Socket-Class


xs/sc_ssl/openssl/source/apps/ca.c  view on Meta::CPAN


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/conf.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/txt_db.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>

#ifndef W_OK
#  ifdef OPENSSL_SYS_VMS
#    if defined(__DECC)
#      include <unistd.h>
#    else
#      include <unixlib.h>
#    endif
#  elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM)
#    include <sys/file.h>
#  endif
#endif

#include "apps.h"

#ifndef W_OK
#  define F_OK 0
#  define X_OK 1
#  define W_OK 2
#  define R_OK 4
#endif

/* PROG is redefined for this tool. NOTE(review): presumably apps.h uses it
 * to name the command's entry point (ca_main) -- confirm against apps.h. */
#undef PROG
#define PROG ca_main

/* Section name passed to NCONF_get_string() when reading the "preserve"
 * and "msie_hack" settings. */
#define BASE_SECTION	"ca"
/* NOTE(review): presumably the default configuration file name; its use is
 * not visible in this excerpt. */
#define CONFIG_FILE "openssl.cnf"

/* NOTE(review): presumably the key in BASE_SECTION that selects which CA
 * section to use when none is named explicitly -- confirm in ca_main. */
#define ENV_DEFAULT_CA		"default_ca"

#define STRING_MASK	"string_mask"
#define UTF8_IN			"utf8"

/*
 * Configuration key names. The visible code looks these up with
 * NCONF_get_string(conf, section, KEY); keys whose lookup is not shown in
 * this excerpt are assumed to be read the same way.
 *
 * Keys a reviewer should pay attention to:
 *  - ENV_PRIVATE_KEY / ENV_CERTIFICATE name the files holding the CA signing
 *    key and CA certificate; the key file is loaded with load_key() and
 *    matched against the certificate with X509_check_private_key().
 *  - ENV_DATABASE names the index file loaded with load_index(); it is the
 *    record consulted by get_certificate_status(). Access to these files
 *    should be limited to the CA operator.
 *  - ENV_DEFAULT_MD selects the signing digest. The usage text in this file
 *    lists md2, md5, sha and sha1, none of which is collision-resistant by
 *    current standards; prefer a stronger digest if the build offers one.
 *  - ENV_EXTCOPY ("copy_extensions") is parsed with set_ext_copy(). The
 *    OpenSSL ca documentation warns that copying request extensions without
 *    review lets a request supply values such as basicConstraints itself.
 */
#define ENV_DIR			"dir"
#define ENV_CERTS		"certs"
#define ENV_CRL_DIR		"crl_dir"
#define ENV_CA_DB		"CA_DB"
#define ENV_NEW_CERTS_DIR	"new_certs_dir"
#define ENV_CERTIFICATE 	"certificate"
#define ENV_SERIAL		"serial"
#define ENV_CRLNUMBER		"crlnumber"
#define ENV_CRL			"crl"
#define ENV_PRIVATE_KEY		"private_key"
#define ENV_RANDFILE		"RANDFILE"
#define ENV_DEFAULT_DAYS 	"default_days"
#define ENV_DEFAULT_STARTDATE 	"default_startdate"
#define ENV_DEFAULT_ENDDATE 	"default_enddate"
#define ENV_DEFAULT_CRL_DAYS 	"default_crl_days"
#define ENV_DEFAULT_CRL_HOURS 	"default_crl_hours"
#define ENV_DEFAULT_MD		"default_md"
#define ENV_DEFAULT_EMAIL_DN	"email_in_dn"
#define ENV_PRESERVE		"preserve"
#define ENV_POLICY      	"policy"
#define ENV_EXTENSIONS      	"x509_extensions"
#define ENV_CRLEXT      	"crl_extensions"
#define ENV_MSIE_HACK		"msie_hack"
#define ENV_NAMEOPT		"name_opt"
#define ENV_CERTOPT		"cert_opt"
#define ENV_EXTCOPY		"copy_extensions"
#define ENV_UNIQUE_SUBJECT	"unique_subject"

/* Key naming the certificate index file; a missing value is reported via
 * lookup_fail() and aborts the run. */
#define ENV_DATABASE		"database"

/* Additional revocation information types.
 * Each constant says how the value accompanying a revocation is to be
 * interpreted (see the per-constant comments). */

#define REV_NONE		0	/* No additional information */
#define REV_CRL_REASON		1	/* Value is CRL reason code */
#define REV_HOLD		2	/* Value is hold instruction */
#define REV_KEY_COMPROMISE	3	/* Value is cert key compromise time */
#define REV_CA_COMPROMISE	4	/* Value is CA key compromise time */

static const char *ca_usage[]={
"usage: ca args\n",
"\n",
" -verbose        - Talk alot while doing things\n",
" -config file    - A config file\n",
" -name arg       - The particular CA definition to use\n",
" -gencrl         - Generate a new CRL\n",
" -crldays days   - Days is when the next CRL is due\n",
" -crlhours hours - Hours is when the next CRL is due\n",
" -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
" -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
" -days arg       - number of days to certify the certificate for\n",
" -md arg         - md to use, one of md2, md5, sha or sha1\n",
" -policy arg     - The CA 'policy' to support\n",
" -keyfile arg    - private key file\n",
" -keyform arg    - private key file format (PEM or ENGINE)\n",
" -key arg        - key to decode the private key if it is encrypted\n",
" -cert file      - The CA certificate\n",
" -selfsign       - sign a certificate with the key associated with it\n",
" -in file        - The input PEM encoded certificate request(s)\n",
" -out file       - Where to put the output file(s)\n",
" -outdir dir     - Where to put output certificates\n",
" -infiles ....   - The last argument, requests to process\n",
" -spkac file     - File contains DN and signed public key and challenge\n",
" -ss_cert file   - File contains a self signed cert to sign\n",
" -preserveDN     - Don't re-order the DN\n",
" -noemailDN      - Don't add the EMAIL field into certificate' subject\n",
" -batch          - Don't ask questions\n",
" -msie_hack      - msie modifications to handle all those universal strings\n",
" -revoke file    - Revoke a certificate (given in file)\n",
" -subj arg       - Use arg instead of request's subject\n",
" -utf8           - input characters are UTF8 (default ASCII)\n",

xs/sc_ssl/openssl/source/apps/ca.c  view on Meta::CPAN

	{
		if ((dbfile=NCONF_get_string(conf,section,ENV_DATABASE)) == NULL)
			{
			lookup_fail(section,ENV_DATABASE);
			goto err;
			}
		db = load_index(dbfile,&db_attr);
		if (db == NULL) goto err;

		if (!index_index(db)) goto err;

		if (get_certificate_status(ser_status,db) != 1)
			BIO_printf(bio_err,"Error verifying serial %s!\n",
				 ser_status);
		goto err;
	}

	/*****************************************************************/
	/* we definitely need a private key, so let's get it */

	if ((keyfile == NULL) && ((keyfile=NCONF_get_string(conf,
		section,ENV_PRIVATE_KEY)) == NULL))
		{
		lookup_fail(section,ENV_PRIVATE_KEY);
		goto err;
		}
	if (!key)
		{
		free_key = 1;
		if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
			{
			BIO_printf(bio_err,"Error getting password\n");
			goto err;
			}
		}
	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, 
		"CA private key");
	if (key) OPENSSL_cleanse(key,strlen(key));
	if (pkey == NULL)
		{
		/* load_key() has already printed an appropriate message */
		goto err;
		}

	/*****************************************************************/
	/* we need a certificate */
	if (!selfsign || spkac_file || ss_cert_file || gencrl)
		{
		if ((certfile == NULL)
			&& ((certfile=NCONF_get_string(conf,
				     section,ENV_CERTIFICATE)) == NULL))
			{
			lookup_fail(section,ENV_CERTIFICATE);
			goto err;
			}
		x509=load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
			"CA certificate");
		if (x509 == NULL)
			goto err;

		if (!X509_check_private_key(x509,pkey))
			{
			BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
			goto err;
			}
		}
	if (!selfsign) x509p = x509;

	f=NCONF_get_string(conf,BASE_SECTION,ENV_PRESERVE);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		preserve=1;
	f=NCONF_get_string(conf,BASE_SECTION,ENV_MSIE_HACK);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		msie_hack=1;

	f=NCONF_get_string(conf,section,ENV_NAMEOPT);

	if (f)
		{
		if (!set_name_ex(&nameopt, f))
			{
			BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
			goto err;
			}
		default_op = 0;
		}
	else
		ERR_clear_error();

	f=NCONF_get_string(conf,section,ENV_CERTOPT);

	if (f)
		{
		if (!set_cert_ex(&certopt, f))
			{
			BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
			goto err;
			}
		default_op = 0;
		}
	else
		ERR_clear_error();

	f=NCONF_get_string(conf,section,ENV_EXTCOPY);

	if (f)
		{
		if (!set_ext_copy(&ext_copy, f))
			{
			BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
			goto err;
			}
		}
	else
		ERR_clear_error();

	/*****************************************************************/

xs/sc_ssl/openssl/source/apps/ca.c  view on Meta::CPAN

		OPENSSL_free(tofree);
	BIO_free_all(Cout);
	BIO_free_all(Sout);
	BIO_free_all(out);
	BIO_free_all(in);

	if (cert_sk)
		sk_X509_pop_free(cert_sk,X509_free);

	if (ret) ERR_print_errors(bio_err);
	app_RAND_write_file(randfile, bio_err);
	if (free_key && key)
		OPENSSL_free(key);
	BN_free(serial);
	free_index(db);
	EVP_PKEY_free(pkey);
	if (x509) X509_free(x509);
	X509_CRL_free(crl);
	NCONF_free(conf);
	NCONF_free(extconf);
	OBJ_cleanup();
	apps_shutdown();
	OPENSSL_EXIT(ret);
	}

/*
 * Report on bio_err that configuration key `tag` could not be found in
 * section `name`. This only prints the message; the callers visible in this
 * file follow it with `goto err`.
 */
static void lookup_fail(const char *name, const char *tag)
	{
	BIO_printf(bio_err,
		"variable lookup failed for %s::%s\n",
		name, tag);
	}

/*
 * Read one PEM certificate request from `infile`, check its self-signature
 * and hand it to do_body() for the actual certificate construction.
 *
 * Returns -1 when the file cannot be opened/parsed or the request's public
 * key cannot be extracted, 0 when a key or signature check fails, and
 * otherwise whatever do_body() returns. All remaining parameters are passed
 * through to do_body() unchanged.
 *
 * Review note: the request signature is verified with the public key taken
 * from the request itself. That shows the requester holds the matching
 * private key; it does not establish who the requester is. Any identity or
 * policy decision has to come from elsewhere (presumably do_body() and the
 * operator's confirmation -- not visible here).
 */
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
	     BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
	     unsigned long certopt, unsigned long nameopt, int default_op,
	     int ext_copy, int selfsign)
	{
	BIO *csr_bio=NULL;
	X509_REQ *csr=NULL;
	EVP_PKEY *csr_key=NULL;
	int verify_rc;
	int ok= -1;

	/* NOTE(review): the BIO_new() result is not checked here; a NULL BIO
	 * is expected to make BIO_read_filename() fail, so the error path is
	 * still taken, but the message would name the file -- confirm. */
	csr_bio=BIO_new(BIO_s_file());
	if (BIO_read_filename(csr_bio,infile) <= 0)
		{
		perror(infile);
		goto done;
		}

	csr=PEM_read_bio_X509_REQ(csr_bio,NULL,NULL,NULL);
	if (csr == NULL)
		{
		BIO_printf(bio_err,"Error reading certificate request in %s\n",
			infile);
		goto done;
		}

	if (verbose)
		X509_REQ_print(bio_err,csr);

	BIO_printf(bio_err,"Check that the request matches the signature\n");

	/* For a self-signed certificate the request must carry the public
	 * half of the key that is about to sign it. */
	if (selfsign)
		{
		if (!X509_REQ_check_private_key(csr,pkey))
			{
			BIO_printf(bio_err,"Certificate request and CA private key do not match\n");
			ok=0;
			goto done;
			}
		}

	csr_key=X509_REQ_get_pubkey(csr);
	if (csr_key == NULL)
		{
		BIO_printf(bio_err,"error unpacking public key\n");
		goto done;
		}

	verify_rc=X509_REQ_verify(csr,csr_key);
	EVP_PKEY_free(csr_key);

	/* Only a positive result counts as a valid signature: a negative
	 * value is a verification error and zero is a mismatch, and both
	 * must stop processing. */
	if (verify_rc <= 0)
		{
		ok=0;
		if (verify_rc < 0)
			BIO_printf(bio_err,"Signature verification problems....\n");
		else
			BIO_printf(bio_err,"Signature did not match the certificate request\n");
		goto done;
		}
	BIO_printf(bio_err,"Signature ok\n");

	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
		startdate,enddate,days,batch,verbose,csr,ext_sect,lconf,
		certopt, nameopt, default_op, ext_copy, selfsign);

done:
	/* Single exit point: release the request and the file BIO on every path. */
	if (csr) X509_REQ_free(csr);
	if (csr_bio) BIO_free(csr_bio);
	return ok;
	}

static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
	     BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
	     unsigned long certopt, unsigned long nameopt, int default_op,
	     int ext_copy, ENGINE *e)
	{
	X509 *req=NULL;
	X509_REQ *rreq=NULL;
	EVP_PKEY *pktmp=NULL;
	int ok= -1,i;

	if ((req=load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL)
		goto err;
	if (verbose)
		X509_print(bio_err,req);

	BIO_printf(bio_err,"Check that the request matches the signature\n");

	if ((pktmp=X509_get_pubkey(req)) == NULL)
		{
		BIO_printf(bio_err,"error unpacking public key\n");
		goto err;


