* [including the GNU Public Licence.]
*/
-#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
-#ifndef OPENSSL_NO_MD5
OPT_SUBJECT_HASH_OLD,
OPT_ISSUER_HASH_OLD,
-#endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
OPT_FORCE_VERSION,
-#endif
OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
} OPTION_CHOICE;
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
{"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
-#ifndef OPENSSL_NO_MD5
- {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
- "Print old-style (MD5) subject hash value"},
-#endif
{"hash", OPT_HASH, '-', "Synonym for -subject_hash"},
{"subject", OPT_SUBJECT, '-', "Print subject DN"},
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
"The CA key, must be PEM format; if not in CAfile"},
{"CAcreateserial", OPT_CACREATESERIAL, '-',
"Create serial number file if it does not exist"},
- {"CAserial", OPT_CASERIAL, '<', "Serial file"},
+ {"CAserial", OPT_CASERIAL, 's', "Serial file"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
{"text", OPT_TEXT, '-', "Print the certificate in text form"},
{"C", OPT_C, '-', "Print out C code forms"},
{"clrreject", OPT_CLRREJECT, '-'},
{"badsig", OPT_BADSIG, '-'},
{"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#ifndef OPENSSL_NO_MD5
+ {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) subject hash value"},
#endif
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
{"force_version", OPT_FORCE_VERSION, 'p'},
+#endif
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
{NULL}
};
char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
- char buf[256];
- char *engine = NULL, *prog;
- int C = 0, x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint =
- 0;
- int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
- int fingerprint = 0, reqfile = 0, need_rand = 0, checkend =
- 0, checkoffset = 0;
+ char buf[256], *prog;
+ int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0;
+ int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
+ int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0;
int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
- int text = 0, serial = 0, subject = 0, issuer = 0, startdate =
- 0, enddate = 0;
+ int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
+ int checkoffset = 0, enddate = 0;
unsigned long nmflag = 0, certflag = 0;
+ char nmflag_set = 0;
OPTION_CHOICE o;
-#ifndef OPENSSL_NO_ENGINE
ENGINE *e = NULL;
-#endif
#ifndef OPENSSL_NO_MD5
int subject_hash_old = 0, issuer_hash_old = 0;
#endif
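Review bot: `char nmflag_set = 0;` is the only flag in this declaration block that is not an `int`; every sibling (`noout`, `sign_flag`, `badsig`, …) is declared `int`, so for consistency with the surrounding style write `int nmflag_set = 0;`. A one-line comment on its purpose would also help, e.g. `/* -nameopt given: do not apply the XN_FLAG_ONELINE default */`, since the default is applied far away after the option loop. The enclosing function continues outside the hunk.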
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
goto opthelp;
break;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
case OPT_FORCE_VERSION:
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
force_version = atoi(opt_arg()) - 1;
- break;
#endif
+ break;
case OPT_DAYS:
days = atoi(opt_arg());
break;
goto opthelp;
break;
case OPT_NAMEOPT:
+ nmflag_set = 1;
if (!set_name_ex(&nmflag, opt_arg()))
goto opthelp;
break;
case OPT_ENGINE:
- engine = opt_arg();
+ e = setup_engine(opt_arg(), 0);
break;
case OPT_C:
C = ++num;
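Review bot: `e = setup_engine(opt_arg(), 0);` now runs inside the option loop, so a repeated `-engine` overwrites the previous handle without releasing it, and a NULL return is not acted on at this point; the old code only recorded the name and called setup_engine once after parsing. If setup_engine already reports its own failure, rejecting the option here keeps the error path consistent with the rest of the switch: `if ((e = setup_engine(opt_arg(), 0)) == NULL) goto end;`. The switch statement starts and ends outside the hunk.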
case OPT_ISSUER_HASH_OLD:
issuer_hash_old = ++num;
break;
+#else
+ case OPT_SUBJECT_HASH_OLD:
+ case OPT_ISSUER_HASH_OLD:
+ break;
#endif
case OPT_DATES:
startdate = ++num;
goto opthelp;
}
- out = bio_open_default(outfile, "w");
- if (out == NULL)
+ if (!nmflag_set)
+ nmflag = XN_FLAG_ONELINE;
+
+ if (!app_load_modules(NULL))
goto end;
-#ifndef OPENSSL_NO_ENGINE
- e = setup_engine(engine, 0);
-#endif
+ out = bio_open_default(outfile, 'w', outformat);
+ if (out == NULL)
+ goto end;
if (need_rand)
app_RAND_load_file(NULL, 0);
}
if (extfile) {
- long errorline = -1;
X509V3_CTX ctx2;
- extconf = NCONF_new(NULL);
- if (!NCONF_load(extconf, extfile, &errorline)) {
- if (errorline <= 0)
- BIO_printf(bio_err,
- "error loading the config file '%s'\n", extfile);
- else
- BIO_printf(bio_err,
- "error on line %ld of config file '%s'\n",
- errorline, extfile);
+ if ((extconf = app_load_config(extfile)) == NULL)
goto end;
- }
if (!extsect) {
extsect = NCONF_get_string(extconf, "default", "extensions");
if (!extsect) {
BIO_printf(bio_err, "We need a private key to sign with\n");
goto end;
}
- in = bio_open_default(infile, "r");
+ in = bio_open_default(infile, 'r', informat);
if (in == NULL)
goto end;
req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
goto end;
}
- if ((req->req_info == NULL) ||
- (req->req_info->pubkey == NULL) ||
- (req->req_info->pubkey->public_key == NULL) ||
- (req->req_info->pubkey->public_key->data == NULL)) {
- BIO_printf(bio_err,
- "The certificate request appears to corrupted\n");
- BIO_printf(bio_err, "It does not contain a public key\n");
- goto end;
- }
if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
} else if (!X509_set_serialNumber(x, sno))
goto end;
- if (!X509_set_issuer_name(x, req->req_info->subject))
+ if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
goto end;
- if (!X509_set_subject_name(x, req->req_info->subject))
+ if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
goto end;
X509_gmtime_adj(X509_get_notBefore(x), 0);
" */\n", buf);
len = i2d_X509(x, NULL);
- m = OPENSSL_malloc(len);
- if (!m) {
- BIO_printf(bio_err, "Out of memory\n");
- goto end;
- }
-
+ m = app_malloc(len, "x509 name buffer");
d = (unsigned char *)m;
len = i2d_X509_NAME(X509_get_subject_name(x), &d);
print_array(out, "the_subject_name", len, (unsigned char *)m);
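Review bot: `len = i2d_X509(x, NULL);` can return a negative value when encoding fails, and the new `m = app_malloc(len, "x509 name buffer");` passes it straight through, whereas the removed OPENSSL_malloc path at least failed into the `Out of memory` branch; add `if (len < 0) goto end;` before the allocation, since app_malloc's handling of a bad size is not visible here. The description string says "name buffer" although the buffer is sized for the whole encoded certificate and reused for the name and key below, so something like `"x509 C-code buffer"` would be less misleading. The enclosing block starts before the hunk.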
goto end;
}
- if (badsig)
- x->signature->data[x->signature->length - 1] ^= 0x1;
+ if (badsig) {
+ ASN1_BIT_STRING *signature;
+ unsigned char *s;
+ X509_get0_signature(&signature, NULL, x);
+ s = ASN1_STRING_data(signature);
+ s[ASN1_STRING_length(signature) - 1] ^= 0x1;
+ }
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
i = PEM_write_bio_X509_AUX(out, x);
else
i = PEM_write_bio_X509(out, x);
- } else if (outformat == FORMAT_NETSCAPE) {
- NETSCAPE_X509 nx;
- ASN1_OCTET_STRING hdr;
-
- hdr.data = (unsigned char *)NETSCAPE_CERT_HDR;
- hdr.length = strlen(NETSCAPE_CERT_HDR);
- nx.header = &hdr;
- nx.cert = x;
-
- i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx);
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
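Review bot: `s[ASN1_STRING_length(signature) - 1] ^= 0x1;` indexes at -1 when the signature bit string is empty, writing before the start of the buffer; the removed code had the same gap, but since the block is being rewritten it should guard the length first: `if (ASN1_STRING_length(signature) > 0) s[ASN1_STRING_length(signature) - 1] ^= 0x1;` (or hold the length in a local `int slen`). `X509_get0_signature` hands back a pointer owned by `x`, so the in-place modification is intentional and deserves a short comment, e.g. `/* -badsig: flip one bit of the signature in place so verification fails */`. The function continues outside the hunk.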
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
EVP_PKEY_free(fkey);
- if (sigopts)
- sk_OPENSSL_STRING_free(sigopts);
+ sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
ASN1_INTEGER_free(sno);
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
- if (passin)
- OPENSSL_free(passin);
+ OPENSSL_free(passin);
return (ret);
}
len = ((serialfile == NULL)
? (strlen(CAfile) + strlen(POSTFIX) + 1)
: (strlen(serialfile))) + 1;
- buf = OPENSSL_malloc(len);
- if (buf == NULL) {
- BIO_printf(bio_err, "out of mem\n");
- goto end;
- }
+ buf = app_malloc(len, "serial# buffer");
if (serialfile == NULL) {
BUF_strlcpy(buf, CAfile, len);
for (p = buf; *p; p++)
goto end;
end:
- if (buf)
- OPENSSL_free(buf);
+ OPENSSL_free(buf);
BN_free(serial);
return bs;
}
}
if (sno)
bs = sno;
- else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
+ else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL)
goto end;
-/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/
-
/*
* NOTE: this certificate can/should be self signed, unless it was a
* certificate request in which case it is not.