authorDr. Stephen Henson <steve@openssl.org>1999-11-27 01:14:04 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-11-27 01:14:04 +0000
commit9868232ae1c0aaac34e0f96643031d68a5e417d3 (patch)
treeda774d784d8d50dd263846e1a6cabf49fe842918 /apps
parentd4cec6a13dfb2c1d1ddf66dff499aaf21bbbf002 (diff)
downloadopenssl-9868232ae1c0aaac34e0f96643031d68a5e417d3.tar.gz
Initial trust code: allow setting of trust checking functions
in a table. Doesn't do too much yet. Make the -<digestname> options in 'x509' affect all relevant options. Change the name of the 'notrust' options to 'reject' as this causes less confusion and is a better description of the effect. A few constification changes.
Diffstat (limited to 'apps')
-rw-r--r--apps/x509.c48
1 files changed, 26 insertions, 22 deletions
diff --git a/apps/x509.c b/apps/x509.c
index 6469761f9e..86896088fb 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -107,9 +107,9 @@ static char *x509_usage[]={
" -noout - no certificate output\n",
" -trustout - output a \"trusted\" certificate\n",
" -clrtrust - clear all trusted purposes\n",
-" -clrnotrust - clear all untrusted purposes\n",
-" -addtrust arg - mark certificate as trusted for a given purpose\n",
-" -addnotrust arg - mark certificate as not trusted for a given purpose\n",
+" -clrreject - clear all rejected purposes\n",
+" -addtrust arg - trust certificate for a given purpose\n",
+" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
" -signkey arg - self sign cert with arg\n",
@@ -122,7 +122,7 @@ static char *x509_usage[]={
" -CAserial - serial file\n",
" -text - print the certificate in text form\n",
" -C - print out C code forms\n",
-" -md2/-md5/-sha1/-mdc2 - digest to do an RSA sign with\n",
+" -md2/-md5/-sha1/-mdc2 - digest to use\n",
" -extfile - configuration file with X509V3 extensions to add\n",
" -extensions - section from config file with X509V3 extensions to add\n",
NULL
@@ -148,14 +148,14 @@ int MAIN(int argc, char **argv)
int i,num,badops=0;
BIO *out=NULL;
BIO *STDout=NULL;
- STACK *trust = NULL, *notrust = NULL;
+ STACK *trust = NULL, *reject = NULL;
int informat,outformat,keyformat,CAformat,CAkeyformat;
char *infile=NULL,*outfile=NULL,*keyfile=NULL,*CAfile=NULL;
char *CAkeyfile=NULL,*CAserial=NULL;
char *alias=NULL, *trstr=NULL;
int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
- int trustout=0,clrtrust=0,clrnotrust=0,aliasout=0;
+ int trustout=0,clrtrust=0,clrreject=0,aliasout=0;
int C=0;
int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
int pprint = 0;
@@ -289,17 +289,17 @@ int MAIN(int argc, char **argv)
sk_push(trust, trstr);
trustout = 1;
}
- else if (strcmp(*argv,"-addnotrust") == 0)
+ else if (strcmp(*argv,"-addreject") == 0)
{
if (--argc < 1) goto bad;
trstr= *(++argv);
- if(!X509_notrust_set_bit_asc(NULL, trstr, 0)) {
+ if(!X509_reject_set_bit_asc(NULL, trstr, 0)) {
BIO_printf(bio_err,
"Unknown trust value %s\n", trstr);
goto bad;
}
- if(!notrust) notrust = sk_new_null();
- sk_push(notrust, trstr);
+ if(!reject) reject = sk_new_null();
+ sk_push(reject, trstr);
trustout = 1;
}
else if (strcmp(*argv,"-setalias") == 0)
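Review bot: The new -addreject branch never checks `sk_new_null()` or `sk_push()`; on allocation failure the purpose is dropped and the certificate is still written out, but without the reject marking the user asked for, with no diagnostic. I would write `if(!reject && !(reject = sk_new_null())) goto end;` and `if(!sk_push(reject, trstr)) goto end;` (or at least report the failure on bio_err), and the -addtrust branch just above the hunk appears to have the same pattern. Whether `sk_push` tolerates a NULL stack depends on stack.c, which is not in view, so I am hedging on the exact failure mode. The enclosing MAIN() begins and ends outside this hunk.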
@@ -351,13 +351,13 @@ int MAIN(int argc, char **argv)
trustout= 1;
else if (strcmp(*argv,"-clrtrust") == 0)
clrtrust= ++num;
- else if (strcmp(*argv,"-clrnotrust") == 0)
- clrnotrust= ++num;
+ else if (strcmp(*argv,"-clrreject") == 0)
+ clrreject= ++num;
else if (strcmp(*argv,"-alias") == 0)
aliasout= ++num;
else if (strcmp(*argv,"-CAcreateserial") == 0)
CA_createserial= ++num;
- else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
@@ -551,7 +551,7 @@ bad:
if(alias) X509_alias_set(x, (unsigned char *)alias, -1);
if(clrtrust) X509_trust_set_bit(x, -1, 0);
- if(clrnotrust) X509_notrust_set_bit(x, -1, 0);
+ if(clrreject) X509_reject_set_bit(x, -1, 0);
if(trust) {
for(i = 0; i < sk_num(trust); i++) {
@@ -561,12 +561,12 @@ bad:
sk_free(trust);
}
- if(notrust) {
- for(i = 0; i < sk_num(notrust); i++) {
- trstr = sk_value(notrust, i);
- X509_notrust_set_bit_asc(x, trstr, 1);
+ if(reject) {
+ for(i = 0; i < sk_num(reject); i++) {
+ trstr = sk_value(reject, i);
+ X509_reject_set_bit_asc(x, trstr, 1);
}
- sk_free(notrust);
+ sk_free(reject);
}
if (num)
@@ -732,12 +732,13 @@ bad:
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
- if (!X509_digest(x,EVP_md5(),md,&n))
+ if (!X509_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
- BIO_printf(STDout,"MD5 Fingerprint=");
+ BIO_printf(STDout,"%s Fingerprint=",
+ OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
BIO_printf(STDout,"%02X%c",md[j],
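Review bot: With the fingerprint digest now user-selectable, the fixed "out of memory" message for a failed `X509_digest()` is a guess at the cause rather than a report of it; as far as the visible code shows, `X509_digest` only returns success or failure, so a neutral message such as `BIO_printf(bio_err,"unable to compute %s fingerprint\n", OBJ_nid2sn(EVP_MD_type(digest)));` would be more honest. The `%s` on the new label line also assumes `OBJ_nid2sn()` never returns NULL for the digest's NID; that holds for the built-in digests the usage lists, but I would add a comment stating the assumption, e.g. `/* digest comes from EVP_get_digestbyname(), so its NID has a registered short name */`. I cannot see where `digest` gets its default value, so I am assuming it is initialised before the -<digestname> loop.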
@@ -801,7 +802,10 @@ bad:
BIO_printf(bio_err,"Generating certificate request\n");
- rq=X509_to_X509_REQ(x,pk,EVP_md5());
+ if (pk->type == EVP_PKEY_DSA)
+ digest=EVP_dss1();
+
+ rq=X509_to_X509_REQ(x,pk,digest);
EVP_PKEY_free(pk);
if (rq == NULL)
{
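Review bot: The new DSA branch silently replaces whatever `-<digestname>` the user chose with `EVP_dss1()` for the request, while the usage text a few hunks up now advertises the option as "digest to use"; at minimum this deserves a comment on the `if (pk->type == EVP_PKEY_DSA)` line, e.g. `/* DSA requests can only be signed with dss1 (SHA1); any -<digest> choice is overridden here */`, and ideally a one-line warning on bio_err when `digest` was set explicitly. The same override presumably matters for the -signkey and CA signing paths, which are outside this hunk, so it may be worth hoisting it to a single place after option parsing rather than duplicating it per path. `pk` is dereferenced without a visible NULL check; I assume the load above the hunk already bails out on failure. The enclosing block continues outside this hunk.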