diff --git a/central_backend/src/crypto/pki.rs b/central_backend/src/crypto/pki.rs
index c141f7e..9612560 100644
--- a/central_backend/src/crypto/pki.rs
+++ b/central_backend/src/crypto/pki.rs
@@ -11,12 +11,14 @@ use openssl::hash::MessageDigest;
 use openssl::nid::Nid;
 use openssl::pkey::{PKey, Private};
 use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
-use openssl::x509::{ReasonCode, X509Crl, X509NameBuilder, X509};
-use openssl_sys::{X509_CRL_free, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate, X509_CRL_set_issuer_name, X509_CRL_set_version};
+use openssl::x509::{X509Crl, X509NameBuilder, X509};
+use openssl_sys::{
+    X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
+    X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
+};
 
 use crate::app_config::AppConfig;
 use crate::crypto::crl_extension::CRLDistributionPointExt;
-use crate::crypto::openssl_utils::clone_asn1_time;
 
 #[derive(thiserror::Error, Debug)]
 pub enum PKIError {
@@ -230,7 +232,7 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
 fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
     let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
 
-    let old_list = if crl_path.exists() {
+    let old_crl = if crl_path.exists() {
         let crl = load_crl_from_file(crl_path)?;
 
         // Check if revocation is un-needed
@@ -239,20 +241,7 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
             return Ok(());
         }
 
-        match crl.get_revoked() {
-            Some(l) => Some(
-                l.iter()
-                    .map(|r| {
-                        Ok((
-                            r.serial_number().to_owned()?,
-                            clone_asn1_time(r.revocation_date())?,
-                            r.extension::()?,
-                        ))
-                    })
-                    .collect::>>()?,
-            ),
-            None => None,
-        }
+        Some(crl)
     } else {
         None
     };
@@ -284,7 +273,24 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
             return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
         }
 
-        X509_CRL_free(crl);
+        // Add old entries
+        if let Some(old_crl) = old_crl {
+            if let Some(entries) = old_crl.get_revoked() {
+                for entry in entries {
+                    if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
+                        return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
+                    }
+                }
+            }
+        }
+
+        let md = MessageDigest::sha256();
+        if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
+            return Err(PKIError::GenCRLError("X509_CRL_sign").into());
+        }
+
+        let crl = X509Crl::from_ptr(crl);
+        std::fs::write(crl_path, crl.to_pem()?)?;
     }
 
     Ok(())
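Review bot: The new early returns on `X509_CRL_add0_revoked` and `X509_CRL_sign` leak the raw `crl` pointer, because the removed `X509_CRL_free(crl)` was its only release and `X509Crl::from_ptr(crl)` only takes ownership on the success path at the bottom of the hunk (the enclosing block and `refresh_crl` itself begin outside the hunk, where `crl` is presumably allocated). Moving the `X509Crl::from_ptr` wrap ahead of the entry-copy loop lets `Drop` free it on every path, and the loop should also check `X509_REVOKED_dup` for null before handing the result to `X509_CRL_add0_revoked`, freeing the duplicate with `X509_REVOKED_free` when add0 fails since add0 only takes ownership on success. Separately, `std::fs::write(crl_path, …)` replaces the live CRL in place, so a crash mid-write leaves a truncated file that the next `load_crl_from_file` at the top of the function will reject; writing to a sibling temp path and renaming over `crl_path` would keep the previous list intact. `X509_REVOKED_free` would need adding to the `openssl_sys` import list.
```rust
// … unchanged: lastUpdate / nextUpdate setup …
// Take ownership now so every error path below releases the CRL via Drop.
let crl = X509Crl::from_ptr(crl);

// Add old entries
if let Some(old_crl) = old_crl {
    if let Some(entries) = old_crl.get_revoked() {
        for entry in entries {
            let dup = X509_REVOKED_dup(entry.as_ptr());
            if dup.is_null() {
                return Err(PKIError::GenCRLError("X509_REVOKED_dup").into());
            }
            if X509_CRL_add0_revoked(crl.as_ptr(), dup) == 0 {
                // add0 only takes ownership on success; the duplicate is still ours here.
                X509_REVOKED_free(dup);
                return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
            }
        }
    }
}

let md = MessageDigest::sha256();
if X509_CRL_sign(crl.as_ptr(), d.key.as_ptr(), md.as_ptr()) == 0 {
    return Err(PKIError::GenCRLError("X509_CRL_sign").into());
}

std::fs::write(crl_path, crl.to_pem()?)?;
```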