#define POSTFIX ".srl"
#define DEF_DAYS 30
-#define CERT_HDR "certificate"
-
static char *x509_usage[]={
"usage: x509 args\n",
" -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
" -hash - print hash value\n",
" -subject - print subject DN\n",
" -issuer - print issuer DN\n",
+" -email - print email address(es)\n",
" -startdate - notBefore field\n",
" -enddate - notAfter field\n",
" -purpose - print out certificate purposes\n",
" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
+" -checkend arg - check whether the cert expires in the next arg seconds\n",
+" exit 1 if so, 0 if not\n",
" -signkey arg - self sign cert with arg\n",
" -x509toreq - output a certification request object\n",
" -req - input is a certificate request, sign and output.\n",
" -md2/-md5/-sha1/-mdc2 - digest to use\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
-" -crlext - delete extensions before signing and input certificate\n",
+" -clrext - delete extensions before signing and input certificate\n",
NULL
};
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format, char *passin);
-static X509 *load_cert(char *file, int format);
static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
LHASH *conf, char *section);
static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
- int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+ int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
LHASH *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
+ int checkend=0,checkoffset=0;
reqfile=0;
}
else if (strcmp(*argv,"-C") == 0)
C= ++num;
+ else if (strcmp(*argv,"-email") == 0)
+ email= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
+ else if (strcmp(*argv,"-checkend") == 0)
+ {
+ if (--argc < 1) goto bad;
+ checkoffset=atoi(*(++argv));
+ checkend=1;
+ }
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-trustout") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
+ else if (strcmp(*argv,"-clrext") == 0)
+ clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
else if (strcmp(*argv,"-crlext") == 0)
+ {
+ BIO_printf(bio_err,"use -clrext instead of -crlext\n");
clrext = 1;
+ }
+#endif
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
+ BIO_free(in);
goto end;
}
}
req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
- if (req == NULL) { perror(infile); goto end; }
+ if (req == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
if ( (req->req_info == NULL) ||
(req->req_info->pubkey == NULL) ||
EVP_PKEY_free(pkey);
}
else
- x=load_cert(infile,informat);
+ x=load_cert(bio_err,infile,informat);
if (x == NULL) goto end;
if (CA_flag)
{
- xca=load_cert(CAfile,CAformat);
+ xca=load_cert(bio_err,CAfile,CAformat);
if (xca == NULL) goto end;
}
}
}
- if(alias) X509_alias_rset(x, (unsigned char *)alias, -1);
+ if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
if(clrtrust) X509_trust_clear(x);
if(clrreject) X509_reject_clear(x);
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
BIO_printf(STDout,"\n");
}
+ else if (email == i)
+ {
+ int j;
+ STACK *emlst;
+ emlst = X509_get1_email(x);
+ for(j = 0; j < sk_num(emlst); j++)
+ BIO_printf(STDout, "%s\n", sk_value(emlst, j));
+ X509_email_free(emlst);
+ }
else if (aliasout == i)
{
unsigned char *alstr;
- alstr = X509_alias_iget(x, NULL);
+ alstr = X509_alias_get0(x, NULL);
if(alstr) BIO_printf(STDout,"%s\n", alstr);
else BIO_puts(STDout,"<No Alias>\n");
}
BIO_printf(STDout, "Certificate purposes:\n");
for(j = 0; j < X509_PURPOSE_get_count(); j++)
{
- ptmp = X509_PURPOSE_iget(j);
+ ptmp = X509_PURPOSE_get0(j);
purpose_print(STDout, x, ptmp);
}
}
BIO_printf(STDout,"/* issuer :%s */\n",buf);
z=i2d_X509(x,NULL);
- m=Malloc(z);
+ m=OPENSSL_malloc(z);
d=(unsigned char *)m;
z=i2d_X509_NAME(X509_get_subject_name(x),&d);
if (y%16 != 0) BIO_printf(STDout,"\n");
BIO_printf(STDout,"};\n");
- Free(m);
+ OPENSSL_free(m);
}
else if (text == i)
{
BIO_printf(bio_err,"Getting Private key\n");
if (Upkey == NULL)
{
- Upkey=load_key(keyfile,keyformat, passin);
+ Upkey=load_key(bio_err,
+ keyfile,keyformat, passin);
if (Upkey == NULL) goto end;
}
#ifndef NO_DSA
BIO_printf(bio_err,"Getting CA Private Key\n");
if (CAkeyfile != NULL)
{
- CApkey=load_key(CAkeyfile,CAkeyformat, passin);
+ CApkey=load_key(bio_err,
+ CAkeyfile,CAkeyformat, passin);
if (CApkey == NULL) goto end;
}
#ifndef NO_DSA
}
else
{
- pk=load_key(keyfile,FORMAT_PEM, passin);
+ pk=load_key(bio_err,
+ keyfile,FORMAT_PEM, passin);
if (pk == NULL) goto end;
}
}
}
+ if(checkend)
+ {
+ time_t t=ASN1_UTCTIME_get(X509_get_notAfter(x));
+ time_t tnow=time(NULL);
+
+ if(tnow+checkoffset > t)
+ {
+ BIO_printf(out,"Certificate will expire\n");
+ ret=1;
+ }
+ else
+ {
+ BIO_printf(out,"Certificate will not expire\n");
+ ret=0;
+ }
+ goto end;
+ }
+
if (noout)
{
ret=0;
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
- os.data=(unsigned char *)CERT_HDR;
- os.length=strlen(CERT_HDR);
+ os.data=(unsigned char *)NETSCAPE_CERT_HDR;
+ os.length=strlen(NETSCAPE_CERT_HDR);
ah.header= &os;
ah.data=(char *)x;
ah.meth=X509_asn1_meth();
X509_REQ_free(rq);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
- if(passin) Free(passin);
+ if(passin) OPENSSL_free(passin);
EXIT(ret);
}
EVP_PKEY_free(upkey);
X509_STORE_CTX_init(&xsc,ctx,x,NULL);
- buf=Malloc(EVP_PKEY_size(pkey)*2+
+ buf=OPENSSL_malloc(EVP_PKEY_size(pkey)*2+
((serialfile == NULL)
?(strlen(CAfile)+strlen(POSTFIX)+1)
:(strlen(serialfile)))+1);
X509_STORE_CTX_cleanup(&xsc);
if (!ret)
ERR_print_errors(bio_err);
- if (buf != NULL) Free(buf);
+ if (buf != NULL) OPENSSL_free(buf);
if (bs != NULL) ASN1_INTEGER_free(bs);
if (io != NULL) BIO_free(io);
if (serial != NULL) BN_free(serial);
}
}
-static EVP_PKEY *load_key(char *file, int format, char *passin)
- {
- BIO *key=NULL;
- EVP_PKEY *pkey=NULL;
-
- if (file == NULL)
- {
- BIO_printf(bio_err,"no keyfile specified\n");
- goto end;
- }
- key=BIO_new(BIO_s_file());
- if (key == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
- if (BIO_read_filename(key,file) <= 0)
- {
- perror(file);
- goto end;
- }
- if (format == FORMAT_ASN1)
- {
- pkey=d2i_PrivateKey_bio(key, NULL);
- }
- else if (format == FORMAT_PEM)
- {
- pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
- }
- else
- {
- BIO_printf(bio_err,"bad input format specified for key\n");
- goto end;
- }
-end:
- if (key != NULL) BIO_free(key);
- if (pkey == NULL)
- BIO_printf(bio_err,"unable to load Private Key\n");
- return(pkey);
- }
-
-static X509 *load_cert(char *file, int format)
- {
- ASN1_HEADER *ah=NULL;
- BUF_MEM *buf=NULL;
- X509 *x=NULL;
- BIO *cert;
-
- if ((cert=BIO_new(BIO_s_file())) == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (file == NULL)
- BIO_set_fp(cert,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(cert,file) <= 0)
- {
- perror(file);
- goto end;
- }
- }
- if (format == FORMAT_ASN1)
- x=d2i_X509_bio(cert,NULL);
- else if (format == FORMAT_NETSCAPE)
- {
- unsigned char *p,*op;
- int size=0,i;
-
- /* We sort of have to do it this way because it is sort of nice
- * to read the header first and check it, then
- * try to read the certificate */
- buf=BUF_MEM_new();
- for (;;)
- {
- if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
- goto end;
- i=BIO_read(cert,&(buf->data[size]),1024*10);
- size+=i;
- if (i == 0) break;
- if (i < 0)
- {
- perror("reading certificate");
- goto end;
- }
- }
- p=(unsigned char *)buf->data;
- op=p;
-
- /* First load the header */
- if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
- goto end;
- if ((ah->header == NULL) || (ah->header->data == NULL) ||
- (strncmp(CERT_HDR,(char *)ah->header->data,
- ah->header->length) != 0))
- {
- BIO_printf(bio_err,"Error reading header on certificate\n");
- goto end;
- }
- /* header is ok, so now read the object */
- p=op;
- ah->meth=X509_asn1_meth();
- if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
- goto end;
- x=(X509 *)ah->data;
- ah->data=NULL;
- }
- else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
- else {
- BIO_printf(bio_err,"bad input format specified for input cert\n");
- goto end;
- }
-end:
- if (x == NULL)
- {
- BIO_printf(bio_err,"unable to load certificate\n");
- ERR_print_errors(bio_err);
- }
- if (ah != NULL) ASN1_HEADER_free(ah);
- if (cert != NULL) BIO_free(cert);
- if (buf != NULL) BUF_MEM_free(buf);
- return(x);
- }
-
/* self sign */
static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
LHASH *conf, char *section)