/*
 * X.509 Certificate Revocation List (CRL) parsing
 *
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * The ITU-T X.509 standard defines a certificate format for PKI.
 *
 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
 *
 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
 */

#include "common.h"

#if defined(MBEDTLS_X509_CRL_PARSE_C)

#include "mbedtls/x509_crl.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"

#include <string.h>

#if defined(MBEDTLS_PEM_PARSE_C)
#include "mbedtls/pem.h"
#endif

#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdlib.h>
#include <stdio.h>
#define mbedtls_free free
#define mbedtls_calloc calloc
#define mbedtls_snprintf snprintf
#endif

#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#include <windows.h>
#else
#include <time.h>
#endif
#endif /* MBEDTLS_HAVE_TIME */

#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
#include <stdio.h>
#endif

/*
 * Version ::= INTEGER { v1(0), v2(1) }
 *
 * Parse the optional version INTEGER at the start of a TBSCertList.
 *
 * p   - in/out: cursor into the DER data, advanced past the INTEGER when
 *       one is present
 * end - one past the last readable byte
 * ver - out: decoded value; set to 0 when the field is absent
 *
 * Returns 0 on success and when the field is absent (signalled by
 * MBEDTLS_ERR_ASN1_UNEXPECTED_TAG from the ASN.1 layer). Any other ASN.1
 * failure, including running out of data, is reported as
 * MBEDTLS_ERR_X509_INVALID_VERSION combined with that ASN.1 code.
 */
static int x509_crl_get_version( unsigned char **p,
                                 const unsigned char *end,
                                 int *ver )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
    {
        /* Absent field: the next element is not an INTEGER. The cursor is
         * presumably left untouched by mbedtls_asn1_get_int() in that case;
         * the caller relies on this to parse the following field. */
        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
        {
            *ver = 0;
            return( 0 );
        }

        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) );
    }

    return( 0 );
}

/*
 * X.509 CRL v2 extensions
 *
 * We currently don't parse any extension's content, but we do check that the
 * list of extensions is well-formed and abort on critical extensions (that
 * are unsupported as we don't support any extension so far)
 *
 * p   - in/out: cursor, advanced past the whole crlExtensions element
 * end - one past the last readable byte of the TBSCertList
 * ext - out: raw bounds of the Extensions SEQUENCE, as filled in by
 *       mbedtls_x509_get_ext()
 *
 * Returns 0 when the element is absent (cursor already at end) or when every
 * extension is well-formed and non-critical. Otherwise returns
 * MBEDTLS_ERR_X509_INVALID_EXTENSIONS combined with the ASN.1 cause; a
 * critical extension is reported with MBEDTLS_ERR_ASN1_UNEXPECTED_TAG as the
 * cause, so callers cannot tell it apart from a malformed tag by the code
 * alone.
 */
static int x509_get_crl_ext( unsigned char **p,
                             const unsigned char *end,
                             mbedtls_x509_buf *ext )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    /* crlExtensions is OPTIONAL: nothing left in the TBSCertList is fine */
    if( *p == end )
        return( 0 );

    /*
     * crlExtensions [0] EXPLICIT Extensions OPTIONAL
     * -- if present, version MUST be v2
     */
    /* The trailing 0 is the context-specific tag number of the [0] wrapper */
    if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
        return( ret );

    /* From here on, parse strictly within the Extensions SEQUENCE */
    end = ext->p + ext->len;

    while( *p < end )
    {
        /*
         * Extension ::= SEQUENCE {
         *      extnID      OBJECT IDENTIFIER,
         *      critical    BOOLEAN DEFAULT FALSE,
         *      extnValue   OCTET STRING  }
         */
        int is_critical = 0;
        const unsigned char *end_ext_data;
        size_t len;

        /* Get enclosing sequence tag */
        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );

        end_ext_data = *p + len;

        /* Get OID (currently ignored) */
        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
                                          MBEDTLS_ASN1_OID ) ) != 0 )
        {
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
        }
        *p += len;

        /* Get optional critical */
        /* DEFAULT FALSE: an absent BOOLEAN (UNEXPECTED_TAG) keeps
         * is_critical == 0; any other ASN.1 failure is an error */
        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
                                           &is_critical ) ) != 0 &&
            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
        {
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
        }

        /* Data should be octet string type */
        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );

        /* Ignore data so far and just check its length */
        *p += len;
        /* The three inner elements must fill the Extension SEQUENCE exactly */
        if( *p != end_ext_data )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );

        /* Abort on (unsupported) critical extensions */
        /* No extnID is recognised here, so RFC 5280 requires rejecting the
         * CRL whenever the extension is marked critical; non-critical ones
         * were simply skipped above */
        if( is_critical )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
    }

    /* The extensions must fill the Extensions SEQUENCE exactly */
    if( *p != end )
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );

    return( 0 );
}

/*
 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
 *
 * Validate the framing of the optional crlEntryExtensions of one
 * revokedCertificates entry.
 *
 * p   - in/out: cursor, advanced past the Extensions SEQUENCE when present
 * end - one past the last readable byte of the entry
 * ext - out: ext->tag and ext->p/ext->len describe the Extensions SEQUENCE;
 *       ext->p is reset to NULL when no SEQUENCE is found, but ext->tag keeps
 *       the byte that was read
 *
 * Returns 0 when the element is absent or when every entry extension is a
 * well-formed SEQUENCE; otherwise MBEDTLS_ERR_X509_INVALID_EXTENSIONS
 * combined with the ASN.1 cause.
 *
 * Unlike x509_get_crl_ext(), neither the extnID nor the critical flag of an
 * entry extension is examined: each one is skipped after its outer SEQUENCE
 * framing is checked, so critical entry extensions do not cause rejection.
 */
static int x509_get_crl_entry_ext( unsigned char **p,
                                   const unsigned char *end,
                                   mbedtls_x509_buf *ext )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t len = 0;

    /* OPTIONAL */
    if( end <= *p )
        return( 0 );

    /* Recorded before the tag is verified; only ext->p is undone below */
    ext->tag = **p;
    ext->p = *p;

    /*
     * Get CRL-entry extension sequence header
     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
     */
    if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
    {
        /* Not an Extensions SEQUENCE: treat as absent and leave the cursor
         * for the caller, which decides what the remaining bytes are */
        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
        {
            ext->p = NULL;
            return( 0 );
        }
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
    }

    /* Restrict parsing to the Extensions SEQUENCE just read */
    end = *p + ext->len;

    /* NOTE(review): this comparison can never be true since end was just
     * assigned the same expression; the mismatch branch is dead code. The
     * real bound check is the mbedtls_asn1_get_tag() call above. */
    if( end != *p + ext->len )
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );

    /* Each Extension is a SEQUENCE; its content is skipped unread */
    while( *p < end )
    {
        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
            return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );

        *p += len;
    }

    /* The extensions must fill the Extensions SEQUENCE exactly */
    if( *p != end )
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );

    return( 0 );
}

/*
 * X.509 CRL Entries
 *
 * Parse the optional revokedCertificates SEQUENCE into a linked list of
 * entries.
 *
 * p     - in/out: cursor, advanced past the revokedCertificates element
 * end   - one past the last readable byte of the TBSCertList
 * entry - first list node, embedded in the CRL; it is filled in place and
 *         further nodes are allocated with mbedtls_calloc() and linked via
 *         ->next. Nothing is written when the element is absent.
 *
 * Returns 0 on success, MBEDTLS_ERR_X509_ALLOC_FAILED when a node cannot be
 * allocated, or the error from the helper that failed. Nodes already linked
 * are not released here; the caller passes the CRL to
 * mbedtls_x509_crl_free() on error.
 */
static int x509_get_entries( unsigned char **p,
                             const unsigned char *end,
                             mbedtls_x509_crl_entry *entry )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t entry_len;
    mbedtls_x509_crl_entry *cur_entry = entry;

    /* revokedCertificates is OPTIONAL */
    if( *p == end )
        return( 0 );

    if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
            MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
    {
        /* Some other element (e.g. crlExtensions) follows instead: absent */
        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
            return( 0 );

        return( ret );
    }

    /* Restrict parsing to the outer SEQUENCE just read */
    end = *p + entry_len;

    while( *p < end )
    {
        size_t len2;
        const unsigned char *end2;

        /* Safe to read: the loop condition guarantees at least one byte */
        cur_entry->raw.tag = **p;
        if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
                MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
        {
            return( ret );
        }

        cur_entry->raw.p = *p;
        cur_entry->raw.len = len2;
        end2 = *p + len2;

        if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
            return( ret );

        if( ( ret = mbedtls_x509_get_time( p, end2,
                                           &cur_entry->revocation_date ) ) != 0 )
            return( ret );

        if( ( ret = x509_get_crl_entry_ext( p, end2,
                                            &cur_entry->entry_ext ) ) != 0 )
            return( ret );

        /* NOTE(review): *p is not compared with end2 here. Bytes left in
         * this entry after the extensions are consumed by the next
         * iteration's SEQUENCE tag check rather than rejected outright. */

        /* Allocate the next node only when more data follows, so the list
         * never ends with an empty node */
        if( *p < end )
        {
            cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );

            if( cur_entry->next == NULL )
                return( MBEDTLS_ERR_X509_ALLOC_FAILED );

            cur_entry = cur_entry->next;
        }
    }

    return( 0 );
}

/*
 * Parse one CRL in DER format and append it to the chained list
 *
 * chain  - head of the CRL list; an unused node (version == 0) is filled in
 *          place, otherwise a new node is allocated and linked after the
 *          last populated one
 * buf    - DER-encoded CertificateList; it is copied, so the caller keeps
 *          ownership of buf
 * buflen - length of buf in bytes; 0 is rejected
 *
 * Returns 0 on success, MBEDTLS_ERR_X509_BAD_INPUT_DATA for NULL arguments,
 * MBEDTLS_ERR_X509_ALLOC_FAILED, or the X.509/ASN.1 error of the element
 * that failed to parse.
 *
 * On a parse failure the node being filled is passed to
 * mbedtls_x509_crl_free(). When that node was appended by this call, the
 * previous node still links to it, so this relies on mbedtls_x509_crl_free()
 * leaving the node it is handed allocated (only its contents released) —
 * confirm against that function.
 *
 * Only parsing is done here: the signature is extracted into crl->sig but
 * not verified, and thisUpdate/nextUpdate are not compared with the current
 * time. Both are the caller's responsibility.
 */
int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
                                const unsigned char *buf, size_t buflen )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t len;
    unsigned char *p = NULL, *end = NULL;
    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
    mbedtls_x509_crl *crl = chain;

    /*
     * Check for valid input
     */
    if( crl == NULL || buf == NULL )
        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );

    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );

    /*
     * Add new CRL on the end of the chain if needed.
     */
    /* version != 0 marks a populated node (the stored version is raw+1) */
    while( crl->version != 0 && crl->next != NULL )
        crl = crl->next;

    if( crl->version != 0 && crl->next == NULL )
    {
        crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );

        /* NOTE(review): crl still points at the last *populated* node here,
         * so an allocation failure releases the contents of a CRL that was
         * parsed successfully by an earlier call. */
        if( crl->next == NULL )
        {
            mbedtls_x509_crl_free( crl );
            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
        }

        mbedtls_x509_crl_init( crl->next );
        crl = crl->next;
    }

    /*
     * Copy raw DER-encoded CRL
     */
    /* Checked only after a node may have been appended; that node then
     * stays empty (version 0) and is reused by the next call */
    if( buflen == 0 )
        return( MBEDTLS_ERR_X509_INVALID_FORMAT );

    p = mbedtls_calloc( 1, buflen );
    if( p == NULL )
        return( MBEDTLS_ERR_X509_ALLOC_FAILED );

    memcpy( p, buf, buflen );

    /* The node owns this copy; it is released by mbedtls_x509_crl_free() */
    crl->raw.p = p;
    crl->raw.len = buflen;

    end = p + buflen;

    /*
     * CertificateList  ::=  SEQUENCE  {
     *      tbsCertList          TBSCertList,
     *      signatureAlgorithm   AlgorithmIdentifier,
     *      signatureValue       BIT STRING  }
     */
    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
    }

    /* The outer SEQUENCE must span the whole buffer: no trailing bytes */
    if( len != (size_t) ( end - p ) )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
    }

    /*
     * TBSCertList  ::=  SEQUENCE  {
     */
    /* crl->tbs covers the whole TBSCertList including its tag and length,
     * i.e. exactly the bytes the signature is computed over */
    crl->tbs.p = p;

    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
    }

    /* From here until the signature, parse within the TBSCertList only */
    end = p + len;
    crl->tbs.len = end - crl->tbs.p;

    /*
     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
     *               -- if present, MUST be v2
     *
     * signature            AlgorithmIdentifier
     */
    if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
        ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    /* Only v1 (0) and v2 (1) exist; anything else is rejected outright */
    if( crl->version < 0 || crl->version > 1 )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
    }

    /* Stored as raw value + 1: 1 for v1, 2 for v2. This also makes the
     * chain-walk above treat the node as populated. */
    crl->version++;

    /* Resolve the OID into md/pk identifiers; crl->sig_opts may be
     * allocated here (it is released under MBEDTLS_X509_RSASSA_PSS_SUPPORT
     * in mbedtls_x509_crl_free()) */
    if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
                                          &crl->sig_md, &crl->sig_pk,
                                          &crl->sig_opts ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
    }

    /*
     * issuer               Name
     */
    /* issuer_raw keeps the encoded Name (tag included) for later matching */
    crl->issuer_raw.p = p;

    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
    }

    /* The Name parser is bounded by its own SEQUENCE, not by the TBS end */
    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    crl->issuer_raw.len = p - crl->issuer_raw.p;

    /*
     * thisUpdate          Time
     * nextUpdate          Time OPTIONAL
     */
    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
    {
        /* nextUpdate is OPTIONAL: tolerate exactly the two "not there"
         * outcomes (another element follows, or the TBS ended). Any other
         * failure is a malformed date. When absent, crl->next_update keeps
         * its initial value (all zero if the node came from
         * mbedtls_x509_crl_init()/mbedtls_calloc()). */
        if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) &&
            ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
                        MBEDTLS_ERR_ASN1_OUT_OF_DATA ) ) )
        {
            mbedtls_x509_crl_free( crl );
            return( ret );
        }
    }

    /*
     * revokedCertificates    SEQUENCE OF SEQUENCE   {
     *      userCertificate        CertificateSerialNumber,
     *      revocationDate         Time,
     *      crlEntryExtensions     Extensions OPTIONAL
     *                                   -- if present, MUST be v2
     *                        } OPTIONAL
     */
    /* Leaves crl->entry untouched when the element is absent */
    if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    /*
     * crlExtensions          EXPLICIT Extensions OPTIONAL
     *                              -- if present, MUST be v2
     */
    /* Only a v2 CRL may carry extensions. For v1, anything left in the
     * TBSCertList trips the p != end check right below, so extensions on a
     * v1 CRL are rejected as INVALID_FORMAT. */
    if( crl->version == 2 )
    {
        ret = x509_get_crl_ext( &p, end, &crl->crl_ext );

        if( ret != 0 )
        {
            mbedtls_x509_crl_free( crl );
            return( ret );
        }
    }

    /* The TBSCertList must have been consumed exactly */
    if( p != end )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
    }

    /* Back to the bound of the whole CertificateList for the trailer */
    end = crl->raw.p + crl->raw.len;

    /*
     *  signatureAlgorithm   AlgorithmIdentifier,
     *  signatureValue       BIT STRING
     */
    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    /* RFC 5280 5.1.1.2: the outer signatureAlgorithm must be identical to
     * the inner signature field, OID and parameters alike. Rejecting a
     * mismatch prevents the unsigned outer field from steering which
     * algorithm the (signed) CRL is later verified with. */
    if( crl->sig_oid.len != sig_oid2.len ||
        memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
        sig_params1.len != sig_params2.len ||
        ( sig_params1.len != 0 &&
          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
    }

    /* Extract the signature bits only; nothing here verifies them */
    if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
    {
        mbedtls_x509_crl_free( crl );
        return( ret );
    }

    /* Nothing may follow signatureValue inside the CertificateList */
    if( p != end )
    {
        mbedtls_x509_crl_free( crl );
        return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
    }

    return( 0 );
}

/*
 * Parse one or more CRLs and add them to the chained list
 *
 * chain  - list to append to (see mbedtls_x509_crl_parse_der())
 * buf    - either a single DER CRL, or (with MBEDTLS_PEM_PARSE_C) one or more
 *          PEM "X509 CRL" blocks; PEM input must end with a NUL byte that is
 *          counted in buflen
 * buflen - length of buf, including that terminating NUL for PEM input
 *
 * Returns 0 on success, MBEDTLS_ERR_X509_BAD_INPUT_DATA for NULL arguments
 * (PEM build only), or the first parse error. PEM blocks are parsed in order
 * and a CRL that parsed successfully stays in the chain even when a later
 * block fails, so the chain may be partially updated on error.
 */
int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
{
#if defined(MBEDTLS_PEM_PARSE_C)
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t use_len = 0;
    mbedtls_pem_context pem;
    int is_pem = 0;

    if( chain == NULL || buf == NULL )
        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );

    do
    {
        mbedtls_pem_init( &pem );

        // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
        // string
        if( buflen == 0 || buf[buflen - 1] != '\0' )
            ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
        else
            /* use_len receives how many input bytes the PEM block consumed,
             * as reported by mbedtls_pem_read_buffer() */
            ret = mbedtls_pem_read_buffer( &pem,
                                           "-----BEGIN X509 CRL-----",
                                           "-----END X509 CRL-----",
                                           buf, NULL, 0, &use_len );

        if( ret == 0 )
        {
            /*
             * Was PEM encoded
             */
            is_pem = 1;

            buflen -= use_len;
            buf += use_len;

            /* pem.buf holds the decoded DER; parse_der copies it, so the
             * PEM context can be freed right after */
            if( ( ret = mbedtls_x509_crl_parse_der( chain,
                                                    pem.buf, pem.buflen ) ) != 0 )
            {
                mbedtls_pem_free( &pem );
                return( ret );
            }
        }
        else if( is_pem )
        {
            /* A later block failed after at least one PEM CRL was added:
             * report it rather than falling back to DER */
            mbedtls_pem_free( &pem );
            return( ret );
        }

        mbedtls_pem_free( &pem );
    }
    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
     * And a valid CRL cannot be less than 1 byte anyway. */
    while( is_pem && buflen > 1 );

    /* If the very first PEM attempt failed for any reason (not only a
     * missing header/footer), the whole buffer is handed to the DER parser */
    if( is_pem )
        return( 0 );
    else
#endif /* MBEDTLS_PEM_PARSE_C */
        return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
}

#if defined(MBEDTLS_FS_IO)
/*
 * Load one or more CRLs and add them to the chained list
 *
 * chain - list to append to
 * path  - file to read; the whole file is loaded with mbedtls_pk_load_file(),
 *         which is expected to NUL-terminate PEM content so that
 *         mbedtls_x509_crl_parse() accepts it — confirm against that helper
 *
 * Returns the load error, or the result of mbedtls_x509_crl_parse().
 * The file buffer is owned here: it is zeroized before being freed so the
 * loaded contents do not linger in the heap.
 */
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t n;
    unsigned char *buf;

    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
        return( ret );

    ret = mbedtls_x509_crl_parse( chain, buf, n );

    /* Wipe before free: the CRL nodes hold their own copies of the DER */
    mbedtls_platform_zeroize( buf, n );
    mbedtls_free( buf );

    return( ret );
}
#endif /* MBEDTLS_FS_IO */

/*
 * Field-name column width for the informational string (string form BC is
 * for use in a printf width). Neither is referenced by the code below.
 */
#define BEFORE_COLON    14
#define BC              "14"
/*
 * Return an informational string about the CRL.
 *
 * buf    - output buffer
 * size   - capacity of buf in bytes
 * prefix - string printed at the start of every line
 * crl    - parsed CRL to describe; neither crl nor prefix is NULL-checked
 *
 * Returns the number of bytes written, computed as size - n; this relies on
 * MBEDTLS_X509_SAFE_SNPRINTF (defined elsewhere) advancing p and n by ret
 * after each call and returning early with an error code on truncation or
 * formatting failure — confirm against that macro.
 */
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_crl *crl )
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t n;
    char *p;
    const mbedtls_x509_crl_entry *entry;

    p = buf;
    n = size;

    ret = mbedtls_snprintf( p, n, "%sCRL version   : %d",
                               prefix, crl->version );
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf( p, n, "\n%sissuer name   : ", prefix );
    MBEDTLS_X509_SAFE_SNPRINTF;
    ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf( p, n, "\n%sthis update   : " \
                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                   crl->this_update.year, crl->this_update.mon,
                   crl->this_update.day,  crl->this_update.hour,
                   crl->this_update.min,  crl->this_update.sec );
    MBEDTLS_X509_SAFE_SNPRINTF;

    /* Printed unconditionally: when nextUpdate was absent from the CRL the
     * fields show whatever the node was initialised with */
    ret = mbedtls_snprintf( p, n, "\n%snext update   : " \
                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                   crl->next_update.year, crl->next_update.mon,
                   crl->next_update.day,  crl->next_update.hour,
                   crl->next_update.min,  crl->next_update.sec );
    MBEDTLS_X509_SAFE_SNPRINTF;

    entry = &crl->entry;

    ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
                               prefix );
    MBEDTLS_X509_SAFE_SNPRINTF;

    /* raw.len == 0 identifies the embedded first node of a CRL that had no
     * revokedCertificates, so nothing is printed for it */
    while( entry != NULL && entry->raw.len != 0 )
    {
        ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
                               prefix );
        MBEDTLS_X509_SAFE_SNPRINTF;

        ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
        MBEDTLS_X509_SAFE_SNPRINTF;

        ret = mbedtls_snprintf( p, n, " revocation date: " \
                   "%04d-%02d-%02d %02d:%02d:%02d",
                   entry->revocation_date.year, entry->revocation_date.mon,
                   entry->revocation_date.day,  entry->revocation_date.hour,
                   entry->revocation_date.min,  entry->revocation_date.sec );
        MBEDTLS_X509_SAFE_SNPRINTF;

        entry = entry->next;
    }

    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
                                     crl->sig_opts );
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf( p, n, "\n" );
    MBEDTLS_X509_SAFE_SNPRINTF;

    return( (int) ( size - n ) );
}

/*
/*
 * Initialize a CRL chain: zero the caller-owned head node so that every
 * pointer in it (issuer.next, entry.next, raw.p, next, sig_opts) is NULL
 * and mbedtls_x509_crl_free() can be called on it safely.
 */
void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
{
    memset( crl, 0, sizeof( *crl ) );
}

/*
 * Release everything a single CRL node owns, without touching the node
 * itself:
 *   - the RSASSA-PSS signature options (only freed, not wiped, as before),
 *   - the issuer-name components after the embedded first one,
 *   - the revoked-certificate entries after the embedded first one,
 *   - the raw DER copy.
 * Each heap block is wiped with mbedtls_platform_zeroize() before it is
 * handed back to the allocator so that parsed certificate material does
 * not linger in freed memory. The node's pointers are left dangling on
 * purpose: mbedtls_x509_crl_free() wipes the whole node right after.
 */
static void x509_crl_free_contents( mbedtls_x509_crl *cur )
{
    mbedtls_x509_name *name;
    mbedtls_x509_crl_entry *ent;

#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    mbedtls_free( cur->sig_opts );
#endif

    /* The first issuer component lives inside the struct; only the
     * following ones were allocated individually. */
    for( name = cur->issuer.next; name != NULL; )
    {
        mbedtls_x509_name *victim = name;
        name = name->next;
        mbedtls_platform_zeroize( victim, sizeof( *victim ) );
        mbedtls_free( victim );
    }

    /* Same layout for the revoked-entry list. */
    for( ent = cur->entry.next; ent != NULL; )
    {
        mbedtls_x509_crl_entry *victim = ent;
        ent = ent->next;
        mbedtls_platform_zeroize( victim, sizeof( *victim ) );
        mbedtls_free( victim );
    }

    if( cur->raw.p != NULL )
    {
        mbedtls_platform_zeroize( cur->raw.p, cur->raw.len );
        mbedtls_free( cur->raw.p );
    }
}

/*
 * Unallocate all CRL data in the chain starting at crl.
 *
 * Two passes: the first releases what every node owns, the second wipes
 * the nodes themselves. Every node is zeroized; every node except the head
 * is also freed, because the head is owned by the caller (typically a stack
 * or embedded struct initialized with mbedtls_x509_crl_init()). A NULL
 * argument is a no-op.
 */
void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
{
    mbedtls_x509_crl *cur;

    if( crl == NULL )
        return;

    /* Pass 1: release per-node contents. */
    for( cur = crl; cur != NULL; cur = cur->next )
        x509_crl_free_contents( cur );

    /* Pass 2: wipe the nodes; the link is read before the wipe destroys it. */
    cur = crl;
    do
    {
        mbedtls_x509_crl *victim = cur;
        cur = cur->next;

        mbedtls_platform_zeroize( victim, sizeof( *victim ) );
        if( victim != crl )
            mbedtls_free( victim );
    }
    while( cur != NULL );
}

#endif /* MBEDTLS_X509_CRL_PARSE_C */