1 /* $OpenBSD: ca.c,v 1.49 2021/09/05 04:05:14 inoguchi Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <sys/types.h>
62
63 #include <ctype.h>
64 #include <stdio.h>
65 #include <stdlib.h>
66 #include <limits.h>
67 #include <string.h>
68 #include <unistd.h>
69
70 #include "apps.h"
71
72 #include <openssl/bio.h>
73 #include <openssl/bn.h>
74 #include <openssl/conf.h>
75 #include <openssl/err.h>
76 #include <openssl/evp.h>
77 #include <openssl/objects.h>
78 #include <openssl/ocsp.h>
79 #include <openssl/pem.h>
80 #include <openssl/txt_db.h>
81 #include <openssl/x509.h>
82 #include <openssl/x509v3.h>
83
84 #define BASE_SECTION "ca"
85
86 #define ENV_DEFAULT_CA "default_ca"
87
88 #define STRING_MASK "string_mask"
89 #define UTF8_IN "utf8"
90
91 #define ENV_NEW_CERTS_DIR "new_certs_dir"
92 #define ENV_CERTIFICATE "certificate"
93 #define ENV_SERIAL "serial"
94 #define ENV_CRLNUMBER "crlnumber"
95 #define ENV_PRIVATE_KEY "private_key"
96 #define ENV_DEFAULT_DAYS "default_days"
97 #define ENV_DEFAULT_STARTDATE "default_startdate"
98 #define ENV_DEFAULT_ENDDATE "default_enddate"
99 #define ENV_DEFAULT_CRL_DAYS "default_crl_days"
100 #define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
101 #define ENV_DEFAULT_MD "default_md"
102 #define ENV_DEFAULT_EMAIL_DN "email_in_dn"
103 #define ENV_PRESERVE "preserve"
104 #define ENV_POLICY "policy"
105 #define ENV_EXTENSIONS "x509_extensions"
106 #define ENV_CRLEXT "crl_extensions"
107 #define ENV_MSIE_HACK "msie_hack"
108 #define ENV_NAMEOPT "name_opt"
109 #define ENV_CERTOPT "cert_opt"
110 #define ENV_EXTCOPY "copy_extensions"
111 #define ENV_UNIQUE_SUBJECT "unique_subject"
112
113 #define ENV_DATABASE "database"
114
115 /* Additional revocation information types */
116
117 #define REV_NONE 0 /* No addditional information */
118 #define REV_CRL_REASON 1 /* Value is CRL reason code */
119 #define REV_HOLD 2 /* Value is hold instruction */
120 #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
121 #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
122
123 static void lookup_fail(const char *name, const char *tag);
124 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
125 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
126 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
127 unsigned long chtype, int multirdn, int email_dn, char *startdate,
128 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
129 int verbose, unsigned long certopt, unsigned long nameopt,
130 int default_op, int ext_copy, int selfsign);
131 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey,
132 X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
133 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
134 unsigned long chtype, int multirdn, int email_dn, char *startdate,
135 char *enddate, long days, int batch, char *ext_sect, CONF *conf,
136 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
137 int ext_copy);
138 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
139 X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
140 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
141 unsigned long chtype, int multirdn, int email_dn, char *startdate,
142 char *enddate, long days, char *ext_sect, CONF *conf, int verbose,
143 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
144 static int write_new_certificate(BIO *bp, X509 *x, int output_der,
145 int notext);
146 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
147 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
148 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
149 unsigned long chtype, int multirdn, int email_dn, char *startdate,
150 char *enddate, long days, int batch, int verbose, X509_REQ *req,
151 char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt,
152 int default_op, int ext_copy, int selfsign);
153 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
154 static int get_certificate_status(const char *serial, CA_DB *db);
155 static int do_updatedb(CA_DB *db);
156 static int check_time_format(const char *str);
157 static char *bin2hex(unsigned char *, size_t);
158 char *make_revocation_str(int rev_type, char *rev_arg);
159 int make_revoked(X509_REVOKED *rev, const char *str);
160 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
161
162 static CONF *conf = NULL;
163 static CONF *extconf = NULL;
164
165 static struct {
166 int batch;
167 char *certfile;
168 unsigned long chtype;
169 char *configfile;
170 int create_serial;
171 char *crl_ext;
172 long crldays;
173 long crlhours;
174 long crlsec;
175 long days;
176 int dorevoke;
177 int doupdatedb;
178 int email_dn;
179 char *enddate;
180 char *extensions;
181 char *extfile;
182 int gencrl;
183 char *infile;
184 char **infiles;
185 int infiles_num;
186 char *key;
187 char *keyfile;
188 int keyform;
189 char *md;
190 int multirdn;
191 int msie_hack;
192 int notext;
193 char *outdir;
194 char *outfile;
195 char *passargin;
196 char *policy;
197 int preserve;
198 int req;
199 char *rev_arg;
200 int rev_type;
201 char *serial_status;
202 char *section;
203 int selfsign;
204 STACK_OF(OPENSSL_STRING) *sigopts;
205 char *spkac_file;
206 char *ss_cert_file;
207 char *startdate;
208 char *subj;
209 int verbose;
210 } ca_config;
211
212 static int
ca_opt_chtype_utf8(void)213 ca_opt_chtype_utf8(void)
214 {
215 ca_config.chtype = MBSTRING_UTF8;
216 return (0);
217 }
218
219 static int
ca_opt_crl_ca_compromise(char * arg)220 ca_opt_crl_ca_compromise(char *arg)
221 {
222 ca_config.rev_arg = arg;
223 ca_config.rev_type = REV_CA_COMPROMISE;
224 return (0);
225 }
226
227 static int
ca_opt_crl_compromise(char * arg)228 ca_opt_crl_compromise(char *arg)
229 {
230 ca_config.rev_arg = arg;
231 ca_config.rev_type = REV_KEY_COMPROMISE;
232 return (0);
233 }
234
235 static int
ca_opt_crl_hold(char * arg)236 ca_opt_crl_hold(char *arg)
237 {
238 ca_config.rev_arg = arg;
239 ca_config.rev_type = REV_HOLD;
240 return (0);
241 }
242
243 static int
ca_opt_crl_reason(char * arg)244 ca_opt_crl_reason(char *arg)
245 {
246 ca_config.rev_arg = arg;
247 ca_config.rev_type = REV_CRL_REASON;
248 return (0);
249 }
250
251 static int
ca_opt_in(char * arg)252 ca_opt_in(char *arg)
253 {
254 ca_config.infile = arg;
255 ca_config.req = 1;
256 return (0);
257 }
258
259 static int
ca_opt_infiles(int argc,char ** argv,int * argsused)260 ca_opt_infiles(int argc, char **argv, int *argsused)
261 {
262 ca_config.infiles_num = argc - 1;
263 if (ca_config.infiles_num < 1)
264 return (1);
265 ca_config.infiles = argv + 1;
266 ca_config.req = 1;
267 *argsused = argc;
268 return (0);
269 }
270
271 static int
ca_opt_revoke(char * arg)272 ca_opt_revoke(char *arg)
273 {
274 ca_config.infile = arg;
275 ca_config.dorevoke = 1;
276 return (0);
277 }
278
279 static int
ca_opt_sigopt(char * arg)280 ca_opt_sigopt(char *arg)
281 {
282 if (ca_config.sigopts == NULL)
283 ca_config.sigopts = sk_OPENSSL_STRING_new_null();
284 if (ca_config.sigopts == NULL)
285 return (1);
286 if (!sk_OPENSSL_STRING_push(ca_config.sigopts, arg))
287 return (1);
288 return (0);
289 }
290
291 static int
ca_opt_spkac(char * arg)292 ca_opt_spkac(char *arg)
293 {
294 ca_config.spkac_file = arg;
295 ca_config.req = 1;
296 return (0);
297 }
298
299 static int
ca_opt_ss_cert(char * arg)300 ca_opt_ss_cert(char *arg)
301 {
302 ca_config.ss_cert_file = arg;
303 ca_config.req = 1;
304 return (0);
305 }
306
307 static const struct option ca_options[] = {
308 {
309 .name = "batch",
310 .desc = "Operate in batch mode",
311 .type = OPTION_FLAG,
312 .opt.flag = &ca_config.batch,
313 },
314 {
315 .name = "cert",
316 .argname = "file",
317 .desc = "File containing the CA certificate",
318 .type = OPTION_ARG,
319 .opt.arg = &ca_config.certfile,
320 },
321 {
322 .name = "config",
323 .argname = "file",
324 .desc = "Specify an alternative configuration file",
325 .type = OPTION_ARG,
326 .opt.arg = &ca_config.configfile,
327 },
328 {
329 .name = "create_serial",
330 .desc = "If reading serial fails, create a new random serial",
331 .type = OPTION_FLAG,
332 .opt.flag = &ca_config.create_serial,
333 },
334 {
335 .name = "crl_CA_compromise",
336 .argname = "time",
337 .desc = "Set the compromise time and the revocation reason to\n"
338 "CACompromise",
339 .type = OPTION_ARG_FUNC,
340 .opt.argfunc = ca_opt_crl_ca_compromise,
341 },
342 {
343 .name = "crl_compromise",
344 .argname = "time",
345 .desc = "Set the compromise time and the revocation reason to\n"
346 "keyCompromise",
347 .type = OPTION_ARG_FUNC,
348 .opt.argfunc = ca_opt_crl_compromise,
349 },
350 {
351 .name = "crl_hold",
352 .argname = "instruction",
353 .desc = "Set the hold instruction and the revocation reason to\n"
354 "certificateHold",
355 .type = OPTION_ARG_FUNC,
356 .opt.argfunc = ca_opt_crl_hold,
357 },
358 {
359 .name = "crl_reason",
360 .argname = "reason",
361 .desc = "Revocation reason",
362 .type = OPTION_ARG_FUNC,
363 .opt.argfunc = ca_opt_crl_reason,
364 },
365 {
366 .name = "crldays",
367 .argname = "days",
368 .desc = "Number of days before the next CRL is due",
369 .type = OPTION_ARG_LONG,
370 .opt.lvalue = &ca_config.crldays,
371 },
372 {
373 .name = "crlexts",
374 .argname = "section",
375 .desc = "CRL extension section (override value in config file)",
376 .type = OPTION_ARG,
377 .opt.arg = &ca_config.crl_ext,
378 },
379 {
380 .name = "crlhours",
381 .argname = "hours",
382 .desc = "Number of hours before the next CRL is due",
383 .type = OPTION_ARG_LONG,
384 .opt.lvalue = &ca_config.crlhours,
385 },
386 {
387 .name = "crlsec",
388 .argname = "seconds",
389 .desc = "Number of seconds before the next CRL is due",
390 .type = OPTION_ARG_LONG,
391 .opt.lvalue = &ca_config.crlsec,
392 },
393 {
394 .name = "days",
395 .argname = "arg",
396 .desc = "Number of days to certify the certificate for",
397 .type = OPTION_ARG_LONG,
398 .opt.lvalue = &ca_config.days,
399 },
400 {
401 .name = "enddate",
402 .argname = "YYMMDDHHMMSSZ",
403 .desc = "Certificate validity notAfter (overrides -days)",
404 .type = OPTION_ARG,
405 .opt.arg = &ca_config.enddate,
406 },
407 {
408 .name = "extensions",
409 .argname = "section",
410 .desc = "Extension section (override value in config file)",
411 .type = OPTION_ARG,
412 .opt.arg = &ca_config.extensions,
413 },
414 {
415 .name = "extfile",
416 .argname = "file",
417 .desc = "Configuration file with X509v3 extentions to add",
418 .type = OPTION_ARG,
419 .opt.arg = &ca_config.extfile,
420 },
421 {
422 .name = "gencrl",
423 .desc = "Generate a new CRL",
424 .type = OPTION_FLAG,
425 .opt.flag = &ca_config.gencrl,
426 },
427 {
428 .name = "in",
429 .argname = "file",
430 .desc = "Input file containing a single certificate request",
431 .type = OPTION_ARG_FUNC,
432 .opt.argfunc = ca_opt_in,
433 },
434 {
435 .name = "infiles",
436 .argname = "...",
437 .desc = "The last argument, certificate requests to process",
438 .type = OPTION_ARGV_FUNC,
439 .opt.argvfunc = ca_opt_infiles,
440 },
441 {
442 .name = "key",
443 .argname = "password",
444 .desc = "Key to decode the private key if it is encrypted",
445 .type = OPTION_ARG,
446 .opt.arg = &ca_config.key,
447 },
448 {
449 .name = "keyfile",
450 .argname = "file",
451 .desc = "Private key file",
452 .type = OPTION_ARG,
453 .opt.arg = &ca_config.keyfile,
454 },
455 {
456 .name = "keyform",
457 .argname = "fmt",
458 .desc = "Private key file format (DER or PEM (default))",
459 .type = OPTION_ARG_FORMAT,
460 .opt.value = &ca_config.keyform,
461 },
462 {
463 .name = "md",
464 .argname = "alg",
465 .desc = "Message digest to use",
466 .type = OPTION_ARG,
467 .opt.arg = &ca_config.md,
468 },
469 {
470 .name = "msie_hack",
471 .type = OPTION_FLAG,
472 .opt.flag = &ca_config.msie_hack,
473 },
474 {
475 .name = "multivalue-rdn",
476 .desc = "Enable support for multivalued RDNs",
477 .type = OPTION_FLAG,
478 .opt.flag = &ca_config.multirdn,
479 },
480 {
481 .name = "name",
482 .argname = "section",
483 .desc = "Specifies the configuration file section to use",
484 .type = OPTION_ARG,
485 .opt.arg = &ca_config.section,
486 },
487 {
488 .name = "noemailDN",
489 .desc = "Do not add the EMAIL field to the DN",
490 .type = OPTION_VALUE,
491 .opt.value = &ca_config.email_dn,
492 .value = 0,
493 },
494 {
495 .name = "notext",
496 .desc = "Do not print the generated certificate",
497 .type = OPTION_FLAG,
498 .opt.flag = &ca_config.notext,
499 },
500 {
501 .name = "out",
502 .argname = "file",
503 .desc = "Output file (default stdout)",
504 .type = OPTION_ARG,
505 .opt.arg = &ca_config.outfile,
506 },
507 {
508 .name = "outdir",
509 .argname = "directory",
510 .desc = " Directory to output certificates to",
511 .type = OPTION_ARG,
512 .opt.arg = &ca_config.outdir,
513 },
514 {
515 .name = "passin",
516 .argname = "src",
517 .desc = "Private key input password source",
518 .type = OPTION_ARG,
519 .opt.arg = &ca_config.passargin,
520 },
521 {
522 .name = "policy",
523 .argname = "name",
524 .desc = "The CA 'policy' to support",
525 .type = OPTION_ARG,
526 .opt.arg = &ca_config.policy,
527 },
528 {
529 .name = "preserveDN",
530 .desc = "Do not re-order the DN",
531 .type = OPTION_FLAG,
532 .opt.flag = &ca_config.preserve,
533 },
534 {
535 .name = "revoke",
536 .argname = "file",
537 .desc = "Revoke a certificate (given in file)",
538 .type = OPTION_ARG_FUNC,
539 .opt.argfunc = ca_opt_revoke,
540 },
541 {
542 .name = "selfsign",
543 .desc = "Sign a certificate using the key associated with it",
544 .type = OPTION_FLAG,
545 .opt.flag = &ca_config.selfsign,
546 },
547 {
548 .name = "sigopt",
549 .argname = "nm:v",
550 .desc = "Signature parameter in nm:v form",
551 .type = OPTION_ARG_FUNC,
552 .opt.argfunc = ca_opt_sigopt,
553 },
554 {
555 .name = "spkac",
556 .argname = "file",
557 .desc = "File contains DN and signed public key and challenge",
558 .type = OPTION_ARG_FUNC,
559 .opt.argfunc = ca_opt_spkac,
560 },
561 {
562 .name = "ss_cert",
563 .argname = "file",
564 .desc = "File contains a self signed certificate to sign",
565 .type = OPTION_ARG_FUNC,
566 .opt.argfunc = ca_opt_ss_cert,
567 },
568 {
569 .name = "startdate",
570 .argname = "YYMMDDHHMMSSZ",
571 .desc = "Certificate validity notBefore",
572 .type = OPTION_ARG,
573 .opt.arg = &ca_config.startdate,
574 },
575 {
576 .name = "status",
577 .argname = "serial",
578 .desc = "Shows certificate status given the serial number",
579 .type = OPTION_ARG,
580 .opt.arg = &ca_config.serial_status,
581 },
582 {
583 .name = "subj",
584 .argname = "arg",
585 .desc = "Use arg instead of request's subject",
586 .type = OPTION_ARG,
587 .opt.arg = &ca_config.subj,
588 },
589 {
590 .name = "updatedb",
591 .desc = "Updates db for expired certificates",
592 .type = OPTION_FLAG,
593 .opt.flag = &ca_config.doupdatedb,
594 },
595 {
596 .name = "utf8",
597 .desc = "Input characters are in UTF-8 (default ASCII)",
598 .type = OPTION_FUNC,
599 .opt.func = ca_opt_chtype_utf8,
600 },
601 {
602 .name = "verbose",
603 .desc = "Verbose output during processing",
604 .type = OPTION_FLAG,
605 .opt.flag = &ca_config.verbose,
606 },
607 { NULL },
608 };
609
610 /*
611 * Set a certificate time based on user provided input. Make sure
612 * what we put in the certificate is legit for RFC 5280. Returns
613 * 0 on success, -1 on an invalid time string. Strings must be
614 * YYYYMMDDHHMMSSZ for post 2050 dates. YYYYMMDDHHMMSSZ or
615 * YYMMDDHHMMSSZ is accepted for pre 2050 dates, and fixed up to
616 * be the correct format in the certificate.
617 */
618 static int
setCertificateTime(ASN1_TIME * x509time,char * timestring)619 setCertificateTime(ASN1_TIME *x509time, char *timestring)
620 {
621 struct tm tm1;
622
623 if (ASN1_time_parse(timestring, strlen(timestring), &tm1, 0) == -1)
624 return (-1);
625 if (!ASN1_TIME_set_tm(x509time, &tm1))
626 return (-1);
627 return 0;
628 }
629
630 static void
ca_usage(void)631 ca_usage(void)
632 {
633 fprintf(stderr,
634 "usage: ca [-batch] [-cert file] [-config file] [-create_serial]\n"
635 " [-crl_CA_compromise time] [-crl_compromise time]\n"
636 " [-crl_hold instruction] [-crl_reason reason] [-crldays days]\n"
637 " [-crlexts section] [-crlhours hours] [-crlsec seconds]\n"
638 " [-days arg] [-enddate date] [-extensions section]\n"
639 " [-extfile file] [-gencrl] [-in file] [-infiles]\n"
640 " [-key password] [-keyfile file] [-keyform pem | der]\n"
641 " [-md alg] [-multivalue-rdn] [-name section]\n"
642 " [-noemailDN] [-notext] [-out file] [-outdir directory]\n"
643 " [-passin arg] [-policy name] [-preserveDN] [-revoke file]\n"
644 " [-selfsign] [-sigopt nm:v] [-spkac file] [-ss_cert file]\n"
645 " [-startdate date] [-status serial] [-subj arg] [-updatedb]\n"
646 " [-utf8] [-verbose]\n\n");
647 options_usage(ca_options);
648 fprintf(stderr, "\n");
649 }
650
651 int
ca_main(int argc,char ** argv)652 ca_main(int argc, char **argv)
653 {
654 int free_key = 0;
655 int total = 0;
656 int total_done = 0;
657 int ret = 1;
658 long errorline = -1;
659 EVP_PKEY *pkey = NULL;
660 int output_der = 0;
661 char *serialfile = NULL;
662 char *crlnumberfile = NULL;
663 char *tmp_email_dn = NULL;
664 BIGNUM *serial = NULL;
665 BIGNUM *crlnumber = NULL;
666 unsigned long nameopt = 0, certopt = 0;
667 int default_op = 1;
668 int ext_copy = EXT_COPY_NONE;
669 X509 *x509 = NULL, *x509p = NULL;
670 X509 *x = NULL;
671 BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
672 char *dbfile = NULL;
673 CA_DB *db = NULL;
674 X509_CRL *crl = NULL;
675 X509_REVOKED *r = NULL;
676 ASN1_TIME *tmptm = NULL;
677 ASN1_INTEGER *tmpserial;
678 char *f;
679 const char *p;
680 char *const *pp;
681 int i, j;
682 const EVP_MD *dgst = NULL;
683 STACK_OF(CONF_VALUE) *attribs = NULL;
684 STACK_OF(X509) *cert_sk = NULL;
685 char *tofree = NULL;
686 DB_ATTR db_attr;
687
688 if (single_execution) {
689 if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
690 perror("pledge");
691 exit(1);
692 }
693 }
694
695 memset(&ca_config, 0, sizeof(ca_config));
696 ca_config.email_dn = 1;
697 ca_config.keyform = FORMAT_PEM;
698 ca_config.chtype = MBSTRING_ASC;
699 ca_config.rev_type = REV_NONE;
700
701 conf = NULL;
702
703 if (options_parse(argc, argv, ca_options, NULL, NULL) != 0) {
704 ca_usage();
705 goto err;
706 }
707
708 /*****************************************************************/
709 tofree = NULL;
710 if (ca_config.configfile == NULL)
711 ca_config.configfile = getenv("OPENSSL_CONF");
712 if (ca_config.configfile == NULL) {
713 if ((tofree = make_config_name()) == NULL) {
714 BIO_printf(bio_err, "error making config file name\n");
715 goto err;
716 }
717 ca_config.configfile = tofree;
718 }
719 BIO_printf(bio_err, "Using configuration from %s\n",
720 ca_config.configfile);
721 conf = NCONF_new(NULL);
722 if (NCONF_load(conf, ca_config.configfile, &errorline) <= 0) {
723 if (errorline <= 0)
724 BIO_printf(bio_err,
725 "error loading the config file '%s'\n",
726 ca_config.configfile);
727 else
728 BIO_printf(bio_err,
729 "error on line %ld of config file '%s'\n",
730 errorline, ca_config.configfile);
731 goto err;
732 }
733 free(tofree);
734 tofree = NULL;
735
736 /* Lets get the config section we are using */
737 if (ca_config.section == NULL) {
738 ca_config.section = NCONF_get_string(conf, BASE_SECTION,
739 ENV_DEFAULT_CA);
740 if (ca_config.section == NULL) {
741 lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
742 goto err;
743 }
744 }
745 if (conf != NULL) {
746 p = NCONF_get_string(conf, NULL, "oid_file");
747 if (p == NULL)
748 ERR_clear_error();
749 if (p != NULL) {
750 BIO *oid_bio;
751
752 oid_bio = BIO_new_file(p, "r");
753 if (oid_bio == NULL) {
754 /*
755 BIO_printf(bio_err,
756 "problems opening %s for extra oid's\n", p);
757 ERR_print_errors(bio_err);
758 */
759 ERR_clear_error();
760 } else {
761 OBJ_create_objects(oid_bio);
762 BIO_free(oid_bio);
763 }
764 }
765 if (!add_oid_section(bio_err, conf)) {
766 ERR_print_errors(bio_err);
767 goto err;
768 }
769 }
770 f = NCONF_get_string(conf, ca_config.section, STRING_MASK);
771 if (f == NULL)
772 ERR_clear_error();
773
774 if (f != NULL && !ASN1_STRING_set_default_mask_asc(f)) {
775 BIO_printf(bio_err,
776 "Invalid global string mask setting %s\n", f);
777 goto err;
778 }
779 if (ca_config.chtype != MBSTRING_UTF8) {
780 f = NCONF_get_string(conf, ca_config.section, UTF8_IN);
781 if (f == NULL)
782 ERR_clear_error();
783 else if (strcmp(f, "yes") == 0)
784 ca_config.chtype = MBSTRING_UTF8;
785 }
786 db_attr.unique_subject = 1;
787 p = NCONF_get_string(conf, ca_config.section, ENV_UNIQUE_SUBJECT);
788 if (p != NULL) {
789 db_attr.unique_subject = parse_yesno(p, 1);
790 } else
791 ERR_clear_error();
792
793 in = BIO_new(BIO_s_file());
794 out = BIO_new(BIO_s_file());
795 Sout = BIO_new(BIO_s_file());
796 Cout = BIO_new(BIO_s_file());
797 if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
798 ERR_print_errors(bio_err);
799 goto err;
800 }
801 /*****************************************************************/
802 /* report status of cert with serial number given on command line */
803 if (ca_config.serial_status) {
804 if ((dbfile = NCONF_get_string(conf, ca_config.section,
805 ENV_DATABASE)) == NULL) {
806 lookup_fail(ca_config.section, ENV_DATABASE);
807 goto err;
808 }
809 db = load_index(dbfile, &db_attr);
810 if (db == NULL)
811 goto err;
812
813 if (!index_index(db))
814 goto err;
815
816 if (get_certificate_status(ca_config.serial_status, db) != 1)
817 BIO_printf(bio_err, "Error verifying serial %s!\n",
818 ca_config.serial_status);
819 goto err;
820 }
821 /*****************************************************************/
822 /* we definitely need a private key, so let's get it */
823
824 if ((ca_config.keyfile == NULL) &&
825 ((ca_config.keyfile = NCONF_get_string(conf, ca_config.section,
826 ENV_PRIVATE_KEY)) == NULL)) {
827 lookup_fail(ca_config.section, ENV_PRIVATE_KEY);
828 goto err;
829 }
830 if (ca_config.key == NULL) {
831 free_key = 1;
832 if (!app_passwd(bio_err, ca_config.passargin, NULL,
833 &ca_config.key, NULL)) {
834 BIO_printf(bio_err, "Error getting password\n");
835 goto err;
836 }
837 }
838 pkey = load_key(bio_err, ca_config.keyfile, ca_config.keyform, 0,
839 ca_config.key, "CA private key");
840 if (ca_config.key != NULL)
841 explicit_bzero(ca_config.key, strlen(ca_config.key));
842 if (pkey == NULL) {
843 /* load_key() has already printed an appropriate message */
844 goto err;
845 }
846 /*****************************************************************/
847 /* we need a certificate */
848 if (!ca_config.selfsign || ca_config.spkac_file != NULL ||
849 ca_config.ss_cert_file != NULL || ca_config.gencrl) {
850 if ((ca_config.certfile == NULL) &&
851 ((ca_config.certfile = NCONF_get_string(conf,
852 ca_config.section, ENV_CERTIFICATE)) == NULL)) {
853 lookup_fail(ca_config.section, ENV_CERTIFICATE);
854 goto err;
855 }
856 x509 = load_cert(bio_err, ca_config.certfile, FORMAT_PEM, NULL,
857 "CA certificate");
858 if (x509 == NULL)
859 goto err;
860
861 if (!X509_check_private_key(x509, pkey)) {
862 BIO_printf(bio_err,
863 "CA certificate and CA private key do not match\n");
864 goto err;
865 }
866 }
867 if (!ca_config.selfsign)
868 x509p = x509;
869
870 f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
871 if (f == NULL)
872 ERR_clear_error();
873 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
874 ca_config.preserve = 1;
875 f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
876 if (f == NULL)
877 ERR_clear_error();
878 if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
879 ca_config.msie_hack = 1;
880
881 f = NCONF_get_string(conf, ca_config.section, ENV_NAMEOPT);
882
883 if (f != NULL) {
884 if (!set_name_ex(&nameopt, f)) {
885 BIO_printf(bio_err,
886 "Invalid name options: \"%s\"\n", f);
887 goto err;
888 }
889 default_op = 0;
890 } else
891 ERR_clear_error();
892
893 f = NCONF_get_string(conf, ca_config.section, ENV_CERTOPT);
894
895 if (f != NULL) {
896 if (!set_cert_ex(&certopt, f)) {
897 BIO_printf(bio_err,
898 "Invalid certificate options: \"%s\"\n", f);
899 goto err;
900 }
901 default_op = 0;
902 } else
903 ERR_clear_error();
904
905 f = NCONF_get_string(conf, ca_config.section, ENV_EXTCOPY);
906
907 if (f != NULL) {
908 if (!set_ext_copy(&ext_copy, f)) {
909 BIO_printf(bio_err,
910 "Invalid extension copy option: \"%s\"\n", f);
911 goto err;
912 }
913 } else
914 ERR_clear_error();
915
916 /*****************************************************************/
917 /* lookup where to write new certificates */
918 if (ca_config.outdir == NULL && ca_config.req) {
919 if ((ca_config.outdir = NCONF_get_string(conf,
920 ca_config.section, ENV_NEW_CERTS_DIR)) == NULL) {
921 BIO_printf(bio_err, "output directory %s not defined\n",
922 ENV_NEW_CERTS_DIR);
923 goto err;
924 }
925 }
926 /*****************************************************************/
927 /* we need to load the database file */
928 if ((dbfile = NCONF_get_string(conf, ca_config.section,
929 ENV_DATABASE)) == NULL) {
930 lookup_fail(ca_config.section, ENV_DATABASE);
931 goto err;
932 }
933 db = load_index(dbfile, &db_attr);
934 if (db == NULL)
935 goto err;
936
937 /* Lets check some fields */
938 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
939 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
940 if ((pp[DB_type][0] != DB_TYPE_REV) &&
941 (pp[DB_rev_date][0] != '\0')) {
942 BIO_printf(bio_err,
943 "entry %d: not revoked yet, but has a revocation date\n",
944 i + 1);
945 goto err;
946 }
947 if ((pp[DB_type][0] == DB_TYPE_REV) &&
948 !make_revoked(NULL, pp[DB_rev_date])) {
949 BIO_printf(bio_err, " in entry %d\n", i + 1);
950 goto err;
951 }
952 if (!check_time_format((char *) pp[DB_exp_date])) {
953 BIO_printf(bio_err, "entry %d: invalid expiry date\n",
954 i + 1);
955 goto err;
956 }
957 p = pp[DB_serial];
958 j = strlen(p);
959 if (*p == '-') {
960 p++;
961 j--;
962 }
963 if ((j & 1) || (j < 2)) {
964 BIO_printf(bio_err,
965 "entry %d: bad serial number length (%d)\n",
966 i + 1, j);
967 goto err;
968 }
969 while (*p) {
970 if (!(((*p >= '0') && (*p <= '9')) ||
971 ((*p >= 'A') && (*p <= 'F')) ||
972 ((*p >= 'a') && (*p <= 'f')))) {
973 BIO_printf(bio_err,
974 "entry %d: bad serial number characters, char pos %ld, char is '%c'\n",
975 i + 1, (long) (p - pp[DB_serial]), *p);
976 goto err;
977 }
978 p++;
979 }
980 }
981 if (ca_config.verbose) {
982 BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
983 TXT_DB_write(out, db->db);
984 BIO_printf(bio_err, "%d entries loaded from the database\n",
985 sk_OPENSSL_PSTRING_num(db->db->data));
986 BIO_printf(bio_err, "generating index\n");
987 }
988 if (!index_index(db))
989 goto err;
990
991 /*****************************************************************/
992 /* Update the db file for expired certificates */
993 if (ca_config.doupdatedb) {
994 if (ca_config.verbose)
995 BIO_printf(bio_err, "Updating %s ...\n", dbfile);
996
997 i = do_updatedb(db);
998 if (i == -1) {
999 BIO_printf(bio_err, "Malloc failure\n");
1000 goto err;
1001 } else if (i == 0) {
1002 if (ca_config.verbose)
1003 BIO_printf(bio_err,
1004 "No entries found to mark expired\n");
1005 } else {
1006 if (!save_index(dbfile, "new", db))
1007 goto err;
1008
1009 if (!rotate_index(dbfile, "new", "old"))
1010 goto err;
1011
1012 if (ca_config.verbose)
1013 BIO_printf(bio_err,
1014 "Done. %d entries marked as expired\n", i);
1015 }
1016 }
1017 /*****************************************************************/
1018 /* Read extentions config file */
1019 if (ca_config.extfile != NULL) {
1020 extconf = NCONF_new(NULL);
1021 if (NCONF_load(extconf, ca_config.extfile, &errorline) <= 0) {
1022 if (errorline <= 0)
1023 BIO_printf(bio_err,
1024 "ERROR: loading the config file '%s'\n",
1025 ca_config.extfile);
1026 else
1027 BIO_printf(bio_err,
1028 "ERROR: on line %ld of config file '%s'\n",
1029 errorline, ca_config.extfile);
1030 ret = 1;
1031 goto err;
1032 }
1033 if (ca_config.verbose)
1034 BIO_printf(bio_err,
1035 "Successfully loaded extensions file %s\n",
1036 ca_config.extfile);
1037
1038 /* We can have sections in the ext file */
1039 if (ca_config.extensions == NULL &&
1040 (ca_config.extensions = NCONF_get_string(extconf, "default",
1041 "extensions")) == NULL)
1042 ca_config.extensions = "default";
1043 }
1044 /*****************************************************************/
1045 if (ca_config.req || ca_config.gencrl) {
1046 if (ca_config.outfile != NULL) {
1047 if (BIO_write_filename(Sout, ca_config.outfile) <= 0) {
1048 perror(ca_config.outfile);
1049 goto err;
1050 }
1051 } else {
1052 BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
1053 }
1054 }
1055 if ((ca_config.md == NULL) &&
1056 ((ca_config.md = NCONF_get_string(conf, ca_config.section,
1057 ENV_DEFAULT_MD)) == NULL)) {
1058 lookup_fail(ca_config.section, ENV_DEFAULT_MD);
1059 goto err;
1060 }
1061 if (strcmp(ca_config.md, "default") == 0) {
1062 int def_nid;
1063 if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
1064 BIO_puts(bio_err, "no default digest\n");
1065 goto err;
1066 }
1067 ca_config.md = (char *) OBJ_nid2sn(def_nid);
1068 if (ca_config.md == NULL)
1069 goto err;
1070 }
1071 if ((dgst = EVP_get_digestbyname(ca_config.md)) == NULL) {
1072 BIO_printf(bio_err,
1073 "%s is an unsupported message digest type\n", ca_config.md);
1074 goto err;
1075 }
1076 if (ca_config.req) {
1077 if ((ca_config.email_dn == 1) &&
1078 ((tmp_email_dn = NCONF_get_string(conf, ca_config.section,
1079 ENV_DEFAULT_EMAIL_DN)) != NULL)) {
1080 if (strcmp(tmp_email_dn, "no") == 0)
1081 ca_config.email_dn = 0;
1082 }
1083 if (ca_config.verbose)
1084 BIO_printf(bio_err, "message digest is %s\n",
1085 OBJ_nid2ln(dgst->type));
1086 if ((ca_config.policy == NULL) &&
1087 ((ca_config.policy = NCONF_get_string(conf,
1088 ca_config.section, ENV_POLICY)) == NULL)) {
1089 lookup_fail(ca_config.section, ENV_POLICY);
1090 goto err;
1091 }
1092 if (ca_config.verbose)
1093 BIO_printf(bio_err, "policy is %s\n", ca_config.policy);
1094
1095 if ((serialfile = NCONF_get_string(conf, ca_config.section,
1096 ENV_SERIAL)) == NULL) {
1097 lookup_fail(ca_config.section, ENV_SERIAL);
1098 goto err;
1099 }
1100 if (extconf == NULL) {
1101 /*
1102 * no '-extfile' option, so we look for extensions in
1103 * the main configuration file
1104 */
1105 if (ca_config.extensions == NULL) {
1106 ca_config.extensions = NCONF_get_string(conf,
1107 ca_config.section, ENV_EXTENSIONS);
1108 if (ca_config.extensions == NULL)
1109 ERR_clear_error();
1110 }
1111 if (ca_config.extensions != NULL) {
1112 /* Check syntax of file */
1113 X509V3_CTX ctx;
1114 X509V3_set_ctx_test(&ctx);
1115 X509V3_set_nconf(&ctx, conf);
1116 if (!X509V3_EXT_add_nconf(conf, &ctx,
1117 ca_config.extensions, NULL)) {
1118 BIO_printf(bio_err,
1119 "Error Loading extension section %s\n",
1120 ca_config.extensions);
1121 ret = 1;
1122 goto err;
1123 }
1124 }
1125 }
1126 if (ca_config.startdate == NULL) {
1127 ca_config.startdate = NCONF_get_string(conf,
1128 ca_config.section, ENV_DEFAULT_STARTDATE);
1129 if (ca_config.startdate == NULL)
1130 ERR_clear_error();
1131 }
1132 if (ca_config.startdate == NULL)
1133 ca_config.startdate = "today";
1134
1135 if (ca_config.enddate == NULL) {
1136 ca_config.enddate = NCONF_get_string(conf,
1137 ca_config.section, ENV_DEFAULT_ENDDATE);
1138 if (ca_config.enddate == NULL)
1139 ERR_clear_error();
1140 }
1141 if (ca_config.days == 0 && ca_config.enddate == NULL) {
1142 if (!NCONF_get_number(conf, ca_config.section,
1143 ENV_DEFAULT_DAYS, &ca_config.days))
1144 ca_config.days = 0;
1145 }
1146 if (ca_config.enddate == NULL && ca_config.days == 0) {
1147 BIO_printf(bio_err,
1148 "cannot lookup how many days to certify for\n");
1149 goto err;
1150 }
1151 if ((serial = load_serial(serialfile, ca_config.create_serial,
1152 NULL)) == NULL) {
1153 BIO_printf(bio_err,
1154 "error while loading serial number\n");
1155 goto err;
1156 }
1157 if (ca_config.verbose) {
1158 if (BN_is_zero(serial))
1159 BIO_printf(bio_err,
1160 "next serial number is 00\n");
1161 else {
1162 if ((f = BN_bn2hex(serial)) == NULL)
1163 goto err;
1164 BIO_printf(bio_err,
1165 "next serial number is %s\n", f);
1166 free(f);
1167 }
1168 }
1169 if ((attribs = NCONF_get_section(conf, ca_config.policy)) ==
1170 NULL) {
1171 BIO_printf(bio_err, "unable to find 'section' for %s\n",
1172 ca_config.policy);
1173 goto err;
1174 }
1175 if ((cert_sk = sk_X509_new_null()) == NULL) {
1176 BIO_printf(bio_err, "Memory allocation failure\n");
1177 goto err;
1178 }
1179 if (ca_config.spkac_file != NULL) {
1180 total++;
1181 j = certify_spkac(&x, ca_config.spkac_file, pkey, x509,
1182 dgst, ca_config.sigopts, attribs, db, serial,
1183 ca_config.subj, ca_config.chtype,
1184 ca_config.multirdn, ca_config.email_dn,
1185 ca_config.startdate, ca_config.enddate,
1186 ca_config.days, ca_config.extensions, conf,
1187 ca_config.verbose, certopt, nameopt, default_op,
1188 ext_copy);
1189 if (j < 0)
1190 goto err;
1191 if (j > 0) {
1192 total_done++;
1193 BIO_printf(bio_err, "\n");
1194 if (!BN_add_word(serial, 1))
1195 goto err;
1196 if (!sk_X509_push(cert_sk, x)) {
1197 BIO_printf(bio_err,
1198 "Memory allocation failure\n");
1199 goto err;
1200 }
1201 if (ca_config.outfile != NULL) {
1202 output_der = 1;
1203 ca_config.batch = 1;
1204 }
1205 }
1206 }
1207 if (ca_config.ss_cert_file != NULL) {
1208 total++;
1209 j = certify_cert(&x, ca_config.ss_cert_file, pkey, x509,
1210 dgst, ca_config.sigopts, attribs, db, serial,
1211 ca_config.subj, ca_config.chtype,
1212 ca_config.multirdn, ca_config.email_dn,
1213 ca_config.startdate, ca_config.enddate,
1214 ca_config.days, ca_config.batch,
1215 ca_config.extensions, conf, ca_config.verbose,
1216 certopt, nameopt, default_op, ext_copy);
1217 if (j < 0)
1218 goto err;
1219 if (j > 0) {
1220 total_done++;
1221 BIO_printf(bio_err, "\n");
1222 if (!BN_add_word(serial, 1))
1223 goto err;
1224 if (!sk_X509_push(cert_sk, x)) {
1225 BIO_printf(bio_err,
1226 "Memory allocation failure\n");
1227 goto err;
1228 }
1229 }
1230 }
1231 if (ca_config.infile != NULL) {
1232 total++;
1233 j = certify(&x, ca_config.infile, pkey, x509p, dgst,
1234 ca_config.sigopts, attribs, db, serial,
1235 ca_config.subj, ca_config.chtype,
1236 ca_config.multirdn, ca_config.email_dn,
1237 ca_config.startdate, ca_config.enddate,
1238 ca_config.days, ca_config.batch,
1239 ca_config.extensions, conf, ca_config.verbose,
1240 certopt, nameopt, default_op, ext_copy,
1241 ca_config.selfsign);
1242 if (j < 0)
1243 goto err;
1244 if (j > 0) {
1245 total_done++;
1246 BIO_printf(bio_err, "\n");
1247 if (!BN_add_word(serial, 1))
1248 goto err;
1249 if (!sk_X509_push(cert_sk, x)) {
1250 BIO_printf(bio_err,
1251 "Memory allocation failure\n");
1252 goto err;
1253 }
1254 }
1255 }
1256 for (i = 0; i < ca_config.infiles_num; i++) {
1257 total++;
1258 j = certify(&x, ca_config.infiles[i], pkey, x509p, dgst,
1259 ca_config.sigopts, attribs, db, serial,
1260 ca_config.subj, ca_config.chtype,
1261 ca_config.multirdn, ca_config.email_dn,
1262 ca_config.startdate, ca_config.enddate,
1263 ca_config.days, ca_config.batch,
1264 ca_config.extensions, conf, ca_config.verbose,
1265 certopt, nameopt, default_op, ext_copy,
1266 ca_config.selfsign);
1267 if (j < 0)
1268 goto err;
1269 if (j > 0) {
1270 total_done++;
1271 BIO_printf(bio_err, "\n");
1272 if (!BN_add_word(serial, 1))
1273 goto err;
1274 if (!sk_X509_push(cert_sk, x)) {
1275 BIO_printf(bio_err,
1276 "Memory allocation failure\n");
1277 goto err;
1278 }
1279 }
1280 }
1281 /*
1282 * we have a stack of newly certified certificates and a data
1283 * base and serial number that need updating
1284 */
1285
1286 if (sk_X509_num(cert_sk) > 0) {
1287 if (!ca_config.batch) {
1288 char answer[10];
1289
1290 BIO_printf(bio_err,
1291 "\n%d out of %d certificate requests certified, commit? [y/n]",
1292 total_done, total);
1293 (void) BIO_flush(bio_err);
1294 if (fgets(answer, sizeof answer - 1, stdin) ==
1295 NULL) {
1296 BIO_printf(bio_err,
1297 "CERTIFICATION CANCELED: I/O error\n");
1298 ret = 0;
1299 goto err;
1300 }
1301 if ((answer[0] != 'y') && (answer[0] != 'Y')) {
1302 BIO_printf(bio_err,
1303 "CERTIFICATION CANCELED\n");
1304 ret = 0;
1305 goto err;
1306 }
1307 }
1308 BIO_printf(bio_err,
1309 "Write out database with %d new entries\n",
1310 sk_X509_num(cert_sk));
1311
1312 if (!save_serial(serialfile, "new", serial, NULL))
1313 goto err;
1314
1315 if (!save_index(dbfile, "new", db))
1316 goto err;
1317 }
1318 if (ca_config.verbose)
1319 BIO_printf(bio_err, "writing new certificates\n");
1320 for (i = 0; i < sk_X509_num(cert_sk); i++) {
1321 ASN1_INTEGER *serialNumber;
1322 int k;
1323 char *serialstr;
1324 unsigned char *data;
1325 char pempath[PATH_MAX];
1326
1327 x = sk_X509_value(cert_sk, i);
1328
1329 serialNumber = X509_get_serialNumber(x);
1330 j = ASN1_STRING_length(serialNumber);
1331 data = ASN1_STRING_data(serialNumber);
1332
1333 if (j > 0)
1334 serialstr = bin2hex(data, j);
1335 else
1336 serialstr = strdup("00");
1337 if (serialstr != NULL) {
1338 k = snprintf(pempath, sizeof(pempath),
1339 "%s/%s.pem", ca_config.outdir, serialstr);
1340 free(serialstr);
1341 if (k < 0 || k >= sizeof(pempath)) {
1342 BIO_printf(bio_err,
1343 "certificate file name too long\n");
1344 goto err;
1345 }
1346 } else {
1347 BIO_printf(bio_err,
1348 "memory allocation failed\n");
1349 goto err;
1350 }
1351 if (ca_config.verbose)
1352 BIO_printf(bio_err, "writing %s\n", pempath);
1353
1354 if (BIO_write_filename(Cout, pempath) <= 0) {
1355 perror(pempath);
1356 goto err;
1357 }
1358 if (!write_new_certificate(Cout, x, 0,
1359 ca_config.notext))
1360 goto err;
1361 if (!write_new_certificate(Sout, x, output_der,
1362 ca_config.notext))
1363 goto err;
1364 }
1365
1366 if (sk_X509_num(cert_sk)) {
1367 /* Rename the database and the serial file */
1368 if (!rotate_serial(serialfile, "new", "old"))
1369 goto err;
1370
1371 if (!rotate_index(dbfile, "new", "old"))
1372 goto err;
1373
1374 BIO_printf(bio_err, "Data Base Updated\n");
1375 }
1376 }
1377 /*****************************************************************/
1378 if (ca_config.gencrl) {
1379 int crl_v2 = 0;
1380 if (ca_config.crl_ext == NULL) {
1381 ca_config.crl_ext = NCONF_get_string(conf,
1382 ca_config.section, ENV_CRLEXT);
1383 if (ca_config.crl_ext == NULL)
1384 ERR_clear_error();
1385 }
1386 if (ca_config.crl_ext != NULL) {
1387 /* Check syntax of file */
1388 X509V3_CTX ctx;
1389 X509V3_set_ctx_test(&ctx);
1390 X509V3_set_nconf(&ctx, conf);
1391 if (!X509V3_EXT_add_nconf(conf, &ctx, ca_config.crl_ext,
1392 NULL)) {
1393 BIO_printf(bio_err,
1394 "Error Loading CRL extension section %s\n",
1395 ca_config.crl_ext);
1396 ret = 1;
1397 goto err;
1398 }
1399 }
1400 if ((crlnumberfile = NCONF_get_string(conf, ca_config.section,
1401 ENV_CRLNUMBER)) != NULL)
1402 if ((crlnumber = load_serial(crlnumberfile, 0,
1403 NULL)) == NULL) {
1404 BIO_printf(bio_err,
1405 "error while loading CRL number\n");
1406 goto err;
1407 }
1408 if (!ca_config.crldays && !ca_config.crlhours &&
1409 !ca_config.crlsec) {
1410 if (!NCONF_get_number(conf, ca_config.section,
1411 ENV_DEFAULT_CRL_DAYS, &ca_config.crldays))
1412 ca_config.crldays = 0;
1413 if (!NCONF_get_number(conf, ca_config.section,
1414 ENV_DEFAULT_CRL_HOURS, &ca_config.crlhours))
1415 ca_config.crlhours = 0;
1416 ERR_clear_error();
1417 }
1418 if ((ca_config.crldays == 0) && (ca_config.crlhours == 0) &&
1419 (ca_config.crlsec == 0)) {
1420 BIO_printf(bio_err,
1421 "cannot lookup how long until the next CRL is issued\n");
1422 goto err;
1423 }
1424 if (ca_config.verbose)
1425 BIO_printf(bio_err, "making CRL\n");
1426 if ((crl = X509_CRL_new()) == NULL)
1427 goto err;
1428 if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1429 goto err;
1430
1431 if ((tmptm = X509_gmtime_adj(NULL, 0)) == NULL)
1432 goto err;
1433 if (!X509_CRL_set_lastUpdate(crl, tmptm))
1434 goto err;
1435 if (X509_time_adj_ex(tmptm, ca_config.crldays,
1436 ca_config.crlhours * 60 * 60 + ca_config.crlsec, NULL) ==
1437 NULL) {
1438 BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1439 goto err;
1440 }
1441 if (!X509_CRL_set_nextUpdate(crl, tmptm))
1442 goto err;
1443 ASN1_TIME_free(tmptm);
1444 tmptm = NULL;
1445
1446 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1447 pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1448 if (pp[DB_type][0] == DB_TYPE_REV) {
1449 if ((r = X509_REVOKED_new()) == NULL)
1450 goto err;
1451 j = make_revoked(r, pp[DB_rev_date]);
1452 if (!j)
1453 goto err;
1454 if (j == 2)
1455 crl_v2 = 1;
1456 if (!BN_hex2bn(&serial, pp[DB_serial]))
1457 goto err;
1458 tmpserial = BN_to_ASN1_INTEGER(serial, NULL);
1459 BN_free(serial);
1460 serial = NULL;
1461 if (tmpserial == NULL)
1462 goto err;
1463 if (!X509_REVOKED_set_serialNumber(r, tmpserial)) {
1464 ASN1_INTEGER_free(tmpserial);
1465 goto err;
1466 }
1467 ASN1_INTEGER_free(tmpserial);
1468 if (!X509_CRL_add0_revoked(crl, r))
1469 goto err;
1470 r = NULL;
1471 }
1472 }
1473
1474 /*
1475 * sort the data so it will be written in serial number order
1476 */
1477 X509_CRL_sort(crl);
1478
1479 /* we now have a CRL */
1480 if (ca_config.verbose)
1481 BIO_printf(bio_err, "signing CRL\n");
1482
1483 /* Add any extensions asked for */
1484
1485 if (ca_config.crl_ext != NULL || crlnumberfile != NULL) {
1486 X509V3_CTX crlctx;
1487 X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1488 X509V3_set_nconf(&crlctx, conf);
1489
1490 if (ca_config.crl_ext != NULL)
1491 if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
1492 ca_config.crl_ext, crl))
1493 goto err;
1494 if (crlnumberfile != NULL) {
1495 tmpserial = BN_to_ASN1_INTEGER(crlnumber, NULL);
1496 if (tmpserial == NULL)
1497 goto err;
1498 if (!X509_CRL_add1_ext_i2d(crl, NID_crl_number,
1499 tmpserial, 0, 0)) {
1500 ASN1_INTEGER_free(tmpserial);
1501 goto err;
1502 }
1503 ASN1_INTEGER_free(tmpserial);
1504 crl_v2 = 1;
1505 if (!BN_add_word(crlnumber, 1))
1506 goto err;
1507 }
1508 }
1509 if (ca_config.crl_ext != NULL || crl_v2) {
1510 if (!X509_CRL_set_version(crl, 1))
1511 goto err; /* version 2 CRL */
1512 }
1513 if (crlnumberfile != NULL) /* we have a CRL number that
1514 * need updating */
1515 if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
1516 goto err;
1517
1518 BN_free(crlnumber);
1519 crlnumber = NULL;
1520
1521 if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst,
1522 ca_config.sigopts))
1523 goto err;
1524
1525 if (!PEM_write_bio_X509_CRL(Sout, crl))
1526 goto err;
1527
1528 if (crlnumberfile != NULL) /* Rename the crlnumber file */
1529 if (!rotate_serial(crlnumberfile, "new", "old"))
1530 goto err;
1531
1532 }
1533 /*****************************************************************/
1534 if (ca_config.dorevoke) {
1535 if (ca_config.infile == NULL) {
1536 BIO_printf(bio_err, "no input files\n");
1537 goto err;
1538 } else {
1539 X509 *revcert;
1540 revcert = load_cert(bio_err, ca_config.infile,
1541 FORMAT_PEM, NULL, ca_config.infile);
1542 if (revcert == NULL)
1543 goto err;
1544 j = do_revoke(revcert, db, ca_config.rev_type,
1545 ca_config.rev_arg);
1546 if (j <= 0)
1547 goto err;
1548 X509_free(revcert);
1549
1550 if (!save_index(dbfile, "new", db))
1551 goto err;
1552
1553 if (!rotate_index(dbfile, "new", "old"))
1554 goto err;
1555
1556 BIO_printf(bio_err, "Data Base Updated\n");
1557 }
1558 }
1559 /*****************************************************************/
1560 ret = 0;
1561
1562 err:
1563 free(tofree);
1564
1565 BIO_free_all(Cout);
1566 BIO_free_all(Sout);
1567 BIO_free_all(out);
1568 BIO_free_all(in);
1569
1570 sk_X509_pop_free(cert_sk, X509_free);
1571
1572 if (ret)
1573 ERR_print_errors(bio_err);
1574 if (free_key)
1575 free(ca_config.key);
1576 BN_free(serial);
1577 BN_free(crlnumber);
1578 free_index(db);
1579 sk_OPENSSL_STRING_free(ca_config.sigopts);
1580 EVP_PKEY_free(pkey);
1581 X509_free(x509);
1582 X509_CRL_free(crl);
1583 X509_REVOKED_free(r);
1584 ASN1_TIME_free(tmptm);
1585 NCONF_free(conf);
1586 NCONF_free(extconf);
1587 OBJ_cleanup();
1588
1589 return (ret);
1590 }
1591
1592 static void
lookup_fail(const char * name,const char * tag)1593 lookup_fail(const char *name, const char *tag)
1594 {
1595 BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
1596 }
1597
1598 static int
certify(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy,int selfsign)1599 certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1600 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
1601 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
1602 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1603 char *enddate, long days, int batch, char *ext_sect, CONF *lconf,
1604 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1605 int ext_copy, int selfsign)
1606 {
1607 X509_REQ *req = NULL;
1608 BIO *in = NULL;
1609 EVP_PKEY *pktmp = NULL;
1610 int ok = -1, i;
1611
1612 in = BIO_new(BIO_s_file());
1613
1614 if (BIO_read_filename(in, infile) <= 0) {
1615 perror(infile);
1616 goto err;
1617 }
1618 if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
1619 BIO_printf(bio_err, "Error reading certificate request in %s\n",
1620 infile);
1621 goto err;
1622 }
1623 if (verbose) {
1624 if (!X509_REQ_print(bio_err, req))
1625 goto err;
1626 }
1627
1628 BIO_printf(bio_err, "Check that the request matches the signature\n");
1629
1630 if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1631 BIO_printf(bio_err,
1632 "Certificate request and CA private key do not match\n");
1633 ok = 0;
1634 goto err;
1635 }
1636 if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
1637 BIO_printf(bio_err, "error unpacking public key\n");
1638 goto err;
1639 }
1640 i = X509_REQ_verify(req, pktmp);
1641 EVP_PKEY_free(pktmp);
1642 if (i < 0) {
1643 ok = 0;
1644 BIO_printf(bio_err, "Signature verification problems....\n");
1645 goto err;
1646 }
1647 if (i == 0) {
1648 ok = 0;
1649 BIO_printf(bio_err,
1650 "Signature did not match the certificate request\n");
1651 goto err;
1652 } else
1653 BIO_printf(bio_err, "Signature ok\n");
1654
1655 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1656 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1657 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1658 ext_copy, selfsign);
1659
1660 err:
1661 X509_REQ_free(req);
1662 BIO_free(in);
1663
1664 return (ok);
1665 }
1666
1667 static int
certify_cert(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy)1668 certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1669 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
1670 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
1671 unsigned long chtype, int multirdn, int email_dn, char *startdate,
1672 char *enddate, long days, int batch, char *ext_sect, CONF *lconf,
1673 int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
1674 int ext_copy)
1675 {
1676 X509 *req = NULL;
1677 X509_REQ *rreq = NULL;
1678 EVP_PKEY *pktmp = NULL;
1679 int ok = -1, i;
1680
1681 if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
1682 infile)) == NULL)
1683 goto err;
1684 if (verbose) {
1685 if (!X509_print(bio_err, req))
1686 goto err;
1687 }
1688
1689 BIO_printf(bio_err, "Check that the request matches the signature\n");
1690
1691 if ((pktmp = X509_get_pubkey(req)) == NULL) {
1692 BIO_printf(bio_err, "error unpacking public key\n");
1693 goto err;
1694 }
1695 i = X509_verify(req, pktmp);
1696 EVP_PKEY_free(pktmp);
1697 if (i < 0) {
1698 ok = 0;
1699 BIO_printf(bio_err, "Signature verification problems....\n");
1700 goto err;
1701 }
1702 if (i == 0) {
1703 ok = 0;
1704 BIO_printf(bio_err,
1705 "Signature did not match the certificate\n");
1706 goto err;
1707 } else
1708 BIO_printf(bio_err, "Signature ok\n");
1709
1710 if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
1711 goto err;
1712
1713 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
1714 subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
1715 verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1716 ext_copy, 0);
1717
1718 err:
1719 X509_REQ_free(rreq);
1720 X509_free(req);
1721
1722 return (ok);
1723 }
1724
1725 static int
do_body(X509 ** xret,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,int batch,int verbose,X509_REQ * req,char * ext_sect,CONF * lconf,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy,int selfsign)1726 do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1727 STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
1728 CA_DB *db, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn,
1729 int email_dn, char *startdate, char *enddate, long days, int batch,
1730 int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
1731 unsigned long certopt, unsigned long nameopt, int default_op,
1732 int ext_copy, int selfsign)
1733 {
1734 X509_NAME *name = NULL, *CAname = NULL;
1735 X509_NAME *subject = NULL, *dn_subject = NULL;
1736 ASN1_UTCTIME *tm;
1737 ASN1_STRING *str, *str2;
1738 ASN1_OBJECT *obj;
1739 X509 *ret = NULL;
1740 X509_NAME_ENTRY *ne;
1741 X509_NAME_ENTRY *tne, *push;
1742 EVP_PKEY *pktmp;
1743 int ok = -1, i, j, last, nid;
1744 const char *p;
1745 CONF_VALUE *cv;
1746 OPENSSL_STRING row[DB_NUMBER];
1747 OPENSSL_STRING *irow = NULL;
1748 OPENSSL_STRING *rrow = NULL;
1749 const STACK_OF(X509_EXTENSION) *exts;
1750
1751 *xret = NULL;
1752
1753 for (i = 0; i < DB_NUMBER; i++)
1754 row[i] = NULL;
1755
1756 if (subj != NULL) {
1757 X509_NAME *n = parse_name(subj, chtype, multirdn);
1758
1759 if (n == NULL) {
1760 ERR_print_errors(bio_err);
1761 goto err;
1762 }
1763 if (!X509_REQ_set_subject_name(req, n)) {
1764 X509_NAME_free(n);
1765 goto err;
1766 }
1767 req->req_info->enc.modified = 1;
1768 X509_NAME_free(n);
1769 }
1770 if (default_op)
1771 BIO_printf(bio_err,
1772 "The Subject's Distinguished Name is as follows\n");
1773
1774 name = X509_REQ_get_subject_name(req);
1775 for (i = 0; i < X509_NAME_entry_count(name); i++) {
1776 ne = X509_NAME_get_entry(name, i);
1777 if (ne == NULL)
1778 goto err;
1779 str = X509_NAME_ENTRY_get_data(ne);
1780 if (str == NULL)
1781 goto err;
1782 obj = X509_NAME_ENTRY_get_object(ne);
1783 if (obj == NULL)
1784 goto err;
1785
1786 if (ca_config.msie_hack) {
1787 /* assume all type should be strings */
1788 nid = OBJ_obj2nid(ne->object);
1789 if (nid == NID_undef)
1790 goto err;
1791
1792 if (str->type == V_ASN1_UNIVERSALSTRING)
1793 ASN1_UNIVERSALSTRING_to_string(str);
1794
1795 if ((str->type == V_ASN1_IA5STRING) &&
1796 (nid != NID_pkcs9_emailAddress))
1797 str->type = V_ASN1_T61STRING;
1798
1799 if ((nid == NID_pkcs9_emailAddress) &&
1800 (str->type == V_ASN1_PRINTABLESTRING))
1801 str->type = V_ASN1_IA5STRING;
1802 }
1803 /* If no EMAIL is wanted in the subject */
1804 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
1805 continue;
1806
1807 /* check some things */
1808 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1809 (str->type != V_ASN1_IA5STRING)) {
1810 BIO_printf(bio_err,
1811 "\nemailAddress type needs to be of type IA5STRING\n");
1812 goto err;
1813 }
1814 if ((str->type != V_ASN1_BMPSTRING) &&
1815 (str->type != V_ASN1_UTF8STRING)) {
1816 j = ASN1_PRINTABLE_type(str->data, str->length);
1817 if (((j == V_ASN1_T61STRING) &&
1818 (str->type != V_ASN1_T61STRING)) ||
1819 ((j == V_ASN1_IA5STRING) &&
1820 (str->type == V_ASN1_PRINTABLESTRING))) {
1821 BIO_printf(bio_err,
1822 "\nThe string contains characters that are illegal for the ASN.1 type\n");
1823 goto err;
1824 }
1825 }
1826 if (default_op)
1827 old_entry_print(bio_err, obj, str);
1828 }
1829
1830 /* Ok, now we check the 'policy' stuff. */
1831 if ((subject = X509_NAME_new()) == NULL) {
1832 BIO_printf(bio_err, "Memory allocation failure\n");
1833 goto err;
1834 }
1835 /* take a copy of the issuer name before we mess with it. */
1836 if (selfsign)
1837 CAname = X509_NAME_dup(name);
1838 else
1839 CAname = X509_NAME_dup(X509_get_subject_name(x509));
1840 if (CAname == NULL)
1841 goto err;
1842 str = str2 = NULL;
1843
1844 for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
1845 cv = sk_CONF_VALUE_value(policy, i); /* get the object id */
1846 if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
1847 BIO_printf(bio_err,
1848 "%s:unknown object type in 'policy' configuration\n",
1849 cv->name);
1850 goto err;
1851 }
1852 obj = OBJ_nid2obj(j);
1853 if (obj == NULL)
1854 goto err;
1855
1856 last = -1;
1857 for (;;) {
1858 /* lookup the object in the supplied name list */
1859 j = X509_NAME_get_index_by_OBJ(name, obj, last);
1860 if (j < 0) {
1861 if (last != -1)
1862 break;
1863 tne = NULL;
1864 } else {
1865 tne = X509_NAME_get_entry(name, j);
1866 if (tne == NULL)
1867 goto err;
1868 }
1869 last = j;
1870
1871 /* depending on the 'policy', decide what to do. */
1872 push = NULL;
1873 if (strcmp(cv->value, "optional") == 0) {
1874 if (tne != NULL)
1875 push = tne;
1876 } else if (strcmp(cv->value, "supplied") == 0) {
1877 if (tne == NULL) {
1878 BIO_printf(bio_err,
1879 "The %s field needed to be supplied and was missing\n",
1880 cv->name);
1881 goto err;
1882 } else
1883 push = tne;
1884 } else if (strcmp(cv->value, "match") == 0) {
1885 int last2;
1886
1887 if (tne == NULL) {
1888 BIO_printf(bio_err,
1889 "The mandatory %s field was missing\n",
1890 cv->name);
1891 goto err;
1892 }
1893 last2 = -1;
1894
1895 again2:
1896 j = X509_NAME_get_index_by_OBJ(CAname, obj,
1897 last2);
1898 if ((j < 0) && (last2 == -1)) {
1899 BIO_printf(bio_err,
1900 "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",
1901 cv->name);
1902 goto err;
1903 }
1904 if (j >= 0) {
1905 push = X509_NAME_get_entry(CAname, j);
1906 if (push == NULL)
1907 goto err;
1908 str = X509_NAME_ENTRY_get_data(tne);
1909 if (str == NULL)
1910 goto err;
1911 str2 = X509_NAME_ENTRY_get_data(push);
1912 if (str2 == NULL)
1913 goto err;
1914 last2 = j;
1915 if (ASN1_STRING_cmp(str, str2) != 0)
1916 goto again2;
1917 }
1918 if (j < 0) {
1919 BIO_printf(bio_err,
1920 "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",
1921 cv->name, ((str2 == NULL) ?
1922 "NULL" : (char *) str2->data),
1923 ((str == NULL) ?
1924 "NULL" : (char *) str->data));
1925 goto err;
1926 }
1927 } else {
1928 BIO_printf(bio_err,
1929 "%s:invalid type in 'policy' configuration\n",
1930 cv->value);
1931 goto err;
1932 }
1933
1934 if (push != NULL) {
1935 if (!X509_NAME_add_entry(subject, push,
1936 -1, 0)) {
1937 X509_NAME_ENTRY_free(push);
1938 BIO_printf(bio_err,
1939 "Memory allocation failure\n");
1940 goto err;
1941 }
1942 }
1943 if (j < 0)
1944 break;
1945 }
1946 }
1947
1948 if (ca_config.preserve) {
1949 X509_NAME_free(subject);
1950 /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1951 subject = X509_NAME_dup(name);
1952 if (subject == NULL)
1953 goto err;
1954 }
1955
1956 /* We are now totally happy, lets make and sign the certificate */
1957 if (verbose)
1958 BIO_printf(bio_err,
1959 "Everything appears to be ok, creating and signing the certificate\n");
1960
1961 if ((ret = X509_new()) == NULL)
1962 goto err;
1963
1964 #ifdef X509_V3
1965 /* Make it an X509 v3 certificate. */
1966 if (!X509_set_version(ret, 2))
1967 goto err;
1968 #endif
1969 if (X509_get_serialNumber(ret) == NULL)
1970 goto err;
1971 if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
1972 goto err;
1973 if (selfsign) {
1974 if (!X509_set_issuer_name(ret, subject))
1975 goto err;
1976 } else {
1977 if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1978 goto err;
1979 }
1980
1981 if (strcmp(startdate, "today") == 0) {
1982 if (X509_gmtime_adj(X509_get_notBefore(ret), 0) == NULL)
1983 goto err;
1984 } else if (setCertificateTime(X509_get_notBefore(ret), startdate) == -1) {
1985 BIO_printf(bio_err, "Invalid start date %s\n", startdate);
1986 goto err;
1987 }
1988
1989 if (enddate == NULL) {
1990 if (X509_time_adj_ex(X509_get_notAfter(ret), days, 0,
1991 NULL) == NULL)
1992 goto err;
1993 } else if (setCertificateTime(X509_get_notAfter(ret), enddate) == -1) {
1994 BIO_printf(bio_err, "Invalid end date %s\n", enddate);
1995 goto err;
1996 }
1997
1998 if (!X509_set_subject_name(ret, subject))
1999 goto err;
2000
2001 pktmp = X509_REQ_get_pubkey(req);
2002 if (pktmp == NULL)
2003 goto err;
2004
2005 i = X509_set_pubkey(ret, pktmp);
2006 EVP_PKEY_free(pktmp);
2007 if (!i)
2008 goto err;
2009
2010 /* Lets add the extensions, if there are any */
2011 if (ext_sect != NULL) {
2012 X509V3_CTX ctx;
2013
2014 /* Initialize the context structure */
2015 if (selfsign)
2016 X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
2017 else
2018 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
2019
2020 if (extconf != NULL) {
2021 if (verbose)
2022 BIO_printf(bio_err,
2023 "Extra configuration file found\n");
2024
2025 /* Use the extconf configuration db LHASH */
2026 X509V3_set_nconf(&ctx, extconf);
2027
2028 /* Test the structure (needed?) */
2029 /* X509V3_set_ctx_test(&ctx); */
2030
2031 /* Adds exts contained in the configuration file */
2032 if (!X509V3_EXT_add_nconf(extconf, &ctx,
2033 ext_sect, ret)) {
2034 BIO_printf(bio_err,
2035 "ERROR: adding extensions in section %s\n",
2036 ext_sect);
2037 ERR_print_errors(bio_err);
2038 goto err;
2039 }
2040 if (verbose)
2041 BIO_printf(bio_err,
2042 "Successfully added extensions from file.\n");
2043 } else if (ext_sect != NULL) {
2044 /* We found extensions to be set from config file */
2045 X509V3_set_nconf(&ctx, lconf);
2046
2047 if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
2048 BIO_printf(bio_err,
2049 "ERROR: adding extensions in section %s\n",
2050 ext_sect);
2051 ERR_print_errors(bio_err);
2052 goto err;
2053 }
2054 if (verbose)
2055 BIO_printf(bio_err,
2056 "Successfully added extensions from config\n");
2057 }
2058 }
2059
2060 /* Copy extensions from request (if any) */
2061 if (!copy_extensions(ret, req, ext_copy)) {
2062 BIO_printf(bio_err, "ERROR: adding extensions from request\n");
2063 ERR_print_errors(bio_err);
2064 goto err;
2065 }
2066
2067 exts = X509_get0_extensions(ret);
2068 if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) {
2069 /* Make it an X509 v3 certificate. */
2070 if (!X509_set_version(ret, 2))
2071 goto err;
2072 }
2073
2074 if (verbose)
2075 BIO_printf(bio_err,
2076 "The subject name appears to be ok, checking data base for clashes\n");
2077
2078 /* Build the correct Subject if no email is wanted in the subject */
2079 if (!email_dn) {
2080 X509_NAME_ENTRY *tmpne;
2081 /*
2082 * Its best to dup the subject DN and then delete any email
2083 * addresses because this retains its structure.
2084 */
2085 if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
2086 BIO_printf(bio_err, "Memory allocation failure\n");
2087 goto err;
2088 }
2089 while ((i = X509_NAME_get_index_by_NID(dn_subject,
2090 NID_pkcs9_emailAddress, -1)) >= 0) {
2091 tmpne = X509_NAME_get_entry(dn_subject, i);
2092 if (tmpne == NULL)
2093 goto err;
2094 if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
2095 X509_NAME_ENTRY_free(tmpne);
2096 goto err;
2097 }
2098 X509_NAME_ENTRY_free(tmpne);
2099 }
2100
2101 if (!X509_set_subject_name(ret, dn_subject))
2102 goto err;
2103
2104 X509_NAME_free(dn_subject);
2105 dn_subject = NULL;
2106 }
2107
2108 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
2109 if (row[DB_name] == NULL) {
2110 BIO_printf(bio_err, "Memory allocation failure\n");
2111 goto err;
2112 }
2113
2114 if (BN_is_zero(serial))
2115 row[DB_serial] = strdup("00");
2116 else
2117 row[DB_serial] = BN_bn2hex(serial);
2118 if (row[DB_serial] == NULL) {
2119 BIO_printf(bio_err, "Memory allocation failure\n");
2120 goto err;
2121 }
2122
2123 if (row[DB_name][0] == '\0') {
2124 /*
2125 * An empty subject! We'll use the serial number instead. If
2126 * unique_subject is in use then we don't want different
2127 * entries with empty subjects matching each other.
2128 */
2129 free(row[DB_name]);
2130 row[DB_name] = strdup(row[DB_serial]);
2131 if (row[DB_name] == NULL) {
2132 BIO_printf(bio_err, "Memory allocation failure\n");
2133 goto err;
2134 }
2135 }
2136
2137 if (db->attributes.unique_subject) {
2138 OPENSSL_STRING *crow = row;
2139
2140 rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
2141 if (rrow != NULL) {
2142 BIO_printf(bio_err,
2143 "ERROR:There is already a certificate for %s\n",
2144 row[DB_name]);
2145 }
2146 }
2147 if (rrow == NULL) {
2148 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2149 if (rrow != NULL) {
2150 BIO_printf(bio_err,
2151 "ERROR:Serial number %s has already been issued,\n",
2152 row[DB_serial]);
2153 BIO_printf(bio_err,
2154 " check the database/serial_file for corruption\n");
2155 }
2156 }
2157 if (rrow != NULL) {
2158 BIO_printf(bio_err,
2159 "The matching entry has the following details\n");
2160 if (rrow[DB_type][0] == DB_TYPE_EXP)
2161 p = "Expired";
2162 else if (rrow[DB_type][0] == DB_TYPE_REV)
2163 p = "Revoked";
2164 else if (rrow[DB_type][0] == DB_TYPE_VAL)
2165 p = "Valid";
2166 else
2167 p = "\ninvalid type, Data base error\n";
2168 BIO_printf(bio_err, "Type :%s\n", p);
2169 if (rrow[DB_type][0] == DB_TYPE_REV) {
2170 p = rrow[DB_exp_date];
2171 if (p == NULL)
2172 p = "undef";
2173 BIO_printf(bio_err, "Was revoked on:%s\n", p);
2174 }
2175 p = rrow[DB_exp_date];
2176 if (p == NULL)
2177 p = "undef";
2178 BIO_printf(bio_err, "Expires on :%s\n", p);
2179 p = rrow[DB_serial];
2180 if (p == NULL)
2181 p = "undef";
2182 BIO_printf(bio_err, "Serial Number :%s\n", p);
2183 p = rrow[DB_file];
2184 if (p == NULL)
2185 p = "undef";
2186 BIO_printf(bio_err, "File name :%s\n", p);
2187 p = rrow[DB_name];
2188 if (p == NULL)
2189 p = "undef";
2190 BIO_printf(bio_err, "Subject Name :%s\n", p);
2191 ok = -1; /* This is now a 'bad' error. */
2192 goto err;
2193 }
2194
2195 if (!default_op) {
2196 BIO_printf(bio_err, "Certificate Details:\n");
2197 /*
2198 * Never print signature details because signature not
2199 * present
2200 */
2201 certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2202 if (!X509_print_ex(bio_err, ret, nameopt, certopt))
2203 goto err;
2204 }
2205 BIO_printf(bio_err, "Certificate is to be certified until ");
2206 ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
2207 if (days)
2208 BIO_printf(bio_err, " (%ld days)", days);
2209 BIO_printf(bio_err, "\n");
2210
2211 if (!batch) {
2212 char answer[25];
2213
2214 BIO_printf(bio_err, "Sign the certificate? [y/n]:");
2215 (void) BIO_flush(bio_err);
2216 if (!fgets(answer, sizeof(answer) - 1, stdin)) {
2217 BIO_printf(bio_err,
2218 "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
2219 ok = 0;
2220 goto err;
2221 }
2222 if (!((answer[0] == 'y') || (answer[0] == 'Y'))) {
2223 BIO_printf(bio_err,
2224 "CERTIFICATE WILL NOT BE CERTIFIED\n");
2225 ok = 0;
2226 goto err;
2227 }
2228 }
2229
2230 pktmp = X509_get_pubkey(ret);
2231 if (pktmp == NULL)
2232 goto err;
2233
2234 if (EVP_PKEY_missing_parameters(pktmp) &&
2235 !EVP_PKEY_missing_parameters(pkey)) {
2236 if (!EVP_PKEY_copy_parameters(pktmp, pkey)) {
2237 EVP_PKEY_free(pktmp);
2238 goto err;
2239 }
2240 }
2241 EVP_PKEY_free(pktmp);
2242
2243 if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
2244 goto err;
2245
2246 /* We now just add it to the database */
2247 row[DB_type] = malloc(2);
2248
2249 if ((tm = X509_get_notAfter(ret)) == NULL)
2250 goto err;
2251 row[DB_exp_date] = strndup(tm->data, tm->length);
2252 if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
2253 BIO_printf(bio_err, "Memory allocation failure\n");
2254 goto err;
2255 }
2256
2257 row[DB_rev_date] = NULL;
2258
2259 /* row[DB_serial] done already */
2260 row[DB_file] = malloc(8);
2261
2262 if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
2263 (row[DB_name] == NULL)) {
2264 BIO_printf(bio_err, "Memory allocation failure\n");
2265 goto err;
2266 }
2267 (void) strlcpy(row[DB_file], "unknown", 8);
2268 row[DB_type][0] = DB_TYPE_VAL;
2269 row[DB_type][1] = '\0';
2270
2271 if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
2272 NULL) {
2273 BIO_printf(bio_err, "Memory allocation failure\n");
2274 goto err;
2275 }
2276 for (i = 0; i < DB_NUMBER; i++) {
2277 irow[i] = row[i];
2278 row[i] = NULL;
2279 }
2280 irow[DB_NUMBER] = NULL;
2281
2282 if (!TXT_DB_insert(db->db, irow)) {
2283 BIO_printf(bio_err, "failed to update database\n");
2284 BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
2285 goto err;
2286 }
2287
2288 *xret = ret;
2289 ret = NULL;
2290 ok = 1;
2291
2292 err:
2293 for (i = 0; i < DB_NUMBER; i++)
2294 free(row[i]);
2295
2296 X509_NAME_free(CAname);
2297 X509_NAME_free(subject);
2298 X509_NAME_free(dn_subject);
2299 X509_free(ret);
2300
2301 return (ok);
2302 }
2303
2304 static int
write_new_certificate(BIO * bp,X509 * x,int output_der,int notext)2305 write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
2306 {
2307 if (output_der) {
2308 if (!i2d_X509_bio(bp, x))
2309 return (0);
2310 }
2311 if (!notext) {
2312 if (!X509_print(bp, x))
2313 return (0);
2314 }
2315
2316 return PEM_write_bio_X509(bp, x);
2317 }
2318
2319 static int
certify_spkac(X509 ** xret,char * infile,EVP_PKEY * pkey,X509 * x509,const EVP_MD * dgst,STACK_OF (OPENSSL_STRING)* sigopts,STACK_OF (CONF_VALUE)* policy,CA_DB * db,BIGNUM * serial,char * subj,unsigned long chtype,int multirdn,int email_dn,char * startdate,char * enddate,long days,char * ext_sect,CONF * lconf,int verbose,unsigned long certopt,unsigned long nameopt,int default_op,int ext_copy)2320 certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
2321 const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
2322 STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
2323 unsigned long chtype, int multirdn, int email_dn, char *startdate,
2324 char *enddate, long days, char *ext_sect, CONF *lconf, int verbose,
2325 unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
2326 {
2327 STACK_OF(CONF_VALUE) *sk = NULL;
2328 LHASH_OF(CONF_VALUE) *parms = NULL;
2329 X509_REQ *req = NULL;
2330 CONF_VALUE *cv = NULL;
2331 NETSCAPE_SPKI *spki = NULL;
2332 X509_REQ_INFO *ri;
2333 char *type, *buf;
2334 EVP_PKEY *pktmp = NULL;
2335 X509_NAME *n = NULL;
2336 int ok = -1, i, j;
2337 long errline;
2338 int nid;
2339
2340 /*
2341 * Load input file into a hash table. (This is just an easy
2342 * way to read and parse the file, then put it into a convenient
2343 * STACK format).
2344 */
2345 parms = CONF_load(NULL, infile, &errline);
2346 if (parms == NULL) {
2347 BIO_printf(bio_err, "error on line %ld of %s\n",
2348 errline, infile);
2349 ERR_print_errors(bio_err);
2350 goto err;
2351 }
2352 sk = CONF_get_section(parms, "default");
2353 if (sk_CONF_VALUE_num(sk) == 0) {
2354 BIO_printf(bio_err, "no name/value pairs found in %s\n",
2355 infile);
2356 CONF_free(parms);
2357 goto err;
2358 }
2359 /*
2360 * Now create a dummy X509 request structure. We don't actually
2361 * have an X509 request, but we have many of the components
2362 * (a public key, various DN components). The idea is that we
2363 * put these components into the right X509 request structure
2364 * and we can use the same code as if you had a real X509 request.
2365 */
2366 req = X509_REQ_new();
2367 if (req == NULL) {
2368 ERR_print_errors(bio_err);
2369 goto err;
2370 }
2371 /*
2372 * Build up the subject name set.
2373 */
2374 ri = req->req_info;
2375 n = ri->subject;
2376
2377 for (i = 0;; i++) {
2378 if (sk_CONF_VALUE_num(sk) <= i)
2379 break;
2380
2381 cv = sk_CONF_VALUE_value(sk, i);
2382 type = cv->name;
2383 /*
2384 * Skip past any leading X. X: X, etc to allow for multiple
2385 * instances
2386 */
2387 for (buf = cv->name; *buf; buf++) {
2388 if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
2389 buf++;
2390 if (*buf)
2391 type = buf;
2392 break;
2393 }
2394 }
2395
2396 buf = cv->value;
2397 if ((nid = OBJ_txt2nid(type)) == NID_undef) {
2398 if (strcmp(type, "SPKAC") == 0) {
2399 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2400 if (spki == NULL) {
2401 BIO_printf(bio_err,
2402 "unable to load Netscape SPKAC structure\n");
2403 ERR_print_errors(bio_err);
2404 goto err;
2405 }
2406 }
2407 continue;
2408 }
2409 if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2410 (unsigned char *)buf, -1, -1, 0))
2411 goto err;
2412 }
2413 if (spki == NULL) {
2414 BIO_printf(bio_err,
2415 "Netscape SPKAC structure not found in %s\n", infile);
2416 goto err;
2417 }
2418 /*
2419 * Now extract the key from the SPKI structure.
2420 */
2421
2422 BIO_printf(bio_err,
2423 "Check that the SPKAC request matches the signature\n");
2424
2425 if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
2426 BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2427 goto err;
2428 }
2429 j = NETSCAPE_SPKI_verify(spki, pktmp);
2430 if (j <= 0) {
2431 BIO_printf(bio_err,
2432 "signature verification failed on SPKAC public key\n");
2433 goto err;
2434 }
2435 BIO_printf(bio_err, "Signature ok\n");
2436
2437 if (!X509_REQ_set_pubkey(req, pktmp)) {
2438 EVP_PKEY_free(pktmp);
2439 goto err;
2440 }
2441 EVP_PKEY_free(pktmp);
2442 ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
2443 subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
2444 verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2445 ext_copy, 0);
2446
2447 err:
2448 X509_REQ_free(req);
2449 CONF_free(parms);
2450 NETSCAPE_SPKI_free(spki);
2451
2452 return (ok);
2453 }
2454
2455 static int
check_time_format(const char * str)2456 check_time_format(const char *str)
2457 {
2458 return ASN1_TIME_set_string(NULL, str);
2459 }
2460
2461 static int
do_revoke(X509 * x509,CA_DB * db,int type,char * value)2462 do_revoke(X509 *x509, CA_DB *db, int type, char *value)
2463 {
2464 ASN1_UTCTIME *tm = NULL;
2465 char *row[DB_NUMBER], **rrow, **irow;
2466 char *rev_str = NULL;
2467 BIGNUM *bn = NULL;
2468 int ok = -1, i;
2469
2470 for (i = 0; i < DB_NUMBER; i++)
2471 row[i] = NULL;
2472 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
2473 bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
2474 if (bn == NULL)
2475 goto err;
2476 if (BN_is_zero(bn))
2477 row[DB_serial] = strdup("00");
2478 else
2479 row[DB_serial] = BN_bn2hex(bn);
2480 BN_free(bn);
2481
2482 if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
2483 /*
2484 * Entries with empty Subjects actually use the serial number
2485 * instead
2486 */
2487 free(row[DB_name]);
2488 row[DB_name] = strdup(row[DB_serial]);
2489 if (row[DB_name] == NULL) {
2490 BIO_printf(bio_err, "Memory allocation failure\n");
2491 goto err;
2492 }
2493 }
2494
2495 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
2496 BIO_printf(bio_err, "Memory allocation failure\n");
2497 goto err;
2498 }
2499 /*
2500 * We have to lookup by serial number because name lookup skips
2501 * revoked certs
2502 */
2503 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2504 if (rrow == NULL) {
2505 BIO_printf(bio_err,
2506 "Adding Entry with serial number %s to DB for %s\n",
2507 row[DB_serial], row[DB_name]);
2508
2509 /* We now just add it to the database */
2510 row[DB_type] = malloc(2);
2511
2512 if ((tm = X509_get_notAfter(x509)) == NULL)
2513 goto err;
2514 row[DB_exp_date] = strndup(tm->data, tm->length);
2515 if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
2516 BIO_printf(bio_err, "Memory allocation failure\n");
2517 goto err;
2518 }
2519
2520 row[DB_rev_date] = NULL;
2521
2522 /* row[DB_serial] done already */
2523 row[DB_file] = malloc(8);
2524
2525 /* row[DB_name] done already */
2526
2527 if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
2528 BIO_printf(bio_err, "Memory allocation failure\n");
2529 goto err;
2530 }
2531 (void) strlcpy(row[DB_file], "unknown", 8);
2532 row[DB_type][0] = DB_TYPE_VAL;
2533 row[DB_type][1] = '\0';
2534
2535 if ((irow = reallocarray(NULL, sizeof(char *),
2536 (DB_NUMBER + 1))) == NULL) {
2537 BIO_printf(bio_err, "Memory allocation failure\n");
2538 goto err;
2539 }
2540 for (i = 0; i < DB_NUMBER; i++) {
2541 irow[i] = row[i];
2542 row[i] = NULL;
2543 }
2544 irow[DB_NUMBER] = NULL;
2545
2546 if (!TXT_DB_insert(db->db, irow)) {
2547 BIO_printf(bio_err, "failed to update database\n");
2548 BIO_printf(bio_err, "TXT_DB error number %ld\n",
2549 db->db->error);
2550 goto err;
2551 }
2552 /* Revoke Certificate */
2553 ok = do_revoke(x509, db, type, value);
2554
2555 goto err;
2556
2557 } else if (index_name_cmp_noconst(row, rrow)) {
2558 BIO_printf(bio_err, "ERROR:name does not match %s\n",
2559 row[DB_name]);
2560 goto err;
2561 } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2562 BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2563 row[DB_serial]);
2564 goto err;
2565 } else {
2566 BIO_printf(bio_err, "Revoking Certificate %s.\n",
2567 rrow[DB_serial]);
2568 rev_str = make_revocation_str(type, value);
2569 if (rev_str == NULL) {
2570 BIO_printf(bio_err, "Error in revocation arguments\n");
2571 goto err;
2572 }
2573 rrow[DB_type][0] = DB_TYPE_REV;
2574 rrow[DB_type][1] = '\0';
2575 rrow[DB_rev_date] = rev_str;
2576 }
2577 ok = 1;
2578
2579 err:
2580 for (i = 0; i < DB_NUMBER; i++)
2581 free(row[i]);
2582
2583 return (ok);
2584 }
2585
2586 static int
get_certificate_status(const char * serial,CA_DB * db)2587 get_certificate_status(const char *serial, CA_DB *db)
2588 {
2589 char *row[DB_NUMBER], **rrow;
2590 int ok = -1, i;
2591
2592 /* Free Resources */
2593 for (i = 0; i < DB_NUMBER; i++)
2594 row[i] = NULL;
2595
2596 /* Malloc needed char spaces */
2597 row[DB_serial] = malloc(strlen(serial) + 2);
2598 if (row[DB_serial] == NULL) {
2599 BIO_printf(bio_err, "Malloc failure\n");
2600 goto err;
2601 }
2602 if (strlen(serial) % 2) {
2603 /* Set the first char to 0 */ ;
2604 row[DB_serial][0] = '0';
2605
2606 /* Copy String from serial to row[DB_serial] */
2607 memcpy(row[DB_serial] + 1, serial, strlen(serial));
2608 row[DB_serial][strlen(serial) + 1] = '\0';
2609 } else {
2610 /* Copy String from serial to row[DB_serial] */
2611 memcpy(row[DB_serial], serial, strlen(serial));
2612 row[DB_serial][strlen(serial)] = '\0';
2613 }
2614
2615 /* Make it Upper Case */
2616 for (i = 0; row[DB_serial][i] != '\0'; i++)
2617 row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);
2618
2619
2620 ok = 1;
2621
2622 /* Search for the certificate */
2623 rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
2624 if (rrow == NULL) {
2625 BIO_printf(bio_err, "Serial %s not present in db.\n",
2626 row[DB_serial]);
2627 ok = -1;
2628 goto err;
2629 } else if (rrow[DB_type][0] == DB_TYPE_VAL) {
2630 BIO_printf(bio_err, "%s=Valid (%c)\n",
2631 row[DB_serial], rrow[DB_type][0]);
2632 goto err;
2633 } else if (rrow[DB_type][0] == DB_TYPE_REV) {
2634 BIO_printf(bio_err, "%s=Revoked (%c)\n",
2635 row[DB_serial], rrow[DB_type][0]);
2636 goto err;
2637 } else if (rrow[DB_type][0] == DB_TYPE_EXP) {
2638 BIO_printf(bio_err, "%s=Expired (%c)\n",
2639 row[DB_serial], rrow[DB_type][0]);
2640 goto err;
2641 } else if (rrow[DB_type][0] == DB_TYPE_SUSP) {
2642 BIO_printf(bio_err, "%s=Suspended (%c)\n",
2643 row[DB_serial], rrow[DB_type][0]);
2644 goto err;
2645 } else {
2646 BIO_printf(bio_err, "%s=Unknown (%c).\n",
2647 row[DB_serial], rrow[DB_type][0]);
2648 ok = -1;
2649 }
2650
2651 err:
2652 for (i = 0; i < DB_NUMBER; i++)
2653 free(row[i]);
2654
2655 return (ok);
2656 }
2657
2658 static int
do_updatedb(CA_DB * db)2659 do_updatedb(CA_DB *db)
2660 {
2661 ASN1_UTCTIME *a_tm = NULL;
2662 int i, cnt = 0;
2663 int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
2664 char **rrow, *a_tm_s = NULL;
2665
2666 a_tm = ASN1_UTCTIME_new();
2667 if (a_tm == NULL) {
2668 cnt = -1;
2669 goto err;
2670 }
2671
2672 /* get actual time and make a string */
2673 a_tm = X509_gmtime_adj(a_tm, 0);
2674 if (a_tm == NULL) {
2675 cnt = -1;
2676 goto err;
2677 }
2678 a_tm_s = strndup(a_tm->data, a_tm->length);
2679 if (a_tm_s == NULL) {
2680 cnt = -1;
2681 goto err;
2682 }
2683
2684 if (strncmp(a_tm_s, "49", 2) <= 0)
2685 a_y2k = 1;
2686 else
2687 a_y2k = 0;
2688
2689 for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2690 rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2691
2692 if (rrow[DB_type][0] == DB_TYPE_VAL) {
2693 /* ignore entries that are not valid */
2694 if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2695 db_y2k = 1;
2696 else
2697 db_y2k = 0;
2698
2699 if (db_y2k == a_y2k) {
2700 /* all on the same y2k side */
2701 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
2702 rrow[DB_type][0] = DB_TYPE_EXP;
2703 rrow[DB_type][1] = '\0';
2704 cnt++;
2705
2706 BIO_printf(bio_err, "%s=Expired\n",
2707 rrow[DB_serial]);
2708 }
2709 } else if (db_y2k < a_y2k) {
2710 rrow[DB_type][0] = DB_TYPE_EXP;
2711 rrow[DB_type][1] = '\0';
2712 cnt++;
2713
2714 BIO_printf(bio_err, "%s=Expired\n",
2715 rrow[DB_serial]);
2716 }
2717 }
2718 }
2719
2720 err:
2721 ASN1_UTCTIME_free(a_tm);
2722 free(a_tm_s);
2723
2724 return (cnt);
2725 }
2726
2727 static const char *crl_reasons[] = {
2728 /* CRL reason strings */
2729 "unspecified",
2730 "keyCompromise",
2731 "CACompromise",
2732 "affiliationChanged",
2733 "superseded",
2734 "cessationOfOperation",
2735 "certificateHold",
2736 "removeFromCRL",
2737 /* Additional pseudo reasons */
2738 "holdInstruction",
2739 "keyTime",
2740 "CAkeyTime"
2741 };
2742
2743 #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2744
2745 /* Given revocation information convert to a DB string.
2746 * The format of the string is:
2747 * revtime[,reason,extra]. Where 'revtime' is the
2748 * revocation time (the current time). 'reason' is the
2749 * optional CRL reason and 'extra' is any additional
2750 * argument
2751 */
2752
2753 char *
make_revocation_str(int rev_type,char * rev_arg)2754 make_revocation_str(int rev_type, char *rev_arg)
2755 {
2756 char *other = NULL, *str;
2757 const char *reason = NULL;
2758 ASN1_OBJECT *otmp;
2759 ASN1_UTCTIME *revtm = NULL;
2760 int i;
2761 switch (rev_type) {
2762 case REV_NONE:
2763 break;
2764
2765 case REV_CRL_REASON:
2766 for (i = 0; i < 8; i++) {
2767 if (strcasecmp(rev_arg, crl_reasons[i]) == 0) {
2768 reason = crl_reasons[i];
2769 break;
2770 }
2771 }
2772 if (reason == NULL) {
2773 BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2774 return NULL;
2775 }
2776 break;
2777
2778 case REV_HOLD:
2779 /* Argument is an OID */
2780 otmp = OBJ_txt2obj(rev_arg, 0);
2781 ASN1_OBJECT_free(otmp);
2782
2783 if (otmp == NULL) {
2784 BIO_printf(bio_err,
2785 "Invalid object identifier %s\n", rev_arg);
2786 return NULL;
2787 }
2788 reason = "holdInstruction";
2789 other = rev_arg;
2790 break;
2791
2792 case REV_KEY_COMPROMISE:
2793 case REV_CA_COMPROMISE:
2794 /* Argument is the key compromise time */
2795 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
2796 BIO_printf(bio_err,
2797 "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2798 rev_arg);
2799 return NULL;
2800 }
2801 other = rev_arg;
2802 if (rev_type == REV_KEY_COMPROMISE)
2803 reason = "keyTime";
2804 else
2805 reason = "CAkeyTime";
2806
2807 break;
2808 }
2809
2810 revtm = X509_gmtime_adj(NULL, 0);
2811 if (revtm == NULL)
2812 return NULL;
2813
2814 if (asprintf(&str, "%s%s%s%s%s", revtm->data,
2815 reason ? "," : "", reason ? reason : "",
2816 other ? "," : "", other ? other : "") == -1)
2817 str = NULL;
2818
2819 ASN1_UTCTIME_free(revtm);
2820
2821 return str;
2822 }
2823
2824 /* Convert revocation field to X509_REVOKED entry
2825 * return code:
2826 * 0 error
2827 * 1 OK
2828 * 2 OK and some extensions added (i.e. V2 CRL)
2829 */
2830
2831 int
make_revoked(X509_REVOKED * rev,const char * str)2832 make_revoked(X509_REVOKED *rev, const char *str)
2833 {
2834 char *tmp = NULL;
2835 int reason_code = -1;
2836 int i, ret = 0;
2837 ASN1_OBJECT *hold = NULL;
2838 ASN1_GENERALIZEDTIME *comp_time = NULL;
2839 ASN1_ENUMERATED *rtmp = NULL;
2840
2841 ASN1_TIME *revDate = NULL;
2842
2843 i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2844
2845 if (i == 0)
2846 goto err;
2847
2848 if (rev != NULL && !X509_REVOKED_set_revocationDate(rev, revDate))
2849 goto err;
2850
2851 if (rev != NULL && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
2852 rtmp = ASN1_ENUMERATED_new();
2853 if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code))
2854 goto err;
2855 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
2856 goto err;
2857 }
2858 if (rev != NULL && comp_time != NULL) {
2859 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
2860 comp_time, 0, 0))
2861 goto err;
2862 }
2863 if (rev != NULL && hold != NULL) {
2864 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
2865 hold, 0, 0))
2866 goto err;
2867 }
2868 if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
2869 ret = 2;
2870 else
2871 ret = 1;
2872
2873 err:
2874 free(tmp);
2875
2876 ASN1_OBJECT_free(hold);
2877 ASN1_GENERALIZEDTIME_free(comp_time);
2878 ASN1_ENUMERATED_free(rtmp);
2879 ASN1_TIME_free(revDate);
2880
2881 return ret;
2882 }
2883
2884 int
old_entry_print(BIO * bp,ASN1_OBJECT * obj,ASN1_STRING * str)2885 old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
2886 {
2887 char buf[25], *pbuf, *p;
2888 int j;
2889
2890 j = i2a_ASN1_OBJECT(bp, obj);
2891 pbuf = buf;
2892 for (j = 22 - j; j > 0; j--)
2893 *(pbuf++) = ' ';
2894 *(pbuf++) = ':';
2895 *(pbuf++) = '\0';
2896 BIO_puts(bp, buf);
2897
2898 if (str->type == V_ASN1_PRINTABLESTRING)
2899 BIO_printf(bp, "PRINTABLE:'");
2900 else if (str->type == V_ASN1_T61STRING)
2901 BIO_printf(bp, "T61STRING:'");
2902 else if (str->type == V_ASN1_IA5STRING)
2903 BIO_printf(bp, "IA5STRING:'");
2904 else if (str->type == V_ASN1_UNIVERSALSTRING)
2905 BIO_printf(bp, "UNIVERSALSTRING:'");
2906 else
2907 BIO_printf(bp, "ASN.1 %2d:'", str->type);
2908
2909 p = (char *) str->data;
2910 for (j = str->length; j > 0; j--) {
2911 if ((*p >= ' ') && (*p <= '~'))
2912 BIO_printf(bp, "%c", *p);
2913 else if (*p & 0x80)
2914 BIO_printf(bp, "\\0x%02X", *p);
2915 else if ((unsigned char) *p == 0xf7)
2916 BIO_printf(bp, "^?");
2917 else
2918 BIO_printf(bp, "^%c", *p + '@');
2919 p++;
2920 }
2921 BIO_printf(bp, "'\n");
2922 return 1;
2923 }
2924
2925 int
unpack_revinfo(ASN1_TIME ** prevtm,int * preason,ASN1_OBJECT ** phold,ASN1_GENERALIZEDTIME ** pinvtm,const char * str)2926 unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
2927 ASN1_GENERALIZEDTIME **pinvtm, const char *str)
2928 {
2929 char *tmp = NULL;
2930 char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2931 int reason_code = -1;
2932 int ret = 0;
2933 unsigned int i;
2934 ASN1_OBJECT *hold = NULL;
2935 ASN1_GENERALIZEDTIME *comp_time = NULL;
2936
2937 if ((tmp = strdup(str)) == NULL) {
2938 BIO_printf(bio_err, "malloc failed\n");
2939 goto err;
2940 }
2941 p = strchr(tmp, ',');
2942 rtime_str = tmp;
2943
2944 if (p != NULL) {
2945 *p = '\0';
2946 p++;
2947 reason_str = p;
2948 p = strchr(p, ',');
2949 if (p != NULL) {
2950 *p = '\0';
2951 arg_str = p + 1;
2952 }
2953 }
2954 if (prevtm != NULL) {
2955 *prevtm = ASN1_UTCTIME_new();
2956 if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2957 BIO_printf(bio_err, "invalid revocation date %s\n",
2958 rtime_str);
2959 goto err;
2960 }
2961 }
2962 if (reason_str != NULL) {
2963 for (i = 0; i < NUM_REASONS; i++) {
2964 if (strcasecmp(reason_str, crl_reasons[i]) == 0) {
2965 reason_code = i;
2966 break;
2967 }
2968 }
2969 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
2970 BIO_printf(bio_err, "invalid reason code %s\n",
2971 reason_str);
2972 goto err;
2973 }
2974 if (reason_code == 7)
2975 reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2976 else if (reason_code == 8) { /* Hold instruction */
2977 if (arg_str == NULL) {
2978 BIO_printf(bio_err,
2979 "missing hold instruction\n");
2980 goto err;
2981 }
2982 reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
2983 hold = OBJ_txt2obj(arg_str, 0);
2984
2985 if (hold == NULL) {
2986 BIO_printf(bio_err,
2987 "invalid object identifier %s\n", arg_str);
2988 goto err;
2989 }
2990 if (phold != NULL)
2991 *phold = hold;
2992 } else if ((reason_code == 9) || (reason_code == 10)) {
2993 if (arg_str == NULL) {
2994 BIO_printf(bio_err,
2995 "missing compromised time\n");
2996 goto err;
2997 }
2998 comp_time = ASN1_GENERALIZEDTIME_new();
2999 if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
3000 arg_str)) {
3001 BIO_printf(bio_err,
3002 "invalid compromised time %s\n", arg_str);
3003 goto err;
3004 }
3005 if (reason_code == 9)
3006 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
3007 else
3008 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
3009 }
3010 }
3011 if (preason != NULL)
3012 *preason = reason_code;
3013 if (pinvtm != NULL)
3014 *pinvtm = comp_time;
3015 else
3016 ASN1_GENERALIZEDTIME_free(comp_time);
3017
3018 ret = 1;
3019
3020 err:
3021 free(tmp);
3022
3023 if (phold == NULL)
3024 ASN1_OBJECT_free(hold);
3025 if (pinvtm == NULL)
3026 ASN1_GENERALIZEDTIME_free(comp_time);
3027
3028 return ret;
3029 }
3030
3031 static char *
bin2hex(unsigned char * data,size_t len)3032 bin2hex(unsigned char *data, size_t len)
3033 {
3034 char *ret = NULL;
3035 char hex[] = "0123456789ABCDEF";
3036 int i;
3037
3038 if ((ret = malloc(len * 2 + 1)) != NULL) {
3039 for (i = 0; i < len; i++) {
3040 ret[i * 2 + 0] = hex[data[i] >> 4];
3041 ret[i * 2 + 1] = hex[data[i] & 0x0F];
3042 }
3043 ret[len * 2] = '\0';
3044 }
3045 return ret;
3046 }
3047