/** * gnutls_x509_crl_set_crt: * @crl: should contain a gnutls_x509_crl_t type * @crt: a certificate of type #gnutls_x509_crt_t with the revoked certificate * @revocation_time: The time this certificate was revoked * * This function will set a revoked certificate's serial number to the CRL. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. **/ int gnutls_x509_crl_set_crt(gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, time_t revocation_time) { int ret; uint8_t serial[128]; size_t serial_size; if (crl == NULL || crt == NULL) { gnutls_assert(); return GNUTLS_E_INVALID_REQUEST; } serial_size = sizeof(serial); ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_x509_crl_set_crt_serial(crl, serial, serial_size, revocation_time); if (ret < 0) { gnutls_assert(); return _gnutls_asn2err(ret); } return 0; }
int tls_revoke_analyzer(requiem_client_profile_t *cp, gnutls_x509_privkey key, gnutls_x509_crt crt, uint64_t revoked_analyzerid) { int ret, i; size_t len, dsize; gnutls_datum data; gnutls_x509_crl crl; uint64_t analyzerid; char crlfile[PATH_MAX], buf[65535]; ret = gnutls_x509_crl_init(&crl); requiem_client_profile_get_tls_server_crl_filename(cp, crlfile, sizeof(crlfile)); ret = access(crlfile, R_OK); if ( ret == 0 ) { ret = _requiem_load_file(crlfile, &data.data, &dsize); if ( ret < 0 ) { fprintf(stderr, "error loading '%s': %s.\n", crlfile, requiem_strerror(ret)); return ret; } data.size = (unsigned int) dsize; ret = gnutls_x509_crl_import(crl, &data, GNUTLS_X509_FMT_PEM); if ( ret < 0 ) { fprintf(stderr, "error importing CRL: %s.\n", gnutls_strerror(ret)); return -1; } } for ( i = 0; i < gnutls_x509_crl_get_crt_count(crl); i++ ) { len = sizeof(analyzerid); gnutls_x509_crl_get_crt_serial(crl, i, (unsigned char *) &analyzerid, &len, NULL); if ( analyzerid == revoked_analyzerid ) return 0; } ret = gnutls_x509_crl_set_crt_serial(crl, &revoked_analyzerid, sizeof(revoked_analyzerid), time(NULL)); if ( ret < 0 ) { fprintf(stderr, "error setting CRL certificate serial: %s.\n", gnutls_strerror(ret)); return -1; } gnutls_x509_crl_set_version(crl, 2); gnutls_x509_crl_set_next_update(crl, time(NULL)); gnutls_x509_crl_set_this_update(crl, time(NULL)); ret = gnutls_x509_crl_sign(crl, crt, key); if ( ret < 0 ) { fprintf(stderr, "error signing CRL: %s.\n", gnutls_strerror(ret)); return -1; } len = sizeof(buf); ret = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_PEM, buf, &len); if ( ret < 0 ) { fprintf(stderr, "error exporting certificate revocation list: %s\n", gnutls_strerror(ret)); gnutls_x509_crl_deinit(crl); return -1; } gnutls_x509_crl_deinit(crl); unlink(crlfile); ret = save_buf(crlfile, requiem_client_profile_get_uid(cp), requiem_client_profile_get_gid(cp), (unsigned char *) buf, len); if ( ret < 0 ) { fprintf(stderr, "error saving private key.\n"); return -1; } return 1; }