*** empty log message ***

1 files changed, 259 insertions, 0 deletions

diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
new file mode 100644
index 0000000000..7545f2c6a8
--- /dev/null
+++ b/lib/x509/crl_write.c
@@ -0,0 +1,259 @@
+/*
+ *  Copyright (C) 2003 Nikos Mavroyanopoulos
+ *  Copyright (C) 2004 Free Software Foundation
+ *
+ *  This file is part of GNUTLS.
+ *
+ *  The GNUTLS library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public   
+ *  License as published by the Free Software Foundation; either 
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of 
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ *
+ */
+
+/* This file contains functions to handle CRL generation.
+ */
+
+#include <gnutls_int.h>
+
+#ifdef ENABLE_PKI
+
+#include <gnutls_datum.h>
+#include <gnutls_global.h>
+#include <gnutls_errors.h>
+#include <common.h>
+#include <gnutls_x509.h>
+#include <x509_b64.h>
+#include <crq.h>
+#include <dn.h>
+#include <mpi.h>
+#include <sign.h>
+#include <extensions.h>
+#include <libtasn1.h>
+#include <gnutls_ui.h>
+
+static void disable_optional_stuff( gnutls_x509_crl crl);
+
+/**
+  * gnutls_x509_crl_set_version - This function will set the CRL version
+  * @crl: should contain a gnutls_x509_crl structure
+  * @version: holds the version number. For CRLv1 crls must be 1.
+  *
+  * This function will set the version of the CRL. This
+  * must be one for CRL version 1, and so on. The CRLs generated
+  * by gnutls should have a version number of 2.
+  *
+  * Returns 0 on success.
+  *
+  **/
+int gnutls_x509_crl_set_version(gnutls_x509_crl crl, unsigned int version)
+{
+int result;
+char null = version;
+
+	if (crl==NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+
+	null -= 1;
+	if (null < 0) null = 0;
+
+	result = asn1_write_value( crl->crl, "tbsCertList.version", &null, 1);
+	if (result != ASN1_SUCCESS) {
+		gnutls_assert();
+		return _gnutls_asn2err(result);
+	}
+
+	return 0;
+}
+
+/**
+  * gnutls_x509_crl_sign - This function will sign a CRL with a key
+  * @crl: should contain a gnutls_x509_crl structure
+  * @issuer: is the certificate of the certificate issuer
+  * @issuer_key: holds the issuer's private key
+  *
+  * This function will sign the CRL with the issuer's private key, and
+  * will copy the issuer's information into the CRL.
+  *
+  * This must be the last step in a certificate CRL since all
+  * the previously set parameters are now signed.
+  *
+  * Returns 0 on success.
+  *
+  **/
+int gnutls_x509_crl_sign(gnutls_x509_crl crl, gnutls_x509_crt issuer, 
+	gnutls_x509_privkey issuer_key)
+{
+int result;
+
+	if (crl==NULL || issuer == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+
+	/* disable all the unneeded OPTIONAL fields.
+	 */
+	disable_optional_stuff( crl);
+	
+	result = _gnutls_x509_pkix_sign( crl->crl, "tbsCertList", issuer,
+		issuer_key);
+	if (result < 0) {
+		gnutls_assert();
+		return result;
+	}
+
+	return 0;
+}
+
+/**
+  * gnutls_x509_crl_set_this_update - This function will set the CRL's issuing time
+  * @crl: should contain a gnutls_x509_crl structure
+  * @act_time: The actual time
+  *
+  * This function will set the time this CRL was issued.
+  *
+  * Returns 0 on success, or a negative value in case of an error.
+  *
+  **/
+int gnutls_x509_crl_set_this_update(gnutls_x509_crl crl, time_t act_time)
+{
+	if (crl==NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+
+	return _gnutls_x509_set_time( crl->crl, "tbsCertList.thisUpdate", act_time);
+}
+
+/**
+  * gnutls_x509_crl_set_next_update - This function will set the CRL next update time
+  * @crl: should contain a gnutls_x509_crl structure
+  * @exp_time: The actual time
+  *
+  * This function will set the time this CRL will be updated.
+  *
+  * Returns 0 on success, or a negative value in case of an error.
+  *
+  **/
+int gnutls_x509_crl_set_next_update(gnutls_x509_crl crl, time_t exp_time)
+{
+	if (crl==NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+	return _gnutls_x509_set_time( crl->crl, "tbsCertList.nextUpdate", exp_time);
+}
+
+/**
+  * gnutls_x509_crl_set_crt_serial - This function will set a revoked certificate's serial number
+  * @crl: should contain a gnutls_x509_crl structure
+  * @serial: The revoked certificate's serial number
+  * @serial_size: Holds the size of the serial field.
+  * @revocation_time: The time this certificate was revoked
+  *
+  * This function will set a revoked certificate's serial number to the CRL. 
+  *
+  * Returns 0 on success, or a negative value in case of an error.
+  *
+  **/
+int gnutls_x509_crl_set_crt_serial(gnutls_x509_crl crl, const void* serial, 
+	size_t serial_size, time_t revocation_time)
+{
+	int ret;
+
+	if (crl==NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+	
+	ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates", "NEW", 1);
+	if (ret != ASN1_SUCCESS) {
+		gnutls_assert();
+		return _gnutls_asn2err(ret);
+	}
+
+	ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.userCertificate", serial, serial_size);
+	if (ret != ASN1_SUCCESS) {
+		gnutls_assert();
+		return _gnutls_asn2err(ret);
+	}
+
+	ret = _gnutls_x509_set_time( crl->crl, "tbsCertList.revokedCertificates.?LAST.revocationDate", 
+		revocation_time);
+	if (ret < 0) {
+		gnutls_assert();
+		return ret;
+	}
+
+	ret = asn1_write_value(crl->crl, "tbsCertList.revokedCertificates.?LAST.crlEntryExtensions", NULL, 0);
+	if (ret != ASN1_SUCCESS) {
+		gnutls_assert();
+		return _gnutls_asn2err(ret);
+	}
+
+	return 0;
+}
+
+/**
+  * gnutls_x509_crl_set_crt - This function will set a revoked certificate's serial number
+  * @crl: should contain a gnutls_x509_crl structure
+  * @crt: should contain a gnutls_x509_crt structure with the revoked certificate
+  * @revocation_time: The time this certificate was revoked
+  *
+  * This function will set a revoked certificate's serial number to the CRL. 
+  *
+  * Returns 0 on success, or a negative value in case of an error.
+  *
+  **/
+int gnutls_x509_crl_set_crt(gnutls_x509_crl crl, gnutls_x509_crt crt,
+	time_t revocation_time)
+{
+	int ret;
+	opaque serial[128];
+	size_t serial_size;
+
+	if (crl==NULL || crt == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_INVALID_REQUEST;
+	}
+
+	serial_size = sizeof(serial);
+	ret = gnutls_x509_crt_get_serial(crt, serial, &serial_size);
+	if (ret < 0) {
+		gnutls_assert();
+		return ret;
+	}
+	
+	ret = gnutls_x509_crl_set_crt_serial( crl, serial, serial_size, revocation_time);
+	if (ret < 0) {
+		gnutls_assert();
+		return _gnutls_asn2err(ret);
+	}
+
+	return 0;
+}
+
+
+/* If OPTIONAL fields have not been initialized then
+ * disable them.
+ */
+static void disable_optional_stuff( gnutls_x509_crl crl)
+{
+
+	asn1_write_value( crl->crl, "tbsCertList.crlExtensions", NULL, 0);
+
+	return;
+}
+
+#endif /* ENABLE_PKI */