[gnutls-devel] GnuTLS | x509: add gnutls_x509_crl_set_crt_serial2() with revocation reason (!2113)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Jun 23 07:09:31 CEST 2026
David Marín Carreño created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/2113
Branches: davefx/gnutls:crl-entry-reason-code to gnutls/gnutls:master
Author: David Marín Carreño
## Summary
`gnutls_x509_crl_set_crt_serial()` records a revoked certificate's serial and
revocation time but provides no way to set an RFC 5280 **reasonCode** (OID
2.5.29.21) CRL entry extension — in fact it explicitly disables
`crlEntryExtensions`. Applications that manage a CA therefore cannot express
*why* a certificate was revoked (keyCompromise, cessationOfOperation, …).
This adds `gnutls_x509_crl_set_crt_serial2()`, identical to the existing
function plus a `reason` argument (a `gnutls_x509_crl_reason_t` value):
- reason `GNUTLS_X509_CRLREASON_UNSPECIFIED` → no reasonCode extension (RFC
5280 §5.3.1 recommends omitting it over an explicit "unspecified"); behaviour
identical to the original.
- any other reason → a non-critical reasonCode entry extension is added.
`gnutls_x509_crl_set_crt_serial()` now delegates to the new function with
`UNSPECIFIED`, so its output is unchanged byte-for-byte (the existing
`crl_apis` golden-output assertions still pass).
## Changes
- `lib/x509/crl_write.c` — new public function + refactor
- `lib/includes/gnutls/x509.h` — declaration
- `lib/libgnutls.map` — `GNUTLS_3_8_14` symbol version node
- `tests/crl_apis.c` — test: reasonCode present with a reason, absent for
unspecified, and the CRL still verifies
- `NEWS` — entry
## Validation done locally
- `make -C lib` builds clean; symbol exported as
`gnutls_x509_crl_set_crt_serial2@@GNUTLS_3_8_14`
- `tests/crl_apis` passes (new assertions + unchanged golden output)
- formatted with the repo's clang-format config
## Notes for review
- The implementation mirrors `_gnutls_x509_crl_set_extension()` but targets the
per-entry `tbsCertList.revokedCertificates.?LAST.crlEntryExtensions` path —
the same mechanism already used for CRL-level extensions.
- A `gnutls_x509_crl_set_crt2()` convenience wrapper (taking a cert instead of a
raw serial) could be added symmetrically if you'd prefer; left out to keep the
MR focused.
## Disclosure
This patch was prepared with AI assistance; I have reviewed, built, and tested
it, and take responsibility for it under the DCO `Signed-off-by`. Happy to
adjust the attribution or approach per your preference.
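The merge request above adds a `reason` argument and says that any reason other than `UNSPECIFIED` becomes a non-critical reasonCode CRL entry extension. The following is an added, self-contained illustration (not code from the merge request or from GnuTLS) of what that entry extension is at the DER level, with a matching strict decoder of the kind a CRL verifier applies: it builds the RFC 5280 `Extension` for OID 2.5.29.21 wrapping an `ENUMERATED CRLReason`, omits the extension entirely for `unspecified` as the MR does, and rejects a reasonCode that is marked critical or that carries an unassigned value. The `enum crl_reason`, the `encode_`/`decode_` functions and the helper names are hypothetical; the reason numbering follows RFC 5280 §5.3.1, which `gnutls_x509_crl_reason_t` shares.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRLReason values from RFC 5280 section 5.3.1; gnutls_x509_crl_reason_t
 * uses the same numbering. Value 7 is unassigned. (Hypothetical enum.) */
enum crl_reason {
    REASON_UNSPECIFIED = 0,
    REASON_KEY_COMPROMISE = 1,
    REASON_CA_COMPROMISE = 2,
    REASON_AFFILIATION_CHANGED = 3,
    REASON_SUPERSEDED = 4,
    REASON_CESSATION_OF_OPERATION = 5,
    REASON_CERTIFICATE_HOLD = 6,
    REASON_REMOVE_FROM_CRL = 8,
    REASON_PRIVILEGE_WITHDRAWN = 9,
    REASON_AA_COMPROMISE = 10
};

/* DER content octets of id-ce-cRLReasons, OID 2.5.29.21. */
static const uint8_t OID_CRL_REASON[3] = { 0x55, 0x1D, 0x15 };

static int crl_reason_is_valid(int reason)
{
    return reason >= 0 && reason <= 10 && reason != 7;
}

/* Encode one reasonCode CRL entry extension:
 *   Extension ::= SEQUENCE { extnID    OBJECT IDENTIFIER,
 *                            critical  BOOLEAN DEFAULT FALSE,  -- omitted in DER
 *                            extnValue OCTET STRING }          -- wraps ENUMERATED
 * Mirrors the MR's rule: REASON_UNSPECIFIED yields no extension (returns 0).
 * Returns the encoded length, or -1 for an invalid reason or a short buffer. */
int encode_reason_code_ext(int reason, uint8_t *out, size_t out_len)
{
    if (!crl_reason_is_valid(reason))
        return -1;
    if (reason == REASON_UNSPECIFIED)
        return 0;
    if (out_len < 12)
        return -1;
    out[0] = 0x30; out[1] = 10;          /* SEQUENCE, 10 content bytes      */
    out[2] = 0x06; out[3] = 3;           /* OBJECT IDENTIFIER 2.5.29.21     */
    memcpy(out + 4, OID_CRL_REASON, 3);
    out[7] = 0x04; out[8] = 3;           /* OCTET STRING holding ...        */
    out[9] = 0x0A; out[10] = 1;          /* ... ENUMERATED CRLReason        */
    out[11] = (uint8_t)reason;
    return 12;
}

/* Parse a reasonCode entry extension as a verifier would. Returns the reason,
 * -1 if the DER is malformed or the value is not a defined CRLReason, and
 * -2 if the extension is flagged critical (RFC 5280 makes it non-critical). */
int decode_reason_code_ext(const uint8_t *in, size_t in_len)
{
    size_t i;
    if (in_len < 2 || in[0] != 0x30 || (size_t)in[1] != in_len - 2)
        return -1;
    i = 2;
    if (in_len - i < 5 || in[i] != 0x06 || in[i + 1] != 3 ||
        memcmp(in + i + 2, OID_CRL_REASON, 3) != 0)
        return -1;                       /* not id-ce-cRLReasons */
    i += 5;
    if (in_len - i >= 3 && in[i] == 0x01 && in[i + 1] == 1) {
        if (in[i + 2] != 0x00)
            return -2;                   /* critical reasonCode: reject */
        return -1;                       /* DER forbids encoding DEFAULT FALSE */
    }
    if (in_len - i != 5 || in[i] != 0x04 || in[i + 1] != 3 ||
        in[i + 2] != 0x0A || in[i + 3] != 1)
        return -1;
    return crl_reason_is_valid(in[i + 4]) ? in[i + 4] : -1;
}

/* Round-trip helpers so the behaviour can be checked by value. */
int reason_code_ext_len(int reason)
{
    uint8_t buf[16];
    return encode_reason_code_ext(reason, buf, sizeof buf);
}

int reason_code_roundtrip(int reason)
{
    uint8_t buf[16];
    int n = encode_reason_code_ext(reason, buf, sizeof buf);
    if (n < 0)
        return -1;
    if (n == 0)
        return REASON_UNSPECIFIED;       /* absent extension reads as unspecified */
    return decode_reason_code_ext(buf, (size_t)n);
}

/* Constructed input: the keyCompromise extension with critical TRUE spliced in. */
int critical_reason_code_is_rejected(void)
{
    static const uint8_t crit[] = { 0x30, 0x0D, 0x06, 0x03, 0x55, 0x1D, 0x15,
                                    0x01, 0x01, 0xFF, 0x04, 0x03, 0x0A, 0x01, 0x01 };
    return decode_reason_code_ext(crit, sizeof crit) == -2;
}

int main(void)
{
    uint8_t buf[16];
    int n = encode_reason_code_ext(REASON_KEY_COMPROMISE, buf, sizeof buf);
    for (int k = 0; k < n; k++)
        printf("%02X ", buf[k]);         /* the 12 bytes a keyCompromise entry carries */
    printf("\n");
    return 0;
}
```

Running it prints the twelve bytes `30 0A 06 03 55 1D 15 04 03 0A 01 01`, which is what to look for in a `certtool`-style dump of a CRL entry produced with a `keyCompromise` reason; the `unspecified` case produces nothing, matching the MR's claim that the original function's output stays byte-identical.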