/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
const char *enddate,
long days, int batch, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy, int selfsign);
+ int default_op, int ext_copy, int selfsign, unsigned long dateopt);
static int certify_cert(X509 **xret, const char *infile, int certformat,
const char *passin, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
int multirdn, int email_dn, const char *startdate,
const char *enddate, long days, int batch, const char *ext_sect,
CONF *conf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy);
+ unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst,
+ X509 *x509, const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, const char *subj, unsigned long chtype,
int multirdn, int email_dn, const char *startdate,
const char *enddate, long days, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy);
+ unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+ const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
const char *subj, unsigned long chtype, int multirdn,
int email_dn, const char *startdate, const char *enddate, long days,
int batch, int verbose, X509_REQ *req, const char *ext_sect,
CONF *conf, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy, int selfsign);
+ int default_op, int ext_copy, int selfsign, unsigned long dateopt);
static int get_certificate_status(const char *ser_status, CA_DB *db);
static int do_updatedb(CA_DB *db);
static int check_time_format(const char *str);
static int msie_hack = 0;
typedef enum OPTION_choice {
- OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_COMMON,
OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
- OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
+ OPT_IN, OPT_INFORM, OPT_OUT, OPT_DATEOPT, OPT_OUTDIR, OPT_VFYOPT,
OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
{"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
{"out", OPT_OUT, '>', "Where to put the output file(s)"},
+ {"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
{"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
{"batch", OPT_BATCH, '-', "Don't ask questions"},
{"msie_hack", OPT_MSIE_HACK, '-',
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
OPT_SECTION("Signing"),
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
+ {"md", OPT_MD, 's', "Digest to use, such as sha256"},
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *vfyopts = NULL;
STACK_OF(X509) *cert_sk = NULL;
X509_CRL *crl = NULL;
- const EVP_MD *dgst = NULL;
char *configfile = default_config_file, *section = NULL;
- char *md = NULL, *policy = NULL, *keyfile = NULL;
+ char def_dgst[80] = "";
+ char *dgst = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
- int certformat = FORMAT_PEM, informat = FORMAT_PEM;
+ int certformat = FORMAT_UNDEF, informat = FORMAT_UNDEF;
+ unsigned long dateopt = ASN1_DTFLGS_RFC822;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
char *passin = NULL;
size_t outdirlen = 0;
int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
- int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
+ int keyformat = FORMAT_UNDEF, multirdn = 1, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
- int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
+ int rand_ser = 0, i, j, selfsign = 0, def_ret;
char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, certopt = 0;
case OPT_OUT:
outfile = opt_arg();
break;
+ case OPT_DATEOPT:
+ if (!set_dateopt(&dateopt, opt_arg()))
+ goto opthelp;
+ break;
case OPT_VERBOSE:
verbose = 1;
break;
days = atoi(opt_arg());
break;
case OPT_MD:
- md = opt_arg();
+ dgst = opt_arg();
break;
case OPT_POLICY:
policy = opt_arg();
goto end;
app_RAND_load_conf(conf, BASE_SECTION);
+ if (!app_RAND_load())
+ goto end;
f = NCONF_get_string(conf, section, STRING_MASK);
if (f == NULL)
goto end;
db = load_index(dbfile, &db_attr);
- if (db == NULL)
+ if (db == NULL) {
+ BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
goto end;
+ }
if (index_index(db) <= 0)
goto end;
&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;
- x509 = load_cert_pass(certfile, 1, passin, "CA certificate");
+ x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate");
if (x509 == NULL)
goto end;
goto end;
db = load_index(dbfile, &db_attr);
- if (db == NULL)
+ if (db == NULL) {
+ BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
goto end;
+ }
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
}
}
- def_ret = EVP_PKEY_get_default_digest_nid(pkey, &def_nid);
+ def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst));
/*
- * EVP_PKEY_get_default_digest_nid() returns 2 if the digest is
+ * EVP_PKEY_get_default_digest_name() returns 2 if the digest is
* mandatory for this algorithm.
*/
- if (def_ret == 2 && def_nid == NID_undef) {
+ if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
/* The signing algorithm requires there to be no digest */
- dgst = EVP_md_null();
- } else if (md == NULL
- && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
+ dgst = NULL;
+ } else if (dgst == NULL
+ && (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
goto end;
} else {
- if (strcmp(md, "default") == 0) {
+ if (strcmp(dgst, "default") == 0) {
if (def_ret <= 0) {
BIO_puts(bio_err, "no default digest\n");
goto end;
}
- md = (char *)OBJ_nid2sn(def_nid);
+ dgst = def_dgst;
}
-
- if (!opt_md(md, &dgst))
- goto end;
}
if (req) {
email_dn = 0;
}
if (verbose)
- BIO_printf(bio_err, "message digest is %s\n",
- OBJ_nid2ln(EVP_MD_type(dgst)));
+ BIO_printf(bio_err, "message digest is %s\n", dgst);
if (policy == NULL
&& (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL)
goto end;
if (extensions != NULL) {
/* Check syntax of config file section */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) {
attribs, db, serial, subj, chtype, multirdn,
email_dn, startdate, enddate, days, extensions,
conf, verbose, certopt, get_nameopt(), default_op,
- ext_copy);
+ ext_copy, dateopt);
if (j < 0)
goto end;
if (j > 0) {
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
conf, verbose, certopt, get_nameopt(), default_op,
- ext_copy);
+ ext_copy, dateopt);
if (j < 0)
goto end;
if (j > 0) {
sigopts, vfyopts, attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
- certopt, get_nameopt(), default_op, ext_copy, selfsign);
+ certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
if (j < 0)
goto end;
if (j > 0) {
attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
- certopt, get_nameopt(), default_op, ext_copy, selfsign);
+ certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
if (j < 0)
goto end;
if (j > 0) {
if (crl_ext != NULL) {
/* Check syntax of file */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
if (verbose)
BIO_printf(bio_err, "making CRL\n");
- if ((crl = X509_CRL_new()) == NULL)
+ if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
goto end;
if (crl_ext != NULL || crlnumberfile != NULL) {
X509V3_CTX crlctx;
+
X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
X509V3_set_nconf(&crlctx, conf);
}
}
if (crl_ext != NULL || crl_v2) {
- if (!X509_CRL_set_version(crl, 1))
- goto end; /* version 2 CRL */
+ if (!X509_CRL_set_version(crl, X509_CRL_VERSION_2))
+ goto end;
}
/* we have a CRL number that need updating */
} else {
X509 *revcert;
- revcert = load_cert_pass(infile, 1, passin,
+ revcert = load_cert_pass(infile, informat, 1, passin,
"certificate to be revoked");
if (revcert == NULL)
goto end;
BIO_free_all(Sout);
BIO_free_all(out);
BIO_free_all(in);
- sk_X509_pop_free(cert_sk, X509_free);
+ OSSL_STACK_OF_X509_free(cert_sk);
cleanse(passin);
if (free_passin)
static int certify(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
const char *enddate,
long days, int batch, const char *ext_sect, CONF *lconf,
int verbose, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy, int selfsign)
+ int default_op, int ext_copy, int selfsign, unsigned long dateopt)
{
X509_REQ *req = NULL;
EVP_PKEY *pktmp = NULL;
ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
chtype, multirdn, email_dn, startdate, enddate, days, batch,
verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
- ext_copy, selfsign);
+ ext_copy, selfsign, dateopt);
end:
ERR_print_errors(bio_err);
static int certify_cert(X509 **xret, const char *infile, int certformat,
const char *passin, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst,
+ const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
int multirdn, int email_dn, const char *startdate,
const char *enddate, long days, int batch, const char *ext_sect,
CONF *lconf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy)
+ unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
{
X509 *template_cert = NULL;
X509_REQ *rreq = NULL;
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- if ((template_cert = load_cert_pass(infile, 1, passin,
+ if ((template_cert = load_cert_pass(infile, certformat, 1, passin,
"template certificate")) == NULL)
goto end;
if (verbose)
ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
chtype, multirdn, email_dn, startdate, enddate, days, batch,
verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
- ext_copy, 0);
+ ext_copy, 0, dateopt);
end:
X509_REQ_free(rreq);
}
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
+ const char *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
const char *subj, unsigned long chtype, int multirdn,
int email_dn, const char *startdate, const char *enddate, long days,
int batch, int verbose, X509_REQ *req, const char *ext_sect,
CONF *lconf, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy, int selfsign)
+ int default_op, int ext_copy, int selfsign, unsigned long dateopt)
{
const X509_NAME *name = NULL;
X509_NAME *CAname = NULL, *subject = NULL;
if (!i)
goto end;
+ /* Initialize the context structure */
+ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
+ ret, NULL /* no need to give req, needed info is in ret */,
+ NULL, X509V3_CTX_REPLACE);
+ /* prepare fallback for AKID, but only if issuer cert equals subject cert */
+ if (selfsign) {
+ if (!X509V3_set_issuer_pkey(&ext_ctx, pkey))
+ goto end;
+ if (!cert_matches_key(ret, pkey))
+ BIO_printf(bio_err,
+ "Warning: Signature key and public key of cert do not match\n");
+ }
+
/* Lets add the extensions, if there are any */
if (ext_sect) {
- /* Initialize the context structure */
- X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
- ret, req, NULL, X509V3_CTX_REPLACE);
-
if (extfile_conf != NULL) {
if (verbose)
BIO_printf(bio_err, "Extra configuration file found\n");
p = "Valid";
else
p = "\ninvalid type, Data base error\n";
- BIO_printf(bio_err, "Type :%s\n", p);;
+ BIO_printf(bio_err, "Type :%s\n", p);
if (rrow[DB_type][0] == DB_TYPE_REV) {
p = rrow[DB_exp_date];
if (p == NULL)
}
BIO_printf(bio_err, "Certificate is to be certified until ");
- ASN1_TIME_print(bio_err, X509_get0_notAfter(ret));
+ ASN1_TIME_print_ex(bio_err, X509_get0_notAfter(ret), dateopt);
if (days)
BIO_printf(bio_err, " (%ld days)", days);
BIO_printf(bio_err, "\n");
}
static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
- X509 *x509, const EVP_MD *dgst,
+ X509 *x509, const char *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
BIGNUM *serial, const char *subj, unsigned long chtype,
int multirdn, int email_dn, const char *startdate,
const char *enddate, long days, const char *ext_sect,
CONF *lconf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy)
+ unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
{
STACK_OF(CONF_VALUE) *sk = NULL;
LHASH_OF(CONF_VALUE) *parms = NULL;
ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
chtype, multirdn, email_dn, startdate, enddate, days, 1,
verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
- ext_copy, 0);
+ ext_copy, 0, dateopt);
end:
X509_REQ_free(req);
CONF_free(parms);
static int do_updatedb(CA_DB *db)
{
- ASN1_UTCTIME *a_tm = NULL;
+ ASN1_TIME *a_tm = NULL;
int i, cnt = 0;
- int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
- char **rrow, *a_tm_s;
+ char **rrow;
- a_tm = ASN1_UTCTIME_new();
+ a_tm = ASN1_TIME_new();
if (a_tm == NULL)
return -1;
- /* get actual time and make a string */
+ /* get actual time */
if (X509_gmtime_adj(a_tm, 0) == NULL) {
- ASN1_UTCTIME_free(a_tm);
+ ASN1_TIME_free(a_tm);
return -1;
}
- a_tm_s = app_malloc(a_tm->length + 1, "time string");
-
- memcpy(a_tm_s, a_tm->data, a_tm->length);
- a_tm_s[a_tm->length] = '\0';
-
- if (strncmp(a_tm_s, "49", 2) <= 0)
- a_y2k = 1;
- else
- a_y2k = 0;
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
if (rrow[DB_type][0] == DB_TYPE_VAL) {
/* ignore entries that are not valid */
- if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
- db_y2k = 1;
- else
- db_y2k = 0;
+ ASN1_TIME *exp_date = NULL;
- if (db_y2k == a_y2k) {
- /* all on the same y2k side */
- if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
- rrow[DB_type][0] = DB_TYPE_EXP;
- rrow[DB_type][1] = '\0';
- cnt++;
+ exp_date = ASN1_TIME_new();
+ if (exp_date == NULL) {
+ ASN1_TIME_free(a_tm);
+ return -1;
+ }
- BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
- }
- } else if (db_y2k < a_y2k) {
+ if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) {
+ ASN1_TIME_free(a_tm);
+ ASN1_TIME_free(exp_date);
+ return -1;
+ }
+
+ if (ASN1_TIME_compare(exp_date, a_tm) <= 0) {
rrow[DB_type][0] = DB_TYPE_EXP;
rrow[DB_type][1] = '\0';
cnt++;
BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
}
-
+ ASN1_TIME_free(exp_date);
}
}
- ASN1_UTCTIME_free(a_tm);
- OPENSSL_free(a_tm_s);
+ ASN1_TIME_free(a_tm);
return cnt;
}
projects / openssl.git / blobdiff