* [including the GNU Public Licence.]
*/
+#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define APPS_WIN16
#endif
#include "apps.h"
-#include "bio.h"
-#include "asn1.h"
-#include "err.h"
-#include "bn.h"
-#include "evp.h"
-#include "x509.h"
-#include "objects.h"
-#include "pem.h"
+#include <openssl/bio.h>
+#include <openssl/asn1.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/objects.h>
+#include <openssl/pem.h>
#undef PROG
#define PROG x509_main
#define POSTFIX ".srl"
#define DEF_DAYS 30
-#define FORMAT_UNDEF 0
-#define FORMAT_ASN1 1
-#define FORMAT_TEXT 2
-#define FORMAT_PEM 3
-
#define CERT_HDR "certificate"
static char *x509_usage[]={
"usage: x509 args\n",
" -inform arg - input format - default PEM (one of DER, NET or PEM)\n",
-" -outform arg - output format - default PEM (one of DER, NET or PEM\n",
+" -outform arg - output format - default PEM (one of DER, NET or PEM)\n",
" -keyform arg - private key format - default PEM\n",
" -CAform arg - CA format - default PEM\n",
" -CAkeyform arg - CA key format - default PEM\n",
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
+" -passin arg - private key password source\n",
" -serial - print serial number value\n",
" -hash - print hash value\n",
" -subject - print subject DN\n",
" -issuer - print issuer DN\n",
" -startdate - notBefore field\n",
" -enddate - notAfter field\n",
+" -purpose - print out certificate purposes\n",
" -dates - both Before and After dates\n",
" -modulus - print the RSA key modulus\n",
+" -pubkey - output the public key\n",
" -fingerprint - print the certificate fingerprint\n",
+" -alias - output certificate alias\n",
" -noout - no certificate output\n",
-
+" -trustout - output a \"trusted\" certificate\n",
+" -clrtrust - clear all trusted purposes\n",
+" -clrreject - clear all rejected purposes\n",
+" -addtrust arg - trust certificate for a given purpose\n",
+" -addreject arg - reject certificate for a given purpose\n",
+" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
" -x509toreq - output a certification request object\n",
" -req - input is a certificate request, sign and output.\n",
" -CA arg - set the CA certificate, must be PEM format.\n",
" -CAkey arg - set the CA key, must be PEM format\n",
-" missing, it is asssumed to be in the CA file.\n",
+" missing, it is assumed to be in the CA file.\n",
" -CAcreateserial - create serial number file if it does not exist\n",
" -CAserial - serial file\n",
-" -text - print the certitificate in text form\n",
+" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
-" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
+" -md2/-md5/-sha1/-mdc2 - digest to use\n",
+" -extfile - configuration file with X509V3 extensions to add\n",
+" -extensions - section from config file with X509V3 extensions to add\n",
+" -crlext - delete extensions before signing and input certificate\n",
NULL
};
-#ifndef NOPROTO
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static EVP_PKEY *load_key(char *file, int format);
+static EVP_PKEY *load_key(char *file, int format, char *passin);
static X509 *load_cert(char *file, int format);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,EVP_MD *digest);
-static int x509_certify (X509_STORE *ctx,char *CAfile, EVP_MD *digest,X509 *x,
- X509 *xca, EVP_PKEY *pkey,char *serial, int create, int days);
-#else
-static int MS_CALLBACK callb();
-static EVP_PKEY *load_key();
-static X509 *load_cert();
-static int sign ();
-static int x509_certify ();
-#endif
-
+static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
+ LHASH *conf, char *section);
+static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
+ X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
+ int create,int days, int clrext, LHASH *conf, char *section);
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile=0;
-int MAIN(argc, argv)
-int argc;
-char **argv;
+int MAIN(int, char **);
+
+int MAIN(int argc, char **argv)
{
int ret=1;
X509_REQ *req=NULL;
X509 *x=NULL,*xca=NULL;
+ ASN1_OBJECT *objtmp;
EVP_PKEY *Upkey=NULL,*CApkey=NULL;
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
+ STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
+ char *alias=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+ int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
- int x509req=0,days=DEF_DAYS,modulus=0;
+ int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+ int pprint = 0;
char **pp;
X509_STORE *ctx=NULL;
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
- EVP_MD *md_alg,*digest=EVP_md5();
+ const EVP_MD *md_alg,*digest=EVP_md5();
+ LHASH *extconf = NULL;
+ char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
+ int need_rand = 0;
reqfile=0;
keyformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-req") == 0)
+ {
reqfile=1;
+ need_rand = 1;
+ }
else if (strcmp(*argv,"-CAform") == 0)
{
if (--argc < 1) goto bad;
days=atoi(*(++argv));
if (days == 0)
{
- BIO_printf(bio_err,"bad number of days\n");
+ BIO_printf(STDout,"bad number of days\n");
goto bad;
}
}
+ else if (strcmp(*argv,"-passin") == 0)
+ {
+ if (--argc < 1) goto bad;
+ passargin= *(++argv);
+ }
+ else if (strcmp(*argv,"-extfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ extfile= *(++argv);
+ }
+ else if (strcmp(*argv,"-extensions") == 0)
+ {
+ if (--argc < 1) goto bad;
+ extsect= *(++argv);
+ }
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
keyfile= *(++argv);
sign_flag= ++num;
+ need_rand = 1;
}
else if (strcmp(*argv,"-CA") == 0)
{
if (--argc < 1) goto bad;
CAfile= *(++argv);
CA_flag= ++num;
+ need_rand = 1;
}
else if (strcmp(*argv,"-CAkey") == 0)
{
if (--argc < 1) goto bad;
CAserial= *(++argv);
}
+ else if (strcmp(*argv,"-addtrust") == 0)
+ {
+ if (--argc < 1) goto bad;
+ if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+ BIO_printf(bio_err,
+ "Invalid trust object value %s\n", *argv);
+ goto bad;
+ }
+ if(!trust) trust = sk_ASN1_OBJECT_new_null();
+ sk_ASN1_OBJECT_push(trust, objtmp);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-addreject") == 0)
+ {
+ if (--argc < 1) goto bad;
+ if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+ BIO_printf(bio_err,
+ "Invalid reject object value %s\n", *argv);
+ goto bad;
+ }
+ if(!reject) reject = sk_ASN1_OBJECT_new_null();
+ sk_ASN1_OBJECT_push(reject, objtmp);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
+ else if (strcmp(*argv,"-setalias") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alias= *(++argv);
+ trustout = 1;
+ }
else if (strcmp(*argv,"-C") == 0)
C= ++num;
else if (strcmp(*argv,"-serial") == 0)
serial= ++num;
else if (strcmp(*argv,"-modulus") == 0)
modulus= ++num;
+ else if (strcmp(*argv,"-pubkey") == 0)
+ pubkey= ++num;
else if (strcmp(*argv,"-x509toreq") == 0)
x509req= ++num;
else if (strcmp(*argv,"-text") == 0)
startdate= ++num;
enddate= ++num;
}
+ else if (strcmp(*argv,"-purpose") == 0)
+ pprint= ++num;
else if (strcmp(*argv,"-startdate") == 0)
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
+ else if (strcmp(*argv,"-trustout") == 0)
+ trustout= 1;
+ else if (strcmp(*argv,"-clrtrust") == 0)
+ clrtrust= ++num;
+ else if (strcmp(*argv,"-clrreject") == 0)
+ clrreject= ++num;
+ else if (strcmp(*argv,"-alias") == 0)
+ aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
- else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ else if (strcmp(*argv,"-crlext") == 0)
+ clrext = 1;
+ else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
goto end;
}
+ if (need_rand)
+ app_RAND_load_file(NULL, bio_err, 0);
+
ERR_load_crypto_strings();
+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+ BIO_printf(bio_err, "Error getting password\n");
+ goto end;
+ }
+
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
goto end;
}
+ if (extfile) {
+ long errorline;
+ X509V3_CTX ctx2;
+ if (!(extconf=CONF_load(NULL,extfile,&errorline))) {
+ if (errorline <= 0)
+ BIO_printf(bio_err,
+ "error loading the config file '%s'\n",
+ extfile);
+ else
+ BIO_printf(bio_err,
+ "error on line %ld of config file '%s'\n"
+ ,errorline,extfile);
+ goto end;
+ }
+ if(!extsect && !(extsect = CONF_get_string(extconf, "default",
+ "extensions"))) extsect = "default";
+ X509V3_set_ctx_test(&ctx2);
+ X509V3_set_conf_lhash(&ctx2, extconf);
+ if(!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n",
+ extsect);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+
if (reqfile)
{
EVP_PKEY *pkey;
goto end;
}
}
- req=PEM_read_bio_X509_REQ(in,NULL,NULL);
+ req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
BIO_free(in);
if (req == NULL) { perror(infile); goto end; }
goto end;
}
i=X509_REQ_verify(req,pkey);
+ EVP_PKEY_free(pkey);
if (i < 0)
{
BIO_printf(bio_err,"Signature verification error\n");
X509_gmtime_adj(X509_get_notBefore(x),0);
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
- X509_PUBKEY_free(ci->key);
- ci->key=req->req_info->pubkey;
- req->req_info->pubkey=NULL;
+ pkey = X509_REQ_get_pubkey(req);
+ X509_set_pubkey(x,pkey);
+ EVP_PKEY_free(pkey);
}
else
x=load_cert(infile,informat);
}
}
+ if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
+
+ if(clrtrust) X509_trust_clear(x);
+ if(clrreject) X509_reject_clear(x);
+
+ if(trust) {
+ for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+ objtmp = sk_ASN1_OBJECT_value(trust, i);
+ X509_add1_trust_object(x, objtmp);
+ }
+ }
+
+ if(reject) {
+ for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+ objtmp = sk_ASN1_OBJECT_value(reject, i);
+ X509_add1_reject_object(x, objtmp);
+ }
+ }
+
if (num)
{
for (i=1; i<=num; i++)
{
X509_NAME_oneline(X509_get_issuer_name(x),
buf,256);
- fprintf(stdout,"issuer= %s\n",buf);
+ BIO_printf(STDout,"issuer= %s\n",buf);
}
else if (subject == i)
{
X509_NAME_oneline(X509_get_subject_name(x),
buf,256);
- fprintf(stdout,"subject=%s\n",buf);
+ BIO_printf(STDout,"subject=%s\n",buf);
}
else if (serial == i)
{
- fprintf(stdout,"serial=");
+ BIO_printf(STDout,"serial=");
i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
- fprintf(stdout,"\n");
+ BIO_printf(STDout,"\n");
+ }
+ else if (aliasout == i)
+ {
+ unsigned char *alstr;
+ alstr = X509_alias_get0(x, NULL);
+ if(alstr) BIO_printf(STDout,"%s\n", alstr);
+ else BIO_puts(STDout,"<No Alias>\n");
}
else if (hash == i)
{
- fprintf(stdout,"%08lx\n",
- X509_subject_name_hash(x));
+ BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
+ }
+ else if (pprint == i)
+ {
+ X509_PURPOSE *ptmp;
+ int j;
+ BIO_printf(STDout, "Certificate purposes:\n");
+ for(j = 0; j < X509_PURPOSE_get_count(); j++)
+ {
+ ptmp = X509_PURPOSE_get0(j);
+ purpose_print(STDout, x, ptmp);
+ }
}
else
-#ifndef NO_RSA
if (modulus == i)
{
EVP_PKEY *pkey;
pkey=X509_get_pubkey(x);
if (pkey == NULL)
{
- fprintf(stdout,"Modulus=unavailable\n");
+ BIO_printf(bio_err,"Modulus=unavailable\n");
ERR_print_errors(bio_err);
goto end;
}
- fprintf(stdout,"Modulus=");
+ BIO_printf(STDout,"Modulus=");
+#ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA)
BN_print(STDout,pkey->pkey.rsa->n);
else
- fprintf(stdout,"Wrong Algorithm type");
- fprintf(stdout,"\n");
+#endif
+#ifndef NO_DSA
+ if (pkey->type == EVP_PKEY_DSA)
+ BN_print(STDout,pkey->pkey.dsa->pub_key);
+ else
+#endif
+ BIO_printf(STDout,"Wrong Algorithm type");
+ BIO_printf(STDout,"\n");
+ EVP_PKEY_free(pkey);
+ }
+ else
+ if (pubkey == i)
+ {
+ EVP_PKEY *pkey;
+
+ pkey=X509_get_pubkey(x);
+ if (pkey == NULL)
+ {
+ BIO_printf(bio_err,"Error getting public key\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ PEM_write_bio_PUBKEY(STDout, pkey);
+ EVP_PKEY_free(pkey);
}
else
-#endif
if (C == i)
{
unsigned char *d;
X509_NAME_oneline(X509_get_subject_name(x),
buf,256);
- printf("/* subject:%s */\n",buf);
+ BIO_printf(STDout,"/* subject:%s */\n",buf);
m=X509_NAME_oneline(
X509_get_issuer_name(x),buf,256);
- printf("/* issuer :%s */\n",buf);
+ BIO_printf(STDout,"/* issuer :%s */\n",buf);
z=i2d_X509(x,NULL);
m=Malloc(z);
d=(unsigned char *)m;
z=i2d_X509_NAME(X509_get_subject_name(x),&d);
- printf("unsigned char XXX_subject_name[%d]={\n",z);
+ BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
- printf("0x%02X,",d[y]);
- if ((y & 0x0f) == 0x0f) printf("\n");
+ BIO_printf(STDout,"0x%02X,",d[y]);
+ if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
}
- if (y%16 != 0) printf("\n");
- printf("};\n");
+ if (y%16 != 0) BIO_printf(STDout,"\n");
+ BIO_printf(STDout,"};\n");
z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
- printf("unsigned char XXX_public_key[%d]={\n",z);
+ BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
- printf("0x%02X,",d[y]);
- if ((y & 0x0f) == 0x0f) printf("\n");
+ BIO_printf(STDout,"0x%02X,",d[y]);
+ if ((y & 0x0f) == 0x0f)
+ BIO_printf(STDout,"\n");
}
- if (y%16 != 0) printf("\n");
- printf("};\n");
+ if (y%16 != 0) BIO_printf(STDout,"\n");
+ BIO_printf(STDout,"};\n");
z=i2d_X509(x,&d);
- printf("unsigned char XXX_certificate[%d]={\n",z);
+ BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
d=(unsigned char *)m;
for (y=0; y<z; y++)
{
- printf("0x%02X,",d[y]);
- if ((y & 0x0f) == 0x0f) printf("\n");
+ BIO_printf(STDout,"0x%02X,",d[y]);
+ if ((y & 0x0f) == 0x0f)
+ BIO_printf(STDout,"\n");
}
- if (y%16 != 0) printf("\n");
- printf("};\n");
+ if (y%16 != 0) BIO_printf(STDout,"\n");
+ BIO_printf(STDout,"};\n");
Free(m);
}
else if (startdate == i)
{
BIO_puts(STDout,"notBefore=");
- ASN1_UTCTIME_print(STDout,X509_get_notBefore(x));
+ ASN1_TIME_print(STDout,X509_get_notBefore(x));
BIO_puts(STDout,"\n");
}
else if (enddate == i)
{
BIO_puts(STDout,"notAfter=");
- ASN1_UTCTIME_print(STDout,X509_get_notAfter(x));
+ ASN1_TIME_print(STDout,X509_get_notAfter(x));
BIO_puts(STDout,"\n");
}
else if (fingerprint == i)
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- if (!X509_digest(x,EVP_md5(),md,&n))
+ if (!X509_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
- fprintf(stdout,"MD5 Fingerprint=");
+ BIO_printf(STDout,"%s Fingerprint=",
+ OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
- fprintf(stdout,"%02X%c",md[j],
+ BIO_printf(STDout,"%02X%c",md[j],
(j+1 == (int)n)
?'\n':':');
}
BIO_printf(bio_err,"Getting Private key\n");
if (Upkey == NULL)
{
- Upkey=load_key(keyfile,keyformat);
+ Upkey=load_key(keyfile,keyformat, passin);
if (Upkey == NULL) goto end;
}
#ifndef NO_DSA
digest=EVP_dss1();
#endif
- if (!sign(x,Upkey,days,digest)) goto end;
+ assert(need_rand);
+ if (!sign(x,Upkey,days,clrext,digest,
+ extconf, extsect)) goto end;
}
else if (CA_flag == i)
{
BIO_printf(bio_err,"Getting CA Private Key\n");
if (CAkeyfile != NULL)
{
- CApkey=load_key(CAkeyfile,CAkeyformat);
+ CApkey=load_key(CAkeyfile,CAkeyformat, passin);
if (CApkey == NULL) goto end;
}
#ifndef NO_DSA
if (CApkey->type == EVP_PKEY_DSA)
digest=EVP_dss1();
#endif
+
+ assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey,
- CAserial,CA_createserial,days))
+ CApkey, CAserial,CA_createserial,days, clrext,
+ extconf, extsect))
goto end;
}
else if (x509req == i)
}
else
{
- pk=load_key(keyfile,FORMAT_PEM);
+ pk=load_key(keyfile,FORMAT_PEM, passin);
if (pk == NULL) goto end;
}
BIO_printf(bio_err,"Generating certificate request\n");
- rq=X509_to_X509_REQ(x,pk,EVP_md5());
+ if (pk->type == EVP_PKEY_DSA)
+ digest=EVP_dss1();
+
+ rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
if (outformat == FORMAT_ASN1)
i=i2d_X509_bio(out,x);
- else if (outformat == FORMAT_PEM)
- i=PEM_write_bio_X509(out,x);
- else if (outformat == FORMAT_NETSCAPE)
+ else if (outformat == FORMAT_PEM) {
+ if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+ else i=PEM_write_bio_X509(out,x);
+ } else if (outformat == FORMAT_NETSCAPE)
{
ASN1_HEADER ah;
ASN1_OCTET_STRING os;
}
ret=0;
end:
+ if (need_rand)
+ app_RAND_write_file(NULL, bio_err);
OBJ_cleanup();
- if (out != NULL) BIO_free(out);
- if (STDout != NULL) BIO_free(STDout);
- if (ctx != NULL) X509_STORE_free(ctx);
- if (req != NULL) X509_REQ_free(req);
- if (x != NULL) X509_free(x);
- if (xca != NULL) X509_free(xca);
- if (Upkey != NULL) EVP_PKEY_free(Upkey);
- if (CApkey != NULL) EVP_PKEY_free(CApkey);
- if (rq != NULL) X509_REQ_free(rq);
+ CONF_free(extconf);
+ BIO_free(out);
+ BIO_free(STDout);
+ X509_STORE_free(ctx);
+ X509_REQ_free(req);
+ X509_free(x);
+ X509_free(xca);
+ EVP_PKEY_free(Upkey);
+ EVP_PKEY_free(CApkey);
+ X509_REQ_free(rq);
+ sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
+ sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
+ if(passin) Free(passin);
EXIT(ret);
}
-static int x509_certify(ctx,CAfile,digest,x,xca,pkey,serialfile,create,days)
-X509_STORE *ctx;
-char *CAfile;
-EVP_MD *digest;
-X509 *x;
-X509 *xca;
-EVP_PKEY *pkey;
-char *serialfile;
-int create;
-int days;
+static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
+ X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
+ int days, int clrext, LHASH *conf, char *section)
{
int ret=0;
BIO *io=NULL;
X509_STORE_CTX xsc;
EVP_PKEY *upkey;
- EVP_PKEY_copy_parameters(X509_get_pubkey(xca),pkey);
+ upkey = X509_get_pubkey(xca);
+ EVP_PKEY_copy_parameters(upkey,pkey);
+ EVP_PKEY_free(upkey);
X509_STORE_CTX_init(&xsc,ctx,x,NULL);
- buf=(char *)Malloc(EVP_PKEY_size(pkey)*2+
+ buf=Malloc(EVP_PKEY_size(pkey)*2+
((serialfile == NULL)
?(strlen(CAfile)+strlen(POSTFIX)+1)
:(strlen(serialfile)))+1);
}
else
{
- ASN1_INTEGER_set(bs,0);
- BN_zero(serial);
+ ASN1_INTEGER_set(bs,1);
+ BN_one(serial);
}
}
else
if (!reqfile && !X509_verify_cert(&xsc))
goto end;
+ if (!X509_check_private_key(xca,pkey))
+ {
+ BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
+ goto end;
+ }
+
if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
if (!X509_set_serialNumber(x,bs)) goto end;
if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
goto end;
- /* don't save DSA parameters in child if parent has them
- * and the parents and the childs are the same. */
- upkey=X509_get_pubkey(x);
- if (!EVP_PKEY_missing_parameters(pkey) &&
- (EVP_PKEY_cmp_parameters(pkey,upkey) == 0))
- {
- EVP_PKEY_save_parameters(upkey,0);
- /* Force a re-write */
- X509_set_pubkey(x,upkey);
- }
+ if(clrext) {
+ while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+ }
+
+ if(conf) {
+ X509V3_CTX ctx2;
+ X509_set_version(x,2); /* version 3 certificate */
+ X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
+ X509V3_set_conf_lhash(&ctx2, conf);
+ if(!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
+ }
if (!X509_sign(x,pkey,digest)) goto end;
ret=1;
return(ret);
}
-static int MS_CALLBACK callb(ok, ctx)
-int ok;
-X509_STORE_CTX *ctx;
+static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
{
char buf[256];
int err;
* DEPTH_ZERO_SELF_.... */
if (ok)
{
- printf("error with certificate to be certified - should be self signed\n");
+ BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
return(0);
}
else
{
err_cert=X509_STORE_CTX_get_current_cert(ctx);
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
- printf("%s\n",buf);
- printf("error with certificate - error %d at depth %d\n%s\n",
+ BIO_printf(bio_err,"%s\n",buf);
+ BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
err,X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(err));
return(1);
}
}
-static EVP_PKEY *load_key(file, format)
-char *file;
-int format;
+static EVP_PKEY *load_key(char *file, int format, char *passin)
{
BIO *key=NULL;
EVP_PKEY *pkey=NULL;
perror(file);
goto end;
}
-#ifndef NO_RSA
- if (format == FORMAT_ASN1)
+ if (format == FORMAT_ASN1)
{
- RSA *rsa;
-
- rsa=d2i_RSAPrivateKey_bio(key,NULL);
- if (rsa != NULL)
- {
- if ((pkey=EVP_PKEY_new()) != NULL)
- EVP_PKEY_assign_RSA(pkey,rsa);
- else
- RSA_free(rsa);
- }
+ pkey=d2i_PrivateKey_bio(key, NULL);
}
- else
-#endif
- if (format == FORMAT_PEM)
+ else if (format == FORMAT_PEM)
{
- pkey=PEM_read_bio_PrivateKey(key,NULL,NULL);
+ pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
}
else
{
return(pkey);
}
-static X509 *load_cert(file, format)
-char *file;
-int format;
+static X509 *load_cert(char *file, int format)
{
ASN1_HEADER *ah=NULL;
BUF_MEM *buf=NULL;
ah->data=NULL;
}
else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509(cert,NULL,NULL);
+ x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
else {
BIO_printf(bio_err,"bad input format specified for input cert\n");
goto end;
}
/* self sign */
-static int sign(x, pkey, days, digest)
-X509 *x;
-EVP_PKEY *pkey;
-int days;
-EVP_MD *digest;
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
+ LHASH *conf, char *section)
{
- EVP_PKEY_copy_parameters(X509_get_pubkey(x),pkey);
- EVP_PKEY_save_parameters(X509_get_pubkey(x),1);
+ EVP_PKEY *pktmp;
+
+ pktmp = X509_get_pubkey(x);
+ EVP_PKEY_copy_parameters(pktmp,pkey);
+ EVP_PKEY_save_parameters(pktmp,1);
+ EVP_PKEY_free(pktmp);
if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
goto err;
if (!X509_set_pubkey(x,pkey)) goto err;
+ if(clrext) {
+ while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+ }
+ if(conf) {
+ X509V3_CTX ctx;
+ X509_set_version(x,2); /* version 3 certificate */
+ X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
+ X509V3_set_conf_lhash(&ctx, conf);
+ if(!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
+ }
if (!X509_sign(x,pkey,digest)) goto err;
return(1);
err:
ERR_print_errors(bio_err);
return(0);
}
+
+static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
+{
+ int id, i, idret;
+ char *pname;
+ id = X509_PURPOSE_get_id(pt);
+ pname = X509_PURPOSE_get0_name(pt);
+ for(i = 0; i < 2; i++) {
+ idret = X509_check_purpose(cert, id, i);
+ BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
+ if(idret == 1) BIO_printf(bio, "Yes\n");
+ else if (idret == 0) BIO_printf(bio, "No\n");
+ else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
+ }
+ return 1;
+}
+
+
+
projects / openssl.git / blobdiff