X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fx509.c;h=182cfb055d82123114ab2a8c5e8fb77de126c1a5;hb=5114d8227e0516fffc0c8653f5118290709f6494;hp=4bf7cdb9c51380fa4721f71512b25a388cd5c37d;hpb=846e33c729311169d9c988ceba29484b3783f244;p=openssl.git diff --git a/apps/x509.c b/apps/x509.c index 4bf7cdb9c5..182cfb055d 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -33,12 +33,12 @@ static int callb(int ok, X509_STORE_CTX *ctx); static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, - const EVP_MD *digest, CONF *conf, char *section); -static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, + const EVP_MD *digest, CONF *conf, const char *section); +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, - STACK_OF(OPENSSL_STRING) *sigopts, char *serial, + STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, int create, int days, int clrext, CONF *conf, - char *section, ASN1_INTEGER *sno, int reqfile); + const char *section, ASN1_INTEGER *sno, int reqfile); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); typedef enum OPTION_choice { @@ -59,7 +59,7 @@ typedef enum OPTION_choice { OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT } OPTION_CHOICE; -OPTIONS x509_options[] = { +const OPTIONS x509_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"inform", OPT_INFORM, 'f', "Input format - default PEM (one of DER, NET or PEM)"}, @@ -92,7 +92,7 @@ OPTIONS x509_options[] = { {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, - {"clrext", OPT_CLREXT, '-', "Clear all rejected purposes"}, + {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, {"addreject", OPT_ADDREJECT, 's', "Reject certificate for a given purpose"}, @@ -125,9 +125,10 @@ OPTIONS x509_options[] = { {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, {"CAkeyform", OPT_CAKEYFORM, 'F', "CA key format - default PEM"}, {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, - {"force_pubkey", OPT_FORCE_PUBKEY, '<'}, - {"next_serial", OPT_NEXT_SERIAL, '-'}, - {"clrreject", OPT_CLRREJECT, '-'}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"}, + {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, + {"clrreject", OPT_CLRREJECT, '-', + "Clears all the prohibited or rejected uses of the certificate"}, {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, {"", OPT_MD, '-', "Any supported digest"}, #ifndef OPENSSL_NO_MD5 @@ -145,7 +146,7 @@ OPTIONS x509_options[] = { int x509_main(int argc, char **argv) { ASN1_INTEGER *sno = NULL; - ASN1_OBJECT *objtmp; + ASN1_OBJECT *objtmp = NULL; BIO *out = NULL; CONF *extconf = NULL; EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; @@ -261,6 +262,10 @@ int x509_main(int argc, char **argv) CAserial = opt_arg(); break; case OPT_SET_SERIAL: + if (sno != NULL) { + BIO_printf(bio_err, "Serial number supplied twice\n"); + goto opthelp; + } if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) goto opthelp; break; @@ -277,6 +282,7 @@ int x509_main(int argc, char **argv) if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) goto end; sk_ASN1_OBJECT_push(trust, objtmp); + objtmp = NULL; trustout = 1; break; case OPT_ADDREJECT: @@ -290,6 +296,7 @@ int x509_main(int argc, char **argv) && (reject = sk_ASN1_OBJECT_new_null()) == NULL) goto end; sk_ASN1_OBJECT_push(reject, objtmp); + objtmp = NULL; trustout = 1; break; case OPT_SETALIAS: @@ -552,9 +559,9 @@ int x509_main(int argc, char **argv) goto end; if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) goto end; + if (!set_cert_times(x, NULL, NULL, days)) + goto end; - X509_gmtime_adj(X509_get_notBefore(x), 0); - X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); if (fkey) X509_set_pubkey(x, fkey); else { @@ -590,6 +597,7 @@ int x509_main(int argc, char **argv) objtmp = sk_ASN1_OBJECT_value(trust, i); X509_add1_trust_object(x, objtmp); } + objtmp = NULL; } if (reject) { @@ -597,24 +605,31 @@ int x509_main(int argc, char **argv) objtmp = sk_ASN1_OBJECT_value(reject, i); X509_add1_reject_object(x, objtmp); } + objtmp = NULL; + } + + if (badsig) { + const ASN1_BIT_STRING *signature; + + X509_get0_signature(&signature, NULL, x); + corrupt_signature(signature); } if (num) { for (i = 1; i <= num; i++) { if (issuer == i) { - print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag); + print_name(out, "issuer=", X509_get_issuer_name(x), nmflag); } else if (subject == i) { - print_name(out, "subject= ", + print_name(out, "subject=", X509_get_subject_name(x), nmflag); } else if (serial == i) { BIO_printf(out, "serial="); i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); BIO_printf(out, "\n"); } else if (next_serial == i) { - BIGNUM *bnser; - ASN1_INTEGER *ser; - ser = X509_get_serialNumber(x); - bnser = ASN1_INTEGER_to_BN(ser, NULL); + ASN1_INTEGER *ser = X509_get_serialNumber(x); + BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); + if (!bnser) goto end; if (!BN_add_word(bnser, 1)) @@ -680,14 +695,14 @@ int x509_main(int argc, char **argv) BIO_printf(out, "Modulus="); #ifndef OPENSSL_NO_RSA if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { - BIGNUM *n; + const BIGNUM *n; RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL); BN_print(out, n); } else #endif #ifndef OPENSSL_NO_DSA if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { - BIGNUM *dsapub = NULL; + const BIGNUM *dsapub = NULL; DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); BN_print(out, dsapub); } else @@ -735,11 +750,11 @@ int x509_main(int argc, char **argv) X509_print_ex(out, x, nmflag, certflag); } else if (startdate == i) { BIO_puts(out, "notBefore="); - ASN1_TIME_print(out, X509_get_notBefore(x)); + ASN1_TIME_print(out, X509_get0_notBefore(x)); BIO_puts(out, "\n"); } else if (enddate == i) { BIO_puts(out, "notAfter="); - ASN1_TIME_print(out, X509_get_notAfter(x)); + ASN1_TIME_print(out, X509_get0_notAfter(x)); BIO_puts(out, "\n"); } else if (fingerprint == i) { int j; @@ -826,7 +841,7 @@ int x509_main(int argc, char **argv) if (checkend) { time_t tcheck = time(NULL) + checkoffset; - if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { + if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { BIO_printf(out, "Certificate will expire\n"); ret = 1; } else { @@ -843,14 +858,6 @@ int x509_main(int argc, char **argv) goto end; } - if (badsig) { - ASN1_BIT_STRING *signature; - unsigned char *s; - X509_get0_signature(&signature, NULL, x); - s = ASN1_STRING_data(signature); - s[ASN1_STRING_length(signature) - 1] ^= 0x1; - } - if (outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x); else if (outformat == FORMAT_PEM) { @@ -885,11 +892,13 @@ int x509_main(int argc, char **argv) ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); + ASN1_OBJECT_free(objtmp); + release_engine(e); OPENSSL_free(passin); return (ret); } -static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, +static ASN1_INTEGER *x509_load_serial(const char *CAfile, const char *serialfile, int create) { char *buf = NULL, *p; @@ -930,11 +939,11 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, return bs; } -static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, - char *serialfile, int create, - int days, int clrext, CONF *conf, char *section, + const char *serialfile, int create, + int days, int clrext, CONF *conf, const char *section, ASN1_INTEGER *sno, int reqfile) { int ret = 0; @@ -943,6 +952,10 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, EVP_PKEY *upkey; upkey = X509_get0_pubkey(xca); + if (upkey == NULL) { + BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); + goto end; + } EVP_PKEY_copy_parameters(upkey, pkey); xsc = X509_STORE_CTX_new(); @@ -975,11 +988,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (!X509_set_serialNumber(x, bs)) goto end; - if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL) - goto end; - - /* hardwired expired */ - if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) + if (!set_cert_times(x, NULL, NULL, days)) goto end; if (clrext) { @@ -1043,17 +1052,13 @@ static int callb(int ok, X509_STORE_CTX *ctx) /* self sign */ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, - const EVP_MD *digest, CONF *conf, char *section) + const EVP_MD *digest, CONF *conf, const char *section) { if (!X509_set_issuer_name(x, X509_get_subject_name(x))) goto err; - if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) + if (!set_cert_times(x, NULL, NULL, days)) goto err; - - if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) - goto err; - if (!X509_set_pubkey(x, pkey)) goto err; if (clrext) { @@ -1079,7 +1084,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) { int id, i, idret; - char *pname; + const char *pname; id = X509_PURPOSE_get_id(pt); pname = X509_PURPOSE_get0_name(pt); for (i = 0; i < 2; i++) {