LOCAL_SHORT_COMMANDS := true

LOCAL_MODULE := libcrypto_tls

LOCAL_SHARED_LIBRARIES :=

LOCAL_SRC_FILES := \

	crypto/compat/explicit_bzero.c \
	crypto/compat/reallocarray.c \
	crypto/compat/timingsafe_memcmp.c \

	crypto/aes/aes_cbc.c \
	crypto/aes/aes_core.c \
	crypto/camellia/camellia.c \
	crypto/camellia/cmll_cbc.c \
	crypto/rc4/rc4_enc.c \
	crypto/rc4/rc4_skey.c \
	crypto/whrlpool/wp_block.c \

	crypto/asn1/a_bitstr.c \
	crypto/asn1/a_bool.c \
	crypto/asn1/a_bytes.c \
	crypto/asn1/a_d2i_fp.c \
	crypto/asn1/a_digest.c \
	crypto/asn1/a_dup.c \
	crypto/asn1/a_enum.c \
	crypto/asn1/a_gentm.c \
	crypto/asn1/a_i2d_fp.c \
	crypto/asn1/a_int.c \
	crypto/asn1/a_mbstr.c \
	crypto/asn1/a_object.c \
	crypto/asn1/a_octet.c \
	crypto/asn1/a_print.c \
	crypto/asn1/a_set.c \
	crypto/asn1/a_sign.c \
	crypto/asn1/a_strex.c \
	crypto/asn1/a_strnid.c \
	crypto/asn1/a_time.c \
	crypto/asn1/a_type.c \
	crypto/asn1/a_utctm.c \
	crypto/asn1/a_utf8.c \
	crypto/asn1/a_verify.c \
	crypto/asn1/ameth_lib.c \
	crypto/asn1/asn1_err.c \
	crypto/asn1/asn1_gen.c \
	crypto/asn1/asn1_lib.c \
	crypto/asn1/asn1_par.c \

	crypto/ec/ecp_mont.c \
	crypto/ec/ecp_nist.c \
	crypto/ec/ecp_oct.c \
	crypto/ec/ecp_smpl.c \
	crypto/ecdh/ech_err.c \
	crypto/ecdh/ech_key.c \
	crypto/ecdh/ech_lib.c \
	crypto/ecdh/ech_ossl.c \
	crypto/ecdsa/ecs_asn1.c \
	crypto/ecdsa/ecs_err.c \
	crypto/ecdsa/ecs_lib.c \
	crypto/ecdsa/ecs_ossl.c \
	crypto/ecdsa/ecs_sign.c \
	crypto/ecdsa/ecs_vrf.c \
	crypto/engine/eng_all.c \

	crypto/evp/m_ecdsa.c \
	crypto/evp/m_gost2814789.c \
	crypto/evp/m_gostr341194.c \
	crypto/evp/m_md4.c \
	crypto/evp/m_md5.c \
	crypto/evp/m_null.c \
	crypto/evp/m_ripemd.c \
	crypto/evp/m_sha.c \
	crypto/evp/m_sha1.c \
	crypto/evp/m_sigver.c \
	crypto/evp/m_streebog.c \
	crypto/evp/m_wp.c \
	crypto/evp/names.c \
	crypto/evp/p5_crpt.c \
	crypto/evp/p5_crpt2.c \

	crypto/rsa/rsa_sign.c \
	crypto/rsa/rsa_ssl.c \
	crypto/rsa/rsa_x931.c \
	crypto/sha/sha1_one.c \
	crypto/sha/sha1dgst.c \
	crypto/sha/sha256.c \
	crypto/sha/sha512.c \
	crypto/sha/sha_dgst.c \
	crypto/sha/sha_one.c \
	crypto/stack/stack.c \
	crypto/ts/ts_asn1.c \
	crypto/ts/ts_conf.c \
	crypto/ts/ts_err.c \
	crypto/ts/ts_lib.c \
	crypto/ts/ts_req_print.c \
	crypto/ts/ts_req_utils.c \

	ssl/d1_meth.c \
	ssl/d1_pkt.c \
	ssl/d1_srtp.c \
	ssl/d1_srvr.c \
	ssl/pqueue.c \
	ssl/s23_clnt.c \
	ssl/s23_lib.c \
	ssl/s23_meth.c \
	ssl/s23_pkt.c \
	ssl/s23_srvr.c \
	ssl/s3_both.c \
	ssl/s3_cbc.c \
	ssl/s3_clnt.c \
	ssl/s3_enc.c \
	ssl/s3_lib.c \
	ssl/s3_meth.c \
	ssl/s3_pkt.c \
	ssl/s3_srvr.c \
	ssl/ssl_algs.c \
	ssl/ssl_asn1.c \
	ssl/ssl_cert.c \
	ssl/ssl_ciph.c \
	ssl/ssl_err.c \

cmake_minimum_required (VERSION 2.8)
include(CheckFunctionExists)
include(CheckLibraryExists)
include(CheckIncludeFiles)


project (LibreSSL)

enable_testing()

file(READ ${CMAKE_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
string(STRIP ${SSL_VERSION} SSL_VERSION)
string(REPLACE ":" "." SSL_VERSION ${SSL_VERSION})
string(REGEX REPLACE "\\..*" "" SSL_MAJOR_VERSION ${SSL_VERSION})

file(READ ${CMAKE_SOURCE_DIR}/crypto/VERSION CRYPTO_VERSION)
string(STRIP ${CRYPTO_VERSION} CRYPTO_VERSION)
string(REPLACE ":" "." CRYPTO_VERSION ${CRYPTO_VERSION})
string(REGEX REPLACE "\\..*" "" CRYPTO_MAJOR_VERSION ${CRYPTO_VERSION})

file(READ ${CMAKE_SOURCE_DIR}/tls/VERSION TLS_VERSION)
string(STRIP ${TLS_VERSION} TLS_VERSION)
string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})












if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
endif()

if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	add_definitions(-D_DEFAULT_SOURCE)
	add_definitions(-D_BSD_SOURCE)
	add_definitions(-D_POSIX_SOURCE)
	add_definitions(-D_GNU_SOURCE)
endif()



























add_definitions(-DLIBRESSL_INTERNAL)
add_definitions(-DOPENSSL_NO_HW_PADLOCK)
add_definitions(-DOPENSSL_NO_ASM)

set(CMAKE_POSITION_INDEPENDENT_CODE true)

if (CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang")
	add_definitions(-Wno-pointer-sign)
endif()

endif()

check_function_exists(strlcat HAVE_STRLCAT)
if(HAVE_STRLCAT)
	add_definitions(-DHAVE_STRLCAT)
endif()

check_function_exists(strlcat HAVE_STRLCPY)
if(HAVE_STRLCPY)
	add_definitions(-DHAVE_STRLCPY)
endif()

check_function_exists(strndup HAVE_STRNDUP)
if(HAVE_STRNDUP)
	add_definitions(-DHAVE_STRNDUP)
endif()

if(MSVC)
	set(HAVE_STRNLEN)
	add_definitions(-DHAVE_STRNLEN)
else()
	check_function_exists(strnlen HAVE_STRNLEN)
	if(HAVE_STRNLEN)
		add_definitions(-DHAVE_STRNLEN)
	endif()
endif()

check_function_exists(strsep HAVE_STRSEP)
if(HAVE_STRSEP)
	add_definitions(-DHAVE_STRSEP)
endif()






check_function_exists(arc4random_buf HAVE_ARC4RANDOM_BUF)
if(HAVE_ARC4RANDOM_BUF)
	add_definitions(-DHAVE_ARC4RANDOM_BUF)
endif()






check_function_exists(explicit_bzero HAVE_EXPLICIT_BZERO)
if(HAVE_EXPLICIT_BZERO)
	add_definitions(-DHAVE_EXPLICIT_BZERO)
endif()

check_function_exists(getauxval HAVE_GETAUXVAL)

	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
endif()

check_function_exists(timingsafe_memcmp HAVE_TIMINGSAFE_MEMCMP)
if(HAVE_MEMCMP)
	add_definitions(-DHAVE_MEMCMP)
endif()






check_include_files(err.h HAVE_ERR_H)
if(HAVE_ERR_H)
	add_definitions(-DHAVE_ERR_H)
endif()













set(OPENSSL_LIBS ssl crypto)
if(CMAKE_HOST_WIN32)
	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
endif()
if(CMAKE_SYSTEM_NAME MATCHES "Linux")
	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
	if (HAVE_CLOCK_GETTIME)
		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
	endif()
endif()







if(NOT (CMAKE_SYSTEM_NAME MATCHES "Darwin" OR MSVC))
	set(BUILD_SHARED true)
endif()









add_subdirectory(crypto)
add_subdirectory(ssl)
add_subdirectory(apps)
add_subdirectory(tls)
add_subdirectory(include)
if(NOT MSVC)
	add_subdirectory(man)
	add_subdirectory(tests)
endif()

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:





















































2.2.9 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida. See OpenBSD 5.8 errata 17, June 6, 2016



























2.2.8 - Reliability fix

	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.2.7 - Security Update

	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
	From OpenSSL.


2.2.6 - Security Update



	* Deprecated the SSL_OP_SINGLE_DH_USE flag.











2.2.5 - Reliability Update






































	* Fixes from OpenSSL 1.0.1q
	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
	                   validation.
	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

	* The following OpenSSL CVEs did not apply to LibreSSL
	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
	                   squaring procedure.
	 - CVE-2015-3196 - Double free race condition of the identify hint
	                   data.

	 See https://marc.info/?l=openbsd-announce&m=144925068504102


2.2.4 - Build and bug fixes




	* Backported build fixes for CMake on Windows, OSX and Linux













	* Fixes for a memory leak and out-of-bounds access in OBJ_obj2txt
	  reported by Qualys Security.
	 - CVE-2015-5333 - memory leak in OBJ_obj2txt


	 - CVE-2015-5334 - 1-byte buffer overflow in OBJ_obj2txt





	 See http://www.openwall.com/lists/oss-security/2015/10/16/1


























































2.2.3 - Bug fixes, build enhancements

	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
	  include TLS extensions, resulting in such handshakes being aborted.
	  This release corrects the handling of such messages. Thanks to
	  Ligushka from github for reporting the issue.

SUBDIRS = crypto ssl tls include apps tests man
ACLOCAL_AMFLAGS = -I m4

pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc

EXTRA_DIST = README.md README.windows VERSION config scripts
EXTRA_DIST += CMakeLists.txt

ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \
	$(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \
	$(srcdir)/openssl.pc.in COPYING ChangeLog compile config.guess \
	config.sub depcomp install-sh ltmain.sh missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
am__remove_distdir = \
  if test -d "$(distdir)"; then \
    find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \
      && rm -rf "$(distdir)" \

top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
SUBDIRS = crypto ssl tls include apps tests man
ACLOCAL_AMFLAGS = -I m4
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libcrypto.pc libssl.pc libtls.pc openssl.pc
EXTRA_DIST = README.md README.windows VERSION config scripts \
	CMakeLists.txt
all: all-recursive

.SUFFIXES:
am--refresh: Makefile
	@:
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
	@for dep in $?; do \

	maintainer-clean-generic mostlyclean mostlyclean-generic \
	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
	uninstall-am uninstall-pkgconfigDATA

.PRECIOUS: Makefile





# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

other operating systems, and assists with improving OS-native implementations
where possible.

At the time of this writing, LibreSSL is know to build and work on:

* Linux (kernel 3.17 or later recommended)
* FreeBSD (tested with 9.2 and later)
* NetBSD (tested with 6.1.5)
* HP-UX (11i)
* Solaris (11 and later preferred)
* Mac OS X (tested with 10.8 and later)
* AIX (5.3 and later)

LibreSSL also supports the following Windows environments:
* Microsoft Windows (XP or higher, x86 and x64)

2.2.9

include_directories(
	.
	../include
	../include/compat
)

set(
	OPENSSL_SRC
	apps.c
	asn1pars.c
	ca.c
	ciphers.c
	cms.c
	crl.c
	crl2p7.c
	dgst.c
	dh.c
	dhparam.c
	dsa.c
	dsaparam.c
	ec.c
	ecparam.c
	enc.c
	engine.c
	errstr.c
	gendh.c
	gendsa.c
	genpkey.c
	genrsa.c
	nseq.c
	ocsp.c
	openssl.c
	passwd.c
	pkcs12.c
	pkcs7.c
	pkcs8.c
	pkey.c
	pkeyparam.c
	pkeyutl.c
	prime.c
	rand.c
	req.c
	rsa.c
	rsautl.c
	s_cb.c
	s_client.c
	s_server.c
	s_socket.c
	s_time.c
	sess_id.c
	smime.c
	speed.c
	spkac.c
	ts.c
	verify.c
	version.c
	x509.c
)

if(CMAKE_HOST_UNIX)
	set(OPENSSL_SRC ${OPENSSL_SRC} apps_posix.c)
	set(OPENSSL_SRC ${OPENSSL_SRC} certhash.c)
endif()

if(CMAKE_HOST_WIN32)
	set(OPENSSL_SRC ${OPENSSL_SRC} apps_win.c)
	set(OPENSSL_SRC ${OPENSSL_SRC} certhash_disabled.c)
	set(OPENSSL_SRC ${OPENSSL_SRC} poll_win.c)
endif()

check_function_exists(strtonum HAVE_STRTONUM)
if(HAVE_STRTONUM)
	add_definitions(-DHAVE_STRTONUM)
else()
	set(OPENSSL_SRC ${OPENSSL_SRC} strtonum.c)
endif()

add_executable(openssl ${OPENSSL_SRC})
target_link_libraries(openssl ${OPENSSL_LIBS})

install(TARGETS openssl DESTINATION bin)

include $(top_srcdir)/Makefile.am.common

bin_PROGRAMS = openssl

openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD)
openssl_LDADD += $(top_builddir)/ssl/libssl.la
openssl_LDADD += $(top_builddir)/crypto/libcrypto.la

openssl_SOURCES = apps.c
openssl_SOURCES += asn1pars.c
openssl_SOURCES += ca.c
openssl_SOURCES += ciphers.c
openssl_SOURCES += cms.c
openssl_SOURCES += crl.c
openssl_SOURCES += crl2p7.c
openssl_SOURCES += dgst.c
openssl_SOURCES += dh.c
openssl_SOURCES += dhparam.c
openssl_SOURCES += dsa.c
openssl_SOURCES += dsaparam.c
openssl_SOURCES += ec.c
openssl_SOURCES += ecparam.c
openssl_SOURCES += enc.c
openssl_SOURCES += engine.c
openssl_SOURCES += errstr.c
openssl_SOURCES += gendh.c
openssl_SOURCES += gendsa.c
openssl_SOURCES += genpkey.c
openssl_SOURCES += genrsa.c
openssl_SOURCES += nseq.c
openssl_SOURCES += ocsp.c
openssl_SOURCES += openssl.c
openssl_SOURCES += passwd.c
openssl_SOURCES += pkcs12.c
openssl_SOURCES += pkcs7.c
openssl_SOURCES += pkcs8.c
openssl_SOURCES += pkey.c
openssl_SOURCES += pkeyparam.c
openssl_SOURCES += pkeyutl.c
openssl_SOURCES += prime.c
openssl_SOURCES += rand.c
openssl_SOURCES += req.c
openssl_SOURCES += rsa.c
openssl_SOURCES += rsautl.c
openssl_SOURCES += s_cb.c
openssl_SOURCES += s_client.c
openssl_SOURCES += s_server.c
openssl_SOURCES += s_socket.c
openssl_SOURCES += s_time.c
openssl_SOURCES += sess_id.c
openssl_SOURCES += smime.c
openssl_SOURCES += speed.c
openssl_SOURCES += spkac.c
openssl_SOURCES += ts.c
openssl_SOURCES += verify.c
openssl_SOURCES += version.c
openssl_SOURCES += x509.c

if BUILD_CERTHASH
openssl_SOURCES += certhash.c
else
openssl_SOURCES += certhash_disabled.c
endif

if HOST_WIN
openssl_SOURCES += apps_win.c
else
openssl_SOURCES += apps_posix.c
endif

if !HAVE_POLL
if HOST_WIN
openssl_SOURCES += poll_win.c
endif
endif

if !HAVE_STRTONUM
openssl_SOURCES += strtonum.c
endif

noinst_HEADERS = apps.h
noinst_HEADERS += progs.h
noinst_HEADERS += s_apps.h
noinst_HEADERS += testdsa.h
noinst_HEADERS += testrsa.h
noinst_HEADERS += timeouts.h

EXTRA_DIST = cert.pem
EXTRA_DIST += openssl.cnf
EXTRA_DIST += x509v3.cnf
EXTRA_DIST += CMakeLists.txt

install-exec-hook:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
	fi; \
	mkdir -p "$$OPENSSLDIR/certs"; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
		else \
			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
		fi \
	done

uninstall-local:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
	fi; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
			rm -f "$$OPENSSLDIR/$$i"; \
		fi \
	done

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.

@SET_MAKE@


VPATH = @srcdir@
am__is_gnu_make = { \
  if test -z '$(MAKELEVEL)'; then \
    false; \
  elif test -n '$(MAKE_HOST)'; then \
    true; \
  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \

PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
bin_PROGRAMS = openssl$(EXEEXT)
@BUILD_CERTHASH_TRUE@am__append_1 = certhash.c
@BUILD_CERTHASH_FALSE@am__append_2 = certhash_disabled.c
@HOST_WIN_TRUE@am__append_3 = apps_win.c
@HOST_WIN_FALSE@am__append_4 = apps_posix.c
@HAVE_POLL_FALSE@@HOST_WIN_TRUE@am__append_5 = poll_win.c
@HAVE_STRTONUM_FALSE@am__append_6 = strtonum.c
subdir = apps
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/check-hardening-options.m4 \
	$(top_srcdir)/m4/check-libc.m4 \
	$(top_srcdir)/m4/check-os-options.m4 \
	$(top_srcdir)/m4/disable-compiler-warnings.m4 \
	$(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
	$(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
	$(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
	$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(noinst_HEADERS) \
	$(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
am__installdirs = "$(DESTDIR)$(bindir)"
PROGRAMS = $(bin_PROGRAMS)
am__openssl_SOURCES_DIST = apps.c asn1pars.c ca.c ciphers.c cms.c \
	crl.c crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c \
	ecparam.c enc.c engine.c errstr.c gendh.c gendsa.c genpkey.c \
	genrsa.c nseq.c ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c \
	pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
	rsa.c rsautl.c s_cb.c s_client.c s_server.c s_socket.c \
	s_time.c sess_id.c smime.c speed.c spkac.c ts.c verify.c \
	version.c x509.c certhash.c certhash_disabled.c apps_win.c \
	apps_posix.c poll_win.c strtonum.c
@BUILD_CERTHASH_TRUE@am__objects_1 = certhash.$(OBJEXT)
@BUILD_CERTHASH_FALSE@am__objects_2 = certhash_disabled.$(OBJEXT)
@HOST_WIN_TRUE@am__objects_3 = apps_win.$(OBJEXT)
@HOST_WIN_FALSE@am__objects_4 = apps_posix.$(OBJEXT)
@HAVE_POLL_FALSE@@HOST_WIN_TRUE@am__objects_5 = poll_win.$(OBJEXT)
@HAVE_STRTONUM_FALSE@am__objects_6 = strtonum.$(OBJEXT)
am_openssl_OBJECTS = apps.$(OBJEXT) asn1pars.$(OBJEXT) ca.$(OBJEXT) \
	ciphers.$(OBJEXT) cms.$(OBJEXT) crl.$(OBJEXT) crl2p7.$(OBJEXT) \
	dgst.$(OBJEXT) dh.$(OBJEXT) dhparam.$(OBJEXT) dsa.$(OBJEXT) \
	dsaparam.$(OBJEXT) ec.$(OBJEXT) ecparam.$(OBJEXT) \
	enc.$(OBJEXT) engine.$(OBJEXT) errstr.$(OBJEXT) \
	gendh.$(OBJEXT) gendsa.$(OBJEXT) genpkey.$(OBJEXT) \
	genrsa.$(OBJEXT) nseq.$(OBJEXT) ocsp.$(OBJEXT) \
	openssl.$(OBJEXT) passwd.$(OBJEXT) pkcs12.$(OBJEXT) \
	pkcs7.$(OBJEXT) pkcs8.$(OBJEXT) pkey.$(OBJEXT) \
	pkeyparam.$(OBJEXT) pkeyutl.$(OBJEXT) prime.$(OBJEXT) \
	rand.$(OBJEXT) req.$(OBJEXT) rsa.$(OBJEXT) rsautl.$(OBJEXT) \
	s_cb.$(OBJEXT) s_client.$(OBJEXT) s_server.$(OBJEXT) \
	s_socket.$(OBJEXT) s_time.$(OBJEXT) sess_id.$(OBJEXT) \
	smime.$(OBJEXT) speed.$(OBJEXT) spkac.$(OBJEXT) ts.$(OBJEXT) \
	verify.$(OBJEXT) version.$(OBJEXT) x509.$(OBJEXT) \
	$(am__objects_1) $(am__objects_2) $(am__objects_3) \
	$(am__objects_4) $(am__objects_5) $(am__objects_6)
openssl_OBJECTS = $(am_openssl_OBJECTS)
am__DEPENDENCIES_1 =
openssl_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
	$(top_builddir)/ssl/libssl.la \
	$(top_builddir)/crypto/libcrypto.la
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 = 
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo "  GEN     " $@;
am__v_GEN_1 = 
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 = 
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
	$(AM_CFLAGS) $(CFLAGS)
AM_V_CC = $(am__v_CC_@AM_V@)
am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
am__v_CC_0 = @echo "  CC      " $@;
am__v_CC_1 = 
CCLD = $(CC)
LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
	$(AM_LDFLAGS) $(LDFLAGS) -o $@
AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo "  CCLD    " $@;
am__v_CCLD_1 = 
SOURCES = $(openssl_SOURCES)
DIST_SOURCES = $(am__openssl_SOURCES_DIST)








am__can_run_installinfo = \
  case $$AM_UPDATE_INFO_DIR in \
    n|no|NO) false;; \
    *) (install-info --version) >/dev/null 2>&1;; \
  esac







HEADERS = $(noinst_HEADERS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
# Read a list of newline-separated strings from the standard input,
# and print each of them once, without duplicates.  Input order is
# *not* preserved.
am__uniquify_input = $(AWK) '\
  BEGIN { nonempty = 0; } \
  { items[$$0] = 1; nonempty = 1; } \
  END { if (nonempty) { for (i in items) print i; }; } \
'
# Make sure the list of sources is unique.  This is necessary because,
# e.g., the same source file might be shared among _SOURCES variables
# for different programs/libraries.
am__define_uniq_tagged_files = \
  list='$(am__tagged_files)'; \
  unique=`for i in $$list; do \
    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
  done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags

am__DIST_COMMON = $(srcdir)/Makefile.in \
	$(top_srcdir)/Makefile.am.common $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)

























ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@

sysconfdir = @sysconfdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = 
AM_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL
openssl_LDADD = $(PLATFORM_LDADD) $(PROG_LDADD) \
	$(top_builddir)/ssl/libssl.la \
	$(top_builddir)/crypto/libcrypto.la
openssl_SOURCES = apps.c asn1pars.c ca.c ciphers.c cms.c crl.c \
	crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c \
	enc.c engine.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c \
	nseq.c ocsp.c openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c \
	rsautl.c s_cb.c s_client.c s_server.c s_socket.c s_time.c \
	sess_id.c smime.c speed.c spkac.c ts.c verify.c version.c \
	x509.c $(am__append_1) $(am__append_2) $(am__append_3) \
	$(am__append_4) $(am__append_5) $(am__append_6)
noinst_HEADERS = apps.h progs.h s_apps.h testdsa.h testrsa.h \
	timeouts.h
EXTRA_DIST = cert.pem openssl.cnf x509v3.cnf CMakeLists.txt
all: all-am

.SUFFIXES:
.SUFFIXES: .c .lo .o .obj
$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(am__configure_deps)
	@for dep in $?; do \
	  case '$(am__configure_deps)' in \
	    *$$dep*) \
	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
	        && { if test -f $@; then exit 0; else break; fi; }; \
	      exit 1;; \

	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh

$(top_srcdir)/configure:  $(am__configure_deps)
	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
install-binPROGRAMS: $(bin_PROGRAMS)
	@$(NORMAL_INSTALL)
	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
	if test -n "$$list"; then \
	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
	fi; \
	for p in $$list; do echo "$$p $$p"; done | \
	sed 's/$(EXEEXT)$$//' | \
	while read p p1; do if test -f $$p \
	 || test -f $$p1 \
	  ; then echo "$$p"; echo "$$p"; else :; fi; \
	done | \
	sed -e 'p;s,.*/,,;n;h' \
	    -e 's|.*|.|' \
	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
	sed 'N;N;N;s,\n, ,g' | \
	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
	    else { print "f", $$3 "/" $$4, $$1; } } \
	  END { for (d in files) print "f", d, files[d] }' | \
	while read type dir files; do \
	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
	    test -z "$$files" || { \
	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
	    } \
	; done

uninstall-binPROGRAMS:
	@$(NORMAL_UNINSTALL)
	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
	files=`for p in $$list; do echo "$$p"; done | \
	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
	      -e 's/$$/$(EXEEXT)/' \
	`; \
	test -n "$$list" || exit 0; \
	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
	cd "$(DESTDIR)$(bindir)" && rm -f $$files

clean-binPROGRAMS:
	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
	echo " rm -f" $$list; \
	rm -f $$list || exit $$?; \
	test -n "$(EXEEXT)" || exit 0; \
	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
	echo " rm -f" $$list; \
	rm -f $$list

openssl$(EXEEXT): $(openssl_OBJECTS) $(openssl_DEPENDENCIES) $(EXTRA_openssl_DEPENDENCIES) 
	@rm -f openssl$(EXEEXT)
	$(AM_V_CCLD)$(LINK) $(openssl_OBJECTS) $(openssl_LDADD) $(LIBS)

mostlyclean-compile:
	-rm -f *.$(OBJEXT)

distclean-compile:
	-rm -f *.tab.c

@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/apps.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/apps_posix.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/apps_win.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1pars.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ca.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certhash_disabled.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ciphers.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cms.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl2p7.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dgst.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dhparam.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dsaparam.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ec.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ecparam.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enc.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/engine.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/errstr.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gendh.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gendsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/genpkey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/genrsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nseq.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/passwd.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs12.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs8.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkey.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkeyparam.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkeyutl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/poll_win.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prime.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rand.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsa.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsautl.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s_cb.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s_client.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s_server.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s_socket.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/s_time.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sess_id.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/smime.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/speed.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spkac.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strtonum.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/version.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@

.c.o:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<

.c.obj:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`

.c.lo:
@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<

mostlyclean-libtool:
	-rm -f *.lo

clean-libtool:
	-rm -rf .libs _libs



































ID: $(am__tagged_files)
	$(am__define_uniq_tagged_files); mkid -fID $$unique
tags: tags-am
TAGS: tags

tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
	set x; \
	here=`pwd`; \













	$(am__define_uniq_tagged_files); \
	shift; \
	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
	  test -n "$$unique" || unique=$$empty_fix; \
	  if test $$# -gt 0; then \
	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
	      "$$@" $$unique; \
	  else \
	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
	      $$unique; \
	  fi; \
	fi
ctags: ctags-am

CTAGS: ctags
ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
	$(am__define_uniq_tagged_files); \
	test -z "$(CTAGS_ARGS)$$unique" \
	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
	     $$unique

GTAGS:
	here=`$(am__cd) $(top_builddir) && pwd` \
	  && $(am__cd) $(top_srcdir) \
	  && gtags -i $(GTAGS_ARGS) "$$here"
cscopelist: cscopelist-am

cscopelist-am: $(am__tagged_files)
	list='$(am__tagged_files)'; \
	case "$(srcdir)" in \
	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
	  *) sdir=$(subdir)/$(srcdir) ;; \
	esac; \

	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
	  else \
	    test -f "$(distdir)/$$file" \
	    || cp -p $$d/$$file "$(distdir)/$$file" \
	    || exit 1; \
	  fi; \
	done

























check-am: all-am
check: check-am
all-am: Makefile $(PROGRAMS) $(HEADERS)
installdirs:
	for dir in "$(DESTDIR)$(bindir)"; do \
	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
	done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am

install-am: all-am
	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am

installcheck: installcheck-am
install-strip:
	if test -z '$(STRIP)'; then \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
	      install; \
	else \
	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \

distclean-generic:
	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)

maintainer-clean-generic:
	@echo "This command is intended for maintainers to use"
	@echo "it deletes files that may require special tools to rebuild."
clean: clean-am

clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am

distclean: distclean-am
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
	distclean-tags

dvi: dvi-am

dvi-am:

html: html-am

html-am:

info: info-am

info-am:

install-data-am:

install-dvi: install-dvi-am

install-dvi-am:

install-exec-am: install-binPROGRAMS
	@$(NORMAL_INSTALL)
	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
install-html: install-html-am

install-html-am:

install-info: install-info-am

install-info-am:

install-man:

install-pdf: install-pdf-am

install-pdf-am:

install-ps: install-ps-am

install-ps-am:

installcheck-am:

maintainer-clean: maintainer-clean-am
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic

mostlyclean: mostlyclean-am

mostlyclean-am: mostlyclean-compile mostlyclean-generic \
	mostlyclean-libtool

pdf: pdf-am

pdf-am:

ps: ps-am

ps-am:

uninstall-am: uninstall-binPROGRAMS uninstall-local

.MAKE: install-am install-exec-am install-strip

.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
	ctags ctags-am distclean distclean-compile distclean-generic \
	distclean-libtool distclean-tags distdir dvi dvi-am html \
	html-am info info-am install install-am install-binPROGRAMS \
	install-data install-data-am install-dvi install-dvi-am \
	install-exec install-exec-am install-exec-hook install-html \
	install-html-am install-info install-info-am install-man \
	install-pdf install-pdf-am install-ps install-ps-am \
	install-strip installcheck installcheck-am installdirs \
	maintainer-clean maintainer-clean-generic mostlyclean \
	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
	uninstall-binPROGRAMS uninstall-local

.PRECIOUS: Makefile


install-exec-hook:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
	fi; \
	mkdir -p "$$OPENSSLDIR/certs"; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
		else \
			echo " $$OPENSSLDIR/$$i already exists, install will not overwrite"; \
		fi \
	done

uninstall-local:
	@if [ "@OPENSSLDIR@x" != "x" ]; then \
		OPENSSLDIR="$(DESTDIR)/@OPENSSLDIR@"; \
	else \
		OPENSSLDIR="$(DESTDIR)/$(sysconfdir)/ssl"; \
	fi; \
	for i in cert.pem openssl.cnf x509v3.cnf; do \
		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
			rm -f "$$OPENSSLDIR/$$i"; \
		fi \
	done

# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

/* $OpenBSD: apps.c,v 1.32 2015/07/20 22:51:11 bcook Exp $ */
/*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
/* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <sys/types.h>
#include <sys/stat.h>

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>

#include "apps.h"

#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/safestack.h>
#include <openssl/ui.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

#include <openssl/rsa.h>

typedef struct {
	const char *name;
	unsigned long flag;
	unsigned long mask;
} NAME_EX_TBL;

static UI_METHOD *ui_method = NULL;

static int set_table_opts(unsigned long *flags, const char *arg,
    const NAME_EX_TBL *in_tbl);
static int set_multi_opts(unsigned long *flags, const char *arg,
    const NAME_EX_TBL *in_tbl);

#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
/* Looks like this stuff is worth moving into separate function */
static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
    const char *key_descrip, int format);
#endif

int
str2fmt(char *s)
{
	if (s == NULL)
		return FORMAT_UNDEF;
	if ((*s == 'D') || (*s == 'd'))
		return (FORMAT_ASN1);
	else if ((*s == 'T') || (*s == 't'))
		return (FORMAT_TEXT);
	else if ((*s == 'N') || (*s == 'n'))
		return (FORMAT_NETSCAPE);
	else if ((*s == 'S') || (*s == 's'))
		return (FORMAT_SMIME);
	else if ((*s == 'M') || (*s == 'm'))
		return (FORMAT_MSBLOB);
	else if ((*s == '1') ||
	    (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) ||
	    (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
		return (FORMAT_PKCS12);
	else if ((*s == 'E') || (*s == 'e'))
		return (FORMAT_ENGINE);
	else if ((*s == 'P') || (*s == 'p')) {
		if (s[1] == 'V' || s[1] == 'v')
			return FORMAT_PVK;
		else
			return (FORMAT_PEM);
	} else
		return (FORMAT_UNDEF);
}

void
program_name(char *in, char *out, int size)
{
	char *p;

	p = strrchr(in, '/');
	if (p != NULL)
		p++;
	else
		p = in;
	strlcpy(out, p, size);
}

int
chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
{
	int num, i;
	char *p;

	*argc = 0;
	*argv = NULL;

	i = 0;
	if (arg->count == 0) {
		arg->count = 20;
		arg->data = reallocarray(NULL, arg->count, sizeof(char *));
		if (arg->data == NULL)
			return 0;
	}
	for (i = 0; i < arg->count; i++)
		arg->data[i] = NULL;

	num = 0;
	p = buf;
	for (;;) {
		/* first scan over white space */
		if (!*p)
			break;
		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
			p++;
		if (!*p)
			break;

		/* The start of something good :-) */
		if (num >= arg->count) {
			char **tmp_p;
			int tlen = arg->count + 20;
			tmp_p = reallocarray(arg->data, tlen, sizeof(char *));
			if (tmp_p == NULL)
				return 0;
			arg->data = tmp_p;
			arg->count = tlen;
			/* initialize newly allocated data */
			for (i = num; i < arg->count; i++)
				arg->data[i] = NULL;
		}
		arg->data[num++] = p;

		/* now look for the end of this */
		if ((*p == '\'') || (*p == '\"')) {	/* scan for closing
							 * quote */
			i = *(p++);
			arg->data[num - 1]++;	/* jump over quote */
			while (*p && (*p != i))
				p++;
			*p = '\0';
		} else {
			while (*p && ((*p != ' ') &&
			    (*p != '\t') && (*p != '\n')))
				p++;

			if (*p == '\0')
				p--;
			else
				*p = '\0';
		}
		p++;
	}
	*argc = num;
	*argv = arg->data;
	return (1);
}

int
dump_cert_text(BIO *out, X509 *x)
{
	char *p;

	p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
	BIO_puts(out, "subject=");
	BIO_puts(out, p);
	free(p);

	p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
	BIO_puts(out, "\nissuer=");
	BIO_puts(out, p);
	BIO_puts(out, "\n");
	free(p);

	return 0;
}

static int
ui_open(UI *ui)
{
	return UI_method_get_opener(UI_OpenSSL()) (ui);
}

static int
ui_read(UI *ui, UI_STRING *uis)
{
	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
	    UI_get0_user_data(ui)) {
		switch (UI_get_string_type(uis)) {
		case UIT_PROMPT:
		case UIT_VERIFY:
			{
				const char *password =
				    ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
				if (password && password[0] != '\0') {
					UI_set_result(ui, uis, password);
					return 1;
				}
			}
			break;
		default:
			break;
		}
	}
	return UI_method_get_reader(UI_OpenSSL()) (ui, uis);
}

static int
ui_write(UI *ui, UI_STRING *uis)
{
	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD &&
	    UI_get0_user_data(ui)) {
		switch (UI_get_string_type(uis)) {
		case UIT_PROMPT:
		case UIT_VERIFY:
			{
				const char *password =
				    ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
				if (password && password[0] != '\0')
					return 1;
			}
			break;
		default:
			break;
		}
	}
	return UI_method_get_writer(UI_OpenSSL()) (ui, uis);
}

static int
ui_close(UI *ui)
{
	return UI_method_get_closer(UI_OpenSSL()) (ui);
}

int
setup_ui_method(void)
{
	ui_method = UI_create_method("OpenSSL application user interface");
	UI_method_set_opener(ui_method, ui_open);
	UI_method_set_reader(ui_method, ui_read);
	UI_method_set_writer(ui_method, ui_write);
	UI_method_set_closer(ui_method, ui_close);
	return 0;
}

void
destroy_ui_method(void)
{
	if (ui_method) {
		UI_destroy_method(ui_method);
		ui_method = NULL;
	}
}

int
password_callback(char *buf, int bufsiz, int verify, void *arg)
{
	PW_CB_DATA *cb_tmp = arg;
	UI *ui = NULL;
	int res = 0;
	const char *prompt_info = NULL;
	const char *password = NULL;
	PW_CB_DATA *cb_data = (PW_CB_DATA *) cb_tmp;

	if (cb_data) {
		if (cb_data->password)
			password = cb_data->password;
		if (cb_data->prompt_info)
			prompt_info = cb_data->prompt_info;
	}
	if (password) {
		res = strlen(password);
		if (res > bufsiz)
			res = bufsiz;
		memcpy(buf, password, res);
		return res;
	}
	ui = UI_new_method(ui_method);
	if (ui) {
		int ok = 0;
		char *buff = NULL;
		int ui_flags = 0;
		char *prompt = NULL;

		prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);

		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);

		if (ok >= 0)
			ok = UI_add_input_string(ui, prompt, ui_flags, buf,
			    PW_MIN_LENGTH, bufsiz - 1);
		if (ok >= 0 && verify) {
			buff = malloc(bufsiz);
			ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
			    PW_MIN_LENGTH, bufsiz - 1, buf);
		}
		if (ok >= 0)
			do {
				ok = UI_process(ui);
			} while (ok < 0 &&
			    UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));

		if (buff) {
			OPENSSL_cleanse(buff, (unsigned int) bufsiz);
			free(buff);
		}
		if (ok >= 0)
			res = strlen(buf);
		if (ok == -1) {
			BIO_printf(bio_err, "User interface error\n");
			ERR_print_errors(bio_err);
			OPENSSL_cleanse(buf, (unsigned int) bufsiz);
			res = 0;
		}
		if (ok == -2) {
			BIO_printf(bio_err, "aborted!\n");
			OPENSSL_cleanse(buf, (unsigned int) bufsiz);
			res = 0;
		}
		UI_free(ui);
		free(prompt);
	}
	return res;
}

static char *app_get_pass(BIO *err, char *arg, int keepbio);

int
app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
{
	int same;

	if (!arg2 || !arg1 || strcmp(arg1, arg2))
		same = 0;
	else
		same = 1;
	if (arg1) {
		*pass1 = app_get_pass(err, arg1, same);
		if (!*pass1)
			return 0;
	} else if (pass1)
		*pass1 = NULL;
	if (arg2) {
		*pass2 = app_get_pass(err, arg2, same ? 2 : 0);
		if (!*pass2)
			return 0;
	} else if (pass2)
		*pass2 = NULL;
	return 1;
}

static char *
app_get_pass(BIO *err, char *arg, int keepbio)
{
	char *tmp, tpass[APP_PASS_LEN];
	static BIO *pwdbio = NULL;
	const char *errstr = NULL;
	int i;

	if (!strncmp(arg, "pass:", 5))
		return strdup(arg + 5);
	if (!strncmp(arg, "env:", 4)) {
		tmp = getenv(arg + 4);
		if (!tmp) {
			BIO_printf(err, "Can't read environment variable %s\n",
			    arg + 4);
			return NULL;
		}
		return strdup(tmp);
	}
	if (!keepbio || !pwdbio) {
		if (!strncmp(arg, "file:", 5)) {
			pwdbio = BIO_new_file(arg + 5, "r");
			if (!pwdbio) {
				BIO_printf(err, "Can't open file %s\n",
				    arg + 5);
				return NULL;
			}
		} else if (!strncmp(arg, "fd:", 3)) {
			BIO *btmp;
			i = strtonum(arg + 3, 0, INT_MAX, &errstr);
			if (errstr) {
				BIO_printf(err,
				    "Invalid file descriptor %s: %s\n",
				    arg, errstr);
				return NULL;
			}
			pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
			if (!pwdbio) {
				BIO_printf(err,
				    "Can't access file descriptor %s\n",
				    arg + 3);
				return NULL;
			}
			/*
			 * Can't do BIO_gets on an fd BIO so add a buffering
			 * BIO
			 */
			btmp = BIO_new(BIO_f_buffer());
			pwdbio = BIO_push(btmp, pwdbio);
		} else if (!strcmp(arg, "stdin")) {
			pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
			if (!pwdbio) {
				BIO_printf(err, "Can't open BIO for stdin\n");
				return NULL;
			}
		} else {
			BIO_printf(err, "Invalid password argument \"%s\"\n",
			    arg);
			return NULL;
		}
	}
	i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
	if (keepbio != 1) {
		BIO_free_all(pwdbio);
		pwdbio = NULL;
	}
	if (i <= 0) {
		BIO_printf(err, "Error reading password from BIO\n");
		return NULL;
	}
	tmp = strchr(tpass, '\n');
	if (tmp)
		*tmp = 0;
	return strdup(tpass);
}

int
add_oid_section(BIO *err, CONF *conf)
{
	char *p;
	STACK_OF(CONF_VALUE) *sktmp;
	CONF_VALUE *cnf;
	int i;

	if (!(p = NCONF_get_string(conf, NULL, "oid_section"))) {
		ERR_clear_error();
		return 1;
	}
	if (!(sktmp = NCONF_get_section(conf, p))) {
		BIO_printf(err, "problem loading oid section %s\n", p);
		return 0;
	}
	for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
		cnf = sk_CONF_VALUE_value(sktmp, i);
		if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
			BIO_printf(err, "problem creating object %s=%s\n",
			    cnf->name, cnf->value);
			return 0;
		}
	}
	return 1;
}

static int
load_pkcs12(BIO *err, BIO *in, const char *desc, pem_password_cb *pem_cb,
    void *cb_data, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
{
	const char *pass;
	char tpass[PEM_BUFSIZE];
	int len, ret = 0;
	PKCS12 *p12;

	p12 = d2i_PKCS12_bio(in, NULL);
	if (p12 == NULL) {
		BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
		goto die;
	}
	/* See if an empty password will do */
	if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
		pass = "";
	else {
		if (!pem_cb)
			pem_cb = password_callback;
		len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
		if (len < 0) {
			BIO_printf(err, "Passpharse callback error for %s\n",
			    desc);
			goto die;
		}
		if (len < PEM_BUFSIZE)
			tpass[len] = 0;
		if (!PKCS12_verify_mac(p12, tpass, len)) {
			BIO_printf(err,
			    "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);
			goto die;
		}
		pass = tpass;
	}
	ret = PKCS12_parse(p12, pass, pkey, cert, ca);

die:
	if (p12)
		PKCS12_free(p12);
	return ret;
}

X509 *
load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
    const char *cert_descrip)
{
	X509 *x = NULL;
	BIO *cert;

	if ((cert = BIO_new(BIO_s_file())) == NULL) {
		ERR_print_errors(err);
		goto end;
	}
	if (file == NULL) {
		setvbuf(stdin, NULL, _IONBF, 0);
		BIO_set_fp(cert, stdin, BIO_NOCLOSE);
	} else {
		if (BIO_read_filename(cert, file) <= 0) {
			BIO_printf(err, "Error opening %s %s\n",
			    cert_descrip, file);
			ERR_print_errors(err);
			goto end;
		}
	}

	if (format == FORMAT_ASN1)
		x = d2i_X509_bio(cert, NULL);
	else if (format == FORMAT_NETSCAPE) {
		NETSCAPE_X509 *nx;
		nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),
		    cert, NULL);
		if (nx == NULL)
			goto end;

		if ((strncmp(NETSCAPE_CERT_HDR, (char *) nx->header->data,
		    nx->header->length) != 0)) {
			NETSCAPE_X509_free(nx);
			BIO_printf(err,
			    "Error reading header on certificate\n");
			goto end;
		}
		x = nx->cert;
		nx->cert = NULL;
		NETSCAPE_X509_free(nx);
	} else if (format == FORMAT_PEM)
		x = PEM_read_bio_X509_AUX(cert, NULL, password_callback, NULL);
	else if (format == FORMAT_PKCS12) {
		if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL,
		    NULL, &x, NULL))
			goto end;
	} else {
		BIO_printf(err, "bad input format specified for %s\n",
		    cert_descrip);
		goto end;
	}

end:
	if (x == NULL) {
		BIO_printf(err, "unable to load certificate\n");
		ERR_print_errors(err);
	}
	BIO_free(cert);
	return (x);
}

EVP_PKEY *
load_key(BIO *err, const char *file, int format, int maybe_stdin,
    const char *pass, ENGINE *e, const char *key_descrip)
{
	BIO *key = NULL;
	EVP_PKEY *pkey = NULL;
	PW_CB_DATA cb_data;

	cb_data.password = pass;
	cb_data.prompt_info = file;

	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
		BIO_printf(err, "no keyfile specified\n");
		goto end;
	}
#ifndef OPENSSL_NO_ENGINE
	if (format == FORMAT_ENGINE) {
		if (!e)
			BIO_printf(err, "no engine specified\n");
		else {
			pkey = ENGINE_load_private_key(e, file,
			    ui_method, &cb_data);
			if (!pkey) {
				BIO_printf(err, "cannot load %s from engine\n",
				    key_descrip);
				ERR_print_errors(err);
			}
		}
		goto end;
	}
#endif
	key = BIO_new(BIO_s_file());
	if (key == NULL) {
		ERR_print_errors(err);
		goto end;
	}
	if (file == NULL && maybe_stdin) {
		setvbuf(stdin, NULL, _IONBF, 0);
		BIO_set_fp(key, stdin, BIO_NOCLOSE);
	} else if (BIO_read_filename(key, file) <= 0) {
		BIO_printf(err, "Error opening %s %s\n",
		    key_descrip, file);
		ERR_print_errors(err);
		goto end;
	}
	if (format == FORMAT_ASN1) {
		pkey = d2i_PrivateKey_bio(key, NULL);
	} else if (format == FORMAT_PEM) {
		pkey = PEM_read_bio_PrivateKey(key, NULL, password_callback, &cb_data);
	}
#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
		pkey = load_netscape_key(err, key, file, key_descrip, format);
#endif
	else if (format == FORMAT_PKCS12) {
		if (!load_pkcs12(err, key, key_descrip, password_callback, &cb_data,
		    &pkey, NULL, NULL))
			goto end;
	}
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
	else if (format == FORMAT_MSBLOB)
		pkey = b2i_PrivateKey_bio(key);
	else if (format == FORMAT_PVK)
		pkey = b2i_PVK_bio(key, password_callback,
		    &cb_data);
#endif
	else {
		BIO_printf(err, "bad input format specified for key file\n");
		goto end;
	}
end:
	BIO_free(key);
	if (pkey == NULL) {
		BIO_printf(err, "unable to load %s\n", key_descrip);
		ERR_print_errors(err);
	}
	return (pkey);
}

EVP_PKEY *
load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
    const char *pass, ENGINE *e, const char *key_descrip)
{
	BIO *key = NULL;
	EVP_PKEY *pkey = NULL;
	PW_CB_DATA cb_data;

	cb_data.password = pass;
	cb_data.prompt_info = file;

	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
		BIO_printf(err, "no keyfile specified\n");
		goto end;
	}
#ifndef OPENSSL_NO_ENGINE
	if (format == FORMAT_ENGINE) {
		if (!e)
			BIO_printf(bio_err, "no engine specified\n");
		else
			pkey = ENGINE_load_public_key(e, file,
			    ui_method, &cb_data);
		goto end;
	}
#endif
	key = BIO_new(BIO_s_file());
	if (key == NULL) {
		ERR_print_errors(err);
		goto end;
	}
	if (file == NULL && maybe_stdin) {
		setvbuf(stdin, NULL, _IONBF, 0);
		BIO_set_fp(key, stdin, BIO_NOCLOSE);
	} else if (BIO_read_filename(key, file) <= 0) {
		BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
		ERR_print_errors(err);
		goto end;
	}
	if (format == FORMAT_ASN1) {
		pkey = d2i_PUBKEY_bio(key, NULL);
	}
	else if (format == FORMAT_ASN1RSA) {
		RSA *rsa;
		rsa = d2i_RSAPublicKey_bio(key, NULL);
		if (rsa) {
			pkey = EVP_PKEY_new();
			if (pkey)
				EVP_PKEY_set1_RSA(pkey, rsa);
			RSA_free(rsa);
		} else
			pkey = NULL;
	} else if (format == FORMAT_PEMRSA) {
		RSA *rsa;
		rsa = PEM_read_bio_RSAPublicKey(key, NULL, password_callback, &cb_data);
		if (rsa) {
			pkey = EVP_PKEY_new();
			if (pkey)
				EVP_PKEY_set1_RSA(pkey, rsa);
			RSA_free(rsa);
		} else
			pkey = NULL;
	}
	else if (format == FORMAT_PEM) {
		pkey = PEM_read_bio_PUBKEY(key, NULL, password_callback, &cb_data);
	}
#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
		pkey = load_netscape_key(err, key, file, key_descrip, format);
#endif
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
	else if (format == FORMAT_MSBLOB)
		pkey = b2i_PublicKey_bio(key);
#endif
	else {
		BIO_printf(err, "bad input format specified for key file\n");
		goto end;
	}

end:
	BIO_free(key);
	if (pkey == NULL)
		BIO_printf(err, "unable to load %s\n", key_descrip);
	return (pkey);
}

#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
static EVP_PKEY *
load_netscape_key(BIO *err, BIO *key, const char *file,
    const char *key_descrip, int format)
{
	EVP_PKEY *pkey;
	BUF_MEM *buf;
	RSA *rsa;
	const unsigned char *p;
	int size, i;

	buf = BUF_MEM_new();
	pkey = EVP_PKEY_new();
	size = 0;
	if (buf == NULL || pkey == NULL)
		goto error;
	for (;;) {
		if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
			goto error;
		i = BIO_read(key, &(buf->data[size]), 1024 * 10);
		size += i;
		if (i == 0)
			break;
		if (i < 0) {
			BIO_printf(err, "Error reading %s %s",
			    key_descrip, file);
			goto error;
		}
	}
	p = (unsigned char *) buf->data;
	rsa = d2i_RSA_NET(NULL, &p, (long) size, NULL,
	    (format == FORMAT_IISSGC ? 1 : 0));
	if (rsa == NULL)
		goto error;
	BUF_MEM_free(buf);
	EVP_PKEY_set1_RSA(pkey, rsa);
	return pkey;

error:
	BUF_MEM_free(buf);
	EVP_PKEY_free(pkey);
	return NULL;
}
#endif				/* ndef OPENSSL_NO_RC4 */

static int
load_certs_crls(BIO *err, const char *file, int format, const char *pass,
    ENGINE *e, const char *desc, STACK_OF(X509) **pcerts,
    STACK_OF(X509_CRL) **pcrls)
{
	int i;
	BIO *bio;
	STACK_OF(X509_INFO) *xis = NULL;
	X509_INFO *xi;
	PW_CB_DATA cb_data;
	int rv = 0;

	cb_data.password = pass;
	cb_data.prompt_info = file;

	if (format != FORMAT_PEM) {
		BIO_printf(err, "bad input format specified for %s\n", desc);
		return 0;
	}
	if (file == NULL)
		bio = BIO_new_fp(stdin, BIO_NOCLOSE);
	else
		bio = BIO_new_file(file, "r");

	if (bio == NULL) {
		BIO_printf(err, "Error opening %s %s\n",
		    desc, file ? file : "stdin");
		ERR_print_errors(err);
		return 0;
	}
	xis = PEM_X509_INFO_read_bio(bio, NULL, password_callback, &cb_data);

	BIO_free(bio);

	if (pcerts) {
		*pcerts = sk_X509_new_null();
		if (!*pcerts)
			goto end;
	}
	if (pcrls) {
		*pcrls = sk_X509_CRL_new_null();
		if (!*pcrls)
			goto end;
	}
	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		xi = sk_X509_INFO_value(xis, i);
		if (xi->x509 && pcerts) {
			if (!sk_X509_push(*pcerts, xi->x509))
				goto end;
			xi->x509 = NULL;
		}
		if (xi->crl && pcrls) {
			if (!sk_X509_CRL_push(*pcrls, xi->crl))
				goto end;
			xi->crl = NULL;
		}
	}

	if (pcerts && sk_X509_num(*pcerts) > 0)
		rv = 1;

	if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
		rv = 1;

end:
	if (xis)
		sk_X509_INFO_pop_free(xis, X509_INFO_free);

	if (rv == 0) {
		if (pcerts) {
			sk_X509_pop_free(*pcerts, X509_free);
			*pcerts = NULL;
		}
		if (pcrls) {
			sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
			*pcrls = NULL;
		}
		BIO_printf(err, "unable to load %s\n",
		    pcerts ? "certificates" : "CRLs");
		ERR_print_errors(err);
	}
	return rv;
}

STACK_OF(X509) *
load_certs(BIO *err, const char *file, int format, const char *pass,
    ENGINE *e, const char *desc)
{
	STACK_OF(X509) *certs;

	if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
		return NULL;
	return certs;
}

STACK_OF(X509_CRL) *
load_crls(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
    const char *desc)
{
	STACK_OF(X509_CRL) *crls;

	if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
		return NULL;
	return crls;
}

#define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)
/* Return error for unknown extensions */
#define X509V3_EXT_DEFAULT		0
/* Print error for unknown extensions */
#define X509V3_EXT_ERROR_UNKNOWN	(1L << 16)
/* ASN1 parse unknown extensions */
#define X509V3_EXT_PARSE_UNKNOWN	(2L << 16)
/* BIO_dump unknown extensions */
#define X509V3_EXT_DUMP_UNKNOWN		(3L << 16)

#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
			 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)

int
set_cert_ex(unsigned long *flags, const char *arg)
{
	static const NAME_EX_TBL cert_tbl[] = {
		{"compatible", X509_FLAG_COMPAT, 0xffffffffl},
		{"ca_default", X509_FLAG_CA, 0xffffffffl},
		{"no_header", X509_FLAG_NO_HEADER, 0},
		{"no_version", X509_FLAG_NO_VERSION, 0},
		{"no_serial", X509_FLAG_NO_SERIAL, 0},
		{"no_signame", X509_FLAG_NO_SIGNAME, 0},
		{"no_validity", X509_FLAG_NO_VALIDITY, 0},
		{"no_subject", X509_FLAG_NO_SUBJECT, 0},
		{"no_issuer", X509_FLAG_NO_ISSUER, 0},
		{"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
		{"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
		{"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
		{"no_aux", X509_FLAG_NO_AUX, 0},
		{"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
		{"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
		{"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
		{"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
		{"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
		{NULL, 0, 0}
	};
	return set_multi_opts(flags, arg, cert_tbl);
}

int
set_name_ex(unsigned long *flags, const char *arg)
{
	static const NAME_EX_TBL ex_tbl[] = {
		{"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
		{"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
		{"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
		{"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
		{"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
		{"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
		{"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
		{"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
		{"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
		{"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
		{"compat", XN_FLAG_COMPAT, 0xffffffffL},
		{"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
		{"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
		{"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
		{"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
		{"dn_rev", XN_FLAG_DN_REV, 0},
		{"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
		{"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
		{"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
		{"align", XN_FLAG_FN_ALIGN, 0},
		{"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
		{"space_eq", XN_FLAG_SPC_EQ, 0},
		{"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
		{"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
		{"oneline", XN_FLAG_ONELINE, 0xffffffffL},
		{"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
		{"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
		{NULL, 0, 0}
	};
	return set_multi_opts(flags, arg, ex_tbl);
}

int
set_ext_copy(int *copy_type, const char *arg)
{
	if (!strcasecmp(arg, "none"))
		*copy_type = EXT_COPY_NONE;
	else if (!strcasecmp(arg, "copy"))
		*copy_type = EXT_COPY_ADD;
	else if (!strcasecmp(arg, "copyall"))
		*copy_type = EXT_COPY_ALL;
	else
		return 0;
	return 1;
}

int
copy_extensions(X509 *x, X509_REQ *req, int copy_type)
{
	STACK_OF(X509_EXTENSION) *exts = NULL;
	X509_EXTENSION *ext, *tmpext;
	ASN1_OBJECT *obj;
	int i, idx, ret = 0;

	if (!x || !req || (copy_type == EXT_COPY_NONE))
		return 1;
	exts = X509_REQ_get_extensions(req);

	for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
		ext = sk_X509_EXTENSION_value(exts, i);
		obj = X509_EXTENSION_get_object(ext);
		idx = X509_get_ext_by_OBJ(x, obj, -1);
		/* Does extension exist? */
		if (idx != -1) {
			/* If normal copy don't override existing extension */
			if (copy_type == EXT_COPY_ADD)
				continue;
			/* Delete all extensions of same type */
			do {
				tmpext = X509_get_ext(x, idx);
				X509_delete_ext(x, idx);
				X509_EXTENSION_free(tmpext);
				idx = X509_get_ext_by_OBJ(x, obj, -1);
			} while (idx != -1);
		}
		if (!X509_add_ext(x, ext, -1))
			goto end;
	}

	ret = 1;

end:
	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);

	return ret;
}

static int
set_multi_opts(unsigned long *flags, const char *arg,
    const NAME_EX_TBL *in_tbl)
{
	STACK_OF(CONF_VALUE) *vals;
	CONF_VALUE *val;
	int i, ret = 1;

	if (!arg)
		return 0;
	vals = X509V3_parse_list(arg);
	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
		val = sk_CONF_VALUE_value(vals, i);
		if (!set_table_opts(flags, val->name, in_tbl))
			ret = 0;
	}
	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
	return ret;
}

static int
set_table_opts(unsigned long *flags, const char *arg,
    const NAME_EX_TBL *in_tbl)
{
	char c;
	const NAME_EX_TBL *ptbl;

	c = arg[0];
	if (c == '-') {
		c = 0;
		arg++;
	} else if (c == '+') {
		c = 1;
		arg++;
	} else
		c = 1;

	for (ptbl = in_tbl; ptbl->name; ptbl++) {
		if (!strcasecmp(arg, ptbl->name)) {
			*flags &= ~ptbl->mask;
			if (c)
				*flags |= ptbl->flag;
			else
				*flags &= ~ptbl->flag;
			return 1;
		}
	}
	return 0;
}

void
print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags)
{
	char *buf;
	char mline = 0;
	int indent = 0;

	if (title)
		BIO_puts(out, title);
	if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
		mline = 1;
		indent = 4;
	}
	if (lflags == XN_FLAG_COMPAT) {
		buf = X509_NAME_oneline(nm, 0, 0);
		BIO_puts(out, buf);
		BIO_puts(out, "\n");
		free(buf);
	} else {
		if (mline)
			BIO_puts(out, "\n");
		X509_NAME_print_ex(out, nm, indent, lflags);
		BIO_puts(out, "\n");
	}
}

X509_STORE *
setup_verify(BIO *bp, char *CAfile, char *CApath)
{
	X509_STORE *store;
	X509_LOOKUP *lookup;

	if (!(store = X509_STORE_new()))
		goto end;
	lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
	if (lookup == NULL)
		goto end;
	if (CAfile) {
		if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
			BIO_printf(bp, "Error loading file %s\n", CAfile);
			goto end;
		}
	} else
		X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);

	lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
	if (lookup == NULL)
		goto end;
	if (CApath) {
		if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
			BIO_printf(bp, "Error loading directory %s\n", CApath);
			goto end;
		}
	} else
		X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);

	ERR_clear_error();
	return store;

end:
	X509_STORE_free(store);
	return NULL;
}

#ifndef OPENSSL_NO_ENGINE

ENGINE *
setup_engine(BIO *err, const char *engine, int debug)
{
	ENGINE *e = NULL;

	if (engine) {
		if (strcmp(engine, "auto") == 0) {
			BIO_printf(err, "enabling auto ENGINE support\n");
			ENGINE_register_all_complete();
			return NULL;
		}
		if ((e = ENGINE_by_id(engine)) == NULL) {
			BIO_printf(err, "invalid engine \"%s\"\n", engine);
			ERR_print_errors(err);
			return NULL;
		}
		if (debug) {
			if (ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
			    0, err, 0) <= 0) {
				BIO_printf(err, "Cannot set logstream for "
				    "engine \"%s\"\n", engine);
				ERR_print_errors(err);
				ENGINE_free(e);
				return NULL;
			}
		}
		if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1)) {
			BIO_printf(err, "can't set user interface\n");
			ERR_print_errors(err);
			ENGINE_free(e);
			return NULL;
		}
		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
			BIO_printf(err, "can't use that engine\n");
			ERR_print_errors(err);
			ENGINE_free(e);
			return NULL;
		}
		BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));

		/* Free our "structural" reference. */
		ENGINE_free(e);
	}
	return e;
}
#endif

int
load_config(BIO *err, CONF *cnf)
{
	static int load_config_called = 0;

	if (load_config_called)
		return 1;
	load_config_called = 1;
	if (cnf == NULL)
		cnf = config;
	if (cnf == NULL)
		return 1;

	OPENSSL_load_builtin_modules();

	if (CONF_modules_load(cnf, NULL, 0) <= 0) {
		BIO_printf(err, "Error configuring OpenSSL\n");
		ERR_print_errors(err);
		return 0;
	}
	return 1;
}

char *
make_config_name()
{
	const char *t = X509_get_default_cert_area();
	char *p;

	if (asprintf(&p, "%s/openssl.cnf", t) == -1)
		return NULL;
	return p;
}

static unsigned long
index_serial_hash(const OPENSSL_CSTRING *a)
{
	const char *n;

	n = a[DB_serial];
	while (*n == '0')
		n++;
	return (lh_strhash(n));
}

static int
index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{
	const char *aa, *bb;

	for (aa = a[DB_serial]; *aa == '0'; aa++)
		;
	for (bb = b[DB_serial]; *bb == '0'; bb++)
		;
	return (strcmp(aa, bb));
}

static int
index_name_qual(char **a)
{
	return (a[0][0] == 'V');
}

static unsigned long
index_name_hash(const OPENSSL_CSTRING *a)
{
	return (lh_strhash(a[DB_name]));
}

int
index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{
	return (strcmp(a[DB_name], b[DB_name]));
}

static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)

#define BUFLEN 256

BIGNUM *
load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
{
	BIO *in = NULL;
	BIGNUM *ret = NULL;
	char buf[1024];
	ASN1_INTEGER *ai = NULL;

	ai = ASN1_INTEGER_new();
	if (ai == NULL)
		goto err;

	if ((in = BIO_new(BIO_s_file())) == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (BIO_read_filename(in, serialfile) <= 0) {
		if (!create) {
			perror(serialfile);
			goto err;
		} else {
			ret = BN_new();
			if (ret == NULL || !rand_serial(ret, ai))
				BIO_printf(bio_err, "Out of memory\n");
		}
	} else {
		if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
			BIO_printf(bio_err, "unable to load number from %s\n",
			    serialfile);
			goto err;
		}
		ret = ASN1_INTEGER_to_BN(ai, NULL);
		if (ret == NULL) {
			BIO_printf(bio_err,
			    "error converting number from bin to BIGNUM\n");
			goto err;
		}
	}

	if (ret && retai) {
		*retai = ai;
		ai = NULL;
	}

err:
	if (in != NULL)
		BIO_free(in);
	if (ai != NULL)
		ASN1_INTEGER_free(ai);
	return (ret);
}

int
save_serial(char *serialfile, char *suffix, BIGNUM *serial,
    ASN1_INTEGER **retai)
{
	char buf[1][BUFLEN];
	BIO *out = NULL;
	int ret = 0, n;
	ASN1_INTEGER *ai = NULL;
	int j;

	if (suffix == NULL)
		j = strlen(serialfile);
	else
		j = strlen(serialfile) + strlen(suffix) + 1;
	if (j >= BUFLEN) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	if (suffix == NULL)
		n = strlcpy(buf[0], serialfile, BUFLEN);
	else
		n = snprintf(buf[0], sizeof buf[0], "%s.%s",
		    serialfile, suffix);
	if (n == -1 || n >= sizeof(buf[0])) {
		BIO_printf(bio_err, "serial too long\n");
		goto err;
	}
	out = BIO_new(BIO_s_file());
	if (out == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (BIO_write_filename(out, buf[0]) <= 0) {
		perror(serialfile);
		goto err;
	}
	if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
		BIO_printf(bio_err,
		    "error converting serial to ASN.1 format\n");
		goto err;
	}
	i2a_ASN1_INTEGER(out, ai);
	BIO_puts(out, "\n");
	ret = 1;
	if (retai) {
		*retai = ai;
		ai = NULL;
	}

err:
	if (out != NULL)
		BIO_free_all(out);
	if (ai != NULL)
		ASN1_INTEGER_free(ai);
	return (ret);
}

int
rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
{
	char buf[5][BUFLEN];
	int i, j;

	i = strlen(serialfile) + strlen(old_suffix);
	j = strlen(serialfile) + strlen(new_suffix);
	if (i > j)
		j = i;
	if (j + 1 >= BUFLEN) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
	snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);


	if (rename(serialfile, buf[1]) < 0 &&
	    errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    serialfile, buf[1]);
		perror("reason");
		goto err;
	}


	if (rename(buf[0], serialfile) < 0) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    buf[0], serialfile);
		perror("reason");
		if (rename(buf[1], serialfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    buf[1], serialfile);
			perror("reason");
		}
		goto err;
	}
	return 1;

err:
	return 0;
}

int
rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
{
	BIGNUM *btmp;
	int ret = 0;

	if (b)
		btmp = b;
	else
		btmp = BN_new();

	if (!btmp)
		return 0;

	if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
		goto error;
	if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
		goto error;

	ret = 1;

error:
	if (!b)
		BN_free(btmp);

	return ret;
}

CA_DB *
load_index(char *dbfile, DB_ATTR *db_attr)
{
	CA_DB *retdb = NULL;
	TXT_DB *tmpdb = NULL;
	BIO *in = BIO_new(BIO_s_file());
	CONF *dbattr_conf = NULL;
	char buf[1][BUFLEN];
	long errorline = -1;

	if (in == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	if (BIO_read_filename(in, dbfile) <= 0) {
		perror(dbfile);
		BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
		goto err;
	}
	if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
		goto err;

	snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
	dbattr_conf = NCONF_new(NULL);
	if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
		if (errorline > 0) {
			BIO_printf(bio_err,
			    "error on line %ld of db attribute file '%s'\n",
			    errorline, buf[0]);
			goto err;
		} else {
			NCONF_free(dbattr_conf);
			dbattr_conf = NULL;
		}
	}
	if ((retdb = malloc(sizeof(CA_DB))) == NULL) {
		fprintf(stderr, "Out of memory\n");
		goto err;
	}
	retdb->db = tmpdb;
	tmpdb = NULL;
	if (db_attr)
		retdb->attributes = *db_attr;
	else {
		retdb->attributes.unique_subject = 1;
	}

	if (dbattr_conf) {
		char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
		if (p) {
			retdb->attributes.unique_subject = parse_yesno(p, 1);
		}
	}

err:
	if (dbattr_conf)
		NCONF_free(dbattr_conf);
	if (tmpdb)
		TXT_DB_free(tmpdb);
	if (in)
		BIO_free_all(in);
	return retdb;
}

int
index_index(CA_DB *db)
{
	if (!TXT_DB_create_index(db->db, DB_serial, NULL,
	    LHASH_HASH_FN(index_serial), LHASH_COMP_FN(index_serial))) {
		BIO_printf(bio_err,
		    "error creating serial number index:(%ld,%ld,%ld)\n",
		    db->db->error, db->db->arg1, db->db->arg2);
		return 0;
	}
	if (db->attributes.unique_subject &&
	    !TXT_DB_create_index(db->db, DB_name, index_name_qual,
	    LHASH_HASH_FN(index_name), LHASH_COMP_FN(index_name))) {
		BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
		    db->db->error, db->db->arg1, db->db->arg2);
		return 0;
	}
	return 1;
}

int
save_index(const char *dbfile, const char *suffix, CA_DB *db)
{
	char buf[3][BUFLEN];
	BIO *out = BIO_new(BIO_s_file());
	int j;

	if (out == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	j = strlen(dbfile) + strlen(suffix);
	if (j + 6 >= BUFLEN) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
	snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
	snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);


	if (BIO_write_filename(out, buf[0]) <= 0) {
		perror(dbfile);
		BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
		goto err;
	}
	j = TXT_DB_write(out, db->db);
	if (j <= 0)
		goto err;

	BIO_free(out);

	out = BIO_new(BIO_s_file());


	if (BIO_write_filename(out, buf[1]) <= 0) {
		perror(buf[2]);
		BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
		goto err;
	}
	BIO_printf(out, "unique_subject = %s\n",
	    db->attributes.unique_subject ? "yes" : "no");
	BIO_free(out);

	return 1;

err:
	return 0;
}

int
rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
{
	char buf[5][BUFLEN];
	int i, j;

	i = strlen(dbfile) + strlen(old_suffix);
	j = strlen(dbfile) + strlen(new_suffix);
	if (i > j)
		j = i;
	if (j + 6 >= BUFLEN) {
		BIO_printf(bio_err, "file name too long\n");
		goto err;
	}
	snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
	snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
	snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
	snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
	snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);


	if (rename(dbfile, buf[1]) < 0 && errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    dbfile, buf[1]);
		perror("reason");
		goto err;
	}


	if (rename(buf[0], dbfile) < 0) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    buf[0], dbfile);
		perror("reason");
		if (rename(buf[1], dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    buf[1], dbfile);
			perror("reason");
		}
		goto err;
	}


	if (rename(buf[4], buf[3]) < 0 && errno != ENOENT && errno != ENOTDIR) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    buf[4], buf[3]);
		perror("reason");
		if (rename(dbfile, buf[0]) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    dbfile, buf[0]);
			perror("reason");
		}
		if (rename(buf[1], dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    buf[1], dbfile);
			perror("reason");
		}
		goto err;
	}


	if (rename(buf[2], buf[4]) < 0) {
		BIO_printf(bio_err, "unable to rename %s to %s\n",
		    buf[2], buf[4]);
		perror("reason");
		if (rename(buf[3], buf[4]) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    buf[3], buf[4]);
			perror("reason");
		}
		if (rename(dbfile, buf[0]) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    dbfile, buf[0]);
			perror("reason");
		}
		if (rename(buf[1], dbfile) < 0) {
			BIO_printf(bio_err, "unable to rename %s to %s\n",
			    buf[1], dbfile);
			perror("reason");
		}
		goto err;
	}
	return 1;

err:
	return 0;
}

void
free_index(CA_DB *db)
{
	if (db) {
		if (db->db)
			TXT_DB_free(db->db);
		free(db);
	}
}

int
parse_yesno(const char *str, int def)
{
	int ret = def;

	if (str) {
		switch (*str) {
		case 'f':	/* false */
		case 'F':	/* FALSE */
		case 'n':	/* no */
		case 'N':	/* NO */
		case '0':	/* 0 */
			ret = 0;
			break;
		case 't':	/* true */
		case 'T':	/* TRUE */
		case 'y':	/* yes */
		case 'Y':	/* YES */
		case '1':	/* 1 */
			ret = 1;
			break;
		default:
			ret = def;
			break;
		}
	}
	return ret;
}

/*
 * subject is expected to be in the format /type0=value0/type1=value1/type2=...
 * where characters may be escaped by \
 */
X509_NAME *
parse_name(char *subject, long chtype, int multirdn)
{
	X509_NAME *name = NULL;
	size_t buflen, max_ne;
	char **ne_types, **ne_values;
	char *buf, *bp, *sp;
	int i, nid, ne_num = 0;
	int *mval;

	/*
	 * Buffer to copy the types and values into. Due to escaping the
	 * copy can only become shorter.
	 */
	buflen = strlen(subject) + 1;
	buf = malloc(buflen);

	/* Maximum number of name elements. */
	max_ne = buflen / 2 + 1;
	ne_types = reallocarray(NULL, max_ne, sizeof(char *));
	ne_values = reallocarray(NULL, max_ne, sizeof(char *));
	mval = reallocarray(NULL, max_ne, sizeof(int));

	if (buf == NULL || ne_types == NULL || ne_values == NULL ||
	    mval == NULL) {
		BIO_printf(bio_err, "malloc error\n");
		goto error;
	}

	bp = buf;
	sp = subject;

	if (*subject != '/') {
		BIO_printf(bio_err, "Subject does not start with '/'.\n");
		goto error;
	}

	/* Skip leading '/'. */
	sp++;

	/* No multivalued RDN by default. */
	mval[ne_num] = 0;

	while (*sp) {
		/* Collect type. */
		ne_types[ne_num] = bp;
		while (*sp) {
			/* is there anything to escape in the type...? */
			if (*sp == '\\') {
				if (*++sp)
					*bp++ = *sp++;
				else {
					BIO_printf(bio_err, "escape character "
					    "at end of string\n");
					goto error;
				}
			} else if (*sp == '=') {
				sp++;
				*bp++ = '\0';
				break;
			} else
				*bp++ = *sp++;
		}
		if (!*sp) {
			BIO_printf(bio_err, "end of string encountered while "
			    "processing type of subject name element #%d\n",
			    ne_num);
			goto error;
		}
		ne_values[ne_num] = bp;
		while (*sp) {
			if (*sp == '\\') {
				if (*++sp)
					*bp++ = *sp++;
				else {
					BIO_printf(bio_err, "escape character "
					    "at end of string\n");
					goto error;
				}
			} else if (*sp == '/') {
				sp++;
				/* no multivalued RDN by default */
				mval[ne_num + 1] = 0;
				break;
			} else if (*sp == '+' && multirdn) {
				/* a not escaped + signals a mutlivalued RDN */
				sp++;
				mval[ne_num + 1] = -1;
				break;
			} else
				*bp++ = *sp++;
		}
		*bp++ = '\0';
		ne_num++;
	}

	if ((name = X509_NAME_new()) == NULL)
		goto error;

	for (i = 0; i < ne_num; i++) {
		if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) {
			BIO_printf(bio_err,
			    "Subject Attribute %s has no known NID, skipped\n",
			    ne_types[i]);
			continue;
		}
		if (!*ne_values[i]) {
			BIO_printf(bio_err, "No value provided for Subject "
			    "Attribute %s, skipped\n", ne_types[i]);
			continue;
		}
		if (!X509_NAME_add_entry_by_NID(name, nid, chtype,
		    (unsigned char *) ne_values[i], -1, -1, mval[i]))
			goto error;
	}
	goto done;

error:
	X509_NAME_free(name);
	name = NULL;

done:
	free(ne_values);
	free(ne_types);
	free(mval);
	free(buf);

	return name;
}

int
args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
    X509_VERIFY_PARAM **pm)
{
	ASN1_OBJECT *otmp = NULL;
	unsigned long flags = 0;
	int i;
	int purpose = 0, depth = -1;
	char **oldargs = *pargs;
	char *arg = **pargs, *argn = (*pargs)[1];
	time_t at_time = 0;
	const char *errstr = NULL;

	if (!strcmp(arg, "-policy")) {
		if (!argn)
			*badarg = 1;
		else {
			otmp = OBJ_txt2obj(argn, 0);
			if (!otmp) {
				BIO_printf(err, "Invalid Policy \"%s\"\n",
				    argn);
				*badarg = 1;
			}
		}
		(*pargs)++;
	} else if (strcmp(arg, "-purpose") == 0) {
		X509_PURPOSE *xptmp;
		if (!argn)
			*badarg = 1;
		else {
			i = X509_PURPOSE_get_by_sname(argn);
			if (i < 0) {
				BIO_printf(err, "unrecognized purpose\n");
				*badarg = 1;
			} else {
				xptmp = X509_PURPOSE_get0(i);
				purpose = X509_PURPOSE_get_id(xptmp);
			}
		}
		(*pargs)++;
	} else if (strcmp(arg, "-verify_depth") == 0) {
		if (!argn)
			*badarg = 1;
		else {
			depth = strtonum(argn, 1, INT_MAX, &errstr);
			if (errstr) {
				BIO_printf(err, "invalid depth %s: %s\n",
				    argn, errstr);
				*badarg = 1;
			}
		}
		(*pargs)++;
	} else if (strcmp(arg, "-attime") == 0) {
		if (!argn)
			*badarg = 1;
		else {
			long long timestamp;
			/*
			 * interpret the -attime argument as seconds since
			 * Epoch
			 */
			if (sscanf(argn, "%lli", &timestamp) != 1) {
				BIO_printf(bio_err,
				    "Error parsing timestamp %s\n",
				    argn);
				*badarg = 1;
			}
			/* XXX 2038 truncation */
			at_time = (time_t) timestamp;
		}
		(*pargs)++;
	} else if (!strcmp(arg, "-ignore_critical"))
		flags |= X509_V_FLAG_IGNORE_CRITICAL;
	else if (!strcmp(arg, "-issuer_checks"))
		flags |= X509_V_FLAG_CB_ISSUER_CHECK;
	else if (!strcmp(arg, "-crl_check"))
		flags |= X509_V_FLAG_CRL_CHECK;
	else if (!strcmp(arg, "-crl_check_all"))
		flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
	else if (!strcmp(arg, "-policy_check"))
		flags |= X509_V_FLAG_POLICY_CHECK;
	else if (!strcmp(arg, "-explicit_policy"))
		flags |= X509_V_FLAG_EXPLICIT_POLICY;
	else if (!strcmp(arg, "-inhibit_any"))
		flags |= X509_V_FLAG_INHIBIT_ANY;
	else if (!strcmp(arg, "-inhibit_map"))
		flags |= X509_V_FLAG_INHIBIT_MAP;
	else if (!strcmp(arg, "-x509_strict"))
		flags |= X509_V_FLAG_X509_STRICT;
	else if (!strcmp(arg, "-extended_crl"))
		flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
	else if (!strcmp(arg, "-use_deltas"))
		flags |= X509_V_FLAG_USE_DELTAS;
	else if (!strcmp(arg, "-policy_print"))
		flags |= X509_V_FLAG_NOTIFY_POLICY;
	else if (!strcmp(arg, "-check_ss_sig"))
		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
	else
		return 0;

	if (*badarg) {
		if (*pm)
			X509_VERIFY_PARAM_free(*pm);
		*pm = NULL;
		goto end;
	}
	if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) {
		*badarg = 1;
		goto end;
	}
	if (otmp) {
		X509_VERIFY_PARAM_add0_policy(*pm, otmp);
		otmp = NULL;
	}
	if (flags)
		X509_VERIFY_PARAM_set_flags(*pm, flags);

	if (purpose)
		X509_VERIFY_PARAM_set_purpose(*pm, purpose);

	if (depth >= 0)
		X509_VERIFY_PARAM_set_depth(*pm, depth);

	if (at_time)
		X509_VERIFY_PARAM_set_time(*pm, at_time);

end:
	(*pargs)++;

	if (pargc)
		*pargc -= *pargs - oldargs;

	ASN1_OBJECT_free(otmp);
	return 1;
}

/* Read whole contents of a BIO into an allocated memory buffer and
 * return it.
 */

int
bio_to_mem(unsigned char **out, int maxlen, BIO *in)
{
	BIO *mem;
	int len, ret;
	unsigned char tbuf[1024];

	mem = BIO_new(BIO_s_mem());
	if (!mem)
		return -1;
	for (;;) {
		if ((maxlen != -1) && maxlen < 1024)
			len = maxlen;
		else
			len = 1024;
		len = BIO_read(in, tbuf, len);
		if (len <= 0)
			break;
		if (BIO_write(mem, tbuf, len) != len) {
			BIO_free(mem);
			return -1;
		}
		maxlen -= len;

		if (maxlen == 0)
			break;
	}
	ret = BIO_get_mem_data(mem, (char **) out);
	BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
	BIO_free(mem);
	return ret;
}

int
pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
{
	int rv;
	char *stmp, *vtmp = NULL;

	if (value == NULL)
		return -1;
	stmp = strdup(value);
	if (!stmp)
		return -1;
	vtmp = strchr(stmp, ':');
	if (vtmp) {
		*vtmp = 0;
		vtmp++;
	}
	rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
	free(stmp);

	return rv;
}

static void
nodes_print(BIO *out, const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
{
	X509_POLICY_NODE *node;
	int i;

	BIO_printf(out, "%s Policies:", name);
	if (nodes) {
		BIO_puts(out, "\n");
		for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
			node = sk_X509_POLICY_NODE_value(nodes, i);
			X509_POLICY_NODE_print(out, node, 2);
		}
	} else
		BIO_puts(out, " <empty>\n");
}

void
policies_print(BIO *out, X509_STORE_CTX *ctx)
{
	X509_POLICY_TREE *tree;
	int explicit_policy;
	int free_out = 0;

	if (out == NULL) {
		out = BIO_new_fp(stderr, BIO_NOCLOSE);
		free_out = 1;
	}
	tree = X509_STORE_CTX_get0_policy_tree(ctx);
	explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);

	BIO_printf(out, "Require explicit Policy: %s\n",
	    explicit_policy ? "True" : "False");

	nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
	nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
	if (free_out)
		BIO_free(out);
}

/* next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
 *   outlen: (output) set to the length of the resulting buffer on success.
 *   err: (maybe NULL) on failure, an error message line is written to this BIO.
 *   in: a NUL termianted string like "abc,def,ghi"
 *
 *   returns: a malloced buffer or NULL on failure.
 */
unsigned char *
next_protos_parse(unsigned short *outlen, const char *in)
{
	size_t len;
	unsigned char *out;
	size_t i, start = 0;

	len = strlen(in);
	if (len >= 65535)
		return NULL;

	out = malloc(strlen(in) + 1);
	if (!out)
		return NULL;

	for (i = 0; i <= len; ++i) {
		if (i == len || in[i] == ',') {
			if (i - start > 255) {
				free(out);
				return NULL;
			}
			out[start] = i - start;
			start = i + 1;
		} else
			out[i + 1] = in[i];
	}

	*outlen = len + 1;
	return out;
}

int
app_isdir(const char *name)
{
	struct stat st;

	if (stat(name, &st) == 0)
		return S_ISDIR(st.st_mode);
	return -1;
}

#define OPTION_WIDTH 18

void
options_usage(struct option *opts)
{
	const char *p, *q;
	char optstr[32];
	int i;

	for (i = 0; opts[i].name != NULL; i++) {
		if (opts[i].desc == NULL)
			continue;

		snprintf(optstr, sizeof(optstr), "-%s %s", opts[i].name,
		    (opts[i].argname != NULL) ? opts[i].argname : "");
		fprintf(stderr, " %-*s", OPTION_WIDTH, optstr);
		if (strlen(optstr) > OPTION_WIDTH)
			fprintf(stderr, "\n %-*s", OPTION_WIDTH, "");

		p = opts[i].desc;
		while ((q = strchr(p, '\n')) != NULL) {
			fprintf(stderr, " %.*s", (int)(q - p), p);
			fprintf(stderr, "\n %-*s", OPTION_WIDTH, "");
			p = q + 1;
		}
		fprintf(stderr, " %s\n", p);
	}
}

int
options_parse(int argc, char **argv, struct option *opts, char **unnamed,
    int *argsused)
{
	const char *errstr;
	struct option *opt;
	long long val;
	char *arg, *p;
	int fmt, used;
	int ord = 0;
	int i, j;

	if (unnamed != NULL)
		*unnamed = NULL;

	for (i = 1; i < argc; i++) {
		p = arg = argv[i];

		/* Single unnamed argument (without leading hyphen). */
		if (*p++ != '-') {
			if (argsused != NULL)
				goto done;
			if (unnamed == NULL)
				goto unknown;
			if (*unnamed != NULL)
				goto toomany;
			*unnamed = arg;
			continue;
		}

		/* End of named options (single hyphen). */
		if (*p == '\0') {
			if (++i >= argc)
				goto done;
			if (argsused != NULL)
				goto done;
			if (unnamed != NULL && i == argc - 1) {
				if (*unnamed != NULL)
					goto toomany;
				*unnamed = argv[i];
				continue;
			}
			goto unknown;
		}

		/* See if there is a matching option... */
		for (j = 0; opts[j].name != NULL; j++) {
			if (strcmp(p, opts[j].name) == 0)
				break;
		}
		opt = &opts[j];
		if (opt->name == NULL && opt->type == 0)
			goto unknown;

		if (opt->type == OPTION_ARG ||
		    opt->type == OPTION_ARG_FORMAT ||
		    opt->type == OPTION_ARG_FUNC ||
		    opt->type == OPTION_ARG_INT ||
		    opt->type == OPTION_ARG_LONG) {
			if (++i >= argc) {
				fprintf(stderr, "missing %s argument for -%s\n",
				    opt->argname, opt->name);
				return (1);
			}
		}

		switch (opt->type) {
		case OPTION_ARG:
			*opt->opt.arg = argv[i];
			break;

		case OPTION_ARGV_FUNC:
			if (opt->opt.argvfunc(argc - i, &argv[i], &used) != 0)
				return (1);
			i += used - 1;
			break;

		case OPTION_ARG_FORMAT:
			fmt = str2fmt(argv[i]);
			if (fmt == FORMAT_UNDEF) {
				fprintf(stderr, "unknown %s '%s' for -%s\n",
				    opt->argname, argv[i], opt->name);
				return (1);
			}
			*opt->opt.value = fmt;
			break;

		case OPTION_ARG_FUNC:
			if (opt->opt.argfunc(argv[i]) != 0)
				return (1);
			break;

		case OPTION_ARG_INT:
			val = strtonum(argv[i], 0, INT_MAX, &errstr);
			if (errstr != NULL) {
				fprintf(stderr, "%s %s argument for -%s\n",
				    errstr, opt->argname, opt->name);
				return (1);
			}
			*opt->opt.value = (int)val;
			break;

		case OPTION_ARG_LONG:
			val = strtonum(argv[i], 0, LONG_MAX, &errstr);
			if (errstr != NULL) {
				fprintf(stderr, "%s %s argument for -%s\n",
				    errstr, opt->argname, opt->name);
				return (1);
			}
			*opt->opt.lvalue = (long)val;
			break;

		case OPTION_DISCARD:
			break;

		case OPTION_FUNC:
			if (opt->opt.func() != 0)
				return (1);
			break;

		case OPTION_FLAG:
			*opt->opt.flag = 1;
			break;

		case OPTION_FLAG_ORD:
			*opt->opt.flag = ++ord;
			break;

		case OPTION_VALUE:
			*opt->opt.value = opt->value;
			break;

		case OPTION_VALUE_AND:
			*opt->opt.value &= opt->value;
			break;

		case OPTION_VALUE_OR:
			*opt->opt.value |= opt->value;
			break;

		default:
			fprintf(stderr, "option %s - unknown type %i\n",
			    opt->name, opt->type);
			return (1);
		}
	}

done:
	if (argsused != NULL)
		*argsused = i;

	return (0);

toomany:
	fprintf(stderr, "too many arguments\n");
	return (1);

unknown:
	fprintf(stderr, "unknown option '%s'\n", arg);
	return (1);
}

/* $OpenBSD: apps.h,v 1.13 2015/01/01 14:28:00 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
/* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#ifndef HEADER_APPS_H
#define HEADER_APPS_H

#include <openssl/opensslconf.h>

#include <openssl/bio.h>
#include <openssl/conf.h>
#include <openssl/lhash.h>
#include <openssl/ossl_typ.h>
#include <openssl/txt_db.h>
#include <openssl/x509.h>

#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif

#ifndef OPENSSL_NO_OCSP
#include <openssl/ocsp.h>
#endif

extern CONF *config;
extern char *default_config_file;
extern BIO *bio_err;

typedef struct args_st {
	char **data;
	int count;
} ARGS;

#define PW_MIN_LENGTH 4
typedef struct pw_cb_data {
	const void *password;
	const char *prompt_info;
} PW_CB_DATA;

int password_callback(char *buf, int bufsiz, int verify, void *cb_data);

int setup_ui_method(void);
void destroy_ui_method(void);

int should_retry(int i);
int args_from_file(char *file, int *argc, char **argv[]);
int str2fmt(char *s);
void program_name(char *in, char *out, int size);
int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]);
#ifdef HEADER_X509_H
int dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, X509_NAME *nm,
    unsigned long lflags);
#endif
int set_cert_ex(unsigned long *flags, const char *arg);
int set_name_ex(unsigned long *flags, const char *arg);
int set_ext_copy(int *copy_type, const char *arg);
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
int add_oid_section(BIO *err, CONF *conf);
X509 *load_cert(BIO *err, const char *file, int format,
    const char *pass, ENGINE *e, const char *cert_descrip);
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
    const char *pass, ENGINE *e, const char *key_descrip);
EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
    const char *pass, ENGINE *e, const char *key_descrip);
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
    const char *pass, ENGINE *e, const char *cert_descrip);
STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
    const char *pass, ENGINE *e, const char *cert_descrip);
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
#ifndef OPENSSL_NO_ENGINE
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
#endif

#ifndef OPENSSL_NO_OCSP
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
    char *host, char *path, char *port, int use_ssl,
    STACK_OF(CONF_VALUE) *headers, int req_timeout);
#endif

int load_config(BIO *err, CONF *cnf);
char *make_config_name(void);

/* Functions defined in ca.c and also used in ocsp.c */
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
    ASN1_GENERALIZEDTIME **pinvtm, const char *str);

#define DB_type         0
#define DB_exp_date     1
#define DB_rev_date     2
#define DB_serial       3       /* index - unique */
#define DB_file         4
#define DB_name         5       /* index - unique when active and not disabled */
#define DB_NUMBER       6

#define DB_TYPE_REV	'R'
#define DB_TYPE_EXP	'E'
#define DB_TYPE_VAL	'V'

typedef struct db_attr_st {
	int unique_subject;
} DB_ATTR;
typedef struct ca_db_st {
	DB_ATTR attributes;
	TXT_DB *db;
} CA_DB;

BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
    ASN1_INTEGER **retai);
int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
int index_index(CA_DB *db);
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
int rotate_index(const char *dbfile, const char *new_suffix,
    const char *old_suffix);
void free_index(CA_DB *db);
#define index_name_cmp_noconst(a, b) \
	index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
	(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
int parse_yesno(const char *str, int def);

X509_NAME *parse_name(char *str, long chtype, int multirdn);
int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
    X509_VERIFY_PARAM **pm);
void policies_print(BIO *out, X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e,
    int do_param);
int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
    STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
    STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
    STACK_OF(OPENSSL_STRING) *sigopts);

unsigned char *next_protos_parse(unsigned short *outlen, const char *in);

#define FORMAT_UNDEF    0
#define FORMAT_ASN1     1
#define FORMAT_TEXT     2
#define FORMAT_PEM      3
#define FORMAT_NETSCAPE 4
#define FORMAT_PKCS12   5
#define FORMAT_SMIME    6
#define FORMAT_ENGINE   7
#define FORMAT_IISSGC	8	/* XXX this stupid macro helps us to avoid
				 * adding yet another param to load_*key() */
#define FORMAT_PEMRSA	9	/* PEM RSAPubicKey format */
#define FORMAT_ASN1RSA	10	/* DER RSAPubicKey format */
#define FORMAT_MSBLOB	11	/* MS Key blob format */
#define FORMAT_PVK	12	/* MS PVK file format */

#define EXT_COPY_NONE	0
#define EXT_COPY_ADD	1
#define EXT_COPY_ALL	2

#define NETSCAPE_CERT_HDR	"certificate"

#define APP_PASS_LEN	1024

#define SERIAL_RAND_BITS	64

int app_isdir(const char *);

#define TM_START	0
#define TM_STOP		1
double app_tminterval (int stop, int usertime);

#define OPENSSL_NO_SSL_INTERN

struct option {
	const char *name;
	const char *argname;
	const char *desc;
	enum {
		OPTION_ARG,
		OPTION_ARGV_FUNC,
		OPTION_ARG_FORMAT,
		OPTION_ARG_FUNC,
		OPTION_ARG_INT,
		OPTION_ARG_LONG,
		OPTION_DISCARD,
		OPTION_FUNC,
		OPTION_FLAG,
		OPTION_FLAG_ORD,
		OPTION_VALUE,
		OPTION_VALUE_AND,
		OPTION_VALUE_OR,
	} type;
	union {
		char **arg;
		int (*argfunc)(char *arg);
		int (*argvfunc)(int argc, char **argv, int *argsused);
		int *flag;
		int (*func)(void);
		long *lvalue;
		int *value;
	} opt;
	const int value;
};

void options_usage(struct option *opts);
int options_parse(int argc, char **argv, struct option *opts, char **unnamed,
    int *argsused);

#endif

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
/* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

/*
 * Functions that need to be overridden by non-POSIX operating systems.
 */

#include <sys/times.h>

#include <unistd.h>

#include "apps.h"

double
app_tminterval(int stop, int usertime)
{
	double ret = 0;
	struct tms rus;
	clock_t now = times(&rus);
	static clock_t tmstart;

	if (usertime)
		now = rus.tms_utime;

	if (stop == TM_START)
		tmstart = now;
	else {
		long int tck = sysconf(_SC_CLK_TCK);
		ret = (now - tmstart) / (double) tck;
	}

	return (ret);
}

/*
 * Public domain
 *
 * Dongsheng Song <dongsheng.song@gmail.com>
 * Brent Cook <bcook@openbsd.org>
 */

#include <windows.h>

#include "apps.h"

double
app_tminterval(int stop, int usertime)
{
	static unsigned __int64 tmstart;
	union {
		unsigned __int64 u64;
		FILETIME ft;
	} ct, et, kt, ut;

	GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft);

	if (stop == TM_START) {
		tmstart = ut.u64 + kt.u64;
	} else {
		return (ut.u64 + kt.u64 - tmstart) / (double) 10000000;
	}
	return 0;
}

/* $OpenBSD: asn1pars.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* A nice addition from Dr Stephen Henson <steve@openssl.org> to
 * add the -strparse option which parses nested binary structures
 */

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#include "apps.h"

#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

static struct {
	char *derfile;
	int dump;
	char *genconf;
	char *genstr;
	int indent;
	char *infile;
	int informat;
	unsigned int length;
	int noout;
	int offset;
	char *oidfile;
	STACK_OF(OPENSSL_STRING) *osk;
} asn1pars_config;

static int
asn1pars_opt_dlimit(char *arg)
{
	const char *errstr;

	asn1pars_config.dump = strtonum(arg, 1, INT_MAX, &errstr);
	if (errstr) {
		fprintf(stderr, "-dlimit must be from 1 to INT_MAX: %s\n",
		    errstr);
		return (-1);
	}
	return (0);
}

static int
asn1pars_opt_length(char *arg)
{
	const char *errstr;

	asn1pars_config.length = strtonum(arg, 1, UINT_MAX, &errstr);
	if (errstr) {
		fprintf(stderr, "-length must be from 1 to UINT_MAX: %s\n",
		    errstr);
		return (-1);
	}
	return (0);
}

static int
asn1pars_opt_strparse(char *arg)
{
	if (sk_OPENSSL_STRING_push(asn1pars_config.osk, arg) == 0) {
		fprintf(stderr, "-strparse cannot add argument\n");
		return (-1);
	}
	return (0);
}

static struct option asn1pars_options[] = {
	{
		.name = "dump",
		.desc = "Dump unknown data in hex form",
		.type = OPTION_VALUE,
		.value = -1,
		.opt.value = &asn1pars_config.dump,
	},
	{
		.name = "dlimit",
		.argname = "num",
		.desc = "Dump the first num bytes of unknown data in hex form",
		.type = OPTION_ARG_FUNC,
		.opt.argfunc = asn1pars_opt_dlimit,
	},
	{
		.name = "genconf",
		.argname = "file",
		.desc = "File to generate ASN.1 structure from",
		.type = OPTION_ARG,
		.opt.arg = &asn1pars_config.genconf,
	},
	{
		.name = "genstr",
		.argname = "string",
		.desc = "String to generate ASN.1 structure from",
		.type = OPTION_ARG,
		.opt.arg = &asn1pars_config.genstr,
	},
	{
		.name = "i",
		.desc = "Indent output according to depth of structures",
		.type = OPTION_FLAG,
		.opt.flag = &asn1pars_config.indent,
	},
	{
		.name = "in",
		.argname = "file",
		.desc = "The input file (default stdin)",
		.type = OPTION_ARG,
		.opt.arg = &asn1pars_config.infile,
	},
	{
		.name = "inform",
		.argname = "fmt",
		.desc = "Input format (DER, TXT or PEM (default))",
		.type = OPTION_ARG_FORMAT,
		.opt.value = &asn1pars_config.informat,
	},
	{
		.name = "length",
		.argname = "num",
		.desc = "Number of bytes to parse (default until EOF)",
		.type = OPTION_ARG_FUNC,
		.opt.argfunc = asn1pars_opt_length,
	},
	{
		.name = "noout",
		.desc = "Do not produce any output",
		.type = OPTION_FLAG,
		.opt.flag = &asn1pars_config.noout,
	},
	{
		.name = "offset",
		.argname = "num",
		.desc = "Offset to begin parsing",
		.type = OPTION_ARG_INT,
		.opt.value = &asn1pars_config.offset,
	},
	{
		.name = "oid",
		.argname = "file",
		.desc = "File containing additional object identifiers (OIDs)",
		.type = OPTION_ARG,
		.opt.arg = &asn1pars_config.oidfile,
	},
	{
		.name = "out",
		.argname = "file",
		.desc = "Output file in DER format",
		.type = OPTION_ARG,
		.opt.arg = &asn1pars_config.derfile,
	},
	{
		.name = "strparse",
		.argname = "offset",
		.desc = "Parse the content octets of ASN.1 object starting at"
		" offset",
		.type = OPTION_ARG_FUNC,
		.opt.argfunc = asn1pars_opt_strparse,
	},
	{ NULL },
};

static void
asn1pars_usage()
{
	fprintf(stderr,
	    "usage: asn1parse [-i] [-dlimit num] [-dump] [-genconf file] "
	    "[-genstr string]\n"
	    "    [-in file] [-inform fmt] [-length num] [-noout] [-offset num] "
	    "[-oid file]\n"
	    "    [-out file] [-strparse offset]\n\n");
	options_usage(asn1pars_options);
}

static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);

int
asn1parse_main(int argc, char **argv)
{
	int i, j, ret = 1;
	long num, tmplen;
	BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
	char *str = NULL;
	const char *errstr = NULL;
	unsigned char *tmpbuf;
	const unsigned char *ctmpbuf;
	BUF_MEM *buf = NULL;
	ASN1_TYPE *at = NULL;

	memset(&asn1pars_config, 0, sizeof(asn1pars_config));

	asn1pars_config.informat = FORMAT_PEM;
	if ((asn1pars_config.osk = sk_OPENSSL_STRING_new_null()) == NULL) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto end;
	}

	if (options_parse(argc, argv, asn1pars_options, NULL, NULL) != 0) {
		asn1pars_usage();
		return (1);
	}

	in = BIO_new(BIO_s_file());
	out = BIO_new(BIO_s_file());
	if ((in == NULL) || (out == NULL)) {
		ERR_print_errors(bio_err);
		goto end;
	}
	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);

	if (asn1pars_config.oidfile != NULL) {
		if (BIO_read_filename(in, asn1pars_config.oidfile) <= 0) {
			BIO_printf(bio_err, "problems opening %s\n",
			    asn1pars_config.oidfile);
			ERR_print_errors(bio_err);
			goto end;
		}
		OBJ_create_objects(in);
	}
	if (asn1pars_config.infile == NULL)
		BIO_set_fp(in, stdin, BIO_NOCLOSE);
	else {
		if (BIO_read_filename(in, asn1pars_config.infile) <= 0) {
			perror(asn1pars_config.infile);
			goto end;
		}
	}

	if (asn1pars_config.derfile) {
		if (!(derout = BIO_new_file(asn1pars_config.derfile, "wb"))) {
			BIO_printf(bio_err, "problems opening %s\n",
			    asn1pars_config.derfile);
			ERR_print_errors(bio_err);
			goto end;
		}
	}
	if ((buf = BUF_MEM_new()) == NULL)
		goto end;
	if (!BUF_MEM_grow(buf, BUFSIZ * 8))
		goto end;	/* Pre-allocate :-) */

	if (asn1pars_config.genstr || asn1pars_config.genconf) {
		num = do_generate(bio_err, asn1pars_config.genstr,
		    asn1pars_config.genconf, buf);
		if (num < 0) {
			ERR_print_errors(bio_err);
			goto end;
		}
	} else {

		if (asn1pars_config.informat == FORMAT_PEM) {
			BIO *tmp;

			if ((b64 = BIO_new(BIO_f_base64())) == NULL)
				goto end;
			BIO_push(b64, in);
			tmp = in;
			in = b64;
			b64 = tmp;
		}
		num = 0;
		for (;;) {
			if (!BUF_MEM_grow(buf, (int) num + BUFSIZ))
				goto end;
			i = BIO_read(in, &(buf->data[num]), BUFSIZ);
			if (i <= 0)
				break;
			num += i;
		}
	}
	str = buf->data;

	/* If any structs to parse go through in sequence */

	if (sk_OPENSSL_STRING_num(asn1pars_config.osk)) {
		tmpbuf = (unsigned char *) str;
		tmplen = num;
		for (i = 0; i < sk_OPENSSL_STRING_num(asn1pars_config.osk);
		     i++) {
			ASN1_TYPE *atmp;
			int typ;
			j = strtonum(
			    sk_OPENSSL_STRING_value(asn1pars_config.osk, i),
			    1, INT_MAX, &errstr);
			if (errstr) {
				BIO_printf(bio_err,
				    "'%s' is an invalid number: %s\n",
				    sk_OPENSSL_STRING_value(asn1pars_config.osk,
				    i), errstr);
				continue;
			}
			tmpbuf += j;
			tmplen -= j;
			atmp = at;
			ctmpbuf = tmpbuf;
			at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
			ASN1_TYPE_free(atmp);
			if (!at) {
				BIO_printf(bio_err, "Error parsing structure\n");
				ERR_print_errors(bio_err);
				goto end;
			}
			typ = ASN1_TYPE_get(at);
			if ((typ == V_ASN1_OBJECT) ||
			    (typ == V_ASN1_NULL)) {
				BIO_printf(bio_err, "Can't parse %s type\n",
				    typ == V_ASN1_NULL ? "NULL" : "OBJECT");
				ERR_print_errors(bio_err);
				goto end;
			}
			/* hmm... this is a little evil but it works */
			tmpbuf = at->value.asn1_string->data;
			tmplen = at->value.asn1_string->length;
		}
		str = (char *) tmpbuf;
		num = tmplen;
	}
	if (asn1pars_config.offset >= num) {
		BIO_printf(bio_err, "Error: offset too large\n");
		goto end;
	}
	num -= asn1pars_config.offset;

	if ((asn1pars_config.length == 0) ||
	    ((long)asn1pars_config.length > num))
		asn1pars_config.length = (unsigned int) num;
	if (derout) {
		if (BIO_write(derout, str + asn1pars_config.offset,
		    asn1pars_config.length) != (int)asn1pars_config.length) {
			BIO_printf(bio_err, "Error writing output\n");
			ERR_print_errors(bio_err);
			goto end;
		}
	}
	if (!asn1pars_config.noout &&
	    !ASN1_parse_dump(out,
	    (unsigned char *)&(str[asn1pars_config.offset]),
	    asn1pars_config.length, asn1pars_config.indent,
	    asn1pars_config.dump)) {
		ERR_print_errors(bio_err);
		goto end;
	}
	ret = 0;
end:
	BIO_free(derout);
	BIO_free(in);
	BIO_free_all(out);
	BIO_free(b64);
	if (ret != 0)
		ERR_print_errors(bio_err);
	BUF_MEM_free(buf);
	if (at != NULL)
		ASN1_TYPE_free(at);
	sk_OPENSSL_STRING_free(asn1pars_config.osk);
	OBJ_cleanup();

	return (ret);
}

static int
do_generate(BIO * bio, char *genstr, char *genconf, BUF_MEM * buf)
{
	CONF *cnf = NULL;
	int len;
	long errline;
	unsigned char *p;
	ASN1_TYPE *atyp = NULL;

	if (genconf) {
		cnf = NCONF_new(NULL);
		if (!NCONF_load(cnf, genconf, &errline))
			goto conferr;
		if (!genstr)
			genstr = NCONF_get_string(cnf, "default", "asn1");
		if (!genstr) {
			BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
			goto err;
		}
	}
	atyp = ASN1_generate_nconf(genstr, cnf);
	NCONF_free(cnf);
	cnf = NULL;

	if (!atyp)
		return -1;

	len = i2d_ASN1_TYPE(atyp, NULL);
	if (len <= 0)
		goto err;

	if (!BUF_MEM_grow(buf, len))
		goto err;

	p = (unsigned char *) buf->data;

	i2d_ASN1_TYPE(atyp, &p);

	ASN1_TYPE_free(atyp);
	return len;

conferr:

	if (errline > 0)
		BIO_printf(bio, "Error on line %ld of config file '%s'\n",
		    errline, genconf);
	else
		BIO_printf(bio, "Error loading config file '%s'\n", genconf);

err:
	NCONF_free(cnf);
	ASN1_TYPE_free(atyp);

	return -1;

}

/* $OpenBSD: ca.c,v 1.6 2015/07/19 01:10:25 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

/* The PPKI stuff has been donated by Jeff Barber <jeffb@issl.atl.hp.com> */

#include <sys/types.h>

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>

#include "apps.h"

#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/conf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
#include <openssl/txt_db.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#define BASE_SECTION		"ca"

#define ENV_DEFAULT_CA		"default_ca"

#define STRING_MASK		"string_mask"
#define UTF8_IN			"utf8"

#define ENV_DIR			"dir"
#define ENV_CERTS		"certs"
#define ENV_CRL_DIR		"crl_dir"
#define ENV_CA_DB		"CA_DB"
#define ENV_NEW_CERTS_DIR	"new_certs_dir"
#define ENV_CERTIFICATE 	"certificate"
#define ENV_SERIAL		"serial"
#define ENV_CRLNUMBER		"crlnumber"
#define ENV_CRL			"crl"
#define ENV_PRIVATE_KEY		"private_key"
#define ENV_DEFAULT_DAYS 	"default_days"
#define ENV_DEFAULT_STARTDATE 	"default_startdate"
#define ENV_DEFAULT_ENDDATE 	"default_enddate"
#define ENV_DEFAULT_CRL_DAYS 	"default_crl_days"
#define ENV_DEFAULT_CRL_HOURS 	"default_crl_hours"
#define ENV_DEFAULT_MD		"default_md"
#define ENV_DEFAULT_EMAIL_DN	"email_in_dn"
#define ENV_PRESERVE		"preserve"
#define ENV_POLICY      	"policy"
#define ENV_EXTENSIONS      	"x509_extensions"
#define ENV_CRLEXT      	"crl_extensions"
#define ENV_MSIE_HACK		"msie_hack"
#define ENV_NAMEOPT		"name_opt"
#define ENV_CERTOPT		"cert_opt"
#define ENV_EXTCOPY		"copy_extensions"
#define ENV_UNIQUE_SUBJECT	"unique_subject"

#define ENV_DATABASE		"database"

/* Additional revocation information types */

#define REV_NONE		0	/* No addditional information */
#define REV_CRL_REASON		1	/* Value is CRL reason code */
#define REV_HOLD		2	/* Value is hold instruction */
#define REV_KEY_COMPROMISE	3	/* Value is cert key compromise time */
#define REV_CA_COMPROMISE	4	/* Value is CA key compromise time */

static const char *ca_usage[] = {
	"usage: ca args\n",
	"\n",
	" -verbose        - Talk a lot while doing things\n",
	" -config file    - A config file\n",
	" -name arg       - The particular CA definition to use\n",
	" -gencrl         - Generate a new CRL\n",
	" -crldays days   - Days is when the next CRL is due\n",
	" -crlhours hours - Hours is when the next CRL is due\n",
	" -startdate YYMMDDHHMMSSZ  - certificate validity notBefore\n",
	" -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)\n",
	" -days arg       - number of days to certify the certificate for\n",
	" -md arg         - md to use, one of md2, md5, sha or sha1\n",
	" -policy arg     - The CA 'policy' to support\n",
	" -keyfile arg    - private key file\n",
	" -keyform arg    - private key file format (PEM or ENGINE)\n",
	" -key arg        - key to decode the private key if it is encrypted\n",
	" -cert file      - The CA certificate\n",
	" -selfsign       - sign a certificate with the key associated with it\n",
	" -in file        - The input PEM encoded certificate request(s)\n",
	" -out file       - Where to put the output file(s)\n",
	" -outdir dir     - Where to put output certificates\n",
	" -infiles ....   - The last argument, requests to process\n",
	" -spkac file     - File contains DN and signed public key and challenge\n",
	" -ss_cert file   - File contains a self signed cert to sign\n",
	" -preserveDN     - Don't re-order the DN\n",
	" -noemailDN      - Don't add the EMAIL field into certificate' subject\n",
	" -batch          - Don't ask questions\n",
	" -msie_hack      - msie modifications to handle all those universal strings\n",
	" -revoke file    - Revoke a certificate (given in file)\n",
	" -subj arg       - Use arg instead of request's subject\n",
	" -utf8           - input characters are UTF8 (default ASCII)\n",
	" -multivalue-rdn - enable support for multivalued RDNs\n",
	" -extensions ..  - Extension section (override value in config file)\n",
	" -extfile file   - Configuration file with X509v3 extentions to add\n",
	" -crlexts ..     - CRL extension section (override value in config file)\n",
#ifndef OPENSSL_NO_ENGINE
	" -engine e       - use engine e, possibly a hardware device.\n",
#endif
	" -status serial  - Shows certificate status given the serial number\n",
	" -updatedb       - Updates db for expired certificates\n",
	NULL
};

static void lookup_fail(const char *name, const char *tag);
static int certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
    const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * conf,
    int verbose, unsigned long certopt, unsigned long nameopt,
    int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
    X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * conf,
    int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
    int ext_copy, ENGINE * e);
static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
    X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, char *ext_sect, CONF * conf, int verbose,
    unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy);
static void write_new_certificate(BIO * bp, X509 * x, int output_der,
    int notext);
static int do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509,
    const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, int verbose, X509_REQ * req,
    char *ext_sect, CONF * conf, unsigned long certopt, unsigned long nameopt,
    int default_op, int ext_copy, int selfsign);
static int do_revoke(X509 * x509, CA_DB * db, int ext, char *extval);
static int get_certificate_status(const char *ser_status, CA_DB * db);
static int do_updatedb(CA_DB * db);
static int check_time_format(const char *str);
static char * bin2hex(unsigned char *, size_t);
char *make_revocation_str(int rev_type, char *rev_arg);
int make_revoked(X509_REVOKED * rev, const char *str);
int old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str);
static CONF *conf = NULL;
static CONF *extconf = NULL;
static char *section = NULL;

static int preserve = 0;
static int msie_hack = 0;


int ca_main(int, char **);

int
ca_main(int argc, char **argv)
{
	ENGINE *e = NULL;
	char *key = NULL, *passargin = NULL;
	int create_ser = 0;
	int free_key = 0;
	int total = 0;
	int total_done = 0;
	int badops = 0;
	int ret = 1;
	int email_dn = 1;
	int req = 0;
	int verbose = 0;
	int gencrl = 0;
	int dorevoke = 0;
	int doupdatedb = 0;
	long crldays = 0;
	long crlhours = 0;
	long crlsec = 0;
	long errorline = -1;
	char *configfile = NULL;
	char *md = NULL;
	char *policy = NULL;
	char *keyfile = NULL;
	char *certfile = NULL;
	int keyform = FORMAT_PEM;
	char *infile = NULL;
	char *spkac_file = NULL;
	char *ss_cert_file = NULL;
	char *ser_status = NULL;
	EVP_PKEY *pkey = NULL;
	int output_der = 0;
	char *outfile = NULL;
	char *outdir = NULL;
	char *serialfile = NULL;
	char *crlnumberfile = NULL;
	char *extensions = NULL;
	char *extfile = NULL;
	char *subj = NULL;
	unsigned long chtype = MBSTRING_ASC;
	int multirdn = 0;
	char *tmp_email_dn = NULL;
	char *crl_ext = NULL;
	int rev_type = REV_NONE;
	char *rev_arg = NULL;
	BIGNUM *serial = NULL;
	BIGNUM *crlnumber = NULL;
	char *startdate = NULL;
	char *enddate = NULL;
	long days = 0;
	int batch = 0;
	int notext = 0;
	unsigned long nameopt = 0, certopt = 0;
	int default_op = 1;
	int ext_copy = EXT_COPY_NONE;
	int selfsign = 0;
	X509 *x509 = NULL, *x509p = NULL;
	X509 *x = NULL;
	BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL;
	char *dbfile = NULL;
	CA_DB *db = NULL;
	X509_CRL *crl = NULL;
	X509_REVOKED *r = NULL;
	ASN1_TIME *tmptm;
	ASN1_INTEGER *tmpser;
	char *f;
	const char *p;
	char *const * pp;
	int i, j;
	const EVP_MD *dgst = NULL;
	STACK_OF(CONF_VALUE) * attribs = NULL;
	STACK_OF(X509) * cert_sk = NULL;
	STACK_OF(OPENSSL_STRING) * sigopts = NULL;
#define BUFLEN 256
	char buf[3][BUFLEN];
#ifndef OPENSSL_NO_ENGINE
	char *engine = NULL;
#endif
	char *tofree = NULL;
	const char *errstr = NULL;
	DB_ATTR db_attr;

	conf = NULL;
	key = NULL;
	section = NULL;

	preserve = 0;
	msie_hack = 0;

	argc--;
	argv++;
	while (argc >= 1) {
		if (strcmp(*argv, "-verbose") == 0)
			verbose = 1;
		else if (strcmp(*argv, "-config") == 0) {
			if (--argc < 1)
				goto bad;
			configfile = *(++argv);
		} else if (strcmp(*argv, "-name") == 0) {
			if (--argc < 1)
				goto bad;
			section = *(++argv);
		} else if (strcmp(*argv, "-subj") == 0) {
			if (--argc < 1)
				goto bad;
			subj = *(++argv);
			/* preserve=1; */
		} else if (strcmp(*argv, "-utf8") == 0)
			chtype = MBSTRING_UTF8;
		else if (strcmp(*argv, "-create_serial") == 0)
			create_ser = 1;
		else if (strcmp(*argv, "-multivalue-rdn") == 0)
			multirdn = 1;
		else if (strcmp(*argv, "-startdate") == 0) {
			if (--argc < 1)
				goto bad;
			startdate = *(++argv);
		} else if (strcmp(*argv, "-enddate") == 0) {
			if (--argc < 1)
				goto bad;
			enddate = *(++argv);
		} else if (strcmp(*argv, "-days") == 0) {
			if (--argc < 1)
				goto bad;
			days = strtonum(*(++argv), 0, LONG_MAX, &errstr);
			if (errstr)
				goto bad;
		} else if (strcmp(*argv, "-md") == 0) {
			if (--argc < 1)
				goto bad;
			md = *(++argv);
		} else if (strcmp(*argv, "-policy") == 0) {
			if (--argc < 1)
				goto bad;
			policy = *(++argv);
		} else if (strcmp(*argv, "-keyfile") == 0) {
			if (--argc < 1)
				goto bad;
			keyfile = *(++argv);
		} else if (strcmp(*argv, "-keyform") == 0) {
			if (--argc < 1)
				goto bad;
			keyform = str2fmt(*(++argv));
		} else if (strcmp(*argv, "-passin") == 0) {
			if (--argc < 1)
				goto bad;
			passargin = *(++argv);
		} else if (strcmp(*argv, "-key") == 0) {
			if (--argc < 1)
				goto bad;
			key = *(++argv);
		} else if (strcmp(*argv, "-cert") == 0) {
			if (--argc < 1)
				goto bad;
			certfile = *(++argv);
		} else if (strcmp(*argv, "-selfsign") == 0)
			selfsign = 1;
		else if (strcmp(*argv, "-in") == 0) {
			if (--argc < 1)
				goto bad;
			infile = *(++argv);
			req = 1;
		} else if (strcmp(*argv, "-out") == 0) {
			if (--argc < 1)
				goto bad;
			outfile = *(++argv);
		} else if (strcmp(*argv, "-outdir") == 0) {
			if (--argc < 1)
				goto bad;
			outdir = *(++argv);
		} else if (strcmp(*argv, "-sigopt") == 0) {
			if (--argc < 1)
				goto bad;
			if (!sigopts)
				sigopts = sk_OPENSSL_STRING_new_null();
			if (!sigopts ||
			    !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
				goto bad;
		} else if (strcmp(*argv, "-notext") == 0)
			notext = 1;
		else if (strcmp(*argv, "-batch") == 0)
			batch = 1;
		else if (strcmp(*argv, "-preserveDN") == 0)
			preserve = 1;
		else if (strcmp(*argv, "-noemailDN") == 0)
			email_dn = 0;
		else if (strcmp(*argv, "-gencrl") == 0)
			gencrl = 1;
		else if (strcmp(*argv, "-msie_hack") == 0)
			msie_hack = 1;
		else if (strcmp(*argv, "-crldays") == 0) {
			if (--argc < 1)
				goto bad;
			crldays = strtonum(*(++argv), 0, LONG_MAX, &errstr);
			if (errstr)
				goto bad;
		} else if (strcmp(*argv, "-crlhours") == 0) {
			if (--argc < 1)
				goto bad;
			crlhours = strtonum(*(++argv), 0, LONG_MAX, &errstr);
			if (errstr)
				goto bad;
		} else if (strcmp(*argv, "-crlsec") == 0) {
			if (--argc < 1)
				goto bad;
			crlsec = strtonum(*(++argv), 0, LONG_MAX, &errstr);
			if (errstr)
				goto bad;
		} else if (strcmp(*argv, "-infiles") == 0) {
			argc--;
			argv++;
			req = 1;
			break;
		} else if (strcmp(*argv, "-ss_cert") == 0) {
			if (--argc < 1)
				goto bad;
			ss_cert_file = *(++argv);
			req = 1;
		} else if (strcmp(*argv, "-spkac") == 0) {
			if (--argc < 1)
				goto bad;
			spkac_file = *(++argv);
			req = 1;
		} else if (strcmp(*argv, "-revoke") == 0) {
			if (--argc < 1)
				goto bad;
			infile = *(++argv);
			dorevoke = 1;
		} else if (strcmp(*argv, "-extensions") == 0) {
			if (--argc < 1)
				goto bad;
			extensions = *(++argv);
		} else if (strcmp(*argv, "-extfile") == 0) {
			if (--argc < 1)
				goto bad;
			extfile = *(++argv);
		} else if (strcmp(*argv, "-status") == 0) {
			if (--argc < 1)
				goto bad;
			ser_status = *(++argv);
		} else if (strcmp(*argv, "-updatedb") == 0) {
			doupdatedb = 1;
		} else if (strcmp(*argv, "-crlexts") == 0) {
			if (--argc < 1)
				goto bad;
			crl_ext = *(++argv);
		} else if (strcmp(*argv, "-crl_reason") == 0) {
			if (--argc < 1)
				goto bad;
			rev_arg = *(++argv);
			rev_type = REV_CRL_REASON;
		} else if (strcmp(*argv, "-crl_hold") == 0) {
			if (--argc < 1)
				goto bad;
			rev_arg = *(++argv);
			rev_type = REV_HOLD;
		} else if (strcmp(*argv, "-crl_compromise") == 0) {
			if (--argc < 1)
				goto bad;
			rev_arg = *(++argv);
			rev_type = REV_KEY_COMPROMISE;
		} else if (strcmp(*argv, "-crl_CA_compromise") == 0) {
			if (--argc < 1)
				goto bad;
			rev_arg = *(++argv);
			rev_type = REV_CA_COMPROMISE;
		}
#ifndef OPENSSL_NO_ENGINE
		else if (strcmp(*argv, "-engine") == 0) {
			if (--argc < 1)
				goto bad;
			engine = *(++argv);
		}
#endif
		else {
bad:
			if (errstr)
				BIO_printf(bio_err, "invalid argument %s: %s\n",
				    *argv, errstr);
			else
				BIO_printf(bio_err, "unknown option %s\n", *argv);
			badops = 1;
			break;
		}
		argc--;
		argv++;
	}

	if (badops) {
		const char **pp2;

		for (pp2 = ca_usage; (*pp2 != NULL); pp2++)
			BIO_printf(bio_err, "%s", *pp2);
		goto err;
	}

	/*****************************************************************/
	tofree = NULL;
	if (configfile == NULL)
		configfile = getenv("OPENSSL_CONF");
	if (configfile == NULL)
		configfile = getenv("SSLEAY_CONF");
	if (configfile == NULL) {
		if ((tofree = make_config_name()) == NULL) {
			BIO_printf(bio_err, "error making config file name\n");
			goto err;
		}
		configfile = tofree;
	}
	BIO_printf(bio_err, "Using configuration from %s\n", configfile);
	conf = NCONF_new(NULL);
	if (NCONF_load(conf, configfile, &errorline) <= 0) {
		if (errorline <= 0)
			BIO_printf(bio_err,
			    "error loading the config file '%s'\n",
			    configfile);
		else
			BIO_printf(bio_err,
			    "error on line %ld of config file '%s'\n",
			    errorline, configfile);
		goto err;
	}
	free(tofree);
	tofree = NULL;

#ifndef OPENSSL_NO_ENGINE
	e = setup_engine(bio_err, engine, 0);
#endif

	/* Lets get the config section we are using */
	if (section == NULL) {
		section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
		if (section == NULL) {
			lookup_fail(BASE_SECTION, ENV_DEFAULT_CA);
			goto err;
		}
	}
	if (conf != NULL) {
		p = NCONF_get_string(conf, NULL, "oid_file");
		if (p == NULL)
			ERR_clear_error();
		if (p != NULL) {
			BIO *oid_bio;

			oid_bio = BIO_new_file(p, "r");
			if (oid_bio == NULL) {
				/*
				BIO_printf(bio_err,
				    "problems opening %s for extra oid's\n", p);
				ERR_print_errors(bio_err);
				*/
				ERR_clear_error();
			} else {
				OBJ_create_objects(oid_bio);
				BIO_free(oid_bio);
			}
		}
		if (!add_oid_section(bio_err, conf)) {
			ERR_print_errors(bio_err);
			goto err;
		}
	}
	f = NCONF_get_string(conf, section, STRING_MASK);
	if (!f)
		ERR_clear_error();

	if (f && !ASN1_STRING_set_default_mask_asc(f)) {
		BIO_printf(bio_err,
		    "Invalid global string mask setting %s\n", f);
		goto err;
	}
	if (chtype != MBSTRING_UTF8) {
		f = NCONF_get_string(conf, section, UTF8_IN);
		if (!f)
			ERR_clear_error();
		else if (!strcmp(f, "yes"))
			chtype = MBSTRING_UTF8;
	}
	db_attr.unique_subject = 1;
	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
	if (p) {
		db_attr.unique_subject = parse_yesno(p, 1);
	} else
		ERR_clear_error();

	in = BIO_new(BIO_s_file());
	out = BIO_new(BIO_s_file());
	Sout = BIO_new(BIO_s_file());
	Cout = BIO_new(BIO_s_file());
	if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) {
		ERR_print_errors(bio_err);
		goto err;
	}
	/*****************************************************************/
	/* report status of cert with serial number given on command line */
	if (ser_status) {
		if ((dbfile = NCONF_get_string(conf, section,
		    ENV_DATABASE)) == NULL) {
			lookup_fail(section, ENV_DATABASE);
			goto err;
		}
		db = load_index(dbfile, &db_attr);
		if (db == NULL)
			goto err;

		if (!index_index(db))
			goto err;

		if (get_certificate_status(ser_status, db) != 1)
			BIO_printf(bio_err, "Error verifying serial %s!\n",
			    ser_status);
		goto err;
	}
	/*****************************************************************/
	/* we definitely need a private key, so let's get it */

	if ((keyfile == NULL) && ((keyfile = NCONF_get_string(conf,
	    section, ENV_PRIVATE_KEY)) == NULL)) {
		lookup_fail(section, ENV_PRIVATE_KEY);
		goto err;
	}
	if (!key) {
		free_key = 1;
		if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) {
			BIO_printf(bio_err, "Error getting password\n");
			goto err;
		}
	}
	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
	if (key)
		OPENSSL_cleanse(key, strlen(key));
	if (pkey == NULL) {
		/* load_key() has already printed an appropriate message */
		goto err;
	}
	/*****************************************************************/
	/* we need a certificate */
	if (!selfsign || spkac_file || ss_cert_file || gencrl) {
		if ((certfile == NULL) &&
		    ((certfile = NCONF_get_string(conf,
		    section, ENV_CERTIFICATE)) == NULL)) {
			lookup_fail(section, ENV_CERTIFICATE);
			goto err;
		}
		x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
		    "CA certificate");
		if (x509 == NULL)
			goto err;

		if (!X509_check_private_key(x509, pkey)) {
			BIO_printf(bio_err,
			    "CA certificate and CA private key do not match\n");
			goto err;
		}
	}
	if (!selfsign)
		x509p = x509;

	f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		preserve = 1;
	f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK);
	if (f == NULL)
		ERR_clear_error();
	if ((f != NULL) && ((*f == 'y') || (*f == 'Y')))
		msie_hack = 1;

	f = NCONF_get_string(conf, section, ENV_NAMEOPT);

	if (f) {
		if (!set_name_ex(&nameopt, f)) {
			BIO_printf(bio_err,
			    "Invalid name options: \"%s\"\n", f);
			goto err;
		}
		default_op = 0;
	} else
		ERR_clear_error();

	f = NCONF_get_string(conf, section, ENV_CERTOPT);

	if (f) {
		if (!set_cert_ex(&certopt, f)) {
			BIO_printf(bio_err,
			    "Invalid certificate options: \"%s\"\n", f);
			goto err;
		}
		default_op = 0;
	} else
		ERR_clear_error();

	f = NCONF_get_string(conf, section, ENV_EXTCOPY);

	if (f) {
		if (!set_ext_copy(&ext_copy, f)) {
			BIO_printf(bio_err,
			    "Invalid extension copy option: \"%s\"\n", f);
			goto err;
		}
	} else
		ERR_clear_error();

	/*****************************************************************/
	/* lookup where to write new certificates */
	if ((outdir == NULL) && (req)) {

		if ((outdir = NCONF_get_string(conf, section,
		    ENV_NEW_CERTS_DIR)) == NULL) {
			BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n");
			goto err;
		}
		/*
		 * outdir is a directory spec, but access() for VMS demands a
		 * filename.  In any case, stat(), below, will catch the
		 * problem if outdir is not a directory spec, and the fopen()
		 * or open() will catch an error if there is no write access.
		 *
		 * Presumably, this problem could also be solved by using the
		 * DEC C routines to convert the directory syntax to Unixly,
		 * and give that to access().  However, time's too short to
		 * do that just now.
		 */
		if (access(outdir, R_OK | W_OK | X_OK) != 0) {
			BIO_printf(bio_err,
			    "I am unable to access the %s directory\n", outdir);
			perror(outdir);
			goto err;
		}
		if (app_isdir(outdir) <= 0) {
			BIO_printf(bio_err,
			    "%s need to be a directory\n", outdir);
			perror(outdir);
			goto err;
		}
	}
	/*****************************************************************/
	/* we need to load the database file */
	if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) {
		lookup_fail(section, ENV_DATABASE);
		goto err;
	}
	db = load_index(dbfile, &db_attr);
	if (db == NULL)
		goto err;

	/* Lets check some fields */
	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
		pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
		if ((pp[DB_type][0] != DB_TYPE_REV) &&
		    (pp[DB_rev_date][0] != '\0')) {
			BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1);
			goto err;
		}
		if ((pp[DB_type][0] == DB_TYPE_REV) &&
		    !make_revoked(NULL, pp[DB_rev_date])) {
			BIO_printf(bio_err, " in entry %d\n", i + 1);
			goto err;
		}
		if (!check_time_format((char *) pp[DB_exp_date])) {
			BIO_printf(bio_err, "entry %d: invalid expiry date\n",
			    i + 1);
			goto err;
		}
		p = pp[DB_serial];
		j = strlen(p);
		if (*p == '-') {
			p++;
			j--;
		}
		if ((j & 1) || (j < 2)) {
			BIO_printf(bio_err,
			    "entry %d: bad serial number length (%d)\n",
			    i + 1, j);
			goto err;
		}
		while (*p) {
			if (!(((*p >= '0') && (*p <= '9')) ||
			    ((*p >= 'A') && (*p <= 'F')) ||
			    ((*p >= 'a') && (*p <= 'f')))) {
				BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long) (p - pp[DB_serial]), *p);
				goto err;
			}
			p++;
		}
	}
	if (verbose) {
		BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);	/* cannot fail */
		TXT_DB_write(out, db->db);
		BIO_printf(bio_err, "%d entries loaded from the database\n",
		    sk_OPENSSL_PSTRING_num(db->db->data));
		BIO_printf(bio_err, "generating index\n");
	}
	if (!index_index(db))
		goto err;

	/*****************************************************************/
	/* Update the db file for expired certificates */
	if (doupdatedb) {
		if (verbose)
			BIO_printf(bio_err, "Updating %s ...\n", dbfile);

		i = do_updatedb(db);
		if (i == -1) {
			BIO_printf(bio_err, "Malloc failure\n");
			goto err;
		} else if (i == 0) {
			if (verbose)
				BIO_printf(bio_err,
				    "No entries found to mark expired\n");
		} else {
			if (!save_index(dbfile, "new", db))
				goto err;

			if (!rotate_index(dbfile, "new", "old"))
				goto err;

			if (verbose)
				BIO_printf(bio_err,
				    "Done. %d entries marked as expired\n", i);
		}
	}
	/*****************************************************************/
	/* Read extentions config file                                   */
	if (extfile) {
		extconf = NCONF_new(NULL);
		if (NCONF_load(extconf, extfile, &errorline) <= 0) {
			if (errorline <= 0)
				BIO_printf(bio_err,
				    "ERROR: loading the config file '%s'\n",
				    extfile);
			else
				BIO_printf(bio_err,
				    "ERROR: on line %ld of config file '%s'\n",
				    errorline, extfile);
			ret = 1;
			goto err;
		}
		if (verbose)
			BIO_printf(bio_err,
			    "Successfully loaded extensions file %s\n",
			    extfile);

		/* We can have sections in the ext file */
		if (!extensions && !(extensions = NCONF_get_string(extconf,
		    "default", "extensions")))
			extensions = "default";
	}
	/*****************************************************************/
	if (req || gencrl) {
		if (outfile != NULL) {
			if (BIO_write_filename(Sout, outfile) <= 0) {
				perror(outfile);
				goto err;
			}
		} else {
			BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
		}
	}
	if ((md == NULL) && ((md = NCONF_get_string(conf, section,
	    ENV_DEFAULT_MD)) == NULL)) {
		lookup_fail(section, ENV_DEFAULT_MD);
		goto err;
	}
	if (!strcmp(md, "default")) {
		int def_nid;
		if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) {
			BIO_puts(bio_err, "no default digest\n");
			goto err;
		}
		md = (char *) OBJ_nid2sn(def_nid);
	}
	if ((dgst = EVP_get_digestbyname(md)) == NULL) {
		BIO_printf(bio_err,
		    "%s is an unsupported message digest type\n", md);
		goto err;
	}
	if (req) {
		if ((email_dn == 1) && ((tmp_email_dn = NCONF_get_string(conf,
		    section, ENV_DEFAULT_EMAIL_DN)) != NULL)) {
			if (strcmp(tmp_email_dn, "no") == 0)
				email_dn = 0;
		}
		if (verbose)
			BIO_printf(bio_err, "message digest is %s\n",
			    OBJ_nid2ln(dgst->type));
		if ((policy == NULL) && ((policy = NCONF_get_string(conf,
		    section, ENV_POLICY)) == NULL)) {
			lookup_fail(section, ENV_POLICY);
			goto err;
		}
		if (verbose)
			BIO_printf(bio_err, "policy is %s\n", policy);

		if ((serialfile = NCONF_get_string(conf, section,
		    ENV_SERIAL)) == NULL) {
			lookup_fail(section, ENV_SERIAL);
			goto err;
		}
		if (!extconf) {
			/*
			 * no '-extfile' option, so we look for extensions in
			 * the main configuration file
			 */
			if (!extensions) {
				extensions = NCONF_get_string(conf, section,
				    ENV_EXTENSIONS);
				if (!extensions)
					ERR_clear_error();
			}
			if (extensions) {
				/* Check syntax of file */
				X509V3_CTX ctx;
				X509V3_set_ctx_test(&ctx);
				X509V3_set_nconf(&ctx, conf);
				if (!X509V3_EXT_add_nconf(conf, &ctx,
				    extensions, NULL)) {
					BIO_printf(bio_err,
					    "Error Loading extension section %s\n",
					    extensions);
					ret = 1;
					goto err;
				}
			}
		}
		if (startdate == NULL) {
			startdate = NCONF_get_string(conf, section,
			    ENV_DEFAULT_STARTDATE);
			if (startdate == NULL)
				ERR_clear_error();
		}
		if (startdate && !ASN1_TIME_set_string(NULL, startdate)) {
			BIO_printf(bio_err, "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
			goto err;
		}
		if (startdate == NULL)
			startdate = "today";

		if (enddate == NULL) {
			enddate = NCONF_get_string(conf, section,
			    ENV_DEFAULT_ENDDATE);
			if (enddate == NULL)
				ERR_clear_error();
		}
		if (enddate && !ASN1_TIME_set_string(NULL, enddate)) {
			BIO_printf(bio_err, "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n");
			goto err;
		}
		if (days == 0) {
			if (!NCONF_get_number(conf, section,
			    ENV_DEFAULT_DAYS, &days))
				days = 0;
		}
		if (!enddate && (days == 0)) {
			BIO_printf(bio_err,
			    "cannot lookup how many days to certify for\n");
			goto err;
		}
		if ((serial = load_serial(serialfile, create_ser, NULL)) ==
		    NULL) {
			BIO_printf(bio_err,
			    "error while loading serial number\n");
			goto err;
		}
		if (verbose) {
			if (BN_is_zero(serial))
				BIO_printf(bio_err,
				    "next serial number is 00\n");
			else {
				if ((f = BN_bn2hex(serial)) == NULL)
					goto err;
				BIO_printf(bio_err,
				    "next serial number is %s\n", f);
				free(f);
			}
		}
		if ((attribs = NCONF_get_section(conf, policy)) == NULL) {
			BIO_printf(bio_err,
			    "unable to find 'section' for %s\n", policy);
			goto err;
		}
		if ((cert_sk = sk_X509_new_null()) == NULL) {
			BIO_printf(bio_err, "Memory allocation failure\n");
			goto err;
		}
		if (spkac_file != NULL) {
			total++;
			j = certify_spkac(&x, spkac_file, pkey, x509, dgst,
			    sigopts, attribs, db, serial, subj, chtype,
			    multirdn, email_dn, startdate, enddate, days,
			    extensions, conf, verbose, certopt, nameopt,
			    default_op, ext_copy);
			if (j < 0)
				goto err;
			if (j > 0) {
				total_done++;
				BIO_printf(bio_err, "\n");
				if (!BN_add_word(serial, 1))
					goto err;
				if (!sk_X509_push(cert_sk, x)) {
					BIO_printf(bio_err,
					    "Memory allocation failure\n");
					goto err;
				}
				if (outfile) {
					output_der = 1;
					batch = 1;
				}
			}
		}
		if (ss_cert_file != NULL) {
			total++;
			j = certify_cert(&x, ss_cert_file, pkey, x509, dgst,
			    sigopts, attribs, db, serial, subj, chtype,
			    multirdn, email_dn, startdate, enddate, days, batch,
			    extensions, conf, verbose, certopt, nameopt,
			    default_op, ext_copy, e);
			if (j < 0)
				goto err;
			if (j > 0) {
				total_done++;
				BIO_printf(bio_err, "\n");
				if (!BN_add_word(serial, 1))
					goto err;
				if (!sk_X509_push(cert_sk, x)) {
					BIO_printf(bio_err,
					    "Memory allocation failure\n");
					goto err;
				}
			}
		}
		if (infile != NULL) {
			total++;
			j = certify(&x, infile, pkey, x509p, dgst, sigopts,
			    attribs, db, serial, subj, chtype, multirdn,
			    email_dn, startdate, enddate, days, batch,
			    extensions, conf, verbose, certopt, nameopt,
			    default_op, ext_copy, selfsign);
			if (j < 0)
				goto err;
			if (j > 0) {
				total_done++;
				BIO_printf(bio_err, "\n");
				if (!BN_add_word(serial, 1))
					goto err;
				if (!sk_X509_push(cert_sk, x)) {
					BIO_printf(bio_err,
					    "Memory allocation failure\n");
					goto err;
				}
			}
		}
		for (i = 0; i < argc; i++) {
			total++;
			j = certify(&x, argv[i], pkey, x509p, dgst, sigopts,
			    attribs, db, serial, subj, chtype, multirdn,
			    email_dn, startdate, enddate, days, batch,
			    extensions, conf, verbose, certopt, nameopt,
			    default_op, ext_copy, selfsign);
			if (j < 0)
				goto err;
			if (j > 0) {
				total_done++;
				BIO_printf(bio_err, "\n");
				if (!BN_add_word(serial, 1))
					goto err;
				if (!sk_X509_push(cert_sk, x)) {
					BIO_printf(bio_err,
					    "Memory allocation failure\n");
					goto err;
				}
			}
		}
		/*
		 * we have a stack of newly certified certificates and a data
		 * base and serial number that need updating
		 */

		if (sk_X509_num(cert_sk) > 0) {
			if (!batch) {
				BIO_printf(bio_err, "\n%d out of %d certificate requests certified, commit? [y/n]", total_done, total);
				(void) BIO_flush(bio_err);
				buf[0][0] = '\0';
				if (!fgets(buf[0], 10, stdin)) {
					BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n");
					ret = 0;
					goto err;
				}
				if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) {
					BIO_printf(bio_err, "CERTIFICATION CANCELED\n");
					ret = 0;
					goto err;
				}
			}
			BIO_printf(bio_err, "Write out database with %d new entries\n", sk_X509_num(cert_sk));

			if (!save_serial(serialfile, "new", serial, NULL))
				goto err;

			if (!save_index(dbfile, "new", db))
				goto err;
		}
		if (verbose)
			BIO_printf(bio_err, "writing new certificates\n");
		for (i = 0; i < sk_X509_num(cert_sk); i++) {
			int k;
			char *serialstr;
			unsigned char *data;

			x = sk_X509_value(cert_sk, i);

			j = x->cert_info->serialNumber->length;
			data = (unsigned char *)x->cert_info->serialNumber->data;
			if (j > 0)
				serialstr = bin2hex(data, j);
			else
				serialstr = strdup("00");
			if (serialstr) {
				k = snprintf(buf[2], sizeof(buf[2]),
				    "%s/%s.pem", outdir, serialstr);
				free(serialstr);
				if (k == -1 || k >= sizeof(buf[2])) {
					BIO_printf(bio_err,
					    "certificate file name too long\n");
					goto err;
				}
			} else {
				BIO_printf(bio_err,
				    "memory allocation failed\n");
				goto err;
			}
			if (verbose)
				BIO_printf(bio_err, "writing %s\n", buf[2]);

			if (BIO_write_filename(Cout, buf[2]) <= 0) {
				perror(buf[2]);
				goto err;
			}
			write_new_certificate(Cout, x, 0, notext);
			write_new_certificate(Sout, x, output_der, notext);
		}

		if (sk_X509_num(cert_sk)) {
			/* Rename the database and the serial file */
			if (!rotate_serial(serialfile, "new", "old"))
				goto err;

			if (!rotate_index(dbfile, "new", "old"))
				goto err;

			BIO_printf(bio_err, "Data Base Updated\n");
		}
	}
	/*****************************************************************/
	if (gencrl) {
		int crl_v2 = 0;
		if (!crl_ext) {
			crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT);
			if (!crl_ext)
				ERR_clear_error();
		}
		if (crl_ext) {
			/* Check syntax of file */
			X509V3_CTX ctx;
			X509V3_set_ctx_test(&ctx);
			X509V3_set_nconf(&ctx, conf);
			if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) {
				BIO_printf(bio_err,
				    "Error Loading CRL extension section %s\n",
				    crl_ext);
				ret = 1;
				goto err;
			}
		}
		if ((crlnumberfile = NCONF_get_string(conf, section,
		    ENV_CRLNUMBER)) != NULL)
			if ((crlnumber = load_serial(crlnumberfile, 0,
			    NULL)) == NULL) {
				BIO_printf(bio_err,
				    "error while loading CRL number\n");
				goto err;
			}
		if (!crldays && !crlhours && !crlsec) {
			if (!NCONF_get_number(conf, section,
			    ENV_DEFAULT_CRL_DAYS, &crldays))
				crldays = 0;
			if (!NCONF_get_number(conf, section,
			    ENV_DEFAULT_CRL_HOURS, &crlhours))
				crlhours = 0;
			ERR_clear_error();
		}
		if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
			BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n");
			goto err;
		}
		if (verbose)
			BIO_printf(bio_err, "making CRL\n");
		if ((crl = X509_CRL_new()) == NULL)
			goto err;
		if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
			goto err;

		tmptm = ASN1_TIME_new();
		if (!tmptm)
			goto err;
		X509_gmtime_adj(tmptm, 0);
		X509_CRL_set_lastUpdate(crl, tmptm);
		if (!X509_time_adj_ex(tmptm, crldays,
		    crlhours * 60 * 60 + crlsec, NULL)) {
			BIO_puts(bio_err, "error setting CRL nextUpdate\n");
			goto err;
		}
		X509_CRL_set_nextUpdate(crl, tmptm);

		ASN1_TIME_free(tmptm);

		for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
			pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
			if (pp[DB_type][0] == DB_TYPE_REV) {
				if ((r = X509_REVOKED_new()) == NULL)
					goto err;
				j = make_revoked(r, pp[DB_rev_date]);
				if (!j)
					goto err;
				if (j == 2)
					crl_v2 = 1;
				if (!BN_hex2bn(&serial, pp[DB_serial]))
					goto err;
				tmpser = BN_to_ASN1_INTEGER(serial, NULL);
				BN_free(serial);
				serial = NULL;
				if (!tmpser)
					goto err;
				X509_REVOKED_set_serialNumber(r, tmpser);
				ASN1_INTEGER_free(tmpser);
				X509_CRL_add0_revoked(crl, r);
			}
		}

		/*
		 * sort the data so it will be written in serial number order
		 */
		X509_CRL_sort(crl);

		/* we now have a CRL */
		if (verbose)
			BIO_printf(bio_err, "signing CRL\n");

		/* Add any extensions asked for */

		if (crl_ext || crlnumberfile != NULL) {
			X509V3_CTX crlctx;
			X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
			X509V3_set_nconf(&crlctx, conf);

			if (crl_ext)
				if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
				    crl_ext, crl))
					goto err;
			if (crlnumberfile != NULL) {
				tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
				if (!tmpser)
					goto err;
				X509_CRL_add1_ext_i2d(crl, NID_crl_number,
				    tmpser, 0, 0);
				ASN1_INTEGER_free(tmpser);
				crl_v2 = 1;
				if (!BN_add_word(crlnumber, 1))
					goto err;
			}
		}
		if (crl_ext || crl_v2) {
			if (!X509_CRL_set_version(crl, 1))
				goto err;	/* version 2 CRL */
		}
		if (crlnumberfile != NULL)	/* we have a CRL number that
						 * need updating */
			if (!save_serial(crlnumberfile, "new", crlnumber, NULL))
				goto err;

		if (crlnumber) {
			BN_free(crlnumber);
			crlnumber = NULL;
		}
		if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts))
			goto err;

		PEM_write_bio_X509_CRL(Sout, crl);

		if (crlnumberfile != NULL)	/* Rename the crlnumber file */
			if (!rotate_serial(crlnumberfile, "new", "old"))
				goto err;

	}
	/*****************************************************************/
	if (dorevoke) {
		if (infile == NULL) {
			BIO_printf(bio_err, "no input files\n");
			goto err;
		} else {
			X509 *revcert;
			revcert = load_cert(bio_err, infile, FORMAT_PEM,
			    NULL, e, infile);
			if (revcert == NULL)
				goto err;
			j = do_revoke(revcert, db, rev_type, rev_arg);
			if (j <= 0)
				goto err;
			X509_free(revcert);

			if (!save_index(dbfile, "new", db))
				goto err;

			if (!rotate_index(dbfile, "new", "old"))
				goto err;

			BIO_printf(bio_err, "Data Base Updated\n");
		}
	}
	/*****************************************************************/
	ret = 0;

err:
	free(tofree);

	BIO_free_all(Cout);
	BIO_free_all(Sout);
	BIO_free_all(out);
	BIO_free_all(in);

	if (cert_sk)
		sk_X509_pop_free(cert_sk, X509_free);

	if (ret)
		ERR_print_errors(bio_err);
	if (free_key && key)
		free(key);
	BN_free(serial);
	BN_free(crlnumber);
	free_index(db);
	if (sigopts)
		sk_OPENSSL_STRING_free(sigopts);
	EVP_PKEY_free(pkey);
	if (x509)
		X509_free(x509);
	X509_CRL_free(crl);
	NCONF_free(conf);
	NCONF_free(extconf);
	OBJ_cleanup();

	return (ret);
}

static void
lookup_fail(const char *name, const char *tag)
{
	BIO_printf(bio_err, "variable lookup failed for %s::%s\n", name, tag);
}

static int
certify(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
    const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
    int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
    int ext_copy, int selfsign)
{
	X509_REQ *req = NULL;
	BIO *in = NULL;
	EVP_PKEY *pktmp = NULL;
	int ok = -1, i;

	in = BIO_new(BIO_s_file());

	if (BIO_read_filename(in, infile) <= 0) {
		perror(infile);
		goto err;
	}
	if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) {
		BIO_printf(bio_err, "Error reading certificate request in %s\n",
		    infile);
		goto err;
	}
	if (verbose)
		X509_REQ_print(bio_err, req);

	BIO_printf(bio_err, "Check that the request matches the signature\n");

	if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
		BIO_printf(bio_err,
		    "Certificate request and CA private key do not match\n");
		ok = 0;
		goto err;
	}
	if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
		BIO_printf(bio_err, "error unpacking public key\n");
		goto err;
	}
	i = X509_REQ_verify(req, pktmp);
	EVP_PKEY_free(pktmp);
	if (i < 0) {
		ok = 0;
		BIO_printf(bio_err, "Signature verification problems....\n");
		goto err;
	}
	if (i == 0) {
		ok = 0;
		BIO_printf(bio_err,
		    "Signature did not match the certificate request\n");
		goto err;
	} else
		BIO_printf(bio_err, "Signature ok\n");

	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
	    subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
	    verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
	    ext_copy, selfsign);

err:
	if (req != NULL)
		X509_REQ_free(req);
	if (in != NULL)
		BIO_free(in);
	return (ok);
}

static int
certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
    const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
    int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
    int ext_copy, ENGINE * e)
{
	X509 *req = NULL;
	X509_REQ *rreq = NULL;
	EVP_PKEY *pktmp = NULL;
	int ok = -1, i;

	if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
	    infile)) == NULL)
		goto err;
	if (verbose)
		X509_print(bio_err, req);

	BIO_printf(bio_err, "Check that the request matches the signature\n");

	if ((pktmp = X509_get_pubkey(req)) == NULL) {
		BIO_printf(bio_err, "error unpacking public key\n");
		goto err;
	}
	i = X509_verify(req, pktmp);
	EVP_PKEY_free(pktmp);
	if (i < 0) {
		ok = 0;
		BIO_printf(bio_err, "Signature verification problems....\n");
		goto err;
	}
	if (i == 0) {
		ok = 0;
		BIO_printf(bio_err,
		    "Signature did not match the certificate\n");
		goto err;
	} else
		BIO_printf(bio_err, "Signature ok\n");

	if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
		goto err;

	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
	    subj, chtype, multirdn, email_dn, startdate, enddate, days, batch,
	    verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op,
	    ext_copy, 0);

err:
	if (rreq != NULL)
		X509_REQ_free(rreq);
	if (req != NULL)
		X509_free(req);
	return (ok);
}

static int
do_body(X509 ** xret, EVP_PKEY * pkey, X509 * x509, const EVP_MD * dgst,
    STACK_OF(OPENSSL_STRING) * sigopts, STACK_OF(CONF_VALUE) * policy,
    CA_DB * db, BIGNUM * serial, char *subj, unsigned long chtype, int multirdn,
    int email_dn, char *startdate, char *enddate, long days, int batch,
    int verbose, X509_REQ * req, char *ext_sect, CONF * lconf,
    unsigned long certopt, unsigned long nameopt, int default_op,
    int ext_copy, int selfsign)
{
	X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject = NULL;
	ASN1_UTCTIME *tm, *tmptm;
	ASN1_STRING *str, *str2;
	ASN1_OBJECT *obj;
	X509 *ret = NULL;
	X509_CINF *ci;
	X509_NAME_ENTRY *ne;
	X509_NAME_ENTRY *tne, *push;
	EVP_PKEY *pktmp;
	int ok = -1, i, j, last, nid;
	const char *p;
	CONF_VALUE *cv;
	OPENSSL_STRING row[DB_NUMBER];
	OPENSSL_STRING *irow = NULL;
	OPENSSL_STRING *rrow = NULL;
	char buf[25];

	tmptm = ASN1_UTCTIME_new();
	if (tmptm == NULL) {
		BIO_printf(bio_err, "malloc error\n");
		return (0);
	}
	for (i = 0; i < DB_NUMBER; i++)
		row[i] = NULL;

	if (subj) {
		X509_NAME *n = parse_name(subj, chtype, multirdn);

		if (!n) {
			ERR_print_errors(bio_err);
			goto err;
		}
		X509_REQ_set_subject_name(req, n);
		req->req_info->enc.modified = 1;
		X509_NAME_free(n);
	}
	if (default_op)
		BIO_printf(bio_err,
		    "The Subject's Distinguished Name is as follows\n");

	name = X509_REQ_get_subject_name(req);
	for (i = 0; i < X509_NAME_entry_count(name); i++) {
		ne = X509_NAME_get_entry(name, i);
		str = X509_NAME_ENTRY_get_data(ne);
		obj = X509_NAME_ENTRY_get_object(ne);

		if (msie_hack) {
			/* assume all type should be strings */
			nid = OBJ_obj2nid(ne->object);

			if (str->type == V_ASN1_UNIVERSALSTRING)
				ASN1_UNIVERSALSTRING_to_string(str);

			if ((str->type == V_ASN1_IA5STRING) &&
			    (nid != NID_pkcs9_emailAddress))
				str->type = V_ASN1_T61STRING;

			if ((nid == NID_pkcs9_emailAddress) &&
			    (str->type == V_ASN1_PRINTABLESTRING))
				str->type = V_ASN1_IA5STRING;
		}
		/* If no EMAIL is wanted in the subject */
		if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
			continue;

		/* check some things */
		if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
		    (str->type != V_ASN1_IA5STRING)) {
			BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n");
			goto err;
		}
		if ((str->type != V_ASN1_BMPSTRING) &&
		    (str->type != V_ASN1_UTF8STRING)) {
			j = ASN1_PRINTABLE_type(str->data, str->length);
			if (((j == V_ASN1_T61STRING) &&
			    (str->type != V_ASN1_T61STRING)) ||
			    ((j == V_ASN1_IA5STRING) &&
			    (str->type == V_ASN1_PRINTABLESTRING))) {
				BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n");
				goto err;
			}
		}
		if (default_op)
			old_entry_print(bio_err, obj, str);
	}

	/* Ok, now we check the 'policy' stuff. */
	if ((subject = X509_NAME_new()) == NULL) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto err;
	}
	/* take a copy of the issuer name before we mess with it. */
	if (selfsign)
		CAname = X509_NAME_dup(name);
	else
		CAname = X509_NAME_dup(x509->cert_info->subject);
	if (CAname == NULL)
		goto err;
	str = str2 = NULL;

	for (i = 0; i < sk_CONF_VALUE_num(policy); i++) {
		cv = sk_CONF_VALUE_value(policy, i);	/* get the object id */
		if ((j = OBJ_txt2nid(cv->name)) == NID_undef) {
			BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name);
			goto err;
		}
		obj = OBJ_nid2obj(j);

		last = -1;
		for (;;) {
			/* lookup the object in the supplied name list */
			j = X509_NAME_get_index_by_OBJ(name, obj, last);
			if (j < 0) {
				if (last != -1)
					break;
				tne = NULL;
			} else {
				tne = X509_NAME_get_entry(name, j);
			}
			last = j;

			/* depending on the 'policy', decide what to do. */
			push = NULL;
			if (strcmp(cv->value, "optional") == 0) {
				if (tne != NULL)
					push = tne;
			} else if (strcmp(cv->value, "supplied") == 0) {
				if (tne == NULL) {
					BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name);
					goto err;
				} else
					push = tne;
			} else if (strcmp(cv->value, "match") == 0) {
				int last2;

				if (tne == NULL) {
					BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name);
					goto err;
				}
				last2 = -1;

again2:
				j = X509_NAME_get_index_by_OBJ(CAname, obj, last2);
				if ((j < 0) && (last2 == -1)) {
					BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name);
					goto err;
				}
				if (j >= 0) {
					push = X509_NAME_get_entry(CAname, j);
					str = X509_NAME_ENTRY_get_data(tne);
					str2 = X509_NAME_ENTRY_get_data(push);
					last2 = j;
					if (ASN1_STRING_cmp(str, str2) != 0)
						goto again2;
				}
				if (j < 0) {
					BIO_printf(bio_err, "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n", cv->name, ((str2 == NULL) ? "NULL" : (char *) str2->data), ((str == NULL) ? "NULL" : (char *) str->data));
					goto err;
				}
			} else {
				BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value);
				goto err;
			}

			if (push != NULL) {
				if (!X509_NAME_add_entry(subject, push,
				    -1, 0)) {
					if (push != NULL)
						X509_NAME_ENTRY_free(push);
					BIO_printf(bio_err,
					    "Memory allocation failure\n");
					goto err;
				}
			}
			if (j < 0)
				break;
		}
	}

	if (preserve) {
		X509_NAME_free(subject);
		/* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
		subject = X509_NAME_dup(name);
		if (subject == NULL)
			goto err;
	}
	if (verbose)
		BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n");

	/* Build the correct Subject if no e-mail is wanted in the subject */
	/*
	 * and add it later on because of the method extensions are added
	 * (altName)
	 */

	if (email_dn)
		dn_subject = subject;
	else {
		X509_NAME_ENTRY *tmpne;
		/*
		 * Its best to dup the subject DN and then delete any email
		 * addresses because this retains its structure.
		 */
		if (!(dn_subject = X509_NAME_dup(subject))) {
			BIO_printf(bio_err, "Memory allocation failure\n");
			goto err;
		}
		while ((i = X509_NAME_get_index_by_NID(dn_subject,
		    NID_pkcs9_emailAddress, -1)) >= 0) {
			tmpne = X509_NAME_get_entry(dn_subject, i);
			X509_NAME_delete_entry(dn_subject, i);
			X509_NAME_ENTRY_free(tmpne);
		}
	}

	if (BN_is_zero(serial))
		row[DB_serial] = strdup("00");
	else
		row[DB_serial] = BN_bn2hex(serial);
	if (row[DB_serial] == NULL) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto err;
	}
	if (db->attributes.unique_subject) {
		OPENSSL_STRING *crow = row;

		rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
		if (rrow != NULL) {
			BIO_printf(bio_err,
			    "ERROR:There is already a certificate for %s\n",
			    row[DB_name]);
		}
	}
	if (rrow == NULL) {
		rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
		if (rrow != NULL) {
			BIO_printf(bio_err,
			    "ERROR:Serial number %s has already been issued,\n",
			    row[DB_serial]);
			BIO_printf(bio_err, "      check the database/serial_file for corruption\n");
		}
	}
	if (rrow != NULL) {
		BIO_printf(bio_err,
		    "The matching entry has the following details\n");
		if (rrow[DB_type][0] == 'E')
			p = "Expired";
		else if (rrow[DB_type][0] == 'R')
			p = "Revoked";
		else if (rrow[DB_type][0] == 'V')
			p = "Valid";
		else
			p = "\ninvalid type, Data base error\n";
		BIO_printf(bio_err, "Type	  :%s\n", p);
		if (rrow[DB_type][0] == 'R') {
			p = rrow[DB_exp_date];
			if (p == NULL)
				p = "undef";
			BIO_printf(bio_err, "Was revoked on:%s\n", p);
		}
		p = rrow[DB_exp_date];
		if (p == NULL)
			p = "undef";
		BIO_printf(bio_err, "Expires on    :%s\n", p);
		p = rrow[DB_serial];
		if (p == NULL)
			p = "undef";
		BIO_printf(bio_err, "Serial Number :%s\n", p);
		p = rrow[DB_file];
		if (p == NULL)
			p = "undef";
		BIO_printf(bio_err, "File name     :%s\n", p);
		p = rrow[DB_name];
		if (p == NULL)
			p = "undef";
		BIO_printf(bio_err, "Subject Name  :%s\n", p);
		ok = -1;	/* This is now a 'bad' error. */
		goto err;
	}
	/* We are now totally happy, lets make and sign the certificate */
	if (verbose)
		BIO_printf(bio_err, "Everything appears to be ok, creating and signing the certificate\n");

	if ((ret = X509_new()) == NULL)
		goto err;
	ci = ret->cert_info;

#ifdef X509_V3
	/* Make it an X509 v3 certificate. */
	if (!X509_set_version(ret, 2))
		goto err;
#endif

	if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
		goto err;
	if (selfsign) {
		if (!X509_set_issuer_name(ret, subject))
			goto err;
	} else {
		if (!X509_set_issuer_name(ret, X509_get_subject_name(x509)))
			goto err;
	}

	if (strcmp(startdate, "today") == 0)
		X509_gmtime_adj(X509_get_notBefore(ret), 0);
	else
		ASN1_TIME_set_string(X509_get_notBefore(ret), startdate);

	if (enddate == NULL)
		X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
	else
		ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);

	if (!X509_set_subject_name(ret, subject))
		goto err;

	pktmp = X509_REQ_get_pubkey(req);
	i = X509_set_pubkey(ret, pktmp);
	EVP_PKEY_free(pktmp);
	if (!i)
		goto err;

	/* Lets add the extensions, if there are any */
	if (ext_sect) {
		X509V3_CTX ctx;
		if (ci->version == NULL)
			if ((ci->version = ASN1_INTEGER_new()) == NULL)
				goto err;
		ASN1_INTEGER_set(ci->version, 2);	/* version 3 certificate */

		/*
		 * Free the current entries if any, there should not be any I
		 * believe
		 */
		if (ci->extensions != NULL)
			sk_X509_EXTENSION_pop_free(ci->extensions,
			    X509_EXTENSION_free);

		ci->extensions = NULL;

		/* Initialize the context structure */
		if (selfsign)
			X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0);
		else
			X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);

		if (extconf) {
			if (verbose)
				BIO_printf(bio_err,
				    "Extra configuration file found\n");

			/* Use the extconf configuration db LHASH */
			X509V3_set_nconf(&ctx, extconf);

			/* Test the structure (needed?) */
			/* X509V3_set_ctx_test(&ctx); */

			/* Adds exts contained in the configuration file */
			if (!X509V3_EXT_add_nconf(extconf, &ctx,
			    ext_sect, ret)) {
				BIO_printf(bio_err,
				    "ERROR: adding extensions in section %s\n",
				    ext_sect);
				ERR_print_errors(bio_err);
				goto err;
			}
			if (verbose)
				BIO_printf(bio_err, "Successfully added extensions from file.\n");
		} else if (ext_sect) {
			/* We found extensions to be set from config file */
			X509V3_set_nconf(&ctx, lconf);

			if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) {
				BIO_printf(bio_err,
				    "ERROR: adding extensions in section %s\n",
				    ext_sect);
				ERR_print_errors(bio_err);
				goto err;
			}
			if (verbose)
				BIO_printf(bio_err, "Successfully added extensions from config\n");
		}
	}
	/* Copy extensions from request (if any) */

	if (!copy_extensions(ret, req, ext_copy)) {
		BIO_printf(bio_err, "ERROR: adding extensions from request\n");
		ERR_print_errors(bio_err);
		goto err;
	}
	/* Set the right value for the noemailDN option */
	if (email_dn == 0) {
		if (!X509_set_subject_name(ret, dn_subject))
			goto err;
	}
	if (!default_op) {
		BIO_printf(bio_err, "Certificate Details:\n");
		/*
		 * Never print signature details because signature not
		 * present
		 */
		certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME;
		X509_print_ex(bio_err, ret, nameopt, certopt);
	}
	BIO_printf(bio_err, "Certificate is to be certified until ");
	ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
	if (days)
		BIO_printf(bio_err, " (%ld days)", days);
	BIO_printf(bio_err, "\n");

	if (!batch) {

		BIO_printf(bio_err, "Sign the certificate? [y/n]:");
		(void) BIO_flush(bio_err);
		buf[0] = '\0';
		if (!fgets(buf, sizeof(buf) - 1, stdin)) {
			BIO_printf(bio_err,
			    "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
			ok = 0;
			goto err;
		}
		if (!((buf[0] == 'y') || (buf[0] == 'Y'))) {
			BIO_printf(bio_err,
			    "CERTIFICATE WILL NOT BE CERTIFIED\n");
			ok = 0;
			goto err;
		}
	}
	pktmp = X509_get_pubkey(ret);
	if (EVP_PKEY_missing_parameters(pktmp) &&
	    !EVP_PKEY_missing_parameters(pkey))
		EVP_PKEY_copy_parameters(pktmp, pkey);
	EVP_PKEY_free(pktmp);

	if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts))
		goto err;

	/* We now just add it to the database */
	row[DB_type] = malloc(2);

	tm = X509_get_notAfter(ret);
	row[DB_exp_date] = malloc(tm->length + 1);
	memcpy(row[DB_exp_date], tm->data, tm->length);
	row[DB_exp_date][tm->length] = '\0';

	row[DB_rev_date] = NULL;

	/* row[DB_serial] done already */
	row[DB_file] = malloc(8);
	row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);

	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
	    (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto err;
	}
	(void) strlcpy(row[DB_file], "unknown", 8);
	row[DB_type][0] = 'V';
	row[DB_type][1] = '\0';

	if ((irow = reallocarray(NULL, DB_NUMBER + 1, sizeof(char *))) ==
	    NULL) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto err;
	}
	for (i = 0; i < DB_NUMBER; i++) {
		irow[i] = row[i];
		row[i] = NULL;
	}
	irow[DB_NUMBER] = NULL;

	if (!TXT_DB_insert(db->db, irow)) {
		BIO_printf(bio_err, "failed to update database\n");
		BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error);
		goto err;
	}
	ok = 1;
err:
	for (i = 0; i < DB_NUMBER; i++)
		free(row[i]);

	if (CAname != NULL)
		X509_NAME_free(CAname);
	if (subject != NULL)
		X509_NAME_free(subject);
	if ((dn_subject != NULL) && !email_dn)
		X509_NAME_free(dn_subject);
	if (tmptm != NULL)
		ASN1_UTCTIME_free(tmptm);
	if (ok <= 0) {
		if (ret != NULL)
			X509_free(ret);
		ret = NULL;
	} else
		*xret = ret;
	return (ok);
}

static void
write_new_certificate(BIO * bp, X509 * x, int output_der, int notext)
{
	if (output_der) {
		(void) i2d_X509_bio(bp, x);
		return;
	}
	if (!notext)
		X509_print(bp, x);
	PEM_write_bio_X509(bp, x);
}

static int
certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
    const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, char *ext_sect, CONF * lconf, int verbose,
    unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy)
{
	STACK_OF(CONF_VALUE) * sk = NULL;
	LHASH_OF(CONF_VALUE) * parms = NULL;
	X509_REQ *req = NULL;
	CONF_VALUE *cv = NULL;
	NETSCAPE_SPKI *spki = NULL;
	X509_REQ_INFO *ri;
	char *type, *buf;
	EVP_PKEY *pktmp = NULL;
	X509_NAME *n = NULL;
	int ok = -1, i, j;
	long errline;
	int nid;

	/*
	 * Load input file into a hash table.  (This is just an easy
	 * way to read and parse the file, then put it into a convenient
	 * STACK format).
	 */
	parms = CONF_load(NULL, infile, &errline);
	if (parms == NULL) {
		BIO_printf(bio_err, "error on line %ld of %s\n",
		    errline, infile);
		ERR_print_errors(bio_err);
		goto err;
	}
	sk = CONF_get_section(parms, "default");
	if (sk_CONF_VALUE_num(sk) == 0) {
		BIO_printf(bio_err, "no name/value pairs found in %s\n",
		    infile);
		CONF_free(parms);
		goto err;
	}
	/*
	 * Now create a dummy X509 request structure.  We don't actually
	 * have an X509 request, but we have many of the components
	 * (a public key, various DN components).  The idea is that we
	 * put these components into the right X509 request structure
	 * and we can use the same code as if you had a real X509 request.
	 */
	req = X509_REQ_new();
	if (req == NULL) {
		ERR_print_errors(bio_err);
		goto err;
	}
	/*
	 * Build up the subject name set.
	 */
	ri = req->req_info;
	n = ri->subject;

	for (i = 0;; i++) {
		if (sk_CONF_VALUE_num(sk) <= i)
			break;

		cv = sk_CONF_VALUE_value(sk, i);
		type = cv->name;
		/*
		 * Skip past any leading X. X: X, etc to allow for multiple
		 * instances
		 */
		for (buf = cv->name; *buf; buf++) {
			if ((*buf == ':') || (*buf == ',') || (*buf == '.')) {
				buf++;
				if (*buf)
					type = buf;
				break;
			}
		}

		buf = cv->value;
		if ((nid = OBJ_txt2nid(type)) == NID_undef) {
			if (strcmp(type, "SPKAC") == 0) {
				spki = NETSCAPE_SPKI_b64_decode(cv->value, -1);
				if (spki == NULL) {
					BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n");
					ERR_print_errors(bio_err);
					goto err;
				}
			}
			continue;
		}
		if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
		    (unsigned char *)buf, -1, -1, 0))
			goto err;
	}
	if (spki == NULL) {
		BIO_printf(bio_err,
		    "Netscape SPKAC structure not found in %s\n", infile);
		goto err;
	}
	/*
	 * Now extract the key from the SPKI structure.
	 */

	BIO_printf(bio_err,
	    "Check that the SPKAC request matches the signature\n");

	if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) {
		BIO_printf(bio_err, "error unpacking SPKAC public key\n");
		goto err;
	}
	j = NETSCAPE_SPKI_verify(spki, pktmp);
	if (j <= 0) {
		BIO_printf(bio_err,
		    "signature verification failed on SPKAC public key\n");
		goto err;
	}
	BIO_printf(bio_err, "Signature ok\n");

	X509_REQ_set_pubkey(req, pktmp);
	EVP_PKEY_free(pktmp);
	ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial,
	    subj, chtype, multirdn, email_dn, startdate, enddate, days, 1,
	    verbose, req, ext_sect, lconf, certopt, nameopt, default_op,
	    ext_copy, 0);

err:
	if (req != NULL)
		X509_REQ_free(req);
	if (parms != NULL)
		CONF_free(parms);
	if (spki != NULL)
		NETSCAPE_SPKI_free(spki);

	return (ok);
}

static int
check_time_format(const char *str)
{
	return ASN1_TIME_set_string(NULL, str);
}

static int
do_revoke(X509 * x509, CA_DB * db, int type, char *value)
{
	ASN1_UTCTIME *tm = NULL;
	char *row[DB_NUMBER], **rrow, **irow;
	char *rev_str = NULL;
	BIGNUM *bn = NULL;
	int ok = -1, i;

	for (i = 0; i < DB_NUMBER; i++)
		row[i] = NULL;
	row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0);
	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL);
	if (!bn)
		goto err;
	if (BN_is_zero(bn))
		row[DB_serial] = strdup("00");
	else
		row[DB_serial] = BN_bn2hex(bn);
	BN_free(bn);
	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
		BIO_printf(bio_err, "Memory allocation failure\n");
		goto err;
	}
	/*
	 * We have to lookup by serial number because name lookup skips
	 * revoked certs
	 */
	rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
	if (rrow == NULL) {
		BIO_printf(bio_err,
		    "Adding Entry with serial number %s to DB for %s\n",
		    row[DB_serial], row[DB_name]);

		/* We now just add it to the database */
		row[DB_type] = malloc(2);

		tm = X509_get_notAfter(x509);
		row[DB_exp_date] = malloc(tm->length + 1);
		memcpy(row[DB_exp_date], tm->data, tm->length);
		row[DB_exp_date][tm->length] = '\0';

		row[DB_rev_date] = NULL;

		/* row[DB_serial] done already */
		row[DB_file] = malloc(8);

		/* row[DB_name] done already */

		if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
		    (row[DB_file] == NULL)) {
			BIO_printf(bio_err, "Memory allocation failure\n");
			goto err;
		}
		(void) strlcpy(row[DB_file], "unknown", 8);
		row[DB_type][0] = 'V';
		row[DB_type][1] = '\0';

		if ((irow = reallocarray(NULL, sizeof(char *),
		    (DB_NUMBER + 1))) == NULL) {
			BIO_printf(bio_err, "Memory allocation failure\n");
			goto err;
		}
		for (i = 0; i < DB_NUMBER; i++) {
			irow[i] = row[i];
			row[i] = NULL;
		}
		irow[DB_NUMBER] = NULL;

		if (!TXT_DB_insert(db->db, irow)) {
			BIO_printf(bio_err, "failed to update database\n");
			BIO_printf(bio_err, "TXT_DB error number %ld\n",
			    db->db->error);
			goto err;
		}
		/* Revoke Certificate */
		ok = do_revoke(x509, db, type, value);

		goto err;

	} else if (index_name_cmp_noconst(row, rrow)) {
		BIO_printf(bio_err, "ERROR:name does not match %s\n",
		    row[DB_name]);
		goto err;
	} else if (rrow[DB_type][0] == 'R') {
		BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
		    row[DB_serial]);
		goto err;
	} else {
		BIO_printf(bio_err, "Revoking Certificate %s.\n",
		    rrow[DB_serial]);
		rev_str = make_revocation_str(type, value);
		if (!rev_str) {
			BIO_printf(bio_err, "Error in revocation arguments\n");
			goto err;
		}
		rrow[DB_type][0] = 'R';
		rrow[DB_type][1] = '\0';
		rrow[DB_rev_date] = rev_str;
	}
	ok = 1;

err:
	for (i = 0; i < DB_NUMBER; i++)
		free(row[i]);

	return (ok);
}

static int
get_certificate_status(const char *serial, CA_DB * db)
{
	char *row[DB_NUMBER], **rrow;
	int ok = -1, i;

	/* Free Resources */
	for (i = 0; i < DB_NUMBER; i++)
		row[i] = NULL;

	/* Malloc needed char spaces */
	row[DB_serial] = malloc(strlen(serial) + 2);
	if (row[DB_serial] == NULL) {
		BIO_printf(bio_err, "Malloc failure\n");
		goto err;
	}
	if (strlen(serial) % 2) {
		/* Set the first char to 0 */ ;
		row[DB_serial][0] = '0';

		/* Copy String from serial to row[DB_serial] */
		memcpy(row[DB_serial] + 1, serial, strlen(serial));
		row[DB_serial][strlen(serial) + 1] = '\0';
	} else {
		/* Copy String from serial to row[DB_serial] */
		memcpy(row[DB_serial], serial, strlen(serial));
		row[DB_serial][strlen(serial)] = '\0';
	}

	/* Make it Upper Case */
	for (i = 0; row[DB_serial][i] != '\0'; i++)
		row[DB_serial][i] = toupper((unsigned char) row[DB_serial][i]);


	ok = 1;

	/* Search for the certificate */
	rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
	if (rrow == NULL) {
		BIO_printf(bio_err, "Serial %s not present in db.\n",
		    row[DB_serial]);
		ok = -1;
		goto err;
	} else if (rrow[DB_type][0] == 'V') {
		BIO_printf(bio_err, "%s=Valid (%c)\n",
		    row[DB_serial], rrow[DB_type][0]);
		goto err;
	} else if (rrow[DB_type][0] == 'R') {
		BIO_printf(bio_err, "%s=Revoked (%c)\n",
		    row[DB_serial], rrow[DB_type][0]);
		goto err;
	} else if (rrow[DB_type][0] == 'E') {
		BIO_printf(bio_err, "%s=Expired (%c)\n",
		    row[DB_serial], rrow[DB_type][0]);
		goto err;
	} else if (rrow[DB_type][0] == 'S') {
		BIO_printf(bio_err, "%s=Suspended (%c)\n",
		    row[DB_serial], rrow[DB_type][0]);
		goto err;
	} else {
		BIO_printf(bio_err, "%s=Unknown (%c).\n",
		    row[DB_serial], rrow[DB_type][0]);
		ok = -1;
	}

err:
	for (i = 0; i < DB_NUMBER; i++)
		free(row[i]);

	return (ok);
}

static int
do_updatedb(CA_DB * db)
{
	ASN1_UTCTIME *a_tm = NULL;
	int i, cnt = 0;
	int db_y2k, a_y2k;	/* flags = 1 if y >= 2000 */
	char **rrow, *a_tm_s;

	a_tm = ASN1_UTCTIME_new();

	/* get actual time and make a string */
	a_tm = X509_gmtime_adj(a_tm, 0);
	a_tm_s = malloc(a_tm->length + 1);
	if (a_tm_s == NULL) {
		cnt = -1;
		goto err;
	}
	memcpy(a_tm_s, a_tm->data, a_tm->length);
	a_tm_s[a_tm->length] = '\0';

	if (strncmp(a_tm_s, "49", 2) <= 0)
		a_y2k = 1;
	else
		a_y2k = 0;

	for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
		rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);

		if (rrow[DB_type][0] == 'V') {
			/* ignore entries that are not valid */
			if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
				db_y2k = 1;
			else
				db_y2k = 0;

			if (db_y2k == a_y2k) {
				/* all on the same y2k side */
				if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
					rrow[DB_type][0] = 'E';
					rrow[DB_type][1] = '\0';
					cnt++;

					BIO_printf(bio_err, "%s=Expired\n",
					    rrow[DB_serial]);
				}
			} else if (db_y2k < a_y2k) {
				rrow[DB_type][0] = 'E';
				rrow[DB_type][1] = '\0';
				cnt++;

				BIO_printf(bio_err, "%s=Expired\n",
				    rrow[DB_serial]);
			}
		}
	}

err:
	ASN1_UTCTIME_free(a_tm);
	free(a_tm_s);

	return (cnt);
}

static const char *crl_reasons[] = {
	/* CRL reason strings */
	"unspecified",
	"keyCompromise",
	"CACompromise",
	"affiliationChanged",
	"superseded",
	"cessationOfOperation",
	"certificateHold",
	"removeFromCRL",
	/* Additional pseudo reasons */
	"holdInstruction",
	"keyTime",
	"CAkeyTime"
};

#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))

/* Given revocation information convert to a DB string.
 * The format of the string is:
 * revtime[,reason,extra]. Where 'revtime' is the
 * revocation time (the current time). 'reason' is the
 * optional CRL reason and 'extra' is any additional
 * argument
 */

char *
make_revocation_str(int rev_type, char *rev_arg)
{
	char *other = NULL, *str;
	const char *reason = NULL;
	ASN1_OBJECT *otmp;
	ASN1_UTCTIME *revtm = NULL;
	int i;
	switch (rev_type) {
	case REV_NONE:
		break;

	case REV_CRL_REASON:
		for (i = 0; i < 8; i++) {
			if (!strcasecmp(rev_arg, crl_reasons[i])) {
				reason = crl_reasons[i];
				break;
			}
		}
		if (reason == NULL) {
			BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
			return NULL;
		}
		break;

	case REV_HOLD:
		/* Argument is an OID */

		otmp = OBJ_txt2obj(rev_arg, 0);
		ASN1_OBJECT_free(otmp);

		if (otmp == NULL) {
			BIO_printf(bio_err,
			    "Invalid object identifier %s\n", rev_arg);
			return NULL;
		}
		reason = "holdInstruction";
		other = rev_arg;
		break;

	case REV_KEY_COMPROMISE:
	case REV_CA_COMPROMISE:

		/* Argument is the key compromise time  */
		if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
			BIO_printf(bio_err,
			    "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n",
			    rev_arg);
			return NULL;
		}
		other = rev_arg;
		if (rev_type == REV_KEY_COMPROMISE)
			reason = "keyTime";
		else
			reason = "CAkeyTime";

		break;

	}

	revtm = X509_gmtime_adj(NULL, 0);
	if (asprintf(&str, "%s%s%s%s%s", revtm->data,
	    reason ? "," : "", reason ? reason : "",
	    other ? "," : "", other ? other : "") == -1)
		str = NULL;
	ASN1_UTCTIME_free(revtm);
	return str;
}

/* Convert revocation field to X509_REVOKED entry
 * return code:
 * 0 error
 * 1 OK
 * 2 OK and some extensions added (i.e. V2 CRL)
 */

int
make_revoked(X509_REVOKED * rev, const char *str)
{
	char *tmp = NULL;
	int reason_code = -1;
	int i, ret = 0;
	ASN1_OBJECT *hold = NULL;
	ASN1_GENERALIZEDTIME *comp_time = NULL;
	ASN1_ENUMERATED *rtmp = NULL;

	ASN1_TIME *revDate = NULL;

	i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);

	if (i == 0)
		goto err;

	if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
		goto err;

	if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) {
		rtmp = ASN1_ENUMERATED_new();
		if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
			goto err;
		if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
			goto err;
	}
	if (rev && comp_time) {
		if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date,
		    comp_time, 0, 0))
			goto err;
	}
	if (rev && hold) {
		if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code,
		    hold, 0, 0))
			goto err;
	}
	if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
		ret = 2;
	else
		ret = 1;

err:
	free(tmp);

	ASN1_OBJECT_free(hold);
	ASN1_GENERALIZEDTIME_free(comp_time);
	ASN1_ENUMERATED_free(rtmp);
	ASN1_TIME_free(revDate);

	return ret;
}

int
old_entry_print(BIO * bp, ASN1_OBJECT * obj, ASN1_STRING * str)
{
	char buf[25], *pbuf, *p;
	int j;

	j = i2a_ASN1_OBJECT(bp, obj);
	pbuf = buf;
	for (j = 22 - j; j > 0; j--)
		*(pbuf++) = ' ';
	*(pbuf++) = ':';
	*(pbuf++) = '\0';
	BIO_puts(bp, buf);

	if (str->type == V_ASN1_PRINTABLESTRING)
		BIO_printf(bp, "PRINTABLE:'");
	else if (str->type == V_ASN1_T61STRING)
		BIO_printf(bp, "T61STRING:'");
	else if (str->type == V_ASN1_IA5STRING)
		BIO_printf(bp, "IA5STRING:'");
	else if (str->type == V_ASN1_UNIVERSALSTRING)
		BIO_printf(bp, "UNIVERSALSTRING:'");
	else
		BIO_printf(bp, "ASN.1 %2d:'", str->type);

	p = (char *) str->data;
	for (j = str->length; j > 0; j--) {
		if ((*p >= ' ') && (*p <= '~'))
			BIO_printf(bp, "%c", *p);
		else if (*p & 0x80)
			BIO_printf(bp, "\\0x%02X", *p);
		else if ((unsigned char) *p == 0xf7)
			BIO_printf(bp, "^?");
		else
			BIO_printf(bp, "^%c", *p + '@');
		p++;
	}
	BIO_printf(bp, "'\n");
	return 1;
}

int
unpack_revinfo(ASN1_TIME ** prevtm, int *preason, ASN1_OBJECT ** phold,
    ASN1_GENERALIZEDTIME ** pinvtm, const char *str)
{
	char *tmp = NULL;
	char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
	int reason_code = -1;
	int ret = 0;
	unsigned int i;
	ASN1_OBJECT *hold = NULL;
	ASN1_GENERALIZEDTIME *comp_time = NULL;

	if ((tmp = strdup(str)) == NULL) {
		BIO_printf(bio_err, "malloc failed\n");
		goto err;
	}
	p = strchr(tmp, ',');
	rtime_str = tmp;

	if (p) {
		*p = '\0';
		p++;
		reason_str = p;
		p = strchr(p, ',');
		if (p) {
			*p = '\0';
			arg_str = p + 1;
		}
	}
	if (prevtm) {
		*prevtm = ASN1_UTCTIME_new();
		if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) {
			BIO_printf(bio_err, "invalid revocation date %s\n",
			    rtime_str);
			goto err;
		}
	}
	if (reason_str) {
		for (i = 0; i < NUM_REASONS; i++) {
			if (!strcasecmp(reason_str, crl_reasons[i])) {
				reason_code = i;
				break;
			}
		}
		if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) {
			BIO_printf(bio_err, "invalid reason code %s\n",
			    reason_str);
			goto err;
		}
		if (reason_code == 7)
			reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
		else if (reason_code == 8) {	/* Hold instruction */
			if (!arg_str) {
				BIO_printf(bio_err,
				    "missing hold instruction\n");
				goto err;
			}
			reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
			hold = OBJ_txt2obj(arg_str, 0);

			if (!hold) {
				BIO_printf(bio_err,
				    "invalid object identifier %s\n", arg_str);
				goto err;
			}
			if (phold)
				*phold = hold;
		} else if ((reason_code == 9) || (reason_code == 10)) {
			if (!arg_str) {
				BIO_printf(bio_err,
				    "missing compromised time\n");
				goto err;
			}
			comp_time = ASN1_GENERALIZEDTIME_new();
			if (!ASN1_GENERALIZEDTIME_set_string(comp_time,
			    arg_str)) {
				BIO_printf(bio_err,
				    "invalid compromised time %s\n", arg_str);
				goto err;
			}
			if (reason_code == 9)
				reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
			else
				reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
		}
	}
	if (preason)
		*preason = reason_code;
	if (pinvtm)
		*pinvtm = comp_time;
	else
		ASN1_GENERALIZEDTIME_free(comp_time);

	ret = 1;

err:
	free(tmp);

	if (!phold)
		ASN1_OBJECT_free(hold);
	if (!pinvtm)
		ASN1_GENERALIZEDTIME_free(comp_time);

	return ret;
}

static char *
bin2hex(unsigned char * data, size_t len)
{
	char *ret = NULL;
	char hex[] = "0123456789ABCDEF";
	int i;

	if ((ret = malloc(len * 2 + 1))) {
		for (i = 0; i < len; i++) {
			ret[i * 2 + 0] = hex[data[i] >> 4];
			ret[i * 2 + 1] = hex[data[i] & 0x0F];
		}
		ret[len * 2] = '\0';
	}
	return ret;
}