ca.c

mediastreamer2是开源的网络传输媒体流的库

			rev_arg = *(++argv);
			rev_type = REV_CRL_REASON;
			}
		else if (strcmp(*argv,"-crl_hold") == 0)
			{
			if (--argc < 1) goto bad;
			rev_arg = *(++argv);
			rev_type = REV_HOLD;
			}
		else if (strcmp(*argv,"-crl_compromise") == 0)
			{
			if (--argc < 1) goto bad;
			rev_arg = *(++argv);
			rev_type = REV_KEY_COMPROMISE;
			}
		else if (strcmp(*argv,"-crl_CA_compromise") == 0)
			{
			if (--argc < 1) goto bad;
			rev_arg = *(++argv);
			rev_type = REV_CA_COMPROMISE;
			}
#ifndef OPENSSL_NO_ENGINE
		else if (strcmp(*argv,"-engine") == 0)
			{
			if (--argc < 1) goto bad;
			engine= *(++argv);
			}
#endif
		else
			{
bad:
			BIO_printf(bio_err,"unknown option %s\n",*argv);
			badops=1;
			break;
			}
		argc--;
		argv++;
		}

	if (badops)
		{
		for (pp=ca_usage; (*pp != NULL); pp++)
			BIO_printf(bio_err,"%s",*pp);
		goto err;
		}

	ERR_load_crypto_strings();

	/*****************************************************************/
	tofree=NULL;
	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
	if (configfile == NULL)
		{
		const char *s=X509_get_default_cert_area();
		size_t len;

#ifdef OPENSSL_SYS_VMS
		len = strlen(s)+sizeof(CONFIG_FILE);
		tofree=OPENSSL_malloc(len);
		strcpy(tofree,s);
#else
		len = strlen(s)+sizeof(CONFIG_FILE)+1;
		tofree=OPENSSL_malloc(len);
		BUF_strlcpy(tofree,s,len);
		BUF_strlcat(tofree,"/",len);
#endif
		BUF_strlcat(tofree,CONFIG_FILE,len);
		configfile=tofree;
		}

	BIO_printf(bio_err,"Using configuration from %s\n",configfile);
	conf = NCONF_new(NULL);
	if (NCONF_load(conf,configfile,&errorline) <= 0)
		{
		if (errorline <= 0)
			BIO_printf(bio_err,"error loading the config file '%s'\n",
				configfile);
		else
			BIO_printf(bio_err,"error on line %ld of config file '%s'\n"
				,errorline,configfile);
		goto err;
		}
	if(tofree)
		{
		OPENSSL_free(tofree);
		tofree = NULL;
		}

	if (!load_config(bio_err, conf))
		goto err;

#ifndef OPENSSL_NO_ENGINE
	e = setup_engine(bio_err, engine, 0);
#endif

	/* Lets get the config section we are using */
	if (section == NULL)
		{
		section=NCONF_get_string(conf,BASE_SECTION,ENV_DEFAULT_CA);
		if (section == NULL)
			{
			lookup_fail(BASE_SECTION,ENV_DEFAULT_CA);
			goto err;
			}
		}

	if (conf != NULL)
		{
		p=NCONF_get_string(conf,NULL,"oid_file");
		if (p == NULL)
			ERR_clear_error();
		if (p != NULL)
			{
			BIO *oid_bio;

			oid_bio=BIO_new_file(p,"r");
			if (oid_bio == NULL) 
				{
				/*
				BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
				ERR_print_errors(bio_err);
				*/
				ERR_clear_error();
				}
			else
				{
				OBJ_create_objects(oid_bio);
				BIO_free(oid_bio);
				}
			}
		if (!add_oid_section(bio_err,conf)) 
			{
			ERR_print_errors(bio_err);
			goto err;
			}
		}

	randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE");
	if (randfile == NULL)
		ERR_clear_error();
	app_RAND_load_file(randfile, bio_err, 0);

	f = NCONF_get_string(conf, section, STRING_MASK);
	if (!f)
		ERR_clear_error();

	if(f && !ASN1_STRING_set_default_mask_asc(f)) {
		BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
		goto err;
	}

	if (chtype != MBSTRING_UTF8){
		f = NCONF_get_string(conf, section, UTF8_IN);
		if (!f)
			ERR_clear_error();
		else if (!strcmp(f, "yes"))
			chtype = MBSTRING_UTF8;
	}

	db_attr.unique_subject = 1;
	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
	if (p)
		{
#ifdef RL_DEBUG
		BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
#endif
		db_attr.unique_subject = parse_yesno(p,1);
		}
	else
		ERR_clear_error();
#ifdef RL_DEBUG
	if (!p)
		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
#endif
#ifdef RL_DEBUG
	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
		db_attr.unique_subject);
#endif
	
	in=BIO_new(BIO_s_file());
	out=BIO_new(BIO_s_file());
	Sout=BIO_new(BIO_s_file());
	Cout=BIO_new(BIO_s_file());
	if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL))
		{
		ERR_print_errors(bio_err);
		goto err;
		}

	/*****************************************************************/
	/* report status of cert with serial number given on command line */
	if (ser_status)
	{
		if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
			{
			lookup_fail(section,ENV_DATABASE);
			goto err;
			}
		db = load_index(dbfile,&db_attr);
		if (db == NULL) goto err;

		if (!index_index(db)) goto err;

		if (get_certificate_status(ser_status,db) != 1)
			BIO_printf(bio_err,"Error verifying serial %s!\n",
				 ser_status);
		goto err;
	}

	/*****************************************************************/
	/* we definitely need a private key, so let's get it */

	if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
		section,ENV_PRIVATE_KEY)) == NULL))
		{
		lookup_fail(section,ENV_PRIVATE_KEY);
		goto err;
		}
	if (!key)
		{
		free_key = 1;
		if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
			{
			BIO_printf(bio_err,"Error getting password\n");
			goto err;
			}
		}
	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 
		"CA private key");
	if (key) OPENSSL_cleanse(key,strlen(key));
	if (pkey == NULL)
		{
		/* load_key() has already printed an appropriate message */
		goto err;
		}

	/*****************************************************************/
	/* we need a certificate */
	if (!selfsign || spkac_file || ss_cert_file || gencrl)
		{
		if ((certfile == NULL)
			&& ((certfile=NCONF_get_string(conf,
				     section,ENV_CERTIFICATE)) == NULL))
			{
			lookup_fail(section,ENV_CERTIFICATE);
			goto err;
			}
		x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
			"CA certificate");
		if (x509 == NULL)
			goto err;

		if (!X509_check_private_key(x509,pkey))
			{
			BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
			goto err;
			}
		}
	if (!selfsign) x509p = x509;

	f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		preserve=1;
	f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		msie_hack=1;

	f=NCONF_get_string(conf,section,ENV_NAMEOPT);

	if (f)
		{
		if (!set_name_ex(&nameopt, f))
			{
			BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
			goto err;
			}
		default_op = 0;
		}
	else
		ERR_clear_error();

	f=NCONF_get_string(conf,section,ENV_CERTOPT);

	if (f)
		{
		if (!set_cert_ex(&certopt, f))
			{
			BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
			goto err;
			}
		default_op = 0;
		}
	else
		ERR_clear_error();

	f=NCONF_get_string(conf,section,ENV_EXTCOPY);

	if (f)
		{
		if (!set_ext_copy(&ext_copy, f))
			{
			BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
			goto err;
			}
		}
	else
		ERR_clear_error();

	/*****************************************************************/
	/* lookup where to write new certificates */
	if ((outdir == NULL) && (req))
		{
		struct stat sb;

		if ((outdir=NCONF_get_string(conf,section,ENV_NEW_CERTS_DIR))
			== NULL)
			{
			BIO_printf(bio_err,"there needs to be defined a directory for new certificate to be placed in\n");
			goto err;
			}
#ifndef OPENSSL_SYS_VMS
	    /* outdir is a directory spec, but access() for VMS demands a
	       filename.  In any case, stat(), below, will catch the problem
	       if outdir is not a directory spec, and the fopen() or open()
	       will catch an error if there is no write access.

	       Presumably, this problem could also be solved by using the DEC
	       C routines to convert the directory syntax to Unixly, and give
	       that to access().  However, time's too short to do that just
	       now.
	    */
		if (access(outdir,R_OK|W_OK|X_OK) != 0)
			{
			BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
			perror(outdir);
			goto err;
			}

		if (stat(outdir,&sb) != 0)
			{
			BIO_printf(bio_err,"unable to stat(%s)\n",outdir);
			perror(outdir);
			goto err;
			}
#ifdef S_IFDIR
		if (!(sb.st_mode & S_IFDIR))
			{
			BIO_printf(bio_err,"%s need to be a directory\n",outdir);
			perror(outdir);
			goto err;
			}
#endif
#endif
		}

	/*****************************************************************/
	/* we need to load the database file */
	if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
		{
		lookup_fail(section,ENV_DATABASE);
		goto err;
		}
	db = load_index(dbfile, &db_attr);
	if (db == NULL) goto err;

	/* Lets check some fields */
	for (i=0; i<sk_num(db->db->data); i++)
		{
		pp=(const char **)sk_value(db->db->data,i);
		if ((pp[DB_type][0] != DB_TYPE_REV) &&
			(pp[DB_rev_date][0] != '\0'))
			{
			BIO_printf(bio_err,"entry %d: not revoked yet, but has a revocation date\n",i+1);
			goto err;
			}
		if ((pp[DB_type][0] == DB_TYPE_REV) &&
			!make_revoked(NULL, pp[DB_rev_date]))
			{
			BIO_printf(bio_err," in entry %d\n", i+1);
			goto err;
			}
		if (!check_time_format((char *)pp[DB_exp_date]))
			{
			BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
			goto err;
			}
		p=pp[DB_serial];
		j=strlen(p);
		if (*p == '-')
			{
			p++;
			j--;
			}
		if ((j&1) || (j < 2))
			{
			BIO_printf(bio_err,"entry %d: bad serial number length (%d)\n",i+1,j);
			goto err;
			}
		while (*p)
			{
			if (!(	((*p >= '0') && (*p <= '9')) ||
				((*p >= 'A') && (*p <= 'F')) ||
				((*p >= 'a') && (*p <= 'f')))  )
				{
				BIO_printf(bio_err,"entry %d: bad serial number characters, char pos %ld, char is '%c'\n",i+1,(long)(p-pp[DB_serial]),*p);
				goto err;
				}
			p++;
			}
		}
	if (verbose)
		{
		BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
#ifdef OPENSSL_SYS_VMS
		{
		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
		out = BIO_push(tmpbio, out);
		}
#endif
		TXT_DB_write(out,db->db);
		BIO_printf(bio_err,"%d entries loaded from the database\n",
			db->db->data->num);
		BIO_printf(bio_err,"generating index\n");
		}
	
	if (!index_index(db)) goto err;

	/*****************************************************************/
	/* Update the db file for expired certificates */
	if (doupdatedb)
		{
		if (verbose)
			BIO_printf(bio_err, "Updating %s ...\n",
							dbfile);

		i = do_updatedb(db);
		if (i == -1)
			{
			BIO_printf(bio_err,"Malloc failure\n");
			goto err;
			}
		else if (i == 0)
			{
			if (verbose) BIO_printf(bio_err,
					"No entries found to mark expired\n"); 
			}
	    	else
			{
			if (!save_index(dbfile,"new",db)) goto err;
				
			if (!rotate_index(dbfile,"new","old")) goto err;
				
			if (verbose) BIO_printf(bio_err,
				"Done. %d entries marked as expired\n",i); 
	      		}
	  	}

 	/*****************************************************************/
	/* Read extentions config file                                   */
	if (extfile)
		{
		extconf = NCONF_new(NULL);
		if (NCONF_load(extconf,extfile,&errorline) <= 0)
			{
			if (errorline <= 0)
				BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
					extfile);
			else
				BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
					errorline,extfile);
			ret = 1;
			goto err;
			}

		if (verbose)
			BIO_printf(bio_err, "Successfully loaded extensions file %s\n", extfile);

		/* We can have sections in the ext file */
		if (!extensions && !(extensions = NCONF_get_string(extconf, "default", "extensions")))
			extensions = "default";
		}

	/*****************************************************************/
	if (req || gencrl)
		{
		if (outfile != NULL)
			{
			if (BIO_write_filename(Sout,outfile) <= 0)
				{
				perror(outfile);
				goto err;
				}
			}
		else
			{
			BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
#ifdef OPENSSL_SYS_VMS
			{
			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
			Sout = BIO_push(tmpbio, Sout);
			}
#endif
			}
		}

	if ((md == NULL) && ((md=NCONF_get_string(conf,