New 'openssl ca -status <serial>' and 'openssl ca -updatedb'
[openssl.git] / apps / ca.c
index d724d0940776dee0037a3bcf891192116832050f..2ac0db74d6708326e65e08af742842b8bacef15b 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -61,6 +61,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <ctype.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "apps.h"
@@ -74,6 +75,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/engine.h>
 
 #ifndef W_OK
 #  ifdef VMS
@@ -152,7 +154,8 @@ static char *ca_usage[]={
 " -days arg       - number of days to certify the certificate for\n",
 " -md arg         - md to use, one of md2, md5, sha or sha1\n",
 " -policy arg     - The CA 'policy' to support\n",
-" -keyfile arg    - PEM private key file\n",
+" -keyfile arg    - private key file\n",
+" -keyform arg    - private key file format (PEM or ENGINE)\n",
 " -key arg        - key to decode the private key if it is encrypted\n",
 " -cert file      - The CA certificate\n",
 " -in file        - The input PEM encoded certificate request(s)\n",
@@ -167,6 +170,9 @@ static char *ca_usage[]={
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
+" -engine e       - use engine e, possibly a hardware device.\n",
+" -status serial  - Shows certificate status given the serial number\n",
+" -updatedb       - Updates db for expired certificates\n",
 NULL
 };
 
@@ -176,13 +182,12 @@ extern int EF_PROTECT_BELOW;
 extern int EF_ALIGNMENT;
 #endif
 
-static int add_oid_section(LHASH *conf);
 static void lookup_fail(char *name,char *tag);
-static unsigned long index_serial_hash(char **a);
-static int index_serial_cmp(char **a, char **b);
-static unsigned long index_name_hash(char **a);
+static unsigned long index_serial_hash(const char **a);
+static int index_serial_cmp(const char **a, const char **b);
+static unsigned long index_name_hash(const char **a);
 static int index_name_qual(char **a);
-static int index_name_cmp(char **a,char **b);
+static int index_name_cmp(const char **a,const char **b);
 static BIGNUM *load_serial(char *serialfile);
 static int save_serial(char *serialfile, BIGNUM *serial);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
@@ -200,12 +205,14 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                         char *enddate, int days, char *ext_sect,LHASH *conf,
                                int verbose);
 static int fix_data(int nid, int *type);
-static void write_new_certificate(BIO *bp, X509 *x, int output_der);
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
        char *startdate, char *enddate, int days, int batch, int verbose,
        X509_REQ *req, char *ext_sect, LHASH *conf);
 static int do_revoke(X509 *x509, TXT_DB *db);
+static int get_certificate_status(const char *ser_status, TXT_DB *db);
+static int do_updatedb(TXT_DB *db);
 static int check_time_format(char *str);
 static LHASH *conf=NULL;
 static char *section=NULL;
@@ -213,9 +220,18 @@ static char *section=NULL;
 static int preserve=0;
 static int msie_hack=0;
 
+static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+
+
+int MAIN(int, char **);
+
 int MAIN(int argc, char **argv)
        {
-       char *key=NULL;
+       ENGINE *e = NULL;
+       char *key=NULL,*passargin=NULL;
        int total=0;
        int total_done=0;
        int badops=0;
@@ -224,6 +240,7 @@ int MAIN(int argc, char **argv)
        int verbose=0;
        int gencrl=0;
        int dorevoke=0;
+       int doupdatedb=0;
        long crldays=0;
        long crlhours=0;
        long errorline= -1;
@@ -232,9 +249,11 @@ int MAIN(int argc, char **argv)
        char *policy=NULL;
        char *keyfile=NULL;
        char *certfile=NULL;
+       int keyform=FORMAT_PEM;
        char *infile=NULL;
        char *spkac_file=NULL;
        char *ss_cert_file=NULL;
+       char *ser_status=NULL;
        EVP_PKEY *pkey=NULL;
        int output_der = 0;
        char *outfile=NULL;
@@ -247,6 +266,7 @@ int MAIN(int argc, char **argv)
        char *enddate=NULL;
        int days=0;
        int batch=0;
+       int notext=0;
        X509 *x509=NULL;
        X509 *x=NULL;
        BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
@@ -260,12 +280,13 @@ int MAIN(int argc, char **argv)
        long l;
        const EVP_MD *dgst=NULL;
        STACK_OF(CONF_VALUE) *attribs=NULL;
-       STACK *cert_sk=NULL;
+       STACK_OF(X509) *cert_sk=NULL;
        BIO *hex=NULL;
 #undef BSIZE
 #define BSIZE 256
        MS_STATIC char buf[3][BSIZE];
        char *randfile=NULL;
+       char *engine = NULL;
 
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -279,8 +300,6 @@ EF_ALIGNMENT=0;
        key = NULL;
        section = NULL;
 
-       X509V3_add_standard_extensions();
-
        preserve=0;
        msie_hack=0;
        if (bio_err == NULL)
@@ -333,6 +352,16 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        keyfile= *(++argv);
                        }
+               else if (strcmp(*argv,"-keyform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       keyform=str2fmt(*(++argv));
+                       }
+               else if (strcmp(*argv,"-passin") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       passargin= *(++argv);
+                       }
                else if (strcmp(*argv,"-key") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -359,6 +388,8 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        outdir= *(++argv);
                        }
+               else if (strcmp(*argv,"-notext") == 0)
+                       notext=1;
                else if (strcmp(*argv,"-batch") == 0)
                        batch=1;
                else if (strcmp(*argv,"-preserveDN") == 0)
@@ -407,11 +438,25 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        extensions= *(++argv);
                        }
+               else if (strcmp(*argv,"-status") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       ser_status= *(++argv);
+                       }
+               else if (strcmp(*argv,"-updatedb") == 0)
+                       {
+                       doupdatedb=1;
+                       }
                else if (strcmp(*argv,"-crlexts") == 0)
                        {
                        if (--argc < 1) goto bad;
                        crl_ext= *(++argv);
                        }
+               else if (strcmp(*argv,"-engine") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       engine= *(++argv);
+                       }
                else
                        {
 bad:
@@ -432,6 +477,24 @@ bad:
 
        ERR_load_crypto_strings();
 
+       if (engine != NULL)
+               {
+               if ((e = ENGINE_by_id(engine)) == NULL)
+                       {
+                       BIO_printf(bio_err,"invalid engine \"%s\"\n",
+                               engine);
+                       goto err;
+                       }
+               if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+                       {
+                       BIO_printf(bio_err,"can't use that engine\n");
+                       goto err;
+                       }
+               BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
+               /* Free our "structural" reference. */
+               ENGINE_free(e);
+               }
+
        /*****************************************************************/
        if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
        if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
@@ -476,6 +539,8 @@ bad:
        if (conf != NULL)
                {
                p=CONF_get_string(conf,NULL,"oid_file");
+               if (p == NULL)
+                       ERR_clear_error();
                if (p != NULL)
                        {
                        BIO *oid_bio;
@@ -495,7 +560,7 @@ bad:
                                BIO_free(oid_bio);
                                }
                        }
-               if(!add_oid_section(conf)) 
+               if (!add_oid_section(bio_err,conf)) 
                        {
                        ERR_print_errors(bio_err);
                        goto err;
@@ -503,6 +568,8 @@ bad:
                }
 
        randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE");
+       if (randfile == NULL)
+               ERR_clear_error();
        app_RAND_load_file(randfile, bio_err, 0);
        
        in=BIO_new(BIO_s_file());
@@ -516,7 +583,41 @@ bad:
                }
 
        /*****************************************************************/
-       /* we definitly need an public key, so lets get it */
+       /* report status of cert with serial number given on command line */
+       if (ser_status)
+       {
+               if ((dbfile=CONF_get_string(conf,section,ENV_DATABASE)) == NULL)
+                       {
+                       lookup_fail(section,ENV_DATABASE);
+                       goto err;
+                       }
+               if (BIO_read_filename(in,dbfile) <= 0)
+                       {
+                       perror(dbfile);
+                       BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+                       goto err;
+                       }
+               db=TXT_DB_read(in,DB_NUMBER);
+               if (db == NULL) goto err;
+
+               if (!TXT_DB_create_index(db, DB_serial, NULL,
+                                       LHASH_HASH_FN(index_serial_hash),
+                                       LHASH_COMP_FN(index_serial_cmp)))
+                       {
+                       BIO_printf(bio_err,
+                         "error creating serial number index:(%ld,%ld,%ld)\n",
+                                               db->error,db->arg1,db->arg2);
+                       goto err;
+                       }
+
+               if (get_certificate_status(ser_status,db) != 1)
+                       BIO_printf(bio_err,"Error verifying serial %s!\n",
+                                ser_status);
+               goto err;
+       }
+
+       /*****************************************************************/
+       /* we definitely need a public key, so let's get it */
 
        if ((keyfile == NULL) && ((keyfile=CONF_get_string(conf,
                section,ENV_PRIVATE_KEY)) == NULL))
@@ -524,19 +625,36 @@ bad:
                lookup_fail(section,ENV_PRIVATE_KEY);
                goto err;
                }
-       if (BIO_read_filename(in,keyfile) <= 0)
+       if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
                {
-               perror(keyfile);
-               BIO_printf(bio_err,"trying to load CA private key\n");
+               BIO_printf(bio_err,"Error getting password\n");
                goto err;
                }
-       if (key == NULL)
-               pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
+       if (keyform == FORMAT_ENGINE)
+               {
+               if (!e)
+                       {
+                       BIO_printf(bio_err,"no engine specified\n");
+                       goto err;
+                       }
+               pkey = ENGINE_load_private_key(e, keyfile, key);
+               }
+       else if (keyform == FORMAT_PEM)
+               {
+               if (BIO_read_filename(in,keyfile) <= 0)
+                       {
+                       perror(keyfile);
+                       BIO_printf(bio_err,"trying to load CA private key\n");
+                       goto err;
+                       }
+               pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
+               }
        else
                {
-               pkey=PEM_read_bio_PrivateKey(in,NULL,key_callback,key);
-               memset(key,0,strlen(key));
+               BIO_printf(bio_err,"bad input format specified for key file\n");
+               goto err;
                }
+       if (key) memset(key,0,strlen(key));
        if (pkey == NULL)
                {
                BIO_printf(bio_err,"unable to load CA private key\n");
@@ -571,9 +689,13 @@ bad:
                }
 
        f=CONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
+       if (f == NULL)
+               ERR_clear_error();
        if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
                preserve=1;
        f=CONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
+       if (f == NULL)
+               ERR_clear_error();
        if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
                msie_hack=1;
 
@@ -589,14 +711,19 @@ bad:
                        BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
                        goto err;
                        }
-#ifdef VMS
-               /* For technical reasons, VMS misbehaves with X_OK */
-               if (access(outdir,R_OK|W_OK) != 0)
-#else
+#ifndef VMS /* outdir is a directory spec, but access() for VMS demands a
+              filename.  In any case, stat(), below, will catch the problem
+              if outdir is not a directory spec, and the fopen() or open()
+              will catch an error if there is no write access.
+
+              Presumably, this problem could also be solved by using the DEC
+              C routines to convert the directory syntax to Unixly, and give
+              that to access().  However, time's too short to do that just
+              now.
+            */
                if (access(outdir,R_OK|W_OK|X_OK) != 0)
-#endif
                        {
-                       BIO_printf(bio_err,"I am unable to acces the %s directory\n",outdir);
+                       BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
                        perror(outdir);
                        goto err;
                        }
@@ -614,6 +741,7 @@ bad:
                        perror(outdir);
                        goto err;
                        }
+#endif
 #endif
                }
 
@@ -677,27 +805,111 @@ bad:
        if (verbose)
                {
                BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
+#ifdef VMS
+               {
+               BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+               out = BIO_push(tmpbio, out);
+               }
+#endif
                TXT_DB_write(out,db);
                BIO_printf(bio_err,"%d entries loaded from the database\n",
                        db->data->num);
-               BIO_printf(bio_err,"generating indexs\n");
+               BIO_printf(bio_err,"generating index\n");
                }
        
-       if (!TXT_DB_create_index(db,DB_serial,NULL,index_serial_hash,
-               index_serial_cmp))
+       if (!TXT_DB_create_index(db, DB_serial, NULL,
+                       LHASH_HASH_FN(index_serial_hash),
+                       LHASH_COMP_FN(index_serial_cmp)))
                {
                BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
                goto err;
                }
 
-       if (!TXT_DB_create_index(db,DB_name,index_name_qual,index_name_hash,
-               index_name_cmp))
+       if (!TXT_DB_create_index(db, DB_name, index_name_qual,
+                       LHASH_HASH_FN(index_name_hash),
+                       LHASH_COMP_FN(index_name_cmp)))
                {
                BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
                        db->error,db->arg1,db->arg2);
                goto err;
                }
 
+       /*****************************************************************/
+       /* Update the db file for expired certificates */
+       if (doupdatedb)
+               {
+               if (verbose)
+                       BIO_printf(bio_err, "Updating %s ...\n",
+                                                       dbfile);
+
+               i = do_updatedb(db);
+               if (i == -1)
+                       {
+                       BIO_printf(bio_err,"Malloc failure\n");
+                       goto err;
+                       }
+               else if (i == 0)
+                       {
+                       if (verbose) BIO_printf(bio_err,
+                                       "No entries found to mark expired\n"); 
+                       }
+               else
+                       {
+                       out = BIO_new(BIO_s_file());
+                       if (out == NULL)
+                               {
+                               ERR_print_errors(bio_err);
+                               goto err;
+                               }
+
+                       j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile);
+                       if (j < 0 || j >= sizeof buf[0])
+                               {
+                               BIO_printf(bio_err, "file name too long\n");
+                               goto err;
+                               }
+                       if (BIO_write_filename(out,buf[0]) <= 0)
+                               {
+                               perror(dbfile);
+                               BIO_printf(bio_err,"unable to open '%s'\n",
+                                                                       dbfile);
+                               goto err;
+                               }
+                       j=TXT_DB_write(out,db);
+                       if (j <= 0) goto err;
+                       
+                       BIO_free(out);
+                       out = NULL;
+                       j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile);
+                       if (j < 0 || j >= sizeof buf[1])
+                               {
+                               BIO_printf(bio_err, "file name too long\n");
+                               goto err;
+                               }
+                       if (rename(dbfile,buf[1]) < 0)
+                               {
+                               BIO_printf(bio_err,
+                                               "unable to rename %s to %s\n",
+                                               dbfile, buf[1]);
+                               perror("reason");
+                               goto err;
+                               }
+                       if (rename(buf[0],dbfile) < 0)
+                               {
+                               BIO_printf(bio_err,
+                                               "unable to rename %s to %s\n",
+                                               buf[0],dbfile);
+                               perror("reason");
+                               rename(buf[1],dbfile);
+                               goto err;
+                               }
+                               
+                       if (verbose) BIO_printf(bio_err,
+                               "Done. %d entries marked as expired\n",i); 
+                       }
+                       goto err;
+               }
+
        /*****************************************************************/
        if (req || gencrl)
                {
@@ -711,7 +923,15 @@ bad:
                                }
                        }
                else
+                       {
                        BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+#ifdef VMS
+                       {
+                       BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+                       Sout = BIO_push(tmpbio, Sout);
+                       }
+#endif
+                       }
                }
 
        if (req)
@@ -745,26 +965,34 @@ bad:
                        lookup_fail(section,ENV_SERIAL);
                        goto err;
                        }
-               if(!extensions)
+               if (!extensions)
+                       {
                        extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
-               if(extensions) {
+                       if (!extensions)
+                               ERR_clear_error();
+                       }
+               if (extensions)
+                       {
                        /* Check syntax of file */
                        X509V3_CTX ctx;
                        X509V3_set_ctx_test(&ctx);
                        X509V3_set_conf_lhash(&ctx, conf);
-                       if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) {
+                       if (!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL))
+                               {
                                BIO_printf(bio_err,
                                 "Error Loading extension section %s\n",
                                                                 extensions);
                                ret = 1;
                                goto err;
+                               }
                        }
-               }
 
                if (startdate == NULL)
                        {
                        startdate=CONF_get_string(conf,section,
                                ENV_DEFAULT_STARTDATE);
+                       if (startdate == NULL)
+                               ERR_clear_error();
                        }
                if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
                        {
@@ -777,6 +1005,8 @@ bad:
                        {
                        enddate=CONF_get_string(conf,section,
                                ENV_DEFAULT_ENDDATE);
+                       if (enddate == NULL)
+                               ERR_clear_error();
                        }
                if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
                        {
@@ -804,7 +1034,7 @@ bad:
                        {
                        if ((f=BN_bn2hex(serial)) == NULL) goto err;
                        BIO_printf(bio_err,"next serial number is %s\n",f);
-                       Free(f);
+                       OPENSSL_free(f);
                        }
 
                if ((attribs=CONF_get_section(conf,policy)) == NULL)
@@ -813,9 +1043,9 @@ bad:
                        goto err;
                        }
 
-               if ((cert_sk=sk_new_null()) == NULL)
+               if ((cert_sk=sk_X509_new_null()) == NULL)
                        {
-                       BIO_printf(bio_err,"Malloc failure\n");
+                       BIO_printf(bio_err,"Memory allocation failure\n");
                        goto err;
                        }
                if (spkac_file != NULL)
@@ -830,9 +1060,9 @@ bad:
                                total_done++;
                                BIO_printf(bio_err,"\n");
                                if (!BN_add_word(serial,1)) goto err;
-                               if (!sk_push(cert_sk,(char *)x))
+                               if (!sk_X509_push(cert_sk,x))
                                        {
-                                       BIO_printf(bio_err,"Malloc failure\n");
+                                       BIO_printf(bio_err,"Memory allocation failure\n");
                                        goto err;
                                        }
                                if (outfile)
@@ -854,9 +1084,9 @@ bad:
                                total_done++;
                                BIO_printf(bio_err,"\n");
                                if (!BN_add_word(serial,1)) goto err;
-                               if (!sk_push(cert_sk,(char *)x))
+                               if (!sk_X509_push(cert_sk,x))
                                        {
-                                       BIO_printf(bio_err,"Malloc failure\n");
+                                       BIO_printf(bio_err,"Memory allocation failure\n");
                                        goto err;
                                        }
                                }
@@ -873,9 +1103,9 @@ bad:
                                total_done++;
                                BIO_printf(bio_err,"\n");
                                if (!BN_add_word(serial,1)) goto err;
-                               if (!sk_push(cert_sk,(char *)x))
+                               if (!sk_X509_push(cert_sk,x))
                                        {
-                                       BIO_printf(bio_err,"Malloc failure\n");
+                                       BIO_printf(bio_err,"Memory allocation failure\n");
                                        goto err;
                                        }
                                }
@@ -892,9 +1122,9 @@ bad:
                                total_done++;
                                BIO_printf(bio_err,"\n");
                                if (!BN_add_word(serial,1)) goto err;
-                               if (!sk_push(cert_sk,(char *)x))
+                               if (!sk_X509_push(cert_sk,x))
                                        {
-                                       BIO_printf(bio_err,"Malloc failure\n");
+                                       BIO_printf(bio_err,"Memory allocation failure\n");
                                        goto err;
                                        }
                                }
@@ -903,7 +1133,7 @@ bad:
                 * and a data base and serial number that need
                 * updating */
 
-               if (sk_num(cert_sk) > 0)
+               if (sk_X509_num(cert_sk) > 0)
                        {
                        if (!batch)
                                {
@@ -919,7 +1149,7 @@ bad:
                                        }
                                }
 
-                       BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk));
+                       BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
 
                        strncpy(buf[0],serialfile,BSIZE-4);
 
@@ -951,12 +1181,12 @@ bad:
        
                if (verbose)
                        BIO_printf(bio_err,"writing new certificates\n");
-               for (i=0; i<sk_num(cert_sk); i++)
+               for (i=0; i<sk_X509_num(cert_sk); i++)
                        {
                        int k;
                        unsigned char *n;
 
-                       x=(X509 *)sk_value(cert_sk,i);
+                       x=sk_X509_value(cert_sk,i);
 
                        j=x->cert_info->serialNumber->length;
                        p=(char *)x->cert_info->serialNumber->data;
@@ -991,11 +1221,11 @@ bad:
                                perror(buf[2]);
                                goto err;
                                }
-                       write_new_certificate(Cout,x, 0);
-                       write_new_certificate(Sout,x, output_der);
+                       write_new_certificate(Cout,x, 0, notext);
+                       write_new_certificate(Sout,x, output_der, notext);
                        }
 
-               if (sk_num(cert_sk))
+               if (sk_X509_num(cert_sk))
                        {
                        /* Rename the database and the serial file */
                        strncpy(buf[2],serialfile,BSIZE-4);
@@ -1007,19 +1237,19 @@ bad:
 #endif
 
                        BIO_free(in);
-                       BIO_free(out);
+                       BIO_free_all(out);
                        in=NULL;
                        out=NULL;
                        if (rename(serialfile,buf[2]) < 0)
                                {
-                               BIO_printf(bio_err,"unabel to rename %s to %s\n",
+                               BIO_printf(bio_err,"unable to rename %s to %s\n",
                                        serialfile,buf[2]);
                                perror("reason");
                                goto err;
                                }
                        if (rename(buf[0],serialfile) < 0)
                                {
-                               BIO_printf(bio_err,"unabel to rename %s to %s\n",
+                               BIO_printf(bio_err,"unable to rename %s to %s\n",
                                        buf[0],serialfile);
                                perror("reason");
                                rename(buf[2],serialfile);
@@ -1036,14 +1266,14 @@ bad:
 
                        if (rename(dbfile,buf[2]) < 0)
                                {
-                               BIO_printf(bio_err,"unabel to rename %s to %s\n",
+                               BIO_printf(bio_err,"unable to rename %s to %s\n",
                                        dbfile,buf[2]);
                                perror("reason");
                                goto err;
                                }
                        if (rename(buf[1],dbfile) < 0)
                                {
-                               BIO_printf(bio_err,"unabel to rename %s to %s\n",
+                               BIO_printf(bio_err,"unable to rename %s to %s\n",
                                        buf[1],dbfile);
                                perror("reason");
                                rename(buf[2],dbfile);
@@ -1056,20 +1286,27 @@ bad:
        /*****************************************************************/
        if (gencrl)
                {
-               if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
-               if(crl_ext) {
+               if (!crl_ext)
+                       {
+                       crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+                       if (!crl_ext)
+                               ERR_clear_error();
+                       }
+               if (crl_ext)
+                       {
                        /* Check syntax of file */
                        X509V3_CTX ctx;
                        X509V3_set_ctx_test(&ctx);
                        X509V3_set_conf_lhash(&ctx, conf);
-                       if(!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL)) {
+                       if (!X509V3_EXT_add_conf(conf, &ctx, crl_ext, NULL))
+                               {
                                BIO_printf(bio_err,
                                 "Error Loading CRL extension section %s\n",
                                                                 crl_ext);
                                ret = 1;
                                goto err;
+                               }
                        }
-               }
                if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
 
                if (!crldays && !crlhours)
@@ -1115,7 +1352,7 @@ bad:
                                if (!a2i_ASN1_INTEGER(hex,r->serialNumber,
                                        buf[0],BSIZE)) goto err;
 
-                               sk_X509_REVOKED_push(ci->revoked,r);
+                               X509_CRL_add0_revoked(crl,r);
                                }
                        }
                /* sort the data so it will be written in serial
@@ -1138,28 +1375,29 @@ bad:
                                }
                        }
                else
-                   {
+                       {
 #ifndef NO_DSA
-                   if (pkey->type == EVP_PKEY_DSA) 
-                       dgst=EVP_dss1();
-                   else
+                       if (pkey->type == EVP_PKEY_DSA) 
+                               dgst=EVP_dss1();
+                       else
 #endif
-                       dgst=EVP_md5();
-                   }
+                               dgst=EVP_md5();
+                       }
 
                /* Add any extensions asked for */
 
-               if(crl_ext) {
-                   X509V3_CTX crlctx;
-                   if (ci->version == NULL)
-                   if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
-                   ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
-                   X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
-                   X509V3_set_conf_lhash(&crlctx, conf);
+               if (crl_ext)
+                       {
+                       X509V3_CTX crlctx;
+                       if (ci->version == NULL)
+                               if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+                       ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+                       X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
+                       X509V3_set_conf_lhash(&crlctx, conf);
 
-                   if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
-                                                crl_ext, crl)) goto err;
-               }
+                       if (!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+                               crl_ext, crl)) goto err;
+                       }
 
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
@@ -1224,12 +1462,12 @@ bad:
        ret=0;
 err:
        BIO_free(hex);
-       BIO_free(Cout);
-       BIO_free(Sout);
-       BIO_free(out);
+       BIO_free_all(Cout);
+       BIO_free_all(Sout);
+       BIO_free_all(out);
        BIO_free(in);
 
-       sk_pop_free(cert_sk,X509_free);
+       sk_X509_pop_free(cert_sk,X509_free);
 
        if (ret) ERR_print_errors(bio_err);
        app_RAND_write_file(randfile, bio_err);
@@ -1239,7 +1477,6 @@ err:
        X509_free(x509);
        X509_CRL_free(crl);
        CONF_free(conf);
-       X509V3_EXT_cleanup();
        OBJ_cleanup();
        EXIT(ret);
        }
@@ -1249,31 +1486,31 @@ static void lookup_fail(char *name, char *tag)
        BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
        }
 
-static unsigned long index_serial_hash(char **a)
+static unsigned long index_serial_hash(const char **a)
        {
-       char *n;
+       const char *n;
 
        n=a[DB_serial];
        while (*n == '0') n++;
        return(lh_strhash(n));
        }
 
-static int index_serial_cmp(char **a, char **b)
+static int index_serial_cmp(const char **a, const char **b)
        {
-       char *aa,*bb;
+       const char *aa,*bb;
 
        for (aa=a[DB_serial]; *aa == '0'; aa++);
        for (bb=b[DB_serial]; *bb == '0'; bb++);
        return(strcmp(aa,bb));
        }
 
-static unsigned long index_name_hash(char **a)
+static unsigned long index_name_hash(const char **a)
        { return(lh_strhash(a[DB_name])); }
 
 static int index_name_qual(char **a)
        { return(a[0][0] == 'V'); }
 
-static int index_name_cmp(char **a, char **b)
+static int index_name_cmp(const char **a, const char **b)
        { return(strcmp(a[DB_name],
             b[DB_name])); }
 
@@ -1342,7 +1579,7 @@ static int save_serial(char *serialfile, BIGNUM *serial)
        BIO_puts(out,"\n");
        ret=1;
 err:
-       if (out != NULL) BIO_free(out);
+       if (out != NULL) BIO_free_all(out);
        if (ai != NULL) ASN1_INTEGER_free(ai);
        return(ret);
        }
@@ -1577,7 +1814,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        /* Ok, now we check the 'policy' stuff. */
        if ((subject=X509_NAME_new()) == NULL)
                {
-               BIO_printf(bio_err,"Malloc failure\n");
+               BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
 
@@ -1659,7 +1896,7 @@ again2:
                                        }
                                if (j < 0)
                                        {
-                                       BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str == NULL)?"NULL":(char *)str->data),((str2 == NULL)?"NULL":(char *)str2->data));
+                                       BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
                                        goto err;
                                        }
                                }
@@ -1675,7 +1912,7 @@ again2:
                                        {
                                        if (push != NULL)
                                                X509_NAME_ENTRY_free(push);
-                                       BIO_printf(bio_err,"Malloc failure\n");
+                                       BIO_printf(bio_err,"Memory allocation failure\n");
                                        goto err;
                                        }
                                }
@@ -1691,13 +1928,13 @@ again2:
                }
 
        if (verbose)
-               BIO_printf(bio_err,"The subject name apears to be ok, checking data base for clashes\n");
+               BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
 
        row[DB_name]=X509_NAME_oneline(subject,NULL,0);
        row[DB_serial]=BN_bn2hex(serial);
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                {
-               BIO_printf(bio_err,"Malloc failure\n");
+               BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
 
@@ -1748,7 +1985,7 @@ again2:
                goto err;
                }
 
-       /* We are now totaly happy, lets make and sign the certificate */
+       /* We are now totally happy, lets make and sign the certificate */
        if (verbose)
                BIO_printf(bio_err,"Everything appears to be ok, creating and signing the certificate\n");
 
@@ -1775,7 +2012,7 @@ again2:
        else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
 
        ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
-       if(days) BIO_printf(bio_err," (%d days)",days);
+       if (days) BIO_printf(bio_err," (%d days)",days);
        BIO_printf(bio_err, "\n");
 
        if (!X509_set_subject_name(ret,subject)) goto err;
@@ -1795,7 +2032,7 @@ again2:
                ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
 
                /* Free the current entries if any, there should not
-                * be any I belive */
+                * be any I believe */
                if (ci->extensions != NULL)
                        sk_X509_EXTENSION_pop_free(ci->extensions,
                                                   X509_EXTENSION_free);
@@ -1805,7 +2042,7 @@ again2:
                X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
                X509V3_set_conf_lhash(&ctx, lconf);
 
-               if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
+               if (!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
 
                }
 
@@ -1838,32 +2075,32 @@ again2:
                goto err;
 
        /* We now just add it to the database */
-       row[DB_type]=(char *)Malloc(2);
+       row[DB_type]=(char *)OPENSSL_malloc(2);
 
        tm=X509_get_notAfter(ret);
-       row[DB_exp_date]=(char *)Malloc(tm->length+1);
+       row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
        memcpy(row[DB_exp_date],tm->data,tm->length);
        row[DB_exp_date][tm->length]='\0';
 
        row[DB_rev_date]=NULL;
 
        /* row[DB_serial] done already */
-       row[DB_file]=(char *)Malloc(8);
+       row[DB_file]=(char *)OPENSSL_malloc(8);
        /* row[DB_name] done already */
 
        if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
                (row[DB_file] == NULL))
                {
-               BIO_printf(bio_err,"Malloc failure\n");
+               BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
        strcpy(row[DB_file],"unknown");
        row[DB_type][0]='V';
        row[DB_type][1]='\0';
 
-       if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+       if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
                {
-               BIO_printf(bio_err,"Malloc failure\n");
+               BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
 
@@ -1883,7 +2120,7 @@ again2:
        ok=1;
 err:
        for (i=0; i<DB_NUMBER; i++)
-               if (row[i] != NULL) Free(row[i]);
+               if (row[i] != NULL) OPENSSL_free(row[i]);
 
        if (CAname != NULL)
                X509_NAME_free(CAname);
@@ -1901,17 +2138,16 @@ err:
        return(ok);
        }
 
-static void write_new_certificate(BIO *bp, X509 *x, int output_der)
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
        {
-       char *f;
-       char buf[256];
 
        if (output_der)
                {
                (void)i2d_X509_bio(bp,x);
                return;
                }
-
+#if 0
+       /* ??? Not needed since X509_print prints all this stuff anyway */
        f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
        BIO_printf(bp,"issuer :%s\n",f);
 
@@ -1921,10 +2157,9 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der)
        BIO_puts(bp,"serial :");
        i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
        BIO_puts(bp,"\n\n");
-       X509_print(bp,x);
-       BIO_puts(bp,"\n");
+#endif
+       if (!notext)X509_print(bp,x);
        PEM_write_bio_X509(bp,x);
-       BIO_puts(bp,"\n");
        }
 
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
@@ -1996,12 +2231,13 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                /* Skip past any leading X. X: X, etc to allow for
                 * multiple instances
                 */
-               for(buf = cv->name; *buf ; buf++)
-                       if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
-                                       buf++;
-                                       if(*buf) type = buf;
-                                       break;
-               }
+               for (buf = cv->name; *buf ; buf++)
+                       if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
+                               {
+                               buf++;
+                               if (*buf) type = buf;
+                               break;
+                               }
 
                buf=cv->value;
                if ((nid=OBJ_txt2nid(type)) == NID_undef)
@@ -2099,30 +2335,8 @@ static int check_time_format(char *str)
        return(ASN1_UTCTIME_check(&tm));
        }
 
-static int add_oid_section(LHASH *hconf)
-{      
-       char *p;
-       STACK_OF(CONF_VALUE) *sktmp;
-       CONF_VALUE *cnf;
-       int i;
-       if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
-       if(!(sktmp = CONF_get_section(hconf, p))) {
-               BIO_printf(bio_err, "problem loading oid section %s\n", p);
-               return 0;
-       }
-       for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
-               cnf = sk_CONF_VALUE_value(sktmp, i);
-               if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
-                       BIO_printf(bio_err, "problem creating object %s=%s\n",
-                                                        cnf->name, cnf->value);
-                       return 0;
-               }
-       }
-       return 1;
-}
-
 static int do_revoke(X509 *x509, TXT_DB *db)
-{
+       {
        ASN1_UTCTIME *tm=NULL, *revtm=NULL;
        char *row[DB_NUMBER],**rrow,**irow;
        BIGNUM *bn = NULL;
@@ -2136,7 +2350,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
        BN_free(bn);
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                {
-               BIO_printf(bio_err,"Malloc failure\n");
+               BIO_printf(bio_err,"Memory allocation failure\n");
                goto err;
                }
        /* We have to lookup by serial number because name lookup
@@ -2148,33 +2362,33 @@ static int do_revoke(X509 *x509, TXT_DB *db)
                BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
 
                /* We now just add it to the database */
-               row[DB_type]=(char *)Malloc(2);
+               row[DB_type]=(char *)OPENSSL_malloc(2);
 
                tm=X509_get_notAfter(x509);
-               row[DB_exp_date]=(char *)Malloc(tm->length+1);
+               row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
                memcpy(row[DB_exp_date],tm->data,tm->length);
                row[DB_exp_date][tm->length]='\0';
 
                row[DB_rev_date]=NULL;
 
                /* row[DB_serial] done already */
-               row[DB_file]=(char *)Malloc(8);
+               row[DB_file]=(char *)OPENSSL_malloc(8);
 
                /* row[DB_name] done already */
 
                if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
                        (row[DB_file] == NULL))
                        {
-                       BIO_printf(bio_err,"Malloc failure\n");
+                       BIO_printf(bio_err,"Memory allocation failure\n");
                        goto err;
                        }
                strcpy(row[DB_file],"unknown");
                row[DB_type][0]='V';
                row[DB_type][1]='\0';
 
-               if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+               if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
                        {
-                       BIO_printf(bio_err,"Malloc failure\n");
+                       BIO_printf(bio_err,"Memory allocation failure\n");
                        goto err;
                        }
 
@@ -2198,7 +2412,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
                goto err;
 
                }
-       else if (index_name_cmp(row,rrow))
+       else if (index_name_cmp((const char **)row,(const char **)rrow))
                {
                BIO_printf(bio_err,"ERROR:name does not match %s\n",
                           row[DB_name]);
@@ -2217,7 +2431,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
                revtm=X509_gmtime_adj(revtm,0);
                rrow[DB_type][0]='R';
                rrow[DB_type][1]='\0';
-               rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
+               rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1);
                memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
                rrow[DB_rev_date][revtm->length]='\0';
                ASN1_UTCTIME_free(revtm);
@@ -2227,8 +2441,166 @@ err:
        for (i=0; i<DB_NUMBER; i++)
                {
                if (row[i] != NULL) 
-                       Free(row[i]);
+                       OPENSSL_free(row[i]);
                }
        return(ok);
-}
+       }
+
+static int get_certificate_status(const char *serial, TXT_DB *db)
+       {
+       unsigned char *row[DB_NUMBER],**rrow;
+       int ok=-1,i;
+
+       /* Free Resources */
+       for (i=0; i<DB_NUMBER; i++)
+               row[i]=NULL;
 
+       /* Malloc needed char spaces */
+       row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
+       if (row[DB_serial] == NULL)
+               {
+               BIO_printf(bio_err,"Malloc failure\n");
+               goto err;
+               }
+
+       if (strlen(serial) % 2)
+               {
+               /* Set the first char to 0 */;
+               row[DB_serial][0]='0';
+
+               /* Copy String from serial to row[DB_serial] */
+               memcpy(row[DB_serial]+1, serial, strlen(serial));
+               row[DB_serial][strlen(serial)+1]='\0';
+               }
+       else
+               {
+               /* Copy String from serial to row[DB_serial] */
+               memcpy(row[DB_serial], serial, strlen(serial));
+               row[DB_serial][strlen(serial)]='\0';
+               }
+                       
+       /* Make it Upper Case */
+       for (i=0; row[DB_serial][i] != '\0'; i++)
+               row[DB_serial][i] = toupper(row[DB_serial][i]);
+
+       ok=1;
+
+       /* Search for the certificate */
+       rrow=TXT_DB_get_by_index(db,DB_serial,row);
+       if (rrow == NULL)
+               {
+               BIO_printf(bio_err,"Serial %s not present in db.\n",
+                                row[DB_serial]);
+               ok=-1;
+               goto err;
+               }
+       else if (rrow[DB_type][0]=='V')
+               {
+               BIO_printf(bio_err,"%s=Valid (%c)\n",
+                       row[DB_serial], rrow[DB_type][0]);
+               goto err;
+               }
+       else if (rrow[DB_type][0]=='R')
+               {
+               BIO_printf(bio_err,"%s=Revoked (%c)\n",
+                       row[DB_serial], rrow[DB_type][0]);
+               goto err;
+               }
+       else if (rrow[DB_type][0]=='E')
+               {
+               BIO_printf(bio_err,"%s=Expired (%c)\n",
+                       row[DB_serial], rrow[DB_type][0]);
+               goto err;
+               }
+       else if (rrow[DB_type][0]=='S')
+               {
+               BIO_printf(bio_err,"%s=Suspended (%c)\n",
+                       row[DB_serial], rrow[DB_type][0]);
+               goto err;
+               }
+       else
+               {
+               BIO_printf(bio_err,"%s=Unknown (%c).\n",
+                       row[DB_serial], rrow[DB_type][0]);
+               ok=-1;
+               }
+err:
+       for (i=0; i<DB_NUMBER; i++)
+               {
+               if (row[i] != NULL)
+                       OPENSSL_free(row[i]);
+               }
+       return(ok);
+       }
+
+static int do_updatedb (TXT_DB *db)
+       {
+       ASN1_UTCTIME    *a_tm = NULL;
+       int i, cnt = 0;
+       int db_y2k, a_y2k;  /* flags = 1 if y >= 2000 */ 
+       char **rrow, *a_tm_s;
+
+       a_tm = ASN1_UTCTIME_new();
+
+       /* get actual time and make a string */
+       a_tm = X509_gmtime_adj(a_tm, 0);
+       a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
+       if (a_tm_s == NULL)
+               {
+               cnt = -1;
+               goto err;
+               }
+
+       memcpy(a_tm_s, a_tm->data, a_tm->length);
+       a_tm_s[a_tm->length] = '\0';
+
+       if (strncmp(a_tm_s, "49", 2) <= 0)
+               a_y2k = 1;
+       else
+               a_y2k = 0;
+
+       for (i = 0; i < sk_num(db->data); i++)
+               {
+               rrow = (char **) sk_value(db->data, i);
+
+               if (rrow[DB_type][0] == 'V')
+                       {
+                       /* ignore entries that are not valid */
+                       if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
+                               db_y2k = 1;
+                       else
+                               db_y2k = 0;
+
+                       if (db_y2k == a_y2k)
+                               {
+                               /* all on the same y2k side */
+                               if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
+                                       {
+                                       rrow[DB_type][0]  = 'E';
+                                       rrow[DB_type][1]  = '\0';
+                                       cnt++;
+
+                                       BIO_printf(bio_err, "%s=Expired\n",
+                                                       rrow[DB_serial]);
+                                       }
+                               }
+                       else if (db_y2k < a_y2k)
+                               {
+                               rrow[DB_type][0]  = 'E';
+                               rrow[DB_type][1]  = '\0';
+                               cnt++;
+
+                               BIO_printf(bio_err, "%s=Expired\n",
+                                                       rrow[DB_serial]);
+                               }
+
+                       }
+               }
+
+err:
+
+       ASN1_UTCTIME_free(a_tm);
+       OPENSSL_free(a_tm_s);
+
+       return (cnt);
+       }