1817466cbSJens Wiklander /* 2*32b31808SJens Wiklander * X.509 Certificate Revocation List (CRL) parsing 3817466cbSJens Wiklander * 47901324dSJerome Forissier * Copyright The Mbed TLS Contributors 57901324dSJerome Forissier * SPDX-License-Identifier: Apache-2.0 6817466cbSJens Wiklander * 7817466cbSJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 8817466cbSJens Wiklander * not use this file except in compliance with the License. 9817466cbSJens Wiklander * You may obtain a copy of the License at 10817466cbSJens Wiklander * 11817466cbSJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 12817466cbSJens Wiklander * 13817466cbSJens Wiklander * Unless required by applicable law or agreed to in writing, software 14817466cbSJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15817466cbSJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16817466cbSJens Wiklander * See the License for the specific language governing permissions and 17817466cbSJens Wiklander * limitations under the License. 18817466cbSJens Wiklander */ 19817466cbSJens Wiklander /* 20817466cbSJens Wiklander * The ITU-T X.509 standard defines a certificate format for PKI. 
21817466cbSJens Wiklander * 22817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) 23817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) 24817466cbSJens Wiklander * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) 25817466cbSJens Wiklander * 26817466cbSJens Wiklander * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf 27817466cbSJens Wiklander * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf 28817466cbSJens Wiklander */ 29817466cbSJens Wiklander 307901324dSJerome Forissier #include "common.h" 31817466cbSJens Wiklander 32817466cbSJens Wiklander #if defined(MBEDTLS_X509_CRL_PARSE_C) 33817466cbSJens Wiklander 34817466cbSJens Wiklander #include "mbedtls/x509_crl.h" 3511fa71b9SJerome Forissier #include "mbedtls/error.h" 36817466cbSJens Wiklander #include "mbedtls/oid.h" 373d3b0591SJens Wiklander #include "mbedtls/platform_util.h" 38817466cbSJens Wiklander 39817466cbSJens Wiklander #include <string.h> 40817466cbSJens Wiklander 41817466cbSJens Wiklander #if defined(MBEDTLS_PEM_PARSE_C) 42817466cbSJens Wiklander #include "mbedtls/pem.h" 43817466cbSJens Wiklander #endif 44817466cbSJens Wiklander 45817466cbSJens Wiklander #include "mbedtls/platform.h" 46817466cbSJens Wiklander 47039e02dfSJerome Forissier #if defined(MBEDTLS_HAVE_TIME) 48817466cbSJens Wiklander #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 49817466cbSJens Wiklander #include <windows.h> 50817466cbSJens Wiklander #else 51817466cbSJens Wiklander #include <time.h> 52817466cbSJens Wiklander #endif 53039e02dfSJerome Forissier #endif 54817466cbSJens Wiklander 55817466cbSJens Wiklander #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32) 56817466cbSJens Wiklander #include <stdio.h> 57817466cbSJens Wiklander #endif 58817466cbSJens Wiklander 59817466cbSJens Wiklander /* 60817466cbSJens Wiklander * Version ::= INTEGER { v1(0), v2(1) } 61817466cbSJens Wiklander */ 62817466cbSJens Wiklander 
/*
 * Read the optional "version" INTEGER of a TBSCertList.
 *
 * On success *ver holds the decoded value and 0 is returned.  When no
 * INTEGER is present (the ASN.1 layer reports MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)
 * the field is absent, which per the grammar above means v1: *ver is set to 0
 * and 0 is returned.  Any other ASN.1 failure is returned combined with
 * MBEDTLS_ERR_X509_INVALID_VERSION.  Range checking of the value (only v1/v2
 * are accepted) is left to the caller, mbedtls_x509_crl_parse_der().
 */
static int x509_crl_get_version(unsigned char **p,
                                const unsigned char *end,
                                int *ver)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    if ((ret = mbedtls_asn1_get_int(p, end, ver)) != 0) {
        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
            /* Absent OPTIONAL field: default to v1 (encoded as 0). */
            *ver = 0;
            return 0;
        }

        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_VERSION, ret);
    }

    return 0;
}

/*
 * X.509 CRL v2 extensions
 *
 * We currently don't parse any extension's content, but we do check that the
 * list of extensions is well-formed and abort on critical extensions (that
 * are unsupported as we don't support any extension so far)
 *
 * Inputs: *p points at the optional crlExtensions element, end bounds the
 * TBSCertList.  On success *p is advanced past the whole [0] EXPLICIT
 * wrapper, ext describes the raw Extensions SEQUENCE, and 0 is returned.
 * If *p == end the field is absent and 0 is returned with ext untouched.
 * Every structural failure, a trailing-byte mismatch, or any extension whose
 * "critical" BOOLEAN is TRUE yields MBEDTLS_ERR_X509_INVALID_EXTENSIONS
 * combined with the underlying ASN.1 code.  Rejecting unknown critical
 * extensions is the behaviour RFC 5280 requires for CRL consumers.
 */
static int x509_get_crl_ext(unsigned char **p,
                            const unsigned char *end,
                            mbedtls_x509_buf *ext)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    /* Nothing left in the TBSCertList: the OPTIONAL element is absent. */
    if (*p == end) {
        return 0;
    }

    /*
     * crlExtensions           [0] EXPLICIT Extensions OPTIONAL
     *                              -- if present, version MUST be v2
     *
     * The final argument 0 is the context-specific tag number of the
     * EXPLICIT wrapper.
     */
    if ((ret = mbedtls_x509_get_ext(p, end, ext, 0)) != 0) {
        return ret;
    }

    /* From here on, bound every read by the Extensions SEQUENCE itself. */
    end = ext->p + ext->len;

    while (*p < end) {
        /*
         * Extension  ::=  SEQUENCE  {
         *      extnID      OBJECT IDENTIFIER,
         *      critical    BOOLEAN DEFAULT FALSE,
         *      extnValue   OCTET STRING  }
         */
        int is_critical = 0;
        const unsigned char *end_ext_data;
        size_t len;

        /* Get enclosing sequence tag */
        if ((ret = mbedtls_asn1_get_tag(p, end, &len,
                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
        }

        end_ext_data = *p + len;

        /* Get OID (currently ignored) */
        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
                                        MBEDTLS_ASN1_OID)) != 0) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
        }
        *p += len;

        /*
         * Get optional critical.  A tag mismatch means the BOOLEAN is absent
         * (DEFAULT FALSE), so is_critical keeps its initial 0 and the error
         * is deliberately ignored.
         */
        if ((ret = mbedtls_asn1_get_bool(p, end_ext_data,
                                         &is_critical)) != 0 &&
            (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
        }

        /* Data should be octet string type */
        if ((ret = mbedtls_asn1_get_tag(p, end_ext_data, &len,
                                        MBEDTLS_ASN1_OCTET_STRING)) != 0) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
        }

        /* Ignore data so far and just check its length */
        *p += len;
        if (*p != end_ext_data) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                                     MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
        }

        /*
         * Abort on (unsupported) critical extensions.  Since no extension is
         * interpreted here, accepting a critical one would mean silently
         * ignoring semantics the issuer declared mandatory.
         */
        if (is_critical) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                                     MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
        }
    }

    /* The extensions must fill the SEQUENCE exactly: no trailing bytes. */
    if (*p != end) {
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    return 0;
}

/*
 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
 *
 * Walk the optional crlEntryExtensions SEQUENCE that may follow an entry's
 * revocationDate.  Only the outer structure is checked: every element must
 * be a constructed SEQUENCE that fits, and the elements must exactly fill the
 * outer SEQUENCE.  Nothing inside an element is decoded, so — unlike
 * x509_get_crl_ext() for CRL-level extensions — a critical entry extension is
 * not rejected here, as far as this file shows.
 *
 * Returns 0 leaving ext untouched when *p is already at end; 0 with
 * ext->p = NULL when the next element is not a SEQUENCE (field absent); 0
 * with ext describing the raw SEQUENCE and *p advanced past it on success;
 * otherwise MBEDTLS_ERR_X509_INVALID_EXTENSIONS combined with the ASN.1 code.
 */
static int x509_get_crl_entry_ext(unsigned char **p,
                                  const unsigned char *end,
                                  mbedtls_x509_buf *ext)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t len = 0;

    /* OPTIONAL */
    if (end <= *p) {
        return 0;
    }

    /* Record the raw element before the tag is consumed. */
    ext->tag = **p;
    ext->p = *p;

    /*
     * Get CRL-entry extension sequence header
     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
     */
    if ((ret = mbedtls_asn1_get_tag(p, end, &ext->len,
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
            /* Not a SEQUENCE: the OPTIONAL field is absent. */
            ext->p = NULL;
            return 0;
        }
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
    }

    end = *p + ext->len;

    /*
     * NOTE(review): this comparison can never be true — `end` was assigned
     * exactly `*p + ext->len` on the previous line, so the branch is dead.
     * Whether ext->len fits before the caller's bound is a property of
     * mbedtls_asn1_get_tag(), which is not visible in this file.
     */
    if (end != *p + ext->len) {
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    /* Skip over each Extension SEQUENCE without looking inside it. */
    while (*p < end) {
        if ((ret = mbedtls_asn1_get_tag(p, end, &len,
                                        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
        }

        *p += len;
    }

    if (*p != end) {
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    return 0;
}

/*
 * X.509 CRL Entries
 *
 * Parse the optional revokedCertificates SEQUENCE OF into the linked list
 * rooted at `entry` (the first entry is the caller's embedded struct; every
 * further one is mbedtls_calloc'd on demand and linked through ->next).
 * For each entry the raw element, serial, revocationDate and the optional
 * crlEntryExtensions are stored.
 *
 * Returns 0 if *p == end or the next element is not a SEQUENCE (field
 * absent), 0 with *p advanced past the list on success, the callee's error
 * code otherwise, or MBEDTLS_ERR_X509_ALLOC_FAILED when a new entry cannot
 * be allocated.  On any failure the entries linked so far remain attached;
 * the caller releases them via mbedtls_x509_crl_free().
 */
static int x509_get_entries(unsigned char **p,
                            const unsigned char *end,
                            mbedtls_x509_crl_entry *entry)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t entry_len;
    mbedtls_x509_crl_entry *cur_entry = entry;

    if (*p == end) {
        return 0;
    }

    if ((ret = mbedtls_asn1_get_tag(p, end, &entry_len,
                                    MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
        if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
            /* No revokedCertificates: an empty CRL is valid. */
            return 0;
        }

        return ret;
    }

    /* Bound the loop by the SEQUENCE OF, not the whole TBSCertList. */
    end = *p + entry_len;

    while (*p < end) {
        size_t len2;
        const unsigned char *end2;

        /* *p < end guarantees at least one byte is readable here. */
        cur_entry->raw.tag = **p;

        if ((ret = mbedtls_asn1_get_tag(p, end, &len2,
                                        MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED)) != 0) {
            return ret;
        }

        cur_entry->raw.p = *p;
        cur_entry->raw.len = len2;
        end2 = *p + len2;

        if ((ret = mbedtls_x509_get_serial(p, end2, &cur_entry->serial)) != 0) {
            return ret;
        }

        if ((ret = mbedtls_x509_get_time(p, end2,
                                         &cur_entry->revocation_date)) != 0) {
            return ret;
        }

        if ((ret = x509_get_crl_entry_ext(p, end2,
                                          &cur_entry->entry_ext)) != 0) {
            return ret;
        }

        /*
         * NOTE(review): *p is not compared with end2 here, so any bytes left
         * inside this entry after the (optional) extensions are parsed as the
         * start of the next entry by the loop above.
         */

        /* Only allocate a successor when more entries follow. */
        if (*p < end) {
            cur_entry->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl_entry));

            if (cur_entry->next == NULL) {
                return MBEDTLS_ERR_X509_ALLOC_FAILED;
            }

            cur_entry = cur_entry->next;
        }
    }

    return 0;
}

/*
 * Parse one CRLs in DER format and append it to the chained list
 *
 * `chain` is the head of a list whose nodes were set up by
 * mbedtls_x509_crl_init() (version == 0 marks an unused node).  The first
 * unused node, or a freshly allocated one appended at the tail, receives the
 * parsed CRL; the DER bytes are copied so `buf` need not outlive the chain.
 *
 * Returns 0 on success.  Failure codes: MBEDTLS_ERR_X509_BAD_INPUT_DATA for
 * NULL arguments, MBEDTLS_ERR_X509_ALLOC_FAILED, MBEDTLS_ERR_X509_INVALID_FORMAT
 * (alone or combined with an ASN.1 code) for structural problems,
 * MBEDTLS_ERR_X509_UNKNOWN_VERSION, MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG,
 * MBEDTLS_ERR_X509_SIG_MISMATCH, or whatever a sub-parser returned.
 *
 * Clean-up on failure: mbedtls_x509_crl_free(crl) is called on the node
 * being filled.  Because that function never frees the node it is passed
 * (see the crl_prv != crl test there), a node that was appended to the chain
 * stays linked, zeroized, and is released when the head is freed.
 */
int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain,
                               const unsigned char *buf, size_t buflen)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t len;
    unsigned char *p = NULL, *end = NULL;
    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
    mbedtls_x509_crl *crl = chain;

    /*
     * Check for valid input
     */
    if (crl == NULL || buf == NULL) {
        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
    }

    memset(&sig_params1, 0, sizeof(mbedtls_x509_buf));
    memset(&sig_params2, 0, sizeof(mbedtls_x509_buf));
    memset(&sig_oid2, 0, sizeof(mbedtls_x509_buf));

    /*
     * Add new CRL on the end of the chain if needed.
     */
    while (crl->version != 0 && crl->next != NULL) {
        crl = crl->next;
    }

    if (crl->version != 0 && crl->next == NULL) {
        crl->next = mbedtls_calloc(1, sizeof(mbedtls_x509_crl));

        /*
         * NOTE(review): `crl` is still the last, already-parsed node here,
         * so this free discards that CRL's contents (the node itself stays
         * linked and zeroized, i.e. becomes an unused slot).
         */
        if (crl->next == NULL) {
            mbedtls_x509_crl_free(crl);
            return MBEDTLS_ERR_X509_ALLOC_FAILED;
        }

        mbedtls_x509_crl_init(crl->next);
        crl = crl->next;
    }

    /*
     * Copy raw DER-encoded CRL
     *
     * An empty input leaves the (possibly just appended) node unused; its
     * version is still 0 so the next call will reuse it.
     */
    if (buflen == 0) {
        return MBEDTLS_ERR_X509_INVALID_FORMAT;
    }

    p = mbedtls_calloc(1, buflen);
    if (p == NULL) {
        return MBEDTLS_ERR_X509_ALLOC_FAILED;
    }

    memcpy(p, buf, buflen);

    /* The node owns this copy; every *_raw / *.p field below points into it. */
    crl->raw.p = p;
    crl->raw.len = buflen;

    end = p + buflen;

    /*
     * CertificateList  ::=  SEQUENCE  {
     *      tbsCertList          TBSCertList,
     *      signatureAlgorithm   AlgorithmIdentifier,
     *      signatureValue       BIT STRING  }
     */
    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERR_X509_INVALID_FORMAT;
    }

    /* The outer SEQUENCE must account for every input byte. */
    if (len != (size_t) (end - p)) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    /*
     * TBSCertList  ::=  SEQUENCE  {
     *
     * tbs spans the whole signed element, tag and length included, since it
     * starts before the tag is consumed.
     */
    crl->tbs.p = p;

    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
    }

    /* Until the signature is reached, `end` bounds the TBSCertList only. */
    end = p + len;
    crl->tbs.len = end - crl->tbs.p;

    /*
     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
     *               -- if present, MUST be v2
     *
     * signature            AlgorithmIdentifier
     */
    if ((ret = x509_crl_get_version(&p, end, &crl->version)) != 0 ||
        (ret = mbedtls_x509_get_alg(&p, end, &crl->sig_oid, &sig_params1)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    if (crl->version < 0 || crl->version > 1) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERR_X509_UNKNOWN_VERSION;
    }

    /* Store the human version number (1 or 2); non-zero also marks the node as used. */
    crl->version++;

    if ((ret = mbedtls_x509_get_sig_alg(&crl->sig_oid, &sig_params1,
                                        &crl->sig_md, &crl->sig_pk,
                                        &crl->sig_opts)) != 0) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG;
    }

    /*
     * issuer               Name
     */
    crl->issuer_raw.p = p;

    if ((ret = mbedtls_asn1_get_tag(&p, end, &len,
                                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT, ret);
    }

    if ((ret = mbedtls_x509_get_name(&p, p + len, &crl->issuer)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    crl->issuer_raw.len = p - crl->issuer_raw.p;

    /*
     * thisUpdate          Time
     * nextUpdate          Time OPTIONAL
     */
    if ((ret = mbedtls_x509_get_time(&p, end, &crl->this_update)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    /*
     * nextUpdate is OPTIONAL: a wrong tag or running out of data means it is
     * absent and next_update keeps whatever the node held (zero after init);
     * any other date error is fatal.
     */
    if ((ret = mbedtls_x509_get_time(&p, end, &crl->next_update)) != 0) {
        if (ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
                                      MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) &&
            ret != (MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE,
                                      MBEDTLS_ERR_ASN1_OUT_OF_DATA))) {
            mbedtls_x509_crl_free(crl);
            return ret;
        }
    }

    /*
     * revokedCertificates    SEQUENCE OF SEQUENCE   {
     *      userCertificate        CertificateSerialNumber,
     *      revocationDate         Time,
     *      crlEntryExtensions     Extensions OPTIONAL
     *                                   -- if present, MUST be v2
     *                        } OPTIONAL
     */
    if ((ret = x509_get_entries(&p, end, &crl->entry)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    /*
     * crlExtensions          EXPLICIT Extensions OPTIONAL
     *                              -- if present, MUST be v2
     *
     * For a v1 CRL the element is never read, so any extensions present are
     * caught by the p != end check just below as INVALID_FORMAT.
     */
    if (crl->version == 2) {
        ret = x509_get_crl_ext(&p, end, &crl->crl_ext);

        if (ret != 0) {
            mbedtls_x509_crl_free(crl);
            return ret;
        }
    }

    if (p != end) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    /* Back to the bound of the whole CertificateList for the signature part. */
    end = crl->raw.p + crl->raw.len;

    /*
     *  signatureAlgorithm   AlgorithmIdentifier,
     *  signatureValue       BIT STRING
     */
    if ((ret = mbedtls_x509_get_alg(&p, end, &sig_oid2, &sig_params2)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    /*
     * The outer signatureAlgorithm must equal the signature field inside the
     * signed TBSCertList (RFC 5280 §5.1.1.2); accepting a mismatch would let
     * the unsigned outer field pick the algorithm the verifier uses.
     */
    if (crl->sig_oid.len != sig_oid2.len ||
        memcmp(crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len) != 0 ||
        sig_params1.len != sig_params2.len ||
        (sig_params1.len != 0 &&
         memcmp(sig_params1.p, sig_params2.p, sig_params1.len) != 0)) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERR_X509_SIG_MISMATCH;
    }

    if ((ret = mbedtls_x509_get_sig(&p, end, &crl->sig)) != 0) {
        mbedtls_x509_crl_free(crl);
        return ret;
    }

    /* No bytes may follow the signature. */
    if (p != end) {
        mbedtls_x509_crl_free(crl);
        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_FORMAT,
                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    return 0;
}

/*
 * Parse one or more CRLs and add them to the chained list
 *
 * With MBEDTLS_PEM_PARSE_C the buffer is first treated as a sequence of
 * "X509 CRL" PEM blocks, each handed to mbedtls_x509_crl_parse_der(); that
 * path requires `buf` to be NUL-terminated (buf[buflen - 1] == '\0').  If
 * the first PEM attempt finds no block — or PEM support is compiled out —
 * the whole buffer is parsed as a single DER CRL instead.
 *
 * Returns 0 on success, MBEDTLS_ERR_X509_BAD_INPUT_DATA for NULL arguments,
 * the first failing CRL's error code, or a PEM error once at least one PEM
 * block was accepted and the remaining input cannot be decoded.
 */
int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen)
{
#if defined(MBEDTLS_PEM_PARSE_C)
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t use_len = 0;
    mbedtls_pem_context pem;
    int is_pem = 0;

    if (chain == NULL || buf == NULL) {
        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
    }

    do {
        mbedtls_pem_init(&pem);

        // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
        // string
        if (buflen == 0 || buf[buflen - 1] != '\0') {
            ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
        } else {
            ret = mbedtls_pem_read_buffer(&pem,
                                          "-----BEGIN X509 CRL-----",
                                          "-----END X509 CRL-----",
                                          buf, NULL, 0, &use_len);
        }

        if (ret == 0) {
            /*
             * Was PEM encoded
             */
            is_pem = 1;

            /* Skip the bytes consumed by this block and parse its DER payload. */
            buflen -= use_len;
            buf += use_len;

            if ((ret = mbedtls_x509_crl_parse_der(chain,
                                                  pem.buf, pem.buflen)) != 0) {
                mbedtls_pem_free(&pem);
                return ret;
            }
        } else if (is_pem) {
            /* After one PEM block was seen, leftover input must be PEM too. */
            mbedtls_pem_free(&pem);
            return ret;
        }

        mbedtls_pem_free(&pem);
    }
    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
     * And a valid CRL cannot be less than 1 byte anyway.
     */
    while (is_pem && buflen > 1);

    if (is_pem) {
        return 0;
    } else
#endif /* MBEDTLS_PEM_PARSE_C */
    /* DER fallback (also the only path when PEM support is compiled out). */
    return mbedtls_x509_crl_parse_der(chain, buf, buflen);
}

#if defined(MBEDTLS_FS_IO)
/*
 * Load one or more CRLs and add them to the chained list
 *
 * Reads `path` into a temporary buffer owned by this function, parses it with
 * mbedtls_x509_crl_parse(), then wipes and frees the buffer regardless of
 * the outcome (the parser keeps its own copy of the DER bytes).  Returns the
 * loader's or the parser's error code, 0 on success.
 */
int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t n;
    unsigned char *buf;

    if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) {
        return ret;
    }

    ret = mbedtls_x509_crl_parse(chain, buf, n);

    mbedtls_platform_zeroize(buf, n);
    mbedtls_free(buf);

    return ret;
}
#endif /* MBEDTLS_FS_IO */

#if !defined(MBEDTLS_X509_REMOVE_INFO)
/*
 * Return an informational string about the certificate.
 *
 * BEFORE_COLON / BC are not referenced by the code shown in this file.
 */
#define BEFORE_COLON 14
#define BC "14"
/*
 * Return an informational string about the CRL.
 *
 * Writes a multi-line, `prefix`-indented description of `crl` (version,
 * issuer, thisUpdate, nextUpdate, every revoked entry's serial and date, and
 * the signature algorithm) into `buf` of `size` bytes.
 *
 * Returns the number of characters written on success.  Each write goes
 * through MBEDTLS_X509_SAFE_SNPRINTF (defined elsewhere), which from its use
 * here must check `ret` against `n`, advance `p` and shrink `n`, and return
 * an error from this function when the output does not fit — so `p` and `n`
 * are not free to rename.
 *
 * nextUpdate is printed unconditionally; for a CRL without one the fields
 * hold whatever the node contained before parsing (all zero after
 * mbedtls_x509_crl_init()).
 */
int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix,
                          const mbedtls_x509_crl *crl)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t n;
    char *p;
    const mbedtls_x509_crl_entry *entry;

    p = buf;
    n = size;

    ret = mbedtls_snprintf(p, n, "%sCRL version : %d",
                           prefix, crl->version);
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf(p, n, "\n%sissuer name : ", prefix);
    MBEDTLS_X509_SAFE_SNPRINTF;
    ret = mbedtls_x509_dn_gets(p, n, &crl->issuer);
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf(p, n, "\n%sthis update : " \
                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                           crl->this_update.year, crl->this_update.mon,
                           crl->this_update.day, crl->this_update.hour,
                           crl->this_update.min, crl->this_update.sec);
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf(p, n, "\n%snext update : " \
                           "%04d-%02d-%02d %02d:%02d:%02d", prefix,
                           crl->next_update.year, crl->next_update.mon,
                           crl->next_update.day, crl->next_update.hour,
                           crl->next_update.min, crl->next_update.sec);
    MBEDTLS_X509_SAFE_SNPRINTF;

    /* The first entry is embedded in the CRL; raw.len == 0 means "no entries". */
    entry = &crl->entry;

    ret = mbedtls_snprintf(p, n, "\n%sRevoked certificates:",
                           prefix);
    MBEDTLS_X509_SAFE_SNPRINTF;

    while (entry != NULL && entry->raw.len != 0) {
        ret = mbedtls_snprintf(p, n, "\n%sserial number: ",
                               prefix);
        MBEDTLS_X509_SAFE_SNPRINTF;

        ret = mbedtls_x509_serial_gets(p, n, &entry->serial);
        MBEDTLS_X509_SAFE_SNPRINTF;

        ret = mbedtls_snprintf(p, n, " revocation date: " \
                               "%04d-%02d-%02d %02d:%02d:%02d",
                               entry->revocation_date.year, entry->revocation_date.mon,
                               entry->revocation_date.day, entry->revocation_date.hour,
                               entry->revocation_date.min, entry->revocation_date.sec);
        MBEDTLS_X509_SAFE_SNPRINTF;

        entry = entry->next;
    }

    ret = mbedtls_snprintf(p, n, "\n%ssigned using : ", prefix);
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_x509_sig_alg_gets(p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
                                    crl->sig_opts);
    MBEDTLS_X509_SAFE_SNPRINTF;

    ret = mbedtls_snprintf(p, n, "\n");
    MBEDTLS_X509_SAFE_SNPRINTF;

    /* n was decremented by every successful write, so size - n is the total. */
    return (int) (size - n);
}
#endif /* MBEDTLS_X509_REMOVE_INFO */

Wiklander /* 679817466cbSJens Wiklander * Initialize a CRL chain 680817466cbSJens Wiklander */ 681817466cbSJens Wiklander void mbedtls_x509_crl_init(mbedtls_x509_crl *crl) 682817466cbSJens Wiklander { 683817466cbSJens Wiklander memset(crl, 0, sizeof(mbedtls_x509_crl)); 684817466cbSJens Wiklander } 685817466cbSJens Wiklander 686817466cbSJens Wiklander /* 687817466cbSJens Wiklander * Unallocate all CRL data 688817466cbSJens Wiklander */ 689817466cbSJens Wiklander void mbedtls_x509_crl_free(mbedtls_x509_crl *crl) 690817466cbSJens Wiklander { 691817466cbSJens Wiklander mbedtls_x509_crl *crl_cur = crl; 692817466cbSJens Wiklander mbedtls_x509_crl *crl_prv; 693817466cbSJens Wiklander mbedtls_x509_crl_entry *entry_cur; 694817466cbSJens Wiklander mbedtls_x509_crl_entry *entry_prv; 695817466cbSJens Wiklander 696*32b31808SJens Wiklander while (crl_cur != NULL) { 697817466cbSJens Wiklander #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 698817466cbSJens Wiklander mbedtls_free(crl_cur->sig_opts); 699817466cbSJens Wiklander #endif 700817466cbSJens Wiklander 701*32b31808SJens Wiklander mbedtls_asn1_free_named_data_list_shallow(crl_cur->issuer.next); 702817466cbSJens Wiklander 703817466cbSJens Wiklander entry_cur = crl_cur->entry.next; 704*32b31808SJens Wiklander while (entry_cur != NULL) { 705817466cbSJens Wiklander entry_prv = entry_cur; 706817466cbSJens Wiklander entry_cur = entry_cur->next; 7073d3b0591SJens Wiklander mbedtls_platform_zeroize(entry_prv, 7083d3b0591SJens Wiklander sizeof(mbedtls_x509_crl_entry)); 709817466cbSJens Wiklander mbedtls_free(entry_prv); 710817466cbSJens Wiklander } 711817466cbSJens Wiklander 712*32b31808SJens Wiklander if (crl_cur->raw.p != NULL) { 7133d3b0591SJens Wiklander mbedtls_platform_zeroize(crl_cur->raw.p, crl_cur->raw.len); 714817466cbSJens Wiklander mbedtls_free(crl_cur->raw.p); 715817466cbSJens Wiklander } 716817466cbSJens Wiklander 717817466cbSJens Wiklander crl_prv = crl_cur; 718817466cbSJens Wiklander crl_cur = crl_cur->next; 
719817466cbSJens Wiklander 7203d3b0591SJens Wiklander mbedtls_platform_zeroize(crl_prv, sizeof(mbedtls_x509_crl)); 721*32b31808SJens Wiklander if (crl_prv != crl) { 722817466cbSJens Wiklander mbedtls_free(crl_prv); 723817466cbSJens Wiklander } 724*32b31808SJens Wiklander } 725817466cbSJens Wiklander } 726817466cbSJens Wiklander 727817466cbSJens Wiklander #endif /* MBEDTLS_X509_CRL_PARSE_C */ 728
