/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#endif
#include "apps.h"
+#include "progs.h"
#ifndef W_OK
# define F_OK 0
#ifndef PATH_MAX
# define PATH_MAX 4096
#endif
-#ifndef NAME_MAX
-# define NAME_MAX 255
-#endif
-
-#define CERT_MAX (PATH_MAX + NAME_MAX)
#define BASE_SECTION "ca"
const char *serialfile = NULL, *subj = NULL;
char *prog, *startdate = NULL, *enddate = NULL;
char *dbfile = NULL, *f;
- char new_cert[CERT_MAX + 1];
+ char new_cert[PATH_MAX];
char tmp[10 + 1] = "\0";
char *const *pp;
const char *p;
+ size_t outdirlen = 0;
int create_ser = 0, free_key = 0, total = 0, total_done = 0;
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
X509_REVOKED *r = NULL;
OPTION_CHOICE o;
- new_cert[CERT_MAX] = '\0';
-
prog = opt_init(argc, argv, ca_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_SIGOPT:
if (sigopts == NULL)
sigopts = sk_OPENSSL_STRING_new_null();
- if (sigopts == NULL
- || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
+ if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
goto end;
break;
case OPT_NOTEXT:
case OPT_CRLEXTS:
crl_ext = opt_arg();
break;
- case OPT_CRL_REASON: /* := REV_CRL_REASON */
+ case OPT_CRL_REASON: /* := REV_CRL_REASON */
case OPT_CRL_HOLD:
case OPT_CRL_COMPROMISE:
case OPT_CRL_CA_COMPROMISE:
&& (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL)
goto end;
- if (conf != NULL) {
- p = NCONF_get_string(conf, NULL, "oid_file");
- if (p == NULL)
- ERR_clear_error();
- if (p != NULL) {
- BIO *oid_bio;
+ p = NCONF_get_string(conf, NULL, "oid_file");
+ if (p == NULL)
+ ERR_clear_error();
+ if (p != NULL) {
+ BIO *oid_bio = BIO_new_file(p, "r");
- oid_bio = BIO_new_file(p, "r");
- if (oid_bio == NULL) {
- /*-
- BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
- ERR_print_errors(bio_err);
- */
- ERR_clear_error();
- } else {
- OBJ_create_objects(oid_bio);
- BIO_free(oid_bio);
- }
- }
- if (!add_oid_section(conf)) {
- ERR_print_errors(bio_err);
- goto end;
+ if (oid_bio == NULL) {
+ ERR_clear_error();
+ } else {
+ OBJ_create_objects(oid_bio);
+ BIO_free(oid_bio);
}
}
+ if (!add_oid_section(conf)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
app_RAND_load_conf(conf, BASE_SECTION);
goto end;
}
}
+ if (pp[DB_name][0] == '\0') {
+ BIO_printf(bio_err, "entry %d: bad Subject\n", i + 1);
+ goto end;
+ }
}
if (verbose) {
TXT_DB_write(bio_out, db->db);
goto end;
if (verbose)
- BIO_printf(bio_err,
- "Done. %d entries marked as expired\n", i);
+ BIO_printf(bio_err, "Done. %d entries marked as expired\n", i);
}
}
goto end;
}
- if (md == NULL
- && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
+ if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
goto end;
if (strcmp(md, "default") == 0) {
}
if (startdate == NULL) {
- startdate = NCONF_get_string(conf, section,
- ENV_DEFAULT_STARTDATE);
+ startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE);
if (startdate == NULL)
ERR_clear_error();
}
if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days))
days = 0;
}
- if (enddate == NULL && (days == 0)) {
- BIO_printf(bio_err,
- "cannot lookup how many days to certify for\n");
+ if (enddate == NULL && days == 0) {
+ BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
goto end;
}
(void)BIO_flush(bio_err);
tmp[0] = '\0';
if (fgets(tmp, sizeof(tmp), stdin) == NULL) {
- BIO_printf(bio_err,
- "CERTIFICATION CANCELED: I/O error\n");
+ BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
ret = 0;
goto end;
}
goto end;
}
+ outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert));
+#ifndef OPENSSL_SYS_VMS
+ outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert));
+#endif
+
if (verbose)
BIO_printf(bio_err, "writing new certificates\n");
+
for (i = 0; i < sk_X509_num(cert_sk); i++) {
BIO *Cout = NULL;
X509 *xi = sk_X509_value(cert_sk, i);
ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi);
- int k;
- char *n;
-
- j = ASN1_STRING_length(serialNumber);
- p = (const char *)ASN1_STRING_get0_data(serialNumber);
+ const unsigned char *psn = ASN1_STRING_get0_data(serialNumber);
+ const int snl = ASN1_STRING_length(serialNumber);
+ const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem");
+ char *n = new_cert + outdirlen;
- if (strlen(outdir) >= (size_t)(j ? CERT_MAX - j * 2 - 6 : CERT_MAX - 8)) {
+ if (outdirlen + filen_len > PATH_MAX) {
BIO_printf(bio_err, "certificate file name too long\n");
goto end;
}
- strcpy(new_cert, outdir);
-#ifndef OPENSSL_SYS_VMS
- OPENSSL_strlcat(new_cert, "/", sizeof(new_cert));
-#endif
+ if (snl > 0) {
+ static const char HEX_DIGITS[] = "0123456789ABCDEF";
- n = (char *)&(new_cert[strlen(new_cert)]);
- if (j > 0) {
- for (k = 0; k < j; k++) {
- if (n >= &(new_cert[sizeof(new_cert)]))
- break;
- BIO_snprintf(n,
- &new_cert[0] + sizeof(new_cert) - n,
- "%02X", (unsigned char)*(p++));
- n += 2;
+ for (j = 0; j < snl; j++, psn++) {
+ *n++ = HEX_DIGITS[*psn >> 4];
+ *n++ = HEX_DIGITS[*psn & 0x0F];
}
} else {
*(n++) = '0';
*(n++) = 'p';
*(n++) = 'e';
*(n++) = 'm';
- *n = '\0';
+ *n = '\0'; /* closing new_cert */
if (verbose)
BIO_printf(bio_err, "writing %s\n", new_cert);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
BIO_printf(bio_err,
- "Error Loading CRL extension section %s\n",
- crl_ext);
+ "Error Loading CRL extension section %s\n", crl_ext);
ret = 1;
goto end;
}
goto end;
tmptm = ASN1_TIME_new();
- if (tmptm == NULL)
- goto end;
- X509_gmtime_adj(tmptm, 0);
- X509_CRL_set1_lastUpdate(crl, tmptm);
- if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
- NULL)) {
+ if (tmptm == NULL
+ || X509_gmtime_adj(tmptm, 0) == NULL
+ || !X509_CRL_set1_lastUpdate(crl, tmptm)
+ || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
+ NULL) == NULL) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
+ ASN1_TIME_free(tmptm);
goto end;
}
X509_CRL_set1_nextUpdate(crl, tmptm);
NCONF_free(conf);
NCONF_free(extconf);
release_engine(e);
- return (ret);
+ return ret;
}
static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
end:
X509_REQ_free(req);
BIO_free(in);
- return (ok);
+ return ok;
}
static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
end:
X509_REQ_free(rreq);
X509_free(req);
- return (ok);
+ return ok;
}
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
CONF *lconf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign)
{
- X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
- NULL;
+ X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
}
if (default_op)
- BIO_printf(bio_err,
- "The Subject's Distinguished Name is as follows\n");
+ BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n");
name = X509_REQ_get_subject_name(req);
+ if (X509_NAME_entry_count(name) == 0) {
+ BIO_printf(bio_err, "Error: The supplied Subject is empty\n");
+ goto end;
+ }
for (i = 0; i < X509_NAME_entry_count(name); i++) {
ne = X509_NAME_get_entry(name, i);
str = X509_NAME_ENTRY_get_data(ne);
if ((j < 0) && (last2 == -1)) {
BIO_printf(bio_err,
"The %s field does not exist in the CA certificate,\n"
- "the 'policy' is misconfigured\n",
- cv->name);
+ "the 'policy' is misconfigured\n", cv->name);
goto end;
}
if (j >= 0) {
goto end;
}
+ if (X509_NAME_entry_count(subject) == 0) {
+ BIO_printf(bio_err,
+ "Error: After applying policy the Subject is empty\n");
+ goto end;
+ }
+
if (verbose)
BIO_printf(bio_err,
"The subject name appears to be ok, checking data base for clashes\n");
X509_free(ret);
else
*xret = ret;
- return (ok);
+ return ok;
}
-static void write_new_certificate(BIO *bp, X509 *x, int output_der,
- int notext)
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
{
if (output_der) {
* Now extract the key from the SPKI structure.
*/
- BIO_printf(bio_err,
- "Check that the SPKAC request matches the signature\n");
+ BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n");
if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
BIO_printf(bio_err, "error unpacking SPKAC public key\n");
NETSCAPE_SPKI_free(spki);
X509_NAME_ENTRY_free(ne);
- return (ok);
+ return ok;
}
static int check_time_format(const char *str)
end:
for (i = 0; i < DB_NUMBER; i++)
OPENSSL_free(row[i]);
- return (ok);
+ return ok;
}
static int get_certificate_status(const char *serial, CA_DB *db)
for (i = 0; i < DB_NUMBER; i++) {
OPENSSL_free(row[i]);
}
- return (ok);
+ return ok;
}
static int do_updatedb(CA_DB *db)
return -1;
/* get actual time and make a string */
- a_tm = X509_gmtime_adj(a_tm, 0);
+ if (X509_gmtime_adj(a_tm, 0) == NULL) {
+ ASN1_UTCTIME_free(a_tm);
+ return -1;
+ }
a_tm_s = app_malloc(a_tm->length + 1, "time string");
memcpy(a_tm_s, a_tm->data, a_tm->length);
ASN1_UTCTIME_free(a_tm);
OPENSSL_free(a_tm_s);
- return (cnt);
+ return cnt;
}
static const char *crl_reasons[] = {
hold = OBJ_txt2obj(arg_str, 0);
if (!hold) {
- BIO_printf(bio_err, "invalid object identifier %s\n",
- arg_str);
+ BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
goto end;
}
if (phold)