/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "apps.h"
#include "progs.h"
+DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_EXTENSION)
+DEFINE_STACK_OF(CONF_VALUE)
+DEFINE_STACK_OF_STRING()
+
#ifndef W_OK
# define F_OK 0
# define W_OK 2
static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
long days, int batch, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
- OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
+ OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
+ OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
{"help", OPT_HELP, '-', "Display this summary"},
{"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
{"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
- {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"},
+ {"in", OPT_IN, '<', "The input cert request(s)"},
+ {"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
{"out", OPT_OUT, '>', "Where to put the output file(s)"},
{"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
OPT_SECTION("Certificate"),
{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
- {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
+ {"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"},
{"create_serial", OPT_CREATE_SERIAL, '-',
"If reading serial fails, create a new random serial"},
{"rand_serial", OPT_RAND_SERIAL, '-',
OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"keyfile", OPT_KEYFILE, 's', "Private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
+ {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"cert", OPT_CERT, '<', "The CA cert"},
+ {"certform", OPT_CERTFORM, 'F',
+ "certificate input format (DER/PEM/P12); has no effect"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
char *configfile = default_config_file, *section = NULL;
char *md = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
+ int certformat = FORMAT_PEM, informat = FORMAT_PEM;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
req = 1;
infile = opt_arg();
break;
+ case OPT_INFORM:
+ if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+ goto opthelp;
+ break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_CERT:
certfile = opt_arg();
break;
+ case OPT_CERTFORM:
+ if (!opt_format(opt_arg(), OPT_FMT_ANY, &certformat))
+ goto opthelp;
+ break;
case OPT_SELFSIGN:
selfsign = 1;
break;
}
}
pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key");
- if (key != NULL)
- OPENSSL_cleanse(key, strlen(key));
+ cleanse(key);
if (pkey == NULL)
/* load_key() has already printed an appropriate message */
goto end;
&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;
- x509 = load_cert(certfile, FORMAT_PEM, "CA certificate");
+ x509 = load_cert(certfile, certformat, "CA certificate");
if (x509 == NULL)
goto end;
}
if (ss_cert_file != NULL) {
total++;
- j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
+ j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst,
sigopts, vfyopts, attribs,
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
}
if (infile != NULL) {
total++;
- j = certify(&x, infile, pkey, x509p, dgst, sigopts, vfyopts,
- attribs, db,
+ j = certify(&x, infile, informat, pkey, x509p, dgst,
+ sigopts, vfyopts, attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
certopt, get_nameopt(), default_op, ext_copy, selfsign);
}
for (i = 0; i < argc; i++) {
total++;
- j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, vfyopts,
+ j = certify(&x, argv[i], informat, pkey, x509p, dgst,
+ sigopts, vfyopts,
attribs, db,
serial, subj, chtype, multirdn, email_dn, startdate,
enddate, days, batch, extensions, conf, verbose,
for (i = 0; i < sk_X509_num(cert_sk); i++) {
BIO *Cout = NULL;
X509 *xi = sk_X509_value(cert_sk, i);
- ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi);
+ const ASN1_INTEGER *serialNumber = X509_get0_serialNumber(xi);
const unsigned char *psn = ASN1_STRING_get0_data(serialNumber);
const int snl = ASN1_STRING_length(serialNumber);
const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem");
goto end;
} else {
X509 *revcert;
- revcert = load_cert(infile, FORMAT_PEM, infile);
+ revcert = load_cert(infile, certformat, infile);
if (revcert == NULL)
goto end;
if (dorevoke == 2)
return entry;
}
-static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify(X509 **xret, const char *infile, int informat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
int default_op, int ext_copy, int selfsign)
{
X509_REQ *req = NULL;
- BIO *in = NULL;
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- in = BIO_new_file(infile, "r");
- if (in == NULL) {
- ERR_print_errors(bio_err);
+ req = load_csr(infile, informat, "certificate request");
+ if (req == NULL)
goto end;
- }
- if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
- BIO_printf(bio_err, "Error reading certificate request in %s\n",
- infile);
- goto end;
- }
if (verbose)
X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT);
end:
X509_REQ_free(req);
- BIO_free(in);
return ok;
}
-static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509,
+static int certify_cert(X509 **xret, const char *infile, int certformat,
+ EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
EVP_PKEY *pktmp = NULL;
int ok = -1, i;
- if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL)
+ if ((req = load_cert(infile, certformat, infile)) == NULL)
goto end;
if (verbose)
X509_print(bio_err, req);
row[i] = NULL;
if (subj) {
- X509_NAME *n = parse_name(subj, chtype, multirdn);
+ X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
if (!n) {
ERR_print_errors(bio_err);
BIO_printf(bio_err,
"Everything appears to be ok, creating and signing the certificate\n");
- if ((ret = X509_new()) == NULL)
+ if ((ret = X509_new_with_libctx(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
#ifdef X509_V3
for (i = 0; i < DB_NUMBER; i++)
row[i] = NULL;
row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
- bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
+ bn = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x509), NULL);
if (!bn)
goto end;
if (BN_is_zero(bn))