format strings
[openssl.git] / apps / x509.c
1 /* apps/x509.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <assert.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #ifdef NO_STDIO
64 #define APPS_WIN16
65 #endif
66 #include "apps.h"
67 #include <openssl/bio.h>
68 #include <openssl/asn1.h>
69 #include <openssl/err.h>
70 #include <openssl/bn.h>
71 #include <openssl/evp.h>
72 #include <openssl/x509.h>
73 #include <openssl/x509v3.h>
74 #include <openssl/objects.h>
75 #include <openssl/pem.h>
76 #include <openssl/engine.h>
77
78 #undef PROG
79 #define PROG x509_main
80
81 #undef POSTFIX
82 #define POSTFIX ".srl"
83 #define DEF_DAYS        30
84
85 static char *x509_usage[]={
86 "usage: x509 args\n",
87 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
88 " -outform arg    - output format - default PEM (one of DER, NET or PEM)\n",
89 " -keyform arg    - private key format - default PEM\n",
90 " -CAform arg     - CA format - default PEM\n",
91 " -CAkeyform arg  - CA key format - default PEM\n",
92 " -in arg         - input file - default stdin\n",
93 " -out arg        - output file - default stdout\n",
94 " -passin arg     - private key password source\n",
95 " -serial         - print serial number value\n",
96 " -hash           - print hash value\n",
97 " -subject        - print subject DN\n",
98 " -issuer         - print issuer DN\n",
99 " -email          - print email address(es)\n",
100 " -startdate      - notBefore field\n",
101 " -enddate        - notAfter field\n",
102 " -purpose        - print out certificate purposes\n",
103 " -dates          - both Before and After dates\n",
104 " -modulus        - print the RSA key modulus\n",
105 " -pubkey         - output the public key\n",
106 " -fingerprint    - print the certificate fingerprint\n",
107 " -alias          - output certificate alias\n",
108 " -noout          - no certificate output\n",
109 " -ocspid         - print OCSP hash values for the subject name and public key\n",
110 " -trustout       - output a \"trusted\" certificate\n",
111 " -clrtrust       - clear all trusted purposes\n",
112 " -clrreject      - clear all rejected purposes\n",
113 " -addtrust arg   - trust certificate for a given purpose\n",
114 " -addreject arg  - reject certificate for a given purpose\n",
115 " -setalias arg   - set certificate alias\n",
116 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
117 " -checkend arg   - check whether the cert expires in the next arg seconds\n",
118 "                   exit 1 if so, 0 if not\n",
119 " -signkey arg    - self sign cert with arg\n",
120 " -x509toreq      - output a certification request object\n",
121 " -req            - input is a certificate request, sign and output.\n",
122 " -CA arg         - set the CA certificate, must be PEM format.\n",
123 " -CAkey arg      - set the CA key, must be PEM format\n",
124 "                   missing, it is assumed to be in the CA file.\n",
125 " -CAcreateserial - create serial number file if it does not exist\n",
126 " -CAserial       - serial file\n",
127 " -text           - print the certificate in text form\n",
128 " -C              - print out C code forms\n",
129 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
130 " -extfile        - configuration file with X509V3 extensions to add\n",
131 " -extensions     - section from config file with X509V3 extensions to add\n",
132 " -clrext         - delete extensions before signing and input certificate\n",
133 " -nameopt arg    - various certificate name options\n",
134 " -engine e       - use engine e, possibly a hardware device.\n",
135 " -certopt arg    - various certificate text options\n",
136 NULL
137 };
138
139 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
140 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
141                                                 LHASH *conf, char *section);
142 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
143                          X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
144                          int create,int days, int clrext, LHASH *conf, char *section);
145 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
146 static int reqfile=0;
147
148 int MAIN(int, char **);
149
150 int MAIN(int argc, char **argv)
151         {
152         ENGINE *e = NULL;
153         int ret=1;
154         X509_REQ *req=NULL;
155         X509 *x=NULL,*xca=NULL;
156         ASN1_OBJECT *objtmp;
157         EVP_PKEY *Upkey=NULL,*CApkey=NULL;
158         int i,num,badops=0;
159         BIO *out=NULL;
160         BIO *STDout=NULL;
161         STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
162         int informat,outformat,keyformat,CAformat,CAkeyformat;
163         char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
164         char *CAkeyfile=NULL,*CAserial=NULL;
165         char *alias=NULL;
166         int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
167         int ocspid=0;
168         int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
169         int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
170         int C=0;
171         int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
172         int pprint = 0;
173         char **pp;
174         X509_STORE *ctx=NULL;
175         X509_REQ *rq=NULL;
176         int fingerprint=0;
177         char buf[256];
178         const EVP_MD *md_alg,*digest=EVP_md5();
179         LHASH *extconf = NULL;
180         char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
181         int need_rand = 0;
182         int checkend=0,checkoffset=0;
183         unsigned long nmflag = 0, certflag = 0;
184         char *engine=NULL;
185
186         reqfile=0;
187
188         apps_startup();
189
190         if (bio_err == NULL)
191                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
192         STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
193 #ifdef VMS
194         {
195         BIO *tmpbio = BIO_new(BIO_f_linebuffer());
196         STDout = BIO_push(tmpbio, STDout);
197         }
198 #endif
199
200         informat=FORMAT_PEM;
201         outformat=FORMAT_PEM;
202         keyformat=FORMAT_PEM;
203         CAformat=FORMAT_PEM;
204         CAkeyformat=FORMAT_PEM;
205
206         ctx=X509_STORE_new();
207         if (ctx == NULL) goto end;
208         X509_STORE_set_verify_cb_func(ctx,callb);
209
210         argc--;
211         argv++;
212         num=0;
213         while (argc >= 1)
214                 {
215                 if      (strcmp(*argv,"-inform") == 0)
216                         {
217                         if (--argc < 1) goto bad;
218                         informat=str2fmt(*(++argv));
219                         }
220                 else if (strcmp(*argv,"-outform") == 0)
221                         {
222                         if (--argc < 1) goto bad;
223                         outformat=str2fmt(*(++argv));
224                         }
225                 else if (strcmp(*argv,"-keyform") == 0)
226                         {
227                         if (--argc < 1) goto bad;
228                         keyformat=str2fmt(*(++argv));
229                         }
230                 else if (strcmp(*argv,"-req") == 0)
231                         {
232                         reqfile=1;
233                         need_rand = 1;
234                         }
235                 else if (strcmp(*argv,"-CAform") == 0)
236                         {
237                         if (--argc < 1) goto bad;
238                         CAformat=str2fmt(*(++argv));
239                         }
240                 else if (strcmp(*argv,"-CAkeyform") == 0)
241                         {
242                         if (--argc < 1) goto bad;
243                         CAformat=str2fmt(*(++argv));
244                         }
245                 else if (strcmp(*argv,"-days") == 0)
246                         {
247                         if (--argc < 1) goto bad;
248                         days=atoi(*(++argv));
249                         if (days == 0)
250                                 {
251                                 BIO_printf(STDout,"bad number of days\n");
252                                 goto bad;
253                                 }
254                         }
255                 else if (strcmp(*argv,"-passin") == 0)
256                         {
257                         if (--argc < 1) goto bad;
258                         passargin= *(++argv);
259                         }
260                 else if (strcmp(*argv,"-extfile") == 0)
261                         {
262                         if (--argc < 1) goto bad;
263                         extfile= *(++argv);
264                         }
265                 else if (strcmp(*argv,"-extensions") == 0)
266                         {
267                         if (--argc < 1) goto bad;
268                         extsect= *(++argv);
269                         }
270                 else if (strcmp(*argv,"-in") == 0)
271                         {
272                         if (--argc < 1) goto bad;
273                         infile= *(++argv);
274                         }
275                 else if (strcmp(*argv,"-out") == 0)
276                         {
277                         if (--argc < 1) goto bad;
278                         outfile= *(++argv);
279                         }
280                 else if (strcmp(*argv,"-signkey") == 0)
281                         {
282                         if (--argc < 1) goto bad;
283                         keyfile= *(++argv);
284                         sign_flag= ++num;
285                         need_rand = 1;
286                         }
287                 else if (strcmp(*argv,"-CA") == 0)
288                         {
289                         if (--argc < 1) goto bad;
290                         CAfile= *(++argv);
291                         CA_flag= ++num;
292                         need_rand = 1;
293                         }
294                 else if (strcmp(*argv,"-CAkey") == 0)
295                         {
296                         if (--argc < 1) goto bad;
297                         CAkeyfile= *(++argv);
298                         }
299                 else if (strcmp(*argv,"-CAserial") == 0)
300                         {
301                         if (--argc < 1) goto bad;
302                         CAserial= *(++argv);
303                         }
304                 else if (strcmp(*argv,"-addtrust") == 0)
305                         {
306                         if (--argc < 1) goto bad;
307                         if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
308                                 {
309                                 BIO_printf(bio_err,
310                                         "Invalid trust object value %s\n", *argv);
311                                 goto bad;
312                                 }
313                         if (!trust) trust = sk_ASN1_OBJECT_new_null();
314                         sk_ASN1_OBJECT_push(trust, objtmp);
315                         trustout = 1;
316                         }
317                 else if (strcmp(*argv,"-addreject") == 0)
318                         {
319                         if (--argc < 1) goto bad;
320                         if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
321                                 {
322                                 BIO_printf(bio_err,
323                                         "Invalid reject object value %s\n", *argv);
324                                 goto bad;
325                                 }
326                         if (!reject) reject = sk_ASN1_OBJECT_new_null();
327                         sk_ASN1_OBJECT_push(reject, objtmp);
328                         trustout = 1;
329                         }
330                 else if (strcmp(*argv,"-setalias") == 0)
331                         {
332                         if (--argc < 1) goto bad;
333                         alias= *(++argv);
334                         trustout = 1;
335                         }
336                 else if (strcmp(*argv,"-certopt") == 0)
337                         {
338                         if (--argc < 1) goto bad;
339                         if (!set_cert_ex(&certflag, *(++argv))) goto bad;
340                         }
341                 else if (strcmp(*argv,"-nameopt") == 0)
342                         {
343                         if (--argc < 1) goto bad;
344                         if (!set_name_ex(&nmflag, *(++argv))) goto bad;
345                         }
346                 else if (strcmp(*argv,"-setalias") == 0)
347                         {
348                         if (--argc < 1) goto bad;
349                         alias= *(++argv);
350                         trustout = 1;
351                         }
352                 else if (strcmp(*argv,"-engine") == 0)
353                         {
354                         if (--argc < 1) goto bad;
355                         engine= *(++argv);
356                         }
357                 else if (strcmp(*argv,"-C") == 0)
358                         C= ++num;
359                 else if (strcmp(*argv,"-email") == 0)
360                         email= ++num;
361                 else if (strcmp(*argv,"-serial") == 0)
362                         serial= ++num;
363                 else if (strcmp(*argv,"-modulus") == 0)
364                         modulus= ++num;
365                 else if (strcmp(*argv,"-pubkey") == 0)
366                         pubkey= ++num;
367                 else if (strcmp(*argv,"-x509toreq") == 0)
368                         x509req= ++num;
369                 else if (strcmp(*argv,"-text") == 0)
370                         text= ++num;
371                 else if (strcmp(*argv,"-hash") == 0)
372                         hash= ++num;
373                 else if (strcmp(*argv,"-subject") == 0)
374                         subject= ++num;
375                 else if (strcmp(*argv,"-issuer") == 0)
376                         issuer= ++num;
377                 else if (strcmp(*argv,"-fingerprint") == 0)
378                         fingerprint= ++num;
379                 else if (strcmp(*argv,"-dates") == 0)
380                         {
381                         startdate= ++num;
382                         enddate= ++num;
383                         }
384                 else if (strcmp(*argv,"-purpose") == 0)
385                         pprint= ++num;
386                 else if (strcmp(*argv,"-startdate") == 0)
387                         startdate= ++num;
388                 else if (strcmp(*argv,"-enddate") == 0)
389                         enddate= ++num;
390                 else if (strcmp(*argv,"-checkend") == 0)
391                         {
392                         if (--argc < 1) goto bad;
393                         checkoffset=atoi(*(++argv));
394                         checkend=1;
395                         }
396                 else if (strcmp(*argv,"-noout") == 0)
397                         noout= ++num;
398                 else if (strcmp(*argv,"-trustout") == 0)
399                         trustout= 1;
400                 else if (strcmp(*argv,"-clrtrust") == 0)
401                         clrtrust= ++num;
402                 else if (strcmp(*argv,"-clrreject") == 0)
403                         clrreject= ++num;
404                 else if (strcmp(*argv,"-alias") == 0)
405                         aliasout= ++num;
406                 else if (strcmp(*argv,"-CAcreateserial") == 0)
407                         CA_createserial= ++num;
408                 else if (strcmp(*argv,"-clrext") == 0)
409                         clrext = 1;
410 #if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
411                 else if (strcmp(*argv,"-crlext") == 0)
412                         {
413                         BIO_printf(bio_err,"use -clrext instead of -crlext\n");
414                         clrext = 1;
415                         }
416 #endif
417                 else if (strcmp(*argv,"-ocspid") == 0)
418                         ocspid= ++num;
419                 else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
420                         {
421                         /* ok */
422                         digest=md_alg;
423                         }
424                 else
425                         {
426                         BIO_printf(bio_err,"unknown option %s\n",*argv);
427                         badops=1;
428                         break;
429                         }
430                 argc--;
431                 argv++;
432                 }
433
434         if (badops)
435                 {
436 bad:
437                 for (pp=x509_usage; (*pp != NULL); pp++)
438                         BIO_printf(bio_err,"%s",*pp);
439                 goto end;
440                 }
441
442         if (engine != NULL)
443                 {
444                 if((e = ENGINE_by_id(engine)) == NULL)
445                         {
446                         BIO_printf(bio_err,"invalid engine \"%s\"\n",
447                                 engine);
448                         goto end;
449                         }
450                 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
451                         {
452                         BIO_printf(bio_err,"can't use that engine\n");
453                         goto end;
454                         }
455                 BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
456                 /* Free our "structural" reference. */
457                 ENGINE_free(e);
458                 }
459
460         if (need_rand)
461                 app_RAND_load_file(NULL, bio_err, 0);
462
463         ERR_load_crypto_strings();
464
465         if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
466                 {
467                 BIO_printf(bio_err, "Error getting password\n");
468                 goto end;
469                 }
470
471         if (!X509_STORE_set_default_paths(ctx))
472                 {
473                 ERR_print_errors(bio_err);
474                 goto end;
475                 }
476
477         if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
478                 { CAkeyfile=CAfile; }
479         else if ((CA_flag) && (CAkeyfile == NULL))
480                 {
481                 BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
482                 goto end;
483                 }
484
485         if (extfile)
486                 {
487                 long errorline;
488                 X509V3_CTX ctx2;
489                 if (!(extconf=CONF_load(NULL,extfile,&errorline)))
490                         {
491                         if (errorline <= 0)
492                                 BIO_printf(bio_err,
493                                         "error loading the config file '%s'\n",
494                                                                 extfile);
495                         else
496                                 BIO_printf(bio_err,
497                                        "error on line %ld of config file '%s'\n"
498                                                         ,errorline,extfile);
499                         goto end;
500                         }
501                 if (!extsect)
502                         {
503                         extsect = CONF_get_string(extconf, "default", "extensions");
504                         if (!extsect)
505                                 {
506                                 ERR_clear_error();
507                                 extsect = "default";
508                                 }
509                         }
510                 X509V3_set_ctx_test(&ctx2);
511                 X509V3_set_conf_lhash(&ctx2, extconf);
512                 if (!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL))
513                         {
514                         BIO_printf(bio_err,
515                                 "Error Loading extension section %s\n",
516                                                                  extsect);
517                         ERR_print_errors(bio_err);
518                         goto end;
519                         }
520                 }
521
522
523         if (reqfile)
524                 {
525                 EVP_PKEY *pkey;
526                 X509_CINF *ci;
527                 BIO *in;
528
529                 if (!sign_flag && !CA_flag)
530                         {
531                         BIO_printf(bio_err,"We need a private key to sign with\n");
532                         goto end;
533                         }
534                 in=BIO_new(BIO_s_file());
535                 if (in == NULL)
536                         {
537                         ERR_print_errors(bio_err);
538                         goto end;
539                         }
540
541                 if (infile == NULL)
542                         BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
543                 else
544                         {
545                         if (BIO_read_filename(in,infile) <= 0)
546                                 {
547                                 perror(infile);
548                                 BIO_free(in);
549                                 goto end;
550                                 }
551                         }
552                 req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
553                 BIO_free(in);
554
555                 if (req == NULL)
556                         {
557                         ERR_print_errors(bio_err);
558                         goto end;
559                         }
560
561                 if (    (req->req_info == NULL) ||
562                         (req->req_info->pubkey == NULL) ||
563                         (req->req_info->pubkey->public_key == NULL) ||
564                         (req->req_info->pubkey->public_key->data == NULL))
565                         {
566                         BIO_printf(bio_err,"The certificate request appears to corrupted\n");
567                         BIO_printf(bio_err,"It does not contain a public key\n");
568                         goto end;
569                         }
570                 if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
571                         {
572                         BIO_printf(bio_err,"error unpacking public key\n");
573                         goto end;
574                         }
575                 i=X509_REQ_verify(req,pkey);
576                 EVP_PKEY_free(pkey);
577                 if (i < 0)
578                         {
579                         BIO_printf(bio_err,"Signature verification error\n");
580                         ERR_print_errors(bio_err);
581                         goto end;
582                         }
583                 if (i == 0)
584                         {
585                         BIO_printf(bio_err,"Signature did not match the certificate request\n");
586                         goto end;
587                         }
588                 else
589                         BIO_printf(bio_err,"Signature ok\n");
590
591                 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
592
593                 if ((x=X509_new()) == NULL) goto end;
594                 ci=x->cert_info;
595
596                 if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
597                 if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
598                 if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
599
600                 X509_gmtime_adj(X509_get_notBefore(x),0);
601                 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
602
603                 pkey = X509_REQ_get_pubkey(req);
604                 X509_set_pubkey(x,pkey);
605                 EVP_PKEY_free(pkey);
606                 }
607         else
608                 x=load_cert(bio_err,infile,informat);
609
610         if (x == NULL) goto end;
611         if (CA_flag)
612                 {
613                 xca=load_cert(bio_err,CAfile,CAformat);
614                 if (xca == NULL) goto end;
615                 }
616
617         if (!noout || text)
618                 {
619                 OBJ_create("2.99999.3",
620                         "SET.ex3","SET x509v3 extension 3");
621
622                 out=BIO_new(BIO_s_file());
623                 if (out == NULL)
624                         {
625                         ERR_print_errors(bio_err);
626                         goto end;
627                         }
628                 if (outfile == NULL)
629                         {
630                         BIO_set_fp(out,stdout,BIO_NOCLOSE);
631 #ifdef VMS
632                         {
633                         BIO *tmpbio = BIO_new(BIO_f_linebuffer());
634                         out = BIO_push(tmpbio, out);
635                         }
636 #endif
637                         }
638                 else
639                         {
640                         if (BIO_write_filename(out,outfile) <= 0)
641                                 {
642                                 perror(outfile);
643                                 goto end;
644                                 }
645                         }
646                 }
647
648         if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
649
650         if (clrtrust) X509_trust_clear(x);
651         if (clrreject) X509_reject_clear(x);
652
653         if (trust)
654                 {
655                 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
656                         {
657                         objtmp = sk_ASN1_OBJECT_value(trust, i);
658                         X509_add1_trust_object(x, objtmp);
659                         }
660                 }
661
662         if (reject)
663                 {
664                 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
665                         {
666                         objtmp = sk_ASN1_OBJECT_value(reject, i);
667                         X509_add1_reject_object(x, objtmp);
668                         }
669                 }
670
671         if (num)
672                 {
673                 for (i=1; i<=num; i++)
674                         {
675                         if (issuer == i)
676                                 {
677                                 print_name(STDout, "issuer= ",
678                                         X509_get_issuer_name(x), nmflag);
679                                 }
680                         else if (subject == i) 
681                                 {
682                                 print_name(STDout, "subject= ",
683                                         X509_get_subject_name(x), nmflag);
684                                 }
685                         else if (serial == i)
686                                 {
687                                 BIO_printf(STDout,"serial=");
688                                 i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
689                                 BIO_printf(STDout,"\n");
690                                 }
691                         else if (email == i) 
692                                 {
693                                 int j;
694                                 STACK *emlst;
695                                 emlst = X509_get1_email(x);
696                                 for (j = 0; j < sk_num(emlst); j++)
697                                         BIO_printf(STDout, "%s\n", sk_value(emlst, j));
698                                 X509_email_free(emlst);
699                                 }
700                         else if (aliasout == i)
701                                 {
702                                 unsigned char *alstr;
703                                 alstr = X509_alias_get0(x, NULL);
704                                 if (alstr) BIO_printf(STDout,"%s\n", alstr);
705                                 else BIO_puts(STDout,"<No Alias>\n");
706                                 }
707                         else if (hash == i)
708                                 {
709                                 BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
710                                 }
711                         else if (pprint == i)
712                                 {
713                                 X509_PURPOSE *ptmp;
714                                 int j;
715                                 BIO_printf(STDout, "Certificate purposes:\n");
716                                 for (j = 0; j < X509_PURPOSE_get_count(); j++)
717                                         {
718                                         ptmp = X509_PURPOSE_get0(j);
719                                         purpose_print(STDout, x, ptmp);
720                                         }
721                                 }
722                         else
723                                 if (modulus == i)
724                                 {
725                                 EVP_PKEY *pkey;
726
727                                 pkey=X509_get_pubkey(x);
728                                 if (pkey == NULL)
729                                         {
730                                         BIO_printf(bio_err,"Modulus=unavailable\n");
731                                         ERR_print_errors(bio_err);
732                                         goto end;
733                                         }
734                                 BIO_printf(STDout,"Modulus=");
735 #ifndef NO_RSA
736                                 if (pkey->type == EVP_PKEY_RSA)
737                                         BN_print(STDout,pkey->pkey.rsa->n);
738                                 else
739 #endif
740 #ifndef NO_DSA
741                                 if (pkey->type == EVP_PKEY_DSA)
742                                         BN_print(STDout,pkey->pkey.dsa->pub_key);
743                                 else
744 #endif
745                                         BIO_printf(STDout,"Wrong Algorithm type");
746                                 BIO_printf(STDout,"\n");
747                                 EVP_PKEY_free(pkey);
748                                 }
749                         else
750                                 if (pubkey == i)
751                                 {
752                                 EVP_PKEY *pkey;
753
754                                 pkey=X509_get_pubkey(x);
755                                 if (pkey == NULL)
756                                         {
757                                         BIO_printf(bio_err,"Error getting public key\n");
758                                         ERR_print_errors(bio_err);
759                                         goto end;
760                                         }
761                                 PEM_write_bio_PUBKEY(STDout, pkey);
762                                 EVP_PKEY_free(pkey);
763                                 }
764                         else
765                                 if (C == i)
766                                 {
767                                 unsigned char *d;
768                                 char *m;
769                                 int y,z;
770
771                                 X509_NAME_oneline(X509_get_subject_name(x),
772                                         buf,256);
773                                 BIO_printf(STDout,"/* subject:%s */\n",buf);
774                                 m=X509_NAME_oneline(
775                                         X509_get_issuer_name(x),buf,256);
776                                 BIO_printf(STDout,"/* issuer :%s */\n",buf);
777
778                                 z=i2d_X509(x,NULL);
779                                 m=OPENSSL_malloc(z);
780
781                                 d=(unsigned char *)m;
782                                 z=i2d_X509_NAME(X509_get_subject_name(x),&d);
783                                 BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
784                                 d=(unsigned char *)m;
785                                 for (y=0; y<z; y++)
786                                         {
787                                         BIO_printf(STDout,"0x%02X,",d[y]);
788                                         if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
789                                         }
790                                 if (y%16 != 0) BIO_printf(STDout,"\n");
791                                 BIO_printf(STDout,"};\n");
792
793                                 z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
794                                 BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
795                                 d=(unsigned char *)m;
796                                 for (y=0; y<z; y++)
797                                         {
798                                         BIO_printf(STDout,"0x%02X,",d[y]);
799                                         if ((y & 0x0f) == 0x0f)
800                                                 BIO_printf(STDout,"\n");
801                                         }
802                                 if (y%16 != 0) BIO_printf(STDout,"\n");
803                                 BIO_printf(STDout,"};\n");
804
805                                 z=i2d_X509(x,&d);
806                                 BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
807                                 d=(unsigned char *)m;
808                                 for (y=0; y<z; y++)
809                                         {
810                                         BIO_printf(STDout,"0x%02X,",d[y]);
811                                         if ((y & 0x0f) == 0x0f)
812                                                 BIO_printf(STDout,"\n");
813                                         }
814                                 if (y%16 != 0) BIO_printf(STDout,"\n");
815                                 BIO_printf(STDout,"};\n");
816
817                                 OPENSSL_free(m);
818                                 }
819                         else if (text == i)
820                                 {
821                                 X509_print_ex(out,x,nmflag, certflag);
822                                 }
823                         else if (startdate == i)
824                                 {
825                                 BIO_puts(STDout,"notBefore=");
826                                 ASN1_TIME_print(STDout,X509_get_notBefore(x));
827                                 BIO_puts(STDout,"\n");
828                                 }
829                         else if (enddate == i)
830                                 {
831                                 BIO_puts(STDout,"notAfter=");
832                                 ASN1_TIME_print(STDout,X509_get_notAfter(x));
833                                 BIO_puts(STDout,"\n");
834                                 }
835                         else if (fingerprint == i)
836                                 {
837                                 int j;
838                                 unsigned int n;
839                                 unsigned char md[EVP_MAX_MD_SIZE];
840
841                                 if (!X509_digest(x,digest,md,&n))
842                                         {
843                                         BIO_printf(bio_err,"out of memory\n");
844                                         goto end;
845                                         }
846                                 BIO_printf(STDout,"%s Fingerprint=",
847                                                 OBJ_nid2sn(EVP_MD_type(digest)));
848                                 for (j=0; j<(int)n; j++)
849                                         {
850                                         BIO_printf(STDout,"%02X%c",md[j],
851                                                 (j+1 == (int)n)
852                                                 ?'\n':':');
853                                         }
854                                 }
855
856                         /* should be in the library */
857                         else if ((sign_flag == i) && (x509req == 0))
858                                 {
859                                 BIO_printf(bio_err,"Getting Private key\n");
860                                 if (Upkey == NULL)
861                                         {
862                                         Upkey=load_key(bio_err,
863                                                 keyfile,keyformat, passin, e);
864                                         if (Upkey == NULL) goto end;
865                                         }
866 #ifndef NO_DSA
867                                 if (Upkey->type == EVP_PKEY_DSA)
868                                         digest=EVP_dss1();
869 #endif
870
871                                 assert(need_rand);
872                                 if (!sign(x,Upkey,days,clrext,digest,
873                                                  extconf, extsect)) goto end;
874                                 }
875                         else if (CA_flag == i)
876                                 {
877                                 BIO_printf(bio_err,"Getting CA Private Key\n");
878                                 if (CAkeyfile != NULL)
879                                         {
880                                         CApkey=load_key(bio_err,
881                                                 CAkeyfile,CAkeyformat, passin,
882                                                 e);
883                                         if (CApkey == NULL) goto end;
884                                         }
885 #ifndef NO_DSA
886                                 if (CApkey->type == EVP_PKEY_DSA)
887                                         digest=EVP_dss1();
888 #endif
889                                 
890                                 assert(need_rand);
891                                 if (!x509_certify(ctx,CAfile,digest,x,xca,
892                                         CApkey, CAserial,CA_createserial,days, clrext,
893                                         extconf, extsect))
894                                         goto end;
895                                 }
896                         else if (x509req == i)
897                                 {
898                                 EVP_PKEY *pk;
899
900                                 BIO_printf(bio_err,"Getting request Private Key\n");
901                                 if (keyfile == NULL)
902                                         {
903                                         BIO_printf(bio_err,"no request key file specified\n");
904                                         goto end;
905                                         }
906                                 else
907                                         {
908                                         pk=load_key(bio_err,
909                                                 keyfile,FORMAT_PEM, passin, e);
910                                         if (pk == NULL) goto end;
911                                         }
912
913                                 BIO_printf(bio_err,"Generating certificate request\n");
914
915                                 if (pk->type == EVP_PKEY_DSA)
916                                         digest=EVP_dss1();
917
918                                 rq=X509_to_X509_REQ(x,pk,digest);
919                                 EVP_PKEY_free(pk);
920                                 if (rq == NULL)
921                                         {
922                                         ERR_print_errors(bio_err);
923                                         goto end;
924                                         }
925                                 if (!noout)
926                                         {
927                                         X509_REQ_print(out,rq);
928                                         PEM_write_bio_X509_REQ(out,rq);
929                                         }
930                                 noout=1;
931                                 }
932                         else if (ocspid == i)
933                                 {
934                                 X509_ocspid_print(out, x);
935                                 }
936                         }
937                 }
938
939         if (checkend)
940                 {
941                 time_t tnow=time(NULL);
942
943                 if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
944                         {
945                         BIO_printf(out,"Certificate will expire\n");
946                         ret=1;
947                         }
948                 else
949                         {
950                         BIO_printf(out,"Certificate will not expire\n");
951                         ret=0;
952                         }
953                 goto end;
954                 }
955
956         if (noout)
957                 {
958                 ret=0;
959                 goto end;
960                 }
961
962         if      (outformat == FORMAT_ASN1)
963                 i=i2d_X509_bio(out,x);
964         else if (outformat == FORMAT_PEM)
965                 {
966                 if (trustout) i=PEM_write_bio_X509_AUX(out,x);
967                 else i=PEM_write_bio_X509(out,x);
968                 }
969         else if (outformat == FORMAT_NETSCAPE)
970                 {
971                 ASN1_HEADER ah;
972                 ASN1_OCTET_STRING os;
973
974                 os.data=(unsigned char *)NETSCAPE_CERT_HDR;
975                 os.length=strlen(NETSCAPE_CERT_HDR);
976                 ah.header= &os;
977                 ah.data=(char *)x;
978                 ah.meth=X509_asn1_meth();
979
980                 /* no macro for this one yet */
981                 i=ASN1_i2d_bio(i2d_ASN1_HEADER,out,(unsigned char *)&ah);
982                 }
983         else    {
984                 BIO_printf(bio_err,"bad output format specified for outfile\n");
985                 goto end;
986                 }
987         if (!i)
988                 {
989                 BIO_printf(bio_err,"unable to write certificate\n");
990                 ERR_print_errors(bio_err);
991                 goto end;
992                 }
993         ret=0;
994 end:
995         if (need_rand)
996                 app_RAND_write_file(NULL, bio_err);
997         OBJ_cleanup();
998         CONF_free(extconf);
999         BIO_free_all(out);
1000         BIO_free_all(STDout);
1001         X509_STORE_free(ctx);
1002         X509_REQ_free(req);
1003         X509_free(x);
1004         X509_free(xca);
1005         EVP_PKEY_free(Upkey);
1006         EVP_PKEY_free(CApkey);
1007         X509_REQ_free(rq);
1008         sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
1009         sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
1010         if (passin) OPENSSL_free(passin);
1011         EXIT(ret);
1012         }
1013
1014 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
1015              X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
1016              int days, int clrext, LHASH *conf, char *section)
1017         {
1018         int ret=0;
1019         BIO *io=NULL;
1020         MS_STATIC char buf2[1024];
1021         char *buf=NULL,*p;
1022         BIGNUM *serial=NULL;
1023         ASN1_INTEGER *bs=NULL,bs2;
1024         X509_STORE_CTX xsc;
1025         EVP_PKEY *upkey;
1026
1027         upkey = X509_get_pubkey(xca);
1028         EVP_PKEY_copy_parameters(upkey,pkey);
1029         EVP_PKEY_free(upkey);
1030
1031         X509_STORE_CTX_init(&xsc,ctx,x,NULL);
1032         buf=OPENSSL_malloc(EVP_PKEY_size(pkey)*2+
1033                 ((serialfile == NULL)
1034                         ?(strlen(CAfile)+strlen(POSTFIX)+1)
1035                         :(strlen(serialfile)))+1);
1036         if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
1037         if (serialfile == NULL)
1038                 {
1039                 strcpy(buf,CAfile);
1040                 for (p=buf; *p; p++)
1041                         if (*p == '.')
1042                                 {
1043                                 *p='\0';
1044                                 break;
1045                                 }
1046                 strcat(buf,POSTFIX);
1047                 }
1048         else
1049                 strcpy(buf,serialfile);
1050         serial=BN_new();
1051         bs=ASN1_INTEGER_new();
1052         if ((serial == NULL) || (bs == NULL))
1053                 {
1054                 ERR_print_errors(bio_err);
1055                 goto end;
1056                 }
1057
1058         io=BIO_new(BIO_s_file());
1059         if (io == NULL)
1060                 {
1061                 ERR_print_errors(bio_err);
1062                 goto end;
1063                 }
1064         
1065         if (BIO_read_filename(io,buf) <= 0)
1066                 {
1067                 if (!create)
1068                         {
1069                         perror(buf);
1070                         goto end;
1071                         }
1072                 else
1073                         {
1074                         ASN1_INTEGER_set(bs,1);
1075                         BN_one(serial);
1076                         }
1077                 }
1078         else 
1079                 {
1080                 if (!a2i_ASN1_INTEGER(io,bs,buf2,1024))
1081                         {
1082                         BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
1083                         ERR_print_errors(bio_err);
1084                         goto end;
1085                         }
1086                 else
1087                         {
1088                         serial=BN_bin2bn(bs->data,bs->length,serial);
1089                         if (serial == NULL)
1090                                 {
1091                                 BIO_printf(bio_err,"error converting bin 2 bn");
1092                                 goto end;
1093                                 }
1094                         }
1095                 }
1096
1097         if (!BN_add_word(serial,1))
1098                 { BIO_printf(bio_err,"add_word failure\n"); goto end; }
1099         bs2.data=(unsigned char *)buf2;
1100         bs2.length=BN_bn2bin(serial,bs2.data);
1101
1102         if (BIO_write_filename(io,buf) <= 0)
1103                 {
1104                 BIO_printf(bio_err,"error attempting to write serial number file\n");
1105                 perror(buf);
1106                 goto end;
1107                 }
1108         i2a_ASN1_INTEGER(io,&bs2);
1109         BIO_puts(io,"\n");
1110         BIO_free(io);
1111         io=NULL;
1112         
1113         if (!X509_STORE_add_cert(ctx,x)) goto end;
1114
1115         /* NOTE: this certificate can/should be self signed, unless it was
1116          * a certificate request in which case it is not. */
1117         X509_STORE_CTX_set_cert(&xsc,x);
1118         if (!reqfile && !X509_verify_cert(&xsc))
1119                 goto end;
1120
1121         if (!X509_check_private_key(xca,pkey))
1122                 {
1123                 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
1124                 goto end;
1125                 }
1126
1127         if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
1128         if (!X509_set_serialNumber(x,bs)) goto end;
1129
1130         if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
1131                 goto end;
1132
1133         /* hardwired expired */
1134         if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
1135                 goto end;
1136
1137         if (clrext)
1138                 {
1139                 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
1140                 }
1141
1142         if (conf)
1143                 {
1144                 X509V3_CTX ctx2;
1145                 X509_set_version(x,2); /* version 3 certificate */
1146                 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
1147                 X509V3_set_conf_lhash(&ctx2, conf);
1148                 if (!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
1149                 }
1150
1151         if (!X509_sign(x,pkey,digest)) goto end;
1152         ret=1;
1153 end:
1154         X509_STORE_CTX_cleanup(&xsc);
1155         if (!ret)
1156                 ERR_print_errors(bio_err);
1157         if (buf != NULL) OPENSSL_free(buf);
1158         if (bs != NULL) ASN1_INTEGER_free(bs);
1159         if (io != NULL) BIO_free(io);
1160         if (serial != NULL) BN_free(serial);
1161         return ret;
1162         }
1163
1164 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
1165         {
1166         int err;
1167         X509 *err_cert;
1168
1169         /* it is ok to use a self signed certificate
1170          * This case will catch both the initial ok == 0 and the
1171          * final ok == 1 calls to this function */
1172         err=X509_STORE_CTX_get_error(ctx);
1173         if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
1174                 return 1;
1175
1176         /* BAD we should have gotten an error.  Normally if everything
1177          * worked X509_STORE_CTX_get_error(ctx) will still be set to
1178          * DEPTH_ZERO_SELF_.... */
1179         if (ok)
1180                 {
1181                 BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
1182                 return 0;
1183                 }
1184         else
1185                 {
1186                 err_cert=X509_STORE_CTX_get_current_cert(ctx);
1187                 print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
1188                 BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
1189                         err,X509_STORE_CTX_get_error_depth(ctx),
1190                         X509_verify_cert_error_string(err));
1191                 return 1;
1192                 }
1193         }
1194
1195 /* self sign */
1196 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 
1197                                                 LHASH *conf, char *section)
1198         {
1199
1200         EVP_PKEY *pktmp;
1201
1202         pktmp = X509_get_pubkey(x);
1203         EVP_PKEY_copy_parameters(pktmp,pkey);
1204         EVP_PKEY_save_parameters(pktmp,1);
1205         EVP_PKEY_free(pktmp);
1206
1207         if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
1208         if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
1209
1210         /* Lets just make it 12:00am GMT, Jan 1 1970 */
1211         /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
1212         /* 28 days to be certified */
1213
1214         if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
1215                 goto err;
1216
1217         if (!X509_set_pubkey(x,pkey)) goto err;
1218         if (clrext)
1219                 {
1220                 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
1221                 }
1222         if (conf)
1223                 {
1224                 X509V3_CTX ctx;
1225                 X509_set_version(x,2); /* version 3 certificate */
1226                 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
1227                 X509V3_set_conf_lhash(&ctx, conf);
1228                 if (!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
1229                 }
1230         if (!X509_sign(x,pkey,digest)) goto err;
1231         return 1;
1232 err:
1233         ERR_print_errors(bio_err);
1234         return 0;
1235         }
1236
1237 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
1238 {
1239         int id, i, idret;
1240         char *pname;
1241         id = X509_PURPOSE_get_id(pt);
1242         pname = X509_PURPOSE_get0_name(pt);
1243         for (i = 0; i < 2; i++)
1244                 {
1245                 idret = X509_check_purpose(cert, id, i);
1246                 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 
1247                 if (idret == 1) BIO_printf(bio, "Yes\n");
1248                 else if (idret == 0) BIO_printf(bio, "No\n");
1249                 else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
1250                 }
1251         return 1;
1252 }
1253
1254
1255