1 /*
2 * X.509 Certificate Revocation List (CRL) parsing
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The ITU-T X.509 standard defines a certificate format for PKI.
21 *
22 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
23 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
24 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
25 *
26 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
27 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
28 */
29
30 #include "common.h"
31
32 #if defined(MBEDTLS_X509_CRL_PARSE_C)
33
34 #include "mbedtls/x509_crl.h"
35 #include "mbedtls/error.h"
36 #include "mbedtls/oid.h"
37 #include "mbedtls/platform_util.h"
38
39 #include <string.h>
40
41 #if defined(MBEDTLS_PEM_PARSE_C)
42 #include "mbedtls/pem.h"
43 #endif
44
45 #include "mbedtls/platform.h"
46
47 #if defined(MBEDTLS_HAVE_TIME)
48 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
49 #include <windows.h>
50 #else
51 #include <time.h>
52 #endif
53 #endif
54
55 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
56 #include <stdio.h>
57 #endif
58
59 /*
60 * Version ::= INTEGER { v1(0), v2(1) }
61 */
x509_crl_get_version(unsigned char ** p,const unsigned char * end,int * ver)62 static int x509_crl_get_version( unsigned char **p,
63 const unsigned char *end,
64 int *ver )
65 {
66 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
67
68 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
69 {
70 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
71 {
72 *ver = 0;
73 return( 0 );
74 }
75
76 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) );
77 }
78
79 return( 0 );
80 }
81
82 /*
83 * X.509 CRL v2 extensions
84 *
85 * We currently don't parse any extension's content, but we do check that the
86 * list of extensions is well-formed and abort on critical extensions (that
87 * are unsupported as we don't support any extension so far)
88 */
x509_get_crl_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)89 static int x509_get_crl_ext( unsigned char **p,
90 const unsigned char *end,
91 mbedtls_x509_buf *ext )
92 {
93 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
94
95 if( *p == end )
96 return( 0 );
97
98 /*
99 * crlExtensions [0] EXPLICIT Extensions OPTIONAL
100 * -- if present, version MUST be v2
101 */
102 if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
103 return( ret );
104
105 end = ext->p + ext->len;
106
107 while( *p < end )
108 {
109 /*
110 * Extension ::= SEQUENCE {
111 * extnID OBJECT IDENTIFIER,
112 * critical BOOLEAN DEFAULT FALSE,
113 * extnValue OCTET STRING }
114 */
115 int is_critical = 0;
116 const unsigned char *end_ext_data;
117 size_t len;
118
119 /* Get enclosing sequence tag */
120 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
121 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
122 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
123
124 end_ext_data = *p + len;
125
126 /* Get OID (currently ignored) */
127 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
128 MBEDTLS_ASN1_OID ) ) != 0 )
129 {
130 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
131 }
132 *p += len;
133
134 /* Get optional critical */
135 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
136 &is_critical ) ) != 0 &&
137 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
138 {
139 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
140 }
141
142 /* Data should be octet string type */
143 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
144 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
145 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
146
147 /* Ignore data so far and just check its length */
148 *p += len;
149 if( *p != end_ext_data )
150 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
151 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
152
153 /* Abort on (unsupported) critical extensions */
154 if( is_critical )
155 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
156 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
157 }
158
159 if( *p != end )
160 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
161 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
162
163 return( 0 );
164 }
165
166 /*
167 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
168 */
x509_get_crl_entry_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)169 static int x509_get_crl_entry_ext( unsigned char **p,
170 const unsigned char *end,
171 mbedtls_x509_buf *ext )
172 {
173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
174 size_t len = 0;
175
176 /* OPTIONAL */
177 if( end <= *p )
178 return( 0 );
179
180 ext->tag = **p;
181 ext->p = *p;
182
183 /*
184 * Get CRL-entry extension sequence header
185 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
186 */
187 if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
188 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
189 {
190 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
191 {
192 ext->p = NULL;
193 return( 0 );
194 }
195 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
196 }
197
198 end = *p + ext->len;
199
200 if( end != *p + ext->len )
201 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
202 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
203
204 while( *p < end )
205 {
206 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
207 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
208 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
209
210 *p += len;
211 }
212
213 if( *p != end )
214 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
215 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
216
217 return( 0 );
218 }
219
220 /*
221 * X.509 CRL Entries
222 */
x509_get_entries(unsigned char ** p,const unsigned char * end,mbedtls_x509_crl_entry * entry)223 static int x509_get_entries( unsigned char **p,
224 const unsigned char *end,
225 mbedtls_x509_crl_entry *entry )
226 {
227 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
228 size_t entry_len;
229 mbedtls_x509_crl_entry *cur_entry = entry;
230
231 if( *p == end )
232 return( 0 );
233
234 if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
235 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
236 {
237 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
238 return( 0 );
239
240 return( ret );
241 }
242
243 end = *p + entry_len;
244
245 while( *p < end )
246 {
247 size_t len2;
248 const unsigned char *end2;
249
250 cur_entry->raw.tag = **p;
251 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
252 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
253 {
254 return( ret );
255 }
256
257 cur_entry->raw.p = *p;
258 cur_entry->raw.len = len2;
259 end2 = *p + len2;
260
261 if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
262 return( ret );
263
264 if( ( ret = mbedtls_x509_get_time( p, end2,
265 &cur_entry->revocation_date ) ) != 0 )
266 return( ret );
267
268 if( ( ret = x509_get_crl_entry_ext( p, end2,
269 &cur_entry->entry_ext ) ) != 0 )
270 return( ret );
271
272 if( *p < end )
273 {
274 cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
275
276 if( cur_entry->next == NULL )
277 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
278
279 cur_entry = cur_entry->next;
280 }
281 }
282
283 return( 0 );
284 }
285
286 /*
287 * Parse one CRLs in DER format and append it to the chained list
288 */
mbedtls_x509_crl_parse_der(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)289 int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
290 const unsigned char *buf, size_t buflen )
291 {
292 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
293 size_t len;
294 unsigned char *p = NULL, *end = NULL;
295 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
296 mbedtls_x509_crl *crl = chain;
297
298 /*
299 * Check for valid input
300 */
301 if( crl == NULL || buf == NULL )
302 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
303
304 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
305 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
306 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
307
308 /*
309 * Add new CRL on the end of the chain if needed.
310 */
311 while( crl->version != 0 && crl->next != NULL )
312 crl = crl->next;
313
314 if( crl->version != 0 && crl->next == NULL )
315 {
316 crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
317
318 if( crl->next == NULL )
319 {
320 mbedtls_x509_crl_free( crl );
321 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
322 }
323
324 mbedtls_x509_crl_init( crl->next );
325 crl = crl->next;
326 }
327
328 /*
329 * Copy raw DER-encoded CRL
330 */
331 if( buflen == 0 )
332 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
333
334 p = mbedtls_calloc( 1, buflen );
335 if( p == NULL )
336 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
337
338 memcpy( p, buf, buflen );
339
340 crl->raw.p = p;
341 crl->raw.len = buflen;
342
343 end = p + buflen;
344
345 /*
346 * CertificateList ::= SEQUENCE {
347 * tbsCertList TBSCertList,
348 * signatureAlgorithm AlgorithmIdentifier,
349 * signatureValue BIT STRING }
350 */
351 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
352 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
353 {
354 mbedtls_x509_crl_free( crl );
355 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
356 }
357
358 if( len != (size_t) ( end - p ) )
359 {
360 mbedtls_x509_crl_free( crl );
361 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
362 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
363 }
364
365 /*
366 * TBSCertList ::= SEQUENCE {
367 */
368 crl->tbs.p = p;
369
370 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
371 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
372 {
373 mbedtls_x509_crl_free( crl );
374 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
375 }
376
377 end = p + len;
378 crl->tbs.len = end - crl->tbs.p;
379
380 /*
381 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
382 * -- if present, MUST be v2
383 *
384 * signature AlgorithmIdentifier
385 */
386 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
387 ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
388 {
389 mbedtls_x509_crl_free( crl );
390 return( ret );
391 }
392
393 if( crl->version < 0 || crl->version > 1 )
394 {
395 mbedtls_x509_crl_free( crl );
396 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
397 }
398
399 crl->version++;
400
401 if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
402 &crl->sig_md, &crl->sig_pk,
403 &crl->sig_opts ) ) != 0 )
404 {
405 mbedtls_x509_crl_free( crl );
406 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
407 }
408
409 /*
410 * issuer Name
411 */
412 crl->issuer_raw.p = p;
413
414 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
415 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
416 {
417 mbedtls_x509_crl_free( crl );
418 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
419 }
420
421 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
422 {
423 mbedtls_x509_crl_free( crl );
424 return( ret );
425 }
426
427 crl->issuer_raw.len = p - crl->issuer_raw.p;
428
429 /*
430 * thisUpdate Time
431 * nextUpdate Time OPTIONAL
432 */
433 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
434 {
435 mbedtls_x509_crl_free( crl );
436 return( ret );
437 }
438
439 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
440 {
441 if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
442 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) &&
443 ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
444 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) ) )
445 {
446 mbedtls_x509_crl_free( crl );
447 return( ret );
448 }
449 }
450
451 /*
452 * revokedCertificates SEQUENCE OF SEQUENCE {
453 * userCertificate CertificateSerialNumber,
454 * revocationDate Time,
455 * crlEntryExtensions Extensions OPTIONAL
456 * -- if present, MUST be v2
457 * } OPTIONAL
458 */
459 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
460 {
461 mbedtls_x509_crl_free( crl );
462 return( ret );
463 }
464
465 /*
466 * crlExtensions EXPLICIT Extensions OPTIONAL
467 * -- if present, MUST be v2
468 */
469 if( crl->version == 2 )
470 {
471 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
472
473 if( ret != 0 )
474 {
475 mbedtls_x509_crl_free( crl );
476 return( ret );
477 }
478 }
479
480 if( p != end )
481 {
482 mbedtls_x509_crl_free( crl );
483 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
484 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
485 }
486
487 end = crl->raw.p + crl->raw.len;
488
489 /*
490 * signatureAlgorithm AlgorithmIdentifier,
491 * signatureValue BIT STRING
492 */
493 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
494 {
495 mbedtls_x509_crl_free( crl );
496 return( ret );
497 }
498
499 if( crl->sig_oid.len != sig_oid2.len ||
500 memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
501 sig_params1.len != sig_params2.len ||
502 ( sig_params1.len != 0 &&
503 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
504 {
505 mbedtls_x509_crl_free( crl );
506 return( MBEDTLS_ERR_X509_SIG_MISMATCH );
507 }
508
509 if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
510 {
511 mbedtls_x509_crl_free( crl );
512 return( ret );
513 }
514
515 if( p != end )
516 {
517 mbedtls_x509_crl_free( crl );
518 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
519 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
520 }
521
522 return( 0 );
523 }
524
525 /*
526 * Parse one or more CRLs and add them to the chained list
527 */
mbedtls_x509_crl_parse(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)528 int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
529 {
530 #if defined(MBEDTLS_PEM_PARSE_C)
531 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
532 size_t use_len = 0;
533 mbedtls_pem_context pem;
534 int is_pem = 0;
535
536 if( chain == NULL || buf == NULL )
537 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
538
539 do
540 {
541 mbedtls_pem_init( &pem );
542
543 // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
544 // string
545 if( buflen == 0 || buf[buflen - 1] != '\0' )
546 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
547 else
548 ret = mbedtls_pem_read_buffer( &pem,
549 "-----BEGIN X509 CRL-----",
550 "-----END X509 CRL-----",
551 buf, NULL, 0, &use_len );
552
553 if( ret == 0 )
554 {
555 /*
556 * Was PEM encoded
557 */
558 is_pem = 1;
559
560 buflen -= use_len;
561 buf += use_len;
562
563 if( ( ret = mbedtls_x509_crl_parse_der( chain,
564 pem.buf, pem.buflen ) ) != 0 )
565 {
566 mbedtls_pem_free( &pem );
567 return( ret );
568 }
569 }
570 else if( is_pem )
571 {
572 mbedtls_pem_free( &pem );
573 return( ret );
574 }
575
576 mbedtls_pem_free( &pem );
577 }
578 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
579 * And a valid CRL cannot be less than 1 byte anyway. */
580 while( is_pem && buflen > 1 );
581
582 if( is_pem )
583 return( 0 );
584 else
585 #endif /* MBEDTLS_PEM_PARSE_C */
586 return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
587 }
588
589 #if defined(MBEDTLS_FS_IO)
590 /*
591 * Load one or more CRLs and add them to the chained list
592 */
mbedtls_x509_crl_parse_file(mbedtls_x509_crl * chain,const char * path)593 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
594 {
595 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
596 size_t n;
597 unsigned char *buf;
598
599 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
600 return( ret );
601
602 ret = mbedtls_x509_crl_parse( chain, buf, n );
603
604 mbedtls_platform_zeroize( buf, n );
605 mbedtls_free( buf );
606
607 return( ret );
608 }
609 #endif /* MBEDTLS_FS_IO */
610
611 #if !defined(MBEDTLS_X509_REMOVE_INFO)
612 /*
613 * Return an informational string about the certificate.
614 */
615 #define BEFORE_COLON 14
616 #define BC "14"
617 /*
618 * Return an informational string about the CRL.
619 */
mbedtls_x509_crl_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crl * crl)620 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
621 const mbedtls_x509_crl *crl )
622 {
623 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
624 size_t n;
625 char *p;
626 const mbedtls_x509_crl_entry *entry;
627
628 p = buf;
629 n = size;
630
631 ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
632 prefix, crl->version );
633 MBEDTLS_X509_SAFE_SNPRINTF;
634
635 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
636 MBEDTLS_X509_SAFE_SNPRINTF;
637 ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
638 MBEDTLS_X509_SAFE_SNPRINTF;
639
640 ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
641 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
642 crl->this_update.year, crl->this_update.mon,
643 crl->this_update.day, crl->this_update.hour,
644 crl->this_update.min, crl->this_update.sec );
645 MBEDTLS_X509_SAFE_SNPRINTF;
646
647 ret = mbedtls_snprintf( p, n, "\n%snext update : " \
648 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
649 crl->next_update.year, crl->next_update.mon,
650 crl->next_update.day, crl->next_update.hour,
651 crl->next_update.min, crl->next_update.sec );
652 MBEDTLS_X509_SAFE_SNPRINTF;
653
654 entry = &crl->entry;
655
656 ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
657 prefix );
658 MBEDTLS_X509_SAFE_SNPRINTF;
659
660 while( entry != NULL && entry->raw.len != 0 )
661 {
662 ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
663 prefix );
664 MBEDTLS_X509_SAFE_SNPRINTF;
665
666 ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
667 MBEDTLS_X509_SAFE_SNPRINTF;
668
669 ret = mbedtls_snprintf( p, n, " revocation date: " \
670 "%04d-%02d-%02d %02d:%02d:%02d",
671 entry->revocation_date.year, entry->revocation_date.mon,
672 entry->revocation_date.day, entry->revocation_date.hour,
673 entry->revocation_date.min, entry->revocation_date.sec );
674 MBEDTLS_X509_SAFE_SNPRINTF;
675
676 entry = entry->next;
677 }
678
679 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
680 MBEDTLS_X509_SAFE_SNPRINTF;
681
682 ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
683 crl->sig_opts );
684 MBEDTLS_X509_SAFE_SNPRINTF;
685
686 ret = mbedtls_snprintf( p, n, "\n" );
687 MBEDTLS_X509_SAFE_SNPRINTF;
688
689 return( (int) ( size - n ) );
690 }
691 #endif /* MBEDTLS_X509_REMOVE_INFO */
692
693 /*
694 * Initialize a CRL chain
695 */
mbedtls_x509_crl_init(mbedtls_x509_crl * crl)696 void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
697 {
698 memset( crl, 0, sizeof(mbedtls_x509_crl) );
699 }
700
701 /*
702 * Unallocate all CRL data
703 */
mbedtls_x509_crl_free(mbedtls_x509_crl * crl)704 void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
705 {
706 mbedtls_x509_crl *crl_cur = crl;
707 mbedtls_x509_crl *crl_prv;
708 mbedtls_x509_crl_entry *entry_cur;
709 mbedtls_x509_crl_entry *entry_prv;
710
711 while( crl_cur != NULL )
712 {
713 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
714 mbedtls_free( crl_cur->sig_opts );
715 #endif
716
717 mbedtls_asn1_free_named_data_list_shallow( crl_cur->issuer.next );
718
719 entry_cur = crl_cur->entry.next;
720 while( entry_cur != NULL )
721 {
722 entry_prv = entry_cur;
723 entry_cur = entry_cur->next;
724 mbedtls_platform_zeroize( entry_prv,
725 sizeof( mbedtls_x509_crl_entry ) );
726 mbedtls_free( entry_prv );
727 }
728
729 if( crl_cur->raw.p != NULL )
730 {
731 mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
732 mbedtls_free( crl_cur->raw.p );
733 }
734
735 crl_prv = crl_cur;
736 crl_cur = crl_cur->next;
737
738 mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
739 if( crl_prv != crl )
740 mbedtls_free( crl_prv );
741 }
742 }
743
744 #endif /* MBEDTLS_X509_CRL_PARSE_C */
745
