1

I have created openssl certificates so i have .crt and .key file. If I want to add those certificates in existing certificate revocation list then how can we do that ?

I have tried with below code.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/asn1.h>

#define DB_NUMBER   6
#define DB_name     5
#define DB_serial   3
#define DB_rev_date 2

static X509* load_cert(const char* usercert)
{
    /* read usercert from file */
    X509* x = NULL;
    BIO* bio = BIO_new(BIO_s_file());
    assert(bio != NULL);
    assert(BIO_read_filename(bio, usercert) > 0);
    x = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
    BIO_free(bio);
    assert(x != NULL);

    return x;
}

int main()
{
    int i;
    ASN1_UTCTIME* tm = NULL;
    char* rev_str = NULL;
    BIGNUM* bn = NULL;
    char* row[DB_NUMBER];

    for (i = 0; i < DB_NUMBER; i++)
        row[i] = NULL;

    X509* x = load_cert("../client.crt");

    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x), NULL);
    assert(bn != NULL);
    if (BN_is_zero(bn))
        row[DB_serial] = BUF_strdup("00");
    else
        row[DB_serial] = BN_bn2hex(bn);

    BN_free(bn);

    //assert(row[DB_name] != NULL);
    //assert(row[DB_serial] != NULL);

    printf("Serial Number is: %s\n", row[DB_serial]);


    printf("---- Now Updating CRL file with expired client certificates --------\n");


    char       *crl_file_path = "../root_mod.crl";
    FILE       *fp_crl_file = NULL;
    X509_CRL *x_crl = NULL;
    BIGNUM* serial = NULL;

    /* Get the CA crl */
    fp_crl_file = fopen(crl_file_path, "r");
    if (!fp_crl_file)
    {
        printf("---- Error while opening CRL file --------\n");
        exit(1);
    }

    x_crl = PEM_read_X509_CRL(fp_crl_file, NULL, NULL, NULL);
    if (!x_crl)
    {
        printf("---- Error while reading X509 CRL file --------\n");
        exit(1);
    }

    fclose(fp_crl_file);

    X509_REVOKED* r = X509_REVOKED_new();
    assert(r != NULL);

    assert(BN_hex2bn(&serial, row[DB_serial]) > 0);

    ASN1_INTEGER* tmpser = BN_to_ASN1_INTEGER(serial, NULL);
    BN_free(serial);
    serial = NULL;
    assert(tmpser != NULL);
    i = X509_REVOKED_set_serialNumber(r, tmpser);

    ASN1_INTEGER_free(tmpser);
    X509_CRL_add0_revoked(x_crl, r);

    return 0;
}

I have wrote above code and i got the serial number but do not get added to revoked list in "root_mod.crl" file.

Can you suggest any pointers ?

jww
  • 97,681
  • 90
  • 411
  • 885
Neel
  • 451
  • 1
  • 9
  • 23
  • [OpenSSL API Examples](http://fm4dd.com/openssl/) along with the documentation at openssl.org is a good pace to start. – David C. Rankin Jan 18 '18 at 08:15
  • Thanks. I have tried above updated code from openssl source code reference but client certificate serial number is not getting added to CRL file. Any pointers ? – Neel Jan 18 '18 at 17:45
  • The OpenSSL command is `openssl ca -revoke ...`. It is the reference implementation provided by OpenSSL. You can find the source code for the `ca` subcommand at [`/apps/ca.c`](https://github.com/openssl/openssl/blob/master/apps/ca.c). I'm guessing you will find `int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, const char *extval);` interesting. – jww Jan 20 '18 at 13:45

0 Answers0