generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add `openssl ca -revoke <certfile>' facility which revokes a certificate

Browse Source 
specified in <certfile> by updating the entry in the index.txt file.
This way one no longer has to edit the index.txt file manually for
revoking a certificate. The -revoke option does the gory details now.

Submitted by: Massimiliano Pala <madwolf@openca.org>
Cleaned up and integrated by: Ralf S. Engelschall
This commit is contained in:
Ralf S. Engelschall 1999-04-12 11:45:14 +00:00
parent 2f0cd19533
commit f9a2593163
2 changed files with 187 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGES
View File

@ -5,6 +5,12 @@
Changes between 0.9.2b and 0.9.3 Changes between 0.9.2b and 0.9.3
*) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
specified in <certfile> by updating the entry in the index.txt file.
This way one no longer has to edit the index.txt file manually for
revoking a certificate. The -revoke option does the gory details now.
[Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]
*) Fix `openssl crl -noout -text' combination where `-noout' killed the *) Fix `openssl crl -noout -text' combination where `-noout' killed the
`-text' option at all and this way the `-noout -text' combination was `-text' option at all and this way the `-noout -text' combination was
inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.

181
apps/ca.c
View File

@ -146,6 +146,7 @@ static char *ca_usage[]={
" -preserveDN - Don't re-order the DN\n", " -preserveDN - Don't re-order the DN\n",
" -batch - Don't ask questions\n", " -batch - Don't ask questions\n",
" -msie_hack - msie modifications to handle all those universal strings\n", " -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
NULL NULL
}; };
@ -181,6 +182,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, EVP_MD *dgst,
STACK *policy, TXT_DB *db, BIGNUM *serial, char *startdate, STACK *policy, TXT_DB *db, BIGNUM *serial, char *startdate,
int days, int batch, int verbose, X509_REQ *req, char *ext_sect, int days, int batch, int verbose, X509_REQ *req, char *ext_sect,
LHASH *conf); LHASH *conf);
static int do_revoke(X509 *x509, TXT_DB *db);
static int check_time_format(char *str); static int check_time_format(char *str);
#else #else
static int add_oid_section(); static int add_oid_section();
@ -199,6 +201,7 @@ static int certify_cert();
static int certify_spkac(); static int certify_spkac();
static void write_new_certificate(); static void write_new_certificate();
static int do_body(); static int do_body();
static int do_revoke();
static int check_time_format(); static int check_time_format();
#endif #endif
@ -220,6 +223,7 @@ char **argv;
int req=0; int req=0;
int verbose=0; int verbose=0;
int gencrl=0; int gencrl=0;
int revoke=0;
long crldays=0; long crldays=0;
long crlhours=0; long crlhours=0;
long errorline= -1; long errorline= -1;
@ -380,6 +384,12 @@ EF_ALIGNMENT=0;
spkac_file = *(++argv); spkac_file = *(++argv);
req=1; req=1;
} }
else if (strcmp(*argv,"-revoke") == 0)
{
if (--argc < 1) goto bad;
infile= *(++argv);
revoke=1;
}
else else
{ {
bad: bad:
@ -1078,6 +1088,69 @@ bad:
PEM_write_bio_X509_CRL(Sout,crl); PEM_write_bio_X509_CRL(Sout,crl);
} }
/*****************************************************************/ /*****************************************************************/
if (revoke)
{
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL))
{
ERR_print_errors(bio_err);
goto err;
}
if (infile == NULL)
{
BIO_printf(bio_err,"no input files\n");
goto err;
}
else
{
if (BIO_read_filename(in,infile) <= 0)
{
perror(infile);
BIO_printf(bio_err,"error trying to load '%s' certificate\n",infile);
goto err;
}
x509=PEM_read_bio_X509(in,NULL,NULL);
if (x509 == NULL)
{
BIO_printf(bio_err,"unable to load '%s' certificate\n",infile);
goto err;
}
j=do_revoke(x509,db);
strncpy(buf[0],dbfile,BSIZE-4);
strcat(buf[0],".new");
if (BIO_write_filename(out,buf[0]) <= 0)
{
perror(dbfile);
BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
goto err;
}
j=TXT_DB_write(out,db);
if (j <= 0) goto err;
BIO_free(in);
BIO_free(out);
in=NULL;
out=NULL;
strncpy(buf[1],dbfile,BSIZE-4);
strcat(buf[1],".old");
if (rename(dbfile,buf[1]) < 0)
{
BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
perror("reason");
goto err;
}
if (rename(buf[0],dbfile) < 0)
{
BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
perror("reason");
rename(buf[1],dbfile);
goto err;
}
BIO_printf(bio_err,"Data Base Updated\n");
}
}
/*****************************************************************/
ret=0; ret=0;
err: err:
BIO_free(hex); BIO_free(hex);
@ -2068,3 +2141,111 @@ LHASH *hconf;
} }
return 1; return 1;
} }
static int do_revoke(x509,db)
X509 *x509;
TXT_DB *db;
{
ASN1_UTCTIME *tm=NULL;
char *row[DB_NUMBER],**rrow,**irow;
int ok=-1,i;
for (i=0; i<DB_NUMBER; i++)
row[i]=NULL;
row[DB_name]=X509_NAME_oneline(x509->cert_info->subject,NULL,0);
row[DB_serial]=BN_bn2hex(ASN1_INTEGER_to_BN(x509->cert_info->serialNumber,NULL));
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
{
BIO_printf(bio_err,"Malloc failure\n");
goto err;
}
rrow=TXT_DB_get_by_index(db,DB_name,row);
if (rrow == NULL)
{
BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
/* We now just add it to the database */
row[DB_type]=(char *)Malloc(2);
tm=X509_get_notAfter(x509);
row[DB_exp_date]=(char *)Malloc(tm->length+1);
memcpy(row[DB_exp_date],tm->data,tm->length);
row[DB_exp_date][tm->length]='\0';
row[DB_rev_date]=NULL;
/* row[DB_serial] done already */
row[DB_file]=(char *)Malloc(8);
/* row[DB_name] done already */
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
(row[DB_file] == NULL))
{
BIO_printf(bio_err,"Malloc failure\n");
goto err;
}
strcpy(row[DB_file],"unknown");
row[DB_type][0]='V';
row[DB_type][1]='\0';
if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
{
BIO_printf(bio_err,"Malloc failure\n");
goto err;
}
for (i=0; i<DB_NUMBER; i++)
{
irow[i]=row[i];
row[i]=NULL;
}
irow[DB_NUMBER]=NULL;
if (!TXT_DB_insert(db,irow))
{
BIO_printf(bio_err,"failed to update database\n");
BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
goto err;
}
/* Revoke Certificate */
do_revoke(x509,db);
ok=1;
goto err;
}
else if (index_serial_cmp(row,rrow))
{
BIO_printf(bio_err,"ERROR:no same serial number %s\n",
row[DB_serial]);
goto err;
}
else if (rrow[DB_type][0]=='R')
{
BIO_printf(bio_err,"ERROR:Already revoked, serial number %s\n",
row[DB_serial]);
goto err;
}
else
{
BIO_printf(bio_err,"Revoking Certificate %s.\n", rrow[DB_serial]);
tm=X509_gmtime_adj(tm,0);
rrow[DB_type][0]='R';
rrow[DB_type][1]='\0';
rrow[DB_rev_date]=(char *)Malloc(tm->length+1);
memcpy(rrow[DB_rev_date],tm->data,tm->length);
rrow[DB_rev_date][tm->length]='\0';
}
ok=1;
err:
for (i=0; i<DB_NUMBER; i++)
{
if (row[i] != NULL)
Free(row[i]);
}
ASN1_UTCTIME_free(tm);
return(ok);
}