* [including the GNU Public Licence.]
*/
-#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char *section, ASN1_INTEGER *sno, int reqfile);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-static int force_version = 2;
-#endif
-
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
-#ifndef OPENSSL_NO_MD5
OPT_SUBJECT_HASH_OLD,
OPT_ISSUER_HASH_OLD,
-#endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- OPT_FORCE_VERSION,
-#endif
OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
} OPTION_CHOICE;
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
{"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
-#ifndef OPENSSL_NO_MD5
- {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
- "Print old-style (MD5) subject hash value"},
-#endif
{"hash", OPT_HASH, '-', "Synonym for -subject_hash"},
{"subject", OPT_SUBJECT, '-', "Print subject DN"},
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
{"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
{"days", OPT_DAYS, 'n',
"How long till expiry of a signed certificate - def 30 days"},
- {"checkend", OPT_CHECKEND, 'p',
+ {"checkend", OPT_CHECKEND, 'M',
"Check whether the cert expires in the next arg seconds"},
{OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
{"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
"Output a certification request object"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
{"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
- {"CAkey", OPT_CAKEY, '<',
+ {"CAkey", OPT_CAKEY, 's',
"The CA key, must be PEM format; if not in CAfile"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create serial number file if it does not exist"},
- {"CAserial", OPT_CASERIAL, '<', "Serial file"},
+ {"CAserial", OPT_CASERIAL, 's', "Serial file"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"text", OPT_TEXT, '-', "Print the certificate in text form"},
{"C", OPT_C, '-', "Print out C code forms"},
{"clrreject", OPT_CLRREJECT, '-'},
{"badsig", OPT_BADSIG, '-'},
{"", OPT_MD, '-', "Any supported digest"},
+#ifndef OPENSSL_NO_MD5
+ {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) subject hash value"},
+#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- {"force_version", OPT_FORCE_VERSION, 'p'},
#endif
{NULL}
};
int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
- int checkoffset = 0, enddate = 0;
+ int enddate = 0;
+ time_t checkoffset = 0;
unsigned long nmflag = 0, certflag = 0;
+ char nmflag_set = 0;
OPTION_CHOICE o;
ENGINE *e = NULL;
#ifndef OPENSSL_NO_MD5
goto opthelp;
break;
case OPT_CAKEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat))
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
goto opthelp;
break;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- case OPT_FORCE_VERSION:
- force_version = atoi(opt_arg()) - 1;
- break;
-#endif
case OPT_DAYS:
days = atoi(opt_arg());
break;
goto opthelp;
break;
case OPT_NAMEOPT:
+ nmflag_set = 1;
if (!set_name_ex(&nmflag, opt_arg()))
goto opthelp;
break;
case OPT_ISSUER_HASH_OLD:
issuer_hash_old = ++num;
break;
+#else
+ case OPT_SUBJECT_HASH_OLD:
+ case OPT_ISSUER_HASH_OLD:
+ break;
#endif
case OPT_DATES:
startdate = ++num;
enddate = ++num;
break;
case OPT_CHECKEND:
- checkoffset = atoi(opt_arg());
checkend = 1;
+ {
+ intmax_t temp = 0;
+ if (!opt_imax(opt_arg(), &temp))
+ goto opthelp;
+ checkoffset = (time_t)temp;
+ if ((intmax_t)checkoffset != temp) {
+ BIO_printf(bio_err, "%s: checkend time out of range %s\n",
+ prog, opt_arg());
+ goto opthelp;
+ }
+ }
break;
case OPT_CHECKHOST:
checkhost = opt_arg();
goto opthelp;
}
- out = bio_open_default(outfile, "w");
+ if (!nmflag_set)
+ nmflag = XN_FLAG_ONELINE;
+
+ out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
goto end;
}
if (extfile) {
- long errorline = -1;
X509V3_CTX ctx2;
- extconf = NCONF_new(NULL);
- if (!NCONF_load(extconf, extfile, &errorline)) {
- if (errorline <= 0)
- BIO_printf(bio_err,
- "error loading the config file '%s'\n", extfile);
- else
- BIO_printf(bio_err,
- "error on line %ld of config file '%s'\n",
- errorline, extfile);
+ if ((extconf = app_load_config(extfile)) == NULL)
goto end;
- }
if (!extsect) {
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect) {
BIO_printf(bio_err, "We need a private key to sign with\n");
goto end;
}
- in = bio_open_default(infile, "r");
+ in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
goto end;
}
- if ((req->req_info == NULL) ||
- (req->req_info->pubkey == NULL) ||
- (req->req_info->pubkey->public_key == NULL) ||
- (req->req_info->pubkey->public_key->data == NULL)) {
- BIO_printf(bio_err,
- "The certificate request appears to corrupted\n");
- BIO_printf(bio_err, "It does not contain a public key\n");
- goto end;
- }
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
if (sno == NULL) {
sno = ASN1_INTEGER_new();
- if (!sno || !rand_serial(NULL, sno))
+ if (sno == NULL || !rand_serial(NULL, sno))
goto end;
if (!X509_set_serialNumber(x, sno))
goto end;
} else if (!X509_set_serialNumber(x, sno))
goto end;
- if (!X509_set_issuer_name(x, req->req_info->subject))
+ if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
goto end;
- if (!X509_set_subject_name(x, req->req_info->subject))
+ if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
goto end;
X509_gmtime_adj(X509_get_notBefore(x), 0);
EVP_PKEY_free(pkey);
}
} else
- x = load_cert(infile, informat, NULL, e, "Certificate");
+ x = load_cert(infile, informat, "Certificate");
if (x == NULL)
goto end;
if (CA_flag) {
- xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
+ xca = load_cert(CAfile, CAformat, "CA Certificate");
if (xca == NULL)
goto end;
}
} else if (modulus == i) {
EVP_PKEY *pkey;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Modulus=unavailable\n");
ERR_print_errors(bio_err);
}
BIO_printf(out, "Modulus=");
#ifndef OPENSSL_NO_RSA
- if (pkey->type == EVP_PKEY_RSA)
- BN_print(out, pkey->pkey.rsa->n);
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
+ BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
else
#endif
#ifndef OPENSSL_NO_DSA
- if (pkey->type == EVP_PKEY_DSA)
- BN_print(out, pkey->pkey.dsa->pub_key);
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
+ BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
else
#endif
BIO_printf(out, "Wrong Algorithm type");
BIO_printf(out, "\n");
- EVP_PKEY_free(pkey);
} else if (pubkey == i) {
EVP_PKEY *pkey;
- pkey = X509_get_pubkey(x);
+ pkey = X509_get0_pubkey(x);
if (pkey == NULL) {
BIO_printf(bio_err, "Error getting public key\n");
ERR_print_errors(bio_err);
goto end;
}
PEM_write_bio_PUBKEY(out, pkey);
- EVP_PKEY_free(pkey);
} else if (C == i) {
unsigned char *d;
char *m;
goto end;
}
- if (badsig)
- x->signature->data[x->signature->length - 1] ^= 0x1;
+ if (badsig) {
+ ASN1_BIT_STRING *signature;
+ unsigned char *s;
+ X509_get0_signature(&signature, NULL, x);
+ s = ASN1_STRING_data(signature);
+ s[ASN1_STRING_length(signature) - 1] ^= 0x1;
+ }
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
i = PEM_write_bio_X509_AUX(out, x);
else
i = PEM_write_bio_X509(out, x);
- } else if (outformat == FORMAT_NETSCAPE) {
- NETSCAPE_X509 nx;
- ASN1_OCTET_STRING hdr;
-
- hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
- hdr.length = strlen(NETSCAPE_CERT_HDR);
- nx.header = &hdr;
- nx.cert = x;
-
- i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
EVP_PKEY_free(fkey);
- if (sigopts)
- sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
: (strlen(serialfile))) + 1;
buf = app_malloc(len, "serial# buffer");
if (serialfile == NULL) {
- BUF_strlcpy(buf, CAfile, len);
+ OPENSSL_strlcpy(buf, CAfile, len);
for (p = buf; *p; p++)
if (*p == '.') {
*p = '\0';
break;
}
- BUF_strlcat(buf, POSTFIX, len);
+ OPENSSL_strlcat(buf, POSTFIX, len);
} else
- BUF_strlcpy(buf, serialfile, len);
+ OPENSSL_strlcpy(buf, serialfile, len);
serial = load_serial(buf, create, NULL);
if (serial == NULL)
X509_STORE_CTX xsc;
EVP_PKEY *upkey;
- upkey = X509_get_pubkey(xca);
+ upkey = X509_get0_pubkey(xca);
EVP_PKEY_copy_parameters(upkey, pkey);
- EVP_PKEY_free(upkey);
if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
}
if (sno)
bs = sno;
- else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
+ else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL)
goto end;
-/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/
-
/*
* NOTE: this certificate can/should be self signed, unless it was a
* certificate request in which case it is not.
if (conf) {
X509V3_CTX ctx2;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- X509_set_version(x, force_version);
-#else
X509_set_version(x, 2); /* version 3 certificate */
-#endif
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx2, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
goto err;
- if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) ==
- NULL)
+ if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
goto err;
if (!X509_set_pubkey(x, pkey))
}
if (conf) {
X509V3_CTX ctx;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- X509_set_version(x, force_version);
-#else
X509_set_version(x, 2); /* version 3 certificate */
-#endif
X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))