Stéphane Lemaire wrote:
> 
> Hi,
> 
> I wish to improve my question. My CRL contains expired and revoked
> certificates. I wish that my CRL contained only the revoked certificates
> which are still technically valid, and not the expired ones. I do not wish
> the size of my CRL to increase without end.
> 
> Did somebody already find a solution?
> 
> Regards,
> 
> Stéphane Lemaire
> 
an entry can be marked either as 
R=Revoked
V=Valid
E=Expired

Attached you can find a source for the expire check (I don't
remember whether it was based on some similar sources found on the internet, or
whether it's entirely of my own inspiration...)

Free to use for anyone who wants it... but retain the creator credits...
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
// Rabellino Sergio - [EMAIL PROTECTED]
// Computer Science Department of Torino

#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Openssl Includes */
#include <openssl/conf.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/txt_db.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/pem.h>

/* Column numbers of one row of the CA database that TXT_DB_read() parses
 * below (the "index.txt" file used as the default input).  Only the first
 * three columns are rewritten by this tool; the rest are passed through. */
#define DB_type         0       /* status flag: one of the DB_TYPE_* chars below */
#define DB_exp_date     1       /* expiry date; only its first 8 characters are compared */
#define DB_rev_date     2       /* revocation date; cleared when a revoked entry expires */
#define DB_serial       3       /* index - unique */
#define DB_file         4
#define DB_name         5       /* index - unique for active */
#define DB_NUMBER       6       /* number of fields handed to TXT_DB_read() */

/* Values of the first character of the DB_type column. */
#define DB_TYPE_REV     'R'     /* revoked */
#define DB_TYPE_EXP     'E'     /* expired */
#define DB_TYPE_VAL     'V'     /* valid */



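/*
 * Copy a file name into a fixed-size buffer.
 *
 * Returns 0 on success, -1 when the name would not fit.  The sources are
 * argv strings, so the copy must be bounded rather than a bare strcpy().
 */
static int copy_name(char *dst, size_t dstsz, const char *src)
{
  int n = snprintf(dst, dstsz, "%s", src);

  return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/*
 * Current time as the number YYYYMMDDHH, or -1 if the clock cannot be read.
 *
 * UTC is used rather than local time: the dates written into index.txt are
 * UTC values (they end in 'Z'), so comparing them against local time would
 * shift every expiry by the zone offset.  "%Y" replaces the hard-coded
 * "20%y" of the first version, which only worked for years 2000-2099.
 */
static long now_to_long(void)
{
  time_t nowbin = time(NULL);
  const struct tm *nowstruct = gmtime(&nowbin);
  char buf[20];
  char *end;
  long v;

  if (nowstruct == NULL)
    return -1;
  if (strftime(buf, sizeof buf, "%Y%m%d%H", nowstruct) == 0)
    return -1;
  errno = 0;
  v = strtol(buf, &end, 10);
  if (end == buf || *end != '\0' || errno == ERANGE)
    return -1;
  return v;
}

/*
 * Convert the first eight characters of an index.txt date field (the
 * YYMMDDHH prefix of YYMMDDHHMMSSZ) to the number YYYYMMDDHH.
 *
 * The century is added exactly as the original code did: a leading '9'
 * means 19xx, anything else 20xx.  Returns -1 when the field is missing
 * or not eight digits, so a garbled row is reported instead of being
 * silently re-marked as expired (atol() on junk would have returned 0,
 * which compares as "long expired").
 */
static long exp_date_to_long(const char *date)
{
  char full[16];
  char *end;
  long v;

  if (date == NULL)
    return -1;
  /* The loop stops at the first non-digit, so it never reads past a NUL. */
  for (int i = 0; i < 8; i++) {
    if (!isdigit((unsigned char)date[i]))
      return -1;
  }
  snprintf(full, sizeof full, "%s%.8s", date[0] == '9' ? "19" : "20", date);
  errno = 0;
  v = strtol(full, &end, 10);
  if (end == full || *end != '\0' || errno == ERANGE)
    return -1;
  return v;
}

/*
 * Re-mark expired entries of an OpenSSL CA database (index.txt).
 *
 *   argv[1]  input database  (default "index.txt")
 *   argv[2]  output database (default "index.new")
 *
 * Every row whose expiry date is earlier than the current hour is changed:
 * a 'V' (valid) entry becomes 'E' (expired); an 'R' (revoked) entry becomes
 * 'E' and its revocation date is cleared, so it no longer ends up in a CRL
 * generated from the database.  The input is never modified in place; the
 * result goes to the output file so it can be reviewed before replacing
 * index.txt.
 *
 * Note for operators: RFC 5280 (section 3.3) allows an expired certificate
 * to be dropped from the CRL only after it has appeared on one regularly
 * scheduled CRL issued beyond the certificate's validity period, so run
 * this after that CRL has been published, not as part of generating it.
 *
 * Returns 0 on success, 1 on any error (a message goes to stderr).
 */
int main(int argc, char *argv[])
{
  BIO *in = NULL;
  BIO *out = NULL;
  TXT_DB *db = NULL;
  char indbfile[256];
  char outdbfile[256];
  long dd;
  int rc = 1;

  if (copy_name(indbfile, sizeof indbfile, argc > 1 ? argv[1] : "index.txt") < 0 ||
      copy_name(outdbfile, sizeof outdbfile, argc > 2 ? argv[2] : "index.new") < 0) {
    fprintf(stderr, "file name longer than %zu bytes\n", sizeof indbfile - 1);
    return 1;
  }

  dd = now_to_long();
  if (dd < 0) {
    fprintf(stderr, "unable to read the current time\n");
    return 1;
  }

  printf("Reading from %s\n", indbfile);
  printf("Writing to   %s\n", outdbfile);

  in = BIO_new(BIO_s_file());
  out = BIO_new(BIO_s_file());
  if (in == NULL || out == NULL) {
    fprintf(stderr, "unable to allocate BIOs\n");
    goto done;
  }

  if (BIO_read_filename(in, indbfile) <= 0) {
    perror(indbfile);
    fprintf(stderr, "unable to open '%s'\n", indbfile);
    goto done;
  }

  /* Parse the input before creating the output, so a bad input file does
   * not leave behind a truncated output file. */
  db = TXT_DB_read(in, DB_NUMBER);
  if (db == NULL) {
    perror(indbfile);
    fprintf(stderr, "unable to decode '%s'\n", indbfile);
    goto done;
  }

  if (BIO_write_filename(out, outdbfile) <= 0) {
    perror(outdbfile);
    fprintf(stderr, "unable to open '%s'\n", outdbfile);
    goto done;
  }

  /* Check every entry; only 'V' and 'R' rows can expire. */
  for (int i = 0; i < sk_num(db->data); i++) {
    char **pp = (char **)sk_value(db->data, i);
    char type = pp[DB_type][0];
    long cdd;

    if (type != DB_TYPE_VAL && type != DB_TYPE_REV)
      continue;

    cdd = exp_date_to_long(pp[DB_exp_date]);
    if (cdd < 0) {
      fprintf(stderr, "Certificate %s has an unreadable expiry date '%s', entry left unchanged\n",
              pp[DB_serial], pp[DB_exp_date] != NULL ? pp[DB_exp_date] : "");
      continue;
    }
    /* Hour granularity: an entry expiring within the current hour is kept. */
    if (dd <= cdd)
      continue;

    if (type == DB_TYPE_VAL) {
      printf("Certificate %s is signed Valid but is Expired...\n", pp[DB_serial]);
    } else {
      printf("Certificate %s is signed as Revoked but is Expired...\n", pp[DB_serial]);
      /* The field pointer is left NULL, as the original did: it points into
       * the row's own buffer, so there is nothing to free, and the writer
       * is expected to emit an empty column for it — verify against the
       * TXT_DB_write() of the OpenSSL version in use. */
      pp[DB_rev_date] = NULL;
    }
    pp[DB_type][0] = DB_TYPE_EXP;
  }

  /* Write out the DB on the output file. */
  if (TXT_DB_write(out, db) < 0) {
    perror(outdbfile);
    fprintf(stderr, "unable to encode '%s'\n", outdbfile);
    goto done;
  }
  printf("DB analyzed & checked ok. \n");
  rc = 0;

done:
  if (db != NULL)
    TXT_DB_free(db);
  BIO_free(in);
  BIO_free(out);
  return rc;
}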


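# Set these to wherever the OpenSSL libraries and headers are installed
OPENSSL_LIB = ./lib
OPENSSL_INCLUDE = ./include

CC = gcc
CFLAGS = -Wall -Wextra

.PHONY: all clean

all     :       expire

# -lcrypto must stay on the same command line as the compiler call; the
# mailer had wrapped it onto a line of its own, which make would reject.
expire  :       expire.c
	${CC} ${CFLAGS} expire.c -o expire -I ${OPENSSL_INCLUDE} -L ${OPENSSL_LIB} -lcrypto

clean   :
	rm -f *.o
	rm -f expire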
