{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
{"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
{"create_serial", OPT_CREATE_SERIAL, '-',
- "If reading serial fails, create a new random serial"},
+ "If reading serial fails, create a new random serial"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Enable support for multivalued RDNs"},
{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
ENGINE *e = NULL;
BIGNUM *crlnumber = NULL, *serial = NULL;
EVP_PKEY *pkey = NULL;
- BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
+ BIO *in = NULL, *out = NULL, *Sout = NULL;
ASN1_INTEGER *tmpser;
ASN1_TIME *tmptm;
CA_DB *db = NULL;
&& (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL)
goto end;
- if (conf != NULL) {
- p = NCONF_get_string(conf, NULL, "oid_file");
- if (p == NULL)
- ERR_clear_error();
- if (p != NULL) {
- BIO *oid_bio;
+ p = NCONF_get_string(conf, NULL, "oid_file");
+ if (p == NULL)
+ ERR_clear_error();
+ if (p != NULL) {
+ BIO *oid_bio = BIO_new_file(p, "r");
- oid_bio = BIO_new_file(p, "r");
- if (oid_bio == NULL) {
- /*-
- BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
- ERR_print_errors(bio_err);
- */
- ERR_clear_error();
- } else {
- OBJ_create_objects(oid_bio);
- BIO_free(oid_bio);
- }
- }
- if (!add_oid_section(conf)) {
- ERR_print_errors(bio_err);
- goto end;
+ if (oid_bio == NULL) {
+ ERR_clear_error();
+ } else {
+ OBJ_create_objects(oid_bio);
+ BIO_free(oid_bio);
}
}
+ if (!add_oid_section(conf)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
if (randfile == NULL)
/* report status of cert with serial number given on command line */
if (ser_status) {
dbfile = lookup_conf(conf, section, ENV_DATABASE);
- if (dbfile == NULL)
+ if (dbfile == NULL)
goto end;
db = load_index(dbfile, &db_attr);
if (verbose)
BIO_printf(bio_err, "writing new certificates\n");
for (i = 0; i < sk_X509_num(cert_sk); i++) {
- ASN1_INTEGER *serialNumber = X509_get_serialNumber(x);
+ BIO *Cout = NULL;
+ X509 *xi = sk_X509_value(cert_sk, i);
+ ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi);
int k;
char *n;
- x = sk_X509_value(cert_sk, i);
-
j = ASN1_STRING_length(serialNumber);
p = (const char *)ASN1_STRING_get0_data(serialNumber);
perror(buf[2]);
goto end;
}
- write_new_certificate(Cout, x, 0, notext);
- write_new_certificate(Sout, x, output_der, notext);
+ write_new_certificate(Cout, xi, 0, notext);
+ write_new_certificate(Sout, xi, output_der, notext);
+ BIO_free_all(Cout);
}
if (sk_X509_num(cert_sk)) {
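Review bot: The `goto end` in the `perror(buf[2])` failure branch now runs after `end:` has stopped freeing `Cout` (the per-iteration `BIO *Cout` replaces the function-scope one and its only release is the `BIO_free_all(Cout)` at the bottom of the loop), so if `Cout` has already been opened at that point the BIO leaks on that path. If the perror follows a failed `BIO_new_file` (outside this hunk) `Cout` is still NULL there and nothing leaks, but that cannot be confirmed from the visible lines; a `BIO_free_all(Cout);` before that `goto end;` makes the path safe either way. The return values of the two `write_new_certificate` calls on the new lines are still not checked, so a write failure to the per-certificate file or to `Sout` is silent. The enclosing function starts and ends outside the hunk.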
goto end;
tmptm = ASN1_TIME_new();
- if (tmptm == NULL)
- goto end;
- X509_gmtime_adj(tmptm, 0);
- X509_CRL_set_lastUpdate(crl, tmptm);
- if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
- NULL)) {
+ if (tmptm == NULL
+ || X509_gmtime_adj(tmptm, 0) == NULL
+ || !X509_CRL_set1_lastUpdate(crl, tmptm)
+ || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
+ NULL) == NULL) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
+ ASN1_TIME_free(tmptm);
goto end;
}
- X509_CRL_set_nextUpdate(crl, tmptm);
+ X509_CRL_set1_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
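Review bot: `X509_CRL_set1_nextUpdate(crl, tmptm)` returns an int but its result is dropped, while the `X509_CRL_set1_lastUpdate` call in the combined condition above is checked; on failure the CRL would be signed without a nextUpdate. Replace the call with `if (!X509_CRL_set1_nextUpdate(crl, tmptm)) { ASN1_TIME_free(tmptm); goto end; }` and keep the existing `ASN1_TIME_free(tmptm);` for the success path. The combined condition now also covers `ASN1_TIME_new`, `X509_gmtime_adj` and the lastUpdate call, so the message `"error setting CRL nextUpdate\n"` is misleading for those; `"error setting CRL lastUpdate/nextUpdate\n"` would match what is checked. The enclosing function continues outside the hunk.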
/*****************************************************************/
ret = 0;
end:
- BIO_free_all(Cout);
BIO_free_all(Sout);
BIO_free_all(out);
BIO_free_all(in);
X509_CRL_free(crl);
NCONF_free(conf);
NCONF_free(extconf);
+ release_engine(e);
return (ret);
}
CONF *lconf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign)
{
- X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
- NULL;
- ASN1_UTCTIME *tm;
+ X509_NAME *name = NULL, *CAname = NULL, *subject = NULL;
+ const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
if (push != NULL) {
if (!X509_NAME_add_entry(subject, push, -1, 0)) {
- X509_NAME_ENTRY_free(push);
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
goto end;
}
- if (verbose)
- BIO_printf(bio_err,
- "The subject name appears to be ok, checking data base for clashes\n");
-
- /* Build the correct Subject if no e-mail is wanted in the subject */
- /*
- * and add it later on because of the method extensions are added
- * (altName)
- */
-
- if (email_dn)
- dn_subject = subject;
- else {
- X509_NAME_ENTRY *tmpne;
- /*
- * Its best to dup the subject DN and then delete any email addresses
- * because this retains its structure.
- */
- if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
- while ((i = X509_NAME_get_index_by_NID(dn_subject,
- NID_pkcs9_emailAddress,
- -1)) >= 0) {
- tmpne = X509_NAME_get_entry(dn_subject, i);
- X509_NAME_delete_entry(dn_subject, i);
- X509_NAME_ENTRY_free(tmpne);
- }
- }
-
- if (BN_is_zero(serial))
- row[DB_serial] = OPENSSL_strdup("00");
- else
- row[DB_serial] = BN_bn2hex(serial);
- if (row[DB_serial] == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
-
- if (db->attributes.unique_subject) {
- OPENSSL_STRING *crow = row;
-
- rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
- if (rrow != NULL) {
- BIO_printf(bio_err,
- "ERROR:There is already a certificate for %s\n",
- row[DB_name]);
- }
- }
- if (rrow == NULL) {
- rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
- if (rrow != NULL) {
- BIO_printf(bio_err,
- "ERROR:Serial number %s has already been issued,\n",
- row[DB_serial]);
- BIO_printf(bio_err,
- " check the database/serial_file for corruption\n");
- }
- }
-
- if (rrow != NULL) {
- BIO_printf(bio_err, "The matching entry has the following details\n");
- if (rrow[DB_type][0] == 'E')
- p = "Expired";
- else if (rrow[DB_type][0] == 'R')
- p = "Revoked";
- else if (rrow[DB_type][0] == 'V')
- p = "Valid";
- else
- p = "\ninvalid type, Data base error\n";
- BIO_printf(bio_err, "Type :%s\n", p);;
- if (rrow[DB_type][0] == 'R') {
- p = rrow[DB_exp_date];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Was revoked on:%s\n", p);
- }
- p = rrow[DB_exp_date];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Expires on :%s\n", p);
- p = rrow[DB_serial];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Serial Number :%s\n", p);
- p = rrow[DB_file];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "File name :%s\n", p);
- p = rrow[DB_name];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Subject Name :%s\n", p);
- ok = -1; /* This is now a 'bad' error. */
- goto end;
- }
-
/* We are now totally happy, lets make and sign the certificate */
if (verbose)
BIO_printf(bio_err,
goto end;
}
- if (strcmp(startdate, "today") == 0)
- X509_gmtime_adj(X509_get_notBefore(ret), 0);
- else
- ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
+ if (!set_cert_times(ret, startdate, enddate, days))
+ goto end;
- if (enddate == NULL)
- X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
- else {
+ if (enddate != NULL) {
int tdays;
- ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
- ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+
+ if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret)))
+ goto end;
days = tdays;
}
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- X509_set_version(ret, 2);
/* Initialize the context structure */
if (selfsign)
goto end;
}
- /* Set the right value for the noemailDN option */
- if (email_dn == 0) {
- if (!X509_set_subject_name(ret, dn_subject))
+ {
+ const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
+
+ if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
+ /* Make it an X509 v3 certificate. */
+ if (!X509_set_version(ret, 2))
+ goto end;
+ }
+
+ if (verbose)
+ BIO_printf(bio_err,
+ "The subject name appears to be ok, checking data base for clashes\n");
+
+ /* Build the correct Subject if no e-mail is wanted in the subject. */
+ if (!email_dn) {
+ X509_NAME_ENTRY *tmpne;
+ X509_NAME *dn_subject;
+
+ /*
+ * Its best to dup the subject DN and then delete any email addresses
+ * because this retains its structure.
+ */
+ if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+ while ((i = X509_NAME_get_index_by_NID(dn_subject,
+ NID_pkcs9_emailAddress,
+ -1)) >= 0) {
+ tmpne = X509_NAME_get_entry(dn_subject, i);
+ X509_NAME_delete_entry(dn_subject, i);
+ X509_NAME_ENTRY_free(tmpne);
+ }
+
+ if (!X509_set_subject_name(ret, dn_subject)) {
+ X509_NAME_free(dn_subject);
+ goto end;
+ }
+ X509_NAME_free(dn_subject);
+ }
+
+ row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+
+ if (BN_is_zero(serial))
+ row[DB_serial] = OPENSSL_strdup("00");
+ else
+ row[DB_serial] = BN_bn2hex(serial);
+ if (row[DB_serial] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+
+ if (row[DB_name][0] == '\0') {
+ /*
+ * An empty subject! We'll use the serial number instead. If
+ * unique_subject is in use then we don't want different entries with
+ * empty subjects matching each other.
+ */
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
+ }
+ }
+
+ if (db->attributes.unique_subject) {
+ OPENSSL_STRING *crow = row;
+
+ rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
+ if (rrow != NULL) {
+ BIO_printf(bio_err,
+ "ERROR:There is already a certificate for %s\n",
+ row[DB_name]);
+ }
+ }
+ if (rrow == NULL) {
+ rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+ if (rrow != NULL) {
+ BIO_printf(bio_err,
+ "ERROR:Serial number %s has already been issued,\n",
+ row[DB_serial]);
+ BIO_printf(bio_err,
+ " check the database/serial_file for corruption\n");
+ }
+ }
+
+ if (rrow != NULL) {
+ BIO_printf(bio_err, "The matching entry has the following details\n");
+ if (rrow[DB_type][0] == DB_TYPE_EXP)
+ p = "Expired";
+ else if (rrow[DB_type][0] == DB_TYPE_REV)
+ p = "Revoked";
+ else if (rrow[DB_type][0] == DB_TYPE_VAL)
+ p = "Valid";
+ else
+ p = "\ninvalid type, Data base error\n";
+ BIO_printf(bio_err, "Type :%s\n", p);;
+ if (rrow[DB_type][0] == DB_TYPE_REV) {
+ p = rrow[DB_exp_date];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Was revoked on:%s\n", p);
+ }
+ p = rrow[DB_exp_date];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Expires on :%s\n", p);
+ p = rrow[DB_serial];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Serial Number :%s\n", p);
+ p = rrow[DB_file];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "File name :%s\n", p);
+ p = rrow[DB_name];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Subject Name :%s\n", p);
+ ok = -1; /* This is now a 'bad' error. */
+ goto end;
}
if (!default_op) {
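Review bot: The version bump at `if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)` is an unbraced `if` whose body is another `if`/`goto`, the shape that hides a mis-paired `goto` or dangling `else` on the next edit; brace it as `if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) {` … `}` around the inner `X509_set_version` check. The stray double semicolon in `BIO_printf(bio_err, "Type :%s\n", p);;` is carried over from the removed block and can be dropped while the code moves. The enclosing function starts and ends outside the hunk.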
}
BIO_printf(bio_err, "Certificate is to be certified until ");
- ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(ret));
if (days)
BIO_printf(bio_err, " (%ld days)", days);
BIO_printf(bio_err, "\n");
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
- tm = X509_get_notAfter(ret);
+ tm = X509_get0_notAfter(ret);
row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
- row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
}
irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
- for (i = 0; i < DB_NUMBER; i++) {
+ for (i = 0; i < DB_NUMBER; i++)
irow[i] = row[i];
- row[i] = NULL;
- }
irow[DB_NUMBER] = NULL;
if (!TXT_DB_insert(db->db, irow)) {
BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
goto end;
}
+ irow = NULL;
ok = 1;
end:
- for (i = 0; i < DB_NUMBER; i++)
- OPENSSL_free(row[i]);
+ if (ok != 1) {
+ for (i = 0; i < DB_NUMBER; i++)
+ OPENSSL_free(row[i]);
+ }
+ OPENSSL_free(irow);
X509_NAME_free(CAname);
X509_NAME_free(subject);
- if (dn_subject != subject)
- X509_NAME_free(dn_subject);
if (ok <= 0)
X509_free(ret);
else
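Review bot: The hand-over of the `row[]` strings to the database is expressed only through `ok != 1` at `end:`, so a later edit that sets `ok = 1` on another path, or returns a different success value, would silently turn the cleanup into a use-after-free of strings the database now owns; a comment at the `irow = NULL;` line such as `/* db now owns irow and the row[] strings; do not free them at end */` and a matching one above `if (ok != 1)` would pin the invariant. On the `TXT_DB_insert` failure path both `irow` and every `row[i]` are freed, which is correct because `irow` only aliases the strings. The enclosing function starts and ends outside the hunk.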
sk = CONF_get_section(parms, "default");
if (sk_CONF_VALUE_num(sk) == 0) {
BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
- CONF_free(parms);
goto end;
}
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
{
- ASN1_UTCTIME *tm = NULL;
+ const ASN1_TIME *tm = NULL;
char *row[DB_NUMBER], **rrow, **irow;
char *rev_str = NULL;
BIGNUM *bn = NULL;
else
row[DB_serial] = BN_bn2hex(bn);
BN_free(bn);
+ if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+ /* Entries with empty Subjects actually use the serial number instead */
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ }
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
- tm = X509_get_notAfter(x509);
+ tm = X509_get0_notAfter(x509);
row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
+ if (row[DB_type] == NULL || row[DB_file] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+
irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr");
- for (i = 0; i < DB_NUMBER; i++) {
+ for (i = 0; i < DB_NUMBER; i++)
irow[i] = row[i];
- row[i] = NULL;
- }
irow[DB_NUMBER] = NULL;
if (!TXT_DB_insert(db->db, irow)) {
BIO_printf(bio_err, "failed to update database\n");
BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
+ OPENSSL_free(irow);
goto end;
}
+ for (i = 0; i < DB_NUMBER; i++)
+ row[i] = NULL;
+
/* Revoke Certificate */
if (type == -1)
ok = 1;
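Review bot: The ownership hand-over after `TXT_DB_insert` is written differently here than in the certificate-issuing path of the same commit: this function NULLs every `row[i]` in a loop after a successful insert and frees `irow` inline on failure, whereas the other path sets `irow = NULL` and keys the `end:` cleanup on `ok != 1`. Both look correct from the visible lines, but two idioms for the same transfer invite a mismatch on the next edit; consider using one of them in both places, with a comment such as `/* db owns irow and the row[] strings from here on */` at the NULLing loop. The enclosing function `do_revoke` starts in an earlier hunk and ends after this one.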
}
ok = 1;
end:
- for (i = 0; i < DB_NUMBER; i++) {
+ for (i = 0; i < DB_NUMBER; i++)
OPENSSL_free(row[i]);
- }
return (ok);
}
return -1;
/* get actual time and make a string */
- a_tm = X509_gmtime_adj(a_tm, 0);
+ if (X509_gmtime_adj(a_tm, 0) == NULL) {
+ ASN1_UTCTIME_free(a_tm);
+ return -1;
+ }
a_tm_s = app_malloc(a_tm->length + 1, "time string");
memcpy(a_tm_s, a_tm->data, a_tm->length);