x509.c revision 160815
1/* apps/x509.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59#include <assert.h> 60#include <stdio.h> 61#include <stdlib.h> 62#include <string.h> 63#ifdef OPENSSL_NO_STDIO 64#define APPS_WIN16 65#endif 66#include "apps.h" 67#include <openssl/bio.h> 68#include <openssl/asn1.h> 69#include <openssl/err.h> 70#include <openssl/bn.h> 71#include <openssl/evp.h> 72#include <openssl/x509.h> 73#include <openssl/x509v3.h> 74#include <openssl/objects.h> 75#include <openssl/pem.h> 76#ifndef OPENSSL_NO_RSA 77#include <openssl/rsa.h> 78#endif 79#ifndef OPENSSL_NO_DSA 80#include <openssl/dsa.h> 81#endif 82 83#undef PROG 84#define PROG x509_main 85 86#undef POSTFIX 87#define POSTFIX ".srl" 88#define DEF_DAYS 30 89 90static const char *x509_usage[]={ 91"usage: x509 args\n", 92" -inform arg - input format - default PEM (one of DER, NET or PEM)\n", 93" -outform arg - output format - default PEM (one of DER, NET or PEM)\n", 94" -keyform arg - private key format - default PEM\n", 95" -CAform arg - CA format - default PEM\n", 96" -CAkeyform arg - CA key format - default PEM\n", 97" -in arg - input file - default stdin\n", 98" -out arg - output file - default stdout\n", 99" -passin arg - private key password source\n", 100" -serial - print serial number value\n", 101" -subject_hash - print subject hash value\n", 102" -issuer_hash - print issuer hash value\n", 103" -hash - synonym for -subject_hash\n", 104" -subject - print subject DN\n", 105" -issuer - print issuer DN\n", 106" -email - print email address(es)\n", 107" -startdate - notBefore field\n", 108" -enddate - notAfter field\n", 109" -purpose - print out certificate purposes\n", 110" -dates - both Before and After dates\n", 111" -modulus - print the RSA key modulus\n", 112" -pubkey - output the public key\n", 113" -fingerprint - print the certificate fingerprint\n", 114" -alias - output certificate alias\n", 115" -noout - no certificate output\n", 116" -ocspid - print OCSP hash values for the subject name and public key\n", 117" -trustout - output a \"trusted\" certificate\n", 118" -clrtrust - clear all trusted purposes\n", 119" -clrreject - clear all rejected purposes\n", 120" -addtrust arg - trust certificate for a given purpose\n", 121" -addreject arg - reject certificate for a given purpose\n", 122" -setalias arg - set certificate alias\n", 123" -days arg - How long till expiry of a signed certificate - def 30 days\n", 124" -checkend arg - check whether the cert expires in the next arg seconds\n", 125" exit 1 if so, 0 if not\n", 126" -signkey arg - self sign cert with arg\n", 127" -x509toreq - output a certification request object\n", 128" -req - input is a certificate request, sign and output.\n", 129" -CA arg - set the CA certificate, must be PEM format.\n", 130" -CAkey arg - set the CA key, must be PEM format\n", 131" missing, it is assumed to be in the CA file.\n", 132" -CAcreateserial - create serial number file if it does not exist\n", 133" -CAserial arg - serial file\n", 134" -set_serial - serial number to use\n", 135" -text - print the certificate in text form\n", 136" -C - print out C code forms\n", 137" -md2/-md5/-sha1/-mdc2 - digest to use\n", 138" -extfile - configuration file with X509V3 extensions to add\n", 139" -extensions - section from config file with X509V3 extensions to add\n", 140" -clrext - delete extensions before signing and input certificate\n", 141" -nameopt arg - various certificate name options\n", 142#ifndef OPENSSL_NO_ENGINE 143" -engine e - use engine e, possibly a hardware device.\n", 144#endif 145" -certopt arg - various certificate text options\n", 146NULL 147}; 148 149static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); 150static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, 151 CONF *conf, char *section); 152static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, 153 X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial, 154 int create,int days, int clrext, CONF *conf, char *section, 155 ASN1_INTEGER *sno); 156static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); 157static int reqfile=0; 158 159int MAIN(int, char **); 160 161int MAIN(int argc, char **argv) 162 { 163 ENGINE *e = NULL; 164 int ret=1; 165 X509_REQ *req=NULL; 166 X509 *x=NULL,*xca=NULL; 167 ASN1_OBJECT *objtmp; 168 EVP_PKEY *Upkey=NULL,*CApkey=NULL; 169 ASN1_INTEGER *sno = NULL; 170 int i,num,badops=0; 171 BIO *out=NULL; 172 BIO *STDout=NULL; 173 STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; 174 int informat,outformat,keyformat,CAformat,CAkeyformat; 175 char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; 176 char *CAkeyfile=NULL,*CAserial=NULL; 177 char *alias=NULL; 178 int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; 179 int next_serial=0; 180 int subject_hash=0,issuer_hash=0,ocspid=0; 181 int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; 182 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; 183 int C=0; 184 int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; 185 int pprint = 0; 186 const char **pp; 187 X509_STORE *ctx=NULL; 188 X509_REQ *rq=NULL; 189 int fingerprint=0; 190 char buf[256]; 191 const EVP_MD *md_alg,*digest=EVP_sha1(); 192 CONF *extconf = NULL; 193 char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; 194 int need_rand = 0; 195 int checkend=0,checkoffset=0; 196 unsigned long nmflag = 0, certflag = 0; 197#ifndef OPENSSL_NO_ENGINE 198 char *engine=NULL; 199#endif 200 201 reqfile=0; 202 203 apps_startup(); 204 205 if (bio_err == NULL) 206 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 207 208 if (!load_config(bio_err, NULL)) 209 goto end; 210 STDout=BIO_new_fp(stdout,BIO_NOCLOSE); 211#ifdef OPENSSL_SYS_VMS 212 { 213 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 214 STDout = BIO_push(tmpbio, STDout); 215 } 216#endif 217 218 informat=FORMAT_PEM; 219 outformat=FORMAT_PEM; 220 keyformat=FORMAT_PEM; 221 CAformat=FORMAT_PEM; 222 CAkeyformat=FORMAT_PEM; 223 224 ctx=X509_STORE_new(); 225 if (ctx == NULL) goto end; 226 X509_STORE_set_verify_cb_func(ctx,callb); 227 228 argc--; 229 argv++; 230 num=0; 231 while (argc >= 1) 232 { 233 if (strcmp(*argv,"-inform") == 0) 234 { 235 if (--argc < 1) goto bad; 236 informat=str2fmt(*(++argv)); 237 } 238 else if (strcmp(*argv,"-outform") == 0) 239 { 240 if (--argc < 1) goto bad; 241 outformat=str2fmt(*(++argv)); 242 } 243 else if (strcmp(*argv,"-keyform") == 0) 244 { 245 if (--argc < 1) goto bad; 246 keyformat=str2fmt(*(++argv)); 247 } 248 else if (strcmp(*argv,"-req") == 0) 249 { 250 reqfile=1; 251 need_rand = 1; 252 } 253 else if (strcmp(*argv,"-CAform") == 0) 254 { 255 if (--argc < 1) goto bad; 256 CAformat=str2fmt(*(++argv)); 257 } 258 else if (strcmp(*argv,"-CAkeyform") == 0) 259 { 260 if (--argc < 1) goto bad; 261 CAkeyformat=str2fmt(*(++argv)); 262 } 263 else if (strcmp(*argv,"-days") == 0) 264 { 265 if (--argc < 1) goto bad; 266 days=atoi(*(++argv)); 267 if (days == 0) 268 { 269 BIO_printf(STDout,"bad number of days\n"); 270 goto bad; 271 } 272 } 273 else if (strcmp(*argv,"-passin") == 0) 274 { 275 if (--argc < 1) goto bad; 276 passargin= *(++argv); 277 } 278 else if (strcmp(*argv,"-extfile") == 0) 279 { 280 if (--argc < 1) goto bad; 281 extfile= *(++argv); 282 } 283 else if (strcmp(*argv,"-extensions") == 0) 284 { 285 if (--argc < 1) goto bad; 286 extsect= *(++argv); 287 } 288 else if (strcmp(*argv,"-in") == 0) 289 { 290 if (--argc < 1) goto bad; 291 infile= *(++argv); 292 } 293 else if (strcmp(*argv,"-out") == 0) 294 { 295 if (--argc < 1) goto bad; 296 outfile= *(++argv); 297 } 298 else if (strcmp(*argv,"-signkey") == 0) 299 { 300 if (--argc < 1) goto bad; 301 keyfile= *(++argv); 302 sign_flag= ++num; 303 need_rand = 1; 304 } 305 else if (strcmp(*argv,"-CA") == 0) 306 { 307 if (--argc < 1) goto bad; 308 CAfile= *(++argv); 309 CA_flag= ++num; 310 need_rand = 1; 311 } 312 else if (strcmp(*argv,"-CAkey") == 0) 313 { 314 if (--argc < 1) goto bad; 315 CAkeyfile= *(++argv); 316 } 317 else if (strcmp(*argv,"-CAserial") == 0) 318 { 319 if (--argc < 1) goto bad; 320 CAserial= *(++argv); 321 } 322 else if (strcmp(*argv,"-set_serial") == 0) 323 { 324 if (--argc < 1) goto bad; 325 if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) 326 goto bad; 327 } 328 else if (strcmp(*argv,"-addtrust") == 0) 329 { 330 if (--argc < 1) goto bad; 331 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) 332 { 333 BIO_printf(bio_err, 334 "Invalid trust object value %s\n", *argv); 335 goto bad; 336 } 337 if (!trust) trust = sk_ASN1_OBJECT_new_null(); 338 sk_ASN1_OBJECT_push(trust, objtmp); 339 trustout = 1; 340 } 341 else if (strcmp(*argv,"-addreject") == 0) 342 { 343 if (--argc < 1) goto bad; 344 if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) 345 { 346 BIO_printf(bio_err, 347 "Invalid reject object value %s\n", *argv); 348 goto bad; 349 } 350 if (!reject) reject = sk_ASN1_OBJECT_new_null(); 351 sk_ASN1_OBJECT_push(reject, objtmp); 352 trustout = 1; 353 } 354 else if (strcmp(*argv,"-setalias") == 0) 355 { 356 if (--argc < 1) goto bad; 357 alias= *(++argv); 358 trustout = 1; 359 } 360 else if (strcmp(*argv,"-certopt") == 0) 361 { 362 if (--argc < 1) goto bad; 363 if (!set_cert_ex(&certflag, *(++argv))) goto bad; 364 } 365 else if (strcmp(*argv,"-nameopt") == 0) 366 { 367 if (--argc < 1) goto bad; 368 if (!set_name_ex(&nmflag, *(++argv))) goto bad; 369 } 370#ifndef OPENSSL_NO_ENGINE 371 else if (strcmp(*argv,"-engine") == 0) 372 { 373 if (--argc < 1) goto bad; 374 engine= *(++argv); 375 } 376#endif 377 else if (strcmp(*argv,"-C") == 0) 378 C= ++num; 379 else if (strcmp(*argv,"-email") == 0) 380 email= ++num; 381 else if (strcmp(*argv,"-serial") == 0) 382 serial= ++num; 383 else if (strcmp(*argv,"-next_serial") == 0) 384 next_serial= ++num; 385 else if (strcmp(*argv,"-modulus") == 0) 386 modulus= ++num; 387 else if (strcmp(*argv,"-pubkey") == 0) 388 pubkey= ++num; 389 else if (strcmp(*argv,"-x509toreq") == 0) 390 x509req= ++num; 391 else if (strcmp(*argv,"-text") == 0) 392 text= ++num; 393 else if (strcmp(*argv,"-hash") == 0 394 || strcmp(*argv,"-subject_hash") == 0) 395 subject_hash= ++num; 396 else if (strcmp(*argv,"-issuer_hash") == 0) 397 issuer_hash= ++num; 398 else if (strcmp(*argv,"-subject") == 0) 399 subject= ++num; 400 else if (strcmp(*argv,"-issuer") == 0) 401 issuer= ++num; 402 else if (strcmp(*argv,"-fingerprint") == 0) 403 fingerprint= ++num; 404 else if (strcmp(*argv,"-dates") == 0) 405 { 406 startdate= ++num; 407 enddate= ++num; 408 } 409 else if (strcmp(*argv,"-purpose") == 0) 410 pprint= ++num; 411 else if (strcmp(*argv,"-startdate") == 0) 412 startdate= ++num; 413 else if (strcmp(*argv,"-enddate") == 0) 414 enddate= ++num; 415 else if (strcmp(*argv,"-checkend") == 0) 416 { 417 if (--argc < 1) goto bad; 418 checkoffset=atoi(*(++argv)); 419 checkend=1; 420 } 421 else if (strcmp(*argv,"-noout") == 0) 422 noout= ++num; 423 else if (strcmp(*argv,"-trustout") == 0) 424 trustout= 1; 425 else if (strcmp(*argv,"-clrtrust") == 0) 426 clrtrust= ++num; 427 else if (strcmp(*argv,"-clrreject") == 0) 428 clrreject= ++num; 429 else if (strcmp(*argv,"-alias") == 0) 430 aliasout= ++num; 431 else if (strcmp(*argv,"-CAcreateserial") == 0) 432 CA_createserial= ++num; 433 else if (strcmp(*argv,"-clrext") == 0) 434 clrext = 1; 435#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */ 436 else if (strcmp(*argv,"-crlext") == 0) 437 { 438 BIO_printf(bio_err,"use -clrext instead of -crlext\n"); 439 clrext = 1; 440 } 441#endif 442 else if (strcmp(*argv,"-ocspid") == 0) 443 ocspid= ++num; 444 else if ((md_alg=EVP_get_digestbyname(*argv + 1))) 445 { 446 /* ok */ 447 digest=md_alg; 448 } 449 else 450 { 451 BIO_printf(bio_err,"unknown option %s\n",*argv); 452 badops=1; 453 break; 454 } 455 argc--; 456 argv++; 457 } 458 459 if (badops) 460 { 461bad: 462 for (pp=x509_usage; (*pp != NULL); pp++) 463 BIO_printf(bio_err,"%s",*pp); 464 goto end; 465 } 466 467#ifndef OPENSSL_NO_ENGINE 468 e = setup_engine(bio_err, engine, 0); 469#endif 470 471 if (need_rand) 472 app_RAND_load_file(NULL, bio_err, 0); 473 474 ERR_load_crypto_strings(); 475 476 if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) 477 { 478 BIO_printf(bio_err, "Error getting password\n"); 479 goto end; 480 } 481 482 if (!X509_STORE_set_default_paths(ctx)) 483 { 484 ERR_print_errors(bio_err); 485 goto end; 486 } 487 488 if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) 489 { CAkeyfile=CAfile; } 490 else if ((CA_flag) && (CAkeyfile == NULL)) 491 { 492 BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n"); 493 goto end; 494 } 495 496 if (extfile) 497 { 498 long errorline = -1; 499 X509V3_CTX ctx2; 500 extconf = NCONF_new(NULL); 501 if (!NCONF_load(extconf, extfile,&errorline)) 502 { 503 if (errorline <= 0) 504 BIO_printf(bio_err, 505 "error loading the config file '%s'\n", 506 extfile); 507 else 508 BIO_printf(bio_err, 509 "error on line %ld of config file '%s'\n" 510 ,errorline,extfile); 511 goto end; 512 } 513 if (!extsect) 514 { 515 extsect = NCONF_get_string(extconf, "default", "extensions"); 516 if (!extsect) 517 { 518 ERR_clear_error(); 519 extsect = "default"; 520 } 521 } 522 X509V3_set_ctx_test(&ctx2); 523 X509V3_set_nconf(&ctx2, extconf); 524 if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) 525 { 526 BIO_printf(bio_err, 527 "Error Loading extension section %s\n", 528 extsect); 529 ERR_print_errors(bio_err); 530 goto end; 531 } 532 } 533 534 535 if (reqfile) 536 { 537 EVP_PKEY *pkey; 538 X509_CINF *ci; 539 BIO *in; 540 541 if (!sign_flag && !CA_flag) 542 { 543 BIO_printf(bio_err,"We need a private key to sign with\n"); 544 goto end; 545 } 546 in=BIO_new(BIO_s_file()); 547 if (in == NULL) 548 { 549 ERR_print_errors(bio_err); 550 goto end; 551 } 552 553 if (infile == NULL) 554 BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT); 555 else 556 { 557 if (BIO_read_filename(in,infile) <= 0) 558 { 559 perror(infile); 560 BIO_free(in); 561 goto end; 562 } 563 } 564 req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); 565 BIO_free(in); 566 567 if (req == NULL) 568 { 569 ERR_print_errors(bio_err); 570 goto end; 571 } 572 573 if ( (req->req_info == NULL) || 574 (req->req_info->pubkey == NULL) || 575 (req->req_info->pubkey->public_key == NULL) || 576 (req->req_info->pubkey->public_key->data == NULL)) 577 { 578 BIO_printf(bio_err,"The certificate request appears to corrupted\n"); 579 BIO_printf(bio_err,"It does not contain a public key\n"); 580 goto end; 581 } 582 if ((pkey=X509_REQ_get_pubkey(req)) == NULL) 583 { 584 BIO_printf(bio_err,"error unpacking public key\n"); 585 goto end; 586 } 587 i=X509_REQ_verify(req,pkey); 588 EVP_PKEY_free(pkey); 589 if (i < 0) 590 { 591 BIO_printf(bio_err,"Signature verification error\n"); 592 ERR_print_errors(bio_err); 593 goto end; 594 } 595 if (i == 0) 596 { 597 BIO_printf(bio_err,"Signature did not match the certificate request\n"); 598 goto end; 599 } 600 else 601 BIO_printf(bio_err,"Signature ok\n"); 602 603 print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); 604 605 if ((x=X509_new()) == NULL) goto end; 606 ci=x->cert_info; 607 608 if (sno == NULL) 609 { 610 sno = ASN1_INTEGER_new(); 611 if (!sno || !rand_serial(NULL, sno)) 612 goto end; 613 if (!X509_set_serialNumber(x, sno)) 614 goto end; 615 ASN1_INTEGER_free(sno); 616 sno = NULL; 617 } 618 else if (!X509_set_serialNumber(x, sno)) 619 goto end; 620 621 if (!X509_set_issuer_name(x,req->req_info->subject)) goto end; 622 if (!X509_set_subject_name(x,req->req_info->subject)) goto end; 623 624 X509_gmtime_adj(X509_get_notBefore(x),0); 625 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); 626 627 pkey = X509_REQ_get_pubkey(req); 628 X509_set_pubkey(x,pkey); 629 EVP_PKEY_free(pkey); 630 } 631 else 632 x=load_cert(bio_err,infile,informat,NULL,e,"Certificate"); 633 634 if (x == NULL) goto end; 635 if (CA_flag) 636 { 637 xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate"); 638 if (xca == NULL) goto end; 639 } 640 641 if (!noout || text || next_serial) 642 { 643 OBJ_create("2.99999.3", 644 "SET.ex3","SET x509v3 extension 3"); 645 646 out=BIO_new(BIO_s_file()); 647 if (out == NULL) 648 { 649 ERR_print_errors(bio_err); 650 goto end; 651 } 652 if (outfile == NULL) 653 { 654 BIO_set_fp(out,stdout,BIO_NOCLOSE); 655#ifdef OPENSSL_SYS_VMS 656 { 657 BIO *tmpbio = BIO_new(BIO_f_linebuffer()); 658 out = BIO_push(tmpbio, out); 659 } 660#endif 661 } 662 else 663 { 664 if (BIO_write_filename(out,outfile) <= 0) 665 { 666 perror(outfile); 667 goto end; 668 } 669 } 670 } 671 672 if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); 673 674 if (clrtrust) X509_trust_clear(x); 675 if (clrreject) X509_reject_clear(x); 676 677 if (trust) 678 { 679 for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) 680 { 681 objtmp = sk_ASN1_OBJECT_value(trust, i); 682 X509_add1_trust_object(x, objtmp); 683 } 684 } 685 686 if (reject) 687 { 688 for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) 689 { 690 objtmp = sk_ASN1_OBJECT_value(reject, i); 691 X509_add1_reject_object(x, objtmp); 692 } 693 } 694 695 if (num) 696 { 697 for (i=1; i<=num; i++) 698 { 699 if (issuer == i) 700 { 701 print_name(STDout, "issuer= ", 702 X509_get_issuer_name(x), nmflag); 703 } 704 else if (subject == i) 705 { 706 print_name(STDout, "subject= ", 707 X509_get_subject_name(x), nmflag); 708 } 709 else if (serial == i) 710 { 711 BIO_printf(STDout,"serial="); 712 i2a_ASN1_INTEGER(STDout, 713 X509_get_serialNumber(x)); 714 BIO_printf(STDout,"\n"); 715 } 716 else if (next_serial == i) 717 { 718 BIGNUM *bnser; 719 ASN1_INTEGER *ser; 720 ser = X509_get_serialNumber(x); 721 bnser = ASN1_INTEGER_to_BN(ser, NULL); 722 if (!bnser) 723 goto end; 724 if (!BN_add_word(bnser, 1)) 725 goto end; 726 ser = BN_to_ASN1_INTEGER(bnser, NULL); 727 if (!ser) 728 goto end; 729 BN_free(bnser); 730 i2a_ASN1_INTEGER(out, ser); 731 ASN1_INTEGER_free(ser); 732 BIO_puts(out, "\n"); 733 } 734 else if (email == i) 735 { 736 int j; 737 STACK *emlst; 738 emlst = X509_get1_email(x); 739 for (j = 0; j < sk_num(emlst); j++) 740 BIO_printf(STDout, "%s\n", sk_value(emlst, j)); 741 X509_email_free(emlst); 742 } 743 else if (aliasout == i) 744 { 745 unsigned char *alstr; 746 alstr = X509_alias_get0(x, NULL); 747 if (alstr) BIO_printf(STDout,"%s\n", alstr); 748 else BIO_puts(STDout,"<No Alias>\n"); 749 } 750 else if (subject_hash == i) 751 { 752 BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); 753 } 754 else if (issuer_hash == i) 755 { 756 BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); 757 } 758 else if (pprint == i) 759 { 760 X509_PURPOSE *ptmp; 761 int j; 762 BIO_printf(STDout, "Certificate purposes:\n"); 763 for (j = 0; j < X509_PURPOSE_get_count(); j++) 764 { 765 ptmp = X509_PURPOSE_get0(j); 766 purpose_print(STDout, x, ptmp); 767 } 768 } 769 else 770 if (modulus == i) 771 { 772 EVP_PKEY *pkey; 773 774 pkey=X509_get_pubkey(x); 775 if (pkey == NULL) 776 { 777 BIO_printf(bio_err,"Modulus=unavailable\n"); 778 ERR_print_errors(bio_err); 779 goto end; 780 } 781 BIO_printf(STDout,"Modulus="); 782#ifndef OPENSSL_NO_RSA 783 if (pkey->type == EVP_PKEY_RSA) 784 BN_print(STDout,pkey->pkey.rsa->n); 785 else 786#endif 787#ifndef OPENSSL_NO_DSA 788 if (pkey->type == EVP_PKEY_DSA) 789 BN_print(STDout,pkey->pkey.dsa->pub_key); 790 else 791#endif 792 BIO_printf(STDout,"Wrong Algorithm type"); 793 BIO_printf(STDout,"\n"); 794 EVP_PKEY_free(pkey); 795 } 796 else 797 if (pubkey == i) 798 { 799 EVP_PKEY *pkey; 800 801 pkey=X509_get_pubkey(x); 802 if (pkey == NULL) 803 { 804 BIO_printf(bio_err,"Error getting public key\n"); 805 ERR_print_errors(bio_err); 806 goto end; 807 } 808 PEM_write_bio_PUBKEY(STDout, pkey); 809 EVP_PKEY_free(pkey); 810 } 811 else 812 if (C == i) 813 { 814 unsigned char *d; 815 char *m; 816 int y,z; 817 818 X509_NAME_oneline(X509_get_subject_name(x), 819 buf,sizeof buf); 820 BIO_printf(STDout,"/* subject:%s */\n",buf); 821 m=X509_NAME_oneline( 822 X509_get_issuer_name(x),buf, 823 sizeof buf); 824 BIO_printf(STDout,"/* issuer :%s */\n",buf); 825 826 z=i2d_X509(x,NULL); 827 m=OPENSSL_malloc(z); 828 829 d=(unsigned char *)m; 830 z=i2d_X509_NAME(X509_get_subject_name(x),&d); 831 BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z); 832 d=(unsigned char *)m; 833 for (y=0; y<z; y++) 834 { 835 BIO_printf(STDout,"0x%02X,",d[y]); 836 if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n"); 837 } 838 if (y%16 != 0) BIO_printf(STDout,"\n"); 839 BIO_printf(STDout,"};\n"); 840 841 z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d); 842 BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z); 843 d=(unsigned char *)m; 844 for (y=0; y<z; y++) 845 { 846 BIO_printf(STDout,"0x%02X,",d[y]); 847 if ((y & 0x0f) == 0x0f) 848 BIO_printf(STDout,"\n"); 849 } 850 if (y%16 != 0) BIO_printf(STDout,"\n"); 851 BIO_printf(STDout,"};\n"); 852 853 z=i2d_X509(x,&d); 854 BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z); 855 d=(unsigned char *)m; 856 for (y=0; y<z; y++) 857 { 858 BIO_printf(STDout,"0x%02X,",d[y]); 859 if ((y & 0x0f) == 0x0f) 860 BIO_printf(STDout,"\n"); 861 } 862 if (y%16 != 0) BIO_printf(STDout,"\n"); 863 BIO_printf(STDout,"};\n"); 864 865 OPENSSL_free(m); 866 } 867 else if (text == i) 868 { 869 X509_print_ex(out,x,nmflag, certflag); 870 } 871 else if (startdate == i) 872 { 873 BIO_puts(STDout,"notBefore="); 874 ASN1_TIME_print(STDout,X509_get_notBefore(x)); 875 BIO_puts(STDout,"\n"); 876 } 877 else if (enddate == i) 878 { 879 BIO_puts(STDout,"notAfter="); 880 ASN1_TIME_print(STDout,X509_get_notAfter(x)); 881 BIO_puts(STDout,"\n"); 882 } 883 else if (fingerprint == i) 884 { 885 int j; 886 unsigned int n; 887 unsigned char md[EVP_MAX_MD_SIZE]; 888 889 if (!X509_digest(x,digest,md,&n)) 890 { 891 BIO_printf(bio_err,"out of memory\n"); 892 goto end; 893 } 894 BIO_printf(STDout,"%s Fingerprint=", 895 OBJ_nid2sn(EVP_MD_type(digest))); 896 for (j=0; j<(int)n; j++) 897 { 898 BIO_printf(STDout,"%02X%c",md[j], 899 (j+1 == (int)n) 900 ?'\n':':'); 901 } 902 } 903 904 /* should be in the library */ 905 else if ((sign_flag == i) && (x509req == 0)) 906 { 907 BIO_printf(bio_err,"Getting Private key\n"); 908 if (Upkey == NULL) 909 { 910 Upkey=load_key(bio_err, 911 keyfile, keyformat, 0, 912 passin, e, "Private key"); 913 if (Upkey == NULL) goto end; 914 } 915#ifndef OPENSSL_NO_DSA 916 if (Upkey->type == EVP_PKEY_DSA) 917 digest=EVP_dss1(); 918#endif 919#ifndef OPENSSL_NO_ECDSA 920 if (Upkey->type == EVP_PKEY_EC) 921 digest=EVP_ecdsa(); 922#endif 923 924 assert(need_rand); 925 if (!sign(x,Upkey,days,clrext,digest, 926 extconf, extsect)) goto end; 927 } 928 else if (CA_flag == i) 929 { 930 BIO_printf(bio_err,"Getting CA Private Key\n"); 931 if (CAkeyfile != NULL) 932 { 933 CApkey=load_key(bio_err, 934 CAkeyfile, CAkeyformat, 935 0, passin, e, 936 "CA Private Key"); 937 if (CApkey == NULL) goto end; 938 } 939#ifndef OPENSSL_NO_DSA 940 if (CApkey->type == EVP_PKEY_DSA) 941 digest=EVP_dss1(); 942#endif 943#ifndef OPENSSL_NO_ECDSA 944 if (CApkey->type == EVP_PKEY_EC) 945 digest = EVP_ecdsa(); 946#endif 947 948 assert(need_rand); 949 if (!x509_certify(ctx,CAfile,digest,x,xca, 950 CApkey, CAserial,CA_createserial,days, clrext, 951 extconf, extsect, sno)) 952 goto end; 953 } 954 else if (x509req == i) 955 { 956 EVP_PKEY *pk; 957 958 BIO_printf(bio_err,"Getting request Private Key\n"); 959 if (keyfile == NULL) 960 { 961 BIO_printf(bio_err,"no request key file specified\n"); 962 goto end; 963 } 964 else 965 { 966 pk=load_key(bio_err, 967 keyfile, FORMAT_PEM, 0, 968 passin, e, "request key"); 969 if (pk == NULL) goto end; 970 } 971 972 BIO_printf(bio_err,"Generating certificate request\n"); 973 974#ifndef OPENSSL_NO_DSA 975 if (pk->type == EVP_PKEY_DSA) 976 digest=EVP_dss1(); 977#endif 978#ifndef OPENSSL_NO_ECDSA 979 if (pk->type == EVP_PKEY_EC) 980 digest=EVP_ecdsa(); 981#endif 982 983 rq=X509_to_X509_REQ(x,pk,digest); 984 EVP_PKEY_free(pk); 985 if (rq == NULL) 986 { 987 ERR_print_errors(bio_err); 988 goto end; 989 } 990 if (!noout) 991 { 992 X509_REQ_print(out,rq); 993 PEM_write_bio_X509_REQ(out,rq); 994 } 995 noout=1; 996 } 997 else if (ocspid == i) 998 { 999 X509_ocspid_print(out, x); 1000 } 1001 } 1002 } 1003 1004 if (checkend) 1005 { 1006 time_t tcheck=time(NULL) + checkoffset; 1007 1008 if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) 1009 { 1010 BIO_printf(out,"Certificate will expire\n"); 1011 ret=1; 1012 } 1013 else 1014 { 1015 BIO_printf(out,"Certificate will not expire\n"); 1016 ret=0; 1017 } 1018 goto end; 1019 } 1020 1021 if (noout) 1022 { 1023 ret=0; 1024 goto end; 1025 } 1026 1027 if (outformat == FORMAT_ASN1) 1028 i=i2d_X509_bio(out,x); 1029 else if (outformat == FORMAT_PEM) 1030 { 1031 if (trustout) i=PEM_write_bio_X509_AUX(out,x); 1032 else i=PEM_write_bio_X509(out,x); 1033 } 1034 else if (outformat == FORMAT_NETSCAPE) 1035 { 1036 ASN1_HEADER ah; 1037 ASN1_OCTET_STRING os; 1038 1039 os.data=(unsigned char *)NETSCAPE_CERT_HDR; 1040 os.length=strlen(NETSCAPE_CERT_HDR); 1041 ah.header= &os; 1042 ah.data=(char *)x; 1043 ah.meth=X509_asn1_meth(); 1044 1045 i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah); 1046 } 1047 else { 1048 BIO_printf(bio_err,"bad output format specified for outfile\n"); 1049 goto end; 1050 } 1051 if (!i) 1052 { 1053 BIO_printf(bio_err,"unable to write certificate\n"); 1054 ERR_print_errors(bio_err); 1055 goto end; 1056 } 1057 ret=0; 1058end: 1059 if (need_rand) 1060 app_RAND_write_file(NULL, bio_err); 1061 OBJ_cleanup(); 1062 NCONF_free(extconf); 1063 BIO_free_all(out); 1064 BIO_free_all(STDout); 1065 X509_STORE_free(ctx); 1066 X509_REQ_free(req); 1067 X509_free(x); 1068 X509_free(xca); 1069 EVP_PKEY_free(Upkey); 1070 EVP_PKEY_free(CApkey); 1071 X509_REQ_free(rq); 1072 ASN1_INTEGER_free(sno); 1073 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); 1074 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); 1075 if (passin) OPENSSL_free(passin); 1076 apps_shutdown(); 1077 OPENSSL_EXIT(ret); 1078 } 1079 1080static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) 1081 { 1082 char *buf = NULL, *p; 1083 ASN1_INTEGER *bs = NULL; 1084 BIGNUM *serial = NULL; 1085 size_t len; 1086 1087 len = ((serialfile == NULL) 1088 ?(strlen(CAfile)+strlen(POSTFIX)+1) 1089 :(strlen(serialfile)))+1; 1090 buf=OPENSSL_malloc(len); 1091 if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; } 1092 if (serialfile == NULL) 1093 { 1094 BUF_strlcpy(buf,CAfile,len); 1095 for (p=buf; *p; p++) 1096 if (*p == '.') 1097 { 1098 *p='\0'; 1099 break; 1100 } 1101 BUF_strlcat(buf,POSTFIX,len); 1102 } 1103 else 1104 BUF_strlcpy(buf,serialfile,len); 1105 1106 serial = load_serial(buf, create, NULL); 1107 if (serial == NULL) goto end; 1108 1109 if (!BN_add_word(serial,1)) 1110 { BIO_printf(bio_err,"add_word failure\n"); goto end; } 1111 1112 if (!save_serial(buf, NULL, serial, &bs)) goto end; 1113 1114 end: 1115 if (buf) OPENSSL_free(buf); 1116 BN_free(serial); 1117 return bs; 1118 } 1119 1120static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, 1121 X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create, 1122 int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) 1123 { 1124 int ret=0; 1125 ASN1_INTEGER *bs=NULL; 1126 X509_STORE_CTX xsc; 1127 EVP_PKEY *upkey; 1128 1129 upkey = X509_get_pubkey(xca); 1130 EVP_PKEY_copy_parameters(upkey,pkey); 1131 EVP_PKEY_free(upkey); 1132 1133 if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL)) 1134 { 1135 BIO_printf(bio_err,"Error initialising X509 store\n"); 1136 goto end; 1137 } 1138 if (sno) bs = sno; 1139 else if (!(bs = x509_load_serial(CAfile, serialfile, create))) 1140 goto end; 1141 1142/* if (!X509_STORE_add_cert(ctx,x)) goto end;*/ 1143 1144 /* NOTE: this certificate can/should be self signed, unless it was 1145 * a certificate request in which case it is not. */ 1146 X509_STORE_CTX_set_cert(&xsc,x); 1147 if (!reqfile && !X509_verify_cert(&xsc)) 1148 goto end; 1149 1150 if (!X509_check_private_key(xca,pkey)) 1151 { 1152 BIO_printf(bio_err,"CA certificate and CA private key do not match\n"); 1153 goto end; 1154 } 1155 1156 if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end; 1157 if (!X509_set_serialNumber(x,bs)) goto end; 1158 1159 if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL) 1160 goto end; 1161 1162 /* hardwired expired */ 1163 if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) 1164 goto end; 1165 1166 if (clrext) 1167 { 1168 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); 1169 } 1170 1171 if (conf) 1172 { 1173 X509V3_CTX ctx2; 1174 X509_set_version(x,2); /* version 3 certificate */ 1175 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); 1176 X509V3_set_nconf(&ctx2, conf); 1177 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end; 1178 } 1179 1180 if (!X509_sign(x,pkey,digest)) goto end; 1181 ret=1; 1182end: 1183 X509_STORE_CTX_cleanup(&xsc); 1184 if (!ret) 1185 ERR_print_errors(bio_err); 1186 if (!sno) ASN1_INTEGER_free(bs); 1187 return ret; 1188 } 1189 1190static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) 1191 { 1192 int err; 1193 X509 *err_cert; 1194 1195 /* it is ok to use a self signed certificate 1196 * This case will catch both the initial ok == 0 and the 1197 * final ok == 1 calls to this function */ 1198 err=X509_STORE_CTX_get_error(ctx); 1199 if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) 1200 return 1; 1201 1202 /* BAD we should have gotten an error. Normally if everything 1203 * worked X509_STORE_CTX_get_error(ctx) will still be set to 1204 * DEPTH_ZERO_SELF_.... */ 1205 if (ok) 1206 { 1207 BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n"); 1208 return 0; 1209 } 1210 else 1211 { 1212 err_cert=X509_STORE_CTX_get_current_cert(ctx); 1213 print_name(bio_err, NULL, X509_get_subject_name(err_cert),0); 1214 BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n", 1215 err,X509_STORE_CTX_get_error_depth(ctx), 1216 X509_verify_cert_error_string(err)); 1217 return 1; 1218 } 1219 } 1220 1221/* self sign */ 1222static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 1223 CONF *conf, char *section) 1224 { 1225 1226 EVP_PKEY *pktmp; 1227 1228 pktmp = X509_get_pubkey(x); 1229 EVP_PKEY_copy_parameters(pktmp,pkey); 1230 EVP_PKEY_save_parameters(pktmp,1); 1231 EVP_PKEY_free(pktmp); 1232 1233 if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err; 1234 if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err; 1235 1236 /* Lets just make it 12:00am GMT, Jan 1 1970 */ 1237 /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ 1238 /* 28 days to be certified */ 1239 1240 if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) 1241 goto err; 1242 1243 if (!X509_set_pubkey(x,pkey)) goto err; 1244 if (clrext) 1245 { 1246 while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0); 1247 } 1248 if (conf) 1249 { 1250 X509V3_CTX ctx; 1251 X509_set_version(x,2); /* version 3 certificate */ 1252 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); 1253 X509V3_set_nconf(&ctx, conf); 1254 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err; 1255 } 1256 if (!X509_sign(x,pkey,digest)) goto err; 1257 return 1; 1258err: 1259 ERR_print_errors(bio_err); 1260 return 0; 1261 } 1262 1263static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) 1264{ 1265 int id, i, idret; 1266 char *pname; 1267 id = X509_PURPOSE_get_id(pt); 1268 pname = X509_PURPOSE_get0_name(pt); 1269 for (i = 0; i < 2; i++) 1270 { 1271 idret = X509_check_purpose(cert, id, i); 1272 BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 1273 if (idret == 1) BIO_printf(bio, "Yes\n"); 1274 else if (idret == 0) BIO_printf(bio, "No\n"); 1275 else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); 1276 } 1277 return 1; 1278} 1279