Example #1
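/**
 * Builds an X509_REVOKED CRL entry from a serial number, a revocation date
 * and a CRL reason code.
 *
 * @param asnSerial        Serial number of the revoked certificate. It is
 *                         copied into the entry; the caller keeps ownership.
 * @param dwRevokedDate    Revocation time in seconds since the Unix epoch
 *                         (as a DWORD, so only epoch values that fit a DWORD
 *                         can be expressed).
 * @param certRevokeReason CRLReason value written to the reasonCode
 *                         extension (NID_crl_reason).
 * @param pRevoked         Must not be NULL. Receives the new entry on success;
 *                         the caller owns it and releases it with
 *                         X509_REVOKED_free. Left untouched on error.
 * @return 0 on success, otherwise a VMCA error code.
 */
DWORD
VMCACreateRevokedFromCert_Reason(
    ASN1_INTEGER *asnSerial,
    DWORD dwRevokedDate,
    VMCA_CRL_REASON certRevokeReason,
    X509_REVOKED **pRevoked)
{
    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;

    pCode = ASN1_ENUMERATED_new();
    if (pCode == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    // ASN1_TIME_set returns NULL when the time cannot be encoded. Left
    // unchecked, an empty ASN1_TIME would be copied into the entry's
    // revocationDate and the CRL entry would carry a bogus date.
    if (ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate) == NULL) {
        dwError = VMCA_CRL_SET_TIME_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    // The X509_REVOKED_set_* calls copy their argument (1 = success);
    // the locals are released in cleanup on both paths.
    dwError = X509_REVOKED_set_serialNumber(pTempRev, asnSerial);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    // ASN1_ENUMERATED_set returns 0 on failure; previously this was ignored
    // and an unset reason could have been written into the extension.
    if (!ASN1_ENUMERATED_set(pCode, certRevokeReason)) {
        dwError = VMCA_CRL_REASON_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    // add1: the extension value is copied, pCode stays ours to free
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);

    // Ownership of pTempRev passes to the caller; cleanup does not free it.
    *pRevoked = pTempRev;

cleanup:
    if (pRevTime != NULL) {
        ASN1_TIME_free(pRevTime);
    }
    if (pCode != NULL) {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    // Only the not-yet-handed-over entry is dropped here
    if (pTempRev != NULL) {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}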
Example #2
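/**
 * Builds an X509_REVOKED CRL entry for a certificate, revoked as of "now"
 * with reason CRL_REASON_UNSPECIFIED.
 *
 * @param pCert    Certificate being revoked. Must not be NULL: its serial
 *                 number is read with X509_get_serialNumber and copied into
 *                 the entry. The caller keeps ownership of pCert.
 * @param pRevoked Must not be NULL. Receives the new entry on success; the
 *                 caller owns it and releases it with X509_REVOKED_free.
 *                 Left untouched on error.
 * @return 0 on success, otherwise a VMCA error code.
 */
DWORD
VMCACreateRevokedFromCert(
    X509 *pCert,
    X509_REVOKED **pRevoked)
{
    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;
    time_t now = 0;

    pCode = ASN1_ENUMERATED_new();
    if (pCode == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    // time() reports failure as (time_t)-1 and ASN1_TIME_set returns NULL
    // when the time cannot be encoded; either would otherwise put a bogus
    // revocationDate into the CRL entry unnoticed.
    now = time(NULL);
    if (now == (time_t)-1 || ASN1_TIME_set(pRevTime, now) == NULL) {
        dwError = VMCA_CRL_SET_TIME_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    // The X509_REVOKED_set_* calls copy their argument (1 = success);
    // the locals are released in cleanup on both paths.
    dwError = X509_REVOKED_set_serialNumber(pTempRev,
                                            X509_get_serialNumber(pCert));
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    //TODO : Fix the UNSPECIFIED to real valid reason
    // which users can pass in.
    // ASN1_ENUMERATED_set returns 0 on failure; previously ignored.
    if (!ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED)) {
        dwError = VMCA_CRL_REASON_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    // add1: the extension value is copied, pCode stays ours to free
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);

    // Ownership of pTempRev passes to the caller; cleanup does not free it.
    *pRevoked = pTempRev;

cleanup:
    if (pRevTime != NULL) {
        ASN1_TIME_free(pRevTime);
    }
    if (pCode != NULL) {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    // Only the not-yet-handed-over entry is dropped here
    if (pTempRev != NULL) {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}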
Example #3
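// Adds the holdInstructionCode extension named by `instruction` to a
// certificateHold entry, plus the invalidityDate extension when the caller
// supplied a revocation date. Returns 1 on success, 0 on failure (the
// failure is already logged via PKI_ERROR).
// Ownership of the object returned by PKI_OID_get is not established here
// (the original code did not release it either) -- TODO confirm whether it
// must be freed.
static int crl_entry_add_hold_instruction(PKI_X509_CRL_ENTRY *entry,
                                          const char *instruction,
                                          const PKI_TIME *revDate) {

  if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
                                 PKI_OID_get(instruction), 0, 0)) {
    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add %s", instruction);
    return 0;
  }

  // NOTE(review): RFC 5280 defines invalidityDate as a GeneralizedTime; the
  // caller's PKI_TIME is passed through unchanged, as before -- confirm the
  // caller never supplies a UTCTime here.
  if (revDate && !X509_REVOKED_add1_ext_i2d(entry, NID_invalidity_date,
                                            (PKI_TIME *)revDate, 0, 0)) {
    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date");
    return 0;
  }

  return 1;
}

/**
 * Builds a CRL entry (an X509_REVOKED) for the certificate with the given
 * serial number.
 *
 * @param serial   Serial number as text (converted with PKI_INTEGER_new_char);
 *                 must not be NULL.
 * @param reason   Revocation reason. PKI_CRL_REASON_UNSPECIFIED adds no
 *                 reasonCode extension. The hold-instruction reasons (and
 *                 plain PKI_CRL_REASON_CERTIFICATE_HOLD, which is treated as
 *                 holdInstructionReject) produce a certificateHold entry that
 *                 also carries a holdInstructionCode extension. Every other
 *                 RFC 5280 reason is encoded as the matching CRLReason value.
 *                 holdInstructionNone was deprecated by RFC 5280 and is not
 *                 emitted.
 * @param revDate  Revocation date, or NULL to use the current time. The
 *                 entry keeps its own copy; the caller's object is not freed.
 * @param profile  Currently unused.
 * @return         A new entry owned by the caller (free with
 *                 X509_REVOKED_free), or NULL on error -- including an
 *                 unknown reason, which is no longer silently dropped.
 */
PKI_X509_CRL_ENTRY * PKI_X509_CRL_ENTRY_new_serial( const char *serial, 
          PKI_X509_CRL_REASON reason, const PKI_TIME *revDate,
          const PKI_X509_PROFILE *profile ) {

  PKI_X509_CRL_ENTRY *entry = NULL;   // Entry to be added to the CRL
  PKI_INTEGER *s_int = NULL;          // Serial number as ASN1 INTEGER
  PKI_TIME *a_date = NULL;            // Revocation date actually used
  ASN1_ENUMERATED *rtmp = NULL;       // reasonCode extension value
  int crl_reason = -1;                // CRLReason to encode; -1 = none

  (void)profile;   // not consulted yet; kept for interface compatibility

  // Input check
  if (!serial) {
    PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number");
    return NULL;
  }

  // Allocates the Memory for the entry
  if ((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
    return NULL;
  }

  // Revocation date: the caller's, or "now" when none was given. The
  // previous if/else overwrote the freshly allocated "now" with the NULL
  // revDate, leaking it and leaving the entry without a revocationDate.
  if (revDate) {
    a_date = (PKI_TIME *)revDate;
  } else if ((a_date = PKI_TIME_new(0)) == NULL) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
    goto err;
  }

  // Generates the integer carrying the serial number
  if ((s_int = PKI_INTEGER_new_char(serial)) == NULL) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial);
    goto err;
  }

  // The set_* calls copy their argument, so s_int / a_date remain ours
  if (X509_REVOKED_set_serialNumber(entry, s_int) != 1) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial);
    goto err;
  }

  if (!X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) {
    PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date");
    goto err;
  }

  // Maps the requested reason onto the RFC 5280 CRLReason value to encode.
  // The OpenSSL CRL_REASON_* constants are used so the encoding does not
  // depend on the numeric layout of PKI_X509_CRL_REASON.
  switch (reason) {
    case PKI_CRL_REASON_UNSPECIFIED:
      break;   // no reasonCode extension

    case PKI_CRL_REASON_CERTIFICATE_HOLD:
    case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT:
      if (!crl_entry_add_hold_instruction(entry, "holdInstructionReject", revDate)) {
        goto err;
      }
      crl_reason = CRL_REASON_CERTIFICATE_HOLD;
      break;

    case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER:
      if (!crl_entry_add_hold_instruction(entry, "holdInstructionCallIssuer", revDate)) {
        goto err;
      }
      crl_reason = CRL_REASON_CERTIFICATE_HOLD;
      break;

    // These were logged as "not implemented" while an entry without any
    // reason was still returned, so e.g. a keyCompromise revocation lost
    // the information relying parties act on.
    case PKI_CRL_REASON_KEY_COMPROMISE:
      crl_reason = CRL_REASON_KEY_COMPROMISE;
      break;
    case PKI_CRL_REASON_CA_COMPROMISE:
      crl_reason = CRL_REASON_CA_COMPROMISE;
      break;
    case PKI_CRL_REASON_AFFILIATION_CHANGED:
      crl_reason = CRL_REASON_AFFILIATION_CHANGED;
      break;
    case PKI_CRL_REASON_SUPERSEDED:
      crl_reason = CRL_REASON_SUPERSEDED;
      break;
    case PKI_CRL_REASON_CESSATION_OF_OPERATION:
      crl_reason = CRL_REASON_CESSATION_OF_OPERATION;
      break;
    case PKI_CRL_REASON_REMOVE_FROM_CRL:
      crl_reason = CRL_REASON_REMOVE_FROM_CRL;
      break;
    case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN:
      crl_reason = CRL_REASON_PRIVILEGE_WITHDRAWN;
      break;
    case PKI_CRL_REASON_AA_COMPROMISE:
      crl_reason = CRL_REASON_AA_COMPROMISE;
      break;

    default:
      // An unknown reason must not silently produce an entry without one
      PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason);
      goto err;
  }

  if (crl_reason >= 0) {

    // Previously allocated unconditionally, never NULL-checked and never
    // freed; add1 copies the value so it is released below.
    if ((rtmp = ASN1_ENUMERATED_new()) == NULL) {
      PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
      goto err;
    }

    if (!ASN1_ENUMERATED_set(rtmp, crl_reason) ||
        !X509_REVOKED_add1_ext_i2d(entry, NID_crl_reason, rtmp, 0, 0)) {
      PKI_ERROR(PKI_ERR_X509_CRL, "Can not add CRL reason %d", reason);
      goto err;
    }
  }

  // Free Allocated Memory (the entry holds its own copies)
  ASN1_ENUMERATED_free(rtmp);
  PKI_INTEGER_free(s_int);
  if (!revDate) PKI_TIME_free(a_date);

  // Returns the created entry
  return entry;

err:

  // Free Allocated memory; the locally allocated date is freed only when
  // it is not the caller's object
  ASN1_ENUMERATED_free(rtmp);
  if (s_int) PKI_INTEGER_free(s_int);
  if (a_date && !revDate) PKI_TIME_free(a_date);
  X509_REVOKED_free((X509_REVOKED *) entry);

  // Returns null (error)
  return NULL;
}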