/* apps/ca.c *//* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. *  * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to.  The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code.  The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). *  * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. *  * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright *    notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright *    notice, this list of conditions and the following disclaimer in the *    documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software *    must display the following acknowledgement: *    "This product includes cryptographic software written by *     Eric Young (eay@cryptsoft.com)" *    The word 'cryptographic' can be left out if the rouines from the library *    being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from  *    the apps directory (application code) you must include an acknowledgement: *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" *  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. *  * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed.  i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] *//* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */#include <stdio.h>#include <stdlib.h>#include <string.h>#include <ctype.h>#include <sys/types.h>#include <sys/stat.h>#include <openssl/conf.h>#include <openssl/bio.h>#include <openssl/err.h>#include <openssl/bn.h>#include <openssl/txt_db.h>#include <openssl/evp.h>#include <openssl/x509.h>#include <openssl/x509v3.h>#include <openssl/objects.h>#include <openssl/ocsp.h>#include <openssl/pem.h>#ifndef W_OK#  ifdef OPENSSL_SYS_VMS#    if defined(__DECC)#      include <unistd.h>#    else#      include <unixlib.h>#    endif#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)#    include <sys/file.h>#  endif#endif#include "apps.h"#ifndef W_OK#  define F_OK 0#  define X_OK 1#  define W_OK 2#  define R_OK 4#endif#undef PROG#define PROG ca_main#define BASE_SECTION	"ca"#define CONFIG_FILE "openssl.cnf"#define ENV_DEFAULT_CA		"default_ca"#define STRING_MASK	"string_mask"#define UTF8_IN			"utf8"#define ENV_DIR			"dir"#define ENV_CERTS		"certs"#define ENV_CRL_DIR		"crl_dir"#define ENV_CA_DB		"CA_DB"#define ENV_NEW_CERTS_DIR	"new_certs_dir"#define ENV_CERTIFICATE 	"certificate"#define ENV_SERIAL		"serial"#define ENV_CRLNUMBER		"crlnumber"#define ENV_CRL			"crl"#define ENV_PRIVATE_KEY		"private_key"#define ENV_RANDFILE		"RANDFILE"#define ENV_DEFAULT_DAYS 	"default_days"#define ENV_DEFAULT_STARTDATE 	"default_startdate"#define ENV_DEFAULT_ENDDATE 	"default_enddate"#define ENV_DEFAULT_CRL_DAYS 	"default_crl_days"#define ENV_DEFAULT_CRL_HOURS 	"default_crl_hours"#define ENV_DEFAULT_MD		"default_md"#define ENV_DEFAULT_EMAIL_DN	"email_in_dn"#define ENV_PRESERVE		"preserve"#define ENV_POLICY      	"policy"#define ENV_EXTENSIONS      	"x509_extensions"#define ENV_CRLEXT      	"crl_extensions"#define ENV_MSIE_HACK		"msie_hack"#define ENV_NAMEOPT		"name_opt"#define ENV_CERTOPT		"cert_opt"#define ENV_EXTCOPY		"copy_extensions"#define ENV_UNIQUE_SUBJECT	"unique_subject"#define ENV_DATABASE		"database"/* Additional revocation information types */#define REV_NONE		0	/* No addditional information */#define REV_CRL_REASON		1	/* Value is CRL reason code */#define REV_HOLD		2	/* Value is hold instruction */#define REV_KEY_COMPROMISE	3	/* Value is cert key compromise time */#define REV_CA_COMPROMISE	4	/* Value is CA key compromise time */static const char *ca_usage[]={"usage: ca args\n","\n"," -verbose        - Talk alot while doing things\n"," -config file    - A config file\n"," -name arg       - The particular CA definition to use\n"," -gencrl         - Generate a new CRL\n"," -crldays days   - Days is when the next CRL is due\n"," -crlhours hours - Hours is when the next CRL is due\n"," -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n"," -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n"," -days arg       - number of days to certify the certificate for\n"," -md arg         - md to use, one of md2, md5, sha or sha1\n"," -policy arg     - The CA 'policy' to support\n"," -keyfile arg    - private key file\n"," -keyform arg    - private key file format (PEM or ENGINE)\n"," -key arg        - key to decode the private key if it is encrypted\n"," -cert file      - The CA certificate\n"," -selfsign       - sign a certificate with the key associated with it\n"," -in file        - The input PEM encoded certificate request(s)\n"," -out file       - Where to put the output file(s)\n"," -outdir dir     - Where to put output certificates\n"," -infiles ....   - The last argument, requests to process\n"," -spkac file     - File contains DN and signed public key and challenge\n"," -ss_cert file   - File contains a self signed cert to sign\n"," -preserveDN     - Don't re-order the DN\n"," -noemailDN      - Don't add the EMAIL field into certificate' subject\n"," -batch          - Don't ask questions\n"," -msie_hack      - msie modifications to handle all those universal strings\n"," -revoke file    - Revoke a certificate (given in file)\n"," -subj arg       - Use arg instead of request's subject\n"," -utf8           - input characters are UTF8 (default ASCII)\n"," -multivalue-rdn - enable support for multivalued RDNs\n"," -extensions ..  - Extension section (override value in config file)\n"," -extfile file   - Configuration file with X509v3 extentions to add\n"," -crlexts ..     - CRL extension section (override value in config file)\n",#ifndef OPENSSL_NO_ENGINE" -engine e       - use engine e, possibly a hardware device.\n",#endif" -status serial  - Shows certificate status given the serial number\n"," -updatedb       - Updates db for expired certificates\n",NULL};#ifdef EFENCEextern int EF_PROTECT_FREE;extern int EF_PROTECT_BELOW;extern int EF_ALIGNMENT;#endifstatic void lookup_fail(const char *name, const char *tag);static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,		   BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,		   char *enddate, long days, int batch, char *ext_sect, CONF *conf,		   int verbose, unsigned long certopt, unsigned long nameopt,		   int default_op, int ext_copy, int selfsign);static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,			const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,			CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,			char *startdate, char *enddate, long days, int batch,			char *ext_sect, CONF *conf,int verbose, unsigned long certopt,			unsigned long nameopt, int default_op, int ext_copy,			ENGINE *e);static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,			 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,			 CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,			 char *startdate, char *enddate, long days, char *ext_sect,			 CONF *conf, int verbose, unsigned long certopt, 			 unsigned long nameopt, int default_op, int ext_copy);static int fix_data(int nid, int *type);static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,	int email_dn, char *startdate, char *enddate, long days, int batch,       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,	unsigned long certopt, unsigned long nameopt, int default_op,	int ext_copy, int selfsign);static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);static int get_certificate_status(const char *ser_status, CA_DB *db);static int do_updatedb(CA_DB *db);static int check_time_format(char *str);char *make_revocation_str(int rev_type, char *rev_arg);int make_revoked(X509_REVOKED *rev, const char *str);int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);static CONF *conf=NULL;static CONF *extconf=NULL;static char *section=NULL;static int preserve=0;static int msie_hack=0;int MAIN(int, char **);int MAIN(int argc, char **argv)	{	ENGINE *e = NULL;	char *key=NULL,*passargin=NULL;	int create_ser = 0;	int free_key = 0;	int total=0;	int total_done=0;	int badops=0;	int ret=1;	int email_dn=1;	int req=0;	int verbose=0;	int gencrl=0;	int dorevoke=0;	int doupdatedb=0;	long crldays=0;	long crlhours=0;	long errorline= -1;	char *configfile=NULL;	char *md=NULL;	char *policy=NULL;	char *keyfile=NULL;	char *certfile=NULL;	int keyform=FORMAT_PEM;	char *infile=NULL;	char *spkac_file=NULL;	char *ss_cert_file=NULL;	char *ser_status=NULL;	EVP_PKEY *pkey=NULL;	int output_der = 0;	char *outfile=NULL;	char *outdir=NULL;	char *serialfile=NULL;	char *crlnumberfile=NULL;	char *extensions=NULL;	char *extfile=NULL;	char *subj=NULL;	unsigned long chtype = MBSTRING_ASC;	int multirdn = 0;	char *tmp_email_dn=NULL;	char *crl_ext=NULL;	int rev_type = REV_NONE;	char *rev_arg = NULL;	BIGNUM *serial=NULL;	BIGNUM *crlnumber=NULL;	char *startdate=NULL;	char *enddate=NULL;	long days=0;	int batch=0;	int notext=0;	unsigned long nameopt = 0, certopt = 0;	int default_op = 1;	int ext_copy = EXT_COPY_NONE;	int selfsign = 0;	X509 *x509=NULL, *x509p = NULL;	X509 *x=NULL;	BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;	char *dbfile=NULL;	CA_DB *db=NULL;	X509_CRL *crl=NULL;	X509_REVOKED *r=NULL;	ASN1_TIME *tmptm;	ASN1_INTEGER *tmpser;	char *f;	const char *p, **pp;	int i,j;	const EVP_MD *dgst=NULL;	STACK_OF(CONF_VALUE) *attribs=NULL;	STACK_OF(X509) *cert_sk=NULL;#undef BSIZE#define BSIZE 256	MS_STATIC char buf[3][BSIZE];	char *randfile=NULL;#ifndef OPENSSL_NO_ENGINE	char *engine = NULL;#endif	char *tofree=NULL;	DB_ATTR db_attr;#ifdef EFENCEEF_PROTECT_FREE=1;EF_PROTECT_BELOW=1;EF_ALIGNMENT=0;#endif	apps_startup();	conf = NULL;	key = NULL;	section = NULL;	preserve=0;	msie_hack=0;	if (bio_err == NULL)		if ((bio_err=BIO_new(BIO_s_file())) != NULL)			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);	argc--;	argv++;	while (argc >= 1)		{		if	(strcmp(*argv,"-verbose") == 0)			verbose=1;		else if	(strcmp(*argv,"-config") == 0)			{			if (--argc < 1) goto bad;			configfile= *(++argv);			}		else if (strcmp(*argv,"-name") == 0)			{			if (--argc < 1) goto bad;			section= *(++argv);			}		else if (strcmp(*argv,"-subj") == 0)			{			if (--argc < 1) goto bad;			subj= *(++argv);			/* preserve=1; */			}		else if (strcmp(*argv,"-utf8") == 0)			chtype = MBSTRING_UTF8;		else if (strcmp(*argv,"-create_serial") == 0)			create_ser = 1;		else if (strcmp(*argv,"-multivalue-rdn") == 0)			multirdn=1;		else if (strcmp(*argv,"-startdate") == 0)			{			if (--argc < 1) goto bad;			startdate= *(++argv);			}		else if (strcmp(*argv,"-enddate") == 0)			{			if (--argc < 1) goto bad;			enddate= *(++argv);			}		else if (strcmp(*argv,"-days") == 0)			{			if (--argc < 1) goto bad;			days=atoi(*(++argv));			}		else if (strcmp(*argv,"-md") == 0)			{			if (--argc < 1) goto bad;			md= *(++argv);			}		else if (strcmp(*argv,"-policy") == 0)			{			if (--argc < 1) goto bad;			policy= *(++argv);			}		else if (strcmp(*argv,"-keyfile") == 0)			{			if (--argc < 1) goto bad;			keyfile= *(++argv);			}		else if (strcmp(*argv,"-keyform") == 0)			{			if (--argc < 1) goto bad;			keyform=str2fmt(*(++argv));			}		else if (strcmp(*argv,"-passin") == 0)			{			if (--argc < 1) goto bad;			passargin= *(++argv);			}		else if (strcmp(*argv,"-key") == 0)			{			if (--argc < 1) goto bad;			key= *(++argv);			}		else if (strcmp(*argv,"-cert") == 0)			{			if (--argc < 1) goto bad;			certfile= *(++argv);			}		else if (strcmp(*argv,"-selfsign") == 0)			selfsign=1;		else if (strcmp(*argv,"-in") == 0)			{			if (--argc < 1) goto bad;			infile= *(++argv);			req=1;			}		else if (strcmp(*argv,"-out") == 0)			{			if (--argc < 1) goto bad;			outfile= *(++argv);			}		else if (strcmp(*argv,"-outdir") == 0)			{			if (--argc < 1) goto bad;			outdir= *(++argv);			}		else if (strcmp(*argv,"-notext") == 0)			notext=1;		else if (strcmp(*argv,"-batch") == 0)			batch=1;		else if (strcmp(*argv,"-preserveDN") == 0)			preserve=1;		else if (strcmp(*argv,"-noemailDN") == 0)			email_dn=0;		else if (strcmp(*argv,"-gencrl") == 0)			gencrl=1;		else if (strcmp(*argv,"-msie_hack") == 0)			msie_hack=1;		else if (strcmp(*argv,"-crldays") == 0)			{			if (--argc < 1) goto bad;			crldays= atol(*(++argv));			}		else if (strcmp(*argv,"-crlhours") == 0)			{			if (--argc < 1) goto bad;			crlhours= atol(*(++argv));			}		else if (strcmp(*argv,"-infiles") == 0)			{			argc--;			argv++;			req=1;			break;			}		else if (strcmp(*argv, "-ss_cert") == 0)			{			if (--argc < 1) goto bad;			ss_cert_file = *(++argv);			req=1;			}		else if (strcmp(*argv, "-spkac") == 0)			{			if (--argc < 1) goto bad;			spkac_file = *(++argv);			req=1;			}		else if (strcmp(*argv,"-revoke") == 0)			{			if (--argc < 1) goto bad;			infile= *(++argv);			dorevoke=1;			}		else if (strcmp(*argv,"-extensions") == 0)			{			if (--argc < 1) goto bad;			extensions= *(++argv);			}		else if (strcmp(*argv,"-extfile") == 0)			{			if (--argc < 1) goto bad;			extfile= *(++argv);			}		else if (strcmp(*argv,"-status") == 0)			{			if (--argc < 1) goto bad;			ser_status= *(++argv);			}		else if (strcmp(*argv,"-updatedb") == 0)			{			doupdatedb=1;			}		else if (strcmp(*argv,"-crlexts") == 0)			{			if (--argc < 1) goto bad;			crl_ext= *(++argv);			}		else if (strcmp(*argv,"-crl_reason") == 0)			{			if (--argc < 1) goto bad;