Implement CRL numbers.

Contributed in whole by Laurent Genier <Laurent.Genier@intrinsec.com>
PR: 644

diff --git a/apps/ca.c b/apps/ca.c
index 618d88b2d0e76bba4497cb0b76e2783bce6e700e..2c7e91aabb3c6ea860b85f82bc71c4b3e9cd3015 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -122,6 +122,7 @@
 #define ENV_NEW_CERTS_DIR      "new_certs_dir"
 #define ENV_CERTIFICATE        "certificate"
 #define ENV_SERIAL             "serial"
+#define ENV_CRLNUMBER          "crlnumber"
 #define ENV_CRL                        "crl"
 #define ENV_PRIVATE_KEY                "private_key"
 #define ENV_RANDFILE           "RANDFILE"
@@ -277,6 +278,7 @@ int MAIN(int argc, char **argv)
        char *outfile=NULL;
        char *outdir=NULL;
        char *serialfile=NULL;
+       char *crlnumberfile=NULL;
        char *extensions=NULL;
        char *extfile=NULL;
        char *subj=NULL;
@@ -285,6 +287,7 @@ int MAIN(int argc, char **argv)
        int rev_type = REV_NONE;
        char *rev_arg = NULL;
        BIGNUM *serial=NULL;
+       BIGNUM *crlnumber=NULL;
        char *startdate=NULL;
        char *enddate=NULL;
        long days=0;
@@ -1337,6 +1340,14 @@ bad:
                                }
                        }
 
+               if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
+                       != NULL)
+                       if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
+                               {
+                               BIO_printf(bio_err,"error while loading CRL number\n");
+                               goto err;
+                               }
+
                if (!crldays && !crlhours)
                        {
                        if (!NCONF_get_number(conf,section,
@@ -1418,14 +1429,24 @@ bad:
 
                /* Add any extensions asked for */
 
-               if (crl_ext)
+               if (crl_ext || crlnumberfile != NULL)
                        {
                        X509V3_CTX crlctx;
                        X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
                        X509V3_set_nconf(&crlctx, conf);
 
-                       if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
-                               crl_ext, crl)) goto err;
+                       if (crl_ext)
+                               if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
+                                       crl_ext, crl)) goto err;
+                       if (crlnumberfile != NULL)
+                               {
+                               tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
+                               if (!tmpser) goto err;
+                               X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
+                               ASN1_INTEGER_free(tmpser);
+                               crl_v2 = 1;
+                               if (!BN_add_word(crlnumber,1)) goto err;
+                               }
                        }
                if (crl_ext || crl_v2)
                        {
@@ -1433,9 +1454,17 @@ bad:
                                goto err; /* version 2 CRL */
                        }
 
+               
+               if (crlnumberfile != NULL)      /* we have a CRL number that need updating */
+                       if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
+
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
                PEM_write_bio_X509_CRL(Sout,crl);
+
+               if (crlnumberfile != NULL)      /* Rename the crlnumber file */
+                       if (!rotate_serial(crlnumberfile,"new","old")) goto err;
+
                }
        /*****************************************************************/
        if (dorevoke)
@@ -3086,4 +3115,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G
 
        return ret;
        }
-

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 2696044cf1d9bf0d028f5d6fd79e7e6c28544abe..8941f454f8a577d088f5628772498a75e2f21e54 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -44,6 +44,8 @@ new_certs_dir = $dir/newcerts         # default place for new certs.
 
 certificate    = $dir/cacert.pem       # The CA certificate
 serial         = $dir/serial           # The current serial number
+crlnumber      = $dir/crlnumber        # the current crl number
+                                       # must be commented out to leave a V1 CRL
 crl            = $dir/crl.pem          # The current CRL
 private_key    = $dir/private/cakey.pem# The private key
 RANDFILE       = $dir/private/.rand    # private random number file
@@ -60,6 +62,7 @@ cert_opt      = ca_default            # Certificate field options
 
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext
 
 default_days   = 365                   # how long to certify for