void CA_LIST_ENTRY_free ( CA_LIST_ENTRY *ca ) { if ( !ca ) return; if ( ca->ca_id ) { PKI_log(PKI_LOG_INFO, "MEM::Freeing %s CA config", ca->ca_id ); PKI_Free ( ca->ca_id ); } if ( ca->ca_cert ) PKI_X509_CERT_free ( ca->ca_cert ); if ( ca->cid ) CA_ENTRY_CERTID_free ( ca->cid ); if ( ca->ca_url ) URL_free ( ca->ca_url ); if ( ca->crl_url ) URL_free ( ca->crl_url ); if ( ca->crl_list ) { X509_REVOKED *r = NULL; while ((r = sk_X509_REVOKED_pop ( ca->crl_list )) != NULL) { X509_REVOKED_free ( r ); } } if ( ca->nextUpdate ) PKI_TIME_free ( ca->nextUpdate ); if ( ca->lastUpdate ) PKI_TIME_free ( ca->lastUpdate ); if ( ca->token_name ) PKI_Free ( ca->token_name ); if ( ca->token ) PKI_TOKEN_free ( ca->token ); PKI_Free ( ca ); return; }
int PKI_X509_OCSP_RESP_add ( PKI_X509_OCSP_RESP *resp, OCSP_CERTID *cid, PKI_OCSP_CERTSTATUS status, PKI_TIME *revokeTime, PKI_TIME *thisUpdate, PKI_TIME *nextUpdate, PKI_X509_CRL_REASON reason, PKI_X509_EXTENSION *invalidityDate ) { OCSP_SINGLERESP *single = NULL; PKI_TIME *myThisUpdate = NULL; PKI_OCSP_RESP *r = NULL; if ( !resp || !resp->value || !cid ) return ( PKI_ERR ); r = resp->value; if( !r->bs ) { // Creates the basic response object if ((r->bs = OCSP_BASICRESP_new()) == NULL) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return PKI_ERR; } } if (thisUpdate == NULL ) { myThisUpdate = X509_gmtime_adj(NULL,0); } else { myThisUpdate = PKI_TIME_dup(thisUpdate); } if((single = OCSP_basic_add1_status(r->bs, cid, status, reason, revokeTime, myThisUpdate, nextUpdate))== NULL) { PKI_log_err ("Can not create basic entry!"); return ( PKI_ERR ); } if (myThisUpdate) PKI_TIME_free(myThisUpdate); if (invalidityDate) { if (!OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invalidityDate, 0, 0)) { PKI_log_err("Can not create extension entry for response!"); return PKI_ERR; } } return PKI_OK; }
static void _pki_stderr_add( int level, const char *fmt, va_list ap ) { PKI_TIME *now = NULL; now = PKI_TIME_new(0); /* Let's print the log entry */ fprintf ( stderr, "%s [%d] %s: ", PKI_TIME_get_parsed( (PKI_TIME *) now ), getpid(), _get_info_string( level )); vfprintf( stderr, fmt, ap ); fprintf ( stderr, "\n" ); PKI_TIME_free( now ); return; }
static void _pki_file_add( int level, const char *fmt, va_list ap ) { int fd = 0; FILE *file = NULL; PKI_TIME *now = NULL; if( ! _log_st.resource ) return; if(( fd = open( _log_st.resource, O_RDWR|O_APPEND|O_CREAT, S_IRUSR | S_IWUSR )) == -1 ) { /* Error! */ return; } if(( file = fdopen( fd, "a+")) == NULL ) { /* Error!!! */ fprintf( stderr, "DEBUG::ERROR, can not open log file!\n"); return; } now = PKI_TIME_new(0); /* Let's print the log entry */ fprintf ( file, "%s [%d]: %s: ", PKI_TIME_get_parsed( (PKI_TIME *) now ), getpid(), _get_info_string( level )); vfprintf( file, fmt, ap ); fprintf ( file, "\n"); PKI_TIME_free( now ); /* Now close the file stream */ fclose( file ); /* Do we need to also close the fd ? */ close ( fd ); return; }
PKI_X509_CRL *PKI_X509_CRL_new(const PKI_X509_KEYPAIR *k, const PKI_X509_CERT *cert, const char * crlNumber_s, unsigned long validity, const PKI_X509_CRL_ENTRY_STACK *sk, const PKI_X509_PROFILE *profile, const PKI_CONFIG *oids, HSM *hsm) { PKI_X509_CRL *ret = NULL; PKI_X509_CRL_VALUE *val = NULL; ASN1_INTEGER *crlNumber = NULL; ASN1_TIME *time = NULL; int rv = PKI_OK; int i = 0; char * tmp_s = NULL; PKI_X509_CRL_ENTRY *entry = NULL; PKI_DIGEST_ALG *dgst = NULL; long long lastUpdateVal = 0; long long nextUpdateVal = 0; /* Checks for the Key and its internal value */ if( !k || !k->value ) return NULL; /* checks for the certificate and its internal value */ if( !cert || !cert->value ) return ( NULL ); if(( ret = PKI_X509_CRL_new_null()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); goto err; } /* Alloc memory structure for the Certificate */ if((ret->value = ret->cb->create()) == NULL ) { PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL); goto err; } val = ret->value; if ( !crlNumber_s && profile ) { if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/crlNumber")) != NULL ) { crlNumber = PKI_INTEGER_new_char ( tmp_s ); PKI_Free ( tmp_s ); }; } else if ( crlNumber_s ) { crlNumber = PKI_INTEGER_new_char( crlNumber_s ); // Let's add the CRLSerial extension X509_CRL_add1_ext_i2d(val, NID_crl_number, crlNumber, 0, 0); }; /* Set the start date (notBefore) */ if (profile) { int years = 0; int days = 0; int hours = 0; int mins = 0; int secs = 0; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/years")) != NULL ) { years = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/days")) != NULL ) { days = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/hours")) != NULL ) { hours = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/minutes")) != NULL ) { mins = atoi( tmp_s ); PKI_Free ( tmp_s ); }; if(( tmp_s = PKI_CONFIG_get_value( profile, "/profile/notBefore/minutes")) != NULL ) { secs = atoi( tmp_s ); PKI_Free ( tmp_s ); }; lastUpdateVal = secs + ( mins * 60 ) + ( hours * 3600 ) + ( days * 3600 * 24 ) + ( years * 3600 * 24 * 365 ); } else { // Sets lastUpdate to current time lastUpdateVal = 0; }; if ( profile && validity <= 0 ) { long long years = 0; long long days = 0; long long hours = 0; long long mins = 0; long long secs = 0; if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/years")) != NULL ) { years = atoll( tmp_s ); PKI_Free(tmp_s); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/days")) != NULL ) { days = atoll( tmp_s ); PKI_Free( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/hours")) != NULL ) { hours = atoll( tmp_s ); PKI_Free( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/mins")) != NULL ) { mins = atoll( tmp_s ); PKI_Free ( tmp_s ); } if((tmp_s = PKI_CONFIG_get_value ( profile, "/profile/validity/secs")) != NULL ) { secs = atoll( tmp_s ); PKI_Free ( tmp_s ); } nextUpdateVal = secs + 60 * ( mins + 60 * (hours + 24 * ( days + 365 * years ) ) ); } else { nextUpdateVal = (long long) validity; }; /* Generates a new time for lastUpdate field */ if((time = PKI_TIME_new( lastUpdateVal )) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); goto err; }; /* Set the Last Update field */ if(X509_CRL_set_lastUpdate( val, time ) == 0 ) { PKI_log_err ( "ERROR, can not set lastUpdate field in CRL"); goto err; } PKI_TIME_free ( time ); time = NULL; // Memory /* Generates a new time for lastUpdate field */ if((time = PKI_TIME_new( nextUpdateVal )) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); goto err; }; /* Set the nextUpdate field */ if(X509_CRL_set_nextUpdate( val, time ) == 0 ) { PKI_log_err ( "ERROR, can not set lastUpdate field in CRL"); goto err; } PKI_TIME_free ( time ); time = NULL; // Memory /* Now we need to add the CRL issuer name and details */ if (X509_CRL_set_issuer_name( val, X509_get_subject_name(cert->value)) == 0) { PKI_log_debug( "Can not set CRL issuer name"); goto err; } if ( sk ) { /* Adds the list of revoked certificates */ for(i=0; i < PKI_STACK_X509_CRL_ENTRY_elements(sk); i++ ) { PKI_log_debug("CRL::ADDING ENTRY %d\n", i ); entry = PKI_STACK_X509_CRL_ENTRY_get_num(sk, i); if(!entry) break; X509_CRL_add0_revoked(val, entry); }; } /* Sorts the CRL entries */ X509_CRL_sort ( val ); /* if((ret = PKI_X509_new_value( PKI_DATATYPE_X509_CRL, val, hsm)) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); X509_CRL_free ( val ); return ( NULL ); } */ /* Get the extensions from the profile */ if( profile ) { PKI_TOKEN * tk; if((tk = PKI_TOKEN_new_null()) == NULL ) { PKI_log_err ( "Memory allocation failure"); PKI_X509_CRL_free ( ret ); return NULL; } PKI_TOKEN_set_cert(tk, (PKI_X509_CERT *)cert); PKI_TOKEN_set_keypair(tk, (PKI_X509_KEYPAIR *)k); if(PKI_X509_EXTENSIONS_crl_add_profile( profile, oids, ret, tk) == 0 ) { PKI_log_debug( "ERROR, can not set extensions!"); PKI_X509_CRL_free ( ret ); tk->cert = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); return ( NULL ); } tk->cert = NULL; tk->keypair = NULL; PKI_TOKEN_free ( tk ); } /* Get the Digest Algorithm */ if( (dgst = PKI_DIGEST_ALG_get_by_key( k )) == NULL ) { PKI_log_err("Can not get digest algor from keypair!"); goto err; } rv = PKI_X509_sign ( ret, dgst, k ); if ( rv == PKI_ERR ) { PKI_log_debug ("ERROR, can not sign CRL!"); goto err; } return( ret ); err: if ( time ) PKI_TIME_free ( time ); if ( ret ) PKI_X509_CRL_free ( ret ); return NULL; }
PKI_X509_CRL_ENTRY * PKI_X509_CRL_ENTRY_new_serial( const char *serial, PKI_X509_CRL_REASON reason, const PKI_TIME *revDate, const PKI_X509_PROFILE *profile ) { PKI_X509_CRL_ENTRY *entry = NULL; // Entry to be added to the CRL PKI_INTEGER * s_int = NULL; // ASN1 Integer PKI_TIME * a_date = NULL; // ASN1 Rev Date // Input check if (!serial) { PKI_ERROR(PKI_ERR_PARAM_NULL, "Missing serial number"); return NULL; } // Allocates the Memory for the entry if((entry = (PKI_X509_CRL_ENTRY *) X509_REVOKED_new()) == NULL ) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return NULL; } // If no revocation date is provided, let's use "now" if (!revDate && (a_date = PKI_TIME_new(0)) == NULL) { // Can not allocate the revocation date time PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return NULL; } else { // Gets the Pointer from the caller a_date = (PKI_TIME *)revDate; } // Generates the integer carrying the serial number if ((s_int = PKI_INTEGER_new_char(serial)) != NULL) { // Sets the serial number in the X509_REVOKED structure if (X509_REVOKED_set_serialNumber(entry, s_int) == 1) { // Sets the revocation date if (a_date && !X509_REVOKED_set_revocationDate((X509_REVOKED *) entry, a_date)) { PKI_ERROR(PKI_ERR_GENERAL, "Can not assign revocation date"); goto err; } // All Ok here } else { // Error While assigning the serial PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not assign the serial (%s)", serial); goto err; } } else { // Error generating the ASN1 Integer PKI_ERROR(PKI_ERR_MEMORY_ALLOC, "Can not convert serial %s to Integer", serial); goto err; } if (reason != PKI_CRL_REASON_UNSPECIFIED) { int supported_reason = -1; ASN1_ENUMERATED *rtmp = ASN1_ENUMERATED_new(); switch (reason ) { case PKI_CRL_REASON_CERTIFICATE_HOLD: case PKI_CRL_REASON_HOLD_INSTRUCTION_REJECT: if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, PKI_OID_get("holdInstructionReject"), 0, 0)) { PKI_ERROR(PKI_ERR_X509_CRL, "Can not add holdInstructionReject"); goto err; } if (revDate && !X509_REVOKED_add1_ext_i2d(entry, NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) { PKI_ERROR(PKI_ERR_X509_CRL, "Can not add invalidity date"); goto err; } supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; /* --- Deprecated in RFC 5280 --- case PKI_CRL_REASON_HOLD_INSTRUCTION_NONE: if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, PKI_OID_get( "holdInstructionReject"), 0, 0)) { goto err; }; if( revDate && !X509_REVOKED_add1_ext_i2d ( entry, NID_invalidity_date, revDate, 0, 0)) { goto err; }; reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; */ case PKI_CRL_REASON_HOLD_INSTRUCTION_CALLISSUER: if (!X509_REVOKED_add1_ext_i2d( entry, NID_hold_instruction_code, PKI_OID_get( "holdInstructionCallIssuer"), 0, 0)) { goto err; } if( revDate && !X509_REVOKED_add1_ext_i2d( entry, NID_invalidity_date, (PKI_TIME *)revDate, 0, 0)) { goto err; } supported_reason = PKI_CRL_REASON_CERTIFICATE_HOLD; break; case PKI_CRL_REASON_KEY_COMPROMISE: case PKI_CRL_REASON_CA_COMPROMISE: case PKI_CRL_REASON_AFFILIATION_CHANGED: case PKI_CRL_REASON_SUPERSEDED: case PKI_CRL_REASON_CESSATION_OF_OPERATION: case PKI_CRL_REASON_REMOVE_FROM_CRL: case PKI_CRL_REASON_PRIVILEGE_WITHDRAWN: case PKI_CRL_REASON_AA_COMPROMISE: PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Not Implemented Yet %d", reason); break; default: PKI_ERROR(PKI_ERR_GENERAL, "CRL Reason Unknown %d", reason); supported_reason = -1; break; } if (supported_reason >= 0) { if (!ASN1_ENUMERATED_set(rtmp, supported_reason)) goto err; if (!X509_REVOKED_add1_ext_i2d( entry, NID_crl_reason, rtmp, 0, 0)) goto err; } /* if( reason == CRL_REASON_HOLD_INSTRUCTION ) { // if (!X509_REVOKED_add1_ext_i2d ( entry, // NID_invalidity_date, revDate, 0, 0)) { // goto err; // }; // if (!X509_REVOKED_add1_ext_i2d(entry, NID_hold_instruction_code, // PKI_OID_get( "holdInstructionReject"), 0, 0)) { // goto err; // }; }; */ } /* if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) goto err; if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) goto err; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) goto err; } if (rev && comp_time) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0)) goto err; } if (rev && hold) { if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0)) goto err; } */ // Free Allocated Memory if (s_int) PKI_INTEGER_free(s_int); if (a_date && !revDate) PKI_TIME_free(a_date); // Returns the created entry return entry; err: // Free Allocated memory if (s_int) PKI_INTEGER_free(s_int); if (a_date && !revDate) PKI_TIME_free(a_date); if (entry) X509_REVOKED_free((X509_REVOKED *) entry); // Returns null (error) return NULL; }