int signRequest(char* pemRequest, int days, char* pemCAKey, char* pemCaCert, int certType, char *url, char* result) { BIO* bioReq = BIO_new_mem_buf(pemRequest, -1); BIO* bioCAKey = BIO_new_mem_buf(pemCAKey, -1); BIO* bioCert = BIO_new_mem_buf(pemCaCert, -1); X509* caCert = PEM_read_bio_X509(bioCert, NULL, NULL, NULL); int err = 0; X509_REQ *req=NULL; if (!(req=PEM_read_bio_X509_REQ(bioReq, NULL, NULL, NULL))) { BIO_free(bioReq); BIO_free(bioCert); BIO_free(bioCAKey); return ERR_peek_error(); } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioCAKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioReq); BIO_free(bioCert); BIO_free(bioCAKey); return ERR_peek_error(); } X509* cert = X509_new(); EVP_PKEY* reqPub; if(!(err = X509_set_version(cert, 2))) { BIO_free(bioReq); BIO_free(bioCAKey); return ERR_peek_error(); } //redo all the certificate details, because OpenSSL wants us to work hard X509_set_issuer_name(cert, X509_get_subject_name(caCert)); ASN1_UTCTIME *s=ASN1_UTCTIME_new(); // Jira-issue: WP-37 // This is temp solution for putting pzp validity 5 minutes before current time // If there is a small clock difference between machines, it results in cert_not_yet_valid // It does set GMT time but is relevant to machine time. // A better solution would be to have ntp server contacted to get a proper time. if(certType == 2) { X509_gmtime_adj(s, long(0-300)); } else { X509_gmtime_adj(s, long(0)); } // End of WP-37 X509_set_notBefore(cert, s); X509_gmtime_adj(s, (long)60*60*24*days); X509_set_notAfter(cert, s); ASN1_UTCTIME_free(s); X509_set_subject_name(cert, X509_REQ_get_subject_name(req)); reqPub = X509_REQ_get_pubkey(req); X509_set_pubkey(cert,reqPub); EVP_PKEY_free(reqPub); //create a serial number at random ASN1_INTEGER* serial = getRandomSN(); X509_set_serialNumber(cert, serial); X509_EXTENSION *ex; X509V3_CTX ctx; X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0); char *str = (char*)malloc(strlen("caIssuers;") + strlen(url) + 1); if (str == NULL) { return -10; } strcpy(str, "caIssuers;"); strcat(str, url); if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_info_access, (char*)str))) { free(str); return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } free(str); if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, (char*)url))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_issuer_alt_name, (char*)"issuer:copy"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char*)"hash"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if( certType == 1) { if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:FALSE"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, clientAuth, serverAuth"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } } else if( certType == 2) { if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:FALSE"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, clientAuth, serverAuth"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } } if (!(err = X509_sign(cert,caKey,EVP_sha1()))) { BIO_free(bioReq); BIO_free(bioCert); BIO_free(bioCAKey); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509(mem,cert); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(mem); BIO_free(bioReq); BIO_free(bioCert); BIO_free(bioCAKey); return 0; }
int selfSignRequest(char* pemRequest, int days, char* pemCAKey, int certType, char *url, char* result) { BIO* bioReq = BIO_new_mem_buf(pemRequest, -1); BIO* bioCAKey = BIO_new_mem_buf(pemCAKey, -1); int err = 0; X509_REQ *req=NULL; if (!(req=PEM_read_bio_X509_REQ(bioReq, NULL, NULL, NULL))) { BIO_free(bioReq); BIO_free(bioCAKey); return -5; } EVP_PKEY* caKey = PEM_read_bio_PrivateKey(bioCAKey, NULL, NULL, NULL); if (!caKey) { BIO_free(bioReq); BIO_free(bioCAKey); return -6; } X509* cert = X509_new(); EVP_PKEY* reqPub; //redo all the certificate details, because OpenSSL wants us to work hard if(!(err = X509_set_version(cert, 2))) { BIO_free(bioReq); BIO_free(bioCAKey); return err; } if(!(err = X509_set_issuer_name(cert, X509_REQ_get_subject_name(req)))) { BIO_free(bioReq); BIO_free(bioCAKey); return err; } ASN1_UTCTIME *s=ASN1_UTCTIME_new(); // Jira-issue: WP-37 // This is temp solution for putting pzp validity 5 minutes before current time // If there is a small clock difference between machines, it results in cert_not_yet_valid // It does set GMT time but is relevant to machine time. // A better solution would be to have ntp server contacted to get proper time. if(certType == 2) { X509_gmtime_adj(s, long(0-300)); } else { X509_gmtime_adj(s, long(0)); } // End of WP-37 X509_set_notBefore(cert, s); X509_gmtime_adj(s, (long)60*60*24*days); X509_set_notAfter(cert, s); ASN1_UTCTIME_free(s); if(!(err = X509_set_subject_name(cert, X509_REQ_get_subject_name(req)))) { BIO_free(bioReq); BIO_free(bioCAKey); return err; } if (!(reqPub = X509_REQ_get_pubkey(req))) { BIO_free(bioReq); BIO_free(bioCAKey); return -7; } err = X509_set_pubkey(cert,reqPub); EVP_PKEY_free(reqPub); if (!err) { return err; // an error occurred, this is terrible style. } //create a serial number at random ASN1_INTEGER* serial = getRandomSN(); X509_set_serialNumber(cert, serial); // V3 extensions X509_EXTENSION *ex; X509V3_CTX ctx; X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0); if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_alt_name, (char*)url))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char*)"hash"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if( certType == 0) { if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_basic_constraints, (char*)"critical, CA:TRUE"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_key_usage, (char*)"critical, keyCertSign, digitalSignature, cRLSign"))) { /* critical, keyCertSign,cRLSign, nonRepudiation,*/ return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_ext_key_usage, (char*)"critical, serverAuth"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_inhibit_any_policy, (char*)"0"))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } if(!(ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_crl_distribution_points, (char*)url))) { return ERR_peek_error(); } else { X509_add_ext(cert, ex, -1); } } if (!(err = X509_sign(cert,caKey,EVP_sha1()))) { BIO_free(bioReq); BIO_free(bioCAKey); return err; } BIO *mem = BIO_new(BIO_s_mem()); PEM_write_bio_X509(mem,cert); BUF_MEM *bptr; BIO_get_mem_ptr(mem, &bptr); BIO_read(mem, result, bptr->length); BIO_free(mem); BIO_free(bioReq); BIO_free(bioCAKey); return 0; }
ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec) { char *p; struct tm *ts; struct tm data; size_t len = 20; int free_s = 0; if (s == NULL) { s = ASN1_UTCTIME_new(); if (s == NULL) goto err; free_s = 1; } ts = OPENSSL_gmtime(&t, &data); if (ts == NULL) goto err; if (offset_day || offset_sec) { if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec)) goto err; } if ((ts->tm_year < 50) || (ts->tm_year >= 150)) goto err; p = (char *)s->data; if ((p == NULL) || ((size_t)s->length < len)) { p = OPENSSL_malloc(len); if (p == NULL) { ASN1err(ASN1_F_ASN1_UTCTIME_ADJ, ERR_R_MALLOC_FAILURE); goto err; } OPENSSL_free(s->data); s->data = (unsigned char *)p; } BIO_snprintf(p, len, "%02d%02d%02d%02d%02d%02dZ", ts->tm_year % 100, ts->tm_mon + 1, ts->tm_mday, ts->tm_hour, ts->tm_min, ts->tm_sec); s->length = strlen(p); s->type = V_ASN1_UTCTIME; #ifdef CHARSET_EBCDIC_not ebcdic2ascii(s->data, s->data, s->length); #endif return (s); err: if (free_s) ASN1_UTCTIME_free(s); return NULL; }
ASN1_UTCTIME * ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec) { ASN1_UTCTIME *tmp = NULL, *ret; if (s == NULL) { tmp = ASN1_UTCTIME_new(); if (tmp == NULL) return NULL; s = tmp; } ret = ASN1_UTCTIME_adj_internal(s, t, offset_day, offset_sec); if (ret == NULL && tmp != NULL) ASN1_UTCTIME_free(tmp); return ret; }
static int get_times(glite_renewal_core_context ctx, char *proxy_file, time_t *not_after_x509, time_t *not_after_voms) { X509 *cert = NULL; STACK_OF(X509) *chain = NULL; int ret, i; time_t now, end_time, end_time_x509; struct vomsdata *voms_data = NULL; struct voms **voms_cert = NULL; ASN1_UTCTIME *t; char *s, *c; ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL); if (ret) return ret; ret = get_voms_cert(ctx, cert, chain, &voms_data); if (ret) goto end; end_time = 0; if (voms_data != NULL) { for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) { t = ASN1_UTCTIME_new(); if (t == NULL) { glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed"); ret = 1; goto end; } /* date2 contains a GENERALIZEDTIME format (YYYYMMDDHHSS[.fff]Z) * value, which must be converted to the UTC (YYMMDDHHSSZ) format */ s = strdup((*voms_cert)->date2 + 2); if (s == NULL) { glite_renewal_core_set_err(ctx, "Not enough memory"); ret = ENOMEM; goto end; } c = strchr(s, '.'); if (c) { *c++ = 'Z'; *c = '\0'; } ret = ASN1_UTCTIME_set_string(t, s); if (ret == 0) { glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n"); ret = 1; free(s); goto end; } if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0) globus_gsi_cert_utils_make_time(t, &end_time); ASN1_UTCTIME_free(t); free(s); } } globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509); now = time(NULL); if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) { glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file); ret = EDG_WLPR_PROXY_EXPIRED; goto end; } /* Myproxy seems not to do check on expiration and return expired proxies if credentials in repository are expired */ for (i = 0; i < sk_X509_num(chain); i++) { t = X509_get_notAfter(sk_X509_value(chain, i)); if (ASN1_UTCTIME_cmp_time_t(t, now - RENEWAL_CLOCK_SKEW) < 0) { glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file); ret = EDG_WLPR_PROXY_EXPIRED; goto end; } } *not_after_voms = end_time; *not_after_x509 = end_time_x509; ret = 0; end: if (voms_data) VOMS_Destroy(voms_data); if (chain) sk_X509_pop_free(chain, X509_free); if (cert) X509_free(cert); return ret; }
ASN1_STRING *str,*str2; ASN1_OBJECT *obj; X509 *ret=NULL; X509_CINF *ci; X509_NAME_ENTRY *ne; X509_NAME_ENTRY *tne,*push; EVP_PKEY *pktmp; int ok= -1,i,j,last,nid; const char *p; CONF_VALUE *cv; OPENSSL_STRING row[DB_NUMBER]; OPENSSL_STRING *irow=NULL; OPENSSL_STRING *rrow=NULL; char buf[25]; tmptm=ASN1_UTCTIME_new(); if (tmptm == NULL) { BIO_printf(bio_err,"malloc error\n"); return(0); } for (i=0; i<DB_NUMBER; i++) row[i]=NULL; if (subj) { X509_NAME *n = parse_name(subj, chtype, multirdn); if (!n) {
int file_select(const struct dirent *entry) { cert = X509_new(); certsubject = X509_NAME_new(); int i = 0; char buf[80] = ""; /* check for "." and ".." directory entries */ if(entry->d_name[0]=='.') return 0; /* Check for <id>.pem file name extensions */ if(strstr(entry->d_name, ".pem") == NULL) return 0; /* generate the full file name and path to open it */ snprintf(certfilestr, sizeof(certfilestr), "%s/%s", CACERTSTORE, entry->d_name); /* if we cannot open the file, we move on to the next */ if ((certfile = fopen(certfilestr, "r")) == NULL) return 0; /* now we load the certificate data */ if (! (cert = PEM_read_X509(certfile,NULL,NULL,NULL))) return 0; /* if search type is dn, check if dn field contains the search value */ if (strcmp(search, "dn") == 0) { /* get the subject information to compare the entries in it */ if (! (certsubject = X509_get_subject_name(cert))) return 0; /* now we cycle through all entries of the subject */ for (i = 0; i < X509_NAME_entry_count(certsubject); i++) { e = X509_NAME_get_entry(certsubject, i); OBJ_obj2txt(buf, 80, X509_NAME_ENTRY_get_object(e), 0); /* when the search file matches the cert subject field */ /* check if the field value is equal the search value */ if(strstr(buf, field) != NULL) if(strstr( (char *) X509_NAME_ENTRY_get_data(e), dnvalue) != NULL) return 1; } } /* if search type is exp, check expiration date is between start and end date */ if (strcmp(search, "exp") == 0) { /* get the certificates expiration date */ expiration_date = X509_get_notAfter(cert); /* copy the certificate expiration date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, expiration_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); //int_error(membio_buf); /* debug correct time parsing */ /* parse the expiration date string into a time struct */ memset (&expiration_tm, '\0', sizeof(expiration_tm)); strptime(membio_buf, "%h %d %T %Y %z", &expiration_tm); // int_error(asctime(&expiration_tm)); /* debug correct time parsing */ /* parse the CGI start date string into the start_tm struct */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(exp_startstr, "%d.%m.%Y %R", &start_tm); // int_error(asctime(&start_tm)); /* debug correct time parsing */ /* parse the CGI end date string into the end_tm struct */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(exp_endstr, "%d.%m.%Y %R", &end_tm); // int_error(asctime(&end_tm)); /* debug correct time parsing */ /* check if expiration date >= start date and <= end date */ if ( difftime(mktime(&start_tm), mktime(&expiration_tm)) <=0 && difftime(mktime(&end_tm), mktime(&expiration_tm)) >= 0 ) return 1; } /* if search type is ena, check enable date is between start and end date */ if (strcmp(search, "ena") == 0) { /* get the certificates enable date */ start_date = X509_get_notBefore(cert); /* copy the certificate expiration date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, start_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); /* parse the expiration date string into a time struct */ memset (&enable_tm, '\0', sizeof(enable_tm)); strptime(membio_buf, "%h %d %T %Y %z", &enable_tm); // int_error(asctime(&enable_tm)); /* debug correct time parsing */ /* parse the CGI start date string into the start_tm struct */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(ena_startstr, "%d.%m.%Y %R", &start_tm); // int_error(asctime(&start_tm)); /* debug correct time parsing */ /* parse the CGI end date string into the end_tm struct */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(ena_endstr, "%d.%m.%Y %R", &end_tm); // int_error(asctime(&end_tm)); /* debug correct time parsing */ /* check if expiration date >= start date and <= end date */ if ( difftime(mktime(&start_tm), mktime(&enable_tm)) <=0 && difftime(mktime(&end_tm), mktime(&enable_tm)) >= 0 ) return 1; } /* if search type is rev, check if cert was revoked between start and end date */ if (strcmp(search, "rev") == 0) { /* ---------------------------------------------------------- * * Parse the CGI start date string into the start_tm struct * * ---------------------------------------------------------- */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(rev_startstr, "%d.%m.%Y %R", &start_tm); /* ---------------------------------------------------------- * * Parse the CGI end date string into the end_tm struct * * ---------------------------------------------------------- */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(rev_endstr, "%d.%m.%Y %R", &end_tm); /* ---------------------------------------------------------- * * Get all revoked certificates from revocation DB index.txt * * ---------------------------------------------------------- */ CA_DB *db = NULL; DB_ATTR db_attr; if((db = load_index(INDEXFILE, &db_attr)) == NULL) int_error("Error cannot load CRL certificate database file"); /* ---------------------------------------------------------- * * Get the certs serial number, convert it into a hex string * * -----------------------------------------------------------*/ BIGNUM *bn = NULL; bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL); if (!bn) int_error("Cannot extract serial number from cert into BIGNUM"); char *serialstr = BN_bn2hex(bn); /* ---------------------------------------------------------- * * Check if the cert is revoked, looking up its serial in DB * * -----------------------------------------------------------*/ char *const *pp; int i; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { pp = sk_OPENSSL_PSTRING_value(db->db->data, i); if ( (strcmp(pp[DB_serial], serialstr) == 0) && (pp[DB_type][0] == DB_TYPE_REV) ) { /* ---------------------------------------------------------- * * Revoked, get the certs revocation date from the database * * -----------------------------------------------------------*/ char *p = strchr(pp[DB_rev_date], ','); if (p) *p = '\0'; // if revocation reason is given, terminate before char *revokedstr = BUF_strdup(pp[DB_rev_date]); revocation_date = ASN1_UTCTIME_new(); ASN1_UTCTIME_set_string(revocation_date, revokedstr); //int_error(revokedstr); /* debug correct time parsing */ /* copy the certificate revocation date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, revocation_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); //int_error(membio_buf); /* parse the revocation date string into a time struct */ memset (&revoked_tm, '\0', sizeof(revoked_tm)); strptime(membio_buf, "%h %d %T %Y %z", &revoked_tm); //int_error(asctime(&revoked_tm)); /* debug correct time parsing */ /* ---------------------------------------------------------- * * Check if revocation date >= start date and <= end date * * -----------------------------------------------------------*/ if ( difftime(mktime(&start_tm), mktime(&revoked_tm)) <=0 && difftime(mktime(&end_tm), mktime(&revoked_tm)) >= 0 ) return 1; } } BN_free(bn); } /* if search type is ser, check if serial is between start and end serial */ if (strcmp(search, "ser") == 0) { /* convert the serial strings to BIGNUM */ BN_dec2bn(&startserialbn, startserstr); BN_dec2bn(&endserialbn, endserstr); /* get the certificates serial number and convert it to BIGNUM */ if ((certserial = X509_get_serialNumber(cert)) == NULL) int_error("Error: Getting certificate serial number in ASN1 format."); if ((certserialbn = ASN1_INTEGER_to_BN(certserial, NULL)) == NULL) int_error("Error: converting certserial number from ASN1 to BIGNUM."); /* debugging output to see values of BIGNUM */ //membio = BIO_new(BIO_s_mem()); //BN_print(membio, endserialbn); //BIO_gets(membio, membio_buf, sizeof(membio_buf)); //BIO_free(membio); //int_error(membio_buf); /* check if certserial >= startserial and <= endserial */ if ( BN_cmp(startserialbn, certserialbn) <= 0 && BN_cmp(endserialbn, certserialbn) >= 0 ) return 1; } return 0; }
KSSLCertificate* KSSLCertificateFactory::generateSelfSigned(KSSLKeyType /*keytype*/) { #if 0 //#ifdef KSSL_HAVE_SSL X509_NAME *x509name = X509_NAME_new(); X509 *x509; ASN1_UTCTIME *beforeafter; KSSLCertificate *newcert; int rc; // FIXME: generate the private key if (keytype == KEYTYPE_UNKNOWN || (key=EVP_PKEY_new()) == NULL) { X509_NAME_free(x509name); return NULL; } switch(keytype) { case KEYTYPE_RSA: if (!EVP_PKEY_assign_RSA(key, RSA_generate_key(newkey,0x10001, req_cb,bio_err))) { } break; case KEYTYPE_DSA: if (!DSA_generate_key(dsa_params)) goto end; if (!EVP_PKEY_assign_DSA(pkey,dsa_params)) goto end; dsa_params=NULL; if (pkey->type == EVP_PKEY_DSA) digest=EVP_dss1(); break; } // FIXME: dn doesn't exist // FIXME: allow the notAfter value to be parameterized // FIXME: allow a password to lock the key with // Fill in the certificate X509_NAME_add_entry_by_NID(x509name, OBJ_txt2nid("CN"), 0x1001, (unsigned char *) dn, -1, -1, 0); x509 = X509_new(); rc = X509_set_issuer_name(x509, x509name); if (rc != 0) { X509_free(x509); X509_NAME_free(x509name); return NULL; } rc = X509_set_subject_name(x509, x509name); if (rc != 0) { X509_free(x509); X509_NAME_free(x509name); return NULL; } ASN1_INTEGER_set(X509_get_serialNumber(*x509), 0); X509_NAME_free(x509name); // Make it a 1 year certificate beforeafter = ASN1_UTCTIME_new(); if (!X509_gmtime_adj(beforeafter, -60*60*24)) { // yesterday X509_free(x509); return NULL; } if (!X509_set_notBefore(x509, beforeafter)) { X509_free(x509); return NULL; } if (!X509_gmtime_adj(beforeafter, 60*60*24*364)) { // a year from yesterday X509_free(x509); return NULL; } if (!X509_set_notAfter(x509, beforeafter)) { X509_free(x509); return NULL; } ASN1_UTCTIME_free(beforeafter); if (!X509_set_pubkey(x509, key)) { X509_free(x509); return NULL; } rc = X509_sign(x509, key, EVP_sha1()); if (rc != 0) { X509_free(x509); return NULL; } newCert = new KSSLCertificate; newCert->setCert(x509); return newCert; #else return NULL; #endif }
inline utctime utctime::create() { return take_ownership(ASN1_UTCTIME_new()); }