1

我已经创建了 openssl 证书,所以我有 .crt 和 .key 文件。如果我想在现有证书吊销列表中添加这些证书,那么我们该怎么做呢?

我试过下面的代码。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/asn1.h>

#define DB_NUMBER   6
#define DB_name     5
#define DB_serial   3
#define DB_rev_date 2

static X509* load_cert(const char* usercert)
{
    /* read usercert from file */
    X509* x = NULL;
    BIO* bio = BIO_new(BIO_s_file());
    assert(bio != NULL);
    assert(BIO_read_filename(bio, usercert) > 0);
    x = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
    BIO_free(bio);
    assert(x != NULL);

    return x;
}

int main()
{
    int i;
    ASN1_UTCTIME* tm = NULL;
    char* rev_str = NULL;
    BIGNUM* bn = NULL;
    char* row[DB_NUMBER];

    for (i = 0; i < DB_NUMBER; i++)
        row[i] = NULL;

    X509* x = load_cert("../client.crt");

    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
    bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x), NULL);
    assert(bn != NULL);
    if (BN_is_zero(bn))
        row[DB_serial] = BUF_strdup("00");
    else
        row[DB_serial] = BN_bn2hex(bn);

    BN_free(bn);

    //assert(row[DB_name] != NULL);
    //assert(row[DB_serial] != NULL);

    printf("Serial Number is: %s\n", row[DB_serial]);


    printf("---- Now Updating CRL file with expired client certificates --------\n");


    char       *crl_file_path = "../root_mod.crl";
    FILE       *fp_crl_file = NULL;
    X509_CRL *x_crl = NULL;
    BIGNUM* serial = NULL;

    /* Get the CA crl */
    fp_crl_file = fopen(crl_file_path, "r");
    if (!fp_crl_file)
    {
        printf("---- Error while opening CRL file --------\n");
        exit(1);
    }

    x_crl = PEM_read_X509_CRL(fp_crl_file, NULL, NULL, NULL);
    if (!x_crl)
    {
        printf("---- Error while reading X509 CRL file --------\n");
        exit(1);
    }

    fclose(fp_crl_file);

    X509_REVOKED* r = X509_REVOKED_new();
    assert(r != NULL);

    assert(BN_hex2bn(&serial, row[DB_serial]) > 0);

    ASN1_INTEGER* tmpser = BN_to_ASN1_INTEGER(serial, NULL);
    BN_free(serial);
    serial = NULL;
    assert(tmpser != NULL);
    i = X509_REVOKED_set_serialNumber(r, tmpser);

    ASN1_INTEGER_free(tmpser);
    X509_CRL_add0_revoked(x_crl, r);

    return 0;
}

我已经写了上面的代码,我得到了序列号,但没有被添加到“root_mod.crl”文件中的撤销列表中。

你能提出任何建议吗?

4

0 回答 0