Show errors on CSR verification failure.

[openssl.git] / apps / ca.c

diff --git a/apps/ca.c b/apps/ca.c
index 2a83d1936e4c016b50a1efbafcd7a2ff07928e2a..5c985434a0ca8499440875f89f7af9e52e187438 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -501,6 +501,12 @@ EF_ALIGNMENT=0;
                        infile= *(++argv);
                        dorevoke=1;
                        }
+               else if (strcmp(*argv,"-valid") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       infile= *(++argv);
+                       dorevoke=2;
+                       }
                else if (strcmp(*argv,"-extensions") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1408,6 +1414,7 @@ bad:
                        if (!NCONF_get_number(conf,section,
                                ENV_DEFAULT_CRL_HOURS, &crlhours))
                                crlhours = 0;
+                       ERR_clear_error();
                        }
                if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
                        {
@@ -1522,6 +1529,8 @@ bad:
                                NULL, e, infile);
                        if (revcert == NULL)
                                goto err;
+                       if (dorevoke == 2)
+                               rev_type = -1;
                        j=do_revoke(revcert,db, rev_type, rev_arg);
                        if (j <= 0) goto err;
                        X509_free(revcert);
@@ -1619,12 +1628,14 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                {
                ok=0;
                BIO_printf(bio_err,"Signature verification problems....\n");
+               ERR_print_errors(bio_err);
                goto err;
                }
        if (i == 0)
                {
                ok=0;
                BIO_printf(bio_err,"Signature did not match the certificate request\n");
+               ERR_print_errors(bio_err);
                goto err;
                }
        else
@@ -2043,7 +2054,13 @@ again2:
 
        if (enddate == NULL)
                X509_time_adj_ex(X509_get_notAfter(ret),days, 0, NULL);
-       else ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);
+       else
+               {
+               int tdays;
+               ASN1_TIME_set_string(X509_get_notAfter(ret),enddate);
+               ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+               days = tdays;
+               }
 
        if (!X509_set_subject_name(ret,subject)) goto err;
 
@@ -2485,7 +2502,10 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                        }
 
                /* Revoke Certificate */
-               ok = do_revoke(x509,db, type, value);
+               if (type == -1)
+                       ok = 1;
+               else
+                       ok = do_revoke(x509,db, type, value);
 
                goto err;
 
@@ -2496,6 +2516,12 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                           row[DB_name]);
                goto err;
                }
+       else if (type == -1)
+               {
+               BIO_printf(bio_err,"ERROR:Already present, serial number %s\n",
+                          row[DB_serial]);
+               goto err;
+               }
        else if (rrow[DB_type][0]=='R')
                {
                BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
@@ -2776,6 +2802,9 @@ char *make_revocation_str(int rev_type, char *rev_arg)
 
        revtm = X509_gmtime_adj(NULL, 0);
 
+       if (!revtm)
+               return NULL;
+
        i = revtm->length + 1;
 
        if (reason) i += strlen(reason) + 1;