X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fca.c;h=107c4d2b981c78798c8553ca5ba66c8fbf537b29;hp=e0a9ef9eae26da0d9ad992720d589fc970d12cf2;hb=9b55da73ca195947ed664dbf9f093f05759afdd9;hpb=b7a26e6dafdbf97513e968a45757a4d4e9843ba2 diff --git a/apps/ca.c b/apps/ca.c index e0a9ef9eae..107c4d2b98 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -76,7 +76,6 @@ #include #include #include -#include #ifdef OPENSSL_SYS_WINDOWS #define strcasecmp _stricmp @@ -127,6 +126,7 @@ #define ENV_DEFAULT_CRL_DAYS "default_crl_days" #define ENV_DEFAULT_CRL_HOURS "default_crl_hours" #define ENV_DEFAULT_MD "default_md" +#define ENV_DEFAULT_EMAIL_DN "email_in_dn" #define ENV_PRESERVE "preserve" #define ENV_POLICY "policy" #define ENV_EXTENSIONS "x509_extensions" @@ -183,6 +183,7 @@ static char *ca_usage[]={ " -spkac file - File contains DN and signed public key and challenge\n", " -ss_cert file - File contains a self signed cert to sign\n", " -preserveDN - Don't re-order the DN\n", +" -noemailDN - Don't add the EMAIL field into certificate' subject\n", " -batch - Don't ask questions\n", " -msie_hack - msie modifications to handle all those universal strings\n", " -revoke file - Revoke a certificate (given in file)\n", @@ -212,29 +213,29 @@ static BIGNUM *load_serial(char *serialfile); static int save_serial(char *serialfile, BIGNUM *serial); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate,char *enddate, - long days, int batch, char *ext_sect, CONF *conf,int verbose, - unsigned long certopt, unsigned long nameopt, int default_op, - int ext_copy); + BIGNUM *serial, char *subj, int email_dn, char *startdate, + char *enddate, long days, int batch, char *ext_sect, CONF *conf, + int verbose, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy); static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial, char *subj, char *startdate, - char *enddate, long days, int batch, char *ext_sect, - CONF *conf,int verbose, unsigned long certopt, + TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, + char *startdate, char *enddate, long days, int batch, + char *ext_sect, CONF *conf,int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e); static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy, - TXT_DB *db, BIGNUM *serial,char *subj, char *startdate, - char *enddate, long days, char *ext_sect,CONF *conf, - int verbose, unsigned long certopt, unsigned long nameopt, - int default_op, int ext_copy); + TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, + char *startdate, char *enddate, long days, char *ext_sect, + CONF *conf, int verbose, unsigned long certopt, + unsigned long nameopt, int default_op, int ext_copy); static int fix_data(int nid, int *type); static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj, - char *startdate, char *enddate, long days, int batch, int verbose, - X509_REQ *req, char *ext_sect, CONF *conf, + int email_dn, char *startdate, char *enddate, long days, int batch, + int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); static X509_NAME *do_subject(char *subject); @@ -264,10 +265,12 @@ int MAIN(int argc, char **argv) { ENGINE *e = NULL; char *key=NULL,*passargin=NULL; + int free_key = 0; int total=0; int total_done=0; int badops=0; int ret=1; + int email_dn=1; int req=0; int verbose=0; int gencrl=0; @@ -294,6 +297,7 @@ int MAIN(int argc, char **argv) char *extensions=NULL; char *extfile=NULL; char *subj=NULL; + char *tmp_email_dn=NULL; char *crl_ext=NULL; int rev_type = REV_NONE; char *rev_arg = NULL; @@ -312,8 +316,9 @@ int MAIN(int argc, char **argv) char *dbfile=NULL; TXT_DB *db=NULL; X509_CRL *crl=NULL; - X509_CRL_INFO *ci=NULL; X509_REVOKED *r=NULL; + ASN1_TIME *tmptm; + ASN1_INTEGER *tmpser; char **pp,*p,*f; int i,j; long l; @@ -438,6 +443,8 @@ EF_ALIGNMENT=0; batch=1; else if (strcmp(*argv,"-preserveDN") == 0) preserve=1; + else if (strcmp(*argv,"-noemailDN") == 0) + email_dn=0; else if (strcmp(*argv,"-gencrl") == 0) gencrl=1; else if (strcmp(*argv,"-msie_hack") == 0) @@ -658,15 +665,8 @@ bad: db=TXT_DB_read(in,DB_NUMBER); if (db == NULL) goto err; - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err, - "error creating serial number index:(%ld,%ld,%ld)\n", - db->error,db->arg1,db->arg2); + if (!make_serial_index(db)) goto err; - } if (get_certificate_status(ser_status,db) != 1) BIO_printf(bio_err,"Error verifying serial %s!\n", @@ -683,10 +683,14 @@ bad: lookup_fail(section,ENV_PRIVATE_KEY); goto err; } - if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL)) + if (!key) { - BIO_printf(bio_err,"Error getting password\n"); - goto err; + free_key = 1; + if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) + { + BIO_printf(bio_err,"Error getting password\n"); + goto err; + } } pkey = load_key(bio_err, keyfile, keyform, key, e, "CA private key"); @@ -891,13 +895,8 @@ bad: BIO_printf(bio_err,"generating index\n"); } - if (!TXT_DB_create_index(db, DB_serial, NULL, - LHASH_HASH_FN(index_serial_hash), - LHASH_COMP_FN(index_serial_cmp))) - { - BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2); + if (!make_serial_index(db)) goto err; - } if (!TXT_DB_create_index(db, DB_name, index_name_qual, LHASH_HASH_FN(index_name_hash), @@ -1048,6 +1047,12 @@ bad: lookup_fail(section,ENV_DEFAULT_MD); goto err; } + if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf, + section,ENV_DEFAULT_EMAIL_DN)) != NULL )) + { + if(strcmp(tmp_email_dn,"no") == 0) + email_dn=0; + } if ((dgst=EVP_get_digestbyname(md)) == NULL) { BIO_printf(bio_err,"%s is an unsupported message digest type\n",md); @@ -1166,8 +1171,8 @@ bad: { total++; j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate, days,extensions,conf, - verbose, certopt, nameopt, default_op, ext_copy); + serial,subj,email_dn,startdate,enddate,days,extensions, + conf,verbose,certopt,nameopt,default_op,ext_copy); if (j < 0) goto err; if (j > 0) { @@ -1190,7 +1195,7 @@ bad: { total++; j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs, - db,serial,subj,startdate,enddate,days,batch, + db,serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy, e); if (j < 0) goto err; @@ -1210,7 +1215,7 @@ bad: { total++; j=certify(&x,infile,pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate,days,batch, + serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy); if (j < 0) goto err; @@ -1230,7 +1235,7 @@ bad: { total++; j=certify(&x,argv[i],pkey,x509,dgst,attribs,db, - serial,subj,startdate,enddate,days,batch, + serial,subj,email_dn,startdate,enddate,days,batch, extensions,conf,verbose, certopt, nameopt, default_op, ext_copy); if (j < 0) goto err; @@ -1443,15 +1448,16 @@ bad: if (verbose) BIO_printf(bio_err,"making CRL\n"); if ((crl=X509_CRL_new()) == NULL) goto err; - ci=crl->crl; - X509_NAME_free(ci->issuer); - ci->issuer=X509_NAME_dup(x509->cert_info->subject); - if (ci->issuer == NULL) goto err; + if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err; + + tmptm = ASN1_TIME_new(); + if (!tmptm) goto err; + X509_gmtime_adj(tmptm,0); + X509_CRL_set_lastUpdate(crl, tmptm); + X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); + X509_CRL_set_nextUpdate(crl, tmptm); - X509_gmtime_adj(ci->lastUpdate,0); - if (ci->nextUpdate == NULL) - ci->nextUpdate=ASN1_UTCTIME_new(); - X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60); + ASN1_TIME_free(tmptm); for (i=0; idata); i++) { @@ -1464,22 +1470,20 @@ bad: if (j == 2) crl_v2 = 1; if (!BN_hex2bn(&serial, pp[DB_serial])) goto err; - r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber); + tmpser = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; - if (!r->serialNumber) + if (!tmpser) goto err; + X509_REVOKED_set_serialNumber(r, tmpser); + ASN1_INTEGER_free(tmpser); X509_CRL_add0_revoked(crl,r); } } + /* sort the data so it will be written in serial * number order */ - sk_X509_REVOKED_sort(ci->revoked); - for (i=0; irevoked); i++) - { - r=sk_X509_REVOKED_value(ci->revoked,i); - r->sequence=i; - } + X509_CRL_sort(crl); /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); @@ -1506,8 +1510,6 @@ bad: if (crl_ext) { X509V3_CTX crlctx; - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); X509V3_set_nconf(&crlctx, conf); @@ -1516,9 +1518,8 @@ bad: } if (crl_ext || crl_v2) { - if (ci->version == NULL) - if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; - ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ + if (!X509_CRL_set_version(crl, 1)) + goto err; /* version 2 CRL */ } if (!X509_CRL_sign(crl,pkey,dgst)) goto err; @@ -1592,6 +1593,8 @@ err: if (ret) ERR_print_errors(bio_err); app_RAND_write_file(randfile, bio_err); + if (free_key) + OPENSSL_free(key); BN_free(serial); TXT_DB_free(db); EVP_PKEY_free(pkey); @@ -1708,8 +1711,8 @@ err: static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, long days, - int batch, char *ext_sect, CONF *lconf, int verbose, + BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, + long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { @@ -1758,8 +1761,8 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, else BIO_printf(bio_err,"Signature ok\n"); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate, - days,batch,verbose,req,ext_sect,lconf, + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn, + startdate,enddate,days,batch,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, ext_copy); err: @@ -1770,8 +1773,8 @@ err: static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, long days, - int batch, char *ext_sect, CONF *lconf, int verbose, + BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, + long days, int batch, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, ENGINE *e) { @@ -1812,9 +1815,9 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL) goto err; - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days, - batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, - ext_copy); + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, + days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op, + ext_copy); err: if (rreq != NULL) X509_REQ_free(rreq); @@ -1824,12 +1827,12 @@ err: static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj, - char *startdate, char *enddate, long days, int batch, int verbose, - X509_REQ *req, char *ext_sect, CONF *lconf, + int email_dn, char *startdate, char *enddate, long days, int batch, + int verbose, X509_REQ *req, char *ext_sect, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { - X509_NAME *name=NULL,*CAname=NULL,*subject=NULL; + X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL; ASN1_UTCTIME *tm,*tmptm; ASN1_STRING *str,*str2; ASN1_OBJECT *obj; @@ -1870,6 +1873,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, if (default_op) BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n"); + name=X509_REQ_get_subject_name(req); for (i=0; itype=V_ASN1_IA5STRING; } + /* If no EMAIL is wanted in the subject */ + if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn)) + continue; + /* check some things */ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (str->type != V_ASN1_IA5STRING)) @@ -1901,14 +1909,17 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n"); goto err; } - j=ASN1_PRINTABLE_type(str->data,str->length); - if ( ((j == V_ASN1_T61STRING) && - (str->type != V_ASN1_T61STRING)) || - ((j == V_ASN1_IA5STRING) && - (str->type == V_ASN1_PRINTABLESTRING))) + if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING)) { - BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n"); - goto err; + j=ASN1_PRINTABLE_type(str->data,str->length); + if ( ((j == V_ASN1_T61STRING) && + (str->type != V_ASN1_T61STRING)) || + ((j == V_ASN1_IA5STRING) && + (str->type == V_ASN1_PRINTABLESTRING))) + { + BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n"); + goto err; + } } if (default_op) @@ -2027,14 +2038,40 @@ again2: if (preserve) { X509_NAME_free(subject); - subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); + /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ + subject=X509_NAME_dup(name); if (subject == NULL) goto err; } if (verbose) BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); - row[DB_name]=X509_NAME_oneline(subject,NULL,0); + /* Build the correct Subject if no e-mail is wanted in the subject */ + /* and add it later on because of the method extensions are added (altName) */ + + if (email_dn) + dn_subject = subject; + else + { + X509_NAME_ENTRY *tmpne; + /* Its best to dup the subject DN and then delete any email + * addresses because this retains its structure. + */ + if (!(dn_subject = X509_NAME_dup(subject))) + { + BIO_printf(bio_err,"Memory allocation failure\n"); + goto err; + } + while((i = X509_NAME_get_index_by_NID(dn_subject, + NID_pkcs9_emailAddress, -1) >= 0)) + { + tmpne = X509_NAME_get_entry(dn_subject, i); + X509_NAME_delete_entry(dn_subject, i); + X509_NAME_ENTRY_free(tmpne); + } + } + + row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0); row[DB_serial]=BN_bn2hex(serial); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { @@ -2190,6 +2227,11 @@ again2: goto err; } + /* Set the right value for the noemailDN option */ + if( email_dn == 0 ) + { + if (!X509_set_subject_name(ret,dn_subject)) goto err; + } if (!default_op) { @@ -2284,6 +2326,8 @@ err: X509_NAME_free(CAname); if (subject != NULL) X509_NAME_free(subject); + if ((dn_subject != NULL) && !email_dn) + X509_NAME_free(dn_subject); if (tmptm != NULL) ASN1_UTCTIME_free(tmptm); if (ok <= 0) @@ -2322,8 +2366,8 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db, - BIGNUM *serial, char *subj, char *startdate, char *enddate, long days, - char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, + BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate, + long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy) { STACK_OF(CONF_VALUE) *sk=NULL; @@ -2414,6 +2458,11 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, continue; } + /* + if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) + continue; + */ + j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); if (fix_data(nid, &j) == 0) { @@ -2458,7 +2507,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, X509_REQ_set_pubkey(req,pktmp); EVP_PKEY_free(pktmp); - ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate, + ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate, days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op, ext_copy); err: @@ -2889,92 +2938,25 @@ char *make_revocation_str(int rev_type, char *rev_arg) * 2 OK and some extensions added (i.e. V2 CRL) */ + int make_revoked(X509_REVOKED *rev, char *str) { char *tmp = NULL; - char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; int reason_code = -1; int i, ret = 0; ASN1_OBJECT *hold = NULL; ASN1_GENERALIZEDTIME *comp_time = NULL; ASN1_ENUMERATED *rtmp = NULL; - tmp = BUF_strdup(str); - - p = strchr(tmp, ','); - rtime_str = tmp; + ASN1_TIME *revDate = NULL; - if (p) - { - *p = '\0'; - p++; - reason_str = p; - p = strchr(p, ','); - if (p) - { - *p = '\0'; - arg_str = p + 1; - } - } + i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); - if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str)) - { - BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); + if (i == 0) goto err; - } - if (reason_str) - { - for (i = 0; i < NUM_REASONS; i++) - { - if(!strcasecmp(reason_str, crl_reasons[i])) - { - reason_code = i; - break; - } - } - if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) - { - BIO_printf(bio_err, "invalid reason code %s\n", reason_str); - goto err; - } - - if (reason_code == 7) - reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; - else if (reason_code == 8) /* Hold instruction */ - { - if (!arg_str) - { - BIO_printf(bio_err, "missing hold instruction\n"); - goto err; - } - reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; - hold = OBJ_txt2obj(arg_str, 0); - if (!hold) - { - BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); - goto err; - } - } - else if ((reason_code == 9) || (reason_code == 10)) - { - if (!arg_str) - { - BIO_printf(bio_err, "missing compromised time\n"); - goto err; - } - comp_time = ASN1_GENERALIZEDTIME_new(); - if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) - { - BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); - goto err; - } - if (reason_code == 9) - reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; - else - reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; - } - } + if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) + goto err; if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { @@ -3006,6 +2988,7 @@ int make_revoked(X509_REVOKED *rev, char *str) ASN1_OBJECT_free(hold); ASN1_GENERALIZEDTIME_free(comp_time); ASN1_ENUMERATED_free(rtmp); + ASN1_TIME_free(revDate); return ret; } @@ -3108,3 +3091,123 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) BIO_printf(bp,"'\n"); return 1; } + +int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str) + { + char *tmp = NULL; + char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; + int reason_code = -1; + int i, ret = 0; + ASN1_OBJECT *hold = NULL; + ASN1_GENERALIZEDTIME *comp_time = NULL; + tmp = BUF_strdup(str); + + p = strchr(tmp, ','); + + rtime_str = tmp; + + if (p) + { + *p = '\0'; + p++; + reason_str = p; + p = strchr(p, ','); + if (p) + { + *p = '\0'; + arg_str = p + 1; + } + } + + if (prevtm) + { + *prevtm = ASN1_UTCTIME_new(); + if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) + { + BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); + goto err; + } + } + if (reason_str) + { + for (i = 0; i < NUM_REASONS; i++) + { + if(!strcasecmp(reason_str, crl_reasons[i])) + { + reason_code = i; + break; + } + } + if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) + { + BIO_printf(bio_err, "invalid reason code %s\n", reason_str); + goto err; + } + + if (reason_code == 7) + reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; + else if (reason_code == 8) /* Hold instruction */ + { + if (!arg_str) + { + BIO_printf(bio_err, "missing hold instruction\n"); + goto err; + } + reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; + hold = OBJ_txt2obj(arg_str, 0); + + if (!hold) + { + BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); + goto err; + } + if (phold) *phold = hold; + } + else if ((reason_code == 9) || (reason_code == 10)) + { + if (!arg_str) + { + BIO_printf(bio_err, "missing compromised time\n"); + goto err; + } + comp_time = ASN1_GENERALIZEDTIME_new(); + if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) + { + BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); + goto err; + } + if (reason_code == 9) + reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; + else + reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; + } + } + + if (preason) *preason = reason_code; + if (pinvtm) *pinvtm = comp_time; + else ASN1_GENERALIZEDTIME_free(comp_time); + + ret = 1; + + err: + + if (tmp) OPENSSL_free(tmp); + if (!phold) ASN1_OBJECT_free(hold); + if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time); + + return ret; + } + +int make_serial_index(TXT_DB *db) + { + if (!TXT_DB_create_index(db, DB_serial, NULL, + LHASH_HASH_FN(index_serial_hash), + LHASH_COMP_FN(index_serial_cmp))) + { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->error,db->arg1,db->arg2); + return 0; + } + return 1; + }