Here are the diffs I mentioned in an earlier email. To recap:
adds the -notext option to the usage info
adds the -nodb option to avoid recording the cert in the database
adds the -mins option to specify cert expiration in minutes
adds the -find DN option to print the pathname of a cert matching
the given DN
patched to store the actual cert filename in the index.txt database
Howard Chu - Black GTS http://highlandsun.com
http://people.we.mediaone.net/hyc
--- ca.c 2000/10/13 12:53:02 1.1
+++ ca.c 2000/10/13 13:01:41
@@ -150,6 +150,7 @@
" -startdate YYMMDDHHMMSSZ - certificate validity notBefore\n",
" -enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)\n",
" -days arg - number of days to certify the certificate for\n",
+" -mins arg - number of minutes to certify the certificate for\n",
" -md arg - md to use, one of md2, md5, sha or sha1\n",
" -policy arg - The CA 'policy' to support\n",
" -keyfile arg - PEM private key file\n",
@@ -163,10 +164,13 @@
" -ss_cert file - File contains a self signed cert to sign\n",
" -preserveDN - Don't re-order the DN\n",
" -batch - Don't ask questions\n",
+" -notext - Don't output decoded cert\n",
+" -nodb - Don't record cert in database\n",
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
" -extensions .. - Extension section (override value in config file)\n",
" -crlexts .. - CRL extension section (override value in config file)\n",
+" -find DN - Output filename where cert for DN is stored\n",
NULL
};
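Review bot: The help text for `-nodb` at L25 understates what the option does: a certificate issued with it is never written to index.txt, so nothing that reads the database afterwards — the `-revoke` path (do_revoke takes the TXT_DB, see the prototype hunk) and the new `-find` lookup — can see it, and the duplicate-subject check in do_body is bypassed as well (later hunk). I'd say so where the operator will read it, e.g. `" -nodb - Don't record cert in database (cert can't be revoked or found with -find later)\n"`. For `-find DN` it would also help to state that the DN must be given in exactly the one-line form stored in the DB_name column, assuming that is what the index holds.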
@@ -186,26 +190,28 @@
static int save_serial(char *serialfile, BIGNUM *serial);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
- BIGNUM *serial, char *startdate,char *enddate, int days,
- int batch, char *ext_sect, LHASH *conf,int verbose);
+ BIGNUM *serial, char *startdate,char *enddate, int mins,
+ int batch, char *ext_sect, LHASH *conf,int verbose,
+ int nodb);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
TXT_DB *db, BIGNUM *serial,char *startdate,
- char *enddate, int days, int batch, char *ext_sect,
- LHASH *conf,int verbose);
+ char *enddate, int mins, int batch, char *ext_sect,
+ LHASH *conf,int verbose,int nodb);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
TXT_DB *db, BIGNUM *serial,char *startdate,
- char *enddate, int days, char *ext_sect,LHASH *conf,
- int verbose);
+ char *enddate, int mins, char *ext_sect,LHASH *conf,
+ int verbose,int nodb);
static int fix_data(int nid, int *type);
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
- char *startdate, char *enddate, int days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, LHASH *conf);
+ char *startdate, char *enddate, int mins, int batch, int verbose,
+ int nodb, X509_REQ *req, char *ext_sect, LHASH *conf);
static int do_revoke(X509 *x509, TXT_DB *db);
static int check_time_format(char *str);
+static char *serial_name(char *buf, ASN1_INTEGER *serial);
static LHASH *conf=NULL;
static char *section=NULL;
@@ -236,6 +242,7 @@
char *infile=NULL;
char *spkac_file=NULL;
char *ss_cert_file=NULL;
+ char *find=NULL;
EVP_PKEY *pkey=NULL;
int output_der = 0;
char *outfile=NULL;
@@ -246,9 +253,10 @@
BIGNUM *serial=NULL;
char *startdate=NULL;
char *enddate=NULL;
- int days=0;
+ int mins=0;
int batch=0;
int notext=0;
+ int nodb=0;
X509 *x509=NULL;
X509 *x=NULL;
BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
@@ -316,7 +324,13 @@
else if (strcmp(*argv,"-days") == 0)
{
if (--argc < 1) goto bad;
- days=atoi(*(++argv));
+ mins=atoi(*(++argv));
+ mins *= 60 * 24;
+ }
+ else if (strcmp(*argv,"-mins") == 0)
+ {
+ if (--argc < 1) goto bad;
+ mins=atoi(*(++argv));
}
else if (strcmp(*argv,"-md") == 0)
{
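Review bot: `-days` and `-mins` both assign `mins` (L94 and L100), so when both appear on one command line the later one silently wins, and a zero from either is later replaced by the config `default_days` (later hunk); consider refusing the combination, or at least state in the usage text that they are mutually exclusive. The `mins *= 60 * 24;` at L95 is also done on an `int` straight from `atoi` with no range check, so a large or negative `-days` wraps silently into an arbitrary validity period; a bounds check before the multiply, e.g. `if (mins < 0 || mins > INT_MAX / (60 * 24)) goto bad;`, would close that.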
@@ -364,6 +378,13 @@
if (--argc < 1) goto bad;
outdir= *(++argv);
}
+ else if (strcmp(*argv,"-find") == 0)
+ {
+ if (--argc < 1) goto bad;
+ find= *(++argv);
+ }
+ else if (strcmp(*argv,"-nodb") == 0)
+ nodb=1;
else if (strcmp(*argv,"-notext") == 0)
notext=1;
else if (strcmp(*argv,"-batch") == 0)
@@ -586,7 +607,7 @@
/*****************************************************************/
/* lookup where to write new certificates */
- if ((outdir == NULL) && (req))
+ if ((outdir == NULL) && (req || find))
{
struct stat sb;
@@ -718,6 +739,24 @@
}
/*****************************************************************/
+ if (find)
+ {
+ char *row[DB_NUMBER],**rrow;
+ for (i=0; i<DB_NUMBER; i++) row[i]=NULL;
+ row[DB_name]=find;
+ rrow=TXT_DB_get_by_index(db,DB_name,row);
+ BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+ BIO_printf(Sout,"%s", outdir);
+#ifndef VMS
+ BIO_printf(Sout,"/");
+#endif
+ if (rrow)
+ BIO_printf(Sout,"%s\n",rrow[DB_file]);
+ else
+ BIO_printf(Sout,"unknown\n");
+ }
+
+ /*****************************************************************/
if (req || gencrl)
{
if (outfile != NULL)
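Review bot: The miss case at L141-L142 prints `<outdir>/unknown` to stdout and carries on with a success status, which is exactly what a row written before this patch also yields, since DB_file used to be filled with the literal "unknown" (the `strcpy` removed at L416) — a caller cannot tell "no such DN" from "old entry". I'd report the miss on bio_err and fail, e.g. `BIO_printf(bio_err,"no certificate found for %s\n",find); goto err;`, and mention in the help text that rows from an older index still hold "unknown" and their file name has to be derived from the serial. `outdir` is also used unchecked at L135; L122 only triggers the config lookup when it is NULL, so this relies on that lookup failing hard, which I can't confirm from the hunk.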
@@ -811,12 +850,13 @@
goto err;
}
- if (days == 0)
+ if (mins == 0)
{
- days=(int)CONF_get_number(conf,section,
+ mins=(int)CONF_get_number(conf,section,
ENV_DEFAULT_DAYS);
+ mins *= 24 * 60;
}
- if (!enddate && (days == 0))
+ if (!enddate && (mins == 0))
{
BIO_printf(bio_err,"cannot lookup how many days to certify
for\n");
goto err;
@@ -849,8 +889,8 @@
{
total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
- serial,startdate,enddate, days,extensions,conf,
- verbose);
+ serial,startdate,enddate, mins,extensions,conf,
+ verbose,nodb);
if (j < 0) goto err;
if (j > 0)
{
@@ -873,8 +913,8 @@
{
total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
- db,serial,startdate,enddate,days,batch,
- extensions,conf,verbose);
+ db,serial,startdate,enddate,mins,batch,
+ extensions,conf,verbose,nodb);
if (j < 0) goto err;
if (j > 0)
{
@@ -892,8 +932,8 @@
{
total++;
j=certify(&x,infile,pkey,x509,dgst,attribs,db,
- serial,startdate,enddate,days,batch,
- extensions,conf,verbose);
+ serial,startdate,enddate,mins,batch,
+ extensions,conf,verbose,nodb);
if (j < 0) goto err;
if (j > 0)
{
@@ -911,8 +951,8 @@
{
total++;
j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
- serial,startdate,enddate,days,batch,
- extensions,conf,verbose);
+ serial,startdate,enddate,mins,batch,
+ extensions,conf,verbose,nodb);
if (j < 0) goto err;
if (j > 0)
{
@@ -946,8 +986,6 @@
}
}
- BIO_printf(bio_err,"Write out database with %d new
entries\n",sk_X509_num(cert_sk));
-
strncpy(buf[0],serialfile,BSIZE-4);
#ifdef VMS
@@ -958,6 +996,10 @@
if (!save_serial(buf[0],serial)) goto err;
+ if (!nodb)
+ {
+ BIO_printf(bio_err,"Write out database with %d new
+entries\n",sk_X509_num(cert_sk));
+
strncpy(buf[1],dbfile,BSIZE-4);
#ifdef VMS
@@ -974,17 +1016,19 @@
}
l=TXT_DB_write(out,db);
if (l <= 0) goto err;
+ }
}
if (verbose)
BIO_printf(bio_err,"writing new certificates\n");
for (i=0; i<sk_X509_num(cert_sk); i++)
{
- int k;
unsigned char *n;
x=sk_X509_value(cert_sk,i);
+ if (!nodb)
+ {
j=x->cert_info->serialNumber->length;
p=(char *)x->cert_info->serialNumber->data;
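Review bot: The `if (!nodb)` opened at L240 (its closing brace is in a later hunk) also suppresses writing the `<serial>.pem` copy into outdir, not just the index.txt update, so with `-nodb` the only copy of the signed certificate is whatever goes to Sout; the option name and its help text mention only the database. Either document that, e.g. `" -nodb - Don't record cert in database and don't write it to outdir\n"`, or keep the outdir write and guard only the index update, depending on which behaviour the option is meant to have.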
@@ -994,22 +1038,8 @@
strcat(buf[2],"/");
#endif
- n=(unsigned char *)&(buf[2][strlen(buf[2])]);
- if (j > 0)
- {
- for (k=0; k<j; k++)
- {
- sprintf((char *)n,"%02X",(unsigned
char)*(p++));
- n+=2;
- }
- }
- else
- {
- *(n++)='0';
- *(n++)='0';
- }
- *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
- *n='\0';
+ n=(unsigned char *)&(buf[2][strlen(buf[2])]);
+ serial_name(n, x->cert_info->serialNumber);
if (verbose)
BIO_printf(bio_err,"writing %s\n",buf[2]);
@@ -1019,6 +1049,7 @@
goto err;
}
write_new_certificate(Cout,x, 0, notext);
+ }
write_new_certificate(Sout,x, output_der, notext);
}
@@ -1053,6 +1084,8 @@
goto err;
}
+ if (!nodb)
+ {
strncpy(buf[2],dbfile,BSIZE-4);
#ifdef VMS
@@ -1077,6 +1110,7 @@
goto err;
}
BIO_printf(bio_err,"Data Base Updated\n");
+ }
}
}
@@ -1303,6 +1337,42 @@
{ return(strcmp(a[DB_name],
b[DB_name])); }
+static char *serial_name(char *buf, ASN1_INTEGER *ai)
+{
+ char *n, *p;
+ int j, k;
+
+ j = ai->length;
+ p = (char *)ai->data;
+
+ if (!buf)
+ {
+ if (j > 0)
+ buf = OPENSSL_malloc(j*2 + 5);
+ else
+ buf = OPENSSL_malloc(7);
+ }
+ n = buf;
+
+ if (j > 0)
+ {
+ for (k=0; k<j; k++)
+ {
+ sprintf((char *)n,"%02X",(unsigned char)*(p++));
+ n+=2;
+ }
+ }
+ else
+ {
+ *(n++)='0';
+ *(n++)='0';
+ }
+ *(n++)='.'; *(n++)='p'; *(n++)='e'; *(n++)='m';
+ *n='\0';
+
+ return buf;
+}
+
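Review bot: `OPENSSL_malloc` at L303 and L305 is not checked, so on allocation failure the `sprintf` at L313 (or the stores at L319-L322) write through NULL before the caller ever sees the NULL it presumably tests for; add `if (buf == NULL) return NULL;` right after the allocation branch. The helper also has no size parameter, so when a caller hands in its own buffer (the outdir path in main) it writes `2*length+5` bytes unbounded — the same as the inline loop it replaced, but a named helper invites more callers, and a `size_t len` argument with a bounded `snprintf` would be the durable fix. A short header comment stating the ownership rule (when `buf` is NULL the result is heap-allocated and the caller frees it with OPENSSL_free) would help too.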
static BIGNUM *load_serial(char *serialfile)
{
BIO *in=NULL;
@@ -1375,8 +1445,8 @@
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *startdate, char *enddate, int days,
- int batch, char *ext_sect, LHASH *lconf, int verbose)
+ BIGNUM *serial, char *startdate, char *enddate, int mins,
+ int batch, char *ext_sect, LHASH *lconf, int verbose, int nodb)
{
X509_REQ *req=NULL;
BIO *in=NULL;
@@ -1424,7 +1494,7 @@
BIO_printf(bio_err,"Signature ok\n");
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate, enddate,
- days,batch,verbose,req,ext_sect,lconf);
+ mins,batch,verbose,nodb,req,ext_sect,lconf);
err:
if (req != NULL) X509_REQ_free(req);
@@ -1434,8 +1504,8 @@
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *startdate, char *enddate, int days,
- int batch, char *ext_sect, LHASH *lconf, int verbose)
+ BIGNUM *serial, char *startdate, char *enddate, int mins,
+ int batch, char *ext_sect, LHASH *lconf, int verbose, int nodb)
{
X509 *req=NULL;
X509_REQ *rreq=NULL;
@@ -1485,8 +1555,8 @@
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err;
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,days,
- batch,verbose,rreq,ext_sect,lconf);
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,mins,
+ batch,verbose,nodb,rreq,ext_sect,lconf);
err:
if (rreq != NULL) X509_REQ_free(rreq);
@@ -1497,8 +1567,8 @@
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,
- char *startdate, char *enddate, int days, int batch, int verbose,
- X509_REQ *req, char *ext_sect, LHASH *lconf)
+ char *startdate, char *enddate, int mins, int batch, int verbose,
+ int nodb, X509_REQ *req, char *ext_sect, LHASH *lconf)
{
X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
ASN1_UTCTIME *tm,*tmptm;
@@ -1727,7 +1797,9 @@
goto err;
}
- rrow=TXT_DB_get_by_index(db,DB_name,row);
+ rrow = NULL;
+ if (!nodb)
+ rrow=TXT_DB_get_by_index(db,DB_name,row);
if (rrow != NULL)
{
BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
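Review bot: Under `-nodb` the lookup at L381-L383 is skipped entirely, so a new certificate is issued for a subject that already has a valid entry in index.txt without hitting the `ERROR:There is already a certificate for` refusal at L386. If bypassing the uniqueness policy is the intent (say, short-lived duplicates next to a long-lived cert), a comment saying so would save the next reader a guess; if not, keep the lookup against the existing db and only skip the insert, i.e. drop the `if (!nodb)` here and leave the guard on the add further down. Either way an issued-but-unrecorded certificate cannot be revoked through this CA later, which deserves a warning on bio_err at issue time. do_body continues outside this hunk.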
@@ -1797,11 +1869,11 @@
else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
if (enddate == NULL)
- X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
+ X509_gmtime_adj(X509_get_notAfter(ret),(long)60*mins);
else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
- if(days) BIO_printf(bio_err," (%d days)",days);
+ if(mins) BIO_printf(bio_err," (%d days)",mins / (24*60));
BIO_printf(bio_err, "\n");
if (!X509_set_subject_name(ret,subject)) goto err;
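Review bot: The validity echo at L395 integer-divides by 1440, so any `-mins` value below a day prints ` (0 days)` and any other non-multiple is truncated, misreporting the notAfter just set at L391. Print minutes whenever the value is not a whole number of days: `if (mins) BIO_printf(bio_err, (mins % (24*60)) ? " (%d mins)" : " (%d days)", (mins % (24*60)) ? mins : mins / (24*60));`. do_body continues outside this hunk.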
@@ -1863,6 +1935,8 @@
if (!X509_sign(ret,pkey,dgst))
goto err;
+ if (!nodb)
+ {
/* We now just add it to the database */
row[DB_type]=(char *)OPENSSL_malloc(2);
@@ -1874,7 +1948,7 @@
row[DB_rev_date]=NULL;
/* row[DB_serial] done already */
- row[DB_file]=(char *)OPENSSL_malloc(8);
+ row[DB_file]=(char *)serial_name(NULL, ci->serialNumber);
/* row[DB_name] done already */
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
@@ -1883,7 +1957,6 @@
BIO_printf(bio_err,"Memory allocation failure\n");
goto err;
}
- strcpy(row[DB_file],"unknown");
row[DB_type][0]='V';
row[DB_type][1]='\0';
@@ -1906,6 +1979,7 @@
BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
goto err;
}
+ }
ok=1;
err:
for (i=0; i<DB_NUMBER; i++)
@@ -1953,8 +2027,8 @@
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *startdate, char *enddate, int days,
- char *ext_sect, LHASH *lconf, int verbose)
+ BIGNUM *serial, char *startdate, char *enddate, int mins,
+ char *ext_sect, LHASH *lconf, int verbose, int nodb)
{
STACK_OF(CONF_VALUE) *sk=NULL;
LHASH *parms=NULL;
@@ -2088,7 +2162,7 @@
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,startdate,enddate,
- days,1,verbose,req,ext_sect,lconf);
+ mins,1,verbose,nodb,req,ext_sect,lconf);
err:
if (req != NULL) X509_REQ_free(req);
if (parms != NULL) CONF_free(parms);
@@ -2160,7 +2234,7 @@
row[DB_rev_date]=NULL;
/* row[DB_serial] done already */
- row[DB_file]=(char *)OPENSSL_malloc(8);
+ row[DB_file]=serial_name(NULL, X509_get_serialNumber(x509));
/* row[DB_name] done already */
@@ -2170,7 +2244,6 @@
BIO_printf(bio_err,"Memory allocation failure\n");
goto err;
}
- strcpy(row[DB_file],"unknown");
row[DB_type][0]='V';
row[DB_type][1]='\0';