2 * Copyright (C) 2003, 2004, 2005, 2008, 2010 Free Software Foundation,
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GnuTLS.
9 * The GnuTLS is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
26 /* This file contains functions to handle CRL generation.
29 #include <gnutls_int.h>
33 #include <gnutls_datum.h>
34 #include <gnutls_global.h>
35 #include <gnutls_errors.h>
37 #include <gnutls_x509.h>
42 static void disable_optional_stuff (gnutls_x509_crl_t crl);
45 * gnutls_x509_crl_set_version:
46 * @crl: should contain a gnutls_x509_crl_t structure
47 * @version: holds the version number. For CRLv1 CRLs this must be 1.
49 * This function will set the version of the CRL. This
50 * must be one for CRL version 1, and so on. The CRLs generated
51 * by gnutls should have a version number of 2.
53 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
54 * negative error value.
57 gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
60 uint8_t null = version & 0xFF;
65 return GNUTLS_E_INVALID_REQUEST;
71 result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1);
72 if (result != ASN1_SUCCESS)
75 return _gnutls_asn2err (result);
82 * gnutls_x509_crl_sign2:
83 * @crl: should contain a gnutls_x509_crl_t structure
84 * @issuer: is the certificate of the certificate issuer
85 * @issuer_key: holds the issuer's private key
86 * @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
89 * This function will sign the CRL with the issuer's private key, and
90 * will copy the issuer's information into the CRL.
92 * This must be the last step in generating a CRL, since all
93 * the previously set parameters are covered by the signature.
95 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
96 * negative error value.
98 * Deprecated: Use gnutls_x509_crl_privkey_sign() instead.
101 gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
102 gnutls_x509_privkey_t issuer_key,
103 gnutls_digest_algorithm_t dig, unsigned int flags)
106 gnutls_privkey_t privkey;
108 if (crl == NULL || issuer == NULL)
111 return GNUTLS_E_INVALID_REQUEST;
114 result = gnutls_privkey_init (&privkey);
121 result = gnutls_privkey_import_x509 (privkey, issuer_key, 0);
128 result = gnutls_x509_crl_privkey_sign (crl, issuer, privkey, dig, flags);
138 gnutls_privkey_deinit (privkey);
144 * gnutls_x509_crl_sign:
145 * @crl: should contain a gnutls_x509_crl_t structure
146 * @issuer: is the certificate of the certificate issuer
147 * @issuer_key: holds the issuer's private key
149 * This function is the same as gnutls_x509_crl_sign2() with no flags, and
150 * SHA1 as the hash algorithm.
152 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
153 * negative error value.
155 * Deprecated: Use gnutls_x509_crl_privkey_sign().
158 gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
159 gnutls_x509_privkey_t issuer_key)
161 return gnutls_x509_crl_sign2 (crl, issuer, issuer_key, GNUTLS_DIG_SHA1, 0);
165 * gnutls_x509_crl_set_this_update:
166 * @crl: should contain a gnutls_x509_crl_t structure
167 * @act_time: The time at which this CRL is issued
169 * This function will set the time this CRL was issued.
171 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
172 * negative error value.
175 gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time)
180 return GNUTLS_E_INVALID_REQUEST;
183 return _gnutls_x509_set_time (crl->crl, "tbsCertList.thisUpdate", act_time);
187 * gnutls_x509_crl_set_next_update:
188 * @crl: should contain a gnutls_x509_crl_t structure
189 * @exp_time: The expected time of the next CRL update
191 * This function will set the time this CRL will be updated.
193 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
194 * negative error value.
197 gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time)
202 return GNUTLS_E_INVALID_REQUEST;
204 return _gnutls_x509_set_time (crl->crl, "tbsCertList.nextUpdate", exp_time);
208 * gnutls_x509_crl_set_crt_serial:
209 * @crl: should contain a gnutls_x509_crl_t structure
210 * @serial: The revoked certificate's serial number
211 * @serial_size: Holds the size of the serial field.
212 * @revocation_time: The time this certificate was revoked
214 * This function will add a revoked certificate's serial number to the CRL.
216 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
217 * negative error value.
220 gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl,
221 const void *serial, size_t serial_size,
222 time_t revocation_time)
229 return GNUTLS_E_INVALID_REQUEST;
233 asn1_write_value (crl->crl, "tbsCertList.revokedCertificates", "NEW", 1);
234 if (ret != ASN1_SUCCESS)
237 return _gnutls_asn2err (ret);
241 asn1_write_value (crl->crl,
242 "tbsCertList.revokedCertificates.?LAST.userCertificate",
243 serial, serial_size);
244 if (ret != ASN1_SUCCESS)
247 return _gnutls_asn2err (ret);
251 _gnutls_x509_set_time (crl->crl,
252 "tbsCertList.revokedCertificates.?LAST.revocationDate",
261 asn1_write_value (crl->crl,
262 "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions",
264 if (ret != ASN1_SUCCESS)
267 return _gnutls_asn2err (ret);
274 * gnutls_x509_crl_set_crt:
275 * @crl: should contain a gnutls_x509_crl_t structure
276 * @crt: a certificate of type #gnutls_x509_crt_t with the revoked certificate
277 * @revocation_time: The time this certificate was revoked
279 * This function will add the revoked certificate's serial number to the CRL.
281 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
282 * negative error value.
285 gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt,
286 time_t revocation_time)
292 if (crl == NULL || crt == NULL)
295 return GNUTLS_E_INVALID_REQUEST;
298 serial_size = sizeof (serial);
299 ret = gnutls_x509_crt_get_serial (crt, serial, &serial_size);
307 gnutls_x509_crl_set_crt_serial (crl, serial, serial_size,
312 return _gnutls_asn2err (ret);
319 /* If OPTIONAL fields have not been initialized then
323 disable_optional_stuff (gnutls_x509_crl_t crl)
326 if (crl->use_extensions == 0)
328 asn1_write_value (crl->crl, "tbsCertList.crlExtensions", NULL, 0);
335 * gnutls_x509_crl_set_authority_key_id:
336 * @crl: a CRL of type #gnutls_x509_crl_t
338 * @id_size: Holds the size of the id field.
340 * This function will set the CRL's authority key ID extension. Only
341 * the keyIdentifier field can be set with this function.
343 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
344 * negative error value.
349 gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl,
350 const void *id, size_t id_size)
353 gnutls_datum_t old_id, der_data;
354 unsigned int critical;
359 return GNUTLS_E_INVALID_REQUEST;
362 /* Check if the extension already exists.
365 _gnutls_x509_crl_get_extension (crl, "2.5.29.35", 0, &old_id, &critical);
368 _gnutls_free_datum (&old_id);
369 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
372 return GNUTLS_E_INVALID_REQUEST;
375 /* generate the extension.
377 result = _gnutls_x509_ext_gen_auth_key_id (id, id_size, &der_data);
384 result = _gnutls_x509_crl_set_extension (crl, "2.5.29.35", &der_data, 0);
386 _gnutls_free_datum (&der_data);
394 crl->use_extensions = 1;
400 * gnutls_x509_crl_set_number:
401 * @crl: a CRL of type #gnutls_x509_crl_t
402 * @nr: The CRL number
403 * @nr_size: Holds the size of the nr field.
405 * This function will set the CRL's number extension.
407 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
408 * negative error value.
413 gnutls_x509_crl_set_number (gnutls_x509_crl_t crl,
414 const void *nr, size_t nr_size)
417 gnutls_datum_t old_id, der_data;
418 unsigned int critical;
423 return GNUTLS_E_INVALID_REQUEST;
426 /* Check if the extension already exists.
429 _gnutls_x509_crl_get_extension (crl, "2.5.29.20", 0, &old_id, &critical);
432 _gnutls_free_datum (&old_id);
433 if (result != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
436 return GNUTLS_E_INVALID_REQUEST;
439 /* generate the extension.
441 result = _gnutls_x509_ext_gen_number (nr, nr_size, &der_data);
448 result = _gnutls_x509_crl_set_extension (crl, "2.5.29.20", &der_data, 0);
450 _gnutls_free_datum (&der_data);
458 crl->use_extensions = 1;
464 * gnutls_x509_crl_privkey_sign:
465 * @crl: should contain a gnutls_x509_crl_t structure
466 * @issuer: is the certificate of the certificate issuer
467 * @issuer_key: holds the issuer's private key
468 * @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
471 * This function will sign the CRL with the issuer's private key, and
472 * will copy the issuer's information into the CRL.
474 * This must be the last step in generating a CRL, since all
475 * the previously set parameters are covered by the signature.
477 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
478 * negative error value.
481 gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
482 gnutls_privkey_t issuer_key,
483 gnutls_digest_algorithm_t dig,
488 if (crl == NULL || issuer == NULL)
491 return GNUTLS_E_INVALID_REQUEST;
494 /* disable all the unneeded OPTIONAL fields.
496 disable_optional_stuff (crl);
498 result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList",
499 dig, issuer, issuer_key);
509 #endif /* ENABLE_PKI */