tonic-gate engine= *(++argv); 5280Sstevel@tonic-gate } 5290Sstevel@tonic-gate #endif 5300Sstevel@tonic-gate else 5310Sstevel@tonic-gate { 5320Sstevel@tonic-gate bad: 5330Sstevel@tonic-gate BIO_printf(bio_err,"unknown option %s\n",*argv); 5340Sstevel@tonic-gate badops=1; 5350Sstevel@tonic-gate break; 5360Sstevel@tonic-gate } 5370Sstevel@tonic-gate argc--; 5380Sstevel@tonic-gate argv++; 5390Sstevel@tonic-gate } 5400Sstevel@tonic-gate 5410Sstevel@tonic-gate if (badops) 
5420Sstevel@tonic-gate { 5430Sstevel@tonic-gate for (pp=ca_usage; (*pp != NULL); pp++) 5440Sstevel@tonic-gate BIO_printf(bio_err,"%s",*pp); 5450Sstevel@tonic-gate goto err; 5460Sstevel@tonic-gate } 5470Sstevel@tonic-gate 5480Sstevel@tonic-gate ERR_load_crypto_strings(); 5490Sstevel@tonic-gate 5500Sstevel@tonic-gate #ifndef OPENSSL_NO_ENGINE 5510Sstevel@tonic-gate e = setup_engine(bio_err, engine, 0); 5520Sstevel@tonic-gate #endif 5530Sstevel@tonic-gate 5540Sstevel@tonic-gate /*****************************************************************/ 5550Sstevel@tonic-gate tofree=NULL; 5560Sstevel@tonic-gate if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); 5570Sstevel@tonic-gate if (configfile == NULL) configfile = getenv("SSLEAY_CONF"); 5580Sstevel@tonic-gate if (configfile == NULL) 5590Sstevel@tonic-gate { 5600Sstevel@tonic-gate const char *s=X509_get_default_cert_area(); 5610Sstevel@tonic-gate size_t len; 5620Sstevel@tonic-gate 5630Sstevel@tonic-gate #ifdef OPENSSL_SYS_VMS 5640Sstevel@tonic-gate len = strlen(s)+sizeof(CONFIG_FILE); 5650Sstevel@tonic-gate tofree=OPENSSL_malloc(len); 5660Sstevel@tonic-gate strcpy(tofree,s); 5670Sstevel@tonic-gate #else 5680Sstevel@tonic-gate len = strlen(s)+sizeof(CONFIG_FILE)+1; 5690Sstevel@tonic-gate tofree=OPENSSL_malloc(len); 5700Sstevel@tonic-gate BUF_strlcpy(tofree,s,len); 5710Sstevel@tonic-gate BUF_strlcat(tofree,"/",len); 5720Sstevel@tonic-gate #endif 5730Sstevel@tonic-gate BUF_strlcat(tofree,CONFIG_FILE,len); 5740Sstevel@tonic-gate configfile=tofree; 5750Sstevel@tonic-gate } 5760Sstevel@tonic-gate 5770Sstevel@tonic-gate BIO_printf(bio_err,"Using configuration from %s\n",configfile); 5780Sstevel@tonic-gate conf = NCONF_new(NULL); 5790Sstevel@tonic-gate if (NCONF_load(conf,configfile,&errorline) <= 0) 5800Sstevel@tonic-gate { 5810Sstevel@tonic-gate if (errorline <= 0) 5820Sstevel@tonic-gate BIO_printf(bio_err,"error loading the config file '%s'\n", 5830Sstevel@tonic-gate configfile); 5840Sstevel@tonic-gate else 
5850Sstevel@tonic-gate BIO_printf(bio_err,"error on line %ld of config file '%s'\n" 5860Sstevel@tonic-gate ,errorline,configfile); 5870Sstevel@tonic-gate goto err; 5880Sstevel@tonic-gate } 5890Sstevel@tonic-gate if(tofree) 5900Sstevel@tonic-gate { 5910Sstevel@tonic-gate OPENSSL_free(tofree); 5920Sstevel@tonic-gate tofree = NULL; 5930Sstevel@tonic-gate } 5940Sstevel@tonic-gate 5950Sstevel@tonic-gate if (!load_config(bio_err, conf)) 5960Sstevel@tonic-gate goto err; 5970Sstevel@tonic-gate 5980Sstevel@tonic-gate /* Lets get the config section we are using */ 5990Sstevel@tonic-gate if (section == NULL) 6000Sstevel@tonic-gate { 6010Sstevel@tonic-gate section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA); 6020Sstevel@tonic-gate if (section == NULL) 6030Sstevel@tonic-gate { 6040Sstevel@tonic-gate lookup_fail(BASE_SECTION,ENV_DEFAULT_CA); 6050Sstevel@tonic-gate goto err; 6060Sstevel@tonic-gate } 6070Sstevel@tonic-gate } 6080Sstevel@tonic-gate 6090Sstevel@tonic-gate if (conf != NULL) 6100Sstevel@tonic-gate { 6110Sstevel@tonic-gate p=NCONF_get_string(conf,NULL,"oid_file"); 6120Sstevel@tonic-gate if (p == NULL) 6130Sstevel@tonic-gate ERR_clear_error(); 6140Sstevel@tonic-gate if (p != NULL) 6150Sstevel@tonic-gate { 6160Sstevel@tonic-gate BIO *oid_bio; 6170Sstevel@tonic-gate 6180Sstevel@tonic-gate oid_bio=BIO_new_file(p,"r"); 6190Sstevel@tonic-gate if (oid_bio == NULL) 6200Sstevel@tonic-gate { 6210Sstevel@tonic-gate /* 6220Sstevel@tonic-gate BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); 6230Sstevel@tonic-gate ERR_print_errors(bio_err); 6240Sstevel@tonic-gate */ 6250Sstevel@tonic-gate ERR_clear_error(); 6260Sstevel@tonic-gate } 6270Sstevel@tonic-gate else 6280Sstevel@tonic-gate { 6290Sstevel@tonic-gate OBJ_create_objects(oid_bio); 6300Sstevel@tonic-gate BIO_free(oid_bio); 6310Sstevel@tonic-gate } 6320Sstevel@tonic-gate } 6330Sstevel@tonic-gate if (!add_oid_section(bio_err,conf)) 6340Sstevel@tonic-gate { 6350Sstevel@tonic-gate ERR_print_errors(bio_err); 
6360Sstevel@tonic-gate goto err; 6370Sstevel@tonic-gate } 6380Sstevel@tonic-gate } 6390Sstevel@tonic-gate 6400Sstevel@tonic-gate randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); 6410Sstevel@tonic-gate if (randfile == NULL) 6420Sstevel@tonic-gate ERR_clear_error(); 6430Sstevel@tonic-gate app_RAND_load_file(randfile, bio_err, 0); 6440Sstevel@tonic-gate 6450Sstevel@tonic-gate db_attr.unique_subject = 1; 6460Sstevel@tonic-gate p = NCONF_get_string(conf, section, "unique_subject"); 6470Sstevel@tonic-gate if (p) 6480Sstevel@tonic-gate { 6490Sstevel@tonic-gate #ifdef RL_DEBUG 6500Sstevel@tonic-gate BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); 6510Sstevel@tonic-gate #endif 6520Sstevel@tonic-gate switch(*p) 6530Sstevel@tonic-gate { 6540Sstevel@tonic-gate case 'f': /* false */ 6550Sstevel@tonic-gate case 'F': /* FALSE */ 6560Sstevel@tonic-gate case 'n': /* no */ 6570Sstevel@tonic-gate case 'N': /* NO */ 6580Sstevel@tonic-gate db_attr.unique_subject = 0; 6590Sstevel@tonic-gate break; 6600Sstevel@tonic-gate case 't': /* true */ 6610Sstevel@tonic-gate case 'T': /* TRUE */ 6620Sstevel@tonic-gate case 'y': /* yes */ 6630Sstevel@tonic-gate case 'Y': /* YES */ 6640Sstevel@tonic-gate default: 6650Sstevel@tonic-gate db_attr.unique_subject = 1; 6660Sstevel@tonic-gate break; 6670Sstevel@tonic-gate } 6680Sstevel@tonic-gate } 6690Sstevel@tonic-gate #ifdef RL_DEBUG 6700Sstevel@tonic-gate else 6710Sstevel@tonic-gate BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); 6720Sstevel@tonic-gate #endif 6730Sstevel@tonic-gate #ifdef RL_DEBUG 6740Sstevel@tonic-gate BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", 6750Sstevel@tonic-gate db_attr.unique_subject); 6760Sstevel@tonic-gate #endif 6770Sstevel@tonic-gate 6780Sstevel@tonic-gate in=BIO_new(BIO_s_file()); 6790Sstevel@tonic-gate out=BIO_new(BIO_s_file()); 6800Sstevel@tonic-gate Sout=BIO_new(BIO_s_file()); 6810Sstevel@tonic-gate Cout=BIO_new(BIO_s_file()); 6820Sstevel@tonic-gate if ((in == 
NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) 6830Sstevel@tonic-gate { 6840Sstevel@tonic-gate ERR_print_errors(bio_err); 6850Sstevel@tonic-gate goto err; 6860Sstevel@tonic-gate } 6870Sstevel@tonic-gate 6880Sstevel@tonic-gate /*****************************************************************/ 6890Sstevel@tonic-gate /* report status of cert with serial number given on command line */ 6900Sstevel@tonic-gate if (ser_status) 6910Sstevel@tonic-gate { 6920Sstevel@tonic-gate if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL) 6930Sstevel@tonic-gate { 6940Sstevel@tonic-gate lookup_fail(section,ENV_DATABASE); 6950Sstevel@tonic-gate goto err; 6960Sstevel@tonic-gate } 6970Sstevel@tonic-gate db = load_index(dbfile,&db_attr); 6980Sstevel@tonic-gate if (db == NULL) goto err; 6990Sstevel@tonic-gate 7000Sstevel@tonic-gate if (!index_index(db)) goto err; 7010Sstevel@tonic-gate 7020Sstevel@tonic-gate if (get_certificate_status(ser_status,db) != 1) 7030Sstevel@tonic-gate BIO_printf(bio_err,"Error verifying serial %s!\n", 7040Sstevel@tonic-gate ser_status); 7050Sstevel@tonic-gate goto err; 7060Sstevel@tonic-gate } 7070Sstevel@tonic-gate 7080Sstevel@tonic-gate /*****************************************************************/ 7090Sstevel@tonic-gate /* we definitely need a public key, so let's get it */ 7100Sstevel@tonic-gate 7110Sstevel@tonic-gate if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf, 7120Sstevel@tonic-gate section,ENV_PRIVATE_KEY)) == NULL)) 7130Sstevel@tonic-gate { 7140Sstevel@tonic-gate lookup_fail(section,ENV_PRIVATE_KEY); 7150Sstevel@tonic-gate goto err; 7160Sstevel@tonic-gate } 7170Sstevel@tonic-gate if (!key) 7180Sstevel@tonic-gate { 7190Sstevel@tonic-gate free_key = 1; 7200Sstevel@tonic-gate if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) 7210Sstevel@tonic-gate { 7220Sstevel@tonic-gate BIO_printf(bio_err,"Error getting password\n"); 7230Sstevel@tonic-gate goto err; 7240Sstevel@tonic-gate } 7250Sstevel@tonic-gate } 
7260Sstevel@tonic-gate pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 7270Sstevel@tonic-gate "CA private key"); 7280Sstevel@tonic-gate if (key) OPENSSL_cleanse(key,strlen(key)); 7290Sstevel@tonic-gate if (pkey == NULL) 7300Sstevel@tonic-gate { 7310Sstevel@tonic-gate /* load_key() has already printed an appropriate message */ 7320Sstevel@tonic-gate goto err; 7330Sstevel@tonic-gate } 7340Sstevel@tonic-gate 7350Sstevel@tonic-gate /*****************************************************************/ 7360Sstevel@tonic-gate /* we need a certificate */ 7370Sstevel@tonic-gate if ((certfile == NULL) && ((certfile=NCONF_get_string(conf, 7380Sstevel@tonic-gate section,ENV_CERTIFICATE)) == NULL)) 7390Sstevel@tonic-gate { 7400Sstevel@tonic-gate lookup_fail(section,ENV_CERTIFICATE); 7410Sstevel@tonic-gate goto err; 7420Sstevel@tonic-gate } 7430Sstevel@tonic-gate x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, 7440Sstevel@tonic-gate "CA certificate"); 7450Sstevel@tonic-gate if (x509 == NULL) 7460Sstevel@tonic-gate goto err; 7470Sstevel@tonic-gate 7480Sstevel@tonic-gate if (!X509_check_private_key(x509,pkey)) 7490Sstevel@tonic-gate { 7500Sstevel@tonic-gate BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); 7510Sstevel@tonic-gate goto err; 7520Sstevel@tonic-gate } 7530Sstevel@tonic-gate 7540Sstevel@tonic-gate f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE); 7550Sstevel@tonic-gate if (f == NULL) 7560Sstevel@tonic-gate ERR_clear_error(); 7570Sstevel@tonic-gate if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 7580Sstevel@tonic-gate preserve=1; 7590Sstevel@tonic-gate f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK); 7600Sstevel@tonic-gate if (f == NULL) 7610Sstevel@tonic-gate ERR_clear_error(); 7620Sstevel@tonic-gate if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) 7630Sstevel@tonic-gate msie_hack=1; 7640Sstevel@tonic-gate 7650Sstevel@tonic-gate f=NCONF_get_string(conf,section,ENV_NAMEOPT); 7660Sstevel@tonic-gate 7670Sstevel@tonic-gate if (f) 
7680Sstevel@tonic-gate { 7690Sstevel@tonic-gate if (!set_name_ex(&nameopt, f)) 7700Sstevel@tonic-gate { 7710Sstevel@tonic-gate BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); 7720Sstevel@tonic-gate goto err; 7730Sstevel@tonic-gate } 7740Sstevel@tonic-gate default_op = 0; 7750Sstevel@tonic-gate } 7760Sstevel@tonic-gate else 7770Sstevel@tonic-gate ERR_clear_error(); 7780Sstevel@tonic-gate 7790Sstevel@tonic-gate f=NCONF_get_string(conf,section,ENV_CERTOPT); 7800Sstevel@tonic-gate 7810Sstevel@tonic-gate if (f) 7820Sstevel@tonic-gate { 7830Sstevel@tonic-gate if (!set_cert_ex(&certopt, f)) 7840Sstevel@tonic-gate { 7850Sstevel@tonic-gate BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); 7860Sstevel@tonic-gate goto err; 7870Sstevel@tonic-gate } 7880Sstevel@tonic-gate default_op = 0; 7890Sstevel@tonic-gate } 7900Sstevel@tonic-gate else 7910Sstevel@tonic-gate ERR_clear_error(); 7920Sstevel@tonic-gate 7930Sstevel@tonic-gate f=NCONF_get_string(conf,section,ENV_EXTCOPY); 7940Sstevel@tonic-gate 7950Sstevel@tonic-gate if (f) 7960Sstevel@tonic-gate { 7970Sstevel@tonic-gate if (!set_ext_copy(&ext_copy, f)) 7980Sstevel@tonic-gate { 7990Sstevel@tonic-gate BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); 8000Sstevel@tonic-gate goto err; 8010Sstevel@tonic-gate } 8020Sstevel@tonic-gate } 8030Sstevel@tonic-gate else 8040Sstevel@tonic-gate ERR_clear_error(); 8050Sstevel@tonic-gate 8060Sstevel@tonic-gate /*****************************************************************/ 8070Sstevel@tonic-gate /* lookup where to write new certificates */ 8080Sstevel@tonic-gate if ((outdir == NULL) && (req)) 8090Sstevel@tonic-gate { 8100Sstevel@tonic-gate struct stat sb; 8110Sstevel@tonic-gate 8120Sstevel@tonic-gate if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR)) 8130Sstevel@tonic-gate == NULL) 8140Sstevel@tonic-gate { 8150Sstevel@tonic-gate BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n"); 
8160Sstevel@tonic-gate goto err; 8170Sstevel@tonic-gate } 8180Sstevel@tonic-gate #ifndef OPENSSL_SYS_VMS 8190Sstevel@tonic-gate /* outdir is a directory spec, but access() for VMS demands a 8200Sstevel@tonic-gate filename. In any case, stat(), below, will catch the problem 8210Sstevel@tonic-gate if outdir is not a directory spec, and the fopen() or open() 8220Sstevel@tonic-gate will catch an error if there is no write access. 8230Sstevel@tonic-gate 8240Sstevel@tonic-gate Presumably, this problem could also be solved by using the DEC 8250Sstevel@tonic-gate C routines to convert the directory syntax to Unixly, and give 8260Sstevel@tonic-gate that to access(). However, time's too short to do that just 8270Sstevel@tonic-gate now. 8280Sstevel@tonic-gate */ 8290Sstevel@tonic-gate if (access(outdir,R_OK|W_OK|X_OK) != 0) 8300Sstevel@tonic-gate { 8310Sstevel@tonic-gate BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); 8320Sstevel@tonic-gate perror(outdir); 8330Sstevel@tonic-gate goto err; 8340Sstevel@tonic-gate } 8350Sstevel@tonic-gate 8360Sstevel@tonic-gate if (stat(outdir,&sb) != 0) 8370Sstevel@tonic-gate { 8380Sstevel@tonic-gate BIO_printf(bio_err,"unable to stat(%s)\n",outdir); 8390Sstevel@tonic-gate perror(outdir); 8400Sstevel@tonic-gate goto err; 8410Sstevel@tonic-gate } 842*871Scasper #ifdef S_ISDIR 843*871Scasper if (!S_ISDIR(sb.st_mode)) 8440Sstevel@tonic-gate { 8450Sstevel@tonic-gate BIO_printf(bio_err,"%s need to be a directory\n",outdir); 8460Sstevel@tonic-gate perror(outdir); 8470Sstevel@tonic-gate goto err; 8480Sstevel@tonic-gate } 8490Sstevel@tonic-gate #endif 8500Sstevel@tonic-gate #endif 8510Sstevel@tonic-gate } 8520Sstevel@tonic-gate 8530Sstevel@tonic-gate /*****************************************************************/ 8540Sstevel@tonic-gate /* we need to load the database file */ 8550Sstevel@tonic-gate if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL) 8560Sstevel@tonic-gate { 8570Sstevel@tonic-gate 
lookup_fail(section,ENV_DATABASE); 8580Sstevel@tonic-gate goto err; 8590Sstevel@tonic-gate } 8600Sstevel@tonic-gate db = load_index(dbfile, &db_attr); 8610Sstevel@tonic-gate if (db == NULL) goto err; 8620Sstevel@tonic-gate 8630Sstevel@tonic-gate /* Lets check some fields */ 8640Sstevel@tonic-gate for (i=0; i<sk_num(db->db->data); i++) 8650Sstevel@tonic-gate { 8660Sstevel@tonic-gate pp=(char **)sk_value(db->db->data,i); 8670Sstevel@tonic-gate if ((pp[DB_type][0] != DB_TYPE_REV) && 8680Sstevel@tonic-gate (pp[DB_rev_date][0] != '\0')) 8690Sstevel@tonic-gate { 8700Sstevel@tonic-gate BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1); 8710Sstevel@tonic-gate goto err; 8720Sstevel@tonic-gate } 8730Sstevel@tonic-gate if ((pp[DB_type][0] == DB_TYPE_REV) && 8740Sstevel@tonic-gate !make_revoked(NULL, pp[DB_rev_date])) 8750Sstevel@tonic-gate { 8760Sstevel@tonic-gate BIO_printf(bio_err," in entry %d\n", i+1); 8770Sstevel@tonic-gate goto err; 8780Sstevel@tonic-gate } 8790Sstevel@tonic-gate if (!check_time_format(pp[DB_exp_date])) 8800Sstevel@tonic-gate { 8810Sstevel@tonic-gate BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1); 8820Sstevel@tonic-gate goto err; 8830Sstevel@tonic-gate } 8840Sstevel@tonic-gate p=pp[DB_serial]; 8850Sstevel@tonic-gate j=strlen(p); 8860Sstevel@tonic-gate if (*p == '-') 8870Sstevel@tonic-gate { 8880Sstevel@tonic-gate p++; 8890Sstevel@tonic-gate j--; 8900Sstevel@tonic-gate } 8910Sstevel@tonic-gate if ((j&1) || (j < 2)) 8920Sstevel@tonic-gate { 8930Sstevel@tonic-gate BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j); 8940Sstevel@tonic-gate goto err; 8950Sstevel@tonic-gate } 8960Sstevel@tonic-gate while (*p) 8970Sstevel@tonic-gate { 8980Sstevel@tonic-gate if (!( ((*p >= '0') && (*p <= '9')) || 8990Sstevel@tonic-gate ((*p >= 'A') && (*p <= 'F')) || 9000Sstevel@tonic-gate ((*p >= 'a') && (*p <= 'f'))) ) 9010Sstevel@tonic-gate { 9020Sstevel@tonic-gate BIO_printf(bio_err,"entry %d: bad serial number 
characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p); 9030Sstevel@tonic-gate goto err; 9040Sstevel@tonic-gate } 9050Sstevel@tonic-gate p++; 9060Sstevel@tonic-gate } 9070Sstevel@tonic-gate } 9080Sstevel@tonic-gate if (verbose) 9090Sstevel@tonic-gate { 9100Sstevel@tonic-gate BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */ 9110Sstevel@tonic-gate #ifdef OPENSSL_SYS_VMS 9120Sstevel@tonic-gate { 9130Sstevel@tonic-gate BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 9140Sstevel@tonic-gate out = BIO_push(tmpbio, out); 9150Sstevel@tonic-gate } 9160Sstevel@tonic-gate #endif 9170Sstevel@tonic-gate TXT_DB_write(out,db->db); 9180Sstevel@tonic-gate BIO_printf(bio_err,"%d entries loaded from the database\n", 9190Sstevel@tonic-gate db->db->data->num); 9200Sstevel@tonic-gate BIO_printf(bio_err,"generating index\n"); 9210Sstevel@tonic-gate } 9220Sstevel@tonic-gate 9230Sstevel@tonic-gate if (!index_index(db)) goto err; 9240Sstevel@tonic-gate 9250Sstevel@tonic-gate /*****************************************************************/ 9260Sstevel@tonic-gate /* Update the db file for expired certificates */ 9270Sstevel@tonic-gate if (doupdatedb) 9280Sstevel@tonic-gate { 9290Sstevel@tonic-gate if (verbose) 9300Sstevel@tonic-gate BIO_printf(bio_err, "Updating %s ...\n", 9310Sstevel@tonic-gate dbfile); 9320Sstevel@tonic-gate 9330Sstevel@tonic-gate i = do_updatedb(db); 9340Sstevel@tonic-gate if (i == -1) 9350Sstevel@tonic-gate { 9360Sstevel@tonic-gate BIO_printf(bio_err,"Malloc failure\n"); 9370Sstevel@tonic-gate goto err; 9380Sstevel@tonic-gate } 9390Sstevel@tonic-gate else if (i == 0) 9400Sstevel@tonic-gate { 9410Sstevel@tonic-gate if (verbose) BIO_printf(bio_err, 9420Sstevel@tonic-gate "No entries found to mark expired\n"); 9430Sstevel@tonic-gate } 9440Sstevel@tonic-gate else 9450Sstevel@tonic-gate { 9460Sstevel@tonic-gate if (!save_index(dbfile,"new",db)) goto err; 9470Sstevel@tonic-gate 9480Sstevel@tonic-gate if (!rotate_index(dbfile,"new","old")) goto 
err; 9490Sstevel@tonic-gate 9500Sstevel@tonic-gate if (verbose) BIO_printf(bio_err, 9510Sstevel@tonic-gate "Done. %d entries marked as expired\n",i); 9520Sstevel@tonic-gate } 9530Sstevel@tonic-gate goto err; 9540Sstevel@tonic-gate } 9550Sstevel@tonic-gate 9560Sstevel@tonic-gate /*****************************************************************/ 9570Sstevel@tonic-gate /* Read extentions config file */ 9580Sstevel@tonic-gate if (extfile) 9590Sstevel@tonic-gate { 9600Sstevel@tonic-gate extconf = NCONF_new(NULL); 9610Sstevel@tonic-gate if (NCONF_load(extconf,extfile,&errorline) <= 0) 9620Sstevel@tonic-gate { 9630Sstevel@tonic-gate if (errorline <= 0) 9640Sstevel@tonic-gate BIO_printf(bio_err, "ERROR: loading the config file '%s'\n", 9650Sstevel@tonic-gate extfile); 9660Sstevel@tonic-gate else 9670Sstevel@tonic-gate BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n", 9680Sstevel@tonic-gate errorline,extfile); 9690Sstevel@tonic-gate ret = 1; 9700Sstevel@tonic-gate goto err; 9710Sstevel@tonic-gate } 9720Sstevel@tonic-gate 9730Sstevel@tonic-gate if (verbose) 9740Sstevel@tonic-gate BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile); 9750Sstevel@tonic-gate 9760Sstevel@tonic-gate /* We can have sections in the ext file */ 9770Sstevel@tonic-gate if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions"))) 9780Sstevel@tonic-gate extensions = "default"; 9790Sstevel@tonic-gate } 9800Sstevel@tonic-gate 9810Sstevel@tonic-gate /*****************************************************************/ 9820Sstevel@tonic-gate if (req || gencrl) 9830Sstevel@tonic-gate { 9840Sstevel@tonic-gate if (outfile != NULL) 9850Sstevel@tonic-gate { 9860Sstevel@tonic-gate if (BIO_write_filename(Sout,outfile) <= 0) 9870Sstevel@tonic-gate { 9880Sstevel@tonic-gate perror(outfile); 9890Sstevel@tonic-gate goto err; 9900Sstevel@tonic-gate } 9910Sstevel@tonic-gate } 9920Sstevel@tonic-gate else 9930Sstevel@tonic-gate { 9940Sstevel@tonic-gate 
BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT); 9950Sstevel@tonic-gate #ifdef OPENSSL_SYS_VMS 9960Sstevel@tonic-gate { 9970Sstevel@tonic-gate BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 9980Sstevel@tonic-gate Sout = BIO_push(tmpbio, Sout); 9990Sstevel@tonic-gate } 10000Sstevel@tonic-gate #endif 10010Sstevel@tonic-gate } 10020Sstevel@tonic-gate } 10030Sstevel@tonic-gate 10040Sstevel@tonic-gate if (req) 10050Sstevel@tonic-gate { 10060Sstevel@tonic-gate if ((md == NULL) && ((md=NCONF_get_string(conf, 10070Sstevel@tonic-gate section,ENV_DEFAULT_MD)) == NULL)) 10080Sstevel@tonic-gate { 10090Sstevel@tonic-gate lookup_fail(section,ENV_DEFAULT_MD); 10100Sstevel@tonic-gate goto err; 10110Sstevel@tonic-gate } 10120Sstevel@tonic-gate if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf, 10130Sstevel@tonic-gate section,ENV_DEFAULT_EMAIL_DN)) != NULL )) 10140Sstevel@tonic-gate { 10150Sstevel@tonic-gate if(strcmp(tmp_email_dn,"no") == 0) 10160Sstevel@tonic-gate email_dn=0; 10170Sstevel@tonic-gate } 10180Sstevel@tonic-gate if ((dgst=EVP_get_digestbyname(md)) == NULL) 10190Sstevel@tonic-gate { 10200Sstevel@tonic-gate BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); 10210Sstevel@tonic-gate goto err; 10220Sstevel@tonic-gate } 10230Sstevel@tonic-gate if (verbose) 10240Sstevel@tonic-gate BIO_printf(bio_err,"message digest is %s\n", 10250Sstevel@tonic-gate OBJ_nid2ln(dgst->type)); 10260Sstevel@tonic-gate if ((policy == NULL) && ((policy=NCONF_get_string(conf, 10270Sstevel@tonic-gate section,ENV_POLICY)) == NULL)) 10280Sstevel@tonic-gate { 10290Sstevel@tonic-gate lookup_fail(section,ENV_POLICY); 10300Sstevel@tonic-gate goto err; 10310Sstevel@tonic-gate } 10320Sstevel@tonic-gate if (verbose) 10330Sstevel@tonic-gate BIO_printf(bio_err,"policy is %s\n",policy); 10340Sstevel@tonic-gate 10350Sstevel@tonic-gate if ((serialfile=NCONF_get_string(conf,section,ENV_SERIAL)) 10360Sstevel@tonic-gate == NULL) 10370Sstevel@tonic-gate { 10380Sstevel@tonic-gate 
lookup_fail(section,ENV_SERIAL); 10390Sstevel@tonic-gate goto err; 10400Sstevel@tonic-gate } 10410Sstevel@tonic-gate 10420Sstevel@tonic-gate if (!extconf) 10430Sstevel@tonic-gate { 10440Sstevel@tonic-gate /* no '-extfile' option, so we look for extensions 10450Sstevel@tonic-gate * in the main configuration file */ 10460Sstevel@tonic-gate if (!extensions) 10470Sstevel@tonic-gate { 10480Sstevel@tonic-gate extensions=NCONF_get_string(conf,section, 10490Sstevel@tonic-gate ENV_EXTENSIONS); 10500Sstevel@tonic-gate if (!extensions) 10510Sstevel@tonic-gate ERR_clear_error(); 10520Sstevel@tonic-gate } 10530Sstevel@tonic-gate if (extensions) 10540Sstevel@tonic-gate { 10550Sstevel@tonic-gate /* Check syntax of file */ 10560Sstevel@tonic-gate X509V3_CTX ctx; 10570Sstevel@tonic-gate X509V3_set_ctx_test(&ctx); 10580Sstevel@tonic-gate X509V3_set_nconf(&ctx, conf); 10590Sstevel@tonic-gate if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, 10600Sstevel@tonic-gate NULL)) 10610Sstevel@tonic-gate { 10620Sstevel@tonic-gate BIO_printf(bio_err, 10630Sstevel@tonic-gate "Error Loading extension section %s\n", 10640Sstevel@tonic-gate extensions); 10650Sstevel@tonic-gate ret = 1; 10660Sstevel@tonic-gate goto err; 10670Sstevel@tonic-gate } 10680Sstevel@tonic-gate } 10690Sstevel@tonic-gate } 10700Sstevel@tonic-gate 10710Sstevel@tonic-gate if (startdate == NULL) 10720Sstevel@tonic-gate { 10730Sstevel@tonic-gate startdate=NCONF_get_string(conf,section, 10740Sstevel@tonic-gate ENV_DEFAULT_STARTDATE); 10750Sstevel@tonic-gate if (startdate == NULL) 10760Sstevel@tonic-gate ERR_clear_error(); 10770Sstevel@tonic-gate } 10780Sstevel@tonic-gate if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)) 10790Sstevel@tonic-gate { 10800Sstevel@tonic-gate BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n"); 10810Sstevel@tonic-gate goto err; 10820Sstevel@tonic-gate } 10830Sstevel@tonic-gate if (startdate == NULL) startdate="today"; 10840Sstevel@tonic-gate 10850Sstevel@tonic-gate if 
(enddate == NULL) 10860Sstevel@tonic-gate { 10870Sstevel@tonic-gate enddate=NCONF_get_string(conf,section, 10880Sstevel@tonic-gate ENV_DEFAULT_ENDDATE); 10890Sstevel@tonic-gate if (enddate == NULL) 10900Sstevel@tonic-gate ERR_clear_error(); 10910Sstevel@tonic-gate } 10920Sstevel@tonic-gate if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)) 10930Sstevel@tonic-gate { 10940Sstevel@tonic-gate BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n"); 10950Sstevel@tonic-gate goto err; 10960Sstevel@tonic-gate } 10970Sstevel@tonic-gate 10980Sstevel@tonic-gate if (days == 0) 10990Sstevel@tonic-gate { 11000Sstevel@tonic-gate if(!NCONF_get_number(conf,section, ENV_DEFAULT_DAYS, &days)) 11010Sstevel@tonic-gate days = 0; 11020Sstevel@tonic-gate } 11030Sstevel@tonic-gate if (!enddate && (days == 0)) 11040Sstevel@tonic-gate { 11050Sstevel@tonic-gate BIO_printf(bio_err,"cannot lookup how many days to certify for\n"); 11060Sstevel@tonic-gate goto err; 11070Sstevel@tonic-gate } 11080Sstevel@tonic-gate 11090Sstevel@tonic-gate if ((serial=load_serial(serialfile, 0, NULL)) == NULL) 11100Sstevel@tonic-gate { 11110Sstevel@tonic-gate BIO_printf(bio_err,"error while loading serial number\n"); 11120Sstevel@tonic-gate goto err; 11130Sstevel@tonic-gate } 11140Sstevel@tonic-gate if (verbose) 11150Sstevel@tonic-gate { 11160Sstevel@tonic-gate if (BN_is_zero(serial)) 11170Sstevel@tonic-gate BIO_printf(bio_err,"next serial number is 00\n"); 11180Sstevel@tonic-gate else 11190Sstevel@tonic-gate { 11200Sstevel@tonic-gate if ((f=BN_bn2hex(serial)) == NULL) goto err; 11210Sstevel@tonic-gate BIO_printf(bio_err,"next serial number is %s\n",f); 11220Sstevel@tonic-gate OPENSSL_free(f); 11230Sstevel@tonic-gate } 11240Sstevel@tonic-gate } 11250Sstevel@tonic-gate 11260Sstevel@tonic-gate if ((attribs=NCONF_get_section(conf,policy)) == NULL) 11270Sstevel@tonic-gate { 11280Sstevel@tonic-gate BIO_printf(bio_err,"unable to find 'section' for %s\n",policy); 11290Sstevel@tonic-gate goto err; 
11300Sstevel@tonic-gate } 11310Sstevel@tonic-gate 11320Sstevel@tonic-gate if ((cert_sk=sk_X509_new_null()) == NULL) 11330Sstevel@tonic-gate { 11340Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 11350Sstevel@tonic-gate goto err; 11360Sstevel@tonic-gate } 11370Sstevel@tonic-gate if (spkac_file != NULL) 11380Sstevel@tonic-gate { 11390Sstevel@tonic-gate total++; 11400Sstevel@tonic-gate j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, 11410Sstevel@tonic-gate serial,subj,email_dn,startdate,enddate,days,extensions, 11420Sstevel@tonic-gate conf,verbose,certopt,nameopt,default_op,ext_copy); 11430Sstevel@tonic-gate if (j < 0) goto err; 11440Sstevel@tonic-gate if (j > 0) 11450Sstevel@tonic-gate { 11460Sstevel@tonic-gate total_done++; 11470Sstevel@tonic-gate BIO_printf(bio_err,"\n"); 11480Sstevel@tonic-gate if (!BN_add_word(serial,1)) goto err; 11490Sstevel@tonic-gate if (!sk_X509_push(cert_sk,x)) 11500Sstevel@tonic-gate { 11510Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 11520Sstevel@tonic-gate goto err; 11530Sstevel@tonic-gate } 11540Sstevel@tonic-gate if (outfile) 11550Sstevel@tonic-gate { 11560Sstevel@tonic-gate output_der = 1; 11570Sstevel@tonic-gate batch = 1; 11580Sstevel@tonic-gate } 11590Sstevel@tonic-gate } 11600Sstevel@tonic-gate } 11610Sstevel@tonic-gate if (ss_cert_file != NULL) 11620Sstevel@tonic-gate { 11630Sstevel@tonic-gate total++; 11640Sstevel@tonic-gate j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, 11650Sstevel@tonic-gate db,serial,subj,email_dn,startdate,enddate,days,batch, 11660Sstevel@tonic-gate extensions,conf,verbose, certopt, nameopt, 11670Sstevel@tonic-gate default_op, ext_copy, e); 11680Sstevel@tonic-gate if (j < 0) goto err; 11690Sstevel@tonic-gate if (j > 0) 11700Sstevel@tonic-gate { 11710Sstevel@tonic-gate total_done++; 11720Sstevel@tonic-gate BIO_printf(bio_err,"\n"); 11730Sstevel@tonic-gate if (!BN_add_word(serial,1)) goto err; 11740Sstevel@tonic-gate if (!sk_X509_push(cert_sk,x)) 
11750Sstevel@tonic-gate { 11760Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 11770Sstevel@tonic-gate goto err; 11780Sstevel@tonic-gate } 11790Sstevel@tonic-gate } 11800Sstevel@tonic-gate } 11810Sstevel@tonic-gate if (infile != NULL) 11820Sstevel@tonic-gate { 11830Sstevel@tonic-gate total++; 11840Sstevel@tonic-gate j=certify(&x,infile,pkey,x509,dgst,attribs,db, 11850Sstevel@tonic-gate serial,subj,email_dn,startdate,enddate,days,batch, 11860Sstevel@tonic-gate extensions,conf,verbose, certopt, nameopt, 11870Sstevel@tonic-gate default_op, ext_copy); 11880Sstevel@tonic-gate if (j < 0) goto err; 11890Sstevel@tonic-gate if (j > 0) 11900Sstevel@tonic-gate { 11910Sstevel@tonic-gate total_done++; 11920Sstevel@tonic-gate BIO_printf(bio_err,"\n"); 11930Sstevel@tonic-gate if (!BN_add_word(serial,1)) goto err; 11940Sstevel@tonic-gate if (!sk_X509_push(cert_sk,x)) 11950Sstevel@tonic-gate { 11960Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 11970Sstevel@tonic-gate goto err; 11980Sstevel@tonic-gate } 11990Sstevel@tonic-gate } 12000Sstevel@tonic-gate } 12010Sstevel@tonic-gate for (i=0; i<argc; i++) 12020Sstevel@tonic-gate { 12030Sstevel@tonic-gate total++; 12040Sstevel@tonic-gate j=certify(&x,argv[i],pkey,x509,dgst,attribs,db, 12050Sstevel@tonic-gate serial,subj,email_dn,startdate,enddate,days,batch, 12060Sstevel@tonic-gate extensions,conf,verbose, certopt, nameopt, 12070Sstevel@tonic-gate default_op, ext_copy); 12080Sstevel@tonic-gate if (j < 0) goto err; 12090Sstevel@tonic-gate if (j > 0) 12100Sstevel@tonic-gate { 12110Sstevel@tonic-gate total_done++; 12120Sstevel@tonic-gate BIO_printf(bio_err,"\n"); 12130Sstevel@tonic-gate if (!BN_add_word(serial,1)) goto err; 12140Sstevel@tonic-gate if (!sk_X509_push(cert_sk,x)) 12150Sstevel@tonic-gate { 12160Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 12170Sstevel@tonic-gate goto err; 12180Sstevel@tonic-gate } 12190Sstevel@tonic-gate } 12200Sstevel@tonic-gate } 
12210Sstevel@tonic-gate /* we have a stack of newly certified certificates 12220Sstevel@tonic-gate * and a data base and serial number that need 12230Sstevel@tonic-gate * updating */ 12240Sstevel@tonic-gate 12250Sstevel@tonic-gate if (sk_X509_num(cert_sk) > 0) 12260Sstevel@tonic-gate { 12270Sstevel@tonic-gate if (!batch) 12280Sstevel@tonic-gate { 12290Sstevel@tonic-gate BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total); 12300Sstevel@tonic-gate (void)BIO_flush(bio_err); 12310Sstevel@tonic-gate buf[0][0]='\0'; 12320Sstevel@tonic-gate fgets(buf[0],10,stdin); 12330Sstevel@tonic-gate if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) 12340Sstevel@tonic-gate { 12350Sstevel@tonic-gate BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 12360Sstevel@tonic-gate ret=0; 12370Sstevel@tonic-gate goto err; 12380Sstevel@tonic-gate } 12390Sstevel@tonic-gate } 12400Sstevel@tonic-gate 12410Sstevel@tonic-gate BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk)); 12420Sstevel@tonic-gate 12430Sstevel@tonic-gate if (!save_serial(serialfile,"new",serial,NULL)) goto err; 12440Sstevel@tonic-gate 12450Sstevel@tonic-gate if (!save_index(dbfile, "new", db)) goto err; 12460Sstevel@tonic-gate } 12470Sstevel@tonic-gate 12480Sstevel@tonic-gate if (verbose) 12490Sstevel@tonic-gate BIO_printf(bio_err,"writing new certificates\n"); 12500Sstevel@tonic-gate for (i=0; i<sk_X509_num(cert_sk); i++) 12510Sstevel@tonic-gate { 12520Sstevel@tonic-gate int k; 12530Sstevel@tonic-gate char *n; 12540Sstevel@tonic-gate 12550Sstevel@tonic-gate x=sk_X509_value(cert_sk,i); 12560Sstevel@tonic-gate 12570Sstevel@tonic-gate j=x->cert_info->serialNumber->length; 12580Sstevel@tonic-gate p=(char *)x->cert_info->serialNumber->data; 12590Sstevel@tonic-gate 12600Sstevel@tonic-gate if(strlen(outdir) >= (size_t)(j ? 
BSIZE-j*2-6 : BSIZE-8)) 12610Sstevel@tonic-gate { 12620Sstevel@tonic-gate BIO_printf(bio_err,"certificate file name too long\n"); 12630Sstevel@tonic-gate goto err; 12640Sstevel@tonic-gate } 12650Sstevel@tonic-gate 12660Sstevel@tonic-gate strcpy(buf[2],outdir); 12670Sstevel@tonic-gate 12680Sstevel@tonic-gate #ifndef OPENSSL_SYS_VMS 12690Sstevel@tonic-gate BUF_strlcat(buf[2],"/",sizeof(buf[2])); 12700Sstevel@tonic-gate #endif 12710Sstevel@tonic-gate 12720Sstevel@tonic-gate n=(char *)&(buf[2][strlen(buf[2])]); 12730Sstevel@tonic-gate if (j > 0) 12740Sstevel@tonic-gate { 12750Sstevel@tonic-gate for (k=0; k<j; k++) 12760Sstevel@tonic-gate { 12770Sstevel@tonic-gate if (n >= &(buf[2][sizeof(buf[2])])) 12780Sstevel@tonic-gate break; 12790Sstevel@tonic-gate BIO_snprintf(n, 12800Sstevel@tonic-gate &buf[2][0] + sizeof(buf[2]) - n, 12810Sstevel@tonic-gate "%02X",(unsigned char)*(p++)); 12820Sstevel@tonic-gate n+=2; 12830Sstevel@tonic-gate } 12840Sstevel@tonic-gate } 12850Sstevel@tonic-gate else 12860Sstevel@tonic-gate { 12870Sstevel@tonic-gate *(n++)='0'; 12880Sstevel@tonic-gate *(n++)='0'; 12890Sstevel@tonic-gate } 12900Sstevel@tonic-gate *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m'; 12910Sstevel@tonic-gate *n='\0'; 12920Sstevel@tonic-gate if (verbose) 12930Sstevel@tonic-gate BIO_printf(bio_err,"writing %s\n",buf[2]); 12940Sstevel@tonic-gate 12950Sstevel@tonic-gate if (BIO_write_filename(Cout,buf[2]) <= 0) 12960Sstevel@tonic-gate { 12970Sstevel@tonic-gate perror(buf[2]); 12980Sstevel@tonic-gate goto err; 12990Sstevel@tonic-gate } 13000Sstevel@tonic-gate write_new_certificate(Cout,x, 0, notext); 13010Sstevel@tonic-gate write_new_certificate(Sout,x, output_der, notext); 13020Sstevel@tonic-gate } 13030Sstevel@tonic-gate 13040Sstevel@tonic-gate if (sk_X509_num(cert_sk)) 13050Sstevel@tonic-gate { 13060Sstevel@tonic-gate /* Rename the database and the serial file */ 13070Sstevel@tonic-gate if (!rotate_serial(serialfile,"new","old")) goto err; 13080Sstevel@tonic-gate 
13090Sstevel@tonic-gate if (!rotate_index(dbfile,"new","old")) goto err; 13100Sstevel@tonic-gate 13110Sstevel@tonic-gate BIO_printf(bio_err,"Data Base Updated\n"); 13120Sstevel@tonic-gate } 13130Sstevel@tonic-gate } 13140Sstevel@tonic-gate 13150Sstevel@tonic-gate /*****************************************************************/ 13160Sstevel@tonic-gate if (gencrl) 13170Sstevel@tonic-gate { 13180Sstevel@tonic-gate int crl_v2 = 0; 13190Sstevel@tonic-gate if (!crl_ext) 13200Sstevel@tonic-gate { 13210Sstevel@tonic-gate crl_ext=NCONF_get_string(conf,section,ENV_CRLEXT); 13220Sstevel@tonic-gate if (!crl_ext) 13230Sstevel@tonic-gate ERR_clear_error(); 13240Sstevel@tonic-gate } 13250Sstevel@tonic-gate if (crl_ext) 13260Sstevel@tonic-gate { 13270Sstevel@tonic-gate /* Check syntax of file */ 13280Sstevel@tonic-gate X509V3_CTX ctx; 13290Sstevel@tonic-gate X509V3_set_ctx_test(&ctx); 13300Sstevel@tonic-gate X509V3_set_nconf(&ctx, conf); 13310Sstevel@tonic-gate if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) 13320Sstevel@tonic-gate { 13330Sstevel@tonic-gate BIO_printf(bio_err, 13340Sstevel@tonic-gate "Error Loading CRL extension section %s\n", 13350Sstevel@tonic-gate crl_ext); 13360Sstevel@tonic-gate ret = 1; 13370Sstevel@tonic-gate goto err; 13380Sstevel@tonic-gate } 13390Sstevel@tonic-gate } 13400Sstevel@tonic-gate 13410Sstevel@tonic-gate if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER)) 13420Sstevel@tonic-gate != NULL) 13430Sstevel@tonic-gate if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL) 13440Sstevel@tonic-gate { 13450Sstevel@tonic-gate BIO_printf(bio_err,"error while loading CRL number\n"); 13460Sstevel@tonic-gate goto err; 13470Sstevel@tonic-gate } 13480Sstevel@tonic-gate 13490Sstevel@tonic-gate if (!crldays && !crlhours) 13500Sstevel@tonic-gate { 13510Sstevel@tonic-gate if (!NCONF_get_number(conf,section, 13520Sstevel@tonic-gate ENV_DEFAULT_CRL_DAYS, &crldays)) 13530Sstevel@tonic-gate crldays = 0; 13540Sstevel@tonic-gate if 
(!NCONF_get_number(conf,section, 13550Sstevel@tonic-gate ENV_DEFAULT_CRL_HOURS, &crlhours)) 13560Sstevel@tonic-gate crlhours = 0; 13570Sstevel@tonic-gate } 13580Sstevel@tonic-gate if ((crldays == 0) && (crlhours == 0)) 13590Sstevel@tonic-gate { 13600Sstevel@tonic-gate BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n"); 13610Sstevel@tonic-gate goto err; 13620Sstevel@tonic-gate } 13630Sstevel@tonic-gate 13640Sstevel@tonic-gate if (verbose) BIO_printf(bio_err,"making CRL\n"); 13650Sstevel@tonic-gate if ((crl=X509_CRL_new()) == NULL) goto err; 13660Sstevel@tonic-gate if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err; 13670Sstevel@tonic-gate 13680Sstevel@tonic-gate tmptm = ASN1_TIME_new(); 13690Sstevel@tonic-gate if (!tmptm) goto err; 13700Sstevel@tonic-gate X509_gmtime_adj(tmptm,0); 13710Sstevel@tonic-gate X509_CRL_set_lastUpdate(crl, tmptm); 13720Sstevel@tonic-gate X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); 13730Sstevel@tonic-gate X509_CRL_set_nextUpdate(crl, tmptm); 13740Sstevel@tonic-gate 13750Sstevel@tonic-gate ASN1_TIME_free(tmptm); 13760Sstevel@tonic-gate 13770Sstevel@tonic-gate for (i=0; i<sk_num(db->db->data); i++) 13780Sstevel@tonic-gate { 13790Sstevel@tonic-gate pp=(char **)sk_value(db->db->data,i); 13800Sstevel@tonic-gate if (pp[DB_type][0] == DB_TYPE_REV) 13810Sstevel@tonic-gate { 13820Sstevel@tonic-gate if ((r=X509_REVOKED_new()) == NULL) goto err; 13830Sstevel@tonic-gate j = make_revoked(r, pp[DB_rev_date]); 13840Sstevel@tonic-gate if (!j) goto err; 13850Sstevel@tonic-gate if (j == 2) crl_v2 = 1; 13860Sstevel@tonic-gate if (!BN_hex2bn(&serial, pp[DB_serial])) 13870Sstevel@tonic-gate goto err; 13880Sstevel@tonic-gate tmpser = BN_to_ASN1_INTEGER(serial, NULL); 13890Sstevel@tonic-gate BN_free(serial); 13900Sstevel@tonic-gate serial = NULL; 13910Sstevel@tonic-gate if (!tmpser) 13920Sstevel@tonic-gate goto err; 13930Sstevel@tonic-gate X509_REVOKED_set_serialNumber(r, tmpser); 13940Sstevel@tonic-gate 
ASN1_INTEGER_free(tmpser); 13950Sstevel@tonic-gate X509_CRL_add0_revoked(crl,r); 13960Sstevel@tonic-gate } 13970Sstevel@tonic-gate } 13980Sstevel@tonic-gate 13990Sstevel@tonic-gate /* sort the data so it will be written in serial 14000Sstevel@tonic-gate * number order */ 14010Sstevel@tonic-gate X509_CRL_sort(crl); 14020Sstevel@tonic-gate 14030Sstevel@tonic-gate /* we now have a CRL */ 14040Sstevel@tonic-gate if (verbose) BIO_printf(bio_err,"signing CRL\n"); 14050Sstevel@tonic-gate if (md != NULL) 14060Sstevel@tonic-gate { 14070Sstevel@tonic-gate if ((dgst=EVP_get_digestbyname(md)) == NULL) 14080Sstevel@tonic-gate { 14090Sstevel@tonic-gate BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); 14100Sstevel@tonic-gate goto err; 14110Sstevel@tonic-gate } 14120Sstevel@tonic-gate } 14130Sstevel@tonic-gate else 14140Sstevel@tonic-gate { 14150Sstevel@tonic-gate #ifndef OPENSSL_NO_DSA 14160Sstevel@tonic-gate if (pkey->type == EVP_PKEY_DSA) 14170Sstevel@tonic-gate dgst=EVP_dss1(); 14180Sstevel@tonic-gate else 14190Sstevel@tonic-gate #endif 14200Sstevel@tonic-gate dgst=EVP_md5(); 14210Sstevel@tonic-gate } 14220Sstevel@tonic-gate 14230Sstevel@tonic-gate /* Add any extensions asked for */ 14240Sstevel@tonic-gate 14250Sstevel@tonic-gate if (crl_ext || crlnumberfile != NULL) 14260Sstevel@tonic-gate { 14270Sstevel@tonic-gate X509V3_CTX crlctx; 14280Sstevel@tonic-gate X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); 14290Sstevel@tonic-gate X509V3_set_nconf(&crlctx, conf); 14300Sstevel@tonic-gate 14310Sstevel@tonic-gate if (crl_ext) 14320Sstevel@tonic-gate if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, 14330Sstevel@tonic-gate crl_ext, crl)) goto err; 14340Sstevel@tonic-gate if (crlnumberfile != NULL) 14350Sstevel@tonic-gate { 14360Sstevel@tonic-gate tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); 14370Sstevel@tonic-gate if (!tmpser) goto err; 14380Sstevel@tonic-gate X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0); 14390Sstevel@tonic-gate ASN1_INTEGER_free(tmpser); 
14400Sstevel@tonic-gate crl_v2 = 1; 14410Sstevel@tonic-gate if (!BN_add_word(crlnumber,1)) goto err; 14420Sstevel@tonic-gate } 14430Sstevel@tonic-gate } 14440Sstevel@tonic-gate if (crl_ext || crl_v2) 14450Sstevel@tonic-gate { 14460Sstevel@tonic-gate if (!X509_CRL_set_version(crl, 1)) 14470Sstevel@tonic-gate goto err; /* version 2 CRL */ 14480Sstevel@tonic-gate } 14490Sstevel@tonic-gate 14500Sstevel@tonic-gate 14510Sstevel@tonic-gate if (crlnumberfile != NULL) /* we have a CRL number that need updating */ 14520Sstevel@tonic-gate if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err; 14530Sstevel@tonic-gate 14540Sstevel@tonic-gate if (!X509_CRL_sign(crl,pkey,dgst)) goto err; 14550Sstevel@tonic-gate 14560Sstevel@tonic-gate PEM_write_bio_X509_CRL(Sout,crl); 14570Sstevel@tonic-gate 14580Sstevel@tonic-gate if (crlnumberfile != NULL) /* Rename the crlnumber file */ 14590Sstevel@tonic-gate if (!rotate_serial(crlnumberfile,"new","old")) goto err; 14600Sstevel@tonic-gate 14610Sstevel@tonic-gate } 14620Sstevel@tonic-gate /*****************************************************************/ 14630Sstevel@tonic-gate if (dorevoke) 14640Sstevel@tonic-gate { 14650Sstevel@tonic-gate if (infile == NULL) 14660Sstevel@tonic-gate { 14670Sstevel@tonic-gate BIO_printf(bio_err,"no input files\n"); 14680Sstevel@tonic-gate goto err; 14690Sstevel@tonic-gate } 14700Sstevel@tonic-gate else 14710Sstevel@tonic-gate { 14720Sstevel@tonic-gate X509 *revcert; 14730Sstevel@tonic-gate revcert=load_cert(bio_err, infile, FORMAT_PEM, 14740Sstevel@tonic-gate NULL, e, infile); 14750Sstevel@tonic-gate if (revcert == NULL) 14760Sstevel@tonic-gate goto err; 14770Sstevel@tonic-gate j=do_revoke(revcert,db, rev_type, rev_arg); 14780Sstevel@tonic-gate if (j <= 0) goto err; 14790Sstevel@tonic-gate X509_free(revcert); 14800Sstevel@tonic-gate 14810Sstevel@tonic-gate if (!save_index(dbfile, "new", db)) goto err; 14820Sstevel@tonic-gate 14830Sstevel@tonic-gate if (!rotate_index(dbfile, "new", "old")) goto err; 
14840Sstevel@tonic-gate 14850Sstevel@tonic-gate BIO_printf(bio_err,"Data Base Updated\n"); 14860Sstevel@tonic-gate } 14870Sstevel@tonic-gate } 14880Sstevel@tonic-gate /*****************************************************************/ 14890Sstevel@tonic-gate ret=0; 14900Sstevel@tonic-gate err: 14910Sstevel@tonic-gate if(tofree) 14920Sstevel@tonic-gate OPENSSL_free(tofree); 14930Sstevel@tonic-gate BIO_free_all(Cout); 14940Sstevel@tonic-gate BIO_free_all(Sout); 14950Sstevel@tonic-gate BIO_free_all(out); 14960Sstevel@tonic-gate BIO_free_all(in); 14970Sstevel@tonic-gate 14980Sstevel@tonic-gate if (cert_sk) 14990Sstevel@tonic-gate sk_X509_pop_free(cert_sk,X509_free); 15000Sstevel@tonic-gate 15010Sstevel@tonic-gate if (ret) ERR_print_errors(bio_err); 15020Sstevel@tonic-gate app_RAND_write_file(randfile, bio_err); 15030Sstevel@tonic-gate if (free_key && key) 15040Sstevel@tonic-gate OPENSSL_free(key); 15050Sstevel@tonic-gate BN_free(serial); 15060Sstevel@tonic-gate if (db) 15070Sstevel@tonic-gate free_index(db); 15080Sstevel@tonic-gate EVP_PKEY_free(pkey); 15090Sstevel@tonic-gate X509_free(x509); 15100Sstevel@tonic-gate X509_CRL_free(crl); 15110Sstevel@tonic-gate NCONF_free(conf); 15120Sstevel@tonic-gate OBJ_cleanup(); 15130Sstevel@tonic-gate apps_shutdown(); 15140Sstevel@tonic-gate OPENSSL_EXIT(ret); 15150Sstevel@tonic-gate } 15160Sstevel@tonic-gate 15170Sstevel@tonic-gate static void lookup_fail(char *name, char *tag) 15180Sstevel@tonic-gate { 15190Sstevel@tonic-gate BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag); 15200Sstevel@tonic-gate } 15210Sstevel@tonic-gate 15220Sstevel@tonic-gate static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, 15230Sstevel@tonic-gate const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, 15240Sstevel@tonic-gate BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, 15250Sstevel@tonic-gate long days, int batch, char *ext_sect, CONF *lconf, int verbose, 15260Sstevel@tonic-gate 
unsigned long certopt, unsigned long nameopt, int default_op, 15270Sstevel@tonic-gate int ext_copy) 15280Sstevel@tonic-gate { 15290Sstevel@tonic-gate X509_REQ *req=NULL; 15300Sstevel@tonic-gate BIO *in=NULL; 15310Sstevel@tonic-gate EVP_PKEY *pktmp=NULL; 15320Sstevel@tonic-gate int ok= -1,i; 15330Sstevel@tonic-gate 15340Sstevel@tonic-gate in=BIO_new(BIO_s_file()); 15350Sstevel@tonic-gate 15360Sstevel@tonic-gate if (BIO_read_filename(in,infile) <= 0) 15370Sstevel@tonic-gate { 15380Sstevel@tonic-gate perror(infile); 15390Sstevel@tonic-gate goto err; 15400Sstevel@tonic-gate } 15410Sstevel@tonic-gate if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL) 15420Sstevel@tonic-gate { 15430Sstevel@tonic-gate BIO_printf(bio_err,"Error reading certificate request in %s\n", 15440Sstevel@tonic-gate infile); 15450Sstevel@tonic-gate goto err; 15460Sstevel@tonic-gate } 15470Sstevel@tonic-gate if (verbose) 15480Sstevel@tonic-gate X509_REQ_print(bio_err,req); 15490Sstevel@tonic-gate 15500Sstevel@tonic-gate BIO_printf(bio_err,"Check that the request matches the signature\n"); 15510Sstevel@tonic-gate 15520Sstevel@tonic-gate if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) 15530Sstevel@tonic-gate { 15540Sstevel@tonic-gate BIO_printf(bio_err,"error unpacking public key\n"); 15550Sstevel@tonic-gate goto err; 15560Sstevel@tonic-gate } 15570Sstevel@tonic-gate i=X509_REQ_verify(req,pktmp); 15580Sstevel@tonic-gate EVP_PKEY_free(pktmp); 15590Sstevel@tonic-gate if (i < 0) 15600Sstevel@tonic-gate { 15610Sstevel@tonic-gate ok=0; 15620Sstevel@tonic-gate BIO_printf(bio_err,"Signature verification problems....\n"); 15630Sstevel@tonic-gate goto err; 15640Sstevel@tonic-gate } 15650Sstevel@tonic-gate if (i == 0) 15660Sstevel@tonic-gate { 15670Sstevel@tonic-gate ok=0; 15680Sstevel@tonic-gate BIO_printf(bio_err,"Signature did not match the certificate request\n"); 15690Sstevel@tonic-gate goto err; 15700Sstevel@tonic-gate } 15710Sstevel@tonic-gate else 15720Sstevel@tonic-gate 
BIO_printf(bio_err,"Signature ok\n"); 15730Sstevel@tonic-gate 15740Sstevel@tonic-gate ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn, 15750Sstevel@tonic-gate startdate,enddate,days,batch,verbose,req,ext_sect,lconf, 15760Sstevel@tonic-gate certopt, nameopt, default_op, ext_copy); 15770Sstevel@tonic-gate 15780Sstevel@tonic-gate err: 15790Sstevel@tonic-gate if (req != NULL) X509_REQ_free(req); 15800Sstevel@tonic-gate if (in != NULL) BIO_free(in); 15810Sstevel@tonic-gate return(ok); 15820Sstevel@tonic-gate } 15830Sstevel@tonic-gate 15840Sstevel@tonic-gate static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, 15850Sstevel@tonic-gate const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db, 15860Sstevel@tonic-gate BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, 15870Sstevel@tonic-gate long days, int batch, char *ext_sect, CONF *lconf, int verbose, 15880Sstevel@tonic-gate unsigned long certopt, unsigned long nameopt, int default_op, 15890Sstevel@tonic-gate int ext_copy, ENGINE *e) 15900Sstevel@tonic-gate { 15910Sstevel@tonic-gate X509 *req=NULL; 15920Sstevel@tonic-gate X509_REQ *rreq=NULL; 15930Sstevel@tonic-gate EVP_PKEY *pktmp=NULL; 15940Sstevel@tonic-gate int ok= -1,i; 15950Sstevel@tonic-gate 15960Sstevel@tonic-gate if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL) 15970Sstevel@tonic-gate goto err; 15980Sstevel@tonic-gate if (verbose) 15990Sstevel@tonic-gate X509_print(bio_err,req); 16000Sstevel@tonic-gate 16010Sstevel@tonic-gate BIO_printf(bio_err,"Check that the request matches the signature\n"); 16020Sstevel@tonic-gate 16030Sstevel@tonic-gate if ((pktmp=X509_get_pubkey(req)) == NULL) 16040Sstevel@tonic-gate { 16050Sstevel@tonic-gate BIO_printf(bio_err,"error unpacking public key\n"); 16060Sstevel@tonic-gate goto err; 16070Sstevel@tonic-gate } 16080Sstevel@tonic-gate i=X509_verify(req,pktmp); 16090Sstevel@tonic-gate EVP_PKEY_free(pktmp); 16100Sstevel@tonic-gate if (i < 0) 
16110Sstevel@tonic-gate { 16120Sstevel@tonic-gate ok=0; 16130Sstevel@tonic-gate BIO_printf(bio_err,"Signature verification problems....\n"); 16140Sstevel@tonic-gate goto err; 16150Sstevel@tonic-gate } 16160Sstevel@tonic-gate if (i == 0) 16170Sstevel@tonic-gate { 16180Sstevel@tonic-gate ok=0; 16190Sstevel@tonic-gate BIO_printf(bio_err,"Signature did not match the certificate\n"); 16200Sstevel@tonic-gate goto err; 16210Sstevel@tonic-gate } 16220Sstevel@tonic-gate else 16230Sstevel@tonic-gate BIO_printf(bio_err,"Signature ok\n"); 16240Sstevel@tonic-gate 16250Sstevel@tonic-gate if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) 16260Sstevel@tonic-gate goto err; 16270Sstevel@tonic-gate 16280Sstevel@tonic-gate ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, 16290Sstevel@tonic-gate days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, 16300Sstevel@tonic-gate ext_copy); 16310Sstevel@tonic-gate 16320Sstevel@tonic-gate err: 16330Sstevel@tonic-gate if (rreq != NULL) X509_REQ_free(rreq); 16340Sstevel@tonic-gate if (req != NULL) X509_free(req); 16350Sstevel@tonic-gate return(ok); 16360Sstevel@tonic-gate } 16370Sstevel@tonic-gate 16380Sstevel@tonic-gate static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, 16390Sstevel@tonic-gate STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj, 16400Sstevel@tonic-gate int email_dn, char *startdate, char *enddate, long days, int batch, 16410Sstevel@tonic-gate int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, 16420Sstevel@tonic-gate unsigned long certopt, unsigned long nameopt, int default_op, 16430Sstevel@tonic-gate int ext_copy) 16440Sstevel@tonic-gate { 16450Sstevel@tonic-gate X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL; 16460Sstevel@tonic-gate ASN1_UTCTIME *tm,*tmptm; 16470Sstevel@tonic-gate ASN1_STRING *str,*str2; 16480Sstevel@tonic-gate ASN1_OBJECT *obj; 16490Sstevel@tonic-gate X509 *ret=NULL; 
16500Sstevel@tonic-gate X509_CINF *ci; 16510Sstevel@tonic-gate X509_NAME_ENTRY *ne; 16520Sstevel@tonic-gate X509_NAME_ENTRY *tne,*push; 16530Sstevel@tonic-gate EVP_PKEY *pktmp; 16540Sstevel@tonic-gate int ok= -1,i,j,last,nid; 16550Sstevel@tonic-gate char *p; 16560Sstevel@tonic-gate CONF_VALUE *cv; 16570Sstevel@tonic-gate char *row[DB_NUMBER],**rrow=NULL,**irow=NULL; 16580Sstevel@tonic-gate char buf[25]; 16590Sstevel@tonic-gate 16600Sstevel@tonic-gate tmptm=ASN1_UTCTIME_new(); 16610Sstevel@tonic-gate if (tmptm == NULL) 16620Sstevel@tonic-gate { 16630Sstevel@tonic-gate BIO_printf(bio_err,"malloc error\n"); 16640Sstevel@tonic-gate return(0); 16650Sstevel@tonic-gate } 16660Sstevel@tonic-gate 16670Sstevel@tonic-gate for (i=0; i<DB_NUMBER; i++) 16680Sstevel@tonic-gate row[i]=NULL; 16690Sstevel@tonic-gate 16700Sstevel@tonic-gate if (subj) 16710Sstevel@tonic-gate { 16720Sstevel@tonic-gate X509_NAME *n = do_subject(subj, MBSTRING_ASC); 16730Sstevel@tonic-gate 16740Sstevel@tonic-gate if (!n) 16750Sstevel@tonic-gate { 16760Sstevel@tonic-gate ERR_print_errors(bio_err); 16770Sstevel@tonic-gate goto err; 16780Sstevel@tonic-gate } 16790Sstevel@tonic-gate X509_REQ_set_subject_name(req,n); 16800Sstevel@tonic-gate req->req_info->enc.modified = 1; 16810Sstevel@tonic-gate X509_NAME_free(n); 16820Sstevel@tonic-gate } 16830Sstevel@tonic-gate 16840Sstevel@tonic-gate if (default_op) 16850Sstevel@tonic-gate BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n"); 16860Sstevel@tonic-gate 16870Sstevel@tonic-gate name=X509_REQ_get_subject_name(req); 16880Sstevel@tonic-gate for (i=0; i<X509_NAME_entry_count(name); i++) 16890Sstevel@tonic-gate { 16900Sstevel@tonic-gate ne= X509_NAME_get_entry(name,i); 16910Sstevel@tonic-gate str=X509_NAME_ENTRY_get_data(ne); 16920Sstevel@tonic-gate obj=X509_NAME_ENTRY_get_object(ne); 16930Sstevel@tonic-gate 16940Sstevel@tonic-gate if (msie_hack) 16950Sstevel@tonic-gate { 16960Sstevel@tonic-gate /* assume all type should be strings */ 
16970Sstevel@tonic-gate nid=OBJ_obj2nid(ne->object); 16980Sstevel@tonic-gate 16990Sstevel@tonic-gate if (str->type == V_ASN1_UNIVERSALSTRING) 17000Sstevel@tonic-gate ASN1_UNIVERSALSTRING_to_string(str); 17010Sstevel@tonic-gate 17020Sstevel@tonic-gate if ((str->type == V_ASN1_IA5STRING) && 17030Sstevel@tonic-gate (nid != NID_pkcs9_emailAddress)) 17040Sstevel@tonic-gate str->type=V_ASN1_T61STRING; 17050Sstevel@tonic-gate 17060Sstevel@tonic-gate if ((nid == NID_pkcs9_emailAddress) && 17070Sstevel@tonic-gate (str->type == V_ASN1_PRINTABLESTRING)) 17080Sstevel@tonic-gate str->type=V_ASN1_IA5STRING; 17090Sstevel@tonic-gate } 17100Sstevel@tonic-gate 17110Sstevel@tonic-gate /* If no EMAIL is wanted in the subject */ 17120Sstevel@tonic-gate if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn)) 17130Sstevel@tonic-gate continue; 17140Sstevel@tonic-gate 17150Sstevel@tonic-gate /* check some things */ 17160Sstevel@tonic-gate if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && 17170Sstevel@tonic-gate (str->type != V_ASN1_IA5STRING)) 17180Sstevel@tonic-gate { 17190Sstevel@tonic-gate BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n"); 17200Sstevel@tonic-gate goto err; 17210Sstevel@tonic-gate } 17220Sstevel@tonic-gate if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING)) 17230Sstevel@tonic-gate { 17240Sstevel@tonic-gate j=ASN1_PRINTABLE_type(str->data,str->length); 17250Sstevel@tonic-gate if ( ((j == V_ASN1_T61STRING) && 17260Sstevel@tonic-gate (str->type != V_ASN1_T61STRING)) || 17270Sstevel@tonic-gate ((j == V_ASN1_IA5STRING) && 17280Sstevel@tonic-gate (str->type == V_ASN1_PRINTABLESTRING))) 17290Sstevel@tonic-gate { 17300Sstevel@tonic-gate BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n"); 17310Sstevel@tonic-gate goto err; 17320Sstevel@tonic-gate } 17330Sstevel@tonic-gate } 17340Sstevel@tonic-gate 17350Sstevel@tonic-gate if (default_op) 17360Sstevel@tonic-gate old_entry_print(bio_err, 
obj, str); 17370Sstevel@tonic-gate } 17380Sstevel@tonic-gate 17390Sstevel@tonic-gate /* Ok, now we check the 'policy' stuff. */ 17400Sstevel@tonic-gate if ((subject=X509_NAME_new()) == NULL) 17410Sstevel@tonic-gate { 17420Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 17430Sstevel@tonic-gate goto err; 17440Sstevel@tonic-gate } 17450Sstevel@tonic-gate 17460Sstevel@tonic-gate /* take a copy of the issuer name before we mess with it. */ 17470Sstevel@tonic-gate CAname=X509_NAME_dup(x509->cert_info->subject); 17480Sstevel@tonic-gate if (CAname == NULL) goto err; 17490Sstevel@tonic-gate str=str2=NULL; 17500Sstevel@tonic-gate 17510Sstevel@tonic-gate for (i=0; i<sk_CONF_VALUE_num(policy); i++) 17520Sstevel@tonic-gate { 17530Sstevel@tonic-gate cv=sk_CONF_VALUE_value(policy,i); /* get the object id */ 17540Sstevel@tonic-gate if ((j=OBJ_txt2nid(cv->name)) == NID_undef) 17550Sstevel@tonic-gate { 17560Sstevel@tonic-gate BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name); 17570Sstevel@tonic-gate goto err; 17580Sstevel@tonic-gate } 17590Sstevel@tonic-gate obj=OBJ_nid2obj(j); 17600Sstevel@tonic-gate 17610Sstevel@tonic-gate last= -1; 17620Sstevel@tonic-gate for (;;) 17630Sstevel@tonic-gate { 17640Sstevel@tonic-gate /* lookup the object in the supplied name list */ 17650Sstevel@tonic-gate j=X509_NAME_get_index_by_OBJ(name,obj,last); 17660Sstevel@tonic-gate if (j < 0) 17670Sstevel@tonic-gate { 17680Sstevel@tonic-gate if (last != -1) break; 17690Sstevel@tonic-gate tne=NULL; 17700Sstevel@tonic-gate } 17710Sstevel@tonic-gate else 17720Sstevel@tonic-gate { 17730Sstevel@tonic-gate tne=X509_NAME_get_entry(name,j); 17740Sstevel@tonic-gate } 17750Sstevel@tonic-gate last=j; 17760Sstevel@tonic-gate 17770Sstevel@tonic-gate /* depending on the 'policy', decide what to do. 
*/ 17780Sstevel@tonic-gate push=NULL; 17790Sstevel@tonic-gate if (strcmp(cv->value,"optional") == 0) 17800Sstevel@tonic-gate { 17810Sstevel@tonic-gate if (tne != NULL) 17820Sstevel@tonic-gate push=tne; 17830Sstevel@tonic-gate } 17840Sstevel@tonic-gate else if (strcmp(cv->value,"supplied") == 0) 17850Sstevel@tonic-gate { 17860Sstevel@tonic-gate if (tne == NULL) 17870Sstevel@tonic-gate { 17880Sstevel@tonic-gate BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name); 17890Sstevel@tonic-gate goto err; 17900Sstevel@tonic-gate } 17910Sstevel@tonic-gate else 17920Sstevel@tonic-gate push=tne; 17930Sstevel@tonic-gate } 17940Sstevel@tonic-gate else if (strcmp(cv->value,"match") == 0) 17950Sstevel@tonic-gate { 17960Sstevel@tonic-gate int last2; 17970Sstevel@tonic-gate 17980Sstevel@tonic-gate if (tne == NULL) 17990Sstevel@tonic-gate { 18000Sstevel@tonic-gate BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name); 18010Sstevel@tonic-gate goto err; 18020Sstevel@tonic-gate } 18030Sstevel@tonic-gate 18040Sstevel@tonic-gate last2= -1; 18050Sstevel@tonic-gate 18060Sstevel@tonic-gate again2: 18070Sstevel@tonic-gate j=X509_NAME_get_index_by_OBJ(CAname,obj,last2); 18080Sstevel@tonic-gate if ((j < 0) && (last2 == -1)) 18090Sstevel@tonic-gate { 18100Sstevel@tonic-gate BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name); 18110Sstevel@tonic-gate goto err; 18120Sstevel@tonic-gate } 18130Sstevel@tonic-gate if (j >= 0) 18140Sstevel@tonic-gate { 18150Sstevel@tonic-gate push=X509_NAME_get_entry(CAname,j); 18160Sstevel@tonic-gate str=X509_NAME_ENTRY_get_data(tne); 18170Sstevel@tonic-gate str2=X509_NAME_ENTRY_get_data(push); 18180Sstevel@tonic-gate last2=j; 18190Sstevel@tonic-gate if (ASN1_STRING_cmp(str,str2) != 0) 18200Sstevel@tonic-gate goto again2; 18210Sstevel@tonic-gate } 18220Sstevel@tonic-gate if (j < 0) 18230Sstevel@tonic-gate { 18240Sstevel@tonic-gate BIO_printf(bio_err,"The %s field 
needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data)); 18250Sstevel@tonic-gate goto err; 18260Sstevel@tonic-gate } 18270Sstevel@tonic-gate } 18280Sstevel@tonic-gate else 18290Sstevel@tonic-gate { 18300Sstevel@tonic-gate BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value); 18310Sstevel@tonic-gate goto err; 18320Sstevel@tonic-gate } 18330Sstevel@tonic-gate 18340Sstevel@tonic-gate if (push != NULL) 18350Sstevel@tonic-gate { 18360Sstevel@tonic-gate if (!X509_NAME_add_entry(subject,push, -1, 0)) 18370Sstevel@tonic-gate { 18380Sstevel@tonic-gate if (push != NULL) 18390Sstevel@tonic-gate X509_NAME_ENTRY_free(push); 18400Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 18410Sstevel@tonic-gate goto err; 18420Sstevel@tonic-gate } 18430Sstevel@tonic-gate } 18440Sstevel@tonic-gate if (j < 0) break; 18450Sstevel@tonic-gate } 18460Sstevel@tonic-gate } 18470Sstevel@tonic-gate 18480Sstevel@tonic-gate if (preserve) 18490Sstevel@tonic-gate { 18500Sstevel@tonic-gate X509_NAME_free(subject); 18510Sstevel@tonic-gate /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ 18520Sstevel@tonic-gate subject=X509_NAME_dup(name); 18530Sstevel@tonic-gate if (subject == NULL) goto err; 18540Sstevel@tonic-gate } 18550Sstevel@tonic-gate 18560Sstevel@tonic-gate if (verbose) 18570Sstevel@tonic-gate BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); 18580Sstevel@tonic-gate 18590Sstevel@tonic-gate /* Build the correct Subject if no e-mail is wanted in the subject */ 18600Sstevel@tonic-gate /* and add it later on because of the method extensions are added (altName) */ 18610Sstevel@tonic-gate 18620Sstevel@tonic-gate if (email_dn) 18630Sstevel@tonic-gate dn_subject = subject; 18640Sstevel@tonic-gate else 18650Sstevel@tonic-gate { 18660Sstevel@tonic-gate X509_NAME_ENTRY *tmpne; 18670Sstevel@tonic-gate /* 
Its best to dup the subject DN and then delete any email 18680Sstevel@tonic-gate * addresses because this retains its structure. 18690Sstevel@tonic-gate */ 18700Sstevel@tonic-gate if (!(dn_subject = X509_NAME_dup(subject))) 18710Sstevel@tonic-gate { 18720Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 18730Sstevel@tonic-gate goto err; 18740Sstevel@tonic-gate } 18750Sstevel@tonic-gate while((i = X509_NAME_get_index_by_NID(dn_subject, 18760Sstevel@tonic-gate NID_pkcs9_emailAddress, -1)) >= 0) 18770Sstevel@tonic-gate { 18780Sstevel@tonic-gate tmpne = X509_NAME_get_entry(dn_subject, i); 18790Sstevel@tonic-gate X509_NAME_delete_entry(dn_subject, i); 18800Sstevel@tonic-gate X509_NAME_ENTRY_free(tmpne); 18810Sstevel@tonic-gate } 18820Sstevel@tonic-gate } 18830Sstevel@tonic-gate 18840Sstevel@tonic-gate if (BN_is_zero(serial)) 18850Sstevel@tonic-gate row[DB_serial]=BUF_strdup("00"); 18860Sstevel@tonic-gate else 18870Sstevel@tonic-gate row[DB_serial]=BN_bn2hex(serial); 18880Sstevel@tonic-gate if (row[DB_serial] == NULL) 18890Sstevel@tonic-gate { 18900Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 18910Sstevel@tonic-gate goto err; 18920Sstevel@tonic-gate } 18930Sstevel@tonic-gate 18940Sstevel@tonic-gate if (db->attributes.unique_subject) 18950Sstevel@tonic-gate { 18960Sstevel@tonic-gate rrow=TXT_DB_get_by_index(db->db,DB_name,row); 18970Sstevel@tonic-gate if (rrow != NULL) 18980Sstevel@tonic-gate { 18990Sstevel@tonic-gate BIO_printf(bio_err, 19000Sstevel@tonic-gate "ERROR:There is already a certificate for %s\n", 19010Sstevel@tonic-gate row[DB_name]); 19020Sstevel@tonic-gate } 19030Sstevel@tonic-gate } 19040Sstevel@tonic-gate if (rrow == NULL) 19050Sstevel@tonic-gate { 19060Sstevel@tonic-gate rrow=TXT_DB_get_by_index(db->db,DB_serial,row); 19070Sstevel@tonic-gate if (rrow != NULL) 19080Sstevel@tonic-gate { 19090Sstevel@tonic-gate BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n", 19100Sstevel@tonic-gate 
row[DB_serial]); 19110Sstevel@tonic-gate BIO_printf(bio_err," check the database/serial_file for corruption\n"); 19120Sstevel@tonic-gate } 19130Sstevel@tonic-gate } 19140Sstevel@tonic-gate 19150Sstevel@tonic-gate if (rrow != NULL) 19160Sstevel@tonic-gate { 19170Sstevel@tonic-gate BIO_printf(bio_err, 19180Sstevel@tonic-gate "The matching entry has the following details\n"); 19190Sstevel@tonic-gate if (rrow[DB_type][0] == 'E') 19200Sstevel@tonic-gate p="Expired"; 19210Sstevel@tonic-gate else if (rrow[DB_type][0] == 'R') 19220Sstevel@tonic-gate p="Revoked"; 19230Sstevel@tonic-gate else if (rrow[DB_type][0] == 'V') 19240Sstevel@tonic-gate p="Valid"; 19250Sstevel@tonic-gate else 19260Sstevel@tonic-gate p="\ninvalid type, Data base error\n"; 19270Sstevel@tonic-gate BIO_printf(bio_err,"Type :%s\n",p);; 19280Sstevel@tonic-gate if (rrow[DB_type][0] == 'R') 19290Sstevel@tonic-gate { 19300Sstevel@tonic-gate p=rrow[DB_exp_date]; if (p == NULL) p="undef"; 19310Sstevel@tonic-gate BIO_printf(bio_err,"Was revoked on:%s\n",p); 19320Sstevel@tonic-gate } 19330Sstevel@tonic-gate p=rrow[DB_exp_date]; if (p == NULL) p="undef"; 19340Sstevel@tonic-gate BIO_printf(bio_err,"Expires on :%s\n",p); 19350Sstevel@tonic-gate p=rrow[DB_serial]; if (p == NULL) p="undef"; 19360Sstevel@tonic-gate BIO_printf(bio_err,"Serial Number :%s\n",p); 19370Sstevel@tonic-gate p=rrow[DB_file]; if (p == NULL) p="undef"; 19380Sstevel@tonic-gate BIO_printf(bio_err,"File name :%s\n",p); 19390Sstevel@tonic-gate p=rrow[DB_name]; if (p == NULL) p="undef"; 19400Sstevel@tonic-gate BIO_printf(bio_err,"Subject Name :%s\n",p); 19410Sstevel@tonic-gate ok= -1; /* This is now a 'bad' error. 
*/ 19420Sstevel@tonic-gate goto err; 19430Sstevel@tonic-gate } 19440Sstevel@tonic-gate 19450Sstevel@tonic-gate /* We are now totally happy, lets make and sign the certificate */ 19460Sstevel@tonic-gate if (verbose) 19470Sstevel@tonic-gate BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n"); 19480Sstevel@tonic-gate 19490Sstevel@tonic-gate if ((ret=X509_new()) == NULL) goto err; 19500Sstevel@tonic-gate ci=ret->cert_info; 19510Sstevel@tonic-gate 19520Sstevel@tonic-gate #ifdef X509_V3 19530Sstevel@tonic-gate /* Make it an X509 v3 certificate. */ 19540Sstevel@tonic-gate if (!X509_set_version(ret,2)) goto err; 19550Sstevel@tonic-gate #endif 19560Sstevel@tonic-gate 19570Sstevel@tonic-gate if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL) 19580Sstevel@tonic-gate goto err; 19590Sstevel@tonic-gate if (!X509_set_issuer_name(ret,X509_get_subject_name(x509))) 19600Sstevel@tonic-gate goto err; 19610Sstevel@tonic-gate 19620Sstevel@tonic-gate if (strcmp(startdate,"today") == 0) 19630Sstevel@tonic-gate X509_gmtime_adj(X509_get_notBefore(ret),0); 19640Sstevel@tonic-gate else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate); 19650Sstevel@tonic-gate 19660Sstevel@tonic-gate if (enddate == NULL) 19670Sstevel@tonic-gate X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days); 19680Sstevel@tonic-gate else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate); 19690Sstevel@tonic-gate 19700Sstevel@tonic-gate if (!X509_set_subject_name(ret,subject)) goto err; 19710Sstevel@tonic-gate 19720Sstevel@tonic-gate pktmp=X509_REQ_get_pubkey(req); 19730Sstevel@tonic-gate i = X509_set_pubkey(ret,pktmp); 19740Sstevel@tonic-gate EVP_PKEY_free(pktmp); 19750Sstevel@tonic-gate if (!i) goto err; 19760Sstevel@tonic-gate 19770Sstevel@tonic-gate /* Lets add the extensions, if there are any */ 19780Sstevel@tonic-gate if (ext_sect) 19790Sstevel@tonic-gate { 19800Sstevel@tonic-gate X509V3_CTX ctx; 19810Sstevel@tonic-gate if (ci->version == NULL) 
19820Sstevel@tonic-gate if ((ci->version=ASN1_INTEGER_new()) == NULL) 19830Sstevel@tonic-gate goto err; 19840Sstevel@tonic-gate ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */ 19850Sstevel@tonic-gate 19860Sstevel@tonic-gate /* Free the current entries if any, there should not 19870Sstevel@tonic-gate * be any I believe */ 19880Sstevel@tonic-gate if (ci->extensions != NULL) 19890Sstevel@tonic-gate sk_X509_EXTENSION_pop_free(ci->extensions, 19900Sstevel@tonic-gate X509_EXTENSION_free); 19910Sstevel@tonic-gate 19920Sstevel@tonic-gate ci->extensions = NULL; 19930Sstevel@tonic-gate 19940Sstevel@tonic-gate /* Initialize the context structure */ 19950Sstevel@tonic-gate X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); 19960Sstevel@tonic-gate 19970Sstevel@tonic-gate if (extconf) 19980Sstevel@tonic-gate { 19990Sstevel@tonic-gate if (verbose) 20000Sstevel@tonic-gate BIO_printf(bio_err, "Extra configuration file found\n"); 20010Sstevel@tonic-gate 20020Sstevel@tonic-gate /* Use the extconf configuration db LHASH */ 20030Sstevel@tonic-gate X509V3_set_nconf(&ctx, extconf); 20040Sstevel@tonic-gate 20050Sstevel@tonic-gate /* Test the structure (needed?) 
*/ 20060Sstevel@tonic-gate /* X509V3_set_ctx_test(&ctx); */ 20070Sstevel@tonic-gate 20080Sstevel@tonic-gate /* Adds exts contained in the configuration file */ 20090Sstevel@tonic-gate if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret)) 20100Sstevel@tonic-gate { 20110Sstevel@tonic-gate BIO_printf(bio_err, 20120Sstevel@tonic-gate "ERROR: adding extensions in section %s\n", 20130Sstevel@tonic-gate ext_sect); 20140Sstevel@tonic-gate ERR_print_errors(bio_err); 20150Sstevel@tonic-gate goto err; 20160Sstevel@tonic-gate } 20170Sstevel@tonic-gate if (verbose) 20180Sstevel@tonic-gate BIO_printf(bio_err, "Successfully added extensions from file.\n"); 20190Sstevel@tonic-gate } 20200Sstevel@tonic-gate else if (ext_sect) 20210Sstevel@tonic-gate { 20220Sstevel@tonic-gate /* We found extensions to be set from config file */ 20230Sstevel@tonic-gate X509V3_set_nconf(&ctx, lconf); 20240Sstevel@tonic-gate 20250Sstevel@tonic-gate if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) 20260Sstevel@tonic-gate { 20270Sstevel@tonic-gate BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect); 20280Sstevel@tonic-gate ERR_print_errors(bio_err); 20290Sstevel@tonic-gate goto err; 20300Sstevel@tonic-gate } 20310Sstevel@tonic-gate 20320Sstevel@tonic-gate if (verbose) 20330Sstevel@tonic-gate BIO_printf(bio_err, "Successfully added extensions from config\n"); 20340Sstevel@tonic-gate } 20350Sstevel@tonic-gate } 20360Sstevel@tonic-gate 20370Sstevel@tonic-gate /* Copy extensions from request (if any) */ 20380Sstevel@tonic-gate 20390Sstevel@tonic-gate if (!copy_extensions(ret, req, ext_copy)) 20400Sstevel@tonic-gate { 20410Sstevel@tonic-gate BIO_printf(bio_err, "ERROR: adding extensions from request\n"); 20420Sstevel@tonic-gate ERR_print_errors(bio_err); 20430Sstevel@tonic-gate goto err; 20440Sstevel@tonic-gate } 20450Sstevel@tonic-gate 20460Sstevel@tonic-gate /* Set the right value for the noemailDN option */ 20470Sstevel@tonic-gate if( email_dn == 0 ) 20480Sstevel@tonic-gate { 
20490Sstevel@tonic-gate if (!X509_set_subject_name(ret,dn_subject)) goto err; 20500Sstevel@tonic-gate } 20510Sstevel@tonic-gate 20520Sstevel@tonic-gate if (!default_op) 20530Sstevel@tonic-gate { 20540Sstevel@tonic-gate BIO_printf(bio_err, "Certificate Details:\n"); 20550Sstevel@tonic-gate /* Never print signature details because signature not present */ 20560Sstevel@tonic-gate certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; 20570Sstevel@tonic-gate X509_print_ex(bio_err, ret, nameopt, certopt); 20580Sstevel@tonic-gate } 20590Sstevel@tonic-gate 20600Sstevel@tonic-gate BIO_printf(bio_err,"Certificate is to be certified until "); 20610Sstevel@tonic-gate ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret)); 20620Sstevel@tonic-gate if (days) BIO_printf(bio_err," (%d days)",days); 20630Sstevel@tonic-gate BIO_printf(bio_err, "\n"); 20640Sstevel@tonic-gate 20650Sstevel@tonic-gate if (!batch) 20660Sstevel@tonic-gate { 20670Sstevel@tonic-gate 20680Sstevel@tonic-gate BIO_printf(bio_err,"Sign the certificate? 
[y/n]:"); 20690Sstevel@tonic-gate (void)BIO_flush(bio_err); 20700Sstevel@tonic-gate buf[0]='\0'; 20710Sstevel@tonic-gate fgets(buf,sizeof(buf)-1,stdin); 20720Sstevel@tonic-gate if (!((buf[0] == 'y') || (buf[0] == 'Y'))) 20730Sstevel@tonic-gate { 20740Sstevel@tonic-gate BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n"); 20750Sstevel@tonic-gate ok=0; 20760Sstevel@tonic-gate goto err; 20770Sstevel@tonic-gate } 20780Sstevel@tonic-gate } 20790Sstevel@tonic-gate 20800Sstevel@tonic-gate 20810Sstevel@tonic-gate #ifndef OPENSSL_NO_DSA 20820Sstevel@tonic-gate if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1(); 20830Sstevel@tonic-gate pktmp=X509_get_pubkey(ret); 20840Sstevel@tonic-gate if (EVP_PKEY_missing_parameters(pktmp) && 20850Sstevel@tonic-gate !EVP_PKEY_missing_parameters(pkey)) 20860Sstevel@tonic-gate EVP_PKEY_copy_parameters(pktmp,pkey); 20870Sstevel@tonic-gate EVP_PKEY_free(pktmp); 20880Sstevel@tonic-gate #endif 20890Sstevel@tonic-gate 20900Sstevel@tonic-gate if (!X509_sign(ret,pkey,dgst)) 20910Sstevel@tonic-gate goto err; 20920Sstevel@tonic-gate 20930Sstevel@tonic-gate /* We now just add it to the database */ 20940Sstevel@tonic-gate row[DB_type]=(char *)OPENSSL_malloc(2); 20950Sstevel@tonic-gate 20960Sstevel@tonic-gate tm=X509_get_notAfter(ret); 20970Sstevel@tonic-gate row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1); 20980Sstevel@tonic-gate memcpy(row[DB_exp_date],tm->data,tm->length); 20990Sstevel@tonic-gate row[DB_exp_date][tm->length]='\0'; 21000Sstevel@tonic-gate 21010Sstevel@tonic-gate row[DB_rev_date]=NULL; 21020Sstevel@tonic-gate 21030Sstevel@tonic-gate /* row[DB_serial] done already */ 21040Sstevel@tonic-gate row[DB_file]=(char *)OPENSSL_malloc(8); 21050Sstevel@tonic-gate row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0); 21060Sstevel@tonic-gate 21070Sstevel@tonic-gate if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || 21080Sstevel@tonic-gate (row[DB_file] == NULL) || (row[DB_name] == NULL)) 21090Sstevel@tonic-gate { 
21100Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 21110Sstevel@tonic-gate goto err; 21120Sstevel@tonic-gate } 21130Sstevel@tonic-gate BUF_strlcpy(row[DB_file],"unknown",8); 21140Sstevel@tonic-gate row[DB_type][0]='V'; 21150Sstevel@tonic-gate row[DB_type][1]='\0'; 21160Sstevel@tonic-gate 21170Sstevel@tonic-gate if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL) 21180Sstevel@tonic-gate { 21190Sstevel@tonic-gate BIO_printf(bio_err,"Memory allocation failure\n"); 21200Sstevel@tonic-gate goto err; 21210Sstevel@tonic-gate } 21220Sstevel@tonic-gate 21230Sstevel@tonic-gate for (i=0; i<DB_NUMBER; i++) 21240Sstevel@tonic-gate { 21250Sstevel@tonic-gate irow[i]=row[i]; 21260Sstevel@tonic-gate row[i]=NULL; 21270Sstevel@tonic-gate } 21280Sstevel@tonic-gate irow[DB_NUMBER]=NULL; 21290Sstevel@tonic-gate 21300Sstevel@tonic-gate if (!TXT_DB_insert(db->db,irow)) 21310Sstevel@tonic-gate { 21320Sstevel@tonic-gate BIO_printf(bio_err,"failed to update database\n"); 21330Sstevel@tonic-gate BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error); 21340Sstevel@tonic-gate goto err; 21350Sstevel@tonic-gate } 21360Sstevel@tonic-gate ok=1; 21370Sstevel@tonic-gate err: 21380Sstevel@tonic-gate for (i=0; i<DB_NUMBER; i++) 21390Sstevel@tonic-gate if (row[i] != NULL) OPENSSL_free(row[i]); 21400Sstevel@tonic-gate 21410Sstevel@tonic-gate if (CAname != NULL) 21420Sstevel@tonic-gate X509_NAME_free(CAname); 21430Sstevel@tonic-gate if (subject != NULL) 21440Sstevel@tonic-gate X509_NAME_free(subject); 21450Sstevel@tonic-gate if ((dn_subject != NULL) && !email_dn) 21460Sstevel@tonic-gate X509_NAME_free(dn_subject); 21470Sstevel@tonic-gate if (tmptm != NULL) 21480Sstevel@tonic-gate ASN1_UTCTIME_free(tmptm); 21490Sstevel@tonic-gate if (ok <= 0) 21500Sstevel@tonic-gate { 21510Sstevel@tonic-gate if (ret != NULL) X509_free(ret); 21520Sstevel@tonic-gate ret=NULL; 21530Sstevel@tonic-gate } 21540Sstevel@tonic-gate else 21550Sstevel@tonic-gate *xret=ret; 
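return(ok);
	}

/* Write a newly issued certificate to bp.  With output_der set only the
 * DER encoding is written; otherwise an optional text dump (X509_print,
 * suppressed by notext) is followed by the PEM encoding.  Write failures
 * are not reported to the caller; any BIO/encoder error is left on the
 * OpenSSL error queue. */
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
	{
	if (output_der)
		{
		(void)i2d_X509_bio(bp,x);
		return;
		}
	/* X509_print already shows issuer, subject and serial, so no
	 * separate header is printed before the PEM block. */
	if (!notext) X509_print(bp,x);
	PEM_write_bio_X509(bp,x);
	}

/* Certify a Netscape SPKAC (SignedPublicKeyAndChallenge) request.
 *
 * infile is a name=value file whose "default" section carries the DN
 * components (CN=..., O=..., with an optional "N." / "N:" / "N," prefix
 * so an attribute can appear more than once) plus one "SPKAC=<base64>"
 * entry.  The pieces are folded into a dummy X509_REQ so that do_body()
 * can process them exactly like a PKCS#10 request.
 *
 * Security: the SPKAC's self-signature is verified against the public
 * key it carries before that key is placed in the request; this is the
 * submitter's proof of possession.  The challenge string inside the
 * SPKAC is not compared against anything here.  Name/value entries that
 * are neither a known DN attribute nor "SPKAC" are silently ignored.
 *
 * Returns do_body()'s result (1 on success) or -1 on any local failure,
 * in which case *xret is left untouched. */
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
	const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
	BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
	long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
	unsigned long nameopt, int default_op, int ext_copy)
	{
	STACK_OF(CONF_VALUE) *sk=NULL;
	LHASH *parms=NULL;
	X509_REQ *req=NULL;
	CONF_VALUE *cv=NULL;
	NETSCAPE_SPKI *spki = NULL;
	X509_REQ_INFO *ri;
	char *type,*buf;
	EVP_PKEY *pktmp=NULL;
	X509_NAME *n=NULL;
	X509_NAME_ENTRY *ne=NULL;
	int ok= -1,i,j;
	long errline;
	int nid;

	/* Load the input file into a hash table: an easy way to parse the
	 * name=value pairs into a STACK. */
	parms=CONF_load(NULL,infile,&errline);
	if (parms == NULL)
		{
		BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
		ERR_print_errors(bio_err);
		goto err;
		}

	sk=CONF_get_section(parms, "default");
	if ((sk == NULL) || (sk_CONF_VALUE_num(sk) <= 0))
		{
		BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
		/* parms is released exactly once, at err:.  The original code
		 * also called CONF_free(parms) here, which was a double free. */
		goto err;
		}

	/* Build a dummy request: there is no real PKCS#10, but we have its
	 * components (a public key and DN attributes). */
	req=X509_REQ_new();
	if (req == NULL)
		{
		ERR_print_errors(bio_err);
		goto err;
		}

	ri=req->req_info;
	n = ri->subject;

	for (i = 0; i < sk_CONF_VALUE_num(sk); i++)
		{
		cv=sk_CONF_VALUE_value(sk,i);
		type=cv->name;
		/* Skip past any leading "X." / "X:" / "X," prefix used to allow
		 * multiple instances of the same attribute. */
		for (buf = cv->name; *buf ; buf++)
			if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
				{
				buf++;
				if (*buf) type = buf;
				break;
				}

		buf=cv->value;
		if ((nid=OBJ_txt2nid(type)) == NID_undef)
			{
			/* Not a DN attribute: either the SPKAC itself or an
			 * unknown name, which is ignored. */
			if (strcmp(type, "SPKAC") == 0)
				{
				spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
				if (spki == NULL)
					{
					BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
					ERR_print_errors(bio_err);
					goto err;
					}
				}
			continue;
			}

		/* Pick the narrowest ASN.1 string type the value fits, then let
		 * fix_data() coerce it to what the attribute requires. */
		j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
		if (fix_data(nid, &j) == 0)
			{
			BIO_printf(bio_err,
				"invalid characters in string %s\n",buf);
			goto err;
			}

		/* ne is reused across iterations; X509_NAME_add_entry copies
		 * it, so the single X509_NAME_ENTRY_free at err: suffices. */
		if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
			(unsigned char *)buf,
			strlen(buf))) == NULL)
			goto err;

		if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
		}
	if (spki == NULL)
		{
		BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
			infile);
		goto err;
		}

	/* Extract the key from the SPKI structure and verify the SPKAC's
	 * signature with it: proof of possession of the private key. */
	BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");

	if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
		{
		BIO_printf(bio_err,"error unpacking SPKAC public key\n");
		goto err;
		}

	j = NETSCAPE_SPKI_verify(spki, pktmp);
	if (j <= 0)
		{
		BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
		goto err;
		}
	BIO_printf(bio_err,"Signature ok\n");

	/* The request does not take ownership of pktmp (the original code
	 * freed it right after this call), so drop our reference here
	 * whether or not the call succeeded. */
	j = X509_REQ_set_pubkey(req,pktmp);
	EVP_PKEY_free(pktmp);
	pktmp = NULL;
	if (!j)
		{
		ERR_print_errors(bio_err);
		goto err;
		}
	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
		days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
		ext_copy);
err:
	if (req != NULL) X509_REQ_free(req);
	if (parms != NULL) CONF_free(parms);
	if (spki != NULL) NETSCAPE_SPKI_free(spki);
	if (ne != NULL) X509_NAME_ENTRY_free(ne);
	/* only still set if we bailed out between get_pubkey and set_pubkey */
	if (pktmp != NULL) EVP_PKEY_free(pktmp);

	return(ok);
	}

/* Coerce the ASN.1 string type chosen for a DN attribute value to what
 * that attribute requires (e.g. emailAddress must be IA5String).
 * Returns 1 when *type is acceptable (possibly adjusted), 0 when the
 * value cannot be represented for this attribute; the caller then
 * reports "invalid characters". */
static int fix_data(int nid, int *type)
	{
	if (nid == NID_pkcs9_emailAddress)
		*type=V_ASN1_IA5STRING;
	if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
		*type=V_ASN1_T61STRING;
	if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))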
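*type=V_ASN1_T61STRING;
	if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
		return(0);
	if (nid == NID_pkcs9_unstructuredName)
		*type=V_ASN1_IA5STRING;
	return(1);
	}

/* Validate a user-supplied date string (-startdate/-enddate) as an
 * ASN.1 UTCTime, i.e. YYMMDDHHMMSSZ.  Only a stack ASN1_UTCTIME shell
 * pointing at str is built; nothing is allocated or modified.
 * Returns ASN1_UTCTIME_check()'s result (non-zero when valid). */
static int check_time_format(char *str)
	{
	ASN1_UTCTIME tm;

	/* zero the whole struct so no field (flags) is left uninitialized */
	memset(&tm, 0, sizeof(tm));
	tm.data=(unsigned char *)str;
	tm.length=strlen(str);
	tm.type=V_ASN1_UTCTIME;
	return(ASN1_UTCTIME_check(&tm));
	}

/* Mark x509 as revoked in the index.  type/value describe the
 * revocation reason (see make_revocation_str).
 *
 * The index is searched by serial number (a name lookup would skip
 * already-revoked entries).  When the serial is unknown the certificate
 * is first inserted as a 'V' entry and then this function recurses to
 * revoke it.  When it is known, the stored subject name must match the
 * certificate's (index_name_cmp), so a certificate that merely shares a
 * serial with an entry cannot flip that entry to revoked.
 *
 * NOTE(review): nothing here checks that x509 was actually issued by
 * this CA; any certificate with an unknown serial is added and revoked.
 * Confirm the caller validates the issuer if that matters.
 *
 * Returns 1 on success, -1 on error (already revoked counts as error). */
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
	{
	ASN1_UTCTIME *tm=NULL;
	char *row[DB_NUMBER],**rrow,**irow;
	char *rev_str = NULL;
	BIGNUM *bn = NULL;
	int ok=-1,i;

	for (i=0; i<DB_NUMBER; i++)
		row[i]=NULL;
	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
	/* a NULL bn used to be passed straight to BN_is_zero(); now it just
	 * leaves row[DB_serial] unset and is caught by the check below */
	if (bn != NULL)
		{
		/* the index stores serials as upper-case hex, "00" for zero */
		if (BN_is_zero(bn))
			row[DB_serial]=BUF_strdup("00");
		else
			row[DB_serial]=BN_bn2hex(bn);
		BN_free(bn);
		}
	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
		{
		BIO_printf(bio_err,"Memory allocation failure\n");
		goto err;
		}
	/* We have to lookup by serial number because name lookup
	 * skips revoked certs
	 */
	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
	if (rrow == NULL)
		{
		BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);

		/* We now just add it to the database */
		row[DB_type]=(char *)OPENSSL_malloc(2);

		tm=X509_get_notAfter(x509);
		row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
		if (row[DB_exp_date] != NULL)
			{
			memcpy(row[DB_exp_date],tm->data,tm->length);
			row[DB_exp_date][tm->length]='\0';
			}

		row[DB_rev_date]=NULL;

		/* row[DB_serial] done already */
		row[DB_file]=(char *)OPENSSL_malloc(8);

		/* row[DB_name] done already */

		if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
			(row[DB_file] == NULL))
			{
			BIO_printf(bio_err,"Memory allocation failure\n");
			goto err;
			}
		BUF_strlcpy(row[DB_file],"unknown",8);
		row[DB_type][0]='V';
		row[DB_type][1]='\0';

		if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
			{
			BIO_printf(bio_err,"Memory allocation failure\n");
			goto err;
			}

		/* hand the strings over to irow; the DB owns them on success */
		for (i=0; i<DB_NUMBER; i++)
			{
			irow[i]=row[i];
			row[i]=NULL;
			}
		irow[DB_NUMBER]=NULL;

		if (!TXT_DB_insert(db->db,irow))
			{
			BIO_printf(bio_err,"failed to update database\n");
			BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
			/* the DB did not take ownership; release irow and its
			 * strings (row[] is all NULL by now, so err: cannot) */
			for (i=0; i<DB_NUMBER; i++)
				if (irow[i] != NULL) OPENSSL_free(irow[i]);
			OPENSSL_free(irow);
			goto err;
			}

		/* Revoke Certificate: the entry now exists, so recurse once */
		ok = do_revoke(x509,db, type, value);

		goto err;

		}
	else if (index_name_cmp((const char **)row,(const char **)rrow))
		{
		BIO_printf(bio_err,"ERROR:name does not match %s\n",
			row[DB_name]);
		goto err;
		}
	else if (rrow[DB_type][0]=='R')
		{
		BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
			row[DB_serial]);
		goto err;
		}
	else
		{
		BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
		rev_str = make_revocation_str(type, value);
		if (!rev_str)
			{
			BIO_printf(bio_err, "Error in revocation arguments\n");
			goto err;
			}
		/* mutate the DB row in place: status 'R' plus the revocation
		 * string, which the DB now owns */
		rrow[DB_type][0]='R';
		rrow[DB_type][1]='\0';
		rrow[DB_rev_date] = rev_str;
		}
	ok=1;
err:
	for (i=0; i<DB_NUMBER; i++)
		{
		if (row[i] != NULL)
			OPENSSL_free(row[i]);
		}
	return(ok);
	}

/* Print the status of the certificate whose hex serial number is
 * 'serial', as recorded in the index.  The serial is left-padded with a
 * '0' to an even number of digits and upper-cased so that it matches
 * the BN_bn2hex form the index stores.
 * Returns 1 when the entry was found with a recognised status letter,
 * -1 when it is absent, its status is unknown, or on allocation failure. */
static int get_certificate_status(const char *serial, CA_DB *db)
	{
	char *row[DB_NUMBER],**rrow;
	int ok=-1,i;
	size_t len = strlen(serial);

	for (i=0; i<DB_NUMBER; i++)
		row[i]=NULL;

	/* room for an optional leading '0' plus the terminator */
	row[DB_serial] = OPENSSL_malloc(len + 2);
	if (row[DB_serial] == NULL)
		{
		BIO_printf(bio_err,"Malloc failure\n");
		goto err;
		}

	if (len % 2)
		{
		/* odd number of digits: prepend a '0' */
		row[DB_serial][0]='0';
		memcpy(row[DB_serial]+1, serial, len);
		row[DB_serial][len+1]='\0';
		}
	else
		{
		memcpy(row[DB_serial], serial, len);
		row[DB_serial][len]='\0';
		}

	/* Make it upper case; the cast keeps toupper() defined for bytes
	 * that a signed char would make negative. */
	for (i=0; row[DB_serial][i] != '\0'; i++)
		row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]);


	ok=1;

	/* Search for the certificate */
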
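rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
	if (rrow == NULL)
		{
		BIO_printf(bio_err,"Serial %s not present in db.\n",
			row[DB_serial]);
		ok=-1;
		goto err;
		}
	/* status letters: V valid, R revoked, E expired, S suspended */
	else if (rrow[DB_type][0]=='V')
		{
		BIO_printf(bio_err,"%s=Valid (%c)\n",
			row[DB_serial], rrow[DB_type][0]);
		goto err;
		}
	else if (rrow[DB_type][0]=='R')
		{
		BIO_printf(bio_err,"%s=Revoked (%c)\n",
			row[DB_serial], rrow[DB_type][0]);
		goto err;
		}
	else if (rrow[DB_type][0]=='E')
		{
		BIO_printf(bio_err,"%s=Expired (%c)\n",
			row[DB_serial], rrow[DB_type][0]);
		goto err;
		}
	else if (rrow[DB_type][0]=='S')
		{
		BIO_printf(bio_err,"%s=Suspended (%c)\n",
			row[DB_serial], rrow[DB_type][0]);
		goto err;
		}
	else
		{
		BIO_printf(bio_err,"%s=Unknown (%c).\n",
			row[DB_serial], rrow[DB_type][0]);
		ok=-1;
		}
err:
	for (i=0; i<DB_NUMBER; i++)
		{
		if (row[i] != NULL)
			OPENSSL_free(row[i]);
		}
	return(ok);
	}

/* Mark every 'V' (valid) index entry whose notAfter has passed as 'E'
 * (expired).  Returns the number of entries changed, or -1 on failure.
 *
 * Times are compared as raw UTCTime strings (YYMMDDHHMMSSZ).  The
 * two-digit year is first bucketed by century (00-49 -> 20xx,
 * 50-99 -> 19xx, the UTCTime rule), entries on an earlier century side
 * than "now" are expired outright, and only entries on the same side
 * are compared lexicographically.
 *
 * NOTE(review): this only works while exp_date is a 13-character
 * UTCTime.  A GeneralizedTime notAfter ("20500101...", 15 chars) would
 * be bucketed as 20xx by its first two digits and compared against a
 * UTCTime string, which does not give a meaningful ordering - confirm
 * before relying on this past 2049. */
static int do_updatedb (CA_DB *db)
	{
	ASN1_UTCTIME *a_tm = NULL;
	int i, cnt = 0;
	int db_y2k, a_y2k;	/* flags = 1 if y >= 2000 */
	char **rrow, *a_tm_s = NULL;

	/* get actual time and make a string; X509_gmtime_adj fills a_tm in
	 * place and returns it, or NULL on failure */
	a_tm = ASN1_UTCTIME_new();
	if ((a_tm == NULL) || (X509_gmtime_adj(a_tm, 0) == NULL))
		{
		cnt = -1;
		goto err;
		}
	a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
	if (a_tm_s == NULL)
		{
		cnt = -1;
		goto err;
		}

	memcpy(a_tm_s, a_tm->data, a_tm->length);
	a_tm_s[a_tm->length] = '\0';

	/* "00".."49" are 2000-2049, "50".."99" are 1950-1999 */
	a_y2k = (strncmp(a_tm_s, "49", 2) <= 0);

	for (i = 0; i < sk_num(db->db->data); i++)
		{
		rrow = (char **) sk_value(db->db->data, i);

		/* ignore entries that are not valid */
		if (rrow[DB_type][0] != 'V')
			continue;

		db_y2k = (strncmp(rrow[DB_exp_date], "49", 2) <= 0);

		/* expired if it lies on the earlier century side, or on the
		 * same side and is not later than now */
		if ((db_y2k < a_y2k) ||
			((db_y2k == a_y2k) && (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)))
			{
			rrow[DB_type][0] = 'E';
			rrow[DB_type][1] = '\0';
			cnt++;

			BIO_printf(bio_err, "%s=Expired\n",
				rrow[DB_serial]);
			}
		}

err:

	if (a_tm != NULL) ASN1_UTCTIME_free(a_tm);
	if (a_tm_s != NULL) OPENSSL_free(a_tm_s);

	return (cnt);
	}

static char *crl_reasons[] = {
	/* CRL reason strings */
	"unspecified",
	"keyCompromise",
	"CACompromise",
	"affiliationChanged",
	"superseded",
	"cessationOfOperation",
	"certificateHold",
	"removeFromCRL",
	/* Additional pseudo reasons */
	"holdInstruction",
	"keyTime",
	"CAkeyTime"
};

#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))

/* Given revocation information convert to a DB string.
 * The format of the string is:
 * revtime[,reason,extra]. Where 'revtime' is the
 * revocation time (the current time). 'reason' is the
 * optional CRL reason and 'extra' is any additional
 * argument.
 *
 * rev_type selects how rev_arg is interpreted: a CRL reason name
 * (REV_CRL_REASON), a hold instruction OID (REV_HOLD), or a key /
 * CA-key compromise time in YYYYMMDDHHMMSSZ form (REV_KEY_COMPROMISE,
 * REV_CA_COMPROMISE).  rev_arg is validated for the latter two but
 * stored as the text the user gave.  Returns a freshly allocated string
 * the caller owns, or NULL (after a message on bio_err) on bad input or
 * failure.
 */

char *make_revocation_str(int rev_type, char *rev_arg)
	{
	char *reason = NULL, *other = NULL, *str;
	ASN1_OBJECT *otmp;
	ASN1_UTCTIME *revtm = NULL;
	int i;
	switch (rev_type)
		{
	case REV_NONE:
		break;

	case REV_CRL_REASON:
		/* Only the first 8 entries of crl_reasons are real CRLReason
		 * names; the trailing pseudo reasons are internal markers and
		 * are deliberately not accepted from the command line. */
		for (i = 0; i < 8; i++)
			{
			if (!strcasecmp(rev_arg, crl_reasons[i]))
				{
				reason = crl_reasons[i];
				break;
				}
			}
		if (reason == NULL)
			{
			BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
			return NULL;
			}
		break;

	case REV_HOLD:
		/* Argument is an OID: parsed only to validate it, the text
		 * form is what gets stored. */
		otmp = OBJ_txt2obj(rev_arg, 0);
		if (otmp == NULL)
			{
			BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
			return NULL;
			}
		ASN1_OBJECT_free(otmp);

		reason = "holdInstruction";
		other = rev_arg;
		break;

	case REV_KEY_COMPROMISE:
	case REV_CA_COMPROMISE:

		/* Argument is the key compromise time; validate only (NULL
		 * target makes ASN1_GENERALIZEDTIME_set_string a pure check) */
		if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
			{
			BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
			return NULL;
			}
		other = rev_arg;
		if (rev_type == REV_KEY_COMPROMISE)
			reason = "keyTime";
		else
			reason = "CAkeyTime";

		break;

		/* no default: any other rev_type yields a bare revocation time */
		}

	/* revocation time is always "now" */
	revtm = X509_gmtime_adj(NULL, 0);
	if (revtm == NULL)
		{
		BIO_printf(bio_err, "error getting current time\n");
		return NULL;
		}

	i = revtm->length + 1;

	if (reason) i += strlen(reason) + 1;
	if (other) i += strlen(other) + 1;

	str = OPENSSL_malloc(i);

	if (!str)
		{
		ASN1_UTCTIME_free(revtm);
		return NULL;
		}

	/* relies on revtm->data being NUL terminated, as the original did */
	BUF_strlcpy(str, (char *)revtm->data, i);
	if (reason)
		{
		BUF_strlcat(str, ",", i);
		BUF_strlcat(str, reason, i);
		}
	if (other)
		{
		BUF_strlcat(str, ",", i);
		BUF_strlcat(str, other, i);
		}
	ASN1_UTCTIME_free(revtm);
	return str;
	}

/* Convert revocation field to X509_REVOKED entry
 * return code:
 * 0 error
 * 1 OK
 * 2 OK and some extensions added (i.e.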
V2 CRL) 27580Sstevel@tonic-gate */ 27590Sstevel@tonic-gate 27600Sstevel@tonic-gate 27610Sstevel@tonic-gate int make_revoked(X509_REVOKED *rev, char *str) 27620Sstevel@tonic-gate { 27630Sstevel@tonic-gate char *tmp = NULL; 27640Sstevel@tonic-gate int reason_code = -1; 27650Sstevel@tonic-gate int i, ret = 0; 27660Sstevel@tonic-gate ASN1_OBJECT *hold = NULL; 27670Sstevel@tonic-gate ASN1_GENERALIZEDTIME *comp_time = NULL; 27680Sstevel@tonic-gate ASN1_ENUMERATED *rtmp = NULL; 27690Sstevel@tonic-gate 27700Sstevel@tonic-gate ASN1_TIME *revDate = NULL; 27710Sstevel@tonic-gate 27720Sstevel@tonic-gate i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); 27730Sstevel@tonic-gate 27740Sstevel@tonic-gate if (i == 0) 27750Sstevel@tonic-gate goto err; 27760Sstevel@tonic-gate 27770Sstevel@tonic-gate if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) 27780Sstevel@tonic-gate goto err; 27790Sstevel@tonic-gate 27800Sstevel@tonic-gate if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) 27810Sstevel@tonic-gate { 27820Sstevel@tonic-gate rtmp = ASN1_ENUMERATED_new(); 27830Sstevel@tonic-gate if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) 27840Sstevel@tonic-gate goto err; 27850Sstevel@tonic-gate if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) 27860Sstevel@tonic-gate goto err; 27870Sstevel@tonic-gate } 27880Sstevel@tonic-gate 27890Sstevel@tonic-gate if (rev && comp_time) 27900Sstevel@tonic-gate { 27910Sstevel@tonic-gate if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) 27920Sstevel@tonic-gate goto err; 27930Sstevel@tonic-gate } 27940Sstevel@tonic-gate if (rev && hold) 27950Sstevel@tonic-gate { 27960Sstevel@tonic-gate if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) 27970Sstevel@tonic-gate goto err; 27980Sstevel@tonic-gate } 27990Sstevel@tonic-gate 28000Sstevel@tonic-gate if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) 28010Sstevel@tonic-gate ret = 2; 28020Sstevel@tonic-gate else ret = 1; 
28030Sstevel@tonic-gate 28040Sstevel@tonic-gate err: 28050Sstevel@tonic-gate 28060Sstevel@tonic-gate if (tmp) OPENSSL_free(tmp); 28070Sstevel@tonic-gate ASN1_OBJECT_free(hold); 28080Sstevel@tonic-gate ASN1_GENERALIZEDTIME_free(comp_time); 28090Sstevel@tonic-gate ASN1_ENUMERATED_free(rtmp); 28100Sstevel@tonic-gate ASN1_TIME_free(revDate); 28110Sstevel@tonic-gate 28120Sstevel@tonic-gate return ret; 28130Sstevel@tonic-gate } 28140Sstevel@tonic-gate 28150Sstevel@tonic-gate /* 28160Sstevel@tonic-gate * subject is expected to be in the format /type0=value0/type1=value1/type2=... 28170Sstevel@tonic-gate * where characters may be escaped by \ 28180Sstevel@tonic-gate */ 28190Sstevel@tonic-gate X509_NAME *do_subject(char *subject, long chtype) 28200Sstevel@tonic-gate { 28210Sstevel@tonic-gate size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */ 28220Sstevel@tonic-gate char *buf = OPENSSL_malloc(buflen); 28230Sstevel@tonic-gate size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */ 28240Sstevel@tonic-gate char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *)); 28250Sstevel@tonic-gate char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *)); 28260Sstevel@tonic-gate 28270Sstevel@tonic-gate char *sp = subject, *bp = buf; 28280Sstevel@tonic-gate int i, ne_num = 0; 28290Sstevel@tonic-gate 28300Sstevel@tonic-gate X509_NAME *n = NULL; 28310Sstevel@tonic-gate int nid; 28320Sstevel@tonic-gate 28330Sstevel@tonic-gate if (!buf || !ne_types || !ne_values) 28340Sstevel@tonic-gate { 28350Sstevel@tonic-gate BIO_printf(bio_err, "malloc error\n"); 28360Sstevel@tonic-gate goto error; 28370Sstevel@tonic-gate } 28380Sstevel@tonic-gate 28390Sstevel@tonic-gate if (*subject != '/') 28400Sstevel@tonic-gate { 28410Sstevel@tonic-gate BIO_printf(bio_err, "Subject does not start with '/'.\n"); 28420Sstevel@tonic-gate goto error; 28430Sstevel@tonic-gate } 28440Sstevel@tonic-gate sp++; /* skip leading / */ 
28450Sstevel@tonic-gate 28460Sstevel@tonic-gate while (*sp) 28470Sstevel@tonic-gate { 28480Sstevel@tonic-gate /* collect type */ 28490Sstevel@tonic-gate ne_types[ne_num] = bp; 28500Sstevel@tonic-gate while (*sp) 28510Sstevel@tonic-gate { 28520Sstevel@tonic-gate if (*sp == '\\') /* is there anything to escape in the type...? */ 28530Sstevel@tonic-gate { 28540Sstevel@tonic-gate if (*++sp) 28550Sstevel@tonic-gate *bp++ = *sp++; 28560Sstevel@tonic-gate else 28570Sstevel@tonic-gate { 28580Sstevel@tonic-gate BIO_printf(bio_err, "escape character at end of string\n"); 28590Sstevel@tonic-gate goto error; 28600Sstevel@tonic-gate } 28610Sstevel@tonic-gate } 28620Sstevel@tonic-gate else if (*sp == '=') 28630Sstevel@tonic-gate { 28640Sstevel@tonic-gate sp++; 28650Sstevel@tonic-gate *bp++ = '\0'; 28660Sstevel@tonic-gate break; 28670Sstevel@tonic-gate } 28680Sstevel@tonic-gate else 28690Sstevel@tonic-gate *bp++ = *sp++; 28700Sstevel@tonic-gate } 28710Sstevel@tonic-gate if (!*sp) 28720Sstevel@tonic-gate { 28730Sstevel@tonic-gate BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num); 28740Sstevel@tonic-gate goto error; 28750Sstevel@tonic-gate } 28760Sstevel@tonic-gate ne_values[ne_num] = bp; 28770Sstevel@tonic-gate while (*sp) 28780Sstevel@tonic-gate { 28790Sstevel@tonic-gate if (*sp == '\\') 28800Sstevel@tonic-gate { 28810Sstevel@tonic-gate if (*++sp) 28820Sstevel@tonic-gate *bp++ = *sp++; 28830Sstevel@tonic-gate else 28840Sstevel@tonic-gate { 28850Sstevel@tonic-gate BIO_printf(bio_err, "escape character at end of string\n"); 28860Sstevel@tonic-gate goto error; 28870Sstevel@tonic-gate } 28880Sstevel@tonic-gate } 28890Sstevel@tonic-gate else if (*sp == '/') 28900Sstevel@tonic-gate { 28910Sstevel@tonic-gate sp++; 28920Sstevel@tonic-gate break; 28930Sstevel@tonic-gate } 28940Sstevel@tonic-gate else 28950Sstevel@tonic-gate *bp++ = *sp++; 28960Sstevel@tonic-gate } 28970Sstevel@tonic-gate *bp++ = '\0'; 28980Sstevel@tonic-gate 
ne_num++; 28990Sstevel@tonic-gate } 29000Sstevel@tonic-gate 29010Sstevel@tonic-gate if (!(n = X509_NAME_new())) 29020Sstevel@tonic-gate goto error; 29030Sstevel@tonic-gate 29040Sstevel@tonic-gate for (i = 0; i < ne_num; i++) 29050Sstevel@tonic-gate { 29060Sstevel@tonic-gate if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef) 29070Sstevel@tonic-gate { 29080Sstevel@tonic-gate BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]); 29090Sstevel@tonic-gate continue; 29100Sstevel@tonic-gate } 29110Sstevel@tonic-gate 29120Sstevel@tonic-gate if (!*ne_values[i]) 29130Sstevel@tonic-gate { 29140Sstevel@tonic-gate BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]); 29150Sstevel@tonic-gate continue; 29160Sstevel@tonic-gate } 29170Sstevel@tonic-gate 29180Sstevel@tonic-gate if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0)) 29190Sstevel@tonic-gate goto error; 29200Sstevel@tonic-gate } 29210Sstevel@tonic-gate 29220Sstevel@tonic-gate OPENSSL_free(ne_values); 29230Sstevel@tonic-gate OPENSSL_free(ne_types); 29240Sstevel@tonic-gate OPENSSL_free(buf); 29250Sstevel@tonic-gate return n; 29260Sstevel@tonic-gate 29270Sstevel@tonic-gate error: 29280Sstevel@tonic-gate X509_NAME_free(n); 29290Sstevel@tonic-gate if (ne_values) 29300Sstevel@tonic-gate OPENSSL_free(ne_values); 29310Sstevel@tonic-gate if (ne_types) 29320Sstevel@tonic-gate OPENSSL_free(ne_types); 29330Sstevel@tonic-gate if (buf) 29340Sstevel@tonic-gate OPENSSL_free(buf); 29350Sstevel@tonic-gate return NULL; 29360Sstevel@tonic-gate } 29370Sstevel@tonic-gate 29380Sstevel@tonic-gate int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) 29390Sstevel@tonic-gate { 29400Sstevel@tonic-gate char buf[25],*pbuf, *p; 29410Sstevel@tonic-gate int j; 29420Sstevel@tonic-gate j=i2a_ASN1_OBJECT(bp,obj); 29430Sstevel@tonic-gate pbuf=buf; 29440Sstevel@tonic-gate for (j=22-j; j>0; j--) 29450Sstevel@tonic-gate *(pbuf++)=' '; 
29460Sstevel@tonic-gate *(pbuf++)=':'; 29470Sstevel@tonic-gate *(pbuf++)='\0'; 29480Sstevel@tonic-gate BIO_puts(bp,buf); 29490Sstevel@tonic-gate 29500Sstevel@tonic-gate if (str->type == V_ASN1_PRINTABLESTRING) 29510Sstevel@tonic-gate BIO_printf(bp,"PRINTABLE:'"); 29520Sstevel@tonic-gate else if (str->type == V_ASN1_T61STRING) 29530Sstevel@tonic-gate BIO_printf(bp,"T61STRING:'"); 29540Sstevel@tonic-gate else if (str->type == V_ASN1_IA5STRING) 29550Sstevel@tonic-gate BIO_printf(bp,"IA5STRING:'"); 29560Sstevel@tonic-gate else if (str->type == V_ASN1_UNIVERSALSTRING) 29570Sstevel@tonic-gate BIO_printf(bp,"UNIVERSALSTRING:'"); 29580Sstevel@tonic-gate else 29590Sstevel@tonic-gate BIO_printf(bp,"ASN.1 %2d:'",str->type); 29600Sstevel@tonic-gate 29610Sstevel@tonic-gate p=(char *)str->data; 29620Sstevel@tonic-gate for (j=str->length; j>0; j--) 29630Sstevel@tonic-gate { 29640Sstevel@tonic-gate if ((*p >= ' ') && (*p <= '~')) 29650Sstevel@tonic-gate BIO_printf(bp,"%c",*p); 29660Sstevel@tonic-gate else if (*p & 0x80) 29670Sstevel@tonic-gate BIO_printf(bp,"\\0x%02X",*p); 29680Sstevel@tonic-gate else if ((unsigned char)*p == 0xf7) 29690Sstevel@tonic-gate BIO_printf(bp,"^?"); 29700Sstevel@tonic-gate else BIO_printf(bp,"^%c",*p+'@'); 29710Sstevel@tonic-gate p++; 29720Sstevel@tonic-gate } 29730Sstevel@tonic-gate BIO_printf(bp,"'\n"); 29740Sstevel@tonic-gate return 1; 29750Sstevel@tonic-gate } 29760Sstevel@tonic-gate 29770Sstevel@tonic-gate int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str) 29780Sstevel@tonic-gate { 29790Sstevel@tonic-gate char *tmp = NULL; 29800Sstevel@tonic-gate char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; 29810Sstevel@tonic-gate int reason_code = -1; 29820Sstevel@tonic-gate int i, ret = 0; 29830Sstevel@tonic-gate ASN1_OBJECT *hold = NULL; 29840Sstevel@tonic-gate ASN1_GENERALIZEDTIME *comp_time = NULL; 29850Sstevel@tonic-gate tmp = BUF_strdup(str); 29860Sstevel@tonic-gate 
29870Sstevel@tonic-gate p = strchr(tmp, ','); 29880Sstevel@tonic-gate 29890Sstevel@tonic-gate rtime_str = tmp; 29900Sstevel@tonic-gate 29910Sstevel@tonic-gate if (p) 29920Sstevel@tonic-gate { 29930Sstevel@tonic-gate *p = '\0'; 29940Sstevel@tonic-gate p++; 29950Sstevel@tonic-gate reason_str = p; 29960Sstevel@tonic-gate p = strchr(p, ','); 29970Sstevel@tonic-gate if (p) 29980Sstevel@tonic-gate { 29990Sstevel@tonic-gate *p = '\0'; 30000Sstevel@tonic-gate arg_str = p + 1; 30010Sstevel@tonic-gate } 30020Sstevel@tonic-gate } 30030Sstevel@tonic-gate 30040Sstevel@tonic-gate if (prevtm) 30050Sstevel@tonic-gate { 30060Sstevel@tonic-gate *prevtm = ASN1_UTCTIME_new(); 30070Sstevel@tonic-gate if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) 30080Sstevel@tonic-gate { 30090Sstevel@tonic-gate BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); 30100Sstevel@tonic-gate goto err; 30110Sstevel@tonic-gate } 30120Sstevel@tonic-gate } 30130Sstevel@tonic-gate if (reason_str) 30140Sstevel@tonic-gate { 30150Sstevel@tonic-gate for (i = 0; i < NUM_REASONS; i++) 30160Sstevel@tonic-gate { 30170Sstevel@tonic-gate if(!strcasecmp(reason_str, crl_reasons[i])) 30180Sstevel@tonic-gate { 30190Sstevel@tonic-gate reason_code = i; 30200Sstevel@tonic-gate break; 30210Sstevel@tonic-gate } 30220Sstevel@tonic-gate } 30230Sstevel@tonic-gate if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) 30240Sstevel@tonic-gate { 30250Sstevel@tonic-gate BIO_printf(bio_err, "invalid reason code %s\n", reason_str); 30260Sstevel@tonic-gate goto err; 30270Sstevel@tonic-gate } 30280Sstevel@tonic-gate 30290Sstevel@tonic-gate if (reason_code == 7) 30300Sstevel@tonic-gate reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; 30310Sstevel@tonic-gate else if (reason_code == 8) /* Hold instruction */ 30320Sstevel@tonic-gate { 30330Sstevel@tonic-gate if (!arg_str) 30340Sstevel@tonic-gate { 30350Sstevel@tonic-gate BIO_printf(bio_err, "missing hold instruction\n"); 30360Sstevel@tonic-gate goto err; 30370Sstevel@tonic-gate } 
30380Sstevel@tonic-gate reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; 30390Sstevel@tonic-gate hold = OBJ_txt2obj(arg_str, 0); 30400Sstevel@tonic-gate 30410Sstevel@tonic-gate if (!hold) 30420Sstevel@tonic-gate { 30430Sstevel@tonic-gate BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); 30440Sstevel@tonic-gate goto err; 30450Sstevel@tonic-gate } 30460Sstevel@tonic-gate if (phold) *phold = hold; 30470Sstevel@tonic-gate } 30480Sstevel@tonic-gate else if ((reason_code == 9) || (reason_code == 10)) 30490Sstevel@tonic-gate { 30500Sstevel@tonic-gate if (!arg_str) 30510Sstevel@tonic-gate { 30520Sstevel@tonic-gate BIO_printf(bio_err, "missing compromised time\n"); 30530Sstevel@tonic-gate goto err; 30540Sstevel@tonic-gate } 30550Sstevel@tonic-gate comp_time = ASN1_GENERALIZEDTIME_new(); 30560Sstevel@tonic-gate if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) 30570Sstevel@tonic-gate { 30580Sstevel@tonic-gate BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); 30590Sstevel@tonic-gate goto err; 30600Sstevel@tonic-gate } 30610Sstevel@tonic-gate if (reason_code == 9) 30620Sstevel@tonic-gate reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; 30630Sstevel@tonic-gate else 30640Sstevel@tonic-gate reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; 30650Sstevel@tonic-gate } 30660Sstevel@tonic-gate } 30670Sstevel@tonic-gate 30680Sstevel@tonic-gate if (preason) *preason = reason_code; 30690Sstevel@tonic-gate if (pinvtm) *pinvtm = comp_time; 30700Sstevel@tonic-gate else ASN1_GENERALIZEDTIME_free(comp_time); 30710Sstevel@tonic-gate 30720Sstevel@tonic-gate ret = 1; 30730Sstevel@tonic-gate 30740Sstevel@tonic-gate err: 30750Sstevel@tonic-gate 30760Sstevel@tonic-gate if (tmp) OPENSSL_free(tmp); 30770Sstevel@tonic-gate if (!phold) ASN1_OBJECT_free(hold); 30780Sstevel@tonic-gate if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time); 30790Sstevel@tonic-gate 30800Sstevel@tonic-gate return ret; 30810Sstevel@tonic-gate } 3082