2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
32 #define UNSET_DAYS      -2 /* -1 is used for testing expiration checks */
33 #define EXT_COPY_UNSET     -1
61     {"help", OPT_HELP, '-', "Display this summary"},
64      "Certificate input, or CSR input file with -req (default stdin)"},
65     {"passin", OPT_PASSIN, 's', "Private key and cert file pass-phrase source"},
66     {"new", OPT_NEW, '-', "Generate a certificate from scratch"},
67     {"x509toreq", OPT_X509TOREQ, '-',
68      "Output a certification request (rather than a certificate)"},
69     {"req", OPT_REQ, '-', "Input is a CSR file (rather than a certificate)"},
73      "CSR input file format (DER or PEM) - default PEM"},
76      "Key for signing, and to include unless using -force_pubkey"},
78      "Same as -key"},
81     {"out", OPT_OUT, '>', "Output file - default stdout"},
83      "Output format (DER or PEM) - default PEM"},
84     {"nocert", OPT_NOCERT, '-',
85      "No cert output (except for requested printing)"},
86     {"noout", OPT_NOOUT, '-', "No output (except for requested printing)"},
88     OPT_SECTION("Certificate printing"),
89     {"text", OPT_TEXT, '-', "Print the certificate in text form"},
91     {"certopt", OPT_CERTOPT, 's', "Various certificate text printing options"},
92     {"fingerprint", OPT_FINGERPRINT, '-', "Print the certificate fingerprint"},
93     {"alias", OPT_ALIAS, '-', "Print certificate alias"},
94     {"serial", OPT_SERIAL, '-', "Print serial number value"},
95     {"startdate", OPT_STARTDATE, '-', "Print the notBefore field"},
96     {"enddate", OPT_ENDDATE, '-', "Print the notAfter field"},
97     {"dates", OPT_DATES, '-', "Print both notBefore and notAfter fields"},
98     {"subject", OPT_SUBJECT, '-', "Print subject DN"},
99     {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
101      "Certificate subject/issuer name printing options"},
102     {"email", OPT_EMAIL, '-', "Print email address(es)"},
103     {"hash", OPT_HASH, '-', "Synonym for -subject_hash (for backward compat)"},
104     {"subject_hash", OPT_HASH, '-', "Print subject hash value"},
106     {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
107      "Print old-style (MD5) subject hash value"},
109     {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"},
111     {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
112      "Print old-style (MD5) issuer hash value"},
116     {"ocspid", OPT_OCSPID, '-',
118     {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"},
119     {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"},
120     {"pubkey", OPT_PUBKEY, '-', "Print the public key in PEM format"},
121     {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
123     OPT_SECTION("Certificate checking"),
125      "Check whether cert expires in the next arg seconds"},
127     {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"},
128     {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
129     {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
131     OPT_SECTION("Certificate output"),
133      "Serial number to use, overrides -CAserial"},
134     {"next_serial", OPT_NEXT_SERIAL, '-',
135      "Increment current certificate serial number"},
137      "Number of days until newly generated certificate expires - default 30"},
138     {"preserve_dates", OPT_PRESERVE_DATES, '-',
140     {"subj", OPT_SUBJ, 's', "Set or override certificate subject (and issuer)"},
142      "Place the given key in new certificate"},
143     {"clrext", OPT_CLREXT, '-',
144      "Do not take over any extensions from the source certificate or request"},
147      "Section of extfile to use - default: unnamed section"},
149     {"badsig", OPT_BADSIG, '-',
150      "Corrupt last byte of certificate signature (for test)"},
151     {"", OPT_MD, '-', "Any supported digest, used for signing and printing"},
153     OPT_SECTION("Micro-CA"),
155      "Use the given CA certificate, conflicts with -key"},
156     {"CAform", OPT_CAFORM, 'F', "CA cert format (PEM/DER/P12); has no effect"},
157     {"CAkey", OPT_CAKEY, 's', "The corresponding CA key; default is -CA arg"},
161      "File that keeps track of CA-generated serial number"},
162     {"CAcreateserial", OPT_CACREATESERIAL, '-',
165     OPT_SECTION("Certificate trust output"),
166     {"trustout", OPT_TRUSTOUT, '-', "Mark certificate PEM output as trusted"},
167     {"setalias", OPT_SETALIAS, 's', "Set certificate alias (nickname)"},
168     {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"},
169     {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"},
170     {"clrreject", OPT_CLRREJECT, '-',
171      "Clears all the prohibited or rejected uses of the certificate"},
173      "Reject certificate for a given purpose"},
189                    "Warning: -ext should not specify copying %s extension to CSR; ignoring this\n",  in warn_copying()
206      * Filter out SKID and AKID extensions, which make no sense in a CSR.  in x509_to_req()
225             BIO_printf(bio_err, "Error copying extensions from certificate\n");  in x509_to_req()
311             BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);  in x509_main()
376             if (days < -1) {  in x509_main()
377                 BIO_printf(bio_err, "%s: -days parameter arg must be >= -1\n",  in x509_main()
596     /* No extra arguments. */  in x509_main()
605         BIO_printf(bio_err, "Cannot use -preserve_dates with -days option\n");  in x509_main()
621         BIO_printf(bio_err, "The -in option cannot be used with -new\n");  in x509_main()
626                    "The -req option cannot be used with -new\n");  in x509_main()
643                        "The -new option requires a subject to be set using -subj\n");  in x509_main()
648                        "The -new option requires using the -key or -force_pubkey option\n");  in x509_main()
660             BIO_printf(bio_err, "Cannot use both -key/-signkey and -CA option\n");  in x509_main()
665         "Warning: ignoring " opt " option since -CA option is not given\n");  in x509_main()
667             WARN_NO_CA("-CAkey");  in x509_main()
669             WARN_NO_CA("-CAkeyform");  in x509_main()
671             WARN_NO_CA("-CAform");  in x509_main()
673             WARN_NO_CA("-CAserial");  in x509_main()
675             WARN_NO_CA("-CAcreateserial");  in x509_main()
681                        "Warning: ignoring -extensions option without -extfile\n");  in x509_main()
704         req = load_csr(infile, informat, "certificate request input");  in x509_main()
715                        ? "Error while verifying certificate request self-signature\n"  in x509_main()
716                        : "Certificate request self-signature did not match the contents\n");  in x509_main()
719         BIO_printf(bio_err, "Certificate request self-signature ok\n");  in x509_main()
723 …BIO_printf(bio_err, "Warning: ignoring -copy_extensions since neither -x509toreq nor -req is given…  in x509_main()
729                        "Warning: ignoring -preserve_dates option with -req or -new\n");  in x509_main()
733 …               "We need a private key to sign with, use -key or -CAkey or -CA with private key\n");  in x509_main()
745                 BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");  in x509_main()
753         x = load_cert_pass(infile, informat, 1, passin, "certificate");  in x509_main()
768         xca = load_cert_pass(CAfile, CAformat, 1, passin, "CA certificate");  in x509_main()
781         X509_alias_set1(x, (unsigned char *)alias, -1);  in x509_main()
799         BIO_printf(bio_err, "Warning: Ignoring -ext since -clrext is given\n");  in x509_main()
800     for (i = X509_get_ext_count(x) - 1; i >= 0; i--) {  in x509_main()
844     /* At this point the contents of the certificate x have been finished. */  in x509_main()
852     if (x509toreq) { /* also works in conjunction with -req */  in x509_main()
854             BIO_printf(bio_err, "Must specify request signing key using -key\n");  in x509_main()
858             BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");  in x509_main()
882                            "Unable to write certificate request\n");  in x509_main()
896                        "CA certificate and CA private key do not match\n");  in x509_main()
948                 BIO_puts(out, "<No Alias>\n");  in x509_main()
962             BIO_printf(out, "Certificate purposes:\n");  in x509_main()
967             if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS")) {  in x509_main()
982                 BIO_printf(out, "No modulus for this public key type");  in x509_main()
1034             BIO_printf(out, "Certificate will expire\n");  in x509_main()
1036             BIO_printf(out, "Certificate will not expire\n");  in x509_main()
1059         BIO_printf(bio_err, "Unable to write certificate\n");  in x509_main()
1098         size_t len = p != NULL ? (size_t)(p - CAfile) : strlen(CAfile);  in x509_load_serial()
1133      * It is ok to use a self-signed certificate. This case will catch both  in callb()
1147                    "Error with certificate to be certified - should be self-signed\n");  in callb()
1153                    "Error with certificate - error %d at depth %d\n%s\n", err,  in callb()
1172             BIO_printf(bio, "No\n");  in purpose_print()
1187     while (q - names <= len) {  in parse_ext_names()
1218         BIO_printf(bio_err, "No extensions in certificate\n");  in print_x509v3_exts()
1237         /* check if this ext is what we want */  in print_x509v3_exts()
1256         BIO_printf(bio, "No extensions matched with %s\n", ext_names);  in print_x509v3_exts()