-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
# else
# include <unixlib.h>
# endif
-# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
# include <sys/file.h>
# endif
#endif
#undef BSIZE
#define BSIZE 256
-#define BASE_SECTION "ca"
-#define CONFIG_FILE "openssl.cnf"
+#define BASE_SECTION "ca"
#define ENV_DEFAULT_CA "default_ca"
-#define STRING_MASK "string_mask"
+#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
-#define ENV_DIR "dir"
-#define ENV_CERTS "certs"
-#define ENV_CRL_DIR "crl_dir"
-#define ENV_CA_DB "CA_DB"
#define ENV_NEW_CERTS_DIR "new_certs_dir"
-#define ENV_CERTIFICATE "certificate"
+#define ENV_CERTIFICATE "certificate"
#define ENV_SERIAL "serial"
#define ENV_CRLNUMBER "crlnumber"
-#define ENV_CRL "crl"
#define ENV_PRIVATE_KEY "private_key"
-#define ENV_RANDFILE "RANDFILE"
#define ENV_DEFAULT_DAYS "default_days"
#define ENV_DEFAULT_STARTDATE "default_startdate"
#define ENV_DEFAULT_ENDDATE "default_enddate"
/* Additional revocation information types */
-#define REV_NONE 0 /* No addditional information */
+#define REV_NONE 0 /* No additional information */
#define REV_CRL_REASON 1 /* Value is CRL reason code */
#define REV_HOLD 2 /* Value is hold instruction */
#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
-static void lookup_fail(const char *name, const char *tag);
-static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
+
+static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate, char *enddate,
- long days, int batch, char *ext_sect, CONF *conf,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate,
+ long days, int batch, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
-static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate,
- char *enddate, long days, int batch, char *ext_sect,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate, long days, int batch, const char *ext_sect,
CONF *conf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy,
- ENGINE *e);
-static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
+ unsigned long nameopt, int default_op, int ext_copy);
+static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
X509 *x509, const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate,
- char *enddate, long days, char *ext_sect, CONF *conf,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate, long days, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
-static void write_new_certificate(BIO *bp, X509 *x, int output_der,
- int notext);
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
- char *subj, unsigned long chtype, int multirdn,
- int email_dn, char *startdate, char *enddate, long days,
- int batch, int verbose, X509_REQ *req, char *ext_sect,
+ const char *subj, unsigned long chtype, int multirdn,
+ int email_dn, const char *startdate, const char *enddate, long days,
+ int batch, int verbose, X509_REQ *req, const char *ext_sect,
CONF *conf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
static int check_time_format(const char *str);
char *make_revocation_str(int rev_type, char *rev_arg);
int make_revoked(X509_REVOKED *rev, const char *str);
-static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str);
+static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str);
-static CONF *conf = NULL;
static CONF *extconf = NULL;
-static char *section = NULL;
static int preserve = 0;
static int msie_hack = 0;
{"name", OPT_NAME, 's', "The particular CA definition to use"},
{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
- {"create_serial", OPT_CREATE_SERIAL, '-'},
+ {"create_serial", OPT_CREATE_SERIAL, '-',
+ "If reading serial fails, create a new random serial"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Enable support for multivalued RDNs"},
{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
- {"keyfile", OPT_KEYFILE, '<', "Private key file"},
+ {"keyfile", OPT_KEYFILE, 's', "Private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
- {"passin", OPT_PASSIN, 's'},
+ {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"selfsign", OPT_SELFSIGN, '-',
{"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
{"out", OPT_OUT, '>', "Where to put the output file(s)"},
{"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
- {"sigopt", OPT_SIGOPT, 's'},
- {"notext", OPT_NOTEXT, '-'},
+ {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
+ {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
{"batch", OPT_BATCH, '-', "Don't ask questions"},
{"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
{"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
{"msie_hack", OPT_MSIE_HACK, '-',
"msie modifications to handle all those universal strings"},
- {"crldays", OPT_CRLDAYS, 'p', "Days is when the next CRL is due"},
- {"crlhours", OPT_CRLHOURS, 'p', "Hours is when the next CRL is due"},
- {"crlsec", OPT_CRLSEC, 'p'},
+ {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
+ {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
+ {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
{"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
{"spkac", OPT_SPKAC, '<',
"File contains DN and signed public key and challenge"},
{"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
- {"valid", OPT_VALID, 's'},
+ {"valid", OPT_VALID, 's',
+ "Add a Valid(not-revoked) DB entry about a cert (given in file)"},
{"extensions", OPT_EXTENSIONS, 's',
"Extension section (override value in config file)"},
{"extfile", OPT_EXTFILE, '<',
{"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
{"crlexts", OPT_CRLEXTS, 's',
"CRL extension section (override value in config file)"},
- {"crl_reason", OPT_CRL_REASON, 's'},
- {"crl_hold", OPT_CRL_HOLD, 's'},
- {"crl_compromise", OPT_CRL_COMPROMISE, 's'},
- {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'},
+ {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"},
+ {"crl_hold", OPT_CRL_HOLD, 's',
+ "the hold instruction, an OID. Sets revocation reason to certificateHold"},
+ {"crl_compromise", OPT_CRL_COMPROMISE, 's',
+ "sets compromise time to val and the revocation reason to keyCompromise"},
+ {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
+ "sets compromise time to val and the revocation reason to CACompromise"},
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
int ca_main(int argc, char **argv)
{
+ CONF *conf = NULL;
ENGINE *e = NULL;
BIGNUM *crlnumber = NULL, *serial = NULL;
EVP_PKEY *pkey = NULL;
- BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
+ BIO *in = NULL, *out = NULL, *Sout = NULL;
ASN1_INTEGER *tmpser;
ASN1_TIME *tmptm;
CA_DB *db = NULL;
STACK_OF(X509) *cert_sk = NULL;
X509_CRL *crl = NULL;
const EVP_MD *dgst = NULL;
- char *configfile = NULL, *md = NULL, *policy = NULL, *keyfile = NULL;
- char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
- char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
- char *extensions = NULL, *extfile = NULL, *key = NULL, *passinarg = NULL;
+ char *configfile = default_config_file, *section = NULL;
+ char *md = NULL, *policy = NULL, *keyfile = NULL;
+ char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
+ const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
+ const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
- char *serialfile = NULL, *startdate = NULL, *subj = NULL;
- char *prog, *enddate = NULL, *tmp_email_dn = NULL;
- char *dbfile = NULL, *f, *randfile = NULL, *tofree = NULL;
+ const char *serialfile = NULL, *subj = NULL;
+ char *prog, *startdate = NULL, *enddate = NULL;
+ char *dbfile = NULL, *f, *randfile = NULL;
char buf[3][BSIZE];
char *const *pp;
const char *p;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
int i, j, rev_type = REV_NONE, selfsign = 0;
- long crldays = 0, crlhours = 0, crlsec = 0, errorline = -1, days = 0;
+ long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
X509_REVOKED *r = NULL;
OPTION_CHOICE o;
- conf = NULL;
- section = NULL;
- preserve = 0;
- msie_hack = 0;
-
prog = opt_init(argc, argv, ca_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
- case OPT_EOF:
- case OPT_ERR:
+ case OPT_EOF:
+ case OPT_ERR:
opthelp:
- BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
- goto end;
- case OPT_HELP:
- opt_help(ca_options);
- ret = 0;
- goto end;
- case OPT_IN:
- infile = opt_arg();
- break;
- case OPT_OUT:
- outfile = opt_arg();
- break;
- case OPT_VERBOSE:
- verbose = 1;
- break;
- case OPT_CONFIG:
- configfile = opt_arg();
- break;
- case OPT_NAME:
- section = opt_arg();
- break;
- case OPT_SUBJ:
- subj = opt_arg();
- /* preserve=1; */
- break;
- case OPT_UTF8:
- chtype = MBSTRING_UTF8;
- break;
+ BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+ goto end;
+ case OPT_HELP:
+ opt_help(ca_options);
+ ret = 0;
+ goto end;
+ case OPT_IN:
+ req = 1;
+ infile = opt_arg();
+ break;
+ case OPT_OUT:
+ outfile = opt_arg();
+ break;
+ case OPT_VERBOSE:
+ verbose = 1;
+ break;
+ case OPT_CONFIG:
+ configfile = opt_arg();
+ break;
+ case OPT_NAME:
+ section = opt_arg();
+ break;
+ case OPT_SUBJ:
+ subj = opt_arg();
+ /* preserve=1; */
+ break;
+ case OPT_UTF8:
+ chtype = MBSTRING_UTF8;
+ break;
case OPT_CREATE_SERIAL:
create_ser = 1;
break;
argc = opt_num_rest();
argv = opt_rest();
- tofree = NULL;
- if (configfile == NULL)
- configfile = getenv("OPENSSL_CONF");
- if (configfile == NULL)
- configfile = getenv("SSLEAY_CONF");
- if (configfile == NULL) {
- const char *s = X509_get_default_cert_area();
- size_t len;
-
-#ifdef OPENSSL_SYS_VMS
- len = strlen(s) + sizeof(CONFIG_FILE);
- tofree = OPENSSL_malloc(len);
- if (!tofree) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
- strcpy(tofree, s);
-#else
- len = strlen(s) + sizeof(CONFIG_FILE) + 1;
- tofree = OPENSSL_malloc(len);
- if (!tofree) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
- BUF_strlcpy(tofree, s, len);
- BUF_strlcat(tofree, "/", len);
-#endif
- BUF_strlcat(tofree, CONFIG_FILE, len);
- configfile = tofree;
- }
-
BIO_printf(bio_err, "Using configuration from %s\n", configfile);
- conf = NCONF_new(NULL);
- if (NCONF_load(conf, configfile, &errorline) <= 0) {
- if (errorline <= 0)
- BIO_printf(bio_err, "error loading the config file '%s'\n",
- configfile);
- else
- BIO_printf(bio_err, "error on line %ld of config file '%s'\n",
- errorline, configfile);
+
+ if ((conf = app_load_config(configfile)) == NULL)
+ goto end;
+ if (configfile != default_config_file && !app_load_modules(conf))
goto end;
- }
- if (tofree) {
- OPENSSL_free(tofree);
- tofree = NULL;
- }
/* Lets get the config section we are using */
- if (section == NULL) {
- section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
- if (section == NULL) {
- lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
- goto end;
- }
- }
+ if (section == NULL
+ && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL)
+ goto end;
if (conf != NULL) {
p = NCONF_get_string(conf, NULL, "oid_file");
f = NCONF_get_string(conf, section, UTF8_IN);
if (!f)
ERR_clear_error();
- else if (!strcmp(f, "yes"))
+ else if (strcmp(f, "yes") == 0)
chtype = MBSTRING_UTF8;
}
} else
ERR_clear_error();
- /*****************************************************************/
+ /*****************************************************************/
/* report status of cert with serial number given on command line */
if (ser_status) {
- if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
- lookup_fail(section, ENV_DATABASE);
+ dbfile = lookup_conf(conf, section, ENV_DATABASE);
+ if (dbfile == NULL)
goto end;
- }
+
db = load_index(dbfile, &db_attr);
if (db == NULL)
goto end;
goto end;
}
- /*****************************************************************/
+ /*****************************************************************/
/* we definitely need a private key, so let's get it */
- if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
- section,
- ENV_PRIVATE_KEY)) ==
- NULL)) {
- lookup_fail(section, ENV_PRIVATE_KEY);
+ if (keyfile == NULL
+ && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL)
goto end;
- }
+
if (!key) {
free_key = 1;
if (!app_passwd(passinarg, NULL, &key, NULL)) {
goto end;
}
- /*****************************************************************/
+ /*****************************************************************/
/* we need a certificate */
if (!selfsign || spkac_file || ss_cert_file || gencrl) {
- if ((certfile == NULL)
- && ((certfile = NCONF_get_string(conf,
- section,
- ENV_CERTIFICATE)) == NULL)) {
- lookup_fail(section, ENV_CERTIFICATE);
+ if (certfile == NULL
+ && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;
- }
- x509 = load_cert(certfile, FORMAT_PEM, NULL, e, "CA certificate");
+
+ x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
if (x509 == NULL)
goto end;
goto end;
}
default_op = 0;
- } else
+ } else {
+ nameopt = XN_FLAG_ONELINE;
ERR_clear_error();
+ }
f = NCONF_get_string(conf, section, ENV_CERTOPT);
} else
ERR_clear_error();
- /*****************************************************************/
+ /*****************************************************************/
/* lookup where to write new certificates */
if ((outdir == NULL) && (req)) {
- if ((outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR))
- == NULL) {
+ outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR);
+ if (outdir == NULL) {
BIO_printf(bio_err,
"there needs to be defined a directory for new certificate to be placed in\n");
goto end;
#ifndef OPENSSL_SYS_VMS
/*
* outdir is a directory spec, but access() for VMS demands a
- * filename. In any case, stat(), below, will catch the problem if
- * outdir is not a directory spec, and the fopen() or open() will
- * catch an error if there is no write access.
- *
- * Presumably, this problem could also be solved by using the DEC C
- * routines to convert the directory syntax to Unixly, and give that
- * to access(). However, time's too short to do that just now.
+ * filename. We could use the DEC C routine to convert the
+ * directory syntax to Unixly, and give that to app_isdir,
+ * but for now the fopen will catch the error if it's not a
+ * directory
*/
- if (app_access(outdir, R_OK | W_OK | X_OK) != 0)
- {
- BIO_printf(bio_err, "I am unable to access the %s directory\n",
- outdir);
- perror(outdir);
- goto end;
- }
-
if (app_isdir(outdir) <= 0) {
- BIO_printf(bio_err, "%s need to be a directory\n", outdir);
+ BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir);
perror(outdir);
goto end;
}
#endif
}
- /*****************************************************************/
+ /*****************************************************************/
/* we need to load the database file */
- if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
- lookup_fail(section, ENV_DATABASE);
+ dbfile = lookup_conf(conf, section, ENV_DATABASE);
+ if (dbfile == NULL)
goto end;
- }
+
db = load_index(dbfile, &db_attr);
if (db == NULL)
goto end;
goto end;
}
for ( ; *p; p++) {
- if (!isxdigit(*p)) {
+ if (!isxdigit(_UC(*p))) {
BIO_printf(bio_err,
"entry %d: bad char 0%o '%c' in serial number\n",
i + 1, *p, *p);
if (!index_index(db))
goto end;
- /*****************************************************************/
+ /*****************************************************************/
/* Update the db file for expired certificates */
if (doupdatedb) {
if (verbose)
}
}
- /*****************************************************************/
+ /*****************************************************************/
/* Read extensions config file */
if (extfile) {
- extconf = NCONF_new(NULL);
- if (NCONF_load(extconf, extfile, &errorline) <= 0) {
- if (errorline <= 0)
- BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
- extfile);
- else
- BIO_printf(bio_err,
- "ERROR: on line %ld of config file '%s'\n",
- errorline, extfile);
+ if ((extconf = app_load_config(extfile)) == NULL) {
ret = 1;
goto end;
}
extfile);
/* We can have sections in the ext file */
- if (!extensions
- && !(extensions =
- NCONF_get_string(extconf, "default", "extensions")))
- extensions = "default";
+ if (extensions == NULL) {
+ extensions = NCONF_get_string(extconf, "default", "extensions");
+ if (extensions == NULL)
+ extensions = "default";
+ }
}
- /*****************************************************************/
+ /*****************************************************************/
if (req || gencrl) {
- Sout = bio_open_default(outfile, "w");
+ /* FIXME: Is it really always text? */
+ Sout = bio_open_default(outfile, 'w', FORMAT_TEXT);
if (Sout == NULL)
goto end;
}
- if ((md == NULL) && ((md = NCONF_get_string(conf,
- section,
- ENV_DEFAULT_MD)) == NULL)) {
- lookup_fail(section, ENV_DEFAULT_MD);
+ if (md == NULL
+ && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL)
goto end;
- }
- if (!strcmp(md, "default")) {
+ if (strcmp(md, "default") == 0) {
int def_nid;
if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
BIO_puts(bio_err, "no default digest\n");
}
if (req) {
- if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
- section,
- ENV_DEFAULT_EMAIL_DN))
- != NULL)) {
- if (strcmp(tmp_email_dn, "no") == 0)
+ if (email_dn == 1) {
+ char *tmp_email_dn = NULL;
+
+ tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN);
+ if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0)
email_dn = 0;
}
if (verbose)
BIO_printf(bio_err, "message digest is %s\n",
- OBJ_nid2ln(dgst->type));
- if ((policy == NULL) && ((policy = NCONF_get_string(conf,
- section,
- ENV_POLICY)) ==
- NULL)) {
- lookup_fail(section, ENV_POLICY);
+ OBJ_nid2ln(EVP_MD_type(dgst)));
+ if (policy == NULL
+ && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL)
goto end;
- }
+
if (verbose)
BIO_printf(bio_err, "policy is %s\n", policy);
- if ((serialfile = NCONF_get_string(conf, section, ENV_SERIAL))
- == NULL) {
- lookup_fail(section, ENV_SERIAL);
+ serialfile = lookup_conf(conf, section, ENV_SERIAL);
+ if (serialfile == NULL)
goto end;
- }
if (!extconf) {
/*
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
conf, verbose, certopt, nameopt, default_op,
- ext_copy, e);
+ ext_copy);
if (j < 0)
goto end;
if (j > 0) {
if (verbose)
BIO_printf(bio_err, "writing new certificates\n");
for (i = 0; i < sk_X509_num(cert_sk); i++) {
+ BIO *Cout = NULL;
+ X509 *xi = sk_X509_value(cert_sk, i);
+ ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi);
int k;
char *n;
- x = sk_X509_value(cert_sk, i);
-
- j = x->cert_info->serialNumber->length;
- p = (const char *)x->cert_info->serialNumber->data;
+ j = ASN1_STRING_length(serialNumber);
+ p = (const char *)ASN1_STRING_get0_data(serialNumber);
if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) {
BIO_printf(bio_err, "certificate file name too long\n");
strcpy(buf[2], outdir);
#ifndef OPENSSL_SYS_VMS
- BUF_strlcat(buf[2], "/", sizeof(buf[2]));
+ OPENSSL_strlcat(buf[2], "/", sizeof(buf[2]));
#endif
n = (char *)&(buf[2][strlen(buf[2])]);
perror(buf[2]);
goto end;
}
- write_new_certificate(Cout, x, 0, notext);
- write_new_certificate(Sout, x, output_der, notext);
+ write_new_certificate(Cout, xi, 0, notext);
+ write_new_certificate(Sout, xi, output_der, notext);
+ BIO_free_all(Cout);
}
if (sk_X509_num(cert_sk)) {
}
}
- /*****************************************************************/
+ /*****************************************************************/
if (gencrl) {
int crl_v2 = 0;
if (!crl_ext) {
goto end;
tmptm = ASN1_TIME_new();
- if (!tmptm)
+ if (tmptm == NULL)
goto end;
X509_gmtime_adj(tmptm, 0);
- X509_CRL_set_lastUpdate(crl, tmptm);
+ X509_CRL_set1_lastUpdate(crl, tmptm);
if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
NULL)) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
goto end;
}
- X509_CRL_set_nextUpdate(crl, tmptm);
+ X509_CRL_set1_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
goto end;
- if (crlnumber) {
- BN_free(crlnumber);
- crlnumber = NULL;
- }
+ BN_free(crlnumber);
+ crlnumber = NULL;
if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts))
goto end;
goto end;
}
- /*****************************************************************/
+ /*****************************************************************/
if (dorevoke) {
if (infile == NULL) {
BIO_printf(bio_err, "no input files\n");
goto end;
} else {
X509 *revcert;
- revcert = load_cert(infile, FORMAT_PEM, NULL, e, infile);
+ revcert = load_cert(infile, FORMAT_PEM, infile);
if (revcert == NULL)
goto end;
if (dorevoke == 2)
BIO_printf(bio_err, "Data Base Updated\n");
}
}
- /*****************************************************************/
+ /*****************************************************************/
ret = 0;
end:
- if (tofree)
- OPENSSL_free(tofree);
- BIO_free_all(Cout);
BIO_free_all(Sout);
BIO_free_all(out);
BIO_free_all(in);
-
- if (cert_sk)
- sk_X509_pop_free(cert_sk, X509_free);
+ sk_X509_pop_free(cert_sk, X509_free);
if (ret)
ERR_print_errors(bio_err);
app_RAND_write_file(randfile);
- if (free_key && key)
+ if (free_key)
OPENSSL_free(key);
BN_free(serial);
BN_free(crlnumber);
free_index(db);
- if (sigopts)
- sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(sigopts);
EVP_PKEY_free(pkey);
- if (x509)
- X509_free(x509);
+ X509_free(x509);
X509_CRL_free(crl);
NCONF_free(conf);
NCONF_free(extconf);
- OBJ_cleanup();
+ release_engine(e);
return (ret);
}
-static void lookup_fail(const char *name, const char *tag)
+static char *lookup_conf(const CONF *conf, const char *section, const char *tag)
{
- BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
+ char *entry = NCONF_get_string(conf, section, tag);
+ if (entry == NULL)
+ BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag);
+ return entry;
}
-static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate, char *enddate,
- long days, int batch, char *ext_sect, CONF *lconf,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate,
+ long days, int batch, const char *ext_sect, CONF *lconf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign)
{
ok = 0;
goto end;
}
- if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+ if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_REQ_verify(req, pktmp);
- EVP_PKEY_free(pktmp);
+ pktmp = NULL;
if (i < 0) {
ok = 0;
BIO_printf(bio_err, "Signature verification problems....\n");
ext_copy, selfsign);
end:
- if (req != NULL)
- X509_REQ_free(req);
+ X509_REQ_free(req);
BIO_free(in);
return (ok);
}
-static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate,
- char *enddate, long days, int batch, char *ext_sect,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate, long days, int batch, const char *ext_sect,
CONF *lconf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy,
- ENGINE *e)
+ unsigned long nameopt, int default_op, int ext_copy)
{
X509 *req = NULL;
X509_REQ *rreq = NULL;
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- if ((req = load_cert(infile, FORMAT_PEM, NULL, e, infile)) == NULL)
+ if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
goto end;
if (verbose)
X509_print(bio_err, req);
BIO_printf(bio_err, "Check that the request matches the signature\n");
- if ((pktmp = X509_get_pubkey(req)) == NULL) {
+ if ((pktmp = X509_get0_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = X509_verify(req, pktmp);
- EVP_PKEY_free(pktmp);
if (i < 0) {
ok = 0;
BIO_printf(bio_err, "Signature verification problems....\n");
} else
BIO_printf(bio_err, "Signature ok\n");
- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
+ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
goto end;
ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
ext_copy, 0);
end:
- if (rreq != NULL)
- X509_REQ_free(rreq);
- if (req != NULL)
- X509_free(req);
+ X509_REQ_free(rreq);
+ X509_free(req);
return (ok);
}
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
- char *subj, unsigned long chtype, int multirdn,
- int email_dn, char *startdate, char *enddate, long days,
- int batch, int verbose, X509_REQ *req, char *ext_sect,
+ const char *subj, unsigned long chtype, int multirdn,
+ int email_dn, const char *startdate, const char *enddate, long days,
+ int batch, int verbose, X509_REQ *req, const char *ext_sect,
CONF *lconf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign)
{
X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
NULL;
- ASN1_UTCTIME *tm, *tmptm;
+ const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
- X509_CINF *ci;
X509_NAME_ENTRY *ne;
X509_NAME_ENTRY *tne, *push;
EVP_PKEY *pktmp;
OPENSSL_STRING *rrow = NULL;
char buf[25];
- tmptm = ASN1_UTCTIME_new();
- if (tmptm == NULL) {
- BIO_printf(bio_err, "malloc error\n");
- return (0);
- }
-
for (i = 0; i < DB_NUMBER; i++)
row[i] = NULL;
goto end;
}
X509_REQ_set_subject_name(req, n);
- req->req_info->enc.modified = 1;
X509_NAME_free(n);
}
if (selfsign)
CAname = X509_NAME_dup(name);
else
- CAname = X509_NAME_dup(x509->cert_info->subject);
+ CAname = X509_NAME_dup(X509_get_subject_name(x509));
if (CAname == NULL)
goto end;
str = str2 = NULL;
j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
if ((j < 0) && (last2 == -1)) {
BIO_printf(bio_err,
- "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",
+ "The %s field does not exist in the CA certificate,\n"
+ "the 'policy' is misconfigured\n",
cv->name);
goto end;
}
}
if (j < 0) {
BIO_printf(bio_err,
- "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",
+ "The %s field is different between\n"
+ "CA certificate (%s) and the request (%s)\n",
cv->name,
((str2 == NULL) ? "NULL" : (char *)str2->data),
((str == NULL) ? "NULL" : (char *)str->data));
if (push != NULL) {
if (!X509_NAME_add_entry(subject, push, -1, 0)) {
- if (push != NULL)
- X509_NAME_ENTRY_free(push);
+ X509_NAME_ENTRY_free(push);
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
* Its best to dup the subject DN and then delete any email addresses
* because this retains its structure.
*/
- if (!(dn_subject = X509_NAME_dup(subject))) {
+ if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
}
if (BN_is_zero(serial))
- row[DB_serial] = BUF_strdup("00");
+ row[DB_serial] = OPENSSL_strdup("00");
else
row[DB_serial] = BN_bn2hex(serial);
if (row[DB_serial] == NULL) {
if ((ret = X509_new()) == NULL)
goto end;
- ci = ret->cert_info;
#ifdef X509_V3
/* Make it an X509 v3 certificate. */
goto end;
#endif
- if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+ if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
goto end;
if (selfsign) {
if (!X509_set_issuer_name(ret, subject))
goto end;
}
- if (strcmp(startdate, "today") == 0)
- X509_gmtime_adj(X509_get_notBefore(ret), 0);
- else
- ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
+ if (!set_cert_times(ret, startdate, enddate, days))
+ goto end;
- if (enddate == NULL)
- X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
- else {
+ if (enddate != NULL) {
int tdays;
- ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
- ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+ ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret));
days = tdays;
}
if (!X509_set_subject_name(ret, subject))
goto end;
- pktmp = X509_REQ_get_pubkey(req);
+ pktmp = X509_REQ_get0_pubkey(req);
i = X509_set_pubkey(ret, pktmp);
- EVP_PKEY_free(pktmp);
if (!i)
goto end;
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version = ASN1_INTEGER_new()) == NULL)
- goto end;
- ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
-
- /*
- * Free the current entries if any, there should not be any I believe
- */
- if (ci->extensions != NULL)
- sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
-
- ci->extensions = NULL;
+ X509_set_version(ret, 2);
/* Initialize the context structure */
if (selfsign)
}
BIO_printf(bio_err, "Certificate is to be certified until ");
- ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(ret));
if (days)
BIO_printf(bio_err, " (%ld days)", days);
BIO_printf(bio_err, "\n");
}
}
- pktmp = X509_get_pubkey(ret);
+ pktmp = X509_get0_pubkey(ret);
if (EVP_PKEY_missing_parameters(pktmp) &&
!EVP_PKEY_missing_parameters(pkey))
EVP_PKEY_copy_parameters(pktmp, pkey);
- EVP_PKEY_free(pktmp);
if (!do_X509_sign(ret, pkey, dgst, sigopts))
goto end;
/* We now just add it to the database */
- row[DB_type] = OPENSSL_malloc(2);
-
- tm = X509_get_notAfter(ret);
- row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+ row[DB_type] = OPENSSL_strdup("V");
+ tm = X509_get0_notAfter(ret);
+ row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
-
row[DB_rev_date] = NULL;
-
- /* row[DB_serial] done already */
- row[DB_file] = OPENSSL_malloc(8);
+ row[DB_file] = OPENSSL_strdup("unknown");
row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
- BUF_strlcpy(row[DB_file], "unknown", 8);
- row[DB_type][0] = 'V';
- row[DB_type][1] = '\0';
-
- if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
+ irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
for (i = 0; i < DB_NUMBER; i++) {
irow[i] = row[i];
row[i] = NULL;
ok = 1;
end:
for (i = 0; i < DB_NUMBER; i++)
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
- if (CAname != NULL)
- X509_NAME_free(CAname);
- if (subject != NULL)
- X509_NAME_free(subject);
- if ((dn_subject != NULL) && !email_dn)
+ X509_NAME_free(CAname);
+ X509_NAME_free(subject);
+ if (dn_subject != subject)
X509_NAME_free(dn_subject);
- if (tmptm != NULL)
- ASN1_UTCTIME_free(tmptm);
- if (ok <= 0) {
- if (ret != NULL)
- X509_free(ret);
- ret = NULL;
- } else
+ if (ok <= 0)
+ X509_free(ret);
+ else
*xret = ret;
return (ok);
}
PEM_write_bio_X509(bp, x);
}
-static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
+static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
X509 *x509, const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj, unsigned long chtype,
- int multirdn, int email_dn, char *startdate,
- char *enddate, long days, char *ext_sect,
+ BIGNUM *serial, const char *subj, unsigned long chtype,
+ int multirdn, int email_dn, const char *startdate,
+ const char *enddate, long days, const char *ext_sect,
CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy)
{
X509_REQ *req = NULL;
CONF_VALUE *cv = NULL;
NETSCAPE_SPKI *spki = NULL;
- X509_REQ_INFO *ri;
char *type, *buf;
EVP_PKEY *pktmp = NULL;
X509_NAME *n = NULL;
sk = CONF_get_section(parms, "default");
if (sk_CONF_VALUE_num(sk) == 0) {
BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
- CONF_free(parms);
goto end;
}
/*
* Build up the subject name set.
*/
- ri = req->req_info;
- n = ri->subject;
+ n = X509_REQ_get_subject_name(req);
for (i = 0;; i++) {
if (sk_CONF_VALUE_num(sk) <= i)
j = NETSCAPE_SPKI_verify(spki, pktmp);
if (j <= 0) {
+ EVP_PKEY_free(pktmp);
BIO_printf(bio_err,
"signature verification failed on SPKAC public key\n");
goto end;
verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
ext_copy, 0);
end:
- if (req != NULL)
- X509_REQ_free(req);
- if (parms != NULL)
- CONF_free(parms);
- if (spki != NULL)
- NETSCAPE_SPKI_free(spki);
- if (ne != NULL)
- X509_NAME_ENTRY_free(ne);
+ X509_REQ_free(req);
+ CONF_free(parms);
+ NETSCAPE_SPKI_free(spki);
+ X509_NAME_ENTRY_free(ne);
return (ok);
}
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
{
- ASN1_UTCTIME *tm = NULL;
+ const ASN1_TIME *tm = NULL;
char *row[DB_NUMBER], **rrow, **irow;
char *rev_str = NULL;
BIGNUM *bn = NULL;
if (!bn)
goto end;
if (BN_is_zero(bn))
- row[DB_serial] = BUF_strdup("00");
+ row[DB_serial] = OPENSSL_strdup("00");
else
row[DB_serial] = BN_bn2hex(bn);
BN_free(bn);
row[DB_serial], row[DB_name]);
/* We now just add it to the database */
- row[DB_type] = OPENSSL_malloc(2);
-
- tm = X509_get_notAfter(x509);
- row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+ row[DB_type] = OPENSSL_strdup("V");
+ tm = X509_get0_notAfter(x509);
+ row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
-
row[DB_rev_date] = NULL;
+ row[DB_file] = OPENSSL_strdup("unknown");
- /* row[DB_serial] done already */
- row[DB_file] = OPENSSL_malloc(8);
-
- /* row[DB_name] done already */
-
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
- (row[DB_file] == NULL)) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
- BUF_strlcpy(row[DB_file], "unknown", 8);
- row[DB_type][0] = 'V';
- row[DB_type][1] = '\0';
-
- if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
-
+ irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr");
for (i = 0; i < DB_NUMBER; i++) {
irow[i] = row[i];
row[i] = NULL;
ok = 1;
end:
for (i = 0; i < DB_NUMBER; i++) {
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
}
return (ok);
}
{
char *row[DB_NUMBER], **rrow;
int ok = -1, i;
+ size_t serial_len = strlen(serial);
/* Free Resources */
for (i = 0; i < DB_NUMBER; i++)
row[i] = NULL;
/* Malloc needed char spaces */
- row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
- if (row[DB_serial] == NULL) {
- BIO_printf(bio_err, "Malloc failure\n");
- goto end;
- }
+ row[DB_serial] = app_malloc(serial_len + 2, "row serial#");
- if (strlen(serial) % 2) {
+ if (serial_len % 2) {
/*
* Set the first char to 0
*/ ;
row[DB_serial][0] = '0';
/* Copy String from serial to row[DB_serial] */
- memcpy(row[DB_serial] + 1, serial, strlen(serial));
- row[DB_serial][strlen(serial) + 1] = '\0';
+ memcpy(row[DB_serial] + 1, serial, serial_len);
+ row[DB_serial][serial_len + 1] = '\0';
} else {
/* Copy String from serial to row[DB_serial] */
- memcpy(row[DB_serial], serial, strlen(serial));
- row[DB_serial][strlen(serial)] = '\0';
+ memcpy(row[DB_serial], serial, serial_len);
+ row[DB_serial][serial_len] = '\0';
}
/* Make it Upper Case */
}
end:
for (i = 0; i < DB_NUMBER; i++) {
- if (row[i] != NULL)
- OPENSSL_free(row[i]);
+ OPENSSL_free(row[i]);
}
return (ok);
}
char **rrow, *a_tm_s;
a_tm = ASN1_UTCTIME_new();
+ if (a_tm == NULL)
+ return -1;
/* get actual time and make a string */
a_tm = X509_gmtime_adj(a_tm, 0);
- a_tm_s = OPENSSL_malloc(a_tm->length + 1);
- if (a_tm_s == NULL) {
- cnt = -1;
- goto end;
- }
+ a_tm_s = app_malloc(a_tm->length + 1, "time string");
memcpy(a_tm_s, a_tm->data, a_tm->length);
a_tm_s[a_tm->length] = '\0';
}
}
- end:
-
ASN1_UTCTIME_free(a_tm);
OPENSSL_free(a_tm_s);
-
return (cnt);
}
"CAkeyTime"
};
-#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
+#define NUM_REASONS OSSL_NELEM(crl_reasons)
/*
* Given revocation information convert to a DB string. The format of the
char *make_revocation_str(int rev_type, char *rev_arg)
{
- char *other = NULL, *str;
+ char *str;
+ const char *other = NULL;
const char *reason = NULL;
ASN1_OBJECT *otmp;
ASN1_UTCTIME *revtm = NULL;
case REV_CRL_REASON:
for (i = 0; i < 8; i++) {
- if (!strcasecmp(rev_arg, crl_reasons[i])) {
+ if (strcasecmp(rev_arg, crl_reasons[i]) == 0) {
reason = crl_reasons[i];
break;
}
if (other)
i += strlen(other) + 1;
- str = OPENSSL_malloc(i);
-
- if (!str)
- return NULL;
-
- BUF_strlcpy(str, (char *)revtm->data, i);
+ str = app_malloc(i, "revocation reason");
+ OPENSSL_strlcpy(str, (char *)revtm->data, i);
if (reason) {
- BUF_strlcat(str, ",", i);
- BUF_strlcat(str, reason, i);
+ OPENSSL_strlcat(str, ",", i);
+ OPENSSL_strlcat(str, reason, i);
}
if (other) {
- BUF_strlcat(str, ",", i);
- BUF_strlcat(str, other, i);
+ OPENSSL_strlcat(str, ",", i);
+ OPENSSL_strlcat(str, other, i);
}
ASN1_UTCTIME_free(revtm);
return str;
if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
rtmp = ASN1_ENUMERATED_new();
- if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
+ if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code))
goto end;
if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
goto end;
end:
- if (tmp)
- OPENSSL_free(tmp);
+ OPENSSL_free(tmp);
ASN1_OBJECT_free(hold);
ASN1_GENERALIZEDTIME_free(comp_time);
ASN1_ENUMERATED_free(rtmp);
return ret;
}
-static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str)
+static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str)
{
- char buf[25], *pbuf, *p;
+ char buf[25], *pbuf;
+ const char *p;
int j;
+
j = i2a_ASN1_OBJECT(bio_err, obj);
pbuf = buf;
for (j = 22 - j; j > 0; j--)
else
BIO_printf(bio_err, "ASN.1 %2d:'", str->type);
- p = (char *)str->data;
+ p = (const char *)str->data;
for (j = str->length; j > 0; j--) {
if ((*p >= ' ') && (*p <= '~'))
BIO_printf(bio_err, "%c", *p);
ASN1_OBJECT *hold = NULL;
ASN1_GENERALIZEDTIME *comp_time = NULL;
- tmp = BUF_strdup(str);
+ tmp = OPENSSL_strdup(str);
if (!tmp) {
BIO_printf(bio_err, "memory allocation failure\n");
goto end;
if (prevtm) {
*prevtm = ASN1_UTCTIME_new();
- if (!*prevtm) {
+ if (*prevtm == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
goto end;
}
}
if (reason_str) {
for (i = 0; i < NUM_REASONS; i++) {
- if (!strcasecmp(reason_str, crl_reasons[i])) {
+ if (strcasecmp(reason_str, crl_reasons[i]) == 0) {
reason_code = i;
break;
}
}
if (phold)
*phold = hold;
+ else
+ ASN1_OBJECT_free(hold);
} else if ((reason_code == 9) || (reason_code == 10)) {
if (!arg_str) {
BIO_printf(bio_err, "missing compromised time\n");
goto end;
}
comp_time = ASN1_GENERALIZEDTIME_new();
- if (!comp_time) {
+ if (comp_time == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
goto end;
}
if (preason)
*preason = reason_code;
- if (pinvtm)
+ if (pinvtm) {
*pinvtm = comp_time;
- else
- ASN1_GENERALIZEDTIME_free(comp_time);
+ comp_time = NULL;
+ }
ret = 1;
end:
- if (tmp)
- OPENSSL_free(tmp);
- if (!phold)
- ASN1_OBJECT_free(hold);
- if (!pinvtm)
- ASN1_GENERALIZEDTIME_free(comp_time);
+ OPENSSL_free(tmp);
+ ASN1_GENERALIZEDTIME_free(comp_time);
return ret;
}