Initial code to support distinct certificate and CRL signing keys where the

[openssl.git] / apps / ca.c

diff --git a/apps/ca.c b/apps/ca.c
index 9fde400f69aca561c5ae9226da6da3a9783a89ce..0967b34a213d6812ecc6e298fe5827136decd835 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -226,7 +226,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, CA_DB *db);
 static int do_updatedb(CA_DB *db);
-static int check_time_format(char *str);
+static int check_time_format(const char *str);
 char *make_revocation_str(int rev_type, char *rev_arg);
 int make_revoked(X509_REVOKED *rev, const char *str);
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
@@ -258,6 +258,7 @@ int MAIN(int argc, char **argv)
        int doupdatedb=0;
        long crldays=0;
        long crlhours=0;
+       long crlsec=0;
        long errorline= -1;
        char *configfile=NULL;
        char *md=NULL;
@@ -305,7 +306,8 @@ int MAIN(int argc, char **argv)
        ASN1_TIME *tmptm;
        ASN1_INTEGER *tmpser;
        char *f;
-       const char *p, **pp;
+       const char *p;
+       char * const *pp;
        int i,j;
        const EVP_MD *dgst=NULL;
        STACK_OF(CONF_VALUE) *attribs=NULL;
@@ -456,6 +458,11 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        crlhours= atol(*(++argv));
                        }
+               else if (strcmp(*argv,"-crlsec") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crlsec = atol(*(++argv));
+                       }
                else if (strcmp(*argv,"-infiles") == 0)
                        {
                        argc--;
@@ -549,8 +556,10 @@ bad:
 
        if (badops)
                {
-               for (pp=ca_usage; (*pp != NULL); pp++)
-                       BIO_printf(bio_err,"%s",*pp);
+               const char **pp2;
+
+               for (pp2=ca_usage; (*pp2 != NULL); pp2++)
+                       BIO_printf(bio_err,"%s",*pp2);
                goto err;
                }
 
@@ -870,9 +879,9 @@ bad:
        if (db == NULL) goto err;
 
        /* Lets check some fields */
-       for (i=0; i<sk_num(db->db->data); i++)
+       for (i=0; i<sk_PSTRING_num(db->db->data); i++)
                {
-               pp=(const char **)sk_value(db->db->data,i);
+               pp=sk_PSTRING_value(db->db->data,i);
                if ((pp[DB_type][0] != DB_TYPE_REV) &&
                        (pp[DB_rev_date][0] != '\0'))
                        {
@@ -925,7 +934,7 @@ bad:
 #endif
                TXT_DB_write(out,db->db);
                BIO_printf(bio_err,"%d entries loaded from the database\n",
-                       db->db->data->num);
+                          sk_PSTRING_num(db->db->data));
                BIO_printf(bio_err,"generating index\n");
                }
        
@@ -1367,7 +1376,7 @@ bad:
                                goto err;
                                }
 
-               if (!crldays && !crlhours)
+               if (!crldays && !crlhours && !crlsec)
                        {
                        if (!NCONF_get_number(conf,section,
                                ENV_DEFAULT_CRL_DAYS, &crldays))
@@ -1376,7 +1385,7 @@ bad:
                                ENV_DEFAULT_CRL_HOURS, &crlhours))
                                crlhours = 0;
                        }
-               if ((crldays == 0) && (crlhours == 0))
+               if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
                        {
                        BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
                        goto err;
@@ -1390,14 +1399,14 @@ bad:
                if (!tmptm) goto err;
                X509_gmtime_adj(tmptm,0);
                X509_CRL_set_lastUpdate(crl, tmptm);    
-               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 + crlsec);
                X509_CRL_set_nextUpdate(crl, tmptm);    
 
                ASN1_TIME_free(tmptm);
 
-               for (i=0; i<sk_num(db->db->data); i++)
+               for (i=0; i<sk_PSTRING_num(db->db->data); i++)
                        {
-                       pp=(const char **)sk_value(db->db->data,i);
+                       pp=sk_PSTRING_value(db->db->data,i);
                        if (pp[DB_type][0] == DB_TYPE_REV)
                                {
                                if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1455,6 +1464,12 @@ bad:
                if (crlnumberfile != NULL)      /* we have a CRL number that need updating */
                        if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
 
+               if (crlnumber)
+                       {
+                       BN_free(crlnumber);
+                       crlnumber = NULL;
+                       }
+
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
                PEM_write_bio_X509_CRL(Sout,crl);
@@ -1507,11 +1522,13 @@ err:
        if (free_key && key)
                OPENSSL_free(key);
        BN_free(serial);
+       BN_free(crlnumber);
        free_index(db);
        EVP_PKEY_free(pkey);
        if (x509) X509_free(x509);
        X509_CRL_free(crl);
        NCONF_free(conf);
+       NCONF_free(extconf);
        OBJ_cleanup();
        apps_shutdown();
        OPENSSL_EXIT(ret);
@@ -1664,7 +1681,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        int ok= -1,i,j,last,nid;
        const char *p;
        CONF_VALUE *cv;
-       char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
+       STRING row[DB_NUMBER];
+       STRING *irow=NULL;
+       STRING *rrow=NULL;
        char buf[25];
 
        tmptm=ASN1_UTCTIME_new();
@@ -1906,7 +1925,9 @@ again2:
 
        if (db->attributes.unique_subject)
                {
-               rrow=TXT_DB_get_by_index(db->db,DB_name,row);
+               STRING *crow=row;
+
+               rrow=TXT_DB_get_by_index(db->db,DB_name,crow);
                if (rrow != NULL)
                        {
                        BIO_printf(bio_err,
@@ -2207,7 +2228,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
             unsigned long nameopt, int default_op, int ext_copy)
        {
        STACK_OF(CONF_VALUE) *sk=NULL;
-       LHASH *parms=NULL;
+       LHASH_OF(CONF_VALUE) *parms=NULL;
        X509_REQ *req=NULL;
        CONF_VALUE *cv=NULL;
        NETSCAPE_SPKI *spki = NULL;
@@ -2370,7 +2391,7 @@ static int fix_data(int nid, int *type)
        return(1);
        }
 
-static int check_time_format(char *str)
+static int check_time_format(const char *str)
        {
        ASN1_UTCTIME tm;
 
@@ -2392,6 +2413,8 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                row[i]=NULL;
        row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
        bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
+       if (!bn)
+               goto err;
        if (BN_is_zero(bn))
                row[DB_serial]=BUF_strdup("00");
        else
@@ -2461,7 +2484,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                goto err;
 
                }
-       else if (index_name_cmp((const char **)row,(const char **)rrow))
+       else if (index_name_cmp_noconst(row, rrow))
                {
                BIO_printf(bio_err,"ERROR:name does not match %s\n",
                           row[DB_name]);
@@ -2610,9 +2633,9 @@ static int do_updatedb (CA_DB *db)
        else
                a_y2k = 0;
 
-       for (i = 0; i < sk_num(db->db->data); i++)
+       for (i = 0; i < sk_PSTRING_num(db->db->data); i++)
                {
-               rrow = (char **) sk_value(db->db->data, i);
+               rrow = sk_PSTRING_value(db->db->data, i);
 
                if (rrow[DB_type][0] == 'V')
                        {