Source code cleanups: Use void * rather than char * in lhash,

[openssl.git] / apps / ca.c
diff --git a/apps/ca.c b/apps/ca.c

index fa355ab0c9646d862b9e6a00ce29fe3d18cc50a6..ff11c2a05ac6c9d16375bc7031f42d60aba6d17e 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -147,6 +147,8 @@ static char *ca_usage[]={
  " -gencrl         - Generate a new CRL\n",
  " -crldays days   - Days is when the next CRL is due\n",
  " -crlhours hours - Hours is when the next CRL is due\n",
  " -gencrl         - Generate a new CRL\n",
  " -crldays days   - Days is when the next CRL is due\n",
  " -crlhours hours - Hours is when the next CRL is due\n",
+" -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
+" -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
  " -days arg       - number of days to certify the certificate for\n",
  " -md arg         - md to use, one of md2, md5, sha or sha1\n",
  " -policy arg     - The CA 'policy' to support\n",
  " -days arg       - number of days to certify the certificate for\n",
  " -md arg         - md to use, one of md2, md5, sha or sha1\n",
  " -policy arg     - The CA 'policy' to support\n",
@@ -163,6 +165,8 @@ static char *ca_usage[]={
  " -batch          - Don't ask questions\n",
  " -msie_hack      - msie modifications to handle all those universal strings\n",
  " -revoke file    - Revoke a certificate (given in file)\n",
  " -batch          - Don't ask questions\n",
  " -msie_hack      - msie modifications to handle all those universal strings\n",
  " -revoke file    - Revoke a certificate (given in file)\n",
+" -extensions ..  - Extension section (override value in config file)\n",
+" -crlexts ..     - CRL extension section (override value in config file)\n",
  NULL
  };
  
  NULL
  };
  
@@ -174,7 +178,6 @@ extern int EF_ALIGNMENT;
  
  static int add_oid_section(LHASH *conf);
  static void lookup_fail(char *name,char *tag);
  
  static int add_oid_section(LHASH *conf);
  static void lookup_fail(char *name,char *tag);
-static int MS_CALLBACK key_callback(char *buf,int len,int verify,void *u);
  static unsigned long index_serial_hash(char **a);
  static int index_serial_cmp(char **a, char **b);
  static unsigned long index_name_hash(char **a);
  static unsigned long index_serial_hash(char **a);
  static int index_serial_cmp(char **a, char **b);
  static unsigned long index_name_hash(char **a);
@@ -204,8 +207,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
         X509_REQ *req, char *ext_sect, LHASH *conf);
  static int do_revoke(X509 *x509, TXT_DB *db);
  static int check_time_format(char *str);
         X509_REQ *req, char *ext_sect, LHASH *conf);
  static int do_revoke(X509 *x509, TXT_DB *db);
  static int check_time_format(char *str);
-static LHASH *conf;
-static char *key=NULL;
+static LHASH *conf=NULL;
  static char *section=NULL;
  
  static int preserve=0;
  static char *section=NULL;
  
  static int preserve=0;
@@ -213,6 +215,7 @@ static int msie_hack=0;
  
  int MAIN(int argc, char **argv)
         {
  
  int MAIN(int argc, char **argv)
         {
+       char *key=NULL;
         int total=0;
         int total_done=0;
         int badops=0;
         int total=0;
         int total_done=0;
         int badops=0;
@@ -262,6 +265,7 @@ int MAIN(int argc, char **argv)
  #undef BSIZE
  #define BSIZE 256
         MS_STATIC char buf[3][BSIZE];
  #undef BSIZE
  #define BSIZE 256
         MS_STATIC char buf[3][BSIZE];
+       char *randfile=NULL;
  
  #ifdef EFENCE
  EF_PROTECT_FREE=1;
  
  #ifdef EFENCE
  EF_PROTECT_FREE=1;
@@ -271,9 +275,12 @@ EF_ALIGNMENT=0;
  
         apps_startup();
  
  
         apps_startup();
  
-       X509V3_add_standard_extensions();
+       conf = NULL;
+       key = NULL;
+       section = NULL;
  
         preserve=0;
  
         preserve=0;
+       msie_hack=0;
         if (bio_err == NULL)
                 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
                         BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
         if (bio_err == NULL)
                 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
                         BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
@@ -393,6 +400,16 @@ EF_ALIGNMENT=0;
                         infile= *(++argv);
                         dorevoke=1;
                         }
                         infile= *(++argv);
                         dorevoke=1;
                         }
+               else if (strcmp(*argv,"-extensions") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       extensions= *(++argv);
+                       }
+               else if (strcmp(*argv,"-crlexts") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_ext= *(++argv);
+                       }
                 else
                         {
  bad:
                 else
                         {
  bad:
@@ -476,12 +493,16 @@ bad:
                                 BIO_free(oid_bio);
                                 }
                         }
                                 BIO_free(oid_bio);
                                 }
                         }
-               }
-               if(!add_oid_section(conf)) {
+               if(!add_oid_section(conf)) 
+                       {
                         ERR_print_errors(bio_err);
                         goto err;
                         ERR_print_errors(bio_err);
                         goto err;
+                       }
                 }
  
                 }
  
+       randfile = CONF_get_string(conf, BASE_SECTION, "RANDFILE");
+       app_RAND_load_file(randfile, bio_err, 0);
+       
         in=BIO_new(BIO_s_file());
         out=BIO_new(BIO_s_file());
         Sout=BIO_new(BIO_s_file());
         in=BIO_new(BIO_s_file());
         out=BIO_new(BIO_s_file());
         Sout=BIO_new(BIO_s_file());
@@ -507,13 +528,8 @@ bad:
                 BIO_printf(bio_err,"trying to load CA private key\n");
                 goto err;
                 }
                 BIO_printf(bio_err,"trying to load CA private key\n");
                 goto err;
                 }
-       if (key == NULL)
-               pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL);
-       else
-               {
-               pkey=PEM_read_bio_PrivateKey(in,NULL,key_callback,NULL);
-               memset(key,0,strlen(key));
-               }
+               pkey=PEM_read_bio_PrivateKey(in,NULL,PEM_cb,key);
+               if(key) memset(key,0,strlen(key));
         if (pkey == NULL)
                 {
                 BIO_printf(bio_err,"unable to load CA private key\n");
         if (pkey == NULL)
                 {
                 BIO_printf(bio_err,"unable to load CA private key\n");
@@ -584,12 +600,14 @@ bad:
                         perror(outdir);
                         goto err;
                         }
                         perror(outdir);
                         goto err;
                         }
+#ifdef S_IFDIR
                 if (!(sb.st_mode & S_IFDIR))
                         {
                         BIO_printf(bio_err,"%s need to be a directory\n",outdir);
                         perror(outdir);
                         goto err;
                         }
                 if (!(sb.st_mode & S_IFDIR))
                         {
                         BIO_printf(bio_err,"%s need to be a directory\n",outdir);
                         perror(outdir);
                         goto err;
                         }
+#endif
                 }
  
         /*****************************************************************/
                 }
  
         /*****************************************************************/
@@ -720,8 +738,8 @@ bad:
                         lookup_fail(section,ENV_SERIAL);
                         goto err;
                         }
                         lookup_fail(section,ENV_SERIAL);
                         goto err;
                         }
-
-               extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
+               if(!extensions)
+                       extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
                 if(extensions) {
                         /* Check syntax of file */
                         X509V3_CTX ctx;
                 if(extensions) {
                         /* Check syntax of file */
                         X509V3_CTX ctx;
@@ -1031,7 +1049,7 @@ bad:
         /*****************************************************************/
         if (gencrl)
                 {
         /*****************************************************************/
         if (gencrl)
                 {
-               crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+               if(!crl_ext) crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
                 if(crl_ext) {
                         /* Check syntax of file */
                         X509V3_CTX ctx;
                 if(crl_ext) {
                         /* Check syntax of file */
                         X509V3_CTX ctx;
@@ -1143,13 +1161,6 @@ bad:
         /*****************************************************************/
         if (dorevoke)
                 {
         /*****************************************************************/
         if (dorevoke)
                 {
-               in=BIO_new(BIO_s_file());
-               out=BIO_new(BIO_s_file());
-               if ((in == NULL) || (out == NULL))
-                       {
-                       ERR_print_errors(bio_err);
-                       goto err;
-                       }
                 if (infile == NULL) 
                         {
                         BIO_printf(bio_err,"no input files\n");
                 if (infile == NULL) 
                         {
                         BIO_printf(bio_err,"no input files\n");
@@ -1157,19 +1168,22 @@ bad:
                         }
                 else
                         {
                         }
                 else
                         {
+                       X509 *revcert;
                         if (BIO_read_filename(in,infile) <= 0)
                                 {
                                 perror(infile);
                                 BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
                                 goto err;
                                 }
                         if (BIO_read_filename(in,infile) <= 0)
                                 {
                                 perror(infile);
                                 BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
                                 goto err;
                                 }
-                       x509=PEM_read_bio_X509(in,NULL,NULL,NULL);
-                       if (x509 == NULL)
+                       revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
+                       if (revcert == NULL)
                                 {
                                 BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
                                 goto err;
                                 }
                                 {
                                 BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
                                 goto err;
                                 }
-                       j=do_revoke(x509,db);
+                       j=do_revoke(revcert,db);
+                       if (j <= 0) goto err;
+                       X509_free(revcert);
  
                         strncpy(buf[0],dbfile,BSIZE-4);
                         strcat(buf[0],".new");
  
                         strncpy(buf[0],dbfile,BSIZE-4);
                         strcat(buf[0],".new");
@@ -1181,10 +1195,6 @@ bad:
                                 }
                         j=TXT_DB_write(out,db);
                         if (j <= 0) goto err;
                                 }
                         j=TXT_DB_write(out,db);
                         if (j <= 0) goto err;
-                       BIO_free(in);
-                       BIO_free(out);
-                       in=NULL;
-                       out=NULL;
                         strncpy(buf[1],dbfile,BSIZE-4);
                         strcat(buf[1],".old");
                         if (rename(dbfile,buf[1]) < 0)
                         strncpy(buf[1],dbfile,BSIZE-4);
                         strcat(buf[1],".old");
                         if (rename(dbfile,buf[1]) < 0)
@@ -1215,13 +1225,13 @@ err:
         sk_pop_free(cert_sk,X509_free);
  
         if (ret) ERR_print_errors(bio_err);
         sk_pop_free(cert_sk,X509_free);
  
         if (ret) ERR_print_errors(bio_err);
+       app_RAND_write_file(randfile, bio_err);
         BN_free(serial);
         TXT_DB_free(db);
         EVP_PKEY_free(pkey);
         X509_free(x509);
         X509_CRL_free(crl);
         CONF_free(conf);
         BN_free(serial);
         TXT_DB_free(db);
         EVP_PKEY_free(pkey);
         X509_free(x509);
         X509_CRL_free(crl);
         CONF_free(conf);
-       X509V3_EXT_cleanup();
         OBJ_cleanup();
         EXIT(ret);
         }
         OBJ_cleanup();
         EXIT(ret);
         }
@@ -1231,17 +1241,6 @@ static void lookup_fail(char *name, char *tag)
         BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
         }
  
         BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
         }
  
-static int MS_CALLBACK key_callback(char *buf, int len, int verify, void *u)
-       {
-       int i;
-
-       if (key == NULL) return(0);
-       i=strlen(key);
-       i=(i > len)?len:i;
-       memcpy(buf,key,i);
-       return(i);
-       }
-
  static unsigned long index_serial_hash(char **a)
         {
         char *n;
  static unsigned long index_serial_hash(char **a)
         {
         char *n;
@@ -1664,8 +1663,7 @@ again2:
  
                         if (push != NULL)
                                 {
  
                         if (push != NULL)
                                 {
-                               if (!X509_NAME_add_entry(subject,push,
-                                       X509_NAME_entry_count(subject),0))
+                               if (!X509_NAME_add_entry(subject,push, -1, 0))
                                         {
                                         if (push != NULL)
                                                 X509_NAME_ENTRY_free(push);
                                         {
                                         if (push != NULL)
                                                 X509_NAME_ENTRY_free(push);
@@ -1883,6 +1881,8 @@ err:
                 X509_NAME_free(CAname);
         if (subject != NULL)
                 X509_NAME_free(subject);
                 X509_NAME_free(CAname);
         if (subject != NULL)
                 X509_NAME_free(subject);
+       if (tmptm != NULL)
+               ASN1_UTCTIME_free(tmptm);
         if (ok <= 0)
                 {
                 if (ret != NULL) X509_free(ret);
         if (ok <= 0)
                 {
                 if (ret != NULL) X509_free(ret);
@@ -1929,7 +1929,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
         X509_REQ *req=NULL;
         CONF_VALUE *cv=NULL;
         NETSCAPE_SPKI *spki = NULL;
         X509_REQ *req=NULL;
         CONF_VALUE *cv=NULL;
         NETSCAPE_SPKI *spki = NULL;
-       unsigned char *spki_der = NULL,*p;
         X509_REQ_INFO *ri;
         char *type,*buf;
         EVP_PKEY *pktmp=NULL;
         X509_REQ_INFO *ri;
         char *type,*buf;
         EVP_PKEY *pktmp=NULL;
@@ -2001,25 +2000,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         {
                         if (strcmp(type, "SPKAC") == 0)
                                 {
                         {
                         if (strcmp(type, "SPKAC") == 0)
                                 {
-                               spki_der=(unsigned char *)Malloc(
-                                       strlen(cv->value)+1);
-                               if (spki_der == NULL)
-                                       {
-                                       BIO_printf(bio_err,"Malloc failure\n");
-                                       goto err;
-                                       }
-                               j = EVP_DecodeBlock(spki_der, (unsigned char *)cv->value,
-                                       strlen(cv->value));
-                               if (j <= 0)
-                                       {
-                                       BIO_printf(bio_err, "Can't b64 decode SPKAC structure\n");
-                                       goto err;
-                                       }
-
-                               p=spki_der;
-                               spki = d2i_NETSCAPE_SPKI(&spki, &p, j);
-                               Free(spki_der);
-                               spki_der = NULL;
+                               spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
                                 if (spki == NULL)
                                         {
                                         BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
                                 if (spki == NULL)
                                         {
                                         BIO_printf(bio_err,"unable to load Netscape SPKAC structure\n");
@@ -2043,8 +2024,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                         strlen(buf))) == NULL)
                         goto err;
  
                         strlen(buf))) == NULL)
                         goto err;
  
-               if (!X509_NAME_add_entry(n,ne,X509_NAME_entry_count(n),0))
-                       goto err;
+               if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
                 }
         if (spki == NULL)
                 {
                 }
         if (spki == NULL)
                 {
@@ -2059,7 +2039,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
  
         BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
  
  
         BIO_printf(bio_err,"Check that the SPKAC request matches the signature\n");
  
-       if ((pktmp=X509_PUBKEY_get(spki->spkac->pubkey)) == NULL)
+       if ((pktmp=NETSCAPE_SPKI_get_pubkey(spki)) == NULL)
                 {
                 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
                 goto err;
                 {
                 BIO_printf(bio_err,"error unpacking SPKAC public key\n");
                 goto err;
@@ -2080,7 +2060,6 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
  err:
         if (req != NULL) X509_REQ_free(req);
         if (parms != NULL) CONF_free(parms);
  err:
         if (req != NULL) X509_REQ_free(req);
         if (parms != NULL) CONF_free(parms);
-       if (spki_der != NULL) Free(spki_der);
         if (spki != NULL) NETSCAPE_SPKI_free(spki);
         if (ne != NULL) X509_NAME_ENTRY_free(ne);
  
         if (spki != NULL) NETSCAPE_SPKI_free(spki);
         if (ne != NULL) X509_NAME_ENTRY_free(ne);
  
@@ -2136,20 +2115,26 @@ static int add_oid_section(LHASH *hconf)
  
  static int do_revoke(X509 *x509, TXT_DB *db)
  {
  
  static int do_revoke(X509 *x509, TXT_DB *db)
  {
-       ASN1_UTCTIME *tm=NULL;
+       ASN1_UTCTIME *tm=NULL, *revtm=NULL;
         char *row[DB_NUMBER],**rrow,**irow;
         char *row[DB_NUMBER],**rrow,**irow;
+       BIGNUM *bn = NULL;
         int ok=-1,i;
  
         for (i=0; i<DB_NUMBER; i++)
                 row[i]=NULL;
         int ok=-1,i;
  
         for (i=0; i<DB_NUMBER; i++)
                 row[i]=NULL;
-       row[DB_name]=X509_NAME_oneline(x509->cert_info->subject,NULL,0);
-       row[DB_serial]=BN_bn2hex(ASN1_INTEGER_to_BN(x509->cert_info->serialNumber,NULL));
+       row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
+       bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
+       row[DB_serial]=BN_bn2hex(bn);
+       BN_free(bn);
         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                 {
                 BIO_printf(bio_err,"Malloc failure\n");
                 goto err;
                 }
         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                 {
                 BIO_printf(bio_err,"Malloc failure\n");
                 goto err;
                 }
-       rrow=TXT_DB_get_by_index(db,DB_name,row);
+       /* We have to lookup by serial number because name lookup
+        * skips revoked certs
+        */
+       rrow=TXT_DB_get_by_index(db,DB_serial,row);
         if (rrow == NULL)
                 {
                 BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
         if (rrow == NULL)
                 {
                 BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
@@ -2200,16 +2185,15 @@ static int do_revoke(X509 *x509, TXT_DB *db)
                         }
  
                 /* Revoke Certificate */
                         }
  
                 /* Revoke Certificate */
-               do_revoke(x509,db);
+               ok = do_revoke(x509,db);
  
  
-               ok=1;
                 goto err;
  
                 }
                 goto err;
  
                 }
-       else if (index_serial_cmp(row,rrow))
+       else if (index_name_cmp(row,rrow))
                 {
                 {
-               BIO_printf(bio_err,"ERROR:no same serial number %s\n",
-                          row[DB_serial]);
+               BIO_printf(bio_err,"ERROR:name does not match %s\n",
+                          row[DB_name]);
                 goto err;
                 }
         else if (rrow[DB_type][0]=='R')
                 goto err;
                 }
         else if (rrow[DB_type][0]=='R')
@@ -2221,12 +2205,14 @@ static int do_revoke(X509 *x509, TXT_DB *db)
         else
                 {
                 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
         else
                 {
                 BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
-               tm=X509_gmtime_adj(tm,0);
+               revtm = ASN1_UTCTIME_new();
+               revtm=X509_gmtime_adj(revtm,0);
                 rrow[DB_type][0]='R';
                 rrow[DB_type][1]='\0';
                 rrow[DB_type][0]='R';
                 rrow[DB_type][1]='\0';
-               rrow[DB_rev_date]=(char *)Malloc(tm->length+1);
-               memcpy(rrow[DB_rev_date],tm->data,tm->length);
-               rrow[DB_rev_date][tm->length]='\0';
+               rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
+               memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
+               rrow[DB_rev_date][revtm->length]='\0';
+               ASN1_UTCTIME_free(revtm);
                 }
         ok=1;
  err:
                 }
         ok=1;
  err:
@@ -2235,7 +2221,6 @@ err:
                 if (row[i] != NULL) 
                         Free(row[i]);
                 }
                 if (row[i] != NULL) 
                         Free(row[i]);
                 }
-       ASN1_UTCTIME_free(tm);
         return(ok);
  }
  
         return(ok);
  }