41850098b6755e88a9bbd65f42012d49839631dc
[openssl.git] / apps / ca.c
1 /* apps/ca.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <ctype.h>
65 #include <sys/types.h>
66 #include <sys/stat.h>
67 #include "apps.h"
68 #include <openssl/conf.h>
69 #include <openssl/bio.h>
70 #include <openssl/err.h>
71 #include <openssl/bn.h>
72 #include <openssl/txt_db.h>
73 #include <openssl/evp.h>
74 #include <openssl/x509.h>
75 #include <openssl/x509v3.h>
76 #include <openssl/objects.h>
77 #include <openssl/ocsp.h>
78 #include <openssl/pem.h>
79 #include <openssl/engine.h>
80
81 #ifdef OPENSSL_SYS_WINDOWS
82 #define strcasecmp _stricmp
83 #else
84 #include <strings.h>
85 #endif
86
87 #ifndef W_OK
88 #  ifdef OPENSSL_SYS_VMS
89 #    if defined(__DECC)
90 #      include <unistd.h>
91 #    else
92 #      include <unixlib.h>
93 #    endif
94 #  else
95 #    include <sys/file.h>
96 #  endif
97 #endif
98
99 #ifndef W_OK
100 #  define F_OK 0
101 #  define X_OK 1
102 #  define W_OK 2
103 #  define R_OK 4
104 #endif
105
106 #undef PROG
107 #define PROG ca_main
108
109 #define BASE_SECTION    "ca"
110 #define CONFIG_FILE "openssl.cnf"
111
112 #define ENV_DEFAULT_CA          "default_ca"
113
114 #define ENV_DIR                 "dir"
115 #define ENV_CERTS               "certs"
116 #define ENV_CRL_DIR             "crl_dir"
117 #define ENV_CA_DB               "CA_DB"
118 #define ENV_NEW_CERTS_DIR       "new_certs_dir"
119 #define ENV_CERTIFICATE         "certificate"
120 #define ENV_SERIAL              "serial"
121 #define ENV_CRL                 "crl"
122 #define ENV_PRIVATE_KEY         "private_key"
123 #define ENV_RANDFILE            "RANDFILE"
124 #define ENV_DEFAULT_DAYS        "default_days"
125 #define ENV_DEFAULT_STARTDATE   "default_startdate"
126 #define ENV_DEFAULT_ENDDATE     "default_enddate"
127 #define ENV_DEFAULT_CRL_DAYS    "default_crl_days"
128 #define ENV_DEFAULT_CRL_HOURS   "default_crl_hours"
129 #define ENV_DEFAULT_MD          "default_md"
130 #define ENV_PRESERVE            "preserve"
131 #define ENV_POLICY              "policy"
132 #define ENV_EXTENSIONS          "x509_extensions"
133 #define ENV_CRLEXT              "crl_extensions"
134 #define ENV_MSIE_HACK           "msie_hack"
135 #define ENV_NAMEOPT             "name_opt"
136 #define ENV_CERTOPT             "cert_opt"
137
138 #define ENV_DATABASE            "database"
139
140 #define DB_type         0
141 #define DB_exp_date     1
142 #define DB_rev_date     2
143 #define DB_serial       3       /* index - unique */
144 #define DB_file         4       
145 #define DB_name         5       /* index - unique for active */
146 #define DB_NUMBER       6
147
148 #define DB_TYPE_REV     'R'
149 #define DB_TYPE_EXP     'E'
150 #define DB_TYPE_VAL     'V'
151
152 /* Additional revocation information types */
153
154 #define REV_NONE                0       /* No addditional information */
155 #define REV_CRL_REASON          1       /* Value is CRL reason code */
156 #define REV_HOLD                2       /* Value is hold instruction */
157 #define REV_KEY_COMPROMISE      3       /* Value is cert key compromise time */
158 #define REV_CA_COMPROMISE       4       /* Value is CA key compromise time */
159
160 static char *ca_usage[]={
161 "usage: ca args\n",
162 "\n",
163 " -verbose        - Talk alot while doing things\n",
164 " -config file    - A config file\n",
165 " -name arg       - The particular CA definition to use\n",
166 " -gencrl         - Generate a new CRL\n",
167 " -crldays days   - Days is when the next CRL is due\n",
168 " -crlhours hours - Hours is when the next CRL is due\n",
169 " -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
170 " -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
171 " -days arg       - number of days to certify the certificate for\n",
172 " -md arg         - md to use, one of md2, md5, sha or sha1\n",
173 " -policy arg     - The CA 'policy' to support\n",
174 " -keyfile arg    - private key file\n",
175 " -keyform arg    - private key file format (PEM or ENGINE)\n",
176 " -key arg        - key to decode the private key if it is encrypted\n",
177 " -cert file      - The CA certificate\n",
178 " -in file        - The input PEM encoded certificate request(s)\n",
179 " -out file       - Where to put the output file(s)\n",
180 " -outdir dir     - Where to put output certificates\n",
181 " -infiles ....   - The last argument, requests to process\n",
182 " -spkac file     - File contains DN and signed public key and challenge\n",
183 " -ss_cert file   - File contains a self signed cert to sign\n",
184 " -preserveDN     - Don't re-order the DN\n",
185 " -batch          - Don't ask questions\n",
186 " -msie_hack      - msie modifications to handle all those universal strings\n",
187 " -revoke file    - Revoke a certificate (given in file)\n",
188 " -subj arg       - Use arg instead of request's subject\n",
189 " -extensions ..  - Extension section (override value in config file)\n",
190 " -extfile file   - Configuration file with X509v3 extentions to add\n",
191 " -crlexts ..     - CRL extension section (override value in config file)\n",
192 " -engine e       - use engine e, possibly a hardware device.\n",
193 " -status serial  - Shows certificate status given the serial number\n",
194 " -updatedb       - Updates db for expired certificates\n",
195 NULL
196 };
197
198 #ifdef EFENCE
199 extern int EF_PROTECT_FREE;
200 extern int EF_PROTECT_BELOW;
201 extern int EF_ALIGNMENT;
202 #endif
203
204 static void lookup_fail(char *name,char *tag);
205 static unsigned long index_serial_hash(const char **a);
206 static int index_serial_cmp(const char **a, const char **b);
207 static unsigned long index_name_hash(const char **a);
208 static int index_name_qual(char **a);
209 static int index_name_cmp(const char **a,const char **b);
210 static BIGNUM *load_serial(char *serialfile);
211 static int save_serial(char *serialfile, BIGNUM *serial);
212 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
213                    const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
214                    BIGNUM *serial, char *subj, char *startdate,char *enddate,
215                    int days, int batch, char *ext_sect, LHASH *conf,int verbose,
216                    unsigned long certopt, unsigned long nameopt, int default_op,
217                    int ext_copy);
218 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
219                         const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
220                         TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
221                         char *enddate, int days, int batch, char *ext_sect,
222                         LHASH *conf,int verbose, unsigned long certopt,
223                         unsigned long nameopt, int default_op, int ext_copy);
224 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
225                          const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
226                          TXT_DB *db, BIGNUM *serial,char *subj, char *startdate,
227                          char *enddate, int days, char *ext_sect,LHASH *conf,
228                          int verbose, unsigned long certopt, unsigned long nameopt,
229                          int default_op, int ext_copy);
230 static int fix_data(int nid, int *type);
231 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
232 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
233         STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
234         char *startdate, char *enddate, int days, int batch, int verbose,
235         X509_REQ *req, char *ext_sect, LHASH *conf,
236         unsigned long certopt, unsigned long nameopt, int default_op,
237         int ext_copy);
238 static X509_NAME *do_subject(char *subject);
239 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
240 static int get_certificate_status(const char *ser_status, TXT_DB *db);
241 static int do_updatedb(TXT_DB *db);
242 static int check_time_format(char *str);
243 char *make_revocation_str(int rev_type, char *rev_arg);
244 int make_revoked(X509_REVOKED *rev, char *str);
245 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
246 static LHASH *conf=NULL;
247 static LHASH *extconf=NULL;
248 static char *section=NULL;
249
250 static int preserve=0;
251 static int msie_hack=0;
252
253 static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
254 static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
255 static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
256 static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
257
258
259 int MAIN(int, char **);
260
261 int MAIN(int argc, char **argv)
262         {
263         ENGINE *e = NULL;
264         char *key=NULL,*passargin=NULL;
265         int total=0;
266         int total_done=0;
267         int badops=0;
268         int ret=1;
269         int req=0;
270         int verbose=0;
271         int gencrl=0;
272         int dorevoke=0;
273         int doupdatedb=0;
274         long crldays=0;
275         long crlhours=0;
276         long errorline= -1;
277         char *configfile=NULL;
278         char *md=NULL;
279         char *policy=NULL;
280         char *keyfile=NULL;
281         char *certfile=NULL;
282         int keyform=FORMAT_PEM;
283         char *infile=NULL;
284         char *spkac_file=NULL;
285         char *ss_cert_file=NULL;
286         char *ser_status=NULL;
287         EVP_PKEY *pkey=NULL;
288         int output_der = 0;
289         char *outfile=NULL;
290         char *outdir=NULL;
291         char *serialfile=NULL;
292         char *extensions=NULL;
293         char *extfile=NULL;
294         char *subj=NULL;
295         char *crl_ext=NULL;
296         int rev_type = REV_NONE;
297         char *rev_arg = NULL;
298         BIGNUM *serial=NULL;
299         char *startdate=NULL;
300         char *enddate=NULL;
301         int days=0;
302         int batch=0;
303         int notext=0;
304         unsigned long nameopt = 0, certopt = 0;
305         int default_op = 1;
306         int ext_copy = 0;
307         X509 *x509=NULL;
308         X509 *x=NULL;
309         BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
310         char *dbfile=NULL;
311         TXT_DB *db=NULL;
312         X509_CRL *crl=NULL;
313         X509_CRL_INFO *ci=NULL;
314         X509_REVOKED *r=NULL;
315         char **pp,*p,*f;
316         int i,j;
317         long l;
318         const EVP_MD *dgst=NULL;
319         STACK_OF(CONF_VALUE) *attribs=NULL;
320         STACK_OF(X509) *cert_sk=NULL;
321 #undef BSIZE
322 #define BSIZE 256
323         MS_STATIC char buf[3][BSIZE];
324         char *randfile=NULL;
325         char *engine = NULL;
326
327 #ifdef EFENCE
328 EF_PROTECT_FREE=1;
329 EF_PROTECT_BELOW=1;
330 EF_ALIGNMENT=0;
331 #endif
332
333         apps_startup();
334
335         conf = NULL;
336         key = NULL;
337         section = NULL;
338
339         preserve=0;
340         msie_hack=0;
341         if (bio_err == NULL)
342                 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
343                         BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
344
345         argc--;
346         argv++;
347         while (argc >= 1)
348                 {
349                 if      (strcmp(*argv,"-verbose") == 0)
350                         verbose=1;
351                 else if (strcmp(*argv,"-config") == 0)
352                         {
353                         if (--argc < 1) goto bad;
354                         configfile= *(++argv);
355                         }
356                 else if (strcmp(*argv,"-name") == 0)
357                         {
358                         if (--argc < 1) goto bad;
359                         section= *(++argv);
360                         }
361                 else if (strcmp(*argv,"-subj") == 0)
362                         {
363                         if (--argc < 1) goto bad;
364                         subj= *(++argv);
365                         /* preserve=1; */
366                         }
367                 else if (strcmp(*argv,"-startdate") == 0)
368                         {
369                         if (--argc < 1) goto bad;
370                         startdate= *(++argv);
371                         }
372                 else if (strcmp(*argv,"-enddate") == 0)
373                         {
374                         if (--argc < 1) goto bad;
375                         enddate= *(++argv);
376                         }
377                 else if (strcmp(*argv,"-days") == 0)
378                         {
379                         if (--argc < 1) goto bad;
380                         days=atoi(*(++argv));
381                         }
382                 else if (strcmp(*argv,"-md") == 0)
383                         {
384                         if (--argc < 1) goto bad;
385                         md= *(++argv);
386                         }
387                 else if (strcmp(*argv,"-policy") == 0)
388                         {
389                         if (--argc < 1) goto bad;
390                         policy= *(++argv);
391                         }
392                 else if (strcmp(*argv,"-keyfile") == 0)
393                         {
394                         if (--argc < 1) goto bad;
395                         keyfile= *(++argv);
396                         }
397                 else if (strcmp(*argv,"-keyform") == 0)
398                         {
399                         if (--argc < 1) goto bad;
400                         keyform=str2fmt(*(++argv));
401                         }
402                 else if (strcmp(*argv,"-passin") == 0)
403                         {
404                         if (--argc < 1) goto bad;
405                         passargin= *(++argv);
406                         }
407                 else if (strcmp(*argv,"-key") == 0)
408                         {
409                         if (--argc < 1) goto bad;
410                         key= *(++argv);
411                         }
412                 else if (strcmp(*argv,"-cert") == 0)
413                         {
414                         if (--argc < 1) goto bad;
415                         certfile= *(++argv);
416                         }
417                 else if (strcmp(*argv,"-in") == 0)
418                         {
419                         if (--argc < 1) goto bad;
420                         infile= *(++argv);
421                         req=1;
422                         }
423                 else if (strcmp(*argv,"-out") == 0)
424                         {
425                         if (--argc < 1) goto bad;
426                         outfile= *(++argv);
427                         }
428                 else if (strcmp(*argv,"-outdir") == 0)
429                         {
430                         if (--argc < 1) goto bad;
431                         outdir= *(++argv);
432                         }
433                 else if (strcmp(*argv,"-notext") == 0)
434                         notext=1;
435                 else if (strcmp(*argv,"-batch") == 0)
436                         batch=1;
437                 else if (strcmp(*argv,"-preserveDN") == 0)
438                         preserve=1;
439                 else if (strcmp(*argv,"-gencrl") == 0)
440                         gencrl=1;
441                 else if (strcmp(*argv,"-msie_hack") == 0)
442                         msie_hack=1;
443                 else if (strcmp(*argv,"-crldays") == 0)
444                         {
445                         if (--argc < 1) goto bad;
446                         crldays= atol(*(++argv));
447                         }
448                 else if (strcmp(*argv,"-crlhours") == 0)
449                         {
450                         if (--argc < 1) goto bad;
451                         crlhours= atol(*(++argv));
452                         }
453                 else if (strcmp(*argv,"-infiles") == 0)
454                         {
455                         argc--;
456                         argv++;
457                         req=1;
458                         break;
459                         }
460                 else if (strcmp(*argv, "-ss_cert") == 0)
461                         {
462                         if (--argc < 1) goto bad;
463                         ss_cert_file = *(++argv);
464                         req=1;
465                         }
466                 else if (strcmp(*argv, "-spkac") == 0)
467                         {
468                         if (--argc < 1) goto bad;
469                         spkac_file = *(++argv);
470                         req=1;
471                         }
472                 else if (strcmp(*argv,"-revoke") == 0)
473                         {
474                         if (--argc < 1) goto bad;
475                         infile= *(++argv);
476                         dorevoke=1;
477                         }
478                 else if (strcmp(*argv,"-extensions") == 0)
479                         {
480                         if (--argc < 1) goto bad;
481                         extensions= *(++argv);
482                         }
483                 else if (strcmp(*argv,"-extfile") == 0)
484                         {
485                         if (--argc < 1) goto bad;
486                         extfile= *(++argv);
487                         }
488                 else if (strcmp(*argv,"-status") == 0)
489                         {
490                         if (--argc < 1) goto bad;
491                         ser_status= *(++argv);
492                         }
493                 else if (strcmp(*argv,"-updatedb") == 0)
494                         {
495                         doupdatedb=1;
496                         }
497                 else if (strcmp(*argv,"-crlexts") == 0)
498                         {
499                         if (--argc < 1) goto bad;
500                         crl_ext= *(++argv);
501                         }
502                 else if (strcmp(*argv,"-crl_reason") == 0)
503                         {
504                         if (--argc < 1) goto bad;
505                         rev_arg = *(++argv);
506                         rev_type = REV_CRL_REASON;
507                         }
508                 else if (strcmp(*argv,"-crl_hold") == 0)
509                         {
510                         if (--argc < 1) goto bad;
511                         rev_arg = *(++argv);
512                         rev_type = REV_HOLD;
513                         }
514                 else if (strcmp(*argv,"-crl_compromise") == 0)
515                         {
516                         if (--argc < 1) goto bad;
517                         rev_arg = *(++argv);
518                         rev_type = REV_KEY_COMPROMISE;
519                         }
520                 else if (strcmp(*argv,"-crl_CA_compromise") == 0)
521                         {
522                         if (--argc < 1) goto bad;
523                         rev_arg = *(++argv);
524                         rev_type = REV_CA_COMPROMISE;
525                         }
526                 else if (strcmp(*argv,"-engine") == 0)
527                         {
528                         if (--argc < 1) goto bad;
529                         engine= *(++argv);
530                         }
531                 else
532                         {
533 bad:
534                         BIO_printf(bio_err,"unknown option %s\n",*argv);
535                         badops=1;
536                         break;
537                         }
538                 argc--;
539                 argv++;
540                 }
541
542         if (badops)
543                 {
544                 for (pp=ca_usage; (*pp != NULL); pp++)
545                         BIO_printf(bio_err,"%s",*pp);
546                 goto err;
547                 }
548
549         ERR_load_crypto_strings();
550
551         if (engine != NULL)
552                 {
553                 if ((e = ENGINE_by_id(engine)) == NULL)
554                         {
555                         BIO_printf(bio_err,"invalid engine \"%s\"\n",
556                                 engine);
557                         goto err;
558                         }
559                 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
560                         {
561                         BIO_printf(bio_err,"can't use that engine\n");
562                         goto err;
563                         }
564                 BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
565                 /* Free our "structural" reference. */
566                 ENGINE_free(e);
567                 }
568
569         /*****************************************************************/
570         if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
571         if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
572         if (configfile == NULL)
573                 {
574                 /* We will just use 'buf[0]' as a temporary buffer.  */
575 #ifdef OPENSSL_SYS_VMS
576                 strncpy(buf[0],X509_get_default_cert_area(),
577                         sizeof(buf[0])-1-sizeof(CONFIG_FILE));
578 #else
579                 strncpy(buf[0],X509_get_default_cert_area(),
580                         sizeof(buf[0])-2-sizeof(CONFIG_FILE));
581                 strcat(buf[0],"/");
582 #endif
583                 strcat(buf[0],CONFIG_FILE);
584                 configfile=buf[0];
585                 }
586
587         BIO_printf(bio_err,"Using configuration from %s\n",configfile);
588         if ((conf=CONF_load(NULL,configfile,&errorline)) == NULL)
589                 {
590                 if (errorline <= 0)
591                         BIO_printf(bio_err,"error loading the config file '%s'\n",
592                                 configfile);
593                 else
594                         BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
595                                 ,errorline,configfile);
596                 goto err;
597                 }
598
599         /* Lets get the config section we are using */
600         if (section == NULL)
601                 {
602                 section=CONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
603                 if (section == NULL)
604                         {
605                         lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
606                         goto err;
607                         }
608                 }
609
610         if (conf != NULL)
611                 {
612                 p=CONF_get_string(conf,NULL,"oid_file");
613                 if (p == NULL)
614                         ERR_clear_error();
615                 if (p != NULL)
616                         {
617                         BIO *oid_bio;
618
619                         oid_bio=BIO_new_file(p,"r");
620                         if (oid_bio == NULL) 
621                                 {
622                                 /*
623                                 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
624                                 ERR_print_errors(bio_err);
625                                 */
626                                 ERR_clear_error();
627                                 }
628                         else
629                                 {
630                                 OBJ_create_objects(oid_bio);
631                                 BIO_free(oid_bio);
632                                 }
633                         }
634                 if (!add_oid_section(bio_err,conf)) 
635                         {
636                         ERR_print_errors(bio_err);
637                         goto err;
638                         }
639                 }
640
641         randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE");
642         if (randfile == NULL)
643                 ERR_clear_error();
644         app_RAND_load_file(randfile, bio_err, 0);
645         
646         in=BIO_new(BIO_s_file());
647         out=BIO_new(BIO_s_file());
648         Sout=BIO_new(BIO_s_file());
649         Cout=BIO_new(BIO_s_file());
650         if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
651                 {
652                 ERR_print_errors(bio_err);
653                 goto err;
654                 }
655
656         /*****************************************************************/
657         /* report status of cert with serial number given on command line */
658         if (ser_status)
659         {
660                 if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL)
661                         {
662                         lookup_fail(section,ENV_DATABASE);
663                         goto err;
664                         }
665                 if (BIO_read_filename(in,dbfile) <= 0)
666                         {
667                         perror(dbfile);
668                         BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
669                         goto err;
670                         }
671                 db=TXT_DB_read(in,DB_NUMBER);
672                 if (db == NULL) goto err;
673
674                 if (!TXT_DB_create_index(db, DB_serial, NULL,
675                                         LHASH_HASH_FN(index_serial_hash),
676                                         LHASH_COMP_FN(index_serial_cmp)))
677                         {
678                         BIO_printf(bio_err,
679                           "error creating serial number index:(%ld,%ld,%ld)\n",
680                                                 db->error,db->arg1,db->arg2);
681                         goto err;
682                         }
683
684                 if (get_certificate_status(ser_status,db) != 1)
685                         BIO_printf(bio_err,"Error verifying serial %s!\n",
686                                  ser_status);
687                 goto err;
688         }
689
690         /*****************************************************************/
691         /* we definitely need a public key, so let's get it */
692
693         if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf,
694                 section,ENV_PRIVATE_KEY)) == NULL))
695                 {
696                 lookup_fail(section,ENV_PRIVATE_KEY);
697                 goto err;
698                 }
699         if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
700                 {
701                 BIO_printf(bio_err,"Error getting password\n");
702                 goto err;
703                 }
704         if (keyform == FORMAT_ENGINE)
705                 {
706                 if (!e)
707                         {
708                         BIO_printf(bio_err,"no engine specified\n");
709                         goto err;
710                         }
711                 pkey = ENGINE_load_private_key(e, keyfile, key);
712                 }
713         else if (keyform == FORMAT_PEM)
714                 {
715                 if (BIO_read_filename(in,keyfile) <= 0)
716                         {
717                         perror(keyfile);
718                         BIO_printf(bio_err,"trying to load CA private key\n");
719                         goto err;
720                         }
721                 pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
722                 }
723         else
724                 {
725                 BIO_printf(bio_err,"bad input format specified for key file\n");
726                 goto err;
727                 }
728         if (key) memset(key,0,strlen(key));
729         if (pkey == NULL)
730                 {
731                 BIO_printf(bio_err,"unable to load CA private key\n");
732                 goto err;
733                 }
734
735         /*****************************************************************/
736         /* we need a certificate */
737         if ((certfile == NULL) && ((certfile=CONF_get_string(conf,
738                 section,ENV_CERTIFICATE)) == NULL))
739                 {
740                 lookup_fail(section,ENV_CERTIFICATE);
741                 goto err;
742                 }
743         if (BIO_read_filename(in,certfile) <= 0)
744                 {
745                 perror(certfile);
746                 BIO_printf(bio_err,"trying to load CA certificate\n");
747                 goto err;
748                 }
749         x509=PEM_read_bio_X509(in,NULL,NULL,NULL);
750         if (x509 == NULL)
751                 {
752                 BIO_printf(bio_err,"unable to load CA certificate\n");
753                 goto err;
754                 }
755
756         if (!X509_check_private_key(x509,pkey))
757                 {
758                 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
759                 goto err;
760                 }
761
762         f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
763         if (f == NULL)
764                 ERR_clear_error();
765         if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
766                 preserve=1;
767         f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
768         if (f == NULL)
769                 ERR_clear_error();
770         if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
771                 msie_hack=1;
772
773         f=CONF_get_string(conf,section,ENV_NAMEOPT);
774
775         if (f)
776                 {
777                 if (!set_name_ex(&nameopt, f))
778                         {
779                         BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
780                         goto err;
781                         }
782                 default_op = 0;
783                 }
784         else
785                 ERR_clear_error();
786
787         f=CONF_get_string(conf,section,ENV_CERTOPT);
788
789         if (f)
790                 {
791                 if (!set_cert_ex(&certopt, f))
792                         {
793                         BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
794                         goto err;
795                         }
796                 default_op = 0;
797                 }
798         else
799                 ERR_clear_error();
800
801
802         /*****************************************************************/
803         /* lookup where to write new certificates */
804         if ((outdir == NULL) && (req))
805                 {
806                 struct stat sb;
807
808                 if ((outdir=CONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
809                         == NULL)
810                         {
811                         BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
812                         goto err;
813                         }
814 #ifndef OPENSSL_SYS_VMS
815             /* outdir is a directory spec, but access() for VMS demands a
816                filename.  In any case, stat(), below, will catch the problem
817                if outdir is not a directory spec, and the fopen() or open()
818                will catch an error if there is no write access.
819
820                Presumably, this problem could also be solved by using the DEC
821                C routines to convert the directory syntax to Unixly, and give
822                that to access().  However, time's too short to do that just
823                now.
824             */
825                 if (access(outdir,R_OK|W_OK|X_OK) != 0)
826                         {
827                         BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
828                         perror(outdir);
829                         goto err;
830                         }
831
832                 if (stat(outdir,&sb) != 0)
833                         {
834                         BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
835                         perror(outdir);
836                         goto err;
837                         }
838 #ifdef S_IFDIR
839                 if (!(sb.st_mode & S_IFDIR))
840                         {
841                         BIO_printf(bio_err,"%s need to be a directory\n",outdir);
842                         perror(outdir);
843                         goto err;
844                         }
845 #endif
846 #endif
847                 }
848
849         /*****************************************************************/
850         /* we need to load the database file */
851         if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL)
852                 {
853                 lookup_fail(section,ENV_DATABASE);
854                 goto err;
855                 }
856         if (BIO_read_filename(in,dbfile) <= 0)
857                 {
858                 perror(dbfile);
859                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
860                 goto err;
861                 }
862         db=TXT_DB_read(in,DB_NUMBER);
863         if (db == NULL) goto err;
864
865         /* Lets check some fields */
866         for (i=0; i<sk_num(db->data); i++)
867                 {
868                 pp=(char **)sk_value(db->data,i);
869                 if ((pp[DB_type][0] != DB_TYPE_REV) &&
870                         (pp[DB_rev_date][0] != '\0'))
871                         {
872                         BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
873                         goto err;
874                         }
875                 if ((pp[DB_type][0] == DB_TYPE_REV) &&
876                         !make_revoked(NULL, pp[DB_rev_date]))
877                         {
878                         BIO_printf(bio_err," in entry %d\n", i+1);
879                         goto err;
880                         }
881                 if (!check_time_format(pp[DB_exp_date]))
882                         {
883                         BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
884                         goto err;
885                         }
886                 p=pp[DB_serial];
887                 j=strlen(p);
888                 if (*p == '-')
889                         {
890                         p++;
891                         j--;
892                         }
893                 if ((j&1) || (j < 2))
894                         {
895                         BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
896                         goto err;
897                         }
898                 while (*p)
899                         {
900                         if (!(  ((*p >= '0') && (*p <= '9')) ||
901                                 ((*p >= 'A') && (*p <= 'F')) ||
902                                 ((*p >= 'a') && (*p <= 'f')))  )
903                                 {
904                                 BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
905                                 goto err;
906                                 }
907                         p++;
908                         }
909                 }
910         if (verbose)
911                 {
912                 BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
913 #ifdef OPENSSL_SYS_VMS
914                 {
915                 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
916                 out = BIO_push(tmpbio, out);
917                 }
918 #endif
919                 TXT_DB_write(out,db);
920                 BIO_printf(bio_err,"%d entries loaded from the database\n",
921                         db->data->num);
922                 BIO_printf(bio_err,"generating index\n");
923                 }
924         
925         if (!TXT_DB_create_index(db, DB_serial, NULL,
926                         LHASH_HASH_FN(index_serial_hash),
927                         LHASH_COMP_FN(index_serial_cmp)))
928                 {
929                 BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
930                 goto err;
931                 }
932
933         if (!TXT_DB_create_index(db, DB_name, index_name_qual,
934                         LHASH_HASH_FN(index_name_hash),
935                         LHASH_COMP_FN(index_name_cmp)))
936                 {
937                 BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
938                         db->error,db->arg1,db->arg2);
939                 goto err;
940                 }
941
942         /*****************************************************************/
943         /* Update the db file for expired certificates */
944         if (doupdatedb)
945                 {
946                 if (verbose)
947                         BIO_printf(bio_err, "Updating %s ...\n",
948                                                         dbfile);
949
950                 i = do_updatedb(db);
951                 if (i == -1)
952                         {
953                         BIO_printf(bio_err,"Malloc failure\n");
954                         goto err;
955                         }
956                 else if (i == 0)
957                         {
958                         if (verbose) BIO_printf(bio_err,
959                                         "No entries found to mark expired\n"); 
960                         }
961                 else
962                         {
963                         out = BIO_new(BIO_s_file());
964                         if (out == NULL)
965                                 {
966                                 ERR_print_errors(bio_err);
967                                 goto err;
968                                 }
969
970                         j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile);
971                         if (j < 0 || j >= sizeof buf[0])
972                                 {
973                                 BIO_printf(bio_err, "file name too long\n");
974                                 goto err;
975                                 }
976                         if (BIO_write_filename(out,buf[0]) <= 0)
977                                 {
978                                 perror(dbfile);
979                                 BIO_printf(bio_err,"unable to open '%s'\n",
980                                                                         dbfile);
981                                 goto err;
982                                 }
983                         j=TXT_DB_write(out,db);
984                         if (j <= 0) goto err;
985                         
986                         BIO_free(out);
987                         out = NULL;
988                         j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile);
989                         if (j < 0 || j >= sizeof buf[1])
990                                 {
991                                 BIO_printf(bio_err, "file name too long\n");
992                                 goto err;
993                                 }
994                         if (rename(dbfile,buf[1]) < 0)
995                                 {
996                                 BIO_printf(bio_err,
997                                                 "unable to rename %s to %s\n",
998                                                 dbfile, buf[1]);
999                                 perror("reason");
1000                                 goto err;
1001                                 }
1002                         if (rename(buf[0],dbfile) < 0)
1003                                 {
1004                                 BIO_printf(bio_err,
1005                                                 "unable to rename %s to %s\n",
1006                                                 buf[0],dbfile);
1007                                 perror("reason");
1008                                 rename(buf[1],dbfile);
1009                                 goto err;
1010                                 }
1011                                 
1012                         if (verbose) BIO_printf(bio_err,
1013                                 "Done. %d entries marked as expired\n",i); 
1014                         }
1015                         goto err;
1016                 }
1017
1018         /*****************************************************************/
1019         /* Read extentions config file                                   */
1020         if (extfile)
1021                 {
1022                 if (!(extconf=CONF_load(NULL,extfile,&errorline)))
1023                         {
1024                         if (errorline <= 0)
1025                                 BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
1026                                         extfile);
1027                         else
1028                                 BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
1029                                         errorline,extfile);
1030                         ret = 1;
1031                         goto err;
1032                         }
1033
1034                 if (verbose)
1035                         BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile);
1036
1037                 /* We can have sections in the ext file */
1038                 if (!extensions && !(extensions = CONF_get_string(extconf, "default", "extensions")))
1039                         extensions = "default";
1040                 }
1041
1042         /*****************************************************************/
1043         if (req || gencrl)
1044                 {
1045                 if (outfile != NULL)
1046                         {
1047                         if (BIO_write_filename(Sout,outfile) <= 0)
1048                                 {
1049                                 perror(outfile);
1050                                 goto err;
1051                                 }
1052                         }
1053                 else
1054                         {
1055                         BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
1056 #ifdef OPENSSL_SYS_VMS
1057                         {
1058                         BIO *tmpbio = BIO_new(BIO_f_linebuffer());
1059                         Sout = BIO_push(tmpbio, Sout);
1060                         }
1061 #endif
1062                         }
1063                 }
1064
1065         if (req)
1066                 {
1067                 if ((md == NULL) && ((md=CONF_get_string(conf,
1068                         section,ENV_DEFAULT_MD)) == NULL))
1069                         {
1070                         lookup_fail(section,ENV_DEFAULT_MD);
1071                         goto err;
1072                         }
1073                 if ((dgst=EVP_get_digestbyname(md)) == NULL)
1074                         {
1075                         BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1076                         goto err;
1077                         }
1078                 if (verbose)
1079                         BIO_printf(bio_err,"message digest is %s\n",
1080                                 OBJ_nid2ln(dgst->type));
1081                 if ((policy == NULL) && ((policy=CONF_get_string(conf,
1082                         section,ENV_POLICY)) == NULL))
1083                         {
1084                         lookup_fail(section,ENV_POLICY);
1085                         goto err;
1086                         }
1087                 if (verbose)
1088                         BIO_printf(bio_err,"policy is %s\n",policy);
1089
1090                 if ((serialfile=CONF_get_string(conf,section,ENV_SERIAL))
1091                         == NULL)
1092                         {
1093                         lookup_fail(section,ENV_SERIAL);
1094                         goto err;
1095                         }
1096
1097                 if (!extconf)
1098                         {
1099                         /* no '-extfile' option, so we look for extensions
1100                          * in the main configuration file */
1101                         if (!extensions)
1102                                 {
1103                                 extensions=CONF_get_string(conf,section,
1104                                                                 ENV_EXTENSIONS);
1105                                 if (!extensions)
1106                                         ERR_clear_error();
1107                                 }
1108                         if (extensions)
1109                                 {
1110                                 /* Check syntax of file */
1111                                 X509V3_CTX ctx;
1112                                 X509V3_set_ctx_test(&ctx);
1113                                 X509V3_set_conf_lhash(&ctx, conf);
1114                                 if (!X509V3_EXT_add_conf(conf, &ctx, extensions,
1115                                                                 NULL))
1116                                         {
1117                                         BIO_printf(bio_err,
1118                                         "Error Loading extension section %s\n",
1119                                                                  extensions);
1120                                         ret = 1;
1121                                         goto err;
1122                                         }
1123                                 }
1124                         }
1125
1126                 if (startdate == NULL)
1127                         {
1128                         startdate=CONF_get_string(conf,section,
1129                                 ENV_DEFAULT_STARTDATE);
1130                         if (startdate == NULL)
1131                                 ERR_clear_error();
1132                         }
1133                 if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
1134                         {
1135                         BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
1136                         goto err;
1137                         }
1138                 if (startdate == NULL) startdate="today";
1139
1140                 if (enddate == NULL)
1141                         {
1142                         enddate=CONF_get_string(conf,section,
1143                                 ENV_DEFAULT_ENDDATE);
1144                         if (enddate == NULL)
1145                                 ERR_clear_error();
1146                         }
1147                 if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
1148                         {
1149                         BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
1150                         goto err;
1151                         }
1152
1153                 if (days == 0)
1154                         {
1155                         days=(int)CONF_get_number(conf,section,
1156                                 ENV_DEFAULT_DAYS);
1157                         }
1158                 if (!enddate && (days == 0))
1159                         {
1160                         BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
1161                         goto err;
1162                         }
1163
1164                 if ((serial=load_serial(serialfile)) == NULL)
1165                         {
1166                         BIO_printf(bio_err,"error while loading serial number\n");
1167                         goto err;
1168                         }
1169                 if (verbose)
1170                         {
1171                         if ((f=BN_bn2hex(serial)) == NULL) goto err;
1172                         BIO_printf(bio_err,"next serial number is %s\n",f);
1173                         OPENSSL_free(f);
1174                         }
1175
1176                 if ((attribs=CONF_get_section(conf,policy)) == NULL)
1177                         {
1178                         BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
1179                         goto err;
1180                         }
1181
1182                 if ((cert_sk=sk_X509_new_null()) == NULL)
1183                         {
1184                         BIO_printf(bio_err,"Memory allocation failure\n");
1185                         goto err;
1186                         }
1187                 if (spkac_file != NULL)
1188                         {
1189                         total++;
1190                         j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
1191                                 serial,subj,startdate,enddate, days,extensions,conf,
1192                                 verbose, certopt, nameopt, default_op, ext_copy);
1193                         if (j < 0) goto err;
1194                         if (j > 0)
1195                                 {
1196                                 total_done++;
1197                                 BIO_printf(bio_err,"\n");
1198                                 if (!BN_add_word(serial,1)) goto err;
1199                                 if (!sk_X509_push(cert_sk,x))
1200                                         {
1201                                         BIO_printf(bio_err,"Memory allocation failure\n");
1202                                         goto err;
1203                                         }
1204                                 if (outfile)
1205                                         {
1206                                         output_der = 1;
1207                                         batch = 1;
1208                                         }
1209                                 }
1210                         }
1211                 if (ss_cert_file != NULL)
1212                         {
1213                         total++;
1214                         j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
1215                                 db,serial,subj,startdate,enddate,days,batch,
1216                                 extensions,conf,verbose, certopt, nameopt,
1217                                                         default_op, ext_copy);
1218                         if (j < 0) goto err;
1219                         if (j > 0)
1220                                 {
1221                                 total_done++;
1222                                 BIO_printf(bio_err,"\n");
1223                                 if (!BN_add_word(serial,1)) goto err;
1224                                 if (!sk_X509_push(cert_sk,x))
1225                                         {
1226                                         BIO_printf(bio_err,"Memory allocation failure\n");
1227                                         goto err;
1228                                         }
1229                                 }
1230                         }
1231                 if (infile != NULL)
1232                         {
1233                         total++;
1234                         j=certify(&x,infile,pkey,x509,dgst,attribs,db,
1235                                 serial,subj,startdate,enddate,days,batch,
1236                                 extensions,conf,verbose, certopt, nameopt,
1237                                 default_op, ext_copy);
1238                         if (j < 0) goto err;
1239                         if (j > 0)
1240                                 {
1241                                 total_done++;
1242                                 BIO_printf(bio_err,"\n");
1243                                 if (!BN_add_word(serial,1)) goto err;
1244                                 if (!sk_X509_push(cert_sk,x))
1245                                         {
1246                                         BIO_printf(bio_err,"Memory allocation failure\n");
1247                                         goto err;
1248                                         }
1249                                 }
1250                         }
1251                 for (i=0; i<argc; i++)
1252                         {
1253                         total++;
1254                         j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
1255                                 serial,subj,startdate,enddate,days,batch,
1256                                 extensions,conf,verbose, certopt, nameopt,
1257                                 default_op, ext_copy);
1258                         if (j < 0) goto err;
1259                         if (j > 0)
1260                                 {
1261                                 total_done++;
1262                                 BIO_printf(bio_err,"\n");
1263                                 if (!BN_add_word(serial,1)) goto err;
1264                                 if (!sk_X509_push(cert_sk,x))
1265                                         {
1266                                         BIO_printf(bio_err,"Memory allocation failure\n");
1267                                         goto err;
1268                                         }
1269                                 }
1270                         }       
1271                 /* we have a stack of newly certified certificates
1272                  * and a data base and serial number that need
1273                  * updating */
1274
1275                 if (sk_X509_num(cert_sk) > 0)
1276                         {
1277                         if (!batch)
1278                                 {
1279                                 BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
1280                                 (void)BIO_flush(bio_err);
1281                                 buf[0][0]='\0';
1282                                 fgets(buf[0],10,stdin);
1283                                 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
1284                                         {
1285                                         BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 
1286                                         ret=0;
1287                                         goto err;
1288                                         }
1289                                 }
1290
1291                         BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
1292
1293                         strncpy(buf[0],serialfile,BSIZE-4);
1294
1295 #ifdef OPENSSL_SYS_VMS
1296                         strcat(buf[0],"-new");
1297 #else
1298                         strcat(buf[0],".new");
1299 #endif
1300
1301                         if (!save_serial(buf[0],serial)) goto err;
1302
1303                         strncpy(buf[1],dbfile,BSIZE-4);
1304
1305 #ifdef OPENSSL_SYS_VMS
1306                         strcat(buf[1],"-new");
1307 #else
1308                         strcat(buf[1],".new");
1309 #endif
1310
1311                         if (BIO_write_filename(out,buf[1]) <= 0)
1312                                 {
1313                                 perror(dbfile);
1314                                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
1315                                 goto err;
1316                                 }
1317                         l=TXT_DB_write(out,db);
1318                         if (l <= 0) goto err;
1319                         }
1320         
1321                 if (verbose)
1322                         BIO_printf(bio_err,"writing new certificates\n");
1323                 for (i=0; i<sk_X509_num(cert_sk); i++)
1324                         {
1325                         int k;
1326                         unsigned char *n;
1327
1328                         x=sk_X509_value(cert_sk,i);
1329
1330                         j=x->cert_info->serialNumber->length;
1331                         p=(char *)x->cert_info->serialNumber->data;
1332                         
1333                         strncpy(buf[2],outdir,BSIZE-(j*2)-6);
1334
1335 #ifndef OPENSSL_SYS_VMS
1336                         strcat(buf[2],"/");
1337 #endif
1338
1339                         n=(unsigned char *)&(buf[2][strlen(buf[2])]);
1340                         if (j > 0)
1341                                 {
1342                                 for (k=0; k<j; k++)
1343                                         {
1344                                         sprintf((char *)n,"%02X",(unsigned char)*(p++));
1345                                         n+=2;
1346                                         }
1347                                 }
1348                         else
1349                                 {
1350                                 *(n++)='0';
1351                                 *(n++)='0';
1352                                 }
1353                         *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
1354                         *n='\0';
1355                         if (verbose)
1356                                 BIO_printf(bio_err,"writing %s\n",buf[2]);
1357
1358                         if (BIO_write_filename(Cout,buf[2]) <= 0)
1359                                 {
1360                                 perror(buf[2]);
1361                                 goto err;
1362                                 }
1363                         write_new_certificate(Cout,x, 0, notext);
1364                         write_new_certificate(Sout,x, output_der, notext);
1365                         }
1366
1367                 if (sk_X509_num(cert_sk))
1368                         {
1369                         /* Rename the database and the serial file */
1370                         strncpy(buf[2],serialfile,BSIZE-4);
1371
1372 #ifdef OPENSSL_SYS_VMS
1373                         strcat(buf[2],"-old");
1374 #else
1375                         strcat(buf[2],".old");
1376 #endif
1377
1378                         BIO_free(in);
1379                         BIO_free_all(out);
1380                         in=NULL;
1381                         out=NULL;
1382                         if (rename(serialfile,buf[2]) < 0)
1383                                 {
1384                                 BIO_printf(bio_err,"unable to rename %s to %s\n",
1385                                         serialfile,buf[2]);
1386                                 perror("reason");
1387                                 goto err;
1388                                 }
1389                         if (rename(buf[0],serialfile) < 0)
1390                                 {
1391                                 BIO_printf(bio_err,"unable to rename %s to %s\n",
1392                                         buf[0],serialfile);
1393                                 perror("reason");
1394                                 rename(buf[2],serialfile);
1395                                 goto err;
1396                                 }
1397
1398                         strncpy(buf[2],dbfile,BSIZE-4);
1399
1400 #ifdef OPENSSL_SYS_VMS
1401                         strcat(buf[2],"-old");
1402 #else
1403                         strcat(buf[2],".old");
1404 #endif
1405
1406                         if (rename(dbfile,buf[2]) < 0)
1407                                 {
1408                                 BIO_printf(bio_err,"unable to rename %s to %s\n",
1409                                         dbfile,buf[2]);
1410                                 perror("reason");
1411                                 goto err;
1412                                 }
1413                         if (rename(buf[1],dbfile) < 0)
1414                                 {
1415                                 BIO_printf(bio_err,"unable to rename %s to %s\n",
1416                                         buf[1],dbfile);
1417                                 perror("reason");
1418                                 rename(buf[2],dbfile);
1419                                 goto err;
1420                                 }
1421                         BIO_printf(bio_err,"Data Base Updated\n");
1422                         }
1423                 }
1424         
1425         /*****************************************************************/
1426         if (gencrl)
1427                 {
1428                 int crl_v2 = 0;
1429                 if (!crl_ext)
1430                         {
1431                         crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
1432                         if (!crl_ext)
1433                                 ERR_clear_error();
1434                         }
1435                 if (crl_ext)
1436                         {
1437                         /* Check syntax of file */
1438                         X509V3_CTX ctx;
1439                         X509V3_set_ctx_test(&ctx);
1440                         X509V3_set_conf_lhash(&ctx, conf);
1441                         if (!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL))
1442                                 {
1443                                 BIO_printf(bio_err,
1444                                  "Error Loading CRL extension section %s\n",
1445                                                                  crl_ext);
1446                                 ret = 1;
1447                                 goto err;
1448                                 }
1449                         }
1450
1451                 if (!crldays && !crlhours)
1452                         {
1453                         crldays=CONF_get_number(conf,section,
1454                                 ENV_DEFAULT_CRL_DAYS);
1455                         crlhours=CONF_get_number(conf,section,
1456                                 ENV_DEFAULT_CRL_HOURS);
1457                         }
1458                 if ((crldays == 0) && (crlhours == 0))
1459                         {
1460                         BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
1461                         goto err;
1462                         }
1463
1464                 if (verbose) BIO_printf(bio_err,"making CRL\n");
1465                 if ((crl=X509_CRL_new()) == NULL) goto err;
1466                 ci=crl->crl;
1467                 X509_NAME_free(ci->issuer);
1468                 ci->issuer=X509_NAME_dup(x509->cert_info->subject);
1469                 if (ci->issuer == NULL) goto err;
1470
1471                 X509_gmtime_adj(ci->lastUpdate,0);
1472                 if (ci->nextUpdate == NULL)
1473                         ci->nextUpdate=ASN1_UTCTIME_new();
1474                 X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
1475
1476                 for (i=0; i<sk_num(db->data); i++)
1477                         {
1478                         pp=(char **)sk_value(db->data,i);
1479                         if (pp[DB_type][0] == DB_TYPE_REV)
1480                                 {
1481                                 if ((r=X509_REVOKED_new()) == NULL) goto err;
1482                                 j = make_revoked(r, pp[DB_rev_date]);
1483                                 if (!j) goto err;
1484                                 if (j == 2) crl_v2 = 1;
1485                                 if (!BN_hex2bn(&serial, pp[DB_serial]))
1486                                         goto err;
1487                                 r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber);
1488                                 BN_free(serial);
1489                                 serial = NULL;
1490                                 if (!r->serialNumber)
1491                                         goto err;
1492                                 X509_CRL_add0_revoked(crl,r);
1493                                 }
1494                         }
1495                 /* sort the data so it will be written in serial
1496                  * number order */
1497                 sk_X509_REVOKED_sort(ci->revoked);
1498                 for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
1499                         {
1500                         r=sk_X509_REVOKED_value(ci->revoked,i);
1501                         r->sequence=i;
1502                         }
1503
1504                 /* we now have a CRL */
1505                 if (verbose) BIO_printf(bio_err,"signing CRL\n");
1506                 if (md != NULL)
1507                         {
1508                         if ((dgst=EVP_get_digestbyname(md)) == NULL)
1509                                 {
1510                                 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1511                                 goto err;
1512                                 }
1513                         }
1514                 else
1515                         {
1516 #ifndef OPENSSL_NO_DSA
1517                         if (pkey->type == EVP_PKEY_DSA) 
1518                                 dgst=EVP_dss1();
1519                         else
1520 #endif
1521                                 dgst=EVP_md5();
1522                         }
1523
1524                 /* Add any extensions asked for */
1525
1526                 if (crl_ext)
1527                         {
1528                         X509V3_CTX crlctx;
1529                         if (ci->version == NULL)
1530                                 if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
1531                         X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1532                         X509V3_set_conf_lhash(&crlctx, conf);
1533
1534                         if (!X509V3_EXT_CRL_add_conf(conf, &crlctx,
1535                                 crl_ext, crl)) goto err;
1536                         }
1537                 if (crl_ext || crl_v2)
1538                         {
1539                         if (ci->version == NULL)
1540                                 if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
1541                         ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
1542                         }
1543
1544                 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
1545
1546                 PEM_write_bio_X509_CRL(Sout,crl);
1547                 }
1548         /*****************************************************************/
1549         if (dorevoke)
1550                 {
1551                 if (infile == NULL) 
1552                         {
1553                         BIO_printf(bio_err,"no input files\n");
1554                         goto err;
1555                         }
1556                 else
1557                         {
1558                         X509 *revcert;
1559                         if (BIO_read_filename(in,infile) <= 0)
1560                                 {
1561                                 perror(infile);
1562                                 BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
1563                                 goto err;
1564                                 }
1565                         revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
1566                         if (revcert == NULL)
1567                                 {
1568                                 BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
1569                                 goto err;
1570                                 }
1571                         j=do_revoke(revcert,db, rev_type, rev_arg);
1572                         if (j <= 0) goto err;
1573                         X509_free(revcert);
1574
1575                         strncpy(buf[0],dbfile,BSIZE-4);
1576                         strcat(buf[0],".new");
1577                         if (BIO_write_filename(out,buf[0]) <= 0)
1578                                 {
1579                                 perror(dbfile);
1580                                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
1581                                 goto err;
1582                                 }
1583                         j=TXT_DB_write(out,db);
1584                         if (j <= 0) goto err;
1585                         strncpy(buf[1],dbfile,BSIZE-4);
1586                         strcat(buf[1],".old");
1587                         if (rename(dbfile,buf[1]) < 0)
1588                                 {
1589                                 BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
1590                                 perror("reason");
1591                                 goto err;
1592                                 }
1593                         if (rename(buf[0],dbfile) < 0)
1594                                 {
1595                                 BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
1596                                 perror("reason");
1597                                 rename(buf[1],dbfile);
1598                                 goto err;
1599                                 }
1600                         BIO_printf(bio_err,"Data Base Updated\n"); 
1601                         }
1602                 }
1603         /*****************************************************************/
1604         ret=0;
1605 err:
1606         BIO_free_all(Cout);
1607         BIO_free_all(Sout);
1608         BIO_free_all(out);
1609         BIO_free(in);
1610
1611         sk_X509_pop_free(cert_sk,X509_free);
1612
1613         if (ret) ERR_print_errors(bio_err);
1614         app_RAND_write_file(randfile, bio_err);
1615         BN_free(serial);
1616         TXT_DB_free(db);
1617         EVP_PKEY_free(pkey);
1618         X509_free(x509);
1619         X509_CRL_free(crl);
1620         CONF_free(conf);
1621         OBJ_cleanup();
1622         EXIT(ret);
1623         }
1624
1625 static void lookup_fail(char *name, char *tag)
1626         {
1627         BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
1628         }
1629
1630 static unsigned long index_serial_hash(const char **a)
1631         {
1632         const char *n;
1633
1634         n=a[DB_serial];
1635         while (*n == '0') n++;
1636         return(lh_strhash(n));
1637         }
1638
1639 static int index_serial_cmp(const char **a, const char **b)
1640         {
1641         const char *aa,*bb;
1642
1643         for (aa=a[DB_serial]; *aa == '0'; aa++);
1644         for (bb=b[DB_serial]; *bb == '0'; bb++);
1645         return(strcmp(aa,bb));
1646         }
1647
1648 static unsigned long index_name_hash(const char **a)
1649         { return(lh_strhash(a[DB_name])); }
1650
1651 static int index_name_qual(char **a)
1652         { return(a[0][0] == 'V'); }
1653
1654 static int index_name_cmp(const char **a, const char **b)
1655         { return(strcmp(a[DB_name],
1656              b[DB_name])); }
1657
1658 static BIGNUM *load_serial(char *serialfile)
1659         {
1660         BIO *in=NULL;
1661         BIGNUM *ret=NULL;
1662         MS_STATIC char buf[1024];
1663         ASN1_INTEGER *ai=NULL;
1664
1665         if ((in=BIO_new(BIO_s_file())) == NULL)
1666                 {
1667                 ERR_print_errors(bio_err);
1668                 goto err;
1669                 }
1670
1671         if (BIO_read_filename(in,serialfile) <= 0)
1672                 {
1673                 perror(serialfile);
1674                 goto err;
1675                 }
1676         ai=ASN1_INTEGER_new();
1677         if (ai == NULL) goto err;
1678         if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
1679                 {
1680                 BIO_printf(bio_err,"unable to load number from %s\n",
1681                         serialfile);
1682                 goto err;
1683                 }
1684         ret=ASN1_INTEGER_to_BN(ai,NULL);
1685         if (ret == NULL)
1686                 {
1687                 BIO_printf(bio_err,"error converting number from bin to BIGNUM");
1688                 goto err;
1689                 }
1690 err:
1691         if (in != NULL) BIO_free(in);
1692         if (ai != NULL) ASN1_INTEGER_free(ai);
1693         return(ret);
1694         }
1695
1696 static int save_serial(char *serialfile, BIGNUM *serial)
1697         {
1698         BIO *out;
1699         int ret=0;
1700         ASN1_INTEGER *ai=NULL;
1701
1702         out=BIO_new(BIO_s_file());
1703         if (out == NULL)
1704                 {
1705                 ERR_print_errors(bio_err);
1706                 goto err;
1707                 }
1708         if (BIO_write_filename(out,serialfile) <= 0)
1709                 {
1710                 perror(serialfile);
1711                 goto err;
1712                 }
1713
1714         if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
1715                 {
1716                 BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
1717                 goto err;
1718                 }
1719         i2a_ASN1_INTEGER(out,ai);
1720         BIO_puts(out,"\n");
1721         ret=1;
1722 err:
1723         if (out != NULL) BIO_free_all(out);
1724         if (ai != NULL) ASN1_INTEGER_free(ai);
1725         return(ret);
1726         }
1727
1728 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1729              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1730              BIGNUM *serial, char *subj, char *startdate, char *enddate, int days,
1731              int batch, char *ext_sect, LHASH *lconf, int verbose,
1732              unsigned long certopt, unsigned long nameopt, int default_op,
1733              int ext_copy)
1734         {
1735         X509_REQ *req=NULL;
1736         BIO *in=NULL;
1737         EVP_PKEY *pktmp=NULL;
1738         int ok= -1,i;
1739
1740         in=BIO_new(BIO_s_file());
1741
1742         if (BIO_read_filename(in,infile) <= 0)
1743                 {
1744                 perror(infile);
1745                 goto err;
1746                 }
1747         if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
1748                 {
1749                 BIO_printf(bio_err,"Error reading certificate request in %s\n",
1750                         infile);
1751                 goto err;
1752                 }
1753         if (verbose)
1754                 X509_REQ_print(bio_err,req);
1755
1756         BIO_printf(bio_err,"Check that the request matches the signature\n");
1757
1758         if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
1759                 {
1760                 BIO_printf(bio_err,"error unpacking public key\n");
1761                 goto err;
1762                 }
1763         i=X509_REQ_verify(req,pktmp);
1764         EVP_PKEY_free(pktmp);
1765         if (i < 0)
1766                 {
1767                 ok=0;
1768                 BIO_printf(bio_err,"Signature verification problems....\n");
1769                 goto err;
1770                 }
1771         if (i == 0)
1772                 {
1773                 ok=0;
1774                 BIO_printf(bio_err,"Signature did not match the certificate request\n");
1775                 goto err;
1776                 }
1777         else
1778                 BIO_printf(bio_err,"Signature ok\n");
1779
1780         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate,
1781                 days,batch,verbose,req,ext_sect,lconf,
1782                 certopt, nameopt, default_op, ext_copy);
1783
1784 err:
1785         if (req != NULL) X509_REQ_free(req);
1786         if (in != NULL) BIO_free(in);
1787         return(ok);
1788         }
1789
1790 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1791              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1792              BIGNUM *serial, char *subj, char *startdate, char *enddate, int days,
1793              int batch, char *ext_sect, LHASH *lconf, int verbose,
1794              unsigned long certopt, unsigned long nameopt, int default_op,
1795              int ext_copy)
1796         {
1797         X509 *req=NULL;
1798         X509_REQ *rreq=NULL;
1799         BIO *in=NULL;
1800         EVP_PKEY *pktmp=NULL;
1801         int ok= -1,i;
1802
1803         in=BIO_new(BIO_s_file());
1804
1805         if (BIO_read_filename(in,infile) <= 0)
1806                 {
1807                 perror(infile);
1808                 goto err;
1809                 }
1810         if ((req=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
1811                 {
1812                 BIO_printf(bio_err,"Error reading self signed certificate in %s\n",infile);
1813                 goto err;
1814                 }
1815         if (verbose)
1816                 X509_print(bio_err,req);
1817
1818         BIO_printf(bio_err,"Check that the request matches the signature\n");
1819
1820         if ((pktmp=X509_get_pubkey(req)) == NULL)
1821                 {
1822                 BIO_printf(bio_err,"error unpacking public key\n");
1823                 goto err;
1824                 }
1825         i=X509_verify(req,pktmp);
1826         EVP_PKEY_free(pktmp);
1827         if (i < 0)
1828                 {
1829                 ok=0;
1830                 BIO_printf(bio_err,"Signature verification problems....\n");
1831                 goto err;
1832                 }
1833         if (i == 0)
1834                 {
1835                 ok=0;
1836                 BIO_printf(bio_err,"Signature did not match the certificate\n");
1837                 goto err;
1838                 }
1839         else
1840                 BIO_printf(bio_err,"Signature ok\n");
1841
1842         if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
1843                 goto err;
1844
1845         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days,
1846                 batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
1847                         ext_copy);
1848
1849 err:
1850         if (rreq != NULL) X509_REQ_free(rreq);
1851         if (req != NULL) X509_free(req);
1852         if (in != NULL) BIO_free(in);
1853         return(ok);
1854         }
1855
1856 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1857              STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
1858              char *startdate, char *enddate, int days, int batch, int verbose,
1859              X509_REQ *req, char *ext_sect, LHASH *lconf,
1860              unsigned long certopt, unsigned long nameopt, int default_op,
1861              int ext_copy)
1862         {
1863         X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
1864         ASN1_UTCTIME *tm,*tmptm;
1865         ASN1_STRING *str,*str2;
1866         ASN1_OBJECT *obj;
1867         X509 *ret=NULL;
1868         X509_CINF *ci;
1869         X509_NAME_ENTRY *ne;
1870         X509_NAME_ENTRY *tne,*push;
1871         EVP_PKEY *pktmp;
1872         int ok= -1,i,j,last,nid;
1873         char *p;
1874         CONF_VALUE *cv;
1875         char *row[DB_NUMBER],**rrow,**irow=NULL;
1876         char buf[25];
1877
1878         tmptm=ASN1_UTCTIME_new();
1879         if (tmptm == NULL)
1880                 {
1881                 BIO_printf(bio_err,"malloc error\n");
1882                 return(0);
1883                 }
1884
1885         for (i=0; i<DB_NUMBER; i++)
1886                 row[i]=NULL;
1887
1888         if (subj)
1889                 {
1890                 X509_NAME *n = do_subject(subj);
1891
1892                 if (!n)
1893                         {
1894                         ERR_print_errors(bio_err);
1895                         goto err;
1896                         }
1897                 X509_REQ_set_subject_name(req,n);
1898                 req->req_info->enc.modified = 1;
1899                 X509_NAME_free(n);
1900                 }
1901
1902         if (default_op)
1903                 BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
1904         name=X509_REQ_get_subject_name(req);
1905         for (i=0; i<X509_NAME_entry_count(name); i++)
1906                 {
1907                 ne= X509_NAME_get_entry(name,i);
1908                 str=X509_NAME_ENTRY_get_data(ne);
1909                 obj=X509_NAME_ENTRY_get_object(ne);
1910
1911                 if (msie_hack)
1912                         {
1913                         /* assume all type should be strings */
1914                         nid=OBJ_obj2nid(ne->object);
1915
1916                         if (str->type == V_ASN1_UNIVERSALSTRING)
1917                                 ASN1_UNIVERSALSTRING_to_string(str);
1918
1919                         if ((str->type == V_ASN1_IA5STRING) &&
1920                                 (nid != NID_pkcs9_emailAddress))
1921                                 str->type=V_ASN1_T61STRING;
1922
1923                         if ((nid == NID_pkcs9_emailAddress) &&
1924                                 (str->type == V_ASN1_PRINTABLESTRING))
1925                                 str->type=V_ASN1_IA5STRING;
1926                         }
1927
1928                 /* check some things */
1929                 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1930                         (str->type != V_ASN1_IA5STRING))
1931                         {
1932                         BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
1933                         goto err;
1934                         }
1935                 j=ASN1_PRINTABLE_type(str->data,str->length);
1936                 if (    ((j == V_ASN1_T61STRING) &&
1937                          (str->type != V_ASN1_T61STRING)) ||
1938                         ((j == V_ASN1_IA5STRING) &&
1939                          (str->type == V_ASN1_PRINTABLESTRING)))
1940                         {
1941                         BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
1942                         goto err;
1943                         }
1944
1945                 if (default_op)
1946                         old_entry_print(bio_err, obj, str);
1947 #if 0
1948                 j=i2a_ASN1_OBJECT(bio_err,obj);
1949                 pbuf=buf;
1950                 for (j=22-j; j>0; j--)
1951                         *(pbuf++)=' ';
1952                 *(pbuf++)=':';
1953                 *(pbuf++)='\0';
1954                 BIO_puts(bio_err,buf);
1955
1956                 if (str->type == V_ASN1_PRINTABLESTRING)
1957                         BIO_printf(bio_err,"PRINTABLE:'");
1958                 else if (str->type == V_ASN1_T61STRING)
1959                         BIO_printf(bio_err,"T61STRING:'");
1960                 else if (str->type == V_ASN1_IA5STRING)
1961                         BIO_printf(bio_err,"IA5STRING:'");
1962                 else if (str->type == V_ASN1_UNIVERSALSTRING)
1963                         BIO_printf(bio_err,"UNIVERSALSTRING:'");
1964                 else
1965                         BIO_printf(bio_err,"ASN.1 %2d:'",str->type);
1966                         
1967                 p=(char *)str->data;
1968                 for (j=str->length; j>0; j--)
1969                         {
1970                         if ((*p >= ' ') && (*p <= '~'))
1971                                 BIO_printf(bio_err,"%c",*p);
1972                         else if (*p & 0x80)
1973                                 BIO_printf(bio_err,"\\0x%02X",*p);
1974                         else if ((unsigned char)*p == 0xf7)
1975                                 BIO_printf(bio_err,"^?");
1976                         else    BIO_printf(bio_err,"^%c",*p+'@');
1977                         p++;
1978                         }
1979                 BIO_printf(bio_err,"'\n");
1980 #endif
1981                 }
1982
1983         /* Ok, now we check the 'policy' stuff. */
1984         if ((subject=X509_NAME_new()) == NULL)
1985                 {
1986                 BIO_printf(bio_err,"Memory allocation failure\n");
1987                 goto err;
1988                 }
1989
1990         /* take a copy of the issuer name before we mess with it. */
1991         CAname=X509_NAME_dup(x509->cert_info->subject);
1992         if (CAname == NULL) goto err;
1993         str=str2=NULL;
1994
1995         for (i=0; i<sk_CONF_VALUE_num(policy); i++)
1996                 {
1997                 cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
1998                 if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
1999                         {
2000                         BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
2001                         goto err;
2002                         }
2003                 obj=OBJ_nid2obj(j);
2004
2005                 last= -1;
2006                 for (;;)
2007                         {
2008                         /* lookup the object in the supplied name list */
2009                         j=X509_NAME_get_index_by_OBJ(name,obj,last);
2010                         if (j < 0)
2011                                 {
2012                                 if (last != -1) break;
2013                                 tne=NULL;
2014                                 }
2015                         else
2016                                 {
2017                                 tne=X509_NAME_get_entry(name,j);
2018                                 }
2019                         last=j;
2020
2021                         /* depending on the 'policy', decide what to do. */
2022                         push=NULL;
2023                         if (strcmp(cv->value,"optional") == 0)
2024                                 {
2025                                 if (tne != NULL)
2026                                         push=tne;
2027                                 }
2028                         else if (strcmp(cv->value,"supplied") == 0)
2029                                 {
2030                                 if (tne == NULL)
2031                                         {
2032                                         BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
2033                                         goto err;
2034                                         }
2035                                 else
2036                                         push=tne;
2037                                 }
2038                         else if (strcmp(cv->value,"match") == 0)
2039                                 {
2040                                 int last2;
2041
2042                                 if (tne == NULL)
2043                                         {
2044                                         BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
2045                                         goto err;
2046                                         }
2047
2048                                 last2= -1;
2049
2050 again2:
2051                                 j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
2052                                 if ((j < 0) && (last2 == -1))
2053                                         {
2054                                         BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
2055                                         goto err;
2056                                         }
2057                                 if (j >= 0)
2058                                         {
2059                                         push=X509_NAME_get_entry(CAname,j);
2060                                         str=X509_NAME_ENTRY_get_data(tne);
2061                                         str2=X509_NAME_ENTRY_get_data(push);
2062                                         last2=j;
2063                                         if (ASN1_STRING_cmp(str,str2) != 0)
2064                                                 goto again2;
2065                                         }
2066                                 if (j < 0)
2067                                         {
2068                                         BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
2069                                         goto err;
2070                                         }
2071                                 }
2072                         else
2073                                 {
2074                                 BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
2075                                 goto err;
2076                                 }
2077
2078                         if (push != NULL)
2079                                 {
2080                                 if (!X509_NAME_add_entry(subject,push, -1, 0))
2081                                         {
2082                                         if (push != NULL)
2083                                                 X509_NAME_ENTRY_free(push);
2084                                         BIO_printf(bio_err,"Memory allocation failure\n");
2085                                         goto err;
2086                                         }
2087                                 }
2088                         if (j < 0) break;
2089                         }
2090                 }
2091
2092         if (preserve)
2093                 {
2094                 X509_NAME_free(subject);
2095                 subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
2096                 if (subject == NULL) goto err;
2097                 }
2098
2099         if (verbose)
2100                 BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
2101
2102         row[DB_name]=X509_NAME_oneline(subject,NULL,0);
2103         row[DB_serial]=BN_bn2hex(serial);
2104         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2105                 {
2106                 BIO_printf(bio_err,"Memory allocation failure\n");
2107                 goto err;
2108                 }
2109
2110         rrow=TXT_DB_get_by_index(db,DB_name,row);
2111         if (rrow != NULL)
2112                 {
2113                 BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
2114                         row[DB_name]);
2115                 }
2116         else
2117                 {
2118                 rrow=TXT_DB_get_by_index(db,DB_serial,row);
2119                 if (rrow != NULL)
2120                         {
2121                         BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
2122                                 row[DB_serial]);
2123                         BIO_printf(bio_err,"      check the database/serial_file for corruption\n");
2124                         }
2125                 }
2126
2127         if (rrow != NULL)
2128                 {
2129                 BIO_printf(bio_err,
2130                         "The matching entry has the following details\n");
2131                 if (rrow[DB_type][0] == 'E')
2132                         p="Expired";
2133                 else if (rrow[DB_type][0] == 'R')
2134                         p="Revoked";
2135                 else if (rrow[DB_type][0] == 'V')
2136                         p="Valid";
2137                 else
2138                         p="\ninvalid type, Data base error\n";
2139                 BIO_printf(bio_err,"Type          :%s\n",p);;
2140                 if (rrow[DB_type][0] == 'R')
2141                         {
2142                         p=rrow[DB_exp_date]; if (p == NULL) p="undef";
2143                         BIO_printf(bio_err,"Was revoked on:%s\n",p);
2144                         }
2145                 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
2146                 BIO_printf(bio_err,"Expires on    :%s\n",p);
2147                 p=rrow[DB_serial]; if (p == NULL) p="undef";
2148                 BIO_printf(bio_err,"Serial Number :%s\n",p);
2149                 p=rrow[DB_file]; if (p == NULL) p="undef";
2150                 BIO_printf(bio_err,"File name     :%s\n",p);
2151                 p=rrow[DB_name]; if (p == NULL) p="undef";
2152                 BIO_printf(bio_err,"Subject Name  :%s\n",p);
2153                 ok= -1; /* This is now a 'bad' error. */
2154                 goto err;
2155                 }
2156
2157         /* We are now totally happy, lets make and sign the certificate */
2158         if (verbose)
2159                 BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
2160
2161         if ((ret=X509_new()) == NULL) goto err;
2162         ci=ret->cert_info;
2163
2164 #ifdef X509_V3
2165         /* Make it an X509 v3 certificate. */
2166         if (!X509_set_version(x509,2)) goto err;
2167 #endif
2168
2169         if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
2170                 goto err;
2171         if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
2172                 goto err;
2173
2174         BIO_printf(bio_err,"Certificate is to be certified until ");
2175         if (strcmp(startdate,"today") == 0)
2176                 X509_gmtime_adj(X509_get_notBefore(ret),0);
2177         else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
2178
2179         if (enddate == NULL)
2180                 X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
2181         else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
2182
2183         ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
2184         if (days) BIO_printf(bio_err," (%d days)",days);
2185         BIO_printf(bio_err, "\n");
2186
2187         if (!X509_set_subject_name(ret,subject)) goto err;
2188
2189         pktmp=X509_REQ_get_pubkey(req);
2190         i = X509_set_pubkey(ret,pktmp);
2191         EVP_PKEY_free(pktmp);
2192         if (!i) goto err;
2193
2194         /* Lets add the extensions, if there are any */
2195         if (ext_sect)
2196                 {
2197                 X509V3_CTX ctx;
2198                 if (ci->version == NULL)
2199                         if ((ci->version=ASN1_INTEGER_new()) == NULL)
2200                                 goto err;
2201                 ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
2202
2203                 /* Free the current entries if any, there should not
2204                  * be any I believe */
2205                 if (ci->extensions != NULL)
2206                         sk_X509_EXTENSION_pop_free(ci->extensions,
2207                                                    X509_EXTENSION_free);
2208
2209                 ci->extensions = NULL;
2210
2211                 /* Initialize the context structure */
2212                 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
2213
2214                 if (extconf)
2215                         {
2216                         if (verbose)
2217                                 BIO_printf(bio_err, "Extra configuration file found\n");
2218  
2219                         /* Use the extconf configuration db LHASH */
2220                         X509V3_set_conf_lhash(&ctx, extconf);
2221  
2222                         /* Test the structure (needed?) */
2223                         /* X509V3_set_ctx_test(&ctx); */
2224
2225                         /* Adds exts contained in the configuration file */
2226                         if (!X509V3_EXT_add_conf(extconf, &ctx, ext_sect,ret))
2227                                 {
2228                                 BIO_printf(bio_err,
2229                                     "ERROR: adding extensions in section %s\n",
2230                                                                 ext_sect);
2231                                 ERR_print_errors(bio_err);
2232                                 goto err;
2233                                 }
2234                         if (verbose)
2235                                 BIO_printf(bio_err, "Successfully added extensions from file.\n");
2236                         }
2237                 else if (ext_sect)
2238                         {
2239                         /* We found extensions to be set from config file */
2240                         X509V3_set_conf_lhash(&ctx, lconf);
2241
2242                         if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret))
2243                                 {
2244                                 BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
2245                                 ERR_print_errors(bio_err);
2246                                 goto err;
2247                                 }
2248
2249                         if (verbose) 
2250                                 BIO_printf(bio_err, "Successfully added extensions from config\n");
2251                         }
2252                 }
2253
2254
2255         if (!batch)
2256                 {
2257                 if (!default_op)
2258                         {
2259                         BIO_printf(bio_err, "Certificate Details:\n");
2260                         /* Never print signature details because signature not present */
2261                         certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
2262                         X509_print_ex(bio_err, ret, nameopt, certopt); 
2263                         }
2264                 BIO_printf(bio_err,"Sign the certificate? [y/n]:");
2265                 (void)BIO_flush(bio_err);
2266                 buf[0]='\0';
2267                 fgets(buf,sizeof(buf)-1,stdin);
2268                 if (!((buf[0] == 'y') || (buf[0] == 'Y')))
2269                         {
2270                         BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
2271                         ok=0;
2272                         goto err;
2273                         }
2274                 }
2275
2276
2277 #ifndef OPENSSL_NO_DSA
2278         if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
2279         pktmp=X509_get_pubkey(ret);
2280         if (EVP_PKEY_missing_parameters(pktmp) &&
2281                 !EVP_PKEY_missing_parameters(pkey))
2282                 EVP_PKEY_copy_parameters(pktmp,pkey);
2283         EVP_PKEY_free(pktmp);
2284 #endif
2285
2286         if (!X509_sign(ret,pkey,dgst))
2287                 goto err;
2288
2289         /* We now just add it to the database */
2290         row[DB_type]=(char *)OPENSSL_malloc(2);
2291
2292         tm=X509_get_notAfter(ret);
2293         row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2294         memcpy(row[DB_exp_date],tm->data,tm->length);
2295         row[DB_exp_date][tm->length]='\0';
2296
2297         row[DB_rev_date]=NULL;
2298
2299         /* row[DB_serial] done already */
2300         row[DB_file]=(char *)OPENSSL_malloc(8);
2301         /* row[DB_name] done already */
2302
2303         if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2304                 (row[DB_file] == NULL))
2305                 {
2306                 BIO_printf(bio_err,"Memory allocation failure\n");
2307                 goto err;
2308                 }
2309         strcpy(row[DB_file],"unknown");
2310         row[DB_type][0]='V';
2311         row[DB_type][1]='\0';
2312
2313         if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2314                 {
2315                 BIO_printf(bio_err,"Memory allocation failure\n");
2316                 goto err;
2317                 }
2318
2319         for (i=0; i<DB_NUMBER; i++)
2320                 {
2321                 irow[i]=row[i];
2322                 row[i]=NULL;
2323                 }
2324         irow[DB_NUMBER]=NULL;
2325
2326         if (!TXT_DB_insert(db,irow))
2327                 {
2328                 BIO_printf(bio_err,"failed to update database\n");
2329                 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
2330                 goto err;
2331                 }
2332         ok=1;
2333 err:
2334         for (i=0; i<DB_NUMBER; i++)
2335                 if (row[i] != NULL) OPENSSL_free(row[i]);
2336
2337         if (CAname != NULL)
2338                 X509_NAME_free(CAname);
2339         if (subject != NULL)
2340                 X509_NAME_free(subject);
2341         if (tmptm != NULL)
2342                 ASN1_UTCTIME_free(tmptm);
2343         if (ok <= 0)
2344                 {
2345                 if (ret != NULL) X509_free(ret);
2346                 ret=NULL;
2347                 }
2348         else
2349                 *xret=ret;
2350         return(ok);
2351         }
2352
2353 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
2354         {
2355
2356         if (output_der)
2357                 {
2358                 (void)i2d_X509_bio(bp,x);
2359                 return;
2360                 }
2361 #if 0
2362         /* ??? Not needed since X509_print prints all this stuff anyway */
2363         f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
2364         BIO_printf(bp,"issuer :%s\n",f);
2365
2366         f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
2367         BIO_printf(bp,"subject:%s\n",f);
2368
2369         BIO_puts(bp,"serial :");
2370         i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
2371         BIO_puts(bp,"\n\n");
2372 #endif
2373         if (!notext)X509_print(bp,x);
2374         PEM_write_bio_X509(bp,x);
2375         }
2376
2377 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
2378              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
2379              BIGNUM *serial, char *subj, char *startdate, char *enddate, int days,
2380              char *ext_sect, LHASH *lconf, int verbose, unsigned long certopt,
2381              unsigned long nameopt, int default_op, int ext_copy)
2382         {
2383         STACK_OF(CONF_VALUE) *sk=NULL;
2384         LHASH *parms=NULL;
2385         X509_REQ *req=NULL;
2386         CONF_VALUE *cv=NULL;
2387         NETSCAPE_SPKI *spki = NULL;
2388         X509_REQ_INFO *ri;
2389         char *type,*buf;
2390         EVP_PKEY *pktmp=NULL;
2391         X509_NAME *n=NULL;
2392         X509_NAME_ENTRY *ne=NULL;
2393         int ok= -1,i,j;
2394         long errline;
2395         int nid;
2396
2397         /*
2398          * Load input file into a hash table.  (This is just an easy
2399          * way to read and parse the file, then put it into a convenient
2400          * STACK format).
2401          */
2402         parms=CONF_load(NULL,infile,&errline);
2403         if (parms == NULL)
2404                 {
2405                 BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
2406                 ERR_print_errors(bio_err);
2407                 goto err;
2408                 }
2409
2410         sk=CONF_get_section(parms, "default");
2411         if (sk_CONF_VALUE_num(sk) == 0)
2412                 {
2413                 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2414                 CONF_free(parms);
2415                 goto err;
2416                 }
2417
2418         /*
2419          * Now create a dummy X509 request structure.  We don't actually
2420          * have an X509 request, but we have many of the components
2421          * (a public key, various DN components).  The idea is that we
2422          * put these components into the right X509 request structure
2423          * and we can use the same code as if you had a real X509 request.
2424          */
2425         req=X509_REQ_new();
2426         if (req == NULL)
2427                 {
2428                 ERR_print_errors(bio_err);
2429                 goto err;
2430                 }
2431
2432         /*
2433          * Build up the subject name set.
2434          */
2435         ri=req->req_info;
2436         n = ri->subject;
2437
2438         for (i = 0; ; i++)
2439                 {
2440                 if (sk_CONF_VALUE_num(sk) <= i) break;
2441
2442                 cv=sk_CONF_VALUE_value(sk,i);
2443                 type=cv->name;
2444                 /* Skip past any leading X. X: X, etc to allow for
2445                  * multiple instances
2446                  */
2447                 for (buf = cv->name; *buf ; buf++)
2448                         if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
2449                                 {
2450                                 buf++;
2451                                 if (*buf) type = buf;
2452                                 break;
2453                                 }
2454
2455                 buf=cv->value;
2456                 if ((nid=OBJ_txt2nid(type)) == NID_undef)
2457                         {
2458                         if (strcmp(type, "SPKAC") == 0)
2459                                 {
2460                                 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2461                                 if (spki == NULL)
2462                                         {
2463                                         BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
2464                                         ERR_print_errors(bio_err);
2465                                         goto err;
2466                                         }
2467                                 }
2468                         continue;
2469                         }
2470
2471                 j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
2472                 if (fix_data(nid, &j) == 0)
2473                         {
2474                         BIO_printf(bio_err,
2475                                 "invalid characters in string %s\n",buf);
2476                         goto err;
2477                         }
2478
2479                 if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
2480                         (unsigned char *)buf,
2481                         strlen(buf))) == NULL)
2482                         goto err;
2483
2484                 if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
2485                 }
2486         if (spki == NULL)
2487                 {
2488                 BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
2489                         infile);
2490                 goto err;
2491                 }
2492
2493         /*
2494          * Now extract the key from the SPKI structure.
2495          */
2496
2497         BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
2498
2499         if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
2500                 {
2501                 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
2502                 goto err;
2503                 }
2504
2505         j = NETSCAPE_SPKI_verify(spki, pktmp);
2506         if (j <= 0)
2507                 {
2508                 BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
2509                 goto err;
2510                 }
2511         BIO_printf(bio_err,"Signature ok\n");
2512
2513         X509_REQ_set_pubkey(req,pktmp);
2514         EVP_PKEY_free(pktmp);
2515         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,
2516                    days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
2517                         ext_copy);
2518 err:
2519         if (req != NULL) X509_REQ_free(req);
2520         if (parms != NULL) CONF_free(parms);
2521         if (spki != NULL) NETSCAPE_SPKI_free(spki);
2522         if (ne != NULL) X509_NAME_ENTRY_free(ne);
2523
2524         return(ok);
2525         }
2526
2527 static int fix_data(int nid, int *type)
2528         {
2529         if (nid == NID_pkcs9_emailAddress)
2530                 *type=V_ASN1_IA5STRING;
2531         if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
2532                 *type=V_ASN1_T61STRING;
2533         if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
2534                 *type=V_ASN1_T61STRING;
2535         if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
2536                 return(0);
2537         if (nid == NID_pkcs9_unstructuredName)
2538                 *type=V_ASN1_IA5STRING;
2539         return(1);
2540         }
2541
2542 static int check_time_format(char *str)
2543         {
2544         ASN1_UTCTIME tm;
2545
2546         tm.data=(unsigned char *)str;
2547         tm.length=strlen(str);
2548         tm.type=V_ASN1_UTCTIME;
2549         return(ASN1_UTCTIME_check(&tm));
2550         }
2551
2552 static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
2553         {
2554         ASN1_UTCTIME *tm=NULL;
2555         char *row[DB_NUMBER],**rrow,**irow;
2556         char *rev_str = NULL;
2557         BIGNUM *bn = NULL;
2558         int ok=-1,i;
2559
2560         for (i=0; i<DB_NUMBER; i++)
2561                 row[i]=NULL;
2562         row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
2563         bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
2564         row[DB_serial]=BN_bn2hex(bn);
2565         BN_free(bn);
2566         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2567                 {
2568                 BIO_printf(bio_err,"Memory allocation failure\n");
2569                 goto err;
2570                 }
2571         /* We have to lookup by serial number because name lookup
2572          * skips revoked certs
2573          */
2574         rrow=TXT_DB_get_by_index(db,DB_serial,row);
2575         if (rrow == NULL)
2576                 {
2577                 BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
2578
2579                 /* We now just add it to the database */
2580                 row[DB_type]=(char *)OPENSSL_malloc(2);
2581
2582                 tm=X509_get_notAfter(x509);
2583                 row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
2584                 memcpy(row[DB_exp_date],tm->data,tm->length);
2585                 row[DB_exp_date][tm->length]='\0';
2586
2587                 row[DB_rev_date]=NULL;
2588
2589                 /* row[DB_serial] done already */
2590                 row[DB_file]=(char *)OPENSSL_malloc(8);
2591
2592                 /* row[DB_name] done already */
2593
2594                 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2595                         (row[DB_file] == NULL))
2596                         {
2597                         BIO_printf(bio_err,"Memory allocation failure\n");
2598                         goto err;
2599                         }
2600                 strcpy(row[DB_file],"unknown");
2601                 row[DB_type][0]='V';
2602                 row[DB_type][1]='\0';
2603
2604                 if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2605                         {
2606                         BIO_printf(bio_err,"Memory allocation failure\n");
2607                         goto err;
2608                         }
2609
2610                 for (i=0; i<DB_NUMBER; i++)
2611                         {
2612                         irow[i]=row[i];
2613                         row[i]=NULL;
2614                         }
2615                 irow[DB_NUMBER]=NULL;
2616
2617                 if (!TXT_DB_insert(db,irow))
2618                         {
2619                         BIO_printf(bio_err,"failed to update database\n");
2620                         BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
2621                         goto err;
2622                         }
2623
2624                 /* Revoke Certificate */
2625                 ok = do_revoke(x509,db, type, value);
2626
2627                 goto err;
2628
2629                 }
2630         else if (index_name_cmp((const char **)row,(const char **)rrow))
2631                 {
2632                 BIO_printf(bio_err,"ERROR:name does not match %s\n",
2633                            row[DB_name]);
2634                 goto err;
2635                 }
2636         else if (rrow[DB_type][0]=='R')
2637                 {
2638                 BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
2639                            row[DB_serial]);
2640                 goto err;
2641                 }
2642         else
2643                 {
2644                 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
2645                 rev_str = make_revocation_str(type, value);
2646                 if (!rev_str)
2647                         {
2648                         BIO_printf(bio_err, "Error in revocation arguments\n");
2649                         goto err;
2650                         }
2651                 rrow[DB_type][0]='R';
2652                 rrow[DB_type][1]='\0';
2653                 rrow[DB_rev_date] = rev_str;
2654                 }
2655         ok=1;
2656 err:
2657         for (i=0; i<DB_NUMBER; i++)
2658                 {
2659                 if (row[i] != NULL) 
2660                         OPENSSL_free(row[i]);
2661                 }
2662         return(ok);
2663         }
2664
2665 static int get_certificate_status(const char *serial, TXT_DB *db)
2666         {
2667         char *row[DB_NUMBER],**rrow;
2668         int ok=-1,i;
2669
2670         /* Free Resources */
2671         for (i=0; i<DB_NUMBER; i++)
2672                 row[i]=NULL;
2673
2674         /* Malloc needed char spaces */
2675         row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
2676         if (row[DB_serial] == NULL)
2677                 {
2678                 BIO_printf(bio_err,"Malloc failure\n");
2679                 goto err;
2680                 }
2681
2682         if (strlen(serial) % 2)
2683                 {
2684                 /* Set the first char to 0 */;
2685                 row[DB_serial][0]='0';
2686
2687                 /* Copy String from serial to row[DB_serial] */
2688                 memcpy(row[DB_serial]+1, serial, strlen(serial));
2689                 row[DB_serial][strlen(serial)+1]='\0';
2690                 }
2691         else
2692                 {
2693                 /* Copy String from serial to row[DB_serial] */
2694                 memcpy(row[DB_serial], serial, strlen(serial));
2695                 row[DB_serial][strlen(serial)]='\0';
2696                 }
2697                         
2698         /* Make it Upper Case */
2699         for (i=0; row[DB_serial][i] != '\0'; i++)
2700                 row[DB_serial][i] = toupper(row[DB_serial][i]);
2701         
2702
2703         ok=1;
2704
2705         /* Search for the certificate */
2706         rrow=TXT_DB_get_by_index(db,DB_serial,row);
2707         if (rrow == NULL)
2708                 {
2709                 BIO_printf(bio_err,"Serial %s not present in db.\n",
2710                                  row[DB_serial]);
2711                 ok=-1;
2712                 goto err;
2713                 }
2714         else if (rrow[DB_type][0]=='V')
2715                 {
2716                 BIO_printf(bio_err,"%s=Valid (%c)\n",
2717                         row[DB_serial], rrow[DB_type][0]);
2718                 goto err;
2719                 }
2720         else if (rrow[DB_type][0]=='R')
2721                 {
2722                 BIO_printf(bio_err,"%s=Revoked (%c)\n",
2723                         row[DB_serial], rrow[DB_type][0]);
2724                 goto err;
2725                 }
2726         else if (rrow[DB_type][0]=='E')
2727                 {
2728                 BIO_printf(bio_err,"%s=Expired (%c)\n",
2729                         row[DB_serial], rrow[DB_type][0]);
2730                 goto err;
2731                 }
2732         else if (rrow[DB_type][0]=='S')
2733                 {
2734                 BIO_printf(bio_err,"%s=Suspended (%c)\n",
2735                         row[DB_serial], rrow[DB_type][0]);
2736                 goto err;
2737                 }
2738         else
2739                 {
2740                 BIO_printf(bio_err,"%s=Unknown (%c).\n",
2741                         row[DB_serial], rrow[DB_type][0]);
2742                 ok=-1;
2743                 }
2744 err:
2745         for (i=0; i<DB_NUMBER; i++)
2746                 {
2747                 if (row[i] != NULL)
2748                         OPENSSL_free(row[i]);
2749                 }
2750         return(ok);
2751         }
2752
2753 static int do_updatedb (TXT_DB *db)
2754         {
2755         ASN1_UTCTIME    *a_tm = NULL;
2756         int i, cnt = 0;
2757         int db_y2k, a_y2k;  /* flags = 1 if y >= 2000 */ 
2758         char **rrow, *a_tm_s;
2759
2760         a_tm = ASN1_UTCTIME_new();
2761
2762         /* get actual time and make a string */
2763         a_tm = X509_gmtime_adj(a_tm, 0);
2764         a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
2765         if (a_tm_s == NULL)
2766                 {
2767                 cnt = -1;
2768                 goto err;
2769                 }
2770
2771         memcpy(a_tm_s, a_tm->data, a_tm->length);
2772         a_tm_s[a_tm->length] = '\0';
2773
2774         if (strncmp(a_tm_s, "49", 2) <= 0)
2775                 a_y2k = 1;
2776         else
2777                 a_y2k = 0;
2778
2779         for (i = 0; i < sk_num(db->data); i++)
2780                 {
2781                 rrow = (char **) sk_value(db->data, i);
2782
2783                 if (rrow[DB_type][0] == 'V')
2784                         {
2785                         /* ignore entries that are not valid */
2786                         if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
2787                                 db_y2k = 1;
2788                         else
2789                                 db_y2k = 0;
2790
2791                         if (db_y2k == a_y2k)
2792                                 {
2793                                 /* all on the same y2k side */
2794                                 if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
2795                                         {
2796                                         rrow[DB_type][0]  = 'E';
2797                                         rrow[DB_type][1]  = '\0';
2798                                         cnt++;
2799
2800                                         BIO_printf(bio_err, "%s=Expired\n",
2801                                                         rrow[DB_serial]);
2802                                         }
2803                                 }
2804                         else if (db_y2k < a_y2k)
2805                                 {
2806                                 rrow[DB_type][0]  = 'E';
2807                                 rrow[DB_type][1]  = '\0';
2808                                 cnt++;
2809
2810                                 BIO_printf(bio_err, "%s=Expired\n",
2811                                                         rrow[DB_serial]);
2812                                 }
2813
2814                         }
2815                 }
2816
2817 err:
2818
2819         ASN1_UTCTIME_free(a_tm);
2820         OPENSSL_free(a_tm_s);
2821
2822         return (cnt);
2823         }
2824
2825 static char *crl_reasons[] = {
2826         /* CRL reason strings */
2827         "unspecified",
2828         "keyCompromise",
2829         "CACompromise",
2830         "affiliationChanged",
2831         "superseded", 
2832         "cessationOfOperation",
2833         "certificateHold",
2834         "removeFromCRL",
2835         /* Additional pseudo reasons */
2836         "holdInstruction",
2837         "keyTime",
2838         "CAkeyTime"
2839 };
2840
2841 #define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
2842
2843 /* Given revocation information convert to a DB string.
2844  * The format of the string is:
2845  * revtime[,reason,extra]. Where 'revtime' is the
2846  * revocation time (the current time). 'reason' is the
2847  * optional CRL reason and 'extra' is any additional
2848  * argument
2849  */
2850
2851 char *make_revocation_str(int rev_type, char *rev_arg)
2852         {
2853         char *reason = NULL, *other = NULL, *str;
2854         ASN1_OBJECT *otmp;
2855         ASN1_UTCTIME *revtm = NULL;
2856         int i;
2857         switch (rev_type)
2858                 {
2859         case REV_NONE:
2860                 break;
2861
2862         case REV_CRL_REASON:
2863                 for (i = 0; i < 8; i++)
2864                         {
2865                         if (!strcasecmp(rev_arg, crl_reasons[i]))
2866                                 {
2867                                 reason = crl_reasons[i];
2868                                 break;
2869                                 }
2870                         }
2871                 if (reason == NULL)
2872                         {
2873                         BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2874                         return NULL;
2875                         }
2876                 break;
2877
2878         case REV_HOLD:
2879                 /* Argument is an OID */
2880
2881                 otmp = OBJ_txt2obj(rev_arg, 0);
2882                 ASN1_OBJECT_free(otmp);
2883
2884                 if (otmp == NULL)
2885                         {
2886                         BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2887                         return NULL;
2888                         }
2889
2890                 reason = "holdInstruction";
2891                 other = rev_arg;
2892                 break;
2893                 
2894         case REV_KEY_COMPROMISE:
2895         case REV_CA_COMPROMISE:
2896
2897                 /* Argument is the key compromise time  */
2898                 if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
2899                         {       
2900                         BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
2901                         return NULL;
2902                         }
2903                 other = rev_arg;
2904                 if (rev_type == REV_KEY_COMPROMISE)
2905                         reason = "keyTime";
2906                 else 
2907                         reason = "CAkeyTime";
2908
2909                 break;
2910
2911                 }
2912
2913         revtm = X509_gmtime_adj(NULL, 0);
2914
2915         i = revtm->length + 1;
2916
2917         if (reason) i += strlen(reason) + 1;
2918         if (other) i += strlen(other) + 1;
2919
2920         str = OPENSSL_malloc(i);
2921
2922         if (!str) return NULL;
2923
2924         strcpy(str, (char *)revtm->data);
2925         if (reason)
2926                 {
2927                 strcat(str, ",");
2928                 strcat(str, reason);
2929                 }
2930         if (other)
2931                 {
2932                 strcat(str, ",");
2933                 strcat(str, other);
2934                 }
2935         ASN1_UTCTIME_free(revtm);
2936         return str;
2937         }
2938
2939 /* Convert revocation field to X509_REVOKED entry 
2940  * return code:
2941  * 0 error
2942  * 1 OK
2943  * 2 OK and some extensions added (i.e. V2 CRL)
2944  */
2945
2946 int make_revoked(X509_REVOKED *rev, char *str)
2947         {
2948         char *tmp = NULL;
2949         char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
2950         int reason_code = -1;
2951         int i, ret = 0;
2952         ASN1_OBJECT *hold = NULL;
2953         ASN1_GENERALIZEDTIME *comp_time = NULL;
2954         ASN1_ENUMERATED *rtmp = NULL;
2955         tmp = BUF_strdup(str);
2956
2957         p = strchr(tmp, ',');
2958
2959         rtime_str = tmp;
2960
2961         if (p)
2962                 {
2963                 *p = '\0';
2964                 p++;
2965                 reason_str = p;
2966                 p = strchr(p, ',');
2967                 if (p)
2968                         {
2969                         *p = '\0';
2970                         arg_str = p + 1;
2971                         }
2972                 }
2973
2974         if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str))
2975                 {
2976                 BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
2977                 goto err;
2978                 }
2979         if (reason_str)
2980                 {
2981                 for (i = 0; i < NUM_REASONS; i++)
2982                         {
2983                         if(!strcasecmp(reason_str, crl_reasons[i]))
2984                                 {
2985                                 reason_code = i;
2986                                 break;
2987                                 }
2988                         }
2989                 if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
2990                         {
2991                         BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
2992                         goto err;
2993                         }
2994
2995                 if (reason_code == 7)
2996                         reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
2997                 else if (reason_code == 8)              /* Hold instruction */
2998                         {
2999                         if (!arg_str)
3000                                 {       
3001                                 BIO_printf(bio_err, "missing hold instruction\n");
3002                                 goto err;
3003                                 }
3004                         reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
3005                         hold = OBJ_txt2obj(arg_str, 0);
3006
3007                         if (!hold)
3008                                 {
3009                                 BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
3010                                 goto err;
3011                                 }
3012                         }
3013                 else if ((reason_code == 9) || (reason_code == 10))
3014                         {
3015                         if (!arg_str)
3016                                 {       
3017                                 BIO_printf(bio_err, "missing compromised time\n");
3018                                 goto err;
3019                                 }
3020                         comp_time = ASN1_GENERALIZEDTIME_new();
3021                         if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
3022                                 {       
3023                                 BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
3024                                 goto err;
3025                                 }
3026                         if (reason_code == 9)
3027                                 reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
3028                         else
3029                                 reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
3030                         }
3031                 }
3032
3033         if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
3034                 {
3035                 rtmp = ASN1_ENUMERATED_new();
3036                 if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
3037                         goto err;
3038                 if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
3039                         goto err;
3040                 }
3041
3042         if (rev && comp_time)
3043                 {
3044                 if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
3045                         goto err;
3046                 }
3047         if (rev && hold)
3048                 {
3049                 if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
3050                         goto err;
3051                 }
3052
3053         if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
3054                 ret = 2;
3055         else ret = 1;
3056
3057         err:
3058
3059         if (tmp) OPENSSL_free(tmp);
3060         ASN1_OBJECT_free(hold);
3061         ASN1_GENERALIZEDTIME_free(comp_time);
3062         ASN1_ENUMERATED_free(rtmp);
3063
3064         return ret;
3065         }
3066
3067 static X509_NAME *do_subject(char *subject)
3068         {
3069         X509_NAME *n = NULL;
3070
3071         int i, nid, ne_num=0;
3072
3073         char *ne_name = NULL;
3074         char *ne_value = NULL;
3075
3076         char *tmp = NULL;
3077         char *p[2];
3078
3079         char *str_list[256];
3080        
3081         p[0] = ",/";
3082         p[1] = "=";
3083
3084         n = X509_NAME_new();
3085
3086         tmp = strtok(subject, p[0]);
3087         while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
3088                 {
3089                 char *token = tmp;
3090
3091                 while (token[0] == ' ')
3092                         token++;
3093                 str_list[ne_num] = token;
3094
3095                 tmp = strtok(NULL, p[0]);
3096                 ne_num++;
3097                 }
3098
3099         for (i = 0; i < ne_num; i++)
3100                 {
3101                 ne_name  = strtok(str_list[i], p[1]);
3102                 ne_value = strtok(NULL, p[1]);
3103
3104                 if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
3105                         {
3106                         BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
3107                         continue;
3108                         }
3109
3110                 if (ne_value == NULL)
3111                         {
3112                         BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
3113                         continue;
3114                         }
3115
3116                 if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
3117                         {
3118                         X509_NAME_free(n);
3119                         return NULL;
3120                         }
3121                 }
3122
3123         return n;
3124         }
3125
3126
3127 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
3128         {
3129         char buf[25],*pbuf, *p;
3130         int j;
3131         j=i2a_ASN1_OBJECT(bp,obj);
3132         pbuf=buf;
3133         for (j=22-j; j>0; j--)
3134                 *(pbuf++)=' ';
3135         *(pbuf++)=':';
3136         *(pbuf++)='\0';
3137         BIO_puts(bp,buf);
3138
3139         if (str->type == V_ASN1_PRINTABLESTRING)
3140                 BIO_printf(bp,"PRINTABLE:'");
3141         else if (str->type == V_ASN1_T61STRING)
3142                 BIO_printf(bp,"T61STRING:'");
3143         else if (str->type == V_ASN1_IA5STRING)
3144                 BIO_printf(bp,"IA5STRING:'");
3145         else if (str->type == V_ASN1_UNIVERSALSTRING)
3146                 BIO_printf(bp,"UNIVERSALSTRING:'");
3147         else
3148                 BIO_printf(bp,"ASN.1 %2d:'",str->type);
3149                         
3150         p=(char *)str->data;
3151         for (j=str->length; j>0; j--)
3152                 {
3153                 if ((*p >= ' ') && (*p <= '~'))
3154                         BIO_printf(bp,"%c",*p);
3155                 else if (*p & 0x80)
3156                         BIO_printf(bp,"\\0x%02X",*p);
3157                 else if ((unsigned char)*p == 0xf7)
3158                         BIO_printf(bp,"^?");
3159                 else    BIO_printf(bp,"^%c",*p+'@');
3160                 p++;
3161                 }
3162         BIO_printf(bp,"'\n");
3163         return 1;
3164         }