X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fca.c;h=26c077858f6f723ebb1e9b0c5583bf820597aa5d;hp=976f6bb5f00c8416d4a383e00219fb64e72cb2fa;hb=c1f15b76ef13823ddd1f006ba75128c369eca067;hpb=9590da2cd67ae23588568c57556d6140fb86f892 diff --git a/apps/ca.c b/apps/ca.c index 976f6bb5f0..26c077858f 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1,14 +1,11 @@ /* - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ - -/* The PPKI stuff has been donated by Jeff Barber */ - #include #include #include @@ -35,6 +32,7 @@ #endif #include "apps.h" +#include "progs.h" #ifndef W_OK # define F_OK 0 @@ -45,11 +43,6 @@ #ifndef PATH_MAX # define PATH_MAX 4096 #endif -#ifndef NAME_MAX -# define NAME_MAX 255 -#endif - -#define CERT_MAX (PATH_MAX + NAME_MAX) #define BASE_SECTION "ca" @@ -253,10 +246,11 @@ int ca_main(int argc, char **argv) const char *serialfile = NULL, *subj = NULL; char *prog, *startdate = NULL, *enddate = NULL; char *dbfile = NULL, *f; - char new_cert[CERT_MAX + 1]; + char new_cert[PATH_MAX]; char tmp[10 + 1] = "\0"; char *const *pp; const char *p; + size_t outdirlen = 0; int create_ser = 0, free_key = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; @@ -269,8 +263,6 @@ int ca_main(int argc, char **argv) X509_REVOKED *r = NULL; OPTION_CHOICE o; - new_cert[CERT_MAX] = '\0'; - prog = opt_init(argc, argv, ca_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { @@ -359,8 +351,7 @@ opthelp: case OPT_SIGOPT: if (sigopts == NULL) sigopts = sk_OPENSSL_STRING_new_null(); - if (sigopts == NULL - || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) goto end; break; case OPT_NOTEXT: @@ -424,7 +415,7 @@ opthelp: case OPT_CRLEXTS: crl_ext = opt_arg(); break; - case OPT_CRL_REASON: /* := REV_CRL_REASON */ + case OPT_CRL_REASON: /* := REV_CRL_REASON */ case OPT_CRL_HOLD: case OPT_CRL_COMPROMISE: case OPT_CRL_CA_COMPROMISE: @@ -452,30 +443,23 @@ end_of_options: && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL) goto end; - if (conf != NULL) { - p = NCONF_get_string(conf, NULL, "oid_file"); - if (p == NULL) - ERR_clear_error(); - if (p != NULL) { - BIO *oid_bio; + p = NCONF_get_string(conf, NULL, "oid_file"); + if (p == NULL) + ERR_clear_error(); + if (p != NULL) { + BIO *oid_bio = BIO_new_file(p, "r"); - oid_bio = BIO_new_file(p, "r"); - if (oid_bio == NULL) { - /*- - BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); - ERR_print_errors(bio_err); - */ - ERR_clear_error(); - } else { - OBJ_create_objects(oid_bio); - BIO_free(oid_bio); - } - } - if (!add_oid_section(conf)) { - ERR_print_errors(bio_err); - goto end; + if (oid_bio == NULL) { + ERR_clear_error(); + } else { + OBJ_create_objects(oid_bio); + BIO_free(oid_bio); } } + if (!add_oid_section(conf)) { + ERR_print_errors(bio_err); + goto end; + } app_RAND_load_conf(conf, BASE_SECTION); @@ -680,6 +664,10 @@ end_of_options: goto end; } } + if (pp[DB_name][0] == '\0') { + BIO_printf(bio_err, "entry %d: bad Subject\n", i + 1); + goto end; + } } if (verbose) { TXT_DB_write(bio_out, db->db); @@ -712,8 +700,7 @@ end_of_options: goto end; if (verbose) - BIO_printf(bio_err, - "Done. %d entries marked as expired\n", i); + BIO_printf(bio_err, "Done. %d entries marked as expired\n", i); } } @@ -745,8 +732,7 @@ end_of_options: goto end; } - if (md == NULL - && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) + if (md == NULL && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) goto end; if (strcmp(md, "default") == 0) { @@ -814,8 +800,7 @@ end_of_options: } if (startdate == NULL) { - startdate = NCONF_get_string(conf, section, - ENV_DEFAULT_STARTDATE); + startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE); if (startdate == NULL) ERR_clear_error(); } @@ -842,9 +827,8 @@ end_of_options: if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) days = 0; } - if (enddate == NULL && (days == 0)) { - BIO_printf(bio_err, - "cannot lookup how many days to certify for\n"); + if (enddate == NULL && days == 0) { + BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); goto end; } @@ -975,8 +959,7 @@ end_of_options: (void)BIO_flush(bio_err); tmp[0] = '\0'; if (fgets(tmp, sizeof(tmp), stdin) == NULL) { - BIO_printf(bio_err, - "CERTIFICATION CANCELED: I/O error\n"); + BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); ret = 0; goto end; } @@ -998,37 +981,34 @@ end_of_options: goto end; } + outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert)); +#ifndef OPENSSL_SYS_VMS + outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); +#endif + if (verbose) BIO_printf(bio_err, "writing new certificates\n"); + for (i = 0; i < sk_X509_num(cert_sk); i++) { BIO *Cout = NULL; X509 *xi = sk_X509_value(cert_sk, i); ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi); - int k; - char *n; - - j = ASN1_STRING_length(serialNumber); - p = (const char *)ASN1_STRING_get0_data(serialNumber); + const unsigned char *psn = ASN1_STRING_get0_data(serialNumber); + const int snl = ASN1_STRING_length(serialNumber); + const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem"); + char *n = new_cert + outdirlen; - if (strlen(outdir) >= (size_t)(j ? CERT_MAX - j * 2 - 6 : CERT_MAX - 8)) { + if (outdirlen + filen_len > PATH_MAX) { BIO_printf(bio_err, "certificate file name too long\n"); goto end; } - strcpy(new_cert, outdir); -#ifndef OPENSSL_SYS_VMS - OPENSSL_strlcat(new_cert, "/", sizeof(new_cert)); -#endif + if (snl > 0) { + static const char HEX_DIGITS[] = "0123456789ABCDEF"; - n = (char *)&(new_cert[strlen(new_cert)]); - if (j > 0) { - for (k = 0; k < j; k++) { - if (n >= &(new_cert[sizeof(new_cert)])) - break; - BIO_snprintf(n, - &new_cert[0] + sizeof(new_cert) - n, - "%02X", (unsigned char)*(p++)); - n += 2; + for (j = 0; j < snl; j++, psn++) { + *n++ = HEX_DIGITS[*psn >> 4]; + *n++ = HEX_DIGITS[*psn & 0x0F]; } } else { *(n++) = '0'; @@ -1038,7 +1018,7 @@ end_of_options: *(n++) = 'p'; *(n++) = 'e'; *(n++) = 'm'; - *n = '\0'; + *n = '\0'; /* closing new_cert */ if (verbose) BIO_printf(bio_err, "writing %s\n", new_cert); @@ -1079,8 +1059,7 @@ end_of_options: X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { BIO_printf(bio_err, - "Error Loading CRL extension section %s\n", - crl_ext); + "Error Loading CRL extension section %s\n", crl_ext); ret = 1; goto end; } @@ -1116,13 +1095,13 @@ end_of_options: goto end; tmptm = ASN1_TIME_new(); - if (tmptm == NULL) - goto end; - X509_gmtime_adj(tmptm, 0); - X509_CRL_set1_lastUpdate(crl, tmptm); - if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, - NULL)) { + if (tmptm == NULL + || X509_gmtime_adj(tmptm, 0) == NULL + || !X509_CRL_set1_lastUpdate(crl, tmptm) + || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, + NULL) == NULL) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); + ASN1_TIME_free(tmptm); goto end; } X509_CRL_set1_nextUpdate(crl, tmptm); @@ -1254,7 +1233,7 @@ end_of_options: NCONF_free(conf); NCONF_free(extconf); release_engine(e); - return (ret); + return ret; } static char *lookup_conf(const CONF *conf, const char *section, const char *tag) @@ -1331,7 +1310,7 @@ static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, end: X509_REQ_free(req); BIO_free(in); - return (ok); + return ok; } static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, @@ -1384,7 +1363,7 @@ static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x end: X509_REQ_free(rreq); X509_free(req); - return (ok); + return ok; } static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, @@ -1396,8 +1375,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, CONF *lconf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy, int selfsign) { - X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = - NULL; + X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL; const ASN1_TIME *tm; ASN1_STRING *str, *str2; ASN1_OBJECT *obj; @@ -1427,10 +1405,13 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } if (default_op) - BIO_printf(bio_err, - "The Subject's Distinguished Name is as follows\n"); + BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n"); name = X509_REQ_get_subject_name(req); + if (X509_NAME_entry_count(name) == 0) { + BIO_printf(bio_err, "Error: The supplied Subject is empty\n"); + goto end; + } for (i = 0; i < X509_NAME_entry_count(name); i++) { ne = X509_NAME_get_entry(name, i); str = X509_NAME_ENTRY_get_data(ne); @@ -1546,8 +1527,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((j < 0) && (last2 == -1)) { BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\n" - "the 'policy' is misconfigured\n", - cv->name); + "the 'policy' is misconfigured\n", cv->name); goto end; } if (j >= 0) { @@ -1594,6 +1574,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } + if (X509_NAME_entry_count(subject) == 0) { + BIO_printf(bio_err, + "Error: After applying policy the Subject is empty\n"); + goto end; + } + if (verbose) BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n"); @@ -1720,7 +1706,9 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (enddate != NULL) { int tdays; - ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret)); + + if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret))) + goto end; days = tdays; } @@ -1735,7 +1723,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; - X509_set_version(ret, 2); /* Initialize the context structure */ if (selfsign) @@ -1790,6 +1777,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } + { + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret); + + if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) + /* Make it an X509 v3 certificate. */ + if (!X509_set_version(ret, 2)) + goto end; + } + /* Set the right value for the noemailDN option */ if (email_dn == 0) { if (!X509_set_subject_name(ret, dn_subject)) @@ -1880,11 +1876,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, X509_free(ret); else *xret = ret; - return (ok); + return ok; } -static void write_new_certificate(BIO *bp, X509 *x, int output_der, - int notext) +static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext) { if (output_der) { @@ -2000,8 +1995,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, * Now extract the key from the SPKI structure. */ - BIO_printf(bio_err, - "Check that the SPKAC request matches the signature\n"); + BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n"); if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { BIO_printf(bio_err, "error unpacking SPKAC public key\n"); @@ -2029,7 +2023,7 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, NETSCAPE_SPKI_free(spki); X509_NAME_ENTRY_free(ne); - return (ok); + return ok; } static int check_time_format(const char *str) @@ -2135,7 +2129,7 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, end: for (i = 0; i < DB_NUMBER; i++) OPENSSL_free(row[i]); - return (ok); + return ok; } static int get_certificate_status(const char *serial, CA_DB *db) @@ -2202,7 +2196,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) for (i = 0; i < DB_NUMBER; i++) { OPENSSL_free(row[i]); } - return (ok); + return ok; } static int do_updatedb(CA_DB *db) @@ -2217,7 +2211,10 @@ static int do_updatedb(CA_DB *db) return -1; /* get actual time and make a string */ - a_tm = X509_gmtime_adj(a_tm, 0); + if (X509_gmtime_adj(a_tm, 0) == NULL) { + ASN1_UTCTIME_free(a_tm); + return -1; + } a_tm_s = app_malloc(a_tm->length + 1, "time string"); memcpy(a_tm_s, a_tm->data, a_tm->length); @@ -2260,7 +2257,7 @@ static int do_updatedb(CA_DB *db) ASN1_UTCTIME_free(a_tm); OPENSSL_free(a_tm_s); - return (cnt); + return cnt; } static const char *crl_reasons[] = { @@ -2541,8 +2538,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, hold = OBJ_txt2obj(arg_str, 0); if (!hold) { - BIO_printf(bio_err, "invalid object identifier %s\n", - arg_str); + BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); goto end; } if (phold)