- if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
- goto err;
- if (selfsign)
- {
- if (!X509_set_issuer_name(ret,subject))
- goto err;
- }
- else
- {
- if (!X509_set_issuer_name(ret,X509_get_subject_name(x509)))
- goto err;
- }
-
- if (strcmp(startdate,"today") == 0)
- X509_gmtime_adj(X509_get_notBefore(ret),0);
- else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
-
- if (enddate == NULL)
- X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
- else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
-
- if (!X509_set_subject_name(ret,subject)) goto err;
-
- pktmp=X509_REQ_get_pubkey(req);
- i = X509_set_pubkey(ret,pktmp);
- EVP_PKEY_free(pktmp);
- if (!i) goto err;
-
- /* Lets add the extensions, if there are any */
- if (ext_sect)
- {
- X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version=ASN1_INTEGER_new()) == NULL)
- goto err;
- ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
-
- /* Free the current entries if any, there should not
- * be any I believe */
- if (ci->extensions != NULL)
- sk_X509_EXTENSION_pop_free(ci->extensions,
- X509_EXTENSION_free);
-
- ci->extensions = NULL;
-
- /* Initialize the context structure */
- if (selfsign)
- X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
- else
- X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
-
- if (extconf)
- {
- if (verbose)
- BIO_printf(bio_err, "Extra configuration file found\n");
-
- /* Use the extconf configuration db LHASH */
- X509V3_set_nconf(&ctx, extconf);
-
- /* Test the structure (needed?) */
- /* X509V3_set_ctx_test(&ctx); */
-
- /* Adds exts contained in the configuration file */
- if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect,ret))
- {
- BIO_printf(bio_err,
- "ERROR: adding extensions in section %s\n",
- ext_sect);
- ERR_print_errors(bio_err);
- goto err;
- }
- if (verbose)
- BIO_printf(bio_err, "Successfully added extensions from file.\n");
- }
- else if (ext_sect)
- {
- /* We found extensions to be set from config file */
- X509V3_set_nconf(&ctx, lconf);
-
- if(!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret))
- {
- BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
- ERR_print_errors(bio_err);
- goto err;
- }
-
- if (verbose)
- BIO_printf(bio_err, "Successfully added extensions from config\n");
- }
- }
-
- /* Copy extensions from request (if any) */
-
- if (!copy_extensions(ret, req, ext_copy))
- {
- BIO_printf(bio_err, "ERROR: adding extensions from request\n");
- ERR_print_errors(bio_err);
- goto err;
- }
-
- /* Set the right value for the noemailDN option */
- if( email_dn == 0 )
- {
- if (!X509_set_subject_name(ret,dn_subject)) goto err;
- }
-
- if (!default_op)
- {
- BIO_printf(bio_err, "Certificate Details:\n");
- /* Never print signature details because signature not present */
- certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
- X509_print_ex(bio_err, ret, nameopt, certopt);
- }
-
- BIO_printf(bio_err,"Certificate is to be certified until ");
- ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
- if (days) BIO_printf(bio_err," (%ld days)",days);
- BIO_printf(bio_err, "\n");
-
- if (!batch)
- {
-
- BIO_printf(bio_err,"Sign the certificate? [y/n]:");
- (void)BIO_flush(bio_err);
- buf[0]='\0';
- fgets(buf,sizeof(buf)-1,stdin);
- if (!((buf[0] == 'y') || (buf[0] == 'Y')))
- {
- BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
- ok=0;
- goto err;
- }
- }
-
- pktmp=X509_get_pubkey(ret);
- if (EVP_PKEY_missing_parameters(pktmp) &&
- !EVP_PKEY_missing_parameters(pkey))
- EVP_PKEY_copy_parameters(pktmp,pkey);
- EVP_PKEY_free(pktmp);
-
- if (!X509_sign(ret,pkey,dgst))
- goto err;
-
- /* We now just add it to the database */
- row[DB_type]=(char *)OPENSSL_malloc(2);
-
- tm=X509_get_notAfter(ret);
- row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
- memcpy(row[DB_exp_date],tm->data,tm->length);
- row[DB_exp_date][tm->length]='\0';
-
- row[DB_rev_date]=NULL;
-
- /* row[DB_serial] done already */
- row[DB_file]=(char *)OPENSSL_malloc(8);
- row[DB_name]=X509_NAME_oneline(X509_get_subject_name(ret),NULL,0);
-
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
- (row[DB_file] == NULL) || (row[DB_name] == NULL))
- {
- BIO_printf(bio_err,"Memory allocation failure\n");
- goto err;
- }
- BUF_strlcpy(row[DB_file],"unknown",8);
- row[DB_type][0]='V';
- row[DB_type][1]='\0';
-
- if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
- {
- BIO_printf(bio_err,"Memory allocation failure\n");
- goto err;
- }
-
- for (i=0; i<DB_NUMBER; i++)
- {
- irow[i]=row[i];
- row[i]=NULL;
- }
- irow[DB_NUMBER]=NULL;
-
- if (!TXT_DB_insert(db->db,irow))
- {
- BIO_printf(bio_err,"failed to update database\n");
- BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
- goto err;
- }
- ok=1;
-err:
- for (i=0; i<DB_NUMBER; i++)
- if (row[i] != NULL) OPENSSL_free(row[i]);
-
- if (CAname != NULL)
- X509_NAME_free(CAname);
- if (subject != NULL)
- X509_NAME_free(subject);
- if ((dn_subject != NULL) && !email_dn)
- X509_NAME_free(dn_subject);
- if (tmptm != NULL)
- ASN1_UTCTIME_free(tmptm);
- if (ok <= 0)
- {
- if (ret != NULL) X509_free(ret);
- ret=NULL;
- }
- else
- *xret=ret;
- return(ok);
- }
-
-static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
- {
-
- if (output_der)
- {
- (void)i2d_X509_bio(bp,x);
- return;
- }
-#if 0
- /* ??? Not needed since X509_print prints all this stuff anyway */
- f=X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
- BIO_printf(bp,"issuer :%s\n",f);
-
- f=X509_NAME_oneline(X509_get_subject_name(x),buf,256);
- BIO_printf(bp,"subject:%s\n",f);
-
- BIO_puts(bp,"serial :");
- i2a_ASN1_INTEGER(bp,x->cert_info->serialNumber);
- BIO_puts(bp,"\n\n");
-#endif
- if (!notext)X509_print(bp,x);
- PEM_write_bio_X509(bp,x);
- }
-
-static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
- const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
- BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
- long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
- unsigned long nameopt, int default_op, int ext_copy)
- {
- STACK_OF(CONF_VALUE) *sk=NULL;
- LHASH *parms=NULL;
- X509_REQ *req=NULL;
- CONF_VALUE *cv=NULL;
- NETSCAPE_SPKI *spki = NULL;
- X509_REQ_INFO *ri;
- char *type,*buf;
- EVP_PKEY *pktmp=NULL;
- X509_NAME *n=NULL;
- X509_NAME_ENTRY *ne=NULL;
- int ok= -1,i,j;
- long errline;
- int nid;
-
- /*
- * Load input file into a hash table. (This is just an easy
- * way to read and parse the file, then put it into a convenient
- * STACK format).
- */
- parms=CONF_load(NULL,infile,&errline);
- if (parms == NULL)
- {
- BIO_printf(bio_err,"error on line %ld of %s\n",errline,infile);
- ERR_print_errors(bio_err);
- goto err;
- }
-
- sk=CONF_get_section(parms, "default");
- if (sk_CONF_VALUE_num(sk) == 0)
- {
- BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
- CONF_free(parms);
- goto err;
- }
-
- /*
- * Now create a dummy X509 request structure. We don't actually
- * have an X509 request, but we have many of the components
- * (a public key, various DN components). The idea is that we
- * put these components into the right X509 request structure
- * and we can use the same code as if you had a real X509 request.
- */
- req=X509_REQ_new();
- if (req == NULL)
- {
- ERR_print_errors(bio_err);
- goto err;
- }
-
- /*
- * Build up the subject name set.
- */
- ri=req->req_info;
- n = ri->subject;
-
- for (i = 0; ; i++)
- {
- if (sk_CONF_VALUE_num(sk) <= i) break;
-
- cv=sk_CONF_VALUE_value(sk,i);
- type=cv->name;
- /* Skip past any leading X. X: X, etc to allow for
- * multiple instances
- */
- for (buf = cv->name; *buf ; buf++)
- if ((*buf == ':') || (*buf == ',') || (*buf == '.'))
- {
- buf++;
- if (*buf) type = buf;
- break;
- }
-
- buf=cv->value;
- if ((nid=OBJ_txt2nid(type)) == NID_undef)
- {
- if (strcmp(type, "SPKAC") == 0)
- {
- spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
- if (spki == NULL)
- {
- BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
- ERR_print_errors(bio_err);
- goto err;
- }
- }
- continue;
- }
-
- /*
- if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
- continue;
- */
-
- j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
- if (fix_data(nid, &j) == 0)
- {
- BIO_printf(bio_err,
- "invalid characters in string %s\n",buf);
- goto err;
- }
-
- if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
- (unsigned char *)buf,
- strlen(buf))) == NULL)
- goto err;
-
- if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
- }
- if (spki == NULL)
- {
- BIO_printf(bio_err,"Netscape SPKAC structure not found in %s\n",
- infile);
- goto err;
- }
-
- /*
- * Now extract the key from the SPKI structure.
- */
-
- BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
-
- if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
- {
- BIO_printf(bio_err,"error unpacking SPKAC public key\n");
- goto err;
- }
-
- j = NETSCAPE_SPKI_verify(spki, pktmp);
- if (j <= 0)
- {
- BIO_printf(bio_err,"signature verification failed on SPKAC public key\n");
- goto err;
- }
- BIO_printf(bio_err,"Signature ok\n");
-
- X509_REQ_set_pubkey(req,pktmp);
- EVP_PKEY_free(pktmp);
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
- days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
- ext_copy, 0);
-err:
- if (req != NULL) X509_REQ_free(req);
- if (parms != NULL) CONF_free(parms);
- if (spki != NULL) NETSCAPE_SPKI_free(spki);
- if (ne != NULL) X509_NAME_ENTRY_free(ne);
-
- return(ok);
- }
-
-static int fix_data(int nid, int *type)
- {
- if (nid == NID_pkcs9_emailAddress)
- *type=V_ASN1_IA5STRING;
- if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
- *type=V_ASN1_T61STRING;
- if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
- *type=V_ASN1_T61STRING;
- if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
- return(0);
- if (nid == NID_pkcs9_unstructuredName)
- *type=V_ASN1_IA5STRING;
- return(1);
- }
-
-static int check_time_format(char *str)
- {
- ASN1_UTCTIME tm;
-
- tm.data=(unsigned char *)str;
- tm.length=strlen(str);
- tm.type=V_ASN1_UTCTIME;
- return(ASN1_UTCTIME_check(&tm));
- }
+ if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+ goto end;
+ if (selfsign) {
+ if (!X509_set_issuer_name(ret, subject))
+ goto end;
+ } else {
+ if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
+ goto end;
+ }
+
+ if (strcmp(startdate, "today") == 0)
+ X509_gmtime_adj(X509_get_notBefore(ret), 0);
+ else
+ ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);
+
+ if (enddate == NULL)
+ X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
+ else {
+ int tdays;
+ ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
+ ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+ days = tdays;
+ }
+
+ if (!X509_set_subject_name(ret, subject))
+ goto end;
+
+ pktmp = X509_REQ_get_pubkey(req);
+ i = X509_set_pubkey(ret, pktmp);
+ EVP_PKEY_free(pktmp);
+ if (!i)
+ goto end;
+
+ /* Lets add the extensions, if there are any */
+ if (ext_sect) {
+ X509V3_CTX ctx;
+ if (ci->version == NULL)
+ if ((ci->version = ASN1_INTEGER_new()) == NULL)
+ goto end;
+ ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
+
+ /*
+ * Free the current entries if any, there should not be any I believe
+ */
+ sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
+
+ ci->extensions = NULL;
+
+ /* Initialize the context structure */
+ if (selfsign)
+ X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
+ else
+ X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
+
+ if (extconf) {
+ if (verbose)
+ BIO_printf(bio_err, "Extra configuration file found\n");
+
+ /* Use the extconf configuration db LHASH */
+ X509V3_set_nconf(&ctx, extconf);
+
+ /* Test the structure (needed?) */
+ /* X509V3_set_ctx_test(&ctx); */
+
+ /* Adds exts contained in the configuration file */
+ if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) {
+ BIO_printf(bio_err,
+ "ERROR: adding extensions in section %s\n",
+ ext_sect);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ if (verbose)
+ BIO_printf(bio_err,
+ "Successfully added extensions from file.\n");
+ } else if (ext_sect) {
+ /* We found extensions to be set from config file */
+ X509V3_set_nconf(&ctx, lconf);
+
+ if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
+ BIO_printf(bio_err,
+ "ERROR: adding extensions in section %s\n",
+ ext_sect);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (verbose)
+ BIO_printf(bio_err,
+ "Successfully added extensions from config\n");
+ }
+ }
+
+ /* Copy extensions from request (if any) */
+
+ if (!copy_extensions(ret, req, ext_copy)) {
+ BIO_printf(bio_err, "ERROR: adding extensions from request\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ /* Set the right value for the noemailDN option */
+ if (email_dn == 0) {
+ if (!X509_set_subject_name(ret, dn_subject))
+ goto end;
+ }
+
+ if (!default_op) {
+ BIO_printf(bio_err, "Certificate Details:\n");
+ /*
+ * Never print signature details because signature not present
+ */
+ certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
+ X509_print_ex(bio_err, ret, nameopt, certopt);
+ }
+
+ BIO_printf(bio_err, "Certificate is to be certified until ");
+ ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
+ if (days)
+ BIO_printf(bio_err, " (%ld days)", days);
+ BIO_printf(bio_err, "\n");
+
+ if (!batch) {
+
+ BIO_printf(bio_err, "Sign the certificate? [y/n]:");
+ (void)BIO_flush(bio_err);
+ buf[0] = '\0';
+ if (!fgets(buf, sizeof(buf) - 1, stdin)) {
+ BIO_printf(bio_err,
+ "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
+ ok = 0;
+ goto end;
+ }
+ if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
+ BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n");
+ ok = 0;
+ goto end;
+ }
+ }
+
+ pktmp = X509_get_pubkey(ret);
+ if (EVP_PKEY_missing_parameters(pktmp) &&
+ !EVP_PKEY_missing_parameters(pkey))
+ EVP_PKEY_copy_parameters(pktmp, pkey);
+ EVP_PKEY_free(pktmp);
+
+ if (!do_X509_sign(ret, pkey, dgst, sigopts))
+ goto end;
+
+ /* We now just add it to the database */
+ row[DB_type] = app_malloc(2, "row db type");
+
+ tm = X509_get_notAfter(ret);
+ row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
+ memcpy(row[DB_exp_date], tm->data, tm->length);
+ row[DB_exp_date][tm->length] = '\0';
+
+ row[DB_rev_date] = NULL;
+
+ /* row[DB_serial] done already */
+ row[DB_file] = app_malloc(8, "row file");
+ row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+
+ if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+ (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+ BUF_strlcpy(row[DB_file], "unknown", 8);
+ row[DB_type][0] = 'V';
+ row[DB_type][1] = '\0';
+
+ irow = app_malloc(sizeof(char *) * (DB_NUMBER + 1), "row space");
+ for (i = 0; i < DB_NUMBER; i++) {
+ irow[i] = row[i];
+ row[i] = NULL;
+ }
+ irow[DB_NUMBER] = NULL;
+
+ if (!TXT_DB_insert(db->db, irow)) {
+ BIO_printf(bio_err, "failed to update database\n");
+ BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
+ goto end;
+ }
+ ok = 1;
+ end:
+ for (i = 0; i < DB_NUMBER; i++)
+ OPENSSL_free(row[i]);
+
+ X509_NAME_free(CAname);
+ X509_NAME_free(subject);
+ if (dn_subject != subject)
+ X509_NAME_free(dn_subject);
+ ASN1_UTCTIME_free(tmptm);
+ if (ok <= 0)
+ X509_free(ret);
+ else
+ *xret = ret;
+ return (ok);
+}
+
+static void write_new_certificate(BIO *bp, X509 *x, int output_der,
+ int notext)
+{
+
+ if (output_der) {
+ (void)i2d_X509_bio(bp, x);
+ return;
+ }
+ if (!notext)
+ X509_print(bp, x);
+ PEM_write_bio_X509(bp, x);
+}
+
+static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
+ X509 *x509, const EVP_MD *dgst,
+ STACK_OF(OPENSSL_STRING) *sigopts,
+ STACK_OF(CONF_VALUE) *policy, CA_DB *db,
+ BIGNUM *serial, char *subj, unsigned long chtype,
+ int multirdn, int email_dn, char *startdate,
+ char *enddate, long days, char *ext_sect,
+ CONF *lconf, int verbose, unsigned long certopt,
+ unsigned long nameopt, int default_op, int ext_copy)
+{
+ STACK_OF(CONF_VALUE) *sk = NULL;
+ LHASH_OF(CONF_VALUE) *parms = NULL;
+ X509_REQ *req = NULL;
+ CONF_VALUE *cv = NULL;
+ NETSCAPE_SPKI *spki = NULL;
+ X509_REQ_INFO *ri;
+ char *type, *buf;
+ EVP_PKEY *pktmp = NULL;
+ X509_NAME *n = NULL;
+ X509_NAME_ENTRY *ne = NULL;
+ int ok = -1, i, j;
+ long errline;
+ int nid;
+
+ /*
+ * Load input file into a hash table. (This is just an easy
+ * way to read and parse the file, then put it into a convenient
+ * STACK format).
+ */
+ parms = CONF_load(NULL, infile, &errline);
+ if (parms == NULL) {
+ BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ sk = CONF_get_section(parms, "default");
+ if (sk_CONF_VALUE_num(sk) == 0) {
+ BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
+ CONF_free(parms);
+ goto end;
+ }
+
+ /*
+ * Now create a dummy X509 request structure. We don't actually
+ * have an X509 request, but we have many of the components
+ * (a public key, various DN components). The idea is that we
+ * put these components into the right X509 request structure
+ * and we can use the same code as if you had a real X509 request.
+ */
+ req = X509_REQ_new();
+ if (req == NULL) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ /*
+ * Build up the subject name set.
+ */
+ ri = req->req_info;
+ n = ri->subject;
+
+ for (i = 0;; i++) {
+ if (sk_CONF_VALUE_num(sk) <= i)
+ break;
+
+ cv = sk_CONF_VALUE_value(sk, i);
+ type = cv->name;
+ /*
+ * Skip past any leading X. X: X, etc to allow for multiple instances
+ */
+ for (buf = cv->name; *buf; buf++)
+ if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
+ buf++;
+ if (*buf)
+ type = buf;
+ break;
+ }
+
+ buf = cv->value;
+ if ((nid = OBJ_txt2nid(type)) == NID_undef) {
+ if (strcmp(type, "SPKAC") == 0) {
+ spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
+ if (spki == NULL) {
+ BIO_printf(bio_err,
+ "unable to load Netscape SPKAC structure\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ continue;
+ }
+
+ if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
+ (unsigned char *)buf, -1, -1, 0))
+ goto end;
+ }
+ if (spki == NULL) {
+ BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n",
+ infile);
+ goto end;
+ }
+
+ /*
+ * Now extract the key from the SPKI structure.
+ */
+
+ BIO_printf(bio_err,
+ "Check that the SPKAC request matches the signature\n");
+
+ if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
+ BIO_printf(bio_err, "error unpacking SPKAC public key\n");
+ goto end;
+ }
+
+ j = NETSCAPE_SPKI_verify(spki, pktmp);
+ if (j <= 0) {
+ BIO_printf(bio_err,
+ "signature verification failed on SPKAC public key\n");
+ goto end;
+ }
+ BIO_printf(bio_err, "Signature ok\n");
+
+ X509_REQ_set_pubkey(req, pktmp);
+ EVP_PKEY_free(pktmp);
+ ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+ chtype, multirdn, email_dn, startdate, enddate, days, 1,
+ verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
+ ext_copy, 0);
+ end:
+ X509_REQ_free(req);
+ CONF_free(parms);
+ NETSCAPE_SPKI_free(spki);
+ X509_NAME_ENTRY_free(ne);
+
+ return (ok);
+}
+
+static int check_time_format(const char *str)
+{
+ return ASN1_TIME_set_string(NULL, str);
+}