1 /* 2 * X.509 Certidicate Revocation List (CRL) parsing 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The ITU-T X.509 standard defines a certificate format for PKI. 21 * 22 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) 23 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) 24 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) 25 * 26 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf 27 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf 28 */ 29 30 #include "common.h" 31 32 #if defined(MBEDTLS_X509_CRL_PARSE_C) 33 34 #include "mbedtls/x509_crl.h" 35 #include "mbedtls/error.h" 36 #include "mbedtls/oid.h" 37 #include "mbedtls/platform_util.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_PEM_PARSE_C) 42 #include "mbedtls/pem.h" 43 #endif 44 45 #if defined(MBEDTLS_PLATFORM_C) 46 #include "mbedtls/platform.h" 47 #else 48 #include <stdlib.h> 49 #include <stdio.h> 50 #define mbedtls_free free 51 #define mbedtls_calloc calloc 52 #define mbedtls_snprintf snprintf 53 #endif 54 55 #if defined(MBEDTLS_HAVE_TIME) 56 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 57 #include <windows.h> 58 #else 59 #include <time.h> 60 #endif 61 #endif 62 63 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32) 64 #include <stdio.h> 65 #endif 66 67 /* 68 * Version ::= INTEGER { v1(0), v2(1) } 69 */ 70 static int x509_crl_get_version( unsigned char **p, 71 const unsigned char *end, 72 int *ver ) 73 { 74 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 75 76 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) 77 { 78 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 79 { 80 *ver = 0; 81 return( 0 ); 82 } 83 84 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) ); 85 } 86 87 return( 0 ); 88 } 89 90 /* 91 * X.509 CRL v2 extensions 92 * 93 * We currently don't parse any extension's content, but we do check that the 94 * list of extensions is well-formed and abort on critical extensions (that 95 * are unsupported as we don't support any extension so far) 96 */ 97 static int x509_get_crl_ext( unsigned char **p, 98 const unsigned char *end, 99 mbedtls_x509_buf *ext ) 100 { 101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 102 103 if( *p == end ) 104 return( 0 ); 105 106 /* 107 * crlExtensions [0] EXPLICIT Extensions OPTIONAL 108 * -- if present, version MUST be v2 109 */ 110 if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 ) 111 return( ret ); 112 113 end = ext->p + ext->len; 114 115 while( *p < end ) 116 { 117 /* 118 * Extension ::= SEQUENCE { 119 * extnID OBJECT IDENTIFIER, 120 * critical BOOLEAN DEFAULT FALSE, 121 * extnValue OCTET STRING } 122 */ 123 int is_critical = 0; 124 const unsigned char *end_ext_data; 125 size_t len; 126 127 /* Get enclosing sequence tag */ 128 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 129 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 130 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 131 132 end_ext_data = *p + len; 133 134 /* Get OID (currently ignored) */ 135 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, 136 MBEDTLS_ASN1_OID ) ) != 0 ) 137 { 138 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 139 } 140 *p += len; 141 142 /* Get optional critical */ 143 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, 144 &is_critical ) ) != 0 && 145 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 146 { 147 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 148 } 149 150 /* Data should be octet string type */ 151 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, 152 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 153 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 154 155 /* Ignore data so far and just check its length */ 156 *p += len; 157 if( *p != end_ext_data ) 158 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 159 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 160 161 /* Abort on (unsupported) critical extensions */ 162 if( is_critical ) 163 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 164 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ); 165 } 166 167 if( *p != end ) 168 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 169 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 170 171 return( 0 ); 172 } 173 174 /* 175 * X.509 CRL v2 entry extensions (no extensions parsed yet.) 176 */ 177 static int x509_get_crl_entry_ext( unsigned char **p, 178 const unsigned char *end, 179 mbedtls_x509_buf *ext ) 180 { 181 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 182 size_t len = 0; 183 184 /* OPTIONAL */ 185 if( end <= *p ) 186 return( 0 ); 187 188 ext->tag = **p; 189 ext->p = *p; 190 191 /* 192 * Get CRL-entry extension sequence header 193 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2 194 */ 195 if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len, 196 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 197 { 198 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 199 { 200 ext->p = NULL; 201 return( 0 ); 202 } 203 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 204 } 205 206 end = *p + ext->len; 207 208 if( end != *p + ext->len ) 209 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 210 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 211 212 while( *p < end ) 213 { 214 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 215 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 216 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) ); 217 218 *p += len; 219 } 220 221 if( *p != end ) 222 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, 223 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 224 225 return( 0 ); 226 } 227 228 /* 229 * X.509 CRL Entries 230 */ 231 static int x509_get_entries( unsigned char **p, 232 const unsigned char *end, 233 mbedtls_x509_crl_entry *entry ) 234 { 235 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 236 size_t entry_len; 237 mbedtls_x509_crl_entry *cur_entry = entry; 238 239 if( *p == end ) 240 return( 0 ); 241 242 if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len, 243 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 ) 244 { 245 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 246 return( 0 ); 247 248 return( ret ); 249 } 250 251 end = *p + entry_len; 252 253 while( *p < end ) 254 { 255 size_t len2; 256 const unsigned char *end2; 257 258 cur_entry->raw.tag = **p; 259 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2, 260 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 ) 261 { 262 return( ret ); 263 } 264 265 cur_entry->raw.p = *p; 266 cur_entry->raw.len = len2; 267 end2 = *p + len2; 268 269 if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 ) 270 return( ret ); 271 272 if( ( ret = mbedtls_x509_get_time( p, end2, 273 &cur_entry->revocation_date ) ) != 0 ) 274 return( ret ); 275 276 if( ( ret = x509_get_crl_entry_ext( p, end2, 277 &cur_entry->entry_ext ) ) != 0 ) 278 return( ret ); 279 280 if( *p < end ) 281 { 282 cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) ); 283 284 if( cur_entry->next == NULL ) 285 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 286 287 cur_entry = cur_entry->next; 288 } 289 } 290 291 return( 0 ); 292 } 293 294 /* 295 * Parse one CRLs in DER format and append it to the chained list 296 */ 297 int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain, 298 const unsigned char *buf, size_t buflen ) 299 { 300 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 301 size_t len; 302 unsigned char *p = NULL, *end = NULL; 303 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2; 304 mbedtls_x509_crl *crl = chain; 305 306 /* 307 * Check for valid input 308 */ 309 if( crl == NULL || buf == NULL ) 310 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 311 312 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) ); 313 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) ); 314 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) ); 315 316 /* 317 * Add new CRL on the end of the chain if needed. 318 */ 319 while( crl->version != 0 && crl->next != NULL ) 320 crl = crl->next; 321 322 if( crl->version != 0 && crl->next == NULL ) 323 { 324 crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ); 325 326 if( crl->next == NULL ) 327 { 328 mbedtls_x509_crl_free( crl ); 329 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 330 } 331 332 mbedtls_x509_crl_init( crl->next ); 333 crl = crl->next; 334 } 335 336 /* 337 * Copy raw DER-encoded CRL 338 */ 339 if( buflen == 0 ) 340 return( MBEDTLS_ERR_X509_INVALID_FORMAT ); 341 342 p = mbedtls_calloc( 1, buflen ); 343 if( p == NULL ) 344 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 345 346 memcpy( p, buf, buflen ); 347 348 crl->raw.p = p; 349 crl->raw.len = buflen; 350 351 end = p + buflen; 352 353 /* 354 * CertificateList ::= SEQUENCE { 355 * tbsCertList TBSCertList, 356 * signatureAlgorithm AlgorithmIdentifier, 357 * signatureValue BIT STRING } 358 */ 359 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 360 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 361 { 362 mbedtls_x509_crl_free( crl ); 363 return( MBEDTLS_ERR_X509_INVALID_FORMAT ); 364 } 365 366 if( len != (size_t) ( end - p ) ) 367 { 368 mbedtls_x509_crl_free( crl ); 369 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, 370 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 371 } 372 373 /* 374 * TBSCertList ::= SEQUENCE { 375 */ 376 crl->tbs.p = p; 377 378 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 379 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 380 { 381 mbedtls_x509_crl_free( crl ); 382 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) ); 383 } 384 385 end = p + len; 386 crl->tbs.len = end - crl->tbs.p; 387 388 /* 389 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) } 390 * -- if present, MUST be v2 391 * 392 * signature AlgorithmIdentifier 393 */ 394 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 || 395 ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 ) 396 { 397 mbedtls_x509_crl_free( crl ); 398 return( ret ); 399 } 400 401 if( crl->version < 0 || crl->version > 1 ) 402 { 403 mbedtls_x509_crl_free( crl ); 404 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION ); 405 } 406 407 crl->version++; 408 409 if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1, 410 &crl->sig_md, &crl->sig_pk, 411 &crl->sig_opts ) ) != 0 ) 412 { 413 mbedtls_x509_crl_free( crl ); 414 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG ); 415 } 416 417 /* 418 * issuer Name 419 */ 420 crl->issuer_raw.p = p; 421 422 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 423 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 424 { 425 mbedtls_x509_crl_free( crl ); 426 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) ); 427 } 428 429 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 ) 430 { 431 mbedtls_x509_crl_free( crl ); 432 return( ret ); 433 } 434 435 crl->issuer_raw.len = p - crl->issuer_raw.p; 436 437 /* 438 * thisUpdate Time 439 * nextUpdate Time OPTIONAL 440 */ 441 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 ) 442 { 443 mbedtls_x509_crl_free( crl ); 444 return( ret ); 445 } 446 447 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 ) 448 { 449 if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE, 450 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) && 451 ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE, 452 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) ) ) 453 { 454 mbedtls_x509_crl_free( crl ); 455 return( ret ); 456 } 457 } 458 459 /* 460 * revokedCertificates SEQUENCE OF SEQUENCE { 461 * userCertificate CertificateSerialNumber, 462 * revocationDate Time, 463 * crlEntryExtensions Extensions OPTIONAL 464 * -- if present, MUST be v2 465 * } OPTIONAL 466 */ 467 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 ) 468 { 469 mbedtls_x509_crl_free( crl ); 470 return( ret ); 471 } 472 473 /* 474 * crlExtensions EXPLICIT Extensions OPTIONAL 475 * -- if present, MUST be v2 476 */ 477 if( crl->version == 2 ) 478 { 479 ret = x509_get_crl_ext( &p, end, &crl->crl_ext ); 480 481 if( ret != 0 ) 482 { 483 mbedtls_x509_crl_free( crl ); 484 return( ret ); 485 } 486 } 487 488 if( p != end ) 489 { 490 mbedtls_x509_crl_free( crl ); 491 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, 492 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 493 } 494 495 end = crl->raw.p + crl->raw.len; 496 497 /* 498 * signatureAlgorithm AlgorithmIdentifier, 499 * signatureValue BIT STRING 500 */ 501 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 ) 502 { 503 mbedtls_x509_crl_free( crl ); 504 return( ret ); 505 } 506 507 if( crl->sig_oid.len != sig_oid2.len || 508 memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 || 509 sig_params1.len != sig_params2.len || 510 ( sig_params1.len != 0 && 511 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) 512 { 513 mbedtls_x509_crl_free( crl ); 514 return( MBEDTLS_ERR_X509_SIG_MISMATCH ); 515 } 516 517 if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 ) 518 { 519 mbedtls_x509_crl_free( crl ); 520 return( ret ); 521 } 522 523 if( p != end ) 524 { 525 mbedtls_x509_crl_free( crl ); 526 return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, 527 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) ); 528 } 529 530 return( 0 ); 531 } 532 533 /* 534 * Parse one or more CRLs and add them to the chained list 535 */ 536 int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen ) 537 { 538 #if defined(MBEDTLS_PEM_PARSE_C) 539 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 540 size_t use_len = 0; 541 mbedtls_pem_context pem; 542 int is_pem = 0; 543 544 if( chain == NULL || buf == NULL ) 545 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 546 547 do 548 { 549 mbedtls_pem_init( &pem ); 550 551 // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated 552 // string 553 if( buflen == 0 || buf[buflen - 1] != '\0' ) 554 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 555 else 556 ret = mbedtls_pem_read_buffer( &pem, 557 "-----BEGIN X509 CRL-----", 558 "-----END X509 CRL-----", 559 buf, NULL, 0, &use_len ); 560 561 if( ret == 0 ) 562 { 563 /* 564 * Was PEM encoded 565 */ 566 is_pem = 1; 567 568 buflen -= use_len; 569 buf += use_len; 570 571 if( ( ret = mbedtls_x509_crl_parse_der( chain, 572 pem.buf, pem.buflen ) ) != 0 ) 573 { 574 mbedtls_pem_free( &pem ); 575 return( ret ); 576 } 577 } 578 else if( is_pem ) 579 { 580 mbedtls_pem_free( &pem ); 581 return( ret ); 582 } 583 584 mbedtls_pem_free( &pem ); 585 } 586 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte. 587 * And a valid CRL cannot be less than 1 byte anyway. */ 588 while( is_pem && buflen > 1 ); 589 590 if( is_pem ) 591 return( 0 ); 592 else 593 #endif /* MBEDTLS_PEM_PARSE_C */ 594 return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) ); 595 } 596 597 #if defined(MBEDTLS_FS_IO) 598 /* 599 * Load one or more CRLs and add them to the chained list 600 */ 601 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path ) 602 { 603 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 604 size_t n; 605 unsigned char *buf; 606 607 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 608 return( ret ); 609 610 ret = mbedtls_x509_crl_parse( chain, buf, n ); 611 612 mbedtls_platform_zeroize( buf, n ); 613 mbedtls_free( buf ); 614 615 return( ret ); 616 } 617 #endif /* MBEDTLS_FS_IO */ 618 619 /* 620 * Return an informational string about the certificate. 621 */ 622 #define BEFORE_COLON 14 623 #define BC "14" 624 /* 625 * Return an informational string about the CRL. 626 */ 627 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix, 628 const mbedtls_x509_crl *crl ) 629 { 630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 631 size_t n; 632 char *p; 633 const mbedtls_x509_crl_entry *entry; 634 635 p = buf; 636 n = size; 637 638 ret = mbedtls_snprintf( p, n, "%sCRL version : %d", 639 prefix, crl->version ); 640 MBEDTLS_X509_SAFE_SNPRINTF; 641 642 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix ); 643 MBEDTLS_X509_SAFE_SNPRINTF; 644 ret = mbedtls_x509_dn_gets( p, n, &crl->issuer ); 645 MBEDTLS_X509_SAFE_SNPRINTF; 646 647 ret = mbedtls_snprintf( p, n, "\n%sthis update : " \ 648 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 649 crl->this_update.year, crl->this_update.mon, 650 crl->this_update.day, crl->this_update.hour, 651 crl->this_update.min, crl->this_update.sec ); 652 MBEDTLS_X509_SAFE_SNPRINTF; 653 654 ret = mbedtls_snprintf( p, n, "\n%snext update : " \ 655 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 656 crl->next_update.year, crl->next_update.mon, 657 crl->next_update.day, crl->next_update.hour, 658 crl->next_update.min, crl->next_update.sec ); 659 MBEDTLS_X509_SAFE_SNPRINTF; 660 661 entry = &crl->entry; 662 663 ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:", 664 prefix ); 665 MBEDTLS_X509_SAFE_SNPRINTF; 666 667 while( entry != NULL && entry->raw.len != 0 ) 668 { 669 ret = mbedtls_snprintf( p, n, "\n%sserial number: ", 670 prefix ); 671 MBEDTLS_X509_SAFE_SNPRINTF; 672 673 ret = mbedtls_x509_serial_gets( p, n, &entry->serial ); 674 MBEDTLS_X509_SAFE_SNPRINTF; 675 676 ret = mbedtls_snprintf( p, n, " revocation date: " \ 677 "%04d-%02d-%02d %02d:%02d:%02d", 678 entry->revocation_date.year, entry->revocation_date.mon, 679 entry->revocation_date.day, entry->revocation_date.hour, 680 entry->revocation_date.min, entry->revocation_date.sec ); 681 MBEDTLS_X509_SAFE_SNPRINTF; 682 683 entry = entry->next; 684 } 685 686 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix ); 687 MBEDTLS_X509_SAFE_SNPRINTF; 688 689 ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md, 690 crl->sig_opts ); 691 MBEDTLS_X509_SAFE_SNPRINTF; 692 693 ret = mbedtls_snprintf( p, n, "\n" ); 694 MBEDTLS_X509_SAFE_SNPRINTF; 695 696 return( (int) ( size - n ) ); 697 } 698 699 /* 700 * Initialize a CRL chain 701 */ 702 void mbedtls_x509_crl_init( mbedtls_x509_crl *crl ) 703 { 704 memset( crl, 0, sizeof(mbedtls_x509_crl) ); 705 } 706 707 /* 708 * Unallocate all CRL data 709 */ 710 void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) 711 { 712 mbedtls_x509_crl *crl_cur = crl; 713 mbedtls_x509_crl *crl_prv; 714 mbedtls_x509_name *name_cur; 715 mbedtls_x509_name *name_prv; 716 mbedtls_x509_crl_entry *entry_cur; 717 mbedtls_x509_crl_entry *entry_prv; 718 719 if( crl == NULL ) 720 return; 721 722 do 723 { 724 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 725 mbedtls_free( crl_cur->sig_opts ); 726 #endif 727 728 name_cur = crl_cur->issuer.next; 729 while( name_cur != NULL ) 730 { 731 name_prv = name_cur; 732 name_cur = name_cur->next; 733 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); 734 mbedtls_free( name_prv ); 735 } 736 737 entry_cur = crl_cur->entry.next; 738 while( entry_cur != NULL ) 739 { 740 entry_prv = entry_cur; 741 entry_cur = entry_cur->next; 742 mbedtls_platform_zeroize( entry_prv, 743 sizeof( mbedtls_x509_crl_entry ) ); 744 mbedtls_free( entry_prv ); 745 } 746 747 if( crl_cur->raw.p != NULL ) 748 { 749 mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len ); 750 mbedtls_free( crl_cur->raw.p ); 751 } 752 753 crl_cur = crl_cur->next; 754 } 755 while( crl_cur != NULL ); 756 757 crl_cur = crl; 758 do 759 { 760 crl_prv = crl_cur; 761 crl_cur = crl_cur->next; 762 763 mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) ); 764 if( crl_prv != crl ) 765 mbedtls_free( crl_prv ); 766 } 767 while( crl_cur != NULL ); 768 } 769 770 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 771