x509_crl.c 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799
  1. /*
  2. * X.509 Certidicate Revocation List (CRL) parsing
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  6. *
  7. * This file is provided under the Apache License 2.0, or the
  8. * GNU General Public License v2.0 or later.
  9. *
  10. * **********
  11. * Apache License 2.0:
  12. *
  13. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  14. * not use this file except in compliance with the License.
  15. * You may obtain a copy of the License at
  16. *
  17. * http://www.apache.org/licenses/LICENSE-2.0
  18. *
  19. * Unless required by applicable law or agreed to in writing, software
  20. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  21. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  22. * See the License for the specific language governing permissions and
  23. * limitations under the License.
  24. *
  25. * **********
  26. *
  27. * **********
  28. * GNU General Public License v2.0 or later:
  29. *
  30. * This program is free software; you can redistribute it and/or modify
  31. * it under the terms of the GNU General Public License as published by
  32. * the Free Software Foundation; either version 2 of the License, or
  33. * (at your option) any later version.
  34. *
  35. * This program is distributed in the hope that it will be useful,
  36. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  37. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  38. * GNU General Public License for more details.
  39. *
  40. * You should have received a copy of the GNU General Public License along
  41. * with this program; if not, write to the Free Software Foundation, Inc.,
  42. * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  43. *
  44. * **********
  45. */
  46. /*
  47. * The ITU-T X.509 standard defines a certificate format for PKI.
  48. *
  49. * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
  50. * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
  51. * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
  52. *
  53. * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
  54. * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
  55. */
  56. #if !defined(MBEDTLS_CONFIG_FILE)
  57. #include "mbedtls/config.h"
  58. #else
  59. #include MBEDTLS_CONFIG_FILE
  60. #endif
  61. #if defined(MBEDTLS_X509_CRL_PARSE_C)
  62. #include "mbedtls/x509_crl.h"
  63. #include "mbedtls/oid.h"
  64. #include "mbedtls/platform_util.h"
  65. #include <string.h>
  66. #if defined(MBEDTLS_PEM_PARSE_C)
  67. #include "mbedtls/pem.h"
  68. #endif
  69. #if defined(MBEDTLS_PLATFORM_C)
  70. #include "mbedtls/platform.h"
  71. #else
  72. #include <stdlib.h>
  73. #include <stdio.h>
  74. #define mbedtls_free free
  75. #define mbedtls_calloc calloc
  76. #define mbedtls_snprintf snprintf
  77. #endif
  78. #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
  79. #include <windows.h>
  80. #else
  81. #include <time.h>
  82. #endif
  83. #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
  84. #include <stdio.h>
  85. #endif
  86. /*
  87. * Version ::= INTEGER { v1(0), v2(1) }
  88. */
  89. static int x509_crl_get_version( unsigned char **p,
  90. const unsigned char *end,
  91. int *ver )
  92. {
  93. int ret;
  94. if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
  95. {
  96. if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
  97. {
  98. *ver = 0;
  99. return( 0 );
  100. }
  101. return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
  102. }
  103. return( 0 );
  104. }
  105. /*
  106. * X.509 CRL v2 extensions
  107. *
  108. * We currently don't parse any extension's content, but we do check that the
  109. * list of extensions is well-formed and abort on critical extensions (that
  110. * are unsupported as we don't support any extension so far)
  111. */
  112. static int x509_get_crl_ext( unsigned char **p,
  113. const unsigned char *end,
  114. mbedtls_x509_buf *ext )
  115. {
  116. int ret;
  117. if( *p == end )
  118. return( 0 );
  119. /*
  120. * crlExtensions [0] EXPLICIT Extensions OPTIONAL
  121. * -- if present, version MUST be v2
  122. */
  123. if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
  124. return( ret );
  125. end = ext->p + ext->len;
  126. while( *p < end )
  127. {
  128. /*
  129. * Extension ::= SEQUENCE {
  130. * extnID OBJECT IDENTIFIER,
  131. * critical BOOLEAN DEFAULT FALSE,
  132. * extnValue OCTET STRING }
  133. */
  134. int is_critical = 0;
  135. const unsigned char *end_ext_data;
  136. size_t len;
  137. /* Get enclosing sequence tag */
  138. if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
  139. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  140. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  141. end_ext_data = *p + len;
  142. /* Get OID (currently ignored) */
  143. if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
  144. MBEDTLS_ASN1_OID ) ) != 0 )
  145. {
  146. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  147. }
  148. *p += len;
  149. /* Get optional critical */
  150. if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
  151. &is_critical ) ) != 0 &&
  152. ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
  153. {
  154. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  155. }
  156. /* Data should be octet string type */
  157. if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
  158. MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
  159. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  160. /* Ignore data so far and just check its length */
  161. *p += len;
  162. if( *p != end_ext_data )
  163. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
  164. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  165. /* Abort on (unsupported) critical extensions */
  166. if( is_critical )
  167. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
  168. MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
  169. }
  170. if( *p != end )
  171. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
  172. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  173. return( 0 );
  174. }
  175. /*
  176. * X.509 CRL v2 entry extensions (no extensions parsed yet.)
  177. */
  178. static int x509_get_crl_entry_ext( unsigned char **p,
  179. const unsigned char *end,
  180. mbedtls_x509_buf *ext )
  181. {
  182. int ret;
  183. size_t len = 0;
  184. /* OPTIONAL */
  185. if( end <= *p )
  186. return( 0 );
  187. ext->tag = **p;
  188. ext->p = *p;
  189. /*
  190. * Get CRL-entry extension sequence header
  191. * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
  192. */
  193. if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
  194. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  195. {
  196. if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
  197. {
  198. ext->p = NULL;
  199. return( 0 );
  200. }
  201. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  202. }
  203. end = *p + ext->len;
  204. if( end != *p + ext->len )
  205. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
  206. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  207. while( *p < end )
  208. {
  209. if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
  210. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  211. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
  212. *p += len;
  213. }
  214. if( *p != end )
  215. return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
  216. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  217. return( 0 );
  218. }
  219. /*
  220. * X.509 CRL Entries
  221. */
  222. static int x509_get_entries( unsigned char **p,
  223. const unsigned char *end,
  224. mbedtls_x509_crl_entry *entry )
  225. {
  226. int ret;
  227. size_t entry_len;
  228. mbedtls_x509_crl_entry *cur_entry = entry;
  229. if( *p == end )
  230. return( 0 );
  231. if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
  232. MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
  233. {
  234. if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
  235. return( 0 );
  236. return( ret );
  237. }
  238. end = *p + entry_len;
  239. while( *p < end )
  240. {
  241. size_t len2;
  242. const unsigned char *end2;
  243. cur_entry->raw.tag = **p;
  244. if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
  245. MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
  246. {
  247. return( ret );
  248. }
  249. cur_entry->raw.p = *p;
  250. cur_entry->raw.len = len2;
  251. end2 = *p + len2;
  252. if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
  253. return( ret );
  254. if( ( ret = mbedtls_x509_get_time( p, end2,
  255. &cur_entry->revocation_date ) ) != 0 )
  256. return( ret );
  257. if( ( ret = x509_get_crl_entry_ext( p, end2,
  258. &cur_entry->entry_ext ) ) != 0 )
  259. return( ret );
  260. if( *p < end )
  261. {
  262. cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
  263. if( cur_entry->next == NULL )
  264. return( MBEDTLS_ERR_X509_ALLOC_FAILED );
  265. cur_entry = cur_entry->next;
  266. }
  267. }
  268. return( 0 );
  269. }
  270. /*
  271. * Parse one CRLs in DER format and append it to the chained list
  272. */
  273. int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
  274. const unsigned char *buf, size_t buflen )
  275. {
  276. int ret;
  277. size_t len;
  278. unsigned char *p = NULL, *end = NULL;
  279. mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
  280. mbedtls_x509_crl *crl = chain;
  281. /*
  282. * Check for valid input
  283. */
  284. if( crl == NULL || buf == NULL )
  285. return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
  286. memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
  287. memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
  288. memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
  289. /*
  290. * Add new CRL on the end of the chain if needed.
  291. */
  292. while( crl->version != 0 && crl->next != NULL )
  293. crl = crl->next;
  294. if( crl->version != 0 && crl->next == NULL )
  295. {
  296. crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
  297. if( crl->next == NULL )
  298. {
  299. mbedtls_x509_crl_free( crl );
  300. return( MBEDTLS_ERR_X509_ALLOC_FAILED );
  301. }
  302. mbedtls_x509_crl_init( crl->next );
  303. crl = crl->next;
  304. }
  305. /*
  306. * Copy raw DER-encoded CRL
  307. */
  308. if( buflen == 0 )
  309. return( MBEDTLS_ERR_X509_INVALID_FORMAT );
  310. p = mbedtls_calloc( 1, buflen );
  311. if( p == NULL )
  312. return( MBEDTLS_ERR_X509_ALLOC_FAILED );
  313. memcpy( p, buf, buflen );
  314. crl->raw.p = p;
  315. crl->raw.len = buflen;
  316. end = p + buflen;
  317. /*
  318. * CertificateList ::= SEQUENCE {
  319. * tbsCertList TBSCertList,
  320. * signatureAlgorithm AlgorithmIdentifier,
  321. * signatureValue BIT STRING }
  322. */
  323. if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  324. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  325. {
  326. mbedtls_x509_crl_free( crl );
  327. return( MBEDTLS_ERR_X509_INVALID_FORMAT );
  328. }
  329. if( len != (size_t) ( end - p ) )
  330. {
  331. mbedtls_x509_crl_free( crl );
  332. return( MBEDTLS_ERR_X509_INVALID_FORMAT +
  333. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  334. }
  335. /*
  336. * TBSCertList ::= SEQUENCE {
  337. */
  338. crl->tbs.p = p;
  339. if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  340. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  341. {
  342. mbedtls_x509_crl_free( crl );
  343. return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
  344. }
  345. end = p + len;
  346. crl->tbs.len = end - crl->tbs.p;
  347. /*
  348. * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
  349. * -- if present, MUST be v2
  350. *
  351. * signature AlgorithmIdentifier
  352. */
  353. if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
  354. ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
  355. {
  356. mbedtls_x509_crl_free( crl );
  357. return( ret );
  358. }
  359. if( crl->version < 0 || crl->version > 1 )
  360. {
  361. mbedtls_x509_crl_free( crl );
  362. return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
  363. }
  364. crl->version++;
  365. if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
  366. &crl->sig_md, &crl->sig_pk,
  367. &crl->sig_opts ) ) != 0 )
  368. {
  369. mbedtls_x509_crl_free( crl );
  370. return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
  371. }
  372. /*
  373. * issuer Name
  374. */
  375. crl->issuer_raw.p = p;
  376. if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
  377. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
  378. {
  379. mbedtls_x509_crl_free( crl );
  380. return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
  381. }
  382. if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
  383. {
  384. mbedtls_x509_crl_free( crl );
  385. return( ret );
  386. }
  387. crl->issuer_raw.len = p - crl->issuer_raw.p;
  388. /*
  389. * thisUpdate Time
  390. * nextUpdate Time OPTIONAL
  391. */
  392. if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
  393. {
  394. mbedtls_x509_crl_free( crl );
  395. return( ret );
  396. }
  397. if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
  398. {
  399. if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
  400. MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
  401. ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
  402. MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
  403. {
  404. mbedtls_x509_crl_free( crl );
  405. return( ret );
  406. }
  407. }
  408. /*
  409. * revokedCertificates SEQUENCE OF SEQUENCE {
  410. * userCertificate CertificateSerialNumber,
  411. * revocationDate Time,
  412. * crlEntryExtensions Extensions OPTIONAL
  413. * -- if present, MUST be v2
  414. * } OPTIONAL
  415. */
  416. if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
  417. {
  418. mbedtls_x509_crl_free( crl );
  419. return( ret );
  420. }
  421. /*
  422. * crlExtensions EXPLICIT Extensions OPTIONAL
  423. * -- if present, MUST be v2
  424. */
  425. if( crl->version == 2 )
  426. {
  427. ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
  428. if( ret != 0 )
  429. {
  430. mbedtls_x509_crl_free( crl );
  431. return( ret );
  432. }
  433. }
  434. if( p != end )
  435. {
  436. mbedtls_x509_crl_free( crl );
  437. return( MBEDTLS_ERR_X509_INVALID_FORMAT +
  438. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  439. }
  440. end = crl->raw.p + crl->raw.len;
  441. /*
  442. * signatureAlgorithm AlgorithmIdentifier,
  443. * signatureValue BIT STRING
  444. */
  445. if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
  446. {
  447. mbedtls_x509_crl_free( crl );
  448. return( ret );
  449. }
  450. if( crl->sig_oid.len != sig_oid2.len ||
  451. memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
  452. sig_params1.len != sig_params2.len ||
  453. ( sig_params1.len != 0 &&
  454. memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
  455. {
  456. mbedtls_x509_crl_free( crl );
  457. return( MBEDTLS_ERR_X509_SIG_MISMATCH );
  458. }
  459. if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
  460. {
  461. mbedtls_x509_crl_free( crl );
  462. return( ret );
  463. }
  464. if( p != end )
  465. {
  466. mbedtls_x509_crl_free( crl );
  467. return( MBEDTLS_ERR_X509_INVALID_FORMAT +
  468. MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
  469. }
  470. return( 0 );
  471. }
  472. /*
  473. * Parse one or more CRLs and add them to the chained list
  474. */
  475. int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
  476. {
  477. #if defined(MBEDTLS_PEM_PARSE_C)
  478. int ret;
  479. size_t use_len;
  480. mbedtls_pem_context pem;
  481. int is_pem = 0;
  482. if( chain == NULL || buf == NULL )
  483. return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
  484. do
  485. {
  486. mbedtls_pem_init( &pem );
  487. // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
  488. // string
  489. if( buflen == 0 || buf[buflen - 1] != '\0' )
  490. ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
  491. else
  492. ret = mbedtls_pem_read_buffer( &pem,
  493. "-----BEGIN X509 CRL-----",
  494. "-----END X509 CRL-----",
  495. buf, NULL, 0, &use_len );
  496. if( ret == 0 )
  497. {
  498. /*
  499. * Was PEM encoded
  500. */
  501. is_pem = 1;
  502. buflen -= use_len;
  503. buf += use_len;
  504. if( ( ret = mbedtls_x509_crl_parse_der( chain,
  505. pem.buf, pem.buflen ) ) != 0 )
  506. {
  507. mbedtls_pem_free( &pem );
  508. return( ret );
  509. }
  510. }
  511. else if( is_pem )
  512. {
  513. mbedtls_pem_free( &pem );
  514. return( ret );
  515. }
  516. mbedtls_pem_free( &pem );
  517. }
  518. /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
  519. * And a valid CRL cannot be less than 1 byte anyway. */
  520. while( is_pem && buflen > 1 );
  521. if( is_pem )
  522. return( 0 );
  523. else
  524. #endif /* MBEDTLS_PEM_PARSE_C */
  525. return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
  526. }
  527. #if defined(MBEDTLS_FS_IO)
  528. /*
  529. * Load one or more CRLs and add them to the chained list
  530. */
  531. int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
  532. {
  533. int ret;
  534. size_t n;
  535. unsigned char *buf;
  536. if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
  537. return( ret );
  538. ret = mbedtls_x509_crl_parse( chain, buf, n );
  539. mbedtls_platform_zeroize( buf, n );
  540. mbedtls_free( buf );
  541. return( ret );
  542. }
  543. #endif /* MBEDTLS_FS_IO */
  544. /*
  545. * Return an informational string about the certificate.
  546. */
  547. #define BEFORE_COLON 14
  548. #define BC "14"
  549. /*
  550. * Return an informational string about the CRL.
  551. */
  552. int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
  553. const mbedtls_x509_crl *crl )
  554. {
  555. int ret;
  556. size_t n;
  557. char *p;
  558. const mbedtls_x509_crl_entry *entry;
  559. p = buf;
  560. n = size;
  561. ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
  562. prefix, crl->version );
  563. MBEDTLS_X509_SAFE_SNPRINTF;
  564. ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
  565. MBEDTLS_X509_SAFE_SNPRINTF;
  566. ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
  567. MBEDTLS_X509_SAFE_SNPRINTF;
  568. ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
  569. "%04d-%02d-%02d %02d:%02d:%02d", prefix,
  570. crl->this_update.year, crl->this_update.mon,
  571. crl->this_update.day, crl->this_update.hour,
  572. crl->this_update.min, crl->this_update.sec );
  573. MBEDTLS_X509_SAFE_SNPRINTF;
  574. ret = mbedtls_snprintf( p, n, "\n%snext update : " \
  575. "%04d-%02d-%02d %02d:%02d:%02d", prefix,
  576. crl->next_update.year, crl->next_update.mon,
  577. crl->next_update.day, crl->next_update.hour,
  578. crl->next_update.min, crl->next_update.sec );
  579. MBEDTLS_X509_SAFE_SNPRINTF;
  580. entry = &crl->entry;
  581. ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
  582. prefix );
  583. MBEDTLS_X509_SAFE_SNPRINTF;
  584. while( entry != NULL && entry->raw.len != 0 )
  585. {
  586. ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
  587. prefix );
  588. MBEDTLS_X509_SAFE_SNPRINTF;
  589. ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
  590. MBEDTLS_X509_SAFE_SNPRINTF;
  591. ret = mbedtls_snprintf( p, n, " revocation date: " \
  592. "%04d-%02d-%02d %02d:%02d:%02d",
  593. entry->revocation_date.year, entry->revocation_date.mon,
  594. entry->revocation_date.day, entry->revocation_date.hour,
  595. entry->revocation_date.min, entry->revocation_date.sec );
  596. MBEDTLS_X509_SAFE_SNPRINTF;
  597. entry = entry->next;
  598. }
  599. ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
  600. MBEDTLS_X509_SAFE_SNPRINTF;
  601. ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
  602. crl->sig_opts );
  603. MBEDTLS_X509_SAFE_SNPRINTF;
  604. ret = mbedtls_snprintf( p, n, "\n" );
  605. MBEDTLS_X509_SAFE_SNPRINTF;
  606. return( (int) ( size - n ) );
  607. }
  608. /*
  609. * Initialize a CRL chain
  610. */
  611. void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
  612. {
  613. memset( crl, 0, sizeof(mbedtls_x509_crl) );
  614. }
  615. /*
  616. * Unallocate all CRL data
  617. */
  618. void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
  619. {
  620. mbedtls_x509_crl *crl_cur = crl;
  621. mbedtls_x509_crl *crl_prv;
  622. mbedtls_x509_name *name_cur;
  623. mbedtls_x509_name *name_prv;
  624. mbedtls_x509_crl_entry *entry_cur;
  625. mbedtls_x509_crl_entry *entry_prv;
  626. if( crl == NULL )
  627. return;
  628. do
  629. {
  630. #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
  631. mbedtls_free( crl_cur->sig_opts );
  632. #endif
  633. name_cur = crl_cur->issuer.next;
  634. while( name_cur != NULL )
  635. {
  636. name_prv = name_cur;
  637. name_cur = name_cur->next;
  638. mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
  639. mbedtls_free( name_prv );
  640. }
  641. entry_cur = crl_cur->entry.next;
  642. while( entry_cur != NULL )
  643. {
  644. entry_prv = entry_cur;
  645. entry_cur = entry_cur->next;
  646. mbedtls_platform_zeroize( entry_prv,
  647. sizeof( mbedtls_x509_crl_entry ) );
  648. mbedtls_free( entry_prv );
  649. }
  650. if( crl_cur->raw.p != NULL )
  651. {
  652. mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
  653. mbedtls_free( crl_cur->raw.p );
  654. }
  655. crl_cur = crl_cur->next;
  656. }
  657. while( crl_cur != NULL );
  658. crl_cur = crl;
  659. do
  660. {
  661. crl_prv = crl_cur;
  662. crl_cur = crl_cur->next;
  663. mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
  664. if( crl_prv != crl )
  665. mbedtls_free( crl_prv );
  666. }
  667. while( crl_cur != NULL );
  668. }
  669. #endif /* MBEDTLS_X509_CRL_PARSE_C */