Next: OCSP certificate status checking, Previous: PKCS 10 certificate requests, Up: More on certificate authentication [Contents][Index]
A certificate revocation list (CRL) is a structure issued by an authority periodically containing a list of revoked certificates serial numbers. The CRL structure is signed with the issuing authorities’ keys. A typical CRL contains the fields as shown in Table 4.5. Certificate revocation lists are used to complement the expiration date of a certificate, in order to account for other reasons of revocation, such as compromised keys, etc.
Each CRL is valid for limited amount of time and is required to provide, except for the current issuing time, also the issuing time of the next update.
| Field | Description |
|---|---|
| version | The field that indicates the version of the CRL structure. |
| signature | A signature by the issuing authority. |
| issuer | Holds the issuer’s distinguished name. |
| thisUpdate | The issuing time of the revocation list. |
| nextUpdate | The issuing time of the revocation list that will update that one. |
| revokedCertificates | List of revoked certificates serial numbers. |
| extensions | Optional CRL structure extensions. |
Table 4.5: Certificate revocation list fields.
The basic CRL structure functions follow.
int gnutls_x509_crl_init (gnutls_x509_crl_t * crl)int gnutls_x509_crl_import (gnutls_x509_crl_t crl, const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format)int gnutls_x509_crl_export (gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, void * output_data, size_t * output_data_size)int gnutls_x509_crl_export (gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, void * output_data, size_t * output_data_size)The most important function that extracts the certificate revocation information from a CRL is gnutls_x509_crl_get_crt_serial. Other functions that return other fields of the CRL structure are also provided.
crl: should contain a gnutls_x509_crl_t type
indx: the index of the certificate to extract (starting from 0)
serial: where the serial number will be copied
serial_size: initially holds the size of serial
t: if non null, will hold the time this certificate was revoked
This function will retrieve the serial number of the specified, by the index, revoked certificate.
Note that this function will have performance issues in large sequences
of revoked certificates. In that case use gnutls_x509_crl_iter_crt_serial() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
int gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)int gnutls_x509_crl_get_issuer_dn (gnutls_x509_crl_t crl, char * buf, size_t * sizeof_buf)int gnutls_x509_crl_get_issuer_dn2 (gnutls_x509_crl_t crl, gnutls_datum_t * dn)time_t gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)time_t gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)The following functions can be used to generate a CRL.
int gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)int gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, const void * serial, size_t serial_size, time_t revocation_time)int gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, time_t revocation_time)int gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time)int gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time)The gnutls_x509_crl_sign2 and gnutls_x509_crl_privkey_sign functions sign the revocation list with a private key. The latter function can be used to sign with a key residing in a PKCS #11 token.
crl: should contain a gnutls_x509_crl_t type
issuer: is the certificate of the certificate issuer
issuer_key: holds the issuer’s private key
dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you’re doing.
flags: must be 0
This function will sign the CRL with the issuer’s private key, and will copy the issuer’s information into the CRL.
This must be the last step in a certificate CRL since all the previously set parameters are now signed.
A known limitation of this function is, that a newly-signed CRL will not be fully functional (e.g., for signature verification), until it is exported an re-imported.
After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN ,
and in that case, a suitable but reasonable for the key algorithm will be selected.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
crl: should contain a gnutls_x509_crl_t type
issuer: is the certificate of the certificate issuer
issuer_key: holds the issuer’s private key
dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you’re doing.
flags: must be 0
This function will sign the CRL with the issuer’s private key, and will copy the issuer’s information into the CRL.
This must be the last step in a certificate CRL since all the previously set parameters are now signed.
A known limitation of this function is, that a newly-signed CRL will not be fully functional (e.g., for signature verification), until it is exported an re-imported.
After GnuTLS 3.6.1 the value of dig may be GNUTLS_DIG_UNKNOWN ,
and in that case, a suitable but reasonable for the key algorithm will be selected.
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
Since 2.12.0
Few extensions on the CRL structure are supported, including the CRL number extension and the authority key identifier.
int gnutls_x509_crl_set_number (gnutls_x509_crl_t crl, const void * nr, size_t nr_size)int gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl, const void * id, size_t id_size)Next: OCSP certificate status checking, Previous: PKCS 10 certificate requests, Up: More on certificate authentication [Contents][Index]