X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fx509.c;h=9472b68da5226594616e8c4ba14a5e8fd49c40d4;hp=e1cc3cde1fca2c85e4708ddbe7f9e921ef5a76a0;hb=5278dec375c9a2d991db4c533b60e09c6c80e6e3;hpb=333b070ec06d7a67538ee9d5312656a19e802dc1 diff --git a/apps/x509.c b/apps/x509.c index e1cc3cde1f..9472b68da5 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -55,7 +55,6 @@ * [including the GNU Public Licence.] */ -#include #include #include #include @@ -107,13 +106,9 @@ typedef enum OPTION_choice { OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, -#ifndef OPENSSL_NO_MD5 OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, -#endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL OPT_FORCE_VERSION, -#endif OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT } OPTION_CHOICE; @@ -130,12 +125,6 @@ OPTIONS x509_options[] = { {"serial", OPT_SERIAL, '-', "Print serial number value"}, {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, -#ifndef OPENSSL_NO_MD5 - {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', - "Print old-style (MD5) issuer hash value"}, - {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', - "Print old-style (MD5) subject hash value"}, -#endif {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, {"subject", OPT_SUBJECT, '-', "Print subject DN"}, {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, @@ -175,7 +164,7 @@ OPTIONS x509_options[] = { "The CA key, must be PEM format; if not in CAfile"}, {"CAcreateserial", OPT_CACREATESERIAL, '-', "Create serial number file if it does not exist"}, - {"CAserial", OPT_CASERIAL, '<', "Serial file"}, + {"CAserial", OPT_CASERIAL, 's', "Serial file"}, {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, {"text", OPT_TEXT, '-', "Print the certificate in text form"}, {"C", OPT_C, '-', "Print out C code forms"}, @@ -194,11 +183,17 @@ OPTIONS x509_options[] = { {"clrreject", OPT_CLRREJECT, '-'}, {"badsig", OPT_BADSIG, '-'}, {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, #endif #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL {"force_version", OPT_FORCE_VERSION, 'p'}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif {NULL} }; @@ -232,6 +227,7 @@ int x509_main(int argc, char **argv) int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0; int checkoffset = 0, enddate = 0; unsigned long nmflag = 0, certflag = 0; + char nmflag_set = 0; OPTION_CHOICE o; ENGINE *e = NULL; #ifndef OPENSSL_NO_MD5 @@ -291,11 +287,11 @@ int x509_main(int argc, char **argv) if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) goto opthelp; break; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL case OPT_FORCE_VERSION: +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL force_version = atoi(opt_arg()) - 1; - break; #endif + break; case OPT_DAYS: days = atoi(opt_arg()); break; @@ -365,6 +361,7 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_NAMEOPT: + nmflag_set = 1; if (!set_name_ex(&nmflag, opt_arg())) goto opthelp; break; @@ -459,6 +456,10 @@ int x509_main(int argc, char **argv) case OPT_ISSUER_HASH_OLD: issuer_hash_old = ++num; break; +#else + case OPT_SUBJECT_HASH_OLD: + case OPT_ISSUER_HASH_OLD: + break; #endif case OPT_DATES: startdate = ++num; @@ -489,7 +490,13 @@ int x509_main(int argc, char **argv) goto opthelp; } - out = bio_open_default(outfile, "w"); + if (!nmflag_set) + nmflag = XN_FLAG_ONELINE; + + if (!app_load_modules(NULL)) + goto end; + + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; @@ -521,19 +528,9 @@ int x509_main(int argc, char **argv) } if (extfile) { - long errorline = -1; X509V3_CTX ctx2; - extconf = NCONF_new(NULL); - if (!NCONF_load(extconf, extfile, &errorline)) { - if (errorline <= 0) - BIO_printf(bio_err, - "error loading the config file '%s'\n", extfile); - else - BIO_printf(bio_err, - "error on line %ld of config file '%s'\n", - errorline, extfile); + if ((extconf = app_load_config(extfile)) == NULL) goto end; - } if (!extsect) { extsect = NCONF_get_string(extconf, "default", "extensions"); if (!extsect) { @@ -559,7 +556,7 @@ int x509_main(int argc, char **argv) BIO_printf(bio_err, "We need a private key to sign with\n"); goto end; } - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); @@ -570,15 +567,6 @@ int x509_main(int argc, char **argv) goto end; } - if ((req->req_info == NULL) || - (req->req_info->pubkey == NULL) || - (req->req_info->pubkey->public_key == NULL) || - (req->req_info->pubkey->public_key->data == NULL)) { - BIO_printf(bio_err, - "The certificate request appears to corrupted\n"); - BIO_printf(bio_err, "It does not contain a public key\n"); - goto end; - } if ((pkey = X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); goto end; @@ -614,9 +602,9 @@ int x509_main(int argc, char **argv) } else if (!X509_set_serialNumber(x, sno)) goto end; - if (!X509_set_issuer_name(x, req->req_info->subject)) + if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) goto end; - if (!X509_set_subject_name(x, req->req_info->subject)) + if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) goto end; X509_gmtime_adj(X509_get_notBefore(x), 0); @@ -783,12 +771,7 @@ int x509_main(int argc, char **argv) " */\n", buf); len = i2d_X509(x, NULL); - m = OPENSSL_malloc(len); - if (!m) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } - + m = app_malloc(len, "x509 name buffer"); d = (unsigned char *)m; len = i2d_X509_NAME(X509_get_subject_name(x), &d); print_array(out, "the_subject_name", len, (unsigned char *)m); @@ -911,8 +894,13 @@ int x509_main(int argc, char **argv) goto end; } - if (badsig) - x->signature->data[x->signature->length - 1] ^= 0x1; + if (badsig) { + ASN1_BIT_STRING *signature; + unsigned char *s; + X509_get0_signature(&signature, NULL, x); + s = ASN1_STRING_data(signature); + s[ASN1_STRING_length(signature) - 1] ^= 0x1; + } if (outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x); @@ -921,16 +909,6 @@ int x509_main(int argc, char **argv) i = PEM_write_bio_X509_AUX(out, x); else i = PEM_write_bio_X509(out, x); - } else if (outformat == FORMAT_NETSCAPE) { - NETSCAPE_X509 nx; - ASN1_OCTET_STRING hdr; - - hdr.data = (unsigned char *)NETSCAPE_CERT_HDR; - hdr.length = strlen(NETSCAPE_CERT_HDR); - nx.header = &hdr; - nx.cert = x; - - i = ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509), out, &nx); } else { BIO_printf(bio_err, "bad output format specified for outfile\n"); goto end; @@ -954,14 +932,12 @@ int x509_main(int argc, char **argv) EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); EVP_PKEY_free(fkey); - if (sigopts) - sk_OPENSSL_STRING_free(sigopts); + sk_OPENSSL_STRING_free(sigopts); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); - if (passin) - OPENSSL_free(passin); + OPENSSL_free(passin); return (ret); } @@ -976,11 +952,7 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, len = ((serialfile == NULL) ? (strlen(CAfile) + strlen(POSTFIX) + 1) : (strlen(serialfile))) + 1; - buf = OPENSSL_malloc(len); - if (buf == NULL) { - BIO_printf(bio_err, "out of mem\n"); - goto end; - } + buf = app_malloc(len, "serial# buffer"); if (serialfile == NULL) { BUF_strlcpy(buf, CAfile, len); for (p = buf; *p; p++) @@ -1005,8 +977,7 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, goto end; end: - if (buf) - OPENSSL_free(buf); + OPENSSL_free(buf); BN_free(serial); return bs; } @@ -1033,11 +1004,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, } if (sno) bs = sno; - else if (!(bs = x509_load_serial(CAfile, serialfile, create))) + else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) goto end; -/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ - /* * NOTE: this certificate can/should be self signed, unless it was a * certificate request in which case it is not.