예제 #1
0
파일: crl.c 프로젝트: Udo/lua-openssl
static LUA_FUNCTION(openssl_crl_new)
{
  X509* x509 = lua_isnoneornil(L, 1) ? NULL : CHECK_OBJECT(1, X509, "openssl.x509");
  time_t lastUpdate = luaL_optinteger(L, 3, (lua_Integer)time(&lastUpdate));
  time_t nextUpdate = luaL_optinteger(L, 4, (lua_Integer)(lastUpdate + 7 * 24 * 3600));
  long version = luaL_optint(L, 5, 1);

  X509_CRL * crl = NULL;
  ASN1_TIME *ltm, *ntm;

  if (!lua_isnoneornil(L, 2))
    luaL_checktype(L, 2, LUA_TTABLE);

  crl = X509_CRL_new();
  X509_CRL_set_version(crl, version);
  if (x509)
    X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509));

  ltm = ASN1_TIME_new();
  ntm = ASN1_TIME_new();
  ASN1_TIME_set(ltm, lastUpdate);
  ASN1_TIME_set(ntm, nextUpdate);
  X509_CRL_set_lastUpdate(crl, ltm);
  X509_CRL_set_nextUpdate(crl, ntm);
  ASN1_TIME_free(ltm);
  ASN1_TIME_free(ntm);


  if (lua_istable(L, 2) && lua_objlen(L, 2) > 0)
  {
    int i;
    int n = lua_objlen(L, 2);

    for (i = 1; i <= n; i++)
    {
      lua_rawgeti(L, 2, i);
      if (lua_istable(L, -1))
      {
        X509_REVOKED *revoked;

        lua_getfield(L, -1, "reason");
        lua_getfield(L, -2, "time");
        lua_getfield(L, -3, "sn");

        revoked = create_revoked(L, BN_get(L, -1), lua_tointeger(L, -2), reason_get(L, -3));
        if (revoked)
        {
          X509_CRL_add0_revoked(crl, revoked);
        }
        lua_pop(L, 3);
      }
      lua_pop(L, 1);
    }
  }

  PUSH_OBJECT(crl, "openssl.x509_crl");
  return 1;
}
예제 #2
0
static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
    X509_CRL *crl;
    ASN1_TIME *asn1time;

    GetX509CRL(self, crl);
    asn1time = ossl_x509_time_adjust(NULL, time);
    if (!X509_CRL_set_nextUpdate(crl, asn1time)) {
	ASN1_TIME_free(asn1time);
	ossl_raise(eX509CRLError, "X509_CRL_set_nextUpdate");
    }
    ASN1_TIME_free(asn1time);

    return time;
}
예제 #3
0
static LUA_FUNCTION(openssl_crl_updateTime)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  if (lua_isnone(L, 2))
  {
    ASN1_TIME *ltm, *ntm;
    ltm = X509_CRL_get_lastUpdate(crl);
    ntm = X509_CRL_get_nextUpdate(crl);
    PUSH_ASN1_TIME(L, ltm);
    PUSH_ASN1_TIME(L, ntm);
    return 2;
  }
  else
  {
    ASN1_TIME *ltm, *ntm;
    int ret = 0;

    time_t last, next;

    if (lua_gettop(L) == 2)
    {
      time(&last);
      next = last + luaL_checkint(L, 2);
    }
    else
    {
      last = luaL_checkint(L, 2);
      next = last + luaL_checkint(L, 3);
      luaL_argcheck(L, next > last, 3, "value must after #2");
    }

    ltm = ASN1_TIME_new();
    ASN1_TIME_set(ltm, last);
    ntm = ASN1_TIME_new();
    ASN1_TIME_set(ntm, next);
    ret = X509_CRL_set_lastUpdate(crl, ltm);
    if (ret == 1)
      ret = X509_CRL_set_nextUpdate(crl, ntm);
    ASN1_TIME_free(ltm);
    ASN1_TIME_free(ntm);
    openssl_pushresult(L, ret);
    return 1;
  }
}
예제 #4
0
static LUA_FUNCTION(openssl_crl_nextUpdate)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  if (lua_isnone(L, 2))
  {
    ASN1_TIME *tm = X509_CRL_get_nextUpdate(crl);
    PUSH_ASN1_TIME(L, tm);
    return 1;
  }
  else
  {
    int ret;
    time_t time = luaL_checkint(L, 2);
    ASN1_TIME *tm = ASN1_TIME_new();
    ASN1_TIME_set(tm, time);

    ret = X509_CRL_set_nextUpdate(crl, tm);
    ASN1_TIME_free(tm);
    return openssl_pushresult(L, ret);
  }
}
예제 #5
0
파일: crl.c 프로젝트: Udo/lua-openssl
static LUA_FUNCTION(openssl_crl_set_updatetime)
{
  X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
  ASN1_TIME *ltm, *ntm;
  int ret = 0;

  time_t last, next;
  time(&last);
  last = luaL_optinteger(L, 2, (lua_Integer)last);
  next = luaL_optinteger(L, 3, (lua_Integer)last + 7 * 24 * 3600);

  ltm = ASN1_TIME_new();
  ASN1_TIME_set(ltm, last);
  ntm = ASN1_TIME_new();
  ASN1_TIME_set(ntm, next);

  ret = X509_CRL_set_lastUpdate(crl, ltm);
  if (ret == 1)
    ret = X509_CRL_set_nextUpdate(crl, ntm);
  ASN1_TIME_free(ltm);
  ASN1_TIME_free(ntm);
  lua_pushboolean(L, ret);
  return 1;
}
예제 #6
0
void openssl_x509_crl()
{
	RSA *r;
	BIO *bp;
	int len;
	FILE *fp;
	BIGNUM *bne;
	X509_CRL *crl;
	EVP_PKEY *pkey;
	X509_NAME *issuer;
	ASN1_INTEGER *serial;
	X509_REVOKED *revoked;
	ASN1_TIME *lastUpdate, *nextUpdate, *rvTime;
	unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert";

	printf("\nX509_CRL info:\n");
	bne = BN_new();
	BN_set_word(bne, RSA_3);
	r = RSA_new();
	RSA_generate_key_ex(r, MAX1_LEN, bne, NULL);
	pkey = EVP_PKEY_new();
	EVP_PKEY_assign_RSA(pkey, r);

	crl = X509_CRL_new();
	X509_CRL_set_version(crl, 3);

	issuer = X509_NAME_new();
	X509_NAME_add_entry_by_NID(issuer, NID_commonName,
								V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0);
	X509_CRL_set_issuer_name(crl, issuer);

	lastUpdate = ASN1_TIME_new();
	ASN1_TIME_set(lastUpdate, time(NULL));
	X509_CRL_set_lastUpdate(crl, lastUpdate);

	nextUpdate = ASN1_TIME_new();
	ASN1_TIME_set(nextUpdate, time(NULL) + 1280);
	X509_CRL_set_nextUpdate(crl, nextUpdate);

	revoked = X509_REVOKED_new();
	serial = ASN1_INTEGER_new();
	ASN1_INTEGER_set(serial, 1280);
	X509_REVOKED_set_serialNumber(revoked, serial);

	rvTime = ASN1_TIME_new();
	ASN1_TIME_set(rvTime, time(NULL) + 2000);
	X509_CRL_set_nextUpdate(crl, rvTime);
	X509_REVOKED_set_revocationDate(revoked, rvTime);

	X509_CRL_add0_revoked(crl, revoked);
	X509_CRL_sort(crl);
	X509_CRL_sign(crl, pkey, EVP_md5());

	bp = BIO_new(BIO_s_file());
	BIO_set_fp(bp, stdout, BIO_NOCLOSE);
	X509_CRL_print(bp, crl);
	len = i2d_X509_CRL(crl, NULL);
	buf = (unsigned char *)malloc(len + 10);
	p = buf;
	len = i2d_X509_CRL(crl, &p);
	fp = fopen("/tmp/crl.crl", "wb");
	fwrite(buf, 1, len, fp);
	fclose(fp);

	free(buf);
	BIO_free(bp);
	X509_CRL_free(crl);
}
예제 #7
0
static LUA_FUNCTION(openssl_crl_new)
{
  int i;
  int n = lua_gettop(L);
  X509_CRL * crl = X509_CRL_new();
  int ret = X509_CRL_set_version(crl, 0);
  X509* cacert = NULL;
  EVP_PKEY* capkey = NULL;
  const EVP_MD* md = NULL;
  int step;

  for (i = 1; ret == 1 && i <= n; i++)
  {
    if (i == 1)
    {
      luaL_argcheck(L, lua_istable(L, 1), 1, "must be table contains rovked entry table{reason,time,sn}");
      if (lua_rawlen(L, i) > 0)
      {
        int j, m;
        m = lua_rawlen(L, i);

        for (j = 1; ret == 1 && j <= m; j++)
        {
          X509_REVOKED *revoked;
          BIGNUM* sn;
          lua_rawgeti(L, i, j);
          luaL_checktable(L, -1);

          lua_getfield(L, -1, "reason");
          lua_getfield(L, -2, "time");
          lua_getfield(L, -3, "sn");
          sn = BN_get(L, -1);
          revoked = create_revoked(sn, lua_tointeger(L, -2), reason_get(L, -3));
          if (revoked)
          {
            ret = X509_CRL_add0_revoked(crl, revoked);
          }
          BN_free(sn);
          lua_pop(L, 3);
          lua_pop(L, 1);
        };
      }
    };
    if (i == 2)
    {
      cacert = CHECK_OBJECT(2, X509, "openssl.x509");
      ret = X509_CRL_set_issuer_name(crl, X509_get_issuer_name(cacert));
    }
    if (i == 3)
    {
      capkey = CHECK_OBJECT(3, EVP_PKEY, "openssl.evp_pkey");
      luaL_argcheck(L, openssl_pkey_is_private(capkey), 3, "must be private key");
      luaL_argcheck(L, X509_check_private_key(cacert, capkey) == 1, 3, "evp_pkey not match with x509 in #2");
    }
  }
  md = lua_isnoneornil(L, 4) ? EVP_get_digestbyname("sha1") : get_digest(L, 4);
  step = lua_isnoneornil(L, 5) ? 7 * 24 * 3600 : luaL_checkint(L, 5);

  if (ret == 1)
  {
    time_t lastUpdate;
    time_t nextUpdate;
    ASN1_TIME *ltm, *ntm;

    time(&lastUpdate);
    nextUpdate = lastUpdate + step;

    ltm = ASN1_TIME_new();
    ntm = ASN1_TIME_new();
    ASN1_TIME_set(ltm, lastUpdate);
    ASN1_TIME_set(ntm, nextUpdate);
    ret = X509_CRL_set_lastUpdate(crl, ltm);
    if (ret == 1)
      ret = X509_CRL_set_nextUpdate(crl, ntm);
    ASN1_TIME_free(ltm);
    ASN1_TIME_free(ntm);
  }
  if (cacert && capkey && md)
  {
    ret = (X509_CRL_sign(crl, capkey, md) == EVP_PKEY_size(capkey));
  }
  if (ret == 1)
  {
    PUSH_OBJECT(crl, "openssl.x509_crl");
  }
  else
  {
    X509_CRL_free(crl);
    return openssl_pushresult(L, ret);
  };

  return 1;
}
예제 #8
0
DWORD
VMCAUpdateTimeStamps(
    X509_CRL *pCrl,
    time_t tmLastUpdate,
    time_t tmNextUpdate,
    DWORD nCrlNum
)
{
    ASN1_TIME *pAsnLastUpdate = NULL;
    ASN1_TIME *pAsnNextUpdate = NULL;
    DWORD dwError = 0;
    ASN1_INTEGER *pSerial = NULL;

    if(pCrl == NULL) {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_ERROR(dwError);
    }

    pAsnLastUpdate = ASN1_TIME_new();
    if(pAsnLastUpdate == NULL){
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    pAsnNextUpdate  = ASN1_TIME_new();
    if(pAsnNextUpdate == NULL) {
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }

    ASN1_TIME_set(pAsnLastUpdate, tmLastUpdate);
    ASN1_TIME_set(pAsnNextUpdate, tmNextUpdate);

    dwError = X509_CRL_set_lastUpdate(pCrl, pAsnLastUpdate);
    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_START_TIME);

    dwError = X509_CRL_set_nextUpdate(pCrl, pAsnNextUpdate);
    BAIL_ON_SSL_ERROR(dwError, VMCA_SSL_SET_END_TIME);
    pSerial = ASN1_INTEGER_new();
    if (pSerial == NULL){
        dwError = VMCA_OUT_MEMORY_ERR;
        BAIL_ON_ERROR(dwError);
    }
    ASN1_INTEGER_set(pSerial, nCrlNum);

    X509_CRL_add1_ext_i2d(pCrl, NID_crl_number, pSerial,0,0);

error:
    if ( pAsnLastUpdate != NULL) {
        ASN1_TIME_free(pAsnLastUpdate);
    }

    if( pAsnNextUpdate != NULL) {
        ASN1_TIME_free(pAsnNextUpdate);
    }

    if(pSerial != NULL) {
        ASN1_INTEGER_free(pSerial);
    }
    return dwError;
}
예제 #9
0
PKI_X509_CRL *PKI_X509_CRL_new(const PKI_X509_KEYPAIR *k,
             const PKI_X509_CERT *cert, 
             const char * crlNumber_s,
             unsigned long validity,
             const PKI_X509_CRL_ENTRY_STACK *sk, 
             const PKI_X509_PROFILE *profile,
             const PKI_CONFIG *oids,
             HSM *hsm) {

  PKI_X509_CRL *ret = NULL;
  PKI_X509_CRL_VALUE *val = NULL;
  ASN1_INTEGER *crlNumber = NULL;
  ASN1_TIME *time = NULL;
  int rv = PKI_OK;
  int i = 0;

  char * tmp_s = NULL;

  PKI_X509_CRL_ENTRY *entry = NULL;

  PKI_DIGEST_ALG *dgst = NULL;

  long long lastUpdateVal  = 0;
  long long nextUpdateVal  = 0;

  /* Checks for the Key and its internal value */
  if( !k || !k->value ) return NULL;

  /* checks for the certificate and its internal value */
  if( !cert || !cert->value ) return ( NULL );

  if(( ret = PKI_X509_CRL_new_null()) == NULL ) {
    PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
    goto err;
  }

  /* Alloc memory structure for the Certificate */
  if((ret->value = ret->cb->create()) == NULL ) {
    PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
    goto err;
  }

  val = ret->value;

  if ( !crlNumber_s && profile ) {

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/crlNumber")) != NULL ) {
      crlNumber = PKI_INTEGER_new_char ( tmp_s );
      PKI_Free ( tmp_s );
    };
  } else if ( crlNumber_s ) {
    crlNumber = PKI_INTEGER_new_char( crlNumber_s );

    // Let's add the CRLSerial extension
    X509_CRL_add1_ext_i2d(val, NID_crl_number, crlNumber, 0, 0);
  };

  /* Set the start date (notBefore) */
  if (profile)
  {
    int years = 0;
    int days  = 0;
    int hours = 0;
    int mins  = 0;
    int secs  = 0;

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/notBefore/years")) != NULL ) {
      years = atoi( tmp_s );
      PKI_Free ( tmp_s );
    };

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/notBefore/days")) != NULL ) {
      days = atoi( tmp_s );
      PKI_Free ( tmp_s );
    };

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/notBefore/hours")) != NULL ) {
      hours = atoi( tmp_s );
      PKI_Free ( tmp_s );
    };

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/notBefore/minutes")) != NULL ) {
      mins = atoi( tmp_s );
      PKI_Free ( tmp_s );
    };

    if(( tmp_s = PKI_CONFIG_get_value( profile, 
        "/profile/notBefore/minutes")) != NULL ) {
      secs = atoi( tmp_s );
      PKI_Free ( tmp_s );
    };

    lastUpdateVal = secs +
            ( mins * 60 ) + 
            ( hours * 3600 ) + 
            ( days   * 3600 * 24 ) + 
            ( years * 3600 * 24 * 365 );
  } 
  else 
  {
    // Sets lastUpdate to current time
    lastUpdateVal = 0;
  };

  if ( profile && validity <= 0 ) {
    long long years = 0;
    long long days = 0;
    long long hours = 0;
    long long mins = 0;
    long long secs = 0;

    if((tmp_s = PKI_CONFIG_get_value ( profile,
          "/profile/validity/years")) != NULL ) {
      years = atoll( tmp_s );
      PKI_Free(tmp_s);
    }

    if((tmp_s = PKI_CONFIG_get_value ( profile,
          "/profile/validity/days")) != NULL ) {
      days = atoll( tmp_s );
      PKI_Free( tmp_s );
    }

    if((tmp_s = PKI_CONFIG_get_value ( profile,
          "/profile/validity/hours")) != NULL ) {
      hours = atoll( tmp_s );
      PKI_Free( tmp_s );
    }

    if((tmp_s = PKI_CONFIG_get_value ( profile,
          "/profile/validity/mins")) != NULL ) {
      mins = atoll( tmp_s );
      PKI_Free ( tmp_s );
    }

    if((tmp_s = PKI_CONFIG_get_value ( profile,
          "/profile/validity/secs")) != NULL ) {
      secs = atoll( tmp_s );
      PKI_Free ( tmp_s );
    }

    nextUpdateVal = secs + 
        60 * ( mins + 
          60 * (hours + 
            24 * ( days + 
              365 * years 
                 )
               )
            );
  } 
  else
  {
    nextUpdateVal = (long long) validity;
  };

  /* Generates a new time for lastUpdate field */
  if((time = PKI_TIME_new( lastUpdateVal )) == NULL ) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
    goto err;
  };

  /* Set the Last Update field */
  if(X509_CRL_set_lastUpdate( val, time ) == 0 ) {
    PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
    goto err;
  }
  PKI_TIME_free ( time );
  time = NULL; // Memory

  /* Generates a new time for lastUpdate field */
  if((time = PKI_TIME_new( nextUpdateVal )) == NULL ) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
    goto err;
  };

  /* Set the nextUpdate field */
  if(X509_CRL_set_nextUpdate( val, time ) == 0 ) {
    PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
    goto err;
  }
  PKI_TIME_free ( time );
  time = NULL; // Memory

  /* Now we need to add the CRL issuer name and details */
  if (X509_CRL_set_issuer_name( val, 
        X509_get_subject_name(cert->value)) == 0) {
    PKI_log_debug( "Can not set CRL issuer name");
    goto err;
  }

  if ( sk ) {
    /* Adds the list of revoked certificates */
    for(i=0; i < PKI_STACK_X509_CRL_ENTRY_elements(sk); i++ ) {
      PKI_log_debug("CRL::ADDING ENTRY %d\n", i );

      entry = PKI_STACK_X509_CRL_ENTRY_get_num(sk, i);
      if(!entry) break;

      X509_CRL_add0_revoked(val, entry);
    };
  }

  /* Sorts the CRL entries */
  X509_CRL_sort ( val );

  /*
  if((ret = PKI_X509_new_value( PKI_DATATYPE_X509_CRL, val, hsm)) == NULL ) {
    PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
    X509_CRL_free ( val );
    return ( NULL );
  }
  */

  /* Get the extensions from the profile */
  if( profile ) {
    PKI_TOKEN * tk;

    if((tk = PKI_TOKEN_new_null()) == NULL ) {
      PKI_log_err ( "Memory allocation failure");
      PKI_X509_CRL_free ( ret );
      return NULL;
    }

    PKI_TOKEN_set_cert(tk, (PKI_X509_CERT *)cert);
    PKI_TOKEN_set_keypair(tk, (PKI_X509_KEYPAIR *)k);

    if(PKI_X509_EXTENSIONS_crl_add_profile( profile, oids, ret, tk) == 0 ) {
          PKI_log_debug( "ERROR, can not set extensions!");
      PKI_X509_CRL_free ( ret );

      tk->cert = NULL;
      tk->keypair = NULL;
      PKI_TOKEN_free ( tk );

      return ( NULL );
    }
    tk->cert = NULL;
    tk->keypair = NULL;
    PKI_TOKEN_free ( tk );
  }

  /* Get the Digest Algorithm */
  if( (dgst = PKI_DIGEST_ALG_get_by_key( k )) == NULL ) {
    PKI_log_err("Can not get digest algor from keypair!");
    goto err;
  }
  
  rv = PKI_X509_sign ( ret, dgst, k );

  if ( rv == PKI_ERR ) {
    PKI_log_debug ("ERROR, can not sign CRL!");
    goto err;
  }

  return( ret );

err:

  if ( time ) PKI_TIME_free ( time );
  if ( ret ) PKI_X509_CRL_free ( ret );
  return NULL;
}
int createEmptyCRL(char* pemSigningKey, char* pemCaCert, int crldays, int crlhours, char* result) {
  int err = 0;

  //convert to BIOs and then keys and x509 structures
  BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1);
  if (!bioCert) {
    BIO_free(bioCert);
    return ERR_peek_error();
  }

  BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);
  if (!bioSigningKey) {
    BIO_free(bioCert);
    BIO_free(bioSigningKey);
    return ERR_peek_error();
  }

  X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL);
  if (!caCert) {
    BIO_free(bioCert);
    BIO_free(bioSigningKey);
    return ERR_peek_error();
  }

  EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);
  if (!caKey) {
    BIO_free(bioCert);
    BIO_free(bioSigningKey);
    return ERR_peek_error();
  }

  X509_CRL* crl = X509_CRL_new();

  X509_CRL_set_issuer_name(crl, X509_get_subject_name(caCert));

  //set update times (probably not essential, but why not.
  ASN1_TIME* tmptm = ASN1_TIME_new();
  X509_gmtime_adj(tmptm, long(0));
  X509_CRL_set_lastUpdate(crl, tmptm);
  X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
  X509_CRL_set_nextUpdate(crl, tmptm);
  ASN1_TIME_free(tmptm);

  X509_CRL_sort(crl);

  //extensions would go here.

  if (!(err = X509_CRL_sign(crl,caKey,EVP_sha1())))
  {
    BIO_free(bioCert);
    BIO_free(bioSigningKey);
    return err;
  }


  BIO *mem = BIO_new(BIO_s_mem());
  PEM_write_bio_X509_CRL(mem,crl);
  BUF_MEM *bptr;
  BIO_get_mem_ptr(mem, &bptr);
  BIO_read(mem, result, bptr->length);


  BIO_free(bioCert);
  BIO_free(bioSigningKey);
  BIO_free(mem);
  return 0;
}
예제 #11
0
파일: 2cca.c 프로젝트: randunel/2cca
/*
 * Revoke one certificate at a time
 * No check performed to see if certificate already revoked.
 */
void revoke_cert(char * ca_name, char * name)
{
    char filename[FIELD_SZ+5];
    FILE * f ;
    X509_CRL * crl ;
    X509 * cert ;
    ASN1_INTEGER * r_serial ;
    ASN1_INTEGER * crlnum ;
    X509_REVOKED * rev ;
    ASN1_TIME * tm ;
    identity ca ;
    BIO * out ;
    BIGNUM * b_crlnum ;

    /* Find requested certificate by name */
    sprintf(filename, "%s.crt", name);
    if ((f=fopen(filename, "r"))==NULL) {
        fprintf(stderr, "Cannot find: %s\n", filename);
        return ; 
    }
    cert = PEM_read_X509(f, NULL, NULL, NULL);
    fclose(f);
    /* Get certificate serial number */
    r_serial = X509_get_serialNumber(cert);

    /* Find out if if was already revoked */

    /* Make a revoked object with that serial */
    rev = X509_REVOKED_new();
    X509_REVOKED_set_serialNumber(rev, r_serial);
    X509_free(cert);
    /* Set reason to unspecified */
    rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED);

    /* Load or create new CRL */
    if ((crl = load_crl(ca_name))==NULL) {
        crl = X509_CRL_new();
        X509_CRL_set_version(crl, 1);
        /* Set CRL number */
        crlnum = ASN1_INTEGER_new();
        ASN1_INTEGER_set(crlnum, 1);
        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0);
        ASN1_INTEGER_free(crlnum);
    } else {
        crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0);
        b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL);
        BN_add_word(b_crlnum, 1);
        BN_to_ASN1_INTEGER(b_crlnum, crlnum);
        BN_free(b_crlnum);
        X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING);
        ASN1_INTEGER_free(crlnum);
    }

    /* What time is it? */
    tm = ASN1_TIME_new();
    X509_gmtime_adj(tm, 0);
    X509_REVOKED_set_revocationDate(rev, tm);
    X509_CRL_set_lastUpdate(crl, tm);

    /* Set CRL next update to a year from now */
    X509_gmtime_adj(tm, 365*24*60*60);
    X509_CRL_set_nextUpdate(crl, tm);
    ASN1_TIME_free(tm);

    /* Add revoked to CRL */
    X509_CRL_add0_revoked(crl, rev);    
    X509_CRL_sort(crl);

    /* Load root key to sign CRL */
    if (load_ca(ca_name, &ca)!=0) {
        fprintf(stderr, "Cannot find CA key/crt\n");
        return ;
    }
    X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert));
    X509_free(ca.cert);

    /* Sign CRL */
    X509_CRL_sign(crl, ca.key, EVP_sha256());
    EVP_PKEY_free(ca.key);

    /* Dump CRL */
    sprintf(filename, "%s.crl", ca_name);
    if ((f = fopen(filename, "wb"))==NULL) {
        fprintf(stderr, "Cannot write %s: aborting\n", filename);
        X509_CRL_free(crl);
        return ;
    }
    out = BIO_new(BIO_s_file());
    BIO_set_fp(out, f, BIO_NOCLOSE);
    PEM_write_bio_X509_CRL(out, crl);
    BIO_free_all(out);
    fclose(f);
    X509_CRL_free(crl);
    return ;
}
예제 #12
0
파일: pki_crl.cpp 프로젝트: jbfavre/xca
void pki_crl::setNextUpdate(const a1time &a)
{
	a1time t(a);
	X509_CRL_set_nextUpdate(crl, t.get_utc());
}