#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/asn1.h>
/*
 * Indices into the row[] string array built in main().
 * NOTE(review): the names and values look like the index.txt column layout
 * used by OpenSSL's "ca" application - confirm before relying on that.
 */
/* Number of slots in row[]. */
#define DB_NUMBER 6
/* Slot holding the one-line subject name of the certificate. */
#define DB_name 5
/* Slot holding the certificate serial number as a hex string. */
#define DB_serial 3
/* Not referenced in this file; presumably the revocation-date slot. */
#define DB_rev_date 2
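/*
 * Load the first PEM-encoded certificate found in the file `usercert`.
 *
 * Returns a newly allocated X509 that the caller must release with
 * X509_free(). The function never returns NULL: on any failure it prints a
 * diagnostic plus the OpenSSL error queue to stderr and terminates the
 * process with EXIT_FAILURE.
 *
 * The original version performed the file open inside assert(). With NDEBUG
 * defined that call disappears entirely, so the BIO would never be bound to
 * the file and every check would be skipped. All checks are now explicit.
 */
static X509 *load_cert(const char *usercert)
{
    if (usercert == NULL) {
        fprintf(stderr, "load_cert: no certificate path given\n");
        exit(EXIT_FAILURE);
    }

    BIO *bio = BIO_new(BIO_s_file());
    if (bio == NULL) {
        fprintf(stderr, "load_cert: cannot allocate file BIO\n");
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }

    if (BIO_read_filename(bio, usercert) <= 0) {
        fprintf(stderr, "load_cert: cannot open %s\n", usercert);
        ERR_print_errors_fp(stderr);
        BIO_free(bio);
        exit(EXIT_FAILURE);
    }

    X509 *x = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
    BIO_free(bio);
    if (x == NULL) {
        fprintf(stderr, "load_cert: no PEM certificate could be parsed from %s\n",
                usercert);
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }

    return x;
}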
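/*
 * Read ../client.crt, print its serial number, and add a revoked entry for
 * that serial to the CRL parsed from ../root_mod.crl.
 *
 * Returns 0 on success and 1 on any failure.
 *
 * NOTE(review): the modified CRL exists only in memory. This program neither
 * re-signs it nor writes it back, so ../root_mod.crl on disk is unchanged and
 * no relying party will see the revocation. Publishing the entry requires
 * updating lastUpdate/nextUpdate, re-signing with the issuing CA's key and
 * writing the result out; a CRL whose entry list was changed without
 * re-signing fails signature verification.
 */
int main(void)
{
    int rc = 1;
    int i;
    char *row[DB_NUMBER];
    const char *crl_file_path = "../root_mod.crl";
    FILE *fp_crl_file = NULL;
    X509 *x = NULL;
    X509_CRL *x_crl = NULL;
    X509_REVOKED *r = NULL;
    BIGNUM *bn = NULL;
    BIGNUM *serial = NULL;
    ASN1_INTEGER *tmpser = NULL;
    ASN1_TIME *tm = NULL;

    for (i = 0; i < DB_NUMBER; i++)
        row[i] = NULL;

    /* load_cert() terminates the process itself on failure. */
    x = load_cert("../client.crt");

    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);

    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x), NULL);
    if (bn == NULL) {
        fprintf(stderr, "---- Error while converting certificate serial --------\n");
        goto cleanup;
    }
    /* BN_bn2hex() yields "0" for zero; keep the two-digit form instead. */
    if (BN_is_zero(bn))
        row[DB_serial] = BUF_strdup("00");
    else
        row[DB_serial] = BN_bn2hex(bn);
    BN_free(bn);
    bn = NULL;
    if (row[DB_serial] == NULL) {
        /* Passing NULL to %s below would be undefined behaviour. */
        fprintf(stderr, "---- Error while formatting certificate serial --------\n");
        goto cleanup;
    }

    printf("Serial Number is: %s\n", row[DB_serial]);
    printf("---- Now Updating CRL file with expired client certificates --------\n");

    /* Get the CA crl */
    fp_crl_file = fopen(crl_file_path, "r");
    if (!fp_crl_file) {
        fprintf(stderr, "---- Error while opening CRL file --------\n");
        goto cleanup;
    }
    x_crl = PEM_read_X509_CRL(fp_crl_file, NULL, NULL, NULL);
    fclose(fp_crl_file);
    fp_crl_file = NULL;
    if (!x_crl) {
        fprintf(stderr, "---- Error while reading X509 CRL file --------\n");
        goto cleanup;
    }

    /*
     * A CRL entry identifies a certificate only by serial number, scoped to
     * the CRL's issuer. Adding the serial of a certificate issued by a
     * different CA would not revoke that certificate, so refuse to do it.
     */
    if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(x_crl)) != 0) {
        fprintf(stderr, "---- Certificate issuer does not match CRL issuer --------\n");
        goto cleanup;
    }

    r = X509_REVOKED_new();
    if (r == NULL) {
        fprintf(stderr, "---- Error while allocating revoked entry --------\n");
        goto cleanup;
    }

    /*
     * The conversion is done outside assert(): with NDEBUG defined an
     * assert() argument is not evaluated and `serial` would stay NULL.
     */
    if (BN_hex2bn(&serial, row[DB_serial]) <= 0) {
        fprintf(stderr, "---- Error while parsing serial number --------\n");
        goto cleanup;
    }
    tmpser = BN_to_ASN1_INTEGER(serial, NULL);
    BN_free(serial);
    serial = NULL;
    if (tmpser == NULL) {
        fprintf(stderr, "---- Error while encoding serial number --------\n");
        goto cleanup;
    }
    if (!X509_REVOKED_set_serialNumber(r, tmpser)) {
        fprintf(stderr, "---- Error while setting serial on revoked entry --------\n");
        goto cleanup;
    }

    /* Every CRL entry carries a revocation date; use the current time. */
    tm = X509_gmtime_adj(NULL, 0);
    if (tm == NULL || !X509_REVOKED_set_revocationDate(r, tm)) {
        fprintf(stderr, "---- Error while setting revocation date --------\n");
        goto cleanup;
    }

    /* On success the CRL owns `r`; on failure it is still ours to free. */
    if (!X509_CRL_add0_revoked(x_crl, r)) {
        fprintf(stderr, "---- Error while adding entry to CRL --------\n");
        goto cleanup;
    }
    r = NULL;

    rc = 0;

cleanup:
    if (rc != 0)
        ERR_print_errors_fp(stderr);
    if (fp_crl_file)
        fclose(fp_crl_file);
    ASN1_INTEGER_free(tmpser);
    ASN1_TIME_free(tm);
    BN_free(serial);
    BN_free(bn);
    X509_REVOKED_free(r);
    X509_CRL_free(x_crl);
    X509_free(x);
    for (i = 0; i < DB_NUMBER; i++)
        OPENSSL_free(row[i]);
    return rc;
}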