" -CAkeyform arg - CA key format - default PEM\n",
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
-" -passin arg - private key password\n",
-" -envpassin arg - read private key password from encvironment variable \"arg\"\n",
+" -passin arg - private key password source\n",
" -serial - print serial number value\n",
" -hash - print hash value\n",
" -subject - print subject DN\n",
" -req - input is a certificate request, sign and output.\n",
" -CA arg - set the CA certificate, must be PEM format.\n",
" -CAkey arg - set the CA key, must be PEM format\n",
-" missing, it is asssumed to be in the CA file.\n",
+" missing, it is assumed to be in the CA file.\n",
" -CAcreateserial - create serial number file if it does not exist\n",
" -CAserial - serial file\n",
" -text - print the certificate in text form\n",
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
+" -clrext - delete extensions before signing and input certificate\n",
NULL
};
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
static EVP_PKEY *load_key(char *file, int format, char *passin);
static X509 *load_cert(char *file, int format);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,const EVP_MD *digest,
+static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
LHASH *conf, char *section);
static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
- int create,int days, LHASH *conf, char *section);
+ int create,int days, int clrext, LHASH *conf, char *section);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile=0;
+int MAIN(int, char **);
+
int MAIN(int argc, char **argv)
{
int ret=1;
char *alias=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
- int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
+ int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
char buf[256];
const EVP_MD *md_alg,*digest=EVP_md5();
LHASH *extconf = NULL;
- char *extsect = NULL, *extfile = NULL, *passin = NULL;
+ char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
reqfile=0;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
- passin= *(++argv);
- }
- else if (strcmp(*argv,"-envpassin") == 0)
- {
- if (--argc < 1) goto bad;
- if(!(passin= getenv(*(++argv))))
- {
- BIO_printf(bio_err,
- "Can't read environment variable %s\n",
- *argv);
- badops = 1;
- }
+ passargin= *(++argv);
}
else if (strcmp(*argv,"-extfile") == 0)
{
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
+ else if (strcmp(*argv,"-clrext") == 0)
+ clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
+ else if (strcmp(*argv,"-crlext") == 0)
+ {
+ BIO_printf(bio_err,"use -clrext instead of -crlext\n");
+ clrext = 1;
+ }
+#endif
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
}
}
- if(alias) X509_alias_rset(x, (unsigned char *)alias, -1);
+ if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
if(clrtrust) X509_trust_clear(x);
if(clrreject) X509_reject_clear(x);
if(trust) {
for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
objtmp = sk_ASN1_OBJECT_value(trust, i);
- X509_radd_trust_object(x, objtmp);
+ X509_add1_trust_object(x, objtmp);
}
}
if(reject) {
for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
objtmp = sk_ASN1_OBJECT_value(reject, i);
- X509_radd_reject_object(x, objtmp);
+ X509_add1_reject_object(x, objtmp);
}
}
else if (aliasout == i)
{
unsigned char *alstr;
- alstr = X509_alias_iget(x, NULL);
+ alstr = X509_alias_get0(x, NULL);
if(alstr) BIO_printf(STDout,"%s\n", alstr);
else BIO_puts(STDout,"<No Alias>\n");
}
BIO_printf(STDout, "Certificate purposes:\n");
for(j = 0; j < X509_PURPOSE_get_count(); j++)
{
- ptmp = X509_PURPOSE_iget(j);
+ ptmp = X509_PURPOSE_get0(j);
purpose_print(STDout, x, ptmp);
}
}
#endif
assert(need_rand);
- if (!sign(x,Upkey,days,digest,
+ if (!sign(x,Upkey,days,clrext,digest,
extconf, extsect)) goto end;
}
else if (CA_flag == i)
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey, CAserial,CA_createserial,days,
+ CApkey, CAserial,CA_createserial,days, clrext,
extconf, extsect))
goto end;
}
X509_REQ_free(rq);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+ if(passin) Free(passin);
EXIT(ret);
}
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
- int days, LHASH *conf, char *section)
+ int days, int clrext, LHASH *conf, char *section)
{
int ret=0;
BIO *io=NULL;
EVP_PKEY_free(upkey);
X509_STORE_CTX_init(&xsc,ctx,x,NULL);
- buf=(char *)Malloc(EVP_PKEY_size(pkey)*2+
+ buf=Malloc(EVP_PKEY_size(pkey)*2+
((serialfile == NULL)
?(strlen(CAfile)+strlen(POSTFIX)+1)
:(strlen(serialfile)))+1);
if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
goto end;
+ if(clrext) {
+ while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+ }
+
if(conf) {
X509V3_CTX ctx2;
X509_set_version(x,2); /* version 3 certificate */
perror(file);
goto end;
}
-#ifndef NO_RSA
- if (format == FORMAT_ASN1)
+ if (format == FORMAT_ASN1)
{
- RSA *rsa;
-
- rsa=d2i_RSAPrivateKey_bio(key,NULL);
- if (rsa != NULL)
- {
- if ((pkey=EVP_PKEY_new()) != NULL)
- EVP_PKEY_assign_RSA(pkey,rsa);
- else
- RSA_free(rsa);
- }
+ pkey=d2i_PrivateKey_bio(key, NULL);
}
- else
-#endif
- if (format == FORMAT_PEM)
+ else if (format == FORMAT_PEM)
{
- pkey=PEM_read_bio_PrivateKey(key,NULL,PEM_cb,passin);
+ pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
}
else
{
}
/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, const EVP_MD *digest,
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
LHASH *conf, char *section)
{
goto err;
if (!X509_set_pubkey(x,pkey)) goto err;
+ if(clrext) {
+ while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+ }
if(conf) {
X509V3_CTX ctx;
X509_set_version(x,2); /* version 3 certificate */
int id, i, idret;
char *pname;
id = X509_PURPOSE_get_id(pt);
- pname = X509_PURPOSE_iget_name(pt);
+ pname = X509_PURPOSE_get0_name(pt);
for(i = 0; i < 2; i++) {
idret = X509_check_purpose(cert, id, i);
BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");