[openssl-users] Revoke certificate and append to existing crl file

neel patel neel5481 at gmail.com
Fri Jan 19 08:27:41 UTC 2018 

Hi,

I am using openssl C API.

I have created openssl certificates so i have .crt and .key file. If I want
to append those certificates in existing certificate revocation list then
how can we do that ? I have tried with below code.


#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <assert.h>


#include <openssl/pem.h>

#include <openssl/conf.h>

#include <openssl/x509.h>

#include <openssl/x509v3.h>

#include <openssl/err.h>

#include <openssl/rsa.h>

#include <openssl/ssl.h>

#include <openssl/evp.h>

#include <openssl/asn1.h>


#define DB_NUMBER   6

#define DB_name     5

#define DB_serial   3

#define DB_rev_date 2


static X509* load_cert(const char* usercert)

{

/* read usercert from file */

X509* x = NULL;

BIO* bio = BIO_new(BIO_s_file());

assert(bio != NULL);

assert(BIO_read_filename(bio, usercert) > 0);

x = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);

BIO_free(bio);

assert(x != NULL);


return x;

}


int main()

{

int i;

ASN1_UTCTIME* tm = NULL;

char* rev_str = NULL;

BIGNUM* bn = NULL;

char* row[DB_NUMBER];


for (i = 0; i < DB_NUMBER; i++)

    row[i] = NULL;


X509* x = load_cert("../client.crt");


row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);

bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x), NULL);

assert(bn != NULL);

if (BN_is_zero(bn))

    row[DB_serial] = BUF_strdup("00");

else

    row[DB_serial] = BN_bn2hex(bn);


BN_free(bn);


printf("Serial Number is: %s\n", row[DB_serial]);



printf("---- Now Updating CRL file with expired client certificates
--------\n");



char       *crl_file_path = "../root_mod.crl";

FILE       *fp_crl_file = NULL;

X509_CRL *x_crl = NULL;

BIGNUM* serial = NULL;


/* Get the CA crl */

fp_crl_file = fopen(crl_file_path, "r");

if (!fp_crl_file)

{

    printf("---- Error while opening CRL file --------\n");

    exit(1);

}


x_crl = PEM_read_X509_CRL(fp_crl_file, NULL, NULL, NULL);

if (!x_crl)

{

    printf("---- Error while reading X509 CRL file --------\n");

    exit(1);

}


fclose(fp_crl_file);


X509_REVOKED* r = X509_REVOKED_new();

assert(r != NULL);


assert(BN_hex2bn(&serial, row[DB_serial]) > 0);


ASN1_INTEGER* tmpser = BN_to_ASN1_INTEGER(serial, NULL);

BN_free(serial);

serial = NULL;

assert(tmpser != NULL);

i = X509_REVOKED_set_serialNumber(r, tmpser);


ASN1_INTEGER_free(tmpser);

X509_CRL_add0_revoked(x_crl, r);


return 0;

}


Is is possible to add revoked certificate serial number to CRL file ? OR Do
I need to regenerate the CRL file from list of revoked certificate serial
numbers ( e.g. index.txt ).

Let us know your thoughts.

Thanks,
Neel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/e72fe5b7/attachment-0001.html>

More information about the openssl-users mailing list