+static int get_certificate_status(const char *serial, CA_DB *db)
+ {
+ char *row[DB_NUMBER],**rrow;
+ int ok=-1,i;
+
+ /* Free Resources */
+ for (i=0; i<DB_NUMBER; i++)
+ row[i]=NULL;
+
+ /* Malloc needed char spaces */
+ row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2);
+ if (row[DB_serial] == NULL)
+ {
+ BIO_printf(bio_err,"Malloc failure\n");
+ goto err;
+ }
+
+ if (strlen(serial) % 2)
+ {
+ /* Set the first char to 0 */;
+ row[DB_serial][0]='0';
+
+ /* Copy String from serial to row[DB_serial] */
+ memcpy(row[DB_serial]+1, serial, strlen(serial));
+ row[DB_serial][strlen(serial)+1]='\0';
+ }
+ else
+ {
+ /* Copy String from serial to row[DB_serial] */
+ memcpy(row[DB_serial], serial, strlen(serial));
+ row[DB_serial][strlen(serial)]='\0';
+ }
+
+ /* Make it Upper Case */
+ for (i=0; row[DB_serial][i] != '\0'; i++)
+ row[DB_serial][i] = toupper(row[DB_serial][i]);
+
+
+ ok=1;
+
+ /* Search for the certificate */
+ rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
+ if (rrow == NULL)
+ {
+ BIO_printf(bio_err,"Serial %s not present in db.\n",
+ row[DB_serial]);
+ ok=-1;
+ goto err;
+ }
+ else if (rrow[DB_type][0]=='V')
+ {
+ BIO_printf(bio_err,"%s=Valid (%c)\n",
+ row[DB_serial], rrow[DB_type][0]);
+ goto err;
+ }
+ else if (rrow[DB_type][0]=='R')
+ {
+ BIO_printf(bio_err,"%s=Revoked (%c)\n",
+ row[DB_serial], rrow[DB_type][0]);
+ goto err;
+ }
+ else if (rrow[DB_type][0]=='E')
+ {
+ BIO_printf(bio_err,"%s=Expired (%c)\n",
+ row[DB_serial], rrow[DB_type][0]);
+ goto err;
+ }
+ else if (rrow[DB_type][0]=='S')
+ {
+ BIO_printf(bio_err,"%s=Suspended (%c)\n",
+ row[DB_serial], rrow[DB_type][0]);
+ goto err;
+ }
+ else
+ {
+ BIO_printf(bio_err,"%s=Unknown (%c).\n",
+ row[DB_serial], rrow[DB_type][0]);
+ ok=-1;
+ }
+err:
+ for (i=0; i<DB_NUMBER; i++)
+ {
+ if (row[i] != NULL)
+ OPENSSL_free(row[i]);
+ }
+ return(ok);
+ }
+
+static int do_updatedb (CA_DB *db)
+ {
+ ASN1_UTCTIME *a_tm = NULL;
+ int i, cnt = 0;
+ int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
+ char **rrow, *a_tm_s;
+
+ a_tm = ASN1_UTCTIME_new();
+
+ /* get actual time and make a string */
+ a_tm = X509_gmtime_adj(a_tm, 0);
+ a_tm_s = (char *) OPENSSL_malloc(a_tm->length+1);
+ if (a_tm_s == NULL)
+ {
+ cnt = -1;
+ goto err;
+ }
+
+ memcpy(a_tm_s, a_tm->data, a_tm->length);
+ a_tm_s[a_tm->length] = '\0';
+
+ if (strncmp(a_tm_s, "49", 2) <= 0)
+ a_y2k = 1;
+ else
+ a_y2k = 0;
+
+ for (i = 0; i < sk_num(db->db->data); i++)
+ {
+ rrow = (char **) sk_value(db->db->data, i);
+
+ if (rrow[DB_type][0] == 'V')
+ {
+ /* ignore entries that are not valid */
+ if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
+ db_y2k = 1;
+ else
+ db_y2k = 0;
+
+ if (db_y2k == a_y2k)
+ {
+ /* all on the same y2k side */
+ if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0)
+ {
+ rrow[DB_type][0] = 'E';
+ rrow[DB_type][1] = '\0';
+ cnt++;
+
+ BIO_printf(bio_err, "%s=Expired\n",
+ rrow[DB_serial]);
+ }
+ }
+ else if (db_y2k < a_y2k)
+ {
+ rrow[DB_type][0] = 'E';
+ rrow[DB_type][1] = '\0';
+ cnt++;
+
+ BIO_printf(bio_err, "%s=Expired\n",
+ rrow[DB_serial]);
+ }
+
+ }
+ }
+
+err:
+
+ ASN1_UTCTIME_free(a_tm);
+ OPENSSL_free(a_tm_s);
+
+ return (cnt);
+ }
+
+static const char *crl_reasons[] = {
+ /* CRL reason strings */
+ "unspecified",
+ "keyCompromise",
+ "CACompromise",
+ "affiliationChanged",
+ "superseded",
+ "cessationOfOperation",
+ "certificateHold",
+ "removeFromCRL",
+ /* Additional pseudo reasons */
+ "holdInstruction",
+ "keyTime",
+ "CAkeyTime"
+};
+
+#define NUM_REASONS (sizeof(crl_reasons) / sizeof(char *))
+
+/* Given revocation information convert to a DB string.
+ * The format of the string is:
+ * revtime[,reason,extra]. Where 'revtime' is the
+ * revocation time (the current time). 'reason' is the
+ * optional CRL reason and 'extra' is any additional
+ * argument
+ */
+
+char *make_revocation_str(int rev_type, char *rev_arg)
+ {
+ char *other = NULL, *str;
+ const char *reason = NULL;
+ ASN1_OBJECT *otmp;
+ ASN1_UTCTIME *revtm = NULL;
+ int i;
+ switch (rev_type)
+ {
+ case REV_NONE:
+ break;
+
+ case REV_CRL_REASON:
+ for (i = 0; i < 8; i++)
+ {
+ if (!strcasecmp(rev_arg, crl_reasons[i]))
+ {
+ reason = crl_reasons[i];
+ break;
+ }
+ }
+ if (reason == NULL)
+ {
+ BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg);
+ return NULL;
+ }
+ break;
+
+ case REV_HOLD:
+ /* Argument is an OID */
+
+ otmp = OBJ_txt2obj(rev_arg, 0);
+ ASN1_OBJECT_free(otmp);
+
+ if (otmp == NULL)
+ {
+ BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg);
+ return NULL;
+ }
+
+ reason = "holdInstruction";
+ other = rev_arg;
+ break;
+
+ case REV_KEY_COMPROMISE:
+ case REV_CA_COMPROMISE:
+
+ /* Argument is the key compromise time */
+ if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg))
+ {
+ BIO_printf(bio_err, "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", rev_arg);
+ return NULL;
+ }
+ other = rev_arg;
+ if (rev_type == REV_KEY_COMPROMISE)
+ reason = "keyTime";
+ else
+ reason = "CAkeyTime";
+
+ break;
+
+ }
+
+ revtm = X509_gmtime_adj(NULL, 0);
+
+ i = revtm->length + 1;
+
+ if (reason) i += strlen(reason) + 1;
+ if (other) i += strlen(other) + 1;
+
+ str = OPENSSL_malloc(i);
+
+ if (!str) return NULL;
+
+ BUF_strlcpy(str, (char *)revtm->data, i);
+ if (reason)
+ {
+ BUF_strlcat(str, ",", i);
+ BUF_strlcat(str, reason, i);
+ }
+ if (other)
+ {
+ BUF_strlcat(str, ",", i);
+ BUF_strlcat(str, other, i);
+ }
+ ASN1_UTCTIME_free(revtm);
+ return str;
+ }
+
+/* Convert revocation field to X509_REVOKED entry
+ * return code:
+ * 0 error
+ * 1 OK
+ * 2 OK and some extensions added (i.e. V2 CRL)
+ */
+
+
+int make_revoked(X509_REVOKED *rev, const char *str)
+ {
+ char *tmp = NULL;
+ int reason_code = -1;
+ int i, ret = 0;
+ ASN1_OBJECT *hold = NULL;
+ ASN1_GENERALIZEDTIME *comp_time = NULL;
+ ASN1_ENUMERATED *rtmp = NULL;
+
+ ASN1_TIME *revDate = NULL;
+
+ i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str);
+
+ if (i == 0)
+ goto err;
+
+ if (rev && !X509_REVOKED_set_revocationDate(rev, revDate))
+ goto err;
+
+ if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS))
+ {
+ rtmp = ASN1_ENUMERATED_new();
+ if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code))
+ goto err;
+ if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0))
+ goto err;
+ }
+
+ if (rev && comp_time)
+ {
+ if (!X509_REVOKED_add1_ext_i2d(rev, NID_invalidity_date, comp_time, 0, 0))
+ goto err;
+ }
+ if (rev && hold)
+ {
+ if (!X509_REVOKED_add1_ext_i2d(rev, NID_hold_instruction_code, hold, 0, 0))
+ goto err;
+ }
+
+ if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)
+ ret = 2;
+ else ret = 1;
+
+ err:
+
+ if (tmp) OPENSSL_free(tmp);
+ ASN1_OBJECT_free(hold);
+ ASN1_GENERALIZEDTIME_free(comp_time);
+ ASN1_ENUMERATED_free(rtmp);
+ ASN1_TIME_free(revDate);
+
+ return ret;
+ }
+
+int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
+ {
+ char buf[25],*pbuf, *p;
+ int j;
+ j=i2a_ASN1_OBJECT(bp,obj);
+ pbuf=buf;
+ for (j=22-j; j>0; j--)
+ *(pbuf++)=' ';
+ *(pbuf++)=':';
+ *(pbuf++)='\0';
+ BIO_puts(bp,buf);
+
+ if (str->type == V_ASN1_PRINTABLESTRING)
+ BIO_printf(bp,"PRINTABLE:'");
+ else if (str->type == V_ASN1_T61STRING)
+ BIO_printf(bp,"T61STRING:'");
+ else if (str->type == V_ASN1_IA5STRING)
+ BIO_printf(bp,"IA5STRING:'");
+ else if (str->type == V_ASN1_UNIVERSALSTRING)
+ BIO_printf(bp,"UNIVERSALSTRING:'");
+ else
+ BIO_printf(bp,"ASN.1 %2d:'",str->type);
+
+ p=(char *)str->data;
+ for (j=str->length; j>0; j--)
+ {
+ if ((*p >= ' ') && (*p <= '~'))
+ BIO_printf(bp,"%c",*p);
+ else if (*p & 0x80)
+ BIO_printf(bp,"\\0x%02X",*p);
+ else if ((unsigned char)*p == 0xf7)
+ BIO_printf(bp,"^?");
+ else BIO_printf(bp,"^%c",*p+'@');
+ p++;
+ }
+ BIO_printf(bp,"'\n");
+ return 1;
+ }
+
+int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, const char *str)
+ {
+ char *tmp = NULL;
+ char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p;
+ int reason_code = -1;
+ int ret = 0;
+ unsigned int i;
+ ASN1_OBJECT *hold = NULL;
+ ASN1_GENERALIZEDTIME *comp_time = NULL;
+ tmp = BUF_strdup(str);
+
+ p = strchr(tmp, ',');
+
+ rtime_str = tmp;
+
+ if (p)
+ {
+ *p = '\0';
+ p++;
+ reason_str = p;
+ p = strchr(p, ',');
+ if (p)
+ {
+ *p = '\0';
+ arg_str = p + 1;
+ }
+ }
+
+ if (prevtm)
+ {
+ *prevtm = ASN1_UTCTIME_new();
+ if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str))
+ {
+ BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str);
+ goto err;
+ }
+ }
+ if (reason_str)
+ {
+ for (i = 0; i < NUM_REASONS; i++)
+ {
+ if(!strcasecmp(reason_str, crl_reasons[i]))
+ {
+ reason_code = i;
+ break;
+ }
+ }
+ if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS)
+ {
+ BIO_printf(bio_err, "invalid reason code %s\n", reason_str);
+ goto err;
+ }
+
+ if (reason_code == 7)
+ reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL;
+ else if (reason_code == 8) /* Hold instruction */
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing hold instruction\n");
+ goto err;
+ }
+ reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD;
+ hold = OBJ_txt2obj(arg_str, 0);
+
+ if (!hold)
+ {
+ BIO_printf(bio_err, "invalid object identifier %s\n", arg_str);
+ goto err;
+ }
+ if (phold) *phold = hold;
+ }
+ else if ((reason_code == 9) || (reason_code == 10))
+ {
+ if (!arg_str)
+ {
+ BIO_printf(bio_err, "missing compromised time\n");
+ goto err;
+ }
+ comp_time = ASN1_GENERALIZEDTIME_new();
+ if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str))
+ {
+ BIO_printf(bio_err, "invalid compromised time %s\n", arg_str);
+ goto err;
+ }
+ if (reason_code == 9)
+ reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
+ else
+ reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE;
+ }
+ }
+
+ if (preason) *preason = reason_code;
+ if (pinvtm) *pinvtm = comp_time;
+ else ASN1_GENERALIZEDTIME_free(comp_time);
+
+ ret = 1;
+
+ err:
+
+ if (tmp) OPENSSL_free(tmp);
+ if (!phold) ASN1_OBJECT_free(hold);
+ if (!pinvtm) ASN1_GENERALIZEDTIME_free(comp_time);
+
+ return ret;
+ }