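/* --- continuation of the ca main function: this excerpt starts inside an
 * enclosing block of main() (CRL generation) whose opening is outside the
 * excerpt; the block closes below, followed by the -revoke handling and the
 * shared cleanup label.  The main() fragment is left logically unchanged. --- */
        ci->nextUpdate=ASN1_UTCTIME_new();
        X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);

        /* Collect every revoked ('R') row of the database into the CRL. */
        for (i=0; i<sk_num(db->data); i++) {
            pp=(char **)sk_value(db->data,i);
            if (pp[DB_type][0] == DB_TYPE_REV) {
                if ((r=X509_REVOKED_new()) == NULL) goto err;
                ASN1_STRING_set((ASN1_STRING *) r->revocationDate,
                    (unsigned char *)pp[DB_rev_date],
                    strlen(pp[DB_rev_date]));
                /* strcpy(r->revocationDate,pp[DB_rev_date]);*/
                /* The serial column is hex text; go through a memory BIO so
                 * a2i_ASN1_INTEGER() can parse it. */
                (void)BIO_reset(hex);
                if (!BIO_puts(hex,pp[DB_serial])) goto err;
                if (!a2i_ASN1_INTEGER(hex,r->serialNumber, buf[0],BSIZE)) goto err;
                sk_X509_REVOKED_push(ci->revoked,r);
            }
        }

        /* sort the data so it will be written in serial number order */
        sk_X509_REVOKED_sort(ci->revoked);
        for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++) {
            r=sk_X509_REVOKED_value(ci->revoked,i);
            r->sequence=i;
        }

        /* we now have a CRL */
        if (verbose) BIO_printf(bio_err,"signing CRL\n");

        /* Pick the signing digest: the -md option if given, else a default
         * keyed on the CA key type. */
        if (md != NULL) {
            if ((dgst=EVP_get_digestbyname(md)) == NULL) {
                BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
                goto err;
            }
        } else {
#ifndef NO_DSA
            if (pkey->type == EVP_PKEY_DSA)
                dgst=EVP_dss1();
            else
#endif
                dgst=EVP_md5();
        }

        /* Add any extensions asked for */
        if(crl_ext) {
            X509V3_CTX crlctx;
            if (ci->version == NULL)
                if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
            ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
            X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
            X509V3_set_conf_lhash(&crlctx, conf);
            if(!X509V3_EXT_CRL_add_conf(conf, &crlctx, crl_ext, crl)) goto err;
        }
        if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
        PEM_write_bio_X509_CRL(Sout,crl);
    }
    /*****************************************************************/
    if (dorevoke) {
        if (infile == NULL) {
            BIO_printf(bio_err,"no input files\n");
            goto err;
        } else {
            X509 *revcert;
            if (BIO_read_filename(in,infile) <= 0) {
                perror(infile);
                BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
                goto err;
            }
            revcert=PEM_read_bio_X509(in,NULL,NULL,NULL);
            if (revcert == NULL) {
                BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
                goto err;
            }
            /* NOTE(review): revcert is not freed on the j <= 0 path below;
             * harmless here because main() exits, but worth tidying. */
            j=do_revoke(revcert,db);
            if (j <= 0) goto err;
            X509_free(revcert);

            /* Write the updated database to <dbfile>.new, then rotate
             * dbfile -> .old and .new -> dbfile so a crash mid-write never
             * leaves a truncated database in place. */
            /* NOTE(review): strncpy() leaves buf[0] unterminated when dbfile
             * is BSIZE-4 characters or longer, and the strcat() that follows
             * would then write past the copied bytes; a bounded snprintf()
             * would be safer.  Left unchanged here because buf[] and BSIZE are
             * declared outside this excerpt. */
            strncpy(buf[0],dbfile,BSIZE-4);
#ifndef VMS
            strcat(buf[0],".new");
#else
            strcat(buf[0],"-new");
#endif
            if (BIO_write_filename(out,buf[0]) <= 0) {
                perror(dbfile);
                BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
                goto err;
            }
            j=TXT_DB_write(out,db);
            if (j <= 0) goto err;
            strncpy(buf[1],dbfile,BSIZE-4);
#ifndef VMS
            strcat(buf[1],".old");
#else
            strcat(buf[1],"-old");
#endif
            if (rename(dbfile,buf[1]) < 0) {
                BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
                perror("reason");
                goto err;
            }
            if (rename(buf[0],dbfile) < 0) {
                BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
                perror("reason");
                /* best effort: put the original database back */
                rename(buf[1],dbfile);
                goto err;
            }
            BIO_printf(bio_err,"Data Base Updated\n");
        }
    }
    /*****************************************************************/
    ret=0;
err:
    /* Shared cleanup for every exit path of main(); all handles are either
     * valid or NULL/unset at this point.  ERR_print_errors() is only called
     * on failure so a clean run prints nothing to bio_err. */
    BIO_free(hex);
    BIO_free_all(Cout);
    BIO_free_all(Sout);
    BIO_free_all(out);
    BIO_free(in);
    sk_X509_pop_free(cert_sk,X509_free);
    if (ret) ERR_print_errors(bio_err);
    app_RAND_write_file(randfile, bio_err);
    BN_free(serial);
    TXT_DB_free(db);
    EVP_PKEY_free(pkey);
    X509_free(x509);
    X509_CRL_free(crl);
    CONF_free(conf);
    OBJ_cleanup();
    OPENSSL_EXIT(ret);
}

/* Report a failed configuration-variable lookup (section::name) on bio_err. */
static void lookup_fail(char *name, char *tag)
{
    BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
}

/* Hash callback for the TXT_DB serial index.  Leading '0' characters of the
 * DB_serial column are skipped before hashing so that the hash agrees with
 * index_serial_cmp(), which also ignores leading zeros; otherwise two
 * spellings of the same serial could land in different buckets and the
 * duplicate-serial check would miss them. */
static unsigned long index_serial_hash(char **a)
{
    char *digits=a[DB_serial];

    while (*digits == '0')
        digits++;
    return(lh_strhash(digits));
}

/* Compare callback for the serial index: ordering of the DB_serial columns
 * with leading zeros stripped from both sides, so "00A" and "A" compare
 * equal. */
static int index_serial_cmp(char **a, char **b)
{
    char *aa,*bb;

    for (aa=a[DB_serial]; *aa == '0'; aa++) {
        /* skip leading zeros */
    }
    for (bb=b[DB_serial]; *bb == '0'; bb++) {
        /* skip leading zeros */
    }
    return(strcmp(aa,bb));
}

/* Hash callback for the TXT_DB name index: plain hash of the DB_name column. */
static unsigned long index_name_hash(char **a)
{
    return(lh_strhash(a[DB_name]));
}

/* Qualifier for the name index: only rows whose first column (the type
 * column, presumably DB_type) starts with 'V' take part in the index. */
static int index_name_qual(char **a)
{
    return(a[0][0] == 'V');
}

/* Compare callback for the name index: byte-wise ordering of DB_name. */
static int index_name_cmp(char **a, char **b)
{
    return(strcmp(a[DB_name], b[DB_name]));
}

/* Read the next serial number from serialfile (hex text) into a new BIGNUM.
 *
 * serialfile: path to the serial file.
 * Returns a BIGNUM owned by the caller, or NULL on any error (the reason is
 * reported on bio_err / errno). */
static BIGNUM *load_serial(char *serialfile)
{
    BIO *in=NULL;
    BIGNUM *ret=NULL;
    MS_STATIC char buf[1024];
    ASN1_INTEGER *ai=NULL;

    if ((in=BIO_new(BIO_s_file())) == NULL) {
        ERR_print_errors(bio_err);
        goto err;
    }
    if (BIO_read_filename(in,serialfile) <= 0) {
        perror(serialfile);
        goto err;
    }
    ai=ASN1_INTEGER_new();
    if (ai == NULL) goto err;
    /* The file holds the serial as hex text; buf is scratch space for the
     * parser. */
    if (!a2i_ASN1_INTEGER(in,ai,buf,1024)) {
        BIO_printf(bio_err,"unable to load number from %s\n", serialfile);
        goto err;
    }
    ret=ASN1_INTEGER_to_BN(ai,NULL);
    if (ret == NULL) {
        BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
        goto err;
    }
err:
    if (in != NULL) BIO_free(in);
    if (ai != NULL) ASN1_INTEGER_free(ai);
    return(ret);
}

/* Write serial to serialfile as hex text followed by a newline.
 *
 * serialfile: path to overwrite.
 * serial: value to store (not consumed).
 * Returns 1 on success, 0 on failure.  The write and flush results are
 * checked: a silently failed write would leave the old serial on disk and
 * the CA would reuse it for the next certificate. */
static int save_serial(char *serialfile, BIGNUM *serial)
{
    BIO *out=NULL;
    int ret=0;
    ASN1_INTEGER *ai=NULL;

    out=BIO_new(BIO_s_file());
    if (out == NULL) {
        ERR_print_errors(bio_err);
        goto err;
    }
    if (BIO_write_filename(out,serialfile) <= 0) {
        perror(serialfile);
        goto err;
    }
    if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL) {
        BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
        goto err;
    }
    if (i2a_ASN1_INTEGER(out,ai) <= 0
        || BIO_puts(out,"\n") <= 0
        || BIO_flush(out) <= 0) {
        BIO_printf(bio_err,"error writing serial to %s\n", serialfile);
        goto err;
    }
    ret=1;
err:
    if (out != NULL) BIO_free_all(out);
    if (ai != NULL) ASN1_INTEGER_free(ai);
    return(ret);
}

/* Certify a PEM certificate request read from infile.
 *
 * The request's self-signature is verified against the public key it
 * carries (proof of possession) before do_body() issues the certificate.
 * Returns do_body()'s result on success, 0 when the signature does not
 * verify, and -1 when the file cannot be read or parsed. */
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
    const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
    BIGNUM *serial, char *startdate, char *enddate, int days, int batch,
    char *ext_sect, LHASH *lconf, int verbose)
{
    X509_REQ *req=NULL;
    BIO *in=NULL;
    EVP_PKEY *pktmp=NULL;
    int ok= -1,i;

    in=BIO_new(BIO_s_file());
    if (in == NULL) {
        /* previously unchecked: BIO_read_filename() on NULL would crash */
        ERR_print_errors(bio_err);
        goto err;
    }
    if (BIO_read_filename(in,infile) <= 0) {
        perror(infile);
        goto err;
    }
    if ((req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL)) == NULL) {
        BIO_printf(bio_err,"Error reading certificate request in %s\n", infile);
        goto err;
    }
    if (verbose) X509_REQ_print(bio_err,req);

    BIO_printf(bio_err,"Check that the request matches the signature\n");
    if ((pktmp=X509_REQ_get_pubkey(req)) == NULL) {
        BIO_printf(bio_err,"error unpacking public key\n");
        goto err;
    }
    /* <0: verification error, 0: signature mismatch, >0: ok */
    i=X509_REQ_verify(req,pktmp);
    EVP_PKEY_free(pktmp);
    if (i < 0) {
        ok=0;
        BIO_printf(bio_err,"Signature verification problems....\n");
        goto err;
    }
    if (i == 0) {
        ok=0;
        BIO_printf(bio_err,"Signature did not match the certificate request\n");
        goto err;
    } else
        BIO_printf(bio_err,"Signature ok\n");

    ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate, enddate,
        days,batch,verbose,req,ext_sect,lconf);
err:
    if (req != NULL) X509_REQ_free(req);
    if (in != NULL) BIO_free(in);
    return(ok);
}

/* Certify an existing self-signed PEM certificate read from infile.
 *
 * The certificate's self-signature is verified against its own public key,
 * it is converted to an X509_REQ, and do_body() issues a new certificate
 * from that request.  Return values are as for certify(): do_body()'s
 * result, 0 on a signature mismatch, -1 on read/parse failure.
 * NOTE(review): EVP_md5() here only signs the intermediate request object;
 * the issued certificate is signed with dgst inside do_body(). */
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
    const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
    BIGNUM *serial, char *startdate, char *enddate, int days, int batch,
    char *ext_sect, LHASH *lconf, int verbose)
{
    X509 *req=NULL;
    X509_REQ *rreq=NULL;
    BIO *in=NULL;
    EVP_PKEY *pktmp=NULL;
    int ok= -1,i;

    in=BIO_new(BIO_s_file());
    if (in == NULL) {
        /* previously unchecked: BIO_read_filename() on NULL would crash */
        ERR_print_errors(bio_err);
        goto err;
    }
    if (BIO_read_filename(in,infile) <= 0) {
        perror(infile);
        goto err;
    }
    if ((req=PEM_read_bio_X509(in,NULL,NULL,NULL)) == NULL) {
        BIO_printf(bio_err,"Error reading self signed certificate in %s\n",infile);
        goto err;
    }
    if (verbose) X509_print(bio_err,req);

    BIO_printf(bio_err,"Check that the request matches the signature\n");
    if ((pktmp=X509_get_pubkey(req)) == NULL) {
        BIO_printf(bio_err,"error unpacking public key\n");
        goto err;
    }
    /* <0: verification error, 0: signature mismatch, >0: ok */
    i=X509_verify(req,pktmp);
    EVP_PKEY_free(pktmp);
    if (i < 0) {
        ok=0;
        BIO_printf(bio_err,"Signature verification problems....\n");
        goto err;
    }
    if (i == 0) {
        ok=0;
        BIO_printf(bio_err,"Signature did not match the certificate\n");
        goto err;
    } else
        BIO_printf(bio_err,"Signature ok\n");

    if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
        goto err;

    ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,days,
        batch,verbose,rreq,ext_sect,lconf);
err:
    if (rreq != NULL) X509_REQ_free(rreq);
    if (req != NULL) X509_free(req);
    if (in != NULL) BIO_free(in);
    return(ok);
}

/* Issue a certificate for req under the CA's policy.  The function continues
 * past the end of this excerpt; what is visible prints and sanity-checks the
 * request's subject DN, then starts applying the 'policy' section against
 * the CA certificate's subject.  This fragment is left logically unchanged. */
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
    STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *startdate,
    char *enddate, int days, int batch, int verbose, X509_REQ *req,
    char *ext_sect, LHASH *lconf)
{
    X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
    ASN1_UTCTIME *tm,*tmptm;
    ASN1_STRING *str,*str2;
    ASN1_OBJECT *obj;
    X509 *ret=NULL;
    X509_CINF *ci;
    X509_NAME_ENTRY *ne;
    X509_NAME_ENTRY *tne,*push;
    EVP_PKEY *pktmp;
    int ok= -1,i,j,last,nid;
    char *p;
    CONF_VALUE *cv;
    char *row[DB_NUMBER],**rrow,**irow=NULL;
    char buf[25],*pbuf;

    tmptm=ASN1_UTCTIME_new();
    if (tmptm == NULL) {
        BIO_printf(bio_err,"malloc error\n");
        return(0);
    }

    for (i=0; i<DB_NUMBER; i++)
        row[i]=NULL;

    BIO_printf(bio_err,"The Subjects Distinguished Name is as follows\n");
    name=X509_REQ_get_subject_name(req);
    for (i=0; i<X509_NAME_entry_count(name); i++) {
        ne=(X509_NAME_ENTRY *)X509_NAME_get_entry(name,i);
        obj=X509_NAME_ENTRY_get_object(ne);
        j=i2a_ASN1_OBJECT(bio_err,obj);
        str=X509_NAME_ENTRY_get_data(ne);
        /* pad the printed attribute name to a 22-column field */
        pbuf=buf;
        for (j=22-j; j>0; j--)
            *(pbuf++)=' ';
        *(pbuf++)=':';
        *(pbuf++)='\0';
        BIO_puts(bio_err,buf);

        if (msie_hack) {
            /* assume all type should be strings */
            nid=OBJ_obj2nid(ne->object);

            if (str->type == V_ASN1_UNIVERSALSTRING)
                ASN1_UNIVERSALSTRING_to_string(str);

            if ((str->type == V_ASN1_IA5STRING) &&
                (nid != NID_pkcs9_emailAddress))
                str->type=V_ASN1_T61STRING;

            if ((nid == NID_pkcs9_emailAddress) &&
                (str->type == V_ASN1_PRINTABLESTRING))
                str->type=V_ASN1_IA5STRING;
        }

        if (str->type == V_ASN1_PRINTABLESTRING)
            BIO_printf(bio_err,"PRINTABLE:'");
        else if (str->type == V_ASN1_T61STRING)
            BIO_printf(bio_err,"T61STRING:'");
        else if (str->type == V_ASN1_IA5STRING)
            BIO_printf(bio_err,"IA5STRING:'");
        else if (str->type == V_ASN1_UNIVERSALSTRING)
            BIO_printf(bio_err,"UNIVERSALSTRING:'");
        else
            BIO_printf(bio_err,"ASN.1 %2d:'",str->type);

        /* check some things */
        if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
            (str->type != V_ASN1_IA5STRING)) {
            BIO_printf(bio_err,"\nemailAddress type needs to be of type IA5STRING\n");
            goto err;
        }
        /* Reject content that is not representable in the declared
         * ASN.1 string type. */
        j=ASN1_PRINTABLE_type(str->data,str->length);
        if ( ((j == V_ASN1_T61STRING) && (str->type != V_ASN1_T61STRING)) ||
             ((j == V_ASN1_IA5STRING) && (str->type == V_ASN1_PRINTABLESTRING))) {
            BIO_printf(bio_err,"\nThe string contains characters that are illegal for the ASN.1 type\n");
            goto err;
        }

        /* print the value, escaping anything outside printable ASCII */
        p=(char *)str->data;
        for (j=str->length; j>0; j--) {
            if ((*p >= ' ') && (*p <= '~'))
                BIO_printf(bio_err,"%c",*p);
            else if (*p & 0x80)
                BIO_printf(bio_err,"\\0x%02X",*p);
            else if ((unsigned char)*p == 0xf7)
                BIO_printf(bio_err,"^?");
            else
                BIO_printf(bio_err,"^%c",*p+'@');
            p++;
        }
        BIO_printf(bio_err,"'\n");
    }

    /* Ok, now we check the 'policy' stuff. */
    if ((subject=X509_NAME_new()) == NULL) {
        BIO_printf(bio_err,"Memory allocation failure\n");
        goto err;
    }

    /* take a copy of the issuer name before we mess with it. */
    CAname=X509_NAME_dup(x509->cert_info->subject);
    if (CAname == NULL) goto err;
    str=str2=NULL;

    for (i=0; i<sk_CONF_VALUE_num(policy); i++) {
        cv=sk_CONF_VALUE_value(policy,i); /* get the object id */
        if ((j=OBJ_txt2nid(cv->name)) == NID_undef) {
            BIO_printf(bio_err,"%s:unknown object type in 'policy' configuration\n",cv->name);
            goto err;
        }
        obj=OBJ_nid2obj(j);

        last= -1;
        for (;;) {
            /* lookup the object in the supplied name list */
            j=X509_NAME_get_index_by_OBJ(name,obj,last);
            if (j < 0) {
                if (last != -1) break;
                tne=NULL;
            } else {
                tne=X509_NAME_get_entry(name,j);
            }
            last=j;

            /* depending on the 'policy', decide what to do. */
            push=NULL;
            if (strcmp(cv->value,"optional") == 0) {
                if (tne != NULL)
                    push=tne;
            } else if (strcmp(cv->value,"supplied") == 0) {
                if (tne == NULL) {
                    BIO_printf(bio_err,"The %s field needed to be supplied and was missing\n",cv->name);
                    goto err;
                } else
                    push=tne;
            } else if (strcmp(cv->value,"match") == 0) {
                int last2;

                if (tne == NULL) {
                    BIO_printf(bio_err,"The mandatory %s field was missing\n",cv->name);
                    goto err;
                }

                last2= -1;

again2:
                j=X509_NAME_get_index_by_OBJ(CAname,obj,last2);
                if ((j < 0) && (last2 == -1)) {
                    BIO_printf(bio_err,"The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n",cv->name);
                    goto err;
                }
                if (j >= 0) {
                    push=X509_NAME_get_entry(CAname,j);
                    str=X509_NAME_ENTRY_get_data(tne);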