diff options
Diffstat (limited to 'apps/lib/apps.c')
-rw-r--r-- | apps/lib/apps.c | 2618 |
1 files changed, 2618 insertions, 0 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c new file mode 100644 index 0000000000..5038817750 --- /dev/null +++ b/apps/lib/apps.c @@ -0,0 +1,2618 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +/* + * On VMS, you need to define this to get the declaration of fileno(). The + * value 2 is to make sure no function defined in POSIX-2 is left undefined. + */ +# define _POSIX_C_SOURCE 2 +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#ifndef OPENSSL_NO_POSIX_IO +# include <sys/stat.h> +# include <fcntl.h> +#endif +#include <ctype.h> +#include <errno.h> +#include <openssl/err.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/pem.h> +#include <openssl/pkcs12.h> +#include <openssl/ui.h> +#include <openssl/safestack.h> +#ifndef OPENSSL_NO_ENGINE +# include <openssl/engine.h> +#endif +#ifndef OPENSSL_NO_RSA +# include <openssl/rsa.h> +#endif +#include <openssl/bn.h> +#include <openssl/ssl.h> +#include "apps.h" + +#ifdef _WIN32 +static int WIN32_rename(const char *from, const char *to); +# define rename(from,to) WIN32_rename((from),(to)) +#endif + +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) +# include <conio.h> +#endif + +#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) +# define _kbhit kbhit +#endif + +#define PASS_SOURCE_SIZE_MAX 4 + +typedef struct { + const char *name; + unsigned long flag; + unsigned long mask; +} NAME_EX_TBL; + +static int set_table_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl); +static int set_multi_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl); + +int app_init(long mesgwin); + +int chopup_args(ARGS *arg, char *buf) +{ + int quoted; + char c = '\0', *p = NULL; + + arg->argc = 0; + if (arg->size == 0) { + arg->size = 20; + arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space"); + } + + for (p = buf;;) { + /* Skip whitespace. */ + while (*p && isspace(_UC(*p))) + p++; + if (!*p) + break; + + /* The start of something good :-) */ + if (arg->argc >= arg->size) { + char **tmp; + arg->size += 20; + tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size); + if (tmp == NULL) + return 0; + arg->argv = tmp; + } + quoted = *p == '\'' || *p == '"'; + if (quoted) + c = *p++; + arg->argv[arg->argc++] = p; + + /* now look for the end of this */ + if (quoted) { + while (*p && *p != c) + p++; + *p++ = '\0'; + } else { + while (*p && !isspace(_UC(*p))) + p++; + if (*p) + *p++ = '\0'; + } + } + arg->argv[arg->argc] = NULL; + return 1; +} + +#ifndef APP_INIT +int app_init(long mesgwin) +{ + return 1; +} +#endif + +int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath, int noCAfile, int noCApath) +{ + if (CAfile == NULL && CApath == NULL) { + if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0) + return 0; + if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0) + return 0; + + return 1; + } + return SSL_CTX_load_verify_locations(ctx, CAfile, CApath); +} + +#ifndef OPENSSL_NO_CT + +int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path) +{ + if (path == NULL) + return SSL_CTX_set_default_ctlog_list_file(ctx); + + return SSL_CTX_set_ctlog_list_file(ctx, path); +} + +#endif + +static unsigned long nmflag = 0; +static char nmflag_set = 0; + +int set_nameopt(const char *arg) +{ + int ret = set_name_ex(&nmflag, arg); + + if (ret) + nmflag_set = 1; + + return ret; +} + +unsigned long get_nameopt(void) +{ + return (nmflag_set) ? nmflag : XN_FLAG_ONELINE; +} + +int dump_cert_text(BIO *out, X509 *x) +{ + print_name(out, "subject=", X509_get_subject_name(x), get_nameopt()); + BIO_puts(out, "\n"); + print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); + BIO_puts(out, "\n"); + + return 0; +} + +int wrap_password_callback(char *buf, int bufsiz, int verify, void *userdata) +{ + return password_callback(buf, bufsiz, verify, (PW_CB_DATA *)userdata); +} + + +static char *app_get_pass(const char *arg, int keepbio); + +int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2) +{ + int same = arg1 != NULL && arg2 != NULL && strcmp(arg1, arg2) == 0; + + if (arg1 != NULL) { + *pass1 = app_get_pass(arg1, same); + if (*pass1 == NULL) + return 0; + } else if (pass1 != NULL) { + *pass1 = NULL; + } + if (arg2 != NULL) { + *pass2 = app_get_pass(arg2, same ? 2 : 0); + if (*pass2 == NULL) + return 0; + } else if (pass2 != NULL) { + *pass2 = NULL; + } + return 1; +} + +static char *app_get_pass(const char *arg, int keepbio) +{ + static BIO *pwdbio = NULL; + char *tmp, tpass[APP_PASS_LEN]; + int i; + + /* PASS_SOURCE_SIZE_MAX = max number of chars before ':' in below strings */ + if (strncmp(arg, "pass:", 5) == 0) + return OPENSSL_strdup(arg + 5); + if (strncmp(arg, "env:", 4) == 0) { + tmp = getenv(arg + 4); + if (tmp == NULL) { + BIO_printf(bio_err, "No environment variable %s\n", arg + 4); + return NULL; + } + return OPENSSL_strdup(tmp); + } + if (!keepbio || pwdbio == NULL) { + if (strncmp(arg, "file:", 5) == 0) { + pwdbio = BIO_new_file(arg + 5, "r"); + if (pwdbio == NULL) { + BIO_printf(bio_err, "Can't open file %s\n", arg + 5); + return NULL; + } +#if !defined(_WIN32) + /* + * Under _WIN32, which covers even Win64 and CE, file + * descriptors referenced by BIO_s_fd are not inherited + * by child process and therefore below is not an option. + * It could have been an option if bss_fd.c was operating + * on real Windows descriptors, such as those obtained + * with CreateFile. + */ + } else if (strncmp(arg, "fd:", 3) == 0) { + BIO *btmp; + i = atoi(arg + 3); + if (i >= 0) + pwdbio = BIO_new_fd(i, BIO_NOCLOSE); + if ((i < 0) || !pwdbio) { + BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3); + return NULL; + } + /* + * Can't do BIO_gets on an fd BIO so add a buffering BIO + */ + btmp = BIO_new(BIO_f_buffer()); + pwdbio = BIO_push(btmp, pwdbio); +#endif + } else if (strcmp(arg, "stdin") == 0) { + pwdbio = dup_bio_in(FORMAT_TEXT); + if (!pwdbio) { + BIO_printf(bio_err, "Can't open BIO for stdin\n"); + return NULL; + } + } else { + /* argument syntax error; do not reveal too much about arg */ + tmp = strchr(arg, ':'); + if (tmp == NULL || tmp - arg > PASS_SOURCE_SIZE_MAX) + BIO_printf(bio_err, + "Invalid password argument, missing ':' within the first %d chars\n", + PASS_SOURCE_SIZE_MAX + 1); + else + BIO_printf(bio_err, + "Invalid password argument, starting with \"%.*s\"\n", + (int)(tmp - arg + 1), arg); + return NULL; + } + } + i = BIO_gets(pwdbio, tpass, APP_PASS_LEN); + if (keepbio != 1) { + BIO_free_all(pwdbio); + pwdbio = NULL; + } + if (i <= 0) { + BIO_printf(bio_err, "Error reading password from BIO\n"); + return NULL; + } + tmp = strchr(tpass, '\n'); + if (tmp != NULL) + *tmp = 0; + return OPENSSL_strdup(tpass); +} + +CONF *app_load_config_bio(BIO *in, const char *filename) +{ + long errorline = -1; + CONF *conf; + int i; + + conf = NCONF_new(NULL); + i = NCONF_load_bio(conf, in, &errorline); + if (i > 0) + return conf; + + if (errorline <= 0) { + BIO_printf(bio_err, "%s: Can't load ", opt_getprog()); + } else { + BIO_printf(bio_err, "%s: Error on line %ld of ", opt_getprog(), + errorline); + } + if (filename != NULL) + BIO_printf(bio_err, "config file \"%s\"\n", filename); + else + BIO_printf(bio_err, "config input"); + + NCONF_free(conf); + return NULL; +} + +CONF *app_load_config(const char *filename) +{ + BIO *in; + CONF *conf; + + in = bio_open_default(filename, 'r', FORMAT_TEXT); + if (in == NULL) + return NULL; + + conf = app_load_config_bio(in, filename); + BIO_free(in); + return conf; +} + +CONF *app_load_config_quiet(const char *filename) +{ + BIO *in; + CONF *conf; + + in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); + if (in == NULL) + return NULL; + + conf = app_load_config_bio(in, filename); + BIO_free(in); + return conf; +} + +int app_load_modules(const CONF *config) +{ + CONF *to_free = NULL; + + if (config == NULL) + config = to_free = app_load_config_quiet(default_config_file); + if (config == NULL) + return 1; + + if (CONF_modules_load(config, NULL, 0) <= 0) { + BIO_printf(bio_err, "Error configuring OpenSSL modules\n"); + ERR_print_errors(bio_err); + NCONF_free(to_free); + return 0; + } + NCONF_free(to_free); + return 1; +} + +int add_oid_section(CONF *conf) +{ + char *p; + STACK_OF(CONF_VALUE) *sktmp; + CONF_VALUE *cnf; + int i; + + if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) { + ERR_clear_error(); + return 1; + } + if ((sktmp = NCONF_get_section(conf, p)) == NULL) { + BIO_printf(bio_err, "problem loading oid section %s\n", p); + return 0; + } + for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { + cnf = sk_CONF_VALUE_value(sktmp, i); + if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { + BIO_printf(bio_err, "problem creating object %s=%s\n", + cnf->name, cnf->value); + return 0; + } + } + return 1; +} + +static int load_pkcs12(BIO *in, const char *desc, + pem_password_cb *pem_cb, PW_CB_DATA *cb_data, + EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) +{ + const char *pass; + char tpass[PEM_BUFSIZE]; + int len, ret = 0; + PKCS12 *p12; + p12 = d2i_PKCS12_bio(in, NULL); + if (p12 == NULL) { + BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); + goto die; + } + /* See if an empty password will do */ + if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) { + pass = ""; + } else { + if (!pem_cb) + pem_cb = (pem_password_cb *)password_callback; + len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); + if (len < 0) { + BIO_printf(bio_err, "Passphrase callback error for %s\n", desc); + goto die; + } + if (len < PEM_BUFSIZE) + tpass[len] = 0; + if (!PKCS12_verify_mac(p12, tpass, len)) { + BIO_printf(bio_err, + "Mac verify error (wrong password?) in PKCS12 file for %s\n", + desc); + goto die; + } + pass = tpass; + } + ret = PKCS12_parse(p12, pass, pkey, cert, ca); + die: + PKCS12_free(p12); + return ret; +} + +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) +static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl) +{ + char *host = NULL, *port = NULL, *path = NULL; + BIO *bio = NULL; + OCSP_REQ_CTX *rctx = NULL; + int use_ssl, rv = 0; + if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) + goto err; + if (use_ssl) { + BIO_puts(bio_err, "https not supported\n"); + goto err; + } + bio = BIO_new_connect(host); + if (!bio || !BIO_set_conn_port(bio, port)) + goto err; + rctx = OCSP_REQ_CTX_new(bio, 1024); + if (rctx == NULL) + goto err; + if (!OCSP_REQ_CTX_http(rctx, "GET", path)) + goto err; + if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host)) + goto err; + if (pcert) { + do { + rv = X509_http_nbio(rctx, pcert); + } while (rv == -1); + } else { + do { + rv = X509_CRL_http_nbio(rctx, pcrl); + } while (rv == -1); + } + + err: + OPENSSL_free(host); + OPENSSL_free(path); + OPENSSL_free(port); + BIO_free_all(bio); + OCSP_REQ_CTX_free(rctx); + if (rv != 1) { + BIO_printf(bio_err, "Error loading %s from %s\n", + pcert ? "certificate" : "CRL", url); + ERR_print_errors(bio_err); + } + return rv; +} +#endif + +X509 *load_cert(const char *file, int format, const char *cert_descrip) +{ + X509 *x = NULL; + BIO *cert; + + if (format == FORMAT_HTTP) { +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) + load_cert_crl_http(file, &x, NULL); +#endif + return x; + } + + if (file == NULL) { + unbuffer(stdin); + cert = dup_bio_in(format); + } else { + cert = bio_open_default(file, 'r', format); + } + if (cert == NULL) + goto end; + + if (format == FORMAT_ASN1) { + x = d2i_X509_bio(cert, NULL); + } else if (format == FORMAT_PEM) { + x = PEM_read_bio_X509_AUX(cert, NULL, + (pem_password_cb *)password_callback, NULL); + } else if (format == FORMAT_PKCS12) { + if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) + goto end; + } else { + BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip); + goto end; + } + end: + if (x == NULL) { + BIO_printf(bio_err, "unable to load certificate\n"); + ERR_print_errors(bio_err); + } + BIO_free(cert); + return x; +} + +X509_CRL *load_crl(const char *infile, int format) +{ + X509_CRL *x = NULL; + BIO *in = NULL; + + if (format == FORMAT_HTTP) { +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) + load_cert_crl_http(infile, NULL, &x); +#endif + return x; + } + + in = bio_open_default(infile, 'r', format); + if (in == NULL) + goto end; + if (format == FORMAT_ASN1) { + x = d2i_X509_CRL_bio(in, NULL); + } else if (format == FORMAT_PEM) { + x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + } else { + BIO_printf(bio_err, "bad input format specified for input crl\n"); + goto end; + } + if (x == NULL) { + BIO_printf(bio_err, "unable to load CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + + end: + BIO_free(in); + return x; +} + +EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip) +{ + BIO *key = NULL; + EVP_PKEY *pkey = NULL; + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { + BIO_printf(bio_err, "no keyfile specified\n"); + goto end; + } + if (format == FORMAT_ENGINE) { + if (e == NULL) { + BIO_printf(bio_err, "no engine specified\n"); + } else { +#ifndef OPENSSL_NO_ENGINE + if (ENGINE_init(e)) { + pkey = ENGINE_load_private_key(e, file, + (UI_METHOD *)get_ui_method(), + &cb_data); + ENGINE_finish(e); + } + if (pkey == NULL) { + BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + ERR_print_errors(bio_err); + } +#else + BIO_printf(bio_err, "engines not supported\n"); +#endif + } + goto end; + } + if (file == NULL && maybe_stdin) { + unbuffer(stdin); + key = dup_bio_in(format); + } else { + key = bio_open_default(file, 'r', format); + } + if (key == NULL) + goto end; + if (format == FORMAT_ASN1) { + pkey = d2i_PrivateKey_bio(key, NULL); + } else if (format == FORMAT_PEM) { + pkey = PEM_read_bio_PrivateKey(key, NULL, wrap_password_callback, &cb_data); + } else if (format == FORMAT_PKCS12) { + if (!load_pkcs12(key, key_descrip, wrap_password_callback, &cb_data, + &pkey, NULL, NULL)) + goto end; +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) + } else if (format == FORMAT_MSBLOB) { + pkey = b2i_PrivateKey_bio(key); + } else if (format == FORMAT_PVK) { + pkey = b2i_PVK_bio(key, wrap_password_callback, &cb_data); +#endif + } else { + BIO_printf(bio_err, "bad input format specified for key file\n"); + goto end; + } + end: + BIO_free(key); + if (pkey == NULL) { + BIO_printf(bio_err, "unable to load %s\n", key_descrip); + ERR_print_errors(bio_err); + } + return pkey; +} + +EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip) +{ + BIO *key = NULL; + EVP_PKEY *pkey = NULL; + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { + BIO_printf(bio_err, "no keyfile specified\n"); + goto end; + } + if (format == FORMAT_ENGINE) { + if (e == NULL) { + BIO_printf(bio_err, "no engine specified\n"); + } else { +#ifndef OPENSSL_NO_ENGINE + pkey = ENGINE_load_public_key(e, file, (UI_METHOD *)get_ui_method(), + &cb_data); + if (pkey == NULL) { + BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + ERR_print_errors(bio_err); + } +#else + BIO_printf(bio_err, "engines not supported\n"); +#endif + } + goto end; + } + if (file == NULL && maybe_stdin) { + unbuffer(stdin); + key = dup_bio_in(format); + } else { + key = bio_open_default(file, 'r', format); + } + if (key == NULL) + goto end; + if (format == FORMAT_ASN1) { + pkey = d2i_PUBKEY_bio(key, NULL); + } else if (format == FORMAT_ASN1RSA) { +#ifndef OPENSSL_NO_RSA + RSA *rsa; + rsa = d2i_RSAPublicKey_bio(key, NULL); + if (rsa) { + pkey = EVP_PKEY_new(); + if (pkey != NULL) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } else +#else + BIO_printf(bio_err, "RSA keys not supported\n"); +#endif + pkey = NULL; + } else if (format == FORMAT_PEMRSA) { +#ifndef OPENSSL_NO_RSA + RSA *rsa; + rsa = PEM_read_bio_RSAPublicKey(key, NULL, + (pem_password_cb *)password_callback, + &cb_data); + if (rsa != NULL) { + pkey = EVP_PKEY_new(); + if (pkey != NULL) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } else +#else + BIO_printf(bio_err, "RSA keys not supported\n"); +#endif + pkey = NULL; + } else if (format == FORMAT_PEM) { + pkey = PEM_read_bio_PUBKEY(key, NULL, + (pem_password_cb *)password_callback, + &cb_data); +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + } else if (format == FORMAT_MSBLOB) { + pkey = b2i_PublicKey_bio(key); +#endif + } + end: + BIO_free(key); + if (pkey == NULL) + BIO_printf(bio_err, "unable to load %s\n", key_descrip); + return pkey; +} + +static int load_certs_crls(const char *file, int format, + const char *pass, const char *desc, + STACK_OF(X509) **pcerts, + STACK_OF(X509_CRL) **pcrls) +{ + int i; + BIO *bio; + STACK_OF(X509_INFO) *xis = NULL; + X509_INFO *xi; + PW_CB_DATA cb_data; + int rv = 0; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (format != FORMAT_PEM) { + BIO_printf(bio_err, "bad input format specified for %s\n", desc); + return 0; + } + + bio = bio_open_default(file, 'r', FORMAT_PEM); + if (bio == NULL) + return 0; + + xis = PEM_X509_INFO_read_bio(bio, NULL, + (pem_password_cb *)password_callback, + &cb_data); + + BIO_free(bio); + + if (pcerts != NULL && *pcerts == NULL) { + *pcerts = sk_X509_new_null(); + if (*pcerts == NULL) + goto end; + } + + if (pcrls != NULL && *pcrls == NULL) { + *pcrls = sk_X509_CRL_new_null(); + if (*pcrls == NULL) + goto end; + } + + for (i = 0; i < sk_X509_INFO_num(xis); i++) { + xi = sk_X509_INFO_value(xis, i); + if (xi->x509 != NULL && pcerts != NULL) { + if (!sk_X509_push(*pcerts, xi->x509)) + goto end; + xi->x509 = NULL; + } + if (xi->crl != NULL && pcrls != NULL) { + if (!sk_X509_CRL_push(*pcrls, xi->crl)) + goto end; + xi->crl = NULL; + } + } + + if (pcerts != NULL && sk_X509_num(*pcerts) > 0) + rv = 1; + + if (pcrls != NULL && sk_X509_CRL_num(*pcrls) > 0) + rv = 1; + + end: + + sk_X509_INFO_pop_free(xis, X509_INFO_free); + + if (rv == 0) { + if (pcerts != NULL) { + sk_X509_pop_free(*pcerts, X509_free); + *pcerts = NULL; + } + if (pcrls != NULL) { + sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); + *pcrls = NULL; + } + BIO_printf(bio_err, "unable to load %s\n", + pcerts ? "certificates" : "CRLs"); + ERR_print_errors(bio_err); + } + return rv; +} + +void* app_malloc(int sz, const char *what) +{ + void *vp = OPENSSL_malloc(sz); + + if (vp == NULL) { + BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n", + opt_getprog(), sz, what); + ERR_print_errors(bio_err); + exit(1); + } + return vp; +} + +/* + * Initialize or extend, if *certs != NULL, a certificate stack. + */ +int load_certs(const char *file, STACK_OF(X509) **certs, int format, + const char *pass, const char *desc) +{ + return load_certs_crls(file, format, pass, desc, certs, NULL); +} + +/* + * Initialize or extend, if *crls != NULL, a certificate stack. + */ +int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, + const char *pass, const char *desc) +{ + return load_certs_crls(file, format, pass, desc, NULL, crls); +} + +#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) +/* Return error for unknown extensions */ +#define X509V3_EXT_DEFAULT 0 +/* Print error for unknown extensions */ +#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) +/* ASN1 parse unknown extensions */ +#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) +/* BIO_dump unknown extensions */ +#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) + +#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \ + X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION) + +int set_cert_ex(unsigned long *flags, const char *arg) +{ + static const NAME_EX_TBL cert_tbl[] = { + {"compatible", X509_FLAG_COMPAT, 0xffffffffl}, + {"ca_default", X509_FLAG_CA, 0xffffffffl}, + {"no_header", X509_FLAG_NO_HEADER, 0}, + {"no_version", X509_FLAG_NO_VERSION, 0}, + {"no_serial", X509_FLAG_NO_SERIAL, 0}, + {"no_signame", X509_FLAG_NO_SIGNAME, 0}, + {"no_validity", X509_FLAG_NO_VALIDITY, 0}, + {"no_subject", X509_FLAG_NO_SUBJECT, 0}, + {"no_issuer", X509_FLAG_NO_ISSUER, 0}, + {"no_pubkey", X509_FLAG_NO_PUBKEY, 0}, + {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0}, + {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0}, + {"no_aux", X509_FLAG_NO_AUX, 0}, + {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0}, + {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK}, + {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {NULL, 0, 0} + }; + return set_multi_opts(flags, arg, cert_tbl); +} + +int set_name_ex(unsigned long *flags, const char *arg) +{ + static const NAME_EX_TBL ex_tbl[] = { + {"esc_2253", ASN1_STRFLGS_ESC_2253, 0}, + {"esc_2254", ASN1_STRFLGS_ESC_2254, 0}, + {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0}, + {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0}, + {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0}, + {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0}, + {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0}, + {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0}, + {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0}, + {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0}, + {"dump_der", ASN1_STRFLGS_DUMP_DER, 0}, + {"compat", XN_FLAG_COMPAT, 0xffffffffL}, + {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK}, + {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK}, + {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK}, + {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK}, + {"dn_rev", XN_FLAG_DN_REV, 0}, + {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, + {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, + {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, + {"align", XN_FLAG_FN_ALIGN, 0}, + {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, + {"space_eq", XN_FLAG_SPC_EQ, 0}, + {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, + {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL}, + {"oneline", XN_FLAG_ONELINE, 0xffffffffL}, + {"multiline", XN_FLAG_MULTILINE, 0xffffffffL}, + {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, + {NULL, 0, 0} + }; + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if (*flags != XN_FLAG_COMPAT + && (*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; +} + +int set_ext_copy(int *copy_type, const char *arg) +{ + if (strcasecmp(arg, "none") == 0) + *copy_type = EXT_COPY_NONE; + else if (strcasecmp(arg, "copy") == 0) + *copy_type = EXT_COPY_ADD; + else if (strcasecmp(arg, "copyall") == 0) + *copy_type = EXT_COPY_ALL; + else + return 0; + return 1; +} + +int copy_extensions(X509 *x, X509_REQ *req, int copy_type) +{ + STACK_OF(X509_EXTENSION) *exts = NULL; + X509_EXTENSION *ext, *tmpext; + ASN1_OBJECT *obj; + int i, idx, ret = 0; + if (!x || !req || (copy_type == EXT_COPY_NONE)) + return 1; + exts = X509_REQ_get_extensions(req); + + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { + ext = sk_X509_EXTENSION_value(exts, i); + obj = X509_EXTENSION_get_object(ext); + idx = X509_get_ext_by_OBJ(x, obj, -1); + /* Does extension exist? */ + if (idx != -1) { + /* If normal copy don't override existing extension */ + if (copy_type == EXT_COPY_ADD) + continue; + /* Delete all extensions of same type */ + do { + tmpext = X509_get_ext(x, idx); + X509_delete_ext(x, idx); + X509_EXTENSION_free(tmpext); + idx = X509_get_ext_by_OBJ(x, obj, -1); + } while (idx != -1); + } + if (!X509_add_ext(x, ext, -1)) + goto end; + } + + ret = 1; + + end: + + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + + return ret; +} + +static int set_multi_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl) +{ + STACK_OF(CONF_VALUE) *vals; + CONF_VALUE *val; + int i, ret = 1; + if (!arg) + return 0; + vals = X509V3_parse_list(arg); + for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { + val = sk_CONF_VALUE_value(vals, i); + if (!set_table_opts(flags, val->name, in_tbl)) + ret = 0; + } + sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); + return ret; +} + +static int set_table_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl) +{ + char c; + const NAME_EX_TBL *ptbl; + c = arg[0]; + + if (c == '-') { + c = 0; + arg++; + } else if (c == '+') { + c = 1; + arg++; + } else { + c = 1; + } + + for (ptbl = in_tbl; ptbl->name; ptbl++) { + if (strcasecmp(arg, ptbl->name) == 0) { + *flags &= ~ptbl->mask; + if (c) + *flags |= ptbl->flag; + else + *flags &= ~ptbl->flag; + return 1; + } + } + return 0; +} + +void print_name(BIO *out, const char *title, X509_NAME *nm, + unsigned long lflags) +{ + char *buf; + char mline = 0; + int indent = 0; + + if (title) + BIO_puts(out, title); + if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { + mline = 1; + indent = 4; + } + if (lflags == XN_FLAG_COMPAT) { + buf = X509_NAME_oneline(nm, 0, 0); + BIO_puts(out, buf); + BIO_puts(out, "\n"); + OPENSSL_free(buf); + } else { + if (mline) + BIO_puts(out, "\n"); + X509_NAME_print_ex(out, nm, indent, lflags); + BIO_puts(out, "\n"); + } +} + +void print_bignum_var(BIO *out, const BIGNUM *in, const char *var, + int len, unsigned char *buffer) +{ + BIO_printf(out, " static unsigned char %s_%d[] = {", var, len); + if (BN_is_zero(in)) { + BIO_printf(out, "\n 0x00"); + } else { + int i, l; + + l = BN_bn2bin(in, buffer); + for (i = 0; i < l; i++) { + BIO_printf(out, (i % 10) == 0 ? "\n " : " "); + if (i < l - 1) + BIO_printf(out, "0x%02X,", buffer[i]); + else + BIO_printf(out, "0x%02X", buffer[i]); + } + } + BIO_printf(out, "\n };\n"); +} + +void print_array(BIO *out, const char* title, int len, const unsigned char* d) +{ + int i; + + BIO_printf(out, "unsigned char %s[%d] = {", title, len); + for (i = 0; i < len; i++) { + if ((i % 10) == 0) + BIO_printf(out, "\n "); + if (i < len - 1) + BIO_printf(out, "0x%02X, ", d[i]); + else + BIO_printf(out, "0x%02X", d[i]); + } + BIO_printf(out, "\n};\n"); +} + +X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath) +{ + X509_STORE *store = X509_STORE_new(); + X509_LOOKUP *lookup; + + if (store == NULL) + goto end; + + if (CAfile != NULL || !noCAfile) { + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto end; + if (CAfile) { + if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading file %s\n", CAfile); + goto end; + } + } else { + X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); + } + } + + if (CApath != NULL || !noCApath) { + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); + if (lookup == NULL) + goto end; + if (CApath) { + if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading directory %s\n", CApath); + goto end; + } + } else { + X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); + } + } + + ERR_clear_error(); + return store; + |