Generate first CRL

Pierre HUBERT 2024-06-28 19:29:18 +02:00
parent 32d5707055
commit aa97d28657


@ -11,12 +11,14 @@ use openssl::hash::MessageDigest;
use openssl::nid::Nid; use openssl::nid::Nid;
use openssl::pkey::{PKey, Private}; use openssl::pkey::{PKey, Private};
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier}; use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
use openssl::x509::{ReasonCode, X509Crl, X509NameBuilder, X509}; use openssl::x509::{X509Crl, X509NameBuilder, X509};
use openssl_sys::{X509_CRL_free, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate, X509_CRL_set_issuer_name, X509_CRL_set_version}; use openssl_sys::{
X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
};
use crate::app_config::AppConfig; use crate::app_config::AppConfig;
use crate::crypto::crl_extension::CRLDistributionPointExt; use crate::crypto::crl_extension::CRLDistributionPointExt;
use crate::crypto::openssl_utils::clone_asn1_time;
#[derive(thiserror::Error, Debug)] #[derive(thiserror::Error, Debug)]
pub enum PKIError { pub enum PKIError {
@ -230,7 +232,7 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
fn refresh_crl(d: &CertData) -> anyhow::Result<()> { fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?; let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
let old_list = if crl_path.exists() { let old_crl = if crl_path.exists() {
let crl = load_crl_from_file(crl_path)?; let crl = load_crl_from_file(crl_path)?;
// Check if revocation is un-needed // Check if revocation is un-needed
@ -239,20 +241,7 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
return Ok(()); return Ok(());
} }
match crl.get_revoked() { Some(crl)
Some(l) => Some(
l.iter()
.map(|r| {
Ok((
r.serial_number().to_owned()?,
clone_asn1_time(r.revocation_date())?,
r.extension::<ReasonCode>()?,
))
})
.collect::<anyhow::Result<Vec<_>>>()?,
),
None => None,
}
} else { } else {
None None
}; };
@ -284,7 +273,24 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into()); return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
} }
X509_CRL_free(crl); // Add old entries
if let Some(old_crl) = old_crl {
if let Some(entries) = old_crl.get_revoked() {
for entry in entries {
if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
}
}
}
}
let md = MessageDigest::sha256();
if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
return Err(PKIError::GenCRLError("X509_CRL_sign").into());
}
let crl = X509Crl::from_ptr(crl);
std::fs::write(crl_path, crl.to_pem()?)?;
} }
Ok(()) Ok(())
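Review bot: `X509_REVOKED_dup(entry.as_ptr())` on the `X509_CRL_add0_revoked` line is passed into the CRL without a null check, and when add0 returns 0 the duplicate is leaked, because add0 only takes ownership of the entry on success; split the call, reject a null copy, and free the copy on the failure branch. The new error returns after `X509_CRL_add0_revoked` and `X509_CRL_sign` also leave the raw `crl` unfreed now that `X509_CRL_free(crl)` is gone and only the success path reaches `X509Crl::from_ptr`; wrapping the pointer in `X509Crl::from_ptr` right after it is allocated (outside this hunk) would let Drop cover every path. Since every entry of the previous list is carried forward unconditionally, it is worth confirming that `load_crl_from_file` verifies the old CRL against the issuing CA before its entries are trusted, and that a crlNumber extension is set somewhere not shown here so relying parties can order successive lists. refresh_crl continues past the end of the hunk.

```rust
for entry in entries {
    let dup = X509_REVOKED_dup(entry.as_ptr());
    if dup.is_null() {
        return Err(PKIError::GenCRLError("X509_REVOKED_dup").into());
    }
    if X509_CRL_add0_revoked(crl, dup) == 0 {
        // add0 only takes ownership on success; release our copy ourselves
        openssl_sys::X509_REVOKED_free(dup);
        return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
    }
}
// … unchanged: X509_CRL_sign, X509Crl::from_ptr, write to crl_path …
```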