+ if (pklen < 32)
+ return -1;
+
+ fclose(pkf);
+
+ if (usign_f_pubkey(pkfp, pubkeyfile))
+ return -1;
+
+ gettimeofday(&tv, NULL);
+
+ if (mkdtemp(tmpdir) == NULL)
+ return errno;
+
+ while (revoker >= 0) {
+ blob_buf_init(&payloadbuf, 0);
+ c = blobmsg_open_table(&payloadbuf, "ucert");
+ blobmsg_add_u32(&payloadbuf, "certtype", revoker?CERTTYPE_REVOKE:CERTTYPE_AUTH);
+ blobmsg_add_u64(&payloadbuf, "validfrom", tv.tv_sec);
+ if (!revoker) {
+ blobmsg_add_u64(&payloadbuf, "expiresat", tv.tv_sec + 60 * 60 * 24 * 365);
+ blobmsg_add_string(&payloadbuf, "pubkey", pkb);
+ } else {
+ blobmsg_add_string(&payloadbuf, "fingerprint", pkfp);
+ }
+
+ blobmsg_close_table(&payloadbuf, c);
+
+ snprintf(fname, sizeof(fname) - 1, "%s/%s", tmpdir, revoker?"revoker":"payload");
+ write_file(fname, blob_data(payloadbuf.head), blob_len(payloadbuf.head), false);
+
+ snprintf(sfname, sizeof(sfname) - 1, "%s/%s", tmpdir, revoker?"revoker.sig":"payload.sig");
+ if (usign_s(fname, seckeyfile, sfname, quiet))
+ return 1;
+
+ sigf = fopen(sfname, "r");
+ if (!sigf)
+ return 1;
+
+ siglen = fread(sigb, 1, 1024, sigf);
+ if (siglen < 1)
+ return 1;
+
+ sigb[siglen-1] = '\0';
+ fclose(sigf);
+
+ unlink(fname);
+ unlink(sfname);
+
+ blob_buf_init(&certbuf, 0);
+ blob_put(&certbuf, CERT_ATTR_SIGNATURE, sigb, siglen);
+ blob_put(&certbuf, CERT_ATTR_PAYLOAD, blob_data(payloadbuf.head), blob_len(payloadbuf.head));
+ snprintf(fname, sizeof(fname) - 1, "%s%s", certfile, revoker?".revoke":"");
+ write_file(fname, certbuf.head, blob_raw_len(certbuf.head), false);
+ revoker--;
+ }
+
+ rmdir(tmpdir);
+
+ return 0;