Hi Daniel,

I was curious about this, as I work mostly with Cisco and I didn't know you 
could get a CRL check through SCEP. So I took a look at the code.

I think the missing part you are looking for is in "LibSCEP.xs" (C wrapper for 
Perl).
===
SV *
get_getcert_serial(pkiMessage)
    Crypt::LibSCEP pkiMessage
PREINIT:
    char *ret = NULL;
CODE:
    ret = "";
    if(pkiMessage->issuer_and_serial != NULL) {
        ret = i2s_ASN1_INTEGER(NULL, pkiMessage->issuer_and_serial->serial);
    }
    RETVAL = newSVpv(ret, 0);
OUTPUT:
    RETVAL
===

I think this is called from "Service/LibSCEP/Command/PKIOperation.pm"
===
sub __find_cert_issuer_serial : PRIVATE {

    my $self      = shift;
    my $arg_ref   = shift;

    my $token        = $arg_ref->{TOKEN};
    my $scep_handle  = $arg_ref->{SCEP_HANDLE};

    my $requested_serial_dec = $token->command({
        COMMAND => 'get_getcert_serial',
        SCEP_HANDLE   => $scep_handle,
    });
...
===

And this is called from "__send_crl" in the same file:
===
=head2 __send_crl

Create the response for the GetCRL request by extracting the issuer and
serial from the request. As we do not support scoped CRLs yet it is
sufficient to check the issuer dn but to catch situations where the issuer dn
is used over multiple generations we search for both.

=cut

sub __send_crl : PRIVATE {

    my $self      = shift;
    my $arg_ref   = shift;
    my $scep_handle  = $arg_ref->{SCEP_HANDLE};
    my $token        = $arg_ref->{TOKEN};

    my $cert_result = $self->__find_cert_issuer_serial( $arg_ref );
===

But I don't see any error in the logic here.

I *suppose* the C wrapper is taking the serial in the request through:
i2s_ASN1_INTEGER(NULL, pkiMessage->issuer_and_serial->serial);

Currently I cannot test, but I would look into this serial.

Regards,
Carlos Velasco
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
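As an added example (not code from OpenXPKI or LibSCEP), the following Python walks a constructed PKCS#7 IssuerAndSerialNumber, the structure a GetCRL request carries, and shows the serial both as the decimal string i2s_ASN1_INTEGER returns and as the hex form OpenSSL tools print, which is what a defender comparing the request against the CA's certificate records would want side by side. The DER bytes and the "Test CA" issuer are constructed for the example.

```python
# Minimal DER walk of IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }
def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_issuer_and_serial(der):
    """Return (issuer Name as raw DER, serial as int) from an IssuerAndSerialNumber."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, issuer, pos = _read_tlv(body, 0)   # issuer Name (SEQUENCE OF RDN)
    if tag != 0x30:
        raise ValueError("expected Name SEQUENCE")
    tag, serial, _ = _read_tlv(body, pos)   # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return issuer, int.from_bytes(serial, "big", signed=True)

def issuer_cn(issuer_der):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN (OID 2.5.4.3)."""
    pos = 0
    while pos < len(issuer_der):
        _, rdn, pos = _read_tlv(issuer_der, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        if oid == b"\x55\x04\x03":
            return val.decode("utf-8")
    return None

def serial_as_i2s(serial):
    """Decimal string, the same representation i2s_ASN1_INTEGER produces."""
    return str(serial)

def serial_as_hex(serial):
    """Even-length upper-case hex, as 'openssl x509 -serial' prints it."""
    h = format(serial, "X")
    return h if len(h) % 2 == 0 else "0" + h

# Constructed sample: issuer CN=Test CA, serial 0x80000000 (note the DER leading 0x00 pad byte)
SAMPLE_DER = bytes.fromhex(
    "301b" "3012" "3110" "300e" "0603550403" "0c0754657374204341"
    "02050080000000"
)
```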
