/*- * _gnutls_x509_crl_cpy - This function copies a gnutls_x509_crl_t structure * @dest: The structure where to copy * @src: The structure to be copied * * This function will copy an X.509 certificate structure. * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. * -*/ int _gnutls_x509_crl_cpy (gnutls_x509_crl_t dest, gnutls_x509_crl_t src) { int ret; size_t der_size; opaque *der; gnutls_datum_t tmp; ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, NULL, &der_size); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { gnutls_assert (); return ret; } der = gnutls_malloc (der_size); if (der == NULL) { gnutls_assert (); return GNUTLS_E_MEMORY_ERROR; } ret = gnutls_x509_crl_export (src, GNUTLS_X509_FMT_DER, der, &der_size); if (ret < 0) { gnutls_assert (); gnutls_free (der); return ret; } tmp.data = der; tmp.size = der_size; ret = gnutls_x509_crl_import (dest, &tmp, GNUTLS_X509_FMT_DER); gnutls_free (der); if (ret < 0) { gnutls_assert (); return ret; } return 0; }
int tls_revoke_analyzer(requiem_client_profile_t *cp, gnutls_x509_privkey key, gnutls_x509_crt crt, uint64_t revoked_analyzerid) { int ret, i; size_t len, dsize; gnutls_datum data; gnutls_x509_crl crl; uint64_t analyzerid; char crlfile[PATH_MAX], buf[65535]; ret = gnutls_x509_crl_init(&crl); requiem_client_profile_get_tls_server_crl_filename(cp, crlfile, sizeof(crlfile)); ret = access(crlfile, R_OK); if ( ret == 0 ) { ret = _requiem_load_file(crlfile, &data.data, &dsize); if ( ret < 0 ) { fprintf(stderr, "error loading '%s': %s.\n", crlfile, requiem_strerror(ret)); return ret; } data.size = (unsigned int) dsize; ret = gnutls_x509_crl_import(crl, &data, GNUTLS_X509_FMT_PEM); if ( ret < 0 ) { fprintf(stderr, "error importing CRL: %s.\n", gnutls_strerror(ret)); return -1; } } for ( i = 0; i < gnutls_x509_crl_get_crt_count(crl); i++ ) { len = sizeof(analyzerid); gnutls_x509_crl_get_crt_serial(crl, i, (unsigned char *) &analyzerid, &len, NULL); if ( analyzerid == revoked_analyzerid ) return 0; } ret = gnutls_x509_crl_set_crt_serial(crl, &revoked_analyzerid, sizeof(revoked_analyzerid), time(NULL)); if ( ret < 0 ) { fprintf(stderr, "error setting CRL certificate serial: %s.\n", gnutls_strerror(ret)); return -1; } gnutls_x509_crl_set_version(crl, 2); gnutls_x509_crl_set_next_update(crl, time(NULL)); gnutls_x509_crl_set_this_update(crl, time(NULL)); ret = gnutls_x509_crl_sign(crl, crt, key); if ( ret < 0 ) { fprintf(stderr, "error signing CRL: %s.\n", gnutls_strerror(ret)); return -1; } len = sizeof(buf); ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buf, &len); if ( ret < 0 ) { fprintf(stderr, "error exporting certificate revocation list: %s\n", gnutls_strerror(ret)); gnutls_x509_crl_deinit(crl); return -1; } gnutls_x509_crl_deinit(crl); unlink(crlfile); ret = save_buf(crlfile, requiem_client_profile_get_uid(cp), requiem_client_profile_get_gid(cp), (unsigned char *) buf, len); if ( ret < 0 ) { fprintf(stderr, "error saving private key.\n"); return -1; } return 1; }