X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fx509.c;h=b4ef74c0cfa8b88a319c3f51859259a207af4f64;hp=acce9e9ddd2629699a56deeaaca28ba4afa7987c;hb=5388f9862d9aaf3c7cf7a70c1e36e7e983c26cfc;hpb=a8d8e06b0ac06c421fd11cc1772126dcb98f79ae diff --git a/apps/x509.c b/apps/x509.c index acce9e9ddd..b4ef74c0cf 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1,64 +1,17 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ #include #include #include #include "apps.h" +#include "progs.h" #include #include #include @@ -80,25 +33,24 @@ #define DEF_DAYS 30 static int callb(int ok, X509_STORE_CTX *ctx); -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, - const EVP_MD *digest, CONF *conf, char *section); -static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, +static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext, + const EVP_MD *digest, CONF *conf, const char *section, + int preserve_dates); +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, - STACK_OF(OPENSSL_STRING) *sigopts, char *serial, + STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, int create, int days, int clrext, CONF *conf, - char *section, ASN1_INTEGER *sno, int reqfile); + const char *section, ASN1_INTEGER *sno, int reqfile, + int preserve_dates); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); - -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL -static int force_version = 2; -#endif +static int print_x509v3_exts(BIO *bio, X509 *x, const char *exts); typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, - OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, - OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY, + OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, OPT_CAKEY, + OPT_CASERIAL, OPT_SET_SERIAL, OPT_NEW, OPT_FORCE_PUBKEY, OPT_SUBJ, OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH, @@ -108,20 +60,28 @@ typedef enum OPTION_choice { OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, - OPT_FORCE_VERSION, - OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT + OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES, + OPT_R_ENUM, OPT_EXT } OPTION_CHOICE; -OPTIONS x509_options[] = { +const OPTIONS x509_options[] = { + OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"inform", OPT_INFORM, 'f', - "Input format - default PEM (one of DER, NET or PEM)"}, + "Input format - default PEM (one of DER or PEM)"}, {"in", OPT_IN, '<', "Input file - default stdin"}, + {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, {"outform", OPT_OUTFORM, 'f', - "Output format - default PEM (one of DER, NET or PEM)"}, + "Output format - default PEM (one of DER or PEM)"}, {"out", OPT_OUT, '>', "Output file - default stdout"}, {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, - {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, + + OPT_SECTION("Output"), {"serial", OPT_SERIAL, '-', "Print serial number value"}, {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, @@ -129,82 +89,89 @@ OPTIONS x509_options[] = { {"subject", OPT_SUBJECT, '-', "Print subject DN"}, {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, {"email", OPT_EMAIL, '-', "Print email address(es)"}, - {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, - {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, - {"dates", OPT_DATES, '-', "Both Before and After dates"}, {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, - {"fingerprint", OPT_FINGERPRINT, '-', - "Print the certificate fingerprint"}, + {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"}, {"alias", OPT_ALIAS, '-', "Output certificate alias"}, {"noout", OPT_NOOUT, '-', "No output, just status"}, - {"nocert", OPT_NOCERT, '-', "No certificate output"}, {"ocspid", OPT_OCSPID, '-', "Print OCSP hash values for the subject name and public key"}, {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, + {"nocert", OPT_NOCERT, '-', "No certificate output"}, {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, + {"x509toreq", OPT_X509TOREQ, '-', + "Output a certification request object"}, + {"checkend", OPT_CHECKEND, 'M', + "Check whether the cert expires in the next arg seconds"}, + {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, + {"text", OPT_TEXT, '-', "Print the certificate in text form"}, + {"ext", OPT_EXT, 's', "Print various X509V3 extensions"}, + {"C", OPT_C, '-', "Print out C code forms"}, +#ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, +#endif + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + + OPT_SECTION("Certificate"), + {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, + {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, + {"dates", OPT_DATES, '-', "Both Before and After dates"}, {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, - {"clrext", OPT_CLREXT, '-', "Clear all rejected purposes"}, + {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, {"addreject", OPT_ADDREJECT, 's', "Reject certificate for a given purpose"}, {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, {"days", OPT_DAYS, 'n', "How long till expiry of a signed certificate - def 30 days"}, - {"checkend", OPT_CHECKEND, 'p', - "Check whether the cert expires in the next arg seconds"}, - {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"}, - {"x509toreq", OPT_X509TOREQ, '-', - "Output a certification request object"}, - {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, - {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, - {"CAkey", OPT_CAKEY, '<', - "The CA key, must be PEM format; if not in CAfile"}, - {"CAcreateserial", OPT_CACREATESERIAL, '-', - "Create serial number file if it does not exist"}, - {"CAserial", OPT_CASERIAL, 's', "Serial file"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, - {"text", OPT_TEXT, '-', "Print the certificate in text form"}, - {"C", OPT_C, '-', "Print out C code forms"}, - {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, - {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the key to put inside certificate"}, + {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"}, + + OPT_SECTION("CA"), + {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, + {"CAkey", OPT_CAKEY, 's', + "The CA key, must be PEM format; if not in CAfile"}, + {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, + OPT_R_OPTIONS, {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, - {"CAkeyform", OPT_CAKEYFORM, 'F', "CA key format - default PEM"}, - {"sigopt", OPT_SIGOPT, 's'}, - {"force_pubkey", OPT_FORCE_PUBKEY, '<'}, - {"next_serial", OPT_NEXT_SERIAL, '-'}, - {"clrreject", OPT_CLRREJECT, '-'}, - {"badsig", OPT_BADSIG, '-'}, + {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"CAcreateserial", OPT_CACREATESERIAL, '-', + "Create serial number file if it does not exist"}, + {"CAserial", OPT_CASERIAL, 's', "Serial file"}, + {"new", OPT_NEW, '-', "Generate a certificate from scratch"}, + {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, + {"clrreject", OPT_CLRREJECT, '-', + "Clears all the prohibited or rejected uses of the certificate"}, + {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_MD5 - {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', - "Print old-style (MD5) issuer hash value"}, - {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', - "Print old-style (MD5) subject hash value"}, -#endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - {"force_version", OPT_FORCE_VERSION, 'p'}, -#endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif + {"preserve_dates", OPT_PRESERVE_DATES, '-', "preserve existing dates when signing"}, {NULL} }; int x509_main(int argc, char **argv) { ASN1_INTEGER *sno = NULL; - ASN1_OBJECT *objtmp; + ASN1_OBJECT *objtmp = NULL; BIO *out = NULL; CONF *extconf = NULL; EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; + int newcert = 0; + char *subj = NULL; + X509_NAME *fsubj = NULL; + const unsigned long chtype = MBSTRING_ASC; + const int multirdn = 0; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL; X509 *x = NULL, *xca = NULL; @@ -212,22 +179,23 @@ int x509_main(int argc, char **argv) X509_STORE *ctx = NULL; const EVP_MD *digest = NULL; char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; - char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; + char *checkhost = NULL, *checkemail = NULL, *checkip = NULL, *exts = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; - char buf[256], *prog; + char *prog; int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; - int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0; + int fingerprint = 0, reqfile = 0, checkend = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; - int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0; - int checkoffset = 0, enddate = 0; - unsigned long nmflag = 0, certflag = 0; - char nmflag_set = 0; + int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, ext = 0; + int enddate = 0; + time_t checkoffset = 0; + unsigned long certflag = 0; + int preserve_dates = 0; OPTION_CHOICE o; ENGINE *e = NULL; #ifndef OPENSSL_NO_MD5 @@ -271,14 +239,14 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_CAKEYFORM: - if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat)) + if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat)) goto opthelp; break; case OPT_OUT: outfile = opt_arg(); break; case OPT_REQ: - reqfile = need_rand = 1; + reqfile = 1; break; case OPT_SIGOPT: @@ -287,12 +255,9 @@ int x509_main(int argc, char **argv) if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) goto opthelp; break; - case OPT_FORCE_VERSION: -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - force_version = atoi(opt_arg()) - 1; -#endif - break; case OPT_DAYS: + if (preserve_dates) + goto opthelp; days = atoi(opt_arg()); break; case OPT_PASSIN: @@ -301,18 +266,20 @@ int x509_main(int argc, char **argv) case OPT_EXTFILE: extfile = opt_arg(); break; + case OPT_R_CASES: + if (!opt_rand(o)) + goto end; + break; case OPT_EXTENSIONS: extsect = opt_arg(); break; case OPT_SIGNKEY: keyfile = opt_arg(); sign_flag = ++num; - need_rand = 1; break; case OPT_CA: CAfile = opt_arg(); CA_flag = ++num; - need_rand = 1; break; case OPT_CAKEY: CAkeyfile = opt_arg(); @@ -321,12 +288,22 @@ int x509_main(int argc, char **argv) CAserial = opt_arg(); break; case OPT_SET_SERIAL: + if (sno != NULL) { + BIO_printf(bio_err, "Serial number supplied twice\n"); + goto opthelp; + } if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) goto opthelp; break; + case OPT_NEW: + newcert = 1; + break; case OPT_FORCE_PUBKEY: fkeyfile = opt_arg(); break; + case OPT_SUBJ: + subj = opt_arg(); + break; case OPT_ADDTRUST: if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { BIO_printf(bio_err, @@ -337,6 +314,7 @@ int x509_main(int argc, char **argv) if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) goto end; sk_ASN1_OBJECT_push(trust, objtmp); + objtmp = NULL; trustout = 1; break; case OPT_ADDREJECT: @@ -350,6 +328,7 @@ int x509_main(int argc, char **argv) && (reject = sk_ASN1_OBJECT_new_null()) == NULL) goto end; sk_ASN1_OBJECT_push(reject, objtmp); + objtmp = NULL; trustout = 1; break; case OPT_SETALIAS: @@ -361,8 +340,7 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_NAMEOPT: - nmflag_set = 1; - if (!set_name_ex(&nmflag, opt_arg())) + if (!set_nameopt(opt_arg())) goto opthelp; break; case OPT_ENGINE: @@ -422,6 +400,10 @@ int x509_main(int argc, char **argv) case OPT_NOOUT: noout = ++num; break; + case OPT_EXT: + ext = ++num; + exts = opt_arg(); + break; case OPT_NOCERT: nocert = 1; break; @@ -466,8 +448,18 @@ int x509_main(int argc, char **argv) enddate = ++num; break; case OPT_CHECKEND: - checkoffset = atoi(opt_arg()); checkend = 1; + { + intmax_t temp = 0; + if (!opt_imax(opt_arg(), &temp)) + goto opthelp; + checkoffset = (time_t)temp; + if ((intmax_t)checkoffset != temp) { + BIO_printf(bio_err, "%s: checkend time out of range %s\n", + prog, opt_arg()); + goto opthelp; + } + } break; case OPT_CHECKHOST: checkhost = opt_arg(); @@ -478,6 +470,11 @@ int x509_main(int argc, char **argv) case OPT_CHECKIP: checkip = opt_arg(); break; + case OPT_PRESERVE_DATES: + if (days != DEF_DAYS) + goto opthelp; + preserve_dates = 1; + break; case OPT_MD: if (!opt_md(opt_unknown(), &digest)) goto opthelp; @@ -490,19 +487,6 @@ int x509_main(int argc, char **argv) goto opthelp; } - if (!nmflag_set) - nmflag = XN_FLAG_ONELINE; - - if (!app_load_modules(NULL)) - goto end; - - out = bio_open_default(outfile, "w"); - if (out == NULL) - goto end; - - if (need_rand) - app_RAND_load_file(NULL, 0); - if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; @@ -513,27 +497,47 @@ int x509_main(int argc, char **argv) goto end; } - if (fkeyfile) { + if (newcert && infile != NULL) { + BIO_printf(bio_err, "The -in option must not be used since -new is set\n"); + goto end; + } + if (newcert && fkeyfile == NULL) { + BIO_printf(bio_err, + "The -new option requires a public key to be set using -force_pubkey\n"); + goto end; + } + if (fkeyfile != NULL) { fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key"); if (fkey == NULL) goto end; } - if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { + if (newcert && subj == NULL) { + BIO_printf(bio_err, + "The -new option requires a subject to be set using -subj\n"); + goto end; + } + if (subj != NULL && (fsubj = parse_name(subj, chtype, multirdn)) == NULL) + goto end; + + if (CAkeyfile == NULL && CA_flag && CAformat == FORMAT_PEM) { CAkeyfile = CAfile; - } else if ((CA_flag) && (CAkeyfile == NULL)) { + } else if (CA_flag && CAkeyfile == NULL) { BIO_printf(bio_err, "need to specify a CAkey if using the CA command\n"); goto end; + } else if (!CA_flag && CAkeyfile != NULL) { + BIO_printf(bio_err, + "ignoring -CAkey option since no -CA option is given\n"); } - if (extfile) { + if (extfile != NULL) { X509V3_CTX ctx2; if ((extconf = app_load_config(extfile)) == NULL) goto end; - if (!extsect) { + if (extsect == NULL) { extsect = NCONF_get_string(extconf, "default", "extensions"); - if (!extsect) { + if (extsect == NULL) { ERR_clear_error(); extsect = "default"; } @@ -552,11 +556,7 @@ int x509_main(int argc, char **argv) EVP_PKEY *pkey; BIO *in; - if (!sign_flag && !CA_flag) { - BIO_printf(bio_err, "We need a private key to sign with\n"); - goto end; - } - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); @@ -567,70 +567,81 @@ int x509_main(int argc, char **argv) goto end; } - if ((pkey = X509_REQ_get_pubkey(req)) == NULL) { + if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto end; } i = X509_REQ_verify(req, pkey); - EVP_PKEY_free(pkey); if (i < 0) { - BIO_printf(bio_err, "Signature verification error\n"); + BIO_printf(bio_err, "Request self-signature verification error\n"); ERR_print_errors(bio_err); goto end; } if (i == 0) { BIO_printf(bio_err, - "Signature did not match the certificate request\n"); + "Request self-signature did not match the certificate request\n"); goto end; - } else - BIO_printf(bio_err, "Signature ok\n"); + } else { + BIO_printf(bio_err, "Request self-signature ok\n"); + } print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), - nmflag); + get_nameopt()); + } + if (reqfile || newcert) { + X509_NAME *n; + + if (!sign_flag && CAkeyfile == NULL) { + BIO_printf(bio_err, + "We need a private key to sign with, use -signkey or -CAkey or -CA with private key\n"); + goto end; + } if ((x = X509_new()) == NULL) goto end; if (sno == NULL) { sno = ASN1_INTEGER_new(); - if (!sno || !rand_serial(NULL, sno)) + if (sno == NULL || !rand_serial(NULL, sno)) goto end; if (!X509_set_serialNumber(x, sno)) goto end; ASN1_INTEGER_free(sno); sno = NULL; - } else if (!X509_set_serialNumber(x, sno)) + } else if (!X509_set_serialNumber(x, sno)) { goto end; + } - if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) + n = req == NULL ? fsubj : X509_REQ_get_subject_name(req); + if (!X509_set_issuer_name(x, n) || !X509_set_subject_name(x, n)) goto end; - if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) + if (!set_cert_times(x, NULL, NULL, days)) goto end; - X509_gmtime_adj(X509_get_notBefore(x), 0); - X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); - if (fkey) - X509_set_pubkey(x, fkey); - else { - pkey = X509_REQ_get_pubkey(req); - X509_set_pubkey(x, pkey); - EVP_PKEY_free(pkey); - } - } else - x = load_cert(infile, informat, NULL, e, "Certificate"); + if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req))) + goto end; + } else { + x = load_cert(infile, informat, "Certificate"); + if (x == NULL) + goto end; + if (fkey != NULL && !X509_set_pubkey(x, fkey)) + goto end; + if (fsubj != NULL && !X509_set_subject_name(x, fsubj)) + goto end; + } - if (x == NULL) - goto end; if (CA_flag) { - xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate"); + xca = load_cert(CAfile, CAformat, "CA Certificate"); if (xca == NULL) goto end; } - if (!noout || text || next_serial) { - OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; - } + if (!noout || text || next_serial) + OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); @@ -640,36 +651,44 @@ int x509_main(int argc, char **argv) if (clrreject) X509_reject_clear(x); - if (trust) { + if (trust != NULL) { for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { objtmp = sk_ASN1_OBJECT_value(trust, i); X509_add1_trust_object(x, objtmp); } + objtmp = NULL; } - if (reject) { + if (reject != NULL) { for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { objtmp = sk_ASN1_OBJECT_value(reject, i); X509_add1_reject_object(x, objtmp); } + objtmp = NULL; + } + + if (badsig) { + const ASN1_BIT_STRING *signature; + + X509_get0_signature(&signature, NULL, x); + corrupt_signature(signature); } if (num) { for (i = 1; i <= num; i++) { if (issuer == i) { - print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag); + print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); } else if (subject == i) { - print_name(out, "subject= ", - X509_get_subject_name(x), nmflag); + print_name(out, "subject=", + X509_get_subject_name(x), get_nameopt()); } else if (serial == i) { BIO_printf(out, "serial="); i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); BIO_printf(out, "\n"); } else if (next_serial == i) { - BIGNUM *bnser; - ASN1_INTEGER *ser; - ser = X509_get_serialNumber(x); - bnser = ASN1_INTEGER_to_BN(ser, NULL); + ASN1_INTEGER *ser = X509_get_serialNumber(x); + BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); + if (!bnser) goto end; if (!BN_add_word(bnser, 1)) @@ -681,7 +700,7 @@ int x509_main(int argc, char **argv) i2a_ASN1_INTEGER(out, ser); ASN1_INTEGER_free(ser); BIO_puts(out, "\n"); - } else if ((email == i) || (ocsp_uri == i)) { + } else if (email == i || ocsp_uri == i) { int j; STACK_OF(OPENSSL_STRING) *emlst; if (email == i) @@ -726,7 +745,7 @@ int x509_main(int argc, char **argv) } else if (modulus == i) { EVP_PKEY *pkey; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err, "Modulus=unavailable\n"); ERR_print_errors(bio_err); @@ -734,41 +753,42 @@ int x509_main(int argc, char **argv) } BIO_printf(out, "Modulus="); #ifndef OPENSSL_NO_RSA - if (pkey->type == EVP_PKEY_RSA) - BN_print(out, pkey->pkey.rsa->n); - else + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { + const BIGNUM *n; + RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL); + BN_print(out, n); + } else #endif #ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - BN_print(out, pkey->pkey.dsa->pub_key); - else + if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { + const BIGNUM *dsapub = NULL; + DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); + BN_print(out, dsapub); + } else #endif + { BIO_printf(out, "Wrong Algorithm type"); + } BIO_printf(out, "\n"); - EVP_PKEY_free(pkey); } else if (pubkey == i) { EVP_PKEY *pkey; - pkey = X509_get_pubkey(x); + pkey = X509_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err, "Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(out, pkey); - EVP_PKEY_free(pkey); } else if (C == i) { unsigned char *d; char *m; int len; - X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf); - BIO_printf(out, "/*\n" - " * Subject: %s\n", buf); - - m = X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof buf); - BIO_printf(out, " * Issuer: %s\n" - " */\n", buf); + print_name(out, "/*\n" + " * Subject: ", X509_get_subject_name(x), get_nameopt()); + print_name(out, " * Issuer: ", X509_get_issuer_name(x), get_nameopt()); + BIO_puts(out, " */\n"); len = i2d_X509(x, NULL); m = app_malloc(len, "x509 name buffer"); @@ -783,14 +803,14 @@ int x509_main(int argc, char **argv) print_array(out, "the_certificate", len, (unsigned char *)m); OPENSSL_free(m); } else if (text == i) { - X509_print_ex(out, x, nmflag, certflag); + X509_print_ex(out, x, get_nameopt(), certflag); } else if (startdate == i) { BIO_puts(out, "notBefore="); - ASN1_TIME_print(out, X509_get_notBefore(x)); + ASN1_TIME_print(out, X509_get0_notBefore(x)); BIO_puts(out, "\n"); } else if (enddate == i) { BIO_puts(out, "notAfter="); - ASN1_TIME_print(out, X509_get_notAfter(x)); + ASN1_TIME_print(out, X509_get0_notAfter(x)); BIO_puts(out, "\n"); } else if (fingerprint == i) { int j; @@ -798,7 +818,7 @@ int x509_main(int argc, char **argv) unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; - if (!fdig) + if (fdig == NULL) fdig = EVP_sha1(); if (!X509_digest(x, fdig, md, &n)) { @@ -814,7 +834,7 @@ int x509_main(int argc, char **argv) } /* should be in the library */ - else if ((sign_flag == i) && (x509req == 0)) { + else if (sign_flag == i && x509req == 0) { BIO_printf(bio_err, "Getting Private key\n"); if (Upkey == NULL) { Upkey = load_key(keyfile, keyformat, 0, @@ -823,8 +843,8 @@ int x509_main(int argc, char **argv) goto end; } - assert(need_rand); - if (!sign(x, Upkey, days, clrext, digest, extconf, extsect)) + if (!sign(x, Upkey, fkey, days, clrext, digest, extconf, + extsect, preserve_dates)) goto end; } else if (CA_flag == i) { BIO_printf(bio_err, "Getting CA Private Key\n"); @@ -835,11 +855,10 @@ int x509_main(int argc, char **argv) goto end; } - assert(need_rand); if (!x509_certify(ctx, CAfile, digest, x, xca, CApkey, sigopts, CAserial, CA_createserial, days, clrext, - extconf, extsect, sno, reqfile)) + extconf, extsect, sno, reqfile, preserve_dates)) goto end; } else if (x509req == i) { EVP_PKEY *pk; @@ -864,12 +883,14 @@ int x509_main(int argc, char **argv) goto end; } if (!noout) { - X509_REQ_print(out, rq); + X509_REQ_print_ex(out, rq, get_nameopt(), X509_FLAG_COMPAT); PEM_write_bio_X509_REQ(out, rq); } noout = 1; } else if (ocspid == i) { X509_ocspid_print(out, x); + } else if (ext == i) { + print_x509v3_exts(out, x, exts); } } } @@ -877,7 +898,7 @@ int x509_main(int argc, char **argv) if (checkend) { time_t tcheck = time(NULL) + checkoffset; - if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { + if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { BIO_printf(out, "Certificate will expire\n"); ret = 1; } else { @@ -894,17 +915,9 @@ int x509_main(int argc, char **argv) goto end; } - if (badsig) { - ASN1_BIT_STRING *signature; - unsigned char *s; - X509_get0_signature(&signature, NULL, x); - s = ASN1_STRING_data(signature); - s[ASN1_STRING_length(signature) - 1] ^= 0x1; - } - - if (outformat == FORMAT_ASN1) + if (outformat == FORMAT_ASN1) { i = i2d_X509_bio(out, x); - else if (outformat == FORMAT_PEM) { + } else if (outformat == FORMAT_PEM) { if (trustout) i = PEM_write_bio_X509_AUX(out, x); else @@ -920,12 +933,10 @@ int x509_main(int argc, char **argv) } ret = 0; end: - if (need_rand) - app_RAND_write_file(NULL); - OBJ_cleanup(); NCONF_free(extconf); BIO_free_all(out); X509_STORE_free(ctx); + X509_NAME_free(fsubj); X509_REQ_free(req); X509_free(x); X509_free(xca); @@ -937,34 +948,30 @@ int x509_main(int argc, char **argv) ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); + ASN1_OBJECT_free(objtmp); + release_engine(e); OPENSSL_free(passin); - return (ret); + return ret; } -static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, - int create) +static ASN1_INTEGER *x509_load_serial(const char *CAfile, + const char *serialfile, int create) { - char *buf = NULL, *p; + char *buf = NULL; ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; - size_t len; - len = ((serialfile == NULL) - ? (strlen(CAfile) + strlen(POSTFIX) + 1) - : (strlen(serialfile))) + 1; - buf = app_malloc(len, "serial# buffer"); if (serialfile == NULL) { - BUF_strlcpy(buf, CAfile, len); - for (p = buf; *p; p++) - if (*p == '.') { - *p = '\0'; - break; - } - BUF_strlcat(buf, POSTFIX, len); - } else - BUF_strlcpy(buf, serialfile, len); + const char *p = strrchr(CAfile, '.'); + size_t len = p != NULL ? (size_t)(p - CAfile) : strlen(CAfile); + + buf = app_malloc(len + sizeof(POSTFIX), "serial# buffer"); + memcpy(buf, CAfile, len); + memcpy(buf + len, POSTFIX, sizeof(POSTFIX)); + serialfile = buf; + } - serial = load_serial(buf, create, NULL); + serial = load_serial(serialfile, create, NULL); if (serial == NULL) goto end; @@ -973,7 +980,7 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, goto end; } - if (!save_serial(buf, NULL, serial, &bs)) + if (!save_serial(serialfile, NULL, serial, &bs)) goto end; end: @@ -982,23 +989,27 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, return bs; } -static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, - char *serialfile, int create, - int days, int clrext, CONF *conf, char *section, - ASN1_INTEGER *sno, int reqfile) + const char *serialfile, int create, + int days, int clrext, CONF *conf, const char *section, + ASN1_INTEGER *sno, int reqfile, int preserve_dates) { int ret = 0; ASN1_INTEGER *bs = NULL; - X509_STORE_CTX xsc; + X509_STORE_CTX *xsc = NULL; EVP_PKEY *upkey; - upkey = X509_get_pubkey(xca); + upkey = X509_get0_pubkey(xca); + if (upkey == NULL) { + BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); + goto end; + } EVP_PKEY_copy_parameters(upkey, pkey); - EVP_PKEY_free(upkey); - if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) { + xsc = X509_STORE_CTX_new(); + if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { BIO_printf(bio_err, "Error initialising X509 store\n"); goto end; } @@ -1011,9 +1022,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, * NOTE: this certificate can/should be self signed, unless it was a * certificate request in which case it is not. */ - X509_STORE_CTX_set_cert(&xsc, x); - X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); - if (!reqfile && X509_verify_cert(&xsc) <= 0) + X509_STORE_CTX_set_cert(xsc, x); + X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + if (!reqfile && X509_verify_cert(xsc) <= 0) goto end; if (!X509_check_private_key(xca, pkey)) { @@ -1027,11 +1038,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (!X509_set_serialNumber(x, bs)) goto end; - if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL) - goto end; - - /* hardwired expired */ - if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) + if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) goto end; if (clrext) { @@ -1039,13 +1046,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509_delete_ext(x, 0); } - if (conf) { + if (conf != NULL) { X509V3_CTX ctx2; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - X509_set_version(x, force_version); -#else X509_set_version(x, 2); /* version 3 certificate */ -#endif X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) @@ -1056,7 +1059,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; ret = 1; end: - X509_STORE_CTX_cleanup(&xsc); + X509_STORE_CTX_free(xsc); if (!ret) ERR_print_errors(bio_err); if (!sno) @@ -1097,33 +1100,25 @@ static int callb(int ok, X509_STORE_CTX *ctx) } } -/* self sign */ -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, - const EVP_MD *digest, CONF *conf, char *section) +/* self-issue; self-sign unless a forced public key (fkey) is given */ +static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey, int days, int clrext, + const EVP_MD *digest, CONF *conf, const char *section, + int preserve_dates) { if (!X509_set_issuer_name(x, X509_get_subject_name(x))) goto err; - if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) + if (!preserve_dates && !set_cert_times(x, NULL, NULL, days)) goto err; - - if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == - NULL) - goto err; - - if (!X509_set_pubkey(x, pkey)) + if (fkey == NULL && !X509_set_pubkey(x, pkey)) goto err; if (clrext) { while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); } - if (conf) { + if (conf != NULL) { X509V3_CTX ctx; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - X509_set_version(x, force_version); -#else X509_set_version(x, 2); /* version 3 certificate */ -#endif X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) @@ -1140,7 +1135,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) { int id, i, idret; - char *pname; + const char *pname; id = X509_PURPOSE_get_id(pt); pname = X509_PURPOSE_get0_name(pt); for (i = 0; i < 2; i++) { @@ -1155,3 +1150,93 @@ static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) } return 1; } + +static int parse_ext_names(char *names, const char **result) +{ + char *p, *q; + int cnt = 0, len = 0; + + p = q = names; + len = strlen(names); + + while (q - names <= len) { + if (*q != ',' && *q != '\0') { + q++; + continue; + } + if (p != q) { + /* found */ + if (result != NULL) { + result[cnt] = p; + *q = '\0'; + } + cnt++; + } + p = ++q; + } + + return cnt; +} + +static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names) +{ + const STACK_OF(X509_EXTENSION) *exts = NULL; + STACK_OF(X509_EXTENSION) *exts2 = NULL; + X509_EXTENSION *ext = NULL; + ASN1_OBJECT *obj; + int i, j, ret = 0, num, nn = 0; + const char *sn, **names = NULL; + char *tmp_ext_names = NULL; + + exts = X509_get0_extensions(x); + if ((num = sk_X509_EXTENSION_num(exts)) <= 0) { + BIO_printf(bio, "No extensions in certificate\n"); + ret = 1; + goto end; + } + + /* parse comma separated ext name string */ + if ((tmp_ext_names = OPENSSL_strdup(ext_names)) == NULL) + goto end; + if ((nn = parse_ext_names(tmp_ext_names, NULL)) == 0) { + BIO_printf(bio, "Invalid extension names: %s\n", ext_names); + goto end; + } + if ((names = OPENSSL_malloc(sizeof(char *) * nn)) == NULL) + goto end; + parse_ext_names(tmp_ext_names, names); + + for (i = 0; i < num; i++) { + ext = sk_X509_EXTENSION_value(exts, i); + + /* check if this ext is what we want */ + obj = X509_EXTENSION_get_object(ext); + sn = OBJ_nid2sn(OBJ_obj2nid(obj)); + if (sn == NULL || strcmp(sn, "UNDEF") == 0) + continue; + + for (j = 0; j < nn; j++) { + if (strcmp(sn, names[j]) == 0) { + /* push the extension into a new stack */ + if (exts2 == NULL + && (exts2 = sk_X509_EXTENSION_new_null()) == NULL) + goto end; + if (!sk_X509_EXTENSION_push(exts2, ext)) + goto end; + } + } + } + + if (!sk_X509_EXTENSION_num(exts2)) { + BIO_printf(bio, "No extensions matched with %s\n", ext_names); + ret = 1; + goto end; + } + + ret = X509V3_extensions_print(bio, NULL, exts2, 0, 0); + end: + sk_X509_EXTENSION_free(exts2); + OPENSSL_free(names); + OPENSSL_free(tmp_ext_names); + return ret; +}