1 /* $OpenBSD: ca.c,v 1.53 2022/02/03 17:44:04 tb Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <sys/types.h>
62
63 #include <ctype.h>
64 #include <stdio.h>
65 #include <stdlib.h>
66 #include <limits.h>
67 #include <string.h>
68 #include <unistd.h>
69
70 #include "apps.h"
71
72 #include <openssl/bio.h>
73 #include <openssl/bn.h>
74 #include <openssl/conf.h>
75 #include <openssl/err.h>
76 #include <openssl/evp.h>
77 #include <openssl/objects.h>
78 #include <openssl/ocsp.h>
79 #include <openssl/pem.h>
80 #include <openssl/txt_db.h>
81 #include <openssl/x509.h>
82 #include <openssl/x509v3.h>
83
84 #define BASE_SECTION "ca"
85
86 #define ENV_DEFAULT_CA "default_ca"
87
88 #define STRING_MASK "string_mask"
89 #define UTF8_IN "utf8"
90
91 #define ENV_NEW_CERTS_DIR "new_certs_dir"
92 #define ENV_CERTIFICATE "certificate"
93 #define ENV_SERIAL "serial"
94 #define ENV_CRLNUMBER "crlnumber"
95 #define ENV_PRIVATE_KEY "private_key"
96 #define ENV_DEFAULT_DAYS "default_days"
97 #define ENV_DEFAULT_STARTDATE "default_startdate"
98 #define ENV_DEFAULT_ENDDATE "default_enddate"
99 #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
100 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
101 #define ENV_DEFAULT_MD "default_md"
102 #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
103 #define ENV_PRESERVE "preserve"
104 #define ENV_POLICY "policy"
105 #define ENV_EXTENSIONS "x509_extensions"
106 #define ENV_CRLEXT "crl_extensions"
107 #define ENV_MSIE_HACK "msie_hack"
108 #define ENV_NAMEOPT "name_opt"
109 #define ENV_CERTOPT "cert_opt"
110 #define ENV_EXTCOPY "copy_extensions"
111 #define ENV_UNIQUE_SUBJECT "unique_subject"
112
113 #define ENV_DATABASE "database"
114
115 /* Additional revocation information types */
116
117 #define REV_NONE 0 /* No addditional information */
118 #define REV_CRL_REASON 1 /* Value is CRL reason code */
119 #define REV_HOLD 2 /* Value is hold instruction */
120 #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121 #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122
123 static void lookup_fail(const char *name, const char *tag);
124 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
125 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
126 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
127 unsigned long chtype, int multirdn, int email_dn, char *startdate,
128 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
129 int verbose, unsigned long certopt, unsigned long nameopt,
130 int default_op, int ext_copy, int selfsign);
131 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey,
132 X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
133 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
134 unsigned long chtype, int multirdn, int email_dn, char *startdate,
135 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
136 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
137 int ext_copy);
138 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
139 X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
140 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
141 unsigned long chtype, int multirdn, int email_dn, char *startdate,
142 char *enddate, long days, char *ext_sect, CONF *conf, int verbose,
143 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
144 static int write_new_certificate(BIO *bp, X509 *x, int output_der,
145 int notext);
146 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
147 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
148 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
149 unsigned long chtype, int multirdn, int email_dn, char *startdate,
150 char *enddate, long days, int batch, int verbose, X509_REQ *req,
151 char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt,
152 int default_op, int ext_copy, int selfsign);
153 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
154 static int get_certificate_status(const char *serial, CA_DB *db);
155 static int do_updatedb(CA_DB *db);
156 static int check_time_format(const char *str);
157 static char *bin2hex(unsigned char *, size_t);
158 char *make_revocation_str(int rev_type, char *rev_arg);
159 int make_revoked(X509_REVOKED *rev, const char *str);
160 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
161
162 static CONF *conf = NULL;
163 static CONF *extconf = NULL;
164
165 static struct {
166 int batch;
167 char *certfile;
168 unsigned long chtype;
169 char *configfile;
170 int create_serial;
171 char *crl_ext;
172 long crldays;
173 long crlhours;
174 long crlsec;
175 long days;
176 int dorevoke;
177 int doupdatedb;
178 int email_dn;
179 char *enddate;
180 char *extensions;
181 char *extfile;
182 int gencrl;
183 char *infile;
184 char **infiles;
185 int infiles_num;
186 char *key;
187 char *keyfile;
188 int keyform;
189 char *md;
190 int multirdn;
191 int msie_hack;
192 int notext;
193 char *outdir;
194 char *outfile;
195 char *passargin;
196 char *policy;
197 int preserve;
198 int req;
199 char *rev_arg;
200 int rev_type;
201 char *serial_status;
202 char *section;
203 int selfsign;
204 STACK_OF(OPENSSL_STRING) *sigopts;
205 char *spkac_file;
206 char *ss_cert_file;
207 char *startdate;
208 char *subj;
209 int verbose;
210 } ca_config;
211
212 static int
ca_opt_chtype_utf8(void)213 ca_opt_chtype_utf8(void)
214 {
215 ca_config.chtype = MBSTRING_UTF8;
216 return (0);
217 }
218
219 static int
ca_opt_crl_ca_compromise(char * arg)220 ca_opt_crl_ca_compromise(char *arg)
221 {
222 ca_config.rev_arg = arg;
223 ca_config.rev_type = REV_CA_COMPROMISE;
224 return (0);
225 }
226
227 static int
ca_opt_crl_compromise(char * arg)228 ca_opt_crl_compromise(char *arg)
229 {
230 ca_config.rev_arg = arg;
231 ca_config.rev_type = REV_KEY_COMPROMISE;
232 return (0);
233 }
234
235 static int
ca_opt_crl_hold(char * arg)236 ca_opt_crl_hold(char *arg)
237 {
238 ca_config.rev_arg = arg;
239 ca_config.rev_type = REV_HOLD;
240 return (0);
241 }
242
243 static int
ca_opt_crl_reason(char * arg)244 ca_opt_crl_reason(char *arg)
245 {
246 ca_config.rev_arg = arg;
247 ca_config.rev_type = REV_CRL_REASON;
248 return (0);
249 }
250
251 static int
ca_opt_in(char * arg)252 ca_opt_in(char *arg)
253 {
254 ca_config.infile = arg;
255 ca_config.req = 1;
256 return (0);
257 }
258
259 static int
ca_opt_infiles(int argc,char ** argv,int * argsused)260 ca_opt_infiles(int argc, char **argv, int *argsused)
261 {
262 ca_config.infiles_num = argc - 1;
263 if (ca_config.infiles_num < 1)
264 return (1);
265 ca_config.infiles = argv + 1;
266 ca_config.req = 1;
267 *argsused = argc;
268 return (0);
269 }
270
271 static int
ca_opt_revoke(char * arg)272 ca_opt_revoke(char *arg)
273 {
274 ca_config.infile = arg;
275 ca_config.dorevoke = 1;
276 return (0);
277 }
278
279 static int
ca_opt_sigopt(char * arg)280 ca_opt_sigopt(char *arg)
281 {
282 if (ca_config.sigopts == NULL)
283 ca_config.sigopts = sk_OPENSSL_STRING_new_null();
284 if (ca_config.sigopts == NULL)
285 return (1);
286 if (!sk_OPENSSL_STRING_push(ca_config.sigopts, arg))
287 return (1);
288 return (0);
289 }
290
291 static int
ca_opt_spkac(char * arg)292 ca_opt_spkac(char *arg)
293 {
294 ca_config.spkac_file = arg;
295 ca_config.req = 1;
296 return (0);
297 }
298
299 static int
ca_opt_ss_cert(char * arg)300 ca_opt_ss_cert(char *arg)
301 {
302 ca_config.ss_cert_file = arg;
303 ca_config.req = 1;
304 return (0);
305 }
306
307 static const struct option ca_options[] = {
308 {
309 .name = "batch",
310 .desc = "Operate in batch mode",
311 .type = OPTION_FLAG,
312 .opt.flag = &ca_config.batch,
313 },
314 {
315 .name = "cert",
316 .argname = "file",
317 .desc = "File containing the CA certificate",
318 .type = OPTION_ARG,
319 .opt.arg = &ca_config.certfile,
320 },
321 {
322 .name = "config",
323 .argname = "file",
324 .desc = "Specify an alternative configuration file",
325 .type = OPTION_ARG,
326 .opt.arg = &ca_config.configfile,
327 },
328 {
329 .name = "create_serial",
330 .desc = "If reading serial fails, create a new random serial",
331 .type = OPTION_FLAG,
332 .opt.flag = &ca_config.create_serial,
333 },
334 {
335 .name = "crl_CA_compromise",
336 .argname = "time",
337 .desc = "Set the compromise time and the revocation reason to\n"
338 "CACompromise",
339 .type = OPTION_ARG_FUNC,
340 .opt.argfunc = ca_opt_crl_ca_compromise,
341 },
342 {
343 .name = "crl_compromise",
344 .argname = "time",
345 .desc = "Set the compromise time and the revocation reason to\n"
346 "keyCompromise",
347 .type = OPTION_ARG_FUNC,
348 .opt.argfunc = ca_opt_crl_compromise,
349 },
350 {
351 .name = "crl_hold",
352 .argname = "instruction",
353 .desc = "Set the hold instruction and the revocation reason to\n"
354 "certificateHold",
355 .type = OPTION_ARG_FUNC,
356 .opt.argfunc = ca_opt_crl_hold,
357 },
358 {
359 .name = "crl_reason",
360 .argname = "reason",
361 .desc = "Revocation reason",
362 .type = OPTION_ARG_FUNC,
363 .opt.argfunc = ca_opt_crl_reason,
364 },
365 {
366 .name = "crldays",
367 .argname = "days",
368 .desc = "Number of days before the next CRL is due",
369 .type = OPTION_ARG_LONG,
370 .opt.lvalue = &ca_config.crldays,
371 },
372 {
373 .name = "crlexts",
374 .argname = "section",
375 .desc = "CRL extension section (override value in config file)",
376 .type = OPTION_ARG,
377 .opt.arg = &ca_config.crl_ext,
378 },
379 {
380 .name = "crlhours",
381 .argname = "hours",
382 .desc = "Number of hours before the next CRL is due",
383 .type = OPTION_ARG_LONG,
384 .opt.lvalue = &ca_config.crlhours,
385 },
386 {
387 .name = "crlsec",
388 .argname = "seconds",
389 .desc = "Number of seconds before the next CRL is due",
390 .type = OPTION_ARG_LONG,
391 .opt.lvalue = &ca_config.crlsec,
392 },
393 {
394 .name = "days",
395 .argname = "arg",
396 .desc = "Number of days to certify the certificate for",
397 .type = OPTION_ARG_LONG,
398 .opt.lvalue = &ca_config.days,
399 },
400 {
401 .name = "enddate",
402 .argname = "YYMMDDHHMMSSZ",
403 .desc = "Certificate validity notAfter (overrides -days)",
404 .type = OPTION_ARG,
405 .opt.arg = &ca_config.enddate,
406 },
407 {
408 .name = "extensions",
409 .argname = "section",
410 .desc = "Extension section (override value in config file)",
411 .type = OPTION_ARG,
412 .opt.arg = &ca_config.extensions,
413 },
414 {
415 .name = "extfile",
416 .argname = "file",
417 .desc = "Configuration file with X509v3 extentions to add",
418 .type = OPTION_ARG,
419 .opt.arg = &ca_config.extfile,
420 },
421 {
422 .name = "gencrl",
423 .desc = "Generate a new CRL",
424 .type = OPTION_FLAG,
425 .opt.flag = &ca_config.gencrl,
426 },
427 {
428 .name = "in",
429 .argname = "file",
430 .desc = "Input file containing a single certificate request",
431 .type = OPTION_ARG_FUNC,
432 .opt.argfunc = ca_opt_in,
433 },
434 {
435 .name = "infiles",
436 .argname = "...",
437 .desc = "The last argument, certificate requests to process",
438 .type = OPTION_ARGV_FUNC,
439 .opt.argvfunc = ca_opt_infiles,
440 },
441 {
442 .name = "key",
443 .argname = "password",
444 .desc = "Key to decode the private key if it is encrypted",
445 .type = OPTION_ARG,
446 .opt.arg = &ca_config.key,
447 },
448 {
449 .name = "keyfile",
450 .argname = "file",
451 .desc = "Private key file",
452 .type = OPTION_ARG,
453 .opt.arg = &ca_config.keyfile,
454 },
455 {
456 .name = "keyform",
457 .argname = "fmt",
458 .desc = "Private key file format (DER or PEM (default))",
459 .type = OPTION_ARG_FORMAT,
460 .opt.value = &ca_config.keyform,
461 },
462 {
463 .name = "md",
464 .argname = "alg",
465 .desc = "Message digest to use",
466 .type = OPTION_ARG,
467 .opt.arg = &ca_config.md,
468 },
469 {
470 .name = "msie_hack",
471 .type = OPTION_FLAG,
472 .opt.flag = &ca_config.msie_hack,
473 },
474 {
475 .name = "multivalue-rdn",
476 .desc = "Enable support for multivalued RDNs",
477 .type = OPTION_FLAG,
478 .opt.flag = &ca_config.multirdn,
479 },
480 {
481 .name = "name",
482 .argname = "section",
483 .desc = "Specifies the configuration file section to use",
484 .type = OPTION_ARG,
485 .opt.arg = &ca_config.section,
486 },
487 {
488 .name = "noemailDN",
489 .desc = "Do not add the EMAIL field to the DN",
490 .type = OPTION_VALUE,
491 .opt.value = &ca_config.email_dn,
492 .value = 0,
493 },
494 {
495 .name = "notext",
496 .desc = "Do not print the generated certificate",
497 .type = OPTION_FLAG,
498 .opt.flag = &ca_config.notext,
499 },
500 {
501 .name = "out",
502 .argname = "file",
503 .desc = "Output file (default stdout)",
504 .type = OPTION_ARG,
505 .opt.arg = &ca_config.outfile,
506 },
507 {
508 .name = "outdir",
509 .argname = "directory",
510 .desc = " Directory to output certificates to",
511 .type = OPTION_ARG,
512 .opt.arg = &ca_config.outdir,
513 },
514 {
515 .name = "passin",
516 .argname = "src",
517 .desc = "Private key input password source",
518 .type = OPTION_ARG,
519 .opt.arg = &ca_config.passargin,
520 },
521 {
522 .name = "policy",
523 .argname = "name",
524 .desc = "The CA 'policy' to support",
525 .type = OPTION_ARG,
526 .opt.arg = &ca_config.policy,
527 },
528 {
529 .name = "preserveDN",
530 .desc = "Do not re-order the DN",
531 .type = OPTION_FLAG,
532 .opt.flag = &ca_config.preserve,
533 },
534 {
535 .name = "revoke",
536 .argname = "file",
537 .desc = "Revoke a certificate (given in file)",
538 .type = OPTION_ARG_FUNC,
539 .opt.argfunc = ca_opt_revoke,
540 },
541 {
542 .name = "selfsign",
543 .desc = "Sign a certificate using the key associated with it",
544 .type = OPTION_FLAG,
545 .opt.flag = &ca_config.selfsign,
546 },
547 {
548 .name = "sigopt",
549 .argname = "nm:v",
550 .desc = "Signature parameter in nm:v form",
551 .type = OPTION_ARG_FUNC,
552 .opt.argfunc = ca_opt_sigopt,
553 },
554 {
555 .name = "spkac",
556 .argname = "file",
557 .desc = "File contains DN and signed public key and challenge",
558 .type = OPTION_ARG_FUNC,
559 .opt.argfunc = ca_opt_spkac,
560 },
561 {
562 .name = "ss_cert",
563 .argname = "file",
564 .desc = "File contains a self signed certificate to sign",
565 .type = OPTION_ARG_FUNC,
566 .opt.argfunc = ca_opt_ss_cert,
567 },
568 {
569 .name = "startdate",
570 .argname = "YYMMDDHHMMSSZ",
571 .desc = "Certificate validity notBefore",
572 .type = OPTION_ARG,
573 .opt.arg = &ca_config.startdate,
574 },
575 {
576 .name = "status",
577 .argname = "serial",
578 .desc = "Shows certificate status given the serial number",
579 .type = OPTION_ARG,
580 .opt.arg = &ca_config.serial_status,
581 },
582 {
583 .name = "subj",
584 .argname = "arg",
585 .desc = "Use arg instead of request's subject",
586 .type = OPTION_ARG,
587 .opt.arg = &ca_config.subj,
588 },
589 {
590 .name = "updatedb",
591 .desc = "Updates db for expired certificates",
592 .type = OPTION_FLAG,
593 .opt.flag = &ca_config.doupdatedb,
594 },
595 {
596 .name = "utf8",
597 .desc = "Input characters are in UTF-8 (default ASCII)",
598 .type = OPTION_FUNC,
599 .opt.func = ca_opt_chtype_utf8,
600 },
601 {
602 .name = "verbose",
603 .desc = "Verbose output during processing",
604 .type = OPTION_FLAG,
605 .opt.flag = &ca_config.verbose,
606 },
607 { NULL },
608 };
609
610 /*
611 * Set a certificate time based on user provided input. Make sure
612 * what we put in the certificate is legit for RFC 5280. Returns
613 * 0 on success, -1 on an invalid time string. Strings must be
614 * YYYYMMDDHHMMSSZ for post 2050 dates. YYYYMMDDHHMMSSZ or
615 * YYMMDDHHMMSSZ is accepted for pre 2050 dates, and fixed up to
616 * be the correct format in the certificate.
617 */
618 static int
setCertificateTime(ASN1_TIME * x509time,char * timestring)619 setCertificateTime(ASN1_TIME *x509time, char *timestring)
620 {
621 struct tm tm1;
622
623 if (ASN1_time_parse(timestring, strlen(timestring), &tm1, 0) == -1)
624 return (-1);
625 if (!ASN1_TIME_set_tm(x509time, &tm1))
626 return (-1);
627 return 0;
628 }
629
630 static void
ca_usage(void)631 ca_usage(void)
632 {
633 fprintf(stderr,
634 "usage: ca [-batch] [-cert file] [-config file] [-create_serial]\n"
635 " [-crl_CA_compromise time] [-crl_compromise time]\n"
636 " [-crl_hold instruction] [-crl_reason reason] [-crldays days]\n"
637 " [-crlexts section] [-crlhours hours] [-crlsec seconds]\n"
638 " [-days arg] [-enddate date] [-extensions section]\n"
639 " [-extfile file] [-gencrl] [-in file] [-infiles]\n"
640 " [-key password] [-keyfile file] [-keyform pem | der]\n"
641 " [-md alg] [-multivalue-rdn] [-name section]\n"
642 " [-noemailDN] [-notext] [-out file] [-outdir directory]\n"
643 " [-passin arg] [-policy name] [-preserveDN] [-revoke file]\n"
644 " [-selfsign] [-sigopt nm:v] [-spkac file] [-ss_cert file]\n"
645 " [-startdate date] [-status serial] [-subj arg] [-updatedb]\n"
646 " [-utf8] [-verbose]\n\n");
647 options_usage(ca_options);
648 fprintf(stderr, "\n");
649 }
650
651 int
ca_main(int argc,char ** argv)652 ca_main(int argc, char **argv)
653 {
654 int free_key = 0;
655 int total = 0;
656 int total_done = 0;
657 int ret = 1;
658 long errorline = -1;
659 EVP_PKEY *pkey = NULL;
660 int output_der = 0;
661 char *serialfile = NULL;
662 char *crlnumberfile = NULL;
663 char *tmp_email_dn = NULL;
664 BIGNUM *serial = NULL;
665 BIGNUM *crlnumber = NULL;
666 unsigned long nameopt = 0, certopt = 0;
667 int default_op = 1;
668 int ext_copy = EXT_COPY_NONE;
669 X509 *x509 = NULL, *x509p = NULL;
670 X509 *x = NULL;
671 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
672 char *dbfile = NULL;
673 CA_DB *db = NULL;
674 X509_CRL *crl = NULL;
675 X509_REVOKED *r = NULL;
676 ASN1_TIME *tmptm = NULL;
677 ASN1_INTEGER *tmpserial;
678 char *f;
679 const char *p;
680 char *const *pp;
681 int i, j;
682 const EVP_MD *dgst = NULL;
683 STACK_OF(CONF_VALUE) *attribs = NULL;
684 STACK_OF(X509) *cert_sk = NULL;
685 char *tofree = NULL;
686 DB_ATTR db_attr;
687
688 if (single_execution) {
689 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
690 perror("pledge");
691 exit(1);
692 }
693 }
694
695 memset(&ca_config, 0, sizeof(ca_config));
696 ca_config.email_dn = 1;
697 ca_config.keyform = FORMAT_PEM;
698 ca_config.chtype = MBSTRING_ASC;
699 ca_config.rev_type = REV_NONE;
700
701 conf = NULL;
702
703 if (options_parse(argc, argv, ca_options, NULL, NULL) != 0) {
704 ca_usage();
705 goto err;
706 }
707
708 /*****************************************************************/
709 tofree = NULL;
710 if (ca_config.configfile == NULL)
711 ca_config.configfile = getenv("OPENSSL_CONF");
712 if (ca_config.configfile == NULL) {
713 if ((tofree = make_config_name()) == NULL) {
714 BIO_printf(bio_err, "error making config file name\n");
715 goto err;
716 }
717 ca_config.configfile = tofree;
718 }
719 BIO_printf(bio_err, "Using configuration from %s\n",
720 ca_config.configfile);
721 conf = NCONF_new(NULL);
722 if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) {
723 if (errorline <= 0)
724 BIO_printf(bio_err,
725 "error loading the config file '%s'\n",
726 ca_config.configfile);
727 else
728 BIO_printf(bio_err,
729 "error on line %ld of config file '%s'\n",
730 errorline, ca_config.configfile);
731 goto err;
732 }
733 free(tofree);
734 tofree = NULL;
735
736 /* Lets get the config section we are using */
737 if (ca_config.section == NULL) {
738 ca_config.section = NCONF_get_string(conf, BASE_SECTION,
739 ENV_DEFAULT_CA);
740 if (ca_config.section == NULL) {
741 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
742 goto err;
743 }
744 }
745 if (conf != NULL) {
746 p = NCONF_get_string(conf, NULL, "oid_file");
747 if (p == NULL)
748 ERR_clear_error();
749 if (p != NULL) {
750 BIO *oid_bio;
751
752 oid_bio = BIO_new_file(p, "r");
753 if (oid_bio == NULL) {
754 /*
755 BIO_printf(bio_err,
756 "problems opening %s for extra oid's\n", p);
757 ERR_print_errors(bio_err);
758 */
759 ERR_clear_error();
760 } else {
761 OBJ_create_objects(oid_bio);
762 BIO_free(oid_bio);
763 }
764 }
765 if (!add_oid_section(bio_err, conf)) {
766 ERR_print_errors(bio_err);
767 goto err;
768 }
769 }
770 f = NCONF_get_string(conf, ca_config.section, STRING_MASK);
771 if (f == NULL)
772 ERR_clear_error();
773
774 if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) {
775 BIO_printf(bio_err,
776 "Invalid global string mask setting %s\n", f);
777 goto err;
778 }
779 if (ca_config.chtype != MBSTRING_UTF8) {
780 f = NCONF_get_string(conf, ca_config.section, UTF8_IN);
781 if (f == NULL)
782 ERR_clear_error();
783 else if (strcmp(f, "yes") == 0)
784 ca_config.chtype = MBSTRING_UTF8;
785 }
786 db_attr.unique_subject = 1;
787 p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT);
788 if (p != NULL) {
789 db_attr.unique_subject = parse_yesno(p, 1);
790 } else
791 ERR_clear_error();
792
793 in = BIO_new(BIO_s_file());
794 out = BIO_new(BIO_s_file());
795 Sout = BIO_new(BIO_s_file());
796 Cout = BIO_new(BIO_s_file());
797 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
798 ERR_print_errors(bio_err);
799 goto err;
800 }
801 /*****************************************************************/
802 /* report status of cert with serial number given on command line */
803 if (ca_config.serial_status) {
804 if ((dbfile = NCONF_get_string(conf, ca_config.section,
805 ENV_DATABASE)) == NULL) {
806 lookup_fail(ca_config.section, ENV_DATABASE);
807 goto err;
808 }
809 db = load_index(dbfile, &db_attr);
810 if (db == NULL)
811 goto err;
812
813 if (!index_index(db))
814 goto err;
815
816 if (get_certificate_status(ca_config.serial_status, db) != 1)
817 BIO_printf(bio_err, "Error verifying serial %s!\n",
818 ca_config.serial_status);
819 goto err;
820 }
821 /*****************************************************************/
822 /* we definitely need a private key, so let's get it */
823
824 if ((ca_config.keyfile == NULL) &&
825 ((ca_config.keyfile = NCONF_get_string(conf, ca_config.section,
826 ENV_PRIVATE_KEY)) == NULL)) {
827 lookup_fail(ca_config.section, ENV_PRIVATE_KEY);
828 goto err;
829 }
830 if (ca_config.key == NULL) {
831 free_key = 1;
832 if (!app_passwd(bio_err, ca_config.passargin, NULL,
833 &ca_config.key, NULL)) {
834 BIO_printf(bio_err, "Error getting password\n");
835 goto err;
836 }
837 }
838 pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0,
839 ca_config.key, "CA private key");
840 if (ca_config.key != NULL)
841 explicit_bzero(ca_config.key, strlen(ca_config.key));
842 if (pkey == NULL) {
843 /* load_key() has already printed an appropriate message */
844 goto err;
845 }
846 /*****************************************************************/
847 /* we need a certificate */
848 if (!ca_config.selfsign || ca_config.spkac_file != NULL ||
849 ca_config.ss_cert_file != NULL || ca_config.gencrl) {
850 if ((ca_config.certfile == NULL) &&
851 ((ca_config.certfile = NCONF_get_string(conf,
852 ca_config.section, ENV_CERTIFICATE)) == NULL)) {
853 lookup_fail(ca_config.section, ENV_CERTIFICATE);
854 goto err;
855 }
856 x509 = load_cert(bio_err, ca_config.certfile, FORMAT_PEM, NULL,
857 "CA certificate");
858 if (x509 == NULL)
859 goto err;
860
861 if (!X509_check_private_key(x509, pkey)) {
862 BIO_printf(bio_err,
863 "CA certificate and CA private key do not match\n");
864 goto err;
865 }
866 }
867 if (!ca_config.selfsign)
868 x509p = x509;
869
870 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
871 if (f == NULL)
872 ERR_clear_error();
873 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
874 ca_config.preserve = 1;
875 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
876 if (f == NULL)
877 ERR_clear_error();
878 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
879 ca_config.msie_hack = 1;
880
881 f = NCONF_get_string(conf, ca_config.section, ENV_NAMEOPT);
882
883 if (f != NULL) {
884 if (!set_name_ex(&nameopt, f)) {
885 BIO_printf(bio_err,
886 "Invalid name options: \"%s\"\n", f);
887 goto err;
888 }
889 default_op = 0;
890 } else
891 ERR_clear_error();
892
893 f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT);
894
895 if (f != NULL) {
896 if (!set_cert_ex(&certopt, f)) {
897 BIO_printf(bio_err,
898 "Invalid certificate options: \"%s\"\n", f);
899 goto err;
900 }
901 default_op = 0;
902 } else
903 ERR_clear_error();
904
905 f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY);
906
907 if (f != NULL) {
908 if (!set_ext_copy(&ext_copy, f)) {
909 BIO_printf(bio_err,
910 "Invalid extension copy option: \"%s\"\n", f);
911 goto err;
912 }
913 } else
914 ERR_clear_error();
915
916 /*****************************************************************/
917 /* lookup where to write new certificates */
918 if (ca_config.outdir == NULL && ca_config.req) {
919 if ((ca_config.outdir = NCONF_get_string(conf,
920 ca_config.section, ENV_NEW_CERTS_DIR)) == NULL) {
921 BIO_printf(bio_err, "output directory %s not defined\n",
922 ENV_NEW_CERTS_DIR);
923 goto err;
924 }
925 }
926 /*****************************************************************/
927 /* we need to load the database file */
928 if ((dbfile = NCONF_get_string(conf, ca_config.section,
929 ENV_DATABASE)) == NULL) {
930 lookup_fail(ca_config.section, ENV_DATABASE);
931 goto err;
932 }
933 db = load_index(dbfile, &db_attr);
934 if (db == NULL)
935 goto err;
936
937 /* Lets check some fields */
938 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
939 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
940 if ((pp[DB_type][0] != DB_TYPE_REV) &&
941 (pp[DB_rev_date][0] != '\0')) {
942 BIO_printf(bio_err,
943 "entry %d: not revoked yet, but has a revocation date\n",
944 i + 1);
945 goto err;
946 }
947 if ((pp[DB_type][0] == DB_TYPE_REV) &&
948 !make_revoked(NULL, pp[DB_rev_date])) {
949 BIO_printf(bio_err, " in entry %d\n", i + 1);
950 goto err;
951 }
952 if (!check_time_format((char *) pp[DB_exp_date])) {
953 BIO_printf(bio_err, "entry %d: invalid expiry date\n",
954 i + 1);
955 goto err;
956 }
957 p = pp[DB_serial];
958 j = strlen(p);
959 if (*p == '-') {
960 p++;
961 j--;
962 }
963 if ((j & 1) || (j < 2)) {
964 BIO_printf(bio_err,
965 "entry %d: bad serial number length (%d)\n",
966 i + 1, j);
967 goto err;
968 }
969 while (*p) {
970 if (!(((*p >= '0') && (*p <= '9')) ||
971 ((*p >= 'A') && (*p <= 'F')) ||
972 ((*p >= 'a') && (*p <= 'f')))) {
973 BIO_printf(bio_err,
974 "entry %d: bad serial number characters, char pos %ld, char is '%c'\n",
975 i + 1, (long) (p - pp[DB_serial]), *p);
976 goto err;
977 }
978 p++;
979 }
980 }
981 if (ca_config.verbose) {
982 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
983 TXT_DB_write(out, db->db);
984 BIO_printf(bio_err, "%d entries loaded from the database\n",
985 sk_OPENSSL_PSTRING_num(db->db->data));
986 BIO_printf(bio_err, "generating index\n");
987 }
988 if (!index_index(db))
989 goto err;
990
991 /*****************************************************************/
992 /* Update the db file for expired certificates */
993 if (ca_config.doupdatedb) {
994 if (ca_config.verbose)
995 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
996
997 i = do_updatedb(db);
998 if (i == -1) {
999 BIO_printf(bio_err, "Malloc failure\n");
1000 goto err;
1001 } else if (i == 0) {
1002 if (ca_config.verbose)
1003 BIO_printf(bio_err,
1004 "No entries found to mark expired\n");
1005 } else {
1006 if (!save_index(dbfile, "new", db))
1007 goto err;
1008
1009 if (!rotate_index(dbfile, "new", "old"))
1010 goto err;
1011
1012 if (ca_config.verbose)
1013 BIO_printf(bio_err,
1014 "Done. %d entries marked as expired\n", i);
1015 }
1016 }
1017 /*****************************************************************/
1018 /* Read extentions config file */
1019 if (ca_config.extfile != NULL) {
1020 extconf = NCONF_new(NULL);
1021 if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) {
1022 if (errorline <= 0)
1023 BIO_printf(bio_err,
1024 "ERROR: loading the config file '%s'\n",
1025 ca_config.extfile);
1026 else
1027 BIO_printf(bio_err,
1028 "ERROR: on line %ld of config file '%s'\n",
1029 errorline, ca_config.extfile);
1030 ret = 1;
1031 goto err;
1032 }
1033 if (ca_config.verbose)
1034 BIO_printf(bio_err,
1035 "Successfully loaded extensions file %s\n",
1036 ca_config.extfile);
1037
1038 /* We can have sections in the ext file */
1039 if (ca_config.extensions == NULL &&
1040 (ca_config.extensions = NCONF_get_string(extconf, "default",
1041 "extensions")) == NULL)
1042 ca_config.extensions = "default";
1043 }
1044 /*****************************************************************/
1045 if (ca_config.req || ca_config.gencrl) {
1046 if (ca_config.outfile != NULL) {
1047 if (BIO_write_filename(Sout, ca_config.outfile) <= 0) {
1048 perror(ca_config.outfile);
1049 goto err;
1050 }
1051 } else {
1052 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
1053 }
1054 }
1055 if ((ca_config.md == NULL) &&
1056 ((ca_config.md = NCONF_get_string(conf, ca_config.section,
1057 ENV_DEFAULT_MD)) == NULL)) {
1058 lookup_fail(ca_config.section, ENV_DEFAULT_MD);
1059 goto err;
1060 }
1061 if (strcmp(ca_config.md, "default") == 0) {
1062 int def_nid;
1063 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
1064 BIO_puts(bio_err, "no default digest\n");
1065 goto err;
1066 }
1067 ca_config.md = (char *) OBJ_nid2sn(def_nid);
1068 if (ca_config.md == NULL)
1069 goto err;
1070 }
1071 if ((dgst = EVP_get_digestbyname(ca_config.md)) == NULL) {
1072 BIO_printf(bio_err,
1073 "%s is an unsupported message digest type\n", ca_config.md);
1074 goto err;
1075 }
1076 if (ca_config.req) {
1077 if ((ca_config.email_dn == 1) &&
1078 ((tmp_email_dn = NCONF_get_string(conf, ca_config.section,
1079 ENV_DEFAULT_EMAIL_DN)) != NULL)) {
1080 if (strcmp(tmp_email_dn, "no") == 0)
1081 ca_config.email_dn = 0;
1082 }
1083 if (ca_config.verbose)
1084 BIO_printf(bio_err, "message digest is %s\n",
1085 OBJ_nid2ln(EVP_MD_type(dgst)));
1086 if ((ca_config.policy == NULL) &&
1087 ((ca_config.policy = NCONF_get_string(conf,
1088 ca_config.section, ENV_POLICY)) == NULL)) {
1089 lookup_fail(ca_config.section, ENV_POLICY);
1090 goto err;
1091 }
1092 if (ca_config.verbose)
1093 BIO_printf(bio_err, "policy is %s\n", ca_config.policy);
1094
1095 if ((serialfile = NCONF_get_string(conf, ca_config.section,
1096 ENV_SERIAL)) == NULL) {
1097 lookup_fail(ca_config.section, ENV_SERIAL);
1098 goto err;
1099 }
1100 if (extconf == NULL) {
1101 /*
1102 * no '-extfile' option, so we look for extensions in
1103 * the main configuration file
1104 */
1105 if (ca_config.extensions == NULL) {
1106 ca_config.extensions = NCONF_get_string(conf,
1107 ca_config.section, ENV_EXTENSIONS);
1108 if (ca_config.extensions == NULL)
1109 ERR_clear_error();
1110 }
1111 if (ca_config.extensions != NULL) {
1112 /* Check syntax of file */
1113 X509V3_CTX ctx;
1114 X509V3_set_ctx_test(&ctx);
1115 X509V3_set_nconf(&ctx, conf);
1116 if (!X509V3_EXT_add_nconf(conf, &ctx,
1117 ca_config.extensions, NULL)) {
1118 BIO_printf(bio_err,
1119 "Error Loading extension section %s\n",
1120 ca_config.extensions);
1121 ret = 1;
1122 goto err;
1123 }
1124 }
1125 }
1126 if (ca_config.startdate == NULL) {
1127 ca_config.startdate = NCONF_get_string(conf,
1128 ca_config.section, ENV_DEFAULT_STARTDATE);
1129 if (ca_config.startdate == NULL)
1130 ERR_clear_error();
1131 }
1132 if (ca_config.startdate == NULL)
1133 ca_config.startdate = "today";
1134
1135 if (ca_config.enddate == NULL) {
1136 ca_config.enddate = NCONF_get_string(conf,
1137 ca_config.section, ENV_DEFAULT_ENDDATE);
1138 if (ca_config.enddate == NULL)
1139 ERR_clear_error();
1140 }
1141 if (ca_config.days == 0 && ca_config.enddate == NULL) {
1142 if (!NCONF_get_number(conf, ca_config.section,
1143 ENV_DEFAULT_DAYS, &ca_config.days))
1144 ca_config.days = 0;
1145 }
1146 if (ca_config.enddate == NULL && ca_config.days == 0) {
1147 BIO_printf(bio_err,
1148 "cannot lookup how many days to certify for\n");
1149 goto err;
1150 }
1151 if ((serial = load_serial(serialfile, ca_config.create_serial,
1152 NULL)) == NULL) {
1153 BIO_printf(bio_err,
1154 "error while loading serial number\n");
1155 goto err;
1156 }
1157 if (ca_config.verbose) {
1158 if (BN_is_zero(serial))
1159 BIO_printf(bio_err,
1160 "next serial number is 00\n");
1161 else {
1162 if ((f = BN_bn2hex(serial)) == NULL)
1163 goto err;
1164 BIO_printf(bio_err,
1165 "next serial number is %s\n", f);
1166 free(f);
1167 }
1168 }
1169 if ((attribs = NCONF_get_section(conf, ca_config.policy)) ==
1170 NULL) {
1171 BIO_printf(bio_err, "unable to find 'section' for %s\n",
1172 ca_config.policy);
1173 goto err;
1174 }
1175 if ((cert_sk = sk_X509_new_null()) == NULL) {
1176 BIO_printf(bio_err, "Memory allocation failure\n");
1177 goto err;
1178 }
1179 if (ca_config.spkac_file != NULL) {
1180 total++;
1181 j = certify_spkac(&x, ca_config.spkac_file, pkey, x509,
1182 dgst, ca_config.sigopts, attribs, db, serial,
1183 ca_config.subj, ca_config.chtype,
1184 ca_config.multirdn, ca_config.email_dn,
1185 ca_config.startdate, ca_config.enddate,
1186 ca_config.days, ca_config.extensions, conf,
1187 ca_config.verbose, certopt, nameopt, default_op,
1188 ext_copy);
1189 if (j < 0)
1190 goto err;
1191 if (j > 0) {
1192 total_done++;
1193 BIO_printf(bio_err, "\n");
1194 if (!BN_add_word(serial, 1))
1195 goto err;
1196 if (!sk_X509_push(cert_sk, x)) {
1197 BIO_printf(bio_err,
1198 "Memory allocation failure\n");
1199 goto err;
1200 }
1201 if (ca_config.outfile != NULL) {
1202 output_der = 1;
1203 ca_config.batch = 1;
1204 }
1205 }
1206 }
1207 if (ca_config.ss_cert_file != NULL) {
1208 total++;
1209 j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509,
1210 dgst, ca_config.sigopts, attribs, db, serial,
1211 ca_config.subj, ca_config.chtype,
1212 ca_config.multirdn, ca_config.email_dn,
1213 ca_config.startdate, ca_config.enddate,
1214 ca_config.days, ca_config.batch,
1215 ca_config.extensions, conf, ca_config.verbose,
1216 certopt, nameopt, default_op, ext_copy);
1217 if (j < 0)
1218 goto err;
1219 if (j > 0) {
1220 total_done++;
1221 BIO_printf(bio_err, "\n");
1222 if (!BN_add_word(serial, 1))
1223 goto err;
1224 if (!sk_X509_push(cert_sk, x)) {
1225 BIO_printf(bio_err,
1226 "Memory allocation failure\n");
1227 goto err;
1228 }
1229 }
1230 }
1231 if (ca_config.infile != NULL) {
1232 total++;
1233 j = certify(&x, ca_config.infile, pkey, x509p, dgst,
1234 ca_config.sigopts, attribs, db, serial,
1235 ca_config.subj, ca_config.chtype,
1236 ca_config.multirdn, ca_config.email_dn,
1237 ca_config.startdate, ca_config.enddate,
1238 ca_config.days, ca_config.batch,
1239 ca_config.extensions, conf, ca_config.verbose,
1240 certopt, nameopt, default_op, ext_copy,
1241 ca_config.selfsign);
1242 if (j < 0)
1243 goto err;
1244 if (j > 0) {
1245 total_done++;
1246 BIO_printf(bio_err, "\n");
1247 if (!BN_add_word(serial, 1))
1248 goto err;
1249 if (!sk_X509_push(cert_sk, x)) {
1250 BIO_printf(bio_err,
1251 "Memory allocation failure\n");
1252 goto err;
1253 }
1254 }
1255 }
1256 for (i = 0; i < ca_config.infiles_num; i++) {
1257 total++;
1258 j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst,
1259 ca_config.sigopts, attribs, db, serial,
1260 ca_config.subj, ca_config.chtype,
1261 ca_config.multirdn, ca_config.email_dn,
1262 ca_config.startdate, ca_config.enddate,
1263 ca_config.days, ca_config.batch,
1264 ca_config.extensions, conf, ca_config.verbose,
1265 certopt, nameopt, default_op, ext_copy,
1266 ca_config.selfsign);
1267 if (j < 0)
1268 goto err;
1269 if (j > 0) {
1270 total_done++;
1271 BIO_printf(bio_err, "\n");
1272 if (!BN_add_word(serial, 1))
1273 goto err;
1274 if (!sk_X509_push(cert_sk, x)) {
1275 BIO_printf(bio_err,
1276 "Memory allocation failure\n");
1277 goto err;
1278 }
1279 }
1280 }
1281 /*
1282 * we have a stack of newly certified certificates and a data
1283 * base and serial number that need updating
1284 */
1285
1286 if (sk_X509_num(cert_sk) > 0) {
1287 if (!ca_config.batch) {
1288 char answer[10];
1289
1290 BIO_printf(bio_err,
1291 "\n%d out of %d certificate requests certified, commit? [y/n]",
1292 total_done, total);
1293 (void) BIO_flush(bio_err);
1294 if (fgets(answer, sizeof answer - 1, stdin) ==
1295 NULL) {
1296 BIO_printf(bio_err,
1297 "CERTIFICATION CANCELED: I/O error\n");
1298 ret = 0;
1299 goto err;
1300 }
1301 if ((answer[0] != 'y') && (answer[0] != 'Y')) {
1302 BIO_printf(bio_err,
1303 "CERTIFICATION CANCELED\n");
1304 ret = 0;
1305 goto err;
1306 }
1307 }
1308 BIO_printf(bio_err,
1309 "Write out database with %d new entries\n",
1310 sk_X509_num(cert_sk));
1311
1312 if (!save_serial(serialfile, "new", serial, NULL))
1313 goto err;
1314
1315 if (!save_index(dbfile, "new", db))
1316 goto err;
1317 }
1318 if (ca_config.verbose)
1319 BIO_printf(bio_err, "writing new certificates\n");
1320 for (i = 0; i < sk_X509_num(cert_sk); i++) {
1321 ASN1_INTEGER *serialNumber;
1322 int k;
1323 char *serialstr;
1324 unsigned char *data;
1325 char pempath[PATH_MAX];
1326
1327 x = sk_X509_value(cert_sk, i);
1328
1329 serialNumber = X509_get_serialNumber(x);
1330 j = ASN1_STRING_length(serialNumber);
1331 data = ASN1_STRING_data(serialNumber);
1332
1333 if (j > 0)
1334 serialstr = bin2hex(data, j);
1335 else
1336 serialstr = strdup("00");
1337 if (serialstr != NULL) {
1338 k = snprintf(pempath, sizeof(pempath),
1339 "%s/%s.pem", ca_config.outdir, serialstr);
1340 free(serialstr);
1341 if (k < 0 || k >= sizeof(pempath)) {
1342 BIO_printf(bio_err,
1343 "certificate file name too long\n");
1344 goto err;
1345 }
1346 } else {
1347 BIO_printf(bio_err,
1348 "memory allocation failed\n");
1349 goto err;
1350 }
1351 if (ca_config.verbose)
1352 BIO_printf(bio_err, "writing %s\n", pempath);
1353
1354 if (BIO_write_filename(Cout, pempath) <= 0) {
1355 perror(pempath);
1356 goto err;
1357 }
1358 if (!write_new_certificate(Cout, x, 0,
1359 ca_config.notext))
1360 goto err;
1361 if (!write_new_certificate(Sout, x, output_der,
1362 ca_config.notext))
1363 goto err;
1364 }
1365
1366 if (sk_X509_num(cert_sk)) {
1367 /* Rename the database and the serial file */
1368 if (!rotate_serial(serialfile, "new", "old"))
1369 goto err;
1370
1371 if (!rotate_index(dbfile, "new", "old"))
1372 goto err;
1373
1374 BIO_printf(bio_err, "Data Base Updated\n");
1375 }
1376 }
1377 /*****************************************************************/
1378 if (ca_config.gencrl) {
1379 int crl_v2 = 0;
1380 if (ca_config.crl_ext == NULL) {
1381 ca_config.crl_ext = NCONF_get_string(conf,
1382 ca_config.section, ENV_CRLEXT);
1383 if (ca_config.crl_ext == NULL)
1384 ERR_clear_error();
1385 }
1386 if (ca_config.crl_ext != NULL) {
1387 /* Check syntax of file */
1388 X509V3_CTX ctx;
1389 X509V3_set_ctx_test(&ctx);
1390 X509V3_set_nconf(&ctx, conf);
1391 if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext,
1392 NULL)) {
1393 BIO_printf(bio_err,
1394 "Error Loading CRL extension section %s\n",
1395 ca_config.crl_ext);
1396 ret = 1;
1397 goto err;
1398 }
1399 }
1400 if ((crlnumberfile = NCONF_get_string(conf, ca_config.section,
1401 ENV_CRLNUMBER)) != NULL)
1402 if ((crlnumber = load_serial(crlnumberfile, 0,
1403 NULL)) == NULL) {
1404 BIO_printf(bio_err,
1405 "error while loading CRL number\n");
1406 goto err;
1407 }
1408 if (!ca_config.crldays && !ca_config.crlhours &&
1409 !ca_config.crlsec) {
1410 if (!NCONF_get_number(conf, ca_config.section,
1411 ENV_DEFAULT_CRL_DAYS, &ca_config.crldays))
1412 ca_config.crldays = 0;
1413 if (!NCONF_get_number(conf, ca_config.section,
1414 ENV_DEFAULT_CRL_HOURS, &ca_config.crlhours))
1415 ca_config.crlhours = 0;
1416 ERR_clear_error();
1417 }
1418 if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) &&
1419 (ca_config.crlsec == 0)) {
1420 BIO_printf(bio_err,
1421 "cannot lookup how long until the next CRL is issued\n");
1422 goto err;
1423 }
1424 if (ca_config.verbose)
1425 BIO_printf(bio_err, "making CRL\n");
1426 if ((crl = X509_CRL_new()) == NULL)
1427 goto err;
1428 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1429 goto err;
1430
1431 if ((tmptm = X509_gmtime_adj(NULL, 0)) == NULL)
1432 goto err;
1433 if (!X509_CRL_set_lastUpdate(crl, tmptm))
1434 goto err;
1435 if (X509_time_adj_ex(tmptm, ca_config.crldays,
1436 ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) ==
1437 NULL) {
1438 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1439 goto err;
1440 }
1441 if (!X509_CRL_set_nextUpdate(crl, tmptm))
1442 goto err;
1443 ASN1_TIME_free(tmptm);
1444 tmptm = NULL;
1445
1446 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1447 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1448 if (pp[DB_type][0] == DB_TYPE_REV) {
1449 if ((r = X509_REVOKED_new()) == NULL)
1450 goto err;
1451 j = make_revoked(r, pp[DB_rev_date]);
1452 if (!j)
1453 goto err;
1454 if (j == 2)
1455 crl_v2 = 1;
1456 if (!BN_hex2bn(&serial, pp[DB_serial]))
1457 goto err;
1458 tmpserial = BN_to_ASN1_INTEGER(serial, NULL);
1459 BN_free(serial);
1460 serial = NULL;
1461 if (tmpserial == NULL)
1462 goto err;
1463 if (!X509_REVOKED_set_serialNumber(r, tmpserial)) {
1464 ASN1_INTEGER_free(tmpserial);
1465 goto err;
1466 }
1467 ASN1_INTEGER_free(tmpserial);
1468 if (!X509_CRL_add0_revoked(crl, r))
1469 goto err;
1470 r = NULL;
1471 }
1472 }
1473
1474 /*
1475 * sort the data so it will be written in serial number order
1476 */
1477 X509_CRL_sort(crl);
1478
1479 /* we now have a CRL */
1480 if (ca_config.verbose)
1481 BIO_printf(bio_err, "signing CRL\n");
1482
1483 /* Add any extensions asked for */
1484
1485 if (ca_config.crl_ext != NULL || crlnumberfile != NULL) {
1486 X509V3_CTX crlctx;
1487 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1488 X509V3_set_nconf(&crlctx, conf);
1489
1490 if (ca_config.crl_ext != NULL)
1491 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1492 ca_config.crl_ext, crl))
1493 goto err;
1494 if (crlnumberfile != NULL) {
1495 tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL);
1496 if (tmpserial == NULL)
1497 goto err;
1498 if (!X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1499 tmpserial, 0, 0)) {
1500 ASN1_INTEGER_free(tmpserial);
1501 goto err;
1502 }
1503 ASN1_INTEGER_free(tmpserial);
1504 crl_v2 = 1;
1505 if (!BN_add_word(crlnumber, 1))
1506 goto err;
1507 }
1508 }
1509 if (ca_config.crl_ext != NULL || crl_v2) {
1510 if (!X509_CRL_set_version(crl, 1))
1511 goto err; /* version 2 CRL */
1512 }
1513 if (crlnumberfile != NULL) /* we have a CRL number that
1514 * need updating */
1515 if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1516 goto err;
1517
1518 BN_free(crlnumber);
1519 crlnumber = NULL;
1520
1521 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst,
1522 ca_config.sigopts))
1523 goto err;
1524
1525 if (!PEM_write_bio_X509_CRL(Sout, crl))
1526 goto err;
1527
1528 if (crlnumberfile != NULL) /* Rename the crlnumber file */
1529 if (!rotate_serial(crlnumberfile, "new", "old"))
1530 goto err;
1531
1532 }
1533 /*****************************************************************/
1534 if (ca_config.dorevoke) {
1535 if (ca_config.infile == NULL) {
1536 BIO_printf(bio_err, "no input files\n");
1537 goto err;
1538 } else {
1539 X509 *revcert;
1540 revcert = load_cert(bio_err, ca_config.infile,
1541 FORMAT_PEM, NULL, ca_config.infile);
1542 if (revcert == NULL)
1543 goto err;
1544 j = do_revoke(revcert, db, ca_config.rev_type,
1545 ca_config.rev_arg);
1546 if (j <= 0)
1547 goto err;
1548 X509_free(revcert);
1549
1550 if (!save_index(dbfile, "new", db))
1551 goto err;
1552
1553 if (!rotate_index(dbfile, "new", "old"))
1554 goto err;
1555
1556 BIO_printf(bio_err, "Data Base Updated\n");
1557 }
1558 }
1559 /*****************************************************************/
1560 ret = 0;
1561
1562 err:
1563 free(tofree);
1564
1565 BIO_free_all(Cout);
1566 BIO_free_all(Sout);
1567 BIO_free_all(out);
1568 BIO_free_all(in);
1569
1570 sk_X509_pop_free(cert_sk, X509_free);
1571
1572 if (ret)
1573 ERR_print_errors(bio_err);
1574 if (free_key)
1575 free(ca_config.key);
1576 BN_free(serial);
1577 BN_free(crlnumber);
1578 free_index(db);
1579 sk_OPENSSL_STRING_free(ca_config.sigopts);
1580 EVP_PKEY_free(pkey);
1581 X509_free(x509);
1582 X509_CRL_free(crl);
1583 X509_REVOKED_free(r);
1584 ASN1_TIME_free(tmptm);
1585 NCONF_free(conf);
1586 NCONF_free(extconf);
1587 OBJ_cleanup();
1588
1589 return (ret);
1590 }
1591
1592 static void
lookup_fail(const char * name,const char * tag)1593 lookup_fail(const char *name, const char *tag)
1594 {
1595 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1596 }
1597
1598 static int
certify(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy,int selfsign)1599 certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1600 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
1601 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
1602 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1603 char *enddate, long days, int batch, char *ext_sect, CONF *lconf,
1604 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1605 int ext_copy, int selfsign)
1606 {
1607 X509_REQ *req = NULL;
1608 BIO *in = NULL;
1609 EVP_PKEY *pktmp = NULL;
1610 int ok = -1, i;
1611
1612 in = BIO_new(BIO_s_file());
1613
1614 if (BIO_read_filename(in, infile) <= 0) {
1615 perror(infile);
1616 goto err;
1617 }
1618 if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1619 BIO_printf(bio_err, "Error reading certificate request in %s\n",
1620 infile);
1621 goto err;
1622 }
1623 if (verbose) {
1624 if (!X509_REQ_print(bio_err, req))
1625 goto err;
1626 }
1627
1628 BIO_printf(bio_err, "Check that the request matches the signature\n");
1629
1630 if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1631 BIO_printf(bio_err,
1632 "Certificate request and CA private key do not match\n");
1633 ok = 0;
1634 goto err;
1635 }
1636 if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
1637 BIO_printf(bio_err, "error unpacking public key\n");
1638 goto err;
1639 }
1640 i = X509_REQ_verify(req, pktmp);
1641 if (i < 0) {
1642 ok = 0;
1643 BIO_printf(bio_err, "Signature verification problems....\n");
1644 goto err;
1645 }
1646 if (i == 0) {
1647 ok = 0;
1648 BIO_printf(bio_err,
1649 "Signature did not match the certificate request\n");
1650 goto err;
1651 } else
1652 BIO_printf(bio_err, "Signature ok\n");
1653
1654 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1655 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1656 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1657 ext_copy, selfsign);
1658
1659 err:
1660 X509_REQ_free(req);
1661 BIO_free(in);
1662
1663 return (ok);
1664 }
1665
1666 static int
certify_cert(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy)1667 certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1668 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
1669 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
1670 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1671 char *enddate, long days, int batch, char *ext_sect, CONF *lconf,
1672 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1673 int ext_copy)
1674 {
1675 X509 *req = NULL;
1676 X509_REQ *rreq = NULL;
1677 EVP_PKEY *pktmp = NULL;
1678 int ok = -1, i;
1679
1680 if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
1681 infile)) == NULL)
1682 goto err;
1683 if (verbose) {
1684 if (!X509_print(bio_err, req))
1685 goto err;
1686 }
1687
1688 BIO_printf(bio_err, "Check that the request matches the signature\n");
1689
1690 if ((pktmp = X509_get0_pubkey(req)) == NULL) {
1691 BIO_printf(bio_err, "error unpacking public key\n");
1692 goto err;
1693 }
1694 i = X509_verify(req, pktmp);
1695 if (i < 0) {
1696 ok = 0;
1697 BIO_printf(bio_err, "Signature verification problems....\n");
1698 goto err;
1699 }
1700 if (i == 0) {
1701 ok = 0;
1702 BIO_printf(bio_err,
1703 "Signature did not match the certificate\n");
1704 goto err;
1705 } else
1706 BIO_printf(bio_err, "Signature ok\n");
1707
1708 if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1709 goto err;
1710
1711 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1712 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1713 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1714 ext_copy, 0);
1715
1716 err:
1717 X509_REQ_free(rreq);
1718 X509_free(req);
1719
1720 return (ok);
1721 }
1722
1723 static int
do_body(X509 ** xret,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,int verbose,X509_REQ * req,char * ext_sect,CONF * lconf,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy,int selfsign)1724 do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1725 STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
1726 CA_DB *db, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn,
1727 int email_dn, char *startdate, char *enddate, long days, int batch,
1728 int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
1729 unsigned long certopt, unsigned long nameopt, int default_op,
1730 int ext_copy, int selfsign)
1731 {
1732 X509_NAME *name = NULL, *CAname = NULL;
1733 X509_NAME *subject = NULL, *dn_subject = NULL;
1734 ASN1_UTCTIME *tm;
1735 ASN1_STRING *str, *str2;
1736 ASN1_OBJECT *obj;
1737 X509 *ret = NULL;
1738 X509_NAME_ENTRY *ne;
1739 X509_NAME_ENTRY *tne, *push;
1740 EVP_PKEY *pktmp;
1741 int ok = -1, i, j, last, nid;
1742 const char *p;
1743 CONF_VALUE *cv;
1744 OPENSSL_STRING row[DB_NUMBER];
1745 OPENSSL_STRING *irow = NULL;
1746 OPENSSL_STRING *rrow = NULL;
1747 const STACK_OF(X509_EXTENSION) *exts;
1748
1749 *xret = NULL;
1750
1751 for (i = 0; i < DB_NUMBER; i++)
1752 row[i] = NULL;
1753
1754 if (subj != NULL) {
1755 X509_NAME *n = parse_name(subj, chtype, multirdn);
1756
1757 if (n == NULL) {
1758 ERR_print_errors(bio_err);
1759 goto err;
1760 }
1761 if (!X509_REQ_set_subject_name(req, n)) {
1762 X509_NAME_free(n);
1763 goto err;
1764 }
1765 X509_NAME_free(n);
1766 }
1767 if (default_op)
1768 BIO_printf(bio_err,
1769 "The Subject's Distinguished Name is as follows\n");
1770
1771 name = X509_REQ_get_subject_name(req);
1772 for (i = 0; i < X509_NAME_entry_count(name); i++) {
1773 ne = X509_NAME_get_entry(name, i);
1774 if (ne == NULL)
1775 goto err;
1776 str = X509_NAME_ENTRY_get_data(ne);
1777 if (str == NULL)
1778 goto err;
1779 obj = X509_NAME_ENTRY_get_object(ne);
1780 if (obj == NULL)
1781 goto err;
1782
1783 if (ca_config.msie_hack) {
1784 /* assume all type should be strings */
1785 nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne));
1786 if (nid == NID_undef)
1787 goto err;
1788
1789 if (str->type == V_ASN1_UNIVERSALSTRING)
1790 ASN1_UNIVERSALSTRING_to_string(str);
1791
1792 if ((str->type == V_ASN1_IA5STRING) &&
1793 (nid != NID_pkcs9_emailAddress))
1794 str->type = V_ASN1_T61STRING;
1795
1796 if ((nid == NID_pkcs9_emailAddress) &&
1797 (str->type == V_ASN1_PRINTABLESTRING))
1798 str->type = V_ASN1_IA5STRING;
1799 }
1800 /* If no EMAIL is wanted in the subject */
1801 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1802 continue;
1803
1804 /* check some things */
1805 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1806 (str->type != V_ASN1_IA5STRING)) {
1807 BIO_printf(bio_err,
1808 "\nemailAddress type needs to be of type IA5STRING\n");
1809 goto err;
1810 }
1811 if ((str->type != V_ASN1_BMPSTRING) &&
1812 (str->type != V_ASN1_UTF8STRING)) {
1813 j = ASN1_PRINTABLE_type(str->data, str->length);
1814 if (((j == V_ASN1_T61STRING) &&
1815 (str->type != V_ASN1_T61STRING)) ||
1816 ((j == V_ASN1_IA5STRING) &&
1817 (str->type == V_ASN1_PRINTABLESTRING))) {
1818 BIO_printf(bio_err,
1819 "\nThe string contains characters that are illegal for the ASN.1 type\n");
1820 goto err;
1821 }
1822 }
1823 if (default_op)
1824 old_entry_print(bio_err, obj, str);
1825 }
1826
1827 /* Ok, now we check the 'policy' stuff. */
1828 if ((subject = X509_NAME_new()) == NULL) {
1829 BIO_printf(bio_err, "Memory allocation failure\n");
1830 goto err;
1831 }
1832 /* take a copy of the issuer name before we mess with it. */
1833 if (selfsign)
1834 CAname = X509_NAME_dup(name);
1835 else
1836 CAname = X509_NAME_dup(X509_get_subject_name(x509));
1837 if (CAname == NULL)
1838 goto err;
1839 str = str2 = NULL;
1840
1841 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1842 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1843 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1844 BIO_printf(bio_err,
1845 "%s:unknown object type in 'policy' configuration\n",
1846 cv->name);
1847 goto err;
1848 }
1849 obj = OBJ_nid2obj(j);
1850 if (obj == NULL)
1851 goto err;
1852
1853 last = -1;
1854 for (;;) {
1855 /* lookup the object in the supplied name list */
1856 j = X509_NAME_get_index_by_OBJ(name, obj, last);
1857 if (j < 0) {
1858 if (last != -1)
1859 break;
1860 tne = NULL;
1861 } else {
1862 tne = X509_NAME_get_entry(name, j);
1863 if (tne == NULL)
1864 goto err;
1865 }
1866 last = j;
1867
1868 /* depending on the 'policy', decide what to do. */
1869 push = NULL;
1870 if (strcmp(cv->value, "optional") == 0) {
1871 if (tne != NULL)
1872 push = tne;
1873 } else if (strcmp(cv->value, "supplied") == 0) {
1874 if (tne == NULL) {
1875 BIO_printf(bio_err,
1876 "The %s field needed to be supplied and was missing\n",
1877 cv->name);
1878 goto err;
1879 } else
1880 push = tne;
1881 } else if (strcmp(cv->value, "match") == 0) {
1882 int last2;
1883
1884 if (tne == NULL) {
1885 BIO_printf(bio_err,
1886 "The mandatory %s field was missing\n",
1887 cv->name);
1888 goto err;
1889 }
1890 last2 = -1;
1891
1892 again2:
1893 j = X509_NAME_get_index_by_OBJ(CAname, obj,
1894 last2);
1895 if ((j < 0) && (last2 == -1)) {
1896 BIO_printf(bio_err,
1897 "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",
1898 cv->name);
1899 goto err;
1900 }
1901 if (j >= 0) {
1902 push = X509_NAME_get_entry(CAname, j);
1903 if (push == NULL)
1904 goto err;
1905 str = X509_NAME_ENTRY_get_data(tne);
1906 if (str == NULL)
1907 goto err;
1908 str2 = X509_NAME_ENTRY_get_data(push);
1909 if (str2 == NULL)
1910 goto err;
1911 last2 = j;
1912 if (ASN1_STRING_cmp(str, str2) != 0)
1913 goto again2;
1914 }
1915 if (j < 0) {
1916 BIO_printf(bio_err,
1917 "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",
1918 cv->name, ((str2 == NULL) ?
1919 "NULL" : (char *) str2->data),
1920 ((str == NULL) ?
1921 "NULL" : (char *) str->data));
1922 goto err;
1923 }
1924 } else {
1925 BIO_printf(bio_err,
1926 "%s:invalid type in 'policy' configuration\n",
1927 cv->value);
1928 goto err;
1929 }
1930
1931 if (push != NULL) {
1932 if (!X509_NAME_add_entry(subject, push,
1933 -1, 0)) {
1934 X509_NAME_ENTRY_free(push);
1935 BIO_printf(bio_err,
1936 "Memory allocation failure\n");
1937 goto err;
1938 }
1939 }
1940 if (j < 0)
1941 break;
1942 }
1943 }
1944
1945 if (ca_config.preserve) {
1946 X509_NAME_free(subject);
1947 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1948 subject = X509_NAME_dup(name);
1949 if (subject == NULL)
1950 goto err;
1951 }
1952
1953 /* We are now totally happy, lets make and sign the certificate */
1954 if (verbose)
1955 BIO_printf(bio_err,
1956 "Everything appears to be ok, creating and signing the certificate\n");
1957
1958 if ((ret = X509_new()) == NULL)
1959 goto err;
1960
1961 #ifdef X509_V3
1962 /* Make it an X509 v3 certificate. */
1963 if (!X509_set_version(ret, 2))
1964 goto err;
1965 #endif
1966 if (X509_get_serialNumber(ret) == NULL)
1967 goto err;
1968 if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
1969 goto err;
1970 if (selfsign) {
1971 if (!X509_set_issuer_name(ret, subject))
1972 goto err;
1973 } else {
1974 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1975 goto err;
1976 }
1977
1978 if (strcmp(startdate, "today") == 0) {
1979 if (X509_gmtime_adj(X509_get_notBefore(ret), 0) == NULL)
1980 goto err;
1981 } else if (setCertificateTime(X509_get_notBefore(ret), startdate) == -1) {
1982 BIO_printf(bio_err, "Invalid start date %s\n", startdate);
1983 goto err;
1984 }
1985
1986 if (enddate == NULL) {
1987 if (X509_time_adj_ex(X509_get_notAfter(ret), days, 0,
1988 NULL) == NULL)
1989 goto err;
1990 } else if (setCertificateTime(X509_get_notAfter(ret), enddate) == -1) {
1991 BIO_printf(bio_err, "Invalid end date %s\n", enddate);
1992 goto err;
1993 }
1994
1995 if (!X509_set_subject_name(ret, subject))
1996 goto err;
1997
1998 if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL)
1999 goto err;
2000
2001 if (!X509_set_pubkey(ret, pktmp))
2002 goto err;
2003
2004 /* Lets add the extensions, if there are any */
2005 if (ext_sect != NULL) {
2006 X509V3_CTX ctx;
2007
2008 /* Initialize the context structure */
2009 if (selfsign)
2010 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
2011 else
2012 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
2013
2014 if (extconf != NULL) {
2015 if (verbose)
2016 BIO_printf(bio_err,
2017 "Extra configuration file found\n");
2018
2019 /* Use the extconf configuration db LHASH */
2020 X509V3_set_nconf(&ctx, extconf);
2021
2022 /* Test the structure (needed?) */
2023 /* X509V3_set_ctx_test(&ctx); */
2024
2025 /* Adds exts contained in the configuration file */
2026 if (!X509V3_EXT_add_nconf(extconf, &ctx,
2027 ext_sect, ret)) {
2028 BIO_printf(bio_err,
2029 "ERROR: adding extensions in section %s\n",
2030 ext_sect);
2031 ERR_print_errors(bio_err);
2032 goto err;
2033 }
2034 if (verbose)
2035 BIO_printf(bio_err,
2036 "Successfully added extensions from file.\n");
2037 } else if (ext_sect != NULL) {
2038 /* We found extensions to be set from config file */
2039 X509V3_set_nconf(&ctx, lconf);
2040
2041 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
2042 BIO_printf(bio_err,
2043 "ERROR: adding extensions in section %s\n",
2044 ext_sect);
2045 ERR_print_errors(bio_err);
2046 goto err;
2047 }
2048 if (verbose)
2049 BIO_printf(bio_err,
2050 "Successfully added extensions from config\n");
2051 }
2052 }
2053
2054 /* Copy extensions from request (if any) */
2055 if (!copy_extensions(ret, req, ext_copy)) {
2056 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
2057 ERR_print_errors(bio_err);
2058 goto err;
2059 }
2060
2061 exts = X509_get0_extensions(ret);
2062 if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) {
2063 /* Make it an X509 v3 certificate. */
2064 if (!X509_set_version(ret, 2))
2065 goto err;
2066 }
2067
2068 if (verbose)
2069 BIO_printf(bio_err,
2070 "The subject name appears to be ok, checking data base for clashes\n");
2071
2072 /* Build the correct Subject if no email is wanted in the subject */
2073 if (!email_dn) {
2074 X509_NAME_ENTRY *tmpne;
2075 /*
2076 * Its best to dup the subject DN and then delete any email
2077 * addresses because this retains its structure.
2078 */
2079 if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
2080 BIO_printf(bio_err, "Memory allocation failure\n");
2081 goto err;
2082 }
2083 while ((i = X509_NAME_get_index_by_NID(dn_subject,
2084 NID_pkcs9_emailAddress, -1)) >= 0) {
2085 tmpne = X509_NAME_get_entry(dn_subject, i);
2086 if (tmpne == NULL)
2087 goto err;
2088 if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
2089 X509_NAME_ENTRY_free(tmpne);
2090 goto err;
2091 }
2092 X509_NAME_ENTRY_free(tmpne);
2093 }
2094
2095 if (!X509_set_subject_name(ret, dn_subject))
2096 goto err;
2097
2098 X509_NAME_free(dn_subject);
2099 dn_subject = NULL;
2100 }
2101
2102 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
2103 if (row[DB_name] == NULL) {
2104 BIO_printf(bio_err, "Memory allocation failure\n");
2105 goto err;
2106 }
2107
2108 if (BN_is_zero(serial))
2109 row[DB_serial] = strdup("00");
2110 else
2111 row[DB_serial] = BN_bn2hex(serial);
2112 if (row[DB_serial] == NULL) {
2113 BIO_printf(bio_err, "Memory allocation failure\n");
2114 goto err;
2115 }
2116
2117 if (row[DB_name][0] == '\0') {
2118 /*
2119 * An empty subject! We'll use the serial number instead. If
2120 * unique_subject is in use then we don't want different
2121 * entries with empty subjects matching each other.
2122 */
2123 free(row[DB_name]);
2124 row[DB_name] = strdup(row[DB_serial]);
2125 if (row[DB_name] == NULL) {
2126 BIO_printf(bio_err, "Memory allocation failure\n");
2127 goto err;
2128 }
2129 }
2130
2131 if (db->attributes.unique_subject) {
2132 OPENSSL_STRING *crow = row;
2133
2134 rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
2135 if (rrow != NULL) {
2136 BIO_printf(bio_err,
2137 "ERROR:There is already a certificate for %s\n",
2138 row[DB_name]);
2139 }
2140 }
2141 if (rrow == NULL) {
2142 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2143 if (rrow != NULL) {
2144 BIO_printf(bio_err,
2145 "ERROR:Serial number %s has already been issued,\n",
2146 row[DB_serial]);
2147 BIO_printf(bio_err,
2148 " check the database/serial_file for corruption\n");
2149 }
2150 }
2151 if (rrow != NULL) {
2152 BIO_printf(bio_err,
2153 "The matching entry has the following details\n");
2154 if (rrow[DB_type][0] == DB_TYPE_EXP)
2155 p = "Expired";
2156 else if (rrow[DB_type][0] == DB_TYPE_REV)
2157 p = "Revoked";
2158 else if (rrow[DB_type][0] == DB_TYPE_VAL)
2159 p = "Valid";
2160 else
2161 p = "\ninvalid type, Data base error\n";
2162 BIO_printf(bio_err, "Type :%s\n", p);
2163 if (rrow[DB_type][0] == DB_TYPE_REV) {
2164 p = rrow[DB_exp_date];
2165 if (p == NULL)
2166 p = "undef";
2167 BIO_printf(bio_err, "Was revoked on:%s\n", p);
2168 }
2169 p = rrow[DB_exp_date];
2170 if (p == NULL)
2171 p = "undef";
2172 BIO_printf(bio_err, "Expires on :%s\n", p);
2173 p = rrow[DB_serial];
2174 if (p == NULL)
2175 p = "undef";
2176 BIO_printf(bio_err, "Serial Number :%s\n", p);
2177 p = rrow[DB_file];
2178 if (p == NULL)
2179 p = "undef";
2180 BIO_printf(bio_err, "File name :%s\n", p);
2181 p = rrow[DB_name];
2182 if (p == NULL)
2183 p = "undef";
2184 BIO_printf(bio_err, "Subject Name :%s\n", p);
2185 ok = -1; /* This is now a 'bad' error. */
2186 goto err;
2187 }
2188
2189 if (!default_op) {
2190 BIO_printf(bio_err, "Certificate Details:\n");
2191 /*
2192 * Never print signature details because signature not
2193 * present
2194 */
2195 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2196 if (!X509_print_ex(bio_err, ret, nameopt, certopt))
2197 goto err;
2198 }
2199 BIO_printf(bio_err, "Certificate is to be certified until ");
2200 ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
2201 if (days)
2202 BIO_printf(bio_err, " (%ld days)", days);
2203 BIO_printf(bio_err, "\n");
2204
2205 if (!batch) {
2206 char answer[25];
2207
2208 BIO_printf(bio_err, "Sign the certificate? [y/n]:");
2209 (void) BIO_flush(bio_err);
2210 if (!fgets(answer, sizeof(answer) - 1, stdin)) {
2211 BIO_printf(bio_err,
2212 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
2213 ok = 0;
2214 goto err;
2215 }
2216 if (!((answer[0] == 'y') || (answer[0] == 'Y'))) {
2217 BIO_printf(bio_err,
2218 "CERTIFICATE WILL NOT BE CERTIFIED\n");
2219 ok = 0;
2220 goto err;
2221 }
2222 }
2223
2224 if ((pktmp = X509_get0_pubkey(ret)) == NULL)
2225 goto err;
2226
2227 if (EVP_PKEY_missing_parameters(pktmp) &&
2228 !EVP_PKEY_missing_parameters(pkey)) {
2229 if (!EVP_PKEY_copy_parameters(pktmp, pkey)) {
2230 goto err;
2231 }
2232 }
2233
2234 if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
2235 goto err;
2236
2237 /* We now just add it to the database */
2238 row[DB_type] = malloc(2);
2239
2240 if ((tm = X509_get_notAfter(ret)) == NULL)
2241 goto err;
2242 row[DB_exp_date] = strndup(tm->data, tm->length);
2243 if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
2244 BIO_printf(bio_err, "Memory allocation failure\n");
2245 goto err;
2246 }
2247
2248 row[DB_rev_date] = NULL;
2249
2250 /* row[DB_serial] done already */
2251 row[DB_file] = malloc(8);
2252
2253 if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
2254 (row[DB_name] == NULL)) {
2255 BIO_printf(bio_err, "Memory allocation failure\n");
2256 goto err;
2257 }
2258 (void) strlcpy(row[DB_file], "unknown", 8);
2259 row[DB_type][0] = DB_TYPE_VAL;
2260 row[DB_type][1] = '\0';
2261
2262 if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
2263 NULL) {
2264 BIO_printf(bio_err, "Memory allocation failure\n");
2265 goto err;
2266 }
2267 for (i = 0; i < DB_NUMBER; i++) {
2268 irow[i] = row[i];
2269 row[i] = NULL;
2270 }
2271 irow[DB_NUMBER] = NULL;
2272
2273 if (!TXT_DB_insert(db->db, irow)) {
2274 BIO_printf(bio_err, "failed to update database\n");
2275 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
2276 goto err;
2277 }
2278
2279 *xret = ret;
2280 ret = NULL;
2281 ok = 1;
2282
2283 err:
2284 for (i = 0; i < DB_NUMBER; i++)
2285 free(row[i]);
2286
2287 X509_NAME_free(CAname);
2288 X509_NAME_free(subject);
2289 X509_NAME_free(dn_subject);
2290 X509_free(ret);
2291
2292 return (ok);
2293 }
2294
2295 static int
write_new_certificate(BIO * bp,X509 * x,int output_der,int notext)2296 write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
2297 {
2298 if (output_der) {
2299 if (!i2d_X509_bio(bp, x))
2300 return (0);
2301 }
2302 if (!notext) {
2303 if (!X509_print(bp, x))
2304 return (0);
2305 }
2306
2307 return PEM_write_bio_X509(bp, x);
2308 }
2309
2310 static int
certify_spkac(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy)2311 certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
2312 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
2313 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
2314 unsigned long chtype, int multirdn, int email_dn, char *startdate,
2315 char *enddate, long days, char *ext_sect, CONF *lconf, int verbose,
2316 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2317 {
2318 STACK_OF(CONF_VALUE) *sk = NULL;
2319 LHASH_OF(CONF_VALUE) *parms = NULL;
2320 X509_REQ *req = NULL;
2321 CONF_VALUE *cv = NULL;
2322 NETSCAPE_SPKI *spki = NULL;
2323 char *type, *buf;
2324 EVP_PKEY *pktmp = NULL;
2325 X509_NAME *n = NULL;
2326 int ok = -1, i, j;
2327 long errline;
2328 int nid;
2329
2330 /*
2331 * Load input file into a hash table. (This is just an easy
2332 * way to read and parse the file, then put it into a convenient
2333 * STACK format).
2334 */
2335 parms = CONF_load(NULL, infile, &errline);
2336 if (parms == NULL) {
2337 BIO_printf(bio_err, "error on line %ld of %s\n",
2338 errline, infile);
2339 ERR_print_errors(bio_err);
2340 goto err;
2341 }
2342 sk = CONF_get_section(parms, "default");
2343 if (sk_CONF_VALUE_num(sk) == 0) {
2344 BIO_printf(bio_err, "no name/value pairs found in %s\n",
2345 infile);
2346 CONF_free(parms);
2347 goto err;
2348 }
2349 /*
2350 * Now create a dummy X509 request structure. We don't actually
2351 * have an X509 request, but we have many of the components
2352 * (a public key, various DN components). The idea is that we
2353 * put these components into the right X509 request structure
2354 * and we can use the same code as if you had a real X509 request.
2355 */
2356 req = X509_REQ_new();
2357 if (req == NULL) {
2358 ERR_print_errors(bio_err);
2359 goto err;
2360 }
2361 /*
2362 * Build up the subject name set.
2363 */
2364 n = X509_REQ_get_subject_name(req);
2365
2366 for (i = 0;; i++) {
2367 if (sk_CONF_VALUE_num(sk) <= i)
2368 break;
2369
2370 cv = sk_CONF_VALUE_value(sk, i);
2371 type = cv->name;
2372 /*
2373 * Skip past any leading X. X: X, etc to allow for multiple
2374 * instances
2375 */
2376 for (buf = cv->name; *buf; buf++) {
2377 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2378 buf++;
2379 if (*buf)
2380 type = buf;
2381 break;
2382 }
2383 }
2384
2385 buf = cv->value;
2386 if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2387 if (strcmp(type, "SPKAC") == 0) {
2388 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2389 if (spki == NULL) {
2390 BIO_printf(bio_err,
2391 "unable to load Netscape SPKAC structure\n");
2392 ERR_print_errors(bio_err);
2393 goto err;
2394 }
2395 }
2396 continue;
2397 }
2398 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2399 (unsigned char *)buf, -1, -1, 0))
2400 goto err;
2401 }
2402 if (spki == NULL) {
2403 BIO_printf(bio_err,
2404 "Netscape SPKAC structure not found in %s\n", infile);
2405 goto err;
2406 }
2407 /*
2408 * Now extract the key from the SPKI structure.
2409 */
2410
2411 BIO_printf(bio_err,
2412 "Check that the SPKAC request matches the signature\n");
2413
2414 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2415 BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2416 goto err;
2417 }
2418 j = NETSCAPE_SPKI_verify(spki, pktmp);
2419 if (j <= 0) {
2420 BIO_printf(bio_err,
2421 "signature verification failed on SPKAC public key\n");
2422 goto err;
2423 }
2424 BIO_printf(bio_err, "Signature ok\n");
2425
2426 if (!X509_REQ_set_pubkey(req, pktmp)) {
2427 EVP_PKEY_free(pktmp);
2428 goto err;
2429 }
2430 EVP_PKEY_free(pktmp);
2431 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2432 subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2433 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2434 ext_copy, 0);
2435
2436 err:
2437 X509_REQ_free(req);
2438 CONF_free(parms);
2439 NETSCAPE_SPKI_free(spki);
2440
2441 return (ok);
2442 }
2443
2444 static int
check_time_format(const char * str)2445 check_time_format(const char *str)
2446 {
2447 return ASN1_TIME_set_string(NULL, str);
2448 }
2449
2450 static int
do_revoke(X509 * x509,CA_DB * db,int type,char * value)2451 do_revoke(X509 *x509, CA_DB *db, int type, char *value)
2452 {
2453 ASN1_UTCTIME *tm = NULL;
2454 char *row[DB_NUMBER], **rrow, **irow;
2455 char *rev_str = NULL;
2456 BIGNUM *bn = NULL;
2457 int ok = -1, i;
2458
2459 for (i = 0; i < DB_NUMBER; i++)
2460 row[i] = NULL;
2461 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2462 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2463 if (bn == NULL)
2464 goto err;
2465 if (BN_is_zero(bn))
2466 row[DB_serial] = strdup("00");
2467 else
2468 row[DB_serial] = BN_bn2hex(bn);
2469 BN_free(bn);
2470
2471 if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
2472 /*
2473 * Entries with empty Subjects actually use the serial number
2474 * instead
2475 */
2476 free(row[DB_name]);
2477 row[DB_name] = strdup(row[DB_serial]);
2478 if (row[DB_name] == NULL) {
2479 BIO_printf(bio_err, "Memory allocation failure\n");
2480 goto err;
2481 }
2482 }
2483
2484 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2485 BIO_printf(bio_err, "Memory allocation failure\n");
2486 goto err;
2487 }
2488 /*
2489 * We have to lookup by serial number because name lookup skips
2490 * revoked certs
2491 */
2492 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2493 if (rrow == NULL) {
2494 BIO_printf(bio_err,
2495 "Adding Entry with serial number %s to DB for %s\n",
2496 row[DB_serial], row[DB_name]);
2497
2498 /* We now just add it to the database */
2499 row[DB_type] = malloc(2);
2500
2501 if ((tm = X509_get_notAfter(x509)) == NULL)
2502 goto err;
2503 row[DB_exp_date] = strndup(tm->data, tm->length);
2504 if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
2505 BIO_printf(bio_err, "Memory allocation failure\n");
2506 goto err;
2507 }
2508
2509 row[DB_rev_date] = NULL;
2510
2511 /* row[DB_serial] done already */
2512 row[DB_file] = malloc(8);
2513
2514 /* row[DB_name] done already */
2515
2516 if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
2517 BIO_printf(bio_err, "Memory allocation failure\n");
2518 goto err;
2519 }
2520 (void) strlcpy(row[DB_file], "unknown", 8);
2521 row[DB_type][0] = DB_TYPE_VAL;
2522 row[DB_type][1] = '\0';
2523
2524 if ((irow = reallocarray(NULL, sizeof(char *),
2525 (DB_NUMBER + 1))) == NULL) {
2526 BIO_printf(bio_err, "Memory allocation failure\n");
2527 goto err;
2528 }
2529 for (i = 0; i < DB_NUMBER; i++) {
2530 irow[i] = row[i];
2531 row[i] = NULL;
2532 }
2533 irow[DB_NUMBER] = NULL;
2534
2535 if (!TXT_DB_insert(db->db, irow)) {
2536 BIO_printf(bio_err, "failed to update database\n");
2537 BIO_printf(bio_err, "TXT_DB error number %ld\n",
2538 db->db->error);
2539 goto err;
2540 }
2541 /* Revoke Certificate */
2542 ok = do_revoke(x509, db, type, value);
2543
2544 goto err;
2545
2546 } else if (index_name_cmp_noconst(row, rrow)) {
2547 BIO_printf(bio_err, "ERROR:name does not match %s\n",
2548 row[DB_name]);
2549 goto err;
2550 } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2551 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2552 row[DB_serial]);
2553 goto err;
2554 } else {
2555 BIO_printf(bio_err, "Revoking Certificate %s.\n",
2556 rrow[DB_serial]);
2557 rev_str = make_revocation_str(type, value);
2558 if (rev_str == NULL) {
2559 BIO_printf(bio_err, "Error in revocation arguments\n");
2560 goto err;
2561 }
2562 rrow[DB_type][0] = DB_TYPE_REV;
2563 rrow[DB_type][1] = '\0';
2564 rrow[DB_rev_date] = rev_str;
2565 }
2566 ok = 1;
2567
2568 err:
2569 for (i = 0; i < DB_NUMBER; i++)
2570 free(row[i]);
2571
2572 return (ok);
2573 }
2574
2575 static int
get_certificate_status(const char * serial,CA_DB * db)2576 get_certificate_status(const char *serial, CA_DB *db)
2577 {
2578 char *row[DB_NUMBER], **rrow;
2579 int ok = -1, i;
2580
2581 /* Free Resources */
2582 for (i = 0; i < DB_NUMBER; i++)
2583 row[i] = NULL;
2584
2585 /* Malloc needed char spaces */
2586 row[DB_serial] = malloc(strlen(serial) + 2);
2587 if (row[DB_serial] == NULL) {
2588 BIO_printf(bio_err, "Malloc failure\n");
2589 goto err;
2590 }
2591 if (strlen(serial) % 2) {
2592 /* Set the first char to 0 */ ;
2593 row[DB_serial][0] = '0';
2594
2595 /* Copy String from serial to row[DB_serial] */
2596 memcpy(row[DB_serial] + 1, serial, strlen(serial));
2597 row[DB_serial][strlen(serial) + 1] = '\0';
2598 } else {
2599 /* Copy String from serial to row[DB_serial] */
2600 memcpy(row[DB_serial], serial, strlen(serial));
2601 row[DB_serial][strlen(serial)] = '\0';
2602 }
2603
2604 /* Make it Upper Case */
2605 for (i = 0; row[DB_serial][i] != '\0'; i++)
2606 row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2607
2608
2609 ok = 1;
2610
2611 /* Search for the certificate */
2612 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2613 if (rrow == NULL) {
2614 BIO_printf(bio_err, "Serial %s not present in db.\n",
2615 row[DB_serial]);
2616 ok = -1;
2617 goto err;
2618 } else if (rrow[DB_type][0] == DB_TYPE_VAL) {
2619 BIO_printf(bio_err, "%s=Valid (%c)\n",
2620 row[DB_serial], rrow[DB_type][0]);
2621 goto err;
2622 } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2623 BIO_printf(bio_err, "%s=Revoked (%c)\n",
2624 row[DB_serial], rrow[DB_type][0]);
2625 goto err;
2626 } else if (rrow[DB_type][0] == DB_TYPE_EXP) {
2627 BIO_printf(bio_err, "%s=Expired (%c)\n",
2628 row[DB_serial], rrow[DB_type][0]);
2629 goto err;
2630 } else if (rrow[DB_type][0] == DB_TYPE_SUSP) {
2631 BIO_printf(bio_err, "%s=Suspended (%c)\n",
2632 row[DB_serial], rrow[DB_type][0]);
2633 goto err;
2634 } else {
2635 BIO_printf(bio_err, "%s=Unknown (%c).\n",
2636 row[DB_serial], rrow[DB_type][0]);
2637 ok = -1;
2638 }
2639
2640 err:
2641 for (i = 0; i < DB_NUMBER; i++)
2642 free(row[i]);
2643
2644 return (ok);
2645 }
2646
2647 static int
do_updatedb(CA_DB * db)2648 do_updatedb(CA_DB *db)
2649 {
2650 ASN1_UTCTIME *a_tm = NULL;
2651 int i, cnt = 0;
2652 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2653 char **rrow, *a_tm_s = NULL;
2654
2655 a_tm = ASN1_UTCTIME_new();
2656 if (a_tm == NULL) {
2657 cnt = -1;
2658 goto err;
2659 }
2660
2661 /* get actual time and make a string */
2662 a_tm = X509_gmtime_adj(a_tm, 0);
2663 if (a_tm == NULL) {
2664 cnt = -1;
2665 goto err;
2666 }
2667 a_tm_s = strndup(a_tm->data, a_tm->length);
2668 if (a_tm_s == NULL) {
2669 cnt = -1;
2670 goto err;
2671 }
2672
2673 if (strncmp(a_tm_s, "49", 2) <= 0)
2674 a_y2k = 1;
2675 else
2676 a_y2k = 0;
2677
2678 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2679 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2680
2681 if (rrow[DB_type][0] == DB_TYPE_VAL) {
2682 /* ignore entries that are not valid */
2683 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2684 db_y2k = 1;
2685 else
2686 db_y2k = 0;
2687
2688 if (db_y2k == a_y2k) {
2689 /* all on the same y2k side */
2690 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2691 rrow[DB_type][0] = DB_TYPE_EXP;
2692 rrow[DB_type][1] = '\0';
2693 cnt++;
2694
2695 BIO_printf(bio_err, "%s=Expired\n",
2696 rrow[DB_serial]);
2697 }
2698 } else if (db_y2k < a_y2k) {
2699 rrow[DB_type][0] = DB_TYPE_EXP;
2700 rrow[DB_type][1] = '\0';
2701 cnt++;
2702
2703 BIO_printf(bio_err, "%s=Expired\n",
2704 rrow[DB_serial]);
2705 }
2706 }
2707 }
2708
2709 err:
2710 ASN1_UTCTIME_free(a_tm);
2711 free(a_tm_s);
2712
2713 return (cnt);
2714 }
2715
2716 static const char *crl_reasons[] = {
2717 /* CRL reason strings */
2718 "unspecified",
2719 "keyCompromise",
2720 "CACompromise",
2721 "affiliationChanged",
2722 "superseded",
2723 "cessationOfOperation",
2724 "certificateHold",
2725 "removeFromCRL",
2726 /* Additional pseudo reasons */
2727 "holdInstruction",
2728 "keyTime",
2729 "CAkeyTime"
2730 };
2731
2732 #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2733
2734 /* Given revocation information convert to a DB string.
2735 * The format of the string is:
2736 * revtime[,reason,extra]. Where 'revtime' is the
2737 * revocation time (the current time). 'reason' is the
2738 * optional CRL reason and 'extra' is any additional
2739 * argument
2740 */
2741
2742 char *
make_revocation_str(int rev_type,char * rev_arg)2743 make_revocation_str(int rev_type, char *rev_arg)
2744 {
2745 char *other = NULL, *str;
2746 const char *reason = NULL;
2747 ASN1_OBJECT *otmp;
2748 ASN1_UTCTIME *revtm = NULL;
2749 int i;
2750 switch (rev_type) {
2751 case REV_NONE:
2752 break;
2753
2754 case REV_CRL_REASON:
2755 for (i = 0; i < 8; i++) {
2756 if (strcasecmp(rev_arg, crl_reasons[i]) == 0) {
2757 reason = crl_reasons[i];
2758 break;
2759 }
2760 }
2761 if (reason == NULL) {
2762 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2763 return NULL;
2764 }
2765 break;
2766
2767 case REV_HOLD:
2768 /* Argument is an OID */
2769 otmp = OBJ_txt2obj(rev_arg, 0);
2770 ASN1_OBJECT_free(otmp);
2771
2772 if (otmp == NULL) {
2773 BIO_printf(bio_err,
2774 "Invalid object identifier %s\n", rev_arg);
2775 return NULL;
2776 }
2777 reason = "holdInstruction";
2778 other = rev_arg;
2779 break;
2780
2781 case REV_KEY_COMPROMISE:
2782 case REV_CA_COMPROMISE:
2783 /* Argument is the key compromise time */
2784 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2785 BIO_printf(bio_err,
2786 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2787 rev_arg);
2788 return NULL;
2789 }
2790 other = rev_arg;
2791 if (rev_type == REV_KEY_COMPROMISE)
2792 reason = "keyTime";
2793 else
2794 reason = "CAkeyTime";
2795
2796 break;
2797 }
2798
2799 revtm = X509_gmtime_adj(NULL, 0);
2800 if (revtm == NULL)
2801 return NULL;
2802
2803 if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2804 reason ? "," : "", reason ? reason : "",
2805 other ? "," : "", other ? other : "") == -1)
2806 str = NULL;
2807
2808 ASN1_UTCTIME_free(revtm);
2809
2810 return str;
2811 }
2812
2813 /* Convert revocation field to X509_REVOKED entry
2814 * return code:
2815 * 0 error
2816 * 1 OK
2817 * 2 OK and some extensions added (i.e. V2 CRL)
2818 */
2819
2820 int
make_revoked(X509_REVOKED * rev,const char * str)2821 make_revoked(X509_REVOKED *rev, const char *str)
2822 {
2823 char *tmp = NULL;
2824 int reason_code = -1;
2825 int i, ret = 0;
2826 ASN1_OBJECT *hold = NULL;
2827 ASN1_GENERALIZEDTIME *comp_time = NULL;
2828 ASN1_ENUMERATED *rtmp = NULL;
2829
2830 ASN1_TIME *revDate = NULL;
2831
2832 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2833
2834 if (i == 0)
2835 goto err;
2836
2837 if (rev != NULL && !X509_REVOKED_set_revocationDate(rev, revDate))
2838 goto err;
2839
2840 if (rev != NULL && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2841 rtmp = ASN1_ENUMERATED_new();
2842 if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code))
2843 goto err;
2844 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2845 goto err;
2846 }
2847 if (rev != NULL && comp_time != NULL) {
2848 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2849 comp_time, 0, 0))
2850 goto err;
2851 }
2852 if (rev != NULL && hold != NULL) {
2853 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2854 hold, 0, 0))
2855 goto err;
2856 }
2857 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2858 ret = 2;
2859 else
2860 ret = 1;
2861
2862 err:
2863 free(tmp);
2864
2865 ASN1_OBJECT_free(hold);
2866 ASN1_GENERALIZEDTIME_free(comp_time);
2867 ASN1_ENUMERATED_free(rtmp);
2868 ASN1_TIME_free(revDate);
2869
2870 return ret;
2871 }
2872
2873 int
old_entry_print(BIO * bp,ASN1_OBJECT * obj,ASN1_STRING * str)2874 old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
2875 {
2876 char buf[25], *pbuf, *p;
2877 int j;
2878
2879 j = i2a_ASN1_OBJECT(bp, obj);
2880 pbuf = buf;
2881 for (j = 22 - j; j > 0; j--)
2882 *(pbuf++) = ' ';
2883 *(pbuf++) = ':';
2884 *(pbuf++) = '\0';
2885 BIO_puts(bp, buf);
2886
2887 if (str->type == V_ASN1_PRINTABLESTRING)
2888 BIO_printf(bp, "PRINTABLE:'");
2889 else if (str->type == V_ASN1_T61STRING)
2890 BIO_printf(bp, "T61STRING:'");
2891 else if (str->type == V_ASN1_IA5STRING)
2892 BIO_printf(bp, "IA5STRING:'");
2893 else if (str->type == V_ASN1_UNIVERSALSTRING)
2894 BIO_printf(bp, "UNIVERSALSTRING:'");
2895 else
2896 BIO_printf(bp, "ASN.1 %2d:'", str->type);
2897
2898 p = (char *) str->data;
2899 for (j = str->length; j > 0; j--) {
2900 if ((*p >= ' ') && (*p <= '~'))
2901 BIO_printf(bp, "%c", *p);
2902 else if (*p & 0x80)
2903 BIO_printf(bp, "\\0x%02X", *p);
2904 else if ((unsigned char) *p == 0xf7)
2905 BIO_printf(bp, "^?");
2906 else
2907 BIO_printf(bp, "^%c", *p + '@');
2908 p++;
2909 }
2910 BIO_printf(bp, "'\n");
2911 return 1;
2912 }
2913
2914 int
unpack_revinfo(ASN1_TIME ** prevtm,int * preason,ASN1_OBJECT ** phold,ASN1_GENERALIZEDTIME ** pinvtm,const char * str)2915 unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
2916 ASN1_GENERALIZEDTIME **pinvtm, const char *str)
2917 {
2918 char *tmp = NULL;
2919 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2920 int reason_code = -1;
2921 int ret = 0;
2922 unsigned int i;
2923 ASN1_OBJECT *hold = NULL;
2924 ASN1_GENERALIZEDTIME *comp_time = NULL;
2925
2926 if ((tmp = strdup(str)) == NULL) {
2927 BIO_printf(bio_err, "malloc failed\n");
2928 goto err;
2929 }
2930 p = strchr(tmp, ',');
2931 rtime_str = tmp;
2932
2933 if (p != NULL) {
2934 *p = '\0';
2935 p++;
2936 reason_str = p;
2937 p = strchr(p, ',');
2938 if (p != NULL) {
2939 *p = '\0';
2940 arg_str = p + 1;
2941 }
2942 }
2943 if (prevtm != NULL) {
2944 *prevtm = ASN1_UTCTIME_new();
2945 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2946 BIO_printf(bio_err, "invalid revocation date %s\n",
2947 rtime_str);
2948 goto err;
2949 }
2950 }
2951 if (reason_str != NULL) {
2952 for (i = 0; i < NUM_REASONS; i++) {
2953 if (strcasecmp(reason_str, crl_reasons[i]) == 0) {
2954 reason_code = i;
2955 break;
2956 }
2957 }
2958 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2959 BIO_printf(bio_err, "invalid reason code %s\n",
2960 reason_str);
2961 goto err;
2962 }
2963 if (reason_code == 7)
2964 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2965 else if (reason_code == 8) { /* Hold instruction */
2966 if (arg_str == NULL) {
2967 BIO_printf(bio_err,
2968 "missing hold instruction\n");
2969 goto err;
2970 }
2971 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2972 hold = OBJ_txt2obj(arg_str, 0);
2973
2974 if (hold == NULL) {
2975 BIO_printf(bio_err,
2976 "invalid object identifier %s\n", arg_str);
2977 goto err;
2978 }
2979 if (phold != NULL)
2980 *phold = hold;
2981 } else if ((reason_code == 9) || (reason_code == 10)) {
2982 if (arg_str == NULL) {
2983 BIO_printf(bio_err,
2984 "missing compromised time\n");
2985 goto err;
2986 }
2987 comp_time = ASN1_GENERALIZEDTIME_new();
2988 if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
2989 arg_str)) {
2990 BIO_printf(bio_err,
2991 "invalid compromised time %s\n", arg_str);
2992 goto err;
2993 }
2994 if (reason_code == 9)
2995 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
2996 else
2997 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
2998 }
2999 }
3000 if (preason != NULL)
3001 *preason = reason_code;
3002 if (pinvtm != NULL)
3003 *pinvtm = comp_time;
3004 else
3005 ASN1_GENERALIZEDTIME_free(comp_time);
3006
3007 ret = 1;
3008
3009 err:
3010 free(tmp);
3011
3012 if (phold == NULL)
3013 ASN1_OBJECT_free(hold);
3014 if (pinvtm == NULL)
3015 ASN1_GENERALIZEDTIME_free(comp_time);
3016
3017 return ret;
3018 }
3019
3020 static char *
bin2hex(unsigned char * data,size_t len)3021 bin2hex(unsigned char *data, size_t len)
3022 {
3023 char *ret = NULL;
3024 char hex[] = "0123456789ABCDEF";
3025 int i;
3026
3027 if ((ret = malloc(len * 2 + 1)) != NULL) {
3028 for (i = 0; i < len; i++) {
3029 ret[i * 2 + 0] = hex[data[i] >> 4];
3030 ret[i * 2 + 1] = hex[data[i] & 0x0F];
3031 }
3032 ret[len * 2] = '\0';
3033 }
3034 return ret;
3035 }
3036