* [including the GNU Public Licence.]
*/
+#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static char *x509_usage[]={
"usage: x509 args\n",
" -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
-" -outform arg - output format - default PEM (one of DER, NET or PEM\n",
+" -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
" -keyform arg - private key format - default PEM\n",
" -CAform arg - CA format - default PEM\n",
" -CAkeyform arg - CA key format - default PEM\n",
" -issuer - print issuer DN\n",
" -startdate - notBefore field\n",
" -enddate - notAfter field\n",
+" -purpose - print out certificate purposes\n",
" -dates - both Before and After dates\n",
" -modulus - print the RSA key modulus\n",
+" -pubkey - output the public key\n",
" -fingerprint - print the certificate fingerprint\n",
+" -alias - output certificate alias\n",
" -noout - no certificate output\n",
-
+" -trustout - output a \"trusted\" certificate\n",
+" -clrtrust - clear all trusted purposes\n",
+" -clrnotrust - clear all untrusted purposes\n",
+" -addtrust arg - mark certificate as trusted for a given purpose\n",
+" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
+" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
" -x509toreq - output a certification request object\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
-" -config - configuration file with X509V3 extensions to add\n",
+" -extfile - configuration file with X509V3 extensions to add\n",
+" -extensions - section from config file with X509V3 extensions to add\n",
NULL
};
static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
int create,int days, LHASH *conf, char *section);
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile=0;
int MAIN(int argc, char **argv)
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
+ STACK *trust = NULL, *notrust = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
+ char *alias=NULL, *trstr=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+ int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
int C=0;
- int x509req=0,days=DEF_DAYS,modulus=0;
+ int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+ int pprint = 0;
char **pp;
X509_STORE *ctx=NULL;
X509_REQ *rq=NULL;
const EVP_MD *md_alg,*digest=EVP_md5();
LHASH *extconf = NULL;
char *extsect = NULL, *extfile = NULL;
+ int need_rand = 0;
reqfile=0;
keyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-req") == 0)
+ {
reqfile=1;
+ need_rand = 1;
+ }
else if (strcmp(*argv,"-CAform") == 0)
{
if (--argc < 1) goto bad;
goto bad;
}
}
- else if (strcmp(*argv,"-config") == 0)
+ else if (strcmp(*argv,"-extfile") == 0)
{
if (--argc < 1) goto bad;
extfile= *(++argv);
}
+ else if (strcmp(*argv,"-extensions") == 0)
+ {
+ if (--argc < 1) goto bad;
+ extsect= *(++argv);
+ }
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
keyfile= *(++argv);
sign_flag= ++num;
+ need_rand = 1;
}
else if (strcmp(*argv,"-CA") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
CA_flag= ++num;
+ need_rand = 1;
}
else if (strcmp(*argv,"-CAkey") == 0)
{
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
+ else if (strcmp(*argv,"-addtrust") == 0)
+ {
+ if (--argc < 1) goto bad;
+ trstr= *(++argv);
+ if(!X509_trust_set_bit_asc(NULL, trstr, 0)) {
+ BIO_printf(bio_err,
+ "Unknown trust value %s\n", trstr);
+ goto bad;
+ }
+ if(!trust) trust = sk_new_null();
+ sk_push(trust, trstr);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-addnotrust") == 0)
+ {
+ if (--argc < 1) goto bad;
+ trstr= *(++argv);
+ if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
+ BIO_printf(bio_err,
+ "Unknown trust value %s\n", trstr);
+ goto bad;
+ }
+ if(!notrust) notrust = sk_new_null();
+ sk_push(notrust, trstr);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
+ else if (strcmp(*argv,"-pubkey") == 0)
+ pubkey= ++num;
else if (strcmp(*argv,"-x509toreq") == 0)
x509req= ++num;
else if (strcmp(*argv,"-text") == 0)
startdate= ++num;
enddate= ++num;
}
+ else if (strcmp(*argv,"-purpose") == 0)
+ pprint= ++num;
else if (strcmp(*argv,"-startdate") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
+ else if (strcmp(*argv,"-trustout") == 0)
+ trustout= 1;
+ else if (strcmp(*argv,"-clrtrust") == 0)
+ clrtrust= ++num;
+ else if (strcmp(*argv,"-clrnotrust") == 0)
+ clrnotrust= ++num;
+ else if (strcmp(*argv,"-alias") == 0)
+ aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
goto end;
}
+ if (need_rand)
+ app_RAND_load_file(NULL, bio_err, 0);
+
ERR_load_crypto_strings();
X509V3_add_standard_extensions();
+ X509_PURPOSE_add_standard();
if (!X509_STORE_set_default_paths(ctx))
{
if (extfile) {
long errorline;
- X509V3_CTX ctx;
+ X509V3_CTX ctx2;
if (!(extconf=CONF_load(NULL,extfile,&errorline))) {
if (errorline <= 0)
BIO_printf(bio_err,
,errorline,extfile);
goto end;
}
- if(!(extsect = CONF_get_string(extconf, "default",
+ if(!extsect && !(extsect = CONF_get_string(extconf, "default",
"extensions"))) extsect = "default";
- X509V3_set_ctx_test(&ctx);
- X509V3_set_conf_lhash(&ctx, extconf);
- if(!X509V3_EXT_add_conf(extconf, &ctx, extsect, NULL)) {
+ X509V3_set_ctx_test(&ctx2);
+ X509V3_set_conf_lhash(&ctx2, extconf);
+ if(!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL)) {
BIO_printf(bio_err,
"Error Loading extension section %s\n",
extsect);
goto end;
}
}
- req=PEM_read_bio_X509_REQ(in,NULL,NULL);
+ req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
if (req == NULL) { perror(infile); goto end; }
}
}
+ if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
+
+ if(clrtrust) X509_trust_set_bit(x, -1, 0);
+ if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
+
+ if(trust) {
+ for(i = 0; i < sk_num(trust); i++) {
+ trstr = sk_value(trust, i);
+ X509_trust_set_bit_asc(x, trstr, 1);
+ }
+ sk_free(trust);
+ }
+
+ if(notrust) {
+ for(i = 0; i < sk_num(notrust); i++) {
+ trstr = sk_value(notrust, i);
+ X509_notrust_set_bit_asc(x, trstr, 1);
+ }
+ sk_free(notrust);
+ }
+
if (num)
{
for (i=1; i<=num; i++)
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
BIO_printf(STDout,"\n");
}
+ else if (aliasout == i)
+ {
+ unsigned char *alstr;
+ alstr = X509_alias_get(x, NULL);
+ if(alstr) BIO_printf(STDout,"%s\n", alstr);
+ else BIO_puts(STDout,"<No Alias>\n");
+ }
else if (hash == i)
{
BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
}
+ else if (pprint == i)
+ {
+ X509_PURPOSE *ptmp;
+ int j;
+ BIO_printf(STDout, "Certificate purposes:\n");
+ for(j = 0; j < X509_PURPOSE_get_count(); j++)
+ {
+ ptmp = X509_PURPOSE_iget(j);
+ purpose_print(STDout, x, ptmp);
+ }
+ }
else
if (modulus == i)
{
BIO_printf(STDout,"\n");
EVP_PKEY_free(pkey);
}
+ else
+ if (pubkey == i)
+ {
+ EVP_PKEY *pkey;
+
+ pkey=X509_get_pubkey(x);
+ if (pkey == NULL)
+ {
+ BIO_printf(bio_err,"Error getting public key\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ PEM_write_bio_PUBKEY(STDout, pkey);
+ EVP_PKEY_free(pkey);
+ }
else
if (C == i)
{
digest=EVP_dss1();
#endif
+ assert(need_rand);
if (!sign(x,Upkey,days,digest,
extconf, extsect)) goto end;
}
digest=EVP_dss1();
#endif
+ assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, CAserial,CA_createserial,days,
extconf, extsect))
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
- else if (outformat == FORMAT_PEM)
- i=PEM_write_bio_X509(out,x);
- else if (outformat == FORMAT_NETSCAPE)
+ else if (outformat == FORMAT_PEM) {
+ if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+ else i=PEM_write_bio_X509(out,x);
+ } else if (outformat == FORMAT_NETSCAPE)
{
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
}
ret=0;
end:
+ if (need_rand)
+ app_RAND_write_file(NULL, bio_err);
OBJ_cleanup();
CONF_free(extconf);
BIO_free(out);
EVP_PKEY_free(CApkey);
X509_REQ_free(rq);
X509V3_EXT_cleanup();
+ X509_PURPOSE_cleanup();
EXIT(ret);
}
if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
goto end;
- /* don't save DSA parameters in child if parent has them
- * and the parents and the childs are the same. */
- upkey=X509_get_pubkey(x);
- if (!EVP_PKEY_missing_parameters(pkey) &&
- (EVP_PKEY_cmp_parameters(pkey,upkey) == 0))
- {
- EVP_PKEY_save_parameters(upkey,0);
- /* Force a re-write */
- X509_set_pubkey(x,upkey);
- }
- EVP_PKEY_free(upkey);
-
if(conf) {
- X509V3_CTX ctx;
+ X509V3_CTX ctx2;
X509_set_version(x,2); /* version 3 certificate */
- X509V3_set_ctx(&ctx, xca, x, NULL, NULL, 0);
- X509V3_set_conf_lhash(&ctx, conf);
- if(!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto end;
+ X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
+ X509V3_set_conf_lhash(&ctx2, conf);
+ if(!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
}
if (!X509_sign(x,pkey,digest)) goto end;
#endif
if (format == FORMAT_PEM)
{
- pkey=PEM_read_bio_PrivateKey(key,NULL,NULL);
+ pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,NULL);
}
else
{
ah->data=NULL;
}
else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509(cert,NULL,NULL);
+ x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input cert\n");
goto end;
ERR_print_errors(bio_err);
return(0);
}
+
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
+{
+ int id, i, idret;
+ char *pname;
+ id = X509_PURPOSE_get_id(pt);
+ pname = X509_PURPOSE_iget_name(pt);
+ for(i = 0; i < 2; i++) {
+ idret = X509_check_purpose(cert, id, i);
+ BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
+ if(idret == 1) BIO_printf(bio, "Yes\n");
+ else if (idret == 0) BIO_printf(bio, "No\n");
+ else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
+ }
+ return 1;
+}
+
+
+