Manuel Mollar wrote:
>
> I have a expired certificate that appears as 'valid' in the index.txt file:
[...]
> The matching entry has the following details
> Type :Valid
> Expires on :990930204854Z
>
> So, what is the solution?
Some time ago I posted a patch. Here is the patch for the SNAP of
19990920.
This patch adds two flags to the ca program:
-updatedb : updates the index.txt making a backup copy of it.
Y2000 compliant.
-status : gives back the status of a certificate.
I think the patch should be included in the openssl package (at least the
updatedb). Will it ???
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
--- ca.c.orig Wed Oct 20 20:23:32 1999
+++ ca.c Wed Oct 20 20:52:24 1999
@@ -61,6 +61,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "apps.h"
@@ -167,6 +168,8 @@
" -revoke file - Revoke a certificate (given in file)\n",
" -extensions .. - Extension section (override value in config file)\n",
" -crlexts .. - CRL extension section (override value in config file)\n",
+" -status serial - Shows certificate' status given the serial number\n",
+" -updatedb - Checks index.txt for expired certificates and mark them\n",
NULL
};
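Review bot: The two new usage strings have wording errors that will be shown to every user of `ca -help`: `certificate' status` should read `certificate's status`, and `Checks index.txt ... and mark them` should read `marks them`. It would also help to say what "mark" means, e.g. `" -updatedb - Checks index.txt for expired certificates and marks them 'E'\n"`, so the side effect on the database is visible from the help text. The usage table starts above this hunk.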
@@ -207,6 +210,8 @@
char *startdate, char *enddate, int days, int batch, int verbose,
X509_REQ *req, char *ext_sect, LHASH *conf);
static int do_revoke(X509 *x509, TXT_DB *db);
+static int get_certificate_status(char *ser_status, TXT_DB *db);
+static int do_updatedb(TXT_DB *db);
static int check_time_format(char *str);
static LHASH *conf=NULL;
static char *key=NULL;
@@ -225,6 +230,7 @@
int verbose=0;
int gencrl=0;
int dorevoke=0;
+ int doupdate=0;
long crldays=0;
long crlhours=0;
long errorline= -1;
@@ -236,6 +242,7 @@
char *infile=NULL;
char *spkac_file=NULL;
char *ss_cert_file=NULL;
+ char *ser_status=NULL;
EVP_PKEY *pkey=NULL;
int output_der = 0;
char *outfile=NULL;
@@ -412,6 +419,15 @@
if (--argc < 1) goto bad;
crl_ext= *(++argv);
}
+ else if (strcmp(*argv,"-status") == 0)
+ {
+ if (--argc < 1) goto bad;
+ ser_status= *(++argv);
+ }
+ else if (strcmp(*argv,"-updatedb") == 0)
+ {
+ doupdate=1;
+ }
else
{
bad:
@@ -693,6 +709,78 @@
}
/*****************************************************************/
+ /* if the certificate status is required we give it */
+ if (ser_status)
+ {
+ if( get_certificate_status(ser_status,db) != 1)
+ BIO_printf(bio_err,"Error verifying serial %s!\n",
+ ser_status);
+ goto err;
+ }
+
+ /*****************************************************************/
+ /* Update the db file for expired certificates */
+ if (doupdate)
+ {
+ i = do_updatedb (db);
+ if ( i == -1)
+ {
+ BIO_printf(bio_err,"Malloc failure\n");
+ goto err;
+ }
+ else if ( i == 0 )
+ {
+ BIO_printf(bio_err,"No entry found to mark expired\n");
+ }
+ else
+ {
+ out = BIO_new (BIO_s_file());
+ if (out == NULL)
+ {
+ ERR_print_errors (bio_err);
+ goto err;
+ }
+
+ strncpy (buf[0],dbfile,BSIZE-4);
+ strcat (buf[0],".new");
+ if (BIO_write_filename(out,buf[0]) <= 0)
+ {
+ perror(dbfile);
+ BIO_printf(bio_err,"unable to open '%s'\n",
+ dbfile);
+ goto err;
+ }
+
+ j=TXT_DB_write(out,db);
+ if (j <= 0)
+ goto err;
+
+ BIO_free(out);
+ out = NULL;
+
+ strncpy (buf[1],dbfile,BSIZE-4);
+ strcat (buf[1],".old");
+
+ if (rename(dbfile,buf[1]) < 0)
+ {
+ BIO_printf(bio_err,"unable to rename %s to %s\n",
+dbfile, buf[1]);
+ perror("reason");
+ goto err;
+ }
+ if (rename(buf[0],dbfile) < 0)
+ {
+ BIO_printf(bio_err,"unable to rename %s to %s\n",
+buf[0],dbfile);
+ perror("reason");
+ rename(buf[1],dbfile);
+ goto err;
+ }
+
+ BIO_printf(bio_err,"%d entry's marked as expired\n", i);
+ }
+ goto err;
+ }
+
+ /*****************************************************************/
if (req || gencrl)
{
if (outfile != NULL)
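Review bot: `strncpy (buf[0],dbfile,BSIZE-4)` does not NUL-terminate `buf[0]` when `dbfile` is BSIZE-4 characters or longer, and the `strcat (buf[0],".new")` that follows then reads and writes past the end of the buffer; the same pattern is repeated for `buf[1]` and `".old"` a few lines below. A length check before the first copy closes both cases: `if (strlen(dbfile) > BSIZE-5) { BIO_printf(bio_err,"database file name too long\n"); goto err; }`. Separately, both the `-status` branch and the `-updatedb` branch leave the function with `goto err` without assigning `ret=0` first; `ret` is declared outside this hunk, and if it starts as a failure value (as the normal path's `ret=0` before `err:` suggests) a successful status query or database update will exit with an error status. The return value of the rollback `rename(buf[1],dbfile)` is also ignored, so a failed rollback is reported as if the original file had been restored. The enclosing function begins and ends outside this hunk.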
@@ -1222,7 +1310,9 @@
BIO_printf(bio_err,"Data Base Updated\n");
}
}
+
/*****************************************************************/
+
ret=0;
err:
BIO_free(hex);
@@ -2238,3 +2328,135 @@
return(ok);
}
+static int get_certificate_status ( char *serial, TXT_DB *db )
+{
+ char *row[DB_NUMBER],**rrow;
+ int ok=-1,i;
+
+ /* Free Resources */
+ for (i=0; i<DB_NUMBER; i++)
+ row[i]=NULL;
+ /* Malloc needed char spaces */
+ row[DB_serial]=( char * ) Malloc ( strlen(serial) +1);
+ if (row[DB_serial] == NULL)
+ {
+ BIO_printf(bio_err,"Malloc failure\n");
+ goto err;
+ }
+
+ /* Copy String from serial to row[DB_serial] */
+ memcpy( row[DB_serial], serial, strlen(serial));
+ row[DB_serial][strlen(serial)]='\0';
+
+ /* Make it Upper Case */
+ for( i=0; row[DB_serial][i] != '\0'; i++ )
+ row[DB_serial][i] = (char) toupper( row[DB_serial][i] );
+
+ ok=1;
+
+ /* Search for the certificate */
+ rrow=TXT_DB_get_by_index(db,DB_serial,row);
+ if (rrow == NULL)
+ {
+ BIO_printf(bio_err,"Serial %s not present in db.\n",
+ row[DB_serial]);
+ ok=-1;
+ goto err;
+ }
+ else if (rrow[DB_type][0]==DB_TYPE_VAL)
+ {
+ BIO_printf(bio_err,"STATUS (%c): Valid\n",
+ rrow[DB_type][0]);
+ goto err;
+ }
+ else if (rrow[DB_type][0]==DB_TYPE_REV)
+ {
+ BIO_printf(bio_err,"STATUS (%c): Revoked on %s\n",
+ rrow[DB_type][0], rrow[DB_rev_date]);
+ goto err;
+ }
+ else if (rrow[DB_type][0]==DB_TYPE_EXP)
+ {
+ BIO_printf(bio_err,"STATUS (%c): Expired on %s\n",
+ rrow[DB_type][0], rrow[DB_exp_date]);
+ goto err;
+ }
+ else
+ {
+ BIO_printf(bio_err,"ERROR: Unknown status (%c).\n",
+ rrow[DB_type][0]);
+ ok=-1;
+ }
+err:
+ for (i=0; i<DB_NUMBER; i++)
+ {
+ if ((row[i] != NULL) && (row[i] != serial) )
+ Free(row[i]);
+ }
+ return(ok);
+}
+
+static int do_updatedb (TXT_DB *db)
+{
+ ASN1_UTCTIME *a_tm = NULL;
+ int i, cnt = 0;
+ int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
+ char **rrow, *a_tm_s;
+
+ /* mdified by madwolf */
+ a_tm = ASN1_UTCTIME_new();
+
+ /* get actual time and make a string */
+ a_tm = X509_gmtime_adj( a_tm, 0 );
+ a_tm_s = (char *) Malloc( a_tm->length+1 );
+ if ( a_tm_s == NULL )
+ {
+ cnt = -1;
+ goto err;
+ }
+
+ memcpy( a_tm_s, a_tm->data, a_tm->length );
+ a_tm_s[a_tm->length] = '\0';
+
+ if ( strncmp( a_tm_s, "49", 2 ) <= 0 )
+ a_y2k = 1;
+ else
+ a_y2k = 0;
+
+ for (i = 0; i < sk_num( db->data ); i++)
+ {
+ rrow = (char **) sk_value( db->data, i );
+ if ( rrow[DB_type][0] == DB_TYPE_VAL )
+ {
+ /* ignore entry's that are not valid */
+ if ( strncmp( rrow[DB_exp_date], "49", 2 ) <= 0 )
+ db_y2k = 1;
+ else
+ db_y2k = 0;
+
+ if ( db_y2k == a_y2k )
+ {
+ /* all on the same y2k side */
+ if ( strcmp( rrow[DB_exp_date], a_tm_s ) <= 0 )
+ {
+ rrow[DB_type][0] = DB_TYPE_EXP;
+ rrow[DB_type][1] = '\0';
+ cnt++;
+ }
+ }
+ else if ( db_y2k < a_y2k )
+ {
+ rrow[DB_type][0] = DB_TYPE_EXP;
+ rrow[DB_type][1] = '\0';
+ cnt++;
+ }
+
+ }
+ }
+
+err:
+
+ ASN1_UTCTIME_free( a_tm );
+ Free( a_tm_s );
+ return (cnt);
+}
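Review bot: In `do_updatedb` the result of `ASN1_UTCTIME_new()` is never checked and the return of `X509_gmtime_adj( a_tm, 0 )` is assigned back to `a_tm` without a check, so an allocation failure in either is followed by `a_tm->length` on a NULL pointer; `a_tm_s` is also left uninitialised, so an early `goto err` would hand garbage to `Free( a_tm_s )`. Initialise it in the declaration, `char **rrow, *a_tm_s = NULL;`, and replace the two unchecked calls with `if ( a_tm == NULL || X509_gmtime_adj( a_tm, 0 ) == NULL ) { cnt = -1; goto err; }` before the `Malloc`. The `"49"` pivot used for both `a_y2k` and `db_y2k` deserves a comment, e.g. `/* UTCTime: YY <= 49 means 20YY, YY >= 50 means 19YY */`, since the correctness of the lexicographic `strcmp` on the expiry strings depends on both dates being on the same century side. In `get_certificate_status`, `toupper( row[DB_serial][i] )` is passed a plain `char`; cast it to `unsigned char` first so a high-bit byte in a user-supplied serial is not undefined behaviour.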