Extend X509Crl functionality

openssl/src/asn1.rs

@@ -320,9 +320,19 @@ impl Asn1Time {
         }
     }
 
+    /// Creates a new time with the current time
+    pub fn now() -> Result<Asn1Time, ErrorStack> {
+        Asn1Time::seconds_from_now(0)
+    }
+
     /// Creates a new time on specified interval in days from now
     pub fn days_from_now(days: u32) -> Result<Asn1Time, ErrorStack> {
-        Asn1Time::from_period(days as c_long * 60 * 60 * 24)
+        Asn1Time::seconds_from_now(days as c_long * 60 * 60 * 24)
+    }
+
+    /// Creates a new time on specified interval in seconds from now
+    pub fn seconds_from_now(seconds: c_long) -> Result<Asn1Time, ErrorStack> {
+        Asn1Time::from_period(seconds)
     }
 
     /// Creates a new time from the specified `time_t` value

openssl/src/x509/mod.rs

@@ -24,10 +24,11 @@ use std::slice;
 use std::str;
 
 use crate::asn1::{
-    Asn1BitStringRef, Asn1Enumerated, Asn1IntegerRef, Asn1Object, Asn1ObjectRef,
-    Asn1OctetStringRef, Asn1StringRef, Asn1TimeRef, Asn1Type,
+    Asn1BitStringRef, Asn1Enumerated, Asn1Integer, Asn1IntegerRef, Asn1Object, Asn1ObjectRef,
+    Asn1OctetStringRef, Asn1StringRef, Asn1Time, Asn1TimeRef, Asn1Type,
 };
 use crate::bio::MemBioSlice;
+use crate::bn::BigNum;
 use crate::conf::ConfRef;
 use crate::error::ErrorStack;
 use crate::ex_data::Index;
@@ -1670,6 +1671,27 @@ impl X509Revoked {
         X509Revoked,
         ffi::d2i_X509_REVOKED
     }
+
+    pub fn new(to_revoke: &X509) -> Result<Self, ErrorStack> {
+        unsafe { Ok(Self(Self::new_raw(to_revoke)?)) }
+    }
+
+    /// the caller has to ensure the pointer is freed
+    unsafe fn new_raw(to_revoke: &X509) -> Result<*mut ffi::X509_REVOKED, ErrorStack> {
+        let result = cvt_p(ffi::X509_REVOKED_new())?;
+
+        if ffi::X509_REVOKED_set_serialNumber(result, to_revoke.serial_number().as_ptr()) <= 0 {
+            ffi::X509_REVOKED_free(result);
+            return Err(ErrorStack::get());
+        }
+        if ffi::X509_REVOKED_set_revocationDate(result, crate::asn1::Asn1Time::now()?.as_ptr()) <= 0
+        {
+            ffi::X509_REVOKED_free(result);
+            return Err(ErrorStack::get());
+        }
+
+        Ok(result)
+    }
 }
 
 impl X509RevokedRef {
@@ -1845,6 +1867,157 @@ impl X509Crl {
         X509Crl,
         ffi::d2i_X509_CRL
     }
+
+    pub fn new(issuer_cert: &X509) -> Result<Self, ErrorStack> {
+        unsafe {
+            let crl = Self(cvt_p(ffi::X509_CRL_new())?);
+            #[cfg(ossl110)]
+            {
+                cvt(ffi::X509_CRL_set_version(
+                    crl.as_ptr(),
+                    issuer_cert.version() as c_long,
+                ))?;
+            }
+            cvt(ffi::X509_CRL_set_issuer_name(
+                crl.as_ptr(),
+                issuer_cert.issuer_name().as_ptr(),
+            ))?;
+
+            cfg_if!(
+                if #[cfg(any(ossl110, libressl270, boringssl))] {
+                    cvt(ffi::X509_CRL_set1_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())?
+                } else {
+                    cvt(ffi::X509_CRL_set_lastUpdate(crl.as_ptr(), Asn1Time::now()?.as_ptr())).map(|_| ())?
+                }
+            );
+
+            Ok(crl)
+        }
+    }
+
+    /// use a negative value to set a time before 'now'
+    pub fn set_last_update(&mut self, seconds_from_now: Option<i32>) -> Result<(), ErrorStack> {
+        let time = Asn1Time::seconds_from_now(seconds_from_now.unwrap_or(0) as c_long)?;
+        cfg_if!(
+        if #[cfg(any(ossl110, libressl270, boringssl))] {
+                unsafe {
+                    cvt(ffi::X509_CRL_set1_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ())?
+                };
+            } else {
+                unsafe {
+                    cvt(ffi::X509_CRL_set_lastUpdate(self.as_ptr(), time.as_ptr())).map(|_| ())?
+                };
+            }
+        );
+
+        Ok(())
+    }
+
+    pub fn set_next_update_from_now(&mut self, seconds_from_now: i32) -> Result<(), ErrorStack> {
+        cfg_if!(
+        if #[cfg(any(ossl110, libressl270, boringssl))] {
+                unsafe {
+                    cvt(ffi::X509_CRL_set1_nextUpdate(
+                        self.as_ptr(),
+                        Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(),
+                    ))
+                    .map(|_| ())?;
+            }
+        } else {
+            unsafe {
+                cvt(ffi::X509_CRL_set_nextUpdate(
+                    self.as_ptr(),
+                    Asn1Time::seconds_from_now(seconds_from_now as c_long)?.as_ptr(),
+                ))
+                .map(|_| ())?;
+            }
+            }
+        );
+
+        Ok(())
+    }
+
+    pub fn entry_count(&mut self) -> usize {
+        self.get_revoked()
+            .map(|stack| stack.len())
+            .unwrap_or_default()
+    }
+
+    pub fn sign<T>(&mut self, key: &PKeyRef<T>, hash: MessageDigest) -> Result<(), ErrorStack>
+    where
+        T: HasPrivate,
+    {
+        unsafe {
+            cvt(ffi::X509_CRL_sign(
+                self.as_ptr(),
+                key.as_ptr(),
+                hash.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Read the value of the crl_number extensions.
+    /// Returns None if the extension is not present.
+    pub fn read_crl_number(&self) -> Result<Option<BigNum>, ErrorStack> {
+        unsafe {
+            let mut crit = 0;
+            let number = Asn1Integer::from_ptr_opt(std::mem::transmute(ffi::X509_CRL_get_ext_d2i(
+                self.as_ptr(),
+                ffi::NID_crl_number,
+                &mut crit,
+                std::ptr::null_mut(),
+            )));
+            match number {
+                None => {
+                    if crit == -1 {
+                        // extension was not found
+                        Ok(None)
+                    } else {
+                        Err(ErrorStack::get())
+                    }
+                }
+
+                Some(number) => Ok(Some(number.to_bn()?)),
+            }
+        }
+    }
+
+    /// Set the crl_number extension's value.
+    /// If the extension is not present, it will be added.
+    pub fn set_crl_number(&mut self, value: &BigNum) -> Result<(), ErrorStack> {
+        unsafe {
+            let value = Asn1Integer::from_bn(value)?;
+            cvt(ffi::X509_CRL_add1_ext_i2d(
+                self.as_ptr(),
+                ffi::NID_crl_number,
+                std::mem::transmute(value.as_ptr()),
+                0,
+                #[allow(clippy::useless_conversion)]
+                ffi::X509V3_ADD_REPLACE.try_into().expect("This is an openssl flag and should therefore always fit into the expected integer type"),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Revoke the given certificate.
+    /// This function won't produce duplicate entries in case the certificate was already revoked.
+    /// Sets the CRL's last_updated time to the current time before returning irregardless of the given certificate.
+    pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> {
+        match self.get_by_cert(to_revoke) {
+            CrlStatus::NotRevoked => unsafe {
+                // we are not allowed to drop the revoked after adding it to the crl
+                let revoked = X509Revoked::new_raw(to_revoke)?;
+                if ffi::X509_CRL_add0_revoked(self.as_ptr(), revoked) == 0 {
+                    return Err(ErrorStack::get());
+                };
+            },
+
+            _ => { /* do nothing, already revoked */ }
+        }
+
+        self.set_last_update(Some(0))
+    }
 }
 
 impl X509CrlRef {

openssl/src/x509/tests.rs

@@ -696,6 +696,66 @@ fn test_load_crl() {
     );
 }
 
+#[test]
+fn test_crl_sign() {
+    let ca = include_bytes!("../../test/crl-ca.crt");
+    let ca = X509::from_pem(ca).unwrap();
+    let pkey = include_bytes!("../../test/rsa.pem");
+    let pkey = PKey::private_key_from_pem(pkey).unwrap();
+
+    let mut crl = X509Crl::new(&ca).unwrap();
+    crl.sign(&pkey, MessageDigest::sha256()).unwrap();
+    assert!(crl.verify(&pkey).unwrap());
+}
+
+#[test]
+fn test_crl_revoke() {
+    let ca = include_bytes!("../../test/crl-ca.crt");
+    let ca = X509::from_pem(ca).unwrap();
+
+    let crl = include_bytes!("../../test/test.crl");
+    let mut crl = X509Crl::from_der(crl).unwrap();
+    assert!(crl.verify(&ca.public_key().unwrap()).unwrap());
+
+    // ensure revoking an already revoked cert does not change the revoked count
+    {
+        let already_revoked_cert = include_bytes!("../../test/subca.crt");
+        let already_revoked_cert = X509::from_pem(already_revoked_cert).unwrap();
+
+        let count_before = crl.entry_count();
+        crl.revoke(&already_revoked_cert).unwrap();
+        assert_eq!(
+            count_before,
+            crl.entry_count(),
+            "clr's entry count should not change when trying to revoke an already revoked cert"
+        );
+
+        let revoked = match crl.get_by_cert(&already_revoked_cert) {
+            CrlStatus::Revoked(revoked) => revoked,
+            _ => panic!("cert should be revoked"),
+        };
+        assert_eq!(
+            revoked.serial_number().to_bn().unwrap(),
+            already_revoked_cert.serial_number().to_bn().unwrap(),
+            "revoked and cert serial numbers should match"
+        );
+    }
+
+    // ensure revoke does correctly add a new revoked cert to the crl
+    {
+        let cert = include_bytes!("../../test/cert.pem");
+        let cert = X509::from_pem(cert).unwrap();
+
+        let count_before = crl.entry_count();
+        crl.revoke(&cert).unwrap();
+        assert_eq!(
+            count_before + 1,
+            crl.entry_count(),
+            "clr's entry count should have incremented by one after revoking a cert"
+        );
+    }
+}
+
 #[test]
 fn test_crl_entry_extensions() {
     let crl = include_bytes!("../../test/entry_extensions.crl");