X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fx509.c;h=1b612d17d41d01ebbfd921654b12dac664225563;hp=1fa93aaebaefd50460b0a4d629f20da1fa1d2953;hb=3a98f9cf20c6af604799ee079bec496b296bb5cc;hpb=67c8e7f41486934b6809673b6d836d38eaf2383b diff --git a/apps/x509.c b/apps/x509.c index 1fa93aaeba..1b612d17d4 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -99,7 +99,13 @@ static const char *x509_usage[]={ " -passin arg - private key password source\n", " -serial - print serial number value\n", " -subject_hash - print subject hash value\n", +#ifndef OPENSSL_NO_MD5 +" -subject_hash_old - print old-style (MD5) subject hash value\n", +#endif " -issuer_hash - print issuer hash value\n", +#ifndef OPENSSL_NO_MD5 +" -issuer_hash_old - print old-style (MD5) issuer hash value\n", +#endif " -hash - synonym for -subject_hash\n", " -subject - print subject DN\n", " -issuer - print issuer DN\n", @@ -114,7 +120,7 @@ static const char *x509_usage[]={ " -alias - output certificate alias\n", " -noout - no certificate output\n", " -ocspid - print OCSP hash values for the subject name and public key\n", -" -ocspurl - print OCSP Responder URL(s)\n", +" -ocsp_uri - print OCSP Responder URL(s)\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", " -clrreject - clear all rejected purposes\n", @@ -144,6 +150,9 @@ static const char *x509_usage[]={ " -engine e - use engine e, possibly a hardware device.\n", #endif " -certopt arg - various certificate text options\n", +" -checkhost host - check certificate matches \"host\"\n", +" -checkemail email - check certificate matches \"email\"\n", +" -checkip ipaddr - check certificate matches \"ipaddr\"\n", NULL }; @@ -151,11 +160,15 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, CONF *conf, char *section); static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, - X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, - int create,int days, int clrext, CONF *conf, char *section, - ASN1_INTEGER *sno); + X509 *x,X509 *xca,EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, + char *serial, int create ,int days, int clrext, + CONF *conf, char *section, ASN1_INTEGER *sno); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); static int reqfile=0; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL +static int force_version=2; +#endif int MAIN(int, char **); @@ -166,19 +179,24 @@ int MAIN(int argc, char **argv) X509_REQ *req=NULL; X509 *x=NULL,*xca=NULL; ASN1_OBJECT *objtmp; - EVP_PKEY *Upkey=NULL,*CApkey=NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; + EVP_PKEY *Upkey=NULL,*CApkey=NULL, *fkey = NULL; ASN1_INTEGER *sno = NULL; - int i,num,badops=0; + int i,num,badops=0, badsig=0; BIO *out=NULL; BIO *STDout=NULL; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; + char *fkeyfile=NULL; char *alias=NULL; int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old=0,issuer_hash_old=0; +#endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; @@ -196,6 +214,8 @@ int MAIN(int argc, char **argv) int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -225,7 +245,7 @@ int MAIN(int argc, char **argv) ctx=X509_STORE_new(); if (ctx == NULL) goto end; - X509_STORE_set_verify_cb_func(ctx,callb); + X509_STORE_set_verify_cb(ctx,callb); argc--; argv++; @@ -262,13 +282,29 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAkeyformat=str2fmt(*(++argv)); } + else if (strcmp(*argv,"-sigopt") == 0) + { + if (--argc < 1) + goto bad; + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) + goto bad; + } +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + else if (strcmp(*argv,"-force_version") == 0) + { + if (--argc < 1) goto bad; + force_version=atoi(*(++argv)) - 1; + } +#endif else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; days=atoi(*(++argv)); if (days == 0) { - BIO_printf(STDout,"bad number of days\n"); + BIO_printf(bio_err,"bad number of days\n"); goto bad; } } @@ -327,6 +363,11 @@ int MAIN(int argc, char **argv) if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) goto bad; } + else if (strcmp(*argv,"-force_pubkey") == 0) + { + if (--argc < 1) goto bad; + fkeyfile= *(++argv); + } else if (strcmp(*argv,"-addtrust") == 0) { if (--argc < 1) goto bad; @@ -397,8 +438,16 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-subject_hash_old") == 0) + subject_hash_old= ++num; +#endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-issuer_hash_old") == 0) + issuer_hash_old= ++num; +#endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) @@ -422,6 +471,21 @@ int MAIN(int argc, char **argv) checkoffset=atoi(*(++argv)); checkend=1; } + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } else if (strcmp(*argv,"-noout") == 0) noout= ++num; else if (strcmp(*argv,"-trustout") == 0) @@ -445,6 +509,8 @@ int MAIN(int argc, char **argv) #endif else if (strcmp(*argv,"-ocspid") == 0) ocspid= ++num; + else if (strcmp(*argv,"-badsig") == 0) + badsig = 1; else if ((md_alg=EVP_get_digestbyname(*argv + 1))) { /* ok */ @@ -489,6 +555,13 @@ bad: goto end; } + if (fkeyfile) + { + fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0, + NULL, e, "Forced key"); + if (fkey == NULL) goto end; + } + if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { CAkeyfile=CAfile; } else if ((CA_flag) && (CAkeyfile == NULL)) @@ -539,7 +612,6 @@ bad: if (reqfile) { EVP_PKEY *pkey; - X509_CINF *ci; BIO *in; if (!sign_flag && !CA_flag) @@ -607,7 +679,6 @@ bad: print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); if ((x=X509_new()) == NULL) goto end; - ci=x->cert_info; if (sno == NULL) { @@ -626,11 +697,15 @@ bad: if (!X509_set_subject_name(x,req->req_info->subject)) goto end; X509_gmtime_adj(X509_get_notBefore(x),0); - X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); - - pkey = X509_REQ_get_pubkey(req); - X509_set_pubkey(x,pkey); - EVP_PKEY_free(pkey); + X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL); + if (fkey) + X509_set_pubkey(x, fkey); + else + { + pkey = X509_REQ_get_pubkey(req); + X509_set_pubkey(x,pkey); + EVP_PKEY_free(pkey); + } } else x=load_cert(bio_err,infile,informat,NULL,e,"Certificate"); @@ -738,13 +813,14 @@ bad: else if ((email == i) || (ocsp_uri == i)) { int j; - STACK *emlst; + STACK_OF(OPENSSL_STRING) *emlst; if (email == i) emlst = X509_get1_email(x); else emlst = X509_get1_ocsp(x); - for (j = 0; j < sk_num(emlst); j++) - BIO_printf(STDout, "%s\n", sk_value(emlst, j)); + for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(STDout, "%s\n", + sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) @@ -758,10 +834,22 @@ bad: { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (subject_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); + } +#endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } +#ifndef OPENSSL_NO_MD5 + else if (issuer_hash_old == i) + { + BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); + } +#endif else if (pprint == i) { X509_PURPOSE *ptmp; @@ -873,7 +961,7 @@ bad: } else if (text == i) { - X509_print_ex(out,x,nmflag, certflag); + X509_print_ex(STDout,x,nmflag, certflag); } else if (startdate == i) { @@ -942,7 +1030,8 @@ bad: assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, - CApkey, CAserial,CA_createserial,days, clrext, + CApkey, sigopts, + CAserial,CA_createserial,days, clrext, extconf, extsect, sno)) goto end; } @@ -959,7 +1048,7 @@ bad: else { pk=load_key(bio_err, - keyfile, FORMAT_PEM, 0, + keyfile, keyformat, 0, passin, e, "request key"); if (pk == NULL) goto end; } @@ -1004,12 +1093,17 @@ bad: goto end; } + print_cert_checks(STDout, x, checkhost, checkemail, checkip); + if (noout) { ret=0; goto end; } + if (badsig) + x->signature->data[x->signature->length - 1] ^= 0x1; + if (outformat == FORMAT_ASN1) i=i2d_X509_bio(out,x); else if (outformat == FORMAT_PEM) @@ -1053,6 +1147,9 @@ end: X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); + EVP_PKEY_free(fkey); + if (sigopts) + sk_OPENSSL_STRING_free(sigopts); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); @@ -1103,8 +1200,11 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, - X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, - int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) + X509 *x, X509 *xca, EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, + char *serialfile, int create, + int days, int clrext, CONF *conf, char *section, + ASN1_INTEGER *sno) { int ret=0; ASN1_INTEGER *bs=NULL; @@ -1129,7 +1229,8 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); - if (!reqfile && !X509_verify_cert(&xsc)) + X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca,pkey)) @@ -1145,7 +1246,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; /* hardwired expired */ - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) + if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) goto end; if (clrext) @@ -1156,13 +1257,18 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (conf) { X509V3_CTX ctx2; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + X509_set_version(x, force_version); +#else X509_set_version(x,2); /* version 3 certificate */ +#endif X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; } - if (!X509_sign(x,pkey,digest)) goto end; + if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) + goto end; ret=1; end: X509_STORE_CTX_cleanup(&xsc); @@ -1233,7 +1339,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *dig if (conf) { X509V3_CTX ctx; +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + X509_set_version(x, force_version); +#else X509_set_version(x,2); /* version 3 certificate */ +#endif X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err;