Initialize num properly.
[openssl.git] / apps / x509.c
index e402f6a..1b612d1 100644 (file)
@@ -150,6 +150,9 @@ static const char *x509_usage[]={
 " -engine e       - use engine e, possibly a hardware device.\n",
 #endif
 " -certopt arg    - various certificate text options\n",
+" -checkhost host - check certificate matches \"host\"\n",
+" -checkemail email - check certificate matches \"email\"\n",
+" -checkip ipaddr - check certificate matches \"ipaddr\"\n",
 NULL
 };
 
@@ -163,6 +166,9 @@ static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
                         CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+static int force_version=2;
+#endif
 
 int MAIN(int, char **);
 
@@ -174,15 +180,16 @@ int MAIN(int argc, char **argv)
        X509 *x=NULL,*xca=NULL;
        ASN1_OBJECT *objtmp;
        STACK_OF(OPENSSL_STRING) *sigopts = NULL;
-       EVP_PKEY *Upkey=NULL,*CApkey=NULL;
+       EVP_PKEY *Upkey=NULL,*CApkey=NULL, *fkey = NULL;
        ASN1_INTEGER *sno = NULL;
-       int i,num,badops=0;
+       int i,num,badops=0, badsig=0;
        BIO *out=NULL;
        BIO *STDout=NULL;
        STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
        int informat,outformat,keyformat,CAformat,CAkeyformat;
        char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
        char *CAkeyfile=NULL,*CAserial=NULL;
+       char *fkeyfile=NULL;
        char *alias=NULL;
        int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
        int next_serial=0;
@@ -207,6 +214,8 @@ int MAIN(int argc, char **argv)
        int need_rand = 0;
        int checkend=0,checkoffset=0;
        unsigned long nmflag = 0, certflag = 0;
+       unsigned char *checkhost = NULL, *checkemail = NULL;
+       char *checkip = NULL;
 #ifndef OPENSSL_NO_ENGINE
        char *engine=NULL;
 #endif
@@ -282,6 +291,13 @@ int MAIN(int argc, char **argv)
                        if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
                                goto bad;
                        }
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               else if (strcmp(*argv,"-force_version") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       force_version=atoi(*(++argv)) - 1;
+                       }
+#endif
                else if (strcmp(*argv,"-days") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -347,6 +363,11 @@ int MAIN(int argc, char **argv)
                        if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
                                goto bad;
                        }
+               else if (strcmp(*argv,"-force_pubkey") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       fkeyfile= *(++argv);
+                       }
                else if (strcmp(*argv,"-addtrust") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -450,6 +471,21 @@ int MAIN(int argc, char **argv)
                        checkoffset=atoi(*(++argv));
                        checkend=1;
                        }
+               else if (strcmp(*argv,"-checkhost") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkhost=(unsigned char *)*(++argv);
+                       }
+               else if (strcmp(*argv,"-checkemail") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkemail=(unsigned char *)*(++argv);
+                       }
+               else if (strcmp(*argv,"-checkip") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkip=*(++argv);
+                       }
                else if (strcmp(*argv,"-noout") == 0)
                        noout= ++num;
                else if (strcmp(*argv,"-trustout") == 0)
@@ -473,6 +509,8 @@ int MAIN(int argc, char **argv)
 #endif
                else if (strcmp(*argv,"-ocspid") == 0)
                        ocspid= ++num;
+               else if (strcmp(*argv,"-badsig") == 0)
+                       badsig = 1;
                else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
                        {
                        /* ok */
@@ -517,6 +555,13 @@ bad:
                goto end;
                }
 
+       if (fkeyfile)
+               {
+               fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
+                                               NULL, e, "Forced key");
+               if (fkey == NULL) goto end;
+               }
+
        if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
                { CAkeyfile=CAfile; }
        else if ((CA_flag) && (CAkeyfile == NULL))
@@ -653,10 +698,14 @@ bad:
 
                X509_gmtime_adj(X509_get_notBefore(x),0);
                X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
-
-               pkey = X509_REQ_get_pubkey(req);
-               X509_set_pubkey(x,pkey);
-               EVP_PKEY_free(pkey);
+               if (fkey)
+                       X509_set_pubkey(x, fkey);
+               else
+                       {
+                       pkey = X509_REQ_get_pubkey(req);
+                       X509_set_pubkey(x,pkey);
+                       EVP_PKEY_free(pkey);
+                       }
                }
        else
                x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
@@ -999,7 +1048,7 @@ bad:
                                else
                                        {
                                        pk=load_key(bio_err,
-                                               keyfile, FORMAT_PEM, 0,
+                                               keyfile, keyformat, 0,
                                                passin, e, "request key");
                                        if (pk == NULL) goto end;
                                        }
@@ -1044,12 +1093,17 @@ bad:
                goto end;
                }
 
+       print_cert_checks(STDout, x, checkhost, checkemail, checkip);
+
        if (noout)
                {
                ret=0;
                goto end;
                }
 
+       if (badsig)
+               x->signature->data[x->signature->length - 1] ^= 0x1;
+
        if      (outformat == FORMAT_ASN1)
                i=i2d_X509_bio(out,x);
        else if (outformat == FORMAT_PEM)
@@ -1093,6 +1147,7 @@ end:
        X509_free(xca);
        EVP_PKEY_free(Upkey);
        EVP_PKEY_free(CApkey);
+       EVP_PKEY_free(fkey);
        if (sigopts)
                sk_OPENSSL_STRING_free(sigopts);
        X509_REQ_free(rq);
@@ -1202,7 +1257,11 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
        if (conf)
                {
                X509V3_CTX ctx2;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               X509_set_version(x, force_version);
+#else
                X509_set_version(x,2); /* version 3 certificate */
+#endif
                 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
                 X509V3_set_nconf(&ctx2, conf);
                 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
@@ -1280,7 +1339,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *dig
        if (conf)
                {
                X509V3_CTX ctx;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               X509_set_version(x, force_version);
+#else
                X509_set_version(x,2); /* version 3 certificate */
+#endif
                 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
                 X509V3_set_nconf(&ctx, conf);
                 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err;