X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Freq.c;h=a945610f92b938fbde87e69902798e7b8445b1a1;hp=f37616feffe910088fcc7133c87673389135eba2;hb=a31011e8e0ea18f1cc79d7eb53238768ae9369c6;hpb=bc4deee07a53228db7a8962519f05e904eb4b670 diff --git a/apps/req.c b/apps/req.c index f37616feff..a945610f92 100644 --- a/apps/req.c +++ b/apps/req.c @@ -64,15 +64,15 @@ #define APPS_WIN16 #endif #include "apps.h" -#include "bio.h" -#include "evp.h" -#include "rand.h" -#include "conf.h" -#include "err.h" -#include "asn1.h" -#include "x509.h" -#include "objects.h" -#include "pem.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include #define SECTION "req" @@ -80,6 +80,8 @@ #define KEYFILE "default_keyfile" #define DISTINGUISHED_NAME "distinguished_name" #define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" +#define REQ_EXTENSIONS "req_extensions" #define DEFAULT_KEY_LENGTH 512 #define MIN_KEY_LENGTH 384 @@ -105,22 +107,16 @@ * require. This format is wrong */ -#ifndef NOPROTO static int make_REQ(X509_REQ *req,EVP_PKEY *pkey,int attribs); -static int add_attribute_object(STACK *n, char *text, char *def, - char *value, int nid,int min,int max); +static int add_attribute_object(STACK_OF(X509_ATTRIBUTE) *n, char *text, + char *def, char *value, int nid, int min, + int max); static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, int nid,int min,int max); -static void MS_CALLBACK req_cb(int p,int n,char *arg); +static void MS_CALLBACK req_cb(int p,int n,void *arg); static int req_fix_data(int nid,int *type,int len,int min,int max); -#else -static int make_REQ(); -static int add_attribute_object(); -static int add_DN_object(); -static void MS_CALLBACK req_cb(); -static int req_fix_data(); -#endif - +static int check_end(char *str, char *end); +static int add_oid_section(LHASH *conf); #ifndef MONOLITH static char *default_config_file=NULL; static LHASH *config=NULL; @@ -131,9 +127,7 @@ static LHASH *req_conf=NULL; #define TYPE_DSA 2 #define TYPE_DH 3 -int MAIN(argc, argv) -int argc; -char **argv; +int MAIN(int argc, char **argv) { #ifndef NO_DSA DSA *dsa_params=NULL; @@ -147,14 +141,17 @@ char **argv; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; + char *extensions = NULL; + char *req_exts = NULL; EVP_CIPHER *cipher=NULL; int modulus=0; char *p; - EVP_MD *md_alg=NULL,*digest=EVP_md5(); + const EVP_MD *md_alg=NULL,*digest=EVP_md5(); #ifndef MONOLITH MS_STATIC char config_name[256]; #endif + req_conf = NULL; #ifndef NO_DES cipher=EVP_des_ede3_cbc(); #endif @@ -247,21 +244,20 @@ char **argv; perror(p); goto end; } - if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL)) == NULL) + if ((dsa_params=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL) { ERR_clear_error(); - BIO_reset(in); - if ((xtmp=PEM_read_bio_X509(in,NULL,NULL)) == NULL) + (void)BIO_reset(in); + if ((xtmp=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) { BIO_printf(bio_err,"unable to load DSA parameters from file\n"); goto end; } - /* This will 'disapear' - * when we free xtmp */ dtmp=X509_get_pubkey(xtmp); if (dtmp->type == EVP_PKEY_DSA) dsa_params=DSAparams_dup(dtmp->pkey.dsa); + EVP_PKEY_free(dtmp); X509_free(xtmp); if (dsa_params == NULL) { @@ -314,8 +310,17 @@ char **argv; /* ok */ digest=md_alg; } + else if (strcmp(*argv,"-extensions") == 0) + { + if (--argc < 1) goto bad; + extensions = *(++argv); + } + else if (strcmp(*argv,"-reqexts") == 0) + { + if (--argc < 1) goto bad; + req_exts = *(++argv); + } else - { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; @@ -332,7 +337,7 @@ bad: BIO_printf(bio_err,"where options are\n"); BIO_printf(bio_err," -inform arg input format - one of DER TXT PEM\n"); BIO_printf(bio_err," -outform arg output format - one of DER TXT PEM\n"); - BIO_printf(bio_err," -in arg inout file\n"); + BIO_printf(bio_err," -in arg input file\n"); BIO_printf(bio_err," -out arg output file\n"); BIO_printf(bio_err," -text text form of request\n"); BIO_printf(bio_err," -noout do not output REQ\n"); @@ -346,17 +351,20 @@ bad: BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n"); BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2)\n"); - BIO_printf(bio_err," -config file request templace file.\n"); + BIO_printf(bio_err," -config file request template file.\n"); BIO_printf(bio_err," -new new request.\n"); BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n"); BIO_printf(bio_err," -days number of days a x509 generated by -x509 is valid for.\n"); BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n"); BIO_printf(bio_err," have been reported as requiring\n"); BIO_printf(bio_err," [ It is now always turned on but can be turned off with -no-asn1-kludge ]\n"); + BIO_printf(bio_err," -extensions .. specify certificate extension section (override value in config file)\n"); + BIO_printf(bio_err," -reqexts .. specify request extension section (override value in config file)\n"); goto end; } ERR_load_crypto_strings(); + X509V3_add_standard_extensions(); #ifndef MONOLITH /* Lets load up our environment a little */ @@ -366,7 +374,9 @@ bad: if (p == NULL) { strcpy(config_name,X509_get_default_cert_area()); - strcat(config_name,"/lib/"); +#ifndef VMS + strcat(config_name,"/"); +#endif strcat(config_name,OPENSSL_CONF); p=config_name; } @@ -419,6 +429,7 @@ bad: } } } + if(!add_oid_section(req_conf)) goto end; if ((md_alg == NULL) && ((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL)) @@ -427,6 +438,35 @@ bad: digest=md_alg; } + if(!extensions) + extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + if(extensions) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_conf_lhash(&ctx, req_conf); + if(!X509V3_EXT_add_conf(req_conf, &ctx, extensions, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extensions); + goto end; + } + } + + if(!req_exts) + req_exts = CONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); + if(req_exts) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_conf_lhash(&ctx, req_conf); + if(!X509V3_EXT_add_conf(req_conf, &ctx, req_exts, NULL)) { + BIO_printf(bio_err, + "Error Loading request extension section %s\n", + req_exts); + goto end; + } + } + in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) @@ -444,7 +484,7 @@ bad: rsa=d2i_RSAPrivateKey_bio(in,NULL); else */ if (keyform == FORMAT_PEM) - pkey=PEM_read_bio_PrivateKey(in,NULL,NULL); + pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for X509 request\n"); @@ -460,25 +500,9 @@ bad: if (newreq && (pkey == NULL)) { - char *randfile; - char buffer[200]; - - if ((randfile=CONF_get_string(req_conf,SECTION,"RANDFILE")) == NULL) - randfile=RAND_file_name(buffer,200); -#ifdef WINDOWS - BIO_printf(bio_err,"Loading 'screen' into random state -"); - BIO_flush(bio_err); - RAND_screen(); - BIO_printf(bio_err," done\n"); -#endif - if ((randfile == NULL) || !RAND_load_file(randfile,1024L*1024L)) - { - BIO_printf(bio_err,"unable to load 'random state'\n"); - BIO_printf(bio_err,"What this means is that the random number generator has not been seeded\n"); - BIO_printf(bio_err,"with much random data.\n"); - BIO_printf(bio_err,"Consider setting the RANDFILE environment variable to point at a file that\n"); - BIO_printf(bio_err,"'random' data can be kept in.\n"); - } + char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE"); + app_RAND_load_file(randfile, bio_err, 0); + if (newkey <= 0) { newkey=(int)CONF_get_number(req_conf,SECTION,BITS); @@ -502,7 +526,7 @@ bad: { if (!EVP_PKEY_assign_RSA(pkey, RSA_generate_key(newkey,0x10001, - req_cb,(char *)bio_err))) + req_cb,bio_err))) goto end; } else @@ -516,8 +540,7 @@ bad: } #endif - if ((randfile == NULL) || (RAND_write_file(randfile) == 0)) - BIO_printf(bio_err,"unable to write 'random state'\n"); + app_RAND_write_file(randfile, bio_err); if (pkey == NULL) goto end; @@ -549,7 +572,7 @@ bad: i=0; loop: if (!PEM_write_bio_PrivateKey(out,pkey,cipher, - NULL,0,NULL)) + NULL,0,NULL,NULL)) { if ((ERR_GET_REASON(ERR_peek_error()) == PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) @@ -583,7 +606,7 @@ loop: if (informat == FORMAT_ASN1) req=d2i_X509_REQ_bio(in,NULL); else if (informat == FORMAT_PEM) - req=PEM_read_bio_X509_REQ(in,NULL,NULL); + req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); else { BIO_printf(bio_err,"bad input format specified for X509 request\n"); @@ -628,12 +651,11 @@ loop: if (x509) { EVP_PKEY *tmppkey; + X509V3_CTX ext_ctx; if ((x509ss=X509_new()) == NULL) goto end; - /* don't set the version number, for starters - * the field is null and second, null is v0 - * if (!ASN1_INTEGER_set(ci->version,0L)) goto end; - */ + /* Set version to V3 */ + if(!X509_set_version(x509ss, 2)) goto end; ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L); X509_set_issuer_name(x509ss, @@ -647,11 +669,42 @@ loop: X509_set_pubkey(x509ss,tmppkey); EVP_PKEY_free(tmppkey); + /* Set up V3 context struct */ + + X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); + X509V3_set_conf_lhash(&ext_ctx, req_conf); + + /* Add extensions */ + if(extensions && !X509V3_EXT_add_conf(req_conf, + &ext_ctx, extensions, x509ss)) + { + BIO_printf(bio_err, + "Error Loading extension section %s\n", + extensions); + goto end; + } + if (!(i=X509_sign(x509ss,pkey,digest))) goto end; } else { + X509V3_CTX ext_ctx; + + /* Set up V3 context struct */ + + X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); + X509V3_set_conf_lhash(&ext_ctx, req_conf); + + /* Add extensions */ + if(req_exts && !X509V3_EXT_REQ_add_conf(req_conf, + &ext_ctx, req_exts, req)) + { + BIO_printf(bio_err, + "Error Loading extension section %s\n", + req_exts); + goto end; + } if (!(i=X509_REQ_sign(req,pkey,digest))) goto end; } @@ -777,29 +830,28 @@ end: ERR_print_errors(bio_err); } if ((req_conf != NULL) && (req_conf != config)) CONF_free(req_conf); - if (in != NULL) BIO_free(in); - if (out != NULL) BIO_free(out); - if (pkey != NULL) EVP_PKEY_free(pkey); - if (req != NULL) X509_REQ_free(req); - if (x509ss != NULL) X509_free(x509ss); + BIO_free(in); + BIO_free(out); + EVP_PKEY_free(pkey); + X509_REQ_free(req); + X509_free(x509ss); + X509V3_EXT_cleanup(); + OBJ_cleanup(); #ifndef NO_DSA if (dsa_params != NULL) DSA_free(dsa_params); #endif EXIT(ex); } -static int make_REQ(req,pkey,attribs) -X509_REQ *req; -EVP_PKEY *pkey; -int attribs; +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, int attribs) { - int ret=0,i,j; - unsigned char *p,*q; + int ret=0,i; + char *p,*q; X509_REQ_INFO *ri; char buf[100]; int nid,min,max; char *type,*def,*tmp,*value,*tmp_attr; - STACK *sk,*attr=NULL; + STACK_OF(CONF_VALUE) *sk, *attr=NULL; CONF_VALUE *v; tmp=CONF_get_string(req_conf,SECTION,DISTINGUISHED_NAME); @@ -842,53 +894,32 @@ int attribs; /* setup version number */ if (!ASN1_INTEGER_set(ri->version,0L)) goto err; /* version 1 */ - if (sk_num(sk)) + if (sk_CONF_VALUE_num(sk)) { i= -1; start: for (;;) { i++; - if ((int)sk_num(sk) <= i) break; + if (sk_CONF_VALUE_num(sk) <= i) break; - v=(CONF_VALUE *)sk_value(sk,i); + v=sk_CONF_VALUE_value(sk,i); p=q=NULL; type=v->name; - /* Allow for raw OIDs */ - /* [n.mm.ooo.ppp] */ - for (j=0; type[j] != '\0'; j++) - { - if ( (type[j] == ':') || - (type[j] == ',') || - (type[j] == '.')) - p=(unsigned char *)&(type[j+1]); - if (type[j] == '[') - { - p=(unsigned char *)&(type[j+1]); - for (j++; type[j] != '\0'; j++) - if (type[j] == ']') - { - q=(unsigned char *)&(type[j]); - break; - } + if(!check_end(type,"_min") || !check_end(type,"_max") || + !check_end(type,"_default") || + !check_end(type,"_value")) continue; + /* Skip past any leading X. X: X, etc to allow for + * multiple instances + */ + for(p = v->name; *p ; p++) + if ((*p == ':') || (*p == ',') || + (*p == '.')) { + p++; + if(*p) type = p; break; - } } - if (p != NULL) - type=(char *)p; - if ((nid=OBJ_txt2nid(type)) == NID_undef) - { - /* Add a new one if possible */ - if ((p != NULL) && (q != NULL) && (*q == ']')) - { - *q='\0'; - nid=OBJ_create((char *)p,NULL,NULL); - *q=']'; - if (nid == NID_undef) goto start; - } - else - goto start; - } - + /* If OBJ not recognised ignore it */ + if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; sprintf(buf,"%s_default",v->name); if ((def=CONF_get_string(req_conf,tmp,buf)) == NULL) def=""; @@ -907,7 +938,7 @@ start: for (;;) min,max)) goto err; } - if (sk_num(ri->subject->entries) == 0) + if (sk_X509_NAME_ENTRY_num(ri->subject->entries) == 0) { BIO_printf(bio_err,"error, no objects specified in config file\n"); goto err; @@ -915,7 +946,7 @@ start: for (;;) if (attribs) { - if ((attr != NULL) && (sk_num(attr) > 0)) + if ((attr != NULL) && (sk_CONF_VALUE_num(attr) > 0)) { BIO_printf(bio_err,"\nPlease enter the following 'extra' attributes\n"); BIO_printf(bio_err,"to be sent with your certificate request\n"); @@ -925,10 +956,11 @@ start: for (;;) start2: for (;;) { i++; - if ((attr == NULL) || ((int)sk_num(attr) <= i)) + if ((attr == NULL) || + (sk_CONF_VALUE_num(attr) <= i)) break; - v=(CONF_VALUE *)sk_value(attr,i); + v=sk_CONF_VALUE_value(attr,i); type=v->name; if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start2; @@ -968,21 +1000,15 @@ err: return(ret); } -static int add_DN_object(n,text,def,value,nid,min,max) -X509_NAME *n; -char *text; -char *def; -char *value; -int nid; -int min; -int max; +static int add_DN_object(X509_NAME *n, char *text, char *def, char *value, + int nid, int min, int max) { int i,j,ret=0; X509_NAME_ENTRY *ne=NULL; MS_STATIC char buf[1024]; BIO_printf(bio_err,"%s [%s]:",text,def); - BIO_flush(bio_err); + (void)BIO_flush(bio_err); if (value != NULL) { strcpy(buf,value); @@ -1016,6 +1042,9 @@ int max; j=ASN1_PRINTABLE_type((unsigned char *)buf,-1); if (req_fix_data(nid,&j,i,min,max) == 0) goto err; +#ifdef CHARSET_EBCDIC + ebcdic2ascii(buf, buf, i); +#endif if ((ne=X509_NAME_ENTRY_create_by_NID(NULL,nid,j,(unsigned char *)buf, strlen(buf))) == NULL) goto err; @@ -1028,14 +1057,9 @@ err: return(ret); } -static int add_attribute_object(n,text,def,value,nid,min,max) -STACK *n; -char *text; -char *def; -char *value; -int nid; -int min; -int max; +static int add_attribute_object(STACK_OF(X509_ATTRIBUTE) *n, char *text, + char *def, char *value, int nid, int min, + int max) { int i,z; X509_ATTRIBUTE *xa=NULL; @@ -1045,7 +1069,7 @@ int max; start: BIO_printf(bio_err,"%s [%s]:",text,def); - BIO_flush(bio_err); + (void)BIO_flush(bio_err); if (value != NULL) { strcpy(buf,value); @@ -1079,7 +1103,7 @@ start: /* add object plus value */ if ((xa=X509_ATTRIBUTE_new()) == NULL) goto err; - if ((xa->value.set=sk_new_null()) == NULL) + if ((xa->value.set=sk_ASN1_TYPE_new_null()) == NULL) goto err; xa->set=1; @@ -1105,12 +1129,12 @@ start: { BIO_printf(bio_err,"Malloc failure\n"); goto err; } ASN1_TYPE_set(at,bs->type,(char *)bs); - sk_push(xa->value.set,(char *)at); + sk_ASN1_TYPE_push(xa->value.set,at); bs=NULL; at=NULL; /* only one item per attribute */ - if (!sk_push(n,(char *)xa)) goto err; + if (!sk_X509_ATTRIBUTE_push(n,xa)) goto err; return(1); err: if (xa != NULL) X509_ATTRIBUTE_free(xa); @@ -1119,10 +1143,7 @@ err: return(0); } -static void MS_CALLBACK req_cb(p,n,arg) -int p; -int n; -char *arg; +static void MS_CALLBACK req_cb(int p, int n, void *arg) { char c='*'; @@ -1131,16 +1152,13 @@ char *arg; if (p == 2) c='*'; if (p == 3) c='\n'; BIO_write((BIO *)arg,&c,1); - BIO_flush((BIO *)arg); + (void)BIO_flush((BIO *)arg); #ifdef LINT p=n; #endif } -static int req_fix_data(nid,type,len,min,max) -int nid; -int *type; -int len,min,max; +static int req_fix_data(int nid, int *type, int len, int min, int max) { if (nid == NID_pkcs9_emailAddress) *type=V_ASN1_IA5STRING; @@ -1171,3 +1189,37 @@ int len,min,max; } return(1); } + +/* Check if the end of a string matches 'end' */ +static int check_end(char *str, char *end) +{ + int elen, slen; + char *tmp; + elen = strlen(end); + slen = strlen(str); + if(elen > slen) return 1; + tmp = str + slen - elen; + return strcmp(tmp, end); +} + +static int add_oid_section(LHASH *conf) +{ + char *p; + STACK_OF(CONF_VALUE) *sktmp; + CONF_VALUE *cnf; + int i; + if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1; + if(!(sktmp = CONF_get_section(conf, p))) { + BIO_printf(bio_err, "problem loading oid section %s\n", p); + return 0; + } + for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { + cnf = sk_CONF_VALUE_value(sktmp, i); + if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { + BIO_printf(bio_err, "problem creating object %s=%s\n", + cnf->name, cnf->value); + return 0; + } + } + return 1; +}