static VALUE ossl_x509crl_set_revoked(VALUE self, VALUE ary) { X509_CRL *crl; X509_REVOKED *rev; int i; Check_Type(ary, T_ARRAY); /* All ary members should be X509 Revoked */ for (i=0; i<RARRAY_LEN(ary); i++) { OSSL_Check_Kind(RARRAY_PTR(ary)[i], cX509Rev); } GetX509CRL(self, crl); sk_X509_REVOKED_pop_free(crl->crl->revoked, X509_REVOKED_free); crl->crl->revoked = NULL; for (i=0; i<RARRAY_LEN(ary); i++) { rev = DupX509RevokedPtr(RARRAY_PTR(ary)[i]); if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */ ossl_raise(eX509CRLError, NULL); } } X509_CRL_sort(crl); return ary; }
static VALUE ossl_x509crl_set_revoked(VALUE self, VALUE ary) { X509_CRL *crl; X509_REVOKED *rev; STACK_OF(X509_REVOKED) *sk; long i; Check_Type(ary, T_ARRAY); /* All ary members should be X509 Revoked */ for (i=0; i<RARRAY_LEN(ary); i++) { OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev); } GetX509CRL(self, crl); if ((sk = X509_CRL_get_REVOKED(crl))) { while ((rev = sk_X509_REVOKED_pop(sk))) X509_REVOKED_free(rev); } for (i=0; i<RARRAY_LEN(ary); i++) { rev = DupX509RevokedPtr(RARRAY_AREF(ary, i)); if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */ X509_REVOKED_free(rev); ossl_raise(eX509CRLError, "X509_CRL_add0_revoked"); } } X509_CRL_sort(crl); return ary; }
static LUA_FUNCTION(openssl_crl_new) { X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509"); time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate)); time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600)); long version = luaL_optint(L, 5, 1); X509_CRL * crl = NULL; ASN1_TIME *ltm, *ntm; if (!lua_isnoneornil(L, 2)) luaL_checktype(L, 2, LUA_TTABLE); crl = X509_CRL_new(); X509_CRL_set_version(crl, version); if (x509) X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)); ltm = ASN1_TIME_new(); ntm = ASN1_TIME_new(); ASN1_TIME_set(ltm, lastUpdate); ASN1_TIME_set(ntm, nextUpdate); X509_CRL_set_lastUpdate(crl, ltm); X509_CRL_set_nextUpdate(crl, ntm); ASN1_TIME_free(ltm); ASN1_TIME_free(ntm); if (lua_istable(L, 2) && lua_objlen(L, 2) > 0) { int i; int n = lua_objlen(L, 2); for (i = 1; i <= n; i++) { lua_rawgeti(L, 2, i); if (lua_istable(L, -1)) { X509_REVOKED *revoked; lua_getfield(L, -1, "reason"); lua_getfield(L, -2, "time"); lua_getfield(L, -3, "sn"); revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3)); if (revoked) { X509_CRL_add0_revoked(crl, revoked); } lua_pop(L, 3); } lua_pop(L, 1); } } PUSH_OBJECT(crl, "openssl.x509_crl"); return 1; }
static LUA_FUNCTION(openssl_crl_add_revocked) { X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl"); BIGNUM* sn = BN_get(L, 2); time_t t = lua_tointeger(L, 3); int reason = reason_get(L, 4); int ret = 0; X509_REVOKED* revoked = create_revoked(L, sn, t, reason); ret = X509_CRL_add0_revoked(crl, revoked); lua_pushboolean(L, ret); BN_free(sn); return 1; }
static VALUE ossl_x509crl_add_revoked(VALUE self, VALUE revoked) { X509_CRL *crl; X509_REVOKED *rev; GetX509CRL(self, crl); rev = DupX509RevokedPtr(revoked); if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */ ossl_raise(eX509CRLError, NULL); } X509_CRL_sort(crl); return revoked; }
DWORD VMCAAddCertToCRL( X509_CRL *pCrl, X509 *pCerts, DWORD dwCertCount ) { DWORD dwError = 0; UINT ndx = 0; X509 *pTempCert = NULL; if(pCerts == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } for(ndx = 0; ndx < dwCertCount; ndx ++) { X509_REVOKED *pRevoked = NULL; pTempCert = pCerts + ndx; if (pTempCert != NULL) { dwError = VMCACheckNotAlreadyRevoked(pTempCert, pCrl); BAIL_ON_ERROR(dwError); dwError = VMCACreateRevokedFromCert(pTempCert, &pRevoked); BAIL_ON_ERROR(dwError); // Please Note : 0 functions in Open SSL means // when we free parent , children will be freed // Automatically. dwError = X509_CRL_add0_revoked(pCrl, pRevoked); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_ERROR); } } error : return dwError; }
void openssl_x509_crl() { RSA *r; BIO *bp; int len; FILE *fp; BIGNUM *bne; X509_CRL *crl; EVP_PKEY *pkey; X509_NAME *issuer; ASN1_INTEGER *serial; X509_REVOKED *revoked; ASN1_TIME *lastUpdate, *nextUpdate, *rvTime; unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert"; printf("\nX509_CRL info:\n"); bne = BN_new(); BN_set_word(bne, RSA_3); r = RSA_new(); RSA_generate_key_ex(r, MAX1_LEN, bne, NULL); pkey = EVP_PKEY_new(); EVP_PKEY_assign_RSA(pkey, r); crl = X509_CRL_new(); X509_CRL_set_version(crl, 3); issuer = X509_NAME_new(); X509_NAME_add_entry_by_NID(issuer, NID_commonName, V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0); X509_CRL_set_issuer_name(crl, issuer); lastUpdate = ASN1_TIME_new(); ASN1_TIME_set(lastUpdate, time(NULL)); X509_CRL_set_lastUpdate(crl, lastUpdate); nextUpdate = ASN1_TIME_new(); ASN1_TIME_set(nextUpdate, time(NULL) + 1280); X509_CRL_set_nextUpdate(crl, nextUpdate); revoked = X509_REVOKED_new(); serial = ASN1_INTEGER_new(); ASN1_INTEGER_set(serial, 1280); X509_REVOKED_set_serialNumber(revoked, serial); rvTime = ASN1_TIME_new(); ASN1_TIME_set(rvTime, time(NULL) + 2000); X509_CRL_set_nextUpdate(crl, rvTime); X509_REVOKED_set_revocationDate(revoked, rvTime); X509_CRL_add0_revoked(crl, revoked); X509_CRL_sort(crl); X509_CRL_sign(crl, pkey, EVP_md5()); bp = BIO_new(BIO_s_file()); BIO_set_fp(bp, stdout, BIO_NOCLOSE); X509_CRL_print(bp, crl); len = i2d_X509_CRL(crl, NULL); buf = (unsigned char *)malloc(len + 10); p = buf; len = i2d_X509_CRL(crl, &p); fp = fopen("/tmp/crl.crl", "wb"); fwrite(buf, 1, len, fp); fclose(fp); free(buf); BIO_free(bp); X509_CRL_free(crl); }
static LUA_FUNCTION(openssl_crl_new) { int i; int n = lua_gettop(L); X509_CRL * crl = X509_CRL_new(); int ret = X509_CRL_set_version(crl, 0); X509* cacert = NULL; EVP_PKEY* capkey = NULL; const EVP_MD* md = NULL; int step; for (i = 1; ret == 1 && i <= n; i++) { if (i == 1) { luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}"); if (lua_rawlen(L, i) > 0) { int j, m; m = lua_rawlen(L, i); for (j = 1; ret == 1 && j <= m; j++) { X509_REVOKED *revoked; BIGNUM* sn; lua_rawgeti(L, i, j); luaL_checktable(L, -1); lua_getfield(L, -1, "reason"); lua_getfield(L, -2, "time"); lua_getfield(L, -3, "sn"); sn = BN_get(L, -1); revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3)); if (revoked) { ret = X509_CRL_add0_revoked(crl, revoked); } BN_free(sn); lua_pop(L, 3); lua_pop(L, 1); }; } }; if (i == 2) { cacert = CHECK_OBJECT(2, X509, "openssl.x509"); ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert)); } if (i == 3) { capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey"); luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key"); luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2"); } } md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4); step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5); if (ret == 1) { time_t lastUpdate; time_t nextUpdate; ASN1_TIME *ltm, *ntm; time(&lastUpdate); nextUpdate = lastUpdate + step; ltm = ASN1_TIME_new(); ntm = ASN1_TIME_new(); ASN1_TIME_set(ltm, lastUpdate); ASN1_TIME_set(ntm, nextUpdate); ret = X509_CRL_set_lastUpdate(crl, ltm); if (ret == 1) ret = X509_CRL_set_nextUpdate(crl, ntm); ASN1_TIME_free(ltm); ASN1_TIME_free(ntm); } if (cacert && capkey && md) { ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey)); } if (ret == 1) { PUSH_OBJECT(crl, "openssl.x509_crl"); } else { X509_CRL_free(crl); return openssl_pushresult(L, ret); }; return 1; }
DWORD VMCAAddCertToCRL_Reason( X509_CRL *pCrl, PWSTR pwszSerial, DWORD dwRevokedDate, VMCA_CRL_REASON certRevokeReason ) { DWORD dwError = 0; X509 *pCert = NULL; X509_REVOKED *pRevoked = NULL; ASN1_INTEGER *asnSerial = NULL; if (!pCrl || IsNullOrEmptyString (pwszSerial) ) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_ERROR(dwError); } asnSerial = ASN1_ENUMERATED_new(); if(asnSerial == NULL) { dwError = VMCA_OUT_MEMORY_ERR; BAIL_ON_ERROR(dwError); } dwError = VMCAWIntegerToASN1Integer( pwszSerial, asnSerial ); BAIL_ON_ERROR (dwError); dwError = VMCACheckNotAlreadyRevoked_Serial( asnSerial, pCrl ); BAIL_ON_VMCA_ERROR (dwError); dwError = VMCACreateRevokedFromCert_Reason( asnSerial, dwRevokedDate, certRevokeReason, &pRevoked ); BAIL_ON_VMCA_ERROR (dwError); // Please Note : 0 functions in Open SSL means // when we free parent , children will be freed // Automatically. dwError = X509_CRL_add0_revoked(pCrl, pRevoked); BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_ERROR); cleanup: if (pCert) { X509_free(pCert); } if (asnSerial) { ASN1_INTEGER_free (asnSerial); } return dwError; error : goto cleanup; }
PKI_X509_CRL *PKI_X509_CRL_new(const PKI_X509_KEYPAIR *k, const PKI_X509_CERT *cert, const char * crlNumber_s, unsigned long validity, const PKI_X509_CRL_ENTRY_STACK *sk, const PKI_X509_PROFILE *profile, const PKI_CONFIG *oids, HSM *hsm) { PKI_X509_CRL *ret = NULL; PKI_X509_CRL_VALUE *val = NULL; ASN1_INTEGER *crlNumber = NULL; ASN1_TIME *time = NULL; int rv = PKI_OK; int i = 0; char * tmp_s = NULL; PKI_X509_CRL_ENTRY *entry = NULL; PKI_DIGEST_ALG *dgst = NULL; long long lastUpdateVal = 0; long long nextUpdateVal = 0; /* Checks for the Key and its internal value */ if( !k || !k->value ) return NULL; /* checks for the certificate and its internal value */ if( !cert || !cert->value ) return ( NULL ); if(( ret = PKI_X509_CRL_new_null()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); goto err; } /* Alloc memory structure for the Certificate */ if((ret->value = ret->cb->create()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); goto err; } val = ret->value; if ( !crlNumber_s && profile ) { if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/crlNumber")) != NULL ) { crlNumber = PKI_INTEGER_new_char ( tmp_s ); PKI_Free ( tmp_s ); }; } else if ( crlNumber_s ) { crlNumber = PKI_INTEGER_new_char( crlNumber_s ); // Let's add the CRLSerial extension X509_CRL_add1_ext_i2d(val, NID_crl_number, crlNumber, 0, 0); }; /* Set the start date (notBefore) */ if (profile) { int years = 0; int days = 0; int hours = 0; int mins = 0; int secs = 0; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/years")) != NULL ) { years = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/days")) != NULL ) { days = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/hours")) != NULL ) { hours = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/minutes")) != NULL ) { mins = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/minutes")) != NULL ) { secs = atoi( tmp_s ); PKI_Free ( tmp_s ); }; lastUpdateVal = secs + ( mins * 60 ) + ( hours * 3600 ) + ( days * 3600 * 24 ) + ( years * 3600 * 24 * 365 ); } else { // Sets lastUpdate to current time lastUpdateVal = 0; }; if ( profile && validity <= 0 ) { long long years = 0; long long days = 0; long long hours = 0; long long mins = 0; long long secs = 0; if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/years")) != NULL ) { years = atoll( tmp_s ); PKI_Free(tmp_s); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/days")) != NULL ) { days = atoll( tmp_s ); PKI_Free( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/hours")) != NULL ) { hours = atoll( tmp_s ); PKI_Free( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/mins")) != NULL ) { mins = atoll( tmp_s ); PKI_Free ( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/secs")) != NULL ) { secs = atoll( tmp_s ); PKI_Free ( tmp_s ); } nextUpdateVal = secs + 60 * ( mins + 60 * (hours + 24 * ( days + 365 * years ) ) ); } else { nextUpdateVal = (long long) validity; }; /* Generates a new time for lastUpdate field */ if((time = PKI_TIME_new( lastUpdateVal )) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); goto err; }; /* Set the Last Update field */ if(X509_CRL_set_lastUpdate( val, time ) == 0 ) { PKI_log_err ( "ERROR, can not set lastUpdate field in CRL"); goto err; } PKI_TIME_free ( time ); time = NULL; // Memory /* Generates a new time for lastUpdate field */ if((time = PKI_TIME_new( nextUpdateVal )) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); goto err; }; /* Set the nextUpdate field */ if(X509_CRL_set_nextUpdate( val, time ) == 0 ) { PKI_log_err ( "ERROR, can not set lastUpdate field in CRL"); goto err; } PKI_TIME_free ( time ); time = NULL; // Memory /* Now we need to add the CRL issuer name and details */ if (X509_CRL_set_issuer_name( val, X509_get_subject_name(cert->value)) == 0) { PKI_log_debug( "Can not set CRL issuer name"); goto err; } if ( sk ) { /* Adds the list of revoked certificates */ for(i=0; i < PKI_STACK_X509_CRL_ENTRY_elements(sk); i++ ) { PKI_log_debug("CRL::ADDING ENTRY %d\n", i ); entry = PKI_STACK_X509_CRL_ENTRY_get_num(sk, i); if(!entry) break; X509_CRL_add0_revoked(val, entry); }; } /* Sorts the CRL entries */ X509_CRL_sort ( val ); /* if((ret = PKI_X509_new_value( PKI_DATATYPE_X509_CRL, val, hsm)) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); X509_CRL_free ( val ); return ( NULL ); } */ /* Get the extensions from the profile */ if( profile ) { PKI_TOKEN * tk; if((tk = PKI_TOKEN_new_null()) == NULL ) { PKI_log_err ( "Memory allocation failure"); PKI_X509_CRL_free ( ret ); return NULL; } PKI_TOKEN_set_cert(tk, (PKI_X509_CERT *)cert); PKI_TOKEN_set_keypair(tk, (PKI_X509_KEYPAIR *)k); if(PKI_X509_EXTENSIONS_crl_add_profile( profile, oids, ret, tk) == 0 ) { PKI_log_debug( "ERROR, can not set extensions!"); PKI_X509_CRL_free ( ret ); tk->cert = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); return ( NULL ); } tk->cert = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); } /* Get the Digest Algorithm */ if( (dgst = PKI_DIGEST_ALG_get_by_key( k )) == NULL ) { PKI_log_err("Can not get digest algor from keypair!"); goto err; } rv = PKI_X509_sign ( ret, dgst, k ); if ( rv == PKI_ERR ) { PKI_log_debug ("ERROR, can not sign CRL!"); goto err; } return( ret ); err: if ( time ) PKI_TIME_free ( time ); if ( ret ) PKI_X509_CRL_free ( ret ); return NULL; }
int addToCRL(char* pemSigningKey, char* pemOldCrl, char* pemRevokedCert, char* result) { int err = 0; BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1); if (!bioSigningKey) { return ERR_peek_error(); } BIO* bioRevCert = BIO_new_mem_buf(pemRevokedCert, -1); if (!bioRevCert) { BIO_free(bioSigningKey); return ERR_peek_error(); } BIO* bioOldCRL = BIO_new_mem_buf(pemOldCrl, -1); if (!bioOldCRL) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509* badCert = PEM_read_bio_X509(bioRevCert, NULL, NULL, NULL); if (!badCert) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return -18; } X509_CRL* crl = PEM_read_bio_X509_CRL(bioOldCRL, NULL, NULL, NULL); if (!crl) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return ERR_peek_error(); } X509_REVOKED* revoked = X509_REVOKED_new(); X509_REVOKED_set_serialNumber(revoked, X509_get_serialNumber(badCert)); ASN1_TIME* tmptm = ASN1_TIME_new(); X509_gmtime_adj(tmptm, long(0)); X509_REVOKED_set_revocationDate(revoked, tmptm); //set the reason? Not yet. // ASN1_ENUMERATED* rtmp = ASN1_ENUMERATED_new(); // ASN1_ENUMERATED_set(rtmp, reasonCode); // goto err; // if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) // goto err; // } if(!(err = X509_CRL_add0_revoked(crl,revoked))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } X509_CRL_sort(crl); if(!(err=X509_CRL_sign(crl,caKey,EVP_sha1()))) { BIO_free(bioSigningKey); BIO_free(bioRevCert); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509_CRL(mem,crl); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(bioRevCert); BIO_free(bioSigningKey); BIO_free(bioOldCRL); BIO_free(mem); return 0; }
/* * Revoke one certificate at a time * No check performed to see if certificate already revoked. */ void revoke_cert(char * ca_name, char * name) { char filename[FIELD_SZ+5]; FILE * f ; X509_CRL * crl ; X509 * cert ; ASN1_INTEGER * r_serial ; ASN1_INTEGER * crlnum ; X509_REVOKED * rev ; ASN1_TIME * tm ; identity ca ; BIO * out ; BIGNUM * b_crlnum ; /* Find requested certificate by name */ sprintf(filename, "%s.crt", name); if ((f=fopen(filename, "r"))==NULL) { fprintf(stderr, "Cannot find: %s\n", filename); return ; } cert = PEM_read_X509(f, NULL, NULL, NULL); fclose(f); /* Get certificate serial number */ r_serial = X509_get_serialNumber(cert); /* Find out if if was already revoked */ /* Make a revoked object with that serial */ rev = X509_REVOKED_new(); X509_REVOKED_set_serialNumber(rev, r_serial); X509_free(cert); /* Set reason to unspecified */ rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED); /* Load or create new CRL */ if ((crl = load_crl(ca_name))==NULL) { crl = X509_CRL_new(); X509_CRL_set_version(crl, 1); /* Set CRL number */ crlnum = ASN1_INTEGER_new(); ASN1_INTEGER_set(crlnum, 1); X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0); ASN1_INTEGER_free(crlnum); } else { crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0); b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL); BN_add_word(b_crlnum, 1); BN_to_ASN1_INTEGER(b_crlnum, crlnum); BN_free(b_crlnum); X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING); ASN1_INTEGER_free(crlnum); } /* What time is it? */ tm = ASN1_TIME_new(); X509_gmtime_adj(tm, 0); X509_REVOKED_set_revocationDate(rev, tm); X509_CRL_set_lastUpdate(crl, tm); /* Set CRL next update to a year from now */ X509_gmtime_adj(tm, 365*24*60*60); X509_CRL_set_nextUpdate(crl, tm); ASN1_TIME_free(tm); /* Add revoked to CRL */ X509_CRL_add0_revoked(crl, rev); X509_CRL_sort(crl); /* Load root key to sign CRL */ if (load_ca(ca_name, &ca)!=0) { fprintf(stderr, "Cannot find CA key/crt\n"); return ; } X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert)); X509_free(ca.cert); /* Sign CRL */ X509_CRL_sign(crl, ca.key, EVP_sha256()); EVP_PKEY_free(ca.key); /* Dump CRL */ sprintf(filename, "%s.crl", ca_name); if ((f = fopen(filename, "wb"))==NULL) { fprintf(stderr, "Cannot write %s: aborting\n", filename); X509_CRL_free(crl); return ; } out = BIO_new(BIO_s_file()); BIO_set_fp(out, f, BIO_NOCLOSE); PEM_write_bio_X509_CRL(out, crl); BIO_free_all(out); fclose(f); X509_CRL_free(crl); return ; }
void pki_crl::addRev(const x509rev &xrev) { X509_CRL_add0_revoked(crl, xrev.get()); pki_openssl_error(); }