Generate first CRL

central_backend/src/crypto/pki.rs

@@ -11,12 +11,14 @@ use openssl::hash::MessageDigest;
 use openssl::nid::Nid;
 use openssl::pkey::{PKey, Private};
 use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
-use openssl::x509::{ReasonCode, X509Crl, X509NameBuilder, X509};
-use openssl_sys::{X509_CRL_free, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate, X509_CRL_set_issuer_name, X509_CRL_set_version};
+use openssl::x509::{X509Crl, X509NameBuilder, X509};
+use openssl_sys::{
+    X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
+    X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
+};
 
 use crate::app_config::AppConfig;
 use crate::crypto::crl_extension::CRLDistributionPointExt;
-use crate::crypto::openssl_utils::clone_asn1_time;
 
 #[derive(thiserror::Error, Debug)]
 pub enum PKIError {
@@ -230,7 +232,7 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
 fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
     let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
 
-    let old_list = if crl_path.exists() {
+    let old_crl = if crl_path.exists() {
         let crl = load_crl_from_file(crl_path)?;
 
         // Check if revocation is un-needed
@@ -239,20 +241,7 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
             return Ok(());
         }
 
-        match crl.get_revoked() {
-            Some(l) => Some(
-                l.iter()
-                    .map(|r| {
-                        Ok((
-                            r.serial_number().to_owned()?,
-                            clone_asn1_time(r.revocation_date())?,
-                            r.extension::<ReasonCode>()?,
-                        ))
-                    })
-                    .collect::<anyhow::Result<Vec<_>>>()?,
-            ),
-            None => None,
-        }
+        Some(crl)
     } else {
         None
     };
@@ -284,7 +273,24 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
             return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
         }
 
-        X509_CRL_free(crl);
+        // Add old entries
+        if let Some(old_crl) = old_crl {
+            if let Some(entries) = old_crl.get_revoked() {
+                for entry in entries {
+                    if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
+                        return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
+                    }
+                }
+            }
+        }
+
+        let md = MessageDigest::sha256();
+        if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
+            return Err(PKIError::GenCRLError("X509_CRL_sign").into());
+        }
+
+        let crl = X509Crl::from_ptr(crl);
+        std::fs::write(crl_path, crl.to_pem()?)?;
     }
 
     Ok(())