author | Rich Salz <rsalz@akamai.com> | 2014-07-12 00:49:57 -0400 |
---|---|---|
committer | Rich Salz <rsalz@akamai.com> | 2014-07-14 18:03:33 -0400 |
commit | 6505061afe5525d0ec37a149680b138fc5b496fc (patch) | |
tree | dd38f131f00d02f93da29339a1033e9076e69d2e | |
parent | 8360c6f616ee13ab97c18977fc1763c63c27e3ad (diff) | |
download | openssl-new-6505061afe5525d0ec37a149680b138fc5b496fc.tar.gz |
Wrote opt_verify; started to use it in last few conversions.
-rw-r--r-- | apps/TODO | 9 | ||||
-rw-r--r-- | apps/apps.c | 213 | ||||
-rw-r--r-- | apps/apps.h | 75 | ||||
-rw-r--r-- | apps/ca.c | 642 | ||||
-rw-r--r-- | apps/cms.c | 48 | ||||
-rw-r--r-- | apps/dsaparam.c | 178 | ||||
-rw-r--r-- | apps/ocsp.c | 740 | ||||
-rw-r--r-- | apps/opt.c | 131 | ||||
-rw-r--r-- | apps/s_client.c | 12 | ||||
-rw-r--r-- | apps/s_server.c | 14 | ||||
-rw-r--r-- | apps/smime.c | 511 | ||||
-rw-r--r-- | apps/verify.c | 161 | ||||
-rw-r--r-- | apps/x509.c | 2 |
13 files changed, 1235 insertions, 1501 deletions
@@ -23,12 +23,13 @@ X 317 dsa.c X 324 rsautl.c X 329 ec.c - 370 apps.h - 390 verify.c +X 390 verify.c X 400 rsa.c X 411 asn1pars.c X 416 genpkey.c X 418 opt.c X 420 crl.c +X 423 dsaparam.c - 433 progs.h X 438 pkcs8.c X 473 passwd.c @@ -42,17 +43,17 @@ X 697 enc.c X 738 srp.c - 758 s_socket.c 789 openssl.c - 829 smime.c +X 829 smime.c X 952 pkcs12.c X 1117 ts.c X 1313 x509.c - 1447 ocsp.c +X 1447 ocsp.c 1514 cms.c X 1758 req.c - 1960 s_cb.c - 2010 testrsa.h 2525 s_client.c 2942 speed.c - 2986 ca.c +X 2986 ca.c 3082 apps.c 3677 s_server.c diff --git a/apps/apps.c b/apps/apps.c index 9526b8b9ca..4aab043aa7 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -2067,219 +2067,6 @@ error: return NULL; } -int args_verify(char ***pargs, int *pargc, - int *badarg, BIO *err, X509_VERIFY_PARAM **pm) - { - ASN1_OBJECT *otmp = NULL; - unsigned long flags = 0; - int i; - int purpose = 0, depth = -1; - char **oldargs = *pargs; - char *arg = **pargs, *argn = (*pargs)[1]; - const X509_VERIFY_PARAM *vpm = NULL; - time_t at_time = 0; - char *hostname = NULL; - char *email = NULL; - char *ipasc = NULL; - if (!strcmp(arg, "-policy")) - { - if (!argn) - *badarg = 1; - else - { - otmp = OBJ_txt2obj(argn, 0); - if (!otmp) - { - BIO_printf(err, "Invalid Policy \"%s\"\n", - argn); - *badarg = 1; - } - } - (*pargs)++; - } - else if (strcmp(arg,"-purpose") == 0) - { - X509_PURPOSE *xptmp; - if (!argn) - *badarg = 1; - else - { - i = X509_PURPOSE_get_by_sname(argn); - if(i < 0) - { - BIO_printf(err, "unrecognized purpose\n"); - *badarg = 1; - } - else - { - xptmp = X509_PURPOSE_get0(i); - purpose = X509_PURPOSE_get_id(xptmp); - } - } - (*pargs)++; - } - else if (strcmp(arg,"-verify_name") == 0) - { - if (!argn) - *badarg = 1; - else - { - vpm = X509_VERIFY_PARAM_lookup(argn); - if(!vpm) - { - BIO_printf(err, "unrecognized verify name\n"); - *badarg = 1; - } - } - (*pargs)++; - } - else if (strcmp(arg,"-verify_depth") == 0) - { - if (!argn) - *badarg = 1; - else - { - depth = atoi(argn); - if(depth < 0) - { - BIO_printf(err, "invalid depth\n"); - *badarg = 1; - } - } - (*pargs)++; - } - else if (strcmp(arg,"-attime") == 0) - { - if (!argn) - *badarg = 1; - else - { - long timestamp; - /* interpret the -attime argument as seconds since - * Epoch */ - if (sscanf(argn, "%li", ×tamp) != 1) - { - BIO_printf(bio_err, - "Error parsing timestamp %s\n", - argn); - *badarg = 1; - } - /* on some platforms time_t may be a float */ - at_time = (time_t) timestamp; - } - (*pargs)++; - } - else if (strcmp(arg,"-verify_hostname") == 0) - { - if (!argn) - *badarg = 1; - hostname = argn; - (*pargs)++; - } - else if (strcmp(arg,"-verify_email") == 0) - { - if 
(!argn) - *badarg = 1; - email = argn; - (*pargs)++; - } - else if (strcmp(arg,"-verify_ip") == 0) - { - if (!argn) - *badarg = 1; - ipasc = argn; - (*pargs)++; - } - else if (!strcmp(arg, "-ignore_critical")) - flags |= X509_V_FLAG_IGNORE_CRITICAL; - else if (!strcmp(arg, "-issuer_checks")) - flags |= X509_V_FLAG_CB_ISSUER_CHECK; - else if (!strcmp(arg, "-crl_check")) - flags |= X509_V_FLAG_CRL_CHECK; - else if (!strcmp(arg, "-crl_check_all")) - flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; - else if (!strcmp(arg, "-policy_check")) - flags |= X509_V_FLAG_POLICY_CHECK; - else if (!strcmp(arg, "-explicit_policy")) - flags |= X509_V_FLAG_EXPLICIT_POLICY; - else if (!strcmp(arg, "-inhibit_any")) - flags |= X509_V_FLAG_INHIBIT_ANY; - else if (!strcmp(arg, "-inhibit_map")) - flags |= X509_V_FLAG_INHIBIT_MAP; - else if (!strcmp(arg, "-x509_strict")) - flags |= X509_V_FLAG_X509_STRICT; - else if (!strcmp(arg, "-extended_crl")) - flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT; - else if (!strcmp(arg, "-use_deltas")) - flags |= X509_V_FLAG_USE_DELTAS; - else if (!strcmp(arg, "-policy_print")) - flags |= X509_V_FLAG_NOTIFY_POLICY; - else if (!strcmp(arg, "-check_ss_sig")) - flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; - else if (!strcmp(arg, "-trusted_first")) - flags |= X509_V_FLAG_TRUSTED_FIRST; - else if (!strcmp(arg, "-suiteB_128_only")) - flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY; - else if (!strcmp(arg, "-suiteB_128")) - flags |= X509_V_FLAG_SUITEB_128_LOS; - else if (!strcmp(arg, "-suiteB_192")) - flags |= X509_V_FLAG_SUITEB_192_LOS; - else if (!strcmp(arg, "-partial_chain")) - flags |= X509_V_FLAG_PARTIAL_CHAIN; - else - return 0; - - if (*badarg) - { - if (*pm) - X509_VERIFY_PARAM_free(*pm); - *pm = NULL; - goto end; - } - - if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) - { - *badarg = 1; - goto end; - } - - if (vpm) - X509_VERIFY_PARAM_set1(*pm, vpm); - - if (otmp) - X509_VERIFY_PARAM_add0_policy(*pm, otmp); - if (flags) - X509_VERIFY_PARAM_set_flags(*pm, flags); 
- - if (purpose) - X509_VERIFY_PARAM_set_purpose(*pm, purpose); - - if (depth >= 0) - X509_VERIFY_PARAM_set_depth(*pm, depth); - - if (at_time) - X509_VERIFY_PARAM_set_time(*pm, at_time); - - if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0)) - *badarg = 1; - - if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0)) - *badarg = 1; - - if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc)) - *badarg = 1; - - end: - - (*pargs)++; - - if (pargc) - *pargc -= *pargs - oldargs; - - return 1; - - } - /* Read whole contents of a BIO into an allocated memory buffer and * return it. */ diff --git a/apps/apps.h b/apps/apps.h index 255bd4100c..057e0644f8 100644 --- a/apps/apps.h +++ b/apps/apps.h 
@@ -152,6 +152,76 @@ extern void unbuffer(FILE* fp); #include <signal.h> #endif +#define OPT_V_ENUM \ + OPT_V__FIRST=2000, \ + OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \ + OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \ + OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \ + OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \ + OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \ + OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \ + OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ + OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ + OPT_V_PARTIAL_CHAIN, \ + OPT_V__LAST + +#define OPT_V_OPTIONS \ + { "policy", OPT_V_POLICY, 's' }, \ + { "purpose", OPT_V_PURPOSE, 's' }, \ + { "verify_name", OPT_V_VERIFY_NAME, 's' }, \ + { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \ + { "attime", OPT_V_ATTIME, 'p' }, \ + { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \ + { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \ + { "verify_ip", OPT_V_VERIFY_IP, 's' }, \ + { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \ + { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \ + { "crl_check", OPT_V_CRL_CHECK, '-' }, \ + { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-' }, \ + { "policy_check", OPT_V_POLICY_CHECK, '-' }, \ + { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \ + { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \ + { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \ + { "x509_strict", OPT_V_X509_STRICT, '-' }, \ + { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \ + { "use_deltas", OPT_V_USE_DELTAS, '-' }, \ + { "policy_print", OPT_V_POLICY_PRINT, '-' }, \ + { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \ + { "trusted_first", OPT_V_TRUSTED_FIRST, '-' }, \ + { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \ + { "suiteB_128", OPT_V_SUITEB_128, '-' }, \ + { "suiteB_192", OPT_V_SUITEB_192, '-' }, \ + { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' } + +#define OPT_V_CASES \ + OPT_V__FIRST: case 
OPT_V__LAST: break; \ + case OPT_V_POLICY: \ + case OPT_V_PURPOSE: \ + case OPT_V_VERIFY_NAME: \ + case OPT_V_VERIFY_DEPTH: \ + case OPT_V_ATTIME: \ + case OPT_V_VERIFY_HOSTNAME: \ + case OPT_V_VERIFY_EMAIL: \ + case OPT_V_VERIFY_IP: \ + case OPT_V_IGNORE_CRITICAL: \ + case OPT_V_ISSUER_CHECKS: \ + case OPT_V_CRL_CHECK: \ + case OPT_V_CRL_CHECK_ALL: \ + case OPT_V_POLICY_CHECK: \ + case OPT_V_EXPLICIT_POLICY: \ + case OPT_V_INHIBIT_ANY: \ + case OPT_V_INHIBIT_MAP: \ + case OPT_V_X509_STRICT: \ + case OPT_V_EXTENDED_CRL: \ + case OPT_V_USE_DELTAS: \ + case OPT_V_POLICY_PRINT: \ + case OPT_V_CHECK_SS_SIG: \ + case OPT_V_TRUSTED_FIRST: \ + case OPT_V_SUITEB_128_ONLY: \ + case OPT_V_SUITEB_128: \ + case OPT_V_SUITEB_192: \ + case OPT_V_PARTIAL_CHAIN + #if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE) # define openssl_fdset(a,b) FD_SET((unsigned int)a, b) @@ -193,7 +263,8 @@ extern char* opt_unknown(void); extern char* opt_reset(void); extern char** opt_rest(void); extern int opt_num_rest(void); -extern int str2fmt(char* s); /* XXX rsalz remove */ +extern int opt_verify(int i, X509_VERIFY_PARAM* vpm); + #define RB(xformat) ((xformat) == FORMAT_ASN1 ? "rb" : "r") #define WB(xformat) ((xformat) == FORMAT_ASN1 ? "wb" : "w") @@ -296,8 +367,6 @@ int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); -int args_verify(char ***pargs, int *pargc, - int *badarg, BIO *err, X509_VERIFY_PARAM **pm); void policies_print(BIO *out, X509_STORE_CTX *ctx); int bio_to_mem(unsigned char **out, int maxlen, BIO *in); int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); @@ -97,6 +97,9 @@ #endif +#undef BSIZE +#define BSIZE 256 + #define BASE_SECTION "ca" #define CONFIG_FILE "openssl.cnf" 
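Review bot: `OPT_V_CASES` expands to `OPT_V__FIRST: case OPT_V__LAST: break; case OPT_V_POLICY: ...`, which only works when the caller writes `case OPT_V_CASES:` so that the leading label and the trailing `case` attach to the surrounding switch, and none of the three macros say so. A comment before the `#define`s would spare the next user the guesswork, e.g. `/* Shared verify options: put OPT_V_ENUM in the enum, OPT_V_OPTIONS in the option table, and write "case OPT_V_CASES:" in the switch, handing the value to opt_verify(). */`. `attime` is typed `'p'` like `verify_depth`, while the removed `-attime` parser in apps.c accepted any `%li` value; if `'p'` restricts the argument to a positive number that is a behaviour change worth recording in the option comment or the commit message.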
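Review bot: `extern int opt_verify(int i, X509_VERIFY_PARAM* vpm);` names its first parameter `i`, which tells a caller nothing about what is expected there, and the header gives no return contract although the cms.c hunk in this commit branches on the result. Suggest `extern int opt_verify(int opt, X509_VERIFY_PARAM *vpm);` preceded by a one-line comment stating that `opt` is the value returned by opt_next() and what zero versus non-zero means, confirmed against the opt.c definition, which is not in this chunk.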
@@ -143,48 +146,6 @@ #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ -const char *ca_help[] = { - "-verbose - Talk a lot while doing things", - "-config file - A config file", - "-name arg - The particular CA definition to use", - "-gencrl - Generate a new CRL", - "-crldays days - Days is when the next CRL is due", - "-crlhours hours - Hours is when the next CRL is due", - "-startdate YYMMDDHHMMSSZ - certificate validity notBefore", - "-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)", - "-days arg - number of days to certify the certificate for", - "-md arg - md to use, one of md2, md5, sha or sha1", - "-policy arg - The CA 'policy' to support", - "-keyfile arg - private key file", - "-keyform arg - private key file format (PEM or ENGINE)", - "-key arg - key to decode the private key if it is encrypted", - "-cert file - The CA certificate", - "-selfsign - sign a certificate with the key associated with it", - "-in file - The input PEM encoded certificate request(s)", - "-out file - Where to put the output file(s)", - "-outdir dir - Where to put output certificates", - "-infiles .... - The last argument, requests to process", - "-spkac file - File contains DN and signed public key and challenge", - "-ss_cert file - File contains a self signed cert to sign", - "-preserveDN - Don't re-order the DN", - "-noemailDN - Don't add the EMAIL field into certificate' subject", - "-batch - Don't ask questions", - "-msie_hack - msie modifications to handle all those universal strings", - "-revoke file - Revoke a certificate (given in file)", - "-subj arg - Use arg instead of request's subject", - "-utf8 - input characters are UTF8 (default ASCII)", - "-multivalue-rdn - enable support for multivalued RDNs", - "-extensions .. - Extension section (override value in config file)", - "-extfile file - Configuration file with X509v3 extensions to add", - "-crlexts .. 
- CRL extension section (override value in config file)", -#ifndef OPENSSL_NO_ENGINE - "-engine e - use engine e, possibly a hardware device.", -#endif - "-status serial - Shows certificate status given the serial number", - "-updatedb - Updates db for expired certificates", - NULL -}; - static void lookup_fail(const char *name, const char *tag); static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509, const EVP_MD *dgst,STACK_OF(OPENSSL_STRING) *sigopts, 
@@ -223,336 +184,323 @@ static int check_time_format(const char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, const char *str); int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); + static CONF *conf=NULL; static CONF *extconf=NULL; static char *section=NULL; - static int preserve=0; static int msie_hack=0; +const char *ca_help[] = { + "-verbose - Talk a lot while doing things", + "-config file - A config file", + "-name arg - The particular CA definition to use", + "-gencrl - Generate a new CRL", + "-crldays days - Days is when the next CRL is due", + "-crlhours hours - Hours is when the next CRL is due", + "-startdate YYMMDDHHMMSSZ - certificate validity notBefore", + "-enddate YYMMDDHHMMSSZ - certificate validity notAfter (overrides -days)", + "-days arg - number of days to certify the certificate for", + "-md arg - md to use, one of md2, md5, sha or sha1", + "-policy arg - The CA 'policy' to support", + "-keyfile arg - private key file", + "-keyform arg - private key file format (PEM or ENGINE)", + "-key arg - key to decode the private key if it is encrypted", + "-cert file - The CA certificate", + "-selfsign - sign a certificate with the key associated with it", + "-in file - The input PEM encoded certificate request(s)", + "-out file - Where to put the output file(s)", + "-outdir dir - Where to put output certificates", + "-infiles .... 
- The last argument, requests to process", + "-spkac file - File contains DN and signed public key and challenge", + "-ss_cert file - File contains a self signed cert to sign", + "-preserveDN - Don't re-order the DN", + "-noemailDN - Don't add the EMAIL field into certificate' subject", + "-batch - Don't ask questions", + "-msie_hack - msie modifications to handle all those universal strings", + "-revoke file - Revoke a certificate (given in file)", + "-subj arg - Use arg instead of request's subject", + "-utf8 - input characters are UTF8 (default ASCII)", + "-multivalue-rdn - enable support for multivalued RDNs", + "-extensions .. - Extension section (override value in config file)", + "-extfile file - Configuration file with X509v3 extensions to add", + "-crlexts .. - CRL extension section (override value in config file)", +#ifndef OPENSSL_NO_ENGINE + "-engine e - use engine e, possibly a hardware device.", +#endif + "-status serial - Shows certificate status given the serial number", + "-updatedb - Updates db for expired certificates", + NULL +}; + +enum options { + OPT_ERR = -1, OPT_EOF = 0, + OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, + OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, + OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, + OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, + OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, + OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, + OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, + OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, + OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE, +}; + +static OPTIONS options[] = { +#ifndef OPENSSL_NO_ENGINE + { "engine", OPT_ENGINE, 's' }, +#endif + { "verbose", OPT_VERBOSE, '-' }, + { "config", OPT_CONFIG, 's' }, + { "name", OPT_NAME, 's' }, + { "subj", OPT_SUBJ, 's' }, + { "utf8", OPT_UTF8, '-' }, + { 
"create_serial", OPT_CREATE_SERIAL, '-' }, + { "multivalue-rdn", OPT_MULTIVALUE_RDN, '-' }, + { "startdate", OPT_STARTDATE, 's' }, + { "enddate", OPT_ENDDATE, 's' }, + { "days", OPT_DAYS, 'p' }, + { "md", OPT_MD, 's' }, + { "policy", OPT_POLICY, 's' }, + { "keyfile", OPT_KEYFILE, '<' }, + { "keyform", OPT_KEYFORM, 'F' }, + { "passin", OPT_PASSIN, 's' }, + { "key", OPT_KEY, 's' }, + { "cert", OPT_CERT, '<' }, + { "selfsign", OPT_SELFSIGN, '-' }, + { "in", OPT_IN, '<' }, + { "out", OPT_OUT, '>' }, + { "outdir", OPT_OUTDIR, '/' }, + { "sigopt", OPT_SIGOPT, 's' }, + { "notext", OPT_NOTEXT, '-' }, + { "batch", OPT_BATCH, '-' }, + { "preserveDN", OPT_PRESERVEDN, '-' }, + { "noemailDN", OPT_NOEMAILDN, '-' }, + { "gencrl", OPT_GENCRL, '-' }, + { "msie_hack", OPT_MSIE_HACK, '-' }, + { "crldays", OPT_CRLDAYS, 'p' }, + { "crlhours", OPT_CRLHOURS, 'p' }, + { "crlsec", OPT_CRLSEC, 'p' }, + { "infiles", OPT_INFILES, 's' }, + { "ss_cert", OPT_SS_CERT, '<' }, + { "spkac", OPT_SPKAC, '<' }, + { "revoke", OPT_REVOKE, '<' }, + { "valid", OPT_VALID, 's' }, + { "extensions", OPT_EXTENSIONS, 's' }, + { "extfile", OPT_EXTFILE, '<' }, + { "status", OPT_STATUS, 's' }, + { "updatedb", OPT_UPDATEDB, '-' }, + { "crlexts", OPT_CRLEXTS, 's' }, + { "crl_reason", OPT_CRL_REASON, 's' }, + { "crl_hold", OPT_CRL_HOLD, 's' }, + { "crl_compromise", OPT_CRL_COMPROMISE, 's' }, + { "crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's' }, + { NULL } +}; int ca_main(int argc, char **argv) { - ENGINE *e = NULL; - char *key=NULL,*passargin=NULL; - int create_ser = 0; - int free_key = 0; - int total=0; - int total_done=0; - int badops=0; - int ret=1; - int email_dn=1; - int req=0; - int verbose=0; - int gencrl=0; - int dorevoke=0; - int doupdatedb=0; - long crldays=0; - long crlhours=0; - long crlsec=0; - long errorline= -1; - char *configfile=NULL; - char *md=NULL; - char *policy=NULL; - char *keyfile=NULL; - char *certfile=NULL; - int keyform=FORMAT_PEM; - char *infile=NULL; - char *spkac_file=NULL; - char 
*ss_cert_file=NULL; - char *ser_status=NULL; + ENGINE *e=NULL; + BIGNUM *crlnumber=NULL, *serial=NULL; EVP_PKEY *pkey=NULL; - int output_der = 0; - char *outfile=NULL; - char *outdir=NULL; - char *serialfile=NULL; - char *crlnumberfile=NULL; - char *extensions=NULL; - char *extfile=NULL; - char *subj=NULL; - unsigned long chtype = MBSTRING_ASC; - int multirdn = 0; - char *tmp_email_dn=NULL; - char *crl_ext=NULL; - int rev_type = REV_NONE; - char *rev_arg = NULL; - BIGNUM *serial=NULL; - BIGNUM *crlnumber=NULL; - char *startdate=NULL; - char *enddate=NULL; - long days=0; - int batch=0; - int notext=0; - unsigned long nameopt = 0, certopt = 0; - int default_op = 1; - int ext_copy = EXT_COPY_NONE; - int selfsign = 0; - X509 *x509=NULL, *x509p = NULL; - X509 *x=NULL; + const EVP_MD *dgst=NULL; + char *configfile=NULL, *md=NULL, *policy=NULL, *keyfile=NULL; + char *certfile=NULL, *crl_ext=NULL, *crlnumberfile=NULL, *enddate=NULL; + char *infile=NULL, *spkac_file=NULL, *ss_cert_file=NULL; + char *extensions=NULL, *extfile=NULL, *key=NULL,*passinarg=NULL; + char *outdir=NULL, *outfile=NULL, *rev_arg=NULL, *ser_status=NULL; + char *serialfile=NULL, *startdate=NULL, *subj=NULL, *tmp_email_dn=NULL; + char * const *pp; + char *dbfile=NULL, *engine=NULL, *f, *randfile=NULL, *tofree=NULL; + const char *p; + int create_ser=0, free_key=0, total=0, total_done=0; + int batch=0, default_op=1, doupdatedb=0, ext_copy=EXT_COPY_NONE; + int keyformat=FORMAT_PEM, multirdn=0, notext=0, output_der=0; + int ret=1, email_dn=1, req=0, verbose=0, gencrl=0, dorevoke=0; + int i, j, rev_type=REV_NONE, selfsign=0; + long crldays=0, crlhours=0, crlsec=0, errorline=-1, days=0; + unsigned long chtype=MBSTRING_ASC, nameopt=0, certopt=0; + X509 *x509=NULL, *x509p=NULL, *x=NULL; BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL; - char *dbfile=NULL; - CA_DB *db=NULL; - X509_CRL *crl=NULL; - X509_REVOKED *r=NULL; - ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; - char *f; - const char *p; - char * const *pp; - int 
i,j; - const EVP_MD *dgst=NULL; + ASN1_TIME *tmptm; + CA_DB *db=NULL; + DB_ATTR db_attr; + MS_STATIC char buf[3][BSIZE]; STACK_OF(CONF_VALUE) *attribs=NULL; + STACK_OF(OPENSSL_STRING) *sigopts=NULL; STACK_OF(X509) *cert_sk=NULL; - STACK_OF(OPENSSL_STRING) *sigopts = NULL; -#undef BSIZE -#define BSIZE 256 - MS_STATIC char buf[3][BSIZE]; - char *randfile=NULL; - char *engine = NULL; - char *tofree=NULL; - DB_ATTR db_attr; + X509_CRL *crl=NULL; + X509_REVOKED *r=NULL; conf = NULL; - key = NULL; section = NULL; - - preserve=0; - msie_hack=0; - argc--; - argv++; - while (argc >= 1) - { - if (strcmp(*argv,"-verbose") == 0) - verbose=1; - else if (strcmp(*argv,"-config") == 0) - { - if (--argc < 1) goto bad; - configfile= *(++argv); - } - else if (strcmp(*argv,"-name") == 0) - { - if (--argc < 1) goto bad; - section= *(++argv); - } - else if (strcmp(*argv,"-subj") == 0) - { - if (--argc < 1) goto bad; - subj= *(++argv); + preserve = 0; + msie_hack = 0; + + enum options o; + char* prog; + + prog = opt_init(argc, argv, options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err,"Valid options are:\n"); + printhelp(ca_help); + goto err; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_VERBOSE: + verbose = 1; + break; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_NAME: + section = opt_arg(); + break; + case OPT_SUBJ: + subj = opt_arg(); /* preserve=1; */ - } - else if (strcmp(*argv,"-utf8") == 0) + break; + case OPT_UTF8: chtype = MBSTRING_UTF8; - else if (strcmp(*argv,"-create_serial") == 0) + break; + case OPT_CREATE_SERIAL: create_ser = 1; - else if (strcmp(*argv,"-multivalue-rdn") == 0) - multirdn=1; - else if (strcmp(*argv,"-startdate") == 0) - { - if (--argc < 1) goto bad; - startdate= *(++argv); - } - else if (strcmp(*argv,"-enddate") == 0) - { - if (--argc < 1) goto bad; - enddate= *(++argv); - } - else if (strcmp(*argv,"-days") == 0) - 
{ - if (--argc < 1) goto bad; - days=atoi(*(++argv)); - } - else if (strcmp(*argv,"-md") == 0) - { - if (--argc < 1) goto bad; - md= *(++argv); - } - else if (strcmp(*argv,"-policy") == 0) - { - if (--argc < 1) goto bad; - policy= *(++argv); - } - else if (strcmp(*argv,"-keyfile") == 0) - { - if (--argc < 1) goto bad; - keyfile= *(++argv); - } - else if (strcmp(*argv,"-keyform") == 0) - { - if (--argc < 1) goto bad; - keyform=str2fmt(*(++argv)); - } - else if (strcmp(*argv,"-passin") == 0) - { - if (--argc < 1) goto bad; - passargin= *(++argv); - } - else if (strcmp(*argv,"-key") == 0) - { - if (--argc < 1) goto bad; - key= *(++argv); - } - else if (strcmp(*argv,"-cert") == 0) - { - if (--argc < 1) goto bad; - certfile= *(++argv); - } - else if (strcmp(*argv,"-selfsign") == 0) + break; + case OPT_MULTIVALUE_RDN: + multirdn = 1; + break; + case OPT_STARTDATE: + startdate = opt_arg(); + break; + case OPT_ENDDATE: + enddate = opt_arg(); + break; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_MD: + md = opt_arg(); + break; + case OPT_POLICY: + policy = opt_arg(); + break; + case OPT_KEYFILE: + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + opt_format(opt_arg(), 1, &keyformat); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_KEY: + key = opt_arg(); + break; + case OPT_CERT: + certfile = opt_arg(); + break; + case OPT_SELFSIGN: selfsign=1; - else if (strcmp(*argv,"-in") == 0) - { - if (--argc < 1) goto bad; - infile= *(++argv); - req=1; - } - else if (strcmp(*argv,"-out") == 0) - { - if (--argc < 1) goto bad; - outfile= *(++argv); - } - else if (strcmp(*argv,"-outdir") == 0) - { - if (--argc < 1) goto bad; - outdir= *(++argv); - } - else if (strcmp(*argv,"-sigopt") == 0) - { - if (--argc < 1) - goto bad; - if (!sigopts) + break; + case OPT_OUTDIR: + outdir = opt_arg(); + break; + case OPT_SIGOPT: + if (sigopts == NULL) sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - 
goto bad; - } - else if (strcmp(*argv,"-notext") == 0) - notext=1; - else if (strcmp(*argv,"-batch") == 0) - batch=1; - else if (strcmp(*argv,"-preserveDN") == 0) - preserve=1; - else if (strcmp(*argv,"-noemailDN") == 0) - email_dn=0; - else if (strcmp(*argv,"-gencrl") == 0) - gencrl=1; - else if (strcmp(*argv,"-msie_hack") == 0) - msie_hack=1; - else if (strcmp(*argv,"-crldays") == 0) - { - if (--argc < 1) goto bad; - crldays= atol(*(++argv)); - } - else if (strcmp(*argv,"-crlhours") == 0) - { - if (--argc < 1) goto bad; - crlhours= atol(*(++argv)); - } - else if (strcmp(*argv,"-crlsec") == 0) - { - if (--argc < 1) goto bad; - crlsec = atol(*(++argv)); - } - else if (strcmp(*argv,"-infiles") == 0) - { - argc--; - argv++; - req=1; + if (sigopts == NULL || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto err; break; - } - else if (strcmp(*argv, "-ss_cert") == 0) - { - if (--argc < 1) goto bad; - ss_cert_file = *(++argv); - req=1; - } - else if (strcmp(*argv, "-spkac") == 0) - { - if (--argc < 1) goto bad; - spkac_file = *(++argv); - req=1; - } - else if (strcmp(*argv,"-revoke") == 0) - { - if (--argc < 1) goto bad; - infile= *(++argv); - dorevoke=1; - } - else if (strcmp(*argv,"-valid") == 0) - { - if (--argc < 1) goto bad; - infile= *(++argv); - dorevoke=2; - } - else if (strcmp(*argv,"-extensions") == 0) - { - if (--argc < 1) goto bad; - extensions= *(++argv); - } - else if (strcmp(*argv,"-extfile") == 0) - { - if (--argc < 1) goto bad; - extfile= *(++argv); - } - else if (strcmp(*argv,"-status") == 0) - { - if (--argc < 1) goto bad; - ser_status= *(++argv); - } - else if (strcmp(*argv,"-updatedb") == 0) - { - doupdatedb=1; - } - else if (strcmp(*argv,"-crlexts") == 0) - { - if (--argc < 1) goto bad; - crl_ext= *(++argv); - } - else if (strcmp(*argv,"-crl_reason") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); + case OPT_NOTEXT: + notext = 1; + break; + case OPT_BATCH: + batch = 1; + break; + case OPT_PRESERVEDN: + preserve = 1; + break; + case 
OPT_NOEMAILDN: + email_dn = 0; + break; + case OPT_GENCRL: + gencrl = 1; + break; + case OPT_MSIE_HACK: + msie_hack = 1; + break; + case OPT_CRLDAYS: + crldays = atol(opt_arg()); + break; + case OPT_CRLHOURS: + crlhours = atol(opt_arg()); + break; + case OPT_CRLSEC: + crlsec = atol(opt_arg()); + break; + case OPT_INFILES: + req = 1; + break; + case OPT_SS_CERT: + ss_cert_file = opt_arg(); + req = 1; + break; + case OPT_SPKAC: + spkac_file = opt_arg(); + req = 1; + break; + case OPT_REVOKE: + infile = opt_arg(); + dorevoke = 1; + break; + case OPT_VALID: + infile = opt_arg(); + dorevoke = 2; + break; + case OPT_EXTENSIONS: + extensions = opt_arg(); + break; + case OPT_EXTFILE: + extfile = opt_arg(); + break; + case OPT_STATUS: + ser_status = opt_arg(); + break; + case OPT_UPDATEDB: + doupdatedb = 1; + break; + case OPT_CRLEXTS: + crl_ext = opt_arg(); + break; + case OPT_CRL_REASON: + rev_arg = opt_arg(); rev_type = REV_CRL_REASON; - } - else if (strcmp(*argv,"-crl_hold") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_HOLD: + rev_arg = opt_arg(); rev_type = REV_HOLD; - } - else if (strcmp(*argv,"-crl_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_COMPROMISE: + rev_arg = opt_arg(); rev_type = REV_KEY_COMPROMISE; - } - else if (strcmp(*argv,"-crl_CA_compromise") == 0) - { - if (--argc < 1) goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_CA_COMPROMISE: + rev_arg = opt_arg(); rev_type = REV_CA_COMPROMISE; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv,"-engine") == 0) - { - if (--argc < 1) goto bad; - engine= *(++argv); - } -#endif - else - { -bad: - BIO_printf(bio_err,"unknown option %s\n",*argv); - badops=1; break; - } - argc--; - argv++; - } - - if (badops) - { - BIO_printf(bio_err, "usage: ca args\n"); - printhelp(ca_help); - goto err; + case OPT_ENGINE: + engine = opt_arg(); + break; } + } /*****************************************************************/ 
tofree=NULL; @@ -715,13 +663,13 @@ bad: if (!key) { free_key = 1; - if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) + if (!app_passwd(bio_err, passinarg, NULL, &key, NULL)) { BIO_printf(bio_err,"Error getting password\n"); goto err; } } - pkey = load_key(bio_err, keyfile, keyform, 0, key, e, + pkey = load_key(bio_err, keyfile, keyformat, 0, key, e, "CA private key"); if (key) OPENSSL_cleanse(key,strlen(key)); if (pkey == NULL) @@ -2615,8 +2563,8 @@ static int do_updatedb (CA_DB *db) /* all on the same y2k side */ if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { - rrow[DB_type][0] = 'E'; - rrow[DB_type][1] = '\0'; + rrow[DB_type][0] = 'E'; + rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", diff --git a/apps/cms.c b/apps/cms.c index bdb9e26800..f34655b24a 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -212,6 +212,9 @@ int cms_main(int argc, char **argv) ASN1_OBJECT *econtent_type = NULL; X509_VERIFY_PARAM *vpm = NULL; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + args = argv + 1; ret = 1; while (!badarg && *args && *args[0] == '-') 
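Review bot: `case OPT_IN:` in the new switch only assigns `infile` and drops the `req=1` that the removed `-in` branch set, so `-in file` no longer marks the run as a request-processing job unless something after the hunk sets `req`; suggested `case OPT_IN: infile = opt_arg(); req = 1; break;`. Under `case OPT_KEYFORM:` the result of `opt_format(opt_arg(), 1, &keyformat)` is discarded, whereas the cms.c hunk in this commit checks `opt_cipher()` and jumps to an error label, so an unrecognised `-keyform` value would presumably continue with whatever `keyformat` holds. `case OPT_INFILES: req = 1; break;` leaves the switch rather than the `while`, while the removed branch stopped option parsing so that every remaining argument was a request file; with the `'s'` table entry consuming a single argument it is not visible here how the rest of the file names reach the later code. `enum options o; char* prog;` are declared after the `conf = NULL;` statements, a C99 mixed declaration in a file otherwise written in C89 style, and `prog` is assigned but not used within the hunk. ca_main's body continues past the end of the hunk.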
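Review bot: `vpm` is now allocated unconditionally at the top of cms_main, so any later `if (vpm)` test that decided whether to install verification parameters on the store (outside this hunk) will always be taken; worth confirming that installing a freshly created, untouched X509_VERIFY_PARAM is equivalent to installing none, or gating it on the `vpmtouched` counter that the later `@@ -628` hunk's comment hints at. The early `return 1` happens before `args` and `ret` are set and nothing else is allocated at that point, so no leak is visible. cms_main's body continues outside the hunk.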
@@ -256,32 +259,11 @@ int cms_main(int argc, char **argv) operation = SMIME_ENCRYPTED_DECRYPT; else if (!strcmp (*args, "-EncryptedData_encrypt")) operation = SMIME_ENCRYPTED_ENCRYPT; -#ifndef OPENSSL_NO_DES - else if (!strcmp (*args, "-des3")) - cipher = EVP_des_ede3_cbc(); - else if (!strcmp (*args, "-des")) - cipher = EVP_des_cbc(); - else if (!strcmp (*args, "-des3-wrap")) - wrap_cipher = EVP_des_ede3_wrap(); -#endif -#ifndef OPENSSL_NO_SEED - else if (!strcmp (*args, "-seed")) - cipher = EVP_seed_cbc(); -#endif -#ifndef OPENSSL_NO_RC2 - else if (!strcmp (*args, "-rc2-40")) - cipher = EVP_rc2_40_cbc(); - else if (!strcmp (*args, "-rc2-128")) - cipher = EVP_rc2_cbc(); - else if (!strcmp (*args, "-rc2-64")) - cipher = EVP_rc2_64_cbc(); -#endif + case OPT_CIPHER: + if (!opt_cipher(opt_arg(), &cipher)) + goto bad; + break; #ifndef OPENSSL_NO_AES - else if (!strcmp(*args,"-aes128")) - cipher = EVP_aes_128_cbc(); - else if (!strcmp(*args,"-aes192")) - cipher = EVP_aes_192_cbc(); - else if (!strcmp(*args,"-aes256")) cipher = EVP_aes_256_cbc(); else if (!strcmp(*args,"-aes128-wrap")) wrap_cipher = EVP_aes_128_wrap(); @@ -290,14 +272,6 @@ int cms_main(int argc, char **argv) else if (!strcmp(*args,"-aes256-wrap")) wrap_cipher = EVP_aes_256_wrap(); #endif -#ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args,"-camellia128")) - cipher = EVP_camellia_128_cbc(); - else if (!strcmp(*args,"-camellia192")) - cipher = EVP_camellia_192_cbc(); - else if (!strcmp(*args,"-camellia256")) - cipher = EVP_camellia_256_cbc(); -#endif else if (!strcmp (*args, "-debug_decrypt")) flags |= CMS_DEBUG_DECRYPT; else if (!strcmp (*args, "-text")) @@ -423,14 +397,12 @@ int cms_main(int argc, char **argv) inrand = *args; need_rand = 1; } -#ifndef OPENSSL_NO_ENGINE else if (!strcmp(*args,"-engine")) { if (!args[1]) goto argerr; engine = *++args; } -#endif else if (!strcmp(*args,"-passin")) { if (!args[1]) 
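Review bot: The inserted `case OPT_CIPHER: ... break;` sits inside the existing `else if (!strcmp(*args, ...))` chain of cms_main, not in a `switch`, so the `case` label will not compile, and with the `-aes256` comparison removed the surviving `cipher = EVP_aes_256_cbc();` under `#ifndef OPENSSL_NO_AES` is now a bare statement followed by an `else` with no `if`. The removed `-des3`/`-seed`/`-rc2-*`/`-aes128`/`-aes192` branches are presumably meant to go through `opt_cipher()`, which the later `@@ -628` hunk already does with `opt_cipher(opt_unknown(), &cipher)`; until this loop is converted to `opt_next()`, either drop this hunk or write it as `else if (!strcmp(*args, "-cipher")) { ... }` with the same argument check the old branches used. The `goto bad` target is not visible in this function, whose existing branches jump to `argerr`. cms_main continues outside the hunk.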
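Review bot: Dropping the `#ifndef OPENSSL_NO_ENGINE` guard means `-engine` is parsed even in builds without engine support, while the ca.c conversion in this commit keeps its table entry under that guard; whether `engine` is then silently ignored or rejected depends on code outside the hunk. If accepting the option in all builds is intended, a one-line comment such as `/* -engine is parsed in every build; the OPENSSL_NO_ENGINE case is handled where the engine is loaded */` would record that; otherwise keep the guard for consistency with ca.c.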
@@ -628,7 +600,8 @@ int cms_main(int argc, char **argv) goto argerr; contfile = *++args; } - else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) + // case OPT_V_COMMON_VERIFY_CASES: vpmtouched++; + else if (opt_verify(i, vpm)) continue; else if (!opt_cipher(opt_unknown(), &cipher)) badarg = 1; @@ -1275,8 +1248,7 @@ end: app_RAND_write_file(NULL, bio_err); sk_X509_pop_free(encerts, X509_free); sk_X509_pop_free(other, X509_free); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); if (sksigners) sk_OPENSSL_STRING_free(sksigners); if (skkeys) diff --git a/apps/dsaparam.c b/apps/dsaparam.c index f79dbedaab..61030f251c 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c 
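Review bot: `else if (opt_verify(i, vpm))` passes `i` as the option id, but this loop still dispatches on `*args` with strcmp and nothing in the hunk assigns `i` from the current argument, so unless `i` is set elsewhere in the function the call receives an unrelated value; the removed `args_verify(&args, ...)` also advanced `args` past the option's argument and reported `badarg`, and the new form needs to do both before the `continue`. The `// case OPT_V_COMMON_VERIFY_CASES: vpmtouched++;` line names a macro that apps.h in this commit defines as `OPT_V_CASES`, and uses a `//` comment in a file that otherwise uses `/* */`; suggest `/* TODO: case OPT_V_CASES: vpmtouched++; once this loop uses opt_next() */`. cms_main continues outside the hunk.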
@@ -110,110 +110,102 @@ const char* dsaparam_help[] = { NULL }; +enum options { + OPT_ERR = -1, OPT_EOF = 0, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, + OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE, + OPT_TIMEBOMB, +}; + +static OPTIONS options[] = { + { "inform", OPT_INFORM, 'F' }, + { "outform", OPT_OUTFORM, 'F' }, + { "in", OPT_IN, '<' }, + { "out", OPT_OUT, '>' }, + { "text", OPT_TEXT, '-' }, + { "C", OPT_C, '-' }, + { "noout", OPT_NOOUT, '-' }, + { "genkey", OPT_GENKEY, '-' }, + { "rand", OPT_RAND, 's' }, + { "non-fips-allow", OPT_NON_FIPS_ALLOW, '-' }, +#ifndef OPENSSL_NO_ENGINE + { "engine", OPT_ENGINE, 's' }, +#endif +#ifdef GENCB_TEST + { "timebomb", OPT_TIMEBOMB, 'p' }, +#endif + { NULL } +}; + int dsaparam_main(int argc, char **argv) { DSA *dsa=NULL; - int i,badops=0,text=0; BIO *in=NULL,*out=NULL; - int informat,outformat,noout=0,C=0,ret=1; - char *infile,*outfile,*prog,*inrand=NULL; - int numbits= -1,num,genkey=0; - int need_rand=0; - int non_fips_allow = 0; -#ifndef OPENSSL_NO_ENGINE + int i,badops=0,text=0; + int numbits=-1,num,genkey=0, need_rand=0, non_fips_allow=0; + int informat=FORMAT_PEM,outformat=FORMAT_PEM,noout=0,C=0,ret=1; + char *infile=NULL,*outfile=NULL,*prog,*inrand=NULL; char *engine=NULL; -#endif -#ifdef GENCB_TEST int timebomb=0; -#endif - - infile=NULL; - outfile=NULL; - informat=FORMAT_PEM; - outformat=FORMAT_PEM; + enum options o; - prog=argv[0]; - argc--; - argv++; - while (argc >= 1) - { - if (strcmp(*argv,"-inform") == 0) - { - if (--argc < 1) goto bad; - informat=str2fmt(*(++argv)); - } - else if (strcmp(*argv,"-outform") == 0) - { - if (--argc < 1) goto bad; - outformat=str2fmt(*(++argv)); - } - else if (strcmp(*argv,"-in") == 0) - { - if (--argc < 1) goto bad; - infile= *(++argv); - } - else if (strcmp(*argv,"-out") == 0) - { - if (--argc < 1) goto bad; - outfile= *(++argv); - } -#ifndef OPENSSL_NO_ENGINE - else if(strcmp(*argv, "-engine") == 0) - { - if (--argc < 1) goto bad; - engine = 
*(++argv); - } -#endif -#ifdef GENCB_TEST - else if(strcmp(*argv, "-timebomb") == 0) - { - if (--argc < 1) goto bad; - timebomb = atoi(*(++argv)); - } -#endif - else if (strcmp(*argv,"-text") == 0) - text=1; - else if (strcmp(*argv,"-C") == 0) - C=1; - else if (strcmp(*argv,"-genkey") == 0) - { - genkey=1; - need_rand=1; - } - else if (strcmp(*argv,"-rand") == 0) - { - if (--argc < 1) goto bad; - inrand= *(++argv); - need_rand=1; - } - else if (strcmp(*argv,"-noout") == 0) - noout=1; - else if (strcmp(*argv,"-non-fips-allow") == 0) + prog = opt_init(argc, argv, options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err,"Valid options are:\n"); + printhelp(dsaparam_help); + goto end; + case OPT_INFORM: + opt_format(opt_arg(), 1, &informat); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + opt_format(opt_arg(), 1, &outformat); + break; + case OPT_OUT: + outfile= opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_TIMEBOMB: + timebomb = atoi(opt_arg()); + break; + case OPT_TEXT: + text = 1; + break; + case OPT_C: + C = 1; + break; + case OPT_GENKEY: + genkey = need_rand = 1; + break; + case OPT_RAND: + inrand = opt_arg(); + need_rand = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; - else if (sscanf(*argv,"%d",&num) == 1) - { - /* generate a key */ - numbits=num; - need_rand=1; - } - else - { - BIO_printf(bio_err,"unknown option %s\n",*argv); - badops=1; break; - } - argc--; - argv++; } + } - if (badops) - { -bad: - BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog); - BIO_printf(bio_err,"where options are\n"); - printhelp(dsaparam_help); - goto end; - } + argc = opt_num_rest(); + argv = opt_rest(); + if (argc == 1) { + if ( !opt_int(argv[0], &num)) + goto end; + /* generate a key */ + numbits = num; + need_rand = 1; + } in = bio_open_default(infile, "r"); if (in == NULL) 
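Review bot: The return values of `opt_format(opt_arg(), 1, &informat)` and `opt_format(opt_arg(), 1, &outformat)` are ignored, so an unrecognised `-inform`/`-outform` value silently keeps the PEM default instead of failing; `if (!opt_format(opt_arg(), 1, &informat)) goto end;` (and the same for outform) matches how the other `opt_*` helpers in this commit report errors. The positional handling reads `argv[0]` only when `argc == 1`, so two or more trailing arguments are now silently ignored where the old loop rejected them as unknown options; `if (argc > 1) goto end;` after printing the help restores that. `badops` is still declared and initialised but never read now that the `bad:` block is gone, and `i` looks unused as well. dsaparam_main continues past this hunk.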
diff --git a/apps/ocsp.c b/apps/ocsp.c index 3f4368b45a..9af4b16d2d 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c 
@@ -168,124 +168,157 @@ const char* ocsp_help[] = { "-<dgst alg> use specified digest in the request", NULL }; + + +enum options { + OPT_ERR = -1, OPT_EOF = 0, + OPT_V_ENUM, + OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, + OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, + OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, + OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, + OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, + OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, + OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, + OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, + OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, + OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, + OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, + OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_MD, +}; + +static OPTIONS options[] = { + OPT_V_OPTIONS, + { "out", OPT_OUTFILE, '>' }, + { "timeout", OPT_TIMEOUT, 'p' }, + { "url", OPT_URL, 's' }, + { "host", OPT_HOST, 's' }, + { "port", OPT_PORT, 's' }, + { "ignore_err", OPT_IGNORE_ERR, '-' }, + { "noverify", OPT_NOVERIFY, '-' }, + { "nonce", OPT_NONCE, '-' }, + { "no_nonce", OPT_NO_NONCE, '-' }, + { "resp_no_certs", OPT_RESP_NO_CERTS, '-' }, + { "resp_key_id", OPT_RESP_KEY_ID, '-' }, + { "no_certs", OPT_NO_CERTS, '-' }, + { "no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-' }, + { "no_cert_verify", OPT_NO_CERT_VERIFY, '-' }, + { "no_chain", OPT_NO_CHAIN, '-' }, + { "no_cert_checks", OPT_NO_CERT_CHECKS, '-' }, + { "no_explicit", OPT_NO_EXPLICIT, '-' }, + { "trust_other", OPT_TRUST_OTHER, '-' }, + { "no_intern", OPT_NO_INTERN, '-' }, + { "badsig", OPT_BADSIG, '-' }, + { "text", OPT_TEXT, '-' }, + { "req_text", OPT_REQ_TEXT, '-' }, + { "resp_text", OPT_RESP_TEXT, '-' }, + { "reqin", OPT_REQIN, 's' }, + { "respin", OPT_RESPIN, 's' }, + { "signer", OPT_SIGNER, '<' }, + { "VAfile", OPT_VAFILE, '<' }, + { "sign_other", OPT_SIGN_OTHER, '<' }, + { "verify_other", 
OPT_VERIFY_OTHER, '<' }, + { "CAfile", OPT_CAFILE, '<' }, + { "CApath", OPT_CAPATH, '<' }, + { "validity_period", OPT_VALIDITY_PERIOD, 'p' }, + { "status_age", OPT_STATUS_AGE, 'p' }, + { "signkey", OPT_SIGNKEY, 's' }, + { "reqout", OPT_REQOUT, 's' }, + { "respout", OPT_RESPOUT, 's' }, + { "path", OPT_PATH, 's' }, + { "issuer", OPT_ISSUER, '<' }, + { "cert", OPT_CERT, '<' }, + { "serial", OPT_SERIAL, 's' }, + { "index", OPT_INDEX, ',' }, + { "CA", OPT_CA, ',' }, + { "nmin", OPT_NMIN, 'p' }, + { "nrequest", OPT_REQUEST, 'p' }, + { "ndays", OPT_NDAYS, 'p' }, + { "rsigner", OPT_RSIGNER, '<' }, + { "rkey", OPT_RKEY, '<' }, + { "rother", OPT_ROTHER, '<' }, + { "rmd", OPT_RMD, 's' }, + { "", OPT_MD, '-' }, + { NULL } +}; + int ocsp_main(int argc, char **argv) { - ENGINE *e = NULL; - char **args; - char *host = NULL, *port = NULL, *path = "/"; - char *thost = NULL, *tport = NULL, *tpath = NULL; - char *reqin = NULL, *respin = NULL; - char *reqout = NULL, *respout = NULL; - char *signfile = NULL, *keyfile = NULL; - char *rsignfile = NULL, *rkeyfile = NULL; - char *outfile = NULL; - int add_nonce = 1, noverify = 0, use_ssl = -1; - STACK_OF(CONF_VALUE) *headers = NULL; - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_BASICRESP *bs = NULL; - X509 *issuer = NULL, *cert = NULL; - X509 *signer = NULL, *rsigner = NULL; - EVP_PKEY *key = NULL, *rkey = NULL; - BIO *acbio = NULL, *cbio = NULL; - BIO *derbio = NULL; - BIO *out = NULL; - int req_timeout = -1; - int req_text = 0, resp_text = 0; - long nsec = MAX_VALIDITY_PERIOD, maxage = -1; - char *CAfile = NULL, *CApath = NULL; - X509_STORE *store = NULL; - X509_VERIFY_PARAM *vpm = NULL; - STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; - char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; - unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; - int ret = 1; - int accept_count = -1; - int badarg = 0; - int badsig = 0; - int i; - int ignore_err = 0; - 
STACK_OF(OPENSSL_STRING) *reqnames = NULL; - STACK_OF(OCSP_CERTID) *ids = NULL; - - X509 *rca_cert = NULL; - char *ridx_filename = NULL; - char *rca_filename = NULL; - CA_DB *rdb = NULL; - int nmin = 0, ndays = -1; - const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; - - args = argv + 1; + BIO *acbio=NULL, *cbio=NULL, *derbio=NULL, *out=NULL; + const EVP_MD *cert_id_md=NULL, *rsign_md=NULL; + CA_DB *rdb=NULL; + EVP_PKEY *key=NULL, *rkey=NULL; + OCSP_BASICRESP *bs=NULL; + OCSP_REQUEST *req=NULL; + OCSP_RESPONSE *resp=NULL; + STACK_OF(CONF_VALUE) *headers=NULL; + STACK_OF(OCSP_CERTID) *ids=NULL; + STACK_OF(OPENSSL_STRING) *reqnames=NULL; + STACK_OF(X509) *sign_other=NULL, *verify_other=NULL, *rother=NULL; + X509 *issuer=NULL, *cert=NULL, *rca_cert=NULL; + X509 *signer=NULL, *rsigner=NULL; + X509_STORE *store=NULL; + X509_VERIFY_PARAM *vpm=NULL; + char *CAfile=NULL, *CApath=NULL; + char *host=NULL, *port=NULL, *path="/", *outfile=NULL; + char *rca_filename=NULL, *reqin=NULL, *respin=NULL; + char *reqout=NULL, *respout=NULL, *ridx_filename=NULL; + char *rsignfile=NULL, *rkeyfile=NULL; + char *sign_certfile=NULL, *verify_certfile=NULL, *rcertfile=NULL; + char *signfile=NULL, *keyfile=NULL; + char *thost=NULL, *tport=NULL, *tpath=NULL; + int accept_count=-1, add_nonce=1, noverify=0, use_ssl=-1; + int vpmtouched=0, badsig=0, i, ignore_err=0, nmin=0, ndays=-1; + int req_text=0, resp_text=0, req_timeout=-1, ret=1; + long nsec=MAX_VALIDITY_PERIOD, maxage=-1; + unsigned long sign_flags=0, verify_flags=0, rflags=0; + enum options o; + char* prog; + reqnames = sk_OPENSSL_STRING_new_null(); ids = sk_OCSP_CERTID_new_null(); - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp(*args, "-out")) - { - if (args[1]) - { - args++; - outfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-timeout")) - { - if (args[1]) - { - args++; - req_timeout = atol(*args); - if (req_timeout < 0) - { - BIO_printf(bio_err, - "Illegal timeout value %s\n", - *args); - badarg = 
1; - } - } - else badarg = 1; - } - else if (!strcmp(*args, "-url")) - { + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + prog = opt_init(argc, argv, options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +err: + BIO_printf(bio_err,"Valid options are:\n"); + printhelp(ocsp_help); + goto end; + case OPT_OUTFILE: + outfile = opt_arg(); + break; + case OPT_TIMEOUT: + req_timeout = atoi(opt_arg()); + break; + case OPT_URL: if (thost) OPENSSL_free(thost); if (tport) OPENSSL_free(tport); if (tpath) OPENSSL_free(tpath); - if (args[1]) - { - args++; - if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) - { - BIO_printf(bio_err, "Error parsing URL\n"); - badarg = 1; - } - thost = host; - tport = port; - tpath = path; - } - else badarg = 1; - } - else if (!strcmp(*args, "-host")) - { - if (args[1]) - { - args++; - host = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-port")) - { - if (args[1]) - { - args++; - port = *args; - } - else badarg = 1; + if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) { + BIO_printf(bio_err, + "%s Error parsing URL\n", prog); + goto end; } - else if (!strcmp(*args, "-header")) + thost = host; + tport = port; + tpath = path; + break; + case OPT_HOST: + host = opt_arg(); + break; + case OPT_PORT: + port = opt_arg(); + break; + /* + else if (!strcmp(opt_arg(), "-header")) { if (args[1] && args[2]) { 
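Review bot: `req_timeout = atoi(opt_arg());` drops the `Illegal timeout value` rejection the old `-timeout` branch had, so a negative value is now accepted unless `opt_next()` enforces the `'p'` type from the table, which this hunk does not show; `if (!opt_int(opt_arg(), &req_timeout) || req_timeout < 0) goto err;` keeps the old behaviour. The `err:` label sits inside the `switch` body, so the later `goto err` jumps into the parsing loop to print help; a label placed next to `end:` would read more plainly. The commented-out `-header` block opened with `/*` at the end of this hunk is dead code carried across hunks and should be removed rather than kept. ocsp_main continues past this hunk.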
@@ -295,357 +328,176 @@ int ocsp_main(int argc, char **argv) } else badarg = 1; } - else if (!strcmp(*args, "-ignore_err")) + */ + case OPT_IGNORE_ERR: ignore_err = 1; - else if (!strcmp(*args, "-noverify")) + break; + case OPT_NOVERIFY: noverify = 1; - else if (!strcmp(*args, "-nonce")) + break; + case OPT_NONCE: add_nonce = 2; - else if (!strcmp(*args, "-no_nonce")) + break; + case OPT_NO_NONCE: add_nonce = 0; - else if (!strcmp(*args, "-resp_no_certs")) + break; + case OPT_RESP_NO_CERTS: rflags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-resp_key_id")) + break; + case OPT_RESP_KEY_ID: rflags |= OCSP_RESPID_KEY; - else if (!strcmp(*args, "-no_certs")) + break; + case OPT_NO_CERTS: sign_flags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-no_signature_verify")) + break; + case OPT_NO_SIGNATURE_VERIFY: verify_flags |= OCSP_NOSIGS; - else if (!strcmp(*args, "-no_cert_verify")) + break; + case OPT_NO_CERT_VERIFY: verify_flags |= OCSP_NOVERIFY; - else if (!strcmp(*args, "-no_chain")) + break; + case OPT_NO_CHAIN: verify_flags |= OCSP_NOCHAIN; - else if (!strcmp(*args, "-no_cert_checks")) + break; + case OPT_NO_CERT_CHECKS: verify_flags |= OCSP_NOCHECKS; - else if (!strcmp(*args, "-no_explicit")) + break; + case OPT_NO_EXPLICIT: verify_flags |= OCSP_NOEXPLICIT; - else if (!strcmp(*args, "-trust_other")) + break; + case OPT_TRUST_OTHER: verify_flags |= OCSP_TRUSTOTHER; - else if (!strcmp(*args, "-no_intern")) + break; + case OPT_NO_INTERN: verify_flags |= OCSP_NOINTERN; - else if (!strcmp(*args, "-badsig")) + break; + case OPT_BADSIG: badsig = 1; - else if (!strcmp(*args, "-text")) - { - req_text = 1; - resp_text = 1; - } - else if (!strcmp(*args, "-req_text")) + break; + case OPT_TEXT: + req_text = resp_text = 1; + break; + case OPT_REQ_TEXT: req_text = 1; - else if (!strcmp(*args, "-resp_text")) + break; + case OPT_RESP_TEXT: resp_text = 1; - else if (!strcmp(*args, "-reqin")) - { - if (args[1]) - { - args++; - reqin = *args; - } - else badarg = 1; - } - else if 
(!strcmp(*args, "-respin")) - { - if (args[1]) - { - args++; - respin = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-signer")) - { - if (args[1]) - { - args++; - signfile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-VAfile")) - { - if (args[1]) - { - args++; - verify_certfile = *args; - verify_flags |= OCSP_TRUSTOTHER; - } - else badarg = 1; - } - else if (!strcmp(*args, "-sign_other")) - { - if (args[1]) - { - args++; - sign_certfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-verify_other")) - { - if (args[1]) - { - args++; - verify_certfile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-CAfile")) - { - if (args[1]) - { - args++; - CAfile = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-CApath")) - { - if (args[1]) - { - args++; - CApath = *args; - } - else badarg = 1; - } - else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) - { - if (badarg) + break; + case OPT_REQIN: + reqin = opt_arg(); + break; + case OPT_RESPIN: + respin = opt_arg(); + break; + case OPT_SIGNER: + signfile = opt_arg(); + break; + case OPT_VAFILE: + verify_certfile = opt_arg(); + verify_flags |= OCSP_TRUSTOTHER; + break; + case OPT_SIGN_OTHER: + sign_certfile = opt_arg(); + break; + case OPT_VERIFY_OTHER: + verify_certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) goto end; - continue; - } - else if (!strcmp (*args, "-validity_period")) - { - if (args[1]) - { - args++; - nsec = atol(*args); - if (nsec < 0) - { - BIO_printf(bio_err, - "Illegal validity period %s\n", - *args); - badarg = 1; - } - } - else badarg = 1; - } - else if (!strcmp (*args, "-status_age")) - { - if (args[1]) - { - args++; - maxage = atol(*args); - if (maxage < 0) - { - BIO_printf(bio_err, - "Illegal validity age %s\n", - *args); - badarg = 1; - } - } - else badarg = 1; - } - else if (!strcmp(*args, 
"-signkey")) - { - if (args[1]) - { - args++; - keyfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-reqout")) - { - if (args[1]) - { - args++; - reqout = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-respout")) - { - if (args[1]) - { - args++; - respout = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-path")) - { - if (args[1]) - { - args++; - path = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-issuer")) - { - if (args[1]) - { - args++; - X509_free(issuer); - issuer = load_cert(bio_err, *args, FORMAT_PEM, - NULL, e, "issuer certificate"); - if(!issuer) goto end; - } - else badarg = 1; - } - else if (!strcmp (*args, "-cert")) - { - if (args[1]) - { - args++; - X509_free(cert); - cert = load_cert(bio_err, *args, FORMAT_PEM, - NULL, e, "certificate"); - if(!cert) goto end; - if (!cert_id_md) cert_id_md = EVP_sha1(); - if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) - goto end; - if(!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } - else badarg = 1; - } - else if (!strcmp(*args, "-serial")) - { - if (args[1]) - { - args++; - if (!cert_id_md) cert_id_md = EVP_sha1(); - if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) - goto end; - if(!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } - else badarg = 1; - } - else if (!strcmp(*args, "-index")) - { - if (args[1]) - { - args++; - ridx_filename = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-CA")) - { - if (args[1]) - { - args++; - rca_filename = *args; - } - else badarg = 1; - } - else if (!strcmp (*args, "-nmin")) - { - if (args[1]) - { - args++; - nmin = atol(*args); - if (nmin < 0) - { - BIO_printf(bio_err, - "Illegal update period %s\n", - *args); - badarg = 1; - } - } - if (ndays == -1) - ndays = 0; - else badarg = 1; - } - else if (!strcmp (*args, "-nrequest")) - { - if (args[1]) - { - args++; - accept_count = atol(*args); - if (accept_count < 0) - { - BIO_printf(bio_err, - "Illegal accept count 
%s\n", - *args); - badarg = 1; - } - } - else badarg = 1; - } - else if (!strcmp (*args, "-ndays")) - { - if (args[1]) - { - args++; - ndays = atol(*args); - if (ndays < 0) - { - BIO_printf(bio_err, - "Illegal update period %s\n", - *args); - badarg = 1; - } - } - else badarg = 1; - } - else if (!strcmp(*args, "-rsigner")) - { - if (args[1]) - { - args++; - rsignfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-rkey")) - { - if (args[1]) - { - args++; - rkeyfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-rother")) - { - if (args[1]) - { - args++; - rcertfile = *args; - } - else badarg = 1; - } - else if (!strcmp(*args, "-rmd")) - { - if (args[1]) - { - args++; - if (!opt_md(opt_arg(), &rsign_md)) - if (!rsign_md) - badarg = 1; - } - else badarg = 1; - } - else if (!opt_md(opt_unknown(), &cert_id_md)) - { - badarg = 1; - } - args++; + vpmtouched++; + break; + case OPT_VALIDITY_PERIOD: + opt_ulong(opt_arg(), &nsec); + break; + case OPT_STATUS_AGE: + opt_ulong(opt_arg(), &maxage); + break; + case OPT_SIGNKEY: + keyfile = opt_arg(); + break; + case OPT_REQOUT: + reqout = opt_arg(); + break; + case OPT_RESPOUT: + respout = opt_arg(); + break; + case OPT_PATH: + path = opt_arg(); + break; + case OPT_ISSUER: + X509_free(issuer); + issuer = load_cert(bio_err, opt_arg(), FORMAT_PEM, + NULL, NULL, "issuer certificate"); + if (issuer == NULL) + goto end; + break; + case OPT_CERT: + X509_free(cert); + cert = load_cert(bio_err, opt_arg(), FORMAT_PEM, + NULL, NULL, "certificate"); + if (cert == NULL) + goto end; + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) + goto end; + if(!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + break; + case OPT_SERIAL: + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids)) + goto end; + if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + break; + case 
OPT_INDEX: + ridx_filename = opt_arg(); + break; + case OPT_CA: + rca_filename = opt_arg(); + break; + case OPT_NMIN: + opt_int(opt_arg(), &nmin); + if (ndays == -1) + ndays = 0; + break; + case OPT_REQUEST: + opt_int(opt_arg(), &accept_count); + break; + case OPT_NDAYS: + ndays = atoi(opt_arg()); + break; + case OPT_RSIGNER: + rsignfile = opt_arg(); + break; + case OPT_RKEY: + rkeyfile = opt_arg(); + break; + case OPT_ROTHER: + rcertfile = opt_arg(); + break; + case OPT_RMD: + if (!opt_md(opt_arg(), &rsign_md)) + goto end; + break; + case OPT_MD: + opt_md(opt_unknown(), &cert_id_md); + break; } + } /* Have we anything to do? */ - if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1; - - if (badarg) - { - BIO_printf (bio_err, "Usage: ocsp [options]\n"); - BIO_printf (bio_err, "where options are\n"); - printhelp(ocsp_help); - goto end; - } + if (!req && !reqin && !respin && !(port && ridx_filename)) + goto err; out = bio_open_default(outfile, "w"); if(out==NULL) @@ -678,18 +530,18 @@ int ocsp_main(int argc, char **argv) { if (!rkeyfile) rkeyfile = rsignfile; rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM, - NULL, e, "responder certificate"); + NULL, NULL, "responder certificate"); if (!rsigner) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; } rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM, - NULL, e, "CA certificate"); + NULL, NULL, "CA certificate"); if (rcertfile) { rother = load_certs(bio_err, rcertfile, FORMAT_PEM, - NULL, e, "responder other certificates"); + NULL, NULL, "responder other certificates"); if (!rother) goto end; } rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL, @@ -726,7 +578,7 @@ int ocsp_main(int argc, char **argv) { if (!keyfile) keyfile = signfile; signer = load_cert(bio_err, signfile, FORMAT_PEM, - NULL, e, "signer certificate"); + NULL, NULL, "signer certificate"); if (!signer) { BIO_printf(bio_err, "Error loading signer certificate\n"); 
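Review bot: `opt_ulong(opt_arg(), &nsec);` and `opt_ulong(opt_arg(), &maxage);` pass `long *` where the opt.c hunk declares `int opt_ulong(const char* arg, unsigned long* result)`, and their return values, like those of `opt_int(opt_arg(), &nmin)` and `opt_int(opt_arg(), &accept_count)`, are never checked, so `-validity_period 0x` or `-status_age -5` no longer produces the `Illegal validity period` / `Illegal validity age` errors the removed code printed and the defaults stay in place silently. Parse into an `unsigned long` temporary and fail the option on a 0 return, e.g. `if (!opt_ulong(opt_arg(), &ul) || ul > LONG_MAX) goto err; nsec = (long)ul;`, and treat `ndays = atoi(opt_arg());` the same way since the old `-ndays` branch rejected negatives. `opt_md(opt_unknown(), &cert_id_md);` in `OPT_MD` also ignores failure, so an unknown `-<dgst>` is silently dropped where the old chain set `badarg`. ocsp_main starts before this hunk and continues after it.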
@@ -735,7 +587,7 @@ int ocsp_main(int argc, char **argv) if (sign_certfile) { sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM, - NULL, e, "signer certificates"); + NULL, NULL, "signer certificates"); if (!sign_other) goto end; } key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL, @@ -866,12 +718,12 @@ int ocsp_main(int argc, char **argv) store = setup_verify(bio_err, CAfile, CApath); if (!store) goto end; - if (vpm) + if (vpmtouched) X509_STORE_set1_param(store, vpm); if (verify_certfile) { verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, - NULL, e, "validator certificate"); + NULL, NULL, "validator certificate"); if (!verify_other) goto end; } diff --git a/apps/opt.c b/apps/opt.c index 3fe21e08bb..1ac2ea5826 100644 --- a/apps/opt.c +++ b/apps/opt.c 
@@ -277,6 +277,137 @@ int opt_ulong(const char* arg, unsigned long* result) return 1; } +enum range { OPT_V_ENUM }; + +int opt_verify(int opt, X509_VERIFY_PARAM *vpm) +{ + unsigned long ul; + int i; + ASN1_OBJECT *otmp; + X509_PURPOSE *xptmp; + const X509_VERIFY_PARAM* vtmp; + + assert(vpm != NULL); + assert(opt > OPT_V__FIRST); + assert(opt < OPT_V__FIRST); + + switch ((enum range)opt) { + case OPT_V__FIRST: + case OPT_V__LAST: + return 0; + case OPT_V_POLICY: + otmp = OBJ_txt2obj(opt_arg(), 0); + if (otmp == NULL) { + BIO_printf(bio_err, "%s: Invalid Policy %s\n", + prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_add0_policy(vpm, otmp); + break; + case OPT_V_PURPOSE: + i = X509_PURPOSE_get_by_sname(opt_arg()); + if (i < 0) { + BIO_printf(bio_err, "%s: Invalid purpose %s\n", + prog, opt_arg()); + return 0; + } + xptmp = X509_PURPOSE_get0(i); + i = X509_PURPOSE_get_id(xptmp); + X509_VERIFY_PARAM_set_purpose(vpm, i); + break; + case OPT_V_VERIFY_NAME: + vtmp = X509_VERIFY_PARAM_lookup(opt_arg()); + if (vpm == NULL) { + BIO_printf(bio_err, "%s: Invalid verify name %s\n", + prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_set1(vpm, vtmp); + break; + case OPT_V_VERIFY_DEPTH: + if (i >= 0) + X509_VERIFY_PARAM_set_depth(vpm, atoi(opt_arg())); + break; + case OPT_V_ATTIME: + opt_ulong(opt_arg(), &ul); + if (ul) + X509_VERIFY_PARAM_set_time(vpm, (time_t)ul); + break; + case OPT_V_VERIFY_HOSTNAME: + if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_EMAIL: + if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_IP: + if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg())) + return 0; + break; + case OPT_V_IGNORE_CRITICAL: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL); + break; + case OPT_V_ISSUER_CHECKS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK); + break; + case OPT_V_CRL_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK); + break; 
+ case OPT_V_CRL_CHECK_ALL: + X509_VERIFY_PARAM_set_flags(vpm, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + break; + case OPT_V_POLICY_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK); + break; + case OPT_V_EXPLICIT_POLICY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY); + break; + case OPT_V_INHIBIT_ANY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY); + break; + case OPT_V_INHIBIT_MAP: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP); + break; + case OPT_V_X509_STRICT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT); + break; + case OPT_V_EXTENDED_CRL: + X509_VERIFY_PARAM_set_flags(vpm, + X509_V_FLAG_EXTENDED_CRL_SUPPORT); + break; + case OPT_V_USE_DELTAS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS); + break; + case OPT_V_POLICY_PRINT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY); + break; + case OPT_V_CHECK_SS_SIG: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE); + break; + case OPT_V_TRUSTED_FIRST: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST); + break; + case OPT_V_SUITEB_128_ONLY: + X509_VERIFY_PARAM_set_flags(vpm, + X509_V_FLAG_SUITEB_128_LOS_ONLY); + break; + case OPT_V_SUITEB_128: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS); + break; + case OPT_V_SUITEB_192: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS); + break; + case OPT_V_PARTIAL_CHAIN: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); + break; + } + return 1; + +} + + /* Parse the next flag (and value if specified), return 0 if done, -1 on * error, otherwise the flag's retval. */ int opt_next(void) diff --git a/apps/s_client.c b/apps/s_client.c index 35e3a2b0e2..ab513acbc2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -679,6 +679,10 @@ static char *jpake_secret = NULL; c_msg=0; c_showcerts=0; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + cctx = SSL_CONF_CTX_new(); if (!cctx) goto end; 
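Review bot: The second precondition `assert(opt < OPT_V__FIRST);` contradicts the first and fires on every call in an assert-enabled build; it should be `assert(opt < OPT_V__LAST);`. In `OPT_V_VERIFY_NAME` the null test checks the wrong variable, `if (vpm == NULL)` instead of `if (vtmp == NULL)`, so an unknown `-verify_name` hands a NULL to `X509_VERIFY_PARAM_set1`. `OPT_V_VERIFY_DEPTH` reads `i` before it is assigned (`if (i >= 0)` on an uninitialised int, which is undefined behaviour) and loses the negative-depth rejection the removed args_verify had, and `OPT_V_ATTIME` ignores opt_ulong's result so an unparsable timestamp is silently skipped. The rewritten cases below cover these; the flag-setting cases are unchanged.
```c
    assert(vpm != NULL);
    assert(opt > OPT_V__FIRST);
    assert(opt < OPT_V__LAST);

    switch ((enum range)opt) {
    /* … unchanged: OPT_V__FIRST/OPT_V__LAST, OPT_V_POLICY, OPT_V_PURPOSE … */
    case OPT_V_VERIFY_NAME:
        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
        if (vtmp == NULL) {
            BIO_printf(bio_err, "%s: Invalid verify name %s\n",
                       prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_set1(vpm, vtmp);
        break;
    case OPT_V_VERIFY_DEPTH:
        if (!opt_int(opt_arg(), &i) || i < 0) {
            BIO_printf(bio_err, "%s: Invalid depth %s\n", prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_set_depth(vpm, i);
        break;
    case OPT_V_ATTIME:
        if (!opt_ulong(opt_arg(), &ul))
            return 0;
        if (ul)
            X509_VERIFY_PARAM_set_time(vpm, (time_t)ul);
        break;
    /* … unchanged: OPT_V_VERIFY_HOSTNAME through OPT_V_PARTIAL_CHAIN … */
```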
@@ -770,11 +774,9 @@ static char *jpake_secret = NULL; if (--argc < 1) goto bad; crl_format = str2fmt(*(++argv)); } - else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) - { - if (badarg) + // case OPT_V_COMMON_VERIFY_CASES: vpmtouched++ + else if (!opt_verify(i, vpm)) goto bad; - continue; } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; @@ -1273,7 +1275,7 @@ bad: if (sdebug) ssl_ctx_security_debug(ctx, bio_err, sdebug); - if (vpm) + if (vpmtouched) SSL_CTX_set1_param(ctx, vpm); if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) diff --git a/apps/s_server.c b/apps/s_server.c index d04d5344dd..1df85d4057 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1042,6 +1042,9 @@ int s_server_main(int argc, char *argv[]) goto end; SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + verify_depth=0; #ifdef FIONBIO @@ -1220,12 +1223,9 @@ int s_server_main(int argc, char *argv[]) if (--argc < 1) goto bad; crl_format = str2fmt(*(++argv)); } - else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) - { - if (badarg) - goto bad; - continue; - } + // case OPT_V_COMMON_VERIFY_CASES: vpmtouched++ + else if (!opt_verify(i, vpm)) + goto bad; else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { if (badarg) @@ -1784,7 +1784,7 @@ bad: ERR_print_errors(bio_err); /* goto end; */ } - if (vpm) + if (vpmtouched) SSL_CTX_set1_param(ctx, vpm); ssl_ctx_add_crls(ctx, crls, 0); diff --git a/apps/smime.c b/apps/smime.c index 338bd17f34..f52b70c6da 100644 --- a/apps/smime.c +++ b/apps/smime.c 
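Review bot: `else if (!opt_verify(i, vpm)) goto bad;` changes what the s_client argument chain does for arguments that are not verify options: `args_verify` returned 0 for an argument it did not recognise so the comparisons after it (`-verify_return_error` and the rest) still ran, whereas opt_verify returns 1 for any `opt` value its switch does not list, which ends the chain there and leaves every later option unreachable; the s_server hunk at `@@ -1220` has the same problem, and `i` is not visibly derived from `*argv` in either file. In both files `vpmtouched` now gates `SSL_CTX_set1_param(ctx, vpm)`, but the only reference to incrementing it is the `// case OPT_V_COMMON_VERIFY_CASES: vpmtouched++` placeholder comment, so unless it is incremented outside these hunks any `-verify_hostname`, `-purpose` or `-policy` setting is parsed and then never applied to the context, which silently weakens peer verification. Either convert these two parsers fully in this commit or keep `args_verify` in them until that is done.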
@@ -141,281 +141,270 @@ const char* smime_help[] = { NULL, }; +enum options { + OPT_ERR = -1, OPT_EOF = 0, + OPT_V_ENUM, + OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY, + OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN, + OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, + OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF, + OPT_NOOLDMIME, OPT_CRLFEOL, OPT_RAND, OPT_ENGINE, OPT_PASSIN, + OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, + OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_CAPATH, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT, +}; + +static OPTIONS options[] = { + OPT_V_OPTIONS, + { "encrypt", OPT_ENCRYPT, '-' }, + { "decrypt", OPT_DECRYPT, '-' }, + { "sign", OPT_SIGN, '-' }, + { "resign", OPT_RESIGN, '-' }, + { "verify", OPT_VERIFY, '-' }, + { "pk7out", OPT_PK7OUT, '-' }, + { "text", OPT_TEXT, '-' }, + { "nointern", OPT_NOINTERN, '-' }, + { "noverify", OPT_NOVERIFY, '-' }, + { "nochain", OPT_NOCHAIN, '-' }, + { "nocerts", OPT_NOCERTS, '-' }, + { "noattr", OPT_NOATTR, '-' }, + { "nodetach", OPT_NODETACH, '-' }, + { "nosmimecap", OPT_NOSMIMECAP, '-' }, + { "binary", OPT_BINARY, '-' }, + { "nosigs", OPT_NOSIGS, '-' }, + { "stream", OPT_STREAM, '-' }, + { "indef", OPT_INDEF, '-' }, + { "noindef", OPT_NOINDEF, '-' }, + { "nooldmime", OPT_NOOLDMIME, '-' }, + { "crlfeol", OPT_CRLFEOL, '-' }, + { "rand", OPT_RAND, 's' }, + { "engine", OPT_ENGINE, 's' }, + { "passin", OPT_PASSIN, 's' }, + { "to", OPT_TO, 's' }, + { "from", OPT_FROM, 's' }, + { "subject", OPT_SUBJECT, 's' }, + { "signer", OPT_SIGNER, '<' }, + { "recip", OPT_RECIP, '<' }, + { "md", OPT_MD, 's' }, + { "", OPT_CIPHER, '-' }, + { "inkey", OPT_INKEY, '<' }, + { "keyform", OPT_KEYFORM, 'f' }, + { "certfile", OPT_CERTFILE, '<' }, + { "CAfile", OPT_CAFILE, '<' }, + { "CApath", OPT_CAPATH, '/' }, + { "in", OPT_IN, '<' }, + { "inform", OPT_INFORM, 'F' }, + { "out", OPT_OUT, '>' }, + { "outformn", OPT_OUTFORM, 'F' }, + { 
"content", OPT_CONTENT, '<' }, + { NULL } +}; + int smime_main(int argc, char **argv) { - ENGINE *e = NULL; - int operation = 0; - int ret = 0; - char **args; - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL; - char *signerfile = NULL, *recipfile = NULL; - STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile=NULL; - const EVP_CIPHER *cipher = NULL; - PKCS7 *p7 = NULL; - X509_STORE *store = NULL; - X509 *cert = NULL, *recip = NULL, *signer = NULL; - EVP_PKEY *key = NULL; - STACK_OF(X509) *encerts = NULL, *other = NULL; - BIO *in = NULL, *out = NULL, *indata = NULL; - int badarg = 0; - int flags = PKCS7_DETACHED; - char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; - char *passargin = NULL, *passin = NULL; - char *inrand = NULL; - int need_rand = 0; - int indef = 0; - const EVP_MD *sign_md = NULL; - int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; - int keyform = FORMAT_PEM; + const char *inmode="r", *outmode="w"; + char *infile=NULL, *outfile=NULL, *signerfile=NULL, *recipfile=NULL; + char *certfile=NULL, *keyfile=NULL, *contfile=NULL; + char *to=NULL, *from=NULL, *subject=NULL; + char *passinarg=NULL, *passin=NULL; + char *CAfile=NULL, *CApath=NULL, *inrand=NULL, *engine=NULL; + int flags=PKCS7_DETACHED, operation=0, ret=0, need_rand=0, indef=0; + int informat=FORMAT_SMIME, outformat=FORMAT_SMIME, keyform=FORMAT_PEM; + int vpmtouched=0; + const EVP_MD *sign_md=NULL; #ifndef OPENSSL_NO_ENGINE - char *engine=NULL; + ENGINE *e=NULL; #endif - X509_VERIFY_PARAM *vpm = NULL; - - args = argv + 1; - ret = 1; + const EVP_CIPHER *cipher=NULL; + X509_VERIFY_PARAM *vpm=NULL; + STACK_OF(OPENSSL_STRING) *sksigners=NULL, *skkeys=NULL; + PKCS7 *p7=NULL; + X509_STORE *store=NULL; + X509 *cert=NULL, *recip=NULL, *signer=NULL; + EVP_PKEY *key=NULL; + STACK_OF(X509) *encerts=NULL, *other=NULL; + BIO *in=NULL, *out=NULL, *indata=NULL; + enum options o; 
+ char* prog; + + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; - while (!badarg && *args && *args[0] == '-') - { - if (!strcmp (*args, "-encrypt")) + prog = opt_init(argc, argv, options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +err: + BIO_printf(bio_err,"Valid options are:\n"); + printhelp(smime_help); + goto end; + case OPT_INFORM: + opt_format(opt_arg(), 1, &informat); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + opt_format(opt_arg(), 1, &outformat); + break; + case OPT_OUT: + outfile= opt_arg(); + break; + case OPT_ENCRYPT: operation = SMIME_ENCRYPT; - else if (!strcmp (*args, "-decrypt")) + break; + case OPT_DECRYPT: operation = SMIME_DECRYPT; - else if (!strcmp (*args, "-sign")) + break; + case OPT_SIGN: operation = SMIME_SIGN; - else if (!strcmp (*args, "-resign")) + break; + case OPT_RESIGN: operation = SMIME_RESIGN; - else if (!strcmp (*args, "-verify")) + break; + case OPT_VERIFY: operation = SMIME_VERIFY; - else if (!strcmp (*args, "-pk7out")) + break; + case OPT_PK7OUT: operation = SMIME_PK7OUT; -#ifndef OPENSSL_NO_DES - else if (!strcmp (*args, "-des3")) - cipher = EVP_des_ede3_cbc(); - else if (!strcmp (*args, "-des")) - cipher = EVP_des_cbc(); -#endif -#ifndef OPENSSL_NO_SEED - else if (!strcmp (*args, "-seed")) - cipher = EVP_seed_cbc(); -#endif -#ifndef OPENSSL_NO_RC2 - else if (!strcmp (*args, "-rc2-40")) - cipher = EVP_rc2_40_cbc(); - else if (!strcmp (*args, "-rc2-128")) - cipher = EVP_rc2_cbc(); - else if (!strcmp (*args, "-rc2-64")) - cipher = EVP_rc2_64_cbc(); -#endif -#ifndef OPENSSL_NO_AES - else if (!strcmp(*args,"-aes128")) - cipher = EVP_aes_128_cbc(); - else if (!strcmp(*args,"-aes192")) - cipher = EVP_aes_192_cbc(); - else if (!strcmp(*args,"-aes256")) - cipher = EVP_aes_256_cbc(); -#endif -#ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args,"-camellia128")) - cipher = EVP_camellia_128_cbc(); - else if (!strcmp(*args,"-camellia192")) - cipher = 
EVP_camellia_192_cbc(); - else if (!strcmp(*args,"-camellia256")) - cipher = EVP_camellia_256_cbc(); -#endif - else if (!strcmp (*args, "-text")) - flags |= PKCS7_TEXT; - else if (!strcmp (*args, "-nointern")) - flags |= PKCS7_NOINTERN; - else if (!strcmp (*args, "-noverify")) - flags |= PKCS7_NOVERIFY; - else if (!strcmp (*args, "-nochain")) - flags |= PKCS7_NOCHAIN; - else if (!strcmp (*args, "-nocerts")) - flags |= PKCS7_NOCERTS; - else if (!strcmp (*args, "-noattr")) - flags |= PKCS7_NOATTR; - else if (!strcmp (*args, "-nodetach")) - flags &= ~PKCS7_DETACHED; - else if (!strcmp (*args, "-nosmimecap")) - flags |= PKCS7_NOSMIMECAP; - else if (!strcmp (*args, "-binary")) - flags |= PKCS7_BINARY; - else if (!strcmp (*args, "-nosigs")) - flags |= PKCS7_NOSIGS; - else if (!strcmp (*args, "-stream")) - indef = 1; - else if (!strcmp (*args, "-indef")) - indef = 1; - else if (!strcmp (*args, "-noindef")) - indef = 0; - else if (!strcmp (*args, "-nooldmime")) - flags |= PKCS7_NOOLDMIMETYPE; - else if (!strcmp (*args, "-crlfeol")) - flags |= PKCS7_CRLFEOL; - else if (!strcmp(*args,"-rand")) - { - if (!args[1]) - goto argerr; - args++; - inrand = *args; + break; + case OPT_TEXT: + flags |= PKCS7_TEXT; + break; + case OPT_NOINTERN: + flags |= PKCS7_NOINTERN; + break; + case OPT_NOVERIFY: + flags |= PKCS7_NOVERIFY; + break; + case OPT_NOCHAIN: + flags |= PKCS7_NOCHAIN; + break; + case OPT_NOCERTS: + flags |= PKCS7_NOCERTS; + break; + case OPT_NOATTR: + flags |= PKCS7_NOATTR; + break; + case OPT_NODETACH: + flags &= ~PKCS7_DETACHED; + break; + case OPT_NOSMIMECAP: + flags |= PKCS7_NOSMIMECAP; + break; + case OPT_BINARY: + flags |= PKCS7_BINARY; + break; + case OPT_NOSIGS: + flags |= PKCS7_NOSIGS; + break; + case OPT_STREAM: + case OPT_INDEF: + indef = 1; + break; + case OPT_NOINDEF: + indef = 0; + break; + case OPT_NOOLDMIME: + flags |= PKCS7_NOOLDMIMETYPE; + break; + case OPT_CRLFEOL: + flags |= PKCS7_CRLFEOL; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - 
} -#ifndef OPENSSL_NO_ENGINE - else if (!strcmp(*args,"-engine")) - { - if (!args[1]) - goto argerr; - engine = *++args; - } -#endif - else if (!strcmp(*args,"-passin")) - { - if (!args[1]) - goto argerr; - passargin = *++args; - } - else if (!strcmp (*args, "-to")) - { - if (!args[1]) - goto argerr; - to = *++args; - } - else if (!strcmp (*args, "-from")) - { - if (!args[1]) - goto argerr; - from = *++args; - } - else if (!strcmp (*args, "-subject")) - { - if (!args[1]) - goto argerr; - subject = *++args; - } - else if (!strcmp (*args, "-signer")) - { - if (!args[1]) - goto argerr; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_SIGNER: /* If previous -signer argument add signer to list */ - - if (signerfile) - { - if (!sksigners) + if (signerfile) { + if (sksigners == NULL) sksigners = sk_OPENSSL_STRING_new_null(); sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) + if (keyfile == NULL) keyfile = signerfile; - if (!skkeys) + if (skkeys == NULL) skkeys = sk_OPENSSL_STRING_new_null(); sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; - } - signerfile = *++args; } - else if (!strcmp (*args, "-recip")) - { - if (!args[1]) - goto argerr; - recipfile = *++args; - } - else if (!strcmp (*args, "-md")) - { - if (!args[1]) - goto argerr; + signerfile = opt_arg(); + break; + case OPT_RECIP: + recipfile = opt_arg(); + break; + case OPT_MD: if (!opt_md(opt_arg(), &sign_md)) - goto argerr; - } - else if (!strcmp (*args, "-inkey")) - { - if (!args[1]) - goto argerr; + goto err; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher)) + goto err; + break; + case OPT_INKEY: /* If previous -inkey arument add signer to list */ - if (keyfile) - { - if (!signerfile) - { - BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto 
argerr; - } - if (!sksigners) + if (keyfile) { + if (signerfile == NULL) { + BIO_printf(bio_err, + "%s: Must have -signer before -inkey\n", + prog); + goto err; + } + if (sksigners == NULL) sksigners = sk_OPENSSL_STRING_new_null(); sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; - if (!skkeys) + if (skkeys == NULL) skkeys = sk_OPENSSL_STRING_new_null(); sk_OPENSSL_STRING_push(skkeys, keyfile); - } - keyfile = *++args; - } - else if (!strcmp (*args, "-keyform")) - { - if (!args[1]) - goto argerr; - keyform = str2fmt(*++args); - } - else if (!strcmp (*args, "-certfile")) - { - if (!args[1]) - goto argerr; - certfile = *++args; - } - else if (!strcmp (*args, "-CAfile")) - { - if (!args[1]) - goto argerr; - CAfile = *++args; - } - else if (!strcmp (*args, "-CApath")) - { - if (!args[1]) - goto argerr; - CApath = *++args; } - else if (!strcmp (*args, "-in")) - { - if (!args[1]) - goto argerr; - infile = *++args; - } - else if (!strcmp (*args, "-inform")) - { - if (!args[1]) - goto argerr; - informat = str2fmt(*++args); - } - else if (!strcmp (*args, "-outform")) - { - if (!args[1]) - goto argerr; - outformat = str2fmt(*++args); - } - else if (!strcmp (*args, "-out")) - { - if (!args[1]) - goto argerr; - outfile = *++args; - } - else if (!strcmp (*args, "-content")) - { - if (!args[1]) - goto argerr; - contfile = *++args; - } - else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) - continue; - else if (!opt_cipher(*args+1, &cipher)) - badarg = 1; - args++; + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + opt_format(opt_arg(), 0, &keyform); + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto err; + vpmtouched++; + break; } + } + argc = opt_num_rest(); + argv = opt_rest(); if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) 
{ BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); - goto argerr; + goto err; } if (operation & SMIME_SIGNERS) @@ -424,7 +413,7 @@ int smime_main(int argc, char **argv) if (keyfile && !signerfile) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + goto err; } if (signerfile) { @@ -440,7 +429,7 @@ int smime_main(int argc, char **argv) if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); - badarg = 1; + goto err; } signerfile = NULL; keyfile = NULL; @@ -451,35 +440,27 @@ int smime_main(int argc, char **argv) if (!recipfile && !keyfile) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); - badarg = 1; + goto err; } } else if (operation == SMIME_ENCRYPT) { - if (!*args) + if (argc == 0) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); - badarg = 1; + goto err; } need_rand = 1; } else if (!operation) - badarg = 1; + goto err; - if (badarg) - { - argerr: - BIO_printf (bio_err, "Usage smime [options] cert.pem ...\n"); - BIO_printf (bio_err, "where options are\n"); - printhelp(smime_help); - goto end; - } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) + if (!app_passwd(bio_err, passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; @@ -532,19 +513,15 @@ int smime_main(int argc, char **argv) #endif } encerts = sk_X509_new_null(); - while (*args) + while (*argv) { - if (!(cert = load_cert(bio_err,*args,FORMAT_PEM, - NULL, e, "recipient certificate file"))) - { -#if 0 /* An appropriate message is already printed */ - BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args); -#endif + cert = load_cert(bio_err,*argv,FORMAT_PEM, + NULL, e, "recipient certificate file"); + if (cert == NULL) goto end; - } sk_X509_push(encerts, cert); cert = NULL; - args++; + argv++; } } 
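Review bot: The options table in the -141 hunk registers the output-format switch as `{ "outformn", OPT_OUTFORM, 'F' }`, so `-outform` is presumably no longer recognised by the parser while `-outformn` is; it should read `{ "outform", OPT_OUTFORM, 'F' },`. The OPT_INFORM, OPT_OUTFORM and OPT_KEYFORM cases discard the result of opt_format(), unlike the OPT_MD and OPT_CIPHER cases which `goto err` on failure; if opt_format() reports an unparsable format name through its return value, a bad `-inform` would silently keep the default instead of erroring, so `if (!opt_format(opt_arg(), 1, &informat)) goto err;` would be the consistent form. The `err:` label placed inside the `case OPT_ERR:` arm is legal but easy to misread; a one-line comment such as `/* err: shared usage path, also reached by goto from later cases */` would help. vpm is now allocated unconditionally with X509_VERIFY_PARAM_new() and the end path that releases it lies outside this hunk, so confirm it is freed there.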
@@ -631,7 +608,7 @@ int smime_main(int argc, char **argv) if (!(store = setup_verify(bio_err, CAfile, CApath))) goto end; X509_STORE_set_verify_cb(store, smime_cb); - if (vpm) + if (vpmtouched) X509_STORE_set1_param(store, vpm); } diff --git a/apps/verify.c b/apps/verify.c index 32f8c44606..a83d2f40af 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -66,6 +66,12 @@ #include <openssl/x509v3.h> #include <openssl/pem.h> +static int cb(int ok, X509_STORE_CTX *ctx); +static int check(X509_STORE *ctx, char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain); +static int v_verbose=0, vflags = 0; + const char* verify_help[] = { "-verbose", "-CApath path", 
@@ -79,101 +85,98 @@ const char* verify_help[] = { NULL }; -static int cb(int ok, X509_STORE_CTX *ctx); -static int check(X509_STORE *ctx, char *file, - STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, - STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain); -static int v_verbose=0, vflags = 0; +enum options { + OPT_ERR = -1, OPT_EOF = 0, + OPT_V_ENUM, + OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, OPT_TRUSTED, + OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, OPT_VERBOSE, +}; + +static OPTIONS options[] = { + OPT_V_OPTIONS, +#ifndef OPENSSL_NO_ENGINE + { "engine", OPT_ENGINE, 's' }, +#endif + { "CApath", OPT_CAPATH, '/' }, + { "CAfile", OPT_CAFILE, '<' }, + { "untrusted", OPT_UNTRUSTED, '<' }, + { "trusted", OPT_TRUSTED, '<' }, + { "CRLfile", OPT_CRLFILE, '<' }, + { "crl_download", OPT_CRL_DOWNLOAD, '-' }, + { "show_chain", OPT_SHOW_CHAIN, '-' }, + { "verbose", OPT_VERBOSE, '-' }, + { NULL } +}; + int verify_main(int argc, char **argv) { - ENGINE *e = NULL; - int i,ret=1, badarg = 0; - char *CApath=NULL,*CAfile=NULL; - char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; - STACK_OF(X509) *untrusted = NULL, *trusted = NULL; - STACK_OF(X509_CRL) *crls = NULL; - X509_STORE *cert_ctx=NULL; + ENGINE *e=NULL; + STACK_OF(X509) *untrusted=NULL, *trusted=NULL; + STACK_OF(X509_CRL) *crls=NULL; X509_LOOKUP *lookup=NULL; - X509_VERIFY_PARAM *vpm = NULL; - int crl_download = 0, show_chain = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine=NULL; -#endif + X509_STORE *cert_ctx=NULL; + X509_VERIFY_PARAM *vpm=NULL; + char* prog, *CApath=NULL,*CAfile=NULL, *engine=NULL; + char *untfile=NULL, *trustfile=NULL, *crlfile=NULL; + int vpmtouched=0, crl_download=0, show_chain=0, i=0, ret=1; + enum options o; cert_ctx=X509_STORE_new(); - if (cert_ctx == NULL) goto end; + if (cert_ctx == NULL) + goto end; X509_STORE_set_verify_cb(cert_ctx,cb); + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + goto end; - argc--; - argv++; - for (;;) - { - if (argc >= 1) - { - if (strcmp(*argv,"-CApath") 
== 0) - { - if (argc-- < 1) goto end; - CApath= *(++argv); - } - else if (strcmp(*argv,"-CAfile") == 0) - { - if (argc-- < 1) goto end; - CAfile= *(++argv); - } - else if (args_verify(&argv, &argc, &badarg, bio_err, - &vpm)) - { - if (badarg) - goto end; - continue; - } - else if (strcmp(*argv,"-untrusted") == 0) - { - if (argc-- < 1) goto end; - untfile= *(++argv); - } - else if (strcmp(*argv,"-trusted") == 0) - { - if (argc-- < 1) goto end; - trustfile= *(++argv); - } - else if (strcmp(*argv,"-CRLfile") == 0) - { - if (argc-- < 1) goto end; - crlfile= *(++argv); - } - else if (strcmp(*argv,"-crl_download") == 0) - crl_download = 1; - else if (strcmp(*argv,"-show_chain") == 0) - show_chain = 1; -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv,"-engine") == 0) - { - if (--argc < 1) goto end; - engine= *(++argv); - } -#endif - else if (strcmp(*argv,"-help") == 0) - goto end; - else if (strcmp(*argv,"-verbose") == 0) - v_verbose=1; - else if (argv[0][0] == '-') + prog = opt_init(argc, argv, options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err,"Valid options are:\n"); + printhelp(verify_help); + goto end; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) goto end; - else - break; - argc--; - argv++; - } - else + vpmtouched++; + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_UNTRUSTED: + untfile = opt_arg(); + break; + case OPT_TRUSTED: + trustfile = opt_arg(); + break; + case OPT_CRLFILE: + crlfile = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: + crl_download = 1; + break; + case OPT_SHOW_CHAIN: + show_chain = 1; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_VERBOSE: + v_verbose = 1; break; } + } #ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); #endif - if (vpm) + if (vpmtouched) X509_STORE_set1_param(cert_ctx, vpm); lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file()); 
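Review bot: After the option loop in the -79 hunk, verify_main never does `argc = opt_num_rest(); argv = opt_rest();` the way smime_main does in this same commit, yet the remaining positional arguments (the certificate files to check) still have to come from somewhere; unless the code after the hunk does this, the file loop would walk the original argv that the removed `argc--; argv++` scheme used to advance. `prog` is assigned from opt_init() but not used anywhere in the hunk, which draws an unused-variable warning unless it is used later in the function. The old `-help` branch (`goto end`) is dropped with no table entry replacing it; if opt_next() does not synthesize help itself, `-help` now lands in OPT_ERR, which prints the option list and exits with ret=1 anyway, so this may be intended but deserves a comment. The rest of verify_main, including the end path that frees vpm and cert_ctx, is outside the hunk.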
diff --git a/apps/x509.c b/apps/x509.c
index 057bf77ee2..8739bf5a15 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -543,7 +543,7 @@ err:
 checkip = opt_arg();
 break;
 case OPT_MD:
-if (!opt_md(*argv+1, &digest))
+if (!opt_md(opt_arg(), &digest))
 goto err;
 }
 }
|