1 /* $OpenBSD: apps.c,v 1.36 2015/09/13 12:41:01 bcook Exp $ */
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
18 * All rights reserved.
20 * This package is an SSL implementation written
21 * by Eric Young (eay@cryptsoft.com).
22 * The implementation was written so as to conform with Netscapes SSL.
24 * This library is free for commercial and non-commercial use as long as
25 * the following conditions are aheared to. The following conditions
26 * apply to all code found in this distribution, be it the RC4, RSA,
27 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
28 * included with this distribution is covered by the same copyright terms
29 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
31 * Copyright remains Eric Young's, and as such any Copyright notices in
32 * the code are not to be removed.
33 * If this package is used in a product, Eric Young should be given attribution
34 * as the author of the parts of the library used.
35 * This can be in the form of a textual message at program startup or
36 * in documentation (online or textual) provided with the package.
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
41 * 1. Redistributions of source code must retain the copyright
42 * notice, this list of conditions and the following disclaimer.
43 * 2. Redistributions in binary form must reproduce the above copyright
44 * notice, this list of conditions and the following disclaimer in the
45 * documentation and/or other materials provided with the distribution.
46 * 3. All advertising materials mentioning features or use of this software
47 * must display the following acknowledgement:
48 * "This product includes cryptographic software written by
49 * Eric Young (eay@cryptsoft.com)"
50 * The word 'cryptographic' can be left out if the rouines from the library
51 * being used are not cryptographic related :-).
52 * 4. If you include any Windows specific code (or a derivative thereof) from
53 * the apps directory (application code) you must include an acknowledgement:
54 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
56 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
57 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
58 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
59 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
60 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
61 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
62 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
63 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
64 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
65 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
68 * The licence and distribution terms for any publically available version or
69 * derivative of this code cannot be changed. i.e. this code cannot simply be
70 * copied and put under another distribution licence
71 * [including the GNU Public Licence.]
73 /* ====================================================================
74 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
76 * Redistribution and use in source and binary forms, with or without
77 * modification, are permitted provided that the following conditions
80 * 1. Redistributions of source code must retain the above copyright
81 * notice, this list of conditions and the following disclaimer.
83 * 2. Redistributions in binary form must reproduce the above copyright
84 * notice, this list of conditions and the following disclaimer in
85 * the documentation and/or other materials provided with the
88 * 3. All advertising materials mentioning features or use of this
89 * software must display the following acknowledgment:
90 * "This product includes software developed by the OpenSSL Project
91 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
93 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
94 * endorse or promote products derived from this software without
95 * prior written permission. For written permission, please contact
96 * openssl-core@openssl.org.
98 * 5. Products derived from this software may not be called "OpenSSL"
99 * nor may "OpenSSL" appear in their names without prior written
100 * permission of the OpenSSL Project.
102 * 6. Redistributions of any form whatsoever must retain the following
104 * "This product includes software developed by the OpenSSL Project
105 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
107 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
108 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
109 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
110 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
111 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
112 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
113 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
114 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
115 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
116 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
117 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
118 * OF THE POSSIBILITY OF SUCH DAMAGE.
119 * ====================================================================
121 * This product includes cryptographic software written by Eric Young
122 * (eay@cryptsoft.com). This product includes software written by Tim
123 * Hudson (tjh@cryptsoft.com).
127 #include <sys/types.h>
128 #include <sys/stat.h>
140 #include <openssl/bn.h>
141 #include <openssl/err.h>
142 #include <openssl/pem.h>
143 #include <openssl/pkcs12.h>
144 #include <openssl/safestack.h>
145 #include <openssl/x509.h>
146 #include <openssl/x509v3.h>
148 #include <openssl/rsa.h>
156 UI_METHOD *ui_method = NULL;
158 static int set_table_opts(unsigned long *flags, const char *arg,
159 const NAME_EX_TBL *in_tbl);
160 static int set_multi_opts(unsigned long *flags, const char *arg,
161 const NAME_EX_TBL *in_tbl);
163 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
164 /* Looks like this stuff is worth moving into separate function */
165 static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
166 const char *key_descrip, int format);
174 if ((*s == 'D') || (*s == 'd'))
175 return (FORMAT_ASN1);
176 else if ((*s == 'T') || (*s == 't'))
177 return (FORMAT_TEXT);
178 else if ((*s == 'N') || (*s == 'n'))
179 return (FORMAT_NETSCAPE);
180 else if ((*s == 'S') || (*s == 's'))
181 return (FORMAT_SMIME);
182 else if ((*s == 'M') || (*s == 'm'))
183 return (FORMAT_MSBLOB);
184 else if ((*s == '1') ||
185 (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) ||
186 (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
187 return (FORMAT_PKCS12);
188 else if ((*s == 'P') || (*s == 'p')) {
189 if (s[1] == 'V' || s[1] == 'v')
194 return (FORMAT_UNDEF);
198 program_name(char *in, char *out, int size)
202 p = strrchr(in, '/');
207 strlcpy(out, p, size);
211 chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
220 if (arg->count == 0) {
222 arg->data = reallocarray(NULL, arg->count, sizeof(char *));
223 if (arg->data == NULL)
226 for (i = 0; i < arg->count; i++)
232 /* first scan over white space */
235 while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
240 /* The start of something good :-) */
241 if (num >= arg->count) {
243 int tlen = arg->count + 20;
244 tmp_p = reallocarray(arg->data, tlen, sizeof(char *));
249 /* initialize newly allocated data */
250 for (i = num; i < arg->count; i++)
253 arg->data[num++] = p;
255 /* now look for the end of this */
256 if ((*p == '\'') || (*p == '\"')) { /* scan for closing
259 arg->data[num - 1]++; /* jump over quote */
260 while (*p && (*p != i))
264 while (*p && ((*p != ' ') &&
265 (*p != '\t') && (*p != '\n')))
281 dump_cert_text(BIO *out, X509 *x)
285 p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
286 BIO_puts(out, "subject=");
290 p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
291 BIO_puts(out, "\nissuer=");
302 return UI_method_get_opener(UI_OpenSSL()) (ui);
306 ui_read(UI *ui, UI_STRING *uis)
308 const char *password;
311 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
312 UI_get0_user_data(ui)) {
313 string_type = UI_get_string_type(uis);
314 if (string_type == UIT_PROMPT || string_type == UIT_VERIFY) {
316 ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
317 if (password && password[0] != '\0') {
318 UI_set_result(ui, uis, password);
323 return UI_method_get_reader(UI_OpenSSL()) (ui, uis);
327 ui_write(UI *ui, UI_STRING *uis)
329 const char *password;
332 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
333 UI_get0_user_data(ui)) {
334 string_type = UI_get_string_type(uis);
335 if (string_type == UIT_PROMPT || string_type == UIT_VERIFY) {
337 ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
338 if (password && password[0] != '\0')
342 return UI_method_get_writer(UI_OpenSSL()) (ui, uis);
348 return UI_method_get_closer(UI_OpenSSL()) (ui);
352 password_callback(char *buf, int bufsiz, int verify, void *arg)
354 PW_CB_DATA *cb_tmp = arg;
357 const char *prompt_info = NULL;
358 const char *password = NULL;
359 PW_CB_DATA *cb_data = (PW_CB_DATA *) cb_tmp;
362 if (cb_data->password)
363 password = cb_data->password;
364 if (cb_data->prompt_info)
365 prompt_info = cb_data->prompt_info;
368 res = strlen(password);
371 memcpy(buf, password, res);
374 ui = UI_new_method(ui_method);
381 prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
383 ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
384 UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
387 ok = UI_add_input_string(ui, prompt, ui_flags, buf,
388 PW_MIN_LENGTH, bufsiz - 1);
389 if (ok >= 0 && verify) {
390 buff = malloc(bufsiz);
391 ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
392 PW_MIN_LENGTH, bufsiz - 1, buf);
398 UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
401 explicit_bzero(buff, (unsigned int) bufsiz);
407 BIO_printf(bio_err, "User interface error\n");
408 ERR_print_errors(bio_err);
409 explicit_bzero(buf, (unsigned int) bufsiz);
413 BIO_printf(bio_err, "aborted!\n");
414 explicit_bzero(buf, (unsigned int) bufsiz);
423 static char *app_get_pass(BIO *err, char *arg, int keepbio);
426 app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
430 if (!arg2 || !arg1 || strcmp(arg1, arg2))
435 *pass1 = app_get_pass(err, arg1, same);
441 *pass2 = app_get_pass(err, arg2, same ? 2 : 0);
450 app_get_pass(BIO *err, char *arg, int keepbio)
452 char *tmp, tpass[APP_PASS_LEN];
453 static BIO *pwdbio = NULL;
454 const char *errstr = NULL;
457 if (!strncmp(arg, "pass:", 5))
458 return strdup(arg + 5);
459 if (!strncmp(arg, "env:", 4)) {
460 tmp = getenv(arg + 4);
462 BIO_printf(err, "Can't read environment variable %s\n",
468 if (!keepbio || !pwdbio) {
469 if (!strncmp(arg, "file:", 5)) {
470 pwdbio = BIO_new_file(arg + 5, "r");
472 BIO_printf(err, "Can't open file %s\n",
476 } else if (!strncmp(arg, "fd:", 3)) {
478 i = strtonum(arg + 3, 0, INT_MAX, &errstr);
481 "Invalid file descriptor %s: %s\n",
485 pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
488 "Can't access file descriptor %s\n",
493 * Can't do BIO_gets on an fd BIO so add a buffering
496 btmp = BIO_new(BIO_f_buffer());
497 pwdbio = BIO_push(btmp, pwdbio);
498 } else if (!strcmp(arg, "stdin")) {
499 pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
501 BIO_printf(err, "Can't open BIO for stdin\n");
505 BIO_printf(err, "Invalid password argument \"%s\"\n",
510 i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
512 BIO_free_all(pwdbio);
516 BIO_printf(err, "Error reading password from BIO\n");
519 tmp = strchr(tpass, '\n');
522 return strdup(tpass);
526 add_oid_section(BIO *err, CONF *conf)
529 STACK_OF(CONF_VALUE) *sktmp;
533 if (!(p = NCONF_get_string(conf, NULL, "oid_section"))) {
537 if (!(sktmp = NCONF_get_section(conf, p))) {
538 BIO_printf(err, "problem loading oid section %s\n", p);
541 for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
542 cnf = sk_CONF_VALUE_value(sktmp, i);
543 if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
544 BIO_printf(err, "problem creating object %s=%s\n",
545 cnf->name, cnf->value);
553 load_pkcs12(BIO *err, BIO *in, const char *desc, pem_password_cb *pem_cb,
554 void *cb_data, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
557 char tpass[PEM_BUFSIZE];
561 p12 = d2i_PKCS12_bio(in, NULL);
563 BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
566 /* See if an empty password will do */
567 if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
571 pem_cb = password_callback;
572 len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
574 BIO_printf(err, "Passpharse callback error for %s\n",
578 if (len < PEM_BUFSIZE)
580 if (!PKCS12_verify_mac(p12, tpass, len)) {
582 "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);
587 ret = PKCS12_parse(p12, pass, pkey, cert, ca);
596 load_cert(BIO *err, const char *file, int format, const char *pass,
597 const char *cert_descrip)
602 if ((cert = BIO_new(BIO_s_file())) == NULL) {
603 ERR_print_errors(err);
607 setvbuf(stdin, NULL, _IONBF, 0);
608 BIO_set_fp(cert, stdin, BIO_NOCLOSE);
610 if (BIO_read_filename(cert, file) <= 0) {
611 BIO_printf(err, "Error opening %s %s\n",
613 ERR_print_errors(err);
618 if (format == FORMAT_ASN1)
619 x = d2i_X509_bio(cert, NULL);
620 else if (format == FORMAT_NETSCAPE) {
622 nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),
627 if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
628 nx->header->length) != 0)) {
629 NETSCAPE_X509_free(nx);
631 "Error reading header on certificate\n");
636 NETSCAPE_X509_free(nx);
637 } else if (format == FORMAT_PEM)
638 x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);
639 else if (format == FORMAT_PKCS12) {
640 if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,
644 BIO_printf(err, "bad input format specified for %s\n",
651 BIO_printf(err, "unable to load certificate\n");
652 ERR_print_errors(err);
659 load_key(BIO *err, const char *file, int format, int maybe_stdin,
660 const char *pass, const char *key_descrip)
663 EVP_PKEY *pkey = NULL;
666 cb_data.password = pass;
667 cb_data.prompt_info = file;
669 if (file == NULL && (!maybe_stdin)) {
670 BIO_printf(err, "no keyfile specified\n");
673 key = BIO_new(BIO_s_file());
675 ERR_print_errors(err);
678 if (file == NULL && maybe_stdin) {
679 setvbuf(stdin, NULL, _IONBF, 0);
680 BIO_set_fp(key, stdin, BIO_NOCLOSE);
681 } else if (BIO_read_filename(key, file) <= 0) {
682 BIO_printf(err, "Error opening %s %s\n",
684 ERR_print_errors(err);
687 if (format == FORMAT_ASN1) {
688 pkey = d2i_PrivateKey_bio(key, NULL);
689 } else if (format == FORMAT_PEM) {
690 pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);
692 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
693 else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
694 pkey = load_netscape_key(err, key, file, key_descrip, format);
696 else if (format == FORMAT_PKCS12) {
697 if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,
701 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
702 else if (format == FORMAT_MSBLOB)
703 pkey = b2i_PrivateKey_bio(key);
704 else if (format == FORMAT_PVK)
705 pkey = b2i_PVK_bio(key, password_callback,
709 BIO_printf(err, "bad input format specified for key file\n");
715 BIO_printf(err, "unable to load %s\n", key_descrip);
716 ERR_print_errors(err);
722 load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
723 const char *pass, const char *key_descrip)
726 EVP_PKEY *pkey = NULL;
729 cb_data.password = pass;
730 cb_data.prompt_info = file;
732 if (file == NULL && !maybe_stdin) {
733 BIO_printf(err, "no keyfile specified\n");
736 key = BIO_new(BIO_s_file());
738 ERR_print_errors(err);
741 if (file == NULL && maybe_stdin) {
742 setvbuf(stdin, NULL, _IONBF, 0);
743 BIO_set_fp(key, stdin, BIO_NOCLOSE);
744 } else if (BIO_read_filename(key, file) <= 0) {
745 BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
746 ERR_print_errors(err);
749 if (format == FORMAT_ASN1) {
750 pkey = d2i_PUBKEY_bio(key, NULL);
752 else if (format == FORMAT_ASN1RSA) {
754 rsa = d2i_RSAPublicKey_bio(key, NULL);
756 pkey = EVP_PKEY_new();
758 EVP_PKEY_set1_RSA(pkey, rsa);
762 } else if (format == FORMAT_PEMRSA) {
764 rsa = PEM_read_bio_RSAPublicKey(key, NULL, password_callback, &cb_data);
766 pkey = EVP_PKEY_new();
768 EVP_PKEY_set1_RSA(pkey, rsa);
773 else if (format == FORMAT_PEM) {
774 pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);
776 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
777 else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
778 pkey = load_netscape_key(err, key, file, key_descrip, format);
780 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
781 else if (format == FORMAT_MSBLOB)
782 pkey = b2i_PublicKey_bio(key);
785 BIO_printf(err, "bad input format specified for key file\n");
792 BIO_printf(err, "unable to load %s\n", key_descrip);
796 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
798 load_netscape_key(BIO *err, BIO *key, const char *file,
799 const char *key_descrip, int format)
804 const unsigned char *p;
808 pkey = EVP_PKEY_new();
810 if (buf == NULL || pkey == NULL)
813 if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
815 i = BIO_read(key, &(buf->data[size]), 1024 * 10);
820 BIO_printf(err, "Error reading %s %s",
825 p = (unsigned char *) buf->data;
826 rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL,
827 (format == FORMAT_IISSGC ? 1 : 0));
831 EVP_PKEY_set1_RSA(pkey, rsa);
839 #endif /* ndef OPENSSL_NO_RC4 */
842 load_certs_crls(BIO *err, const char *file, int format, const char *pass,
843 const char *desc, STACK_OF(X509) **pcerts,
844 STACK_OF(X509_CRL) **pcrls)
848 STACK_OF(X509_INFO) *xis = NULL;
853 cb_data.password = pass;
854 cb_data.prompt_info = file;
856 if (format != FORMAT_PEM) {
857 BIO_printf(err, "bad input format specified for %s\n", desc);
861 bio = BIO_new_fp(stdin, BIO_NOCLOSE);
863 bio = BIO_new_file(file, "r");
866 BIO_printf(err, "Error opening %s %s\n",
867 desc, file ? file : "stdin");
868 ERR_print_errors(err);
871 xis = PEM_X509_INFO_read_bio(bio, NULL, password_callback, &cb_data);
876 *pcerts = sk_X509_new_null();
881 *pcrls = sk_X509_CRL_new_null();
885 for (i = 0; i < sk_X509_INFO_num(xis); i++) {
886 xi = sk_X509_INFO_value(xis, i);
887 if (xi->x509 && pcerts) {
888 if (!sk_X509_push(*pcerts, xi->x509))
892 if (xi->crl && pcrls) {
893 if (!sk_X509_CRL_push(*pcrls, xi->crl))
899 if (pcerts && sk_X509_num(*pcerts) > 0)
902 if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
907 sk_X509_INFO_pop_free(xis, X509_INFO_free);
911 sk_X509_pop_free(*pcerts, X509_free);
915 sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
918 BIO_printf(err, "unable to load %s\n",
919 pcerts ? "certificates" : "CRLs");
920 ERR_print_errors(err);
926 load_certs(BIO *err, const char *file, int format, const char *pass,
929 STACK_OF(X509) *certs;
931 if (!load_certs_crls(err, file, format, pass, desc, &certs, NULL))
937 load_crls(BIO *err, const char *file, int format, const char *pass,
940 STACK_OF(X509_CRL) *crls;
942 if (!load_certs_crls(err, file, format, pass, desc, NULL, &crls))
947 #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
948 /* Return error for unknown extensions */
949 #define X509V3_EXT_DEFAULT 0
950 /* Print error for unknown extensions */
951 #define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
952 /* ASN1 parse unknown extensions */
953 #define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
954 /* BIO_dump unknown extensions */
955 #define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
957 #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
958 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
961 set_cert_ex(unsigned long *flags, const char *arg)
963 static const NAME_EX_TBL cert_tbl[] = {
964 {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
965 {"ca_default", X509_FLAG_CA, 0xffffffffl},
966 {"no_header", X509_FLAG_NO_HEADER, 0},
967 {"no_version", X509_FLAG_NO_VERSION, 0},
968 {"no_serial", X509_FLAG_NO_SERIAL, 0},
969 {"no_signame", X509_FLAG_NO_SIGNAME, 0},
970 {"no_validity", X509_FLAG_NO_VALIDITY, 0},
971 {"no_subject", X509_FLAG_NO_SUBJECT, 0},
972 {"no_issuer", X509_FLAG_NO_ISSUER, 0},
973 {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
974 {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
975 {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
976 {"no_aux", X509_FLAG_NO_AUX, 0},
977 {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
978 {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
979 {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
980 {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
981 {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
984 return set_multi_opts(flags, arg, cert_tbl);
988 set_name_ex(unsigned long *flags, const char *arg)
990 static const NAME_EX_TBL ex_tbl[] = {
991 {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
992 {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
993 {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
994 {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
995 {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
996 {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
997 {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
998 {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
999 {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
1000 {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
1001 {"compat", XN_FLAG_COMPAT, 0xffffffffL},
1002 {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
1003 {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
1004 {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
1005 {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
1006 {"dn_rev", XN_FLAG_DN_REV, 0},
1007 {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
1008 {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
1009 {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
1010 {"align", XN_FLAG_FN_ALIGN, 0},
1011 {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
1012 {"space_eq", XN_FLAG_SPC_EQ, 0},
1013 {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
1014 {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
1015 {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
1016 {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
1017 {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
1020 return set_multi_opts(flags, arg, ex_tbl);
1024 set_ext_copy(int *copy_type, const char *arg)
1026 if (!strcasecmp(arg, "none"))
1027 *copy_type = EXT_COPY_NONE;
1028 else if (!strcasecmp(arg, "copy"))
1029 *copy_type = EXT_COPY_ADD;
1030 else if (!strcasecmp(arg, "copyall"))
1031 *copy_type = EXT_COPY_ALL;
1038 copy_extensions(X509 *x, X509_REQ *req, int copy_type)
1040 STACK_OF(X509_EXTENSION) *exts = NULL;
1041 X509_EXTENSION *ext, *tmpext;
1043 int i, idx, ret = 0;
1045 if (!x || !req || (copy_type == EXT_COPY_NONE))
1047 exts = X509_REQ_get_extensions(req);
1049 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
1050 ext = sk_X509_EXTENSION_value(exts, i);
1051 obj = X509_EXTENSION_get_object(ext);
1052 idx = X509_get_ext_by_OBJ(x, obj, -1);
1053 /* Does extension exist? */
1055 /* If normal copy don't override existing extension */
1056 if (copy_type == EXT_COPY_ADD)
1058 /* Delete all extensions of same type */
1060 tmpext = X509_get_ext(x, idx);
1061 X509_delete_ext(x, idx);
1062 X509_EXTENSION_free(tmpext);
1063 idx = X509_get_ext_by_OBJ(x, obj, -1);
1064 } while (idx != -1);
1066 if (!X509_add_ext(x, ext, -1))
1073 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
1079 set_multi_opts(unsigned long *flags, const char *arg,
1080 const NAME_EX_TBL *in_tbl)
1082 STACK_OF(CONF_VALUE) *vals;
1088 vals = X509V3_parse_list(arg);
1089 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
1090 val = sk_CONF_VALUE_value(vals, i);
1091 if (!set_table_opts(flags, val->name, in_tbl))
1094 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
1099 set_table_opts(unsigned long *flags, const char *arg,
1100 const NAME_EX_TBL *in_tbl)
1103 const NAME_EX_TBL *ptbl;
1109 } else if (c == '+') {
1115 for (ptbl = in_tbl; ptbl->name; ptbl++) {
1116 if (!strcasecmp(arg, ptbl->name)) {
1117 *flags &= ~ptbl->mask;
1119 *flags |= ptbl->flag;
1121 *flags &= ~ptbl->flag;
1129 print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags)
1136 BIO_puts(out, title);
1137 if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
1141 if (lflags == XN_FLAG_COMPAT) {
1142 buf = X509_NAME_oneline(nm, 0, 0);
1144 BIO_puts(out, "\n");
1148 BIO_puts(out, "\n");
1149 X509_NAME_print_ex(out, nm, indent, lflags);
1150 BIO_puts(out, "\n");
1155 setup_verify(BIO *bp, char *CAfile, char *CApath)
1158 X509_LOOKUP *lookup;
1160 if (!(store = X509_STORE_new()))
1162 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
1166 if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
1167 BIO_printf(bp, "Error loading file %s\n", CAfile);
1171 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
1173 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1177 if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
1178 BIO_printf(bp, "Error loading directory %s\n", CApath);
1182 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
1188 X509_STORE_free(store);
1193 load_config(BIO *err, CONF *cnf)
1195 static int load_config_called = 0;
1197 if (load_config_called)
1199 load_config_called = 1;
1205 OPENSSL_load_builtin_modules();
1207 if (CONF_modules_load(cnf, NULL, 0) <= 0) {
1208 BIO_printf(err, "Error configuring OpenSSL\n");
1209 ERR_print_errors(err);
1218 const char *t = X509_get_default_cert_area();
1221 if (asprintf(&p, "%s/openssl.cnf", t) == -1)
1226 static unsigned long
1227 index_serial_hash(const OPENSSL_CSTRING *a)
1234 return (lh_strhash(n));
1238 index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
1240 const char *aa, *bb;
1242 for (aa = a[DB_serial]; *aa == '0'; aa++)
1244 for (bb = b[DB_serial]; *bb == '0'; bb++)
1246 return (strcmp(aa, bb));
1250 index_name_qual(char **a)
1252 return (a[0][0] == 'V');
1255 static unsigned long
1256 index_name_hash(const OPENSSL_CSTRING *a)
1258 return (lh_strhash(a[DB_name]));
1262 index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
1264 return (strcmp(a[DB_name], b[DB_name]));
1267 static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
1268 static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
1269 static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
1270 static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
1275 load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
1280 ASN1_INTEGER *ai = NULL;
1282 ai = ASN1_INTEGER_new();
1286 if ((in = BIO_new(BIO_s_file())) == NULL) {
1287 ERR_print_errors(bio_err);
1290 if (BIO_read_filename(in, serialfile) <= 0) {
1296 if (ret == NULL || !rand_serial(ret, ai))
1297 BIO_printf(bio_err, "Out of memory\n");
1300 if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
1301 BIO_printf(bio_err, "unable to load number from %s\n",
1305 ret = ASN1_INTEGER_to_BN(ai, NULL);
1308 "error converting number from bin to BIGNUM\n");
1322 ASN1_INTEGER_free(ai);
1327 save_serial(char *serialfile, char *suffix, BIGNUM *serial,
1328 ASN1_INTEGER **retai)
1330 char buf[1][BUFLEN];
1333 ASN1_INTEGER *ai = NULL;
1337 j = strlen(serialfile);
1339 j = strlen(serialfile) + strlen(suffix) + 1;
1341 BIO_printf(bio_err, "file name too long\n");
1345 n = strlcpy(buf[0], serialfile, BUFLEN);
1347 n = snprintf(buf[0], sizeof buf[0], "%s.%s",
1348 serialfile, suffix);
1349 if (n == -1 || n >= sizeof(buf[0])) {
1350 BIO_printf(bio_err, "serial too long\n");
1353 out = BIO_new(BIO_s_file());
1355 ERR_print_errors(bio_err);
1358 if (BIO_write_filename(out, buf[0]) <= 0) {
1362 if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
1364 "error converting serial to ASN.1 format\n");
1367 i2a_ASN1_INTEGER(out, ai);
1368 BIO_puts(out, "\n");
1379 ASN1_INTEGER_free(ai);
1384 rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
1386 char buf[5][BUFLEN];
1389 i = strlen(serialfile) + strlen(old_suffix);
1390 j = strlen(serialfile) + strlen(new_suffix);
1393 if (j + 1 >= BUFLEN) {
1394 BIO_printf(bio_err, "file name too long\n");
1397 snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
1398 snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
1401 if (rename(serialfile, buf[1]) < 0 &&
1402 errno != ENOENT && errno != ENOTDIR) {
1403 BIO_printf(bio_err, "unable to rename %s to %s\n",
1404 serialfile, buf[1]);
1410 if (rename(buf[0], serialfile) < 0) {
1411 BIO_printf(bio_err, "unable to rename %s to %s\n",
1412 buf[0], serialfile);
1414 if (rename(buf[1], serialfile) < 0) {
1415 BIO_printf(bio_err, "unable to rename %s to %s\n",
1416 buf[1], serialfile);
1428 rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
1441 if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
1443 if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
1456 load_index(char *dbfile, DB_ATTR *db_attr)
1458 CA_DB *retdb = NULL;
1459 TXT_DB *tmpdb = NULL;
1460 BIO *in = BIO_new(BIO_s_file());
1461 CONF *dbattr_conf = NULL;
1462 char buf[1][BUFLEN];
1463 long errorline = -1;
1466 ERR_print_errors(bio_err);
1469 if (BIO_read_filename(in, dbfile) <= 0) {
1471 BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1474 if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
1477 snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
1478 dbattr_conf = NCONF_new(NULL);
1479 if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
1480 if (errorline > 0) {
1482 "error on line %ld of db attribute file '%s'\n",
1486 NCONF_free(dbattr_conf);
1490 if ((retdb = malloc(sizeof(CA_DB))) == NULL) {
1491 fprintf(stderr, "Out of memory\n");
1497 retdb->attributes = *db_attr;
1499 retdb->attributes.unique_subject = 1;
1503 char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
1505 retdb->attributes.unique_subject = parse_yesno(p, 1);
1511 NCONF_free(dbattr_conf);
1520 index_index(CA_DB *db)
1522 if (!TXT_DB_create_index(db->db, DB_serial, NULL,
1523 LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) {
1525 "error creating serial number index:(%ld,%ld,%ld)\n",
1526 db->db->error, db->db->arg1, db->db->arg2);
1529 if (db->attributes.unique_subject &&
1530 !TXT_DB_create_index(db->db, DB_name, index_name_qual,
1531 LHASH_HASH_FN(index_name), LHASH_COMP_FN(index_name))) {
1532 BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
1533 db->db->error, db->db->arg1, db->db->arg2);
1540 save_index(const char *dbfile, const char *suffix, CA_DB *db)
1542 char buf[3][BUFLEN];
1543 BIO *out = BIO_new(BIO_s_file());
1547 ERR_print_errors(bio_err);
1550 j = strlen(dbfile) + strlen(suffix);
1551 if (j + 6 >= BUFLEN) {
1552 BIO_printf(bio_err, "file name too long\n");
1555 snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
1556 snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
1557 snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
1560 if (BIO_write_filename(out, buf[0]) <= 0) {
1562 BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1565 j = TXT_DB_write(out, db->db);
1571 out = BIO_new(BIO_s_file());
1574 if (BIO_write_filename(out, buf[1]) <= 0) {
1576 BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
1579 BIO_printf(out, "unique_subject = %s\n",
1580 db->attributes.unique_subject ? "yes" : "no");
1590 rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
1592 char buf[5][BUFLEN];
1595 i = strlen(dbfile) + strlen(old_suffix);
1596 j = strlen(dbfile) + strlen(new_suffix);
1599 if (j + 6 >= BUFLEN) {
1600 BIO_printf(bio_err, "file name too long\n");
1603 snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
1604 snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
1605 snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
1606 snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
1607 snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
1610 if (rename(dbfile, buf[1]) < 0 && errno != ENOENT && errno != ENOTDIR) {
1611 BIO_printf(bio_err, "unable to rename %s to %s\n",
1618 if (rename(buf[0], dbfile) < 0) {
1619 BIO_printf(bio_err, "unable to rename %s to %s\n",
1622 if (rename(buf[1], dbfile) < 0) {
1623 BIO_printf(bio_err, "unable to rename %s to %s\n",
1631 if (rename(buf[4], buf[3]) < 0 && errno != ENOENT && errno != ENOTDIR) {
1632 BIO_printf(bio_err, "unable to rename %s to %s\n",
1635 if (rename(dbfile, buf[0]) < 0) {
1636 BIO_printf(bio_err, "unable to rename %s to %s\n",
1640 if (rename(buf[1], dbfile) < 0) {
1641 BIO_printf(bio_err, "unable to rename %s to %s\n",
1649 if (rename(buf[2], buf[4]) < 0) {
1650 BIO_printf(bio_err, "unable to rename %s to %s\n",
1653 if (rename(buf[3], buf[4]) < 0) {
1654 BIO_printf(bio_err, "unable to rename %s to %s\n",
1658 if (rename(dbfile, buf[0]) < 0) {
1659 BIO_printf(bio_err, "unable to rename %s to %s\n",
1663 if (rename(buf[1], dbfile) < 0) {
1664 BIO_printf(bio_err, "unable to rename %s to %s\n",
1677 free_index(CA_DB *db)
1681 TXT_DB_free(db->db);
1687 parse_yesno(const char *str, int def)
1693 case 'f': /* false */
1694 case 'F': /* FALSE */
1700 case 't': /* true */
1701 case 'T': /* TRUE */
1716 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
1717 * where characters may be escaped by \
1720 parse_name(char *subject, long chtype, int multirdn)
1722 X509_NAME *name = NULL;
1723 size_t buflen, max_ne;
1724 char **ne_types, **ne_values;
1725 char *buf, *bp, *sp;
1726 int i, nid, ne_num = 0;
1730 * Buffer to copy the types and values into. Due to escaping the
1731 * copy can only become shorter.
1733 buflen = strlen(subject) + 1;
1734 buf = malloc(buflen);
1736 /* Maximum number of name elements. */
1737 max_ne = buflen / 2 + 1;
1738 ne_types = reallocarray(NULL, max_ne, sizeof(char *));
1739 ne_values = reallocarray(NULL, max_ne, sizeof(char *));
1740 mval = reallocarray(NULL, max_ne, sizeof(int));
1742 if (buf == NULL || ne_types == NULL || ne_values == NULL ||
1744 BIO_printf(bio_err, "malloc error\n");
1751 if (*subject != '/') {
1752 BIO_printf(bio_err, "Subject does not start with '/'.\n");
1756 /* Skip leading '/'. */
1759 /* No multivalued RDN by default. */
1764 ne_types[ne_num] = bp;
1766 /* is there anything to escape in the type...? */
1771 BIO_printf(bio_err, "escape character "
1772 "at end of string\n");
1775 } else if (*sp == '=') {
1783 BIO_printf(bio_err, "end of string encountered while "
1784 "processing type of subject name element #%d\n",
1788 ne_values[ne_num] = bp;
1794 BIO_printf(bio_err, "escape character "
1795 "at end of string\n");
1798 } else if (*sp == '/') {
1800 /* no multivalued RDN by default */
1801 mval[ne_num + 1] = 0;
1803 } else if (*sp == '+' && multirdn) {
1804 /* a not escaped + signals a multivalued RDN */
1806 mval[ne_num + 1] = -1;
1815 if ((name = X509_NAME_new()) == NULL)
1818 for (i = 0; i < ne_num; i++) {
1819 if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) {
1821 "Subject Attribute %s has no known NID, skipped\n",
1825 if (!*ne_values[i]) {
1826 BIO_printf(bio_err, "No value provided for Subject "
1827 "Attribute %s, skipped\n", ne_types[i]);
1830 if (!X509_NAME_add_entry_by_NID(name, nid, chtype,
1831 (unsigned char *) ne_values[i], -1, -1, mval[i]))
1837 X509_NAME_free(name);
1850 args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
1851 X509_VERIFY_PARAM **pm)
1853 ASN1_OBJECT *otmp = NULL;
1854 unsigned long flags = 0;
1856 int purpose = 0, depth = -1;
1857 char **oldargs = *pargs;
1858 char *arg = **pargs, *argn = (*pargs)[1];
1860 const char *errstr = NULL;
1862 if (!strcmp(arg, "-policy")) {
1866 otmp = OBJ_txt2obj(argn, 0);
1868 BIO_printf(err, "Invalid Policy \"%s\"\n",
1874 } else if (strcmp(arg, "-purpose") == 0) {
1875 X509_PURPOSE *xptmp;
1879 i = X509_PURPOSE_get_by_sname(argn);
1881 BIO_printf(err, "unrecognized purpose\n");
1884 xptmp = X509_PURPOSE_get0(i);
1885 purpose = X509_PURPOSE_get_id(xptmp);
1889 } else if (strcmp(arg, "-verify_depth") == 0) {
1893 depth = strtonum(argn, 1, INT_MAX, &errstr);
1895 BIO_printf(err, "invalid depth %s: %s\n",
1901 } else if (strcmp(arg, "-attime") == 0) {
1905 long long timestamp;
1907 * interpret the -attime argument as seconds since
1910 if (sscanf(argn, "%lli", ×tamp) != 1) {
1912 "Error parsing timestamp %s\n",
1916 /* XXX 2038 truncation */
1917 at_time = (time_t) timestamp;
1920 } else if (!strcmp(arg, "-ignore_critical"))
1921 flags |= X509_V_FLAG_IGNORE_CRITICAL;
1922 else if (!strcmp(arg, "-issuer_checks"))
1923 flags |= X509_V_FLAG_CB_ISSUER_CHECK;
1924 else if (!strcmp(arg, "-crl_check"))
1925 flags |= X509_V_FLAG_CRL_CHECK;
1926 else if (!strcmp(arg, "-crl_check_all"))
1927 flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
1928 else if (!strcmp(arg, "-policy_check"))
1929 flags |= X509_V_FLAG_POLICY_CHECK;
1930 else if (!strcmp(arg, "-explicit_policy"))
1931 flags |= X509_V_FLAG_EXPLICIT_POLICY;
1932 else if (!strcmp(arg, "-inhibit_any"))
1933 flags |= X509_V_FLAG_INHIBIT_ANY;
1934 else if (!strcmp(arg, "-inhibit_map"))
1935 flags |= X509_V_FLAG_INHIBIT_MAP;
1936 else if (!strcmp(arg, "-x509_strict"))
1937 flags |= X509_V_FLAG_X509_STRICT;
1938 else if (!strcmp(arg, "-extended_crl"))
1939 flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
1940 else if (!strcmp(arg, "-use_deltas"))
1941 flags |= X509_V_FLAG_USE_DELTAS;
1942 else if (!strcmp(arg, "-policy_print"))
1943 flags |= X509_V_FLAG_NOTIFY_POLICY;
1944 else if (!strcmp(arg, "-check_ss_sig"))
1945 flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
1951 X509_VERIFY_PARAM_free(*pm);
1955 if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) {
1960 X509_VERIFY_PARAM_add0_policy(*pm, otmp);
1964 X509_VERIFY_PARAM_set_flags(*pm, flags);
1967 X509_VERIFY_PARAM_set_purpose(*pm, purpose);
1970 X509_VERIFY_PARAM_set_depth(*pm, depth);
1973 X509_VERIFY_PARAM_set_time(*pm, at_time);
1979 *pargc -= *pargs - oldargs;
1981 ASN1_OBJECT_free(otmp);
1985 /* Read whole contents of a BIO into an allocated memory buffer and
1990 bio_to_mem(unsigned char **out, int maxlen, BIO *in)
1994 unsigned char tbuf[1024];
1996 mem = BIO_new(BIO_s_mem());
2000 if ((maxlen != -1) && maxlen < 1024)
2004 len = BIO_read(in, tbuf, len);
2007 if (BIO_write(mem, tbuf, len) != len) {
2016 ret = BIO_get_mem_data(mem, (char **) out);
2017 BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
2023 pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
2026 char *stmp, *vtmp = NULL;
2030 stmp = strdup(value);
2033 vtmp = strchr(stmp, ':');
2038 rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
2045 nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
2047 X509_POLICY_NODE *node;
2050 BIO_printf(out, "%s Policies:", name);
2052 BIO_puts(out, "\n");
2053 for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
2054 node = sk_X509_POLICY_NODE_value(nodes, i);
2055 X509_POLICY_NODE_print(out, node, 2);
2058 BIO_puts(out, " <empty>\n");
2062 policies_print(BIO *out, X509_STORE_CTX *ctx)
2064 X509_POLICY_TREE *tree;
2065 int explicit_policy;
2069 out = BIO_new_fp(stderr, BIO_NOCLOSE);
2072 tree = X509_STORE_CTX_get0_policy_tree(ctx);
2073 explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
2075 BIO_printf(out, "Require explicit Policy: %s\n",
2076 explicit_policy ? "True" : "False");
2078 nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
2079 nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
2084 /* next_protos_parse parses a comma separated list of strings into a string
2085 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
2086 * outlen: (output) set to the length of the resulting buffer on success.
2087 * err: (maybe NULL) on failure, an error message line is written to this BIO.
2088 * in: a NUL termianted string like "abc,def,ghi"
2090 * returns: a malloced buffer or NULL on failure.
2093 next_protos_parse(unsigned short *outlen, const char *in)
2097 size_t i, start = 0;
2103 out = malloc(strlen(in) + 1);
2107 for (i = 0; i <= len; ++i) {
2108 if (i == len || in[i] == ',') {
2109 if (i - start > 255) {
2113 out[start] = i - start;
2124 app_isdir(const char *name)
2128 if (stat(name, &st) == 0)
2129 return S_ISDIR(st.st_mode);
2133 #define OPTION_WIDTH 18
2136 options_usage(struct option *opts)
2142 for (i = 0; opts[i].name != NULL; i++) {
2143 if (opts[i].desc == NULL)
2146 snprintf(optstr, sizeof(optstr), "-%s %s", opts[i].name,
2147 (opts[i].argname != NULL) ? opts[i].argname : "");
2148 fprintf(stderr, " %-*s", OPTION_WIDTH, optstr);
2149 if (strlen(optstr) > OPTION_WIDTH)
2150 fprintf(stderr, "\n %-*s", OPTION_WIDTH, "");
2153 while ((q = strchr(p, '\n')) != NULL) {
2154 fprintf(stderr, " %.*s", (int)(q - p), p);
2155 fprintf(stderr, "\n %-*s", OPTION_WIDTH, "");
2158 fprintf(stderr, " %s\n", p);
2163 options_parse(int argc, char **argv, struct option *opts, char **unnamed,
2174 if (unnamed != NULL)
2177 for (i = 1; i < argc; i++) {
2180 /* Single unnamed argument (without leading hyphen). */
2182 if (argsused != NULL)
2184 if (unnamed == NULL)
2186 if (*unnamed != NULL)
2192 /* End of named options (single hyphen). */
2196 if (argsused != NULL)
2198 if (unnamed != NULL && i == argc - 1) {
2199 if (*unnamed != NULL)
2207 /* See if there is a matching option... */
2208 for (j = 0; opts[j].name != NULL; j++) {
2209 if (strcmp(p, opts[j].name) == 0)
2213 if (opt->name == NULL && opt->type == 0)
2216 if (opt->type == OPTION_ARG ||
2217 opt->type == OPTION_ARG_FORMAT ||
2218 opt->type == OPTION_ARG_FUNC ||
2219 opt->type == OPTION_ARG_INT ||
2220 opt->type == OPTION_ARG_LONG) {
2222 fprintf(stderr, "missing %s argument for -%s\n",
2223 opt->argname, opt->name);
2228 switch (opt->type) {
2230 *opt->opt.arg = argv[i];
2233 case OPTION_ARGV_FUNC:
2234 if (opt->opt.argvfunc(argc - i, &argv[i], &used) != 0)
2239 case OPTION_ARG_FORMAT:
2240 fmt = str2fmt(argv[i]);
2241 if (fmt == FORMAT_UNDEF) {
2242 fprintf(stderr, "unknown %s '%s' for -%s\n",
2243 opt->argname, argv[i], opt->name);
2246 *opt->opt.value = fmt;
2249 case OPTION_ARG_FUNC:
2250 if (opt->opt.argfunc(argv[i]) != 0)
2254 case OPTION_ARG_INT:
2255 val = strtonum(argv[i], 0, INT_MAX, &errstr);
2256 if (errstr != NULL) {
2257 fprintf(stderr, "%s %s argument for -%s\n",
2258 errstr, opt->argname, opt->name);
2261 *opt->opt.value = (int)val;
2264 case OPTION_ARG_LONG:
2265 val = strtonum(argv[i], 0, LONG_MAX, &errstr);
2266 if (errstr != NULL) {
2267 fprintf(stderr, "%s %s argument for -%s\n",
2268 errstr, opt->argname, opt->name);
2271 *opt->opt.lvalue = (long)val;
2274 case OPTION_DISCARD:
2278 if (opt->opt.func() != 0)
2286 case OPTION_FLAG_ORD:
2287 *opt->opt.flag = ++ord;
2291 *opt->opt.value = opt->value;
2294 case OPTION_VALUE_AND:
2295 *opt->opt.value &= opt->value;
2298 case OPTION_VALUE_OR:
2299 *opt->opt.value |= opt->value;
2303 fprintf(stderr, "option %s - unknown type %i\n",
2304 opt->name, opt->type);
2310 if (argsused != NULL)
2316 fprintf(stderr, "too many arguments\n");
2320 fprintf(stderr, "unknown option '%s'\n", arg);