Diffstat (limited to 'src/daemon/https/x509/crl_write.c')
-rw-r--r-- | src/daemon/https/x509/crl_write.c | 317 |
1 files changed, 0 insertions, 317 deletions
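diff --git a/src/daemon/https/x509/crl_write.c b/src/daemon/https/x509/crl_write.c
deleted file mode 100644
index 5e323be2..00000000
--- a/src/daemon/https/x509/crl_write.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
-* Copyright (C) 2003, 2004, 2005 Free Software Foundation
-*
-* Author: Nikos Mavrogiannopoulos
-*
-* This file is part of GNUTLS.
-*
-* The GNUTLS library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public License
-* as published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful, but
-* WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
-* USA
-*
-*/
-
-/* This file contains functions to handle CRL generation.
-*/
-
-#include <gnutls_int.h>
-
-#ifdef ENABLE_PKI
-
-#include <gnutls_datum.h>
-#include <gnutls_global.h>
-#include <gnutls_errors.h>
-#include <common.h>
-#include <gnutls_x509.h>
-#include <x509_b64.h>
-#include <crq.h>
-#include <dn.h>
-#include <mpi.h>
-#include <sign.h>
-#include <extensions.h>
-#include <libtasn1.h>
-
-static void disable_optional_stuff (gnutls_x509_crl_t crl);
-
-/**
-* gnutls_x509_crl_set_version - This function will set the CRL version
-* @crl: should contain a gnutls_x509_crl_t structure
-* @version: holds the version number. For CRLv1 crls must be 1.
-*
-* This function will set the version of the CRL. This
-* must be one for CRL version 1, and so on. The CRLs generated
-* by gnutls should have a version number of 2.
-*
-* Returns 0 on success.
-*
-**/
-int
-gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
-{
-int result;
-char null = version;
-
-if (crl == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-
-null -= 1;
-if (null < 0)
-null = 0;
-
-result = asn1_write_value (crl->crl, "tbsCertList.version", &null, 1);
-if (result != ASN1_SUCCESS)
-{
-gnutls_assert ();
-return mhd_gtls_asn2err (result);
-}
-
-return 0;
-}
-
-/**
-* gnutls_x509_crl_sign2 - This function will sign a CRL with a key
-* @crl: should contain a gnutls_x509_crl_t structure
-* @issuer: is the certificate of the certificate issuer
-* @issuer_key: holds the issuer's private key
-* @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless you know what you're doing.
-* @flags: must be 0
-*
-* This function will sign the CRL with the issuer's private key, and
-* will copy the issuer's information into the CRL.
-*
-* This must be the last step in a certificate CRL since all
-* the previously set parameters are now signed.
-*
-* Returns 0 on success.
-*
-**/
-int
-gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
-gnutls_x509_privkey_t issuer_key,
-enum MHD_GNUTLS_HashAlgorithm dig, unsigned int flags)
-{
-int result;
-
-if (crl == NULL || issuer == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-
-/* disable all the unneeded OPTIONAL fields.
-*/
-disable_optional_stuff (crl);
-
-result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList",
-dig, issuer, issuer_key);
-if (result < 0)
-{
-gnutls_assert ();
-return result;
-}
-
-return 0;
-}
-
-/**
-* gnutls_x509_crl_sign - This function will sign a CRL with a key
-* @crl: should contain a gnutls_x509_crl_t structure
-* @issuer: is the certificate of the certificate issuer
-* @issuer_key: holds the issuer's private key
-*
-* This function is the same a gnutls_x509_crl_sign2() with no flags, and
-* SHA1 as the hash algorithm.
-*
-* Returns 0 on success.
-*
-**/
-int
-gnutls_x509_crl_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
-gnutls_x509_privkey_t issuer_key)
-{
-return gnutls_x509_crl_sign2 (crl, issuer, issuer_key, MHD_GNUTLS_MAC_SHA1,
-0);
-}
-
-/**
-* gnutls_x509_crl_set_this_update - This function will set the CRL's issuing time
-* @crl: should contain a gnutls_x509_crl_t structure
-* @act_time: The actual time
-*
-* This function will set the time this CRL was issued.
-*
-* Returns 0 on success, or a negative value in case of an error.
-*
-**/
-int
-gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time)
-{
-if (crl == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-
-return _gnutls_x509_set_time (crl->crl, "tbsCertList.thisUpdate", act_time);
-}
-
-/**
-* gnutls_x509_crl_set_next_update - This function will set the CRL next update time
-* @crl: should contain a gnutls_x509_crl_t structure
-* @exp_time: The actual time
-*
-* This function will set the time this CRL will be updated.
-*
-* Returns 0 on success, or a negative value in case of an error.
-*
-**/
-int
-gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time)
-{
-if (crl == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-return _gnutls_x509_set_time (crl->crl, "tbsCertList.nextUpdate", exp_time);
-}
-
-/**
-* gnutls_x509_crl_set_crt_serial - This function will set a revoked certificate's serial number
-* @crl: should contain a gnutls_x509_crl_t structure
-* @serial: The revoked certificate's serial number
-* @serial_size: Holds the size of the serial field.
-* @revocation_time: The time this certificate was revoked
-*
-* This function will set a revoked certificate's serial number to the CRL.
-*
-* Returns 0 on success, or a negative value in case of an error.
-*
-**/
-int
-gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl,
-const void *serial, size_t serial_size,
-time_t revocation_time)
-{
-int ret;
-
-if (crl == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-
-ret =
-asn1_write_value (crl->crl, "tbsCertList.revokedCertificates", "NEW", 1);
-if (ret != ASN1_SUCCESS)
-{
-gnutls_assert ();
-return mhd_gtls_asn2err (ret);
-}
-
-ret =
-asn1_write_value (crl->crl,
-"tbsCertList.revokedCertificates.?LAST.userCertificate",
-serial, serial_size);
-if (ret != ASN1_SUCCESS)
-{
-gnutls_assert ();
-return mhd_gtls_asn2err (ret);
-}
-
-ret =
-_gnutls_x509_set_time (crl->crl,
-"tbsCertList.revokedCertificates.?LAST.revocationDate",
-revocation_time);
-if (ret < 0)
-{
-gnutls_assert ();
-return ret;
-}
-
-ret =
-asn1_write_value (crl->crl,
-"tbsCertList.revokedCertificates.?LAST.crlEntryExtensions",
-NULL, 0);
-if (ret != ASN1_SUCCESS)
-{
-gnutls_assert ();
-return mhd_gtls_asn2err (ret);
-}
-
-return 0;
-}
-
-/**
-* gnutls_x509_crl_set_crt - This function will set a revoked certificate's serial number
-* @crl: should contain a gnutls_x509_crl_t structure
-* @crt: should contain a gnutls_x509_crt_t structure with the revoked certificate
-* @revocation_time: The time this certificate was revoked
-*
-* This function will set a revoked certificate's serial number to the CRL.
-*
-* Returns 0 on success, or a negative value in case of an error.
-*
-**/
-int
-gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt,
-time_t revocation_time)
-{
-int ret;
-opaque serial[128];
-size_t serial_size;
-
-if (crl == NULL || crt == NULL)
-{
-gnutls_assert ();
-return GNUTLS_E_INVALID_REQUEST;
-}
-
-serial_size = sizeof (serial);
-ret = gnutls_x509_crt_get_serial (crt, serial, &serial_size);
-if (ret < 0)
-{
-gnutls_assert ();
-return ret;
-}
-
-ret =
-gnutls_x509_crl_set_crt_serial (crl, serial, serial_size,
-revocation_time);
-if (ret < 0)
-{
-gnutls_assert ();
-return mhd_gtls_asn2err (ret);
-}
-
-return 0;
-}
-
-
-/* If OPTIONAL fields have not been initialized then
-* disable them.
-*/
-static void
-disable_optional_stuff (gnutls_x509_crl_t crl)
-{
-
-asn1_write_value (crl->crl, "tbsCertList.crlExtensions", NULL, 0);
-
-return;
-}
-
-#endif /* ENABLE_PKI */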