/* * Create a CRL */ X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked, u32bit crl_number, u32bit next_update, RandomNumberGenerator& rng) const { const size_t X509_CRL_VERSION = 2; if(next_update == 0) next_update = timespec_to_u32bit("7d"); // Totally stupid: ties encoding logic to the return of std::time!! auto current_time = std::chrono::system_clock::now(); auto expire_time = current_time + std::chrono::seconds(next_update); Extensions extensions; extensions.add( new Cert_Extension::Authority_Key_ID(m_cert.subject_key_id())); extensions.add(new Cert_Extension::CRL_Number(crl_number)); // clang-format off const std::vector<byte> crl = X509_Object::make_signed( m_signer, rng, m_ca_sig_algo, DER_Encoder().start_cons(SEQUENCE) .encode(X509_CRL_VERSION-1) .encode(m_ca_sig_algo) .encode(m_cert.issuer_dn()) .encode(X509_Time(current_time)) .encode(X509_Time(expire_time)) .encode_if(revoked.size() > 0, DER_Encoder() .start_cons(SEQUENCE) .encode_list(revoked) .end_cons() ) .start_explicit(0) .start_cons(SEQUENCE) .encode(extensions) .end_cons() .end_explicit() .end_cons() .get_contents()); // clang-format on return X509_CRL(crl); }
std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const { auto stmt = m_database->new_statement( "SELECT certificate,reason,time FROM " + m_prefix + "revoked " "JOIN " + m_prefix + "certificates ON " + m_prefix + "certificates.fingerprint == " + m_prefix + "revoked.fingerprint"); std::map<X509_DN,std::vector<CRL_Entry>> crls; while(stmt->step()) { auto blob = stmt->get_blob(0); auto cert = X509_Certificate( std::vector<uint8_t>(blob.first,blob.first + blob.second)); auto code = static_cast<CRL_Code>(stmt->get_size_t(1)); auto ent = CRL_Entry(cert,code); auto i = crls.find(cert.issuer_dn()); if(i == crls.end()) { crls.insert(std::make_pair(cert.issuer_dn(),std::vector<CRL_Entry>({ent}))); } else { i->second.push_back(ent); } } std::vector<X509_CRL> ret; X509_Time t(std::chrono::system_clock::now()); for(auto p: crls) { ret.push_back(X509_CRL(p.first,t,t,p.second)); } return ret; }