x509.c 39 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  2. * All rights reserved.
  3. *
  4. * This package is an SSL implementation written
  5. * by Eric Young (eay@cryptsoft.com).
  6. * The implementation was written so as to conform with Netscapes SSL.
  7. *
  8. * This library is free for commercial and non-commercial use as long as
  9. * the following conditions are aheared to. The following conditions
  10. * apply to all code found in this distribution, be it the RC4, RSA,
  11. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  12. * included with this distribution is covered by the same copyright terms
  13. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  14. *
  15. * Copyright remains Eric Young's, and as such any Copyright notices in
  16. * the code are not to be removed.
  17. * If this package is used in a product, Eric Young should be given attribution
  18. * as the author of the parts of the library used.
  19. * This can be in the form of a textual message at program startup or
  20. * in documentation (online or textual) provided with the package.
  21. *
  22. * Redistribution and use in source and binary forms, with or without
  23. * modification, are permitted provided that the following conditions
  24. * are met:
  25. * 1. Redistributions of source code must retain the copyright
  26. * notice, this list of conditions and the following disclaimer.
  27. * 2. Redistributions in binary form must reproduce the above copyright
  28. * notice, this list of conditions and the following disclaimer in the
  29. * documentation and/or other materials provided with the distribution.
  30. * 3. All advertising materials mentioning features or use of this software
  31. * must display the following acknowledgement:
  32. * "This product includes cryptographic software written by
  33. * Eric Young (eay@cryptsoft.com)"
  34. * The word 'cryptographic' can be left out if the rouines from the library
  35. * being used are not cryptographic related :-).
  36. * 4. If you include any Windows specific code (or a derivative thereof) from
  37. * the apps directory (application code) you must include an acknowledgement:
  38. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  41. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  43. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  44. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  45. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  46. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  48. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  49. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  50. * SUCH DAMAGE.
  51. *
  52. * The licence and distribution terms for any publically available version or
  53. * derivative of this code cannot be changed. i.e. this code cannot simply be
  54. * copied and put under another distribution licence
  55. * [including the GNU Public Licence.]
  56. */
  57. #include <stdio.h>
  58. #include <stdlib.h>
  59. #include <string.h>
  60. #include "apps.h"
  61. #include <openssl/bio.h>
  62. #include <openssl/asn1.h>
  63. #include <openssl/err.h>
  64. #include <openssl/bn.h>
  65. #include <openssl/evp.h>
  66. #include <openssl/x509.h>
  67. #include <openssl/x509v3.h>
  68. #include <openssl/objects.h>
  69. #include <openssl/pem.h>
  70. #ifndef OPENSSL_NO_RSA
  71. # include <openssl/rsa.h>
  72. #endif
  73. #ifndef OPENSSL_NO_DSA
  74. # include <openssl/dsa.h>
  75. #endif
  76. #undef POSTFIX
  77. #define POSTFIX ".srl"
  78. #define DEF_DAYS 30
  79. static int callb(int ok, X509_STORE_CTX *ctx);
  80. static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
  81. const EVP_MD *digest, CONF *conf, char *section);
  82. static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
  83. X509 *x, X509 *xca, EVP_PKEY *pkey,
  84. STACK_OF(OPENSSL_STRING) *sigopts, char *serial,
  85. int create, int days, int clrext, CONF *conf,
  86. char *section, ASN1_INTEGER *sno, int reqfile);
  87. static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
  88. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  89. static int force_version = 2;
  90. #endif
  91. typedef enum OPTION_choice {
  92. OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
  93. OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
  94. OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE,
  95. OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA,
  96. OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY,
  97. OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT,
  98. OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL,
  99. OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH,
  100. OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES,
  101. OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST,
  102. OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST,
  103. OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
  104. OPT_SUBJECT_HASH_OLD,
  105. OPT_ISSUER_HASH_OLD,
  106. OPT_FORCE_VERSION,
  107. OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
  108. } OPTION_CHOICE;
  109. OPTIONS x509_options[] = {
  110. {"help", OPT_HELP, '-', "Display this summary"},
  111. {"inform", OPT_INFORM, 'f',
  112. "Input format - default PEM (one of DER, NET or PEM)"},
  113. {"in", OPT_IN, '<', "Input file - default stdin"},
  114. {"outform", OPT_OUTFORM, 'f',
  115. "Output format - default PEM (one of DER, NET or PEM)"},
  116. {"out", OPT_OUT, '>', "Output file - default stdout"},
  117. {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
  118. {"passin", OPT_PASSIN, 's', "Private key password source"},
  119. {"serial", OPT_SERIAL, '-', "Print serial number value"},
  120. {"subject_hash", OPT_HASH, '-', "Print subject hash value"},
  121. {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
  122. {"hash", OPT_HASH, '-', "Synonym for -subject_hash"},
  123. {"subject", OPT_SUBJECT, '-', "Print subject DN"},
  124. {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
  125. {"email", OPT_EMAIL, '-', "Print email address(es)"},
  126. {"startdate", OPT_STARTDATE, '-', "Set notBefore field"},
  127. {"enddate", OPT_ENDDATE, '-', "Set notAfter field"},
  128. {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
  129. {"dates", OPT_DATES, '-', "Both Before and After dates"},
  130. {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
  131. {"pubkey", OPT_PUBKEY, '-', "Output the public key"},
  132. {"fingerprint", OPT_FINGERPRINT, '-',
  133. "Print the certificate fingerprint"},
  134. {"alias", OPT_ALIAS, '-', "Output certificate alias"},
  135. {"noout", OPT_NOOUT, '-', "No output, just status"},
  136. {"nocert", OPT_NOCERT, '-', "No certificate output"},
  137. {"ocspid", OPT_OCSPID, '-',
  138. "Print OCSP hash values for the subject name and public key"},
  139. {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
  140. {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"},
  141. {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
  142. {"clrext", OPT_CLREXT, '-', "Clear all rejected purposes"},
  143. {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
  144. {"addreject", OPT_ADDREJECT, 's',
  145. "Reject certificate for a given purpose"},
  146. {"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
  147. {"days", OPT_DAYS, 'n',
  148. "How long till expiry of a signed certificate - def 30 days"},
  149. {"checkend", OPT_CHECKEND, 'M',
  150. "Check whether the cert expires in the next arg seconds"},
  151. {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
  152. {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
  153. {"x509toreq", OPT_X509TOREQ, '-',
  154. "Output a certification request object"},
  155. {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
  156. {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
  157. {"CAkey", OPT_CAKEY, 's',
  158. "The CA key, must be PEM format; if not in CAfile"},
  159. {"CAcreateserial", OPT_CACREATESERIAL, '-',
  160. "Create serial number file if it does not exist"},
  161. {"CAserial", OPT_CASERIAL, 's', "Serial file"},
  162. {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
  163. {"text", OPT_TEXT, '-', "Print the certificate in text form"},
  164. {"C", OPT_C, '-', "Print out C code forms"},
  165. {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"},
  166. {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"},
  167. {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
  168. {"certopt", OPT_CERTOPT, 's', "Various certificate text options"},
  169. {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"},
  170. {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
  171. {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
  172. {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
  173. {"CAkeyform", OPT_CAKEYFORM, 'F', "CA key format - default PEM"},
  174. {"sigopt", OPT_SIGOPT, 's'},
  175. {"force_pubkey", OPT_FORCE_PUBKEY, '<'},
  176. {"next_serial", OPT_NEXT_SERIAL, '-'},
  177. {"clrreject", OPT_CLRREJECT, '-'},
  178. {"badsig", OPT_BADSIG, '-'},
  179. {"", OPT_MD, '-', "Any supported digest"},
  180. #ifndef OPENSSL_NO_MD5
  181. {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
  182. "Print old-style (MD5) issuer hash value"},
  183. {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
  184. "Print old-style (MD5) subject hash value"},
  185. #endif
  186. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  187. {"force_version", OPT_FORCE_VERSION, 'p'},
  188. #endif
  189. #ifndef OPENSSL_NO_ENGINE
  190. {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
  191. #endif
  192. {NULL}
  193. };
  194. int x509_main(int argc, char **argv)
  195. {
  196. ASN1_INTEGER *sno = NULL;
  197. ASN1_OBJECT *objtmp;
  198. BIO *out = NULL;
  199. CONF *extconf = NULL;
  200. EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
  201. STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
  202. STACK_OF(OPENSSL_STRING) *sigopts = NULL;
  203. X509 *x = NULL, *xca = NULL;
  204. X509_REQ *req = NULL, *rq = NULL;
  205. X509_STORE *ctx = NULL;
  206. const EVP_MD *digest = NULL;
  207. char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL;
  208. char *checkhost = NULL, *checkemail = NULL, *checkip = NULL;
  209. char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL;
  210. char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
  211. char buf[256], *prog;
  212. int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0;
  213. int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM;
  214. int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0;
  215. int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
  216. int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0;
  217. int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0;
  218. int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
  219. int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
  220. int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
  221. int enddate = 0;
  222. time_t checkoffset = 0;
  223. unsigned long nmflag = 0, certflag = 0;
  224. char nmflag_set = 0;
  225. OPTION_CHOICE o;
  226. ENGINE *e = NULL;
  227. #ifndef OPENSSL_NO_MD5
  228. int subject_hash_old = 0, issuer_hash_old = 0;
  229. #endif
  230. ctx = X509_STORE_new();
  231. if (ctx == NULL)
  232. goto end;
  233. X509_STORE_set_verify_cb(ctx, callb);
  234. prog = opt_init(argc, argv, x509_options);
  235. while ((o = opt_next()) != OPT_EOF) {
  236. switch (o) {
  237. case OPT_EOF:
  238. case OPT_ERR:
  239. opthelp:
  240. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  241. goto end;
  242. case OPT_HELP:
  243. opt_help(x509_options);
  244. ret = 0;
  245. goto end;
  246. case OPT_INFORM:
  247. if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
  248. goto opthelp;
  249. break;
  250. case OPT_IN:
  251. infile = opt_arg();
  252. break;
  253. case OPT_OUTFORM:
  254. if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
  255. goto opthelp;
  256. break;
  257. case OPT_KEYFORM:
  258. if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
  259. goto opthelp;
  260. break;
  261. case OPT_CAFORM:
  262. if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat))
  263. goto opthelp;
  264. break;
  265. case OPT_CAKEYFORM:
  266. if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
  267. goto opthelp;
  268. break;
  269. case OPT_OUT:
  270. outfile = opt_arg();
  271. break;
  272. case OPT_REQ:
  273. reqfile = need_rand = 1;
  274. break;
  275. case OPT_SIGOPT:
  276. if (!sigopts)
  277. sigopts = sk_OPENSSL_STRING_new_null();
  278. if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
  279. goto opthelp;
  280. break;
  281. case OPT_FORCE_VERSION:
  282. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  283. force_version = atoi(opt_arg()) - 1;
  284. #endif
  285. break;
  286. case OPT_DAYS:
  287. days = atoi(opt_arg());
  288. break;
  289. case OPT_PASSIN:
  290. passinarg = opt_arg();
  291. break;
  292. case OPT_EXTFILE:
  293. extfile = opt_arg();
  294. break;
  295. case OPT_EXTENSIONS:
  296. extsect = opt_arg();
  297. break;
  298. case OPT_SIGNKEY:
  299. keyfile = opt_arg();
  300. sign_flag = ++num;
  301. need_rand = 1;
  302. break;
  303. case OPT_CA:
  304. CAfile = opt_arg();
  305. CA_flag = ++num;
  306. need_rand = 1;
  307. break;
  308. case OPT_CAKEY:
  309. CAkeyfile = opt_arg();
  310. break;
  311. case OPT_CASERIAL:
  312. CAserial = opt_arg();
  313. break;
  314. case OPT_SET_SERIAL:
  315. if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL)
  316. goto opthelp;
  317. break;
  318. case OPT_FORCE_PUBKEY:
  319. fkeyfile = opt_arg();
  320. break;
  321. case OPT_ADDTRUST:
  322. if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
  323. BIO_printf(bio_err,
  324. "%s: Invalid trust object value %s\n",
  325. prog, opt_arg());
  326. goto opthelp;
  327. }
  328. if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL)
  329. goto end;
  330. sk_ASN1_OBJECT_push(trust, objtmp);
  331. trustout = 1;
  332. break;
  333. case OPT_ADDREJECT:
  334. if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) {
  335. BIO_printf(bio_err,
  336. "%s: Invalid reject object value %s\n",
  337. prog, opt_arg());
  338. goto opthelp;
  339. }
  340. if (reject == NULL
  341. && (reject = sk_ASN1_OBJECT_new_null()) == NULL)
  342. goto end;
  343. sk_ASN1_OBJECT_push(reject, objtmp);
  344. trustout = 1;
  345. break;
  346. case OPT_SETALIAS:
  347. alias = opt_arg();
  348. trustout = 1;
  349. break;
  350. case OPT_CERTOPT:
  351. if (!set_cert_ex(&certflag, opt_arg()))
  352. goto opthelp;
  353. break;
  354. case OPT_NAMEOPT:
  355. nmflag_set = 1;
  356. if (!set_name_ex(&nmflag, opt_arg()))
  357. goto opthelp;
  358. break;
  359. case OPT_ENGINE:
  360. e = setup_engine(opt_arg(), 0);
  361. break;
  362. case OPT_C:
  363. C = ++num;
  364. break;
  365. case OPT_EMAIL:
  366. email = ++num;
  367. break;
  368. case OPT_OCSP_URI:
  369. ocsp_uri = ++num;
  370. break;
  371. case OPT_SERIAL:
  372. serial = ++num;
  373. break;
  374. case OPT_NEXT_SERIAL:
  375. next_serial = ++num;
  376. break;
  377. case OPT_MODULUS:
  378. modulus = ++num;
  379. break;
  380. case OPT_PUBKEY:
  381. pubkey = ++num;
  382. break;
  383. case OPT_X509TOREQ:
  384. x509req = ++num;
  385. break;
  386. case OPT_TEXT:
  387. text = ++num;
  388. break;
  389. case OPT_SUBJECT:
  390. subject = ++num;
  391. break;
  392. case OPT_ISSUER:
  393. issuer = ++num;
  394. break;
  395. case OPT_FINGERPRINT:
  396. fingerprint = ++num;
  397. break;
  398. case OPT_HASH:
  399. subject_hash = ++num;
  400. break;
  401. case OPT_ISSUER_HASH:
  402. issuer_hash = ++num;
  403. break;
  404. case OPT_PURPOSE:
  405. pprint = ++num;
  406. break;
  407. case OPT_STARTDATE:
  408. startdate = ++num;
  409. break;
  410. case OPT_ENDDATE:
  411. enddate = ++num;
  412. break;
  413. case OPT_NOOUT:
  414. noout = ++num;
  415. break;
  416. case OPT_NOCERT:
  417. nocert = 1;
  418. break;
  419. case OPT_TRUSTOUT:
  420. trustout = 1;
  421. break;
  422. case OPT_CLRTRUST:
  423. clrtrust = ++num;
  424. break;
  425. case OPT_CLRREJECT:
  426. clrreject = ++num;
  427. break;
  428. case OPT_ALIAS:
  429. aliasout = ++num;
  430. break;
  431. case OPT_CACREATESERIAL:
  432. CA_createserial = ++num;
  433. break;
  434. case OPT_CLREXT:
  435. clrext = 1;
  436. break;
  437. case OPT_OCSPID:
  438. ocspid = ++num;
  439. break;
  440. case OPT_BADSIG:
  441. badsig = 1;
  442. break;
  443. #ifndef OPENSSL_NO_MD5
  444. case OPT_SUBJECT_HASH_OLD:
  445. subject_hash_old = ++num;
  446. break;
  447. case OPT_ISSUER_HASH_OLD:
  448. issuer_hash_old = ++num;
  449. break;
  450. #else
  451. case OPT_SUBJECT_HASH_OLD:
  452. case OPT_ISSUER_HASH_OLD:
  453. break;
  454. #endif
  455. case OPT_DATES:
  456. startdate = ++num;
  457. enddate = ++num;
  458. break;
  459. case OPT_CHECKEND:
  460. checkend = 1;
  461. {
  462. intmax_t temp = 0;
  463. if (!opt_imax(opt_arg(), &temp))
  464. goto opthelp;
  465. checkoffset = (time_t)temp;
  466. if ((intmax_t)checkoffset != temp) {
  467. BIO_printf(bio_err, "%s: checkend time out of range %s\n",
  468. prog, opt_arg());
  469. goto opthelp;
  470. }
  471. }
  472. break;
  473. case OPT_CHECKHOST:
  474. checkhost = opt_arg();
  475. break;
  476. case OPT_CHECKEMAIL:
  477. checkemail = opt_arg();
  478. break;
  479. case OPT_CHECKIP:
  480. checkip = opt_arg();
  481. break;
  482. case OPT_MD:
  483. if (!opt_md(opt_unknown(), &digest))
  484. goto opthelp;
  485. }
  486. }
  487. argc = opt_num_rest();
  488. argv = opt_rest();
  489. if (argc != 0) {
  490. BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]);
  491. goto opthelp;
  492. }
  493. if (!nmflag_set)
  494. nmflag = XN_FLAG_ONELINE;
  495. out = bio_open_default(outfile, 'w', outformat);
  496. if (out == NULL)
  497. goto end;
  498. if (need_rand)
  499. app_RAND_load_file(NULL, 0);
  500. if (!app_passwd(passinarg, NULL, &passin, NULL)) {
  501. BIO_printf(bio_err, "Error getting password\n");
  502. goto end;
  503. }
  504. if (!X509_STORE_set_default_paths(ctx)) {
  505. ERR_print_errors(bio_err);
  506. goto end;
  507. }
  508. if (fkeyfile) {
  509. fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
  510. if (fkey == NULL)
  511. goto end;
  512. }
  513. if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
  514. CAkeyfile = CAfile;
  515. } else if ((CA_flag) && (CAkeyfile == NULL)) {
  516. BIO_printf(bio_err,
  517. "need to specify a CAkey if using the CA command\n");
  518. goto end;
  519. }
  520. if (extfile) {
  521. X509V3_CTX ctx2;
  522. if ((extconf = app_load_config(extfile)) == NULL)
  523. goto end;
  524. if (!extsect) {
  525. extsect = NCONF_get_string(extconf, "default", "extensions");
  526. if (!extsect) {
  527. ERR_clear_error();
  528. extsect = "default";
  529. }
  530. }
  531. X509V3_set_ctx_test(&ctx2);
  532. X509V3_set_nconf(&ctx2, extconf);
  533. if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) {
  534. BIO_printf(bio_err,
  535. "Error Loading extension section %s\n", extsect);
  536. ERR_print_errors(bio_err);
  537. goto end;
  538. }
  539. }
  540. if (reqfile) {
  541. EVP_PKEY *pkey;
  542. BIO *in;
  543. if (!sign_flag && !CA_flag) {
  544. BIO_printf(bio_err, "We need a private key to sign with\n");
  545. goto end;
  546. }
  547. in = bio_open_default(infile, 'r', informat);
  548. if (in == NULL)
  549. goto end;
  550. req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL);
  551. BIO_free(in);
  552. if (req == NULL) {
  553. ERR_print_errors(bio_err);
  554. goto end;
  555. }
  556. if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
  557. BIO_printf(bio_err, "error unpacking public key\n");
  558. goto end;
  559. }
  560. i = X509_REQ_verify(req, pkey);
  561. EVP_PKEY_free(pkey);
  562. if (i < 0) {
  563. BIO_printf(bio_err, "Signature verification error\n");
  564. ERR_print_errors(bio_err);
  565. goto end;
  566. }
  567. if (i == 0) {
  568. BIO_printf(bio_err,
  569. "Signature did not match the certificate request\n");
  570. goto end;
  571. } else
  572. BIO_printf(bio_err, "Signature ok\n");
  573. print_name(bio_err, "subject=", X509_REQ_get_subject_name(req),
  574. nmflag);
  575. if ((x = X509_new()) == NULL)
  576. goto end;
  577. if (sno == NULL) {
  578. sno = ASN1_INTEGER_new();
  579. if (sno == NULL || !rand_serial(NULL, sno))
  580. goto end;
  581. if (!X509_set_serialNumber(x, sno))
  582. goto end;
  583. ASN1_INTEGER_free(sno);
  584. sno = NULL;
  585. } else if (!X509_set_serialNumber(x, sno))
  586. goto end;
  587. if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req)))
  588. goto end;
  589. if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req)))
  590. goto end;
  591. X509_gmtime_adj(X509_get_notBefore(x), 0);
  592. X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
  593. if (fkey)
  594. X509_set_pubkey(x, fkey);
  595. else {
  596. pkey = X509_REQ_get_pubkey(req);
  597. X509_set_pubkey(x, pkey);
  598. EVP_PKEY_free(pkey);
  599. }
  600. } else
  601. x = load_cert(infile, informat, NULL, e, "Certificate");
  602. if (x == NULL)
  603. goto end;
  604. if (CA_flag) {
  605. xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate");
  606. if (xca == NULL)
  607. goto end;
  608. }
  609. if (!noout || text || next_serial) {
  610. OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3");
  611. }
  612. if (alias)
  613. X509_alias_set1(x, (unsigned char *)alias, -1);
  614. if (clrtrust)
  615. X509_trust_clear(x);
  616. if (clrreject)
  617. X509_reject_clear(x);
  618. if (trust) {
  619. for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
  620. objtmp = sk_ASN1_OBJECT_value(trust, i);
  621. X509_add1_trust_object(x, objtmp);
  622. }
  623. }
  624. if (reject) {
  625. for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
  626. objtmp = sk_ASN1_OBJECT_value(reject, i);
  627. X509_add1_reject_object(x, objtmp);
  628. }
  629. }
  630. if (num) {
  631. for (i = 1; i <= num; i++) {
  632. if (issuer == i) {
  633. print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag);
  634. } else if (subject == i) {
  635. print_name(out, "subject= ",
  636. X509_get_subject_name(x), nmflag);
  637. } else if (serial == i) {
  638. BIO_printf(out, "serial=");
  639. i2a_ASN1_INTEGER(out, X509_get_serialNumber(x));
  640. BIO_printf(out, "\n");
  641. } else if (next_serial == i) {
  642. BIGNUM *bnser;
  643. ASN1_INTEGER *ser;
  644. ser = X509_get_serialNumber(x);
  645. bnser = ASN1_INTEGER_to_BN(ser, NULL);
  646. if (!bnser)
  647. goto end;
  648. if (!BN_add_word(bnser, 1))
  649. goto end;
  650. ser = BN_to_ASN1_INTEGER(bnser, NULL);
  651. if (!ser)
  652. goto end;
  653. BN_free(bnser);
  654. i2a_ASN1_INTEGER(out, ser);
  655. ASN1_INTEGER_free(ser);
  656. BIO_puts(out, "\n");
  657. } else if ((email == i) || (ocsp_uri == i)) {
  658. int j;
  659. STACK_OF(OPENSSL_STRING) *emlst;
  660. if (email == i)
  661. emlst = X509_get1_email(x);
  662. else
  663. emlst = X509_get1_ocsp(x);
  664. for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
  665. BIO_printf(out, "%s\n",
  666. sk_OPENSSL_STRING_value(emlst, j));
  667. X509_email_free(emlst);
  668. } else if (aliasout == i) {
  669. unsigned char *alstr;
  670. alstr = X509_alias_get0(x, NULL);
  671. if (alstr)
  672. BIO_printf(out, "%s\n", alstr);
  673. else
  674. BIO_puts(out, "<No Alias>\n");
  675. } else if (subject_hash == i) {
  676. BIO_printf(out, "%08lx\n", X509_subject_name_hash(x));
  677. }
  678. #ifndef OPENSSL_NO_MD5
  679. else if (subject_hash_old == i) {
  680. BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x));
  681. }
  682. #endif
  683. else if (issuer_hash == i) {
  684. BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x));
  685. }
  686. #ifndef OPENSSL_NO_MD5
  687. else if (issuer_hash_old == i) {
  688. BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x));
  689. }
  690. #endif
  691. else if (pprint == i) {
  692. X509_PURPOSE *ptmp;
  693. int j;
  694. BIO_printf(out, "Certificate purposes:\n");
  695. for (j = 0; j < X509_PURPOSE_get_count(); j++) {
  696. ptmp = X509_PURPOSE_get0(j);
  697. purpose_print(out, x, ptmp);
  698. }
  699. } else if (modulus == i) {
  700. EVP_PKEY *pkey;
  701. pkey = X509_get0_pubkey(x);
  702. if (pkey == NULL) {
  703. BIO_printf(bio_err, "Modulus=unavailable\n");
  704. ERR_print_errors(bio_err);
  705. goto end;
  706. }
  707. BIO_printf(out, "Modulus=");
  708. #ifndef OPENSSL_NO_RSA
  709. if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
  710. BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
  711. else
  712. #endif
  713. #ifndef OPENSSL_NO_DSA
  714. if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
  715. BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
  716. else
  717. #endif
  718. BIO_printf(out, "Wrong Algorithm type");
  719. BIO_printf(out, "\n");
  720. } else if (pubkey == i) {
  721. EVP_PKEY *pkey;
  722. pkey = X509_get0_pubkey(x);
  723. if (pkey == NULL) {
  724. BIO_printf(bio_err, "Error getting public key\n");
  725. ERR_print_errors(bio_err);
  726. goto end;
  727. }
  728. PEM_write_bio_PUBKEY(out, pkey);
  729. } else if (C == i) {
  730. unsigned char *d;
  731. char *m;
  732. int len;
  733. X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf);
  734. BIO_printf(out, "/*\n"
  735. " * Subject: %s\n", buf);
  736. m = X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof buf);
  737. BIO_printf(out, " * Issuer: %s\n"
  738. " */\n", buf);
  739. len = i2d_X509(x, NULL);
  740. m = app_malloc(len, "x509 name buffer");
  741. d = (unsigned char *)m;
  742. len = i2d_X509_NAME(X509_get_subject_name(x), &d);
  743. print_array(out, "the_subject_name", len, (unsigned char *)m);
  744. d = (unsigned char *)m;
  745. len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d);
  746. print_array(out, "the_public_key", len, (unsigned char *)m);
  747. d = (unsigned char *)m;
  748. len = i2d_X509(x, &d);
  749. print_array(out, "the_certificate", len, (unsigned char *)m);
  750. OPENSSL_free(m);
  751. } else if (text == i) {
  752. X509_print_ex(out, x, nmflag, certflag);
  753. } else if (startdate == i) {
  754. BIO_puts(out, "notBefore=");
  755. ASN1_TIME_print(out, X509_get_notBefore(x));
  756. BIO_puts(out, "\n");
  757. } else if (enddate == i) {
  758. BIO_puts(out, "notAfter=");
  759. ASN1_TIME_print(out, X509_get_notAfter(x));
  760. BIO_puts(out, "\n");
  761. } else if (fingerprint == i) {
  762. int j;
  763. unsigned int n;
  764. unsigned char md[EVP_MAX_MD_SIZE];
  765. const EVP_MD *fdig = digest;
  766. if (!fdig)
  767. fdig = EVP_sha1();
  768. if (!X509_digest(x, fdig, md, &n)) {
  769. BIO_printf(bio_err, "out of memory\n");
  770. goto end;
  771. }
  772. BIO_printf(out, "%s Fingerprint=",
  773. OBJ_nid2sn(EVP_MD_type(fdig)));
  774. for (j = 0; j < (int)n; j++) {
  775. BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n)
  776. ? '\n' : ':');
  777. }
  778. }
  779. /* should be in the library */
  780. else if ((sign_flag == i) && (x509req == 0)) {
  781. BIO_printf(bio_err, "Getting Private key\n");
  782. if (Upkey == NULL) {
  783. Upkey = load_key(keyfile, keyformat, 0,
  784. passin, e, "Private key");
  785. if (Upkey == NULL)
  786. goto end;
  787. }
  788. assert(need_rand);
  789. if (!sign(x, Upkey, days, clrext, digest, extconf, extsect))
  790. goto end;
  791. } else if (CA_flag == i) {
  792. BIO_printf(bio_err, "Getting CA Private Key\n");
  793. if (CAkeyfile != NULL) {
  794. CApkey = load_key(CAkeyfile, CAkeyformat,
  795. 0, passin, e, "CA Private Key");
  796. if (CApkey == NULL)
  797. goto end;
  798. }
  799. assert(need_rand);
  800. if (!x509_certify(ctx, CAfile, digest, x, xca,
  801. CApkey, sigopts,
  802. CAserial, CA_createserial, days, clrext,
  803. extconf, extsect, sno, reqfile))
  804. goto end;
  805. } else if (x509req == i) {
  806. EVP_PKEY *pk;
  807. BIO_printf(bio_err, "Getting request Private Key\n");
  808. if (keyfile == NULL) {
  809. BIO_printf(bio_err, "no request key file specified\n");
  810. goto end;
  811. } else {
  812. pk = load_key(keyfile, keyformat, 0,
  813. passin, e, "request key");
  814. if (pk == NULL)
  815. goto end;
  816. }
  817. BIO_printf(bio_err, "Generating certificate request\n");
  818. rq = X509_to_X509_REQ(x, pk, digest);
  819. EVP_PKEY_free(pk);
  820. if (rq == NULL) {
  821. ERR_print_errors(bio_err);
  822. goto end;
  823. }
  824. if (!noout) {
  825. X509_REQ_print(out, rq);
  826. PEM_write_bio_X509_REQ(out, rq);
  827. }
  828. noout = 1;
  829. } else if (ocspid == i) {
  830. X509_ocspid_print(out, x);
  831. }
  832. }
  833. }
  834. if (checkend) {
  835. time_t tcheck = time(NULL) + checkoffset;
  836. if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
  837. BIO_printf(out, "Certificate will expire\n");
  838. ret = 1;
  839. } else {
  840. BIO_printf(out, "Certificate will not expire\n");
  841. ret = 0;
  842. }
  843. goto end;
  844. }
  845. print_cert_checks(out, x, checkhost, checkemail, checkip);
  846. if (noout || nocert) {
  847. ret = 0;
  848. goto end;
  849. }
  850. if (badsig) {
  851. ASN1_BIT_STRING *signature;
  852. unsigned char *s;
  853. X509_get0_signature(&signature, NULL, x);
  854. s = ASN1_STRING_data(signature);
  855. s[ASN1_STRING_length(signature) - 1] ^= 0x1;
  856. }
  857. if (outformat == FORMAT_ASN1)
  858. i = i2d_X509_bio(out, x);
  859. else if (outformat == FORMAT_PEM) {
  860. if (trustout)
  861. i = PEM_write_bio_X509_AUX(out, x);
  862. else
  863. i = PEM_write_bio_X509(out, x);
  864. } else {
  865. BIO_printf(bio_err, "bad output format specified for outfile\n");
  866. goto end;
  867. }
  868. if (!i) {
  869. BIO_printf(bio_err, "unable to write certificate\n");
  870. ERR_print_errors(bio_err);
  871. goto end;
  872. }
  873. ret = 0;
  874. end:
  875. if (need_rand)
  876. app_RAND_write_file(NULL);
  877. OBJ_cleanup();
  878. NCONF_free(extconf);
  879. BIO_free_all(out);
  880. X509_STORE_free(ctx);
  881. X509_REQ_free(req);
  882. X509_free(x);
  883. X509_free(xca);
  884. EVP_PKEY_free(Upkey);
  885. EVP_PKEY_free(CApkey);
  886. EVP_PKEY_free(fkey);
  887. sk_OPENSSL_STRING_free(sigopts);
  888. X509_REQ_free(rq);
  889. ASN1_INTEGER_free(sno);
  890. sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
  891. sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
  892. OPENSSL_free(passin);
  893. return (ret);
  894. }
  895. static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile,
  896. int create)
  897. {
  898. char *buf = NULL, *p;
  899. ASN1_INTEGER *bs = NULL;
  900. BIGNUM *serial = NULL;
  901. size_t len;
  902. len = ((serialfile == NULL)
  903. ? (strlen(CAfile) + strlen(POSTFIX) + 1)
  904. : (strlen(serialfile))) + 1;
  905. buf = app_malloc(len, "serial# buffer");
  906. if (serialfile == NULL) {
  907. OPENSSL_strlcpy(buf, CAfile, len);
  908. for (p = buf; *p; p++)
  909. if (*p == '.') {
  910. *p = '\0';
  911. break;
  912. }
  913. OPENSSL_strlcat(buf, POSTFIX, len);
  914. } else
  915. OPENSSL_strlcpy(buf, serialfile, len);
  916. serial = load_serial(buf, create, NULL);
  917. if (serial == NULL)
  918. goto end;
  919. if (!BN_add_word(serial, 1)) {
  920. BIO_printf(bio_err, "add_word failure\n");
  921. goto end;
  922. }
  923. if (!save_serial(buf, NULL, serial, &bs))
  924. goto end;
  925. end:
  926. OPENSSL_free(buf);
  927. BN_free(serial);
  928. return bs;
  929. }
  930. static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
  931. X509 *x, X509 *xca, EVP_PKEY *pkey,
  932. STACK_OF(OPENSSL_STRING) *sigopts,
  933. char *serialfile, int create,
  934. int days, int clrext, CONF *conf, char *section,
  935. ASN1_INTEGER *sno, int reqfile)
  936. {
  937. int ret = 0;
  938. ASN1_INTEGER *bs = NULL;
  939. X509_STORE_CTX xsc;
  940. EVP_PKEY *upkey;
  941. upkey = X509_get0_pubkey(xca);
  942. EVP_PKEY_copy_parameters(upkey, pkey);
  943. if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
  944. BIO_printf(bio_err, "Error initialising X509 store\n");
  945. goto end;
  946. }
  947. if (sno)
  948. bs = sno;
  949. else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL)
  950. goto end;
  951. /*
  952. * NOTE: this certificate can/should be self signed, unless it was a
  953. * certificate request in which case it is not.
  954. */
  955. X509_STORE_CTX_set_cert(&xsc, x);
  956. X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
  957. if (!reqfile && X509_verify_cert(&xsc) <= 0)
  958. goto end;
  959. if (!X509_check_private_key(xca, pkey)) {
  960. BIO_printf(bio_err,
  961. "CA certificate and CA private key do not match\n");
  962. goto end;
  963. }
  964. if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
  965. goto end;
  966. if (!X509_set_serialNumber(x, bs))
  967. goto end;
  968. if (X509_gmtime_adj(X509_get_notBefore(x), 0L) == NULL)
  969. goto end;
  970. /* hardwired expired */
  971. if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
  972. goto end;
  973. if (clrext) {
  974. while (X509_get_ext_count(x) > 0)
  975. X509_delete_ext(x, 0);
  976. }
  977. if (conf) {
  978. X509V3_CTX ctx2;
  979. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  980. X509_set_version(x, force_version);
  981. #else
  982. X509_set_version(x, 2); /* version 3 certificate */
  983. #endif
  984. X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
  985. X509V3_set_nconf(&ctx2, conf);
  986. if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
  987. goto end;
  988. }
  989. if (!do_X509_sign(x, pkey, digest, sigopts))
  990. goto end;
  991. ret = 1;
  992. end:
  993. X509_STORE_CTX_cleanup(&xsc);
  994. if (!ret)
  995. ERR_print_errors(bio_err);
  996. if (!sno)
  997. ASN1_INTEGER_free(bs);
  998. return ret;
  999. }
  1000. static int callb(int ok, X509_STORE_CTX *ctx)
  1001. {
  1002. int err;
  1003. X509 *err_cert;
  1004. /*
  1005. * it is ok to use a self signed certificate This case will catch both
  1006. * the initial ok == 0 and the final ok == 1 calls to this function
  1007. */
  1008. err = X509_STORE_CTX_get_error(ctx);
  1009. if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
  1010. return 1;
  1011. /*
  1012. * BAD we should have gotten an error. Normally if everything worked
  1013. * X509_STORE_CTX_get_error(ctx) will still be set to
  1014. * DEPTH_ZERO_SELF_....
  1015. */
  1016. if (ok) {
  1017. BIO_printf(bio_err,
  1018. "error with certificate to be certified - should be self signed\n");
  1019. return 0;
  1020. } else {
  1021. err_cert = X509_STORE_CTX_get_current_cert(ctx);
  1022. print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0);
  1023. BIO_printf(bio_err,
  1024. "error with certificate - error %d at depth %d\n%s\n", err,
  1025. X509_STORE_CTX_get_error_depth(ctx),
  1026. X509_verify_cert_error_string(err));
  1027. return 1;
  1028. }
  1029. }
  1030. /* self sign */
  1031. static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
  1032. const EVP_MD *digest, CONF *conf, char *section)
  1033. {
  1034. if (!X509_set_issuer_name(x, X509_get_subject_name(x)))
  1035. goto err;
  1036. if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
  1037. goto err;
  1038. if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
  1039. goto err;
  1040. if (!X509_set_pubkey(x, pkey))
  1041. goto err;
  1042. if (clrext) {
  1043. while (X509_get_ext_count(x) > 0)
  1044. X509_delete_ext(x, 0);
  1045. }
  1046. if (conf) {
  1047. X509V3_CTX ctx;
  1048. #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
  1049. X509_set_version(x, force_version);
  1050. #else
  1051. X509_set_version(x, 2); /* version 3 certificate */
  1052. #endif
  1053. X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
  1054. X509V3_set_nconf(&ctx, conf);
  1055. if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
  1056. goto err;
  1057. }
  1058. if (!X509_sign(x, pkey, digest))
  1059. goto err;
  1060. return 1;
  1061. err:
  1062. ERR_print_errors(bio_err);
  1063. return 0;
  1064. }
  1065. static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
  1066. {
  1067. int id, i, idret;
  1068. char *pname;
  1069. id = X509_PURPOSE_get_id(pt);
  1070. pname = X509_PURPOSE_get0_name(pt);
  1071. for (i = 0; i < 2; i++) {
  1072. idret = X509_check_purpose(cert, id, i);
  1073. BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
  1074. if (idret == 1)
  1075. BIO_printf(bio, "Yes\n");
  1076. else if (idret == 0)
  1077. BIO_printf(bio, "No\n");
  1078. else
  1079. BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
  1080. }
  1081. return 1;
  1082. }