[SCM] GNU gnutls branch, master, updated. gnutls_3_0_7-70-g8c32e91


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_7-70-g8c32e91
Date: Fri, 11 Nov 2011 08:20:29 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=8c32e9111e4ea6b704712d98ee1c2b36c2310724

The branch, master has been updated
       via  8c32e9111e4ea6b704712d98ee1c2b36c2310724 (commit)
      from  f2302e7902a5bf93b6f8c4d45bd1f116fac6594b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8c32e9111e4ea6b704712d98ee1c2b36c2310724
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Fri Nov 11 09:07:35 2011 +0100

    Added documentation on revocation lists.

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-cert-auth.texi   |   77 +++++++++++++++++++++++++++++++++++++++++++++-
 doc/scripts/mytexi2latex |    4 +-
 lib/x509/crl_write.c     |    8 +++-
 3 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 26a23e7..4cc3ab3 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -34,6 +34,7 @@ acceptable.  The framework is illustrated on @ref{fig:x509}.
 * Verifying X.509 certificate paths::
 * Verifying a certificate in the context of TLS session::
 * Certificate requests::
+* Certificate revocation lists::
 * PKCS 12 structures::
 @end menu
 
@@ -55,6 +56,9 @@ The field that indicates the version of the certificate.
 @item serialNumber @tab
 This field holds a unique serial number per certificate.
 
address@hidden signature @tab
+The issuing authority's signature.
+
 @item issuer @tab
 Holds the issuer's distinguished name.
 
@@ -240,6 +244,77 @@ which should return a signed certificate.
 @anchor{ex:crq}
 @verbatiminclude examples/ex-crq.c
 
address@hidden Certificate revocation lists
address@hidden Certificate revocation lists
address@hidden certificate revocation lists
address@hidden CRL
+
+A certificate revocation list (CRL) is a structure issued by an authority
+periodically containing a list of revoked certificates serial numbers. 
+The CRL structure is signed with the issuing authorities' keys. A typical
+CRL contains the fields as shown in @ref{tab:crl}.
+Certificate revocation lists are used to complement the expiration date of a 
certificate,
+in order to account for other reasons of revocation, such as compromised keys, 
etc.
+
address@hidden,gnutls_x509_crl_deinit}
address@hidden,gnutls_x509_crl_export}
+
+A certificate request can be generated by
+associating it with a private key, setting the
+subject's information and finally self signing it.
+The last step ensures that the requester is in
+possession of the private key. Each CRL is valid for limited amount of
+time and is required to provide, except for the current issuing time, also 
+the issuing time of the next update.
+
address@hidden Table,tab:crl
address@hidden @columnfractions .2 .7
+
address@hidden Field @tab Description
+
address@hidden version @tab
+The field that indicates the version of the CRL structure.
+
address@hidden signature @tab
+A signature by the issuing authority.
+
address@hidden issuer @tab
+Holds the issuer's distinguished name.
+
address@hidden thisUpdate @tab
+The issuing time of the revocation list.
+
address@hidden nextUpdate @tab
+The issuing time of the revocation list that will update that one.
+
address@hidden revokedCertificates @tab
+List of revoked certificates serial numbers.
+
address@hidden extensions @tab
+Optional CRL structure extensions.
+
address@hidden multitable
address@hidden revocation list fields.}
address@hidden float
+
+
address@hidden
address@hidden
+
address@hidden,gnutls_x509_crl_set_next_update,gnutls_x509_crl_set_this_update}
+
+The @funcref{gnutls_x509_crl_sign2} and @funcref{gnutls_x509_crl_privkey_sign} 
+functions sign the revocation list with a private key. The latter function
+can be used to sign with a key residing in a PKCS #11 token.
+
address@hidden
address@hidden
+
+Few extensions on the CRL structure are supported, including the
+CRL number extension and the authority key identifier.
+
address@hidden,gnutls_x509_crl_set_authority_key_id}
+
 @node PKCS 12 structures
 @subsection @acronym{PKCS} #12 structures
 @cindex PKCS #12
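Review bot: the paragraph "A certificate request can be generated by associating it with a private key, setting the subject's information and finally self signing it. The last step ensures that the requester is in possession of the private key." appears to have been carried over from the certificate request section and does not describe a CRL; only the sentence about the validity period ("Each CRL is valid for limited amount of time ...") belongs here, and it should read "a limited amount of time" and "is required to provide, besides the current issuing time, also the issuing time of the next update". Since this paragraph explains that CRLs complement the expiration date, it would help readers to add that a relying party should treat a CRL whose nextUpdate has passed as stale and fetch a fresh one. Smaller points: "issuing authorities' keys" should be "issuing authority's key"; "revoked certificates serial numbers" should be "revoked certificates' serial numbers" (twice, also in the revokedCertificates row); the `signature` row has the same problem as in the certificate table above (in the TBS body that field is the signature algorithm identifier, not the signature value); the nextUpdate description "The issuing time of the revocation list that will update that one." would be clearer as "The time by which the next revocation list is expected to be issued."; and "Few extensions on the CRL structure are supported" should be "A few extensions ...", since "Few" reads as a limitation rather than an enumeration.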
@@ -546,7 +621,7 @@ gnutls_privkey_t abs_key;
 
   /* sign the certificate to be signed */
   gnutls_x509_crt_privkey_sign(to_be_signed, ca_cert, ca_key, 
-                               GNUTLS_DIG_SHA1, 0);
+                               GNUTLS_DIG_SHA256, 0);
 @}
 @end example
 
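Review bot: the change of the example's digest from GNUTLS_DIG_SHA1 to GNUTLS_DIG_SHA256 is a good update but is unrelated to the commit message ("Added documentation on revocation lists"); suggest mentioning it in the message or splitting it into its own commit, and checking that any prose around this example that still names SHA-1 is updated to match.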
diff --git a/doc/scripts/mytexi2latex b/doc/scripts/mytexi2latex
index 4b9518e..db333a0 100755
--- a/doc/scripts/mytexi2latex
+++ b/doc/scripts/mytexi2latex
@@ -262,12 +262,12 @@ multitable:
                         $mode = ITEMIZE;
                         push(@stack, NORMAL);
                 }
-                if ($line =~ s/address@hidden 
Figure\,(.*)/\\begin{figure}[htp]\n\\centering/g) {
+                if ($line =~ s/address@hidden 
Figure\,(.*)/\\begin{figure}[htbp]\n\\centering/g) {
                        $label = $1;
                         push(@stack, NORMAL);
                         $mode = FLOAT;
                 }
-                if ($line =~ s/address@hidden 
Table\,(.*)/\\begin{table}[thp]\n\\centering/g) {
+                if ($line =~ s/address@hidden 
Table\,(.*)/\\begin{table}[htbp]\n\\centering/g) {
                        $label = $1;
                         push(@stack, NORMAL);
                         $mode = FLOAT_TABLE;
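Review bot: the float placement change ([htp] and [thp] to [htbp] for figures and tables) is a LaTeX layout tweak with no connection to the revocation list documentation named in the commit message; it would be easier to track in a separate commit. While here, the two `$label = $1;` lines are indented one space less than the surrounding statements and could be aligned.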
diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index 8a38071..8fd9f18 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -335,7 +335,9 @@ disable_optional_stuff (gnutls_x509_crl_t crl)
  * @id_size: Holds the size of the serial field.
  *
  * This function will set the CRL's authority key ID extension.  Only
- * the keyIdentifier field can be set with this function.
+ * the keyIdentifier field can be set with this function. This may
+ * be used by an authority that holds multiple private keys, to distinguish
+ * the used key.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
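Review bot: the parameter description "@id_size: Holds the size of the serial field." in this comment block refers to a serial field, but the function sets the authority key identifier; it looks copied from the serial number setter and should read "Holds the size of the id field." The added sentence would also read more precisely as "An authority that holds multiple private keys may use this so that a relying party can tell which key was used to sign the CRL."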
@@ -399,7 +401,9 @@ gnutls_x509_crl_set_authority_key_id (gnutls_x509_crl_t crl,
  * @nr: The CRL number
  * @nr_size: Holds the size of the nr field.
  *
- * This function will set the CRL's number extension.
+ * This function will set the CRL's number extension. This
+ * is to be used as a unique and monotonic number assigned to
+ * the CRL by the authority.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value.
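Review bot: "unique and monotonic number" is ambiguous about direction; since the purpose of the CRL number is to let a relying party tell a newer CRL from an older one, suggest "a unique, monotonically increasing number assigned to each CRL by the authority", and "This is to be used as" reads better as "The value is meant to be".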


hooks/post-receive
-- 
GNU gnutls