Make -passin -passout etc work again.
index e0a9ef9eae26da0d9ad992720d589fc970d12cf2..d41a9d5fc64ea3db7b22934d5b699c0b46454351 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -264,6 +264,7 @@ int MAIN(int argc, char **argv)
        {
        ENGINE *e = NULL;
        char *key=NULL,*passargin=NULL;
+       int free_key = 0;
        int total=0;
        int total_done=0;
        int badops=0;
@@ -312,8 +313,9 @@ int MAIN(int argc, char **argv)
        char *dbfile=NULL;
        TXT_DB *db=NULL;
        X509_CRL *crl=NULL;
-       X509_CRL_INFO *ci=NULL;
        X509_REVOKED *r=NULL;
+       ASN1_TIME *tmptm;
+       ASN1_INTEGER *tmpser;
        char **pp,*p,*f;
        int i,j;
        long l;
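Review bot: `tmptm` and `tmpser` are the only pointers in this declaration block left without an initializer, while the neighbouring pointers (`db`, `crl`, `r`) all start at NULL. Both are assigned before use in the CRL hunks further down, but a NULL start is what allows a cleanup path to free them unconditionally later; write `ASN1_TIME *tmptm = NULL;` and `ASN1_INTEGER *tmpser = NULL;`.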
@@ -658,15 +660,8 @@ bad:
                db=TXT_DB_read(in,DB_NUMBER);
                if (db == NULL) goto err;
 
-               if (!TXT_DB_create_index(db, DB_serial, NULL,
-                                       LHASH_HASH_FN(index_serial_hash),
-                                       LHASH_COMP_FN(index_serial_cmp)))
-                       {
-                       BIO_printf(bio_err,
-                         "error creating serial number index:(%ld,%ld,%ld)\n",
-                                               db->error,db->arg1,db->arg2);
+               if (!make_serial_index(db))
                        goto err;
-                       }
 
                if (get_certificate_status(ser_status,db) != 1)
                        BIO_printf(bio_err,"Error verifying serial %s!\n",
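Review bot: `make_serial_index` is called here, and `unpack_revinfo` in `make_revoked`, before their definitions at the end of the file, and no hunk in this diff adds a prototype for either. Unless one was added outside these hunks, both are implicitly declared, which only works because they happen to return `int` and is rejected by newer compilers; add `int make_serial_index(TXT_DB *db);` and the `unpack_revinfo` prototype next to the file's other forward declarations. The same applies to the second `make_serial_index` call in the index-generation hunk below.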
@@ -683,10 +678,14 @@ bad:
                lookup_fail(section,ENV_PRIVATE_KEY);
                goto err;
                }
-       if (!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
+       if (!key)
                {
-               BIO_printf(bio_err,"Error getting password\n");
-               goto err;
+               free_key = 1;
+               if (!app_passwd(bio_err, passargin, NULL, &key, NULL))
+                       {
+                       BIO_printf(bio_err,"Error getting password\n");
+                       goto err;
+                       }
                }
        pkey = load_key(bio_err, keyfile, keyform, key, e, 
                "CA private key");
@@ -891,13 +890,8 @@ bad:
                BIO_printf(bio_err,"generating index\n");
                }
        
-       if (!TXT_DB_create_index(db, DB_serial, NULL,
-                       LHASH_HASH_FN(index_serial_hash),
-                       LHASH_COMP_FN(index_serial_cmp)))
-               {
-               BIO_printf(bio_err,"error creating serial number index:(%ld,%ld,%ld)\n",db->error,db->arg1,db->arg2);
+       if (!make_serial_index(db))
                goto err;
-               }
 
        if (!TXT_DB_create_index(db, DB_name, index_name_qual,
                        LHASH_HASH_FN(index_name_hash),
@@ -1443,15 +1437,16 @@ bad:
 
                if (verbose) BIO_printf(bio_err,"making CRL\n");
                if ((crl=X509_CRL_new()) == NULL) goto err;
-               ci=crl->crl;
-               X509_NAME_free(ci->issuer);
-               ci->issuer=X509_NAME_dup(x509->cert_info->subject);
-               if (ci->issuer == NULL) goto err;
+               if (!X509_CRL_set_issuer_name(crl, X509_get_issuer_name(x509))) goto err;
+
+               tmptm = ASN1_TIME_new();
+               if (!tmptm) goto err;
+               X509_gmtime_adj(tmptm,0);
+               X509_CRL_set_lastUpdate(crl, tmptm);    
+               X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);
+               X509_CRL_set_nextUpdate(crl, tmptm);    
 
-               X509_gmtime_adj(ci->lastUpdate,0);
-               if (ci->nextUpdate == NULL)
-                       ci->nextUpdate=ASN1_UTCTIME_new();
-               X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);
+               ASN1_TIME_free(tmptm);
 
                for (i=0; i<sk_num(db->data); i++)
                        {
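Review bot: The CRL issuer is now taken from `X509_get_issuer_name(x509)`, the name of whoever signed the CA certificate, whereas the removed lines copied `x509->cert_info->subject`, the CA's own name. For a self-signed root the two coincide, but for a subordinate CA the CRL would name the parent as its issuer and fail issuer matching against the certificates it revokes; the line should read `if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) goto err;`. The two `X509_gmtime_adj` calls and the `X509_CRL_set_lastUpdate`/`X509_CRL_set_nextUpdate` calls also discard their return values, so a failed time computation silently yields a CRL with an unset or stale update time; check each and `goto err`, and because `tmptm` is only freed on the straight-line path, any new early exit needs an `ASN1_TIME_free(tmptm)` at `err:` with `tmptm` starting at NULL. Both `X509_CRL_set_*Update` lines carry trailing whitespace.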
@@ -1464,22 +1459,20 @@ bad:
                                if (j == 2) crl_v2 = 1;
                                if (!BN_hex2bn(&serial, pp[DB_serial]))
                                        goto err;
-                               r->serialNumber = BN_to_ASN1_INTEGER(serial, r->serialNumber);
+                               tmpser = BN_to_ASN1_INTEGER(serial, NULL);
                                BN_free(serial);
                                serial = NULL;
-                               if (!r->serialNumber)
+                               if (!tmpser)
                                        goto err;
+                               X509_REVOKED_set_serialNumber(r, tmpser);
+                               ASN1_INTEGER_free(tmpser);
                                X509_CRL_add0_revoked(crl,r);
                                }
                        }
+
                /* sort the data so it will be written in serial
                 * number order */
-               sk_X509_REVOKED_sort(ci->revoked);
-               for (i=0; i<sk_X509_REVOKED_num(ci->revoked); i++)
-                       {
-                       r=sk_X509_REVOKED_value(ci->revoked,i);
-                       r->sequence=i;
-                       }
+               X509_CRL_sort(crl);
 
                /* we now have a CRL */
                if (verbose) BIO_printf(bio_err,"signing CRL\n");
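Review bot: `X509_REVOKED_set_serialNumber(r, tmpser)` has its return value dropped, so if the copy fails the entry is still added to the CRL by `X509_CRL_add0_revoked` with whatever serial the fresh `X509_REVOKED` holds — a revocation entry naming the wrong (empty) serial. Check it before releasing the temporary: `if (!X509_REVOKED_set_serialNumber(r, tmpser)) { ASN1_INTEGER_free(tmpser); goto err; }`. `X509_CRL_add0_revoked` is likewise unchecked, and on the `goto err` after `BN_to_ASN1_INTEGER` the `r` presumably allocated just above the hunk is leaked unless `err:` frees it; both predate this change. The loop body begins outside the hunk.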
@@ -1506,8 +1499,6 @@ bad:
                if (crl_ext)
                        {
                        X509V3_CTX crlctx;
-                       if (ci->version == NULL)
-                               if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
                        X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
                        X509V3_set_nconf(&crlctx, conf);
 
@@ -1516,9 +1507,8 @@ bad:
                        }
                if (crl_ext || crl_v2)
                        {
-                       if (ci->version == NULL)
-                               if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
-                       ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+                       if (!X509_CRL_set_version(crl, 1))
+                               goto err; /* version 2 CRL */
                        }
 
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
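Review bot: The `/* version 2 CRL */` comment has moved onto the `goto err;` line, where it reads as a description of the error exit rather than of the version being set. Keep it next to the call it explains: `if (!X509_CRL_set_version(crl, 1)) /* version 2 CRL */` followed by a plain `goto err;`.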
@@ -1592,6 +1582,8 @@ err:
 
        if (ret) ERR_print_errors(bio_err);
        app_RAND_write_file(randfile, bio_err);
+       if (free_key)
+               OPENSSL_free(key);
        BN_free(serial);
        TXT_DB_free(db);
        EVP_PKEY_free(pkey);
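Review bot: The passphrase obtained through `app_passwd` is released with a plain `OPENSSL_free(key)`, which leaves the CA key password in freed heap memory for the rest of the process and in any core dump. Wipe it first: `if (free_key && key) { OPENSSL_cleanse(key, strlen(key)); OPENSSL_free(key); }` — the NULL test is needed because `free_key` is set before `app_passwd` has succeeded. The rest of the `err:` cleanup lies outside the hunk.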
@@ -2889,92 +2881,25 @@ char *make_revocation_str(int rev_type, char *rev_arg)
  * 2 OK and some extensions added (i.e. V2 CRL)
  */
 
+
 int make_revoked(X509_REVOKED *rev, char *str)
        {
        char *tmp = NULL;
-       char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
        int reason_code = -1;
        int i, ret = 0;
        ASN1_OBJECT *hold = NULL;
        ASN1_GENERALIZEDTIME *comp_time = NULL;
        ASN1_ENUMERATED *rtmp = NULL;
-       tmp = BUF_strdup(str);
-
-       p = strchr(tmp, ',');
 
-       rtime_str = tmp;
+       ASN1_TIME *revDate = NULL;
 
-       if (p)
-               {
-               *p = '\0';
-               p++;
-               reason_str = p;
-               p = strchr(p, ',');
-               if (p)
-                       {
-                       *p = '\0';
-                       arg_str = p + 1;
-                       }
-               }
+       i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
 
-       if (rev && !ASN1_UTCTIME_set_string(rev->revocationDate, rtime_str))
-               {
-               BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+       if (i == 0)
                goto err;
-               }
-       if (reason_str)
-               {
-               for (i = 0; i < NUM_REASONS; i++)
-                       {
-                       if(!strcasecmp(reason_str, crl_reasons[i]))
-                               {
-                               reason_code = i;
-                               break;
-                               }
-                       }
-               if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
-                       {
-                       BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
-                       goto err;
-                       }
-
-               if (reason_code == 7)
-                       reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
-               else if (reason_code == 8)              /* Hold instruction */
-                       {
-                       if (!arg_str)
-                               {       
-                               BIO_printf(bio_err, "missing hold instruction\n");
-                               goto err;
-                               }
-                       reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
-                       hold = OBJ_txt2obj(arg_str, 0);
 
-                       if (!hold)
-                               {
-                               BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
-                               goto err;
-                               }
-                       }
-               else if ((reason_code == 9) || (reason_code == 10))
-                       {
-                       if (!arg_str)
-                               {       
-                               BIO_printf(bio_err, "missing compromised time\n");
-                               goto err;
-                               }
-                       comp_time = ASN1_GENERALIZEDTIME_new();
-                       if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
-                               {       
-                               BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
-                               goto err;
-                               }
-                       if (reason_code == 9)
-                               reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
-                       else
-                               reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
-                       }
-               }
+       if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
+               goto err;
 
        if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
                {
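Review bot: With the parsing moved into `unpack_revinfo`, `tmp` in `make_revoked` is declared but never assigned — the `BUF_strdup` that filled it is among the removed lines — so it and its release in the cleanup section (outside this hunk, presumably `if (tmp) OPENSSL_free(tmp)`) are dead and can go. `i` now only carries the `unpack_revinfo` status; `if (!unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str)) goto err;` says the same thing without the detour through `i`. The function's remaining body, including its `err:` cleanup, is outside this hunk.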
@@ -3006,6 +2931,7 @@ int make_revoked(X509_REVOKED *rev, char *str)
        ASN1_OBJECT_free(hold);
        ASN1_GENERALIZEDTIME_free(comp_time);
        ASN1_ENUMERATED_free(rtmp);
+       ASN1_TIME_free(revDate);
 
        return ret;
        }
@@ -3108,3 +3034,123 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
        BIO_printf(bp,"'\n");
        return 1;
        }
+
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, char *str)
+       {
+       char *tmp = NULL;
+       char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
+       int reason_code = -1;
+       int i, ret = 0;
+       ASN1_OBJECT *hold = NULL;
+       ASN1_GENERALIZEDTIME *comp_time = NULL;
+       tmp = BUF_strdup(str);
+
+       p = strchr(tmp, ',');
+
+       rtime_str = tmp;
+
+       if (p)
+               {
+               *p = '\0';
+               p++;
+               reason_str = p;
+               p = strchr(p, ',');
+               if (p)
+                       {
+                       *p = '\0';
+                       arg_str = p + 1;
+                       }
+               }
+
+       if (prevtm)
+               {
+               *prevtm = ASN1_UTCTIME_new();
+               if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
+                       {
+                       BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+                       goto err;
+                       }
+               }
+       if (reason_str)
+               {
+               for (i = 0; i < NUM_REASONS; i++)
+                       {
+                       if(!strcasecmp(reason_str, crl_reasons[i]))
+                               {
+                               reason_code = i;
+                               break;
+                               }
+                       }
+               if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
+                       {
+                       BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
+                       goto err;
+                       }
+
+               if (reason_code == 7)
+                       reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
+               else if (reason_code == 8)              /* Hold instruction */
+                       {
+                       if (!arg_str)
+                               {       
+                               BIO_printf(bio_err, "missing hold instruction\n");
+                               goto err;
+                               }
+                       reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
+                       hold = OBJ_txt2obj(arg_str, 0);
+
+                       if (!hold)
+                               {
+                               BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
+                               goto err;
+                               }
+                       if (phold) *phold = hold;
+                       }
+               else if ((reason_code == 9) || (reason_code == 10))
+                       {
+                       if (!arg_str)
+                               {       
+                               BIO_printf(bio_err, "missing compromised time\n");
+                               goto err;
+                               }
+                       comp_time = ASN1_GENERALIZEDTIME_new();
+                       if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
+                               {       
+                               BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
+                               goto err;
+                               }
+                       if (reason_code == 9)
+                               reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
+                       else
+                               reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
+                       }
+               }
+
+       if (preason) *preason = reason_code;
+       if (pinvtm) *pinvtm = comp_time;
+       else ASN1_GENERALIZEDTIME_free(comp_time);
+
+       ret = 1;
+
+       err:
+
+       if (tmp) OPENSSL_free(tmp);
+       if (!phold) ASN1_OBJECT_free(hold);
+       if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
+
+       return ret;
+       }
+
+int make_serial_index(TXT_DB *db)
+       {
+       if (!TXT_DB_create_index(db, DB_serial, NULL,
+                               LHASH_HASH_FN(index_serial_hash),
+                               LHASH_COMP_FN(index_serial_cmp)))
+               {
+               BIO_printf(bio_err,
+                 "error creating serial number index:(%ld,%ld,%ld)\n",
+                                       db->error,db->arg1,db->arg2);
+                       return 0;
+               }
+       return 1;
+       }
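Review bot: `comp_time` leaks on the error exit in the compromised-time branch whenever the caller passed a non-NULL `pinvtm` (as `make_revoked` does): the `*pinvtm = comp_time` hand-over sits on the success path and is never reached, while the cleanup at `err:` only frees it when `pinvtm` is NULL; change that cleanup line to `if (!pinvtm || !ret) ASN1_GENERALIZEDTIME_free(comp_time);`. `BUF_strdup(str)` and `ASN1_UTCTIME_new()` are also used without a NULL check, so an allocation failure reaches `strchr(NULL, ',')` or `ASN1_UTCTIME_set_string(NULL, ...)`; an `if (!tmp) goto err;` after the strdup covers the first, and the `err:` path already tolerates a NULL `tmp`. The revocation string is operator-supplied input, so a malformed or unallocatable value should end in the existing error message rather than a crash. In `make_serial_index` the `return 0;` is indented one level deeper than the block it belongs to.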