1817466cbSJens Wiklander /*
232b31808SJens Wiklander * X.509 Certificate Revocation List (CRL) parsing
3817466cbSJens Wiklander *
47901324dSJerome Forissier * Copyright The Mbed TLS Contributors
5*b0563631STom Van Eyck * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6817466cbSJens Wiklander */
7817466cbSJens Wiklander /*
8817466cbSJens Wiklander * The ITU-T X.509 standard defines a certificate format for PKI.
9817466cbSJens Wiklander *
10817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
11817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
12817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
13817466cbSJens Wiklander *
14817466cbSJens Wiklander * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
15817466cbSJens Wiklander * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
16817466cbSJens Wiklander */
17817466cbSJens Wiklander
187901324dSJerome Forissier #include "common.h"
19817466cbSJens Wiklander
20817466cbSJens Wiklander #if defined(MBEDTLS_X509_CRL_PARSE_C)
21817466cbSJens Wiklander
22817466cbSJens Wiklander #include "mbedtls/x509_crl.h"
23*b0563631STom Van Eyck #include "x509_internal.h"
2411fa71b9SJerome Forissier #include "mbedtls/error.h"
25817466cbSJens Wiklander #include "mbedtls/oid.h"
263d3b0591SJens Wiklander #include "mbedtls/platform_util.h"
27817466cbSJens Wiklander
28817466cbSJens Wiklander #include <string.h>
29817466cbSJens Wiklander
30817466cbSJens Wiklander #if defined(MBEDTLS_PEM_PARSE_C)
31817466cbSJens Wiklander #include "mbedtls/pem.h"
32817466cbSJens Wiklander #endif
33817466cbSJens Wiklander
34817466cbSJens Wiklander #include "mbedtls/platform.h"
35817466cbSJens Wiklander
36039e02dfSJerome Forissier #if defined(MBEDTLS_HAVE_TIME)
37817466cbSJens Wiklander #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
38817466cbSJens Wiklander #include <windows.h>
39817466cbSJens Wiklander #else
40817466cbSJens Wiklander #include <time.h>
41817466cbSJens Wiklander #endif
42039e02dfSJerome Forissier #endif
43817466cbSJens Wiklander
44817466cbSJens Wiklander #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
45817466cbSJens Wiklander #include <stdio.h>
46817466cbSJens Wiklander #endif
47817466cbSJens Wiklander
48817466cbSJens Wiklander /*
49817466cbSJens Wiklander * Version ::= INTEGER { v1(0), v2(1) }
50817466cbSJens Wiklander */
x509_crl_get_version(unsigned char ** p,const unsigned char * end,int * ver)51817466cbSJens Wiklander static int x509_crl_get_version(unsigned char **p,
52817466cbSJens Wiklander const unsigned char *end,
53817466cbSJens Wiklander int *ver)
54817466cbSJens Wiklander {
5511fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
56817466cbSJens Wiklander
5732b31808SJens Wiklander if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
5832b31808SJens Wiklander if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
59817466cbSJens Wiklander *ver = 0;
6032b31808SJens Wiklander return 0;
61817466cbSJens Wiklander }
62817466cbSJens Wiklander
6332b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
64817466cbSJens Wiklander }
65817466cbSJens Wiklander
6632b31808SJens Wiklander return 0;
67817466cbSJens Wiklander }
68817466cbSJens Wiklander
69817466cbSJens Wiklander /*
703d3b0591SJens Wiklander * X.509 CRL v2 extensions
713d3b0591SJens Wiklander *
723d3b0591SJens Wiklander * We currently don't parse any extension's content, but we do check that the
733d3b0591SJens Wiklander * list of extensions is well-formed and abort on critical extensions (that
743d3b0591SJens Wiklander * are unsupported as we don't support any extension so far)
75817466cbSJens Wiklander */
x509_get_crl_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)76817466cbSJens Wiklander static int x509_get_crl_ext(unsigned char **p,
77817466cbSJens Wiklander const unsigned char *end,
78817466cbSJens Wiklander mbedtls_x509_buf *ext)
79817466cbSJens Wiklander {
8011fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
81817466cbSJens Wiklander
8232b31808SJens Wiklander if (*p == end) {
8332b31808SJens Wiklander return 0;
8432b31808SJens Wiklander }
855b25c76aSJerome Forissier
863d3b0591SJens Wiklander /*
873d3b0591SJens Wiklander * crlExtensions [0] EXPLICIT Extensions OPTIONAL
883d3b0591SJens Wiklander * -- if present, version MUST be v2
893d3b0591SJens Wiklander */
9032b31808SJens Wiklander if ((ret = mbedtls_x509_get_ext(p, end, ext, 0)) != 0) {
9132b31808SJens Wiklander return ret;
9232b31808SJens Wiklander }
935b25c76aSJerome Forissier
945b25c76aSJerome Forissier end = ext->p + ext->len;
95817466cbSJens Wiklander
9632b31808SJens Wiklander while (*p < end) {
973d3b0591SJens Wiklander /*
983d3b0591SJens Wiklander * Extension ::= SEQUENCE {
993d3b0591SJens Wiklander * extnID OBJECT IDENTIFIER,
1003d3b0591SJens Wiklander * critical BOOLEAN DEFAULT FALSE,
1013d3b0591SJens Wiklander * extnValue OCTET STRING }
1023d3b0591SJens Wiklander */
1033d3b0591SJens Wiklander int is_critical = 0;
1043d3b0591SJens Wiklander const unsigned char *end_ext_data;
1053d3b0591SJens Wiklander size_t len;
1063d3b0591SJens Wiklander
1073d3b0591SJens Wiklander /* Get enclosing sequence tag */
108817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end, &len,
10932b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
11032b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
11132b31808SJens Wiklander }
112817466cbSJens Wiklander
1133d3b0591SJens Wiklander end_ext_data = *p + len;
1143d3b0591SJens Wiklander
1153d3b0591SJens Wiklander /* Get OID (currently ignored) */
1163d3b0591SJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
11732b31808SJens Wiklander MBEDTLS_ASN1_OID)) != 0) {
11832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1193d3b0591SJens Wiklander }
120817466cbSJens Wiklander *p += len;
1213d3b0591SJens Wiklander
1223d3b0591SJens Wiklander /* Get optional critical */
1233d3b0591SJens Wiklander if ((ret = mbedtls_asn1_get_bool(p, end_ext_data,
1243d3b0591SJens Wiklander &is_critical)) != 0 &&
12532b31808SJens Wiklander (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
12632b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
1273d3b0591SJens Wiklander }
1283d3b0591SJens Wiklander
1293d3b0591SJens Wiklander /* Data should be octet string type */
1303d3b0591SJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
13132b31808SJens Wiklander MBEDTLS_ASN1_OCTET_STRING)) != 0) {
13232b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
13332b31808SJens Wiklander }
1343d3b0591SJens Wiklander
1353d3b0591SJens Wiklander /* Ignore data so far and just check its length */
1363d3b0591SJens Wiklander *p += len;
13732b31808SJens Wiklander if (*p != end_ext_data) {
13832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
13932b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
140817466cbSJens Wiklander }
141817466cbSJens Wiklander
14232b31808SJens Wiklander /* Abort on (unsupported) critical extensions */
14332b31808SJens Wiklander if (is_critical) {
14432b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
14532b31808SJens Wiklander MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
14632b31808SJens Wiklander }
14732b31808SJens Wiklander }
148817466cbSJens Wiklander
14932b31808SJens Wiklander if (*p != end) {
15032b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
15132b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
15232b31808SJens Wiklander }
15332b31808SJens Wiklander
15432b31808SJens Wiklander return 0;
155817466cbSJens Wiklander }
156817466cbSJens Wiklander
157817466cbSJens Wiklander /*
158817466cbSJens Wiklander * X.509 CRL v2 entry extensions (no extensions parsed yet.)
159817466cbSJens Wiklander */
x509_get_crl_entry_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)160817466cbSJens Wiklander static int x509_get_crl_entry_ext(unsigned char **p,
161817466cbSJens Wiklander const unsigned char *end,
162817466cbSJens Wiklander mbedtls_x509_buf *ext)
163817466cbSJens Wiklander {
16411fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
165817466cbSJens Wiklander size_t len = 0;
166817466cbSJens Wiklander
167817466cbSJens Wiklander /* OPTIONAL */
16832b31808SJens Wiklander if (end <= *p) {
16932b31808SJens Wiklander return 0;
17032b31808SJens Wiklander }
171817466cbSJens Wiklander
172817466cbSJens Wiklander ext->tag = **p;
173817466cbSJens Wiklander ext->p = *p;
174817466cbSJens Wiklander
175817466cbSJens Wiklander /*
176817466cbSJens Wiklander * Get CRL-entry extension sequence header
177817466cbSJens Wiklander * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
178817466cbSJens Wiklander */
179817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end, &ext->len,
18032b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
18132b31808SJens Wiklander if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
182817466cbSJens Wiklander ext->p = NULL;
18332b31808SJens Wiklander return 0;
184817466cbSJens Wiklander }
18532b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
186817466cbSJens Wiklander }
187817466cbSJens Wiklander
188817466cbSJens Wiklander end = *p + ext->len;
189817466cbSJens Wiklander
19032b31808SJens Wiklander if (end != *p + ext->len) {
19132b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
19232b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
19332b31808SJens Wiklander }
194817466cbSJens Wiklander
19532b31808SJens Wiklander while (*p < end) {
196817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end, &len,
19732b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
19832b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
19932b31808SJens Wiklander }
200817466cbSJens Wiklander
201817466cbSJens Wiklander *p += len;
202817466cbSJens Wiklander }
203817466cbSJens Wiklander
20432b31808SJens Wiklander if (*p != end) {
20532b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
20632b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
20732b31808SJens Wiklander }
208817466cbSJens Wiklander
20932b31808SJens Wiklander return 0;
210817466cbSJens Wiklander }
211817466cbSJens Wiklander
212817466cbSJens Wiklander /*
213817466cbSJens Wiklander * X.509 CRL Entries
214817466cbSJens Wiklander */
x509_get_entries(unsigned char ** p,const unsigned char * end,mbedtls_x509_crl_entry * entry)215817466cbSJens Wiklander static int x509_get_entries(unsigned char **p,
216817466cbSJens Wiklander const unsigned char *end,
217817466cbSJens Wiklander mbedtls_x509_crl_entry *entry)
218817466cbSJens Wiklander {
21911fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
220817466cbSJens Wiklander size_t entry_len;
221817466cbSJens Wiklander mbedtls_x509_crl_entry *cur_entry = entry;
222817466cbSJens Wiklander
22332b31808SJens Wiklander if (*p == end) {
22432b31808SJens Wiklander return 0;
22532b31808SJens Wiklander }
226817466cbSJens Wiklander
227817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end, &entry_len,
22832b31808SJens Wiklander MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
22932b31808SJens Wiklander if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
23032b31808SJens Wiklander return 0;
23132b31808SJens Wiklander }
232817466cbSJens Wiklander
23332b31808SJens Wiklander return ret;
234817466cbSJens Wiklander }
235817466cbSJens Wiklander
236817466cbSJens Wiklander end = *p + entry_len;
237817466cbSJens Wiklander
23832b31808SJens Wiklander while (*p < end) {
239817466cbSJens Wiklander size_t len2;
240817466cbSJens Wiklander const unsigned char *end2;
241817466cbSJens Wiklander
2427901324dSJerome Forissier cur_entry->raw.tag = **p;
243817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(p, end, &len2,
24432b31808SJens Wiklander MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
24532b31808SJens Wiklander return ret;
246817466cbSJens Wiklander }
247817466cbSJens Wiklander
248817466cbSJens Wiklander cur_entry->raw.p = *p;
249817466cbSJens Wiklander cur_entry->raw.len = len2;
250817466cbSJens Wiklander end2 = *p + len2;
251817466cbSJens Wiklander
25232b31808SJens Wiklander if ((ret = mbedtls_x509_get_serial(p, end2, &cur_entry->serial)) != 0) {
25332b31808SJens Wiklander return ret;
25432b31808SJens Wiklander }
255817466cbSJens Wiklander
256817466cbSJens Wiklander if ((ret = mbedtls_x509_get_time(p, end2,
25732b31808SJens Wiklander &cur_entry->revocation_date)) != 0) {
25832b31808SJens Wiklander return ret;
25932b31808SJens Wiklander }
260817466cbSJens Wiklander
261817466cbSJens Wiklander if ((ret = x509_get_crl_entry_ext(p, end2,
26232b31808SJens Wiklander &cur_entry->entry_ext)) != 0) {
26332b31808SJens Wiklander return ret;
26432b31808SJens Wiklander }
265817466cbSJens Wiklander
26632b31808SJens Wiklander if (*p < end) {
267817466cbSJens Wiklander cur_entry->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl_entry));
268817466cbSJens Wiklander
26932b31808SJens Wiklander if (cur_entry->next == NULL) {
27032b31808SJens Wiklander return MBEDTLS_ERR_X509_ALLOC_FAILED;
27132b31808SJens Wiklander }
272817466cbSJens Wiklander
273817466cbSJens Wiklander cur_entry = cur_entry->next;
274817466cbSJens Wiklander }
275817466cbSJens Wiklander }
276817466cbSJens Wiklander
27732b31808SJens Wiklander return 0;
278817466cbSJens Wiklander }
279817466cbSJens Wiklander
280817466cbSJens Wiklander /*
281817466cbSJens Wiklander * Parse one CRLs in DER format and append it to the chained list
282817466cbSJens Wiklander */
mbedtls_x509_crl_parse_der(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)283817466cbSJens Wiklander int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
284817466cbSJens Wiklander const unsigned char *buf, size_t buflen)
285817466cbSJens Wiklander {
28611fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
287817466cbSJens Wiklander size_t len;
2883d3b0591SJens Wiklander unsigned char *p = NULL, *end = NULL;
289817466cbSJens Wiklander mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
290817466cbSJens Wiklander mbedtls_x509_crl *crl = chain;
291817466cbSJens Wiklander
292817466cbSJens Wiklander /*
293817466cbSJens Wiklander * Check for valid input
294817466cbSJens Wiklander */
29532b31808SJens Wiklander if (crl == NULL || buf == NULL) {
29632b31808SJens Wiklander return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
29732b31808SJens Wiklander }
298817466cbSJens Wiklander
299817466cbSJens Wiklander memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
300817466cbSJens Wiklander memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
301817466cbSJens Wiklander memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));
302817466cbSJens Wiklander
303817466cbSJens Wiklander /*
304817466cbSJens Wiklander * Add new CRL on the end of the chain if needed.
305817466cbSJens Wiklander */
30632b31808SJens Wiklander while (crl->version != 0 && crl->next != NULL) {
307817466cbSJens Wiklander crl = crl->next;
30832b31808SJens Wiklander }
309817466cbSJens Wiklander
31032b31808SJens Wiklander if (crl->version != 0 && crl->next == NULL) {
311817466cbSJens Wiklander crl->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl));
312817466cbSJens Wiklander
31332b31808SJens Wiklander if (crl->next == NULL) {
314817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
31532b31808SJens Wiklander return MBEDTLS_ERR_X509_ALLOC_FAILED;
316817466cbSJens Wiklander }
317817466cbSJens Wiklander
318817466cbSJens Wiklander mbedtls_x509_crl_init(crl->next);
319817466cbSJens Wiklander crl = crl->next;
320817466cbSJens Wiklander }
321817466cbSJens Wiklander
322817466cbSJens Wiklander /*
323817466cbSJens Wiklander * Copy raw DER-encoded CRL
324817466cbSJens Wiklander */
32532b31808SJens Wiklander if (buflen == 0) {
32632b31808SJens Wiklander return MBEDTLS_ERR_X509_INVALID_FORMAT;
32732b31808SJens Wiklander }
3283d3b0591SJens Wiklander
3293d3b0591SJens Wiklander p = mbedtls_calloc(1, buflen);
33032b31808SJens Wiklander if (p == NULL) {
33132b31808SJens Wiklander return MBEDTLS_ERR_X509_ALLOC_FAILED;
33232b31808SJens Wiklander }
333817466cbSJens Wiklander
334817466cbSJens Wiklander memcpy(p, buf, buflen);
335817466cbSJens Wiklander
336817466cbSJens Wiklander crl->raw.p = p;
337817466cbSJens Wiklander crl->raw.len = buflen;
338817466cbSJens Wiklander
339817466cbSJens Wiklander end = p + buflen;
340817466cbSJens Wiklander
341817466cbSJens Wiklander /*
342817466cbSJens Wiklander * CertificateList ::= SEQUENCE {
343817466cbSJens Wiklander * tbsCertList TBSCertList,
344817466cbSJens Wiklander * signatureAlgorithm AlgorithmIdentifier,
345817466cbSJens Wiklander * signatureValue BIT STRING }
346817466cbSJens Wiklander */
347817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
34832b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
349817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
35032b31808SJens Wiklander return MBEDTLS_ERR_X509_INVALID_FORMAT;
351817466cbSJens Wiklander }
352817466cbSJens Wiklander
35332b31808SJens Wiklander if (len != (size_t) (end - p)) {
354817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
35532b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
35632b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
357817466cbSJens Wiklander }
358817466cbSJens Wiklander
359817466cbSJens Wiklander /*
360817466cbSJens Wiklander * TBSCertList ::= SEQUENCE {
361817466cbSJens Wiklander */
362817466cbSJens Wiklander crl->tbs.p = p;
363817466cbSJens Wiklander
364817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
36532b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
366817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
36732b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
368817466cbSJens Wiklander }
369817466cbSJens Wiklander
370817466cbSJens Wiklander end = p + len;
371*b0563631STom Van Eyck crl->tbs.len = (size_t) (end - crl->tbs.p);
372817466cbSJens Wiklander
373817466cbSJens Wiklander /*
374817466cbSJens Wiklander * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
375817466cbSJens Wiklander * -- if present, MUST be v2
376817466cbSJens Wiklander *
377817466cbSJens Wiklander * signature AlgorithmIdentifier
378817466cbSJens Wiklander */
379817466cbSJens Wiklander if ((ret = x509_crl_get_version(&p, end, &crl->version)) != 0 ||
38032b31808SJens Wiklander (ret = mbedtls_x509_get_alg(&p, end, &crl->sig_oid, &sig_params1)) != 0) {
381817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
38232b31808SJens Wiklander return ret;
383817466cbSJens Wiklander }
384817466cbSJens Wiklander
38532b31808SJens Wiklander if (crl->version < 0 || crl->version > 1) {
386817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
38732b31808SJens Wiklander return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
388817466cbSJens Wiklander }
389817466cbSJens Wiklander
390817466cbSJens Wiklander crl->version++;
391817466cbSJens Wiklander
392817466cbSJens Wiklander if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
393817466cbSJens Wiklander &crl->sig_md, &crl->sig_pk,
39432b31808SJens Wiklander &crl->sig_opts)) != 0) {
395817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
39632b31808SJens Wiklander return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
397817466cbSJens Wiklander }
398817466cbSJens Wiklander
399817466cbSJens Wiklander /*
400817466cbSJens Wiklander * issuer Name
401817466cbSJens Wiklander */
402817466cbSJens Wiklander crl->issuer_raw.p = p;
403817466cbSJens Wiklander
404817466cbSJens Wiklander if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
40532b31808SJens Wiklander MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
406817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
40732b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
408817466cbSJens Wiklander }
409817466cbSJens Wiklander
41032b31808SJens Wiklander if ((ret = mbedtls_x509_get_name(&p, p + len, &crl->issuer)) != 0) {
411817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
41232b31808SJens Wiklander return ret;
413817466cbSJens Wiklander }
414817466cbSJens Wiklander
415*b0563631STom Van Eyck crl->issuer_raw.len = (size_t) (p - crl->issuer_raw.p);
416817466cbSJens Wiklander
417817466cbSJens Wiklander /*
418817466cbSJens Wiklander * thisUpdate Time
419817466cbSJens Wiklander * nextUpdate Time OPTIONAL
420817466cbSJens Wiklander */
42132b31808SJens Wiklander if ((ret = mbedtls_x509_get_time(&p, end, &crl->this_update)) != 0) {
422817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
42332b31808SJens Wiklander return ret;
424817466cbSJens Wiklander }
425817466cbSJens Wiklander
42632b31808SJens Wiklander if ((ret = mbedtls_x509_get_time(&p, end, &crl->next_update)) != 0) {
4277901324dSJerome Forissier if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
4287901324dSJerome Forissier MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) &&
4297901324dSJerome Forissier ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
43032b31808SJens Wiklander MBEDTLS_ERR_ASN1_OUT_OF_DATA))) {
431817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
43232b31808SJens Wiklander return ret;
433817466cbSJens Wiklander }
434817466cbSJens Wiklander }
435817466cbSJens Wiklander
436817466cbSJens Wiklander /*
437817466cbSJens Wiklander * revokedCertificates SEQUENCE OF SEQUENCE {
438817466cbSJens Wiklander * userCertificate CertificateSerialNumber,
439817466cbSJens Wiklander * revocationDate Time,
440817466cbSJens Wiklander * crlEntryExtensions Extensions OPTIONAL
441817466cbSJens Wiklander * -- if present, MUST be v2
442817466cbSJens Wiklander * } OPTIONAL
443817466cbSJens Wiklander */
44432b31808SJens Wiklander if ((ret = x509_get_entries(&p, end, &crl->entry)) != 0) {
445817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
44632b31808SJens Wiklander return ret;
447817466cbSJens Wiklander }
448817466cbSJens Wiklander
449817466cbSJens Wiklander /*
450817466cbSJens Wiklander * crlExtensions EXPLICIT Extensions OPTIONAL
451817466cbSJens Wiklander * -- if present, MUST be v2
452817466cbSJens Wiklander */
45332b31808SJens Wiklander if (crl->version == 2) {
454817466cbSJens Wiklander ret = x509_get_crl_ext(&p, end, &crl->crl_ext);
455817466cbSJens Wiklander
45632b31808SJens Wiklander if (ret != 0) {
457817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
45832b31808SJens Wiklander return ret;
459817466cbSJens Wiklander }
460817466cbSJens Wiklander }
461817466cbSJens Wiklander
46232b31808SJens Wiklander if (p != end) {
463817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
46432b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
46532b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
466817466cbSJens Wiklander }
467817466cbSJens Wiklander
468817466cbSJens Wiklander end = crl->raw.p + crl->raw.len;
469817466cbSJens Wiklander
470817466cbSJens Wiklander /*
471817466cbSJens Wiklander * signatureAlgorithm AlgorithmIdentifier,
472817466cbSJens Wiklander * signatureValue BIT STRING
473817466cbSJens Wiklander */
47432b31808SJens Wiklander if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
475817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
47632b31808SJens Wiklander return ret;
477817466cbSJens Wiklander }
478817466cbSJens Wiklander
479817466cbSJens Wiklander if (crl->sig_oid.len != sig_oid2.len ||
480817466cbSJens Wiklander memcmp(crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len) != 0 ||
481817466cbSJens Wiklander sig_params1.len != sig_params2.len ||
482817466cbSJens Wiklander (sig_params1.len != 0 &&
48332b31808SJens Wiklander memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
484817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
48532b31808SJens Wiklander return MBEDTLS_ERR_X509_SIG_MISMATCH;
486817466cbSJens Wiklander }
487817466cbSJens Wiklander
48832b31808SJens Wiklander if ((ret = mbedtls_x509_get_sig(&p, end, &crl->sig)) != 0) {
489817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
49032b31808SJens Wiklander return ret;
491817466cbSJens Wiklander }
492817466cbSJens Wiklander
49332b31808SJens Wiklander if (p != end) {
494817466cbSJens Wiklander mbedtls_x509_crl_free(crl);
49532b31808SJens Wiklander return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
49632b31808SJens Wiklander MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
497817466cbSJens Wiklander }
498817466cbSJens Wiklander
49932b31808SJens Wiklander return 0;
500817466cbSJens Wiklander }
501817466cbSJens Wiklander
502817466cbSJens Wiklander /*
503817466cbSJens Wiklander * Parse one or more CRLs and add them to the chained list
504817466cbSJens Wiklander */
mbedtls_x509_crl_parse(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)505817466cbSJens Wiklander int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
506817466cbSJens Wiklander {
507817466cbSJens Wiklander #if defined(MBEDTLS_PEM_PARSE_C)
50811fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
50911fa71b9SJerome Forissier size_t use_len = 0;
510817466cbSJens Wiklander mbedtls_pem_context pem;
511817466cbSJens Wiklander int is_pem = 0;
512817466cbSJens Wiklander
51332b31808SJens Wiklander if (chain == NULL || buf == NULL) {
51432b31808SJens Wiklander return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
51532b31808SJens Wiklander }
516817466cbSJens Wiklander
51732b31808SJens Wiklander do {
518817466cbSJens Wiklander mbedtls_pem_init(&pem);
519817466cbSJens Wiklander
520817466cbSJens Wiklander // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
521817466cbSJens Wiklander // string
52232b31808SJens Wiklander if (buflen == 0 || buf[buflen - 1] != '\0') {
523817466cbSJens Wiklander ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
52432b31808SJens Wiklander } else {
525817466cbSJens Wiklander ret = mbedtls_pem_read_buffer(&pem,
526817466cbSJens Wiklander "-----BEGIN X509 CRL-----",
527817466cbSJens Wiklander "-----END X509 CRL-----",
528817466cbSJens Wiklander buf, NULL, 0, &use_len);
52932b31808SJens Wiklander }
530817466cbSJens Wiklander
53132b31808SJens Wiklander if (ret == 0) {
532817466cbSJens Wiklander /*
533817466cbSJens Wiklander * Was PEM encoded
534817466cbSJens Wiklander */
535817466cbSJens Wiklander is_pem = 1;
536817466cbSJens Wiklander
537817466cbSJens Wiklander buflen -= use_len;
538817466cbSJens Wiklander buf += use_len;
539817466cbSJens Wiklander
540817466cbSJens Wiklander if ((ret = mbedtls_x509_crl_parse_der(chain,
54132b31808SJens Wiklander pem.buf, pem.buflen)) != 0) {
542817466cbSJens Wiklander mbedtls_pem_free(&pem);
54332b31808SJens Wiklander return ret;
544817466cbSJens Wiklander }
54532b31808SJens Wiklander } else if (is_pem) {
546817466cbSJens Wiklander mbedtls_pem_free(&pem);
54732b31808SJens Wiklander return ret;
548817466cbSJens Wiklander }
549817466cbSJens Wiklander
550817466cbSJens Wiklander mbedtls_pem_free(&pem);
551817466cbSJens Wiklander }
552817466cbSJens Wiklander /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
553817466cbSJens Wiklander * And a valid CRL cannot be less than 1 byte anyway. */
554817466cbSJens Wiklander while (is_pem && buflen > 1);
555817466cbSJens Wiklander
55632b31808SJens Wiklander if (is_pem) {
55732b31808SJens Wiklander return 0;
55832b31808SJens Wiklander } else
559817466cbSJens Wiklander #endif /* MBEDTLS_PEM_PARSE_C */
56032b31808SJens Wiklander return mbedtls_x509_crl_parse_der(chain, buf, buflen);
561817466cbSJens Wiklander }
562817466cbSJens Wiklander
563817466cbSJens Wiklander #if defined(MBEDTLS_FS_IO)
564817466cbSJens Wiklander /*
565817466cbSJens Wiklander * Load one or more CRLs and add them to the chained list
566817466cbSJens Wiklander */
mbedtls_x509_crl_parse_file(mbedtls_x509_crl * chain,const char * path)567817466cbSJens Wiklander int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)
568817466cbSJens Wiklander {
56911fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
570817466cbSJens Wiklander size_t n;
571817466cbSJens Wiklander unsigned char *buf;
572817466cbSJens Wiklander
57332b31808SJens Wiklander if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
57432b31808SJens Wiklander return ret;
57532b31808SJens Wiklander }
576817466cbSJens Wiklander
577817466cbSJens Wiklander ret = mbedtls_x509_crl_parse(chain, buf, n);
578817466cbSJens Wiklander
579*b0563631STom Van Eyck mbedtls_zeroize_and_free(buf, n);
580817466cbSJens Wiklander
58132b31808SJens Wiklander return ret;
582817466cbSJens Wiklander }
583817466cbSJens Wiklander #endif /* MBEDTLS_FS_IO */
584817466cbSJens Wiklander
58532b31808SJens Wiklander #if !defined(MBEDTLS_X509_REMOVE_INFO)
586817466cbSJens Wiklander /*
587817466cbSJens Wiklander * Return an informational string about the certificate.
588817466cbSJens Wiklander */
589817466cbSJens Wiklander #define BEFORE_COLON 14
590817466cbSJens Wiklander #define BC "14"
591817466cbSJens Wiklander /*
592817466cbSJens Wiklander * Return an informational string about the CRL.
593817466cbSJens Wiklander */
mbedtls_x509_crl_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crl * crl)594817466cbSJens Wiklander int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
595817466cbSJens Wiklander const mbedtls_x509_crl *crl)
596817466cbSJens Wiklander {
59711fa71b9SJerome Forissier int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
598817466cbSJens Wiklander size_t n;
599817466cbSJens Wiklander char *p;
600817466cbSJens Wiklander const mbedtls_x509_crl_entry *entry;
601817466cbSJens Wiklander
602817466cbSJens Wiklander p = buf;
603817466cbSJens Wiklander n = size;
604817466cbSJens Wiklander
605817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "%sCRL version : %d",
606817466cbSJens Wiklander prefix, crl->version);
607817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
608817466cbSJens Wiklander
609817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
610817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
611817466cbSJens Wiklander ret = mbedtls_x509_dn_gets(p, n, &crl->issuer);
612817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
613817466cbSJens Wiklander
614817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%sthis update : " \
615817466cbSJens Wiklander "%04d-%02d-%02d %02d:%02d:%02d", prefix,
616817466cbSJens Wiklander crl->this_update.year, crl->this_update.mon,
617817466cbSJens Wiklander crl->this_update.day, crl->this_update.hour,
618817466cbSJens Wiklander crl->this_update.min, crl->this_update.sec);
619817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
620817466cbSJens Wiklander
621817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%snext update : " \
622817466cbSJens Wiklander "%04d-%02d-%02d %02d:%02d:%02d", prefix,
623817466cbSJens Wiklander crl->next_update.year, crl->next_update.mon,
624817466cbSJens Wiklander crl->next_update.day, crl->next_update.hour,
625817466cbSJens Wiklander crl->next_update.min, crl->next_update.sec);
626817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
627817466cbSJens Wiklander
628817466cbSJens Wiklander entry = &crl->entry;
629817466cbSJens Wiklander
630817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%sRevoked certificates:",
631817466cbSJens Wiklander prefix);
632817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
633817466cbSJens Wiklander
63432b31808SJens Wiklander while (entry != NULL && entry->raw.len != 0) {
635817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%sserial number: ",
636817466cbSJens Wiklander prefix);
637817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
638817466cbSJens Wiklander
639817466cbSJens Wiklander ret = mbedtls_x509_serial_gets(p, n, &entry->serial);
640817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
641817466cbSJens Wiklander
642817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, " revocation date: " \
643817466cbSJens Wiklander "%04d-%02d-%02d %02d:%02d:%02d",
644817466cbSJens Wiklander entry->revocation_date.year, entry->revocation_date.mon,
645817466cbSJens Wiklander entry->revocation_date.day, entry->revocation_date.hour,
646817466cbSJens Wiklander entry->revocation_date.min, entry->revocation_date.sec);
647817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
648817466cbSJens Wiklander
649817466cbSJens Wiklander entry = entry->next;
650817466cbSJens Wiklander }
651817466cbSJens Wiklander
652817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
653817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
654817466cbSJens Wiklander
655817466cbSJens Wiklander ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
656817466cbSJens Wiklander crl->sig_opts);
657817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
658817466cbSJens Wiklander
659817466cbSJens Wiklander ret = mbedtls_snprintf(p, n, "\n");
660817466cbSJens Wiklander MBEDTLS_X509_SAFE_SNPRINTF;
661817466cbSJens Wiklander
66232b31808SJens Wiklander return (int) (size - n);
663817466cbSJens Wiklander }
66432b31808SJens Wiklander #endif /* MBEDTLS_X509_REMOVE_INFO */
665817466cbSJens Wiklander
666817466cbSJens Wiklander /*
667817466cbSJens Wiklander * Initialize a CRL chain
668817466cbSJens Wiklander */
mbedtls_x509_crl_init(mbedtls_x509_crl * crl)669817466cbSJens Wiklander void mbedtls_x509_crl_init(mbedtls_x509_crl *crl)
670817466cbSJens Wiklander {
671817466cbSJens Wiklander memset(crl, 0, sizeof(mbedtls_x509_crl));
672817466cbSJens Wiklander }
673817466cbSJens Wiklander
674817466cbSJens Wiklander /*
675817466cbSJens Wiklander * Unallocate all CRL data
676817466cbSJens Wiklander */
mbedtls_x509_crl_free(mbedtls_x509_crl * crl)677817466cbSJens Wiklander void mbedtls_x509_crl_free(mbedtls_x509_crl *crl)
678817466cbSJens Wiklander {
679817466cbSJens Wiklander mbedtls_x509_crl *crl_cur = crl;
680817466cbSJens Wiklander mbedtls_x509_crl *crl_prv;
681817466cbSJens Wiklander mbedtls_x509_crl_entry *entry_cur;
682817466cbSJens Wiklander mbedtls_x509_crl_entry *entry_prv;
683817466cbSJens Wiklander
68432b31808SJens Wiklander while (crl_cur != NULL) {
685817466cbSJens Wiklander #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
686817466cbSJens Wiklander mbedtls_free(crl_cur->sig_opts);
687817466cbSJens Wiklander #endif
688817466cbSJens Wiklander
68932b31808SJens Wiklander mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next);
690817466cbSJens Wiklander
691817466cbSJens Wiklander entry_cur = crl_cur->entry.next;
69232b31808SJens Wiklander while (entry_cur != NULL) {
693817466cbSJens Wiklander entry_prv = entry_cur;
694817466cbSJens Wiklander entry_cur = entry_cur->next;
695*b0563631STom Van Eyck mbedtls_zeroize_and_free(entry_prv,
6963d3b0591SJens Wiklander sizeof(mbedtls_x509_crl_entry));
697817466cbSJens Wiklander }
698817466cbSJens Wiklander
69932b31808SJens Wiklander if (crl_cur->raw.p != NULL) {
700*b0563631STom Van Eyck mbedtls_zeroize_and_free(crl_cur->raw.p, crl_cur->raw.len);
701817466cbSJens Wiklander }
702817466cbSJens Wiklander
703817466cbSJens Wiklander crl_prv = crl_cur;
704817466cbSJens Wiklander crl_cur = crl_cur->next;
705817466cbSJens Wiklander
7063d3b0591SJens Wiklander mbedtls_platform_zeroize(crl_prv, sizeof(mbedtls_x509_crl));
70732b31808SJens Wiklander if (crl_prv != crl) {
708817466cbSJens Wiklander mbedtls_free(crl_prv);
709817466cbSJens Wiklander }
71032b31808SJens Wiklander }
711817466cbSJens Wiklander }
712817466cbSJens Wiklander
713817466cbSJens Wiklander #endif /* MBEDTLS_X509_CRL_PARSE_C */
714