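/*
 * Build an X509_REVOKED CRL entry from an explicit serial number, revocation
 * time and reason.
 *
 * asnSerial        serial number of the revoked certificate. It is copied
 *                  into the entry, so the caller keeps ownership.
 * dwRevokedDate    revocation time in seconds since the Unix epoch. DWORD is
 *                  32 bits wide, so only times representable in it are usable.
 * certRevokeReason value written to the reasonCode extension. It is handed to
 *                  ASN1_ENUMERATED_set unchanged, so it is assumed to already
 *                  be an RFC 5280 CRLReason code (TODO confirm mapping).
 * pRevoked         receives the new entry on success; the caller releases it
 *                  with X509_REVOKED_free. Must not be NULL.
 *
 * Returns 0 on success or a VMCA error code. On failure *pRevoked is left
 * untouched and every object created here is released.
 */
DWORD
VMCACreateRevokedFromCert_Reason(
    ASN1_INTEGER *asnSerial,
    DWORD dwRevokedDate,
    VMCA_CRL_REASON certRevokeReason,
    X509_REVOKED **pRevoked)
{
    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;

    pCode = ASN1_ENUMERATED_new();
    if (pCode == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    /* ASN1_TIME_set returns NULL on failure. Without this check an empty
     * time would be copied into the entry as its revocation date. */
    if (ASN1_TIME_set(pRevTime, (time_t)dwRevokedDate) == NULL)
    {
        dwError = VMCA_CRL_SET_TIME_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    /* Both setters copy their argument; asnSerial and pRevTime stay owned
     * by the caller and by this function respectively. */
    dwError = X509_REVOKED_set_serialNumber(pTempRev, asnSerial);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    /* ASN1_ENUMERATED_set returns 0 on failure. Unchecked, a failed set
     * would encode a wrong reasonCode instead of failing the call. */
    if (!ASN1_ENUMERATED_set(pCode, certRevokeReason))
    {
        dwError = VMCA_CRL_REASON_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    /* add1 encodes and stores a copy, so pCode can be freed in cleanup. */
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);

    *pRevoked = pTempRev;

cleanup:
    if (pRevTime != NULL)
    {
        ASN1_TIME_free(pRevTime);
    }
    if (pCode != NULL)
    {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    /* The entry is only handed out on success; drop it on any failure. */
    if (pTempRev != NULL)
    {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}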
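/*
 * Build an X509_REVOKED CRL entry for a certificate, revoked "now" with the
 * reasonCode fixed to CRL_REASON_UNSPECIFIED. Callers that need a specific
 * reason or revocation time should use VMCACreateRevokedFromCert_Reason.
 *
 * pCert    certificate being revoked; only its serial number is read and
 *          copied, so the caller keeps ownership. Must not be NULL.
 * pRevoked receives the new entry on success; the caller releases it with
 *          X509_REVOKED_free. Must not be NULL.
 *
 * Returns 0 on success or a VMCA error code. On failure *pRevoked is left
 * untouched and every object created here is released.
 */
DWORD
VMCACreateRevokedFromCert(
    X509 *pCert,
    X509_REVOKED **pRevoked)
{
    DWORD dwError = 0;
    X509_REVOKED *pTempRev = NULL;
    ASN1_TIME *pRevTime = NULL;
    ASN1_ENUMERATED *pCode = NULL;

    /* No serial can be read from a missing certificate; fail before
     * X509_get_serialNumber dereferences it. */
    if (pCert == NULL)
    {
        dwError = VMCA_CRL_SET_SERIAL_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    pCode = ASN1_ENUMERATED_new();
    if (pCode == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pTempRev = X509_REVOKED_new();
    if (pTempRev == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pRevTime = ASN1_TIME_new();
    if (pRevTime == NULL)
    {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    /* ASN1_TIME_set returns NULL on failure. Without this check an empty
     * time would be copied into the entry as its revocation date. */
    if (ASN1_TIME_set(pRevTime, time(NULL)) == NULL)
    {
        dwError = VMCA_CRL_SET_TIME_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    /* Both setters copy their argument; the certificate's serial and
     * pRevTime remain owned by the caller and by this function. */
    dwError = X509_REVOKED_set_serialNumber(pTempRev, X509_get_serialNumber(pCert));
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_SERIAL_FAIL);

    dwError = X509_REVOKED_set_revocationDate(pTempRev, pRevTime);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SET_TIME_FAIL);

    /* Reason is fixed to UNSPECIFIED here (see function comment).
     * ASN1_ENUMERATED_set returns 0 on failure; unchecked, a failed set
     * would encode a wrong reasonCode instead of failing the call. */
    if (!ASN1_ENUMERATED_set(pCode, CRL_REASON_UNSPECIFIED))
    {
        dwError = VMCA_CRL_REASON_FAIL;
        BAIL_ON_ERROR(dwError);
    }

    /* add1 encodes and stores a copy, so pCode can be freed in cleanup. */
    dwError = X509_REVOKED_add1_ext_i2d(pTempRev, NID_crl_reason, pCode, 0, 0);
    BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_REASON_FAIL);

    *pRevoked = pTempRev;

cleanup:
    if (pRevTime != NULL)
    {
        ASN1_TIME_free(pRevTime);
    }
    if (pCode != NULL)
    {
        ASN1_ENUMERATED_free(pCode);
    }
    return dwError;

error:
    /* The entry is only handed out on success; drop it on any failure. */
    if (pTempRev != NULL)
    {
        X509_REVOKED_free(pTempRev);
    }
    goto cleanup;
}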
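/**
 * Builds a CRL entry (X509_REVOKED) for the certificate with the given serial.
 *
 * @param serial  Serial number as text, converted with PKI_INTEGER_new_char();
 *                must not be NULL.
 * @param reason  Revocation reason. Only the "hold" reasons add extensions
 *                today: a holdInstructionCode, a reasonCode of
 *                PKI_CRL_REASON_CERTIFICATE_HOLD and, when revDate was
 *                supplied, an invalidityDate. The remaining RFC 5280 reasons
 *                are logged as not implemented and the entry is returned
 *                without a reasonCode. PKI_CRL_REASON_UNSPECIFIED adds nothing.
 * @param revDate Revocation date, or NULL to use "now" (PKI_TIME_new(0)).
 *                Borrowed; the caller keeps ownership.
 * @param profile Currently unused.
 * @return A newly allocated entry owned by the caller (release with
 *         X509_REVOKED_free), or NULL after logging the error via PKI_ERROR.
 */
PKI_X509_CRL_ENTRY *PKI_X509_CRL_ENTRY_new_serial(const char *serial,
                                                  PKI_X509_CRL_REASON reason,
                                                  const PKI_TIME *revDate,
                                                  const PKI_X509_PROFILE *profile)
{
    PKI_X509_CRL_ENTRY *entry = NULL;  // Entry to be added to the CRL
    PKI_INTEGER *s_int = NULL;         // ASN1 Integer carrying the serial
    PKI_TIME *a_date = NULL;           // Revocation date actually written
    PKI_TIME *own_date = NULL;         // Date allocated here (only when revDate is NULL)
    ASN1_ENUMERATED *rtmp = NULL;      // reasonCode extension value

    (void) profile;  // accepted for API compatibility, not consulted

    // Input check
    if (!serial) {
        PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number");
        return NULL;
    }

    // Allocates the Memory for the entry
    if ((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL) {
        PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
        return NULL;
    }

    // If no revocation date is provided, let's use "now". The allocated date is
    // kept in own_date so it is never replaced by the NULL revDate (the previous
    // version did exactly that, leaking the date and leaving the entry without a
    // revocationDate) and so it is released on every exit path.
    if (revDate) {
        a_date = (PKI_TIME *) revDate;
    } else {
        if ((own_date = PKI_TIME_new(0)) == NULL) {
            PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
            goto err;
        }
        a_date = own_date;
    }

    // Generates the integer carrying the serial number
    if ((s_int = PKI_INTEGER_new_char(serial)) == NULL) {
        PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial);
        goto err;
    }

    // Sets the serial number in the X509_REVOKED structure (copied)
    if (X509_REVOKED_set_serialNumber(entry, s_int) != 1) {
        PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial);
        goto err;
    }

    // Sets the revocation date (copied; mandatory in a CRL entry)
    if (!X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) {
        PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date");
        goto err;
    }

    if (reason != PKI_CRL_REASON_UNSPECIFIED) {
        int supported_reason = -1;  // reasonCode to write, or -1 for none

        switch (reason) {
            case PKI_CRL_REASON_CERTIFICATE_HOLD:
            case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT:
                // NOTE(review): the PKI_OID_get() result is not released here, as
                // before; confirm whether it returns an owned or a shared object.
                if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
                                               PKI_OID_get("holdInstructionReject"), 0, 0)) {
                    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionReject");
                    goto err;
                }
                // invalidityDate is only added when the caller supplied a date.
                // NOTE(review): RFC 5280 encodes invalidityDate as GeneralizedTime;
                // confirm PKI_TIME produces that encoding here.
                if (revDate &&
                    !X509_REVOKED_add1_ext_i2d(entry, NID_invalidity_date,
                                               (PKI_TIME *) revDate, 0, 0)) {
                    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date");
                    goto err;
                }
                // Written verbatim as the reasonCode; assumes the enum value equals
                // the RFC 5280 certificateHold code — TODO confirm.
                supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
                break;

            case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER:
                if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code,
                                               PKI_OID_get("holdInstructionCallIssuer"), 0, 0)) {
                    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionCallIssuer");
                    goto err;
                }
                if (revDate &&
                    !X509_REVOKED_add1_ext_i2d(entry, NID_invalidity_date,
                                               (PKI_TIME *) revDate, 0, 0)) {
                    PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date");
                    goto err;
                }
                supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD;
                break;

            case PKI_CRL_REASON_KEY_COMPROMISE:
            case PKI_CRL_REASON_CA_COMPROMISE:
            case PKI_CRL_REASON_AFFILIATION_CHANGED:
            case PKI_CRL_REASON_SUPERSEDED:
            case PKI_CRL_REASON_CESSATION_OF_OPERATION:
            case PKI_CRL_REASON_REMOVE_FROM_CRL:
            case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN:
            case PKI_CRL_REASON_AA_COMPROMISE:
                // Logged only: the entry is still returned, without a reasonCode.
                PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Not Implemented Yet %d", reason);
                break;

            default:
                // Logged only, same as the unimplemented reasons above.
                PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason);
                break;
        }

        if (supported_reason >= 0) {
            // Allocated only when needed and released on both exit paths (the
            // previous version allocated it unconditionally and never freed it).
            if ((rtmp = ASN1_ENUMERATED_new()) == NULL) {
                PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
                goto err;
            }
            if (!ASN1_ENUMERATED_set(rtmp, supported_reason)) {
                PKI_ERROR(PKI_ERR_GENERAL, "Can not set CRL reason code");
                goto err;
            }
            // add1 stores an encoded copy, so rtmp is freed below.
            if (!X509_REVOKED_add1_ext_i2d(entry, NID_crl_reason, rtmp, 0, 0)) {
                PKI_ERROR(PKI_ERR_X509_CRL, "Can not add CRL reason code");
                goto err;
            }
        }
    }

    // Free Allocated Memory (the entry holds its own copies)
    if (s_int) PKI_INTEGER_free(s_int);
    if (own_date) PKI_TIME_free(own_date);
    if (rtmp) ASN1_ENUMERATED_free(rtmp);

    // Returns the created entry
    return entry;

err:
    // Free Allocated memory
    if (s_int) PKI_INTEGER_free(s_int);
    if (own_date) PKI_TIME_free(own_date);
    if (rtmp) ASN1_ENUMERATED_free(rtmp);
    if (entry) X509_REVOKED_free((X509_REVOKED *) entry);

    // Returns null (error)
    return NULL;
}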