int X509_CRL_print(BIO *out, X509_CRL *x) { STACK_OF(X509_REVOKED) *rev; X509_REVOKED *r; long l; int i; char *p; BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); if (l < 0 || l == LONG_MAX) goto err; BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l); i = OBJ_obj2nid(x->sig_alg->algorithm); if (X509_signature_print(out, x->sig_alg, NULL) == 0) goto err; p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0); if (p == NULL) goto err; BIO_printf(out, "%8sIssuer: %s\n", "", p); free(p); BIO_printf(out, "%8sLast Update: ", ""); ASN1_TIME_print(out, X509_CRL_get_lastUpdate(x)); BIO_printf(out, "\n%8sNext Update: ", ""); if (X509_CRL_get_nextUpdate(x)) ASN1_TIME_print(out, X509_CRL_get_nextUpdate(x)); else BIO_printf(out, "NONE"); BIO_printf(out, "\n"); X509V3_extensions_print(out, "CRL extensions", x->crl->extensions, 0, 8); rev = X509_CRL_get_REVOKED(x); if (sk_X509_REVOKED_num(rev) > 0) BIO_printf(out, "Revoked Certificates:\n"); else BIO_printf(out, "No Revoked Certificates.\n"); for (i = 0; i < sk_X509_REVOKED_num(rev); i++) { r = sk_X509_REVOKED_value(rev, i); BIO_printf(out, " Serial Number: "); i2a_ASN1_INTEGER(out, r->serialNumber); BIO_printf(out, "\n Revocation Date: "); ASN1_TIME_print(out, r->revocationDate); BIO_printf(out, "\n"); X509V3_extensions_print(out, "CRL entry extensions", r->extensions, 0, 8); } if (X509_signature_print(out, x->sig_alg, x->signature) == 0) goto err; return 1; err: return 0; }
int verify_callback(int ok, X509_STORE_CTX * ctx) { X509 *err_cert; int err, depth; err_cert = X509_STORE_CTX_get_current_cert(ctx); err = X509_STORE_CTX_get_error(ctx); depth = X509_STORE_CTX_get_error_depth(ctx); BIO_printf(bio_err, "depth=%d ", depth); if (err_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); } else BIO_puts(bio_err, "<no cert>\n"); if (!ok) { BIO_printf(bio_err, "verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err)); if (verify_depth >= depth) { if (!verify_return_error) ok = 1; verify_error = X509_V_OK; } else { ok = 0; verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG; } } switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: BIO_puts(bio_err, "issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err, "notBefore="); ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); BIO_printf(bio_err, "\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err, "notAfter="); ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); BIO_printf(bio_err, "\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: policies_print(bio_err, ctx); break; } if (err == X509_V_OK && ok == 2) policies_print(bio_err, ctx); BIO_printf(bio_err, "verify return:%d\n", ok); return (ok); }
int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag) { STACK_OF(X509_REVOKED) *rev; X509_REVOKED *r; const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *sig; long l; int i; BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); if (l >= 0 && l <= 1) BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", l + 1, (unsigned long)l); else BIO_printf(out, "%8sVersion unknown (%ld)\n", "", l); X509_CRL_get0_signature(x, &sig, &sig_alg); BIO_puts(out, " "); X509_signature_print(out, sig_alg, NULL); BIO_printf(out, "%8sIssuer: ", ""); X509_NAME_print_ex(out, X509_CRL_get_issuer(x), 0, nmflag); BIO_puts(out, "\n"); BIO_printf(out, "%8sLast Update: ", ""); ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)); BIO_printf(out, "\n%8sNext Update: ", ""); if (X509_CRL_get0_nextUpdate(x)) ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x)); else BIO_printf(out, "NONE"); BIO_printf(out, "\n"); X509V3_extensions_print(out, "CRL extensions", X509_CRL_get0_extensions(x), 0, 8); rev = X509_CRL_get_REVOKED(x); if (sk_X509_REVOKED_num(rev) > 0) BIO_printf(out, "Revoked Certificates:\n"); else BIO_printf(out, "No Revoked Certificates.\n"); for (i = 0; i < sk_X509_REVOKED_num(rev); i++) { r = sk_X509_REVOKED_value(rev, i); BIO_printf(out, " Serial Number: "); i2a_ASN1_INTEGER(out, X509_REVOKED_get0_serialNumber(r)); BIO_printf(out, "\n Revocation Date: "); ASN1_TIME_print(out, X509_REVOKED_get0_revocationDate(r)); BIO_printf(out, "\n"); X509V3_extensions_print(out, "CRL entry extensions", X509_REVOKED_get0_extensions(r), 0, 8); } X509_signature_print(out, sig_alg, sig); return 1; }
EXPORT_C int X509_CRL_print(BIO *out, X509_CRL *x) { STACK_OF(X509_REVOKED) *rev; X509_REVOKED *r; long l; int i, n; char *p; BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l); i = OBJ_obj2nid(x->sig_alg->algorithm); BIO_printf(out, "%8sSignature Algorithm: %s\n", "", (i == NID_undef) ? "NONE" : OBJ_nid2ln(i)); p=X509_NAME_oneline(X509_CRL_get_issuer(x),NULL,0); BIO_printf(out,"%8sIssuer: %s\n","",p); OPENSSL_free(p); BIO_printf(out,"%8sLast Update: ",""); ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x)); BIO_printf(out,"\n%8sNext Update: ",""); if (X509_CRL_get_nextUpdate(x)) ASN1_TIME_print(out,X509_CRL_get_nextUpdate(x)); else BIO_printf(out,"NONE"); BIO_printf(out,"\n"); n=X509_CRL_get_ext_count(x); X509V3_extensions_print(out, "CRL extensions", x->crl->extensions, 0, 8); rev = X509_CRL_get_REVOKED(x); if(sk_X509_REVOKED_num(rev) > 0) BIO_printf(out, "Revoked Certificates:\n"); else BIO_printf(out, "No Revoked Certificates.\n"); for(i = 0; i < sk_X509_REVOKED_num(rev); i++) { r = sk_X509_REVOKED_value(rev, i); BIO_printf(out," Serial Number: "); i2a_ASN1_INTEGER(out,r->serialNumber); BIO_printf(out,"\n Revocation Date: "); ASN1_TIME_print(out,r->revocationDate); BIO_printf(out,"\n"); X509V3_extensions_print(out, "CRL entry extensions", r->extensions, 0, 8); } X509_signature_print(out, x->sig_alg, x->signature); return 1; }
/* Verify certificate callback. Gets invoked by crypto/x509/x509_vfy.c: * internal_verify() after it checks the signature and the time of * the certificate. Copied from apps/s_cb.c. Configured through * verify_depth and verify_error, initialized in main(). Doesn't * really do much other than print verify errors to the screen and * ignore errors down to verify_depth. Mainly an example of how * OpenSSL let's your app have a say in certificate validating. * At this point OpenSSL has checked the signature and dates are * good, so you don't need to do that. One thing you could do * here would be to verify the certificate status with an on-line * service, e.g. via OCSP. */ int verify_cb(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err,depth; BIO* bio_err; int verify_error = X509_V_OK, verify_depth = 0; if ((bio_err=BIO_new(BIO_s_file())) == NULL) return(0); BIO_set_fp(bio_err,stderr,BIO_NOCLOSE); err_cert=X509_STORE_CTX_get_current_cert(ctx); err=X509_STORE_CTX_get_error(ctx); depth=X509_STORE_CTX_get_error_depth(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256); BIO_printf(bio_err,"depth=%d %s\n",depth,buf); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, X509_verify_cert_error_string(err)); if (depth > verify_depth) { verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } else { ok=1; verify_error=X509_V_OK; } } switch (ctx->error) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256); BIO_printf(bio_err,"issuer= %s\n",buf); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; } BIO_printf(bio_err,"verify return:%d\n",ok); BIO_free(bio_err); return(ok); }
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; int err,depth; err_cert=X509_STORE_CTX_get_current_cert(ctx); err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); BIO_printf(bio_err,"depth=%d %s\n",depth,buf); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, X509_verify_cert_error_string(err)); if (verify_depth >= depth) { ok=1; verify_error=X509_V_OK; } else { ok=0; verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG; } } switch (ctx->error) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); BIO_printf(bio_err,"issuer= %s\n",buf); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: BIO_printf(bio_err,"notBefore="); ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: BIO_printf(bio_err,"notAfter="); ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); BIO_printf(bio_err,"\n"); break; } BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); }
/* * openssl crl -in ca.crl -text */ void show_crl(char * ca_name) { X509_CRL * crl ; X509_REVOKED * rev ; int i, total ; STACK_OF(X509_REVOKED) * rev_list ; BIO * out ; if ((crl = load_crl(ca_name))==NULL) { printf("No CRL found\n"); return ; } rev_list = X509_CRL_get_REVOKED(crl); total = sk_X509_REVOKED_num(rev_list); out = BIO_new(BIO_s_file()); out = BIO_new_fp(stdout, BIO_NOCLOSE); BIO_printf(out, "-- Revoked certificates found in CRL\n"); for (i=0 ; i<total ; i++) { rev=sk_X509_REVOKED_value(rev_list, i); BIO_printf(out, "serial: "); i2a_ASN1_INTEGER(out, rev->serialNumber); BIO_printf(out, "\n date: "); ASN1_TIME_print(out, rev->revocationDate); BIO_printf(out, "\n\n"); } X509_CRL_free(crl); BIO_free_all(out); return ; }
int getTimeString(ASN1_TIME *time_data, char *buf, int buflen) { int result; BIO* bio = BIO_new(BIO_s_mem()); if (NULL == bio) { result = CERT_MEMORY_ERROR; } else { BUF_MEM *bufmem; ASN1_TIME_print(bio, time_data); BIO_get_mem_ptr(bio, &bufmem); /* is this allocating? */ if (NULL == buf) { result = CERT_NULL_BUFFER; } else if (bufmem->length >= buflen) { result = CERT_BUFFER_LIMIT_EXCEEDED; } else { memcpy(buf, bufmem->data, bufmem->length); buf[bufmem->length] = 0; result = CERT_OK; } BIO_free( bio ); } return result; } /* getTimeString */
const datetime X509Certificate_OpenSSL::convertX509Date(void* time) const { char* buffer; BIO* out = BIO_new(BIO_s_mem()); BIO_set_close(out, BIO_CLOSE); ASN1_TIME* asn1_time = reinterpret_cast<ASN1_TIME*>(time); ASN1_TIME_print(out, asn1_time); int sz = BIO_get_mem_data(out, &buffer); char* dest = new char[sz + 1]; dest[sz] = 0; memcpy(dest, buffer, sz); vmime::string t(dest); BIO_free(out); delete dest; if (t.size() > 0) { char month[4] = {0}; char zone[4] = {0}; int day, hour, minute, second, year; int nrconv = sscanf(t.c_str(), "%s %2d %02d:%02d:%02d %d%s", month, &day, &hour, &minute, &second,&year,zone); if (nrconv >= 6) return datetime(year, sg_monthMap.getMonth(vmime::string(month)), day, hour, minute, second); } // let datetime try and parse it return datetime(t); }
static void log_time(const int level, const char *txt, ASN1_TIME *t) { #ifndef HAVE_LIB_CYASSL char *cp; BIO *bio; int n; if(!t) return; bio=BIO_new(BIO_s_mem()); if(!bio) return; ASN1_TIME_print(bio, t); n=BIO_pending(bio); cp=str_alloc(n+1); n=BIO_read(bio, cp, n); if(n<0) { BIO_free(bio); str_free(cp); return; } cp[n]='\0'; BIO_free(bio); s_log(level, "%s: %s", txt, cp); str_free(cp); #else s_log(level, "%s: N/A", txt); #endif }
int convertAsn1ToString(ASN1_TIME *notAfter, char buffer[]) { BIO *bio = BIO_new(BIO_s_mem()); ASN1_TIME_print(bio, notAfter); BIO_gets(bio, buffer, BUFLEN); BIO_free(bio); return 0; }
/* Appends information about an issued certificate to the index file. */ int add_to_index(X509 *cert) { FILE *fp = NULL; BIO *bio = NULL; X509_NAME *subject = X509_get_subject_name(cert); long serial = ASN1_INTEGER_get(X509_get_serialNumber(cert)); fp = fopen(CA_PATH(caIni.indexFile), "a"); if (fp != NULL) { bio = BIO_new_fp(fp, BIO_CLOSE); /* Write serial */ BIO_printf(bio, "%ld\t", serial); /* Write notBefore time */ ASN1_TIME_print(bio, X509_get_notBefore(cert)); BIO_printf(bio, "\t"); /* Write subject */ X509_NAME_print_ex(bio, subject, 0, 0); BIO_printf(bio, "\n"); BIO_free(bio); /* Closes fp too */ return 1; } return 0; }
std::string genHumanReadableDateTime(ASN1_TIME* time) { BIO* bio_stream = BIO_new(BIO_s_mem()); if (bio_stream == nullptr) { return ""; } // ANS1_TIME_print's format is: Mon DD HH:MM:SS YYYY GMT // e.g. Jan 1 00:00:00 1970 GMT (always GMT) auto buffer_size = 32; char buffer[32] = {0}; if (!ASN1_TIME_print(bio_stream, time)) { BIO_free(bio_stream); return ""; } // BIO_gets() returns amount of data successfully read or written // (if the return value is positive) or that no data was successfully // read or written if the result is 0 or -1. if (BIO_gets(bio_stream, buffer, buffer_size) <= 0) { BIO_free(bio_stream); return ""; } BIO_free(bio_stream); return std::string(buffer); }
static int _VerifyCallBack( int ok, X509_STORE_CTX *ctx) { char buf[256]; X509 *err_cert; BIO *bio_err; char *ptr = NULL; char printable[256] = {'\0'}; int length; bio_err = BIO_new(BIO_s_mem()); err_cert = X509_STORE_CTX_get_current_cert(ctx); X509_STORE_CTX_get_error(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); switch (ctx->error) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); SSL_Error(_d(" Unable to get issuer cert.\n issuer= %s\n"), buf); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: SSL_Error(_d(" Error in cert not_before field.\n notBefore=")); ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); length = BIO_get_mem_data(bio_err, &ptr); memcpy(printable, ptr, length - 1); SSL_Error("%s\n", printable); break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: SSL_Error(_d(" Error in cert not_after field.\n notAfter=")); ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); length = BIO_get_mem_data(bio_err, &ptr); memcpy(printable, ptr, length - 1); SSL_Error("%s\n", printable); break; } BIO_free(bio_err); return(ok); }
static int get_validity(str* res, int local, int bound, sip_msg_t* msg) { #define NOT_BEFORE 0 #define NOT_AFTER 1 static char buf[1024]; X509* cert; struct tcp_connection* c; BUF_MEM* p; BIO* mem = 0; ASN1_TIME* date; if (get_cert(&cert, &c, msg, local) < 0) return -1; switch (bound) { case NOT_BEFORE: date = X509_get_notBefore(cert); break; case NOT_AFTER: date = X509_get_notAfter(cert); break; default: BUG("Unexpected parameter value \"%d\"\n", bound); goto err; } mem = BIO_new(BIO_s_mem()); if (!mem) { ERR("Error while creating memory BIO\n"); goto err; } if (!ASN1_TIME_print(mem, date)) { ERR("Error while printing certificate date/time\n"); goto err; } BIO_get_mem_ptr(mem, &p); if (p->length >= 1024) { ERR("Date/time too long\n"); goto err; } memcpy(buf, p->data, p->length); res->s = buf; res->len = p->length; BIO_free(mem); if (!local) X509_free(cert); tcpconn_put(c); return 0; err: if (mem) BIO_free(mem); if (!local) X509_free(cert); tcpconn_put(c); return -1; }
/** * Return a human readable time. */ static int push_asn1_time(lua_State *L, ASN1_UTCTIME *tm) { char *tmp; long size; BIO *out = BIO_new(BIO_s_mem()); ASN1_TIME_print(out, tm); size = BIO_get_mem_data(out, &tmp); lua_pushlstring(L, tmp, size); BIO_free(out); return 1; }
int tlsops_validity(struct sip_msg *msg, pv_param_t *param, pv_value_t *res) { static char buf[1024]; X509* cert; struct tcp_connection* c; BUF_MEM* p; BIO* mem = 0; ASN1_TIME* date; int my = 0; if (get_cert(&cert, &c, msg, my) < 0) return -1; switch (param->pvn.u.isname.name.n) { case CERT_NOTBEFORE: date = X509_get_notBefore(cert); break; case CERT_NOTAFTER: date = X509_get_notAfter(cert); break; default: LM_CRIT("unexpected parameter value \"%d\"\n", param->pvn.u.isname.name.n); goto err; } mem = BIO_new(BIO_s_mem()); if (!mem) { LM_ERR("failed to create memory BIO\n"); goto err; } if (!ASN1_TIME_print(mem, date)) { LM_ERR("failed to print certificate date/time\n"); goto err; } BIO_get_mem_ptr(mem, &p); if (p->length >= 1024) { LM_ERR("Date/time too long\n"); goto err; } memcpy(buf, p->data, p->length); res->rs.s = buf; res->rs.len = p->length; res->flags = PV_VAL_STR ; BIO_free(mem); if (!my) X509_free(cert); tcpconn_put(c); return 0; err: if (mem) BIO_free(mem); if (!my) X509_free(cert); tcpconn_put(c); return pv_get_null(msg, param, res); }
/* Format an ASN1 time to a string. 'buf' must be at least of size * 'NE_SSL_VDATELEN'. */ static void asn1time_to_string(ASN1_TIME *tm, char *buf) { BIO *bio; strncpy(buf, _("[invalid date]"), NE_SSL_VDATELEN-1); bio = BIO_new(BIO_s_mem()); if (bio) { if (ASN1_TIME_print(bio, tm)) BIO_read(bio, buf, NE_SSL_VDATELEN-1); BIO_free(bio); } }
std::string genHumanReadableDateTime(ASN1_TIME* time) { BIO* bio_stream = nullptr; OSX_OPENSSL(bio_stream = BIO_new(BIO_s_mem())); if (bio_stream == nullptr) { return ""; } // ANS1_TIME_print's format is: Mon DD HH:MM:SS YYYY GMT // e.g. Jan 1 00:00:00 1970 GMT (always GMT) auto buffer_size = 32; char buffer[32] = {0}; OSX_OPENSSL(if (!ASN1_TIME_print(bio_stream, time)) { BIO_free(bio_stream); return ""; });
char* SSLConnection::asn1time_to_string (ASN1_UTCTIME * tm) { static char buf[64]; BIO *bio; strfcpy (buf, _("[invalid date]"), sizeof (buf)); bio = BIO_new (BIO_s_mem ()); if (bio) { if (ASN1_TIME_print (bio, tm)) (void) BIO_read (bio, buf, sizeof (buf)); BIO_free (bio); } return buf; }
Datum x509_get_not_after(PG_FUNCTION_ARGS) { bytea *raw; X509 *cert; BIO *bio; char buf[DATE_LEN]; int r; // check for null value. raw = PG_GETARG_BYTEA_P(0); if (raw == NULL || VARSIZE(raw) == VARHDRSZ) { PG_RETURN_NULL(); } // read cert cert = x509_from_bytea(raw); if (cert == NULL) { ereport(ERROR, (errcode(ERRCODE_DATA_CORRUPTED), errmsg( "unable to decode X509 record"))); PG_RETURN_NULL(); } // extract 'not after' date bio = BIO_new(BIO_s_mem()); if ((r = ASN1_TIME_print(bio, X509_get_notAfter(cert))) <= 0) { X509_free(cert); BIO_free(bio); ereport(ERROR, (errcode(ERRCODE_DATA_CORRUPTED), errmsg("unable to retrieve 'notAfter' timestamp"))); PG_RETURN_NULL(); } // convert 'not before' date if ((r = BIO_gets(bio, buf, DATE_LEN)) <= 0) { X509_free(cert); BIO_free(bio); ereport(ERROR, (errcode(ERRCODE_DATA_CORRUPTED), errmsg("unable to create ISO-8601 timestamp"))); PG_RETURN_NULL(); } BIO_free(bio); X509_free(cert); // FIXME convert ISO-8601 timestamp PG_RETURN_NULL(); }
static void ASN1_TIME_snprintf (char *buf, int buf_len, ASN1_TIME * tm) { char *expires = NULL; BIO *inMem = BIO_new (BIO_s_mem ()); ASN1_TIME_print (inMem, tm); BIO_get_mem_data (inMem, &expires); buf[0] = 0; if (expires != NULL) { memset (buf, 0, buf_len); strncpy (buf, expires, 24); } BIO_free (inMem); }
static void ASN1_TIME_snprintf (char *buf, int buf_len, ASN1_TIME * tm) { char *expires = NULL; BIO *inMem = BIO_new (BIO_s_mem ()); ASN1_TIME_print (inMem, tm); BIO_get_mem_data (inMem, &expires); buf[0] = 0; if (expires != NULL) { /* expires is not \0 terminated */ safe_strcpy (buf, expires, MIN(24, buf_len)); } BIO_free (inMem); }
static void log_time(const int level, const char *txt, ASN1_TIME *t) { char *cp; BIO *bio; int n; if(!t) return; bio=BIO_new(BIO_s_mem()); ASN1_TIME_print(bio, t); n=BIO_pending(bio); cp=str_alloc(n+1); n=BIO_read(bio, cp, n); cp[n]='\0'; BIO_free(bio); s_log(level, "%s: %s", txt, cp); str_free(cp); }
/** * Convert ASN1_TIME object to PostgreSQL timestamp. */ int asn1Time_to_timestamp(ASN1_TIME *asn1, Timestamp *dt) { BIO *bio; char buf[DATE_LEN]; struct tm tm; struct pg_tm pgtm; int r; // extract 'not before' date bio = BIO_new(BIO_s_mem()); if ((r = ASN1_TIME_print(bio, asn1)) <= 0) { BIO_free(bio); ereport(ERROR, (errcode(ERRCODE_DATA_CORRUPTED), errmsg("unable to retrieve timestamp"))); return 1; } // convert 'not before' date if ((r = BIO_gets(bio, buf, DATE_LEN)) <= 0) { BIO_free(bio); ereport(ERROR, (errcode(ERRCODE_DATA_CORRUPTED), errmsg("unable to create ISO-8601 timestamp"))); return 1; } BIO_free(bio); memset(&tm, 0, sizeof(struct tm)); strptime(buf, "%b %d %T %Y %z", &tm); pgtm.tm_sec = tm.tm_sec; pgtm.tm_min = tm.tm_min; pgtm.tm_hour = tm.tm_hour; pgtm.tm_mday= tm.tm_mday; pgtm.tm_mon= tm.tm_mon + 1; pgtm.tm_year = tm.tm_year + 1900; pgtm.tm_wday= tm.tm_wday; pgtm.tm_yday = tm.tm_yday; pgtm.tm_isdst = tm.tm_isdst; pgtm.tm_gmtoff = 0; pgtm.tm_zone = "UTC"; tm2timestamp(&pgtm, 0, NULL, dt); return 0; }
static int setenv_x509_date(ASN1_TIME *tm, const char *env) { BIO *bio_out=NULL; BUF_MEM *bptr=NULL; char tmpbuf[256]=""; if(!(bio_out=BIO_new(BIO_s_mem()))) { log_out_of_memory(__func__); return -1; } ASN1_TIME_print(bio_out, tm); BIO_get_mem_ptr(bio_out, &bptr); BIO_gets(bio_out, tmpbuf, sizeof(tmpbuf)-1); BIO_free_all(bio_out); sanitise(tmpbuf); setenv(env, (char*)tmpbuf, 1); return 0; }
static int check_certificate_expiry(struct openconnect_info *vpninfo) { ASN1_TIME *notAfter; const char *reason = NULL; time_t t; int i; if (!vpninfo->cert_x509) return 0; t = time(NULL); notAfter = X509_get_notAfter(vpninfo->cert_x509); i = X509_cmp_time(notAfter, &t); if (!i) { vpn_progress(vpninfo, PRG_ERR, _("Error in client cert notAfter field\n")); return -EINVAL; } else if (i < 0) { reason = _("Client certificate has expired at"); } else { t += vpninfo->cert_expire_warning; i = X509_cmp_time(notAfter, &t); if (i < 0) reason = _("Client certificate expires soon at"); } if (reason) { BIO *bp = BIO_new(BIO_s_mem()); BUF_MEM *bm; const char *expiry = _("<error>"); char zero = 0; if (bp) { ASN1_TIME_print(bp, notAfter); BIO_write(bp, &zero, 1); BIO_get_mem_ptr(bp, &bm); expiry = bm->data; } vpn_progress(vpninfo, PRG_ERR, "%s: %s\n", reason, expiry); if (bp) BIO_free(bp); } return 0; }
int MAIN(int argc, char **argv) { ENGINE *e = NULL; int ret=1; X509_REQ *req=NULL; X509 *x=NULL,*xca=NULL; ASN1_OBJECT *objtmp; STACK_OF(OPENSSL_STRING) *sigopts = NULL; EVP_PKEY *Upkey=NULL,*CApkey=NULL; ASN1_INTEGER *sno = NULL; int i,num,badops=0; BIO *out=NULL; BIO *STDout=NULL; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; int informat,outformat,keyformat,CAformat,CAkeyformat; char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL; char *CAkeyfile=NULL,*CAserial=NULL; char *alias=NULL; int text=0,serial=0,subject=0,issuer=0,startdate=0,enddate=0; int next_serial=0; int subject_hash=0,issuer_hash=0,ocspid=0; #ifndef OPENSSL_NO_MD5 int subject_hash_old=0,issuer_hash_old=0; #endif int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0; int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; int C=0; int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; int pprint = 0; const char **pp; X509_STORE *ctx=NULL; X509_REQ *rq=NULL; int fingerprint=0; char buf[256]; const EVP_MD *md_alg,*digest=NULL; CONF *extconf = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; int checkend=0,checkoffset=0; unsigned long nmflag = 0, certflag = 0; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif reqfile=0; apps_startup(); if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); if (!load_config(bio_err, NULL)) goto end; STDout=BIO_new_fp(stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); STDout = BIO_push(tmpbio, STDout); } #endif informat=FORMAT_PEM; outformat=FORMAT_PEM; keyformat=FORMAT_PEM; CAformat=FORMAT_PEM; CAkeyformat=FORMAT_PEM; ctx=X509_STORE_new(); if (ctx == NULL) goto end; X509_STORE_set_verify_cb(ctx,callb); argc--; argv++; num=0; while (argc >= 1) { if (strcmp(*argv,"-inform") == 0) { if (--argc < 1) goto bad; informat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-outform") == 0) { if (--argc < 1) goto bad; outformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; keyformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-req") == 0) { reqfile=1; need_rand = 1; } else if (strcmp(*argv,"-CAform") == 0) { if (--argc < 1) goto bad; CAformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-CAkeyform") == 0) { if (--argc < 1) goto bad; CAkeyformat=str2fmt(*(++argv)); } else if (strcmp(*argv,"-sigopt") == 0) { if (--argc < 1) goto bad; if (!sigopts) sigopts = sk_OPENSSL_STRING_new_null(); if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) goto bad; } else if (strcmp(*argv,"-days") == 0) { if (--argc < 1) goto bad; days=atoi(*(++argv)); if (days == 0) { BIO_printf(STDout,"bad number of days\n"); goto bad; } } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; passargin= *(++argv); } else if (strcmp(*argv,"-extfile") == 0) { if (--argc < 1) goto bad; extfile= *(++argv); } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; extsect= *(++argv); } else if (strcmp(*argv,"-in") == 0) { if (--argc < 1) goto bad; infile= *(++argv); } else if (strcmp(*argv,"-out") == 0) { if (--argc < 1) goto bad; outfile= *(++argv); } else if (strcmp(*argv,"-signkey") == 0) { if (--argc < 1) goto bad; keyfile= *(++argv); sign_flag= ++num; need_rand = 1; } else if (strcmp(*argv,"-CA") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); CA_flag= ++num; need_rand = 1; } else if (strcmp(*argv,"-CAkey") == 0) { if (--argc < 1) goto bad; CAkeyfile= *(++argv); } else if (strcmp(*argv,"-CAserial") == 0) { if (--argc < 1) goto bad; CAserial= *(++argv); } else if (strcmp(*argv,"-set_serial") == 0) { if (--argc < 1) goto bad; if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) goto bad; } else if (strcmp(*argv,"-addtrust") == 0) { if (--argc < 1) goto bad; if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, "Invalid trust object value %s\n", *argv); goto bad; } if (!trust) trust = sk_ASN1_OBJECT_new_null(); sk_ASN1_OBJECT_push(trust, objtmp); trustout = 1; } else if (strcmp(*argv,"-addreject") == 0) { if (--argc < 1) goto bad; if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { BIO_printf(bio_err, "Invalid reject object value %s\n", *argv); goto bad; } if (!reject) reject = sk_ASN1_OBJECT_new_null(); sk_ASN1_OBJECT_push(reject, objtmp); trustout = 1; } else if (strcmp(*argv,"-setalias") == 0) { if (--argc < 1) goto bad; alias= *(++argv); trustout = 1; } else if (strcmp(*argv,"-certopt") == 0) { if (--argc < 1) goto bad; if (!set_cert_ex(&certflag, *(++argv))) goto bad; } else if (strcmp(*argv,"-nameopt") == 0) { if (--argc < 1) goto bad; if (!set_name_ex(&nmflag, *(++argv))) goto bad; } #ifndef OPENSSL_NO_ENGINE else if (strcmp(*argv,"-engine") == 0) { if (--argc < 1) goto bad; engine= *(++argv); } #endif else if (strcmp(*argv,"-C") == 0) C= ++num; else if (strcmp(*argv,"-email") == 0) email= ++num; else if (strcmp(*argv,"-ocsp_uri") == 0) ocsp_uri= ++num; else if (strcmp(*argv,"-serial") == 0) serial= ++num; else if (strcmp(*argv,"-next_serial") == 0) next_serial= ++num; else if (strcmp(*argv,"-modulus") == 0) modulus= ++num; else if (strcmp(*argv,"-pubkey") == 0) pubkey= ++num; else if (strcmp(*argv,"-x509toreq") == 0) x509req= ++num; else if (strcmp(*argv,"-text") == 0) text= ++num; else if (strcmp(*argv,"-hash") == 0 || strcmp(*argv,"-subject_hash") == 0) subject_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-subject_hash_old") == 0) subject_hash_old= ++num; #endif else if (strcmp(*argv,"-issuer_hash") == 0) issuer_hash= ++num; #ifndef OPENSSL_NO_MD5 else if (strcmp(*argv,"-issuer_hash_old") == 0) issuer_hash_old= ++num; #endif else if (strcmp(*argv,"-subject") == 0) subject= ++num; else if (strcmp(*argv,"-issuer") == 0) issuer= ++num; else if (strcmp(*argv,"-fingerprint") == 0) fingerprint= ++num; else if (strcmp(*argv,"-dates") == 0) { startdate= ++num; enddate= ++num; } else if (strcmp(*argv,"-purpose") == 0) pprint= ++num; else if (strcmp(*argv,"-startdate") == 0) startdate= ++num; else if (strcmp(*argv,"-enddate") == 0) enddate= ++num; else if (strcmp(*argv,"-checkend") == 0) { if (--argc < 1) goto bad; checkoffset=atoi(*(++argv)); checkend=1; } else if (strcmp(*argv,"-noout") == 0) noout= ++num; else if (strcmp(*argv,"-trustout") == 0) trustout= 1; else if (strcmp(*argv,"-clrtrust") == 0) clrtrust= ++num; else if (strcmp(*argv,"-clrreject") == 0) clrreject= ++num; else if (strcmp(*argv,"-alias") == 0) aliasout= ++num; else if (strcmp(*argv,"-CAcreateserial") == 0) CA_createserial= ++num; else if (strcmp(*argv,"-clrext") == 0) clrext = 1; #if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */ else if (strcmp(*argv,"-crlext") == 0) { BIO_printf(bio_err,"use -clrext instead of -crlext\n"); clrext = 1; } #endif else if (strcmp(*argv,"-ocspid") == 0) ocspid= ++num; else if ((md_alg=EVP_get_digestbyname(*argv + 1))) { /* ok */ digest=md_alg; } else { BIO_printf(bio_err,"unknown option %s\n",*argv); badops=1; break; } argc--; argv++; } if (badops) { bad: for (pp=x509_usage; (*pp != NULL); pp++) BIO_printf(bio_err,"%s",*pp); goto end; } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif if (need_rand) app_RAND_load_file(NULL, bio_err, 0); ERR_load_crypto_strings(); if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (!X509_STORE_set_default_paths(ctx)) { ERR_print_errors(bio_err); goto end; } if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { CAkeyfile=CAfile; } else if ((CA_flag) && (CAkeyfile == NULL)) { BIO_printf(bio_err,"need to specify a CAkey if using the CA command\n"); goto end; } if (extfile) { long errorline = -1; X509V3_CTX ctx2; extconf = NCONF_new(NULL); if (!NCONF_load(extconf, extfile,&errorline)) { if (errorline <= 0) BIO_printf(bio_err, "error loading the config file '%s'\n", extfile); else BIO_printf(bio_err, "error on line %ld of config file '%s'\n" ,errorline,extfile); goto end; } if (!extsect) { extsect = NCONF_get_string(extconf, "default", "extensions"); if (!extsect) { ERR_clear_error(); extsect = "default"; } } X509V3_set_ctx_test(&ctx2); X509V3_set_nconf(&ctx2, extconf); if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { BIO_printf(bio_err, "Error Loading extension section %s\n", extsect); ERR_print_errors(bio_err); goto end; } } if (reqfile) { EVP_PKEY *pkey; BIO *in; if (!sign_flag && !CA_flag) { BIO_printf(bio_err,"We need a private key to sign with\n"); goto end; } in=BIO_new(BIO_s_file()); if (in == NULL) { ERR_print_errors(bio_err); goto end; } if (infile == NULL) BIO_set_fp(in,stdin,BIO_NOCLOSE|BIO_FP_TEXT); else { if (BIO_read_filename(in,infile) <= 0) { perror(infile); BIO_free(in); goto end; } } req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL); BIO_free(in); if (req == NULL) { ERR_print_errors(bio_err); goto end; } if ( (req->req_info == NULL) || (req->req_info->pubkey == NULL) || (req->req_info->pubkey->public_key == NULL) || (req->req_info->pubkey->public_key->data == NULL)) { BIO_printf(bio_err,"The certificate request appears to corrupted\n"); BIO_printf(bio_err,"It does not contain a public key\n"); goto end; } if ((pkey=X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err,"error unpacking public key\n"); goto end; } i=X509_REQ_verify(req,pkey); EVP_PKEY_free(pkey); if (i < 0) { BIO_printf(bio_err,"Signature verification error\n"); ERR_print_errors(bio_err); goto end; } if (i == 0) { BIO_printf(bio_err,"Signature did not match the certificate request\n"); goto end; } else BIO_printf(bio_err,"Signature ok\n"); print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); if ((x=X509_new()) == NULL) goto end; if (sno == NULL) { sno = ASN1_INTEGER_new(); if (!sno || !rand_serial(NULL, sno)) goto end; if (!X509_set_serialNumber(x, sno)) goto end; ASN1_INTEGER_free(sno); sno = NULL; } else if (!X509_set_serialNumber(x, sno)) goto end; if (!X509_set_issuer_name(x,req->req_info->subject)) goto end; if (!X509_set_subject_name(x,req->req_info->subject)) goto end; X509_gmtime_adj(X509_get_notBefore(x),0); X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL); pkey = X509_REQ_get_pubkey(req); X509_set_pubkey(x,pkey); EVP_PKEY_free(pkey); } else x=load_cert(bio_err,infile,informat,NULL,e,"Certificate"); if (x == NULL) goto end; if (CA_flag) { xca=load_cert(bio_err,CAfile,CAformat,NULL,e,"CA Certificate"); if (xca == NULL) goto end; } if (!noout || text || next_serial) { OBJ_create("2.99999.3", "SET.ex3","SET x509v3 extension 3"); out=BIO_new(BIO_s_file()); if (out == NULL) { ERR_print_errors(bio_err); goto end; } if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); #ifdef OPENSSL_SYS_VMS { BIO *tmpbio = BIO_new(BIO_f_linebuffer()); out = BIO_push(tmpbio, out); } #endif } else { if (BIO_write_filename(out,outfile) <= 0) { perror(outfile); goto end; } } } if (alias) X509_alias_set1(x, (unsigned char *)alias, -1); if (clrtrust) X509_trust_clear(x); if (clrreject) X509_reject_clear(x); if (trust) { for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { objtmp = sk_ASN1_OBJECT_value(trust, i); X509_add1_trust_object(x, objtmp); } } if (reject) { for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { objtmp = sk_ASN1_OBJECT_value(reject, i); X509_add1_reject_object(x, objtmp); } } if (num) { for (i=1; i<=num; i++) { if (issuer == i) { print_name(STDout, "issuer= ", X509_get_issuer_name(x), nmflag); } else if (subject == i) { print_name(STDout, "subject= ", X509_get_subject_name(x), nmflag); } else if (serial == i) { BIO_printf(STDout,"serial="); i2a_ASN1_INTEGER(STDout, X509_get_serialNumber(x)); BIO_printf(STDout,"\n"); } else if (next_serial == i) { BIGNUM *bnser; ASN1_INTEGER *ser; ser = X509_get_serialNumber(x); bnser = ASN1_INTEGER_to_BN(ser, NULL); if (!bnser) goto end; if (!BN_add_word(bnser, 1)) goto end; ser = BN_to_ASN1_INTEGER(bnser, NULL); if (!ser) goto end; BN_free(bnser); i2a_ASN1_INTEGER(out, ser); ASN1_INTEGER_free(ser); BIO_puts(out, "\n"); } else if ((email == i) || (ocsp_uri == i)) { int j; STACK_OF(OPENSSL_STRING) *emlst; if (email == i) emlst = X509_get1_email(x); else emlst = X509_get1_ocsp(x); for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) BIO_printf(STDout, "%s\n", sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) { unsigned char *alstr; alstr = X509_alias_get0(x, NULL); if (alstr) BIO_printf(STDout,"%s\n", alstr); else BIO_puts(STDout,"<No Alias>\n"); } else if (subject_hash == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (subject_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_subject_name_hash_old(x)); } #endif else if (issuer_hash == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (issuer_hash_old == i) { BIO_printf(STDout,"%08lx\n",X509_issuer_name_hash_old(x)); } #endif else if (pprint == i) { X509_PURPOSE *ptmp; int j; BIO_printf(STDout, "Certificate purposes:\n"); for (j = 0; j < X509_PURPOSE_get_count(); j++) { ptmp = X509_PURPOSE_get0(j); purpose_print(STDout, x, ptmp); } } else if (modulus == i) { EVP_PKEY *pkey; pkey=X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err,"Modulus=unavailable\n"); ERR_print_errors(bio_err); goto end; } BIO_printf(STDout,"Modulus="); #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) BN_print(STDout,pkey->pkey.rsa->n); else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) BN_print(STDout,pkey->pkey.dsa->pub_key); else #endif BIO_printf(STDout,"Wrong Algorithm type"); BIO_printf(STDout,"\n"); EVP_PKEY_free(pkey); } else if (pubkey == i) { EVP_PKEY *pkey; pkey=X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bio_err,"Error getting public key\n"); ERR_print_errors(bio_err); goto end; } PEM_write_bio_PUBKEY(STDout, pkey); EVP_PKEY_free(pkey); } else if (C == i) { unsigned char *d; char *m; int y,z; X509_NAME_oneline(X509_get_subject_name(x), buf,sizeof buf); BIO_printf(STDout,"/* subject:%s */\n",buf); m=X509_NAME_oneline( X509_get_issuer_name(x),buf, sizeof buf); BIO_printf(STDout,"/* issuer :%s */\n",buf); z=i2d_X509(x,NULL); m=OPENSSL_malloc(z); d=(unsigned char *)m; z=i2d_X509_NAME(X509_get_subject_name(x),&d); BIO_printf(STDout,"unsigned char XXX_subject_name[%d]={\n",z); d=(unsigned char *)m; for (y=0; y<z; y++) { BIO_printf(STDout,"0x%02X,",d[y]); if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n"); } if (y%16 != 0) BIO_printf(STDout,"\n"); BIO_printf(STDout,"};\n"); z=i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x),&d); BIO_printf(STDout,"unsigned char XXX_public_key[%d]={\n",z); d=(unsigned char *)m; for (y=0; y<z; y++) { BIO_printf(STDout,"0x%02X,",d[y]); if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n"); } if (y%16 != 0) BIO_printf(STDout,"\n"); BIO_printf(STDout,"};\n"); z=i2d_X509(x,&d); BIO_printf(STDout,"unsigned char XXX_certificate[%d]={\n",z); d=(unsigned char *)m; for (y=0; y<z; y++) { BIO_printf(STDout,"0x%02X,",d[y]); if ((y & 0x0f) == 0x0f) BIO_printf(STDout,"\n"); } if (y%16 != 0) BIO_printf(STDout,"\n"); BIO_printf(STDout,"};\n"); OPENSSL_free(m); } else if (text == i) { X509_print_ex(out,x,nmflag, certflag); } else if (startdate == i) { BIO_puts(STDout,"notBefore="); ASN1_TIME_print(STDout,X509_get_notBefore(x)); BIO_puts(STDout,"\n"); } else if (enddate == i) { BIO_puts(STDout,"notAfter="); ASN1_TIME_print(STDout,X509_get_notAfter(x)); BIO_puts(STDout,"\n"); } else if (fingerprint == i) { int j; unsigned int n; unsigned char md[EVP_MAX_MD_SIZE]; const EVP_MD *fdig = digest; if (!fdig) fdig = EVP_sha1(); if (!X509_digest(x,fdig,md,&n)) { BIO_printf(bio_err,"out of memory\n"); goto end; } BIO_printf(STDout,"%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig))); for (j=0; j<(int)n; j++) { BIO_printf(STDout,"%02X%c",md[j], (j+1 == (int)n) ?'\n':':'); } } /* should be in the library */ else if ((sign_flag == i) && (x509req == 0)) { BIO_printf(bio_err,"Getting Private key\n"); if (Upkey == NULL) { Upkey=load_key(bio_err, keyfile, keyformat, 0, passin, e, "Private key"); if (Upkey == NULL) goto end; } assert(need_rand); if (!sign(x,Upkey,days,clrext,digest, extconf, extsect)) goto end; } else if (CA_flag == i) { BIO_printf(bio_err,"Getting CA Private Key\n"); if (CAkeyfile != NULL) { CApkey=load_key(bio_err, CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key"); if (CApkey == NULL) goto end; } assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, CApkey, sigopts, CAserial,CA_createserial,days, clrext, extconf, extsect, sno)) goto end; } else if (x509req == i) { EVP_PKEY *pk; BIO_printf(bio_err,"Getting request Private Key\n"); if (keyfile == NULL) { BIO_printf(bio_err,"no request key file specified\n"); goto end; } else { pk=load_key(bio_err, keyfile, keyformat, 0, passin, e, "request key"); if (pk == NULL) goto end; } BIO_printf(bio_err,"Generating certificate request\n"); rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); if (rq == NULL) { ERR_print_errors(bio_err); goto end; } if (!noout) { X509_REQ_print(out,rq); PEM_write_bio_X509_REQ(out,rq); } noout=1; } else if (ocspid == i) { X509_ocspid_print(out, x); } } } if (checkend) { time_t tcheck=time(NULL) + checkoffset; if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) { BIO_printf(out,"Certificate will expire\n"); ret=1; } else { BIO_printf(out,"Certificate will not expire\n"); ret=0; } goto end; } if (noout) { ret=0; goto end; } if (outformat == FORMAT_ASN1) i=i2d_X509_bio(out,x); else if (outformat == FORMAT_PEM) { if (trustout) i=PEM_write_bio_X509_AUX(out,x); else i=PEM_write_bio_X509(out,x); } else if (outformat == FORMAT_NETSCAPE) { NETSCAPE_X509 nx; ASN1_OCTET_STRING hdr; hdr.data=(unsigned char *)NETSCAPE_CERT_HDR; hdr.length=strlen(NETSCAPE_CERT_HDR); nx.header= &hdr; nx.cert=x; i=ASN1_item_i2d_bio(ASN1_ITEM_rptr(NETSCAPE_X509),out,&nx); } else { BIO_printf(bio_err,"bad output format specified for outfile\n"); goto end; } if (!i) { BIO_printf(bio_err,"unable to write certificate\n"); ERR_print_errors(bio_err); goto end; } ret=0; end: if (need_rand) app_RAND_write_file(NULL, bio_err); OBJ_cleanup(); NCONF_free(extconf); BIO_free_all(out); BIO_free_all(STDout); X509_STORE_free(ctx); X509_REQ_free(req); X509_free(x); X509_free(xca); EVP_PKEY_free(Upkey); EVP_PKEY_free(CApkey); if (sigopts) sk_OPENSSL_STRING_free(sigopts); X509_REQ_free(rq); ASN1_INTEGER_free(sno); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); if (passin) OPENSSL_free(passin); apps_shutdown(); OPENSSL_EXIT(ret); }
int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) { long l; int ret = 0, i; char *m = NULL, mlch = ' '; int nmindent = 0; X509_CINF *ci; ASN1_INTEGER *bs; EVP_PKEY *pkey = NULL; const char *neg; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) nmindent = 16; ci = x->cert_info; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) goto err; if (BIO_write(bp, " Data:\n", 10) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_get_version(x); if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SERIAL)) { if (BIO_write(bp, " Serial Number:", 22) <= 0) goto err; bs = X509_get_serialNumber(x); if (bs->length < (int)sizeof(long) || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) { l = ASN1_INTEGER_get(bs); if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; neg = "-"; } else neg = ""; if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0) goto err; } else { neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) goto err; for (i = 0; i < bs->length; i++) { if (BIO_printf(bp, "%02x%c", bs->data[i], ((i + 1 == bs->length) ? '\n' : ':')) <= 0) goto err; } } } if (!(cflag & X509_FLAG_NO_SIGNAME)) { if (X509_signature_print(bp, ci->signature, NULL) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_ISSUER)) { if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VALIDITY)) { if (BIO_write(bp, " Validity\n", 17) <= 0) goto err; if (BIO_write(bp, " Not Before: ", 24) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) goto err; if (BIO_write(bp, "\n Not After : ", 25) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex (bp, X509_get_subject_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_PUBKEY)) { if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) goto err; if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) goto err; if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey = X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); EVP_PKEY_free(pkey); } } if (!(cflag & X509_FLAG_NO_IDS)) { if (ci->issuerUID) { if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, ci->issuerUID, 12)) goto err; } if (ci->subjectUID) { if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, ci->subjectUID, 12)) goto err; } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) X509V3_extensions_print(bp, "X509v3 extensions", ci->extensions, cflag, 8); if (!(cflag & X509_FLAG_NO_SIGDUMP)) { if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_AUX)) { if (!X509_CERT_AUX_print(bp, x->aux, 0)) goto err; } ret = 1; err: if (m != NULL) OPENSSL_free(m); return (ret); }
int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) { long l; int ret = 0, i; char *m = NULL, mlch = ' '; int nmindent = 0; ASN1_INTEGER *bs; EVP_PKEY *pkey = NULL; const char *neg; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } if (nmflags == X509_FLAG_COMPAT) nmindent = 16; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) goto err; if (BIO_write(bp, " Data:\n", 10) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_get_version(x); if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SERIAL)) { if (BIO_write(bp, " Serial Number:", 22) <= 0) goto err; bs = X509_get_serialNumber(x); if (bs->length <= (int)sizeof(long)) { ERR_set_mark(); l = ASN1_INTEGER_get(bs); ERR_pop_to_mark(); } else { l = -1; } if (l != -1) { if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; neg = "-"; } else neg = ""; if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0) goto err; } else { neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) goto err; for (i = 0; i < bs->length; i++) { if (BIO_printf(bp, "%02x%c", bs->data[i], ((i + 1 == bs->length) ? '\n' : ':')) <= 0) goto err; } } } if (!(cflag & X509_FLAG_NO_SIGNAME)) { X509_ALGOR *tsig_alg = X509_get0_tbs_sigalg(x); if (X509_signature_print(bp, tsig_alg, NULL) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_ISSUER)) { if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_VALIDITY)) { if (BIO_write(bp, " Validity\n", 17) <= 0) goto err; if (BIO_write(bp, " Not Before: ", 24) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) goto err; if (BIO_write(bp, "\n Not After : ", 25) <= 0) goto err; if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex (bp, X509_get_subject_name(x), nmindent, nmflags) < 0) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_PUBKEY)) { X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x); ASN1_OBJECT *xpoid; X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey); if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) goto err; if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) goto err; if (i2a_ASN1_OBJECT(bp, xpoid) <= 0) goto err; if (BIO_puts(bp, "\n") <= 0) goto err; pkey = X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); EVP_PKEY_free(pkey); } } if (!(cflag & X509_FLAG_NO_IDS)) { ASN1_BIT_STRING *iuid, *suid; X509_get0_uids(&iuid, &suid, x); if (iuid != NULL) { if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, iuid, 12)) goto err; } if (suid != NULL) { if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) goto err; if (!X509_signature_dump(bp, suid, 12)) goto err; } } if (!(cflag & X509_FLAG_NO_EXTENSIONS)) X509V3_extensions_print(bp, "X509v3 extensions", X509_get0_extensions(x), cflag, 8); if (!(cflag & X509_FLAG_NO_SIGDUMP)) { X509_ALGOR *sig_alg; ASN1_BIT_STRING *sig; X509_get0_signature(&sig, &sig_alg, x); if (X509_signature_print(bp, sig_alg, sig) <= 0) goto err; } if (!(cflag & X509_FLAG_NO_AUX)) { if (!X509_aux_print(bp, x, 0)) goto err; } ret = 1; err: OPENSSL_free(m); return (ret); }