1/* apps/x509.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <assert.h> 60#include <stdio.h> 61#include <stdlib.h> 62#include <string.h> 63#ifdef OPENSSL_NO_STDIO 64#define APPS_WIN16 65#endif 66#include "apps.h" 67#include <openssl/bio.h> 68#include <openssl/asn1.h> 69#include <openssl/err.h> 70#include <openssl/bn.h> 71#include <openssl/evp.h> 72#include <openssl/x509.h> 73#include <openssl/x509v3.h> 74#include <openssl/objects.h> 75#include <openssl/pem.h> 76#ifndef OPENSSL_NO_RSA 77#include <openssl/rsa.h> 78#endif 79#ifndef OPENSSL_NO_DSA 80#include <openssl/dsa.h> 81#endif 82 83#undef PROG 84#define PROG x509_main 85 86#undef POSTFIX 87#define POSTFIX ".srl" 88#define DEF_DAYS 30 89 90static const char *x509_usage[]={ 91"usage: x509 args\n", 92" -inform arg - input format - default PEM (one of DER, NET or PEM)\n", 93" -outform arg - output format - default PEM (one of DER, NET or PEM)\n", 94" -keyform arg - private key format - default PEM\n", 95" -CAform arg - CA format - default PEM\n", 96" -CAkeyform arg - CA key format - default PEM\n", 97" -in arg - input file - default stdin\n", 98" -out arg - output file - default stdout\n", 99" -passin arg - private key password source\n", 100" -serial - print serial number value\n", 101" -subject_hash - print subject hash value\n", 102#ifndef OPENSSL_NO_MD5 103" -subject_hash_old - print old-style (MD5) subject hash value\n", 104#endif 105" -issuer_hash - print issuer hash value\n", 106#ifndef OPENSSL_NO_MD5 107" -issuer_hash_old - print old-style (MD5) issuer hash value\n", 108#endif 109" -hash - synonym for -subject_hash\n", 110" -subject - print subject DN\n", 111" -issuer - print issuer DN\n", 112" -email - print email address(es)\n", 113" -startdate - notBefore field\n", 114" -enddate - notAfter field\n", 115" -purpose - print out certificate purposes\n", 116" -dates - both Before and After dates\n", 117" -modulus - print the RSA key modulus\n", 118" -pubkey - output the public key\n", 119" -fingerprint - print the certificate fingerprint\n", 120" -alias - output certificate alias\n", 121" -noout - no certificate output\n", 122" -ocspid - print OCSP hash values for the subject name and public key\n", 123" -ocsp_uri - print OCSP Responder URL(s)\n", 124" -trustout - output a \"trusted\" certificate\n", 125" -clrtrust - clear all trusted purposes\n", 126" -clrreject - clear all rejected purposes\n", 127" -addtrust arg - trust certificate for a given purpose\n", 128" -addreject arg - reject certificate for a given purpose\n", 129" -setalias arg - set certificate alias\n", 130" -days arg - How long till expiry of a signed certificate - def 30 days\n", 131" -checkend arg - check whether the cert expires in the next arg seconds\n", 132" exit 1 if so, 0 if not\n", 133" -signkey arg - self sign cert with arg\n", 134" -x509toreq - output a certification request object\n", 135" -req - input is a certificate request, sign and output.\n", 136" -CA arg - set the CA certificate, must be PEM format.\n", 137" -CAkey arg - set the CA key, must be PEM format\n", 138" missing, it is assumed to be in the CA file.\n", 139" -CAcreateserial - create serial number file if it does not exist\n", 140" -CAserial arg - serial file\n", 141" -set_serial - serial number to use\n", 142" -text - print the certificate in text form\n", 143" -C - print out C code forms\n", 144" -md2/-md5/-sha1/-mdc2 - digest to use\n", 145" -extfile - configuration file with X509V3 extensions to add\n", 146" -extensions - section from config file with X509V3 extensions to add\n", 147" -clrext - delete extensions before signing and input certificate\n", 148" -nameopt arg - various certificate name options\n", 149#ifndef OPENSSL_NO_ENGINE 150" -engine e - use engine e, possibly a hardware device.\n", 151#endif 152" -certopt arg - various certificate text options\n", 153NULL 154}; 155 156static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); 157static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, 158 CONF *conf, char *section); 159static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, 160 X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, 161 int create,int days, int clrext, CONF *conf, char *section, 162 ASN1_INTEGER *sno); 163static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 164static int reqfile=0; 165 166int MAIN(int, char **); 167 168int MAIN(int argc, char **argv) 169 { 170 ENGINE *e = NULL; 171 int ret=1; 172 X509_REQ *req=NULL; 173 X509 *x=NULL,*xca=NULL; 174 ASN1_OBJECT *objtmp; 175 EVP_PKEY *Upkey=NULL,*CApkey=NULL; 176 ASN1_INTEGER *sno = NULL; 177 int i,num,badops=0; 178 BIO *out=NULL; 179 BIO *STDout=NULL; 180 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; 181 int informat,outformat,keyformat,CAformat,CAkeyformat; 182 char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; 183 char *CAkeyfile=NULL,*CAserial=NULL; 184 char *alias=NULL; 185 int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; 186 int next_serial=0; 187 int subject_hash=0,issuer_hash=0,ocspid=0; 188#ifndef OPENSSL_NO_MD5 189 int subject_hash_old=0,issuer_hash_old=0; 190#endif 191 int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; 192 int ocsp_uri=0; 193 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; 194 int C=0; 195 int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; 196 int pprint = 0; 197 const char **pp; 198 X509_STORE *ctx=NULL; 199 X509_REQ *rq=NULL; 200 int fingerprint=0; 201 char buf[256]; 202 const EVP_MD *md_alg,*digest=NULL; 203 CONF *extconf = NULL; 204 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; 205 int need_rand = 0; 206 int checkend=0,checkoffset=0; 207 unsigned long nmflag = 0, certflag = 0; 208#ifndef OPENSSL_NO_ENGINE 209 char *engine=NULL; 210#endif 211 212 reqfile=0; 213 214 apps_startup(); 215 216 if (bio_err == NULL) 217 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 218 219 if (!load_config(bio_err, NULL)) 220 goto end; 221 STDout=BIO_new_fp(stdout,BIO_NOCLOSE); 222#ifdef OPENSSL_SYS_VMS 223 { 224 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 225 STDout = BIO_push(tmpbio, STDout); 226 } 227#endif 228 229 informat=FORMAT_PEM; 230 outformat=FORMAT_PEM; 231 keyformat=FORMAT_PEM; 232 CAformat=FORMAT_PEM; 233 CAkeyformat=FORMAT_PEM; 234 235 ctx=X509_STORE_new(); 236 if (ctx == NULL) goto end; 237 X509_STORE_set_verify_cb(ctx,callb); 238 239 argc--; 240 argv++; 241 num=0; 242 while (argc >= 1) 243 { 244 if (strcmp(*argv,"-inform") == 0) 245 { 246 if (--argc < 1) goto bad; 247 informat=str2fmt(*(++argv)); 248 } 249 else if (strcmp(*argv,"-outform") == 0) 250 { 251 if (--argc < 1) goto bad; 252 outformat=str2fmt(*(++argv)); 253 } 254 else if (strcmp(*argv,"-keyform") == 0) 255 { 256 if (--argc < 1) goto bad; 257 keyformat=str2fmt(*(++argv)); 258 } 259 else if (strcmp(*argv,"-req") == 0) 260 { 261 reqfile=1; 262 need_rand = 1; 263 } 264 else if (strcmp(*argv,"-CAform") == 0) 265 { 266 if (--argc < 1) goto bad; 267 CAformat=str2fmt(*(++argv)); 268 } 269 else if (strcmp(*argv,"-CAkeyform") == 0) 270 { 271 if (--argc < 1) goto bad; 272 CAkeyformat=str2fmt(*(++argv)); 273 } 274 else if (strcmp(*argv,"-days") == 0) 275 { 276 if (--argc < 1) goto bad; 277 days=atoi(*(++argv)); 278 if (days == 0) 279 { 280 BIO_printf(STDout,"bad number of days\n"); 281 goto bad; 282 } 283 } 284 else if (strcmp(*argv,"-passin") == 0) 285 { 286 if (--argc < 1) goto bad; 287 passargin= *(++argv); 288 } 289 else if (strcmp(*argv,"-extfile") == 0) 290 { 291 if (--argc < 1) goto bad; 292 extfile= *(++argv); 293 } 294 else if (strcmp(*argv,"-extensions") == 0) 295 { 296 if (--argc < 1) goto bad; 297 extsect= *(++argv); 298 } 299 else if (strcmp(*argv,"-in") == 0) 300 { 301 if (--argc < 1) goto bad; 302 infile= *(++argv); 303 } 304 else if (strcmp(*argv,"-out") == 0) 305 { 306 if (--argc < 1) goto bad; 307 outfile= *(++argv); 308 } 309 else if (strcmp(*argv,"-signkey") == 0) 310 { 311 if (--argc < 1) goto bad; 312 keyfile= *(++argv); 313 sign_flag= ++num; 314 need_rand = 1; 315 } 316 else if (strcmp(*argv,"-CA") == 0) 317 { 318 if (--argc < 1) goto bad; 319 CAfile= *(++argv); 320 CA_flag= ++num; 321 need_rand = 1; 322 } 323 else if (strcmp(*argv,"-CAkey") == 0) 324 { 325 if (--argc < 1) goto bad; 326 CAkeyfile= *(++argv); 327 } 328 else if (strcmp(*argv,"-CAserial") == 0) 329 { 330 if (--argc < 1) goto bad; 331 CAserial= *(++argv); 332 } 333 else if (strcmp(*argv,"-set_serial") == 0) 334 { 335 if (--argc < 1) goto bad; 336 if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) 337 goto bad; 338 } 339 else if (strcmp(*argv,"-addtrust") == 0) 340 { 341 if (--argc < 1) goto bad; 342 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) 343 { 344 BIO_printf(bio_err, 345 "Invalid trust object value %s\n", *argv); 346 goto bad; 347 } 348 if (!trust) trust = sk_ASN1_OBJECT_new_null(); 349 sk_ASN1_OBJECT_push(trust, objtmp); 350 trustout = 1; 351 } 352 else if (strcmp(*argv,"-addreject") == 0) 353 { 354 if (--argc < 1) goto bad; 355 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) 356 { 357 BIO_printf(bio_err, 358 "Invalid reject object value %s\n", *argv); 359 goto bad; 360 } 361 if (!reject) reject = sk_ASN1_OBJECT_new_null(); 362 sk_ASN1_OBJECT_push(reject, objtmp); 363 trustout = 1; 364 } 365 else if (strcmp(*argv,"-setalias") == 0) 366 { 367 if (--argc < 1) goto bad; 368 alias= *(++argv); 369 trustout = 1; 370 } 371 else if (strcmp(*argv,"-certopt") == 0) 372 { 373 if (--argc < 1) goto bad; 374 if (!set_cert_ex(&certflag, *(++argv))) goto bad; 375 } 376 else if (strcmp(*argv,"-nameopt") == 0) 377 { 378 if (--argc < 1) goto bad; 379 if (!set_name_ex(&nmflag, *(++argv))) goto bad; 380 } 381#ifndef OPENSSL_NO_ENGINE 382 else if (strcmp(*argv,"-engine") == 0) 383 { 384 if (--argc < 1) goto bad; 385 engine= *(++argv); 386 } 387#endif 388 else if (strcmp(*argv,"-C") == 0) 389 C= ++num; 390 else if (strcmp(*argv,"-email") == 0) 391 email= ++num; 392 else if (strcmp(*argv,"-ocsp_uri") == 0) 393 ocsp_uri= ++num; 394 else if (strcmp(*argv,"-serial") == 0) 395 serial= ++num; 396 else if (strcmp(*argv,"-next_serial") == 0) 397 next_serial= ++num; 398 else if (strcmp(*argv,"-modulus") == 0) 399 modulus= ++num; 400 else if (strcmp(*argv,"-pubkey") == 0) 401 pubkey= ++num; 402 else if (strcmp(*argv,"-x509toreq") == 0) 403 x509req= ++num; 404 else if (strcmp(*argv,"-text") == 0) 405 text= ++num; 406 else if (strcmp(*argv,"-hash") == 0 407 || strcmp(*argv,"-subject_hash") == 0) 408 subject_hash= ++num; 409#ifndef OPENSSL_NO_MD5 410 else if (strcmp(*argv,"-subject_hash_old") == 0) 411 subject_hash_old= ++num; 412#endif 413 else if (strcmp(*argv,"-issuer_hash") == 0) 414 issuer_hash= ++num; 415#ifndef OPENSSL_NO_MD5 416 else if (strcmp(*argv,"-issuer_hash_old") == 0) 417 issuer_hash_old= ++num; 418#endif 419 else if (strcmp(*argv,"-subject") == 0) 420 subject= ++num; 421 else if (strcmp(*argv,"-issuer") == 0) 422 issuer= ++num; 423 else if (strcmp(*argv,"-fingerprint") == 0) 424 fingerprint= ++num; 425 else if (strcmp(*argv,"-dates") == 0) 426 { 427 startdate= ++num; 428 enddate= ++num; 429 } 430 else if (strcmp(*argv,"-purpose") == 0) 431 pprint= ++num; 432 else if (strcmp(*argv,"-startdate") == 0) 433 startdate= ++num; 434 else if (strcmp(*argv,"-enddate") == 0) 435 enddate= ++num; 436 else if (strcmp(*argv,"-checkend") == 0) 437 { 438 if (--argc < 1) goto bad; 439 checkoffset=atoi(*(++argv)); 440 checkend=1; 441 } 442 else if (strcmp(*argv,"-noout") == 0) 443 noout= ++num; 444 else if (strcmp(*argv,"-trustout") == 0) 445 trustout= 1; 446 else if (strcmp(*argv,"-clrtrust") == 0) 447 clrtrust= ++num; 448 else if (strcmp(*argv,"-clrreject") == 0) 449 clrreject= ++num; 450 else if (strcmp(*argv,"-alias") == 0) 451 aliasout= ++num; 452 else if (strcmp(*argv,"-CAcreateserial") == 0) 453 CA_createserial= ++num; 454 else if (strcmp(*argv,"-clrext") == 0) 455 clrext = 1; 456#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */ 457 else if (strcmp(*argv,"-crlext") == 0) 458 { 459 BIO_printf(bio_err,"use -clrext instead of -crlext\n"); 460 clrext = 1; 461 } 462#endif 463 else if (strcmp(*argv,"-ocspid") == 0) 464 ocspid= ++num; 465 else if ((md_alg=EVP_get_digestbyname(*argv + 1))) 466 { 467 /* ok */ 468 digest=md_alg; 469 } 470 else 471 { 472 BIO_printf(bio_err,"unknown option %s\n",*argv); 473 badops=1; 474 break; 475 } 476 argc--; 477 argv++; 478 } 479 480 if (badops) 481 { 482bad: 483 for (pp=x509_usage; (*pp != NULL); pp++) 484 BIO_printf(bio_err,"%s",*pp); 485 goto end; 486 } 487 488#ifndef OPENSSL_NO_ENGINE 489 e = setup_engine(bio_err, engine, 0); 490#endif 491 492 if (need_rand) 493 app_RAND_load_file(NULL, bio_err, 0); 494 495 ERR_load_crypto_strings(); 496 497 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) 498 { 499 BIO_printf(bio_err, "Error getting password\n"); 500 goto end; 501 } 502 503 if (!X509_STORE_set_default_paths(ctx)) 504 { 505 ERR_print_errors(bio_err); 506 goto end; 507 } 508 509 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) 510 { CAkeyfile=CAfile; } 511 else if ((CA_flag) && (CAkeyfile == NULL)) 512 { 513 BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n"); 514 goto end; 515 } 516 517 if (extfile) 518 { 519 long errorline = -1; 520 X509V3_CTX ctx2; 521 extconf = NCONF_new(NULL); 522 if (!NCONF_load(extconf, extfile,&errorline)) 523 { 524 if (errorline <= 0) 525 BIO_printf(bio_err, 526 "error loading the config file '%s'\n", 527 extfile); 528 else 529 BIO_printf(bio_err, 530 "error on line %ld of config file '%s'\n" 531 ,errorline,extfile); 532 goto end; 533 } 534 if (!extsect) 535 { 536 extsect = NCONF_get_string(extconf, "default", "extensions"); 537 if (!extsect) 538 { 539 ERR_clear_error(); 540 extsect = "default"; 541 } 542 } 543 X509V3_set_ctx_test(&ctx2); 544 X509V3_set_nconf(&ctx2, extconf); 545 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) 546 { 547 BIO_printf(bio_err, 548 "Error Loading extension section %s\n", 549 extsect); 550 ERR_print_errors(bio_err); 551 goto end; 552 } 553 } 554 555 556 if (reqfile) 557 { 558 EVP_PKEY *pkey; 559 BIO *in; 560 561 if (!sign_flag && !CA_flag) 562 { 563 BIO_printf(bio_err,"We need a private key to sign with\n"); 564 goto end; 565 } 566 in=BIO_new(BIO_s_file()); 567 if (in == NULL) 568 { 569 ERR_print_errors(bio_err); 570 goto end; 571 } 572 573 if (infile == NULL) 574 BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT); 575 else 576 { 577 if (BIO_read_filename(in,infile) <= 0) 578 { 579 perror(infile); 580 BIO_free(in); 581 goto end; 582 } 583 } 584 req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); 585 BIO_free(in); 586 587 if (req == NULL) 588 { 589 ERR_print_errors(bio_err); 590 goto end; 591 } 592 593 if ( (req->req_info == NULL) || 594 (req->req_info->pubkey == NULL) || 595 (req->req_info->pubkey->public_key == NULL) || 596 (req->req_info->pubkey->public_key->data == NULL)) 597 { 598 BIO_printf(bio_err,"The certificate request appears to corrupted\n"); 599 BIO_printf(bio_err,"It does not contain a public key\n"); 600 goto end; 601 } 602 if ((pkey=X509_REQ_get_pubkey(req)) == NULL) 603 { 604 BIO_printf(bio_err,"error unpacking public key\n"); 605 goto end; 606 } 607 i=X509_REQ_verify(req,pkey); 608 EVP_PKEY_free(pkey); 609 if (i < 0) 610 { 611 BIO_printf(bio_err,"Signature verification error\n"); 612 ERR_print_errors(bio_err); 613 goto end; 614 } 615 if (i == 0) 616 { 617 BIO_printf(bio_err,"Signature did not match the certificate request\n"); 618 goto end; 619 } 620 else 621 BIO_printf(bio_err,"Signature ok\n"); 622 623 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); 624 625 if ((x=X509_new()) == NULL) goto end; 626 627 if (sno == NULL) 628 { 629 sno = ASN1_INTEGER_new(); 630 if (!sno || !rand_serial(NULL, sno)) 631 goto end; 632 if (!X509_set_serialNumber(x, sno)) 633 goto end; 634 ASN1_INTEGER_free(sno); 635 sno = NULL; 636 } 637 else if (!X509_set_serialNumber(x, sno)) 638 goto end; 639 640 if (!X509_set_issuer_name(x,req->req_info->subject)) goto end; 641 if (!X509_set_subject_name(x,req->req_info->subject)) goto end; 642 643 X509_gmtime_adj(X509_get_notBefore(x),0); 644 X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL); 645 646 pkey = X509_REQ_get_pubkey(req); 647 X509_set_pubkey(x,pkey); 648 EVP_PKEY_free(pkey); 649 } 650 else 651 x=load_cert(bio_err,infile,informat,NULL,e,"Certificate"); 652 653 if (x == NULL) goto end; 654 if (CA_flag) 655 { 656 xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate"); 657 if (xca == NULL) goto end; 658 } 659 660 if (!noout || text || next_serial) 661 { 662 OBJ_create("2.99999.3", 663 "SET.ex3","SET x509v3 extension 3"); 664 665 out=BIO_new(BIO_s_file()); 666 if (out == NULL) 667 { 668 ERR_print_errors(bio_err); 669 goto end; 670 } 671 if (outfile == NULL) 672 { 673 BIO_set_fp(out,stdout,BIO_NOCLOSE); 674#ifdef OPENSSL_SYS_VMS 675 { 676 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 677 out = BIO_push(tmpbio, out); 678 } 679#endif 680 } 681 else 682 { 683 if (BIO_write_filename(out,outfile) <= 0) 684 { 685 perror(outfile); 686 goto end; 687 } 688 } 689 } 690 691 if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); 692 693 if (clrtrust) X509_trust_clear(x); 694 if (clrreject) X509_reject_clear(x); 695 696 if (trust) 697 { 698 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) 699 { 700 objtmp = sk_ASN1_OBJECT_value(trust, i); 701 X509_add1_trust_object(x, objtmp); 702 } 703 } 704 705 if (reject) 706 { 707 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) 708 { 709 objtmp = sk_ASN1_OBJECT_value(reject, i); 710 X509_add1_reject_object(x, objtmp); 711 } 712 } 713 714 if (num) 715 { 716 for (i=1; i<=num; i++) 717 { 718 if (issuer == i) 719 { 720 print_name(STDout, "issuer= ", 721 X509_get_issuer_name(x), nmflag); 722 } 723 else if (subject == i) 724 { 725 print_name(STDout, "subject= ", 726 X509_get_subject_name(x), nmflag); 727 } 728 else if (serial == i) 729 { 730 BIO_printf(STDout,"serial="); 731 i2a_ASN1_INTEGER(STDout, 732 X509_get_serialNumber(x)); 733 BIO_printf(STDout,"\n"); 734 } 735 else if (next_serial == i) 736 { 737 BIGNUM *bnser; 738 ASN1_INTEGER *ser; 739 ser = X509_get_serialNumber(x); 740 bnser = ASN1_INTEGER_to_BN(ser, NULL); 741 if (!bnser) 742 goto end; 743 if (!BN_add_word(bnser, 1)) 744 goto end; 745 ser = BN_to_ASN1_INTEGER(bnser, NULL); 746 if (!ser) 747 goto end; 748 BN_free(bnser); 749 i2a_ASN1_INTEGER(out, ser); 750 ASN1_INTEGER_free(ser); 751 BIO_puts(out, "\n"); 752 } 753 else if ((email == i) || (ocsp_uri == i)) 754 { 755 int j; 756 STACK_OF(OPENSSL_STRING) *emlst; 757 if (email == i) 758 emlst = X509_get1_email(x); 759 else 760 emlst = X509_get1_ocsp(x); 761 for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) 762 BIO_printf(STDout, "%s\n", 763 sk_OPENSSL_STRING_value(emlst, j)); 764 X509_email_free(emlst); 765 } 766 else if (aliasout == i) 767 { 768 unsigned char *alstr; 769 alstr = X509_alias_get0(x, NULL); 770 if (alstr) BIO_printf(STDout,"%s\n", alstr); 771 else BIO_puts(STDout,"<No Alias>\n"); 772 } 773 else if (subject_hash == i) 774 { 775 BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); 776 } 777#ifndef OPENSSL_NO_MD5 778 else if (subject_hash_old == i) 779 { 780 BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); 781 } 782#endif 783 else if (issuer_hash == i) 784 { 785 BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); 786 } 787#ifndef OPENSSL_NO_MD5 788 else if (issuer_hash_old == i) 789 { 790 BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); 791 } 792#endif 793 else if (pprint == i) 794 { 795 X509_PURPOSE *ptmp; 796 int j; 797 BIO_printf(STDout, "Certificate purposes:\n"); 798 for (j = 0; j < X509_PURPOSE_get_count(); j++) 799 { 800 ptmp = X509_PURPOSE_get0(j); 801 purpose_print(STDout, x, ptmp); 802 } 803 } 804 else 805 if (modulus == i) 806 { 807 EVP_PKEY *pkey; 808 809 pkey=X509_get_pubkey(x); 810 if (pkey == NULL) 811 { 812 BIO_printf(bio_err,"Modulus=unavailable\n"); 813 ERR_print_errors(bio_err); 814 goto end; 815 } 816 BIO_printf(STDout,"Modulus="); 817#ifndef OPENSSL_NO_RSA 818 if (pkey->type == EVP_PKEY_RSA) 819 BN_print(STDout,pkey->pkey.rsa->n); 820 else 821#endif 822#ifndef OPENSSL_NO_DSA 823 if (pkey->type == EVP_PKEY_DSA) 824 BN_print(STDout,pkey->pkey.dsa->pub_key); 825 else 826#endif 827 BIO_printf(STDout,"Wrong Algorithm type"); 828 BIO_printf(STDout,"\n"); 829 EVP_PKEY_free(pkey); 830 } 831 else 832 if (pubkey == i) 833 { 834 EVP_PKEY *pkey; 835 836 pkey=X509_get_pubkey(x); 837 if (pkey == NULL) 838 { 839 BIO_printf(bio_err,"Error getting public key\n"); 840 ERR_print_errors(bio_err); 841 goto end; 842 } 843 PEM_write_bio_PUBKEY(STDout, pkey); 844 EVP_PKEY_free(pkey); 845 } 846 else 847 if (C == i) 848 { 849 unsigned char *d; 850 char *m; 851 int y,z; 852 853 X509_NAME_oneline(X509_get_subject_name(x), 854 buf,sizeof buf); 855 BIO_printf(STDout,"/* subject:%s */\n",buf); 856 m=X509_NAME_oneline( 857 X509_get_issuer_name(x),buf, 858 sizeof buf); 859 BIO_printf(STDout,"/* issuer :%s */\n",buf); 860 861 z=i2d_X509(x,NULL); 862 m=OPENSSL_malloc(z); 863 864 d=(unsigned char *)m; 865 z=i2d_X509_NAME(X509_get_subject_name(x),&d); 866 BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z); 867 d=(unsigned char *)m; 868 for (y=0; y<z; y++) 869 { 870 BIO_printf(STDout,"0x%02X,",d[y]); 871 if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n"); 872 } 873 if (y%16 != 0) BIO_printf(STDout,"\n"); 874 BIO_printf(STDout,"};\n"); 875 876 z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d); 877 BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z); 878 d=(unsigned char *)m; 879 for (y=0; y<z; y++) 880 { 881 BIO_printf(STDout,"0x%02X,",d[y]); 882 if ((y & 0x0f) == 0x0f) 883 BIO_printf(STDout,"\n"); 884 } 885 if (y%16 != 0) BIO_printf(STDout,"\n"); 886 BIO_printf(STDout,"};\n"); 887 888 z=i2d_X509(x,&d); 889 BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z); 890 d=(unsigned char *)m; 891 for (y=0; y<z; y++) 892 { 893 BIO_printf(STDout,"0x%02X,",d[y]); 894 if ((y & 0x0f) == 0x0f) 895 BIO_printf(STDout,"\n"); 896 } 897 if (y%16 != 0) BIO_printf(STDout,"\n"); 898 BIO_printf(STDout,"};\n"); 899 900 OPENSSL_free(m); 901 } 902 else if (text == i) 903 { 904 X509_print_ex(out,x,nmflag, certflag); 905 } 906 else if (startdate == i) 907 { 908 BIO_puts(STDout,"notBefore="); 909 ASN1_TIME_print(STDout,X509_get_notBefore(x)); 910 BIO_puts(STDout,"\n"); 911 } 912 else if (enddate == i) 913 { 914 BIO_puts(STDout,"notAfter="); 915 ASN1_TIME_print(STDout,X509_get_notAfter(x)); 916 BIO_puts(STDout,"\n"); 917 } 918 else if (fingerprint == i) 919 { 920 int j; 921 unsigned int n; 922 unsigned char md[EVP_MAX_MD_SIZE]; 923 const EVP_MD *fdig = digest; 924 925 if (!fdig) 926 fdig = EVP_sha1(); 927 928 if (!X509_digest(x,fdig,md,&n)) 929 { 930 BIO_printf(bio_err,"out of memory\n"); 931 goto end; 932 } 933 BIO_printf(STDout,"%s Fingerprint=", 934 OBJ_nid2sn(EVP_MD_type(fdig))); 935 for (j=0; j<(int)n; j++) 936 { 937 BIO_printf(STDout,"%02X%c",md[j], 938 (j+1 == (int)n) 939 ?'\n':':'); 940 } 941 } 942 943 /* should be in the library */ 944 else if ((sign_flag == i) && (x509req == 0)) 945 { 946 BIO_printf(bio_err,"Getting Private key\n"); 947 if (Upkey == NULL) 948 { 949 Upkey=load_key(bio_err, 950 keyfile, keyformat, 0, 951 passin, e, "Private key"); 952 if (Upkey == NULL) goto end; 953 } 954 955 assert(need_rand); 956 if (!sign(x,Upkey,days,clrext,digest, 957 extconf, extsect)) goto end; 958 } 959 else if (CA_flag == i) 960 { 961 BIO_printf(bio_err,"Getting CA Private Key\n"); 962 if (CAkeyfile != NULL) 963 { 964 CApkey=load_key(bio_err, 965 CAkeyfile, CAkeyformat, 966 0, passin, e, 967 "CA Private Key"); 968 if (CApkey == NULL) goto end; 969 } 970 971 assert(need_rand); 972 if (!x509_certify(ctx,CAfile,digest,x,xca, 973 CApkey, CAserial,CA_createserial,days, clrext, 974 extconf, extsect, sno)) 975 goto end; 976 } 977 else if (x509req == i) 978 { 979 EVP_PKEY *pk; 980 981 BIO_printf(bio_err,"Getting request Private Key\n"); 982 if (keyfile == NULL) 983 { 984 BIO_printf(bio_err,"no request key file specified\n"); 985 goto end; 986 } 987 else 988 { 989 pk=load_key(bio_err, 990 keyfile, keyformat, 0, 991 passin, e, "request key"); 992 if (pk == NULL) goto end; 993 } 994 995 BIO_printf(bio_err,"Generating certificate request\n"); 996 997 rq=X509_to_X509_REQ(x,pk,digest); 998 EVP_PKEY_free(pk); 999 if (rq == NULL) 1000 { 1001 ERR_print_errors(bio_err); 1002 goto end; 1003 } 1004 if (!noout) 1005 { 1006 X509_REQ_print(out,rq); 1007 PEM_write_bio_X509_REQ(out,rq); 1008 } 1009 noout=1; 1010 } 1011 else if (ocspid == i) 1012 { 1013 X509_ocspid_print(out, x); 1014 } 1015 } 1016 } 1017 1018 if (checkend) 1019 { 1020 time_t tcheck=time(NULL) + checkoffset; 1021 1022 if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) 1023 { 1024 BIO_printf(out,"Certificate will expire\n"); 1025 ret=1; 1026 } 1027 else 1028 { 1029 BIO_printf(out,"Certificate will not expire\n"); 1030 ret=0; 1031 } 1032 goto end; 1033 } 1034 1035 if (noout) 1036 { 1037 ret=0; 1038 goto end; 1039 } 1040 1041 if (outformat == FORMAT_ASN1) 1042 i=i2d_X509_bio(out,x); 1043 else if (outformat == FORMAT_PEM) 1044 { 1045 if (trustout) i=PEM_write_bio_X509_AUX(out,x); 1046 else i=PEM_write_bio_X509(out,x); 1047 } 1048 else if (outformat == FORMAT_NETSCAPE) 1049 { 1050 NETSCAPE_X509 nx; 1051 ASN1_OCTET_STRING hdr; 1052 1053 hdr.data=(unsigned char *)NETSCAPE_CERT_HDR; 1054 hdr.length=strlen(NETSCAPE_CERT_HDR); 1055 nx.header= &hdr; 1056 nx.cert=x; 1057 1058 i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx); 1059 } 1060 else { 1061 BIO_printf(bio_err,"bad output format specified for outfile\n"); 1062 goto end; 1063 } 1064 if (!i) 1065 { 1066 BIO_printf(bio_err,"unable to write certificate\n"); 1067 ERR_print_errors(bio_err); 1068 goto end; 1069 } 1070 ret=0; 1071end: 1072 if (need_rand) 1073 app_RAND_write_file(NULL, bio_err); 1074 OBJ_cleanup(); 1075 NCONF_free(extconf); 1076 BIO_free_all(out); 1077 BIO_free_all(STDout); 1078 X509_STORE_free(ctx); 1079 X509_REQ_free(req); 1080 X509_free(x); 1081 X509_free(xca); 1082 EVP_PKEY_free(Upkey); 1083 EVP_PKEY_free(CApkey); 1084 X509_REQ_free(rq); 1085 ASN1_INTEGER_free(sno); 1086 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 1087 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 1088 if (passin) OPENSSL_free(passin); 1089 apps_shutdown(); 1090 OPENSSL_EXIT(ret); 1091 } 1092 1093static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) 1094 { 1095 char *buf = NULL, *p; 1096 ASN1_INTEGER *bs = NULL; 1097 BIGNUM *serial = NULL; 1098 size_t len; 1099 1100 len = ((serialfile == NULL) 1101 ?(strlen(CAfile)+strlen(POSTFIX)+1) 1102 :(strlen(serialfile)))+1; 1103 buf=OPENSSL_malloc(len); 1104 if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; } 1105 if (serialfile == NULL) 1106 { 1107 BUF_strlcpy(buf,CAfile,len); 1108 for (p=buf; *p; p++) 1109 if (*p == '.') 1110 { 1111 *p='\0'; 1112 break; 1113 } 1114 BUF_strlcat(buf,POSTFIX,len); 1115 } 1116 else 1117 BUF_strlcpy(buf,serialfile,len); 1118 1119 serial = load_serial(buf, create, NULL); 1120 if (serial == NULL) goto end; 1121 1122 if (!BN_add_word(serial,1)) 1123 { BIO_printf(bio_err,"add_word failure\n"); goto end; } 1124 1125 if (!save_serial(buf, NULL, serial, &bs)) goto end; 1126 1127 end: 1128 if (buf) OPENSSL_free(buf); 1129 BN_free(serial); 1130 return bs; 1131 } 1132 1133static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, 1134 X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, 1135 int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) 1136 { 1137 int ret=0; 1138 ASN1_INTEGER *bs=NULL; 1139 X509_STORE_CTX xsc; 1140 EVP_PKEY *upkey; 1141 1142 upkey = X509_get_pubkey(xca); 1143 EVP_PKEY_copy_parameters(upkey,pkey); 1144 EVP_PKEY_free(upkey); 1145 1146 if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL)) 1147 { 1148 BIO_printf(bio_err,"Error initialising X509 store\n"); 1149 goto end; 1150 } 1151 if (sno) bs = sno; 1152 else if (!(bs = x509_load_serial(CAfile, serialfile, create))) 1153 goto end; 1154 1155/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ 1156 1157 /* NOTE: this certificate can/should be self signed, unless it was 1158 * a certificate request in which case it is not. */ 1159 X509_STORE_CTX_set_cert(&xsc,x); 1160 X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); 1161 if (!reqfile && X509_verify_cert(&xsc) <= 0) 1162 goto end; 1163 1164 if (!X509_check_private_key(xca,pkey)) 1165 { 1166 BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); 1167 goto end; 1168 } 1169 1170 if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end; 1171 if (!X509_set_serialNumber(x,bs)) goto end; 1172 1173 if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL) 1174 goto end; 1175 1176 /* hardwired expired */ 1177 if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) 1178 goto end; 1179 1180 if (clrext) 1181 { 1182 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); 1183 } 1184 1185 if (conf) 1186 { 1187 X509V3_CTX ctx2; 1188 X509_set_version(x,2); /* version 3 certificate */ 1189 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); 1190 X509V3_set_nconf(&ctx2, conf); 1191 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; 1192 } 1193 1194 if (!X509_sign(x,pkey,digest)) goto end; 1195 ret=1; 1196end: 1197 X509_STORE_CTX_cleanup(&xsc); 1198 if (!ret) 1199 ERR_print_errors(bio_err); 1200 if (!sno) ASN1_INTEGER_free(bs); 1201 return ret; 1202 } 1203 1204static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) 1205 { 1206 int err; 1207 X509 *err_cert; 1208 1209 /* it is ok to use a self signed certificate 1210 * This case will catch both the initial ok == 0 and the 1211 * final ok == 1 calls to this function */ 1212 err=X509_STORE_CTX_get_error(ctx); 1213 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) 1214 return 1; 1215 1216 /* BAD we should have gotten an error. Normally if everything 1217 * worked X509_STORE_CTX_get_error(ctx) will still be set to 1218 * DEPTH_ZERO_SELF_.... */ 1219 if (ok) 1220 { 1221 BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n"); 1222 return 0; 1223 } 1224 else 1225 { 1226 err_cert=X509_STORE_CTX_get_current_cert(ctx); 1227 print_name(bio_err, NULL, X509_get_subject_name(err_cert),0); 1228 BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n", 1229 err,X509_STORE_CTX_get_error_depth(ctx), 1230 X509_verify_cert_error_string(err)); 1231 return 1; 1232 } 1233 } 1234 1235/* self sign */ 1236static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 1237 CONF *conf, char *section) 1238 { 1239 1240 EVP_PKEY *pktmp; 1241 1242 pktmp = X509_get_pubkey(x); 1243 EVP_PKEY_copy_parameters(pktmp,pkey); 1244 EVP_PKEY_save_parameters(pktmp,1); 1245 EVP_PKEY_free(pktmp); 1246 1247 if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err; 1248 if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err; 1249 1250 /* Lets just make it 12:00am GMT, Jan 1 1970 */ 1251 /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ 1252 /* 28 days to be certified */ 1253 1254 if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) 1255 goto err; 1256 1257 if (!X509_set_pubkey(x,pkey)) goto err; 1258 if (clrext) 1259 { 1260 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); 1261 } 1262 if (conf) 1263 { 1264 X509V3_CTX ctx; 1265 X509_set_version(x,2); /* version 3 certificate */ 1266 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); 1267 X509V3_set_nconf(&ctx, conf); 1268 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err; 1269 } 1270 if (!X509_sign(x,pkey,digest)) goto err; 1271 return 1; 1272err: 1273 ERR_print_errors(bio_err); 1274 return 0; 1275 } 1276 1277static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) 1278{ 1279 int id, i, idret; 1280 char *pname; 1281 id = X509_PURPOSE_get_id(pt); 1282 pname = X509_PURPOSE_get0_name(pt); 1283 for (i = 0; i < 2; i++) 1284 { 1285 idret = X509_check_purpose(cert, id, i); 1286 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 1287 if (idret == 1) BIO_printf(bio, "Yes\n"); 1288 else if (idret == 0) BIO_printf(bio, "No\n"); 1289 else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); 1290 } 1291 return 1; 1292} 1293