Hi, I am using openssl C API.
I have created openssl certificates so i have .crt and .key file. If I want to append those certificates in existing certificate revocation list then how can we do that ? I have tried with below code. #include <stdio.h> #include <stdlib.h> #include <string.h> #include <assert.h> #include <openssl/pem.h> #include <openssl/conf.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include <openssl/err.h> #include <openssl/rsa.h> #include <openssl/ssl.h> #include <openssl/evp.h> #include <openssl/asn1.h> #define DB_NUMBER 6 #define DB_name 5 #define DB_serial 3 #define DB_rev_date 2 static X509* load_cert(const char* usercert) { /* read usercert from file */ X509* x = NULL; BIO* bio = BIO_new(BIO_s_file()); assert(bio != NULL); assert(BIO_read_filename(bio, usercert) > 0); x = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); BIO_free(bio); assert(x != NULL); return x; } int main() { int i; ASN1_UTCTIME* tm = NULL; char* rev_str = NULL; BIGNUM* bn = NULL; char* row[DB_NUMBER]; for (i = 0; i < DB_NUMBER; i++) row[i] = NULL; X509* x = load_cert("../client.crt"); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x), NULL); assert(bn != NULL); if (BN_is_zero(bn)) row[DB_serial] = BUF_strdup("00"); else row[DB_serial] = BN_bn2hex(bn); BN_free(bn); printf("Serial Number is: %s\n", row[DB_serial]); printf("---- Now Updating CRL file with expired client certificates --------\n"); char *crl_file_path = "../root_mod.crl"; FILE *fp_crl_file = NULL; X509_CRL *x_crl = NULL; BIGNUM* serial = NULL; /* Get the CA crl */ fp_crl_file = fopen(crl_file_path, "r"); if (!fp_crl_file) { printf("---- Error while opening CRL file --------\n"); exit(1); } x_crl = PEM_read_X509_CRL(fp_crl_file, NULL, NULL, NULL); if (!x_crl) { printf("---- Error while reading X509 CRL file --------\n"); exit(1); } fclose(fp_crl_file); X509_REVOKED* r = X509_REVOKED_new(); assert(r != NULL); assert(BN_hex2bn(&serial, row[DB_serial]) > 0); ASN1_INTEGER* tmpser = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; assert(tmpser != NULL); i = X509_REVOKED_set_serialNumber(r, tmpser); ASN1_INTEGER_free(tmpser); X509_CRL_add0_revoked(x_crl, r); return 0; } Is is possible to add revoked certificate serial number to CRL file ? OR Do I need to regenerate the CRL file from list of revoked certificate serial numbers ( e.g. index.txt ). Let us know your thoughts. Thanks, Neel
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users