#include <openssl/objects.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
-#include <openssl/engine.h>
#ifdef OPENSSL_SYS_WINDOWS
#define strcasecmp _stricmp
#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
#define ENV_DEFAULT_MD "default_md"
+#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
#define ENV_PRESERVE "preserve"
#define ENV_POLICY "policy"
#define ENV_EXTENSIONS "x509_extensions"
" -spkac file - File contains DN and signed public key and challenge\n",
" -ss_cert file - File contains a self signed cert to sign\n",
" -preserveDN - Don't re-order the DN\n",
+" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
" -batch - Don't ask questions\n",
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
static int save_serial(char *serialfile, BIGNUM *serial);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate,char *enddate,
- long days, int batch, char *ext_sect, CONF *conf,int verbose,
- unsigned long certopt, unsigned long nameopt, int default_op,
- int ext_copy);
+ BIGNUM *serial, char *subj, int email_dn, char *startdate,
+ char *enddate, long days, int batch, char *ext_sect, CONF *conf,
+ int verbose, unsigned long certopt, unsigned long nameopt,
+ int default_op, int ext_copy);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
- char *enddate, long days, int batch, char *ext_sect,
- CONF *conf,int verbose, unsigned long certopt,
+ TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+ char *startdate, char *enddate, long days, int batch,
+ char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial,char *subj, char *startdate,
- char *enddate, long days, char *ext_sect,CONF *conf,
- int verbose, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy);
+ TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+ char *startdate, char *enddate, long days, char *ext_sect,
+ CONF *conf, int verbose, unsigned long certopt,
+ unsigned long nameopt, int default_op, int ext_copy);
static int fix_data(int nid, int *type);
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
- char *startdate, char *enddate, long days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, CONF *conf,
+ int email_dn, char *startdate, char *enddate, long days, int batch,
+ int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy);
static X509_NAME *do_subject(char *subject);
{
ENGINE *e = NULL;
char *key=NULL,*passargin=NULL;
+ int free_key = 0;
int total=0;
int total_done=0;
int badops=0;
int ret=1;
+ int email_dn=1;
int req=0;
int verbose=0;
int gencrl=0;
char *extensions=NULL;
char *extfile=NULL;
char *subj=NULL;
+ char *tmp_email_dn=NULL;
char *crl_ext=NULL;
int rev_type = REV_NONE;
char *rev_arg = NULL;
char *dbfile=NULL;
TXT_DB *db=NULL;
X509_CRL *crl=NULL;
- X509_CRL_INFO *ci=NULL;
X509_REVOKED *r=NULL;
+ ASN1_TIME *tmptm;
+ ASN1_INTEGER *tmpser;
char **pp,*p,*f;
int i,j;
long l;
batch=1;
else if (strcmp(*argv,"-preserveDN") == 0)
preserve=1;
+ else if (strcmp(*argv,"-noemailDN") == 0)
+ email_dn=0;
else if (strcmp(*argv,"-gencrl") == 0)
gencrl=1;
else if (strcmp(*argv,"-msie_hack") == 0)
db=TXT_DB_read(in,DB_NUMBER);
if (db == NULL) goto err;
- if (!TXT_DB_create_index(db, DB_serial, NULL,
- LHASH_HASH_FN(index_serial_hash),
- LHASH_COMP_FN(index_serial_cmp)))
- {
- BIO_printf(bio_err,
- "error creating serial number index:(%ld,%ld,%ld)\n",
- db->error,db->arg1,db->arg2);
+ if (!make_serial_index(db))
goto err;
- }
if (get_certificate_status(ser_status,db) != 1)
BIO_printf(bio_err,"Error verifying serial %s!\n",
lookup_fail(section,ENV_PRIVATE_KEY);
goto err;
}
- if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
+ if (!key)
{
- BIO_printf(bio_err,"Error getting password\n");
- goto err;
+ free_key = 1;
+ if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
+ {
+ BIO_printf(bio_err,"Error getting password\n");
+ goto err;
+ }
}
pkey = load_key(bio_err, keyfile, keyform, key, e,
"CA private key");
BIO_printf(bio_err,"generating index\n");
}
- if (!TXT_DB_create_index(db, DB_serial, NULL,
- LHASH_HASH_FN(index_serial_hash),
- LHASH_COMP_FN(index_serial_cmp)))
- {
- BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
+ if (!make_serial_index(db))
goto err;
- }
if (!TXT_DB_create_index(db, DB_name, index_name_qual,
LHASH_HASH_FN(index_name_hash),
lookup_fail(section,ENV_DEFAULT_MD);
goto err;
}
+ if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
+ section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
+ {
+ if(strcmp(tmp_email_dn,"no") == 0)
+ email_dn=0;
+ }
if ((dgst=EVP_get_digestbyname(md)) == NULL)
{
BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
{
total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate, days,extensions,conf,
- verbose, certopt, nameopt, default_op, ext_copy);
+ serial,subj,email_dn,startdate,enddate,days,extensions,
+ conf,verbose,certopt,nameopt,default_op,ext_copy);
if (j < 0) goto err;
if (j > 0)
{
{
total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
- db,serial,subj,startdate,enddate,days,batch,
+ db,serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, e);
if (j < 0) goto err;
{
total++;
j=certify(&x,infile,pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate,days,batch,
+ serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
{
total++;
j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate,days,batch,
+ serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
if (verbose) BIO_printf(bio_err,"making CRL\n");
if ((crl=X509_CRL_new()) == NULL) goto err;
- ci=crl->crl;
- X509_NAME_free(ci->issuer);
- ci->issuer=X509_NAME_dup(x509->cert_info->subject);
- if (ci->issuer == NULL) goto err;
+ if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+
+ tmptm = ASN1_TIME_new();
+ if (!tmptm) goto err;
+ X509_gmtime_adj(tmptm,0);
+ X509_CRL_set_lastUpdate(crl, tmptm);
+ X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+ X509_CRL_set_nextUpdate(crl, tmptm);
- X509_gmtime_adj(ci->lastUpdate,0);
- if (ci->nextUpdate == NULL)
- ci->nextUpdate=ASN1_UTCTIME_new();
- X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
+ ASN1_TIME_free(tmptm);
for (i=0; i<sk_num(db->data); i++)
{
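Review bot: `X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))` on the new side replaces the old `X509_NAME_dup(x509->cert_info->subject)`, so the CRL issuer silently changes from the CA certificate's subject to the CA certificate's issuer. For a self-signed root the two coincide, but for an intermediate CA the CRL would carry the parent CA's name, and relying parties match a CRL to a certificate by issuer name, so such a CRL would not be accepted for the certificates it lists. It should read `if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;`. In the same hunk the return values of X509_gmtime_adj, X509_CRL_set_lastUpdate and X509_CRL_set_nextUpdate are ignored; a failure there leaves the CRL without valid update times and should also `goto err` (tmptm is freed on that path only if the free is moved into the error cleanup or done before the jump).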
if (j == 2) crl_v2 = 1;
if (!BN_hex2bn(&serial, pp[DB_serial]))
goto err;
- r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber);
+ tmpser = BN_to_ASN1_INTEGER(serial, NULL);
BN_free(serial);
serial = NULL;
- if (!r->serialNumber)
+ if (!tmpser)
goto err;
+ X509_REVOKED_set_serialNumber(r, tmpser);
+ ASN1_INTEGER_free(tmpser);
X509_CRL_add0_revoked(crl,r);
}
}
+
/* sort the data so it will be written in serial
* number order */
- sk_X509_REVOKED_sort(ci->revoked);
- for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
- {
- r=sk_X509_REVOKED_value(ci->revoked,i);
- r->sequence=i;
- }
+ X509_CRL_sort(crl);
/* we now have a CRL */
if (verbose) BIO_printf(bio_err,"signing CRL\n");
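Review bot: `X509_REVOKED_set_serialNumber(r, tmpser)` is called without checking its result, so if the internal copy fails the entry is still appended by X509_CRL_add0_revoked with no serial number, which is the one field a relying party matches a revoked entry on. Write `if (!X509_REVOKED_set_serialNumber(r, tmpser)) { ASN1_INTEGER_free(tmpser); goto err; }` before the unconditional free. The enclosing loop over db->data starts outside this hunk.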
if (crl_ext)
{
X509V3_CTX crlctx;
- if (ci->version == NULL)
- if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
X509V3_set_nconf(&crlctx, conf);
}
if (crl_ext || crl_v2)
{
- if (ci->version == NULL)
- if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
- ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+ if (!X509_CRL_set_version(crl, 1))
+ goto err; /* version 2 CRL */
}
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
if (ret) ERR_print_errors(bio_err);
app_RAND_write_file(randfile, bio_err);
+ if (free_key)
+ OPENSSL_free(key);
BN_free(serial);
TXT_DB_free(db);
EVP_PKEY_free(pkey);
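Review bot: The passphrase buffer released with `OPENSSL_free(key)` is freed without being wiped, so the CA key password returned by app_passwd stays readable in freed heap memory until that memory happens to be reused. Use `if (free_key && key) { OPENSSL_cleanse(key, strlen(key)); OPENSSL_free(key); }` — OPENSSL_cleanse is not elided the way a plain memset before free can be, and the `key` check covers the path where app_passwd failed and key is still NULL. The surrounding cleanup code of main continues outside the hunk.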
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- int batch, char *ext_sect, CONF *lconf, int verbose,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
{
else
BIO_printf(bio_err,"Signature ok\n");
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate,
- days,batch,verbose,req,ext_sect,lconf,
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn,
+ startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
certopt, nameopt, default_op, ext_copy);
err:
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- int batch, char *ext_sect, CONF *lconf, int verbose,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy, ENGINE *e)
{
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err;
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days,
- batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
- ext_copy);
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+ days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
+ ext_copy);
err:
if (rreq != NULL) X509_REQ_free(rreq);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
- char *startdate, char *enddate, long days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, CONF *lconf,
+ int email_dn, char *startdate, char *enddate, long days, int batch,
+ int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
{
- X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
+ X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
ASN1_UTCTIME *tm,*tmptm;
ASN1_STRING *str,*str2;
ASN1_OBJECT *obj;
if (default_op)
BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
+
name=X509_REQ_get_subject_name(req);
for (i=0; i<X509_NAME_entry_count(name); i++)
{
str->type=V_ASN1_IA5STRING;
}
+ /* If no EMAIL is wanted in the subject */
+ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
+ continue;
+
/* check some things */
if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
(str->type != V_ASN1_IA5STRING))
BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
goto err;
}
- j=ASN1_PRINTABLE_type(str->data,str->length);
- if ( ((j == V_ASN1_T61STRING) &&
- (str->type != V_ASN1_T61STRING)) ||
- ((j == V_ASN1_IA5STRING) &&
- (str->type == V_ASN1_PRINTABLESTRING)))
+ if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING))
{
- BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
- goto err;
+ j=ASN1_PRINTABLE_type(str->data,str->length);
+ if ( ((j == V_ASN1_T61STRING) &&
+ (str->type != V_ASN1_T61STRING)) ||
+ ((j == V_ASN1_IA5STRING) &&
+ (str->type == V_ASN1_PRINTABLESTRING)))
+ {
+ BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
+ goto err;
+ }
}
if (default_op)
if (preserve)
{
X509_NAME_free(subject);
- subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
+ /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
+ subject=X509_NAME_dup(name);
if (subject == NULL) goto err;
}
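Review bot: The replaced line survives as the comment `/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */`; delete it rather than leaving dead code, since `name` was assigned from X509_REQ_get_subject_name(req) earlier in do_body and the two expressions look equivalent (name is not reassigned in the lines visible here, but do_body is larger than the hunk). The same applies to the commented-out `if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) continue;` block added in certify_spkac; if email_dn is intentionally not applied there, a one-line comment such as `/* email_dn is applied when do_body builds the subject */` says more than disabled code.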
if (verbose)
BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
- row[DB_name]=X509_NAME_oneline(subject,NULL,0);
+ /* Build the correct Subject if no e-mail is wanted in the subject */
+ /* and add it later on because of the method extensions are added (altName) */
+
+ if (email_dn)
+ dn_subject = subject;
+ else
+ {
+ X509_NAME_ENTRY *tmpne;
+ /* Its best to dup the subject DN and then delete any email
+ * addresses because this retains its structure.
+ */
+ if (!(dn_subject = X509_NAME_dup(subject)))
+ {
+ BIO_printf(bio_err,"Memory allocation failure\n");
+ goto err;
+ }
+ while((i = X509_NAME_get_index_by_NID(dn_subject,
+ NID_pkcs9_emailAddress, -1) >= 0))
+ {
+ tmpne = X509_NAME_get_entry(dn_subject, i);
+ X509_NAME_delete_entry(dn_subject, i);
+ X509_NAME_ENTRY_free(tmpne);
+ }
+ }
+
+ row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);
row[DB_serial]=BN_bn2hex(serial);
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
{
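Review bot: The loop condition `while((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, -1) >= 0))` assigns the result of the comparison to i, not the index, so i is 1 for as long as an emailAddress entry exists. The body then deletes whatever entry sits at index 1 of the duplicated subject instead of the email entry, and if the only email entry is at index 0 with no entry at index 1 the loop never terminates. Move the closing parenthesis: `while ((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, -1)) >= 0)`. Because dn_subject is what goes into row[DB_name] and, when email_dn is 0, into X509_set_subject_name a few lines later, a certificate issued with -noemailDN would lose an arbitrary RDN while keeping the email. do_body begins and ends outside this hunk.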
goto err;
}
+ /* Set the right value for the noemailDN option */
+ if( email_dn == 0 )
+ {
+ if (!X509_set_subject_name(ret,dn_subject)) goto err;
+ }
if (!default_op)
{
X509_NAME_free(CAname);
if (subject != NULL)
X509_NAME_free(subject);
+ if ((dn_subject != NULL) && !email_dn)
+ X509_NAME_free(dn_subject);
if (tmptm != NULL)
ASN1_UTCTIME_free(tmptm);
if (ok <= 0)
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy)
{
STACK_OF(CONF_VALUE) *sk=NULL;
continue;
}
+ /*
+ if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
+ continue;
+ */
+
j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
if (fix_data(nid, &j) == 0)
{
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy);
err:
* 2 OK and some extensions added (i.e. V2 CRL)
*/
+
int make_revoked(X509_REVOKED *rev, char *str)
{
char *tmp = NULL;
- char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
int reason_code = -1;
int i, ret = 0;
ASN1_OBJECT *hold = NULL;
ASN1_GENERALIZEDTIME *comp_time = NULL;
ASN1_ENUMERATED *rtmp = NULL;
- tmp = BUF_strdup(str);
-
- p = strchr(tmp, ',');
- rtime_str = tmp;
+ ASN1_TIME *revDate = NULL;
- if (p)
- {
- *p = '\0';
- p++;
- reason_str = p;
- p = strchr(p, ',');
- if (p)
- {
- *p = '\0';
- arg_str = p + 1;
- }
- }
+ i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
- if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str))
- {
- BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+ if (i == 0)
goto err;
- }
- if (reason_str)
- {
- for (i = 0; i < NUM_REASONS; i++)
- {
- if(!strcasecmp(reason_str, crl_reasons[i]))
- {
- reason_code = i;
- break;
- }
- }
- if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
- {
- BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
- goto err;
- }
-
- if (reason_code == 7)
- reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
- else if (reason_code == 8) /* Hold instruction */
- {
- if (!arg_str)
- {
- BIO_printf(bio_err, "missing hold instruction\n");
- goto err;
- }
- reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
- hold = OBJ_txt2obj(arg_str, 0);
- if (!hold)
- {
- BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
- goto err;
- }
- }
- else if ((reason_code == 9) || (reason_code == 10))
- {
- if (!arg_str)
- {
- BIO_printf(bio_err, "missing compromised time\n");
- goto err;
- }
- comp_time = ASN1_GENERALIZEDTIME_new();
- if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
- {
- BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
- goto err;
- }
- if (reason_code == 9)
- reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
- else
- reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
- }
- }
+ if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
+ goto err;
if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
{
ASN1_OBJECT_free(hold);
ASN1_GENERALIZEDTIME_free(comp_time);
ASN1_ENUMERATED_free(rtmp);
+ ASN1_TIME_free(revDate);
return ret;
}
BIO_printf(bp,"'\n");
return 1;
}
+
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
+ {
+ char *tmp = NULL;
+ char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
+ int reason_code = -1;
+ int i, ret = 0;
+ ASN1_OBJECT *hold = NULL;
+ ASN1_GENERALIZEDTIME *comp_time = NULL;
+ tmp = BUF_strdup(str);
+
+ p = strchr(tmp, ',');
+
+ rtime_str = tmp;
+
+ if (p)
+ {
+ *p = '\0';
+ p++;
+ reason_str = p;
+ p = strchr(p, ',');
+ if (p)
+ {
+ *p = '\0';
+ arg_str = p + 1;
+ }
+ }
+
+ if (prevtm)
+ {
+ *prevtm = ASN1_UTCTIME_new();
+ if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
+ {
+ BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+ goto err;
+ }
+ }
+ if (reason_str)
+ {
+ for (i = 0; i < NUM_REASONS; i++)
+ {
+ if(!strcasecmp(reason_str, crl_reasons[i]))
+ {
+ reason_code = i;
+ break;
+ }
+ }
+ if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
+ {
+ BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
+ goto err;
+ }
+
+ if (reason_code == 7)
+ reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
+ else if (reason_code == 8) /* Hold instruction */
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing hold instruction\n");
+ goto err;
+ }
+ reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
+ hold = OBJ_txt2obj(arg_str, 0);
+
+ if (!hold)
+ {
+ BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
+ goto err;
+ }
+ if (phold) *phold = hold;
+ }
+ else if ((reason_code == 9) || (reason_code == 10))
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing compromised time\n");
+ goto err;
+ }
+ comp_time = ASN1_GENERALIZEDTIME_new();
+ if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
+ {
+ BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
+ goto err;
+ }
+ if (reason_code == 9)
+ reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
+ else
+ reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
+ }
+ }
+
+ if (preason) *preason = reason_code;
+ if (pinvtm) *pinvtm = comp_time;
+ else ASN1_GENERALIZEDTIME_free(comp_time);
+
+ ret = 1;
+
+ err:
+
+ if (tmp) OPENSSL_free(tmp);
+ if (!phold) ASN1_OBJECT_free(hold);
+ if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
+
+ return ret;
+ }
+
+int make_serial_index(TXT_DB *db)
+ {
+ if (!TXT_DB_create_index(db, DB_serial, NULL,
+ LHASH_HASH_FN(index_serial_hash),
+ LHASH_COMP_FN(index_serial_cmp)))
+ {
+ BIO_printf(bio_err,
+ "error creating serial number index:(%ld,%ld,%ld)\n",
+ db->error,db->arg1,db->arg2);
+ return 0;
+ }
+ return 1;
+ }
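Review bot: `tmp = BUF_strdup(str)` at the top of unpack_revinfo is passed to strchr without a NULL check, and `*prevtm = ASN1_UTCTIME_new()` and `comp_time = ASN1_GENERALIZEDTIME_new()` are likewise handed straight to the set_string calls, so an allocation failure becomes a NULL dereference instead of an error return. Add `if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; }` after the strdup and the same guard after each of the two ASN1 allocations. The function also has no header comment; one stating ownership — on success the caller owns `*prevtm`, `*phold` and `*pinvtm`, and on failure `*prevtm` may already have been allocated and must still be freed, as make_revoked does through revDate — would keep the next caller from leaking or double-freeing. Both unpack_revinfo and make_serial_index are defined non-static with no prototype visible here; unless they are declared in a shared header, make them static.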