-#define POSTFIX ".srl"
-#define DEF_DAYS 30
-
-static const char *x509_usage[]={
-"usage: x509 args\n",
-" -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
-" -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
-" -keyform arg - private key format - default PEM\n",
-" -CAform arg - CA format - default PEM\n",
-" -CAkeyform arg - CA key format - default PEM\n",
-" -in arg - input file - default stdin\n",
-" -out arg - output file - default stdout\n",
-" -passin arg - private key password source\n",
-" -serial - print serial number value\n",
-" -subject_hash - print subject hash value\n",
-" -issuer_hash - print issuer hash value\n",
-" -hash - synonym for -subject_hash\n",
-" -subject - print subject DN\n",
-" -issuer - print issuer DN\n",
-" -email - print email address(es)\n",
-" -startdate - notBefore field\n",
-" -enddate - notAfter field\n",
-" -purpose - print out certificate purposes\n",
-" -dates - both Before and After dates\n",
-" -modulus - print the RSA key modulus\n",
-" -pubkey - output the public key\n",
-" -fingerprint - print the certificate fingerprint\n",
-" -alias - output certificate alias\n",
-" -noout - no certificate output\n",
-" -ocspid - print OCSP hash values for the subject name and public key\n",
-" -trustout - output a \"trusted\" certificate\n",
-" -clrtrust - clear all trusted purposes\n",
-" -clrreject - clear all rejected purposes\n",
-" -addtrust arg - trust certificate for a given purpose\n",
-" -addreject arg - reject certificate for a given purpose\n",
-" -setalias arg - set certificate alias\n",
-" -days arg - How long till expiry of a signed certificate - def 30 days\n",
-" -checkend arg - check whether the cert expires in the next arg seconds\n",
-" exit 1 if so, 0 if not\n",
-" -signkey arg - self sign cert with arg\n",
-" -x509toreq - output a certification request object\n",
-" -req - input is a certificate request, sign and output.\n",
-" -CA arg - set the CA certificate, must be PEM format.\n",
-" -CAkey arg - set the CA key, must be PEM format\n",
-" missing, it is assumed to be in the CA file.\n",
-" -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial arg - serial file\n",
-" -set_serial - serial number to use\n",
-" -text - print the certificate in text form\n",
-" -C - print out C code forms\n",
-" -md2/-md5/-sha1/-mdc2 - digest to use\n",
-" -extfile - configuration file with X509V3 extensions to add\n",
-" -extensions - section from config file with X509V3 extensions to add\n",
-" -clrext - delete extensions before signing and input certificate\n",
-" -nameopt arg - various certificate name options\n",
+#define POSTFIX ".srl"
+#define DEF_DAYS 30
+
+static int callb(int ok, X509_STORE_CTX *ctx);
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+ const EVP_MD *digest, CONF *conf, const char *section,
+ int preserve_dates);
+static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest,
+ X509 *x, X509 *xca, EVP_PKEY *pkey,
+ STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile,
+ int create, int days, int clrext, CONF *conf,
+ const char *section, ASN1_INTEGER *sno, int reqfile,
+ int preserve_dates);
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
+static int print_x509v3_exts(BIO *bio, X509 *x, const char *exts);
+
+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
+ OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
+ OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA,
+ OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY,
+ OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
+ OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
+ OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH,
+ OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES,
+ OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
+ OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
+ OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
+ OPT_SUBJECT_HASH_OLD,
+ OPT_ISSUER_HASH_OLD,
+ OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES,
+ OPT_R_ENUM, OPT_EXT
+} OPTION_CHOICE;
+
+const OPTIONS x509_options[] = {
+ {"help", OPT_HELP, '-', "Display this summary"},
+ {"inform", OPT_INFORM, 'f',
+ "Input format - default PEM (one of DER, NET or PEM)"},
+ {"in", OPT_IN, '<', "Input file - default stdin"},
+ {"outform", OPT_OUTFORM, 'f',
+ "Output format - default PEM (one of DER, NET or PEM)"},
+ {"out", OPT_OUT, '>', "Output file - default stdout"},
+ {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+ {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
+ {"serial", OPT_SERIAL, '-', "Print serial number value"},
+ {"subject_hash", OPT_HASH, '-', "Print subject hash value"},
+ {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
+ {"hash", OPT_HASH, '-', "Synonym for -subject_hash"},
+ {"subject", OPT_SUBJECT, '-', "Print subject DN"},
+ {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
+ {"email", OPT_EMAIL, '-', "Print email address(es)"},
+ {"startdate", OPT_STARTDATE, '-', "Set notBefore field"},
+ {"enddate", OPT_ENDDATE, '-', "Set notAfter field"},
+ {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
+ {"dates", OPT_DATES, '-', "Both Before and After dates"},
+ {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+ {"pubkey", OPT_PUBKEY, '-', "Output the public key"},
+ {"fingerprint", OPT_FINGERPRINT, '-',
+ "Print the certificate fingerprint"},
+ {"alias", OPT_ALIAS, '-', "Output certificate alias"},
+ {"noout", OPT_NOOUT, '-', "No output, just status"},
+ {"nocert", OPT_NOCERT, '-', "No certificate output"},
+ {"ocspid", OPT_OCSPID, '-',
+ "Print OCSP hash values for the subject name and public key"},
+ {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
+ {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"},
+ {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
+ {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"},
+ {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
+ {"addreject", OPT_ADDREJECT, 's',
+ "Reject certificate for a given purpose"},
+ {"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
+ {"days", OPT_DAYS, 'n',
+ "How long till expiry of a signed certificate - def 30 days"},
+ {"checkend", OPT_CHECKEND, 'M',
+ "Check whether the cert expires in the next arg seconds"},
+ {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
+ {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
+ {"x509toreq", OPT_X509TOREQ, '-',
+ "Output a certification request object"},
+ {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
+ {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
+ {"CAkey", OPT_CAKEY, 's',
+ "The CA key, must be PEM format; if not in CAfile"},
+ {"CAcreateserial", OPT_CACREATESERIAL, '-',
+ "Create serial number file if it does not exist"},
+ {"CAserial", OPT_CASERIAL, 's', "Serial file"},
+ {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
+ {"text", OPT_TEXT, '-', "Print the certificate in text form"},
+ {"ext", OPT_EXT, 's', "Print various X509V3 extensions"},
+ {"C", OPT_C, '-', "Print out C code forms"},
+ {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
+ OPT_R_OPTIONS,
+ {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"},
+ {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+ {"certopt", OPT_CERTOPT, 's', "Various certificate text options"},
+ {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"},
+ {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
+ {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
+ {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
+ {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
+ {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
+ {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
+ {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
+ {"clrreject", OPT_CLRREJECT, '-',
+ "Clears all the prohibited or rejected uses of the certificate"},
+ {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"},
+ {"", OPT_MD, '-', "Any supported digest"},
+#ifndef OPENSSL_NO_MD5
+ {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) subject hash value"},
+#endif