
Extend X509Crl functionality #2174

Open
wants to merge 26 commits into base: master

Conversation

@gweisert gweisert commented Feb 17, 2024

  • added two more constructors for Asn1Time
  • added X509Revoked constructor which handles allocation and initial data (takes the cert to be revoked as argument)
  • extended X509Crl
    • added constructor to create a new crl for a given cert
    • added support for the crl_number extension
    • added function to sign the crl with a given key
    • added function to retrieve entry_count of the crl
    • added function to revoke a given certificate
    • added functions to set both last_updated and next_update times
usage example

```rust
pub fn main() {
    // Existing CRL issued by the CA, in PEM.
    let crl = include_bytes!("../tests/assets2/ca_ca1.crl");
    let mut crl = openssl::x509::X509Crl::from_pem(crl).unwrap();

    // The CA key: its public half verifies the old signature,
    // the private half produces the new one.
    let key = include_bytes!("../tests/assets2/ca_ca1.key");
    let key = openssl::pkey::PKey::private_key_from_pem(key).unwrap();

    // Certificate to add to the revocation list.
    let to_revoke = include_bytes!("../tests/assets2/ca1_cert2.cert");
    let to_revoke = openssl::x509::X509::from_pem(to_revoke).unwrap();

    crl.verify(&key).unwrap(); // confirm the CRL we start from is authentic
    crl.revoke(&to_revoke).unwrap(); // add an entry for the certificate
    crl.increment_crl_number().unwrap(); // bump the crlNumber extension
    crl.sign(&key, openssl::hash::MessageDigest::sha256())
        .unwrap(); // re-sign over the modified TBSCertList
    crl.verify(&key).unwrap(); // the new signature checks out with the same key

    let to_write = crl.to_pem().unwrap();
    std::fs::write("updated_crl.crl", to_write).unwrap();
}
```

@gweisert gweisert force-pushed the implement_crl_revoke branch 2 times, most recently from 0ed91d2 to 923783c on February 17, 2024 10:00
gweisert and others added 5 commits March 2, 2024 10:56
add optional config parameter; fix erroneous CRL version; add
AuthorityKeyIdentifier extension when building CRLv2; set_crl_number is
now private; increment_crl_number is the new public interface, returning
the new crl value, or None if self is a CRLv1; update tests using
X509Crl::new
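
The structures the new helpers operate on (the CRL version field, the crlNumber extension and the revokedCertificates list), as an added example that is not code from rust-openssl or from this PR and does not use the openssl crate: a dependency-free DER walker that extracts those fields from a CRL and applies the RFC 5280 rule behind the "fix erroneous CRL version" item above (a CRL that carries extensions such as crlNumber must be v2). The sample CRL bytes, the CN=ca1 issuer, the serial 0x1001 and the function names `parse_crl`, `check_crl` and `sample_crl` are all constructed for this example; the sample's signature is a dummy and nothing here verifies one.

```rust
// Added example, not code from rust-openssl or from this PR: a dependency-free DER walker that pulls
// the fields the PR manipulates (version, crlNumber, revoked serials) out of a CRL and enforces the
// RFC 5280 rule that a CRL carrying extensions must be v2. The sample CRL is constructed here with a
// dummy signature; nothing in this file verifies a signature.

const INTEGER: u8 = 0x02;
const OCTET_STRING: u8 = 0x04;
const OID: u8 = 0x06;
const SEQUENCE: u8 = 0x30;
const CONTEXT_0: u8 = 0xA0; // [0] EXPLICIT wrapper around crlExtensions
const OID_CRL_NUMBER: &[u8] = &[0x55, 0x1D, 0x14]; // id-ce-cRLNumber 2.5.29.20

#[derive(Debug, PartialEq)]
pub struct CrlSummary {
    pub version: u64, // 0 = v1 (field absent), 1 = v2
    pub crl_number: Option<u64>,
    pub revoked_serials: Vec<Vec<u8>>, // raw DER INTEGER contents of each userCertificate
}

/// One DER TLV off the front of `input`: (tag, value, rest). Bounds-checked; no indefinite lengths.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (tag, first) = (*input.first()?, *input.get(1)?);
    let (len, hdr) = if first < 0x80 { (first as usize, 2) } else {
        let n = (first & 0x7F) as usize;
        if n == 0 || n > 4 || input.len() < 2 + n { return None; }
        (input[2..2 + n].iter().fold(0, |acc, b| (acc << 8) | *b as usize), 2 + n)
    };
    let end = hdr.checked_add(len).filter(|e| *e <= input.len())?;
    Some((tag, &input[hdr..end], &input[end..]))
}

fn expect(input: &[u8], tag: u8) -> Option<(&[u8], &[u8])> {
    read_tlv(input).filter(|(t, _, _)| *t == tag).map(|(_, v, r)| (v, r))
}

/// Decode a non-negative DER INTEGER that fits in a u64.
fn der_uint(v: &[u8]) -> Option<u64> {
    if v.is_empty() || v[0] & 0x80 != 0 { return None; } // empty or negative
    let v = if v[0] == 0 { &v[1..] } else { v }; // drop the sign-padding byte
    (v.len() <= 8).then(|| v.iter().fold(0, |acc, b| (acc << 8) | *b as u64))
}

/// Walk CertificateList -> TBSCertList (RFC 5280 5.1); signatureAlgorithm/Value are skipped, not verified.
pub fn parse_crl(der: &[u8]) -> Option<CrlSummary> {
    let (cert_list, rest) = expect(der, SEQUENCE)?;
    if !rest.is_empty() { return None; } // trailing bytes are not DER
    let (mut tbs, _) = expect(cert_list, SEQUENCE)?;
    let mut s = CrlSummary { version: 0, crl_number: None, revoked_serials: vec![] };
    if let Some((v, r)) = expect(tbs, INTEGER) { s.version = der_uint(v)?; tbs = r; } // version OPTIONAL
    for _ in 0..2 { tbs = expect(tbs, SEQUENCE)?.1; } // signature AlgorithmIdentifier, issuer Name
    tbs = read_tlv(tbs).filter(|(t, _, _)| matches!(*t, 0x17 | 0x18))?.2; // thisUpdate (UTCTime/GeneralizedTime)
    if let Some((0x17 | 0x18, _, r)) = read_tlv(tbs) { tbs = r; } // nextUpdate OPTIONAL
    if let Some((mut entries, r)) = expect(tbs, SEQUENCE) { // revokedCertificates OPTIONAL
        while !entries.is_empty() {
            let (entry, next) = expect(entries, SEQUENCE)?;
            s.revoked_serials.push(expect(entry, INTEGER)?.0.to_vec()); // revocationDate/entry extensions ignored
            entries = next;
        }
        tbs = r;
    }
    if let Some((wrapper, _)) = expect(tbs, CONTEXT_0) { // crlExtensions OPTIONAL
        let (mut exts, _) = expect(wrapper, SEQUENCE)?;
        while !exts.is_empty() {
            let (ext, next) = expect(exts, SEQUENCE)?;
            let (oid, after) = expect(ext, OID)?;
            let after = expect(after, 0x01).map_or(after, |(_, r)| r); // skip BOOLEAN `critical` if present
            let (value, _) = expect(after, OCTET_STRING)?; // extnValue
            if oid == OID_CRL_NUMBER { s.crl_number = Some(der_uint(expect(value, INTEGER)?.0)?); }
            exts = next;
        }
    }
    Some(s)
}

/// RFC 5280 5.1.2.1: when extensions are used, the version field MUST be present and MUST be v2.
pub fn check_crl(der: &[u8]) -> Result<CrlSummary, &'static str> {
    let s = parse_crl(der).ok_or("malformed CRL DER")?;
    if s.crl_number.is_some() && s.version != 1 { return Err("CRL carries extensions but is not marked v2"); }
    Ok(s)
}

/// Short-form-only DER encoder (tag, length, contents), used only to build the small sample below.
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    assert!(content.len() < 0x80, "sample encoder emits short-form lengths only");
    [&[tag, content.len() as u8][..], content].concat()
}

/// Constructed CRL from CN=ca1: one revoked serial 0x1001, a crlNumber extension, dummy signature. `v2 = false` omits the version field.
pub fn sample_crl(v2: bool, crl_number: u8) -> Vec<u8> {
    assert!(crl_number < 0x80, "sample encodes crlNumber as a one-byte positive INTEGER");
    let sig_alg = tlv(SEQUENCE, &[tlv(OID, &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B]), vec![0x05, 0x00]].concat()); // sha256WithRSAEncryption
    let issuer = tlv(SEQUENCE, &tlv(0x31, &tlv(SEQUENCE, &[tlv(OID, &[0x55, 0x04, 0x03]), tlv(0x0C, b"ca1")].concat()))); // CN=ca1
    let now = tlv(0x17, b"240217100000Z"); // UTCTime
    let revoked = tlv(SEQUENCE, &tlv(SEQUENCE, &[tlv(INTEGER, &[0x10, 0x01]), now.clone()].concat()));
    let ext = tlv(SEQUENCE, &[tlv(OID, OID_CRL_NUMBER), tlv(OCTET_STRING, &tlv(INTEGER, &[crl_number]))].concat());
    let version = if v2 { tlv(INTEGER, &[1]) } else { Vec::new() };
    let tbs = tlv(SEQUENCE, &[version, sig_alg.clone(), issuer, now, tlv(0x17, b"250217100000Z"), revoked, tlv(CONTEXT_0, &tlv(SEQUENCE, &ext))].concat());
    tlv(SEQUENCE, &[tbs, sig_alg, tlv(0x03, &[0x00, 0xDE, 0xAD, 0xBE, 0xEF])].concat()) // BIT STRING signature (dummy)
}
```

`check_crl(&sample_crl(true, 7))` returns the summary with `version == 1`, `crl_number == Some(7)` and the single revoked serial, while `sample_crl(false, 7)` parses but is rejected because it carries crlNumber without a v2 version field. The walker deliberately stops at structure: a CRL produced by the `sign` helper in the usage example must still be checked with `X509Crl::verify` against the issuer key before any field read here is trusted.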
@botovq botovq (Contributor) left a comment

Thanks. Yes, this is OpenSSL 1.1 API. All this should be available since 2.8.1.

I have only looked at the cfg parts.

Comment on lines +2074 to +2075

```rust
pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> {
match self.get_by_cert(to_revoke) {
```

When my PR #2207 is merged, you can change this &X509 to &X509Ref as well.

Suggested change:

```rust
pub fn revoke(&mut self, to_revoke: &X509Ref) -> Result<(), ErrorStack> {
match self.get_by_cert(to_revoke) {
```

@gweisert gweisert (Author) replied:

Alright, I will update it once it is merged.

@gweisert gweisert (Author) commented

@botovq do you see any further issues with this PR? (since you haven't approved it yet 😅)


4 participants