1 /**
2  * \file x509_crl.h
3  *
4  * \brief X.509 certificate revocation list parsing
5  */
6 /*
7  *  Copyright The Mbed TLS Contributors
8  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9  */
10 #ifndef MBEDTLS_X509_CRL_H
11 #define MBEDTLS_X509_CRL_H
12 #include "mbedtls/private_access.h"
13 
14 #include "mbedtls/build_info.h"
15 
16 #include "mbedtls/x509.h"
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif
21 
22 /**
23  * \addtogroup x509_module
24  * \{ */
25 
26 /**
27  * \name Structures and functions for parsing CRLs
28  * \{
29  */
30 
/**
 * Certificate revocation list entry.
 * Contains the CA-specific serial numbers and revocation dates.
 *
 * Some fields of this structure are publicly readable. Do not modify
 * them except via Mbed TLS library functions: the effect of modifying
 * those fields or the data that those fields point to is unspecified.
 *
 * Entries are reached from the #entry field of #mbedtls_x509_crl and
 * are chained through #next; the list is built by the parsing functions
 * and released by mbedtls_x509_crl_free().
 */
typedef struct mbedtls_x509_crl_entry {
    /** Direct access to the whole entry inside the containing buffer. */
    mbedtls_x509_buf raw;
    /** The serial number of the revoked certificate.
     * NOTE(review): presumably the raw DER INTEGER content as found in
     * the CRL (no normalization) — confirm against the parser before
     * comparing it with a certificate's serial number byte for byte. */
    mbedtls_x509_buf serial;
    /** The revocation date of this entry. */
    mbedtls_x509_time revocation_date;
    /** Direct access to the list of CRL entry extensions
     * (an ASN.1 constructed sequence).
     *
     * If there are no extensions, `entry_ext.len == 0` and
     * `entry_ext.p == NULL`. */
    mbedtls_x509_buf entry_ext;

    /** Next element in the linked list of entries.
     * \p NULL indicates the end of the list.
     * Do not modify this field directly. */
    struct mbedtls_x509_crl_entry *next;
}
mbedtls_x509_crl_entry;
59 
/**
 * Certificate revocation list structure.
 * Every CRL may have multiple entries.
 *
 * The first CRL of a chain is the structure the caller initializes with
 * mbedtls_x509_crl_init(); further CRLs appended to the same chain by
 * the parsing functions are linked through #next. Release the whole
 * chain with mbedtls_x509_crl_free().
 *
 * Fields wrapped in MBEDTLS_PRIVATE() are internal to the library and
 * must not be read or written by applications.
 */
typedef struct mbedtls_x509_crl {
    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */

    int version;            /**< CRL version (1=v1, 2=v2) */
    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */

    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */

    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */

    mbedtls_x509_time this_update;  /**< The CRL's thisUpdate time: when this revocation list was issued. */
    mbedtls_x509_time next_update;  /**< The CRL's nextUpdate time: when an updated list is expected to be issued.
                                     *   Callers that cache CRLs should treat one whose nextUpdate has passed as stale. */

    /** The CRL entries containing the certificate revocation times for this CA.
     * This is the head of the entry list, embedded in the structure rather
     * than pointed to; further entries are reached via `entry.next`. */
    mbedtls_x509_crl_entry entry;

    /** Direct access to the CRL extensions.
     * NOTE(review): presumably `len == 0` and `p == NULL` when the CRL
     * carries no extensions, mirroring #mbedtls_x509_crl_entry::entry_ext —
     * confirm against the parser. */
    mbedtls_x509_buf crl_ext;

    /** Private. NOTE(review): presumably the signature algorithm identifier
     * from the outer CRL structure, kept so it can be checked against
     * #sig_oid — confirm in the parser. */
    mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
    /** Private. NOTE(review): presumably the raw signature value — confirm. */
    mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
    mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md);           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
    mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk);           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
    void *MBEDTLS_PRIVATE(sig_opts);             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */

    /** Next element in the linked list of CRL.
     * \p NULL indicates the end of the list.
     * Do not modify this field directly. */
    struct mbedtls_x509_crl *next;
}
mbedtls_x509_crl;
94 
/**
 * \brief          Parse a DER-encoded CRL and append it to the chained list
 *
 * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
 *                 subsystem must have been initialized by calling
 *                 psa_crypto_init() before calling this function.
 *
 * \note           \p chain must have been set up with mbedtls_x509_crl_init()
 *                 before the first call.
 *
 * \note           NOTE(review): whether the CRL signature is verified at
 *                 parse time or later, at certificate-verification time,
 *                 is not visible from this header — confirm before treating
 *                 a parsed CRL as trusted.
 *
 * \param chain    points to the start of the chain
 * \param buf      buffer holding the CRL data in DER format
 * \param buflen   size of the buffer in bytes. DER data carries no
 *                 terminating null byte, so none is expected here.
 *
 * \return         0 if successful, or a specific X509 or PEM error code
 */
int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
                               const unsigned char *buf, size_t buflen);
/**
 * \brief          Parse one or more CRLs and append them to the chained list
 *
 * \note           Multiple CRLs are accepted only if using PEM format
 *
 * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
 *                 subsystem must have been initialized by calling
 *                 psa_crypto_init() before calling this function.
 *
 * \note           \p chain must have been set up with mbedtls_x509_crl_init()
 *                 before the first call.
 *
 * \param chain    points to the start of the chain
 * \param buf      buffer holding the CRL data in PEM or DER format.
 *                 PEM data must be null-terminated.
 * \param buflen   size of the buffer
 *                 (including the terminating null byte for PEM data)
 *
 * \return         0 if successful, or a specific X509 or PEM error code.
 *                 NOTE(review): when a PEM buffer holds several CRLs, whether
 *                 CRLs parsed before a failing one remain in \p chain is not
 *                 stated here — confirm before relying on partial results.
 */
int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen);
128 
129 #if defined(MBEDTLS_FS_IO)
/**
 * \brief          Load one or more CRLs and append them to the chained list
 *
 * \note           Multiple CRLs are accepted only if using PEM format
 *
 * \note           If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
 *                 subsystem must have been initialized by calling
 *                 psa_crypto_init() before calling this function.
 *
 * \note           Only available when #MBEDTLS_FS_IO is defined.
 *                 \p chain must have been set up with mbedtls_x509_crl_init()
 *                 before the first call.
 *
 * \param chain    points to the start of the chain
 * \param path     filename to read the CRLs from (in PEM or DER encoding)
 *
 * \return         0 if successful, or a specific X509 or PEM error code
 */
int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path);
145 #endif /* MBEDTLS_FS_IO */
146 
147 #if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
 * \brief          Returns an informational string about the CRL.
 *
 * \note           Only available when #MBEDTLS_X509_REMOVE_INFO is not
 *                 defined.
 *
 * \param buf      Buffer to write to
 * \param size     Size of \p buf in bytes, including room for the
 *                 terminating nul byte
 * \param prefix   String prepended to each output line (e.g. for
 *                 indentation)
 * \param crl      The X509 CRL to represent
 *
 * \return         The length of the string written (not including the
 *                 terminating nul byte), or a negative error code.
 *                 NOTE(review): the contents of \p buf after an error are
 *                 not specified here — do not rely on them.
 */
int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
                          const mbedtls_x509_crl *crl);
161 #endif /* !MBEDTLS_X509_REMOVE_INFO */
162 
/**
 * \brief          Initialize a CRL (chain)
 *
 * \note           Call this before any other function that takes the
 *                 structure, and release it afterwards with
 *                 mbedtls_x509_crl_free().
 *
 * \param crl      CRL chain to initialize
 */
void mbedtls_x509_crl_init(mbedtls_x509_crl *crl);
169 
/**
 * \brief          Unallocate all CRL data
 *
 * \note           Releases the memory owned by every CRL in the chain
 *                 reachable from \p crl. NOTE(review): presumably the head
 *                 structure \p crl itself is caller-owned and is not freed —
 *                 confirm before passing a heap-allocated head.
 *
 * \param crl      CRL chain to free
 */
void mbedtls_x509_crl_free(mbedtls_x509_crl *crl);
176 
177 /** \} name Structures and functions for parsing CRLs */
178 /** \} addtogroup x509_module */
179 
180 #ifdef __cplusplus
181 }
182 #endif
183 
184 #endif /* mbedtls_x509_crl.h */
185