Generate first CRL
This commit is contained in:
parent
32d5707055
commit
aa97d28657
@ -11,12 +11,14 @@ use openssl::hash::MessageDigest;
|
|||||||
use openssl::nid::Nid;
|
use openssl::nid::Nid;
|
||||||
use openssl::pkey::{PKey, Private};
|
use openssl::pkey::{PKey, Private};
|
||||||
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
use openssl::x509::extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier};
|
||||||
use openssl::x509::{ReasonCode, X509Crl, X509NameBuilder, X509};
|
use openssl::x509::{X509Crl, X509NameBuilder, X509};
|
||||||
use openssl_sys::{X509_CRL_free, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate, X509_CRL_set_issuer_name, X509_CRL_set_version};
|
use openssl_sys::{
|
||||||
|
X509_CRL_add0_revoked, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate,
|
||||||
|
X509_CRL_set_issuer_name, X509_CRL_set_version, X509_CRL_sign, X509_REVOKED_dup,
|
||||||
|
};
|
||||||
|
|
||||||
use crate::app_config::AppConfig;
|
use crate::app_config::AppConfig;
|
||||||
use crate::crypto::crl_extension::CRLDistributionPointExt;
|
use crate::crypto::crl_extension::CRLDistributionPointExt;
|
||||||
use crate::crypto::openssl_utils::clone_asn1_time;
|
|
||||||
|
|
||||||
#[derive(thiserror::Error, Debug)]
|
#[derive(thiserror::Error, Debug)]
|
||||||
pub enum PKIError {
|
pub enum PKIError {
|
||||||
@ -230,7 +232,7 @@ pub fn initialize_devices_ca() -> anyhow::Result<()> {
|
|||||||
fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
|
fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
|
||||||
let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
|
let crl_path = d.crl.as_ref().ok_or(PKIError::MissingCRL)?;
|
||||||
|
|
||||||
let old_list = if crl_path.exists() {
|
let old_crl = if crl_path.exists() {
|
||||||
let crl = load_crl_from_file(crl_path)?;
|
let crl = load_crl_from_file(crl_path)?;
|
||||||
|
|
||||||
// Check if revocation is un-needed
|
// Check if revocation is un-needed
|
||||||
@ -239,20 +241,7 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
|
|||||||
return Ok(());
|
return Ok(());
|
||||||
}
|
}
|
||||||
|
|
||||||
match crl.get_revoked() {
|
Some(crl)
|
||||||
Some(l) => Some(
|
|
||||||
l.iter()
|
|
||||||
.map(|r| {
|
|
||||||
Ok((
|
|
||||||
r.serial_number().to_owned()?,
|
|
||||||
clone_asn1_time(r.revocation_date())?,
|
|
||||||
r.extension::<ReasonCode>()?,
|
|
||||||
))
|
|
||||||
})
|
|
||||||
.collect::<anyhow::Result<Vec<_>>>()?,
|
|
||||||
),
|
|
||||||
None => None,
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
None
|
None
|
||||||
};
|
};
|
||||||
@ -284,7 +273,24 @@ fn refresh_crl(d: &CertData) -> anyhow::Result<()> {
|
|||||||
return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
|
return Err(PKIError::GenCRLError("X509_CRL_set1_nextUpdate").into());
|
||||||
}
|
}
|
||||||
|
|
||||||
X509_CRL_free(crl);
|
// Add old entries
|
||||||
|
if let Some(old_crl) = old_crl {
|
||||||
|
if let Some(entries) = old_crl.get_revoked() {
|
||||||
|
for entry in entries {
|
||||||
|
if X509_CRL_add0_revoked(crl, X509_REVOKED_dup(entry.as_ptr())) == 0 {
|
||||||
|
return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let md = MessageDigest::sha256();
|
||||||
|
if X509_CRL_sign(crl, d.key.as_ptr(), md.as_ptr()) == 0 {
|
||||||
|
return Err(PKIError::GenCRLError("X509_CRL_sign").into());
|
||||||
|
}
|
||||||
|
|
||||||
|
let crl = X509Crl::from_ptr(crl);
|
||||||
|
std::fs::write(crl_path, crl.to_pem()?)?;
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
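Review bot: `X509_REVOKED_dup(entry.as_ptr())` in the new loop is handed straight to `X509_CRL_add0_revoked` with no NULL check, so an allocation failure would push a NULL entry into the revoked stack, and on the add0 failure path the duplicate is leaked because add0 only takes ownership on success; the CRL itself is also leaked on every `return Err` before `X509Crl::from_ptr(crl)` now that the old `X509_CRL_free(crl)` is gone. I would wrap the raw pointer in `X509Crl::from_ptr` right after the CRL is created (earlier in `refresh_crl`, which starts outside this hunk) so Drop frees it on every path, and check the dup result as below (`X509_REVOKED_free` is available from `openssl_sys`). Separately, the entries of the on-disk CRL are re-signed without any visible check that the old CRL's signature verifies against the issuing certificate — unless `load_crl_from_file` does that, anyone who can replace `crl_path` with an older or emptier CRL gets their version laundered into a fresh CA signature on the next refresh. `std::fs::write(crl_path, …)` is also non-atomic; writing to a temp file in the same directory and renaming it into place avoids serving a truncated CRL after a crash mid-write.
```rust
// … unchanged: lastUpdate/nextUpdate setup …
if let Some(old_crl) = old_crl {
    if let Some(entries) = old_crl.get_revoked() {
        for entry in entries {
            let dup = X509_REVOKED_dup(entry.as_ptr());
            if dup.is_null() {
                return Err(PKIError::GenCRLError("X509_REVOKED_dup").into());
            }
            // add0 takes ownership only on success; free the copy ourselves otherwise
            if X509_CRL_add0_revoked(crl, dup) == 0 {
                X509_REVOKED_free(dup);
                return Err(PKIError::GenCRLError("X509_CRL_add0_revoked").into());
            }
        }
    }
}
// … unchanged: X509_CRL_sign, from_ptr, write …
```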
|