static LUA_FUNCTION(openssl_crl_sort)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
int ret = X509_CRL_sort(crl);
lua_pushboolean(L, ret);
return 1;
}
static VALUE
ossl_x509crl_set_revoked(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_REVOKED *rev;
int i;
Check_Type(ary, T_ARRAY);
/* All ary members should be X509 Revoked */
for (i=0; i<RARRAY_LEN(ary); i++) {
OSSL_Check_Kind(RARRAY_PTR(ary)[i], cX509Rev);
}
GetX509CRL(self, crl);
sk_X509_REVOKED_pop_free(crl->crl->revoked, X509_REVOKED_free);
crl->crl->revoked = NULL;
for (i=0; i<RARRAY_LEN(ary); i++) {
rev = DupX509RevokedPtr(RARRAY_PTR(ary)[i]);
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
ossl_raise(eX509CRLError, NULL);
}
}
X509_CRL_sort(crl);
return ary;
}
static VALUE
ossl_x509crl_set_revoked(VALUE self, VALUE ary)
{
X509_CRL *crl;
X509_REVOKED *rev;
STACK_OF(X509_REVOKED) *sk;
long i;
Check_Type(ary, T_ARRAY);
/* All ary members should be X509 Revoked */
for (i=0; i<RARRAY_LEN(ary); i++) {
OSSL_Check_Kind(RARRAY_AREF(ary, i), cX509Rev);
}
GetX509CRL(self, crl);
if ((sk = X509_CRL_get_REVOKED(crl))) {
while ((rev = sk_X509_REVOKED_pop(sk)))
X509_REVOKED_free(rev);
}
for (i=0; i<RARRAY_LEN(ary); i++) {
rev = DupX509RevokedPtr(RARRAY_AREF(ary, i));
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
X509_REVOKED_free(rev);
ossl_raise(eX509CRLError, "X509_CRL_add0_revoked");
}
}
X509_CRL_sort(crl);
return ary;
}
void pki_crl::sign(pki_key *key, const EVP_MD *md)
{
EVP_PKEY *pkey;
if (!key || key->isPubKey())
return;
X509_CRL_sort(crl);
pkey = key->decryptKey();
X509_CRL_sign(crl, pkey, md);
EVP_PKEY_free(pkey);
pki_openssl_error();
}
DWORD
VMCASortCRL(
X509_CRL *pCrl
)
{
DWORD dwError = 0;
dwError = X509_CRL_sort(pCrl);
BAIL_ON_SSL_ERROR(dwError, VMCA_CRL_SORT_FAILED);
error :
return dwError;
}
static VALUE
ossl_x509crl_add_revoked(VALUE self, VALUE revoked)
{
X509_CRL *crl;
X509_REVOKED *rev;
GetX509CRL(self, crl);
rev = DupX509RevokedPtr(revoked);
if (!X509_CRL_add0_revoked(crl, rev)) { /* NO DUP - don't free! */
ossl_raise(eX509CRLError, NULL);
}
X509_CRL_sort(crl);
return revoked;
}
void openssl_x509_crl()
{
RSA *r;
BIO *bp;
int len;
FILE *fp;
BIGNUM *bne;
X509_CRL *crl;
EVP_PKEY *pkey;
X509_NAME *issuer;
ASN1_INTEGER *serial;
X509_REVOKED *revoked;
ASN1_TIME *lastUpdate, *nextUpdate, *rvTime;
unsigned char *buf, *p, tmp[MAX1_LEN] = "crl cert";
printf("\nX509_CRL info:\n");
bne = BN_new();
BN_set_word(bne, RSA_3);
r = RSA_new();
RSA_generate_key_ex(r, MAX1_LEN, bne, NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, r);
crl = X509_CRL_new();
X509_CRL_set_version(crl, 3);
issuer = X509_NAME_new();
X509_NAME_add_entry_by_NID(issuer, NID_commonName,
V_ASN1_PRINTABLESTRING, tmp, 10, -1, 0);
X509_CRL_set_issuer_name(crl, issuer);
lastUpdate = ASN1_TIME_new();
ASN1_TIME_set(lastUpdate, time(NULL));
X509_CRL_set_lastUpdate(crl, lastUpdate);
nextUpdate = ASN1_TIME_new();
ASN1_TIME_set(nextUpdate, time(NULL) + 1280);
X509_CRL_set_nextUpdate(crl, nextUpdate);
revoked = X509_REVOKED_new();
serial = ASN1_INTEGER_new();
ASN1_INTEGER_set(serial, 1280);
X509_REVOKED_set_serialNumber(revoked, serial);
rvTime = ASN1_TIME_new();
ASN1_TIME_set(rvTime, time(NULL) + 2000);
X509_CRL_set_nextUpdate(crl, rvTime);
X509_REVOKED_set_revocationDate(revoked, rvTime);
X509_CRL_add0_revoked(crl, revoked);
X509_CRL_sort(crl);
X509_CRL_sign(crl, pkey, EVP_md5());
bp = BIO_new(BIO_s_file());
BIO_set_fp(bp, stdout, BIO_NOCLOSE);
X509_CRL_print(bp, crl);
len = i2d_X509_CRL(crl, NULL);
buf = (unsigned char *)malloc(len + 10);
p = buf;
len = i2d_X509_CRL(crl, &p);
fp = fopen("/tmp/crl.crl", "wb");
fwrite(buf, 1, len, fp);
fclose(fp);
free(buf);
BIO_free(bp);
X509_CRL_free(crl);
}
static LUA_FUNCTION(openssl_crl_sort)
{
X509_CRL *crl = CHECK_OBJECT(1, X509_CRL, "openssl.x509_crl");
int ret = X509_CRL_sort(crl);
return openssl_pushresult(L, ret);
}
PKI_X509_CRL *PKI_X509_CRL_new(const PKI_X509_KEYPAIR *k,
const PKI_X509_CERT *cert,
const char * crlNumber_s,
unsigned long validity,
const PKI_X509_CRL_ENTRY_STACK *sk,
const PKI_X509_PROFILE *profile,
const PKI_CONFIG *oids,
HSM *hsm) {
PKI_X509_CRL *ret = NULL;
PKI_X509_CRL_VALUE *val = NULL;
ASN1_INTEGER *crlNumber = NULL;
ASN1_TIME *time = NULL;
int rv = PKI_OK;
int i = 0;
char * tmp_s = NULL;
PKI_X509_CRL_ENTRY *entry = NULL;
PKI_DIGEST_ALG *dgst = NULL;
long long lastUpdateVal = 0;
long long nextUpdateVal = 0;
/* Checks for the Key and its internal value */
if( !k || !k->value ) return NULL;
/* checks for the certificate and its internal value */
if( !cert || !cert->value ) return ( NULL );
if(( ret = PKI_X509_CRL_new_null()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
goto err;
}
/* Alloc memory structure for the Certificate */
if((ret->value = ret->cb->create()) == NULL ) {
PKI_ERROR(PKI_ERR_OBJECT_CREATE, NULL);
goto err;
}
val = ret->value;
if ( !crlNumber_s && profile ) {
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/crlNumber")) != NULL ) {
crlNumber = PKI_INTEGER_new_char ( tmp_s );
PKI_Free ( tmp_s );
};
} else if ( crlNumber_s ) {
crlNumber = PKI_INTEGER_new_char( crlNumber_s );
// Let's add the CRLSerial extension
X509_CRL_add1_ext_i2d(val, NID_crl_number, crlNumber, 0, 0);
};
/* Set the start date (notBefore) */
if (profile)
{
int years = 0;
int days = 0;
int hours = 0;
int mins = 0;
int secs = 0;
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/years")) != NULL ) {
years = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/days")) != NULL ) {
days = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/hours")) != NULL ) {
hours = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/minutes")) != NULL ) {
mins = atoi( tmp_s );
PKI_Free ( tmp_s );
};
if(( tmp_s = PKI_CONFIG_get_value( profile,
"/profile/notBefore/minutes")) != NULL ) {
secs = atoi( tmp_s );
PKI_Free ( tmp_s );
};
lastUpdateVal = secs +
( mins * 60 ) +
( hours * 3600 ) +
( days * 3600 * 24 ) +
( years * 3600 * 24 * 365 );
}
else
{
// Sets lastUpdate to current time
lastUpdateVal = 0;
};
if ( profile && validity <= 0 ) {
long long years = 0;
long long days = 0;
long long hours = 0;
long long mins = 0;
long long secs = 0;
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/years")) != NULL ) {
years = atoll( tmp_s );
PKI_Free(tmp_s);
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/days")) != NULL ) {
days = atoll( tmp_s );
PKI_Free( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/hours")) != NULL ) {
hours = atoll( tmp_s );
PKI_Free( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/mins")) != NULL ) {
mins = atoll( tmp_s );
PKI_Free ( tmp_s );
}
if((tmp_s = PKI_CONFIG_get_value ( profile,
"/profile/validity/secs")) != NULL ) {
secs = atoll( tmp_s );
PKI_Free ( tmp_s );
}
nextUpdateVal = secs +
60 * ( mins +
60 * (hours +
24 * ( days +
365 * years
)
)
);
}
else
{
nextUpdateVal = (long long) validity;
};
/* Generates a new time for lastUpdate field */
if((time = PKI_TIME_new( lastUpdateVal )) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
};
/* Set the Last Update field */
if(X509_CRL_set_lastUpdate( val, time ) == 0 ) {
PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
goto err;
}
PKI_TIME_free ( time );
time = NULL; // Memory
/* Generates a new time for lastUpdate field */
if((time = PKI_TIME_new( nextUpdateVal )) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
goto err;
};
/* Set the nextUpdate field */
if(X509_CRL_set_nextUpdate( val, time ) == 0 ) {
PKI_log_err ( "ERROR, can not set lastUpdate field in CRL");
goto err;
}
PKI_TIME_free ( time );
time = NULL; // Memory
/* Now we need to add the CRL issuer name and details */
if (X509_CRL_set_issuer_name( val,
X509_get_subject_name(cert->value)) == 0) {
PKI_log_debug( "Can not set CRL issuer name");
goto err;
}
if ( sk ) {
/* Adds the list of revoked certificates */
for(i=0; i < PKI_STACK_X509_CRL_ENTRY_elements(sk); i++ ) {
PKI_log_debug("CRL::ADDING ENTRY %d\n", i );
entry = PKI_STACK_X509_CRL_ENTRY_get_num(sk, i);
if(!entry) break;
X509_CRL_add0_revoked(val, entry);
};
}
/* Sorts the CRL entries */
X509_CRL_sort ( val );
/*
if((ret = PKI_X509_new_value( PKI_DATATYPE_X509_CRL, val, hsm)) == NULL ) {
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
X509_CRL_free ( val );
return ( NULL );
}
*/
/* Get the extensions from the profile */
if( profile ) {
PKI_TOKEN * tk;
if((tk = PKI_TOKEN_new_null()) == NULL ) {
PKI_log_err ( "Memory allocation failure");
PKI_X509_CRL_free ( ret );
return NULL;
}
PKI_TOKEN_set_cert(tk, (PKI_X509_CERT *)cert);
PKI_TOKEN_set_keypair(tk, (PKI_X509_KEYPAIR *)k);
if(PKI_X509_EXTENSIONS_crl_add_profile( profile, oids, ret, tk) == 0 ) {
PKI_log_debug( "ERROR, can not set extensions!");
PKI_X509_CRL_free ( ret );
tk->cert = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
return ( NULL );
}
tk->cert = NULL;
tk->keypair = NULL;
PKI_TOKEN_free ( tk );
}
/* Get the Digest Algorithm */
if( (dgst = PKI_DIGEST_ALG_get_by_key( k )) == NULL ) {
PKI_log_err("Can not get digest algor from keypair!");
goto err;
}
rv = PKI_X509_sign ( ret, dgst, k );
if ( rv == PKI_ERR ) {
PKI_log_debug ("ERROR, can not sign CRL!");
goto err;
}
return( ret );
err:
if ( time ) PKI_TIME_free ( time );
if ( ret ) PKI_X509_CRL_free ( ret );
return NULL;
}
int addToCRL(char* pemSigningKey, char* pemOldCrl, char* pemRevokedCert, char* result) {
int err = 0;
BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);
if (!bioSigningKey) {
return ERR_peek_error();
}
BIO* bioRevCert = BIO_new_mem_buf(pemRevokedCert, -1);
if (!bioRevCert) {
BIO_free(bioSigningKey);
return ERR_peek_error();
}
BIO* bioOldCRL = BIO_new_mem_buf(pemOldCrl, -1);
if (!bioOldCRL) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
X509* badCert = PEM_read_bio_X509(bioRevCert, NULL, NULL, NULL);
if (!badCert) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return -18;
}
X509_CRL* crl = PEM_read_bio_X509_CRL(bioOldCRL, NULL, NULL, NULL);
if (!crl) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return ERR_peek_error();
}
X509_REVOKED* revoked = X509_REVOKED_new();
X509_REVOKED_set_serialNumber(revoked, X509_get_serialNumber(badCert));
ASN1_TIME* tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm, long(0));
X509_REVOKED_set_revocationDate(revoked, tmptm);
//set the reason? Not yet.
// ASN1_ENUMERATED* rtmp = ASN1_ENUMERATED_new();
// ASN1_ENUMERATED_set(rtmp, reasonCode);
// goto err;
// if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
// goto err;
// }
if(!(err = X509_CRL_add0_revoked(crl,revoked))) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return err;
}
X509_CRL_sort(crl);
if(!(err=X509_CRL_sign(crl,caKey,EVP_sha1()))) {
BIO_free(bioSigningKey);
BIO_free(bioRevCert);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509_CRL(mem,crl);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(bioRevCert);
BIO_free(bioSigningKey);
BIO_free(bioOldCRL);
BIO_free(mem);
return 0;
}
int createEmptyCRL(char* pemSigningKey, char* pemCaCert, int crldays, int crlhours, char* result) {
int err = 0;
//convert to BIOs and then keys and x509 structures
BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1);
if (!bioCert) {
BIO_free(bioCert);
return ERR_peek_error();
}
BIO* bioSigningKey = BIO_new_mem_buf(pemSigningKey, -1);
if (!bioSigningKey) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL);
if (!caCert) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioSigningKey, NULL, NULL, NULL);
if (!caKey) {
BIO_free(bioCert);
BIO_free(bioSigningKey);
return ERR_peek_error();
}
X509_CRL* crl = X509_CRL_new();
X509_CRL_set_issuer_name(crl, X509_get_subject_name(caCert));
//set update times (probably not essential, but why not.
ASN1_TIME* tmptm = ASN1_TIME_new();
X509_gmtime_adj(tmptm, long(0));
X509_CRL_set_lastUpdate(crl, tmptm);
X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
X509_CRL_set_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
X509_CRL_sort(crl);
//extensions would go here.
if (!(err = X509_CRL_sign(crl,caKey,EVP_sha1())))
{
BIO_free(bioCert);
BIO_free(bioSigningKey);
return err;
}
BIO *mem = BIO_new(BIO_s_mem());
PEM_write_bio_X509_CRL(mem,crl);
BUF_MEM *bptr;
BIO_get_mem_ptr(mem, &bptr);
BIO_read(mem, result, bptr->length);
BIO_free(bioCert);
BIO_free(bioSigningKey);
BIO_free(mem);
return 0;
}
/*
* Revoke one certificate at a time
* No check performed to see if certificate already revoked.
*/
void revoke_cert(char * ca_name, char * name)
{
char filename[FIELD_SZ+5];
FILE * f ;
X509_CRL * crl ;
X509 * cert ;
ASN1_INTEGER * r_serial ;
ASN1_INTEGER * crlnum ;
X509_REVOKED * rev ;
ASN1_TIME * tm ;
identity ca ;
BIO * out ;
BIGNUM * b_crlnum ;
/* Find requested certificate by name */
sprintf(filename, "%s.crt", name);
if ((f=fopen(filename, "r"))==NULL) {
fprintf(stderr, "Cannot find: %s\n", filename);
return ;
}
cert = PEM_read_X509(f, NULL, NULL, NULL);
fclose(f);
/* Get certificate serial number */
r_serial = X509_get_serialNumber(cert);
/* Find out if if was already revoked */
/* Make a revoked object with that serial */
rev = X509_REVOKED_new();
X509_REVOKED_set_serialNumber(rev, r_serial);
X509_free(cert);
/* Set reason to unspecified */
rev->reason = ASN1_ENUMERATED_get(CRL_REASON_UNSPECIFIED);
/* Load or create new CRL */
if ((crl = load_crl(ca_name))==NULL) {
crl = X509_CRL_new();
X509_CRL_set_version(crl, 1);
/* Set CRL number */
crlnum = ASN1_INTEGER_new();
ASN1_INTEGER_set(crlnum, 1);
X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, 0);
ASN1_INTEGER_free(crlnum);
} else {
crlnum = X509_CRL_get_ext_d2i(crl, NID_crl_number, 0, 0);
b_crlnum = ASN1_INTEGER_to_BN(crlnum, NULL);
BN_add_word(b_crlnum, 1);
BN_to_ASN1_INTEGER(b_crlnum, crlnum);
BN_free(b_crlnum);
X509_CRL_add1_ext_i2d(crl, NID_crl_number, crlnum, 0, X509V3_ADD_REPLACE_EXISTING);
ASN1_INTEGER_free(crlnum);
}
/* What time is it? */
tm = ASN1_TIME_new();
X509_gmtime_adj(tm, 0);
X509_REVOKED_set_revocationDate(rev, tm);
X509_CRL_set_lastUpdate(crl, tm);
/* Set CRL next update to a year from now */
X509_gmtime_adj(tm, 365*24*60*60);
X509_CRL_set_nextUpdate(crl, tm);
ASN1_TIME_free(tm);
/* Add revoked to CRL */
X509_CRL_add0_revoked(crl, rev);
X509_CRL_sort(crl);
/* Load root key to sign CRL */
if (load_ca(ca_name, &ca)!=0) {
fprintf(stderr, "Cannot find CA key/crt\n");
return ;
}
X509_CRL_set_issuer_name(crl, X509_get_subject_name(ca.cert));
X509_free(ca.cert);
/* Sign CRL */
X509_CRL_sign(crl, ca.key, EVP_sha256());
EVP_PKEY_free(ca.key);
/* Dump CRL */
sprintf(filename, "%s.crl", ca_name);
if ((f = fopen(filename, "wb"))==NULL) {
fprintf(stderr, "Cannot write %s: aborting\n", filename);
X509_CRL_free(crl);
return ;
}
out = BIO_new(BIO_s_file());
BIO_set_fp(out, f, BIO_NOCLOSE);
PEM_write_bio_X509_CRL(out, crl);
BIO_free_all(out);
fclose(f);
X509_CRL_free(crl);
return ;
}
