• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* apps/x509.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 
59 #include <assert.h>
60 #include <stdio.h>
61 #include <stdlib.h>
62 #include <string.h>
63 #ifdef OPENSSL_NO_STDIO
64 #define APPS_WIN16
65 #endif
66 #include "apps.h"
67 #include <openssl/bio.h>
68 #include <openssl/asn1.h>
69 #include <openssl/err.h>
70 #include <openssl/bn.h>
71 #include <openssl/evp.h>
72 #include <openssl/x509.h>
73 #include <openssl/x509v3.h>
74 #include <openssl/objects.h>
75 #include <openssl/pem.h>
76 #ifndef OPENSSL_NO_RSA
77 #include <openssl/rsa.h>
78 #endif
79 #ifndef OPENSSL_NO_DSA
80 #include <openssl/dsa.h>
81 #endif
82 
83 #undef PROG
84 #define PROG x509_main
85 
86 #undef POSTFIX
87 #define	POSTFIX	".srl"
88 #define DEF_DAYS	30
89 
90 static const char *x509_usage[]={
91 "usage: x509 args\n",
92 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
93 " -outform arg    - output format - default PEM (one of DER, NET or PEM)\n",
94 " -keyform arg    - private key format - default PEM\n",
95 " -CAform arg     - CA format - default PEM\n",
96 " -CAkeyform arg  - CA key format - default PEM\n",
97 " -in arg         - input file - default stdin\n",
98 " -out arg        - output file - default stdout\n",
99 " -passin arg     - private key password source\n",
100 " -serial         - print serial number value\n",
101 " -subject_hash   - print subject hash value\n",
102 " -issuer_hash    - print issuer hash value\n",
103 " -hash           - synonym for -subject_hash\n",
104 " -subject        - print subject DN\n",
105 " -issuer         - print issuer DN\n",
106 " -email          - print email address(es)\n",
107 " -startdate      - notBefore field\n",
108 " -enddate        - notAfter field\n",
109 " -purpose        - print out certificate purposes\n",
110 " -dates          - both Before and After dates\n",
111 " -modulus        - print the RSA key modulus\n",
112 " -pubkey         - output the public key\n",
113 " -fingerprint    - print the certificate fingerprint\n",
114 " -alias          - output certificate alias\n",
115 " -noout          - no certificate output\n",
116 " -ocspid         - print OCSP hash values for the subject name and public key\n",
117 " -ocspurl        - print OCSP Responder URL(s)\n",
118 " -trustout       - output a \"trusted\" certificate\n",
119 " -clrtrust       - clear all trusted purposes\n",
120 " -clrreject      - clear all rejected purposes\n",
121 " -addtrust arg   - trust certificate for a given purpose\n",
122 " -addreject arg  - reject certificate for a given purpose\n",
123 " -setalias arg   - set certificate alias\n",
124 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
125 " -checkend arg   - check whether the cert expires in the next arg seconds\n",
126 "                   exit 1 if so, 0 if not\n",
127 " -signkey arg    - self sign cert with arg\n",
128 " -x509toreq      - output a certification request object\n",
129 " -req            - input is a certificate request, sign and output.\n",
130 " -CA arg         - set the CA certificate, must be PEM format.\n",
131 " -CAkey arg      - set the CA key, must be PEM format\n",
132 "                   missing, it is assumed to be in the CA file.\n",
133 " -CAcreateserial - create serial number file if it does not exist\n",
134 " -CAserial arg   - serial file\n",
135 " -set_serial     - serial number to use\n",
136 " -text           - print the certificate in text form\n",
137 " -C              - print out C code forms\n",
138 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
139 " -extfile        - configuration file with X509V3 extensions to add\n",
140 " -extensions     - section from config file with X509V3 extensions to add\n",
141 " -clrext         - delete extensions before signing and input certificate\n",
142 " -nameopt arg    - various certificate name options\n",
143 #ifndef OPENSSL_NO_ENGINE
144 " -engine e       - use engine e, possibly a hardware device.\n",
145 #endif
146 " -certopt arg    - various certificate text options\n",
147 NULL
148 };
149 
150 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
151 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
152 						CONF *conf, char *section);
153 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
154 			 X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
155 			 int create,int days, int clrext, CONF *conf, char *section,
156 						ASN1_INTEGER *sno);
157 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
158 static int reqfile=0;
159 
160 int MAIN(int, char **);
161 
MAIN(int argc,char ** argv)162 int MAIN(int argc, char **argv)
163 	{
164 	ENGINE *e = NULL;
165 	int ret=1;
166 	X509_REQ *req=NULL;
167 	X509 *x=NULL,*xca=NULL;
168 	ASN1_OBJECT *objtmp;
169 	EVP_PKEY *Upkey=NULL,*CApkey=NULL;
170 	ASN1_INTEGER *sno = NULL;
171 	int i,num,badops=0;
172 	BIO *out=NULL;
173 	BIO *STDout=NULL;
174 	STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
175 	int informat,outformat,keyformat,CAformat,CAkeyformat;
176 	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
177 	char *CAkeyfile=NULL,*CAserial=NULL;
178 	char *alias=NULL;
179 	int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0;
180 	int next_serial=0;
181 	int subject_hash=0,issuer_hash=0,ocspid=0;
182 	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
183 	int ocsp_uri=0;
184 	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
185 	int C=0;
186 	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
187 	int pprint = 0;
188 	const char **pp;
189 	X509_STORE *ctx=NULL;
190 	X509_REQ *rq=NULL;
191 	int fingerprint=0;
192 	char buf[256];
193 	const EVP_MD *md_alg,*digest=EVP_sha1();
194 	CONF *extconf = NULL;
195 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
196 	int need_rand = 0;
197 	int checkend=0,checkoffset=0;
198 	unsigned long nmflag = 0, certflag = 0;
199 #ifndef OPENSSL_NO_ENGINE
200 	char *engine=NULL;
201 #endif
202 
203 	reqfile=0;
204 
205 	apps_startup();
206 
207 	if (bio_err == NULL)
208 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
209 
210 	if (!load_config(bio_err, NULL))
211 		goto end;
212 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
213 #ifdef OPENSSL_SYS_VMS
214 	{
215 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
216 	STDout = BIO_push(tmpbio, STDout);
217 	}
218 #endif
219 
220 	informat=FORMAT_PEM;
221 	outformat=FORMAT_PEM;
222 	keyformat=FORMAT_PEM;
223 	CAformat=FORMAT_PEM;
224 	CAkeyformat=FORMAT_PEM;
225 
226 	ctx=X509_STORE_new();
227 	if (ctx == NULL) goto end;
228 	X509_STORE_set_verify_cb_func(ctx,callb);
229 
230 	argc--;
231 	argv++;
232 	num=0;
233 	while (argc >= 1)
234 		{
235 		if 	(strcmp(*argv,"-inform") == 0)
236 			{
237 			if (--argc < 1) goto bad;
238 			informat=str2fmt(*(++argv));
239 			}
240 		else if (strcmp(*argv,"-outform") == 0)
241 			{
242 			if (--argc < 1) goto bad;
243 			outformat=str2fmt(*(++argv));
244 			}
245 		else if (strcmp(*argv,"-keyform") == 0)
246 			{
247 			if (--argc < 1) goto bad;
248 			keyformat=str2fmt(*(++argv));
249 			}
250 		else if (strcmp(*argv,"-req") == 0)
251 			{
252 			reqfile=1;
253 			need_rand = 1;
254 			}
255 		else if (strcmp(*argv,"-CAform") == 0)
256 			{
257 			if (--argc < 1) goto bad;
258 			CAformat=str2fmt(*(++argv));
259 			}
260 		else if (strcmp(*argv,"-CAkeyform") == 0)
261 			{
262 			if (--argc < 1) goto bad;
263 			CAkeyformat=str2fmt(*(++argv));
264 			}
265 		else if (strcmp(*argv,"-days") == 0)
266 			{
267 			if (--argc < 1) goto bad;
268 			days=atoi(*(++argv));
269 			if (days == 0)
270 				{
271 				BIO_printf(STDout,"bad number of days\n");
272 				goto bad;
273 				}
274 			}
275 		else if (strcmp(*argv,"-passin") == 0)
276 			{
277 			if (--argc < 1) goto bad;
278 			passargin= *(++argv);
279 			}
280 		else if (strcmp(*argv,"-extfile") == 0)
281 			{
282 			if (--argc < 1) goto bad;
283 			extfile= *(++argv);
284 			}
285 		else if (strcmp(*argv,"-extensions") == 0)
286 			{
287 			if (--argc < 1) goto bad;
288 			extsect= *(++argv);
289 			}
290 		else if (strcmp(*argv,"-in") == 0)
291 			{
292 			if (--argc < 1) goto bad;
293 			infile= *(++argv);
294 			}
295 		else if (strcmp(*argv,"-out") == 0)
296 			{
297 			if (--argc < 1) goto bad;
298 			outfile= *(++argv);
299 			}
300 		else if (strcmp(*argv,"-signkey") == 0)
301 			{
302 			if (--argc < 1) goto bad;
303 			keyfile= *(++argv);
304 			sign_flag= ++num;
305 			need_rand = 1;
306 			}
307 		else if (strcmp(*argv,"-CA") == 0)
308 			{
309 			if (--argc < 1) goto bad;
310 			CAfile= *(++argv);
311 			CA_flag= ++num;
312 			need_rand = 1;
313 			}
314 		else if (strcmp(*argv,"-CAkey") == 0)
315 			{
316 			if (--argc < 1) goto bad;
317 			CAkeyfile= *(++argv);
318 			}
319 		else if (strcmp(*argv,"-CAserial") == 0)
320 			{
321 			if (--argc < 1) goto bad;
322 			CAserial= *(++argv);
323 			}
324 		else if (strcmp(*argv,"-set_serial") == 0)
325 			{
326 			if (--argc < 1) goto bad;
327 			if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
328 				goto bad;
329 			}
330 		else if (strcmp(*argv,"-addtrust") == 0)
331 			{
332 			if (--argc < 1) goto bad;
333 			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
334 				{
335 				BIO_printf(bio_err,
336 					"Invalid trust object value %s\n", *argv);
337 				goto bad;
338 				}
339 			if (!trust) trust = sk_ASN1_OBJECT_new_null();
340 			sk_ASN1_OBJECT_push(trust, objtmp);
341 			trustout = 1;
342 			}
343 		else if (strcmp(*argv,"-addreject") == 0)
344 			{
345 			if (--argc < 1) goto bad;
346 			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
347 				{
348 				BIO_printf(bio_err,
349 					"Invalid reject object value %s\n", *argv);
350 				goto bad;
351 				}
352 			if (!reject) reject = sk_ASN1_OBJECT_new_null();
353 			sk_ASN1_OBJECT_push(reject, objtmp);
354 			trustout = 1;
355 			}
356 		else if (strcmp(*argv,"-setalias") == 0)
357 			{
358 			if (--argc < 1) goto bad;
359 			alias= *(++argv);
360 			trustout = 1;
361 			}
362 		else if (strcmp(*argv,"-certopt") == 0)
363 			{
364 			if (--argc < 1) goto bad;
365 			if (!set_cert_ex(&certflag, *(++argv))) goto bad;
366 			}
367 		else if (strcmp(*argv,"-nameopt") == 0)
368 			{
369 			if (--argc < 1) goto bad;
370 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
371 			}
372 #ifndef OPENSSL_NO_ENGINE
373 		else if (strcmp(*argv,"-engine") == 0)
374 			{
375 			if (--argc < 1) goto bad;
376 			engine= *(++argv);
377 			}
378 #endif
379 		else if (strcmp(*argv,"-C") == 0)
380 			C= ++num;
381 		else if (strcmp(*argv,"-email") == 0)
382 			email= ++num;
383 		else if (strcmp(*argv,"-ocsp_uri") == 0)
384 			ocsp_uri= ++num;
385 		else if (strcmp(*argv,"-serial") == 0)
386 			serial= ++num;
387 		else if (strcmp(*argv,"-next_serial") == 0)
388 			next_serial= ++num;
389 		else if (strcmp(*argv,"-modulus") == 0)
390 			modulus= ++num;
391 		else if (strcmp(*argv,"-pubkey") == 0)
392 			pubkey= ++num;
393 		else if (strcmp(*argv,"-x509toreq") == 0)
394 			x509req= ++num;
395 		else if (strcmp(*argv,"-text") == 0)
396 			text= ++num;
397 		else if (strcmp(*argv,"-hash") == 0
398 			|| strcmp(*argv,"-subject_hash") == 0)
399 			subject_hash= ++num;
400 		else if (strcmp(*argv,"-issuer_hash") == 0)
401 			issuer_hash= ++num;
402 		else if (strcmp(*argv,"-subject") == 0)
403 			subject= ++num;
404 		else if (strcmp(*argv,"-issuer") == 0)
405 			issuer= ++num;
406 		else if (strcmp(*argv,"-fingerprint") == 0)
407 			fingerprint= ++num;
408 		else if (strcmp(*argv,"-dates") == 0)
409 			{
410 			startdate= ++num;
411 			enddate= ++num;
412 			}
413 		else if (strcmp(*argv,"-purpose") == 0)
414 			pprint= ++num;
415 		else if (strcmp(*argv,"-startdate") == 0)
416 			startdate= ++num;
417 		else if (strcmp(*argv,"-enddate") == 0)
418 			enddate= ++num;
419 		else if (strcmp(*argv,"-checkend") == 0)
420 			{
421 			if (--argc < 1) goto bad;
422 			checkoffset=atoi(*(++argv));
423 			checkend=1;
424 			}
425 		else if (strcmp(*argv,"-noout") == 0)
426 			noout= ++num;
427 		else if (strcmp(*argv,"-trustout") == 0)
428 			trustout= 1;
429 		else if (strcmp(*argv,"-clrtrust") == 0)
430 			clrtrust= ++num;
431 		else if (strcmp(*argv,"-clrreject") == 0)
432 			clrreject= ++num;
433 		else if (strcmp(*argv,"-alias") == 0)
434 			aliasout= ++num;
435 		else if (strcmp(*argv,"-CAcreateserial") == 0)
436 			CA_createserial= ++num;
437 		else if (strcmp(*argv,"-clrext") == 0)
438 			clrext = 1;
439 #if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
440 		else if (strcmp(*argv,"-crlext") == 0)
441 			{
442 			BIO_printf(bio_err,"use -clrext instead of -crlext\n");
443 			clrext = 1;
444 			}
445 #endif
446 		else if (strcmp(*argv,"-ocspid") == 0)
447 			ocspid= ++num;
448 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
449 			{
450 			/* ok */
451 			digest=md_alg;
452 			}
453 		else
454 			{
455 			BIO_printf(bio_err,"unknown option %s\n",*argv);
456 			badops=1;
457 			break;
458 			}
459 		argc--;
460 		argv++;
461 		}
462 
463 	if (badops)
464 		{
465 bad:
466 		for (pp=x509_usage; (*pp != NULL); pp++)
467 			BIO_printf(bio_err,"%s",*pp);
468 		goto end;
469 		}
470 
471 #ifndef OPENSSL_NO_ENGINE
472         e = setup_engine(bio_err, engine, 0);
473 #endif
474 
475 	if (need_rand)
476 		app_RAND_load_file(NULL, bio_err, 0);
477 
478 	ERR_load_crypto_strings();
479 
480 	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
481 		{
482 		BIO_printf(bio_err, "Error getting password\n");
483 		goto end;
484 		}
485 
486 	if (!X509_STORE_set_default_paths(ctx))
487 		{
488 		ERR_print_errors(bio_err);
489 		goto end;
490 		}
491 
492 	if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM))
493 		{ CAkeyfile=CAfile; }
494 	else if ((CA_flag) && (CAkeyfile == NULL))
495 		{
496 		BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n");
497 		goto end;
498 		}
499 
500 	if (extfile)
501 		{
502 		long errorline = -1;
503 		X509V3_CTX ctx2;
504 		extconf = NCONF_new(NULL);
505 		if (!NCONF_load(extconf, extfile,&errorline))
506 			{
507 			if (errorline <= 0)
508 				BIO_printf(bio_err,
509 					"error loading the config file '%s'\n",
510 								extfile);
511                 	else
512                         	BIO_printf(bio_err,
513 				       "error on line %ld of config file '%s'\n"
514 							,errorline,extfile);
515 			goto end;
516 			}
517 		if (!extsect)
518 			{
519 			extsect = NCONF_get_string(extconf, "default", "extensions");
520 			if (!extsect)
521 				{
522 				ERR_clear_error();
523 				extsect = "default";
524 				}
525 			}
526 		X509V3_set_ctx_test(&ctx2);
527 		X509V3_set_nconf(&ctx2, extconf);
528 		if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL))
529 			{
530 			BIO_printf(bio_err,
531 				"Error Loading extension section %s\n",
532 								 extsect);
533 			ERR_print_errors(bio_err);
534 			goto end;
535 			}
536 		}
537 
538 
539 	if (reqfile)
540 		{
541 		EVP_PKEY *pkey;
542 		X509_CINF *ci;
543 		BIO *in;
544 
545 		if (!sign_flag && !CA_flag)
546 			{
547 			BIO_printf(bio_err,"We need a private key to sign with\n");
548 			goto end;
549 			}
550 		in=BIO_new(BIO_s_file());
551 		if (in == NULL)
552 			{
553 			ERR_print_errors(bio_err);
554 			goto end;
555 			}
556 
557 		if (infile == NULL)
558 			BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT);
559 		else
560 			{
561 			if (BIO_read_filename(in,infile) <= 0)
562 				{
563 				perror(infile);
564 				BIO_free(in);
565 				goto end;
566 				}
567 			}
568 		req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
569 		BIO_free(in);
570 
571 		if (req == NULL)
572 			{
573 			ERR_print_errors(bio_err);
574 			goto end;
575 			}
576 
577 		if (	(req->req_info == NULL) ||
578 			(req->req_info->pubkey == NULL) ||
579 			(req->req_info->pubkey->public_key == NULL) ||
580 			(req->req_info->pubkey->public_key->data == NULL))
581 			{
582 			BIO_printf(bio_err,"The certificate request appears to corrupted\n");
583 			BIO_printf(bio_err,"It does not contain a public key\n");
584 			goto end;
585 			}
586 		if ((pkey=X509_REQ_get_pubkey(req)) == NULL)
587 	                {
588 	                BIO_printf(bio_err,"error unpacking public key\n");
589 	                goto end;
590 	                }
591 		i=X509_REQ_verify(req,pkey);
592 		EVP_PKEY_free(pkey);
593 		if (i < 0)
594 			{
595 			BIO_printf(bio_err,"Signature verification error\n");
596 			ERR_print_errors(bio_err);
597 			goto end;
598 			}
599 	        if (i == 0)
600 			{
601 			BIO_printf(bio_err,"Signature did not match the certificate request\n");
602 			goto end;
603 			}
604 		else
605 			BIO_printf(bio_err,"Signature ok\n");
606 
607 		print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
608 
609 		if ((x=X509_new()) == NULL) goto end;
610 		ci=x->cert_info;
611 
612 		if (sno == NULL)
613 			{
614 			sno = ASN1_INTEGER_new();
615 			if (!sno || !rand_serial(NULL, sno))
616 				goto end;
617 			if (!X509_set_serialNumber(x, sno))
618 				goto end;
619 			ASN1_INTEGER_free(sno);
620 			sno = NULL;
621 			}
622 		else if (!X509_set_serialNumber(x, sno))
623 			goto end;
624 
625 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
626 		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
627 
628 		X509_gmtime_adj(X509_get_notBefore(x),0);
629 	        X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
630 
631 		pkey = X509_REQ_get_pubkey(req);
632 		X509_set_pubkey(x,pkey);
633 		EVP_PKEY_free(pkey);
634 		}
635 	else
636 		x=load_cert(bio_err,infile,informat,NULL,e,"Certificate");
637 
638 	if (x == NULL) goto end;
639 	if (CA_flag)
640 		{
641 		xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate");
642 		if (xca == NULL) goto end;
643 		}
644 
645 	if (!noout || text || next_serial)
646 		{
647 		OBJ_create("2.99999.3",
648 			"SET.ex3","SET x509v3 extension 3");
649 
650 		out=BIO_new(BIO_s_file());
651 		if (out == NULL)
652 			{
653 			ERR_print_errors(bio_err);
654 			goto end;
655 			}
656 		if (outfile == NULL)
657 			{
658 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
659 #ifdef OPENSSL_SYS_VMS
660 			{
661 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
662 			out = BIO_push(tmpbio, out);
663 			}
664 #endif
665 			}
666 		else
667 			{
668 			if (BIO_write_filename(out,outfile) <= 0)
669 				{
670 				perror(outfile);
671 				goto end;
672 				}
673 			}
674 		}
675 
676 	if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
677 
678 	if (clrtrust) X509_trust_clear(x);
679 	if (clrreject) X509_reject_clear(x);
680 
681 	if (trust)
682 		{
683 		for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
684 			{
685 			objtmp = sk_ASN1_OBJECT_value(trust, i);
686 			X509_add1_trust_object(x, objtmp);
687 			}
688 		}
689 
690 	if (reject)
691 		{
692 		for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
693 			{
694 			objtmp = sk_ASN1_OBJECT_value(reject, i);
695 			X509_add1_reject_object(x, objtmp);
696 			}
697 		}
698 
699 	if (num)
700 		{
701 		for (i=1; i<=num; i++)
702 			{
703 			if (issuer == i)
704 				{
705 				print_name(STDout, "issuer= ",
706 					X509_get_issuer_name(x), nmflag);
707 				}
708 			else if (subject == i)
709 				{
710 				print_name(STDout, "subject= ",
711 					X509_get_subject_name(x), nmflag);
712 				}
713 			else if (serial == i)
714 				{
715 				BIO_printf(STDout,"serial=");
716 				i2a_ASN1_INTEGER(STDout,
717 					X509_get_serialNumber(x));
718 				BIO_printf(STDout,"\n");
719 				}
720 			else if (next_serial == i)
721 				{
722 				BIGNUM *bnser;
723 				ASN1_INTEGER *ser;
724 				ser = X509_get_serialNumber(x);
725 				bnser = ASN1_INTEGER_to_BN(ser, NULL);
726 				if (!bnser)
727 					goto end;
728 				if (!BN_add_word(bnser, 1))
729 					goto end;
730 				ser = BN_to_ASN1_INTEGER(bnser, NULL);
731 				if (!ser)
732 					goto end;
733 				BN_free(bnser);
734 				i2a_ASN1_INTEGER(out, ser);
735 				ASN1_INTEGER_free(ser);
736 				BIO_puts(out, "\n");
737 				}
738 			else if ((email == i) || (ocsp_uri == i))
739 				{
740 				int j;
741 				STACK *emlst;
742 				if (email == i)
743 					emlst = X509_get1_email(x);
744 				else
745 					emlst = X509_get1_ocsp(x);
746 				for (j = 0; j < sk_num(emlst); j++)
747 					BIO_printf(STDout, "%s\n", sk_value(emlst, j));
748 				X509_email_free(emlst);
749 				}
750 			else if (aliasout == i)
751 				{
752 				unsigned char *alstr;
753 				alstr = X509_alias_get0(x, NULL);
754 				if (alstr) BIO_printf(STDout,"%s\n", alstr);
755 				else BIO_puts(STDout,"<No Alias>\n");
756 				}
757 			else if (subject_hash == i)
758 				{
759 				BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x));
760 				}
761 			else if (issuer_hash == i)
762 				{
763 				BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x));
764 				}
765 			else if (pprint == i)
766 				{
767 				X509_PURPOSE *ptmp;
768 				int j;
769 				BIO_printf(STDout, "Certificate purposes:\n");
770 				for (j = 0; j < X509_PURPOSE_get_count(); j++)
771 					{
772 					ptmp = X509_PURPOSE_get0(j);
773 					purpose_print(STDout, x, ptmp);
774 					}
775 				}
776 			else
777 				if (modulus == i)
778 				{
779 				EVP_PKEY *pkey;
780 
781 				pkey=X509_get_pubkey(x);
782 				if (pkey == NULL)
783 					{
784 					BIO_printf(bio_err,"Modulus=unavailable\n");
785 					ERR_print_errors(bio_err);
786 					goto end;
787 					}
788 				BIO_printf(STDout,"Modulus=");
789 #ifndef OPENSSL_NO_RSA
790 				if (pkey->type == EVP_PKEY_RSA)
791 					BN_print(STDout,pkey->pkey.rsa->n);
792 				else
793 #endif
794 #ifndef OPENSSL_NO_DSA
795 				if (pkey->type == EVP_PKEY_DSA)
796 					BN_print(STDout,pkey->pkey.dsa->pub_key);
797 				else
798 #endif
799 					BIO_printf(STDout,"Wrong Algorithm type");
800 				BIO_printf(STDout,"\n");
801 				EVP_PKEY_free(pkey);
802 				}
803 			else
804 				if (pubkey == i)
805 				{
806 				EVP_PKEY *pkey;
807 
808 				pkey=X509_get_pubkey(x);
809 				if (pkey == NULL)
810 					{
811 					BIO_printf(bio_err,"Error getting public key\n");
812 					ERR_print_errors(bio_err);
813 					goto end;
814 					}
815 				PEM_write_bio_PUBKEY(STDout, pkey);
816 				EVP_PKEY_free(pkey);
817 				}
818 			else
819 				if (C == i)
820 				{
821 				unsigned char *d;
822 				char *m;
823 				int y,z;
824 
825 				X509_NAME_oneline(X509_get_subject_name(x),
826 					buf,sizeof buf);
827 				BIO_printf(STDout,"/* subject:%s */\n",buf);
828 				m=X509_NAME_oneline(
829 					X509_get_issuer_name(x),buf,
830 					sizeof buf);
831 				BIO_printf(STDout,"/* issuer :%s */\n",buf);
832 
833 				z=i2d_X509(x,NULL);
834 				m=OPENSSL_malloc(z);
835 
836 				d=(unsigned char *)m;
837 				z=i2d_X509_NAME(X509_get_subject_name(x),&d);
838 				BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z);
839 				d=(unsigned char *)m;
840 				for (y=0; y<z; y++)
841 					{
842 					BIO_printf(STDout,"0x%02X,",d[y]);
843 					if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n");
844 					}
845 				if (y%16 != 0) BIO_printf(STDout,"\n");
846 				BIO_printf(STDout,"};\n");
847 
848 				z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d);
849 				BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z);
850 				d=(unsigned char *)m;
851 				for (y=0; y<z; y++)
852 					{
853 					BIO_printf(STDout,"0x%02X,",d[y]);
854 					if ((y & 0x0f) == 0x0f)
855 						BIO_printf(STDout,"\n");
856 					}
857 				if (y%16 != 0) BIO_printf(STDout,"\n");
858 				BIO_printf(STDout,"};\n");
859 
860 				z=i2d_X509(x,&d);
861 				BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z);
862 				d=(unsigned char *)m;
863 				for (y=0; y<z; y++)
864 					{
865 					BIO_printf(STDout,"0x%02X,",d[y]);
866 					if ((y & 0x0f) == 0x0f)
867 						BIO_printf(STDout,"\n");
868 					}
869 				if (y%16 != 0) BIO_printf(STDout,"\n");
870 				BIO_printf(STDout,"};\n");
871 
872 				OPENSSL_free(m);
873 				}
874 			else if (text == i)
875 				{
876 				X509_print_ex(out,x,nmflag, certflag);
877 				}
878 			else if (startdate == i)
879 				{
880 				BIO_puts(STDout,"notBefore=");
881 				ASN1_TIME_print(STDout,X509_get_notBefore(x));
882 				BIO_puts(STDout,"\n");
883 				}
884 			else if (enddate == i)
885 				{
886 				BIO_puts(STDout,"notAfter=");
887 				ASN1_TIME_print(STDout,X509_get_notAfter(x));
888 				BIO_puts(STDout,"\n");
889 				}
890 			else if (fingerprint == i)
891 				{
892 				int j;
893 				unsigned int n;
894 				unsigned char md[EVP_MAX_MD_SIZE];
895 
896 				if (!X509_digest(x,digest,md,&n))
897 					{
898 					BIO_printf(bio_err,"out of memory\n");
899 					goto end;
900 					}
901 				BIO_printf(STDout,"%s Fingerprint=",
902 						OBJ_nid2sn(EVP_MD_type(digest)));
903 				for (j=0; j<(int)n; j++)
904 					{
905 					BIO_printf(STDout,"%02X%c",md[j],
906 						(j+1 == (int)n)
907 						?'\n':':');
908 					}
909 				}
910 
911 			/* should be in the library */
912 			else if ((sign_flag == i) && (x509req == 0))
913 				{
914 				BIO_printf(bio_err,"Getting Private key\n");
915 				if (Upkey == NULL)
916 					{
917 					Upkey=load_key(bio_err,
918 						keyfile, keyformat, 0,
919 						passin, e, "Private key");
920 					if (Upkey == NULL) goto end;
921 					}
922 #ifndef OPENSSL_NO_DSA
923 		                if (Upkey->type == EVP_PKEY_DSA)
924 		                        digest=EVP_dss1();
925 #endif
926 #ifndef OPENSSL_NO_ECDSA
927 				if (Upkey->type == EVP_PKEY_EC)
928 					digest=EVP_ecdsa();
929 #endif
930 
931 				assert(need_rand);
932 				if (!sign(x,Upkey,days,clrext,digest,
933 						 extconf, extsect)) goto end;
934 				}
935 			else if (CA_flag == i)
936 				{
937 				BIO_printf(bio_err,"Getting CA Private Key\n");
938 				if (CAkeyfile != NULL)
939 					{
940 					CApkey=load_key(bio_err,
941 						CAkeyfile, CAkeyformat,
942 						0, passin, e,
943 						"CA Private Key");
944 					if (CApkey == NULL) goto end;
945 					}
946 #ifndef OPENSSL_NO_DSA
947 		                if (CApkey->type == EVP_PKEY_DSA)
948 		                        digest=EVP_dss1();
949 #endif
950 #ifndef OPENSSL_NO_ECDSA
951 				if (CApkey->type == EVP_PKEY_EC)
952 					digest = EVP_ecdsa();
953 #endif
954 
955 				assert(need_rand);
956 				if (!x509_certify(ctx,CAfile,digest,x,xca,
957 					CApkey, CAserial,CA_createserial,days, clrext,
958 					extconf, extsect, sno))
959 					goto end;
960 				}
961 			else if (x509req == i)
962 				{
963 				EVP_PKEY *pk;
964 
965 				BIO_printf(bio_err,"Getting request Private Key\n");
966 				if (keyfile == NULL)
967 					{
968 					BIO_printf(bio_err,"no request key file specified\n");
969 					goto end;
970 					}
971 				else
972 					{
973 					pk=load_key(bio_err,
974 						keyfile, FORMAT_PEM, 0,
975 						passin, e, "request key");
976 					if (pk == NULL) goto end;
977 					}
978 
979 				BIO_printf(bio_err,"Generating certificate request\n");
980 
981 #ifndef OPENSSL_NO_DSA
982 		                if (pk->type == EVP_PKEY_DSA)
983 		                        digest=EVP_dss1();
984 #endif
985 #ifndef OPENSSL_NO_ECDSA
986 				if (pk->type == EVP_PKEY_EC)
987 					digest=EVP_ecdsa();
988 #endif
989 
990 				rq=X509_to_X509_REQ(x,pk,digest);
991 				EVP_PKEY_free(pk);
992 				if (rq == NULL)
993 					{
994 					ERR_print_errors(bio_err);
995 					goto end;
996 					}
997 				if (!noout)
998 					{
999 					X509_REQ_print(out,rq);
1000 					PEM_write_bio_X509_REQ(out,rq);
1001 					}
1002 				noout=1;
1003 				}
1004 			else if (ocspid == i)
1005 				{
1006 				X509_ocspid_print(out, x);
1007 				}
1008 			}
1009 		}
1010 
1011 	if (checkend)
1012 		{
1013 		time_t tcheck=time(NULL) + checkoffset;
1014 
1015 		if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0)
1016 			{
1017 			BIO_printf(out,"Certificate will expire\n");
1018 			ret=1;
1019 			}
1020 		else
1021 			{
1022 			BIO_printf(out,"Certificate will not expire\n");
1023 			ret=0;
1024 			}
1025 		goto end;
1026 		}
1027 
1028 	if (noout)
1029 		{
1030 		ret=0;
1031 		goto end;
1032 		}
1033 
1034 	if 	(outformat == FORMAT_ASN1)
1035 		i=i2d_X509_bio(out,x);
1036 	else if (outformat == FORMAT_PEM)
1037 		{
1038 		if (trustout) i=PEM_write_bio_X509_AUX(out,x);
1039 		else i=PEM_write_bio_X509(out,x);
1040 		}
1041 	else if (outformat == FORMAT_NETSCAPE)
1042 		{
1043 		ASN1_HEADER ah;
1044 		ASN1_OCTET_STRING os;
1045 
1046 		os.data=(unsigned char *)NETSCAPE_CERT_HDR;
1047 		os.length=strlen(NETSCAPE_CERT_HDR);
1048 		ah.header= &os;
1049 		ah.data=(char *)x;
1050 		ah.meth=X509_asn1_meth();
1051 
1052 		i=ASN1_i2d_bio_of(ASN1_HEADER,i2d_ASN1_HEADER,out,&ah);
1053 		}
1054 	else	{
1055 		BIO_printf(bio_err,"bad output format specified for outfile\n");
1056 		goto end;
1057 		}
1058 	if (!i)
1059 		{
1060 		BIO_printf(bio_err,"unable to write certificate\n");
1061 		ERR_print_errors(bio_err);
1062 		goto end;
1063 		}
1064 	ret=0;
1065 end:
1066 	if (need_rand)
1067 		app_RAND_write_file(NULL, bio_err);
1068 	OBJ_cleanup();
1069 	NCONF_free(extconf);
1070 	BIO_free_all(out);
1071 	BIO_free_all(STDout);
1072 	X509_STORE_free(ctx);
1073 	X509_REQ_free(req);
1074 	X509_free(x);
1075 	X509_free(xca);
1076 	EVP_PKEY_free(Upkey);
1077 	EVP_PKEY_free(CApkey);
1078 	X509_REQ_free(rq);
1079 	ASN1_INTEGER_free(sno);
1080 	sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
1081 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
1082 	if (passin) OPENSSL_free(passin);
1083 	apps_shutdown();
1084 	OPENSSL_EXIT(ret);
1085 	}
1086 
x509_load_serial(char * CAfile,char * serialfile,int create)1087 static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create)
1088 	{
1089 	char *buf = NULL, *p;
1090 	ASN1_INTEGER *bs = NULL;
1091 	BIGNUM *serial = NULL;
1092 	size_t len;
1093 
1094 	len = ((serialfile == NULL)
1095 		?(strlen(CAfile)+strlen(POSTFIX)+1)
1096 		:(strlen(serialfile)))+1;
1097 	buf=OPENSSL_malloc(len);
1098 	if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
1099 	if (serialfile == NULL)
1100 		{
1101 		BUF_strlcpy(buf,CAfile,len);
1102 		for (p=buf; *p; p++)
1103 			if (*p == '.')
1104 				{
1105 				*p='\0';
1106 				break;
1107 				}
1108 		BUF_strlcat(buf,POSTFIX,len);
1109 		}
1110 	else
1111 		BUF_strlcpy(buf,serialfile,len);
1112 
1113 	serial = load_serial(buf, create, NULL);
1114 	if (serial == NULL) goto end;
1115 
1116 	if (!BN_add_word(serial,1))
1117 		{ BIO_printf(bio_err,"add_word failure\n"); goto end; }
1118 
1119 	if (!save_serial(buf, NULL, serial, &bs)) goto end;
1120 
1121  end:
1122 	if (buf) OPENSSL_free(buf);
1123 	BN_free(serial);
1124 	return bs;
1125 	}
1126 
x509_certify(X509_STORE * ctx,char * CAfile,const EVP_MD * digest,X509 * x,X509 * xca,EVP_PKEY * pkey,char * serialfile,int create,int days,int clrext,CONF * conf,char * section,ASN1_INTEGER * sno)1127 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
1128 	     X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
1129 	     int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
1130 	{
1131 	int ret=0;
1132 	ASN1_INTEGER *bs=NULL;
1133 	X509_STORE_CTX xsc;
1134 	EVP_PKEY *upkey;
1135 
1136 	upkey = X509_get_pubkey(xca);
1137 	EVP_PKEY_copy_parameters(upkey,pkey);
1138 	EVP_PKEY_free(upkey);
1139 
1140 	if(!X509_STORE_CTX_init(&xsc,ctx,x,NULL))
1141 		{
1142 		BIO_printf(bio_err,"Error initialising X509 store\n");
1143 		goto end;
1144 		}
1145 	if (sno) bs = sno;
1146 	else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
1147 		goto end;
1148 
1149 /*	if (!X509_STORE_add_cert(ctx,x)) goto end;*/
1150 
1151 	/* NOTE: this certificate can/should be self signed, unless it was
1152 	 * a certificate request in which case it is not. */
1153 	X509_STORE_CTX_set_cert(&xsc,x);
1154 	if (!reqfile && X509_verify_cert(&xsc) <= 0)
1155 		goto end;
1156 
1157 	if (!X509_check_private_key(xca,pkey))
1158 		{
1159 		BIO_printf(bio_err,"CA certificate and CA private key do not match\n");
1160 		goto end;
1161 		}
1162 
1163 	if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
1164 	if (!X509_set_serialNumber(x,bs)) goto end;
1165 
1166 	if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
1167 		goto end;
1168 
1169 	/* hardwired expired */
1170 	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
1171 		goto end;
1172 
1173 	if (clrext)
1174 		{
1175 		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
1176 		}
1177 
1178 	if (conf)
1179 		{
1180 		X509V3_CTX ctx2;
1181 		X509_set_version(x,2); /* version 3 certificate */
1182                 X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
1183                 X509V3_set_nconf(&ctx2, conf);
1184                 if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) goto end;
1185 		}
1186 
1187 	if (!X509_sign(x,pkey,digest)) goto end;
1188 	ret=1;
1189 end:
1190 	X509_STORE_CTX_cleanup(&xsc);
1191 	if (!ret)
1192 		ERR_print_errors(bio_err);
1193 	if (!sno) ASN1_INTEGER_free(bs);
1194 	return ret;
1195 	}
1196 
callb(int ok,X509_STORE_CTX * ctx)1197 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
1198 	{
1199 	int err;
1200 	X509 *err_cert;
1201 
1202 	/* it is ok to use a self signed certificate
1203 	 * This case will catch both the initial ok == 0 and the
1204 	 * final ok == 1 calls to this function */
1205 	err=X509_STORE_CTX_get_error(ctx);
1206 	if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
1207 		return 1;
1208 
1209 	/* BAD we should have gotten an error.  Normally if everything
1210 	 * worked X509_STORE_CTX_get_error(ctx) will still be set to
1211 	 * DEPTH_ZERO_SELF_.... */
1212 	if (ok)
1213 		{
1214 		BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
1215 		return 0;
1216 		}
1217 	else
1218 		{
1219 		err_cert=X509_STORE_CTX_get_current_cert(ctx);
1220 		print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
1221 		BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
1222 			err,X509_STORE_CTX_get_error_depth(ctx),
1223 			X509_verify_cert_error_string(err));
1224 		return 1;
1225 		}
1226 	}
1227 
1228 /* self sign */
sign(X509 * x,EVP_PKEY * pkey,int days,int clrext,const EVP_MD * digest,CONF * conf,char * section)1229 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
1230 						CONF *conf, char *section)
1231 	{
1232 
1233 	EVP_PKEY *pktmp;
1234 
1235 	pktmp = X509_get_pubkey(x);
1236 	EVP_PKEY_copy_parameters(pktmp,pkey);
1237 	EVP_PKEY_save_parameters(pktmp,1);
1238 	EVP_PKEY_free(pktmp);
1239 
1240 	if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
1241 	if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
1242 
1243 	/* Lets just make it 12:00am GMT, Jan 1 1970 */
1244 	/* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
1245 	/* 28 days to be certified */
1246 
1247 	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
1248 		goto err;
1249 
1250 	if (!X509_set_pubkey(x,pkey)) goto err;
1251 	if (clrext)
1252 		{
1253 		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
1254 		}
1255 	if (conf)
1256 		{
1257 		X509V3_CTX ctx;
1258 		X509_set_version(x,2); /* version 3 certificate */
1259                 X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
1260                 X509V3_set_nconf(&ctx, conf);
1261                 if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) goto err;
1262 		}
1263 	if (!X509_sign(x,pkey,digest)) goto err;
1264 	return 1;
1265 err:
1266 	ERR_print_errors(bio_err);
1267 	return 0;
1268 	}
1269 
purpose_print(BIO * bio,X509 * cert,X509_PURPOSE * pt)1270 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
1271 {
1272 	int id, i, idret;
1273 	char *pname;
1274 	id = X509_PURPOSE_get_id(pt);
1275 	pname = X509_PURPOSE_get0_name(pt);
1276 	for (i = 0; i < 2; i++)
1277 		{
1278 		idret = X509_check_purpose(cert, id, i);
1279 		BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");
1280 		if (idret == 1) BIO_printf(bio, "Yes\n");
1281 		else if (idret == 0) BIO_printf(bio, "No\n");
1282 		else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
1283 		}
1284 	return 1;
1285 }
1286