证书注销列表

X.509证书注销列表以如下格式组织:

CRLReason ::= ENUMERATED // 见后文“部分接口”部分

CRL Entry Extensions:
	OID_ce_crl_reasons		ENUMERATED // 注销原因
	OID_ce_invalidity_date		GeneralizedTime // 注销时间
	OID_ce_certificate_issuer	SEQUENCE		GeneralNames // 证书发行者

RevokedCertificate ::= SEQUENCE { // 已注销证书
	userCertificate		CertificateSerialNumber, // 证书序列号
	revocationDate		Time, // 注销时间
	crlEntryExtensions	Extensions OPTIONAL // 扩展信息
}

RevokedCertificates ::= SEQUENCE OF RevokedCertificate // 已注销证书集合

CRL Extensions:
	OID_ce_authority_key_identifier		SEQUENCE	AuthorityKeyIdentifier
	OID_ce_issuer_alt_name			SEQUENCE	GeneralNames
	OID_ce_crl_number			INTEGER
	OID_ce_delta_crl_indicator		INTEGER
	OID_ce_issuing_distribution_point	SEQUENCE	IssuingDistributionPoint

TBSCertList ::= SEQUENCE {
	version			INTEGER OPTIONAL, -- if present, MUST be v2 // 证书版本号(可选)
	signature		AlgorithmIdentifier, // 证书签名算法标识
	issuer			Name, // 证书发行者名称
	thisUpdate		Time, // 开始生效日期
	nextUpdate		Time OPTIONAL, // 失效日期(可选)
	revokedCertificates	RevokedCertificates OPTIONAL, // 已注销证书集合(可选)
	crlExtensions		[0] EXPLICIT Extensions OPTIONAL, -- if present, MUST be v2 // 扩展信息(可选)
}

CertificateList ::= SEQUENCE { // 证书列表
	tbsCertList		TBSCertList, // 证书主体列表
	signatureAlgorithm	AlgorithmIdentifier, // 证书签名算法标识
	signatureValue		BIT STRING // 证书签名值
}

部分接口

本部分头文件中的接口与“X.509证书”部分的接口功能基本一致,但面向对象为证书注销列表(而非证书),在此不再赘述。

typedef enum {
	X509_cr_unspecified = 0,
	X509_cr_key_compromise = 1,
	X509_cr_ca_compromise = 2 ,
	X509_cr_affiliation_changed = 3,
	X509_cr_superseded = 4,
	X509_cr_cessation_of_operation = 5,
	X509_cr_certificate_hold = 6,
	X509_cr_not_assigned = 7,
	X509_cr_remove_from_crl = 8,
	X509_cr_privilege_withdrawn = 9,
	X509_cr_aa_compromise = 10,
} X509_CRL_REASON;

该枚举类型用于表示证书注销原因。

int x509_crl_sign(uint8_t *crl, size_t *crl_len,
	int version,
	int signature_algor,
	const uint8_t *issuer, size_t issuer_len,
	time_t this_update,
	time_t next_update,
	const uint8_t *revoked_certs, size_t revoked_certs_len,
	const uint8_t *exts, size_t exts_len,
	const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len);

使用SM2签名算法,对证书注销列表crl进行签名。

int x509_crl_verify(const uint8_t *a, size_t alen,
	const SM2_KEY *sign_pub_key, const char *signer_id, size_t signer_id_len);

以签名者的公钥sign_pub_key和身份信息signer_id验证DER格式证书a的SM2签名。

int x509_crl_get_details(const uint8_t *crl, size_t crl_len,
	int *version,
	const uint8_t **issuer, size_t *issuer_len,
	time_t *this_update,
	time_t *next_update,
	const uint8_t **revoked_certs, size_t *revoked_certs_len,
	int *signature_algor,
	const uint8_t *sig, size_t *siglen);

将认证申请crl的各项信息存放在指定的数组中。

int x509_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

调用vfprintf等系统函数,打印长为dlen的认证申请d的各项内容到输出流fp中。