2
0

crl.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429
  1. /* apps/crl.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include <stdlib.h>
  60. #include <string.h>
  61. #include "apps.h"
  62. #include <openssl/bio.h>
  63. #include <openssl/err.h>
  64. #include <openssl/x509.h>
  65. #include <openssl/x509v3.h>
  66. #include <openssl/pem.h>
  67. #undef PROG
  68. #define PROG crl_main
  69. #undef POSTFIX
  70. #define POSTFIX ".rvk"
  71. static const char *crl_usage[]={
  72. "usage: crl args\n",
  73. "\n",
  74. " -inform arg - input format - default PEM (DER or PEM)\n",
  75. " -outform arg - output format - default PEM\n",
  76. " -text - print out a text format version\n",
  77. " -in arg - input file - default stdin\n",
  78. " -out arg - output file - default stdout\n",
  79. " -hash - print hash value\n",
  80. " -fingerprint - print the crl fingerprint\n",
  81. " -issuer - print issuer DN\n",
  82. " -lastupdate - lastUpdate field\n",
  83. " -nextupdate - nextUpdate field\n",
  84. " -noout - no CRL output\n",
  85. " -CAfile name - verify CRL using certificates in file \"name\"\n",
  86. " -CApath dir - verify CRL using certificates in \"dir\"\n",
  87. " -nameopt arg - various certificate name options\n",
  88. NULL
  89. };
  90. static X509_CRL *load_crl(char *file, int format);
  91. static BIO *bio_out=NULL;
  92. int MAIN(int, char **);
  93. int MAIN(int argc, char **argv)
  94. {
  95. unsigned long nmflag = 0;
  96. X509_CRL *x=NULL;
  97. char *CAfile = NULL, *CApath = NULL;
  98. int ret=1,i,num,badops=0;
  99. BIO *out=NULL;
  100. int informat,outformat;
  101. char *infile=NULL,*outfile=NULL;
  102. int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
  103. int fingerprint = 0;
  104. const char **pp;
  105. X509_STORE *store = NULL;
  106. X509_STORE_CTX ctx;
  107. X509_LOOKUP *lookup = NULL;
  108. X509_OBJECT xobj;
  109. EVP_PKEY *pkey;
  110. int do_ver = 0;
  111. const EVP_MD *md_alg,*digest=EVP_sha1();
  112. apps_startup();
  113. if (bio_err == NULL)
  114. if ((bio_err=BIO_new(BIO_s_file())) != NULL)
  115. BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
  116. if (!load_config(bio_err, NULL))
  117. goto end;
  118. if (bio_out == NULL)
  119. if ((bio_out=BIO_new(BIO_s_file())) != NULL)
  120. {
  121. BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
  122. #ifdef OPENSSL_SYS_VMS
  123. {
  124. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  125. bio_out = BIO_push(tmpbio, bio_out);
  126. }
  127. #endif
  128. }
  129. informat=FORMAT_PEM;
  130. outformat=FORMAT_PEM;
  131. argc--;
  132. argv++;
  133. num=0;
  134. while (argc >= 1)
  135. {
  136. #ifdef undef
  137. if (strcmp(*argv,"-p") == 0)
  138. {
  139. if (--argc < 1) goto bad;
  140. if (!args_from_file(++argv,Nargc,Nargv)) { goto end; }*/
  141. }
  142. #endif
  143. if (strcmp(*argv,"-inform") == 0)
  144. {
  145. if (--argc < 1) goto bad;
  146. informat=str2fmt(*(++argv));
  147. }
  148. else if (strcmp(*argv,"-outform") == 0)
  149. {
  150. if (--argc < 1) goto bad;
  151. outformat=str2fmt(*(++argv));
  152. }
  153. else if (strcmp(*argv,"-in") == 0)
  154. {
  155. if (--argc < 1) goto bad;
  156. infile= *(++argv);
  157. }
  158. else if (strcmp(*argv,"-out") == 0)
  159. {
  160. if (--argc < 1) goto bad;
  161. outfile= *(++argv);
  162. }
  163. else if (strcmp(*argv,"-CApath") == 0)
  164. {
  165. if (--argc < 1) goto bad;
  166. CApath = *(++argv);
  167. do_ver = 1;
  168. }
  169. else if (strcmp(*argv,"-CAfile") == 0)
  170. {
  171. if (--argc < 1) goto bad;
  172. CAfile = *(++argv);
  173. do_ver = 1;
  174. }
  175. else if (strcmp(*argv,"-verify") == 0)
  176. do_ver = 1;
  177. else if (strcmp(*argv,"-text") == 0)
  178. text = 1;
  179. else if (strcmp(*argv,"-hash") == 0)
  180. hash= ++num;
  181. else if (strcmp(*argv,"-nameopt") == 0)
  182. {
  183. if (--argc < 1) goto bad;
  184. if (!set_name_ex(&nmflag, *(++argv))) goto bad;
  185. }
  186. else if (strcmp(*argv,"-issuer") == 0)
  187. issuer= ++num;
  188. else if (strcmp(*argv,"-lastupdate") == 0)
  189. lastupdate= ++num;
  190. else if (strcmp(*argv,"-nextupdate") == 0)
  191. nextupdate= ++num;
  192. else if (strcmp(*argv,"-noout") == 0)
  193. noout= ++num;
  194. else if (strcmp(*argv,"-fingerprint") == 0)
  195. fingerprint= ++num;
  196. else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
  197. {
  198. /* ok */
  199. digest=md_alg;
  200. }
  201. else
  202. {
  203. BIO_printf(bio_err,"unknown option %s\n",*argv);
  204. badops=1;
  205. break;
  206. }
  207. argc--;
  208. argv++;
  209. }
  210. if (badops)
  211. {
  212. bad:
  213. for (pp=crl_usage; (*pp != NULL); pp++)
  214. BIO_printf(bio_err,"%s",*pp);
  215. goto end;
  216. }
  217. ERR_load_crypto_strings();
  218. x=load_crl(infile,informat);
  219. if (x == NULL) { goto end; }
  220. if(do_ver) {
  221. store = X509_STORE_new();
  222. lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
  223. if (lookup == NULL) goto end;
  224. if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM))
  225. X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
  226. lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
  227. if (lookup == NULL) goto end;
  228. if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM))
  229. X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
  230. ERR_clear_error();
  231. if(!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
  232. BIO_printf(bio_err,
  233. "Error initialising X509 store\n");
  234. goto end;
  235. }
  236. i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
  237. X509_CRL_get_issuer(x), &xobj);
  238. if(i <= 0) {
  239. BIO_printf(bio_err,
  240. "Error getting CRL issuer certificate\n");
  241. goto end;
  242. }
  243. pkey = X509_get_pubkey(xobj.data.x509);
  244. X509_OBJECT_free_contents(&xobj);
  245. if(!pkey) {
  246. BIO_printf(bio_err,
  247. "Error getting CRL issuer public key\n");
  248. goto end;
  249. }
  250. i = X509_CRL_verify(x, pkey);
  251. EVP_PKEY_free(pkey);
  252. if(i < 0) goto end;
  253. if(i == 0) BIO_printf(bio_err, "verify failure\n");
  254. else BIO_printf(bio_err, "verify OK\n");
  255. }
  256. if (num)
  257. {
  258. for (i=1; i<=num; i++)
  259. {
  260. if (issuer == i)
  261. {
  262. print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
  263. }
  264. if (hash == i)
  265. {
  266. BIO_printf(bio_out,"%08lx\n",
  267. X509_NAME_hash(X509_CRL_get_issuer(x)));
  268. }
  269. if (lastupdate == i)
  270. {
  271. BIO_printf(bio_out,"lastUpdate=");
  272. ASN1_TIME_print(bio_out,
  273. X509_CRL_get_lastUpdate(x));
  274. BIO_printf(bio_out,"\n");
  275. }
  276. if (nextupdate == i)
  277. {
  278. BIO_printf(bio_out,"nextUpdate=");
  279. if (X509_CRL_get_nextUpdate(x))
  280. ASN1_TIME_print(bio_out,
  281. X509_CRL_get_nextUpdate(x));
  282. else
  283. BIO_printf(bio_out,"NONE");
  284. BIO_printf(bio_out,"\n");
  285. }
  286. if (fingerprint == i)
  287. {
  288. int j;
  289. unsigned int n;
  290. unsigned char md[EVP_MAX_MD_SIZE];
  291. if (!X509_CRL_digest(x,digest,md,&n))
  292. {
  293. BIO_printf(bio_err,"out of memory\n");
  294. goto end;
  295. }
  296. BIO_printf(bio_out,"%s Fingerprint=",
  297. OBJ_nid2sn(EVP_MD_type(digest)));
  298. for (j=0; j<(int)n; j++)
  299. {
  300. BIO_printf(bio_out,"%02X%c",md[j],
  301. (j+1 == (int)n)
  302. ?'\n':':');
  303. }
  304. }
  305. }
  306. }
  307. out=BIO_new(BIO_s_file());
  308. if (out == NULL)
  309. {
  310. ERR_print_errors(bio_err);
  311. goto end;
  312. }
  313. if (outfile == NULL)
  314. {
  315. BIO_set_fp(out,stdout,BIO_NOCLOSE);
  316. #ifdef OPENSSL_SYS_VMS
  317. {
  318. BIO *tmpbio = BIO_new(BIO_f_linebuffer());
  319. out = BIO_push(tmpbio, out);
  320. }
  321. #endif
  322. }
  323. else
  324. {
  325. if (BIO_write_filename(out,outfile) <= 0)
  326. {
  327. perror(outfile);
  328. goto end;
  329. }
  330. }
  331. if (text) X509_CRL_print(out, x);
  332. if (noout)
  333. {
  334. ret = 0;
  335. goto end;
  336. }
  337. if (outformat == FORMAT_ASN1)
  338. i=(int)i2d_X509_CRL_bio(out,x);
  339. else if (outformat == FORMAT_PEM)
  340. i=PEM_write_bio_X509_CRL(out,x);
  341. else
  342. {
  343. BIO_printf(bio_err,"bad output format specified for outfile\n");
  344. goto end;
  345. }
  346. if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
  347. ret=0;
  348. end:
  349. BIO_free_all(out);
  350. BIO_free_all(bio_out);
  351. bio_out=NULL;
  352. X509_CRL_free(x);
  353. if(store) {
  354. X509_STORE_CTX_cleanup(&ctx);
  355. X509_STORE_free(store);
  356. }
  357. apps_shutdown();
  358. OPENSSL_EXIT(ret);
  359. }
  360. static X509_CRL *load_crl(char *infile, int format)
  361. {
  362. X509_CRL *x=NULL;
  363. BIO *in=NULL;
  364. in=BIO_new(BIO_s_file());
  365. if (in == NULL)
  366. {
  367. ERR_print_errors(bio_err);
  368. goto end;
  369. }
  370. if (infile == NULL)
  371. BIO_set_fp(in,stdin,BIO_NOCLOSE);
  372. else
  373. {
  374. if (BIO_read_filename(in,infile) <= 0)
  375. {
  376. perror(infile);
  377. goto end;
  378. }
  379. }
  380. if (format == FORMAT_ASN1)
  381. x=d2i_X509_CRL_bio(in,NULL);
  382. else if (format == FORMAT_PEM)
  383. x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
  384. else {
  385. BIO_printf(bio_err,"bad input format specified for input crl\n");
  386. goto end;
  387. }
  388. if (x == NULL)
  389. {
  390. BIO_printf(bio_err,"unable to load CRL\n");
  391. ERR_print_errors(bio_err);
  392. goto end;
  393. }
  394. end:
  395. BIO_free(in);
  396. return(x);
  397. }