Example #1
0
/**
 * gnutls_x509_crl_set_crt:
 * @crl: should contain a gnutls_x509_crl_t type
 * @crt: a certificate of type #gnutls_x509_crt_t with the revoked certificate
 * @revocation_time: The time this certificate was revoked
 *
 * This function will set a revoked certificate's serial number to the CRL.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 **/
int
gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl, gnutls_x509_crt_t crt,
			time_t revocation_time)
{
	int ret;
	uint8_t serial[128];
	size_t serial_size;

	if (crl == NULL || crt == NULL) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	serial_size = sizeof(serial);
	ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	ret =
	    gnutls_x509_crl_set_crt_serial(crl, serial, serial_size,
					   revocation_time);
	if (ret < 0) {
		gnutls_assert();
		return _gnutls_asn2err(ret);
	}

	return 0;
}
int tls_revoke_analyzer(requiem_client_profile_t *cp, gnutls_x509_privkey key,
                        gnutls_x509_crt crt, uint64_t revoked_analyzerid)
{
        int ret, i;
        size_t len, dsize;
        gnutls_datum data;
        gnutls_x509_crl crl;
        uint64_t analyzerid;
        char crlfile[PATH_MAX], buf[65535];

        ret = gnutls_x509_crl_init(&crl);
        requiem_client_profile_get_tls_server_crl_filename(cp, crlfile, sizeof(crlfile));

        ret = access(crlfile, R_OK);
        if ( ret == 0 ) {
                ret = _requiem_load_file(crlfile, &data.data, &dsize);
                if ( ret < 0 ) {
                        fprintf(stderr, "error loading '%s': %s.\n", crlfile, requiem_strerror(ret));
                        return ret;
                }

                data.size = (unsigned int) dsize;

                ret = gnutls_x509_crl_import(crl, &data, GNUTLS_X509_FMT_PEM);
                if ( ret < 0 ) {
                        fprintf(stderr, "error importing CRL: %s.\n", gnutls_strerror(ret));
                        return -1;
                }
        }

        for ( i = 0; i < gnutls_x509_crl_get_crt_count(crl); i++ ) {
                len = sizeof(analyzerid);
                gnutls_x509_crl_get_crt_serial(crl, i, (unsigned char *) &analyzerid, &len, NULL);

                if ( analyzerid == revoked_analyzerid )
                        return 0;
        }

        ret = gnutls_x509_crl_set_crt_serial(crl, &revoked_analyzerid, sizeof(revoked_analyzerid), time(NULL));
        if ( ret < 0 ) {
                fprintf(stderr, "error setting CRL certificate serial: %s.\n", gnutls_strerror(ret));
                return -1;
        }

        gnutls_x509_crl_set_version(crl, 2);
        gnutls_x509_crl_set_next_update(crl, time(NULL));
        gnutls_x509_crl_set_this_update(crl, time(NULL));

        ret = gnutls_x509_crl_sign(crl, crt, key);
        if ( ret < 0 ) {
                fprintf(stderr, "error signing CRL: %s.\n", gnutls_strerror(ret));
                return -1;
        }

        len = sizeof(buf);
        ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buf, &len);
        if ( ret < 0 ) {
                fprintf(stderr, "error exporting certificate revocation list: %s\n", gnutls_strerror(ret));
                gnutls_x509_crl_deinit(crl);
                return -1;
        }

        gnutls_x509_crl_deinit(crl);

        unlink(crlfile);
        ret = save_buf(crlfile, requiem_client_profile_get_uid(cp),
                       requiem_client_profile_get_gid(cp), (unsigned char *) buf, len);
        if ( ret < 0 ) {
                fprintf(stderr, "error saving private key.\n");
                return -1;
        }

        return 1;
}