/*
* Create a CRL
*/
X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
u32bit crl_number, u32bit next_update,
RandomNumberGenerator& rng) const
{
const size_t X509_CRL_VERSION = 2;
if(next_update == 0)
next_update = timespec_to_u32bit("7d");
// Totally stupid: ties encoding logic to the return of std::time!!
auto current_time = std::chrono::system_clock::now();
auto expire_time = current_time + std::chrono::seconds(next_update);
Extensions extensions;
extensions.add(
new Cert_Extension::Authority_Key_ID(m_cert.subject_key_id()));
extensions.add(new Cert_Extension::CRL_Number(crl_number));
// clang-format off
const std::vector<byte> crl = X509_Object::make_signed(
m_signer, rng, m_ca_sig_algo,
DER_Encoder().start_cons(SEQUENCE)
.encode(X509_CRL_VERSION-1)
.encode(m_ca_sig_algo)
.encode(m_cert.issuer_dn())
.encode(X509_Time(current_time))
.encode(X509_Time(expire_time))
.encode_if(revoked.size() > 0,
DER_Encoder()
.start_cons(SEQUENCE)
.encode_list(revoked)
.end_cons()
)
.start_explicit(0)
.start_cons(SEQUENCE)
.encode(extensions)
.end_cons()
.end_explicit()
.end_cons()
.get_contents());
// clang-format on
return X509_CRL(crl);
}
std::vector<X509_CRL> Certificate_Store_In_SQL::generate_crls() const
{
auto stmt = m_database->new_statement(
"SELECT certificate,reason,time FROM " + m_prefix + "revoked "
"JOIN " + m_prefix + "certificates ON " +
m_prefix + "certificates.fingerprint == " + m_prefix + "revoked.fingerprint");
std::map<X509_DN,std::vector<CRL_Entry>> crls;
while(stmt->step())
{
auto blob = stmt->get_blob(0);
auto cert = X509_Certificate(
std::vector<uint8_t>(blob.first,blob.first + blob.second));
auto code = static_cast<CRL_Code>(stmt->get_size_t(1));
auto ent = CRL_Entry(cert,code);
auto i = crls.find(cert.issuer_dn());
if(i == crls.end())
{
crls.insert(std::make_pair(cert.issuer_dn(),std::vector<CRL_Entry>({ent})));
}
else
{
i->second.push_back(ent);
}
}
std::vector<X509_CRL> ret;
X509_Time t(std::chrono::system_clock::now());
for(auto p: crls)
{
ret.push_back(X509_CRL(p.first,t,t,p.second));
}
return ret;
}
