Source code cleanups: Use void * rather than char * in lhash,
[openssl.git] / apps / ca.c
1 /* apps/ca.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 /* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
60
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <sys/types.h>
65 #include <sys/stat.h>
66 #include "apps.h"
67 #include <openssl/conf.h>
68 #include <openssl/bio.h>
69 #include <openssl/err.h>
70 #include <openssl/bn.h>
71 #include <openssl/txt_db.h>
72 #include <openssl/evp.h>
73 #include <openssl/x509.h>
74 #include <openssl/x509v3.h>
75 #include <openssl/objects.h>
76 #include <openssl/pem.h>
77
78 #ifndef W_OK
79 #  ifdef VMS
80 #    if defined(__DECC)
81 #      include <unistd.h>
82 #    else
83 #      include <unixlib.h>
84 #    endif
85 #  else
86 #    include <sys/file.h>
87 #  endif
88 #endif
89
90 #ifndef W_OK
91 #  define F_OK 0
92 #  define X_OK 1
93 #  define W_OK 2
94 #  define R_OK 4
95 #endif
96
97 #undef PROG
98 #define PROG ca_main
99
100 #define BASE_SECTION    "ca"
101 #define CONFIG_FILE "openssl.cnf"
102
103 #define ENV_DEFAULT_CA          "default_ca"
104
105 #define ENV_DIR                 "dir"
106 #define ENV_CERTS               "certs"
107 #define ENV_CRL_DIR             "crl_dir"
108 #define ENV_CA_DB               "CA_DB"
109 #define ENV_NEW_CERTS_DIR       "new_certs_dir"
110 #define ENV_CERTIFICATE         "certificate"
111 #define ENV_SERIAL              "serial"
112 #define ENV_CRL                 "crl"
113 #define ENV_PRIVATE_KEY         "private_key"
114 #define ENV_RANDFILE            "RANDFILE"
115 #define ENV_DEFAULT_DAYS        "default_days"
116 #define ENV_DEFAULT_STARTDATE   "default_startdate"
117 #define ENV_DEFAULT_ENDDATE     "default_enddate"
118 #define ENV_DEFAULT_CRL_DAYS    "default_crl_days"
119 #define ENV_DEFAULT_CRL_HOURS   "default_crl_hours"
120 #define ENV_DEFAULT_MD          "default_md"
121 #define ENV_PRESERVE            "preserve"
122 #define ENV_POLICY              "policy"
123 #define ENV_EXTENSIONS          "x509_extensions"
124 #define ENV_CRLEXT              "crl_extensions"
125 #define ENV_MSIE_HACK           "msie_hack"
126
127 #define ENV_DATABASE            "database"
128
129 #define DB_type         0
130 #define DB_exp_date     1
131 #define DB_rev_date     2
132 #define DB_serial       3       /* index - unique */
133 #define DB_file         4       
134 #define DB_name         5       /* index - unique for active */
135 #define DB_NUMBER       6
136
137 #define DB_TYPE_REV     'R'
138 #define DB_TYPE_EXP     'E'
139 #define DB_TYPE_VAL     'V'
140
141 static char *ca_usage[]={
142 "usage: ca args\n",
143 "\n",
144 " -verbose        - Talk alot while doing things\n",
145 " -config file    - A config file\n",
146 " -name arg       - The particular CA definition to use\n",
147 " -gencrl         - Generate a new CRL\n",
148 " -crldays days   - Days is when the next CRL is due\n",
149 " -crlhours hours - Hours is when the next CRL is due\n",
150 " -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
151 " -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
152 " -days arg       - number of days to certify the certificate for\n",
153 " -md arg         - md to use, one of md2, md5, sha or sha1\n",
154 " -policy arg     - The CA 'policy' to support\n",
155 " -keyfile arg    - PEM private key file\n",
156 " -key arg        - key to decode the private key if it is encrypted\n",
157 " -cert file      - The CA certificate\n",
158 " -in file        - The input PEM encoded certificate request(s)\n",
159 " -out file       - Where to put the output file(s)\n",
160 " -outdir dir     - Where to put output certificates\n",
161 " -infiles ....   - The last argument, requests to process\n",
162 " -spkac file     - File contains DN and signed public key and challenge\n",
163 " -ss_cert file   - File contains a self signed cert to sign\n",
164 " -preserveDN     - Don't re-order the DN\n",
165 " -batch          - Don't ask questions\n",
166 " -msie_hack      - msie modifications to handle all those universal strings\n",
167 " -revoke file    - Revoke a certificate (given in file)\n",
168 " -extensions ..  - Extension section (override value in config file)\n",
169 " -crlexts ..     - CRL extension section (override value in config file)\n",
170 NULL
171 };
172
173 #ifdef EFENCE
174 extern int EF_PROTECT_FREE;
175 extern int EF_PROTECT_BELOW;
176 extern int EF_ALIGNMENT;
177 #endif
178
179 static int add_oid_section(LHASH *conf);
180 static void lookup_fail(char *name,char *tag);
181 static unsigned long index_serial_hash(char **a);
182 static int index_serial_cmp(char **a, char **b);
183 static unsigned long index_name_hash(char **a);
184 static int index_name_qual(char **a);
185 static int index_name_cmp(char **a,char **b);
186 static BIGNUM *load_serial(char *serialfile);
187 static int save_serial(char *serialfile, BIGNUM *serial);
188 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
189                    const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
190                    BIGNUM *serial, char *startdate,char *enddate, int days,
191                    int batch, char *ext_sect, LHASH *conf,int verbose);
192 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
193                         const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
194                         TXT_DB *db, BIGNUM *serial,char *startdate,
195                         char *enddate, int days, int batch, char *ext_sect,
196                         LHASH *conf,int verbose);
197 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
198                          const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
199                          TXT_DB *db, BIGNUM *serial,char *startdate,
200                          char *enddate, int days, char *ext_sect,LHASH *conf,
201                                 int verbose);
202 static int fix_data(int nid, int *type);
203 static void write_new_certificate(BIO *bp, X509 *x, int output_der);
204 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
205         STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
206         char *startdate, char *enddate, int days, int batch, int verbose,
207         X509_REQ *req, char *ext_sect, LHASH *conf);
208 static int do_revoke(X509 *x509, TXT_DB *db);
209 static int check_time_format(char *str);
210 static LHASH *conf=NULL;
211 static char *section=NULL;
212
213 static int preserve=0;
214 static int msie_hack=0;
215
216 int MAIN(int argc, char **argv)
217         {
218         char *key=NULL;
219         int total=0;
220         int total_done=0;
221         int badops=0;
222         int ret=1;
223         int req=0;
224         int verbose=0;
225         int gencrl=0;
226         int dorevoke=0;
227         long crldays=0;
228         long crlhours=0;
229         long errorline= -1;
230         char *configfile=NULL;
231         char *md=NULL;
232         char *policy=NULL;
233         char *keyfile=NULL;
234         char *certfile=NULL;
235         char *infile=NULL;
236         char *spkac_file=NULL;
237         char *ss_cert_file=NULL;
238         EVP_PKEY *pkey=NULL;
239         int output_der = 0;
240         char *outfile=NULL;
241         char *outdir=NULL;
242         char *serialfile=NULL;
243         char *extensions=NULL;
244         char *crl_ext=NULL;
245         BIGNUM *serial=NULL;
246         char *startdate=NULL;
247         char *enddate=NULL;
248         int days=0;
249         int batch=0;
250         X509 *x509=NULL;
251         X509 *x=NULL;
252         BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
253         char *dbfile=NULL;
254         TXT_DB *db=NULL;
255         X509_CRL *crl=NULL;
256         X509_CRL_INFO *ci=NULL;
257         X509_REVOKED *r=NULL;
258         char **pp,*p,*f;
259         int i,j;
260         long l;
261         const EVP_MD *dgst=NULL;
262         STACK_OF(CONF_VALUE) *attribs=NULL;
263         STACK *cert_sk=NULL;
264         BIO *hex=NULL;
265 #undef BSIZE
266 #define BSIZE 256
267         MS_STATIC char buf[3][BSIZE];
268         char *randfile=NULL;
269
270 #ifdef EFENCE
271 EF_PROTECT_FREE=1;
272 EF_PROTECT_BELOW=1;
273 EF_ALIGNMENT=0;
274 #endif
275
276         apps_startup();
277
278         conf = NULL;
279         key = NULL;
280         section = NULL;
281
282         preserve=0;
283         msie_hack=0;
284         if (bio_err == NULL)
285                 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
286                         BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
287
288         argc--;
289         argv++;
290         while (argc >= 1)
291                 {
292                 if      (strcmp(*argv,"-verbose") == 0)
293                         verbose=1;
294                 else if (strcmp(*argv,"-config") == 0)
295                         {
296                         if (--argc < 1) goto bad;
297                         configfile= *(++argv);
298                         }
299                 else if (strcmp(*argv,"-name") == 0)
300                         {
301                         if (--argc < 1) goto bad;
302                         section= *(++argv);
303                         }
304                 else if (strcmp(*argv,"-startdate") == 0)
305                         {
306                         if (--argc < 1) goto bad;
307                         startdate= *(++argv);
308                         }
309                 else if (strcmp(*argv,"-enddate") == 0)
310                         {
311                         if (--argc < 1) goto bad;
312                         enddate= *(++argv);
313                         }
314                 else if (strcmp(*argv,"-days") == 0)
315                         {
316                         if (--argc < 1) goto bad;
317                         days=atoi(*(++argv));
318                         }
319                 else if (strcmp(*argv,"-md") == 0)
320                         {
321                         if (--argc < 1) goto bad;
322                         md= *(++argv);
323                         }
324                 else if (strcmp(*argv,"-policy") == 0)
325                         {
326                         if (--argc < 1) goto bad;
327                         policy= *(++argv);
328                         }
329                 else if (strcmp(*argv,"-keyfile") == 0)
330                         {
331                         if (--argc < 1) goto bad;
332                         keyfile= *(++argv);
333                         }
334                 else if (strcmp(*argv,"-key") == 0)
335                         {
336                         if (--argc < 1) goto bad;
337                         key= *(++argv);
338                         }
339                 else if (strcmp(*argv,"-cert") == 0)
340                         {
341                         if (--argc < 1) goto bad;
342                         certfile= *(++argv);
343                         }
344                 else if (strcmp(*argv,"-in") == 0)
345                         {
346                         if (--argc < 1) goto bad;
347                         infile= *(++argv);
348                         req=1;
349                         }
350                 else if (strcmp(*argv,"-out") == 0)
351                         {
352                         if (--argc < 1) goto bad;
353                         outfile= *(++argv);
354                         }
355                 else if (strcmp(*argv,"-outdir") == 0)
356                         {
357                         if (--argc < 1) goto bad;
358                         outdir= *(++argv);
359                         }
360                 else if (strcmp(*argv,"-batch") == 0)
361                         batch=1;
362                 else if (strcmp(*argv,"-preserveDN") == 0)
363                         preserve=1;
364                 else if (strcmp(*argv,"-gencrl") == 0)
365                         gencrl=1;
366                 else if (strcmp(*argv,"-msie_hack") == 0)
367                         msie_hack=1;
368                 else if (strcmp(*argv,"-crldays") == 0)
369                         {
370                         if (--argc < 1) goto bad;
371                         crldays= atol(*(++argv));
372                         }
373                 else if (strcmp(*argv,"-crlhours") == 0)
374                         {
375                         if (--argc < 1) goto bad;
376                         crlhours= atol(*(++argv));
377                         }
378                 else if (strcmp(*argv,"-infiles") == 0)
379                         {
380                         argc--;
381                         argv++;
382                         req=1;
383                         break;
384                         }
385                 else if (strcmp(*argv, "-ss_cert") == 0)
386                         {
387                         if (--argc < 1) goto bad;
388                         ss_cert_file = *(++argv);
389                         req=1;
390                         }
391                 else if (strcmp(*argv, "-spkac") == 0)
392                         {
393                         if (--argc < 1) goto bad;
394                         spkac_file = *(++argv);
395                         req=1;
396                         }
397                 else if (strcmp(*argv,"-revoke") == 0)
398                         {
399                         if (--argc < 1) goto bad;
400                         infile= *(++argv);
401                         dorevoke=1;
402                         }
403                 else if (strcmp(*argv,"-extensions") == 0)
404                         {
405                         if (--argc < 1) goto bad;
406                         extensions= *(++argv);
407                         }
408                 else if (strcmp(*argv,"-crlexts") == 0)
409                         {
410                         if (--argc < 1) goto bad;
411                         crl_ext= *(++argv);
412                         }
413                 else
414                         {
415 bad:
416                         BIO_printf(bio_err,"unknown option %s\n",*argv);
417                         badops=1;
418                         break;
419                         }
420                 argc--;
421                 argv++;
422                 }
423
424         if (badops)
425                 {
426                 for (pp=ca_usage; (*pp != NULL); pp++)
427                         BIO_printf(bio_err,*pp);
428                 goto err;
429                 }
430
431         ERR_load_crypto_strings();
432
433         /*****************************************************************/
434         if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
435         if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
436         if (configfile == NULL)
437                 {
438                 /* We will just use 'buf[0]' as a temporary buffer.  */
439 #ifdef VMS
440                 strncpy(buf[0],X509_get_default_cert_area(),
441                         sizeof(buf[0])-1-sizeof(CONFIG_FILE));
442 #else
443                 strncpy(buf[0],X509_get_default_cert_area(),
444                         sizeof(buf[0])-2-sizeof(CONFIG_FILE));
445                 strcat(buf[0],"/");
446 #endif
447                 strcat(buf[0],CONFIG_FILE);
448                 configfile=buf[0];
449                 }
450
451         BIO_printf(bio_err,"Using configuration from %s\n",configfile);
452         if ((conf=CONF_load(NULL,configfile,&errorline)) == NULL)
453                 {
454                 if (errorline <= 0)
455                         BIO_printf(bio_err,"error loading the config file '%s'\n",
456                                 configfile);
457                 else
458                         BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
459                                 ,errorline,configfile);
460                 goto err;
461                 }
462
463         /* Lets get the config section we are using */
464         if (section == NULL)
465                 {
466                 section=CONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
467                 if (section == NULL)
468                         {
469                         lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
470                         goto err;
471                         }
472                 }
473
474         if (conf != NULL)
475                 {
476                 p=CONF_get_string(conf,NULL,"oid_file");
477                 if (p != NULL)
478                         {
479                         BIO *oid_bio;
480
481                         oid_bio=BIO_new_file(p,"r");
482                         if (oid_bio == NULL) 
483                                 {
484                                 /*
485                                 BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
486                                 ERR_print_errors(bio_err);
487                                 */
488                                 ERR_clear_error();
489                                 }
490                         else
491                                 {
492                                 OBJ_create_objects(oid_bio);
493                                 BIO_free(oid_bio);
494                                 }
495                         }
496                 if(!add_oid_section(conf)) 
497                         {
498                         ERR_print_errors(bio_err);
499                         goto err;
500                         }
501                 }
502
503         randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE");
504         app_RAND_load_file(randfile, bio_err, 0);
505         
506         in=BIO_new(BIO_s_file());
507         out=BIO_new(BIO_s_file());
508         Sout=BIO_new(BIO_s_file());
509         Cout=BIO_new(BIO_s_file());
510         if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
511                 {
512                 ERR_print_errors(bio_err);
513                 goto err;
514                 }
515
516         /*****************************************************************/
517         /* we definitly need an public key, so lets get it */
518
519         if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf,
520                 section,ENV_PRIVATE_KEY)) == NULL))
521                 {
522                 lookup_fail(section,ENV_PRIVATE_KEY);
523                 goto err;
524                 }
525         if (BIO_read_filename(in,keyfile) <= 0)
526                 {
527                 perror(keyfile);
528                 BIO_printf(bio_err,"trying to load CA private key\n");
529                 goto err;
530                 }
531                 pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key);
532                 if(key) memset(key,0,strlen(key));
533         if (pkey == NULL)
534                 {
535                 BIO_printf(bio_err,"unable to load CA private key\n");
536                 goto err;
537                 }
538
539         /*****************************************************************/
540         /* we need a certificate */
541         if ((certfile == NULL) && ((certfile=CONF_get_string(conf,
542                 section,ENV_CERTIFICATE)) == NULL))
543                 {
544                 lookup_fail(section,ENV_CERTIFICATE);
545                 goto err;
546                 }
547         if (BIO_read_filename(in,certfile) <= 0)
548                 {
549                 perror(certfile);
550                 BIO_printf(bio_err,"trying to load CA certificate\n");
551                 goto err;
552                 }
553         x509=PEM_read_bio_X509(in,NULL,NULL,NULL);
554         if (x509 == NULL)
555                 {
556                 BIO_printf(bio_err,"unable to load CA certificate\n");
557                 goto err;
558                 }
559
560         if (!X509_check_private_key(x509,pkey))
561                 {
562                 BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
563                 goto err;
564                 }
565
566         f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
567         if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
568                 preserve=1;
569         f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
570         if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
571                 msie_hack=1;
572
573         /*****************************************************************/
574         /* lookup where to write new certificates */
575         if ((outdir == NULL) && (req))
576                 {
577                 struct stat sb;
578
579                 if ((outdir=CONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
580                         == NULL)
581                         {
582                         BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
583                         goto err;
584                         }
585 #ifdef VMS
586                 /* For technical reasons, VMS misbehaves with X_OK */
587                 if (access(outdir,R_OK|W_OK) != 0)
588 #else
589                 if (access(outdir,R_OK|W_OK|X_OK) != 0)
590 #endif
591                         {
592                         BIO_printf(bio_err,"I am unable to acces the %s directory\n",outdir);
593                         perror(outdir);
594                         goto err;
595                         }
596
597                 if (stat(outdir,&sb) != 0)
598                         {
599                         BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
600                         perror(outdir);
601                         goto err;
602                         }
603 #ifdef S_IFDIR
604                 if (!(sb.st_mode & S_IFDIR))
605                         {
606                         BIO_printf(bio_err,"%s need to be a directory\n",outdir);
607                         perror(outdir);
608                         goto err;
609                         }
610 #endif
611                 }
612
613         /*****************************************************************/
614         /* we need to load the database file */
615         if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL)
616                 {
617                 lookup_fail(section,ENV_DATABASE);
618                 goto err;
619                 }
620         if (BIO_read_filename(in,dbfile) <= 0)
621                 {
622                 perror(dbfile);
623                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
624                 goto err;
625                 }
626         db=TXT_DB_read(in,DB_NUMBER);
627         if (db == NULL) goto err;
628
629         /* Lets check some fields */
630         for (i=0; i<sk_num(db->data); i++)
631                 {
632                 pp=(char **)sk_value(db->data,i);
633                 if ((pp[DB_type][0] != DB_TYPE_REV) &&
634                         (pp[DB_rev_date][0] != '\0'))
635                         {
636                         BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
637                         goto err;
638                         }
639                 if ((pp[DB_type][0] == DB_TYPE_REV) &&
640                         !check_time_format(pp[DB_rev_date]))
641                         {
642                         BIO_printf(bio_err,"entry %d: invalid revocation date\n",
643                                 i+1);
644                         goto err;
645                         }
646                 if (!check_time_format(pp[DB_exp_date]))
647                         {
648                         BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
649                         goto err;
650                         }
651                 p=pp[DB_serial];
652                 j=strlen(p);
653                 if ((j&1) || (j < 2))
654                         {
655                         BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
656                         goto err;
657                         }
658                 while (*p)
659                         {
660                         if (!(  ((*p >= '0') && (*p <= '9')) ||
661                                 ((*p >= 'A') && (*p <= 'F')) ||
662                                 ((*p >= 'a') && (*p <= 'f')))  )
663                                 {
664                                 BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
665                                 goto err;
666                                 }
667                         p++;
668                         }
669                 }
670         if (verbose)
671                 {
672                 BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
673                 TXT_DB_write(out,db);
674                 BIO_printf(bio_err,"%d entries loaded from the database\n",
675                         db->data->num);
676                 BIO_printf(bio_err,"generating indexs\n");
677                 }
678         
679         if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash,
680                 index_serial_cmp))
681                 {
682                 BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
683                 goto err;
684                 }
685
686         if (!TXT_DB_create_index(db,DB_name,index_name_qual,index_name_hash,
687                 index_name_cmp))
688                 {
689                 BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
690                         db->error,db->arg1,db->arg2);
691                 goto err;
692                 }
693
694         /*****************************************************************/
695         if (req || gencrl)
696                 {
697                 if (outfile != NULL)
698                         {
699
700                         if (BIO_write_filename(Sout,outfile) <= 0)
701                                 {
702                                 perror(outfile);
703                                 goto err;
704                                 }
705                         }
706                 else
707                         BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
708                 }
709
710         if (req)
711                 {
712                 if ((md == NULL) && ((md=CONF_get_string(conf,
713                         section,ENV_DEFAULT_MD)) == NULL))
714                         {
715                         lookup_fail(section,ENV_DEFAULT_MD);
716                         goto err;
717                         }
718                 if ((dgst=EVP_get_digestbyname(md)) == NULL)
719                         {
720                         BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
721                         goto err;
722                         }
723                 if (verbose)
724                         BIO_printf(bio_err,"message digest is %s\n",
725                                 OBJ_nid2ln(dgst->type));
726                 if ((policy == NULL) && ((policy=CONF_get_string(conf,
727                         section,ENV_POLICY)) == NULL))
728                         {
729                         lookup_fail(section,ENV_POLICY);
730                         goto err;
731                         }
732                 if (verbose)
733                         BIO_printf(bio_err,"policy is %s\n",policy);
734
735                 if ((serialfile=CONF_get_string(conf,section,ENV_SERIAL))
736                         == NULL)
737                         {
738                         lookup_fail(section,ENV_SERIAL);
739                         goto err;
740                         }
741                 if(!extensions)
742                         extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
743                 if(extensions) {
744                         /* Check syntax of file */
745                         X509V3_CTX ctx;
746                         X509V3_set_ctx_test(&ctx);
747                         X509V3_set_conf_lhash(&ctx, conf);
748                         if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) {
749                                 BIO_printf(bio_err,
750                                  "Error Loading extension section %s\n",
751                                                                  extensions);
752                                 ret = 1;
753                                 goto err;
754                         }
755                 }
756
757                 if (startdate == NULL)
758                         {
759                         startdate=CONF_get_string(conf,section,
760                                 ENV_DEFAULT_STARTDATE);
761                         }
762                 if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
763                         {
764                         BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
765                         goto err;
766                         }
767                 if (startdate == NULL) startdate="today";
768
769                 if (enddate == NULL)
770                         {
771                         enddate=CONF_get_string(conf,section,
772                                 ENV_DEFAULT_ENDDATE);
773                         }
774                 if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
775                         {
776                         BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
777                         goto err;
778                         }
779
780                 if (days == 0)
781                         {
782                         days=(int)CONF_get_number(conf,section,
783                                 ENV_DEFAULT_DAYS);
784                         }
785                 if (!enddate && (days == 0))
786                         {
787                         BIO_printf(bio_err,"cannot lookup how many days to certify for\n");
788                         goto err;
789                         }
790
791                 if ((serial=load_serial(serialfile)) == NULL)
792                         {
793                         BIO_printf(bio_err,"error while loading serial number\n");
794                         goto err;
795                         }
796                 if (verbose)
797                         {
798                         if ((f=BN_bn2hex(serial)) == NULL) goto err;
799                         BIO_printf(bio_err,"next serial number is %s\n",f);
800                         Free(f);
801                         }
802
803                 if ((attribs=CONF_get_section(conf,policy)) == NULL)
804                         {
805                         BIO_printf(bio_err,"unable to find 'section' for %s\n",policy);
806                         goto err;
807                         }
808
809                 if ((cert_sk=sk_new_null()) == NULL)
810                         {
811                         BIO_printf(bio_err,"Malloc failure\n");
812                         goto err;
813                         }
814                 if (spkac_file != NULL)
815                         {
816                         total++;
817                         j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
818                                 serial,startdate,enddate, days,extensions,conf,
819                                 verbose);
820                         if (j < 0) goto err;
821                         if (j > 0)
822                                 {
823                                 total_done++;
824                                 BIO_printf(bio_err,"\n");
825                                 if (!BN_add_word(serial,1)) goto err;
826                                 if (!sk_push(cert_sk,(char *)x))
827                                         {
828                                         BIO_printf(bio_err,"Malloc failure\n");
829                                         goto err;
830                                         }
831                                 if (outfile)
832                                         {
833                                         output_der = 1;
834                                         batch = 1;
835                                         }
836                                 }
837                         }
838                 if (ss_cert_file != NULL)
839                         {
840                         total++;
841                         j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
842                                 db,serial,startdate,enddate,days,batch,
843                                 extensions,conf,verbose);
844                         if (j < 0) goto err;
845                         if (j > 0)
846                                 {
847                                 total_done++;
848                                 BIO_printf(bio_err,"\n");
849                                 if (!BN_add_word(serial,1)) goto err;
850                                 if (!sk_push(cert_sk,(char *)x))
851                                         {
852                                         BIO_printf(bio_err,"Malloc failure\n");
853                                         goto err;
854                                         }
855                                 }
856                         }
857                 if (infile != NULL)
858                         {
859                         total++;
860                         j=certify(&x,infile,pkey,x509,dgst,attribs,db,
861                                 serial,startdate,enddate,days,batch,
862                                 extensions,conf,verbose);
863                         if (j < 0) goto err;
864                         if (j > 0)
865                                 {
866                                 total_done++;
867                                 BIO_printf(bio_err,"\n");
868                                 if (!BN_add_word(serial,1)) goto err;
869                                 if (!sk_push(cert_sk,(char *)x))
870                                         {
871                                         BIO_printf(bio_err,"Malloc failure\n");
872                                         goto err;
873                                         }
874                                 }
875                         }
876                 for (i=0; i<argc; i++)
877                         {
878                         total++;
879                         j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
880                                 serial,startdate,enddate,days,batch,
881                                 extensions,conf,verbose);
882                         if (j < 0) goto err;
883                         if (j > 0)
884                                 {
885                                 total_done++;
886                                 BIO_printf(bio_err,"\n");
887                                 if (!BN_add_word(serial,1)) goto err;
888                                 if (!sk_push(cert_sk,(char *)x))
889                                         {
890                                         BIO_printf(bio_err,"Malloc failure\n");
891                                         goto err;
892                                         }
893                                 }
894                         }       
895                 /* we have a stack of newly certified certificates
896                  * and a data base and serial number that need
897                  * updating */
898
899                 if (sk_num(cert_sk) > 0)
900                         {
901                         if (!batch)
902                                 {
903                                 BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
904                                 (void)BIO_flush(bio_err);
905                                 buf[0][0]='\0';
906                                 fgets(buf[0],10,stdin);
907                                 if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
908                                         {
909                                         BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 
910                                         ret=0;
911                                         goto err;
912                                         }
913                                 }
914
915                         BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk));
916
917                         strncpy(buf[0],serialfile,BSIZE-4);
918
919 #ifdef VMS
920                         strcat(buf[0],"-new");
921 #else
922                         strcat(buf[0],".new");
923 #endif
924
925                         if (!save_serial(buf[0],serial)) goto err;
926
927                         strncpy(buf[1],dbfile,BSIZE-4);
928
929 #ifdef VMS
930                         strcat(buf[1],"-new");
931 #else
932                         strcat(buf[1],".new");
933 #endif
934
935                         if (BIO_write_filename(out,buf[1]) <= 0)
936                                 {
937                                 perror(dbfile);
938                                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
939                                 goto err;
940                                 }
941                         l=TXT_DB_write(out,db);
942                         if (l <= 0) goto err;
943                         }
944         
945                 if (verbose)
946                         BIO_printf(bio_err,"writing new certificates\n");
947                 for (i=0; i<sk_num(cert_sk); i++)
948                         {
949                         int k;
950                         unsigned char *n;
951
952                         x=(X509 *)sk_value(cert_sk,i);
953
954                         j=x->cert_info->serialNumber->length;
955                         p=(char *)x->cert_info->serialNumber->data;
956                         
957                         strncpy(buf[2],outdir,BSIZE-(j*2)-6);
958
959 #ifndef VMS
960                         strcat(buf[2],"/");
961 #endif
962
963                         n=(unsigned char *)&(buf[2][strlen(buf[2])]);
964                         if (j > 0)
965                                 {
966                                 for (k=0; k<j; k++)
967                                         {
968                                         sprintf((char *)n,"%02X",(unsigned char)*(p++));
969                                         n+=2;
970                                         }
971                                 }
972                         else
973                                 {
974                                 *(n++)='0';
975                                 *(n++)='0';
976                                 }
977                         *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
978                         *n='\0';
979                         if (verbose)
980                                 BIO_printf(bio_err,"writing %s\n",buf[2]);
981
982                         if (BIO_write_filename(Cout,buf[2]) <= 0)
983                                 {
984                                 perror(buf[2]);
985                                 goto err;
986                                 }
987                         write_new_certificate(Cout,x, 0);
988                         write_new_certificate(Sout,x, output_der);
989                         }
990
991                 if (sk_num(cert_sk))
992                         {
993                         /* Rename the database and the serial file */
994                         strncpy(buf[2],serialfile,BSIZE-4);
995
996 #ifdef VMS
997                         strcat(buf[2],"-old");
998 #else
999                         strcat(buf[2],".old");
1000 #endif
1001
1002                         BIO_free(in);
1003                         BIO_free(out);
1004                         in=NULL;
1005                         out=NULL;
1006                         if (rename(serialfile,buf[2]) < 0)
1007                                 {
1008                                 BIO_printf(bio_err,"unabel to rename %s to %s\n",
1009                                         serialfile,buf[2]);
1010                                 perror("reason");
1011                                 goto err;
1012                                 }
1013                         if (rename(buf[0],serialfile) < 0)
1014                                 {
1015                                 BIO_printf(bio_err,"unabel to rename %s to %s\n",
1016                                         buf[0],serialfile);
1017                                 perror("reason");
1018                                 rename(buf[2],serialfile);
1019                                 goto err;
1020                                 }
1021
1022                         strncpy(buf[2],dbfile,BSIZE-4);
1023
1024 #ifdef VMS
1025                         strcat(buf[2],"-old");
1026 #else
1027                         strcat(buf[2],".old");
1028 #endif
1029
1030                         if (rename(dbfile,buf[2]) < 0)
1031                                 {
1032                                 BIO_printf(bio_err,"unabel to rename %s to %s\n",
1033                                         dbfile,buf[2]);
1034                                 perror("reason");
1035                                 goto err;
1036                                 }
1037                         if (rename(buf[1],dbfile) < 0)
1038                                 {
1039                                 BIO_printf(bio_err,"unabel to rename %s to %s\n",
1040                                         buf[1],dbfile);
1041                                 perror("reason");
1042                                 rename(buf[2],dbfile);
1043                                 goto err;
1044                                 }
1045                         BIO_printf(bio_err,"Data Base Updated\n");
1046                         }
1047                 }
1048         
1049         /*****************************************************************/
1050         if (gencrl)
1051                 {
1052                 if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
1053                 if(crl_ext) {
1054                         /* Check syntax of file */
1055                         X509V3_CTX ctx;
1056                         X509V3_set_ctx_test(&ctx);
1057                         X509V3_set_conf_lhash(&ctx, conf);
1058                         if(!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) {
1059                                 BIO_printf(bio_err,
1060                                  "Error Loading CRL extension section %s\n",
1061                                                                  crl_ext);
1062                                 ret = 1;
1063                                 goto err;
1064                         }
1065                 }
1066                 if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
1067
1068                 if (!crldays && !crlhours)
1069                         {
1070                         crldays=CONF_get_number(conf,section,
1071                                 ENV_DEFAULT_CRL_DAYS);
1072                         crlhours=CONF_get_number(conf,section,
1073                                 ENV_DEFAULT_CRL_HOURS);
1074                         }
1075                 if ((crldays == 0) && (crlhours == 0))
1076                         {
1077                         BIO_printf(bio_err,"cannot lookup how long until the next CRL is issuer\n");
1078                         goto err;
1079                         }
1080
1081                 if (verbose) BIO_printf(bio_err,"making CRL\n");
1082                 if ((crl=X509_CRL_new()) == NULL) goto err;
1083                 ci=crl->crl;
1084                 X509_NAME_free(ci->issuer);
1085                 ci->issuer=X509_NAME_dup(x509->cert_info->subject);
1086                 if (ci->issuer == NULL) goto err;
1087
1088                 X509_gmtime_adj(ci->lastUpdate,0);
1089                 if (ci->nextUpdate == NULL)
1090                         ci->nextUpdate=ASN1_UTCTIME_new();
1091                 X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
1092
1093                 for (i=0; i<sk_num(db->data); i++)
1094                         {
1095                         pp=(char **)sk_value(db->data,i);
1096                         if (pp[DB_type][0] == DB_TYPE_REV)
1097                                 {
1098                                 if ((r=X509_REVOKED_new()) == NULL) goto err;
1099                                 ASN1_STRING_set((ASN1_STRING *)
1100                                         r->revocationDate,
1101                                         (unsigned char *)pp[DB_rev_date],
1102                                         strlen(pp[DB_rev_date]));
1103                                 /* strcpy(r->revocationDate,pp[DB_rev_date]);*/
1104
1105                                 (void)BIO_reset(hex);
1106                                 if (!BIO_puts(hex,pp[DB_serial]))
1107                                         goto err;
1108                                 if (!a2i_ASN1_INTEGER(hex,r->serialNumber,
1109                                         buf[0],BSIZE)) goto err;
1110
1111                                 sk_X509_REVOKED_push(ci->revoked,r);
1112                                 }
1113                         }
1114                 /* sort the data so it will be written in serial
1115                  * number order */
1116                 sk_X509_REVOKED_sort(ci->revoked);
1117                 for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
1118                         {
1119                         r=sk_X509_REVOKED_value(ci->revoked,i);
1120                         r->sequence=i;
1121                         }
1122
1123                 /* we now have a CRL */
1124                 if (verbose) BIO_printf(bio_err,"signing CRL\n");
1125                 if (md != NULL)
1126                         {
1127                         if ((dgst=EVP_get_digestbyname(md)) == NULL)
1128                                 {
1129                                 BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
1130                                 goto err;
1131                                 }
1132                         }
1133                 else
1134                     {
1135 #ifndef NO_DSA
1136                     if (pkey->type == EVP_PKEY_DSA) 
1137                         dgst=EVP_dss1();
1138                     else
1139 #endif
1140                         dgst=EVP_md5();
1141                     }
1142
1143                 /* Add any extensions asked for */
1144
1145                 if(crl_ext) {
1146                     X509V3_CTX crlctx;
1147                     if (ci->version == NULL)
1148                     if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
1149                     ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
1150                     X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
1151                     X509V3_set_conf_lhash(&crlctx, conf);
1152
1153                     if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
1154                                                  crl_ext, crl)) goto err;
1155                 }
1156
1157                 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
1158
1159                 PEM_write_bio_X509_CRL(Sout,crl);
1160                 }
1161         /*****************************************************************/
1162         if (dorevoke)
1163                 {
1164                 if (infile == NULL) 
1165                         {
1166                         BIO_printf(bio_err,"no input files\n");
1167                         goto err;
1168                         }
1169                 else
1170                         {
1171                         X509 *revcert;
1172                         if (BIO_read_filename(in,infile) <= 0)
1173                                 {
1174                                 perror(infile);
1175                                 BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
1176                                 goto err;
1177                                 }
1178                         revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
1179                         if (revcert == NULL)
1180                                 {
1181                                 BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
1182                                 goto err;
1183                                 }
1184                         j=do_revoke(revcert,db);
1185                         if (j <= 0) goto err;
1186                         X509_free(revcert);
1187
1188                         strncpy(buf[0],dbfile,BSIZE-4);
1189                         strcat(buf[0],".new");
1190                         if (BIO_write_filename(out,buf[0]) <= 0)
1191                                 {
1192                                 perror(dbfile);
1193                                 BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
1194                                 goto err;
1195                                 }
1196                         j=TXT_DB_write(out,db);
1197                         if (j <= 0) goto err;
1198                         strncpy(buf[1],dbfile,BSIZE-4);
1199                         strcat(buf[1],".old");
1200                         if (rename(dbfile,buf[1]) < 0)
1201                                 {
1202                                 BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
1203                                 perror("reason");
1204                                 goto err;
1205                                 }
1206                         if (rename(buf[0],dbfile) < 0)
1207                                 {
1208                                 BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
1209                                 perror("reason");
1210                                 rename(buf[1],dbfile);
1211                                 goto err;
1212                                 }
1213                         BIO_printf(bio_err,"Data Base Updated\n"); 
1214                         }
1215                 }
1216         /*****************************************************************/
1217         ret=0;
1218 err:
1219         BIO_free(hex);
1220         BIO_free(Cout);
1221         BIO_free(Sout);
1222         BIO_free(out);
1223         BIO_free(in);
1224
1225         sk_pop_free(cert_sk,X509_free);
1226
1227         if (ret) ERR_print_errors(bio_err);
1228         app_RAND_write_file(randfile, bio_err);
1229         BN_free(serial);
1230         TXT_DB_free(db);
1231         EVP_PKEY_free(pkey);
1232         X509_free(x509);
1233         X509_CRL_free(crl);
1234         CONF_free(conf);
1235         OBJ_cleanup();
1236         EXIT(ret);
1237         }
1238
1239 static void lookup_fail(char *name, char *tag)
1240         {
1241         BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
1242         }
1243
1244 static unsigned long index_serial_hash(char **a)
1245         {
1246         char *n;
1247
1248         n=a[DB_serial];
1249         while (*n == '0') n++;
1250         return(lh_strhash(n));
1251         }
1252
1253 static int index_serial_cmp(char **a, char **b)
1254         {
1255         char *aa,*bb;
1256
1257         for (aa=a[DB_serial]; *aa == '0'; aa++);
1258         for (bb=b[DB_serial]; *bb == '0'; bb++);
1259         return(strcmp(aa,bb));
1260         }
1261
1262 static unsigned long index_name_hash(char **a)
1263         { return(lh_strhash(a[DB_name])); }
1264
1265 static int index_name_qual(char **a)
1266         { return(a[0][0] == 'V'); }
1267
1268 static int index_name_cmp(char **a, char **b)
1269         { return(strcmp(a[DB_name],
1270              b[DB_name])); }
1271
1272 static BIGNUM *load_serial(char *serialfile)
1273         {
1274         BIO *in=NULL;
1275         BIGNUM *ret=NULL;
1276         MS_STATIC char buf[1024];
1277         ASN1_INTEGER *ai=NULL;
1278
1279         if ((in=BIO_new(BIO_s_file())) == NULL)
1280                 {
1281                 ERR_print_errors(bio_err);
1282                 goto err;
1283                 }
1284
1285         if (BIO_read_filename(in,serialfile) <= 0)
1286                 {
1287                 perror(serialfile);
1288                 goto err;
1289                 }
1290         ai=ASN1_INTEGER_new();
1291         if (ai == NULL) goto err;
1292         if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
1293                 {
1294                 BIO_printf(bio_err,"unable to load number from %s\n",
1295                         serialfile);
1296                 goto err;
1297                 }
1298         ret=ASN1_INTEGER_to_BN(ai,NULL);
1299         if (ret == NULL)
1300                 {
1301                 BIO_printf(bio_err,"error converting number from bin to BIGNUM");
1302                 goto err;
1303                 }
1304 err:
1305         if (in != NULL) BIO_free(in);
1306         if (ai != NULL) ASN1_INTEGER_free(ai);
1307         return(ret);
1308         }
1309
1310 static int save_serial(char *serialfile, BIGNUM *serial)
1311         {
1312         BIO *out;
1313         int ret=0;
1314         ASN1_INTEGER *ai=NULL;
1315
1316         out=BIO_new(BIO_s_file());
1317         if (out == NULL)
1318                 {
1319                 ERR_print_errors(bio_err);
1320                 goto err;
1321                 }
1322         if (BIO_write_filename(out,serialfile) <= 0)
1323                 {
1324                 perror(serialfile);
1325                 goto err;
1326                 }
1327
1328         if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
1329                 {
1330                 BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
1331                 goto err;
1332                 }
1333         i2a_ASN1_INTEGER(out,ai);
1334         BIO_puts(out,"\n");
1335         ret=1;
1336 err:
1337         if (out != NULL) BIO_free(out);
1338         if (ai != NULL) ASN1_INTEGER_free(ai);
1339         return(ret);
1340         }
1341
1342 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1343              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1344              BIGNUM *serial, char *startdate, char *enddate, int days,
1345              int batch, char *ext_sect, LHASH *lconf, int verbose)
1346         {
1347         X509_REQ *req=NULL;
1348         BIO *in=NULL;
1349         EVP_PKEY *pktmp=NULL;
1350         int ok= -1,i;
1351
1352         in=BIO_new(BIO_s_file());
1353
1354         if (BIO_read_filename(in,infile) <= 0)
1355                 {
1356                 perror(infile);
1357                 goto err;
1358                 }
1359         if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL)
1360                 {
1361                 BIO_printf(bio_err,"Error reading certificate request in %s\n",
1362                         infile);
1363                 goto err;
1364                 }
1365         if (verbose)
1366                 X509_REQ_print(bio_err,req);
1367
1368         BIO_printf(bio_err,"Check that the request matches the signature\n");
1369
1370         if ((pktmp=X509_REQ_get_pubkey(req)) == NULL)
1371                 {
1372                 BIO_printf(bio_err,"error unpacking public key\n");
1373                 goto err;
1374                 }
1375         i=X509_REQ_verify(req,pktmp);
1376         EVP_PKEY_free(pktmp);
1377         if (i < 0)
1378                 {
1379                 ok=0;
1380                 BIO_printf(bio_err,"Signature verification problems....\n");
1381                 goto err;
1382                 }
1383         if (i == 0)
1384                 {
1385                 ok=0;
1386                 BIO_printf(bio_err,"Signature did not match the certificate request\n");
1387                 goto err;
1388                 }
1389         else
1390                 BIO_printf(bio_err,"Signature ok\n");
1391
1392         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate, enddate,
1393                 days,batch,verbose,req,ext_sect,lconf);
1394
1395 err:
1396         if (req != NULL) X509_REQ_free(req);
1397         if (in != NULL) BIO_free(in);
1398         return(ok);
1399         }
1400
1401 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1402              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1403              BIGNUM *serial, char *startdate, char *enddate, int days,
1404              int batch, char *ext_sect, LHASH *lconf, int verbose)
1405         {
1406         X509 *req=NULL;
1407         X509_REQ *rreq=NULL;
1408         BIO *in=NULL;
1409         EVP_PKEY *pktmp=NULL;
1410         int ok= -1,i;
1411
1412         in=BIO_new(BIO_s_file());
1413
1414         if (BIO_read_filename(in,infile) <= 0)
1415                 {
1416                 perror(infile);
1417                 goto err;
1418                 }
1419         if ((req=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL)
1420                 {
1421                 BIO_printf(bio_err,"Error reading self signed certificate in %s\n",infile);
1422                 goto err;
1423                 }
1424         if (verbose)
1425                 X509_print(bio_err,req);
1426
1427         BIO_printf(bio_err,"Check that the request matches the signature\n");
1428
1429         if ((pktmp=X509_get_pubkey(req)) == NULL)
1430                 {
1431                 BIO_printf(bio_err,"error unpacking public key\n");
1432                 goto err;
1433                 }
1434         i=X509_verify(req,pktmp);
1435         EVP_PKEY_free(pktmp);
1436         if (i < 0)
1437                 {
1438                 ok=0;
1439                 BIO_printf(bio_err,"Signature verification problems....\n");
1440                 goto err;
1441                 }
1442         if (i == 0)
1443                 {
1444                 ok=0;
1445                 BIO_printf(bio_err,"Signature did not match the certificate\n");
1446                 goto err;
1447                 }
1448         else
1449                 BIO_printf(bio_err,"Signature ok\n");
1450
1451         if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
1452                 goto err;
1453
1454         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,days,
1455                 batch,verbose,rreq,ext_sect,lconf);
1456
1457 err:
1458         if (rreq != NULL) X509_REQ_free(rreq);
1459         if (req != NULL) X509_free(req);
1460         if (in != NULL) BIO_free(in);
1461         return(ok);
1462         }
1463
1464 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
1465              STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
1466              char *startdate, char *enddate, int days, int batch, int verbose,
1467              X509_REQ *req, char *ext_sect, LHASH *lconf)
1468         {
1469         X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
1470         ASN1_UTCTIME *tm,*tmptm;
1471         ASN1_STRING *str,*str2;
1472         ASN1_OBJECT *obj;
1473         X509 *ret=NULL;
1474         X509_CINF *ci;
1475         X509_NAME_ENTRY *ne;
1476         X509_NAME_ENTRY *tne,*push;
1477         EVP_PKEY *pktmp;
1478         int ok= -1,i,j,last,nid;
1479         char *p;
1480         CONF_VALUE *cv;
1481         char *row[DB_NUMBER],**rrow,**irow=NULL;
1482         char buf[25],*pbuf;
1483
1484         tmptm=ASN1_UTCTIME_new();
1485         if (tmptm == NULL)
1486                 {
1487                 BIO_printf(bio_err,"malloc error\n");
1488                 return(0);
1489                 }
1490
1491         for (i=0; i<DB_NUMBER; i++)
1492                 row[i]=NULL;
1493
1494         BIO_printf(bio_err,"The Subjects Distinguished Name is as follows\n");
1495         name=X509_REQ_get_subject_name(req);
1496         for (i=0; i<X509_NAME_entry_count(name); i++)
1497                 {
1498                 ne=(X509_NAME_ENTRY *)X509_NAME_get_entry(name,i);
1499                 obj=X509_NAME_ENTRY_get_object(ne);
1500                 j=i2a_ASN1_OBJECT(bio_err,obj);
1501                 str=X509_NAME_ENTRY_get_data(ne);
1502                 pbuf=buf;
1503                 for (j=22-j; j>0; j--)
1504                         *(pbuf++)=' ';
1505                 *(pbuf++)=':';
1506                 *(pbuf++)='\0';
1507                 BIO_puts(bio_err,buf);
1508
1509                 if (msie_hack)
1510                         {
1511                         /* assume all type should be strings */
1512                         nid=OBJ_obj2nid(ne->object);
1513
1514                         if (str->type == V_ASN1_UNIVERSALSTRING)
1515                                 ASN1_UNIVERSALSTRING_to_string(str);
1516
1517                         if ((str->type == V_ASN1_IA5STRING) &&
1518                                 (nid != NID_pkcs9_emailAddress))
1519                                 str->type=V_ASN1_T61STRING;
1520
1521                         if ((nid == NID_pkcs9_emailAddress) &&
1522                                 (str->type == V_ASN1_PRINTABLESTRING))
1523                                 str->type=V_ASN1_IA5STRING;
1524                         }
1525
1526                 if (str->type == V_ASN1_PRINTABLESTRING)
1527                         BIO_printf(bio_err,"PRINTABLE:'");
1528                 else if (str->type == V_ASN1_T61STRING)
1529                         BIO_printf(bio_err,"T61STRING:'");
1530                 else if (str->type == V_ASN1_IA5STRING)
1531                         BIO_printf(bio_err,"IA5STRING:'");
1532                 else if (str->type == V_ASN1_UNIVERSALSTRING)
1533                         BIO_printf(bio_err,"UNIVERSALSTRING:'");
1534                 else
1535                         BIO_printf(bio_err,"ASN.1 %2d:'",str->type);
1536
1537                 /* check some things */
1538                 if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
1539                         (str->type != V_ASN1_IA5STRING))
1540                         {
1541                         BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
1542                         goto err;
1543                         }
1544                 j=ASN1_PRINTABLE_type(str->data,str->length);
1545                 if (    ((j == V_ASN1_T61STRING) &&
1546                          (str->type != V_ASN1_T61STRING)) ||
1547                         ((j == V_ASN1_IA5STRING) &&
1548                          (str->type == V_ASN1_PRINTABLESTRING)))
1549                         {
1550                         BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
1551                         goto err;
1552                         }
1553                         
1554                 p=(char *)str->data;
1555                 for (j=str->length; j>0; j--)
1556                         {
1557                         if ((*p >= ' ') && (*p <= '~'))
1558                                 BIO_printf(bio_err,"%c",*p);
1559                         else if (*p & 0x80)
1560                                 BIO_printf(bio_err,"\\0x%02X",*p);
1561                         else if ((unsigned char)*p == 0xf7)
1562                                 BIO_printf(bio_err,"^?");
1563                         else    BIO_printf(bio_err,"^%c",*p+'@');
1564                         p++;
1565                         }
1566                 BIO_printf(bio_err,"'\n");
1567                 }
1568
1569         /* Ok, now we check the 'policy' stuff. */
1570         if ((subject=X509_NAME_new()) == NULL)
1571                 {
1572                 BIO_printf(bio_err,"Malloc failure\n");
1573                 goto err;
1574                 }
1575
1576         /* take a copy of the issuer name before we mess with it. */
1577         CAname=X509_NAME_dup(x509->cert_info->subject);
1578         if (CAname == NULL) goto err;
1579         str=str2=NULL;
1580
1581         for (i=0; i<sk_CONF_VALUE_num(policy); i++)
1582                 {
1583                 cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
1584                 if ((j=OBJ_txt2nid(cv->name)) == NID_undef)
1585                         {
1586                         BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
1587                         goto err;
1588                         }
1589                 obj=OBJ_nid2obj(j);
1590
1591                 last= -1;
1592                 for (;;)
1593                         {
1594                         /* lookup the object in the supplied name list */
1595                         j=X509_NAME_get_index_by_OBJ(name,obj,last);
1596                         if (j < 0)
1597                                 {
1598                                 if (last != -1) break;
1599                                 tne=NULL;
1600                                 }
1601                         else
1602                                 {
1603                                 tne=X509_NAME_get_entry(name,j);
1604                                 }
1605                         last=j;
1606
1607                         /* depending on the 'policy', decide what to do. */
1608                         push=NULL;
1609                         if (strcmp(cv->value,"optional") == 0)
1610                                 {
1611                                 if (tne != NULL)
1612                                         push=tne;
1613                                 }
1614                         else if (strcmp(cv->value,"supplied") == 0)
1615                                 {
1616                                 if (tne == NULL)
1617                                         {
1618                                         BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
1619                                         goto err;
1620                                         }
1621                                 else
1622                                         push=tne;
1623                                 }
1624                         else if (strcmp(cv->value,"match") == 0)
1625                                 {
1626                                 int last2;
1627
1628                                 if (tne == NULL)
1629                                         {
1630                                         BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
1631                                         goto err;
1632                                         }
1633
1634                                 last2= -1;
1635
1636 again2:
1637                                 j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
1638                                 if ((j < 0) && (last2 == -1))
1639                                         {
1640                                         BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
1641                                         goto err;
1642                                         }
1643                                 if (j >= 0)
1644                                         {
1645                                         push=X509_NAME_get_entry(CAname,j);
1646                                         str=X509_NAME_ENTRY_get_data(tne);
1647                                         str2=X509_NAME_ENTRY_get_data(push);
1648                                         last2=j;
1649                                         if (ASN1_STRING_cmp(str,str2) != 0)
1650                                                 goto again2;
1651                                         }
1652                                 if (j < 0)
1653                                         {
1654                                         BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str == NULL)?"NULL":(char *)str->data),((str2 == NULL)?"NULL":(char *)str2->data));
1655                                         goto err;
1656                                         }
1657                                 }
1658                         else
1659                                 {
1660                                 BIO_printf(bio_err,"%s:invalid type in 'policy' configuration\n",cv->value);
1661                                 goto err;
1662                                 }
1663
1664                         if (push != NULL)
1665                                 {
1666                                 if (!X509_NAME_add_entry(subject,push, -1, 0))
1667                                         {
1668                                         if (push != NULL)
1669                                                 X509_NAME_ENTRY_free(push);
1670                                         BIO_printf(bio_err,"Malloc failure\n");
1671                                         goto err;
1672                                         }
1673                                 }
1674                         if (j < 0) break;
1675                         }
1676                 }
1677
1678         if (preserve)
1679                 {
1680                 X509_NAME_free(subject);
1681                 subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
1682                 if (subject == NULL) goto err;
1683                 }
1684
1685         if (verbose)
1686                 BIO_printf(bio_err,"The subject name apears to be ok, checking data base for clashes\n");
1687
1688         row[DB_name]=X509_NAME_oneline(subject,NULL,0);
1689         row[DB_serial]=BN_bn2hex(serial);
1690         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
1691                 {
1692                 BIO_printf(bio_err,"Malloc failure\n");
1693                 goto err;
1694                 }
1695
1696         rrow=TXT_DB_get_by_index(db,DB_name,row);
1697         if (rrow != NULL)
1698                 {
1699                 BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
1700                         row[DB_name]);
1701                 }
1702         else
1703                 {
1704                 rrow=TXT_DB_get_by_index(db,DB_serial,row);
1705                 if (rrow != NULL)
1706                         {
1707                         BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
1708                                 row[DB_serial]);
1709                         BIO_printf(bio_err,"      check the database/serial_file for corruption\n");
1710                         }
1711                 }
1712
1713         if (rrow != NULL)
1714                 {
1715                 BIO_printf(bio_err,
1716                         "The matching entry has the following details\n");
1717                 if (rrow[DB_type][0] == 'E')
1718                         p="Expired";
1719                 else if (rrow[DB_type][0] == 'R')
1720                         p="Revoked";
1721                 else if (rrow[DB_type][0] == 'V')
1722                         p="Valid";
1723                 else
1724                         p="\ninvalid type, Data base error\n";
1725                 BIO_printf(bio_err,"Type          :%s\n",p);;
1726                 if (rrow[DB_type][0] == 'R')
1727                         {
1728                         p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1729                         BIO_printf(bio_err,"Was revoked on:%s\n",p);
1730                         }
1731                 p=rrow[DB_exp_date]; if (p == NULL) p="undef";
1732                 BIO_printf(bio_err,"Expires on    :%s\n",p);
1733                 p=rrow[DB_serial]; if (p == NULL) p="undef";
1734                 BIO_printf(bio_err,"Serial Number :%s\n",p);
1735                 p=rrow[DB_file]; if (p == NULL) p="undef";
1736                 BIO_printf(bio_err,"File name     :%s\n",p);
1737                 p=rrow[DB_name]; if (p == NULL) p="undef";
1738                 BIO_printf(bio_err,"Subject Name  :%s\n",p);
1739                 ok= -1; /* This is now a 'bad' error. */
1740                 goto err;
1741                 }
1742
1743         /* We are now totaly happy, lets make and sign the certificate */
1744         if (verbose)
1745                 BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
1746
1747         if ((ret=X509_new()) == NULL) goto err;
1748         ci=ret->cert_info;
1749
1750 #ifdef X509_V3
1751         /* Make it an X509 v3 certificate. */
1752         if (!X509_set_version(x509,2)) goto err;
1753 #endif
1754
1755         if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
1756                 goto err;
1757         if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
1758                 goto err;
1759
1760         BIO_printf(bio_err,"Certificate is to be certified until ");
1761         if (strcmp(startdate,"today") == 0)
1762                 X509_gmtime_adj(X509_get_notBefore(ret),0);
1763         else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
1764
1765         if (enddate == NULL)
1766                 X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
1767         else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
1768
1769         ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
1770         if(days) BIO_printf(bio_err," (%d days)",days);
1771         BIO_printf(bio_err, "\n");
1772
1773         if (!X509_set_subject_name(ret,subject)) goto err;
1774
1775         pktmp=X509_REQ_get_pubkey(req);
1776         i = X509_set_pubkey(ret,pktmp);
1777         EVP_PKEY_free(pktmp);
1778         if (!i) goto err;
1779
1780         /* Lets add the extensions, if there are any */
1781         if (ext_sect)
1782                 {
1783                 X509V3_CTX ctx;
1784                 if (ci->version == NULL)
1785                         if ((ci->version=ASN1_INTEGER_new()) == NULL)
1786                                 goto err;
1787                 ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
1788
1789                 /* Free the current entries if any, there should not
1790                  * be any I belive */
1791                 if (ci->extensions != NULL)
1792                         sk_X509_EXTENSION_pop_free(ci->extensions,
1793                                                    X509_EXTENSION_free);
1794
1795                 ci->extensions = NULL;
1796
1797                 X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
1798                 X509V3_set_conf_lhash(&ctx, lconf);
1799
1800                 if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
1801
1802                 }
1803
1804
1805         if (!batch)
1806                 {
1807                 BIO_printf(bio_err,"Sign the certificate? [y/n]:");
1808                 (void)BIO_flush(bio_err);
1809                 buf[0]='\0';
1810                 fgets(buf,sizeof(buf)-1,stdin);
1811                 if (!((buf[0] == 'y') || (buf[0] == 'Y')))
1812                         {
1813                         BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
1814                         ok=0;
1815                         goto err;
1816                         }
1817                 }
1818
1819
1820 #ifndef NO_DSA
1821         if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
1822         pktmp=X509_get_pubkey(ret);
1823         if (EVP_PKEY_missing_parameters(pktmp) &&
1824                 !EVP_PKEY_missing_parameters(pkey))
1825                 EVP_PKEY_copy_parameters(pktmp,pkey);
1826         EVP_PKEY_free(pktmp);
1827 #endif
1828
1829         if (!X509_sign(ret,pkey,dgst))
1830                 goto err;
1831
1832         /* We now just add it to the database */
1833         row[DB_type]=(char *)Malloc(2);
1834
1835         tm=X509_get_notAfter(ret);
1836         row[DB_exp_date]=(char *)Malloc(tm->length+1);
1837         memcpy(row[DB_exp_date],tm->data,tm->length);
1838         row[DB_exp_date][tm->length]='\0';
1839
1840         row[DB_rev_date]=NULL;
1841
1842         /* row[DB_serial] done already */
1843         row[DB_file]=(char *)Malloc(8);
1844         /* row[DB_name] done already */
1845
1846         if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
1847                 (row[DB_file] == NULL))
1848                 {
1849                 BIO_printf(bio_err,"Malloc failure\n");
1850                 goto err;
1851                 }
1852         strcpy(row[DB_file],"unknown");
1853         row[DB_type][0]='V';
1854         row[DB_type][1]='\0';
1855
1856         if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
1857                 {
1858                 BIO_printf(bio_err,"Malloc failure\n");
1859                 goto err;
1860                 }
1861
1862         for (i=0; i<DB_NUMBER; i++)
1863                 {
1864                 irow[i]=row[i];
1865                 row[i]=NULL;
1866                 }
1867         irow[DB_NUMBER]=NULL;
1868
1869         if (!TXT_DB_insert(db,irow))
1870                 {
1871                 BIO_printf(bio_err,"failed to update database\n");
1872                 BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
1873                 goto err;
1874                 }
1875         ok=1;
1876 err:
1877         for (i=0; i<DB_NUMBER; i++)
1878                 if (row[i] != NULL) Free(row[i]);
1879
1880         if (CAname != NULL)
1881                 X509_NAME_free(CAname);
1882         if (subject != NULL)
1883                 X509_NAME_free(subject);
1884         if (tmptm != NULL)
1885                 ASN1_UTCTIME_free(tmptm);
1886         if (ok <= 0)
1887                 {
1888                 if (ret != NULL) X509_free(ret);
1889                 ret=NULL;
1890                 }
1891         else
1892                 *xret=ret;
1893         return(ok);
1894         }
1895
1896 static void write_new_certificate(BIO *bp, X509 *x, int output_der)
1897         {
1898         char *f;
1899         char buf[256];
1900
1901         if (output_der)
1902                 {
1903                 (void)i2d_X509_bio(bp,x);
1904                 return;
1905                 }
1906
1907         f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
1908         BIO_printf(bp,"issuer :%s\n",f);
1909
1910         f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
1911         BIO_printf(bp,"subject:%s\n",f);
1912
1913         BIO_puts(bp,"serial :");
1914         i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
1915         BIO_puts(bp,"\n\n");
1916         X509_print(bp,x);
1917         BIO_puts(bp,"\n");
1918         PEM_write_bio_X509(bp,x);
1919         BIO_puts(bp,"\n");
1920         }
1921
1922 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
1923              const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
1924              BIGNUM *serial, char *startdate, char *enddate, int days,
1925              char *ext_sect, LHASH *lconf, int verbose)
1926         {
1927         STACK_OF(CONF_VALUE) *sk=NULL;
1928         LHASH *parms=NULL;
1929         X509_REQ *req=NULL;
1930         CONF_VALUE *cv=NULL;
1931         NETSCAPE_SPKI *spki = NULL;
1932         X509_REQ_INFO *ri;
1933         char *type,*buf;
1934         EVP_PKEY *pktmp=NULL;
1935         X509_NAME *n=NULL;
1936         X509_NAME_ENTRY *ne=NULL;
1937         int ok= -1,i,j;
1938         long errline;
1939         int nid;
1940
1941         /*
1942          * Load input file into a hash table.  (This is just an easy
1943          * way to read and parse the file, then put it into a convenient
1944          * STACK format).
1945          */
1946         parms=CONF_load(NULL,infile,&errline);
1947         if (parms == NULL)
1948                 {
1949                 BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
1950                 ERR_print_errors(bio_err);
1951                 goto err;
1952                 }
1953
1954         sk=CONF_get_section(parms, "default");
1955         if (sk_CONF_VALUE_num(sk) == 0)
1956                 {
1957                 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
1958                 CONF_free(parms);
1959                 goto err;
1960                 }
1961
1962         /*
1963          * Now create a dummy X509 request structure.  We don't actually
1964          * have an X509 request, but we have many of the components
1965          * (a public key, various DN components).  The idea is that we
1966          * put these components into the right X509 request structure
1967          * and we can use the same code as if you had a real X509 request.
1968          */
1969         req=X509_REQ_new();
1970         if (req == NULL)
1971                 {
1972                 ERR_print_errors(bio_err);
1973                 goto err;
1974                 }
1975
1976         /*
1977          * Build up the subject name set.
1978          */
1979         ri=req->req_info;
1980         n = ri->subject;
1981
1982         for (i = 0; ; i++)
1983                 {
1984                 if (sk_CONF_VALUE_num(sk) <= i) break;
1985
1986                 cv=sk_CONF_VALUE_value(sk,i);
1987                 type=cv->name;
1988                 /* Skip past any leading X. X: X, etc to allow for
1989                  * multiple instances
1990                  */
1991                 for(buf = cv->name; *buf ; buf++)
1992                         if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
1993                                         buf++;
1994                                         if(*buf) type = buf;
1995                                         break;
1996                 }
1997
1998                 buf=cv->value;
1999                 if ((nid=OBJ_txt2nid(type)) == NID_undef)
2000                         {
2001                         if (strcmp(type, "SPKAC") == 0)
2002                                 {
2003                                 spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2004                                 if (spki == NULL)
2005                                         {
2006                                         BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
2007                                         ERR_print_errors(bio_err);
2008                                         goto err;
2009                                         }
2010                                 }
2011                         continue;
2012                         }
2013
2014                 j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
2015                 if (fix_data(nid, &j) == 0)
2016                         {
2017                         BIO_printf(bio_err,
2018                                 "invalid characters in string %s\n",buf);
2019                         goto err;
2020                         }
2021
2022                 if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
2023                         (unsigned char *)buf,
2024                         strlen(buf))) == NULL)
2025                         goto err;
2026
2027                 if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
2028                 }
2029         if (spki == NULL)
2030                 {
2031                 BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
2032                         infile);
2033                 goto err;
2034                 }
2035
2036         /*
2037          * Now extract the key from the SPKI structure.
2038          */
2039
2040         BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
2041
2042         if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
2043                 {
2044                 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
2045                 goto err;
2046                 }
2047
2048         j = NETSCAPE_SPKI_verify(spki, pktmp);
2049         if (j <= 0)
2050                 {
2051                 BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
2052                 goto err;
2053                 }
2054         BIO_printf(bio_err,"Signature ok\n");
2055
2056         X509_REQ_set_pubkey(req,pktmp);
2057         EVP_PKEY_free(pktmp);
2058         ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,
2059                    days,1,verbose,req,ext_sect,lconf);
2060 err:
2061         if (req != NULL) X509_REQ_free(req);
2062         if (parms != NULL) CONF_free(parms);
2063         if (spki != NULL) NETSCAPE_SPKI_free(spki);
2064         if (ne != NULL) X509_NAME_ENTRY_free(ne);
2065
2066         return(ok);
2067         }
2068
2069 static int fix_data(int nid, int *type)
2070         {
2071         if (nid == NID_pkcs9_emailAddress)
2072                 *type=V_ASN1_IA5STRING;
2073         if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
2074                 *type=V_ASN1_T61STRING;
2075         if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
2076                 *type=V_ASN1_T61STRING;
2077         if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
2078                 return(0);
2079         if (nid == NID_pkcs9_unstructuredName)
2080                 *type=V_ASN1_IA5STRING;
2081         return(1);
2082         }
2083
2084 static int check_time_format(char *str)
2085         {
2086         ASN1_UTCTIME tm;
2087
2088         tm.data=(unsigned char *)str;
2089         tm.length=strlen(str);
2090         tm.type=V_ASN1_UTCTIME;
2091         return(ASN1_UTCTIME_check(&tm));
2092         }
2093
2094 static int add_oid_section(LHASH *hconf)
2095 {       
2096         char *p;
2097         STACK_OF(CONF_VALUE) *sktmp;
2098         CONF_VALUE *cnf;
2099         int i;
2100         if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
2101         if(!(sktmp = CONF_get_section(hconf, p))) {
2102                 BIO_printf(bio_err, "problem loading oid section %s\n", p);
2103                 return 0;
2104         }
2105         for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
2106                 cnf = sk_CONF_VALUE_value(sktmp, i);
2107                 if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
2108                         BIO_printf(bio_err, "problem creating object %s=%s\n",
2109                                                          cnf->name, cnf->value);
2110                         return 0;
2111                 }
2112         }
2113         return 1;
2114 }
2115
2116 static int do_revoke(X509 *x509, TXT_DB *db)
2117 {
2118         ASN1_UTCTIME *tm=NULL, *revtm=NULL;
2119         char *row[DB_NUMBER],**rrow,**irow;
2120         BIGNUM *bn = NULL;
2121         int ok=-1,i;
2122
2123         for (i=0; i<DB_NUMBER; i++)
2124                 row[i]=NULL;
2125         row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
2126         bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
2127         row[DB_serial]=BN_bn2hex(bn);
2128         BN_free(bn);
2129         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
2130                 {
2131                 BIO_printf(bio_err,"Malloc failure\n");
2132                 goto err;
2133                 }
2134         /* We have to lookup by serial number because name lookup
2135          * skips revoked certs
2136          */
2137         rrow=TXT_DB_get_by_index(db,DB_serial,row);
2138         if (rrow == NULL)
2139                 {
2140                 BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
2141
2142                 /* We now just add it to the database */
2143                 row[DB_type]=(char *)Malloc(2);
2144
2145                 tm=X509_get_notAfter(x509);
2146                 row[DB_exp_date]=(char *)Malloc(tm->length+1);
2147                 memcpy(row[DB_exp_date],tm->data,tm->length);
2148                 row[DB_exp_date][tm->length]='\0';
2149
2150                 row[DB_rev_date]=NULL;
2151
2152                 /* row[DB_serial] done already */
2153                 row[DB_file]=(char *)Malloc(8);
2154
2155                 /* row[DB_name] done already */
2156
2157                 if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
2158                         (row[DB_file] == NULL))
2159                         {
2160                         BIO_printf(bio_err,"Malloc failure\n");
2161                         goto err;
2162                         }
2163                 strcpy(row[DB_file],"unknown");
2164                 row[DB_type][0]='V';
2165                 row[DB_type][1]='\0';
2166
2167                 if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
2168                         {
2169                         BIO_printf(bio_err,"Malloc failure\n");
2170                         goto err;
2171                         }
2172
2173                 for (i=0; i<DB_NUMBER; i++)
2174                         {
2175                         irow[i]=row[i];
2176                         row[i]=NULL;
2177                         }
2178                 irow[DB_NUMBER]=NULL;
2179
2180                 if (!TXT_DB_insert(db,irow))
2181                         {
2182                         BIO_printf(bio_err,"failed to update database\n");
2183                         BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
2184                         goto err;
2185                         }
2186
2187                 /* Revoke Certificate */
2188                 ok = do_revoke(x509,db);
2189
2190                 goto err;
2191
2192                 }
2193         else if (index_name_cmp(row,rrow))
2194                 {
2195                 BIO_printf(bio_err,"ERROR:name does not match %s\n",
2196                            row[DB_name]);
2197                 goto err;
2198                 }
2199         else if (rrow[DB_type][0]=='R')
2200                 {
2201                 BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
2202                            row[DB_serial]);
2203                 goto err;
2204                 }
2205         else
2206                 {
2207                 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
2208                 revtm = ASN1_UTCTIME_new();
2209                 revtm=X509_gmtime_adj(revtm,0);
2210                 rrow[DB_type][0]='R';
2211                 rrow[DB_type][1]='\0';
2212                 rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
2213                 memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
2214                 rrow[DB_rev_date][revtm->length]='\0';
2215                 ASN1_UTCTIME_free(revtm);
2216                 }
2217         ok=1;
2218 err:
2219         for (i=0; i<DB_NUMBER; i++)
2220                 {
2221                 if (row[i] != NULL) 
2222                         Free(row[i]);
2223                 }
2224         return(ok);
2225 }
2226