Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend X509Crl functionality #2174

Open
wants to merge 26 commits into
base: master
Choose a base branch
from
Open

Extend X509Crl functionality #2174

wants to merge 26 commits into from

Conversation

gweisert
Copy link

@gweisert gweisert commented Feb 17, 2024
edited
Loading

  • added two more constructors for Asn1Time
  • added X509Revoked constructor which handles allocation and initial data (takes the cert to be revoked as argument)
  • extended X509Clr
    • added constructor to create a new crl for a given cert
    • added support for the crl_number extension
    • added function to sign the crl with a given key
    • added function to retrieve entry_count of the crl
    • added function to revoke a given certificate
    • added functions to set both last_updated and next_update times
usage example 
use openssl::bn::BigNum;

pub fn main() {
    let crl = include_bytes!("../tests/assets2/ca_ca1.crl");
    let mut crl = openssl::x509::X509Crl::from_pem(crl).unwrap();

    let key = include_bytes!("../tests/assets2/ca_ca1.key");
    let key = openssl::pkey::PKey::private_key_from_pem(key).unwrap();

    let to_revoke = include_bytes!("../tests/assets2/ca1_cert2.cert");
    let to_revoke = openssl::x509::X509::from_pem(to_revoke).unwrap();

    crl.verify(&key).unwrap();
    crl.revoke(&to_revoke).unwrap();
    crl.increment_crl_number().unwrap();
    crl.sign(&key, openssl::hash::MessageDigest::sha256())
        .unwrap();
    crl.verify(&key).unwrap();

    let to_write = crl.to_pem().unwrap();
    std::fs::write("updated_crl.crl", to_write).unwrap();
}

@gweisert gweisert force-pushed the implement_crl_revoke branch 2 times, most recently from 0ed91d2 to 923783c Compare February 17, 2024 10:00
elwerene
elwerene approved these changes Feb 27, 2024
View reviewed changes
openssl/src/asn1.rs Show resolved Hide resolved
botovq
botovq reviewed Feb 29, 2024
View reviewed changes
openssl/src/x509/mod.rs Outdated Show resolved Hide resolved
gweisert and others added 5 commits March 2, 2024 10:56
@gweisert
Merge branch 'sfackler:master' into implement_crl_revoke
3ccd389
add binding for X509_CRL_get_version
41fd2a4
add method to retrieve a CRL's version
a86bf40
rework X509Crl::new
fc468e5 
add optional config paramter; fix erroneous CRL version; add
AuthorityKetIdenfier extension when building CRLv2; set_crl_number is
now private; increment_crl_number is the new public interface, returning
the new crl value, or None if self is a CRLv1; update tests using
X509Crl::new
add conditional compilation directives
a53177e
botovq
botovq reviewed Mar 3, 2024
View reviewed changes
Copy link
Contributor

@botovq botovq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Yes, this is OpenSSL 1.1 API. All this should be available since 2.8.1.

I have only looked at the cfg parts.

openssl-sys/src/handwritten/x509.rs Outdated Show resolved Hide resolved
openssl/src/x509/mod.rs Outdated Show resolved Hide resolved
openssl/src/x509/mod.rs Outdated Show resolved Hide resolved
openssl/src/x509/mod.rs Outdated Show resolved Hide resolved
mhartmay
mhartmay reviewed Mar 22, 2024
View reviewed changes
openssl/src/x509/mod.rs Outdated Show resolved Hide resolved
mhartmay
mhartmay reviewed Mar 30, 2024
View reviewed changes
openssl/src/x509/mod.rs
Comment on lines +2074 to +2075
pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> {
match self.get_by_cert(to_revoke) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When my PR #2207 is merged, you can change this &X509 to &X509Ref as well.

Suggested change
pub fn revoke(&mut self, to_revoke: &X509) -> Result<(), ErrorStack> {
match self.get_by_cert(to_revoke) {
pub fn revoke(&mut self, to_revoke: &X509Ref) -> Result<(), ErrorStack> {
match self.get_by_cert(to_revoke) {

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, I will update it once it is merged.

@gweisert
Copy link
Author

@botovq do you see any further issues with this PR? (since you haven't approved it yet 😅)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhartmay mhartmay mhartmay left review comments

@botovq botovq botovq left review comments

@elwerene elwerene elwerene approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gweisert @elwerene @botovq @mhartmay