CRL Struct Reference

#include <cert.h>


Detailed Description

Data type used for creating and processing certificate revocation lists.

Data members closely map to standard X.509v3 certificate revocation list fields. See RFC 3280, section 5.1 for details.

Sample code illustrating the use of this class appears in the Cookbook section Processing X.509v3 Certificates and CRLs.


Public Types

enum  Reasons {
  unspecified = 0,
  keyCompromise = 1,
  cACompromise = 2,
  affiliationChanged = 3,
  superseded = 4,
  cessationOfOperation = 5,
  certificateHold = 6,
  removeFromCRL = 8,
  privilegeWithdrawn = 9,
  aACompromise = 10
}
 CRL reason codes. More...
enum  Instructions {
  none = 1,
  callissuer = 2,
  reject = 3,
  pickuptoken = 4
}
 CRL instruction codes (use only with the certificateHold reason). More...

Public Member Functions

Object Reuse and Initialization
void clear ()
 Clear this CRL object.
int load (const str &b)
 Load a binary ASN.1 DER-encoded CRL into this object.
void add (const num &serial, TimeT date)
 Add a certificate (and revocation date) to the CRL.
Validation
int check (const str &certCA) const
 Validate the issuer's digital signature on this CRL.
int isRevoked (const str &cert, TimeT &date, int &reason) const
 Test whether a particular certificate has been revoked and, if so, get the revocation date and reason code.
int isExpired () const
 Predicate used to test whether this CRL has expired.
Inspectors
str makebody () const
 Get an ASN.1 DER-encoded tbsCertList representing this CRL.

Data Fields

asn issuer
 issuer distinguished name
TimeT thisUpdate
 date of this CRL
TimeT nextUpdate
 expected date of next CRL
asn list
 list of revoked serial numbers (revokedCertificates)
int warn
 warning flag set by load(): 2 if a deltaCRLIndicator extension was found in the CRL, 3 if an issuingDistributionPoint extension was found
asn body
 CRL body.
asn oid
 algorithm ID
asn sig
 CRL signature.


Member Enumeration Documentation

enum Instructions

CRL instruction codes (use only with the certificateHold reason).

Enumerator:
none  none
callissuer  call issuer
reject  reject
pickuptoken  pickup token

enum Reasons

CRL reason codes.

Enumerator:
unspecified  unspecified
keyCompromise  key compromise
cACompromise  CA compromise
affiliationChanged  affiliation changed
superseded  superseded
cessationOfOperation  cessation of operation
certificateHold  certificate hold (see CRL::Instructions)
removeFromCRL  remove from CRL
privilegeWithdrawn  privilege withdrawn
aACompromise  AA compromise


Member Function Documentation

void add (const num &serial, TimeT date)

Add a certificate (and revocation date) to the CRL.

Parameters:
serial the serial number of the certificate to be added
date the revocationDate for this new CRL entry
Remarks:
Modifies: serial and date are ASN.1 encoded and appended to list.
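The following is an added illustration, not CDK code: it builds one revokedCertificates entry in DER, the kind of item that add() appends to the list member, including the reasonCode entry extension from which isRevoked() can report a CRL::Reasons value. The helper names (tlv, derInteger, crlEntry) and the sample serial and date are constructed for this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// DER tag-length-value wrapper (short and long length forms).
static Bytes tlv(uint8_t tag, const Bytes &content) {
    Bytes out{tag};
    auto n = content.size();
    if (n < 0x80) {
        out.push_back(static_cast<uint8_t>(n));
    } else {
        Bytes len;
        for (auto v = n; v; v >>= 8) len.insert(len.begin(), static_cast<uint8_t>(v & 0xff));
        out.push_back(static_cast<uint8_t>(0x80 | len.size()));
        out.insert(out.end(), len.begin(), len.end());
    }
    out.insert(out.end(), content.begin(), content.end());
    return out;
}

// DER INTEGER: minimal big-endian two's complement; a positive serial whose
// top bit is set needs a leading 0x00 so it is not read back as negative.
static Bytes derInteger(uint64_t v) {
    Bytes c;
    do { c.insert(c.begin(), static_cast<uint8_t>(v & 0xff)); v >>= 8; } while (v);
    if (c[0] & 0x80) c.insert(c.begin(), 0x00);
    return tlv(0x02, c);
}

// One revokedCertificates entry (RFC 3280, section 5.1.2.6):
//   SEQUENCE { userCertificate INTEGER, revocationDate UTCTime,
//              crlEntryExtensions SEQUENCE OF Extension OPTIONAL }
// 'reason' uses the CRL::Reasons numbering; per RFC 3280 5.3.1 the reasonCode
// entry extension is omitted instead of encoding unspecified (0).
Bytes crlEntry(uint64_t serial, const std::string &utcTime, int reason) {
    Bytes body = derInteger(serial);
    Bytes date = tlv(0x17, Bytes(utcTime.begin(), utcTime.end()));   // UTCTime "YYMMDDhhmmssZ"
    body.insert(body.end(), date.begin(), date.end());
    if (reason != 0) {
        Bytes ext = tlv(0x06, {0x55, 0x1d, 0x15});                        // OID id-ce-cRLReasons 2.5.29.21
        Bytes val = tlv(0x04, tlv(0x0a, {static_cast<uint8_t>(reason)}));  // OCTET STRING { ENUMERATED }
        ext.insert(ext.end(), val.begin(), val.end());
        Bytes exts = tlv(0x30, tlv(0x30, ext));                           // Extensions { Extension }
        body.insert(body.end(), exts.begin(), exts.end());
    }
    return tlv(0x30, body);
}
```

For example, crlEntry(0x1234, "240101000000Z", 1) yields a 35-byte SEQUENCE carrying serial 0x1234, the constructed date, and reason keyCompromise; a reason of 0 produces the 19-byte-content form without the extension.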

int check (const str &certCA) const

Validate the issuer's digital signature on this CRL.

Parameters:
certCA the binary ASN.1 DER-encoded certificate of the CRL issuer.
Returns:
0 (success; the signature is valid)
CDK_PARSE_ERROR (certCA or CRL can't be parsed, or signature is invalid)
CDK_CERT_EXPIRED (system time is outside the validity period of certCA)
CDK_WRONG_ISSUER_CERT (certCA doesn't match CRL issuer)

int isExpired () const

Predicate used to test whether this CRL has expired.

Returns:
true, if the system time lies outside this CRL's validity period
false, if the system time lies within this CRL's validity period

int isRevoked (const str &cert, TimeT &date, int &reason) const

Test whether a particular certificate has been revoked and, if so, get the revocation date and reason code.

Parameters:
cert a binary ASN.1 DER-encoded certificate to be found in the CRL
date an output buffer for the revocationDate (if certificate is found)
reason an output buffer for the reason code (if certificate is found)
Returns:
0 (certificate is *not* in this CRL)
CDK_CERT_REVOKED (cert is in this CRL)
CDK_PARSE_ERROR (cert or CRL can't be parsed)
CDK_CANT_PARSE_SUBJECT_CERT (cert body can't be parsed)
CDK_CRL_EXPIRED (system time lies outside validity period of this CRL)
CDK_SUBJECT_CERT_EXPIRED (system time lies outside validity period of cert)
CDK_WRONG_ISSUER_CERT (cert issuer doesn't match CRL issuer)

int load (const str &b)

Load a binary ASN.1 DER-encoded CRL into this object.

Parameters:
b the binary ASN.1 DER-encoded CRL to be loaded
Returns:
0 (success)
CDK_PARSE_ERROR, if the CRL can't be parsed
Remarks:
Modifies: the CRL is parsed and Time, issuer, thisUpdate, nextUpdate, list, extra, warn, body, oid, and sig are filled in. warn = 2 if a CRL_deltaCRLIndicator was found in the CRL. warn = 3 if a CRL_issuingDistributionPoint was found in the CRL.

str makebody () const

Get an ASN.1 DER-encoded tbsCertList representing this CRL.

Returns:
a str containing an ASN.1 DER-encoded CRL body ready to be signed by its issuer
(On error, the returned str has length 0: +str == 0.)
Remarks:
The str value returned by this function can be made into a signed, ASN.1 DER-encoded CRL by using Key::Sign and makesign().


The documentation for this struct was generated from the following file: cert.h
ISC Cryptographic Development Kit - User's Guide
Copyright© 2002-2006 Information Security Corp. All rights reserved.