#include <openssl/objects.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
-#include <openssl/engine.h>
#ifdef OPENSSL_SYS_WINDOWS
#define strcasecmp _stricmp
#else
-#include <strings.h>
+# ifdef NO_STRINGS_H
+ int strcasecmp();
+# else
+# include <strings.h>
+# endif /* NO_STRINGS_H */
#endif
#ifndef W_OK
# else
# include <unixlib.h>
# endif
-# else
+# elif !defined(OPENSSL_SYS_VXWORKS)
# include <sys/file.h>
# endif
#endif
#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
#define ENV_DEFAULT_MD "default_md"
+#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
#define ENV_PRESERVE "preserve"
#define ENV_POLICY "policy"
#define ENV_EXTENSIONS "x509_extensions"
" -spkac file - File contains DN and signed public key and challenge\n",
" -ss_cert file - File contains a self signed cert to sign\n",
" -preserveDN - Don't re-order the DN\n",
+" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
" -batch - Don't ask questions\n",
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
static int save_serial(char *serialfile, BIGNUM *serial);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate,char *enddate,
- long days, int batch, char *ext_sect, CONF *conf,int verbose,
- unsigned long certopt, unsigned long nameopt, int default_op,
- int ext_copy);
+ BIGNUM *serial, char *subj, int email_dn, char *startdate,
+ char *enddate, long days, int batch, char *ext_sect, CONF *conf,
+ int verbose, unsigned long certopt, unsigned long nameopt,
+ int default_op, int ext_copy);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
- char *enddate, long days, int batch, char *ext_sect,
- CONF *conf,int verbose, unsigned long certopt,
+ TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+ char *startdate, char *enddate, long days, int batch,
+ char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial,char *subj, char *startdate,
- char *enddate, long days, char *ext_sect,CONF *conf,
- int verbose, unsigned long certopt, unsigned long nameopt,
- int default_op, int ext_copy);
+ TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+ char *startdate, char *enddate, long days, char *ext_sect,
+ CONF *conf, int verbose, unsigned long certopt,
+ unsigned long nameopt, int default_op, int ext_copy);
static int fix_data(int nid, int *type);
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
- char *startdate, char *enddate, long days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, CONF *conf,
+ int email_dn, char *startdate, char *enddate, long days, int batch,
+ int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy);
-static X509_NAME *do_subject(char *subject);
static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
static int get_certificate_status(const char *ser_status, TXT_DB *db);
static int do_updatedb(TXT_DB *db);
{
ENGINE *e = NULL;
char *key=NULL,*passargin=NULL;
+ int free_key = 0;
int total=0;
int total_done=0;
int badops=0;
int ret=1;
+ int email_dn=1;
int req=0;
int verbose=0;
int gencrl=0;
char *extensions=NULL;
char *extfile=NULL;
char *subj=NULL;
+ char *tmp_email_dn=NULL;
char *crl_ext=NULL;
int rev_type = REV_NONE;
char *rev_arg = NULL;
char *dbfile=NULL;
TXT_DB *db=NULL;
X509_CRL *crl=NULL;
- X509_CRL_INFO *ci=NULL;
X509_REVOKED *r=NULL;
+ ASN1_TIME *tmptm;
+ ASN1_INTEGER *tmpser;
char **pp,*p,*f;
int i,j;
long l;
batch=1;
else if (strcmp(*argv,"-preserveDN") == 0)
preserve=1;
+ else if (strcmp(*argv,"-noemailDN") == 0)
+ email_dn=0;
else if (strcmp(*argv,"-gencrl") == 0)
gencrl=1;
else if (strcmp(*argv,"-msie_hack") == 0)
#else
strncpy(buf[0],X509_get_default_cert_area(),
sizeof(buf[0])-2-sizeof(CONFIG_FILE));
+ buf[0][sizeof(buf[0])-2-sizeof(CONFIG_FILE)]='\0';
strcat(buf[0],"/");
#endif
strcat(buf[0],CONFIG_FILE);
goto err;
}
+ if (!load_config(bio_err, conf))
+ goto err;
+
/* Lets get the config section we are using */
if (section == NULL)
{
db=TXT_DB_read(in,DB_NUMBER);
if (db == NULL) goto err;
- if (!TXT_DB_create_index(db, DB_serial, NULL,
- LHASH_HASH_FN(index_serial_hash),
- LHASH_COMP_FN(index_serial_cmp)))
- {
- BIO_printf(bio_err,
- "error creating serial number index:(%ld,%ld,%ld)\n",
- db->error,db->arg1,db->arg2);
+ if (!make_serial_index(db))
goto err;
- }
if (get_certificate_status(ser_status,db) != 1)
BIO_printf(bio_err,"Error verifying serial %s!\n",
lookup_fail(section,ENV_PRIVATE_KEY);
goto err;
}
- if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
+ if (!key)
{
- BIO_printf(bio_err,"Error getting password\n");
- goto err;
+ free_key = 1;
+ if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
+ {
+ BIO_printf(bio_err,"Error getting password\n");
+ goto err;
+ }
}
pkey = load_key(bio_err, keyfile, keyform, key, e,
"CA private key");
BIO_printf(bio_err,"generating index\n");
}
- if (!TXT_DB_create_index(db, DB_serial, NULL,
- LHASH_HASH_FN(index_serial_hash),
- LHASH_COMP_FN(index_serial_cmp)))
- {
- BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
+ if (!make_serial_index(db))
goto err;
- }
if (!TXT_DB_create_index(db, DB_name, index_name_qual,
LHASH_HASH_FN(index_name_hash),
lookup_fail(section,ENV_DEFAULT_MD);
goto err;
}
+ if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
+ section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
+ {
+ if(strcmp(tmp_email_dn,"no") == 0)
+ email_dn=0;
+ }
if ((dgst=EVP_get_digestbyname(md)) == NULL)
{
BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
{
total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate, days,extensions,conf,
- verbose, certopt, nameopt, default_op, ext_copy);
+ serial,subj,email_dn,startdate,enddate,days,extensions,
+ conf,verbose,certopt,nameopt,default_op,ext_copy);
if (j < 0) goto err;
if (j > 0)
{
{
total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
- db,serial,subj,startdate,enddate,days,batch,
+ db,serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, e);
if (j < 0) goto err;
{
total++;
j=certify(&x,infile,pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate,days,batch,
+ serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
{
total++;
j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
- serial,subj,startdate,enddate,days,batch,
+ serial,subj,email_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
strncpy(buf[0],serialfile,BSIZE-4);
+ buf[0][BSIZE-4]='\0';
#ifdef OPENSSL_SYS_VMS
strcat(buf[0],"-new");
if (!save_serial(buf[0],serial)) goto err;
strncpy(buf[1],dbfile,BSIZE-4);
+ buf[1][BSIZE-4]='\0';
#ifdef OPENSSL_SYS_VMS
strcat(buf[1],"-new");
p=(char *)x->cert_info->serialNumber->data;
strncpy(buf[2],outdir,BSIZE-(j*2)-6);
+ buf[2][BSIZE-(j*2)-6]='\0';
#ifndef OPENSSL_SYS_VMS
strcat(buf[2],"/");
{
/* Rename the database and the serial file */
strncpy(buf[2],serialfile,BSIZE-4);
+ buf[2][BSIZE-4]='\0';
#ifdef OPENSSL_SYS_VMS
strcat(buf[2],"-old");
}
strncpy(buf[2],dbfile,BSIZE-4);
+ buf[2][BSIZE-4]='\0';
#ifdef OPENSSL_SYS_VMS
strcat(buf[2],"-old");
if (verbose) BIO_printf(bio_err,"making CRL\n");
if ((crl=X509_CRL_new()) == NULL) goto err;
- ci=crl->crl;
- X509_NAME_free(ci->issuer);
- ci->issuer=X509_NAME_dup(x509->cert_info->subject);
- if (ci->issuer == NULL) goto err;
+ if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+
+ tmptm = ASN1_TIME_new();
+ if (!tmptm) goto err;
+ X509_gmtime_adj(tmptm,0);
+ X509_CRL_set_lastUpdate(crl, tmptm);
+ X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+ X509_CRL_set_nextUpdate(crl, tmptm);
- X509_gmtime_adj(ci->lastUpdate,0);
- if (ci->nextUpdate == NULL)
- ci->nextUpdate=ASN1_UTCTIME_new();
- X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
+ ASN1_TIME_free(tmptm);
for (i=0; i<sk_num(db->data); i++)
{
if (j == 2) crl_v2 = 1;
if (!BN_hex2bn(&serial, pp[DB_serial]))
goto err;
- r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber);
+ tmpser = BN_to_ASN1_INTEGER(serial, NULL);
BN_free(serial);
serial = NULL;
- if (!r->serialNumber)
+ if (!tmpser)
goto err;
+ X509_REVOKED_set_serialNumber(r, tmpser);
+ ASN1_INTEGER_free(tmpser);
X509_CRL_add0_revoked(crl,r);
}
}
+
/* sort the data so it will be written in serial
* number order */
- sk_X509_REVOKED_sort(ci->revoked);
- for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
- {
- r=sk_X509_REVOKED_value(ci->revoked,i);
- r->sequence=i;
- }
+ X509_CRL_sort(crl);
/* we now have a CRL */
if (verbose) BIO_printf(bio_err,"signing CRL\n");
if (pkey->type == EVP_PKEY_DSA)
dgst=EVP_dss1();
else
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ if (pkey->type == EVP_PKEY_ECDSA)
+ dgst=EVP_ecdsa();
+ else
#endif
dgst=EVP_md5();
}
if (crl_ext)
{
X509V3_CTX crlctx;
- if (ci->version == NULL)
- if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
X509V3_set_nconf(&crlctx, conf);
}
if (crl_ext || crl_v2)
{
- if (ci->version == NULL)
- if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
- ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+ if (!X509_CRL_set_version(crl, 1))
+ goto err; /* version 2 CRL */
}
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
X509_free(revcert);
strncpy(buf[0],dbfile,BSIZE-4);
+ buf[0][BSIZE-4]='\0';
#ifndef OPENSSL_SYS_VMS
strcat(buf[0],".new");
#else
j=TXT_DB_write(out,db);
if (j <= 0) goto err;
strncpy(buf[1],dbfile,BSIZE-4);
+ buf[1][BSIZE-4]='\0';
#ifndef OPENSSL_SYS_VMS
strcat(buf[1],".old");
#else
strcat(buf[1],"-old");
#endif
+ BIO_free(in);
+ in = NULL;
+ BIO_free(out);
+ out = NULL;
if (rename(dbfile,buf[1]) < 0)
{
BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
if (ret) ERR_print_errors(bio_err);
app_RAND_write_file(randfile, bio_err);
+ if (free_key)
+ OPENSSL_free(key);
BN_free(serial);
TXT_DB_free(db);
EVP_PKEY_free(pkey);
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- int batch, char *ext_sect, CONF *lconf, int verbose,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
{
else
BIO_printf(bio_err,"Signature ok\n");
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate,
- days,batch,verbose,req,ext_sect,lconf,
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn,
+ startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
certopt, nameopt, default_op, ext_copy);
err:
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- int batch, char *ext_sect, CONF *lconf, int verbose,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy, ENGINE *e)
{
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err;
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days,
- batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
- ext_copy);
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+ days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
+ ext_copy);
err:
if (rreq != NULL) X509_REQ_free(rreq);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
- char *startdate, char *enddate, long days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, CONF *lconf,
+ int email_dn, char *startdate, char *enddate, long days, int batch,
+ int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
{
- X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
+ X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
ASN1_UTCTIME *tm,*tmptm;
ASN1_STRING *str,*str2;
ASN1_OBJECT *obj;
if (subj)
{
- X509_NAME *n = do_subject(subj);
+ X509_NAME *n = do_subject(subj, MBSTRING_ASC);
if (!n)
{
if (default_op)
BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
+
name=X509_REQ_get_subject_name(req);
for (i=0; i<X509_NAME_entry_count(name); i++)
{
str->type=V_ASN1_IA5STRING;
}
+ /* If no EMAIL is wanted in the subject */
+ if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
+ continue;
+
/* check some things */
if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
(str->type != V_ASN1_IA5STRING))
BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
goto err;
}
- j=ASN1_PRINTABLE_type(str->data,str->length);
- if ( ((j == V_ASN1_T61STRING) &&
- (str->type != V_ASN1_T61STRING)) ||
- ((j == V_ASN1_IA5STRING) &&
- (str->type == V_ASN1_PRINTABLESTRING)))
+ if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING))
{
- BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
- goto err;
+ j=ASN1_PRINTABLE_type(str->data,str->length);
+ if ( ((j == V_ASN1_T61STRING) &&
+ (str->type != V_ASN1_T61STRING)) ||
+ ((j == V_ASN1_IA5STRING) &&
+ (str->type == V_ASN1_PRINTABLESTRING)))
+ {
+ BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
+ goto err;
+ }
}
if (default_op)
if (preserve)
{
X509_NAME_free(subject);
- subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
+ /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
+ subject=X509_NAME_dup(name);
if (subject == NULL) goto err;
}
if (verbose)
BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
- row[DB_name]=X509_NAME_oneline(subject,NULL,0);
+ /* Build the correct Subject if no e-mail is wanted in the subject */
+ /* and add it later on because of the method extensions are added (altName) */
+
+ if (email_dn)
+ dn_subject = subject;
+ else
+ {
+ X509_NAME_ENTRY *tmpne;
+ /* Its best to dup the subject DN and then delete any email
+ * addresses because this retains its structure.
+ */
+ if (!(dn_subject = X509_NAME_dup(subject)))
+ {
+ BIO_printf(bio_err,"Memory allocation failure\n");
+ goto err;
+ }
+ while((i = X509_NAME_get_index_by_NID(dn_subject,
+ NID_pkcs9_emailAddress, -1)) >= 0)
+ {
+ tmpne = X509_NAME_get_entry(dn_subject, i);
+ X509_NAME_delete_entry(dn_subject, i);
+ X509_NAME_ENTRY_free(tmpne);
+ }
+ }
+
+ row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);
row[DB_serial]=BN_bn2hex(serial);
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
{
goto err;
}
+ /* Set the right value for the noemailDN option */
+ if( email_dn == 0 )
+ {
+ if (!X509_set_subject_name(ret,dn_subject)) goto err;
+ }
if (!default_op)
{
EVP_PKEY_copy_parameters(pktmp,pkey);
EVP_PKEY_free(pktmp);
#endif
+#ifndef OPENSSL_NO_ECDSA
+ if (pkey->type == EVP_PKEY_ECDSA)
+ dgst = EVP_ecdsa();
+ pktmp = X509_get_pubkey(ret);
+ if (EVP_PKEY_missing_parameters(pktmp) &&
+ !EVP_PKEY_missing_parameters(pkey))
+ EVP_PKEY_copy_parameters(pktmp, pkey);
+ EVP_PKEY_free(pktmp);
+#endif
+
if (!X509_sign(ret,pkey,dgst))
goto err;
X509_NAME_free(CAname);
if (subject != NULL)
X509_NAME_free(subject);
+ if ((dn_subject != NULL) && !email_dn)
+ X509_NAME_free(dn_subject);
if (tmptm != NULL)
ASN1_UTCTIME_free(tmptm);
if (ok <= 0)
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
- char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
+ BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy)
{
STACK_OF(CONF_VALUE) *sk=NULL;
continue;
}
+ /*
+ if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
+ continue;
+ */
+
j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
if (fix_data(nid, &j) == 0)
{
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy);
err:
* 2 OK and some extensions added (i.e. V2 CRL)
*/
+
int make_revoked(X509_REVOKED *rev, char *str)
{
char *tmp = NULL;
- char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
int reason_code = -1;
int i, ret = 0;
ASN1_OBJECT *hold = NULL;
ASN1_GENERALIZEDTIME *comp_time = NULL;
ASN1_ENUMERATED *rtmp = NULL;
- tmp = BUF_strdup(str);
- p = strchr(tmp, ',');
+ ASN1_TIME *revDate = NULL;
- rtime_str = tmp;
+ i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
- if (p)
- {
- *p = '\0';
- p++;
- reason_str = p;
- p = strchr(p, ',');
- if (p)
- {
- *p = '\0';
- arg_str = p + 1;
- }
- }
-
- if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str))
- {
- BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+ if (i == 0)
goto err;
- }
- if (reason_str)
- {
- for (i = 0; i < NUM_REASONS; i++)
- {
- if(!strcasecmp(reason_str, crl_reasons[i]))
- {
- reason_code = i;
- break;
- }
- }
- if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
- {
- BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
- goto err;
- }
- if (reason_code == 7)
- reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
- else if (reason_code == 8) /* Hold instruction */
- {
- if (!arg_str)
- {
- BIO_printf(bio_err, "missing hold instruction\n");
- goto err;
- }
- reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
- hold = OBJ_txt2obj(arg_str, 0);
-
- if (!hold)
- {
- BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
- goto err;
- }
- }
- else if ((reason_code == 9) || (reason_code == 10))
- {
- if (!arg_str)
- {
- BIO_printf(bio_err, "missing compromised time\n");
- goto err;
- }
- comp_time = ASN1_GENERALIZEDTIME_new();
- if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
- {
- BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
- goto err;
- }
- if (reason_code == 9)
- reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
- else
- reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
- }
- }
+ if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
+ goto err;
if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
{
ASN1_OBJECT_free(hold);
ASN1_GENERALIZEDTIME_free(comp_time);
ASN1_ENUMERATED_free(rtmp);
+ ASN1_TIME_free(revDate);
return ret;
}
-static X509_NAME *do_subject(char *subject)
+/*
+ * subject is expected to be in the format /type0=value0/type1=value1/type2=...
+ * where characters may be escaped by \
+ */
+X509_NAME *do_subject(char *subject, long chtype)
{
- X509_NAME *n = NULL;
+ size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
+ char *buf = OPENSSL_malloc(buflen);
+ size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
+ char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
+ char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
- int i, nid, ne_num=0;
+ char *sp = subject, *bp = buf;
+ int i, ne_num = 0;
- char *ne_name = NULL;
- char *ne_value = NULL;
-
- char *tmp = NULL;
- char *p[2];
+ X509_NAME *n = NULL;
+ int nid;
- char *str_list[256];
-
- p[0] = ",/";
- p[1] = "=";
+ if (!buf || !ne_types || !ne_values)
+ {
+ BIO_printf(bio_err, "malloc error\n");
+ goto error;
+ }
- n = X509_NAME_new();
+ if (*subject != '/')
+ {
+ BIO_printf(bio_err, "Subject does not start with '/'.\n");
+ goto error;
+ }
+ sp++; /* skip leading / */
- tmp = strtok(subject, p[0]);
- while((tmp != NULL) && (ne_num < (sizeof str_list/sizeof *str_list)))
+ while (*sp)
+ {
+ /* collect type */
+ ne_types[ne_num] = bp;
+ while (*sp)
{
- char *token = tmp;
-
- while (token[0] == ' ')
- token++;
- str_list[ne_num] = token;
-
- tmp = strtok(NULL, p[0]);
- ne_num++;
+ if (*sp == '\\') /* is there anything to escape in the type...? */
+ if (*++sp)
+ *bp++ = *sp++;
+ else
+ {
+ BIO_printf(bio_err, "escape character at end of string\n");
+ goto error;
+ }
+ else if (*sp == '=')
+ {
+ sp++;
+ *bp++ = '\0';
+ break;
+ }
+ else
+ *bp++ = *sp++;
+ }
+ if (!*sp)
+ {
+ BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
+ goto error;
+ }
+ ne_values[ne_num] = bp;
+ while (*sp)
+ {
+ if (*sp == '\\')
+ if (*++sp)
+ *bp++ = *sp++;
+ else
+ {
+ BIO_printf(bio_err, "escape character at end of string\n");
+ goto error;
+ }
+ else if (*sp == '/')
+ {
+ sp++;
+ break;
+ }
+ else
+ *bp++ = *sp++;
}
+ *bp++ = '\0';
+ ne_num++;
+ }
+
+ if (!(n = X509_NAME_new()))
+ goto error;
for (i = 0; i < ne_num; i++)
{
- ne_name = strtok(str_list[i], p[1]);
- ne_value = strtok(NULL, p[1]);
-
- if ((nid=OBJ_txt2nid(ne_name)) == NID_undef)
+ if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
{
- BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_name);
+ BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
continue;
}
- if (ne_value == NULL)
+ if (!*ne_values[i])
{
- BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_name);
+ BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
continue;
}
- if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0))
- {
- X509_NAME_free(n);
- return NULL;
- }
+ if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,0))
+ goto error;
}
+ OPENSSL_free(ne_values);
+ OPENSSL_free(ne_types);
+ OPENSSL_free(buf);
return n;
- }
+error:
+ X509_NAME_free(n);
+ if (ne_values)
+ OPENSSL_free(ne_values);
+ if (ne_types)
+ OPENSSL_free(ne_types);
+ if (buf)
+ OPENSSL_free(buf);
+ return NULL;
+}
int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
{
BIO_printf(bp,"'\n");
return 1;
}
+
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
+ {
+ char *tmp = NULL;
+ char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
+ int reason_code = -1;
+ int i, ret = 0;
+ ASN1_OBJECT *hold = NULL;
+ ASN1_GENERALIZEDTIME *comp_time = NULL;
+ tmp = BUF_strdup(str);
+
+ p = strchr(tmp, ',');
+
+ rtime_str = tmp;
+
+ if (p)
+ {
+ *p = '\0';
+ p++;
+ reason_str = p;
+ p = strchr(p, ',');
+ if (p)
+ {
+ *p = '\0';
+ arg_str = p + 1;
+ }
+ }
+
+ if (prevtm)
+ {
+ *prevtm = ASN1_UTCTIME_new();
+ if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
+ {
+ BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+ goto err;
+ }
+ }
+ if (reason_str)
+ {
+ for (i = 0; i < NUM_REASONS; i++)
+ {
+ if(!strcasecmp(reason_str, crl_reasons[i]))
+ {
+ reason_code = i;
+ break;
+ }
+ }
+ if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
+ {
+ BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
+ goto err;
+ }
+
+ if (reason_code == 7)
+ reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
+ else if (reason_code == 8) /* Hold instruction */
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing hold instruction\n");
+ goto err;
+ }
+ reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
+ hold = OBJ_txt2obj(arg_str, 0);
+
+ if (!hold)
+ {
+ BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
+ goto err;
+ }
+ if (phold) *phold = hold;
+ }
+ else if ((reason_code == 9) || (reason_code == 10))
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing compromised time\n");
+ goto err;
+ }
+ comp_time = ASN1_GENERALIZEDTIME_new();
+ if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
+ {
+ BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
+ goto err;
+ }
+ if (reason_code == 9)
+ reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
+ else
+ reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
+ }
+ }
+
+ if (preason) *preason = reason_code;
+ if (pinvtm) *pinvtm = comp_time;
+ else ASN1_GENERALIZEDTIME_free(comp_time);
+
+ ret = 1;
+
+ err:
+
+ if (tmp) OPENSSL_free(tmp);
+ if (!phold) ASN1_OBJECT_free(hold);
+ if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
+
+ return ret;
+ }
+
+int make_serial_index(TXT_DB *db)
+ {
+ if (!TXT_DB_create_index(db, DB_serial, NULL,
+ LHASH_HASH_FN(index_serial_hash),
+ LHASH_COMP_FN(index_serial_cmp)))
+ {
+ BIO_printf(bio_err,
+ "error creating serial number index:(%ld,%ld,%ld)\n",
+ db->error,db->arg1,db->arg2);
+ return 0;
+ }
+ return 1;
+ }
projects / openssl.git / blobdiff