../deps/openssl/openssl/apps/ca.c

Bug Summary

File:	out/../deps/openssl/openssl/apps/ca.c
Warning:	line 1070, column 9 Value stored to 'outdirlen' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name ca.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_API_COMPAT=0x10100001L -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl/apps/include -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/config/archs/linux-x86_64/asm -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/apps/ca.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9	#include <stdio.h>
10	#include <stdlib.h>
11	#include <string.h>
12	#include <ctype.h>
13	#include <sys/types.h>
14	#include <openssl/conf.h>
15	#include <openssl/bio.h>
16	#include <openssl/err.h>
17	#include <openssl/bn.h>
18	#include <openssl/txt_db.h>
19	#include <openssl/evp.h>
20	#include <openssl/x509.h>
21	#include <openssl/x509v3.h>
22	#include <openssl/objects.h>
23	#include <openssl/ocsp.h>
24	#include <openssl/pem.h>
25
26	#ifndef W_OK2
27	# ifdef OPENSSL_SYS_VMS
28	# include <unistd.h>
29	# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_TANDEM)
30	# include <sys/file.h>
31	# endif
32	#endif
33
34	#include "apps.h"
35	#include "progs.h"
36
37	#ifndef W_OK2
38	# define F_OK0 0
39	# define W_OK2 2
40	# define R_OK4 4
41	#endif
42
43	#ifndef PATH_MAX4096
44	# define PATH_MAX4096 4096
45	#endif
46
47	#define BASE_SECTION"ca" "ca"
48
49	#define ENV_DEFAULT_CA"default_ca" "default_ca"
50
51	#define STRING_MASK"string_mask" "string_mask"
52	#define UTF8_IN"utf8" "utf8"
53
54	#define ENV_NEW_CERTS_DIR"new_certs_dir" "new_certs_dir"
55	#define ENV_CERTIFICATE"certificate" "certificate"
56	#define ENV_SERIAL"serial" "serial"
57	#define ENV_RAND_SERIAL"rand_serial" "rand_serial"
58	#define ENV_CRLNUMBER"crlnumber" "crlnumber"
59	#define ENV_PRIVATE_KEY"private_key" "private_key"
60	#define ENV_DEFAULT_DAYS"default_days" "default_days"
61	#define ENV_DEFAULT_STARTDATE"default_startdate" "default_startdate"
62	#define ENV_DEFAULT_ENDDATE"default_enddate" "default_enddate"
63	#define ENV_DEFAULT_CRL_DAYS"default_crl_days" "default_crl_days"
64	#define ENV_DEFAULT_CRL_HOURS"default_crl_hours" "default_crl_hours"
65	#define ENV_DEFAULT_MD"default_md" "default_md"
66	#define ENV_DEFAULT_EMAIL_DN"email_in_dn" "email_in_dn"
67	#define ENV_PRESERVE"preserve" "preserve"
68	#define ENV_POLICY"policy" "policy"
69	#define ENV_EXTENSIONS"x509_extensions" "x509_extensions"
70	#define ENV_CRLEXT"crl_extensions" "crl_extensions"
71	#define ENV_MSIE_HACK"msie_hack" "msie_hack"
72	#define ENV_NAMEOPT"name_opt" "name_opt"
73	#define ENV_CERTOPT"cert_opt" "cert_opt"
74	#define ENV_EXTCOPY"copy_extensions" "copy_extensions"
75	#define ENV_UNIQUE_SUBJECT"unique_subject" "unique_subject"
76
77	#define ENV_DATABASE"database" "database"
78
79	/* Additional revocation information types */
80	typedef enum {
81	REV_VALID = -1, /* Valid (not-revoked) status */
82	REV_NONE = 0, /* No additional information */
83	REV_CRL_REASON = 1, /* Value is CRL reason code */
84	REV_HOLD = 2, /* Value is hold instruction */
85	REV_KEY_COMPROMISE = 3, /* Value is cert key compromise time */
86	REV_CA_COMPROMISE = 4 /* Value is CA key compromise time */
87	} REVINFO_TYPE;
88
89	static char lookup_conf(const CONF conf, const char group, const char tag);
90
91	static int certify(X509 *xret, const char infile, int informat,
92	EVP_PKEY pkey, X509 x509,
93	const char *dgst,
94	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
95	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *vfyopts,
96	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
97	BIGNUM serial, const char subj, unsigned long chtype,
98	int multirdn, int email_dn, const char *startdate,
99	const char *enddate,
100	long days, int batch, const char ext_sect, CONF conf,
101	int verbose, unsigned long certopt, unsigned long nameopt,
102	int default_op, int ext_copy, int selfsign, unsigned long dateopt);
103	static int certify_cert(X509 *xret, const char infile, int certformat,
104	const char passin, EVP_PKEY pkey, X509 *x509,
105	const char *dgst,
106	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
107	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *vfyopts,
108	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
109	BIGNUM serial, const char subj, unsigned long chtype,
110	int multirdn, int email_dn, const char *startdate,
111	const char enddate, long days, int batch, const char ext_sect,
112	CONF *conf, int verbose, unsigned long certopt,
113	unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
114	static int certify_spkac(X509 *xret, const char infile, EVP_PKEY *pkey,
115	X509 x509, const char dgst,
116	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
117	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
118	BIGNUM serial, const char subj, unsigned long chtype,
119	int multirdn, int email_dn, const char *startdate,
120	const char enddate, long days, const char ext_sect, CONF *conf,
121	int verbose, unsigned long certopt,
122	unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt);
123	static int do_body(X509 *xret, EVP_PKEY pkey, X509 *x509,
124	const char dgst, STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING sigopts,
125	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db, BIGNUM *serial,
126	const char *subj, unsigned long chtype, int multirdn,
127	int email_dn, const char startdate, const char enddate, long days,
128	int batch, int verbose, X509_REQ req, const char ext_sect,
129	CONF *conf, unsigned long certopt, unsigned long nameopt,
130	int default_op, int ext_copy, int selfsign, unsigned long dateopt);
131	static int get_certificate_status(const char ser_status, CA_DB db);
132	static int do_updatedb(CA_DB *db);
133	static int check_time_format(const char *str);
134	static int do_revoke(X509 x509, CA_DB db, REVINFO_TYPE rev_type,
135	const char *extval);
136	static char make_revocation_str(REVINFO_TYPE rev_type, const char rev_arg);
137	static int make_revoked(X509_REVOKED rev, const char str);
138	static int old_entry_print(const ASN1_OBJECT obj, const ASN1_STRING str);
139	static void write_new_certificate(BIO bp, X509 x, int output_der, int notext);
140
141	static CONF extfile_conf = NULL((void)0);
142	static int preserve = 0;
143	static int msie_hack = 0;
144
145	typedef enum OPTION_choice {
146	OPT_COMMONOPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
147	OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
148	OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE,
149	OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN,
150	OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
151	OPT_IN, OPT_INFORM, OPT_OUT, OPT_DATEOPT, OPT_OUTDIR, OPT_VFYOPT,
152	OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
153	OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
154	OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
155	OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
156	OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
157	OPT_RAND_SERIAL,
158	OPT_R_ENUMOPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST, OPT_PROV_ENUMOPT_PROV__FIRST=1600, OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH , OPT_PROV_PROPQUERY, OPT_PROV__LAST,
159	/* Do not change the order here; see related case statements below */
160	OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE
161	} OPTION_CHOICE;
162
163	const OPTIONS ca_options[] = {
164	{OPT_HELP_STR, 1, '-', "Usage: %s [options] [certreq...]\n"},
165
166	OPT_SECTION("General"){ OPT_SECTION_STR, 1, '-', "General" " options:\n" },
167	{"help", OPT_HELP, '-', "Display this summary"},
168	{"verbose", OPT_VERBOSE, '-', "Verbose output during processing"},
169	{"outdir", OPT_OUTDIR, '/', "Where to put output cert"},
170	{"in", OPT_IN, '<', "The input cert request(s)"},
171	{"inform", OPT_INFORM, 'F', "CSR input format (DER or PEM); default PEM"},
172	{"infiles", OPT_INFILES, '-', "The last argument, requests to process"},
173	{"out", OPT_OUT, '>', "Where to put the output file(s)"},
174	{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
175	{"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"},
176	{"batch", OPT_BATCH, '-', "Don't ask questions"},
177	{"msie_hack", OPT_MSIE_HACK, '-',
178	"msie modifications to handle all Universal Strings"},
179	{"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
180	{"spkac", OPT_SPKAC, '<',
181	"File contains DN and signed public key and challenge"},
182	#ifndef OPENSSL_NO_ENGINE
183	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
184	#endif
185
186	OPT_SECTION("Configuration"){ OPT_SECTION_STR, 1, '-', "Configuration" " options:\n" },
187	{"config", OPT_CONFIG, 's', "A config file"},
188	{"name", OPT_NAME, 's', "The particular CA definition to use"},
189	{"section", OPT_NAME, 's', "An alias for -name"},
190	{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
191
192	OPT_SECTION("Certificate"){ OPT_SECTION_STR, 1, '-', "Certificate" " options:\n" },
193	{"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
194	{"utf8", OPT_UTF8, '-', "Input characters are UTF8; default ASCII"},
195	{"create_serial", OPT_CREATE_SERIAL, '-',
196	"If reading serial fails, create a new random serial"},
197	{"rand_serial", OPT_RAND_SERIAL, '-',
198	"Always create a random serial; do not store it"},
199	{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
200	"Deprecated; multi-valued RDNs support is always on."},
201	{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
202	{"enddate", OPT_ENDDATE, 's',
203	"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
204	{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
205	{"extensions", OPT_EXTENSIONS, 's',
206	"Extension section (override value in config file)"},
207	{"extfile", OPT_EXTFILE, '<',
208	"Configuration file with X509v3 extensions to add"},
209	{"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"},
210	{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
211
212	OPT_SECTION("Signing"){ OPT_SECTION_STR, 1, '-', "Signing" " options:\n" },
213	{"md", OPT_MD, 's', "Digest to use, such as sha256"},
214	{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
215	{"keyform", OPT_KEYFORM, 'f',
216	"Private key file format (ENGINE, other values ignored)"},
217	{"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"},
218	{"key", OPT_KEY, 's',
219	"Key to decrypt the private key or cert files if encrypted. Better use -passin"},
220	{"cert", OPT_CERT, '<', "The CA cert"},
221	{"certform", OPT_CERTFORM, 'F',
222	"Certificate input format (DER/PEM/P12); has no effect"},
223	{"selfsign", OPT_SELFSIGN, '-',
224	"Sign a cert with the key associated with it"},
225	{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
226	{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},
227
228	OPT_SECTION("Revocation"){ OPT_SECTION_STR, 1, '-', "Revocation" " options:\n" },
229	{"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
230	{"valid", OPT_VALID, 's',
231	"Add a Valid(not-revoked) DB entry about a cert (given in file)"},
232	{"status", OPT_STATUS, 's', "Shows cert status given the serial number"},
233	{"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
234	{"crlexts", OPT_CRLEXTS, 's',
235	"CRL extension section (override value in config file)"},
236	{"crl_reason", OPT_CRL_REASON, 's', "revocation reason"},
237	{"crl_hold", OPT_CRL_HOLD, 's',
238	"the hold instruction, an OID. Sets revocation reason to certificateHold"},
239	{"crl_compromise", OPT_CRL_COMPROMISE, 's',
240	"sets compromise time to val and the revocation reason to keyCompromise"},
241	{"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
242	"sets compromise time to val and the revocation reason to CACompromise"},
243	{"crl_lastupdate", OPT_CRL_LASTUPDATE, 's',
244	"Sets the CRL lastUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
245	{"crl_nextupdate", OPT_CRL_NEXTUPDATE, 's',
246	"Sets the CRL nextUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
247	{"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
248	{"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
249	{"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
250	{"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"},
251
252	OPT_R_OPTIONS{ OPT_SECTION_STR, 1, '-', "Random state" " options:\n" }, {"rand" , OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" },
253	OPT_PROV_OPTIONS{ OPT_SECTION_STR, 1, '-', "Provider" " options:\n" }, { "provider-path" , OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" },
254
255	OPT_PARAMETERS(){ OPT_PARAM_STR, 1, '-', "Parameters:\n" },
256	{"certreq", 0, 0, "Certificate requests to be signed (optional)"},
257	{NULL((void*)0)}
258	};
259
260	int ca_main(int argc, char **argv)
261	{
262	CONF conf = NULL((void)0);
263	ENGINE e = NULL((void)0);
264	BIGNUM crlnumber = NULL((void)0), serial = NULL((void)0);
265	EVP_PKEY pkey = NULL((void)0);
266	BIO in = NULL((void)0), out = NULL((void)0), Sout = NULL((void)0);
267	ASN1_INTEGER *tmpser;
268	CA_DB db = NULL((void)0);
269	DB_ATTR db_attr;
270	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE attribs = NULL((void)0);
271	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING sigopts = NULL((void)0), vfyopts = NULL((void)0);
272	STACK_OF(X509)struct stack_st_X509 cert_sk = NULL((void)0);
273	X509_CRL crl = NULL((void)0);
274	char configfile = default_config_file, section = NULL((void*)0);
275	char def_dgst[80] = "";
276	char dgst = NULL((void)0), policy = NULL((void)0), keyfile = NULL((void)0);
277	char certfile = NULL((void)0), crl_ext = NULL((void)0), crlnumberfile = NULL((void)0);
278	int certformat = FORMAT_UNDEF0, informat = FORMAT_UNDEF0;
279	unsigned long dateopt = ASN1_DTFLGS_RFC8220x00UL;
280	const char infile = NULL((void)0), spkac_file = NULL((void)0), ss_cert_file = NULL((void)0);
281	const char extensions = NULL((void)0), extfile = NULL((void)0), passinarg = NULL((void)0);
282	char passin = NULL((void)0);
283	char outdir = NULL((void)0), outfile = NULL((void)0), rev_arg = NULL((void)0), ser_status = NULL((void)0);
284	const char serialfile = NULL((void)0), subj = NULL((void)0);
285	char prog, startdate = NULL((void)0), enddate = NULL((void*)0);
286	char dbfile = NULL((void)0), *f;
287	char new_cert[PATH_MAX4096];
288	char tmp[10 + 1] = "\0";
289	char const pp;
290	const char *p;
291	size_t outdirlen = 0;
292	int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
293	int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE0;
294	int keyformat = FORMAT_UNDEF0, multirdn = 1, notext = 0, output_der = 0;
295	int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
296	int rand_ser = 0, i, j, selfsign = 0, def_ret;
297	char crl_lastupdate = NULL((void)0), crl_nextupdate = NULL((void)0);
298	long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
299	unsigned long chtype = MBSTRING_ASC(0x1000\|1), certopt = 0;
300	X509 x509 = NULL((void)0), x509p = NULL((void)0), x = NULL((void)0);
301	REVINFO_TYPE rev_type = REV_NONE;
302	X509_REVOKED r = NULL((void)0);
303	OPTION_CHOICE o;
304
305	prog = opt_init(argc, argv, ca_options);
306	while ((o = opt_next()) != OPT_EOF) {
307	switch (o) {
308	case OPT_EOF:
309	case OPT_ERR:
310	opthelp:
311	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
312	goto end;
313	case OPT_HELP:
314	opt_help(ca_options);
315	ret = 0;
316	goto end;
317	case OPT_IN:
318	req = 1;
319	infile = opt_arg();
320	break;
321	case OPT_INFORM:
322	if (!opt_format(opt_arg(), OPT_FMT_PEMDER(1L << 1), &informat))
323	goto opthelp;
324	break;
325	case OPT_OUT:
326	outfile = opt_arg();
327	break;
328	case OPT_DATEOPT:
329	if (!set_dateopt(&dateopt, opt_arg()))
330	goto opthelp;
331	break;
332	case OPT_VERBOSE:
333	verbose = 1;
334	break;
335	case OPT_CONFIG:
336	configfile = opt_arg();
337	break;
338	case OPT_NAME:
339	section = opt_arg();
340	break;
341	case OPT_SUBJ:
342	subj = opt_arg();
343	/* preserve=1; */
344	break;
345	case OPT_UTF8:
346	chtype = MBSTRING_UTF8(0x1000);
347	break;
348	case OPT_RAND_SERIAL:
349	rand_ser = 1;
350	break;
351	case OPT_CREATE_SERIAL:
352	create_ser = 1;
353	break;
354	case OPT_MULTIVALUE_RDN:
355	/* obsolete */
356	break;
357	case OPT_STARTDATE:
358	startdate = opt_arg();
359	break;
360	case OPT_ENDDATE:
361	enddate = opt_arg();
362	break;
363	case OPT_DAYS:
364	days = atoi(opt_arg());
365	break;
366	case OPT_MD:
367	dgst = opt_arg();
368	break;
369	case OPT_POLICY:
370	policy = opt_arg();
371	break;
372	case OPT_KEYFILE:
373	keyfile = opt_arg();
374	break;
375	case OPT_KEYFORM:
376	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &keyformat))
377	goto opthelp;
378	break;
379	case OPT_PASSIN:
380	passinarg = opt_arg();
381	break;
382	case OPT_R_CASESOPT_R__FIRST: case OPT_R__LAST: break; case OPT_R_RAND: case OPT_R_WRITERAND:
383	if (!opt_rand(o))
384	goto end;
385	break;
386	case OPT_PROV_CASESOPT_PROV__FIRST: case OPT_PROV__LAST: break; case OPT_PROV_PROVIDER : case OPT_PROV_PROVIDER_PATH: case OPT_PROV_PROPQUERY:
387	if (!opt_provider(o))
388	goto end;
389	break;
390	case OPT_KEY:
391	passin = opt_arg();
392	break;
393	case OPT_CERT:
394	certfile = opt_arg();
395	break;
396	case OPT_CERTFORM:
397	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &certformat))
398	goto opthelp;
399	break;
400	case OPT_SELFSIGN:
401	selfsign = 1;
402	break;
403	case OPT_OUTDIR:
404	outdir = opt_arg();
405	break;
406	case OPT_SIGOPT:
407	if (sigopts == NULL((void*)0))
408	sigopts = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
409	if (sigopts == NULL((void*)0) \|\| !sk_OPENSSL_STRING_push(sigopts, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(sigopts), ossl_check_OPENSSL_STRING_type (opt_arg())))
410	goto end;
411	break;
412	case OPT_VFYOPT:
413	if (vfyopts == NULL((void*)0))
414	vfyopts = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
415	if (vfyopts == NULL((void*)0) \|\| !sk_OPENSSL_STRING_push(vfyopts, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(vfyopts), ossl_check_OPENSSL_STRING_type (opt_arg())))
416	goto end;
417	break;
418	case OPT_NOTEXT:
419	notext = 1;
420	break;
421	case OPT_BATCH:
422	batch = 1;
423	break;
424	case OPT_PRESERVEDN:
425	preserve = 1;
426	break;
427	case OPT_NOEMAILDN:
428	email_dn = 0;
429	break;
430	case OPT_GENCRL:
431	gencrl = 1;
432	break;
433	case OPT_MSIE_HACK:
434	msie_hack = 1;
435	break;
436	case OPT_CRL_LASTUPDATE:
437	crl_lastupdate = opt_arg();
438	break;
439	case OPT_CRL_NEXTUPDATE:
440	crl_nextupdate = opt_arg();
441	break;
442	case OPT_CRLDAYS:
443	crldays = atol(opt_arg());
444	break;
445	case OPT_CRLHOURS:
446	crlhours = atol(opt_arg());
447	break;
448	case OPT_CRLSEC:
449	crlsec = atol(opt_arg());
450	break;
451	case OPT_INFILES:
452	req = 1;
453	goto end_of_options;
454	case OPT_SS_CERT:
455	ss_cert_file = opt_arg();
456	req = 1;
457	break;
458	case OPT_SPKAC:
459	spkac_file = opt_arg();
460	req = 1;
461	break;
462	case OPT_REVOKE:
463	infile = opt_arg();
464	dorevoke = 1;
465	break;
466	case OPT_VALID:
467	infile = opt_arg();
468	dorevoke = 2;
469	break;
470	case OPT_EXTENSIONS:
471	extensions = opt_arg();
472	break;
473	case OPT_EXTFILE:
474	extfile = opt_arg();
475	break;
476	case OPT_STATUS:
477	ser_status = opt_arg();
478	break;
479	case OPT_UPDATEDB:
480	doupdatedb = 1;
481	break;
482	case OPT_CRLEXTS:
483	crl_ext = opt_arg();
484	break;
485	case OPT_CRL_REASON: /* := REV_CRL_REASON */
486	case OPT_CRL_HOLD:
487	case OPT_CRL_COMPROMISE:
488	case OPT_CRL_CA_COMPROMISE:
489	rev_arg = opt_arg();
490	rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON;
491	break;
492	case OPT_ENGINE:
493	e = setup_engine(opt_arg(), 0)setup_engine_methods(opt_arg(), (unsigned int)-1, 0);
494	break;
495	}
496	}
497
498	end_of_options:
499	/* Remaining args are files to certify. */
500	argc = opt_num_rest();
501	argv = opt_rest();
502
503	if ((conf = app_load_config_verbose(configfile, 1)) == NULL((void*)0))
504	goto end;
505	if (configfile != default_config_file && !app_load_modules(conf))
506	goto end;
507
508	/* Lets get the config section we are using */
509	if (section == NULL((void*)0)
510	&& (section = lookup_conf(conf, BASE_SECTION"ca", ENV_DEFAULT_CA"default_ca")) == NULL((void*)0))
511	goto end;
512
513	p = NCONF_get_string(conf, NULL((void*)0), "oid_file");
514	if (p == NULL((void*)0))
515	ERR_clear_error();
516	if (p != NULL((void*)0)) {
517	BIO *oid_bio = BIO_new_file(p, "r");
518
519	if (oid_bio == NULL((void*)0)) {
520	ERR_clear_error();
521	} else {
522	OBJ_create_objects(oid_bio);
523	BIO_free(oid_bio);
524	}
525	}
526	if (!add_oid_section(conf))
527	goto end;
528
529	app_RAND_load_conf(conf, BASE_SECTION"ca");
530	if (!app_RAND_load())
531	goto end;
532
533	f = NCONF_get_string(conf, section, STRING_MASK"string_mask");
534	if (f == NULL((void*)0))
535	ERR_clear_error();
536
537	if (f != NULL((void*)0) && !ASN1_STRING_set_default_mask_asc(f)) {
538	BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
539	goto end;
540	}
541
542	if (chtype != MBSTRING_UTF8(0x1000)) {
543	f = NCONF_get_string(conf, section, UTF8_IN"utf8");
544	if (f == NULL((void*)0))
545	ERR_clear_error();
546	else if (strcmp(f, "yes") == 0)
547	chtype = MBSTRING_UTF8(0x1000);
548	}
549
550	db_attr.unique_subject = 1;
551	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT"unique_subject");
552	if (p != NULL((void*)0))
553	db_attr.unique_subject = parse_yesno(p, 1);
554	else
555	ERR_clear_error();
556
557	/*****************************************************************/
558	/* report status of cert with serial number given on command line */
559	if (ser_status) {
560	dbfile = lookup_conf(conf, section, ENV_DATABASE"database");
561	if (dbfile == NULL((void*)0))
562	goto end;
563
564	db = load_index(dbfile, &db_attr);
565	if (db == NULL((void*)0)) {
566	BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
567	goto end;
568	}
569
570	if (index_index(db) <= 0)
571	goto end;
572
573	if (get_certificate_status(ser_status, db) != 1)
574	BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status);
575	goto end;
576	}
577
578	/*****************************************************************/
579	/* we definitely need a private key, so let's get it */
580
581	if (keyfile == NULL((void*)0)
582	&& (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY"private_key")) == NULL((void*)0))
583	goto end;
584
585	if (passin == NULL((void*)0)) {
586	free_passin = 1;
587	if (!app_passwd(passinarg, NULL((void)0), &passin, NULL((void)0))) {
588	BIO_printf(bio_err, "Error getting password\n");
589	goto end;
590	}
591	}
592	pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
593	cleanse(passin);
594	if (pkey == NULL((void*)0))
595	/* load_key() has already printed an appropriate message */
596	goto end;
597
598	/*****************************************************************/
599	/* we need a certificate */
600	if (!selfsign \|\| spkac_file \|\| ss_cert_file \|\| gencrl) {
601	if (certfile == NULL((void*)0)
602	&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE"certificate")) == NULL((void*)0))
603	goto end;
604
605	x509 = load_cert_pass(certfile, certformat, 1, passin, "CA certificate");
606	if (x509 == NULL((void*)0))
607	goto end;
608
609	if (!X509_check_private_key(x509, pkey)) {
610	BIO_printf(bio_err,
611	"CA certificate and CA private key do not match\n");
612	goto end;
613	}
614	}
615	if (!selfsign)
616	x509p = x509;
617
618	f = NCONF_get_string(conf, BASE_SECTION"ca", ENV_PRESERVE"preserve");
619	if (f == NULL((void*)0))
620	ERR_clear_error();
621	if ((f != NULL((void)0)) && ((f == 'y') \|\| (*f == 'Y')))
622	preserve = 1;
623	f = NCONF_get_string(conf, BASE_SECTION"ca", ENV_MSIE_HACK"msie_hack");
624	if (f == NULL((void*)0))
625	ERR_clear_error();
626	if ((f != NULL((void)0)) && ((f == 'y') \|\| (*f == 'Y')))
627	msie_hack = 1;
628
629	f = NCONF_get_string(conf, section, ENV_NAMEOPT"name_opt");
630
631	if (f != NULL((void*)0)) {
632	if (!set_nameopt(f)) {
633	BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
634	goto end;
635	}
636	default_op = 0;
637	}
638
639	f = NCONF_get_string(conf, section, ENV_CERTOPT"cert_opt");
640
641	if (f != NULL((void*)0)) {
642	if (!set_cert_ex(&certopt, f)) {
643	BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f);
644	goto end;
645	}
646	default_op = 0;
647	} else {
648	ERR_clear_error();
649	}
650
651	f = NCONF_get_string(conf, section, ENV_EXTCOPY"copy_extensions");
652
653	if (f != NULL((void*)0)) {
654	if (!set_ext_copy(&ext_copy, f)) {
655	BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f);
656	goto end;
657	}
658	} else {
659	ERR_clear_error();
660	}
661
662	/*****************************************************************/
663	/* lookup where to write new certificates */
664	if ((outdir == NULL((void*)0)) && (req)) {
665
666	outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR"new_certs_dir");
667	if (outdir == NULL((void*)0)) {
668	BIO_printf(bio_err,
669	"there needs to be defined a directory for new certificate to be placed in\n");
670	goto end;
671	}
672	#ifndef OPENSSL_SYS_VMS
673	/*
674	* outdir is a directory spec, but access() for VMS demands a
675	* filename. We could use the DEC C routine to convert the
676	* directory syntax to Unix, and give that to app_isdir,
677	* but for now the fopen will catch the error if it's not a
678	* directory
679	*/
680	if (app_isdir(outdir) <= 0) {
681	BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir);
682	perror(outdir);
683	goto end;
684	}
685	#endif
686	}
687
688	/*****************************************************************/
689	/* we need to load the database file */
690	dbfile = lookup_conf(conf, section, ENV_DATABASE"database");
691	if (dbfile == NULL((void*)0))
692	goto end;
693
694	db = load_index(dbfile, &db_attr);
695	if (db == NULL((void*)0)) {
696	BIO_printf(bio_err, "Problem with index file: %s (could not load/parse file)\n", dbfile);
697	goto end;
698	}
699
700	/* Lets check some fields */
701	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
702	pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
703	if ((pp[DB_type0][0] != DB_TYPE_REV'R') && (pp[DB_rev_date2][0] != '\0')) {
704	BIO_printf(bio_err,
705	"entry %d: not revoked yet, but has a revocation date\n",
706	i + 1);
707	goto end;
708	}
709	if ((pp[DB_type0][0] == DB_TYPE_REV'R') &&
710	!make_revoked(NULL((void*)0), pp[DB_rev_date2])) {
711	BIO_printf(bio_err, " in entry %d\n", i + 1);
712	goto end;
713	}
714	if (!check_time_format((char *)pp[DB_exp_date1])) {
715	BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1);
716	goto end;
717	}
718	p = pp[DB_serial3];
719	j = strlen(p);
720	if (*p == '-') {
721	p++;
722	j--;
723	}
724	if ((j & 1) \|\| (j < 2)) {
725	BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n",
726	i + 1, j);
727	goto end;
728	}
729	for ( ; *p; p++) {
730	if (!isxdigit(_UC(p))((__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & ( unsigned short int) _ISxdigit)) {
731	BIO_printf(bio_err,
732	"entry %d: bad char 0%o '%c' in serial number\n",
733	i + 1, p, p);
734	goto end;
735	}
736	}
737	}
738	if (verbose) {
739	TXT_DB_write(bio_out, db->db);
740	BIO_printf(bio_err, "%d entries loaded from the database\n",
741	sk_OPENSSL_PSTRING_num(db->db->data));
742	BIO_printf(bio_err, "generating index\n");
743	}
744
745	if (index_index(db) <= 0)
746	goto end;
747
748	/*****************************************************************/
749	/* Update the db file for expired certificates */
750	if (doupdatedb) {
751	if (verbose)
752	BIO_printf(bio_err, "Updating %s ...\n", dbfile);
753
754	i = do_updatedb(db);
755	if (i == -1) {
756	BIO_printf(bio_err, "Malloc failure\n");
757	goto end;
758	} else if (i == 0) {
759	if (verbose)
760	BIO_printf(bio_err, "No entries found to mark expired\n");
761	} else {
762	if (!save_index(dbfile, "new", db))
763	goto end;
764
765	if (!rotate_index(dbfile, "new", "old"))
766	goto end;
767
768	if (verbose)
769	BIO_printf(bio_err, "Done. %d entries marked as expired\n", i);
770	}
771	}
772
773	/*****************************************************************/
774	/* Read extensions config file */
775	if (extfile) {
776	if ((extfile_conf = app_load_config(extfile)app_load_config_internal(extfile, 0)) == NULL((void*)0)) {
777	ret = 1;
778	goto end;
779	}
780
781	if (verbose)
782	BIO_printf(bio_err, "Successfully loaded extensions file %s\n",
783	extfile);
784
785	/* We can have sections in the ext file */
786	if (extensions == NULL((void*)0)) {
787	extensions = NCONF_get_string(extfile_conf, "default", "extensions");
788	if (extensions == NULL((void*)0))
789	extensions = "default";
790	}
791	}
792
793	/*****************************************************************/
794	if (req \|\| gencrl) {
795	if (spkac_file != NULL((void)0) && outfile != NULL((void)0)) {
796	output_der = 1;
797	batch = 1;
798	}
799	}
800
801	def_ret = EVP_PKEY_get_default_digest_name(pkey, def_dgst, sizeof(def_dgst));
802	/*
803	* EVP_PKEY_get_default_digest_name() returns 2 if the digest is
804	* mandatory for this algorithm.
805	*/
806	if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
807	/* The signing algorithm requires there to be no digest */
808	dgst = NULL((void*)0);
809	} else if (dgst == NULL((void*)0)
810	&& (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD"default_md")) == NULL((void*)0)) {
811	goto end;
812	} else {
813	if (strcmp(dgst, "default") == 0) {
814	if (def_ret <= 0) {
815	BIO_puts(bio_err, "no default digest\n");
816	goto end;
817	}
818	dgst = def_dgst;
819	}
820	}
821
822	if (req) {
823	if (email_dn == 1) {
824	char tmp_email_dn = NULL((void)0);
825
826	tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN"email_in_dn");
827	if (tmp_email_dn != NULL((void*)0) && strcmp(tmp_email_dn, "no") == 0)
828	email_dn = 0;
829	}
830	if (verbose)
831	BIO_printf(bio_err, "message digest is %s\n", dgst);
832	if (policy == NULL((void*)0)
833	&& (policy = lookup_conf(conf, section, ENV_POLICY"policy")) == NULL((void*)0))
834	goto end;
835
836	if (verbose)
837	BIO_printf(bio_err, "policy is %s\n", policy);
838
839	if (NCONF_get_string(conf, section, ENV_RAND_SERIAL"rand_serial") != NULL((void*)0)) {
840	rand_ser = 1;
841	} else {
842	serialfile = lookup_conf(conf, section, ENV_SERIAL"serial");
843	if (serialfile == NULL((void*)0))
844	goto end;
845	}
846
847	if (extfile_conf != NULL((void*)0)) {
848	/* Check syntax of extfile */
849	X509V3_CTX ctx;
850
851	X509V3_set_ctx_test(&ctx)X509V3_set_ctx(&ctx, ((void)0), ((void)0), ((void)0), ( (void)0), 0x1);
852	X509V3_set_nconf(&ctx, extfile_conf);
853	if (!X509V3_EXT_add_nconf(extfile_conf, &ctx, extensions, NULL((void*)0))) {
854	BIO_printf(bio_err,
855	"Error checking certificate extensions from extfile section %s\n",
856	extensions);
857	ret = 1;
858	goto end;
859	}
860	} else {
861	/*
862	* no '-extfile' option, so we look for extensions in the main
863	* configuration file
864	*/
865	if (extensions == NULL((void*)0)) {
866	extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS"x509_extensions");
867	if (extensions == NULL((void*)0))
868	ERR_clear_error();
869	}
870	if (extensions != NULL((void*)0)) {
871	/* Check syntax of config file section */
872	X509V3_CTX ctx;
873
874	X509V3_set_ctx_test(&ctx)X509V3_set_ctx(&ctx, ((void)0), ((void)0), ((void)0), ( (void)0), 0x1);
875	X509V3_set_nconf(&ctx, conf);
876	if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL((void*)0))) {
877	BIO_printf(bio_err,
878	"Error checking certificate extension config section %s\n",
879	extensions);
880	ret = 1;
881	goto end;
882	}
883	}
884	}
885
886	if (startdate == NULL((void*)0)) {
887	startdate = NCONF_get_string(conf, section, ENV_DEFAULT_STARTDATE"default_startdate");
888	if (startdate == NULL((void*)0))
889	ERR_clear_error();
890	}
891	if (startdate != NULL((void)0) && !ASN1_TIME_set_string_X509(NULL((void)0), startdate)) {
892	BIO_printf(bio_err,
893	"start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
894	goto end;
895	}
896	if (startdate == NULL((void*)0))
897	startdate = "today";
898
899	if (enddate == NULL((void*)0)) {
900	enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE"default_enddate");
901	if (enddate == NULL((void*)0))
902	ERR_clear_error();
903	}
904	if (enddate != NULL((void)0) && !ASN1_TIME_set_string_X509(NULL((void)0), enddate)) {
905	BIO_printf(bio_err,
906	"end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
907	goto end;
908	}
909
910	if (days == 0) {
911	if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)NCONF_get_number_e(conf,section,"default_days",&days))
912	days = 0;
913	}
914	if (enddate == NULL((void*)0) && days == 0) {
915	BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
916	goto end;
917	}
918
919	if (rand_ser) {
920	if ((serial = BN_new()) == NULL((void)0) \|\| !rand_serial(serial, NULL((void)0))) {
921	BIO_printf(bio_err, "error generating serial number\n");
922	goto end;
923	}
924	} else {
925	if ((serial = load_serial(serialfile, create_ser, NULL((void)0))) == NULL((void)0)) {
926	BIO_printf(bio_err, "error while loading serial number\n");
927	goto end;
928	}
929	if (verbose) {
930	if (BN_is_zero(serial)) {
931	BIO_printf(bio_err, "next serial number is 00\n");
932	} else {
933	if ((f = BN_bn2hex(serial)) == NULL((void*)0))
934	goto end;
935	BIO_printf(bio_err, "next serial number is %s\n", f);
936	OPENSSL_free(f)CRYPTO_free(f, "../deps/openssl/openssl/apps/ca.c", 936);
937	}
938	}
939	}
940
941	if ((attribs = NCONF_get_section(conf, policy)) == NULL((void*)0)) {
942	BIO_printf(bio_err, "unable to find 'section' for %s\n", policy);
943	goto end;
944	}
945
946	if ((cert_sk = sk_X509_new_null()((struct stack_st_X509 )OPENSSL_sk_new_null())) == NULL((void)0)) {
947	BIO_printf(bio_err, "Memory allocation failure\n");
948	goto end;
949	}
950	if (spkac_file != NULL((void*)0)) {
951	total++;
952	j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts,
953	attribs, db, serial, subj, chtype, multirdn,
954	email_dn, startdate, enddate, days, extensions,
955	conf, verbose, certopt, get_nameopt(), default_op,
956	ext_copy, dateopt);
957	if (j < 0)
958	goto end;
959	if (j > 0) {
960	total_done++;
961	BIO_printf(bio_err, "\n");
962	if (!BN_add_word(serial, 1))
963	goto end;
964	if (!sk_X509_push(cert_sk, x)OPENSSL_sk_push(ossl_check_X509_sk_type(cert_sk), ossl_check_X509_type (x))) {
965	BIO_printf(bio_err, "Memory allocation failure\n");
966	goto end;
967	}
968	}
969	}
970	if (ss_cert_file != NULL((void*)0)) {
971	total++;
972	j = certify_cert(&x, ss_cert_file, certformat, passin, pkey,
973	x509, dgst, sigopts, vfyopts, attribs,
974	db, serial, subj, chtype, multirdn, email_dn,
975	startdate, enddate, days, batch, extensions,
976	conf, verbose, certopt, get_nameopt(), default_op,
977	ext_copy, dateopt);
978	if (j < 0)
979	goto end;
980	if (j > 0) {
981	total_done++;
982	BIO_printf(bio_err, "\n");
983	if (!BN_add_word(serial, 1))
984	goto end;
985	if (!sk_X509_push(cert_sk, x)OPENSSL_sk_push(ossl_check_X509_sk_type(cert_sk), ossl_check_X509_type (x))) {
986	BIO_printf(bio_err, "Memory allocation failure\n");
987	goto end;
988	}
989	}
990	}
991	if (infile != NULL((void*)0)) {
992	total++;
993	j = certify(&x, infile, informat, pkey, x509p, dgst,
994	sigopts, vfyopts, attribs, db,
995	serial, subj, chtype, multirdn, email_dn, startdate,
996	enddate, days, batch, extensions, conf, verbose,
997	certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
998	if (j < 0)
999	goto end;
1000	if (j > 0) {
1001	total_done++;
1002	BIO_printf(bio_err, "\n");
1003	if (!BN_add_word(serial, 1))
1004	goto end;
1005	if (!sk_X509_push(cert_sk, x)OPENSSL_sk_push(ossl_check_X509_sk_type(cert_sk), ossl_check_X509_type (x))) {
1006	BIO_printf(bio_err, "Memory allocation failure\n");
1007	goto end;
1008	}
1009	}
1010	}
1011	for (i = 0; i < argc; i++) {
1012	total++;
1013	j = certify(&x, argv[i], informat, pkey, x509p, dgst,
1014	sigopts, vfyopts,
1015	attribs, db,
1016	serial, subj, chtype, multirdn, email_dn, startdate,
1017	enddate, days, batch, extensions, conf, verbose,
1018	certopt, get_nameopt(), default_op, ext_copy, selfsign, dateopt);
1019	if (j < 0)
1020	goto end;
1021	if (j > 0) {
1022	total_done++;
1023	BIO_printf(bio_err, "\n");
1024	if (!BN_add_word(serial, 1)) {
1025	X509_free(x);
1026	goto end;
1027	}
1028	if (!sk_X509_push(cert_sk, x)OPENSSL_sk_push(ossl_check_X509_sk_type(cert_sk), ossl_check_X509_type (x))) {
1029	BIO_printf(bio_err, "Memory allocation failure\n");
1030	X509_free(x);
1031	goto end;
1032	}
1033	}
1034	}
1035	/*
1036	* we have a stack of newly certified certificates and a data base
1037	* and serial number that need updating
1038	*/
1039
1040	if (sk_X509_num(cert_sk)OPENSSL_sk_num(ossl_check_const_X509_sk_type(cert_sk)) > 0) {
1041	if (!batch) {
1042	BIO_printf(bio_err,
1043	"\n%d out of %d certificate requests certified, commit? [y/n]",
1044	total_done, total);
1045	(void)BIO_flush(bio_err)(int)BIO_ctrl(bio_err,11,0,((void*)0));
1046	tmp[0] = '\0';
1047	if (fgets(tmp, sizeof(tmp), stdinstdin) == NULL((void*)0)) {
1048	BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
1049	ret = 0;
1050	goto end;
1051	}
1052	if (tmp[0] != 'y' && tmp[0] != 'Y') {
1053	BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
1054	ret = 0;
1055	goto end;
1056	}
1057	}
1058
1059	BIO_printf(bio_err, "Write out database with %d new entries\n",
1060	sk_X509_num(cert_sk)OPENSSL_sk_num(ossl_check_const_X509_sk_type(cert_sk)));
1061
1062	if (serialfile != NULL((void*)0)
1063	&& !save_serial(serialfile, "new", serial, NULL((void*)0)))
1064	goto end;
1065
1066	if (!save_index(dbfile, "new", db))
1067	goto end;
1068	}
1069
1070	outdirlen = OPENSSL_strlcpy(new_cert, outdir, sizeof(new_cert));
	Value stored to 'outdirlen' is never read
1071	#ifndef OPENSSL_SYS_VMS
1072	outdirlen = OPENSSL_strlcat(new_cert, "/", sizeof(new_cert));
1073	#endif
1074
1075	if (verbose)
1076	BIO_printf(bio_err, "writing new certificates\n");
1077
1078	for (i = 0; i < sk_X509_num(cert_sk)OPENSSL_sk_num(ossl_check_const_X509_sk_type(cert_sk)); i++) {
1079	BIO Cout = NULL((void)0);
1080	X509 xi = sk_X509_value(cert_sk, i)((X509 )OPENSSL_sk_value(ossl_check_const_X509_sk_type(cert_sk ), (i)));
1081	const ASN1_INTEGER *serialNumber = X509_get0_serialNumber(xi);
1082	const unsigned char *psn = ASN1_STRING_get0_data(serialNumber);
1083	const int snl = ASN1_STRING_length(serialNumber);
1084	const int filen_len = 2 * (snl > 0 ? snl : 1) + sizeof(".pem");
1085	char *n = new_cert + outdirlen;
1086
1087	if (outdirlen + filen_len > PATH_MAX4096) {
1088	BIO_printf(bio_err, "certificate file name too long\n");
1089	goto end;
1090	}
1091
1092	if (snl > 0) {
1093	static const char HEX_DIGITS[] = "0123456789ABCDEF";
1094
1095	for (j = 0; j < snl; j++, psn++) {
1096	n++ = HEX_DIGITS[psn >> 4];
1097	n++ = HEX_DIGITS[psn & 0x0F];
1098	}
1099	} else {
1100	*(n++) = '0';
1101	*(n++) = '0';
1102	}
1103	*(n++) = '.';
1104	*(n++) = 'p';
1105	*(n++) = 'e';
1106	*(n++) = 'm';
1107	n = '\0'; / closing new_cert */
1108	if (verbose)
1109	BIO_printf(bio_err, "writing %s\n", new_cert);
1110
1111	Sout = bio_open_default(outfile, 'w',
1112	output_der ? FORMAT_ASN14 : FORMAT_TEXT(1 \| 0x8000));
1113	if (Sout == NULL((void*)0))
1114	goto end;
1115
1116	Cout = BIO_new_file(new_cert, "w");
1117	if (Cout == NULL((void*)0)) {
1118	perror(new_cert);
1119	goto end;
1120	}
1121	write_new_certificate(Cout, xi, 0, notext);
1122	write_new_certificate(Sout, xi, output_der, notext);
1123	BIO_free_all(Cout);
1124	BIO_free_all(Sout);
1125	Sout = NULL((void*)0);
1126	}
1127
1128	if (sk_X509_num(cert_sk)OPENSSL_sk_num(ossl_check_const_X509_sk_type(cert_sk))) {
1129	/* Rename the database and the serial file */
1130	if (serialfile != NULL((void*)0)
1131	&& !rotate_serial(serialfile, "new", "old"))
1132	goto end;
1133
1134	if (!rotate_index(dbfile, "new", "old"))
1135	goto end;
1136
1137	BIO_printf(bio_err, "Data Base Updated\n");
1138	}
1139	}
1140
1141	/*****************************************************************/
1142	if (gencrl) {
1143	int crl_v2 = 0;
1144	if (crl_ext == NULL((void*)0)) {
1145	crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT"crl_extensions");
1146	if (crl_ext == NULL((void*)0))
1147	ERR_clear_error();
1148	}
1149	if (crl_ext != NULL((void*)0)) {
1150	/* Check syntax of file */
1151	X509V3_CTX ctx;
1152
1153	X509V3_set_ctx_test(&ctx)X509V3_set_ctx(&ctx, ((void)0), ((void)0), ((void)0), ( (void)0), 0x1);
1154	X509V3_set_nconf(&ctx, conf);
1155	if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL((void*)0))) {
1156	BIO_printf(bio_err,
1157	"Error checking CRL extension section %s\n", crl_ext);
1158	ret = 1;
1159	goto end;
1160	}
1161	}
1162
1163	if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER"crlnumber"))
1164	!= NULL((void*)0))
1165	if ((crlnumber = load_serial(crlnumberfile, 0, NULL((void)0))) == NULL((void)0)) {
1166	BIO_printf(bio_err, "error while loading CRL number\n");
1167	goto end;
1168	}
1169
1170	if (!crldays && !crlhours && !crlsec) {
1171	if (!NCONF_get_number(conf, section,NCONF_get_number_e(conf,section,"default_crl_days",&crldays )
1172	ENV_DEFAULT_CRL_DAYS, &crldays)NCONF_get_number_e(conf,section,"default_crl_days",&crldays ))
1173	crldays = 0;
1174	if (!NCONF_get_number(conf, section,NCONF_get_number_e(conf,section,"default_crl_hours",&crlhours )
1175	ENV_DEFAULT_CRL_HOURS, &crlhours)NCONF_get_number_e(conf,section,"default_crl_hours",&crlhours ))
1176	crlhours = 0;
1177	ERR_clear_error();
1178	}
1179	if ((crl_nextupdate == NULL((void*)0)) &&
1180	(crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
1181	BIO_printf(bio_err,
1182	"cannot lookup how long until the next CRL is issued\n");
1183	goto end;
1184	}
1185
1186	if (verbose)
1187	BIO_printf(bio_err, "making CRL\n");
1188	if ((crl = X509_CRL_new_ex(app_get0_libctx(), app_get0_propq())) == NULL((void*)0))
1189	goto end;
1190	if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
1191	goto end;
1192
1193	if (!set_crl_lastupdate(crl, crl_lastupdate)) {
1194	BIO_puts(bio_err, "error setting CRL lastUpdate\n");
1195	ret = 1;
1196	goto end;
1197	}
1198
1199	if (!set_crl_nextupdate(crl, crl_nextupdate,
1200	crldays, crlhours, crlsec)) {
1201	BIO_puts(bio_err, "error setting CRL nextUpdate\n");
1202	ret = 1;
1203	goto end;
1204	}
1205
1206	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
1207	pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
1208	if (pp[DB_type0][0] == DB_TYPE_REV'R') {
1209	if ((r = X509_REVOKED_new()) == NULL((void*)0))
1210	goto end;
1211	j = make_revoked(r, pp[DB_rev_date2]);
1212	if (!j)
1213	goto end;
1214	if (j == 2)
1215	crl_v2 = 1;
1216	if (!BN_hex2bn(&serial, pp[DB_serial3]))
1217	goto end;
1218	tmpser = BN_to_ASN1_INTEGER(serial, NULL((void*)0));
1219	BN_free(serial);
1220	serial = NULL((void*)0);
1221	if (!tmpser)
1222	goto end;
1223	X509_REVOKED_set_serialNumber(r, tmpser);
1224	ASN1_INTEGER_free(tmpser);
1225	X509_CRL_add0_revoked(crl, r);
1226	}
1227	}
1228
1229	/*
1230	* sort the data so it will be written in serial number order
1231	*/
1232	X509_CRL_sort(crl);
1233
1234	/* we now have a CRL */
1235	if (verbose)
1236	BIO_printf(bio_err, "signing CRL\n");
1237
1238	/* Add any extensions asked for */
1239
1240	if (crl_ext != NULL((void)0) \|\| crlnumberfile != NULL((void)0)) {
1241	X509V3_CTX crlctx;
1242
1243	X509V3_set_ctx(&crlctx, x509, NULL((void)0), NULL((void)0), crl, 0);
1244	X509V3_set_nconf(&crlctx, conf);
1245
1246	if (crl_ext != NULL((void*)0))
1247	if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) {
1248	BIO_printf(bio_err,
1249	"Error adding CRL extensions from section %s\n", crl_ext);
1250	goto end;
1251	}
1252	if (crlnumberfile != NULL((void*)0)) {
1253	tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL((void*)0));
1254	if (!tmpser)
1255	goto end;
1256	X509_CRL_add1_ext_i2d(crl, NID_crl_number88, tmpser, 0, 0);
1257	ASN1_INTEGER_free(tmpser);
1258	crl_v2 = 1;
1259	if (!BN_add_word(crlnumber, 1))
1260	goto end;
1261	}
1262	}
1263	if (crl_ext != NULL((void*)0) \|\| crl_v2) {
1264	if (!X509_CRL_set_version(crl, X509_CRL_VERSION_21))
1265	goto end;
1266	}
1267
1268	/* we have a CRL number that need updating */
1269	if (crlnumberfile != NULL((void*)0)
1270	&& !save_serial(crlnumberfile, "new", crlnumber, NULL((void*)0)))
1271	goto end;
1272
1273	BN_free(crlnumber);
1274	crlnumber = NULL((void*)0);
1275
1276	if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts))
1277	goto end;
1278
1279	Sout = bio_open_default(outfile, 'w',
1280	output_der ? FORMAT_ASN14 : FORMAT_TEXT(1 \| 0x8000));
1281	if (Sout == NULL((void*)0))
1282	goto end;
1283
1284	PEM_write_bio_X509_CRL(Sout, crl);
1285
1286	/* Rename the crlnumber file */
1287	if (crlnumberfile != NULL((void*)0)
1288	&& !rotate_serial(crlnumberfile, "new", "old"))
1289	goto end;
1290
1291	}
1292	/*****************************************************************/
1293	if (dorevoke) {
1294	if (infile == NULL((void*)0)) {
1295	BIO_printf(bio_err, "no input files\n");
1296	goto end;
1297	} else {
1298	X509 *revcert;
1299
1300	revcert = load_cert_pass(infile, informat, 1, passin,
1301	"certificate to be revoked");
1302	if (revcert == NULL((void*)0))
1303	goto end;
1304	if (dorevoke == 2)
1305	rev_type = REV_VALID;
1306	j = do_revoke(revcert, db, rev_type, rev_arg);
1307	if (j <= 0)
1308	goto end;
1309	X509_free(revcert);
1310
1311	if (!save_index(dbfile, "new", db))
1312	goto end;
1313
1314	if (!rotate_index(dbfile, "new", "old"))
1315	goto end;
1316
1317	BIO_printf(bio_err, "Data Base Updated\n");
1318	}
1319	}
1320	ret = 0;
1321
1322	end:
1323	if (ret)
1324	ERR_print_errors(bio_err);
1325	BIO_free_all(Sout);
1326	BIO_free_all(out);
1327	BIO_free_all(in);
1328	sk_X509_pop_free(cert_sk, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(cert_sk),ossl_check_X509_freefunc_type (X509_free));
1329
1330	cleanse(passin);
1331	if (free_passin)
1332	OPENSSL_free(passin)CRYPTO_free(passin, "../deps/openssl/openssl/apps/ca.c", 1332 );
1333	BN_free(serial);
1334	BN_free(crlnumber);
1335	free_index(db);
1336	sk_OPENSSL_STRING_free(sigopts)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(sigopts));
1337	sk_OPENSSL_STRING_free(vfyopts)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(vfyopts));
1338	EVP_PKEY_free(pkey);
1339	X509_free(x509);
1340	X509_CRL_free(crl);
1341	NCONF_free(conf);
1342	NCONF_free(extfile_conf);
1343	release_engine(e);
1344	return ret;
1345	}
1346
1347	static char lookup_conf(const CONF conf, const char section, const char tag)
1348	{
1349	char *entry = NCONF_get_string(conf, section, tag);
1350	if (entry == NULL((void*)0))
1351	BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag);
1352	return entry;
1353	}
1354
1355	static int certify(X509 *xret, const char infile, int informat,
1356	EVP_PKEY pkey, X509 x509,
1357	const char *dgst,
1358	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
1359	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *vfyopts,
1360	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
1361	BIGNUM serial, const char subj, unsigned long chtype,
1362	int multirdn, int email_dn, const char *startdate,
1363	const char *enddate,
1364	long days, int batch, const char ext_sect, CONF lconf,
1365	int verbose, unsigned long certopt, unsigned long nameopt,
1366	int default_op, int ext_copy, int selfsign, unsigned long dateopt)
1367	{
1368	X509_REQ req = NULL((void)0);
1369	EVP_PKEY pktmp = NULL((void)0);
1370	int ok = -1, i;
1371
1372	req = load_csr(infile, informat, "certificate request");
1373	if (req == NULL((void*)0))
1374	goto end;
1375	if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL((void*)0)) {
1376	BIO_printf(bio_err, "Error unpacking public key\n");
1377	goto end;
1378	}
1379	if (verbose)
1380	X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT0);
1381
1382	BIO_printf(bio_err, "Check that the request matches the signature\n");
1383	ok = 0;
1384
1385	if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
1386	BIO_printf(bio_err,
1387	"Certificate request and CA private key do not match\n");
1388	goto end;
1389	}
1390	i = do_X509_REQ_verify(req, pktmp, vfyopts);
1391	if (i < 0) {
1392	BIO_printf(bio_err, "Signature verification problems...\n");
1393	goto end;
1394	}
1395	if (i == 0) {
1396	BIO_printf(bio_err,
1397	"Signature did not match the certificate request\n");
1398	goto end;
1399	}
1400	BIO_printf(bio_err, "Signature ok\n");
1401
1402	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
1403	chtype, multirdn, email_dn, startdate, enddate, days, batch,
1404	verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
1405	ext_copy, selfsign, dateopt);
1406
1407	end:
1408	ERR_print_errors(bio_err);
1409	X509_REQ_free(req);
1410	return ok;
1411	}
1412
1413	static int certify_cert(X509 *xret, const char infile, int certformat,
1414	const char passin, EVP_PKEY pkey, X509 *x509,
1415	const char *dgst,
1416	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
1417	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *vfyopts,
1418	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
1419	BIGNUM serial, const char subj, unsigned long chtype,
1420	int multirdn, int email_dn, const char *startdate,
1421	const char enddate, long days, int batch, const char ext_sect,
1422	CONF *lconf, int verbose, unsigned long certopt,
1423	unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
1424	{
1425	X509 template_cert = NULL((void)0);
1426	X509_REQ rreq = NULL((void)0);
1427	EVP_PKEY pktmp = NULL((void)0);
1428	int ok = -1, i;
1429
1430	if ((template_cert = load_cert_pass(infile, certformat, 1, passin,
1431	"template certificate")) == NULL((void*)0))
1432	goto end;
1433	if (verbose)
1434	X509_print(bio_err, template_cert);
1435
1436	BIO_printf(bio_err, "Check that the request matches the signature\n");
1437
1438	if ((pktmp = X509_get0_pubkey(template_cert)) == NULL((void*)0)) {
1439	BIO_printf(bio_err, "error unpacking public key\n");
1440	goto end;
1441	}
1442	i = do_X509_verify(template_cert, pktmp, vfyopts);
1443	if (i < 0) {
1444	ok = 0;
1445	BIO_printf(bio_err, "Signature verification problems....\n");
1446	goto end;
1447	}
1448	if (i == 0) {
1449	ok = 0;
1450	BIO_printf(bio_err, "Signature did not match the certificate\n");
1451	goto end;
1452	} else {
1453	BIO_printf(bio_err, "Signature ok\n");
1454	}
1455
1456	if ((rreq = X509_to_X509_REQ(template_cert, NULL((void)0), NULL((void)0))) == NULL((void*)0))
1457	goto end;
1458
1459	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
1460	chtype, multirdn, email_dn, startdate, enddate, days, batch,
1461	verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
1462	ext_copy, 0, dateopt);
1463
1464	end:
1465	X509_REQ_free(rreq);
1466	X509_free(template_cert);
1467	return ok;
1468	}
1469
1470	static int do_body(X509 *xret, EVP_PKEY pkey, X509 *x509,
1471	const char dgst, STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING sigopts,
1472	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db, BIGNUM *serial,
1473	const char *subj, unsigned long chtype, int multirdn,
1474	int email_dn, const char startdate, const char enddate, long days,
1475	int batch, int verbose, X509_REQ req, const char ext_sect,
1476	CONF *lconf, unsigned long certopt, unsigned long nameopt,
1477	int default_op, int ext_copy, int selfsign, unsigned long dateopt)
1478	{
1479	const X509_NAME name = NULL((void)0);
1480	X509_NAME CAname = NULL((void)0), subject = NULL((void)0);
1481	const ASN1_TIME *tm;
1482	ASN1_STRING str, str2;
1483	ASN1_OBJECT *obj;
1484	X509 ret = NULL((void)0);
1485	X509_NAME_ENTRY ne, tne;
1486	EVP_PKEY *pktmp;
1487	int ok = -1, i, j, last, nid;
1488	const char *p;
1489	CONF_VALUE *cv;
1490	OPENSSL_STRING row[DB_NUMBER6];
1491	OPENSSL_STRING irow = NULL((void)0);
1492	OPENSSL_STRING rrow = NULL((void)0);
1493	char buf[25];
1494	X509V3_CTX ext_ctx;
1495
1496	for (i = 0; i < DB_NUMBER6; i++)
1497	row[i] = NULL((void*)0);
1498
1499	if (subj) {
1500	X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
1501
1502	if (!n)
1503	goto end;
1504	X509_REQ_set_subject_name(req, n);
1505	X509_NAME_free(n);
1506	}
1507
1508	if (default_op)
1509	BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n");
1510
1511	name = X509_REQ_get_subject_name(req);
1512	for (i = 0; i < X509_NAME_entry_count(name); i++) {
1513	ne = X509_NAME_get_entry(name, i);
1514	str = X509_NAME_ENTRY_get_data(ne);
1515	obj = X509_NAME_ENTRY_get_object(ne);
1516	nid = OBJ_obj2nid(obj);
1517
1518	if (msie_hack) {
1519	/* assume all type should be strings */
1520
1521	if (str->type == V_ASN1_UNIVERSALSTRING28)
1522	ASN1_UNIVERSALSTRING_to_string(str);
1523
1524	if (str->type == V_ASN1_IA5STRING22 && nid != NID_pkcs9_emailAddress48)
1525	str->type = V_ASN1_T61STRING20;
1526
1527	if (nid == NID_pkcs9_emailAddress48
1528	&& str->type == V_ASN1_PRINTABLESTRING19)
1529	str->type = V_ASN1_IA5STRING22;
1530	}
1531
1532	/* If no EMAIL is wanted in the subject */
1533	if (nid == NID_pkcs9_emailAddress48 && !email_dn)
1534	continue;
1535
1536	/* check some things */
1537	if (nid == NID_pkcs9_emailAddress48 && str->type != V_ASN1_IA5STRING22) {
1538	BIO_printf(bio_err,
1539	"\nemailAddress type needs to be of type IA5STRING\n");
1540	goto end;
1541	}
1542	if (str->type != V_ASN1_BMPSTRING30 && str->type != V_ASN1_UTF8STRING12) {
1543	j = ASN1_PRINTABLE_type(str->data, str->length);
1544	if ((j == V_ASN1_T61STRING20 && str->type != V_ASN1_T61STRING20) \|\|
1545	(j == V_ASN1_IA5STRING22 && str->type == V_ASN1_PRINTABLESTRING19))
1546	{
1547	BIO_printf(bio_err,
1548	"\nThe string contains characters that are illegal for the ASN.1 type\n");
1549	goto end;
1550	}
1551	}
1552
1553	if (default_op)
1554	old_entry_print(obj, str);
1555	}
1556
1557	/* Ok, now we check the 'policy' stuff. */
1558	if ((subject = X509_NAME_new()) == NULL((void*)0)) {
1559	BIO_printf(bio_err, "Memory allocation failure\n");
1560	goto end;
1561	}
1562
1563	/* take a copy of the issuer name before we mess with it. */
1564	if (selfsign)
1565	CAname = X509_NAME_dup(name);
1566	else
1567	CAname = X509_NAME_dup(X509_get_subject_name(x509));
1568	if (CAname == NULL((void*)0))
1569	goto end;
1570	str = str2 = NULL((void*)0);
1571
1572	for (i = 0; i < sk_CONF_VALUE_num(policy)OPENSSL_sk_num(ossl_check_const_CONF_VALUE_sk_type(policy)); i++) {
1573	cv = sk_CONF_VALUE_value(policy, i)((CONF_VALUE )OPENSSL_sk_value(ossl_check_const_CONF_VALUE_sk_type (policy), (i))); / get the object id */
1574	if ((j = OBJ_txt2nid(cv->name)) == NID_undef0) {
1575	BIO_printf(bio_err,
1576	"%s:unknown object type in 'policy' configuration\n",
1577	cv->name);
1578	goto end;
1579	}
1580	obj = OBJ_nid2obj(j);
1581
1582	last = -1;
1583	for (;;) {
1584	X509_NAME_ENTRY push = NULL((void)0);
1585
1586	/* lookup the object in the supplied name list */
1587	j = X509_NAME_get_index_by_OBJ(name, obj, last);
1588	if (j < 0) {
1589	if (last != -1)
1590	break;
1591	tne = NULL((void*)0);
1592	} else {
1593	tne = X509_NAME_get_entry(name, j);
1594	}
1595	last = j;
1596
1597	/* depending on the 'policy', decide what to do. */
1598	if (strcmp(cv->value, "optional") == 0) {
1599	if (tne != NULL((void*)0))
1600	push = tne;
1601	} else if (strcmp(cv->value, "supplied") == 0) {
1602	if (tne == NULL((void*)0)) {
1603	BIO_printf(bio_err,
1604	"The %s field needed to be supplied and was missing\n",
1605	cv->name);
1606	goto end;
1607	} else {
1608	push = tne;
1609	}
1610	} else if (strcmp(cv->value, "match") == 0) {
1611	int last2;
1612
1613	if (tne == NULL((void*)0)) {
1614	BIO_printf(bio_err,
1615	"The mandatory %s field was missing\n",
1616	cv->name);
1617	goto end;
1618	}
1619
1620	last2 = -1;
1621
1622	again2:
1623	j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
1624	if ((j < 0) && (last2 == -1)) {
1625	BIO_printf(bio_err,
1626	"The %s field does not exist in the CA certificate,\n"
1627	"the 'policy' is misconfigured\n", cv->name);
1628	goto end;
1629	}
1630	if (j >= 0) {
1631	push = X509_NAME_get_entry(CAname, j);
1632	str = X509_NAME_ENTRY_get_data(tne);
1633	str2 = X509_NAME_ENTRY_get_data(push);
1634	last2 = j;
1635	if (ASN1_STRING_cmp(str, str2) != 0)
1636	goto again2;
1637	}
1638	if (j < 0) {
1639	BIO_printf(bio_err,
1640	"The %s field is different between\n"
1641	"CA certificate (%s) and the request (%s)\n",
1642	cv->name,
1643	((str2 == NULL((void)0)) ? "NULL" : (char )str2->data),
1644	((str == NULL((void)0)) ? "NULL" : (char )str->data));
1645	goto end;
1646	}
1647	} else {
1648	BIO_printf(bio_err,
1649	"%s:invalid type in 'policy' configuration\n",
1650	cv->value);
1651	goto end;
1652	}
1653
1654	if (push != NULL((void*)0)) {
1655	if (!X509_NAME_add_entry(subject, push, -1, 0)) {
1656	BIO_printf(bio_err, "Memory allocation failure\n");
1657	goto end;
1658	}
1659	}
1660	if (j < 0)
1661	break;
1662	}
1663	}
1664
1665	if (preserve) {
1666	X509_NAME_free(subject);
1667	/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
1668	subject = X509_NAME_dup(name);
1669	if (subject == NULL((void*)0))
1670	goto end;
1671	}
1672
1673	/* We are now totally happy, lets make and sign the certificate */
1674	if (verbose)
1675	BIO_printf(bio_err,
1676	"Everything appears to be ok, creating and signing the certificate\n");
1677
1678	if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL((void*)0))
1679	goto end;
1680
1681	if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL((void*)0))
1682	goto end;
1683	if (selfsign) {
1684	if (!X509_set_issuer_name(ret, subject))
1685	goto end;
1686	} else {
1687	if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
1688	goto end;
1689	}
1690
1691	if (!set_cert_times(ret, startdate, enddate, days))
1692	goto end;
1693
1694	if (enddate != NULL((void*)0)) {
1695	int tdays;
1696
1697	if (!ASN1_TIME_diff(&tdays, NULL((void)0), NULL((void)0), X509_get0_notAfter(ret)))
1698	goto end;
1699	days = tdays;
1700	}
1701
1702	if (!X509_set_subject_name(ret, subject))
1703	goto end;
1704
1705	pktmp = X509_REQ_get0_pubkey(req);
1706	i = X509_set_pubkey(ret, pktmp);
1707	if (!i)
1708	goto end;
1709
1710	/* Initialize the context structure */
1711	X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
1712	ret, req, NULL((void*)0), X509V3_CTX_REPLACE0x2);
1713
1714	/* Lets add the extensions, if there are any */
1715	if (ext_sect) {
1716	if (extfile_conf != NULL((void*)0)) {
1717	if (verbose)
1718	BIO_printf(bio_err, "Extra configuration file found\n");
1719
1720	/* Use the extfile_conf configuration db LHASH */
1721	X509V3_set_nconf(&ext_ctx, extfile_conf);
1722
1723	/* Adds exts contained in the configuration file */
1724	if (!X509V3_EXT_add_nconf(extfile_conf, &ext_ctx, ext_sect, ret)) {
1725	BIO_printf(bio_err,
1726	"Error adding certificate extensions from extfile section %s\n",
1727	ext_sect);
1728	goto end;
1729	}
1730	if (verbose)
1731	BIO_printf(bio_err,
1732	"Successfully added extensions from file.\n");
1733	} else if (ext_sect) {
1734	/* We found extensions to be set from config file */
1735	X509V3_set_nconf(&ext_ctx, lconf);
1736
1737	if (!X509V3_EXT_add_nconf(lconf, &ext_ctx, ext_sect, ret)) {
1738	BIO_printf(bio_err,
1739	"Error adding certificate extensions from config section %s\n",
1740	ext_sect);
1741	goto end;
1742	}
1743
1744	if (verbose)
1745	BIO_printf(bio_err,
1746	"Successfully added extensions from config\n");
1747	}
1748	}
1749
1750	/* Copy extensions from request (if any) */
1751
1752	if (!copy_extensions(ret, req, ext_copy)) {
1753	BIO_printf(bio_err, "ERROR: adding extensions from request\n");
1754	goto end;
1755	}
1756
1757	if (verbose)
1758	BIO_printf(bio_err,
1759	"The subject name appears to be ok, checking data base for clashes\n");
1760
1761	/* Build the correct Subject if no e-mail is wanted in the subject. */
1762	if (!email_dn) {
1763	X509_NAME_ENTRY *tmpne;
1764	X509_NAME *dn_subject;
1765
1766	/*
1767	* Its best to dup the subject DN and then delete any email addresses
1768	* because this retains its structure.
1769	*/
1770	if ((dn_subject = X509_NAME_dup(subject)) == NULL((void*)0)) {
1771	BIO_printf(bio_err, "Memory allocation failure\n");
1772	goto end;
1773	}
1774	i = -1;
1775	while ((i = X509_NAME_get_index_by_NID(dn_subject,
1776	NID_pkcs9_emailAddress48,
1777	i)) >= 0) {
1778	tmpne = X509_NAME_delete_entry(dn_subject, i--);
1779	X509_NAME_ENTRY_free(tmpne);
1780	}
1781
1782	if (!X509_set_subject_name(ret, dn_subject)) {
1783	X509_NAME_free(dn_subject);
1784	goto end;
1785	}
1786	X509_NAME_free(dn_subject);
1787	}
1788
1789	row[DB_name5] = X509_NAME_oneline(X509_get_subject_name(ret), NULL((void*)0), 0);
1790	if (row[DB_name5] == NULL((void*)0)) {
1791	BIO_printf(bio_err, "Memory allocation failure\n");
1792	goto end;
1793	}
1794
1795	if (BN_is_zero(serial))
1796	row[DB_serial3] = OPENSSL_strdup("00")CRYPTO_strdup("00", "../deps/openssl/openssl/apps/ca.c", 1796 );
1797	else
1798	row[DB_serial3] = BN_bn2hex(serial);
1799	if (row[DB_serial3] == NULL((void*)0)) {
1800	BIO_printf(bio_err, "Memory allocation failure\n");
1801	goto end;
1802	}
1803
1804	if (row[DB_name5][0] == '\0') {
1805	/*
1806	* An empty subject! We'll use the serial number instead. If
1807	* unique_subject is in use then we don't want different entries with
1808	* empty subjects matching each other.
1809	*/
1810	OPENSSL_free(row[DB_name])CRYPTO_free(row[5], "../deps/openssl/openssl/apps/ca.c", 1810 );
1811	row[DB_name5] = OPENSSL_strdup(row[DB_serial])CRYPTO_strdup(row[3], "../deps/openssl/openssl/apps/ca.c", 1811 );
1812	if (row[DB_name5] == NULL((void*)0)) {
1813	BIO_printf(bio_err, "Memory allocation failure\n");
1814	goto end;
1815	}
1816	}
1817
1818	if (db->attributes.unique_subject) {
1819	OPENSSL_STRING *crow = row;
1820
1821	rrow = TXT_DB_get_by_index(db->db, DB_name5, crow);
1822	if (rrow != NULL((void*)0)) {
1823	BIO_printf(bio_err,
1824	"ERROR:There is already a certificate for %s\n",
1825	row[DB_name5]);
1826	}
1827	}
1828	if (rrow == NULL((void*)0)) {
1829	rrow = TXT_DB_get_by_index(db->db, DB_serial3, row);
1830	if (rrow != NULL((void*)0)) {
1831	BIO_printf(bio_err,
1832	"ERROR:Serial number %s has already been issued,\n",
1833	row[DB_serial3]);
1834	BIO_printf(bio_err,
1835	" check the database/serial_file for corruption\n");
1836	}
1837	}
1838
1839	if (rrow != NULL((void*)0)) {
1840	BIO_printf(bio_err, "The matching entry has the following details\n");
1841	if (rrow[DB_type0][0] == DB_TYPE_EXP'E')
1842	p = "Expired";
1843	else if (rrow[DB_type0][0] == DB_TYPE_REV'R')
1844	p = "Revoked";
1845	else if (rrow[DB_type0][0] == DB_TYPE_VAL'V')
1846	p = "Valid";
1847	else
1848	p = "\ninvalid type, Data base error\n";
1849	BIO_printf(bio_err, "Type :%s\n", p);;
1850	if (rrow[DB_type0][0] == DB_TYPE_REV'R') {
1851	p = rrow[DB_exp_date1];
1852	if (p == NULL((void*)0))
1853	p = "undef";
1854	BIO_printf(bio_err, "Was revoked on:%s\n", p);
1855	}
1856	p = rrow[DB_exp_date1];
1857	if (p == NULL((void*)0))
1858	p = "undef";
1859	BIO_printf(bio_err, "Expires on :%s\n", p);
1860	p = rrow[DB_serial3];
1861	if (p == NULL((void*)0))
1862	p = "undef";
1863	BIO_printf(bio_err, "Serial Number :%s\n", p);
1864	p = rrow[DB_file4];
1865	if (p == NULL((void*)0))
1866	p = "undef";
1867	BIO_printf(bio_err, "File name :%s\n", p);
1868	p = rrow[DB_name5];
1869	if (p == NULL((void*)0))
1870	p = "undef";
1871	BIO_printf(bio_err, "Subject Name :%s\n", p);
1872	ok = -1; /* This is now a 'bad' error. */
1873	goto end;
1874	}
1875
1876	if (!default_op) {
1877	BIO_printf(bio_err, "Certificate Details:\n");
1878	/*
1879	* Never print signature details because signature not present
1880	*/
1881	certopt \|= X509_FLAG_NO_SIGDUMP(1L << 9) \| X509_FLAG_NO_SIGNAME(1L << 3);
1882	X509_print_ex(bio_err, ret, nameopt, certopt);
1883	}
1884
1885	BIO_printf(bio_err, "Certificate is to be certified until ");
1886	ASN1_TIME_print_ex(bio_err, X509_get0_notAfter(ret), dateopt);
1887	if (days)
1888	BIO_printf(bio_err, " (%ld days)", days);
1889	BIO_printf(bio_err, "\n");
1890
1891	if (!batch) {
1892
1893	BIO_printf(bio_err, "Sign the certificate? [y/n]:");
1894	(void)BIO_flush(bio_err)(int)BIO_ctrl(bio_err,11,0,((void*)0));
1895	buf[0] = '\0';
1896	if (fgets(buf, sizeof(buf), stdinstdin) == NULL((void*)0)) {
1897	BIO_printf(bio_err,
1898	"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
1899	ok = 0;
1900	goto end;
1901	}
1902	if (!(buf[0] == 'y' \|\| buf[0] == 'Y')) {
1903	BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n");
1904	ok = 0;
1905	goto end;
1906	}
1907	}
1908
1909	pktmp = X509_get0_pubkey(ret);
1910	if (EVP_PKEY_missing_parameters(pktmp) &&
1911	!EVP_PKEY_missing_parameters(pkey))
1912	EVP_PKEY_copy_parameters(pktmp, pkey);
1913
1914	if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx))
1915	goto end;
1916
1917	/* We now just add it to the database as DB_TYPE_VAL('V') */
1918	row[DB_type0] = OPENSSL_strdup("V")CRYPTO_strdup("V", "../deps/openssl/openssl/apps/ca.c", 1918);
1919	tm = X509_get0_notAfter(ret);
1920	row[DB_exp_date1] = app_malloc(tm->length + 1, "row expdate");
1921	memcpy(row[DB_exp_date1], tm->data, tm->length);
1922	row[DB_exp_date1][tm->length] = '\0';
1923	row[DB_rev_date2] = NULL((void*)0);
1924	row[DB_file4] = OPENSSL_strdup("unknown")CRYPTO_strdup("unknown", "../deps/openssl/openssl/apps/ca.c", 1924);
1925	if ((row[DB_type0] == NULL((void)0)) \|\| (row[DB_file4] == NULL((void)0))
1926	\|\| (row[DB_name5] == NULL((void*)0))) {
1927	BIO_printf(bio_err, "Memory allocation failure\n");
1928	goto end;
1929	}
1930
1931	irow = app_malloc(sizeof(irow) (DB_NUMBER6 + 1), "row space");
1932	for (i = 0; i < DB_NUMBER6; i++)
1933	irow[i] = row[i];
1934	irow[DB_NUMBER6] = NULL((void*)0);
1935
1936	if (!TXT_DB_insert(db->db, irow)) {
1937	BIO_printf(bio_err, "failed to update database\n");
1938	BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
1939	goto end;
1940	}
1941	irow = NULL((void*)0);
1942	ok = 1;
1943	end:
1944	if (ok != 1) {
1945	for (i = 0; i < DB_NUMBER6; i++)
1946	OPENSSL_free(row[i])CRYPTO_free(row[i], "../deps/openssl/openssl/apps/ca.c", 1946 );
1947	}
1948	OPENSSL_free(irow)CRYPTO_free(irow, "../deps/openssl/openssl/apps/ca.c", 1948);
1949
1950	X509_NAME_free(CAname);
1951	X509_NAME_free(subject);
1952	if (ok <= 0)
1953	X509_free(ret);
1954	else
1955	*xret = ret;
1956	return ok;
1957	}
1958
1959	static void write_new_certificate(BIO bp, X509 x, int output_der, int notext)
1960	{
1961
1962	if (output_der) {
1963	(void)i2d_X509_bio(bp, x);
1964	return;
1965	}
1966	if (!notext)
1967	X509_print(bp, x);
1968	PEM_write_bio_X509(bp, x);
1969	}
1970
1971	static int certify_spkac(X509 *xret, const char infile, EVP_PKEY *pkey,
1972	X509 x509, const char dgst,
1973	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *sigopts,
1974	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE policy, CA_DB db,
1975	BIGNUM serial, const char subj, unsigned long chtype,
1976	int multirdn, int email_dn, const char *startdate,
1977	const char enddate, long days, const char ext_sect,
1978	CONF *lconf, int verbose, unsigned long certopt,
1979	unsigned long nameopt, int default_op, int ext_copy, unsigned long dateopt)
1980	{
1981	STACK_OF(CONF_VALUE)struct stack_st_CONF_VALUE sk = NULL((void)0);
1982	LHASH_OF(CONF_VALUE)struct lhash_st_CONF_VALUE parms = NULL((void)0);
1983	X509_REQ req = NULL((void)0);
1984	CONF_VALUE cv = NULL((void)0);
1985	NETSCAPE_SPKI spki = NULL((void)0);
1986	char type, buf;
1987	EVP_PKEY pktmp = NULL((void)0);
1988	X509_NAME n = NULL((void)0);
1989	X509_NAME_ENTRY ne = NULL((void)0);
1990	int ok = -1, i, j;
1991	long errline;
1992	int nid;
1993
1994	/*
1995	* Load input file into a hash table. (This is just an easy
1996	* way to read and parse the file, then put it into a convenient
1997	* STACK format).
1998	*/
1999	parms = CONF_load(NULL((void*)0), infile, &errline);
2000	if (parms == NULL((void*)0)) {
2001	BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile);
2002	goto end;
2003	}
2004
2005	sk = CONF_get_section(parms, "default");
2006	if (sk_CONF_VALUE_num(sk)OPENSSL_sk_num(ossl_check_const_CONF_VALUE_sk_type(sk)) == 0) {
2007	BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
2008	goto end;
2009	}
2010
2011	/*
2012	* Now create a dummy X509 request structure. We don't actually
2013	* have an X509 request, but we have many of the components
2014	* (a public key, various DN components). The idea is that we
2015	* put these components into the right X509 request structure
2016	* and we can use the same code as if you had a real X509 request.
2017	*/
2018	req = X509_REQ_new();
2019	if (req == NULL((void*)0))
2020	goto end;
2021
2022	/*
2023	* Build up the subject name set.
2024	*/
2025	n = X509_REQ_get_subject_name(req);
2026
2027	for (i = 0;; i++) {
2028	if (sk_CONF_VALUE_num(sk)OPENSSL_sk_num(ossl_check_const_CONF_VALUE_sk_type(sk)) <= i)
2029	break;
2030
2031	cv = sk_CONF_VALUE_value(sk, i)((CONF_VALUE *)OPENSSL_sk_value(ossl_check_const_CONF_VALUE_sk_type (sk), (i)));
2032	type = cv->name;
2033	/*
2034	* Skip past any leading X. X: X, etc to allow for multiple instances
2035	*/
2036	for (buf = cv->name; *buf; buf++)
2037	if ((buf == ':') \|\| (buf == ',') \|\| (*buf == '.')) {
2038	buf++;
2039	if (*buf)
2040	type = buf;
2041	break;
2042	}
2043
2044	buf = cv->value;
2045	if ((nid = OBJ_txt2nid(type)) == NID_undef0) {
2046	if (strcmp(type, "SPKAC") == 0) {
2047	spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
2048	if (spki == NULL((void*)0)) {
2049	BIO_printf(bio_err,
2050	"unable to load Netscape SPKAC structure\n");
2051	goto end;
2052	}
2053	}
2054	continue;
2055	}
2056
2057	if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
2058	(unsigned char *)buf, -1, -1, 0))
2059	goto end;
2060	}
2061	if (spki == NULL((void*)0)) {
2062	BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n",
2063	infile);
2064	goto end;
2065	}
2066
2067	/*
2068	* Now extract the key from the SPKI structure.
2069	*/
2070
2071	BIO_printf(bio_err, "Check that the SPKAC request matches the signature\n");
2072
2073	if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL((void*)0)) {
2074	BIO_printf(bio_err, "error unpacking SPKAC public key\n");
2075	goto end;
2076	}
2077
2078	j = NETSCAPE_SPKI_verify(spki, pktmp);
2079	if (j <= 0) {
2080	EVP_PKEY_free(pktmp);
2081	BIO_printf(bio_err,
2082	"signature verification failed on SPKAC public key\n");
2083	goto end;
2084	}
2085	BIO_printf(bio_err, "Signature ok\n");
2086
2087	X509_REQ_set_pubkey(req, pktmp);
2088	EVP_PKEY_free(pktmp);
2089	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
2090	chtype, multirdn, email_dn, startdate, enddate, days, 1,
2091	verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
2092	ext_copy, 0, dateopt);
2093	end:
2094	X509_REQ_free(req);
2095	CONF_free(parms);
2096	NETSCAPE_SPKI_free(spki);
2097	X509_NAME_ENTRY_free(ne);
2098
2099	return ok;
2100	}
2101
2102	static int check_time_format(const char *str)
2103	{
2104	return ASN1_TIME_set_string(NULL((void*)0), str);
2105	}
2106
2107	static int do_revoke(X509 x509, CA_DB db, REVINFO_TYPE rev_type,
2108	const char *value)
2109	{
2110	const ASN1_TIME tm = NULL((void)0);
2111	char row[DB_NUMBER6], rrow, *irow;
2112	char rev_str = NULL((void)0);
2113	BIGNUM bn = NULL((void)0);
2114	int ok = -1, i;
2115
2116	for (i = 0; i < DB_NUMBER6; i++)
2117	row[i] = NULL((void*)0);
2118	row[DB_name5] = X509_NAME_oneline(X509_get_subject_name(x509), NULL((void*)0), 0);
2119	bn = ASN1_INTEGER_to_BN(X509_get0_serialNumber(x509), NULL((void*)0));
2120	if (!bn)
2121	goto end;
2122	if (BN_is_zero(bn))
2123	row[DB_serial3] = OPENSSL_strdup("00")CRYPTO_strdup("00", "../deps/openssl/openssl/apps/ca.c", 2123 );
2124	else
2125	row[DB_serial3] = BN_bn2hex(bn);
2126	BN_free(bn);
2127	if (row[DB_name5] != NULL((void*)0) && row[DB_name5][0] == '\0') {
2128	/* Entries with empty Subjects actually use the serial number instead */
2129	OPENSSL_free(row[DB_name])CRYPTO_free(row[5], "../deps/openssl/openssl/apps/ca.c", 2129 );
2130	row[DB_name5] = OPENSSL_strdup(row[DB_serial])CRYPTO_strdup(row[3], "../deps/openssl/openssl/apps/ca.c", 2130 );
2131	}
2132	if ((row[DB_name5] == NULL((void)0)) \|\| (row[DB_serial3] == NULL((void)0))) {
2133	BIO_printf(bio_err, "Memory allocation failure\n");
2134	goto end;
2135	}
2136	/*
2137	* We have to lookup by serial number because name lookup skips revoked
2138	* certs
2139	*/
2140	rrow = TXT_DB_get_by_index(db->db, DB_serial3, row);
2141	if (rrow == NULL((void*)0)) {
2142	BIO_printf(bio_err,
2143	"Adding Entry with serial number %s to DB for %s\n",
2144	row[DB_serial3], row[DB_name5]);
2145
2146	/* We now just add it to the database as DB_TYPE_REV('V') */
2147	row[DB_type0] = OPENSSL_strdup("V")CRYPTO_strdup("V", "../deps/openssl/openssl/apps/ca.c", 2147);
2148	tm = X509_get0_notAfter(x509);
2149	row[DB_exp_date1] = app_malloc(tm->length + 1, "row exp_data");
2150	memcpy(row[DB_exp_date1], tm->data, tm->length);
2151	row[DB_exp_date1][tm->length] = '\0';
2152	row[DB_rev_date2] = NULL((void*)0);
2153	row[DB_file4] = OPENSSL_strdup("unknown")CRYPTO_strdup("unknown", "../deps/openssl/openssl/apps/ca.c", 2153);
2154
2155	if (row[DB_type0] == NULL((void)0) \|\| row[DB_file4] == NULL((void)0)) {
2156	BIO_printf(bio_err, "Memory allocation failure\n");
2157	goto end;
2158	}
2159
2160	irow = app_malloc(sizeof(irow) (DB_NUMBER6 + 1), "row ptr");
2161	for (i = 0; i < DB_NUMBER6; i++)
2162	irow[i] = row[i];
2163	irow[DB_NUMBER6] = NULL((void*)0);
2164
2165	if (!TXT_DB_insert(db->db, irow)) {
2166	BIO_printf(bio_err, "failed to update database\n");
2167	BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
2168	OPENSSL_free(irow)CRYPTO_free(irow, "../deps/openssl/openssl/apps/ca.c", 2168);
2169	goto end;
2170	}
2171
2172	for (i = 0; i < DB_NUMBER6; i++)
2173	row[i] = NULL((void*)0);
2174
2175	/* Revoke Certificate */
2176	if (rev_type == REV_VALID)
2177	ok = 1;
2178	else
2179	/* Retry revocation after DB insertion */
2180	ok = do_revoke(x509, db, rev_type, value);
2181
2182	goto end;
2183
2184	} else if (index_name_cmp_noconst(row, rrow)index_name_cmp((const OPENSSL_CSTRING )((void) (1 ? row : ( OPENSSL_STRING)0)), (const OPENSSL_CSTRING )((void) (1 ? rrow : (OPENSSL_STRING)0)))) {
2185	BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name5]);
2186	goto end;
2187	} else if (rev_type == REV_VALID) {
2188	BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
2189	row[DB_serial3]);
2190	goto end;
2191	} else if (rrow[DB_type0][0] == DB_TYPE_REV'R') {
2192	BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
2193	row[DB_serial3]);
2194	goto end;
2195	} else {
2196	BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial3]);
2197	rev_str = make_revocation_str(rev_type, value);
2198	if (!rev_str) {
2199	BIO_printf(bio_err, "Error in revocation arguments\n");
2200	goto end;
2201	}
2202	rrow[DB_type0][0] = DB_TYPE_REV'R';
2203	rrow[DB_type0][1] = '\0';
2204	rrow[DB_rev_date2] = rev_str;
2205	}
2206	ok = 1;
2207	end:
2208	for (i = 0; i < DB_NUMBER6; i++)
2209	OPENSSL_free(row[i])CRYPTO_free(row[i], "../deps/openssl/openssl/apps/ca.c", 2209 );
2210	return ok;
2211	}
2212
2213	static int get_certificate_status(const char serial, CA_DB db)
2214	{
2215	char row[DB_NUMBER6], *rrow;
2216	int ok = -1, i;
2217	size_t serial_len = strlen(serial);
2218
2219	/* Free Resources */
2220	for (i = 0; i < DB_NUMBER6; i++)
2221	row[i] = NULL((void*)0);
2222
2223	/* Malloc needed char spaces */
2224	row[DB_serial3] = app_malloc(serial_len + 2, "row serial#");
2225
2226	if (serial_len % 2) {
2227	/*
2228	* Set the first char to 0
2229	*/
2230	row[DB_serial3][0] = '0';
2231
2232	/* Copy String from serial to row[DB_serial] */
2233	memcpy(row[DB_serial3] + 1, serial, serial_len);
2234	row[DB_serial3][serial_len + 1] = '\0';
2235	} else {
2236	/* Copy String from serial to row[DB_serial] */
2237	memcpy(row[DB_serial3], serial, serial_len);
2238	row[DB_serial3][serial_len] = '\0';
2239	}
2240
2241	/* Make it Upper Case */
2242	make_uppercase(row[DB_serial3]);
2243
2244	ok = 1;
2245
2246	/* Search for the certificate */
2247	rrow = TXT_DB_get_by_index(db->db, DB_serial3, row);
2248	if (rrow == NULL((void*)0)) {
2249	BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial3]);
2250	ok = -1;
2251	goto end;
2252	} else if (rrow[DB_type0][0] == DB_TYPE_VAL'V') {
2253	BIO_printf(bio_err, "%s=Valid (%c)\n",
2254	row[DB_serial3], rrow[DB_type0][0]);
2255	goto end;
2256	} else if (rrow[DB_type0][0] == DB_TYPE_REV'R') {
2257	BIO_printf(bio_err, "%s=Revoked (%c)\n",
2258	row[DB_serial3], rrow[DB_type0][0]);
2259	goto end;
2260	} else if (rrow[DB_type0][0] == DB_TYPE_EXP'E') {
2261	BIO_printf(bio_err, "%s=Expired (%c)\n",
2262	row[DB_serial3], rrow[DB_type0][0]);
2263	goto end;
2264	} else if (rrow[DB_type0][0] == DB_TYPE_SUSP'S') {
2265	BIO_printf(bio_err, "%s=Suspended (%c)\n",
2266	row[DB_serial3], rrow[DB_type0][0]);
2267	goto end;
2268	} else {
2269	BIO_printf(bio_err, "%s=Unknown (%c).\n",
2270	row[DB_serial3], rrow[DB_type0][0]);
2271	ok = -1;
2272	}
2273	end:
2274	for (i = 0; i < DB_NUMBER6; i++) {
2275	OPENSSL_free(row[i])CRYPTO_free(row[i], "../deps/openssl/openssl/apps/ca.c", 2275 );
2276	}
2277	return ok;
2278	}
2279
2280	static int do_updatedb(CA_DB *db)
2281	{
2282	ASN1_TIME a_tm = NULL((void)0);
2283	int i, cnt = 0;
2284	char **rrow;
2285
2286	a_tm = ASN1_TIME_new();
2287	if (a_tm == NULL((void*)0))
2288	return -1;
2289
2290	/* get actual time */
2291	if (X509_gmtime_adj(a_tm, 0) == NULL((void*)0)) {
2292	ASN1_TIME_free(a_tm);
2293	return -1;
2294	}
2295
2296	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
2297	rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
2298
2299	if (rrow[DB_type0][0] == DB_TYPE_VAL'V') {
2300	/* ignore entries that are not valid */
2301	ASN1_TIME exp_date = NULL((void)0);
2302
2303	exp_date = ASN1_TIME_new();
2304	if (exp_date == NULL((void*)0)) {
2305	ASN1_TIME_free(a_tm);
2306	return -1;
2307	}
2308
2309	if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date1])) {
2310	ASN1_TIME_free(a_tm);
2311	ASN1_TIME_free(exp_date);
2312	return -1;
2313	}
2314
2315	if (ASN1_TIME_compare(exp_date, a_tm) <= 0) {
2316	rrow[DB_type0][0] = DB_TYPE_EXP'E';
2317	rrow[DB_type0][1] = '\0';
2318	cnt++;
2319
2320	BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial3]);
2321	}
2322	ASN1_TIME_free(exp_date);
2323	}
2324	}
2325
2326	ASN1_TIME_free(a_tm);
2327	return cnt;
2328	}
2329
2330	static const char *crl_reasons[] = {
2331	/* CRL reason strings */
2332	"unspecified",
2333	"keyCompromise",
2334	"CACompromise",
2335	"affiliationChanged",
2336	"superseded",
2337	"cessationOfOperation",
2338	"certificateHold",
2339	"removeFromCRL",
2340	/* Additional pseudo reasons */
2341	"holdInstruction",
2342	"keyTime",
2343	"CAkeyTime"
2344	};
2345
2346	#define NUM_REASONS(sizeof(crl_reasons)/sizeof((crl_reasons)[0])) OSSL_NELEM(crl_reasons)(sizeof(crl_reasons)/sizeof((crl_reasons)[0]))
2347
2348	/*
2349	* Given revocation information convert to a DB string. The format of the
2350	* string is: revtime[,reason,extra]. Where 'revtime' is the revocation time
2351	* (the current time). 'reason' is the optional CRL reason and 'extra' is any
2352	* additional argument
2353	*/
2354
2355	static char make_revocation_str(REVINFO_TYPE rev_type, const char rev_arg)
2356	{
2357	char *str;
2358	const char reason = NULL((void)0), other = NULL((void)0);
2359	ASN1_OBJECT *otmp;
2360	ASN1_UTCTIME revtm = NULL((void)0);
2361	int i;
2362
2363	switch (rev_type) {
2364	case REV_NONE:
2365	case REV_VALID:
2366	break;
2367
2368	case REV_CRL_REASON:
2369	for (i = 0; i < 8; i++) {
2370	if (OPENSSL_strcasecmp(rev_arg, crl_reasons[i]) == 0) {
2371	reason = crl_reasons[i];
2372	break;
2373	}
2374	}
2375	if (reason == NULL((void*)0)) {
2376	BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
2377	return NULL((void*)0);
2378	}
2379	break;
2380
2381	case REV_HOLD:
2382	/* Argument is an OID */
2383	otmp = OBJ_txt2obj(rev_arg, 0);
2384	ASN1_OBJECT_free(otmp);
2385
2386	if (otmp == NULL((void*)0)) {
2387	BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
2388	return NULL((void*)0);
2389	}
2390
2391	reason = "holdInstruction";
2392	other = rev_arg;
2393	break;
2394
2395	case REV_KEY_COMPROMISE:
2396	case REV_CA_COMPROMISE:
2397	/* Argument is the key compromise time */
2398	if (!ASN1_GENERALIZEDTIME_set_string(NULL((void*)0), rev_arg)) {
2399	BIO_printf(bio_err,
2400	"Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
2401	rev_arg);
2402	return NULL((void*)0);
2403	}
2404	other = rev_arg;
2405	if (rev_type == REV_KEY_COMPROMISE)
2406	reason = "keyTime";
2407	else
2408	reason = "CAkeyTime";
2409
2410	break;
2411	}
2412
2413	revtm = X509_gmtime_adj(NULL((void*)0), 0);
2414
2415	if (!revtm)
2416	return NULL((void*)0);
2417
2418	i = revtm->length + 1;
2419
2420	if (reason)
2421	i += strlen(reason) + 1;
2422	if (other)
2423	i += strlen(other) + 1;
2424
2425	str = app_malloc(i, "revocation reason");
2426	OPENSSL_strlcpy(str, (char *)revtm->data, i);
2427	if (reason) {
2428	OPENSSL_strlcat(str, ",", i);
2429	OPENSSL_strlcat(str, reason, i);
2430	}
2431	if (other) {
2432	OPENSSL_strlcat(str, ",", i);
2433	OPENSSL_strlcat(str, other, i);
2434	}
2435	ASN1_UTCTIME_free(revtm);
2436	return str;
2437	}
2438
2439	/*-
2440	* Convert revocation field to X509_REVOKED entry
2441	* return code:
2442	* 0 error
2443	* 1 OK
2444	* 2 OK and some extensions added (i.e. V2 CRL)
2445	*/
2446
2447	static int make_revoked(X509_REVOKED rev, const char str)
2448	{
2449	char tmp = NULL((void)0);
2450	int reason_code = -1;
2451	int i, ret = 0;
2452	ASN1_OBJECT hold = NULL((void)0);
2453	ASN1_GENERALIZEDTIME comp_time = NULL((void)0);
2454	ASN1_ENUMERATED rtmp = NULL((void)0);
2455
2456	ASN1_TIME revDate = NULL((void)0);
2457
2458	i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
2459
2460	if (i == 0)
2461	goto end;
2462
2463	if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
2464	goto end;
2465
2466	if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS-1)) {
2467	rtmp = ASN1_ENUMERATED_new();
2468	if (rtmp == NULL((void*)0) \|\| !ASN1_ENUMERATED_set(rtmp, reason_code))
2469	goto end;
2470	if (X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason141, rtmp, 0, 0) <= 0)
2471	goto end;
2472	}
2473
2474	if (rev && comp_time) {
2475	if (X509_REVOKED_add1_ext_i2d
2476	(rev, NID_invalidity_date142, comp_time, 0, 0) <= 0)
2477	goto end;
2478	}
2479	if (rev && hold) {
2480	if (X509_REVOKED_add1_ext_i2d
2481	(rev, NID_hold_instruction_code430, hold, 0, 0) <= 0)
2482	goto end;
2483	}
2484
2485	if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS-1)
2486	ret = 2;
2487	else
2488	ret = 1;
2489
2490	end:
2491
2492	OPENSSL_free(tmp)CRYPTO_free(tmp, "../deps/openssl/openssl/apps/ca.c", 2492);
2493	ASN1_OBJECT_free(hold);
2494	ASN1_GENERALIZEDTIME_free(comp_time);
2495	ASN1_ENUMERATED_free(rtmp);
2496	ASN1_TIME_free(revDate);
2497
2498	return ret;
2499	}
2500
2501	static int old_entry_print(const ASN1_OBJECT obj, const ASN1_STRING str)
2502	{
2503	char buf[25], *pbuf;
2504	const char *p;
2505	int j;
2506
2507	j = i2a_ASN1_OBJECT(bio_err, obj);
2508	pbuf = buf;
2509	for (j = 22 - j; j > 0; j--)
2510	*(pbuf++) = ' ';
2511	*(pbuf++) = ':';
2512	*(pbuf++) = '\0';
2513	BIO_puts(bio_err, buf);
2514
2515	if (str->type == V_ASN1_PRINTABLESTRING19)
2516	BIO_printf(bio_err, "PRINTABLE:'");
2517	else if (str->type == V_ASN1_T61STRING20)
2518	BIO_printf(bio_err, "T61STRING:'");
2519	else if (str->type == V_ASN1_IA5STRING22)
2520	BIO_printf(bio_err, "IA5STRING:'");
2521	else if (str->type == V_ASN1_UNIVERSALSTRING28)
2522	BIO_printf(bio_err, "UNIVERSALSTRING:'");
2523	else
2524	BIO_printf(bio_err, "ASN.1 %2d:'", str->type);
2525
2526	p = (const char *)str->data;
2527	for (j = str->length; j > 0; j--) {
2528	if ((p >= ' ') && (p <= '~'))
2529	BIO_printf(bio_err, "%c", *p);
2530	else if (*p & 0x80)
2531	BIO_printf(bio_err, "\\0x%02X", *p);
2532	else if ((unsigned char)*p == 0xf7)
2533	BIO_printf(bio_err, "^?");
2534	else
2535	BIO_printf(bio_err, "^%c", *p + '@');
2536	p++;
2537	}
2538	BIO_printf(bio_err, "'\n");
2539	return 1;
2540	}
2541
2542	int unpack_revinfo(ASN1_TIME *prevtm, int preason, ASN1_OBJECT **phold,
2543	ASN1_GENERALIZEDTIME *pinvtm, const char str)
2544	{
2545	char *tmp;
2546	char rtime_str, reason_str = NULL((void)0), arg_str = NULL((void)0), p;
2547	int reason_code = -1;
2548	int ret = 0;
2549	unsigned int i;
2550	ASN1_OBJECT hold = NULL((void)0);
2551	ASN1_GENERALIZEDTIME comp_time = NULL((void)0);
2552
2553	tmp = OPENSSL_strdup(str)CRYPTO_strdup(str, "../deps/openssl/openssl/apps/ca.c", 2553);
2554	if (!tmp) {
2555	BIO_printf(bio_err, "memory allocation failure\n");
2556	goto end;
2557	}
2558
2559	p = strchr(tmp, ',');
2560
2561	rtime_str = tmp;
2562
2563	if (p) {
2564	*p = '\0';
2565	p++;
2566	reason_str = p;
2567	p = strchr(p, ',');
2568	if (p) {
2569	*p = '\0';
2570	arg_str = p + 1;
2571	}
2572	}
2573
2574	if (prevtm) {
2575	*prevtm = ASN1_UTCTIME_new();
2576	if (prevtm == NULL((void)0)) {
2577	BIO_printf(bio_err, "memory allocation failure\n");
2578	goto end;
2579	}
2580	if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
2581	BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
2582	goto end;
2583	}
2584	}
2585	if (reason_str) {
2586	for (i = 0; i < NUM_REASONS(sizeof(crl_reasons)/sizeof((crl_reasons)[0])); i++) {
2587	if (OPENSSL_strcasecmp(reason_str, crl_reasons[i]) == 0) {
2588	reason_code = i;
2589	break;
2590	}
2591	}
2592	if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS-1) {
2593	BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
2594	goto end;
2595	}
2596
2597	if (reason_code == 7) {
2598	reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL8;
2599	} else if (reason_code == 8) { /* Hold instruction */
2600	if (!arg_str) {
2601	BIO_printf(bio_err, "missing hold instruction\n");
2602	goto end;
2603	}
2604	reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD6;
2605	hold = OBJ_txt2obj(arg_str, 0);
2606
2607	if (!hold) {
2608	BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
2609	goto end;
2610	}
2611	if (phold)
2612	*phold = hold;
2613	else
2614	ASN1_OBJECT_free(hold);
2615	} else if ((reason_code == 9) \|\| (reason_code == 10)) {
2616	if (!arg_str) {
2617	BIO_printf(bio_err, "missing compromised time\n");
2618	goto end;
2619	}
2620	comp_time = ASN1_GENERALIZEDTIME_new();
2621	if (comp_time == NULL((void*)0)) {
2622	BIO_printf(bio_err, "memory allocation failure\n");
2623	goto end;
2624	}
2625	if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) {
2626	BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
2627	goto end;
2628	}
2629	if (reason_code == 9)
2630	reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE1;
2631	else
2632	reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE2;
2633	}
2634	}
2635
2636	if (preason)
2637	*preason = reason_code;
2638	if (pinvtm) {
2639	*pinvtm = comp_time;
2640	comp_time = NULL((void*)0);
2641	}
2642
2643	ret = 1;
2644
2645	end:
2646
2647	OPENSSL_free(tmp)CRYPTO_free(tmp, "../deps/openssl/openssl/apps/ca.c", 2647);
2648	ASN1_GENERALIZEDTIME_free(comp_time);
2649
2650	return ret;
2651	}