static X509_REVOKED *create_revoked(const BIGNUM* bn, time_t t, int reason) { X509_REVOKED *revoked = X509_REVOKED_new(); ASN1_TIME *tm = ASN1_TIME_new(); ASN1_INTEGER *it = BN_to_ASN1_INTEGER(bn, NULL);; ASN1_TIME_set(tm, t); X509_REVOKED_set_revocationDate(revoked, tm); X509_REVOKED_set_serialNumber(revoked, it); { ASN1_ENUMERATED * e = ASN1_ENUMERATED_new(); X509_EXTENSION * ext = X509_EXTENSION_new(); ASN1_ENUMERATED_set(e, reason); X509_EXTENSION_set_data(ext, e); X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason)); X509_REVOKED_add_ext(revoked, ext, 0); X509_EXTENSION_free(ext); ASN1_ENUMERATED_free(e); } ASN1_TIME_free(tm); ASN1_INTEGER_free(it); return revoked; }
static X509_REVOKED *create_revoked(lua_State*L, const BIGNUM* bn, time_t t, int reason) { X509_REVOKED *revoked = X509_REVOKED_new(); ASN1_TIME *tm = ASN1_TIME_new(); ASN1_INTEGER *it = BN_to_ASN1_INTEGER((BIGNUM*)bn, NULL);; ASN1_TIME_set(tm, t); X509_REVOKED_set_revocationDate(revoked, tm); X509_REVOKED_set_serialNumber(revoked, it); #if OPENSSL_VERSION_NUMBER > 0x10000000L revoked->reason = reason; #else { ASN1_ENUMERATED * e = ASN1_ENUMERATED_new(); X509_EXTENSION * ext = X509_EXTENSION_new(); ASN1_ENUMERATED_set(e, reason); X509_EXTENSION_set_data(ext, e); X509_EXTENSION_set_object(ext, OBJ_nid2obj(NID_crl_reason)); X509_REVOKED_add_ext(revoked, ext, 0); X509_EXTENSION_free(ext); ASN1_ENUMERATED_free(e); } #endif ASN1_TIME_free(tm); ASN1_INTEGER_free(it); return revoked; }
ASN1_ENUMERATED * BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai) { ASN1_ENUMERATED *ret; int len, j; if (ai == NULL) ret = ASN1_ENUMERATED_new(); else ret = ai; if (ret == NULL) { ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED, ERR_R_NESTED_ASN1_ERROR); goto err; } if (BN_is_negative(bn)) ret->type = V_ASN1_NEG_ENUMERATED; else ret->type = V_ASN1_ENUMERATED; j = BN_num_bits(bn); len = ((j == 0) ? 0 : ((j / 8) + 1)); if (ret->length < len + 4) { unsigned char *new_data = realloc(ret->data, len + 4); if (!new_data) { ASN1err(ASN1_F_BN_TO_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE); goto err; } ret->data = new_data; } ret->length = BN_bn2bin(bn, ret->data); /* Correct zero case */ if (!ret->length) { ret->data[0] = 0; ret->length = 1; } return (ret); err: if (ret != ai) ASN1_ENUMERATED_free(ret); return (NULL); }
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd) { OCSP_SINGLERESP *single = NULL; OCSP_CERTSTATUS *cs; OCSP_REVOKEDINFO *ri; if(!rsp->tbsResponseData->responses && !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null())) goto err; if (!(single = OCSP_SINGLERESP_new())) goto err; if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate)) goto err; if (nextupd && !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate)) goto err; OCSP_CERTID_free(single->certId); if(!(single->certId = OCSP_CERTID_dup(cid))) goto err; cs = single->certStatus; switch(cs->type = status) { case V_OCSP_CERTSTATUS_REVOKED: if (!revtime) { OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME); goto err; } if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err; if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime)) goto err; if (reason != OCSP_REVOKED_STATUS_NOSTATUS) { if (!(ri->revocationReason = ASN1_ENUMERATED_new())) goto err; if (!(ASN1_ENUMERATED_set(ri->revocationReason, reason))) goto err; } break; case V_OCSP_CERTSTATUS_GOOD: cs->value.good = ASN1_NULL_new(); break; case V_OCSP_CERTSTATUS_UNKNOWN: cs->value.unknown = ASN1_NULL_new(); break; default: goto err; } if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single))) goto err; return single; err: OCSP_SINGLERESP_free(single); return NULL; }
DWORD VMCAAddCertToCRL_Reason( X509_CRL *pCrl, PWSTR pwszSerial, DWORD dwRevokedDate, VMCA_CRL_REASON certRevokeReason ) { DWORD dwError = 0; X509 *pCert = NULL; X509_REVOKED *pRevoked = NULL; ASN1_INTEGER *asnSerial = NULL; if (!pCrl || IsNullOrEmptyString (pwszSerial) ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } asnSerial = ASN1_ENUMERATED_new(); if(asnSerial == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } dwError = VMCAWIntegerToASN1Integer( pwszSerial, asnSerial ); BAIL_ON_ERROR (dwError); dwError = VMCACheckNotAlreadyRevoked_Serial( asnSerial, pCrl ); BAIL_ON_VMCA_ERROR (dwError); dwError = VMCACreateRevokedFromCert_Reason( asnSerial, dwRevokedDate, certRevokeReason, &pRevoked ); BAIL_ON_VMCA_ERROR (dwError); // Please Note : 0 functions in Open SSL means // when we free parent , children will be freed // Automatically. dwError = X509_CRL_add0_revoked(pCrl, pRevoked); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_ERROR); cleanup: if (pCert) { X509_free(pCert); } if (asnSerial) { ASN1_INTEGER_free (asnSerial); } return dwError; error : goto cleanup; }
DWORD VMCACreateRevokedFromCert( X509 *pCert, X509_REVOKED **pRevoked) { DWORD dwError = 0; X509_REVOKED *pTempRev = NULL; ASN1_TIME *pRevTime = NULL; ASN1_ENUMERATED *pCode = NULL; pCode = ASN1_ENUMERATED_new(); if(pCode == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } pTempRev = X509_REVOKED_new(); if (pTempRev == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } pRevTime = ASN1_TIME_new(); if (pRevTime == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } ASN1_TIME_set(pRevTime, time(NULL)); dwError = X509_REVOKED_set_serialNumber(pTempRev, X509_get_serialNumber(pCert)); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL); dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL); //TODO : Fix the UNSPECIFIED to real valid reason // which users can pass in. ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED); dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL); *pRevoked = pTempRev; cleanup : if(pRevTime != NULL) { ASN1_TIME_free(pRevTime); } if(pCode !=NULL) { ASN1_ENUMERATED_free(pCode); } return dwError; error: if(pTempRev != NULL) { X509_REVOKED_free(pTempRev); } goto cleanup; }
DWORD VMCACreateRevokedFromCert_Reason( ASN1_INTEGER *asnSerial, DWORD dwRevokedDate, VMCA_CRL_REASON certRevokeReason, X509_REVOKED **pRevoked) { DWORD dwError = 0; X509_REVOKED *pTempRev = NULL; ASN1_TIME *pRevTime = NULL; ASN1_ENUMERATED *pCode = NULL; pCode = ASN1_ENUMERATED_new(); if(pCode == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } pTempRev = X509_REVOKED_new(); if (pTempRev == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } pRevTime = ASN1_TIME_new(); if (pRevTime == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate); dwError = X509_REVOKED_set_serialNumber(pTempRev, asnSerial); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL); dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL); ASN1_ENUMERATED_set(pCode, certRevokeReason); dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL); *pRevoked = pTempRev; cleanup : if(pRevTime != NULL) { ASN1_TIME_free(pRevTime); } if(pCode !=NULL) { ASN1_ENUMERATED_free(pCode); } return dwError; error: if(pTempRev != NULL) { X509_REVOKED_free(pTempRev); } goto cleanup; }
PKI_X509_CRL_ENTRY * PKI_X509_CRL_ENTRY_new_serial( const char *serial, PKI_X509_CRL_REASON reason, const PKI_TIME *revDate, const PKI_X509_PROFILE *profile ) { PKI_X509_CRL_ENTRY *entry = NULL; // Entry to be added to the CRL PKI_INTEGER * s_int = NULL; // ASN1 Integer PKI_TIME * a_date = NULL; // ASN1 Rev Date // Input check if (!serial) { PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number"); return NULL; } // Allocates the Memory for the entry if((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return NULL; } // If no revocation date is provided, let's use "now" if (!revDate && (a_date = PKI_TIME_new(0)) == NULL) { // Can not allocate the revocation date time PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return NULL; } else { // Gets the Pointer from the caller a_date = (PKI_TIME *)revDate; } // Generates the integer carrying the serial number if ((s_int = PKI_INTEGER_new_char(serial)) != NULL) { // Sets the serial number in the X509_REVOKED structure if (X509_REVOKED_set_serialNumber(entry, s_int) == 1) { // Sets the revocation date if (a_date && !X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) { PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date"); goto err; } // All Ok here } else { // Error While assigning the serial PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial); goto err; } } else { // Error generating the ASN1 Integer PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial); goto err; } if (reason != PKI_CRL_REASON_UNSPECIFIED) { int supported_reason = -1; ASN1_ENUMERATED *rtmp = ASN1_ENUMERATED_new(); switch (reason ) { case PKI_CRL_REASON_CERTIFICATE_HOLD: case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT: if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, PKI_OID_get("holdInstructionReject"), 0, 0)) { PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionReject"); goto err; } if (revDate && !X509_REVOKED_add1_ext_i2d(entry, NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) { PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date"); goto err; } supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; /* --- Deprecated in RFC 5280 --- case PKI_CRL_REASON_HOLD_INSTRUCTION_NONE: if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, PKI_OID_get( "holdInstructionReject"), 0, 0)) { goto err; }; if( revDate && !X509_REVOKED_add1_ext_i2d ( entry, NID_invalidity_date, revDate, 0, 0)) { goto err; }; reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; */ case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER: if (!X509_REVOKED_add1_ext_i2d( entry, NID_hold_instruction_code, PKI_OID_get( "holdInstructionCallIssuer"), 0, 0)) { goto err; } if( revDate && !X509_REVOKED_add1_ext_i2d( entry, NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) { goto err; } supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; case PKI_CRL_REASON_KEY_COMPROMISE: case PKI_CRL_REASON_CA_COMPROMISE: case PKI_CRL_REASON_AFFILIATION_CHANGED: case PKI_CRL_REASON_SUPERSEDED: case PKI_CRL_REASON_CESSATION_OF_OPERATION: case PKI_CRL_REASON_REMOVE_FROM_CRL: case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN: case PKI_CRL_REASON_AA_COMPROMISE: PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Not Implemented Yet %d", reason); break; default: PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason); supported_reason = -1; break; } if (supported_reason >= 0) { if (!ASN1_ENUMERATED_set(rtmp, supported_reason)) goto err; if (!X509_REVOKED_add1_ext_i2d( entry, NID_crl_reason, rtmp, 0, 0)) goto err; } /* if( reason == CRL_REASON_HOLD_INSTRUCTION ) { // if (!X509_REVOKED_add1_ext_i2d ( entry, // NID_invalidity_date, revDate, 0, 0)) { // goto err; // }; // if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, // PKI_OID_get( "holdInstructionReject"), 0, 0)) { // goto err; // }; }; */ } /* if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) goto err; if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto err; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto err; } if (rev && comp_time) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) goto err; } if (rev && hold) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) goto err; } */ // Free Allocated Memory if (s_int) PKI_INTEGER_free(s_int); if (a_date && !revDate) PKI_TIME_free(a_date); // Returns the created entry return entry; err: // Free Allocated memory if (s_int) PKI_INTEGER_free(s_int); if (a_date && !revDate) PKI_TIME_free(a_date); if (entry) X509_REVOKED_free((X509_REVOKED *) entry); // Returns null (error) return NULL; }