diff options
Diffstat (limited to 'src/pki/commands')
| -rw-r--r-- | src/pki/commands/issue.c | 2 | ||||
| -rw-r--r-- | src/pki/commands/print.c | 7 | ||||
| -rw-r--r-- | src/pki/commands/self.c | 2 | ||||
| -rw-r--r-- | src/pki/commands/signcrl.c | 30 |
4 files changed, 26 insertions, 15 deletions
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 6a5686d92..20163edf2 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -67,11 +67,11 @@ static int issue() char *error = NULL, *keyid = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; - int lifetime = 1095; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; + time_t lifetime = 1095; time_t not_before, not_after; x509_flag_t flags = 0; x509_t *x509; diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index ee6f30c98..a7f02bfac 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -79,7 +79,7 @@ static void print_x509(x509_t *x509) x509_cert_policy_t *policy; x509_policy_mapping_t *mapping; - chunk = x509->get_serial(x509); + chunk = chunk_skip_zero(x509->get_serial(x509)); printf("serial: %#B\n", &chunk); first = TRUE; @@ -329,10 +329,12 @@ static void print_crl(crl_t *crl) struct tm tm; x509_cdp_t *cdp; - chunk = crl->get_serial(crl); + chunk = chunk_skip_zero(crl->get_serial(crl)); printf("serial: %#B\n", &chunk); + if (crl->is_delta_crl(crl, &chunk)) { + chunk = chunk_skip_zero(chunk); printf("delta CRL: for serial %#B\n", &chunk); } chunk = crl->get_authKeyIdentifier(crl); @@ -371,6 +373,7 @@ static void print_crl(crl_t *crl) enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { + chunk = chunk_skip_zero(chunk); localtime_r(&ts, &tm); strftime(buf, sizeof(buf), "%F %T", &tm); printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index c7788ff62..c4508a671 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -55,11 +55,11 @@ static int self() char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL; identification_t *id = NULL; linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; - int lifetime = 1095; int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; + time_t lifetime = 1095; time_t not_before, not_after; x509_flag_t flags = 0; x509_cert_policy_t *policy = NULL; diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 9a21bd99c..153734f53 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -120,21 +120,20 @@ static int sign_crl() hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; char *basecrl = NULL; - char serial[512], crl_serial[8], *keyid = NULL; + char serial[512], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); - int lifetime = 15; + time_t lifetime = 15; linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; x509_cdp_t *cdp; - chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty; + chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty; + chunk_t encoding = chunk_empty; list = linked_list_create(); cdps = linked_list_create(); - memset(crl_serial, 0, sizeof(crl_serial)); - while (TRUE) { switch (command_getopt(&arg)) @@ -334,9 +333,8 @@ static int sign_crl() error = "loading base CRL failed"; goto error; } - memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, - min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl)); + crl_serial = baseCrlNumber; DESTROY_IF((certificate_t*)lastcrl); lastcrl = NULL; } @@ -350,22 +348,31 @@ static int sign_crl() error = "loading lastUpdate CRL failed"; goto error; } - memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, - min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + crl_serial = lastcrl->get_serial(lastcrl); lastenum = lastcrl->create_enumerator(lastcrl); } else { + crl_serial = chunk_from_chars(0x00); lastenum = enumerator_create_empty(); } - chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); + /* remove superfluous leading zeros */ + while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 && + (crl_serial.ptr[1] & 0x80) == 0x00) + { + crl_serial = chunk_skip_zero(crl_serial); + } + crl_serial = chunk_clone(crl_serial); + + /* increment the serial number by one */ + chunk_increment(crl_serial); enumerator = enumerator_create_filter(list->create_enumerator(list), (void*)filter, NULL, NULL); crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, - BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), + BUILD_SERIAL, crl_serial, BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, @@ -374,6 +381,7 @@ static int sign_crl() enumerator->destroy(enumerator); lastenum->destroy(lastenum); DESTROY_IF((certificate_t*)lastcrl); + free(crl_serial.ptr); if (!crl) { |