static VALUE
ossl_x509crl_get_next_update(VALUE self)
{
X509_CRL *crl;
GetX509CRL(self, crl);
return asn1time_to_time(X509_CRL_get_nextUpdate(crl));
}
/*
Function:
GetX509CrlNextUpdate
Used by System.Security.Cryptography.X509Certificates' CrlCache to identify the
end of the validity period of the certificate revocation list in question.
Return values:
NULL if the validity cannot be determined, a pointer to the ASN1_TIME structure for the NextUpdate value
otherwise.
*/
extern ASN1_TIME* CryptoNative_GetX509CrlNextUpdate(X509_CRL* crl)
{
if (crl)
{
return X509_CRL_get_nextUpdate(crl);
}
return NULL;
}
/*
Function:
GetX509CrlNextUpdate
Used by System.Security.Cryptography.X509Certificates' CrlCache to identify the
end of the validity period of the certificate revocation list in question.
Return values:
NULL if the validity cannot be determined, a pointer to the ASN1_TIME structure for the NextUpdate value
otherwise.
*/
ASN1_TIME*
GetX509CrlNextUpdate(
X509_CRL* crl)
{
if (crl)
{
return X509_CRL_get_nextUpdate(crl);
}
return NULL;
}
DWORD
VMCAGetCRLInfoPrivate(
PSTR pszFileName,
time_t *ptmLastUpdate,
time_t *ptmNextUpdate,
DWORD *pdwCRLNumber)
{
DWORD dwError = 0;
X509_CRL *pCrl = NULL;
ASN1_TIME *pLastUpdate = NULL;
ASN1_TIME *pNextUpdate = NULL;
ASN1_INTEGER *pCrlNumber = NULL;
long nCrlNum = 0;
if ( (IsNullOrEmptyString(pszFileName))
|| (ptmNextUpdate == NULL)
|| (ptmLastUpdate == NULL)
|| (pdwCRLNumber == NULL)
) {
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
dwError = VMCAFileToCRL(pszFileName, &pCrl);
BAIL_ON_ERROR(dwError);
pLastUpdate = X509_CRL_get_lastUpdate(pCrl);
pNextUpdate = X509_CRL_get_nextUpdate(pCrl);
pCrlNumber = ASN1_INTEGER_new();
if(pCrlNumber == NULL) {
dwError = VMCA_OUT_MEMORY_ERR;
BAIL_ON_ERROR(dwError);
}
pCrlNumber = X509_CRL_get_ext_d2i(pCrl, NID_crl_number, 0,0);
nCrlNum = ASN1_INTEGER_get(pCrlNumber);
*pdwCRLNumber = nCrlNum;
dwError = VMCAASN1ToTimeT(pLastUpdate,ptmLastUpdate);
BAIL_ON_ERROR(dwError);
dwError = VMCAASN1ToTimeT(pNextUpdate,ptmNextUpdate);
BAIL_ON_ERROR(dwError);
cleanup:
if(pCrlNumber){
ASN1_INTEGER_free(pCrlNumber);
}
VMCACrlFree(pCrl);
return dwError;
error :
goto cleanup;
}
/*
* Check if a CRL entry is expired.
*/
static int crl_entry_expired(X509_CRL *crl)
{
int lastUpdate, nextUpdate;
if (!crl) {
return 0;
}
lastUpdate = X509_cmp_current_time(X509_CRL_get_lastUpdate(crl));
nextUpdate = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
if (lastUpdate < 0 && nextUpdate > 0) {
return 0;
}
return 1;
}
static LUA_FUNCTION(openssl_crl_updateTime)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *ltm, *ntm;
ltm = X509_CRL_get_lastUpdate(crl);
ntm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, ltm);
PUSH_ASN1_TIME(L, ntm);
return 2;
}
else
{
ASN1_TIME *ltm, *ntm;
int ret = 0;
time_t last, next;
if (lua_gettop(L) == 2)
{
time(&last);
next = last + luaL_checkint(L, 2);
}
else
{
last = luaL_checkint(L, 2);
next = last + luaL_checkint(L, 3);
luaL_argcheck(L, next > last, 3, "value must after #2");
}
ltm = ASN1_TIME_new();
ASN1_TIME_set(ltm, last);
ntm = ASN1_TIME_new();
ASN1_TIME_set(ntm, next);
ret = X509_CRL_set_lastUpdate(crl, ltm);
if (ret == 1)
ret = X509_CRL_set_nextUpdate(crl, ntm);
ASN1_TIME_free(ltm);
ASN1_TIME_free(ntm);
openssl_pushresult(L, ret);
return 1;
}
}
DWORD
VMCAGetNextUpdateTime(
X509_CRL *pCrl,
time_t *pNextUpdateTime
)
{
DWORD dwError = 0;
ASN1_TIME *pLastUpdate = NULL;
ASN1_TIME *pNextUpdate = NULL;
time_t tmLast = 0;
time_t tmNext = 0;
time_t tmDiff = 0;
time_t tmNextUpdate = 0;
if( (pCrl == NULL) ||
(pNextUpdateTime == NULL))
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_ERROR(dwError);
}
pLastUpdate = X509_CRL_get_lastUpdate(pCrl);
pNextUpdate = X509_CRL_get_nextUpdate(pCrl);
dwError = VMCAASN1ToTimeT(pLastUpdate, &tmLast);
BAIL_ON_ERROR(dwError);
dwError = VMCAASN1ToTimeT(pNextUpdate, &tmNext);
BAIL_ON_ERROR(dwError);
tmDiff = tmNext - tmLast;
tmNextUpdate = time(NULL) + tmDiff;
*pNextUpdateTime = tmNextUpdate;
cleanup :
return dwError;
error :
goto cleanup;
}
static LUA_FUNCTION(openssl_crl_nextUpdate)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
if (lua_isnone(L, 2))
{
ASN1_TIME *tm = X509_CRL_get_nextUpdate(crl);
PUSH_ASN1_TIME(L, tm);
return 1;
}
else
{
int ret;
time_t time = luaL_checkint(L, 2);
ASN1_TIME *tm = ASN1_TIME_new();
ASN1_TIME_set(tm, time);
ret = X509_CRL_set_nextUpdate(crl, tm);
ASN1_TIME_free(tm);
return openssl_pushresult(L, ret);
}
}
/* based on BSD-style licensed code of mod_ssl */
static int crl_check(CLI *c, X509_STORE_CTX *callback_ctx) {
X509_STORE_CTX store_ctx;
X509_OBJECT obj;
X509_NAME *subject;
X509_NAME *issuer;
X509 *cert;
X509_CRL *crl;
X509_REVOKED *revoked;
EVP_PKEY *pubkey;
long serial;
int i, n, rc;
char *cp;
ASN1_TIME *last_update=NULL, *next_update=NULL;
/* determine certificate ingredients in advance */
cert=X509_STORE_CTX_get_current_cert(callback_ctx);
subject=X509_get_subject_name(cert);
issuer=X509_get_issuer_name(cert);
/* try to retrieve a CRL corresponding to the _subject_ of
* the current certificate in order to verify it's integrity */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl=obj.data.crl;
if(rc>0 && crl) {
cp=X509_NAME_oneline(subject, NULL, 0);
s_log(LOG_INFO, "CRL: issuer: %s", cp);
OPENSSL_free(cp);
last_update=X509_CRL_get_lastUpdate(crl);
next_update=X509_CRL_get_nextUpdate(crl);
log_time(LOG_INFO, "CRL: last update", last_update);
log_time(LOG_INFO, "CRL: next update", next_update);
/* verify the signature on this CRL */
pubkey=X509_get_pubkey(cert);
if(X509_CRL_verify(crl, pubkey)<=0) {
s_log(LOG_WARNING, "CRL: Invalid signature");
X509_STORE_CTX_set_error(callback_ctx,
X509_V_ERR_CRL_SIGNATURE_FAILURE);
X509_OBJECT_free_contents(&obj);
if(pubkey)
EVP_PKEY_free(pubkey);
return 0; /* reject connection */
}
if(pubkey)
EVP_PKEY_free(pubkey);
/* check date of CRL to make sure it's not expired */
if(!next_update) {
s_log(LOG_WARNING, "CRL: Invalid nextUpdate field");
X509_STORE_CTX_set_error(callback_ctx,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
if(X509_cmp_current_time(next_update)<0) {
s_log(LOG_WARNING, "CRL: CRL Expired - revoking all certificates");
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
X509_OBJECT_free_contents(&obj);
}
/* try to retrieve a CRL corresponding to the _issuer_ of
* the current certificate in order to check for revocation */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, c->opt->revocation_store, NULL, NULL);
rc=X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl=obj.data.crl;
if(rc>0 && crl) {
/* check if the current certificate is revoked by this CRL */
n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
for(i=0; i<n; i++) {
revoked=sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if(ASN1_INTEGER_cmp(revoked->serialNumber,
X509_get_serialNumber(cert)) == 0) {
serial=ASN1_INTEGER_get(revoked->serialNumber);
cp=X509_NAME_oneline(issuer, NULL, 0);
s_log(LOG_WARNING, "CRL: Certificate with serial %ld (0x%lX) "
"revoked per CRL from issuer %s", serial, serial, cp);
OPENSSL_free(cp);
X509_STORE_CTX_set_error(callback_ctx, X509_V_ERR_CERT_REVOKED);
X509_OBJECT_free_contents(&obj);
return 0; /* reject connection */
}
}
X509_OBJECT_free_contents(&obj);
}
return 1; /* accept connection */
}
int MAIN(int argc, char **argv)
{
X509_CRL *x=NULL;
char *CAfile = NULL, *CApath = NULL;
int ret=1,i,num,badops=0;
BIO *out=NULL;
int informat,outformat;
char *infile=NULL,*outfile=NULL;
int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
int fingerprint = 0;
char **pp,buf[256];
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
int do_ver = 0;
const EVP_MD *md_alg,*digest=EVP_md5();
apps_startup();
if (bio_err == NULL)
if ((bio_err=BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
if (bio_out == NULL)
if ((bio_out=BIO_new(BIO_s_file())) != NULL)
{
BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
}
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
argc--;
argv++;
num=0;
while (argc >= 1)
{
#ifdef undef
if (strcmp(*argv,"-p") == 0)
{
if (--argc < 1) goto bad;
if (!args_from_file(++argv,Nargc,Nargv)) {
goto end;
}*/
}
#endif
if (strcmp(*argv,"-inform") == 0)
{
if (--argc < 1) goto bad;
informat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-outform") == 0)
{
if (--argc < 1) goto bad;
outformat=str2fmt(*(++argv));
}
else if (strcmp(*argv,"-in") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
}
else if (strcmp(*argv,"-out") == 0)
{
if (--argc < 1) goto bad;
outfile= *(++argv);
}
else if (strcmp(*argv,"-CApath") == 0)
{
if (--argc < 1) goto bad;
CApath = *(++argv);
do_ver = 1;
}
else if (strcmp(*argv,"-CAfile") == 0)
{
if (--argc < 1) goto bad;
CAfile = *(++argv);
do_ver = 1;
}
else if (strcmp(*argv,"-verify") == 0)
do_ver = 1;
else if (strcmp(*argv,"-text") == 0)
text = 1;
else if (strcmp(*argv,"-hash") == 0)
hash= ++num;
else if (strcmp(*argv,"-issuer") == 0)
issuer= ++num;
else if (strcmp(*argv,"-lastupdate") == 0)
lastupdate= ++num;
else if (strcmp(*argv,"-nextupdate") == 0)
nextupdate= ++num;
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-fingerprint") == 0)
fingerprint= ++num;
else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
{
/* ok */
digest=md_alg;
}
else
{
BIO_printf(bio_err,"unknown option %s\n",*argv);
badops=1;
break;
}
argc--;
argv++;
}
if (badops)
{
bad:
for (pp=crl_usage; (*pp != NULL); pp++)
BIO_printf(bio_err,*pp);
goto end;
}
ERR_load_crypto_strings();
x=load_crl(infile,informat);
if (x == NULL) {
goto end;
}
if(do_ver) {
store = X509_STORE_new();
lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
if (lookup == NULL) goto end;
if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM))
X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
if (lookup == NULL) goto end;
if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM))
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
ERR_clear_error();
X509_STORE_CTX_init(&ctx, store, NULL, NULL);
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if(i <= 0) {
BIO_printf(bio_err,
"Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if(!pkey) {
BIO_printf(bio_err,
"Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
EVP_PKEY_free(pkey);
if(i < 0) goto end;
if(i == 0) BIO_printf(bio_err, "verify failure\n");
else BIO_printf(bio_err, "verify OK\n");
}
if (num)
{
for (i=1; i<=num; i++)
{
if (issuer == i)
{
X509_NAME_oneline(X509_CRL_get_issuer(x),
buf,256);
BIO_printf(bio_out,"issuer= %s\n",buf);
}
if (hash == i)
{
BIO_printf(bio_out,"%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
if (lastupdate == i)
{
BIO_printf(bio_out,"lastUpdate=");
ASN1_TIME_print(bio_out,
X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out,"\n");
}
if (nextupdate == i)
{
BIO_printf(bio_out,"nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out,
X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out,"NONE");
BIO_printf(bio_out,"\n");
}
if (fingerprint == i)
{
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x,digest,md,&n))
{
BIO_printf(bio_err,"out of memory\n");
goto end;
}
BIO_printf(bio_out,"%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j=0; j<(int)n; j++)
{
BIO_printf(bio_out,"%02X%c",md[j],
(j+1 == (int)n)
?'\n':':');
}
}
}
}
out=BIO_new(BIO_s_file());
if (out == NULL)
{
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL)
{
BIO_set_fp(out,stdout,BIO_NOCLOSE);
#ifdef VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
else
{
if (BIO_write_filename(out,outfile) <= 0)
{
perror(outfile);
goto end;
}
}
if (text) X509_CRL_print(out, x);
if (noout) goto end;
if (outformat == FORMAT_ASN1)
i=(int)i2d_X509_CRL_bio(out,x);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_X509_CRL(out,x);
else
{
BIO_printf(bio_err,"bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err,"unable to write CRL\n");
goto end;
}
ret=0;
end:
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out=NULL;
X509_CRL_free(x);
if(store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
EXIT(ret);
}
int crl_main(int argc, char **argv)
{
X509_CRL *x = NULL;
BIO *out = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
const EVP_MD *digest = EVP_sha1();
unsigned long nmflag = 0;
char nmflag_set = 0;
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
char *CAfile = NULL, *CApath = NULL, *prog;
OPTION_CHOICE o;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
int i;
#ifndef OPENSSL_NO_MD5
int hash_old = 0;
#endif
prog = opt_init(argc, argv, crl_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(crl_options);
ret = 0;
goto end;
case OPT_INFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
goto opthelp;
break;
case OPT_IN:
infile = opt_arg();
break;
case OPT_OUTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
goto opthelp;
break;
case OPT_OUT:
outfile = opt_arg();
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
goto opthelp;
break;
case OPT_KEY:
keyfile = opt_arg();
break;
case OPT_GENDELTA:
crldiff = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
do_ver = 1;
break;
case OPT_CAFILE:
CAfile = opt_arg();
do_ver = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_HASH_OLD:
#ifndef OPENSSL_NO_MD5
hash_old = ++num;
#endif
break;
case OPT_VERIFY:
do_ver = 1;
break;
case OPT_TEXT:
text = 1;
break;
case OPT_HASH:
hash = ++num;
break;
case OPT_ISSUER:
issuer = ++num;
break;
case OPT_LASTUPDATE:
lastupdate = ++num;
break;
case OPT_NEXTUPDATE:
nextupdate = ++num;
break;
case OPT_NOOUT:
noout = ++num;
break;
case OPT_FINGERPRINT:
fingerprint = ++num;
break;
case OPT_CRLNUMBER:
crlnumber = ++num;
break;
case OPT_BADSIG:
badsig = 1;
break;
case OPT_NAMEOPT:
nmflag_set = 1;
if (!set_name_ex(&nmflag, opt_arg()))
goto opthelp;
break;
case OPT_MD:
if (!opt_md(opt_unknown(), &digest))
goto opthelp;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (!nmflag_set)
nmflag = XN_FLAG_ONELINE;
x = load_crl(infile, informat);
if (x == NULL)
goto end;
if (do_ver) {
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
goto end;
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
goto end;
}
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if (i <= 0) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get0_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
if (i < 0)
goto end;
if (i == 0)
BIO_printf(bio_err, "verify failure\n");
else
BIO_printf(bio_err, "verify OK\n");
}
if (crldiff) {
X509_CRL *newcrl, *delta;
if (!keyfile) {
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
newcrl = load_crl(crldiff, informat);
if (!newcrl)
goto end;
pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
if (!pkey) {
X509_CRL_free(newcrl);
goto end;
}
delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
X509_CRL_free(newcrl);
EVP_PKEY_free(pkey);
if (delta) {
X509_CRL_free(x);
x = delta;
} else {
BIO_puts(bio_err, "Error creating delta CRL\n");
goto end;
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
nmflag);
}
if (crlnumber == i) {
ASN1_INTEGER *crlnum;
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
} else
BIO_puts(bio_out, "<NONE>");
BIO_printf(bio_out, "\n");
}
if (hash == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
}
if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x, digest, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
}
}
out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
goto end;
if (text)
X509_CRL_print(out, x);
if (noout) {
ret = 0;
goto end;
}
if (badsig) {
ASN1_BIT_STRING *sig;
unsigned char *psig;
X509_CRL_get0_signature(&sig, NULL, x);
psig = ASN1_STRING_data(sig);
psig[ASN1_STRING_length(sig) - 1] ^= 0x1;
}
if (outformat == FORMAT_ASN1)
i = (int)i2d_X509_CRL_bio(out, x);
else
i = PEM_write_bio_X509_CRL(out, x);
if (!i) {
BIO_printf(bio_err, "unable to write CRL\n");
goto end;
}
ret = 0;
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
X509_CRL_free(x);
if (store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
return (ret);
}
int X509_CRL_print(BIO *out, X509_CRL *x)
{
char buf[256];
unsigned char *s;
STACK_OF(X509_REVOKED) *rev;
X509_REVOKED *r;
long l;
int i, j, n;
BIO_printf(out, "Certificate Revocation List (CRL):\n");
l = X509_CRL_get_version(x);
BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l+1, l);
i = OBJ_obj2nid(x->sig_alg->algorithm);
BIO_printf(out, "%8sSignature Algorithm: %s\n", "",
(i == NID_undef) ? "NONE" : OBJ_nid2ln(i));
X509_NAME_oneline(X509_CRL_get_issuer(x),buf,256);
BIO_printf(out,"%8sIssuer: %s\n","",buf);
BIO_printf(out,"%8sLast Update: ","");
ASN1_TIME_print(out,X509_CRL_get_lastUpdate(x));
BIO_printf(out,"\n%8sNext Update: ","");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(out,X509_CRL_get_nextUpdate(x));
else BIO_printf(out,"NONE");
BIO_printf(out,"\n");
n=X509_CRL_get_ext_count(x);
if (n > 0) {
BIO_printf(out,"%8sCRL extensions:\n","");
for (i=0; i<n; i++) ext_print(out, X509_CRL_get_ext(x, i));
}
rev = X509_CRL_get_REVOKED(x);
if(sk_X509_REVOKED_num(rev))
BIO_printf(out, "Revoked Certificates:\n");
else BIO_printf(out, "No Revoked Certificates.\n");
for(i = 0; i < sk_X509_REVOKED_num(rev); i++) {
r = sk_X509_REVOKED_value(rev, i);
BIO_printf(out," Serial Number: ");
i2a_ASN1_INTEGER(out,r->serialNumber);
BIO_printf(out,"\n Revocation Date: ","");
ASN1_TIME_print(out,r->revocationDate);
BIO_printf(out,"\n");
for(j = 0; j < X509_REVOKED_get_ext_count(r); j++)
ext_print(out, X509_REVOKED_get_ext(r, j));
}
i=OBJ_obj2nid(x->sig_alg->algorithm);
BIO_printf(out," Signature Algorithm: %s",
(i == NID_undef)?"UNKNOWN":OBJ_nid2ln(i));
s = x->signature->data;
n = x->signature->length;
for (i=0; i<n; i++, s++)
{
if ((i%18) == 0) BIO_write(out,"\n ",9);
BIO_printf(out,"%02x%s",*s, ((i+1) == n)?"":":");
}
BIO_write(out,"\n",1);
return 1;
}
const ASN1_TIME* X509_CRL_get0_nextUpdate(const X509_CRL* crl) {
return X509_CRL_get_nextUpdate(crl);
}
const void * PKI_X509_CRL_get_data(const PKI_X509_CRL * x,
PKI_X509_DATA type ) {
const void *ret = NULL;
PKI_X509_CRL_VALUE *tmp_x = NULL;
if (!x || !x->value) return NULL;
tmp_x = x->value;
switch( type ) {
case PKI_X509_DATA_VERSION:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
ret = (tmp_x)->crl.version;
#else
ret = (tmp_x)->crl->version;
#endif
// ret = X509_CRL_get_version((X509_CRL *) x);
break;
case PKI_X509_DATA_ISSUER:
ret = X509_CRL_get_issuer ((X509_CRL *) tmp_x);
break;
case PKI_X509_DATA_NOTAFTER:
case PKI_X509_DATA_NEXTUPDATE:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
ret = X509_CRL_get0_nextUpdate ((X509_CRL *) tmp_x);
#else
ret = X509_CRL_get_nextUpdate ((X509_CRL *) tmp_x);
#endif
break;
case PKI_X509_DATA_NOTBEFORE:
case PKI_X509_DATA_LASTUPDATE:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
ret = X509_CRL_get0_lastUpdate ((X509_CRL *) tmp_x);
#else
ret = X509_CRL_get_lastUpdate ((X509_CRL *) tmp_x);
#endif
break;
case PKI_X509_DATA_EXTENSIONS:
// ret = X509_CRL_get_extensions((X509_CRL *) x );
PKI_log_debug("To Be implemented!");
ret = NULL;
// ret = X509_CRL_get_algor((X509_CRL *) x );
break;
case PKI_X509_DATA_SIGNATURE:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
X509_CRL_get0_signature((X509_CRL *)tmp_x,
(const ASN1_BIT_STRING **)&ret, NULL);
#else
ret = tmp_x->signature;
#endif
// ret = tmp_x->signature;
// ret = X509_CRL_get_signature ((X509_CRL *) x);
break;
case PKI_X509_DATA_SIGNATURE_ALG1:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
// X509_CRL_get0_signature((X509_CRL *)tmp_x,
// NULL, (const X509_ALGOR **)&ret);
ret = &(((PKI_X509_CRL_FULL *)tmp_x)->crl.sig_alg);
#else
if (tmp_x->crl) ret = tmp_x->crl->sig_alg;
#endif
break;
case PKI_X509_DATA_ALGORITHM:
case PKI_X509_DATA_SIGNATURE_ALG2:
#if OPENSSL_VERSION_NUMBER > 0x1010000fL
X509_CRL_get0_signature((X509_CRL *)tmp_x,
NULL, (const X509_ALGOR **)&ret);
#else
ret = tmp_x->sig_alg;
#endif
break;
default:
/* Not Recognized/Supported DATATYPE */
return (NULL);
}
return (ret);
}
static LUA_FUNCTION(openssl_crl_parse)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
int utf8 = lua_isnoneornil(L, 2) ? 1 : lua_toboolean(L, 2);
int n, i;
lua_newtable(L);
AUXILIAR_SET(L, -1, "version", X509_CRL_get_version(crl), integer);
/* hash as used in CA directories to lookup cert by subject name */
{
char buf[32];
snprintf(buf, sizeof(buf), "%08lx", X509_NAME_hash(X509_CRL_get_issuer(crl)));
AUXILIAR_SET(L, -1, "hash", buf, string);
}
{
const EVP_MD *digest = EVP_get_digestbyname("sha1");
unsigned char md[EVP_MAX_MD_SIZE];
int n = sizeof(md);
if (X509_CRL_digest(crl, digest, md, (unsigned int*)&n))
{
lua_newtable(L);
AUXILIAR_SET(L, -1, "alg", OBJ_nid2sn(EVP_MD_type(digest)), string);
AUXILIAR_SETLSTR(L, -1, "hash", (const char*)md, n);
lua_setfield(L, -2, "fingerprint");
}
}
openssl_push_xname_asobject(L, X509_CRL_get_issuer(crl));
lua_setfield(L, -2, "issuer");
PUSH_ASN1_TIME(L,X509_CRL_get_lastUpdate(crl));
lua_setfield(L, -2, "lastUpdate");
PUSH_ASN1_TIME(L,X509_CRL_get_nextUpdate(crl));
lua_setfield(L, -2, "nextUpdate");
openssl_push_x509_algor(L, crl->crl->sig_alg);
lua_setfield(L, -2, "sig_alg");
PUSH_ASN1_INTEGER(L, X509_CRL_get_ext_d2i(crl, NID_crl_number, NULL, NULL));
lua_setfield(L, -2, "crl_number");
PUSH_OBJECT(sk_X509_EXTENSION_dup(crl->crl->extensions),"openssl.stack_of_x509_extension");
lua_setfield(L, -2, "extensions");
n = sk_X509_REVOKED_num(crl->crl->revoked);
lua_newtable(L);
for (i = 0; i < n; i++)
{
X509_REVOKED *revoked = sk_X509_REVOKED_value(crl->crl->revoked, i);
lua_newtable(L);
#if OPENSSL_VERSION_NUMBER > 0x10000000L
AUXILIAR_SET(L, -1, "CRLReason", reason_flags[revoked->reason].lname, string);
#else
{
int crit = 0;
void* reason = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, &crit, NULL);
AUXILIAR_SET(L, -1, "CRLReason", reason_flags[ASN1_ENUMERATED_get(reason)].lname, string);
ASN1_ENUMERATED_free(reason);
}
#endif
PUSH_ASN1_INTEGER(L, revoked->serialNumber);
lua_setfield(L,-2, "serialNumber");
PUSH_ASN1_TIME(L, revoked->revocationDate);
lua_setfield(L,-2, "revocationDate");
PUSH_OBJECT(sk_X509_EXTENSION_dup(revoked->extensions),"openssl.stack_of_x509_extension");
lua_setfield(L,-2, "extensions");
lua_rawseti(L, -2, i + 1);
}
lua_setfield(L, -2, "revoked");
return 1;
}
int
crl_main(int argc, char **argv)
{
unsigned long nmflag = 0;
X509_CRL *x = NULL;
int ret = 1, i;
BIO *out = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
const EVP_MD *digest;
char *digest_name = NULL;
if (single_execution) {
if (pledge("stdio cpath wpath rpath", NULL) == -1) {
perror("pledge");
exit(1);
}
}
if (bio_out == NULL) {
if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
}
}
digest = EVP_sha256();
memset(&crl_config, 0, sizeof(crl_config));
crl_config.informat = FORMAT_PEM;
crl_config.outformat = FORMAT_PEM;
if (options_parse(argc, argv, crl_options, &digest_name, NULL) != 0) {
crl_usage();
goto end;
}
if (crl_config.cafile != NULL || crl_config.capath != NULL)
crl_config.verify = 1;
if (crl_config.nameopt != NULL) {
if (set_name_ex(&nmflag, crl_config.nameopt) != 1) {
fprintf(stderr,
"Invalid -nameopt argument '%s'\n",
crl_config.nameopt);
goto end;
}
}
if (digest_name != NULL) {
if ((digest = EVP_get_digestbyname(digest_name)) == NULL) {
fprintf(stderr,
"Unknown message digest algorithm '%s'\n",
digest_name);
goto end;
}
}
x = load_crl(crl_config.infile, crl_config.informat);
if (x == NULL)
goto end;
if (crl_config.verify) {
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_load_file(lookup, crl_config.cafile,
X509_FILETYPE_PEM))
X509_LOOKUP_load_file(lookup, NULL,
X509_FILETYPE_DEFAULT);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_add_dir(lookup, crl_config.capath,
X509_FILETYPE_PEM))
X509_LOOKUP_add_dir(lookup, NULL,
X509_FILETYPE_DEFAULT);
ERR_clear_error();
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
BIO_printf(bio_err,
"Error initialising X509 store\n");
goto end;
}
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if (i <= 0) {
BIO_printf(bio_err,
"Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err,
"Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
EVP_PKEY_free(pkey);
if (i < 0)
goto end;
if (i == 0)
BIO_printf(bio_err, "verify failure\n");
else
BIO_printf(bio_err, "verify OK\n");
}
/* Print requested information the order that the flags were given. */
for (i = 1; i <= argc; i++) {
if (crl_config.issuer == i) {
print_name(bio_out, "issuer=",
X509_CRL_get_issuer(x), nmflag);
}
if (crl_config.crlnumber == i) {
ASN1_INTEGER *crlnum;
crlnum = X509_CRL_get_ext_d2i(x,
NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
} else
BIO_puts(bio_out, "<NONE>");
BIO_printf(bio_out, "\n");
}
if (crl_config.hash == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (crl_config.hash_old == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (crl_config.lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out,
X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (crl_config.nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out,
X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
}
if (crl_config.fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x, digest, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j = 0; j < (int) n; j++) {
BIO_printf(bio_out, "%02X%c", md[j],
(j + 1 == (int)n) ? '\n' : ':');
}
}
}
out = BIO_new(BIO_s_file());
if (out == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (crl_config.outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
} else {
if (BIO_write_filename(out, crl_config.outfile) <= 0) {
perror(crl_config.outfile);
goto end;
}
}
if (crl_config.text)
X509_CRL_print(out, x);
if (crl_config.noout) {
ret = 0;
goto end;
}
if (crl_config.outformat == FORMAT_ASN1)
i = (int) i2d_X509_CRL_bio(out, x);
else if (crl_config.outformat == FORMAT_PEM)
i = PEM_write_bio_X509_CRL(out, x);
else {
BIO_printf(bio_err,
"bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write CRL\n");
goto end;
}
ret = 0;
end:
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out = NULL;
X509_CRL_free(x);
if (store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
return (ret);
}
int MAIN(int argc, char **argv)
{
unsigned long nmflag = 0;
X509_CRL *x = NULL;
char *CAfile = NULL, *CApath = NULL;
int ret = 1, i, num, badops = 0, badsig = 0;
BIO *out = NULL;
int informat, outformat, keyformat;
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
0, text = 0;
#ifndef OPENSSL_NO_MD5
int hash_old = 0;
#endif
int fingerprint = 0, crlnumber = 0;
const char **pp;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
int do_ver = 0;
const EVP_MD *md_alg, *digest = EVP_sha1();
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
if (bio_out == NULL)
if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
}
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
keyformat = FORMAT_PEM;
argc--;
argv++;
num = 0;
while (argc >= 1) {
#ifdef undef
if (sgx_strcmp(*argv, "-p") == 0) {
if (--argc < 1)
goto bad;
if (!args_from_file(++argv, Nargc, Nargv)) {
goto end;
}
*/}
#endif
if (sgx_strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (sgx_strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (sgx_strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (sgx_strcmp(*argv, "-gendelta") == 0) {
if (--argc < 1)
goto bad;
crldiff = *(++argv);
} else if (sgx_strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
keyfile = *(++argv);
} else if (sgx_strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
goto bad;
keyformat = str2fmt(*(++argv));
} else if (sgx_strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (sgx_strcmp(*argv, "-CApath") == 0) {
if (--argc < 1)
goto bad;
CApath = *(++argv);
do_ver = 1;
} else if (sgx_strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
do_ver = 1;
} else if (sgx_strcmp(*argv, "-verify") == 0)
do_ver = 1;
else if (sgx_strcmp(*argv, "-text") == 0)
text = 1;
else if (sgx_strcmp(*argv, "-hash") == 0)
hash = ++num;
#ifndef OPENSSL_NO_MD5
else if (sgx_strcmp(*argv, "-hash_old") == 0)
hash_old = ++num;
#endif
else if (sgx_strcmp(*argv, "-nameopt") == 0) {
if (--argc < 1)
goto bad;
if (!set_name_ex(&nmflag, *(++argv)))
goto bad;
} else if (sgx_strcmp(*argv, "-issuer") == 0)
issuer = ++num;
else if (sgx_strcmp(*argv, "-lastupdate") == 0)
lastupdate = ++num;
else if (sgx_strcmp(*argv, "-nextupdate") == 0)
nextupdate = ++num;
else if (sgx_strcmp(*argv, "-noout") == 0)
noout = ++num;
else if (sgx_strcmp(*argv, "-fingerprint") == 0)
fingerprint = ++num;
else if (sgx_strcmp(*argv, "-crlnumber") == 0)
crlnumber = ++num;
else if (sgx_strcmp(*argv, "-badsig") == 0)
badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
for (pp = crl_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
ERR_load_crypto_strings();
x = load_crl(infile, informat);
if (x == NULL) {
goto end;
}
if (do_ver) {
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
ERR_clear_error();
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
goto end;
}
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if (i <= 0) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
EVP_PKEY_free(pkey);
if (i < 0)
goto end;
if (i == 0)
BIO_printf(bio_err, "verify failure\n");
else
BIO_printf(bio_err, "verify OK\n");
}
if (crldiff) {
X509_CRL *newcrl, *delta;
if (!keyfile) {
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
newcrl = load_crl(crldiff, informat);
if (!newcrl)
goto end;
pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
"CRL signing key");
if (!pkey) {
X509_CRL_free(newcrl);
goto end;
}
delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
X509_CRL_free(newcrl);
EVP_PKEY_free(pkey);
if (delta) {
X509_CRL_free(x);
x = delta;
} else {
BIO_puts(bio_err, "Error creating delta CRL\n");
goto end;
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
nmflag);
}
if (crlnumber == i) {
ASN1_INTEGER *crlnum;
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
} else
BIO_puts(bio_out, "<NONE>");
BIO_printf(bio_out, "\n");
}
if (hash == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
}
if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x, digest, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
}
}
out = BIO_new(BIO_s_file());
if (out == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (text)
X509_CRL_print(out, x);
if (noout) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = (int)i2d_X509_CRL_bio(out, x);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_X509_CRL(out, x);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write CRL\n");
goto end;
}
ret = 0;
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out = NULL;
X509_CRL_free(x);
if (store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
/* based on the code of stunnel utility */
int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) {
X509_STORE* store;
X509_STORE_CTX store_ctx;
X509_OBJECT obj;
X509_NAME* subject;
X509_NAME* issuer;
X509* cert;
X509_CRL* crl;
X509_REVOKED* revoked;
EVP_PKEY* pubkey;
int i, n, rc;
ASN1_TIME* next_update = NULL;
if (!preverify_ok) {
return 0;
}
if ((store = pthread_getspecific(tls_store_key)) == NULL) {
ERROR("Failed to get thread-specific X509 store");
return 1; /* fail */
}
cert = X509_STORE_CTX_get_current_cert(x509_ctx);
subject = X509_get_subject_name(cert);
issuer = X509_get_issuer_name(cert);
/* try to retrieve a CRL corresponding to the _subject_ of
* the current certificate in order to verify it's integrity */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, store, NULL, NULL);
rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, subject, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl = obj.data.crl;
if (rc > 0 && crl) {
next_update = X509_CRL_get_nextUpdate(crl);
/* verify the signature on this CRL */
pubkey = X509_get_pubkey(cert);
if (X509_CRL_verify(crl, pubkey) <= 0) {
X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
X509_OBJECT_free_contents(&obj);
if (pubkey) {
EVP_PKEY_free(pubkey);
}
return 0; /* fail */
}
if (pubkey) {
EVP_PKEY_free(pubkey);
}
/* check date of CRL to make sure it's not expired */
if (!next_update) {
X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
X509_OBJECT_free_contents(&obj);
return 0; /* fail */
}
if (X509_cmp_current_time(next_update) < 0) {
X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CRL_HAS_EXPIRED);
X509_OBJECT_free_contents(&obj);
return 0; /* fail */
}
X509_OBJECT_free_contents(&obj);
}
/* try to retrieve a CRL corresponding to the _issuer_ of
* the current certificate in order to check for revocation */
memset((char *)&obj, 0, sizeof obj);
X509_STORE_CTX_init(&store_ctx, store, NULL, NULL);
rc = X509_STORE_get_by_subject(&store_ctx, X509_LU_CRL, issuer, &obj);
X509_STORE_CTX_cleanup(&store_ctx);
crl = obj.data.crl;
if (rc > 0 && crl) {
/* check if the current certificate is revoked by this CRL */
n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
for (i = 0; i < n; i++) {
revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
ERROR("Certificate revoked");
X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_CERT_REVOKED);
X509_OBJECT_free_contents(&obj);
return 0; /* fail */
}
}
X509_OBJECT_free_contents(&obj);
}
return 1; /* success */
}
ASN1_TIME* HsOpenSSL_X509_CRL_get_nextUpdate(X509_CRL* crl) {
return X509_CRL_get_nextUpdate(crl);
}
