void pki_crl::sign(pki_key *key, const EVP_MD *md) { EVP_PKEY *pkey; if (!key || key->isPubKey()) return; X509_CRL_sort(crl); pkey = key->decryptKey(); X509_CRL_sign(crl, pkey, md); EVP_PKEY_free(pkey); pki_openssl_error(); }
DWORD VMCACrlSign( X509_CRL *pCrl, PVMCA_X509_CA pCA ) { DWORD dwError = 0; dwError = X509_CRL_sign(pCrl, pCA->pKey, EVP_sha256()); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SIGN_FAIL); error : return dwError; }
static VALUE ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest) { X509_CRL *crl; EVP_PKEY *pkey; const EVP_MD *md; GetX509CRL(self, crl); pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */ md = GetDigestPtr(digest); if (!X509_CRL_sign(crl, pkey, md)) { ossl_raise(eX509CRLError, NULL); } return self; }
void openssl_x509_crl() { RSA *r; BIO *bp; int len; FILE *fp; BIGNUM *bne; X509_CRL *crl; EVP_PKEY *pkey; X509_NAME *issuer; ASN1_INTEGER *serial; X509_REVOKED *revoked; ASN1_TIME *lastUpdate, *nextUpdate, *rvTime; unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert"; printf("\nX509_CRL info:\n"); bne = BN_new(); BN_set_word(bne, RSA_3); r = RSA_new(); RSA_generate_key_ex(r, MAX1_LEN, bne, NULL); pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, r); crl = X509_CRL_new(); X509_CRL_set_version(crl, 3); issuer = X509_NAME_new(); X509_NAME_add_entry_by_NID(issuer, NID_commonName, V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0); X509_CRL_set_issuer_name(crl, issuer); lastUpdate = ASN1_TIME_new(); ASN1_TIME_set(lastUpdate, time(NULL)); X509_CRL_set_lastUpdate(crl, lastUpdate); nextUpdate = ASN1_TIME_new(); ASN1_TIME_set(nextUpdate, time(NULL) + 1280); X509_CRL_set_nextUpdate(crl, nextUpdate); revoked = X509_REVOKED_new(); serial = ASN1_INTEGER_new(); ASN1_INTEGER_set(serial, 1280); X509_REVOKED_set_serialNumber(revoked, serial); rvTime = ASN1_TIME_new(); ASN1_TIME_set(rvTime, time(NULL) + 2000); X509_CRL_set_nextUpdate(crl, rvTime); X509_REVOKED_set_revocationDate(revoked, rvTime); X509_CRL_add0_revoked(crl, revoked); X509_CRL_sort(crl); X509_CRL_sign(crl, pkey, EVP_md5()); bp = BIO_new(BIO_s_file()); BIO_set_fp(bp, stdout, BIO_NOCLOSE); X509_CRL_print(bp, crl); len = i2d_X509_CRL(crl, NULL); buf = (unsigned char *)malloc(len + 10); p = buf; len = i2d_X509_CRL(crl, &p); fp = fopen("/tmp/crl.crl", "wb"); fwrite(buf, 1, len, fp); fclose(fp); free(buf); BIO_free(bp); X509_CRL_free(crl); }
static LUA_FUNCTION(openssl_crl_new) { int i; int n = lua_gettop(L); X509_CRL * crl = X509_CRL_new(); int ret = X509_CRL_set_version(crl, 0); X509* cacert = NULL; EVP_PKEY* capkey = NULL; const EVP_MD* md = NULL; int step; for (i = 1; ret == 1 && i <= n; i++) { if (i == 1) { luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}"); if (lua_rawlen(L, i) > 0) { int j, m; m = lua_rawlen(L, i); for (j = 1; ret == 1 && j <= m; j++) { X509_REVOKED *revoked; BIGNUM* sn; lua_rawgeti(L, i, j); luaL_checktable(L, -1); lua_getfield(L, -1, "reason"); lua_getfield(L, -2, "time"); lua_getfield(L, -3, "sn"); sn = BN_get(L, -1); revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3)); if (revoked) { ret = X509_CRL_add0_revoked(crl, revoked); } BN_free(sn); lua_pop(L, 3); lua_pop(L, 1); }; } }; if (i == 2) { cacert = CHECK_OBJECT(2, X509, "openssl.x509"); ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert)); } if (i == 3) { capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key"); luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2"); } } md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4); step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5); if (ret == 1) { time_t lastUpdate; time_t nextUpdate; ASN1_TIME *ltm, *ntm; time(&lastUpdate); nextUpdate = lastUpdate + step; ltm = ASN1_TIME_new(); ntm = ASN1_TIME_new(); ASN1_TIME_set(ltm, lastUpdate); ASN1_TIME_set(ntm, nextUpdate); ret = X509_CRL_set_lastUpdate(crl, ltm); if (ret == 1) ret = X509_CRL_set_nextUpdate(crl, ntm); ASN1_TIME_free(ltm); ASN1_TIME_free(ntm); } if (cacert && capkey && md) { ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey)); } if (ret == 1) { PUSH_OBJECT(crl, "openssl.x509_crl"); } else { X509_CRL_free(crl); return openssl_pushresult(L, ret); }; return 1; }
int addToCRL(char* pemSigningKey, char* pemOldCrl, char* pemRevokedCert, char* result) { int err = 0; BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1); if (!bioSigningKey) { return ERR_peek_error(); } BIO* bioRevCert = BIO_new_mem_buf(pemRevokedCert, -1); if (!bioRevCert) { BIO_free(bioSigningKey); return ERR_peek_error(); } BIO* bioOldCRL = BIO_new_mem_buf(pemOldCrl, -1); if (!bioOldCRL) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509* badCert = PEM_read_bio_X509(bioRevCert, NULL, NULL, NULL); if (!badCert) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return -18; } X509_CRL* crl = PEM_read_bio_X509_CRL(bioOldCRL, NULL, NULL, NULL); if (!crl) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509_REVOKED* revoked = X509_REVOKED_new(); X509_REVOKED_set_serialNumber(revoked, X509_get_serialNumber(badCert)); ASN1_TIME* tmptm = ASN1_TIME_new(); X509_gmtime_adj(tmptm, long(0)); X509_REVOKED_set_revocationDate(revoked, tmptm); //set the reason? Not yet. // ASN1_ENUMERATED* rtmp = ASN1_ENUMERATED_new(); // ASN1_ENUMERATED_set(rtmp, reasonCode); // goto err; // if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) // goto err; // } if(!(err = X509_CRL_add0_revoked(crl,revoked))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } X509_CRL_sort(crl); if(!(err=X509_CRL_sign(crl,caKey,EVP_sha1()))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509_CRL(mem,crl); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(bioRevCert); BIO_free(bioSigningKey); BIO_free(bioOldCRL); BIO_free(mem); return 0; }
int createEmptyCRL(char* pemSigningKey, char* pemCaCert, int crldays, int crlhours, char* result) { int err = 0; //convert to BIOs and then keys and x509 structures BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1); if (!bioCert) { BIO_free(bioCert); return ERR_peek_error(); } BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1); if (!bioSigningKey) { BIO_free(bioCert); BIO_free(bioSigningKey); return ERR_peek_error(); } X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL); if (!caCert) { BIO_free(bioCert); BIO_free(bioSigningKey); return ERR_peek_error(); } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioCert); BIO_free(bioSigningKey); return ERR_peek_error(); } X509_CRL* crl = X509_CRL_new(); X509_CRL_set_issuer_name(crl, X509_get_subject_name(caCert)); //set update times (probably not essential, but why not. ASN1_TIME* tmptm = ASN1_TIME_new(); X509_gmtime_adj(tmptm, long(0)); X509_CRL_set_lastUpdate(crl, tmptm); X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60); X509_CRL_set_nextUpdate(crl, tmptm); ASN1_TIME_free(tmptm); X509_CRL_sort(crl); //extensions would go here. if (!(err = X509_CRL_sign(crl,caKey,EVP_sha1()))) { BIO_free(bioCert); BIO_free(bioSigningKey); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509_CRL(mem,crl); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(bioCert); BIO_free(bioSigningKey); BIO_free(mem); return 0; }
/* * Revoke one certificate at a time * No check performed to see if certificate already revoked. */ void revoke_cert(char * ca_name, char * name) { char filename[FIELD_SZ+5]; FILE * f ; X509_CRL * crl ; X509 * cert ; ASN1_INTEGER * r_serial ; ASN1_INTEGER * crlnum ; X509_REVOKED * rev ; ASN1_TIME * tm ; identity ca ; BIO * out ; BIGNUM * b_crlnum ; /* Find requested certificate by name */ sprintf(filename, "%s.crt", name); if ((f=fopen(filename, "r"))==NULL) { fprintf(stderr, "Cannot find: %s\n", filename); return ; } cert = PEM_read_X509(f, NULL, NULL, NULL); fclose(f); /* Get certificate serial number */ r_serial = X509_get_serialNumber(cert); /* Find out if if was already revoked */ /* Make a revoked object with that serial */ rev = X509_REVOKED_new(); X509_REVOKED_set_serialNumber(rev, r_serial); X509_free(cert); /* Set reason to unspecified */ rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED); /* Load or create new CRL */ if ((crl = load_crl(ca_name))==NULL) { crl = X509_CRL_new(); X509_CRL_set_version(crl, 1); /* Set CRL number */ crlnum = ASN1_INTEGER_new(); ASN1_INTEGER_set(crlnum, 1); X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0); ASN1_INTEGER_free(crlnum); } else { crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0); b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL); BN_add_word(b_crlnum, 1); BN_to_ASN1_INTEGER(b_crlnum, crlnum); BN_free(b_crlnum); X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING); ASN1_INTEGER_free(crlnum); } /* What time is it? */ tm = ASN1_TIME_new(); X509_gmtime_adj(tm, 0); X509_REVOKED_set_revocationDate(rev, tm); X509_CRL_set_lastUpdate(crl, tm); /* Set CRL next update to a year from now */ X509_gmtime_adj(tm, 365*24*60*60); X509_CRL_set_nextUpdate(crl, tm); ASN1_TIME_free(tm); /* Add revoked to CRL */ X509_CRL_add0_revoked(crl, rev); X509_CRL_sort(crl); /* Load root key to sign CRL */ if (load_ca(ca_name, &ca)!=0) { fprintf(stderr, "Cannot find CA key/crt\n"); return ; } X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert)); X509_free(ca.cert); /* Sign CRL */ X509_CRL_sign(crl, ca.key, EVP_sha256()); EVP_PKEY_free(ca.key); /* Dump CRL */ sprintf(filename, "%s.crl", ca_name); if ((f = fopen(filename, "wb"))==NULL) { fprintf(stderr, "Cannot write %s: aborting\n", filename); X509_CRL_free(crl); return ; } out = BIO_new(BIO_s_file()); BIO_set_fp(out, f, BIO_NOCLOSE); PEM_write_bio_X509_CRL(out, crl); BIO_free_all(out); fclose(f); X509_CRL_free(crl); return ; }