

4.2.2 PKIX certificate revocation lists

A certificate revocation list (CRL) is a structure issued periodically by an authority, containing the serial numbers of the certificates it has revoked. The CRL structure is signed with the issuing authority's key. A typical CRL contains the fields shown in Table 4.5. Certificate revocation lists complement the expiration date of a certificate, in order to account for other reasons for revocation, such as compromised keys.

Each CRL is valid for a limited amount of time and is required to carry, in addition to its own issuing time, the issuing time of the next update.

Field                  Description
version                The version of the CRL structure.
signature              A signature by the issuing authority.
issuer                 Holds the issuer's distinguished name.
thisUpdate             The issuing time of the revocation list.
nextUpdate             The issuing time of the revocation list that will update this one.
revokedCertificates    List of the serial numbers of revoked certificates.
extensions             Optional CRL structure extensions.

Table 4.5: Certificate revocation list fields.

The basic CRL structure functions follow.

int gnutls_x509_crl_init (gnutls_x509_crl_t * crl)
int gnutls_x509_crl_import (gnutls_x509_crl_t crl, const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format)
int gnutls_x509_crl_export (gnutls_x509_crl_t crl, gnutls_x509_crt_fmt_t format, void * output_data, size_t * output_data_size)

Reading a CRL

The most important function for extracting the revocation information from a CRL is gnutls_x509_crl_get_crt_serial. Functions returning the other fields of the CRL structure are also provided.

Function: int gnutls_x509_crl_get_crt_serial (gnutls_x509_crl_t crl, unsigned indx, unsigned char * serial, size_t * serial_size, time_t * t)

crl: should contain a gnutls_x509_crl_t type

indx: the index of the certificate to extract (starting from 0)

serial: where the serial number will be copied

serial_size: initially holds the size of serial

t: if non null, will hold the time this certificate was revoked

This function retrieves the serial number of the revoked certificate at the given index.

Note that this function will have performance issues on large sequences of revoked certificates. In that case use gnutls_x509_crl_iter_crt_serial().

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

int gnutls_x509_crl_get_version (gnutls_x509_crl_t crl)
int gnutls_x509_crl_get_issuer_dn (const gnutls_x509_crl_t crl, char * buf, size_t * sizeof_buf)
int gnutls_x509_crl_get_issuer_dn2 (gnutls_x509_crl_t crl, gnutls_datum_t * dn)
time_t gnutls_x509_crl_get_this_update (gnutls_x509_crl_t crl)
time_t gnutls_x509_crl_get_next_update (gnutls_x509_crl_t crl)
int gnutls_x509_crl_get_crt_count (gnutls_x509_crl_t crl)
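As an added example (not code from the GnuTLS manual or library), the following C program parses the CertificateList DER structure behind the fields of Table 4.5 by hand, doing what gnutls_x509_crl_import, gnutls_x509_crl_get_version, gnutls_x509_crl_get_this_update, gnutls_x509_crl_get_next_update and gnutls_x509_crl_get_crt_serial expose through the API. The sample CRL bytes are constructed for this example with a placeholder signatureValue, so the code demonstrates field extraction, the thisUpdate/nextUpdate validity window and a serial lookup, not signature verification. The type and function names (crl_t, der_t, crl_parse, crl_is_revoked, crl_is_current) are this example's own and not part of GnuTLS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                             /* Table 4.5 fields used here; issuer and extensions are skipped */
    int version;                             /* 0 = v1, 1 = v2 */
    char this_update[16], next_update[16];   /* e.g. "240101000000Z"; next_update empty if absent */
    size_t n_revoked;
    struct { uint8_t serial[20]; size_t serial_len; char revoked_at[16]; } revoked[16];
} crl_t;

/* Constructed sample, not real CA output: v2 CRL, CN=Test CA, 2024-01-01..2024-02-01, serials 0x1001 and 0x2A revoked, dummy signature. */
static const uint8_t SAMPLE_CRL[] = {
    0x30, 0x81, 0x87, 0x30, 0x6f,                      /* CertificateList (long-form length), tbsCertList */
    0x02, 0x01, 0x01,                                  /* version INTEGER 1 (v2) */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, /* sha256WithRSA */
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x07, 'T','e','s','t',' ','C','A', /* issuer */
    0x17, 0x0d, '2','4','0','1','0','1','0','0','0','0','0','0','Z',       /* thisUpdate */
    0x17, 0x0d, '2','4','0','2','0','1','0','0','0','0','0','0','Z',       /* nextUpdate */
    0x30, 0x29, 0x30, 0x13, 0x02, 0x02, 0x10, 0x01,    /* revokedCertificates; entry: serial 0x1001 */
    0x17, 0x0d, '2','4','0','1','1','0','1','2','0','0','0','0','Z',       /* revoked 2024-01-10 */
    0x30, 0x12, 0x02, 0x01, 0x2a,                      /* entry: serial 0x2A */
    0x17, 0x0d, '2','4','0','1','1','5','0','8','0','0','0','0','Z',       /* revoked 2024-01-15 */
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, /* signatureAlgorithm */
    0x03, 0x05, 0x00, 0xde, 0xad, 0xbe, 0xef           /* signatureValue (dummy placeholder) */
};

typedef struct { const uint8_t *p; size_t len; } der_t;

/* Read one TLV at the cursor, expose its content and step past it; -1 on malformed input. */
static int der_next(der_t *in, uint8_t *tag, der_t *content) {
    size_t hdr = 2, len, n, i;
    if (in->len < 2) return -1;
    *tag = in->p[0]; len = in->p[1];
    if (len & 0x80) {                                  /* long form: 1 or 2 length octets */
        n = len & 0x7f;
        if (n == 0 || n > 2 || in->len < 2 + n) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | in->p[2 + i];
        hdr += n;
    }
    if (len > in->len - hdr) return -1;                /* rejects truncated input */
    content->p = in->p + hdr; content->len = len;
    in->p += hdr + len;       in->len -= hdr + len;
    return 0;
}

static int is_time(uint8_t tag) { return tag == 0x17 || tag == 0x18; }  /* UTCTime / GeneralizedTime */
static int copy_time(der_t t, char *out) {
    if (t.len >= 16) return -1;
    memcpy(out, t.p, t.len); out[t.len] = '\0';
    return 0;
}

/* Walk CertificateList -> tbsCertList: version, thisUpdate, nextUpdate, revokedCertificates. */
int crl_parse(const uint8_t *der, size_t len, crl_t *out) {
    der_t in = { der, len }, cl, tbs, tmp, list, entry, ser, when; uint8_t tag;
    memset(out, 0, sizeof *out);
    if (der_next(&in, &tag, &cl) || tag != 0x30) return -1;         /* CertificateList */
    if (der_next(&cl, &tag, &tbs) || tag != 0x30) return -1;        /* tbsCertList */
    if (tbs.len && tbs.p[0] == 0x02) {                              /* version (OPTIONAL) */
        if (der_next(&tbs, &tag, &tmp) || tmp.len != 1) return -1;
        out->version = tmp.p[0];
    }
    if (der_next(&tbs, &tag, &tmp) || tag != 0x30) return -1;       /* signature AlgorithmIdentifier */
    if (der_next(&tbs, &tag, &tmp) || tag != 0x30) return -1;       /* issuer Name (not decoded here) */
    if (der_next(&tbs, &tag, &tmp) || !is_time(tag) || copy_time(tmp, out->this_update)) return -1;
    if (tbs.len && is_time(tbs.p[0]) &&                             /* nextUpdate (OPTIONAL) */
        (der_next(&tbs, &tag, &tmp) || copy_time(tmp, out->next_update))) return -1;
    if (!tbs.len || tbs.p[0] != 0x30) return 0;                     /* no revokedCertificates */
    if (der_next(&tbs, &tag, &list)) return -1;
    while (list.len) {
        if (out->n_revoked == 16 || der_next(&list, &tag, &entry) || tag != 0x30) return -1;
        if (der_next(&entry, &tag, &ser) || tag != 0x02 || ser.len > 20) return -1;
        if (der_next(&entry, &tag, &when) || !is_time(tag)) return -1;   /* crlEntryExtensions ignored */
        memcpy(out->revoked[out->n_revoked].serial, ser.p, ser.len);
        out->revoked[out->n_revoked].serial_len = ser.len;
        if (copy_time(when, out->revoked[out->n_revoked].revoked_at)) return -1;
        out->n_revoked++;
    }
    return 0;
}

/* Linear scan, the same cost as calling gnutls_x509_crl_get_crt_serial once per index. */
int crl_is_revoked(const crl_t *c, const uint8_t *serial, size_t serial_len, const char **when) {
    for (size_t i = 0; i < c->n_revoked; i++) {
        if (c->revoked[i].serial_len != serial_len || memcmp(c->revoked[i].serial, serial, serial_len)) continue;
        if (when) *when = c->revoked[i].revoked_at;
        return 1;
    }
    return 0;
}

/* A CRL is authoritative only for thisUpdate <= now < nextUpdate. strcmp on UTCTime strings orders
 * correctly only within one century (true here); real code compares time_t from the GnuTLS getters. */
int crl_is_current(const crl_t *c, const char *now_utctime) {
    if (!c->next_update[0]) return 0;   /* without nextUpdate freshness cannot be bounded: reject */
    return strcmp(c->this_update, now_utctime) <= 0 && strcmp(now_utctime, c->next_update) < 0;
}

int main(void) {
    crl_t c;
    if (crl_parse(SAMPLE_CRL, sizeof SAMPLE_CRL, &c)) return 1;
    printf("v%d CRL, valid %s .. %s, %zu revoked\n", c.version + 1, c.this_update, c.next_update, c.n_revoked);
    return 0;
}
```

The linear scan in crl_is_revoked mirrors the cost of calling gnutls_x509_crl_get_crt_serial for every index, which is the performance issue the manual notes for large lists; with GnuTLS itself, gnutls_x509_crl_iter_crt_serial() is the function to use in that case. A CRL whose nextUpdate has passed is rejected by crl_is_current rather than silently trusted, which is the point of the "next update" requirement above.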

Generation of a CRL

The following functions can be used to generate a CRL.

int gnutls_x509_crl_set_version (gnutls_x509_crl_t crl, unsigned int version)
int gnutls_x509_crl_set_crt_serial (gnutls_x509_crl_t crl, const void * serial, size_t serial_size, time_t revocation_time)
int gnutls_x509_crl_set_crt (gnutls_x509_crl_t crl, gnutls_x509_crt_t crt, time_t revocation_time)
int gnutls_x509_crl_set_next_update (gnutls_x509_crl_t crl, time_t exp_time)
int gnutls_x509_crl_set_this_update (gnutls_x509_crl_t crl, time_t act_time)

The gnutls_x509_crl_sign2 and gnutls_x509_crl_privkey_sign functions sign the revocation list with a private key. The latter function can be used to sign with a key residing in a PKCS #11 token.

Function: int gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, gnutls_x509_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags)

crl: should contain a gnutls_x509_crl_t type

issuer: is the certificate of the certificate issuer

issuer_key: holds the issuer’s private key

dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you’re doing.

flags: must be 0

This function will sign the CRL with the issuer’s private key, and will copy the issuer’s information into the CRL.

This must be the last step in generating a CRL, since all the previously set parameters are now signed.

A known limitation of this function is that a newly-signed CRL will not be fully functional (e.g., for signature verification) until it is exported and re-imported.

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Function: int gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer, gnutls_privkey_t issuer_key, gnutls_digest_algorithm_t dig, unsigned int flags)

crl: should contain a gnutls_x509_crl_t type

issuer: is the certificate of the certificate issuer

issuer_key: holds the issuer’s private key

dig: The message digest to use. GNUTLS_DIG_SHA256 is the safe choice unless you know what you’re doing.

flags: must be 0

This function will sign the CRL with the issuer’s private key, and will copy the issuer’s information into the CRL.

This must be the last step in generating a CRL, since all the previously set parameters are now signed.

A known limitation of this function is that a newly-signed CRL will not be fully functional (e.g., for signature verification) until it is exported and re-imported.

Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since 2.12.0

A few extensions of the CRL structure are supported, including the CRL number extension and the authority key identifier.

int gnutls_x509_crl_set_number (gnutls_x509_crl_t crl, const void * nr, size_t nr_size)
int gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl, const void * id, size_t id_size)
