1 /*
2 * X.509 Certidicate Revocation List (CRL) parsing
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The ITU-T X.509 standard defines a certificate format for PKI.
48 *
49 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
50 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
51 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
52 *
53 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
54 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
55 */
56
57 #if !defined(MBEDTLS_CONFIG_FILE)
58 #include "mbedtls/config.h"
59 #else
60 #include MBEDTLS_CONFIG_FILE
61 #endif
62
63 #if defined(MBEDTLS_X509_CRL_PARSE_C)
64
65 #include "mbedtls/x509_crl.h"
66 #include "mbedtls/oid.h"
67 #include "mbedtls/platform_util.h"
68
69 #include <string.h>
70
71 #if defined(MBEDTLS_PEM_PARSE_C)
72 #include "mbedtls/pem.h"
73 #endif
74
75 #if defined(MBEDTLS_PLATFORM_C)
76 #include "mbedtls/platform.h"
77 #else
78 #include <stdlib.h>
79 #include <stdio.h>
80 #define mbedtls_free free
81 #define mbedtls_calloc calloc
82 #define mbedtls_snprintf snprintf
83 #endif
84
85 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
86 #include <windows.h>
87 #else
88 #include <time.h>
89 #endif
90
91 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
92 #include <stdio.h>
93 #endif
94
95 /*
96 * Version ::= INTEGER { v1(0), v2(1) }
97 */
x509_crl_get_version(unsigned char ** p,const unsigned char * end,int * ver)98 static int x509_crl_get_version( unsigned char **p,
99 const unsigned char *end,
100 int *ver )
101 {
102 int ret;
103
104 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
105 {
106 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
107 {
108 *ver = 0;
109 return( 0 );
110 }
111
112 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
113 }
114
115 return( 0 );
116 }
117
118 /*
119 * X.509 CRL v2 extensions
120 *
121 * We currently don't parse any extension's content, but we do check that the
122 * list of extensions is well-formed and abort on critical extensions (that
123 * are unsupported as we don't support any extension so far)
124 */
x509_get_crl_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)125 static int x509_get_crl_ext( unsigned char **p,
126 const unsigned char *end,
127 mbedtls_x509_buf *ext )
128 {
129 int ret;
130
131 if( *p == end )
132 return( 0 );
133
134 /*
135 * crlExtensions [0] EXPLICIT Extensions OPTIONAL
136 * -- if present, version MUST be v2
137 */
138 if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
139 return( ret );
140
141 end = ext->p + ext->len;
142
143 while( *p < end )
144 {
145 /*
146 * Extension ::= SEQUENCE {
147 * extnID OBJECT IDENTIFIER,
148 * critical BOOLEAN DEFAULT FALSE,
149 * extnValue OCTET STRING }
150 */
151 int is_critical = 0;
152 const unsigned char *end_ext_data;
153 size_t len;
154
155 /* Get enclosing sequence tag */
156 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
157 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
158 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
159
160 end_ext_data = *p + len;
161
162 /* Get OID (currently ignored) */
163 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
164 MBEDTLS_ASN1_OID ) ) != 0 )
165 {
166 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
167 }
168 *p += len;
169
170 /* Get optional critical */
171 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
172 &is_critical ) ) != 0 &&
173 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
174 {
175 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
176 }
177
178 /* Data should be octet string type */
179 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
180 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
181 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
182
183 /* Ignore data so far and just check its length */
184 *p += len;
185 if( *p != end_ext_data )
186 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
187 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
188
189 /* Abort on (unsupported) critical extensions */
190 if( is_critical )
191 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
192 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
193 }
194
195 if( *p != end )
196 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
197 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
198
199 return( 0 );
200 }
201
202 /*
203 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
204 */
x509_get_crl_entry_ext(unsigned char ** p,const unsigned char * end,mbedtls_x509_buf * ext)205 static int x509_get_crl_entry_ext( unsigned char **p,
206 const unsigned char *end,
207 mbedtls_x509_buf *ext )
208 {
209 int ret;
210 size_t len = 0;
211
212 /* OPTIONAL */
213 if( end <= *p )
214 return( 0 );
215
216 ext->tag = **p;
217 ext->p = *p;
218
219 /*
220 * Get CRL-entry extension sequence header
221 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
222 */
223 if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
224 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
225 {
226 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
227 {
228 ext->p = NULL;
229 return( 0 );
230 }
231 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
232 }
233
234 end = *p + ext->len;
235
236 if( end != *p + ext->len )
237 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
238 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
239
240 while( *p < end )
241 {
242 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
243 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
244 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
245
246 *p += len;
247 }
248
249 if( *p != end )
250 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
251 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
252
253 return( 0 );
254 }
255
256 /*
257 * X.509 CRL Entries
258 */
x509_get_entries(unsigned char ** p,const unsigned char * end,mbedtls_x509_crl_entry * entry)259 static int x509_get_entries( unsigned char **p,
260 const unsigned char *end,
261 mbedtls_x509_crl_entry *entry )
262 {
263 int ret;
264 size_t entry_len;
265 mbedtls_x509_crl_entry *cur_entry = entry;
266
267 if( *p == end )
268 return( 0 );
269
270 if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
271 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
272 {
273 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
274 return( 0 );
275
276 return( ret );
277 }
278
279 end = *p + entry_len;
280
281 while( *p < end )
282 {
283 size_t len2;
284 const unsigned char *end2;
285
286 cur_entry->raw.tag = **p;
287 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
288 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
289 {
290 return( ret );
291 }
292
293 cur_entry->raw.p = *p;
294 cur_entry->raw.len = len2;
295 end2 = *p + len2;
296
297 if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
298 return( ret );
299
300 if( ( ret = mbedtls_x509_get_time( p, end2,
301 &cur_entry->revocation_date ) ) != 0 )
302 return( ret );
303
304 if( ( ret = x509_get_crl_entry_ext( p, end2,
305 &cur_entry->entry_ext ) ) != 0 )
306 return( ret );
307
308 if( *p < end )
309 {
310 cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
311
312 if( cur_entry->next == NULL )
313 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
314
315 cur_entry = cur_entry->next;
316 }
317 }
318
319 return( 0 );
320 }
321
322 /*
323 * Parse one CRLs in DER format and append it to the chained list
324 */
mbedtls_x509_crl_parse_der(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)325 int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
326 const unsigned char *buf, size_t buflen )
327 {
328 int ret;
329 size_t len;
330 unsigned char *p = NULL, *end = NULL;
331 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
332 mbedtls_x509_crl *crl = chain;
333
334 /*
335 * Check for valid input
336 */
337 if( crl == NULL || buf == NULL )
338 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
339
340 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
341 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
342 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
343
344 /*
345 * Add new CRL on the end of the chain if needed.
346 */
347 while( crl->version != 0 && crl->next != NULL )
348 crl = crl->next;
349
350 if( crl->version != 0 && crl->next == NULL )
351 {
352 crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
353
354 if( crl->next == NULL )
355 {
356 mbedtls_x509_crl_free( crl );
357 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
358 }
359
360 mbedtls_x509_crl_init( crl->next );
361 crl = crl->next;
362 }
363
364 /*
365 * Copy raw DER-encoded CRL
366 */
367 if( buflen == 0 )
368 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
369
370 p = mbedtls_calloc( 1, buflen );
371 if( p == NULL )
372 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
373
374 memcpy( p, buf, buflen );
375
376 crl->raw.p = p;
377 crl->raw.len = buflen;
378
379 end = p + buflen;
380
381 /*
382 * CertificateList ::= SEQUENCE {
383 * tbsCertList TBSCertList,
384 * signatureAlgorithm AlgorithmIdentifier,
385 * signatureValue BIT STRING }
386 */
387 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
388 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
389 {
390 mbedtls_x509_crl_free( crl );
391 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
392 }
393
394 if( len != (size_t) ( end - p ) )
395 {
396 mbedtls_x509_crl_free( crl );
397 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
398 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
399 }
400
401 /*
402 * TBSCertList ::= SEQUENCE {
403 */
404 crl->tbs.p = p;
405
406 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
407 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
408 {
409 mbedtls_x509_crl_free( crl );
410 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
411 }
412
413 end = p + len;
414 crl->tbs.len = end - crl->tbs.p;
415
416 /*
417 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
418 * -- if present, MUST be v2
419 *
420 * signature AlgorithmIdentifier
421 */
422 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
423 ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
424 {
425 mbedtls_x509_crl_free( crl );
426 return( ret );
427 }
428
429 if( crl->version < 0 || crl->version > 1 )
430 {
431 mbedtls_x509_crl_free( crl );
432 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
433 }
434
435 crl->version++;
436
437 if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
438 &crl->sig_md, &crl->sig_pk,
439 &crl->sig_opts ) ) != 0 )
440 {
441 mbedtls_x509_crl_free( crl );
442 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
443 }
444
445 /*
446 * issuer Name
447 */
448 crl->issuer_raw.p = p;
449
450 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
451 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
452 {
453 mbedtls_x509_crl_free( crl );
454 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
455 }
456
457 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
458 {
459 mbedtls_x509_crl_free( crl );
460 return( ret );
461 }
462
463 crl->issuer_raw.len = p - crl->issuer_raw.p;
464
465 /*
466 * thisUpdate Time
467 * nextUpdate Time OPTIONAL
468 */
469 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
470 {
471 mbedtls_x509_crl_free( crl );
472 return( ret );
473 }
474
475 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
476 {
477 if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
478 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
479 ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
480 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
481 {
482 mbedtls_x509_crl_free( crl );
483 return( ret );
484 }
485 }
486
487 /*
488 * revokedCertificates SEQUENCE OF SEQUENCE {
489 * userCertificate CertificateSerialNumber,
490 * revocationDate Time,
491 * crlEntryExtensions Extensions OPTIONAL
492 * -- if present, MUST be v2
493 * } OPTIONAL
494 */
495 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
496 {
497 mbedtls_x509_crl_free( crl );
498 return( ret );
499 }
500
501 /*
502 * crlExtensions EXPLICIT Extensions OPTIONAL
503 * -- if present, MUST be v2
504 */
505 if( crl->version == 2 )
506 {
507 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
508
509 if( ret != 0 )
510 {
511 mbedtls_x509_crl_free( crl );
512 return( ret );
513 }
514 }
515
516 if( p != end )
517 {
518 mbedtls_x509_crl_free( crl );
519 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
520 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
521 }
522
523 end = crl->raw.p + crl->raw.len;
524
525 /*
526 * signatureAlgorithm AlgorithmIdentifier,
527 * signatureValue BIT STRING
528 */
529 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
530 {
531 mbedtls_x509_crl_free( crl );
532 return( ret );
533 }
534
535 if( crl->sig_oid.len != sig_oid2.len ||
536 memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
537 sig_params1.len != sig_params2.len ||
538 ( sig_params1.len != 0 &&
539 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
540 {
541 mbedtls_x509_crl_free( crl );
542 return( MBEDTLS_ERR_X509_SIG_MISMATCH );
543 }
544
545 if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
546 {
547 mbedtls_x509_crl_free( crl );
548 return( ret );
549 }
550
551 if( p != end )
552 {
553 mbedtls_x509_crl_free( crl );
554 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
555 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
556 }
557
558 return( 0 );
559 }
560
561 /*
562 * Parse one or more CRLs and add them to the chained list
563 */
mbedtls_x509_crl_parse(mbedtls_x509_crl * chain,const unsigned char * buf,size_t buflen)564 int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
565 {
566 #if defined(MBEDTLS_PEM_PARSE_C)
567 int ret;
568 size_t use_len;
569 mbedtls_pem_context pem;
570 int is_pem = 0;
571
572 if( chain == NULL || buf == NULL )
573 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
574
575 do
576 {
577 mbedtls_pem_init( &pem );
578
579 // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
580 // string
581 if( buflen == 0 || buf[buflen - 1] != '\0' )
582 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
583 else
584 ret = mbedtls_pem_read_buffer( &pem,
585 "-----BEGIN X509 CRL-----",
586 "-----END X509 CRL-----",
587 buf, NULL, 0, &use_len );
588
589 if( ret == 0 )
590 {
591 /*
592 * Was PEM encoded
593 */
594 is_pem = 1;
595
596 buflen -= use_len;
597 buf += use_len;
598
599 if( ( ret = mbedtls_x509_crl_parse_der( chain,
600 pem.buf, pem.buflen ) ) != 0 )
601 {
602 mbedtls_pem_free( &pem );
603 return( ret );
604 }
605 }
606 else if( is_pem )
607 {
608 mbedtls_pem_free( &pem );
609 return( ret );
610 }
611
612 mbedtls_pem_free( &pem );
613 }
614 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
615 * And a valid CRL cannot be less than 1 byte anyway. */
616 while( is_pem && buflen > 1 );
617
618 if( is_pem )
619 return( 0 );
620 else
621 #endif /* MBEDTLS_PEM_PARSE_C */
622 return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
623 }
624
625 #if defined(MBEDTLS_FS_IO)
626 /*
627 * Load one or more CRLs and add them to the chained list
628 */
mbedtls_x509_crl_parse_file(mbedtls_x509_crl * chain,const char * path)629 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
630 {
631 int ret;
632 size_t n;
633 unsigned char *buf;
634
635 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
636 return( ret );
637
638 ret = mbedtls_x509_crl_parse( chain, buf, n );
639
640 mbedtls_platform_zeroize( buf, n );
641 mbedtls_free( buf );
642
643 return( ret );
644 }
645 #endif /* MBEDTLS_FS_IO */
646
647 /*
648 * Return an informational string about the certificate.
649 */
650 #define BEFORE_COLON 14
651 #define BC "14"
652 /*
653 * Return an informational string about the CRL.
654 */
mbedtls_x509_crl_info(char * buf,size_t size,const char * prefix,const mbedtls_x509_crl * crl)655 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
656 const mbedtls_x509_crl *crl )
657 {
658 int ret;
659 size_t n;
660 char *p;
661 const mbedtls_x509_crl_entry *entry;
662
663 p = buf;
664 n = size;
665
666 ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
667 prefix, crl->version );
668 MBEDTLS_X509_SAFE_SNPRINTF;
669
670 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
671 MBEDTLS_X509_SAFE_SNPRINTF;
672 ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
673 MBEDTLS_X509_SAFE_SNPRINTF;
674
675 ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
676 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
677 crl->this_update.year, crl->this_update.mon,
678 crl->this_update.day, crl->this_update.hour,
679 crl->this_update.min, crl->this_update.sec );
680 MBEDTLS_X509_SAFE_SNPRINTF;
681
682 ret = mbedtls_snprintf( p, n, "\n%snext update : " \
683 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
684 crl->next_update.year, crl->next_update.mon,
685 crl->next_update.day, crl->next_update.hour,
686 crl->next_update.min, crl->next_update.sec );
687 MBEDTLS_X509_SAFE_SNPRINTF;
688
689 entry = &crl->entry;
690
691 ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
692 prefix );
693 MBEDTLS_X509_SAFE_SNPRINTF;
694
695 while( entry != NULL && entry->raw.len != 0 )
696 {
697 ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
698 prefix );
699 MBEDTLS_X509_SAFE_SNPRINTF;
700
701 ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
702 MBEDTLS_X509_SAFE_SNPRINTF;
703
704 ret = mbedtls_snprintf( p, n, " revocation date: " \
705 "%04d-%02d-%02d %02d:%02d:%02d",
706 entry->revocation_date.year, entry->revocation_date.mon,
707 entry->revocation_date.day, entry->revocation_date.hour,
708 entry->revocation_date.min, entry->revocation_date.sec );
709 MBEDTLS_X509_SAFE_SNPRINTF;
710
711 entry = entry->next;
712 }
713
714 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
715 MBEDTLS_X509_SAFE_SNPRINTF;
716
717 ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
718 crl->sig_opts );
719 MBEDTLS_X509_SAFE_SNPRINTF;
720
721 ret = mbedtls_snprintf( p, n, "\n" );
722 MBEDTLS_X509_SAFE_SNPRINTF;
723
724 return( (int) ( size - n ) );
725 }
726
727 /*
728 * Initialize a CRL chain
729 */
mbedtls_x509_crl_init(mbedtls_x509_crl * crl)730 void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
731 {
732 memset( crl, 0, sizeof(mbedtls_x509_crl) );
733 }
734
735 /*
736 * Unallocate all CRL data
737 */
mbedtls_x509_crl_free(mbedtls_x509_crl * crl)738 void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
739 {
740 mbedtls_x509_crl *crl_cur = crl;
741 mbedtls_x509_crl *crl_prv;
742 mbedtls_x509_name *name_cur;
743 mbedtls_x509_name *name_prv;
744 mbedtls_x509_crl_entry *entry_cur;
745 mbedtls_x509_crl_entry *entry_prv;
746
747 if( crl == NULL )
748 return;
749
750 do
751 {
752 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
753 mbedtls_free( crl_cur->sig_opts );
754 #endif
755
756 name_cur = crl_cur->issuer.next;
757 while( name_cur != NULL )
758 {
759 name_prv = name_cur;
760 name_cur = name_cur->next;
761 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
762 mbedtls_free( name_prv );
763 }
764
765 entry_cur = crl_cur->entry.next;
766 while( entry_cur != NULL )
767 {
768 entry_prv = entry_cur;
769 entry_cur = entry_cur->next;
770 mbedtls_platform_zeroize( entry_prv,
771 sizeof( mbedtls_x509_crl_entry ) );
772 mbedtls_free( entry_prv );
773 }
774
775 if( crl_cur->raw.p != NULL )
776 {
777 mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
778 mbedtls_free( crl_cur->raw.p );
779 }
780
781 crl_cur = crl_cur->next;
782 }
783 while( crl_cur != NULL );
784
785 crl_cur = crl;
786 do
787 {
788 crl_prv = crl_cur;
789 crl_cur = crl_cur->next;
790
791 mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
792 if( crl_prv != crl )
793 mbedtls_free( crl_prv );
794 }
795 while( crl_cur != NULL );
796 }
797
798 #endif /* MBEDTLS_X509_CRL_PARSE_C */
799