rev_arg = *(++argv);			rev_type = REV_CRL_REASON;			}		else if (strcmp(*argv,"-crl_hold") == 0)			{			if (--argc < 1) goto bad;			rev_arg = *(++argv);			rev_type = REV_HOLD;			}		else if (strcmp(*argv,"-crl_compromise") == 0)			{			if (--argc < 1) goto bad;			rev_arg = *(++argv);			rev_type = REV_KEY_COMPROMISE;			}		else if (strcmp(*argv,"-crl_CA_compromise") == 0)			{			if (--argc < 1) goto bad;			rev_arg = *(++argv);			rev_type = REV_CA_COMPROMISE;			}#ifndef OPENSSL_NO_ENGINE		else if (strcmp(*argv,"-engine") == 0)			{			if (--argc < 1) goto bad;			engine= *(++argv);			}#endif		else			{bad:			BIO_printf(bio_err,"unknown option %s\n",*argv);			badops=1;			break;			}		argc--;		argv++;		}	if (badops)		{		for (pp=ca_usage; (*pp != NULL); pp++)			BIO_printf(bio_err,"%s",*pp);		goto err;		}	ERR_load_crypto_strings();	/*****************************************************************/	tofree=NULL;	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");	if (configfile == NULL)		{		const char *s=X509_get_default_cert_area();		size_t len;#ifdef OPENSSL_SYS_VMS		len = strlen(s)+sizeof(CONFIG_FILE);		tofree=OPENSSL_malloc(len);		strcpy(tofree,s);#else		len = strlen(s)+sizeof(CONFIG_FILE)+1;		tofree=OPENSSL_malloc(len);		BUF_strlcpy(tofree,s,len);		BUF_strlcat(tofree,"/",len);#endif		BUF_strlcat(tofree,CONFIG_FILE,len);		configfile=tofree;		}	BIO_printf(bio_err,"Using configuration from %s\n",configfile);	conf = NCONF_new(NULL);	if (NCONF_load(conf,configfile,&errorline) <= 0)		{		if (errorline <= 0)			BIO_printf(bio_err,"error loading the config file '%s'\n",				configfile);		else			BIO_printf(bio_err,"error on line %ld of config file '%s'\n"				,errorline,configfile);		goto err;		}	if(tofree)		{		OPENSSL_free(tofree);		tofree = NULL;		}	if (!load_config(bio_err, conf))		goto err;#ifndef OPENSSL_NO_ENGINE	e = setup_engine(bio_err, engine, 0);#endif	/* Lets get the config section we are using */	if (section == NULL)		{		section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);		if (section == NULL)			{			lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);			goto err;			}		}	if (conf != NULL)		{		p=NCONF_get_string(conf,NULL,"oid_file");		if (p == NULL)			ERR_clear_error();		if (p != NULL)			{			BIO *oid_bio;			oid_bio=BIO_new_file(p,"r");			if (oid_bio == NULL) 				{				/*				BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);				ERR_print_errors(bio_err);				*/				ERR_clear_error();				}			else				{				OBJ_create_objects(oid_bio);				BIO_free(oid_bio);				}			}		if (!add_oid_section(bio_err,conf)) 			{			ERR_print_errors(bio_err);			goto err;			}		}	randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");	if (randfile == NULL)		ERR_clear_error();	app_RAND_load_file(randfile, bio_err, 0);	f = NCONF_get_string(conf, section, STRING_MASK);	if (!f)		ERR_clear_error();	if(f && !ASN1_STRING_set_default_mask_asc(f)) {		BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);		goto err;	}	if (chtype != MBSTRING_UTF8){		f = NCONF_get_string(conf, section, UTF8_IN);		if (!f)			ERR_clear_error();		else if (!strcmp(f, "yes"))			chtype = MBSTRING_UTF8;	}	db_attr.unique_subject = 1;	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);	if (p)		{#ifdef RL_DEBUG		BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);#endif		db_attr.unique_subject = parse_yesno(p,1);		}	else		ERR_clear_error();#ifdef RL_DEBUG	if (!p)		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);#endif#ifdef RL_DEBUG	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",		db_attr.unique_subject);#endif		in=BIO_new(BIO_s_file());	out=BIO_new(BIO_s_file());	Sout=BIO_new(BIO_s_file());	Cout=BIO_new(BIO_s_file());	if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))		{		ERR_print_errors(bio_err);		goto err;		}	/*****************************************************************/	/* report status of cert with serial number given on command line */	if (ser_status)	{		if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)			{			lookup_fail(section,ENV_DATABASE);			goto err;			}		db = load_index(dbfile,&db_attr);		if (db == NULL) goto err;		if (!index_index(db)) goto err;		if (get_certificate_status(ser_status,db) != 1)			BIO_printf(bio_err,"Error verifying serial %s!\n",				 ser_status);		goto err;	}	/*****************************************************************/	/* we definitely need a private key, so let's get it */	if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,		section,ENV_PRIVATE_KEY)) == NULL))		{		lookup_fail(section,ENV_PRIVATE_KEY);		goto err;		}	if (!key)		{		free_key = 1;		if (!app_passwd(bio_err, passargin, NULL, &key, NULL))			{			BIO_printf(bio_err,"Error getting password\n");			goto err;			}		}	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 		"CA private key");	if (key) OPENSSL_cleanse(key,strlen(key));	if (pkey == NULL)		{		/* load_key() has already printed an appropriate message */		goto err;		}	/*****************************************************************/	/* we need a certificate */	if (!selfsign || spkac_file || ss_cert_file || gencrl)		{		if ((certfile == NULL)			&& ((certfile=NCONF_get_string(conf,				     section,ENV_CERTIFICATE)) == NULL))			{			lookup_fail(section,ENV_CERTIFICATE);			goto err;			}		x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,			"CA certificate");		if (x509 == NULL)			goto err;		if (!X509_check_private_key(x509,pkey))			{			BIO_printf(bio_err,"CA certificate and CA private key do not match\n");			goto err;			}		}	if (!selfsign) x509p = x509;	f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);	if (f == NULL)		ERR_clear_error();	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))		preserve=1;	f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);	if (f == NULL)		ERR_clear_error();	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))		msie_hack=1;	f=NCONF_get_string(conf,section,ENV_NAMEOPT);	if (f)		{		if (!set_name_ex(&nameopt, f))			{			BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);			goto err;			}		default_op = 0;		}	else		ERR_clear_error();	f=NCONF_get_string(conf,section,ENV_CERTOPT);	if (f)		{		if (!set_cert_ex(&certopt, f))			{			BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);			goto err;			}		default_op = 0;		}	else		ERR_clear_error();	f=NCONF_get_string(conf,section,ENV_EXTCOPY);	if (f)		{		if (!set_ext_copy(&ext_copy, f))			{			BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);			goto err;			}		}	else		ERR_clear_error();	/*****************************************************************/	/* lookup where to write new certificates */	if ((outdir == NULL) && (req))		{		struct stat sb;		if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))			== NULL)			{			BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");			goto err;			}#ifndef OPENSSL_SYS_VMS	    /* outdir is a directory spec, but access() for VMS demands a	       filename.  In any case, stat(), below, will catch the problem	       if outdir is not a directory spec, and the fopen() or open()	       will catch an error if there is no write access.	       Presumably, this problem could also be solved by using the DEC	       C routines to convert the directory syntax to Unixly, and give	       that to access().  However, time's too short to do that just	       now.	    */		if (access(outdir,R_OK|W_OK|X_OK) != 0)			{			BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);			perror(outdir);			goto err;			}		if (stat(outdir,&sb) != 0)			{			BIO_printf(bio_err,"unable to stat(%s)\n",outdir);			perror(outdir);			goto err;			}#ifdef S_IFDIR		if (!(sb.st_mode & S_IFDIR))			{			BIO_printf(bio_err,"%s need to be a directory\n",outdir);			perror(outdir);			goto err;			}#endif#endif		}	/*****************************************************************/	/* we need to load the database file */	if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)		{		lookup_fail(section,ENV_DATABASE);		goto err;		}	db = load_index(dbfile, &db_attr);	if (db == NULL) goto err;	/* Lets check some fields */	for (i=0; i<sk_num(db->db->data); i++)		{		pp=(const char **)sk_value(db->db->data,i);		if ((pp[DB_type][0] != DB_TYPE_REV) &&			(pp[DB_rev_date][0] != '\0'))			{			BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);			goto err;			}		if ((pp[DB_type][0] == DB_TYPE_REV) &&			!make_revoked(NULL, pp[DB_rev_date]))			{			BIO_printf(bio_err," in entry %d\n", i+1);			goto err;			}		if (!check_time_format((char *)pp[DB_exp_date]))			{			BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);			goto err;			}		p=pp[DB_serial];		j=strlen(p);		if (*p == '-')			{			p++;			j--;			}		if ((j&1) || (j < 2))			{			BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);			goto err;			}		while (*p)			{			if (!(	((*p >= '0') && (*p <= '9')) ||				((*p >= 'A') && (*p <= 'F')) ||				((*p >= 'a') && (*p <= 'f')))  )				{				BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);				goto err;				}			p++;			}		}	if (verbose)		{		BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */#ifdef OPENSSL_SYS_VMS		{		BIO *tmpbio = BIO_new(BIO_f_linebuffer());		out = BIO_push(tmpbio, out);		}#endif		TXT_DB_write(out,db->db);		BIO_printf(bio_err,"%d entries loaded from the database\n",			db->db->data->num);		BIO_printf(bio_err,"generating index\n");		}		if (!index_index(db)) goto err;	/*****************************************************************/	/* Update the db file for expired certificates */	if (doupdatedb)		{		if (verbose)			BIO_printf(bio_err, "Updating %s ...\n",							dbfile);		i = do_updatedb(db);		if (i == -1)			{			BIO_printf(bio_err,"Malloc failure\n");			goto err;			}		else if (i == 0)			{			if (verbose) BIO_printf(bio_err,					"No entries found to mark expired\n"); 			}	    	else			{			if (!save_index(dbfile,"new",db)) goto err;							if (!rotate_index(dbfile,"new","old")) goto err;							if (verbose) BIO_printf(bio_err,				"Done. %d entries marked as expired\n",i); 	      		}	  	} 	/*****************************************************************/	/* Read extentions config file                                   */	if (extfile)		{		extconf = NCONF_new(NULL);		if (NCONF_load(extconf,extfile,&errorline) <= 0)			{			if (errorline <= 0)				BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",					extfile);			else				BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",					errorline,extfile);			ret = 1;			goto err;			}		if (verbose)			BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);		/* We can have sections in the ext file */		if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))			extensions = "default";		}	/*****************************************************************/	if (req || gencrl)		{		if (outfile != NULL)			{			if (BIO_write_filename(Sout,outfile) <= 0)				{				perror(outfile);				goto err;				}			}		else			{			BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);#ifdef OPENSSL_SYS_VMS			{			BIO *tmpbio = BIO_new(BIO_f_linebuffer());			Sout = BIO_push(tmpbio, Sout);			}#endif			}		}	if ((md == NULL) && ((md=NCONF_get_string(conf,