diff --git a/CHANGES b/CHANGES
index c2ef7bffe..0af7ea03c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,11 @@
 Changes between 0.9.1c and 0.9.2
+ *) Dump the old yucky req code that tried (and failed) to allow raw OIDs
+ to be added. Now both 'req' and 'ca' can use new objects defined in the
+ config file.
+ [Steve Henson]
+
 *) Add cool BIO that does syslog (or event log on NT).
 [Arne Ansper , integrated by Ben Laurie]
diff --git a/apps/ca.c b/apps/ca.c
index 76bbcbc2c..6f3b1a850 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -155,6 +155,7 @@ extern int EF_ALIGNMENT;
 #endif
 #ifndef NOPROTO
+static int add_oid_section(LHASH *conf);
 static void lookup_fail(char *name,char *tag);
 static int MS_CALLBACK key_callback(char *buf,int len,int verify);
 static unsigned long index_serial_hash(char **a);
@@ -181,6 +182,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, EVP_MD *dgst,
 LHASH *conf);
 static int check_time_format(char *str);
 #else
+static int add_oid_section();
 static void lookup_fail();
 static int MS_CALLBACK key_callback();
 static unsigned long index_serial_hash();
@@ -453,6 +455,10 @@ bad:
 }
 }
 }
+ if(!add_oid_section(conf)) {
+ ERR_print_errors(bio_err);
+ goto err;
+ }
 in=BIO_new(BIO_s_file());
 out=BIO_new(BIO_s_file());
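Review bot: The block added in the `@@ -453,6 +455,10 @@` hunk opens its brace on the `if` line (`if(!add_oid_section(conf)) {`), whereas the surrounding ca.c code appears to place braces on their own indented lines (the three `}` context lines here and the `EXIT(ret); }` closing in the cleanup hunk); the new `add_oid_section` bodies in ca.c and req.c use the same K&R layout. Matching the file's brace style keeps the added code from standing out inside an already long function. A one-line comment would also tell a reader why the call sits at this point, e.g. `/* objects defined in the config's oid_section must be registered before anything else in the config refers to them */`. The enclosing function begins and ends outside this hunk.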
@@ -1044,22 +1050,23 @@ bad:
 /*****************************************************************/
 ret=0;
 err:
- if (hex != NULL) BIO_free(hex);
- if (Cout != NULL) BIO_free(Cout);
- if (Sout != NULL) BIO_free(Sout);
- if (out != NULL) BIO_free(out);
- if (in != NULL) BIO_free(in);
+ BIO_free(hex);
+ BIO_free(Cout);
+ BIO_free(Sout);
+ BIO_free(out);
+ BIO_free(in);
- if (cert_sk != NULL) sk_pop_free(cert_sk,X509_free);
+ sk_pop_free(cert_sk,X509_free);
 if (ret) ERR_print_errors(bio_err);
- if (serial != NULL) BN_free(serial);
- if (db != NULL) TXT_DB_free(db);
- if (pkey != NULL) EVP_PKEY_free(pkey);
- if (x509 != NULL) X509_free(x509);
- if (crl != NULL) X509_CRL_free(crl);
- if (conf != NULL) CONF_free(conf);
+ BN_free(serial);
+ TXT_DB_free(db);
+ EVP_PKEY_free(pkey);
+ X509_free(x509);
+ X509_CRL_free(crl);
+ CONF_free(conf);
 X509V3_EXT_cleanup();
+ OBJ_cleanup();
 EXIT(ret);
 }
@@ -2009,3 +2016,25 @@ char *str;
 return(ASN1_UTCTIME_check(&tm));
 }
+static int add_oid_section(conf)
+LHASH *conf;
+{
+ char *p;
+ STACK *sktmp;
+ CONF_VALUE *cnf;
+ int i;
+ if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
+ if(!(sktmp = CONF_get_section(conf, p))) {
+ BIO_printf(bio_err, "problem loading oid section %s\n", p);
+ return 0;
+ }
+ for(i = 0; i < sk_num(sktmp); i++) {
+ cnf = (CONF_VALUE *)sk_value(sktmp, i);
+ if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+ BIO_printf(bio_err, "problem creating object %s=%s\n",
+ cnf->name, cnf->value);
+ return 0;
+ }
+ }
+ return 1;
+}
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 7dee6432a..49cff56f3 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
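Review bot: `add_oid_section` in the `@@ -2009,3 +2016,25 @@` hunk is byte-for-byte the same function that the last hunk of this diff adds to req.c, so the two copies will drift apart (the req.c copy already sits beside a stray debug `fprintf`); a single definition in a source file shared by the apps, with one prototype, would avoid that. The function also has no header comment; something like `/* Register each name=OID pair of the config's "oid_section"; returns 1 when the section is absent or fully registered, 0 after reporting the first failure on bio_err */` states the contract both callers rely on. Since the function returns 0 on the first failing `OBJ_create`, any objects created by earlier iterations stay registered until the `OBJ_cleanup()` added at `err:` runs, which is fine for these one-shot tools but worth noting in that comment if the helper is ever shared.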
@@ -5,6 +5,15 @@
 RANDFILE = $ENV::HOME/.rnd
 oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
 ####################################################################
 [ ca ]
@@ -92,7 +101,7 @@ commonName_max = 64
 emailAddress = Email Address
 emailAddress_max = 40
-SET-ex3 = SET extension number 3
+# SET-ex3 = SET extension number 3
 [ req_attributes ]
 challengePassword = A challenge password
diff --git a/apps/req.c b/apps/req.c
index b2c1bb257..9a100aef7 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -115,12 +115,16 @@ static int add_DN_object(X509_NAME *n, char *text, char *def, char *value,
 int nid,int min,int max);
 static void MS_CALLBACK req_cb(int p,int n,char *arg);
 static int req_fix_data(int nid,int *type,int len,int min,int max);
+static int check_end(char *str, char *end);
+static int add_oid_section(LHASH *conf);
 #else
 static int make_REQ();
 static int add_attribute_object();
 static int add_DN_object();
 static void MS_CALLBACK req_cb();
 static int req_fix_data();
+static int check_end();
+static int add_oid_section();
 #endif
 #ifndef MONOLITH
@@ -423,6 +427,7 @@ bad:
 }
 }
 }
+ if(!add_oid_section(req_conf)) goto end;
 if ((md_alg == NULL) && ((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL))
@@ -800,11 +805,13 @@ end:
 ERR_print_errors(bio_err);
 }
 if ((req_conf != NULL) && (req_conf != config)) CONF_free(req_conf);
- if (in != NULL) BIO_free(in);
- if (out != NULL) BIO_free(out);
- if (pkey != NULL) EVP_PKEY_free(pkey);
- if (req != NULL) X509_REQ_free(req);
- if (x509ss != NULL) X509_free(x509ss);
+ BIO_free(in);
+ BIO_free(out);
+ EVP_PKEY_free(pkey);
+ X509_REQ_free(req);
+ X509_free(x509ss);
+ X509V3_EXT_cleanup();
+ OBJ_cleanup();
 #ifndef NO_DSA
 if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
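Review bot: In the `@@ -423,6 +427,7 @@` hunk, `if(!add_oid_section(req_conf)) goto end;` jumps to `end:` without the `ERR_print_errors(bio_err)` call that the matching ca.c call site performs. The `ERR_print_errors(bio_err);` at `end:` visible in the `@@ -800,11 +805,13 @@` hunk sits inside a block whose condition lies outside the diff, so whether the underlying `OBJ_create` or `CONF_get_section` error reason is ever printed depends on that condition's state at this point in main. If that block is not guaranteed to run on this path, mirror ca.c: `if(!add_oid_section(req_conf)) { ERR_print_errors(bio_err); goto end; }`. The enclosing function begins and ends outside these hunks.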
@@ -816,7 +823,7 @@ X509_REQ *req;
 EVP_PKEY *pkey;
 int attribs;
 {
- int ret=0,i,j;
+ int ret=0,i;
 unsigned char *p,*q;
 X509_REQ_INFO *ri;
 char buf[100];
@@ -876,42 +883,18 @@ start: for (;;)
 v=(CONF_VALUE *)sk_value(sk,i);
 p=q=NULL;
 type=v->name;
- /* Allow for raw OIDs */
- /* [n.mm.ooo.ppp] */
- for (j=0; type[j] != '\0'; j++)
- {
- if ( (type[j] == ':') ||
- (type[j] == ',') ||
- (type[j] == '.'))
- p=(unsigned char *)&(type[j+1]);
- if (type[j] == '[')
- {
- p=(unsigned char *)&(type[j+1]);
- for (j++; type[j] != '\0'; j++)
- if (type[j] == ']')
- {
- q=(unsigned char *)&(type[j]);
- break;
- }
- break;
- }
- }
- if (p != NULL)
- type=(char *)p;
- if ((nid=OBJ_txt2nid(type)) == NID_undef)
- {
- /* Add a new one if possible */
- if ((p != NULL) && (q != NULL) && (*q == ']'))
- {
- *q='\0';
- nid=OBJ_create((char *)p,NULL,NULL);
- *q=']';
- if (nid == NID_undef) goto start;
- }
- else
- goto start;
- }
-
+ if(!check_end(type,"_min") || !check_end(type,"_max") ||
+ !check_end(type,"_default") ||
+ !check_end(type,"_value")) continue;
+ /* Skip past any leading X. X: X, etc to allow for
+ * multiple instances
+ */
+ for(p = v->name; *p ; p++)
+ if ((*p != ':') || (*p != ',') ||
+ (*p != '.')) break;
+ if (*p) type=(char *)p;
+ /* If OBJ not recognised ignore it */
+ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
 sprintf(buf,"%s_default",v->name);
 if ((def=CONF_get_string(req_conf,tmp,buf)) == NULL)
 def="";
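Review bot: The separator-skipping loop in the `@@ -876,42 +883,18 @@` hunk never skips anything: `(*p != ':') || (*p != ',') || (*p != '.')` holds for every character (no byte equals all three), so the `for` breaks on the first character, `p` stays at `v->name`, and `type` is never moved past an `X.`/`X:`/`X,` prefix despite the comment above; keys written that way then fail `OBJ_txt2nid` and are dropped silently by the `goto start`. The removed code advanced past the last separator; the rewrite below restores that, and reuses `q` (which on the new side is only zeroed by `p=q=NULL;` and otherwise dead within this hunk) to remember the character after it, so the `if (*p)` guard against a name that ends in a separator is preserved. make_REQ begins and ends outside this hunk.
```c
		/* Skip past any leading X. X: X, etc to allow for
		 * multiple instances
		 */
		for(p = v->name; *p ; p++)
			if ((*p == ':') || (*p == ',') || (*p == '.'))
				q=p+1;
		if ((q != NULL) && *q) type=(char *)q;
		/* … unchanged: OBJ_txt2nid lookup, _default / _value handling … */
```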
@@ -1194,3 +1177,41 @@ int len,min,max;
 }
 return(1);
 }
+
+/* Check if the end of a string matches 'end' */
+static int check_end(str, end)
+char *str;
+char *end;
+{
+ int elen, slen;
+ char *tmp;
+ elen = strlen(end);
+ slen = strlen(str);
+ if(elen > slen) return 1;
+ tmp = str + slen - elen;
+fprintf(stderr, "Matching %s, %s %s\n", str, end, tmp);
+ return strcmp(tmp, end);
+}
+
+static int add_oid_section(conf)
+LHASH *conf;
+{
+ char *p;
+ STACK *sktmp;
+ CONF_VALUE *cnf;
+ int i;
+ if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
+ if(!(sktmp = CONF_get_section(conf, p))) {
+ BIO_printf(bio_err, "problem loading oid section %s\n", p);
+ return 0;
+ }
+ for(i = 0; i < sk_num(sktmp); i++) {
+ cnf = (CONF_VALUE *)sk_value(sktmp, i);
+ if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
+ BIO_printf(bio_err, "problem creating object %s=%s\n",
+ cnf->name, cnf->value);
+ return 0;
+ }
+ }
+ return 1;
+}
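Review bot: `check_end` ships with a debug line left in, `fprintf(stderr, "Matching %s, %s %s\n", str, end, tmp);`, unindented and writing straight to stderr rather than bio_err; it fires four times for every key of every DN section make_REQ walks, so it should be deleted before this lands. The header comment `/* Check if the end of a string matches 'end' */` also reads as though a non-zero result meant a match, while the body returns `strcmp`'s sense (0 on match, non-zero otherwise, and 1 when `end` is longer than `str`), which is exactly why the caller writes `!check_end(...)`; restating it as `/* Return 0 when 'str' ends with 'end', non-zero otherwise (strcmp sense) */` removes the ambiguity. `elen` and `slen` hold `strlen` results in `int`; `size_t` would avoid the narrowing, though the inputs here are short config keys.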