ca.c revision 9dc0df1bac950d6e491f9a7c7e4888f2b301cb15
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#ifndef W_OK
# ifdef OPENSSL_SYS_VMS
# if defined(__DECC)
# include <unistd.h>
# else
# include <unixlib.h>
# endif
# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
# endif
#endif
#include "apps.h"
#ifndef W_OK
# define F_OK 0
# define X_OK 1
# define W_OK 2
# define R_OK 4
#endif
#define BASE_SECTION "ca"
#define CONFIG_FILE "openssl.cnf"
#define ENV_DEFAULT_CA "default_ca"
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define ENV_DIR "dir"
#define ENV_CERTS "certs"
#define ENV_CRL_DIR "crl_dir"
#define ENV_CA_DB "CA_DB"
#define ENV_NEW_CERTS_DIR "new_certs_dir"
#define ENV_CERTIFICATE "certificate"
#define ENV_SERIAL "serial"
#define ENV_CRLNUMBER "crlnumber"
#define ENV_CRL "crl"
#define ENV_PRIVATE_KEY "private_key"
#define ENV_RANDFILE "RANDFILE"
#define ENV_DEFAULT_DAYS "default_days"
#define ENV_DEFAULT_STARTDATE "default_startdate"
#define ENV_DEFAULT_ENDDATE "default_enddate"
#define ENV_DEFAULT_CRL_DAYS "default_crl_days"
#define ENV_DEFAULT_CRL_HOURS "default_crl_hours"
#define ENV_DEFAULT_MD "default_md"
#define ENV_DEFAULT_EMAIL_DN "email_in_dn"
#define ENV_PRESERVE "preserve"
#define ENV_POLICY "policy"
#define ENV_EXTENSIONS "x509_extensions"
#define ENV_CRLEXT "crl_extensions"
#define ENV_MSIE_HACK "msie_hack"
#define ENV_NAMEOPT "name_opt"
#define ENV_CERTOPT "cert_opt"
#define ENV_EXTCOPY "copy_extensions"
#define ENV_UNIQUE_SUBJECT "unique_subject"
#define ENV_DATABASE "database"
/* Additional revocation information types */
#define REV_NONE 0 /* No addditional information */
static const char *ca_usage[]={
"usage: ca args\n",
"\n",
" -verbose - Talk alot while doing things\n",
" -config file - A config file\n",
" -name arg - The particular CA definition to use\n",
" -gencrl - Generate a new CRL\n",
" -crldays days - Days is when the next CRL is due\n",
" -crlhours hours - Hours is when the next CRL is due\n",
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
" -days arg - number of days to certify the certificate for\n",
" -md arg - md to use, one of md2, md5, sha or sha1\n",
" -policy arg - The CA 'policy' to support\n",
" -keyfile arg - private key file\n",
" -keyform arg - private key file format (PEM or ENGINE)\n",
" -key arg - key to decode the private key if it is encrypted\n",
" -cert file - The CA certificate\n",
" -selfsign - sign a certificate with the key associated with it\n",
" -in file - The input PEM encoded certificate request(s)\n",
" -out file - Where to put the output file(s)\n",
" -outdir dir - Where to put output certificates\n",
" -infiles .... - The last argument, requests to process\n",
" -spkac file - File contains DN and signed public key and challenge\n",
" -ss_cert file - File contains a self signed cert to sign\n",
" -preserveDN - Don't re-order the DN\n",
" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
" -batch - Don't ask questions\n",
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
" -subj arg - Use arg instead of request's subject\n",
" -utf8 - input characters are UTF8 (default ASCII)\n",
" -multivalue-rdn - enable support for multivalued RDNs\n",
" -extensions .. - Extension section (override value in config file)\n",
" -extfile file - Configuration file with X509v3 extentions to add\n",
" -crlexts .. - CRL extension section (override value in config file)\n",
#ifndef OPENSSL_NO_ENGINE
" -engine e - use engine e, possibly a hardware device.\n",
#endif
" -status serial - Shows certificate status given the serial number\n",
" -updatedb - Updates db for expired certificates\n",
};
#ifdef EFENCE
extern int EF_PROTECT_FREE;
extern int EF_PROTECT_BELOW;
extern int EF_ALIGNMENT;
#endif
ENGINE *e);
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
static int check_time_format(char *str);
static int preserve=0;
static int msie_hack=0;
int MAIN(int, char **);
{
int create_ser = 0;
int free_key = 0;
int total=0;
int total_done=0;
int badops=0;
int ret=1;
int email_dn=1;
int req=0;
int verbose=0;
int gencrl=0;
int dorevoke=0;
int doupdatedb=0;
long crldays=0;
long crlhours=0;
long errorline= -1;
char *configfile=NULL;
int keyform=FORMAT_PEM;
char *spkac_file=NULL;
char *ss_cert_file=NULL;
char *ser_status=NULL;
int output_der = 0;
char *serialfile=NULL;
char *crlnumberfile=NULL;
char *extensions=NULL;
unsigned long chtype = MBSTRING_ASC;
int multirdn = 0;
char *tmp_email_dn=NULL;
long days=0;
int batch=0;
int notext=0;
int default_op = 1;
int ext_copy = EXT_COPY_NONE;
int selfsign = 0;
X509_REVOKED *r=NULL;
char *f;
const char *p, **pp;
int i,j;
#define BSIZE 256
#ifndef OPENSSL_NO_ENGINE
#endif
#ifdef EFENCE
EF_ALIGNMENT=0;
#endif
apps_startup();
preserve=0;
msie_hack=0;
argc--;
argv++;
while (argc >= 1)
{
verbose=1;
{
configfile= *(++argv);
}
{
}
{
/* preserve=1; */
}
create_ser = 1;
multirdn=1;
{
}
{
}
{
}
{
}
{
}
{
}
{
}
{
}
{
}
{
}
selfsign=1;
{
req=1;
}
{
}
{
}
notext=1;
batch=1;
preserve=1;
email_dn=0;
gencrl=1;
msie_hack=1;
{
}
{
}
{
argc--;
argv++;
req=1;
break;
}
{
ss_cert_file = *(++argv);
req=1;
}
{
spkac_file = *(++argv);
req=1;
}
{
dorevoke=1;
}
{
extensions= *(++argv);
}
{
}
{
ser_status= *(++argv);
}
{
doupdatedb=1;
}
{
}
{
}
{
}
{
}
{
}
#ifndef OPENSSL_NO_ENGINE
{
}
#endif
else
{
bad:
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
goto err;
}
/*****************************************************************/
if (configfile == NULL)
{
const char *s=X509_get_default_cert_area();
#ifdef OPENSSL_SYS_VMS
#else
#endif
}
{
if (errorline <= 0)
else
goto err;
}
if(tofree)
{
}
goto err;
#ifndef OPENSSL_NO_ENGINE
#endif
/* Lets get the config section we are using */
{
{
goto err;
}
}
{
if (p == NULL)
if (p != NULL)
{
{
/*
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
ERR_print_errors(bio_err);
*/
}
else
{
}
}
{
goto err;
}
}
if (!f)
if(f && !ASN1_STRING_set_default_mask_asc(f)) {
goto err;
}
if (chtype != MBSTRING_UTF8){
if (!f)
else if (!strcmp(f, "yes"))
}
if (p)
{
#ifdef RL_DEBUG
#endif
}
else
#ifdef RL_DEBUG
if (!p)
#endif
#ifdef RL_DEBUG
#endif
{
goto err;
}
/*****************************************************************/
/* report status of cert with serial number given on command line */
if (ser_status)
{
{
goto err;
}
goto err;
}
/*****************************************************************/
/* we definitely need a private key, so let's get it */
{
goto err;
}
if (!key)
{
free_key = 1;
{
goto err;
}
}
"CA private key");
{
/* load_key() has already printed an appropriate message */
goto err;
}
/*****************************************************************/
/* we need a certificate */
{
{
goto err;
}
"CA certificate");
goto err;
{
goto err;
}
}
if (f == NULL)
preserve=1;
if (f == NULL)
msie_hack=1;
if (f)
{
if (!set_name_ex(&nameopt, f))
{
goto err;
}
default_op = 0;
}
else
if (f)
{
if (!set_cert_ex(&certopt, f))
{
goto err;
}
default_op = 0;
}
else
if (f)
{
if (!set_ext_copy(&ext_copy, f))
{
goto err;
}
}
else
/*****************************************************************/
/* lookup where to write new certificates */
{
== NULL)
{
goto err;
}
#ifndef OPENSSL_SYS_VMS
/* outdir is a directory spec, but access() for VMS demands a
filename. In any case, stat(), below, will catch the problem
if outdir is not a directory spec, and the fopen() or open()
will catch an error if there is no write access.
Presumably, this problem could also be solved by using the DEC
C routines to convert the directory syntax to Unixly, and give
that to access(). However, time's too short to do that just
now.
*/
{
goto err;
}
{
goto err;
}
#ifdef S_ISDIR
{
goto err;
}
#endif
#endif
}
/*****************************************************************/
/* we need to load the database file */
{
goto err;
}
/* Lets check some fields */
{
{
goto err;
}
{
goto err;
}
{
goto err;
}
j=strlen(p);
if (*p == '-')
{
p++;
j--;
}
if ((j&1) || (j < 2))
{
goto err;
}
while (*p)
{
if (!( ((*p >= '0') && (*p <= '9')) ||
((*p >= 'A') && (*p <= 'F')) ||
((*p >= 'a') && (*p <= 'f'))) )
{
BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
goto err;
}
p++;
}
}
if (verbose)
{
#ifdef OPENSSL_SYS_VMS
{
}
#endif
}
/*****************************************************************/
/* Update the db file for expired certificates */
if (doupdatedb)
{
if (verbose)
dbfile);
i = do_updatedb(db);
if (i == -1)
{
goto err;
}
else if (i == 0)
{
"No entries found to mark expired\n");
}
else
{
"Done. %d entries marked as expired\n",i);
}
}
/*****************************************************************/
/* Read extentions config file */
if (extfile)
{
{
if (errorline <= 0)
extfile);
else
ret = 1;
goto err;
}
if (verbose)
/* We can have sections in the ext file */
extensions = "default";
}
/*****************************************************************/
{
{
{
goto err;
}
}
else
{
#ifdef OPENSSL_SYS_VMS
{
}
#endif
}
}
{
goto err;
}
{
goto err;
}
if (req)
{
{
email_dn=0;
}
if (verbose)
{
goto err;
}
if (verbose)
== NULL)
{
goto err;
}
if (!extconf)
{
/* no '-extfile' option, so we look for extensions
* in the main configuration file */
if (!extensions)
{
if (!extensions)
}
if (extensions)
{
/* Check syntax of file */
NULL))
{
"Error Loading extension section %s\n",
ret = 1;
goto err;
}
}
}
{
}
{
goto err;
}
{
}
{
goto err;
}
if (days == 0)
{
days = 0;
}
{
goto err;
}
{
goto err;
}
if (verbose)
{
if (BN_is_zero(serial))
else
{
OPENSSL_free(f);
}
}
{
goto err;
}
{
goto err;
}
if (spkac_file != NULL)
{
total++;
if (j < 0) goto err;
if (j > 0)
{
total_done++;
if (!sk_X509_push(cert_sk,x))
{
goto err;
}
if (outfile)
{
output_der = 1;
batch = 1;
}
}
}
if (ss_cert_file != NULL)
{
total++;
default_op, ext_copy, e);
if (j < 0) goto err;
if (j > 0)
{
total_done++;
if (!sk_X509_push(cert_sk,x))
{
goto err;
}
}
}
{
total++;
if (j < 0) goto err;
if (j > 0)
{
total_done++;
if (!sk_X509_push(cert_sk,x))
{
goto err;
}
}
}
for (i=0; i<argc; i++)
{
total++;
if (j < 0) goto err;
if (j > 0)
{
total_done++;
if (!sk_X509_push(cert_sk,x))
{
goto err;
}
}
}
/* we have a stack of newly certified certificates
* and a data base and serial number that need
* updating */
if (sk_X509_num(cert_sk) > 0)
{
if (!batch)
{
BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
buf[0][0]='\0';
{
ret=0;
goto err;
}
}
}
if (verbose)
for (i=0; i<sk_X509_num(cert_sk); i++)
{
int k;
char *n;
x=sk_X509_value(cert_sk,i);
{
goto err;
}
#ifndef OPENSSL_SYS_VMS
#endif
if (j > 0)
{
for (k=0; k<j; k++)
{
break;
BIO_snprintf(n,
"%02X",(unsigned char)*(p++));
n+=2;
}
}
else
{
*(n++)='0';
*(n++)='0';
}
*(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
*n='\0';
if (verbose)
{
goto err;
}
}
if (sk_X509_num(cert_sk))
{
/* Rename the database and the serial file */
}
}
/*****************************************************************/
if (gencrl)
{
int crl_v2 = 0;
if (!crl_ext)
{
if (!crl_ext)
}
if (crl_ext)
{
/* Check syntax of file */
{
"Error Loading CRL extension section %s\n",
crl_ext);
ret = 1;
goto err;
}
}
!= NULL)
{
goto err;
}
{
crldays = 0;
crlhours = 0;
}
{
goto err;
}
tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm,0);
{
{
if (!j) goto err;
goto err;
if (!tmpser)
goto err;
}
}
/* sort the data so it will be written in serial
* number order */
/* we now have a CRL */
#ifndef OPENSSL_NO_DSA
else
#endif
#ifndef OPENSSL_NO_ECDSA
#endif
/* Add any extensions asked for */
{
if (crl_ext)
if (crlnumberfile != NULL)
{
crl_v2 = 1;
}
}
{
goto err; /* version 2 CRL */
}
}
/*****************************************************************/
if (dorevoke)
{
{
goto err;
}
else
{
goto err;
if (j <= 0) goto err;
}
}
/*****************************************************************/
ret=0;
err:
if(tofree)
if (cert_sk)
if (db)
free_index(db);
OBJ_cleanup();
}
{
}
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
{
int ok= -1,i;
{
goto err;
}
{
infile);
goto err;
}
if (verbose)
{
ok=0;
goto err;
}
{
goto err;
}
if (i < 0)
{
ok=0;
goto err;
}
if (i == 0)
{
ok=0;
goto err;
}
else
err:
return(ok);
}
BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
{
int ok= -1,i;
goto err;
if (verbose)
{
goto err;
}
if (i < 0)
{
ok=0;
goto err;
}
if (i == 0)
{
ok=0;
goto err;
}
else
goto err;
ext_copy, 0);
err:
return(ok);
}
{
const char *p;
CONF_VALUE *cv;
char buf[25];
{
return(0);
}
for (i=0; i<DB_NUMBER; i++)
if (subj)
{
if (!n)
{
goto err;
}
X509_NAME_free(n);
}
if (default_op)
for (i=0; i<X509_NAME_entry_count(name); i++)
{
if (msie_hack)
{
/* assume all type should be strings */
(nid != NID_pkcs9_emailAddress))
if ((nid == NID_pkcs9_emailAddress) &&
}
/* If no EMAIL is wanted in the subject */
continue;
/* check some things */
{
goto err;
}
{
if ( ((j == V_ASN1_T61STRING) &&
((j == V_ASN1_IA5STRING) &&
{
goto err;
}
}
if (default_op)
}
/* Ok, now we check the 'policy' stuff. */
{
goto err;
}
/* take a copy of the issuer name before we mess with it. */
if (selfsign)
else
for (i=0; i<sk_CONF_VALUE_num(policy); i++)
{
{
goto err;
}
obj=OBJ_nid2obj(j);
last= -1;
for (;;)
{
/* lookup the object in the supplied name list */
if (j < 0)
{
if (last != -1) break;
}
else
{
}
last=j;
/* depending on the 'policy', decide what to do. */
{
}
{
{
goto err;
}
else
}
{
int last2;
{
goto err;
}
last2= -1;
if ((j < 0) && (last2 == -1))
{
BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
goto err;
}
if (j >= 0)
{
last2=j;
goto again2;
}
if (j < 0)
{
BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
goto err;
}
}
else
{
goto err;
}
{
{
goto err;
}
}
if (j < 0) break;
}
}
if (preserve)
{
/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
}
if (verbose)
/* Build the correct Subject if no e-mail is wanted in the subject */
/* and add it later on because of the method extensions are added (altName) */
if (email_dn)
else
{
/* Its best to dup the subject DN and then delete any email
* addresses because this retains its structure.
*/
{
goto err;
}
while((i = X509_NAME_get_index_by_NID(dn_subject,
NID_pkcs9_emailAddress, -1)) >= 0)
{
}
}
if (BN_is_zero(serial))
else
{
goto err;
}
{
{
"ERROR:There is already a certificate for %s\n",
}
}
{
{
}
}
{
"The matching entry has the following details\n");
p="Expired";
p="Revoked";
p="Valid";
else
p="\ninvalid type, Data base error\n";
{
}
goto err;
}
/* We are now totally happy, lets make and sign the certificate */
if (verbose)
#ifdef X509_V3
/* Make it an X509 v3 certificate. */
#endif
goto err;
if (selfsign)
{
goto err;
}
else
{
goto err;
}
if (!i) goto err;
/* Lets add the extensions, if there are any */
if (ext_sect)
{
goto err;
/* Free the current entries if any, there should not
* be any I believe */
/* Initialize the context structure */
if (selfsign)
else
if (extconf)
{
if (verbose)
/* Use the extconf configuration db LHASH */
/* Test the structure (needed?) */
/* X509V3_set_ctx_test(&ctx); */
/* Adds exts contained in the configuration file */
{
"ERROR: adding extensions in section %s\n",
ext_sect);
goto err;
}
if (verbose)
}
else if (ext_sect)
{
/* We found extensions to be set from config file */
{
goto err;
}
if (verbose)
}
}
/* Copy extensions from request (if any) */
{
goto err;
}
/* Set the right value for the noemailDN option */
if( email_dn == 0 )
{
}
if (!default_op)
{
/* Never print signature details because signature not present */
}
if (!batch)
{
buf[0]='\0';
{
ok=0;
goto err;
}
}
#ifndef OPENSSL_NO_DSA
if (EVP_PKEY_missing_parameters(pktmp) &&
#endif
#ifndef OPENSSL_NO_ECDSA
if (EVP_PKEY_missing_parameters(pktmp) &&
#endif
goto err;
/* We now just add it to the database */
/* row[DB_serial] done already */
{
goto err;
}
{
goto err;
}
for (i=0; i<DB_NUMBER; i++)
{
}
{
goto err;
}
ok=1;
err:
for (i=0; i<DB_NUMBER; i++)
if (ok <= 0)
{
}
else
return(ok);
}
{
if (output_der)
{
(void)i2d_X509_bio(bp,x);
return;
}
#if 0
/* ??? Not needed since X509_print prints all this stuff anyway */
#endif
PEM_write_bio_X509(bp,x);
}
BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
{
int ok= -1,i,j;
long errline;
int nid;
/*
* Load input file into a hash table. (This is just an easy
* way to read and parse the file, then put it into a convenient
* STACK format).
*/
{
goto err;
}
if (sk_CONF_VALUE_num(sk) == 0)
{
goto err;
}
/*
* Now create a dummy X509 request structure. We don't actually
* have an X509 request, but we have many of the components
* (a public key, various DN components). The idea is that we
* put these components into the right X509 request structure
* and we can use the same code as if you had a real X509 request.
*/
req=X509_REQ_new();
{
goto err;
}
/*
* Build up the subject name set.
*/
for (i = 0; ; i++)
{
if (sk_CONF_VALUE_num(sk) <= i) break;
/* Skip past any leading X. X: X, etc to allow for
* multiple instances
*/
{
buf++;
break;
}
{
{
{
goto err;
}
}
continue;
}
/*
if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
continue;
*/
{
"invalid characters in string %s\n",buf);
goto err;
}
(unsigned char *)buf,
goto err;
}
{
infile);
goto err;
}
/*
* Now extract the key from the SPKI structure.
*/
{
goto err;
}
if (j <= 0)
{
goto err;
}
ext_copy, 0);
err:
return(ok);
}
{
if (nid == NID_pkcs9_emailAddress)
return(0);
if (nid == NID_pkcs9_unstructuredName)
return(1);
}
static int check_time_format(char *str)
{
return(ASN1_UTCTIME_check(&tm));
}
{
int ok=-1,i;
for (i=0; i<DB_NUMBER; i++)
if (BN_is_zero(bn))
else
{
goto err;
}
/* We have to lookup by serial number because name lookup
* skips revoked certs
*/
{
BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);
/* We now just add it to the database */
/* row[DB_serial] done already */
/* row[DB_name] done already */
{
goto err;
}
{
goto err;
}
for (i=0; i<DB_NUMBER; i++)
{
}
{
goto err;
}
/* Revoke Certificate */
goto err;
}
{
goto err;
}
{
goto err;
}
else
{
if (!rev_str)
{
goto err;
}
}
ok=1;
err:
for (i=0; i<DB_NUMBER; i++)
{
OPENSSL_free(row[i]);
}
return(ok);
}
{
int ok=-1,i;
/* Free Resources */
for (i=0; i<DB_NUMBER; i++)
/* Malloc needed char spaces */
{
goto err;
}
{
/* Set the first char to 0 */;
/* Copy String from serial to row[DB_serial] */
}
else
{
/* Copy String from serial to row[DB_serial] */
}
/* Make it Upper Case */
ok=1;
/* Search for the certificate */
{
ok=-1;
goto err;
}
{
goto err;
}
{
goto err;
}
{
goto err;
}
{
goto err;
}
else
{
ok=-1;
}
err:
for (i=0; i<DB_NUMBER; i++)
{
OPENSSL_free(row[i]);
}
return(ok);
}
{
int i, cnt = 0;
a_tm = ASN1_UTCTIME_new();
/* get actual time and make a string */
{
cnt = -1;
goto err;
}
a_y2k = 1;
else
a_y2k = 0;
{
{
/* ignore entries that are not valid */
db_y2k = 1;
else
db_y2k = 0;
{
/* all on the same y2k side */
{
cnt++;
}
}
{
cnt++;
}
}
}
err:
return (cnt);
}
static const char *crl_reasons[] = {
/* CRL reason strings */
"unspecified",
"keyCompromise",
"CACompromise",
"affiliationChanged",
"superseded",
"cessationOfOperation",
"certificateHold",
"removeFromCRL",
/* Additional pseudo reasons */
"holdInstruction",
"keyTime",
"CAkeyTime"
};
#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
/* Given revocation information convert to a DB string.
* The format of the string is:
* revtime[,reason,extra]. Where 'revtime' is the
* revocation time (the current time). 'reason' is the
* optional CRL reason and 'extra' is any additional
* argument
*/
{
int i;
switch (rev_type)
{
case REV_NONE:
break;
case REV_CRL_REASON:
for (i = 0; i < 8; i++)
{
{
reason = crl_reasons[i];
break;
}
}
{
return NULL;
}
break;
case REV_HOLD:
/* Argument is an OID */
{
return NULL;
}
reason = "holdInstruction";
break;
case REV_KEY_COMPROMISE:
case REV_CA_COMPROMISE:
/* Argument is the key compromise time */
{
return NULL;
}
if (rev_type == REV_KEY_COMPROMISE)
reason = "keyTime";
else
reason = "CAkeyTime";
break;
}
str = OPENSSL_malloc(i);
if (reason)
{
}
if (other)
{
}
return str;
}
/* Convert revocation field to X509_REVOKED entry
* return code:
* 0 error
* 1 OK
* 2 OK and some extensions added (i.e. V2 CRL)
*/
{
int reason_code = -1;
int i, ret = 0;
if (i == 0)
goto err;
goto err;
{
rtmp = ASN1_ENUMERATED_new();
goto err;
goto err;
}
{
goto err;
}
{
goto err;
}
ret = 2;
else ret = 1;
err:
return ret;
}
{
int j;
for (j=22-j; j>0; j--)
*(pbuf++)=' ';
*(pbuf++)=':';
*(pbuf++)='\0';
else
{
if ((*p >= ' ') && (*p <= '~'))
else if (*p & 0x80)
else if ((unsigned char)*p == 0xf7)
p++;
}
return 1;
}
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, const char *str)
{
int reason_code = -1;
int ret = 0;
unsigned int i;
if (p)
{
*p = '\0';
p++;
reason_str = p;
p = strchr(p, ',');
if (p)
{
*p = '\0';
arg_str = p + 1;
}
}
if (prevtm)
{
*prevtm = ASN1_UTCTIME_new();
{
goto err;
}
}
if (reason_str)
{
for (i = 0; i < NUM_REASONS; i++)
{
{
reason_code = i;
break;
}
}
{
goto err;
}
if (reason_code == 7)
{
if (!arg_str)
{
goto err;
}
if (!hold)
{
goto err;
}
}
{
if (!arg_str)
{
goto err;
}
{
goto err;
}
if (reason_code == 9)
else
}
}
ret = 1;
err:
return ret;
}