Support for multiple CRLs with same issuer name in X509_STORE. Modify

[openssl.git] / apps / ca.c

diff --git a/apps/ca.c b/apps/ca.c
index 210b5e1ff47405e3f1141f4d443776264e5b7558..d0fa3d772ef6940efe31b3ea17e4ac5bd890e155 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -63,7 +63,6 @@
 #include <string.h>
 #include <ctype.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 #include <openssl/conf.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -259,6 +258,7 @@ int MAIN(int argc, char **argv)
        int doupdatedb=0;
        long crldays=0;
        long crlhours=0;
+       long crlsec=0;
        long errorline= -1;
        char *configfile=NULL;
        char *md=NULL;
@@ -457,6 +457,11 @@ EF_ALIGNMENT=0;
                        if (--argc < 1) goto bad;
                        crlhours= atol(*(++argv));
                        }
+               else if (strcmp(*argv,"-crlsec") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crlsec = atol(*(++argv));
+                       }
                else if (strcmp(*argv,"-infiles") == 0)
                        {
                        argc--;
@@ -826,7 +831,6 @@ bad:
        /* lookup where to write new certificates */
        if ((outdir == NULL) && (req))
                {
-               struct stat sb;
 
                if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
                        == NULL)
@@ -852,20 +856,12 @@ bad:
                        goto err;
                        }
 
-               if (stat(outdir,&sb) != 0)
-                       {
-                       BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
-                       perror(outdir);
-                       goto err;
-                       }
-#ifdef S_IFDIR
-               if (!(sb.st_mode & S_IFDIR))
+               if (app_isdir(outdir)<=0)
                        {
                        BIO_printf(bio_err,"%s need to be a directory\n",outdir);
                        perror(outdir);
                        goto err;
                        }
-#endif
 #endif
                }
 
@@ -1026,6 +1022,17 @@ bad:
                goto err;
                }
 
+       if (!strcmp(md, "default"))
+               {
+               int def_nid;
+               if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
+                       {
+                       BIO_puts(bio_err,"no default digest\n");
+                       goto err;
+                       }
+               md = (char *)OBJ_nid2sn(def_nid);
+               }
+
        if ((dgst=EVP_get_digestbyname(md)) == NULL)
                {
                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
@@ -1366,7 +1373,7 @@ bad:
                                goto err;
                                }
 
-               if (!crldays && !crlhours)
+               if (!crldays && !crlhours && !crlsec)
                        {
                        if (!NCONF_get_number(conf,section,
                                ENV_DEFAULT_CRL_DAYS, &crldays))
@@ -1375,7 +1382,7 @@ bad:
                                ENV_DEFAULT_CRL_HOURS, &crlhours))
                                crlhours = 0;
                        }
-               if ((crldays == 0) && (crlhours == 0))
+               if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
                        {
                        BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");
                        goto err;
@@ -1389,7 +1396,7 @@ bad:
                if (!tmptm) goto err;
                X509_gmtime_adj(tmptm,0);
                X509_CRL_set_lastUpdate(crl, tmptm);    
-               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 + crlsec);
                X509_CRL_set_nextUpdate(crl, tmptm);    
 
                ASN1_TIME_free(tmptm);
@@ -1422,15 +1429,6 @@ bad:
 
                /* we now have a CRL */
                if (verbose) BIO_printf(bio_err,"signing CRL\n");
-#ifndef OPENSSL_NO_DSA
-               if (pkey->type == EVP_PKEY_DSA) 
-                       dgst=EVP_dss1();
-               else
-#endif
-#ifndef OPENSSL_NO_ECDSA
-               if (pkey->type == EVP_PKEY_EC)
-                       dgst=EVP_ecdsa();
-#endif
 
                /* Add any extensions asked for */
 
@@ -1463,6 +1461,12 @@ bad:
                if (crlnumberfile != NULL)      /* we have a CRL number that need updating */
                        if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
 
+               if (crlnumber)
+                       {
+                       BN_free(crlnumber);
+                       crlnumber = NULL;
+                       }
+
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
                PEM_write_bio_X509_CRL(Sout,crl);
@@ -1515,6 +1519,7 @@ err:
        if (free_key && key)
                OPENSSL_free(key);
        BN_free(serial);
+       BN_free(crlnumber);
        free_index(db);
        EVP_PKEY_free(pkey);
        if (x509) X509_free(x509);
@@ -2109,25 +2114,11 @@ again2:
                        }
                }
 
-
-#ifndef OPENSSL_NO_DSA
-       if (pkey->type == EVP_PKEY_DSA) dgst=EVP_dss1();
        pktmp=X509_get_pubkey(ret);
        if (EVP_PKEY_missing_parameters(pktmp) &&
                !EVP_PKEY_missing_parameters(pkey))
                EVP_PKEY_copy_parameters(pktmp,pkey);
        EVP_PKEY_free(pktmp);
-#endif
-#ifndef OPENSSL_NO_ECDSA
-       if (pkey->type == EVP_PKEY_EC)
-               dgst = EVP_ecdsa();
-       pktmp = X509_get_pubkey(ret);
-       if (EVP_PKEY_missing_parameters(pktmp) &&
-               !EVP_PKEY_missing_parameters(pkey))
-               EVP_PKEY_copy_parameters(pktmp, pkey);
-       EVP_PKEY_free(pktmp);
-#endif
-
 
        if (!X509_sign(ret,pkey,dgst))
                goto err;