Initial trust code: allow setting of trust checking functions

 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Fixes and enhancements to the 'x509' utility. It allowed a message

     digest to be passed on the command line but it only used this

     parameter when signing a certificate. Modified so all relevant

     operations are affected by the digest parameter including the

     -fingerprint and -x509toreq options. Also -x509toreq choked if a

     DSA key was used because it didn't fix the digest.

     [Steve Henson]

  *) Very preliminary certificate chain verify code. Currently just tests

     the untrusted certificates for consistency with the verify purpose

     (which is set when the X509_STORE_CTX structure is set up) and checks

     reject chains with invalid extensions whereas before it made no checks

     at all.

     Still needs some trust checking code.

     Preliminary untested trust code. 

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions

     which should be used for version portability: especially since the

$thread_cflag = (unknown)

$lflags       = 

$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK

$bn_obj       = 

$bn_obj       = asm/alpha.o

$des_obj      = 

$bf_obj       = 

$md5_obj      = 

$thread_cflag = (unknown)

$lflags       = 

$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1

$bn_obj       = 

$bn_obj       = asm/alpha.o

$des_obj      = 

$bf_obj       = 

$md5_obj      = 

$thread_cflag = (unknown)

$lflags       = 

$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK

$bn_obj       = 

$bn_obj       = asm/alpha.o

$des_obj      = 

$bf_obj       = 

$md5_obj      = 

" -noout          - no certificate output\n",

" -trustout       - output a \"trusted\" certificate\n",

" -clrtrust       - clear all trusted purposes\n",

" -clrnotrust     - clear all untrusted purposes\n",

" -addtrust arg   - mark certificate as trusted for a given purpose\n",

" -addnotrust arg - mark certificate as not trusted for a given purpose\n",

" -clrreject      - clear all rejected purposes\n",

" -addtrust arg   - trust certificate for a given purpose\n",

" -addreject arg  - reject certificate for a given purpose\n",

" -setalias arg   - set certificate alias\n",

" -days arg       - How long till expiry of a signed certificate - def 30 days\n",

" -signkey arg    - self sign cert with arg\n",

" -CAserial       - serial file\n",

" -text           - print the certificate in text form\n",

" -C              - print out C code forms\n",

" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",

" -md2/-md5/-sha1/-mdc2 - digest to use\n",

" -extfile        - configuration file with X509V3 extensions to add\n",

" -extensions     - section from config file with X509V3 extensions to add\n",

NULL

	int i,num,badops=0;

	BIO *out=NULL;

	BIO *STDout=NULL;

	STACK *trust = NULL, *notrust = NULL;

	STACK *trust = NULL, *reject = NULL;

	int informat,outformat,keyformat,CAformat,CAkeyformat;

	char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;

	char *CAkeyfile=NULL,*CAserial=NULL;

	char *alias=NULL, *trstr=NULL;

	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;

	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;

	int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;

	int trustout=0,clrtrust=0,clrreject=0,aliasout=0;

	int C=0;

	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;

	int pprint = 0;

			sk_push(trust, trstr);

			trustout = 1;

			}

		else if (strcmp(*argv,"-addnotrust") == 0)

		else if (strcmp(*argv,"-addreject") == 0)

			{

			if (--argc < 1) goto bad;

			trstr= *(++argv);

			if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {

			if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {

				BIO_printf(bio_err,

					"Unknown trust value %s\n", trstr);

				goto bad;

			}

			if(!notrust) notrust = sk_new_null();

			sk_push(notrust, trstr);

			if(!reject) reject = sk_new_null();

			sk_push(reject, trstr);

			trustout = 1;

			}

		else if (strcmp(*argv,"-setalias") == 0)

			trustout= 1;

		else if (strcmp(*argv,"-clrtrust") == 0)

			clrtrust= ++num;

		else if (strcmp(*argv,"-clrnotrust") == 0)

			clrnotrust= ++num;

		else if (strcmp(*argv,"-clrreject") == 0)

			clrreject= ++num;

		else if (strcmp(*argv,"-alias") == 0)

			aliasout= ++num;

		else if (strcmp(*argv,"-CAcreateserial") == 0)

			CA_createserial= ++num;

		else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)

		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))

			{

			/* ok */

			digest=md_alg;

	if(alias) X509_alias_set(x, (unsigned char *)alias, -1);

	if(clrtrust) X509_trust_set_bit(x, -1, 0);

	if(clrnotrust) X509_notrust_set_bit(x, -1, 0);

	if(clrreject) X509_reject_set_bit(x, -1, 0);

	if(trust) {

		for(i = 0; i < sk_num(trust); i++) {

		sk_free(trust);

	}

	if(notrust) {

		for(i = 0; i < sk_num(notrust); i++) {

			trstr = sk_value(notrust, i);

			X509_notrust_set_bit_asc(x, trstr, 1);

	if(reject) {

		for(i = 0; i < sk_num(reject); i++) {

			trstr = sk_value(reject, i);

			X509_reject_set_bit_asc(x, trstr, 1);

		}

		sk_free(notrust);

		sk_free(reject);

	}

	if (num)

				unsigned int n;

				unsigned char md[EVP_MAX_MD_SIZE];

				if (!X509_digest(x,EVP_md5(),md,&n))

				if (!X509_digest(x,digest,md,&n))

					{

					BIO_printf(bio_err,"out of memory\n");

					goto end;

					}

				BIO_printf(STDout,"MD5 Fingerprint=");

				BIO_printf(STDout,"%s Fingerprint=",

						OBJ_nid2sn(EVP_MD_type(digest)));

				for (j=0; j<(int)n; j++)

					{

					BIO_printf(STDout,"%02X%c",md[j],

				BIO_printf(bio_err,"Generating certificate request\n");

				rq=X509_to_X509_REQ(x,pk,EVP_md5());

		                if (pk->type == EVP_PKEY_DSA)

		                        digest=EVP_dss1();

				rq=X509_to_X509_REQ(x,pk,digest);

				EVP_PKEY_free(pk);

				if (rq == NULL)

					{

#include <openssl/buffer.h>

#include <openssl/x509.h>

int ASN1_digest(int (*i2d)(), EVP_MD *type, char *data, unsigned char *md,

	     unsigned int *len)

int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,

		unsigned char *md, unsigned int *len)

	{

	EVP_MD_CTX ctx;

	int i;

	return 1;

}

int X509_notrust_set_bit_asc(X509 *x, char *str, int value)

int X509_reject_set_bit_asc(X509 *x, char *str, int value)

{

	int bitnum;

	bitnum = ASN1_BIT_STRING_num_asc(str, tbits);

	if(bitnum < 0) return 0;

	if(x) return X509_notrust_set_bit(x, bitnum, value);

	if(x) return X509_reject_set_bit(x, bitnum, value);

	return 1;

}

		BIO_printf(out, "%*sTrusted for:\n", indent, "");

		ASN1_BIT_STRING_name_print(out, aux->trust, tbits, indent + 2);

	} else BIO_printf(out, "%*sNo Trust Settings\n", indent + 2, "");

	if(aux->notrust) {

	if(aux->reject) {

		BIO_printf(out, "%*sUntrusted for:\n", indent, "");

		ASN1_BIT_STRING_name_print(out, aux->notrust, tbits, indent + 2);

		ASN1_BIT_STRING_name_print(out, aux->reject, tbits, indent + 2);

	} else BIO_printf(out, "%*sNo Untrusted Settings\n", indent + 2, "");

	if(aux->othertrust) {

		first = 1;

		}

		BIO_puts(out, "\n");

	}

	if(aux->othernotrust) {

	if(aux->otherreject) {

		first = 1;

		BIO_printf(out, "%*sOther Untrusted Uses:\n%*s",

						indent, "", indent + 2, "");

		for(i = 0; i < sk_ASN1_OBJECT_num(aux->othernotrust); i++) {

		for(i = 0; i < sk_ASN1_OBJECT_num(aux->otherreject); i++) {

			if(!first) BIO_puts(out, ", ");

			else first = 0;

			OBJ_obj2txt(oidstr, 80,

				sk_ASN1_OBJECT_value(aux->othernotrust, i), 0);

				sk_ASN1_OBJECT_value(aux->otherreject, i), 0);

			BIO_puts(out, oidstr);

		}

		BIO_puts(out, "\n");