1 /* 2 * X.509 Certidicate Revocation List (CRL) parsing 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 * 46 * This file is part of mbed TLS (https://tls.mbed.org) 47 */ 48 /* 49 * The ITU-T X.509 standard defines a certificate format for PKI. 50 * 51 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs) 52 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs) 53 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10) 54 * 55 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf 56 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf 57 */ 58 59 #if !defined(MBEDTLS_CONFIG_FILE) 60 #include "mbedtls/config.h" 61 #else 62 #include MBEDTLS_CONFIG_FILE 63 #endif 64 65 #if defined(MBEDTLS_X509_CRL_PARSE_C) 66 67 #include "mbedtls/x509_crl.h" 68 #include "mbedtls/oid.h" 69 70 #include <string.h> 71 72 #if defined(MBEDTLS_PEM_PARSE_C) 73 #include "mbedtls/pem.h" 74 #endif 75 76 #if defined(MBEDTLS_PLATFORM_C) 77 #include "mbedtls/platform.h" 78 #else 79 #include <stdlib.h> 80 #include <stdio.h> 81 #define mbedtls_free free 82 #define mbedtls_calloc calloc 83 #define mbedtls_snprintf snprintf 84 #endif 85 86 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) 87 #include <windows.h> 88 #else 89 #include <time.h> 90 #endif 91 92 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32) 93 #include <stdio.h> 94 #endif 95 96 /* Implementation that should never be optimized out by the compiler */ 97 static void mbedtls_zeroize( void *v, size_t n ) { 98 volatile unsigned char *p = v; while( n-- ) *p++ = 0; 99 } 100 101 /* 102 * Version ::= INTEGER { v1(0), v2(1) } 103 */ 104 static int x509_crl_get_version( unsigned char **p, 105 const unsigned char *end, 106 int *ver ) 107 { 108 int ret; 109 110 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 ) 111 { 112 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 113 { 114 *ver = 0; 115 return( 0 ); 116 } 117 118 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret ); 119 } 120 121 return( 0 ); 122 } 123 124 /* 125 * X.509 CRL v2 extensions 126 * 127 * We currently don't parse any extension's content, but we do check that the 128 * list of extensions is well-formed and abort on critical extensions (that 129 * are unsupported as we don't support any extension so far) 130 */ 131 static int x509_get_crl_ext( unsigned char **p, 132 const unsigned char *end, 133 mbedtls_x509_buf *ext ) 134 { 135 int ret; 136 137 if( *p == end ) 138 return( 0 ); 139 140 /* 141 * crlExtensions [0] EXPLICIT Extensions OPTIONAL 142 * -- if present, version MUST be v2 143 */ 144 if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 ) 145 return( ret ); 146 147 end = ext->p + ext->len; 148 149 while( *p < end ) 150 { 151 /* 152 * Extension ::= SEQUENCE { 153 * extnID OBJECT IDENTIFIER, 154 * critical BOOLEAN DEFAULT FALSE, 155 * extnValue OCTET STRING } 156 */ 157 int is_critical = 0; 158 const unsigned char *end_ext_data; 159 size_t len; 160 161 /* Get enclosing sequence tag */ 162 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 163 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 164 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 165 166 end_ext_data = *p + len; 167 168 /* Get OID (currently ignored) */ 169 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, 170 MBEDTLS_ASN1_OID ) ) != 0 ) 171 { 172 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 173 } 174 *p += len; 175 176 /* Get optional critical */ 177 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, 178 &is_critical ) ) != 0 && 179 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) 180 { 181 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 182 } 183 184 /* Data should be octet string type */ 185 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len, 186 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ) 187 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 188 189 /* Ignore data so far and just check its length */ 190 *p += len; 191 if( *p != end_ext_data ) 192 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 193 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 194 195 /* Abort on (unsupported) critical extensions */ 196 if( is_critical ) 197 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 198 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ); 199 } 200 201 if( *p != end ) 202 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 203 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 204 205 return( 0 ); 206 } 207 208 /* 209 * X.509 CRL v2 entry extensions (no extensions parsed yet.) 210 */ 211 static int x509_get_crl_entry_ext( unsigned char **p, 212 const unsigned char *end, 213 mbedtls_x509_buf *ext ) 214 { 215 int ret; 216 size_t len = 0; 217 218 /* OPTIONAL */ 219 if( end <= *p ) 220 return( 0 ); 221 222 ext->tag = **p; 223 ext->p = *p; 224 225 /* 226 * Get CRL-entry extension sequence header 227 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2 228 */ 229 if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len, 230 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 231 { 232 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 233 { 234 ext->p = NULL; 235 return( 0 ); 236 } 237 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 238 } 239 240 end = *p + ext->len; 241 242 if( end != *p + ext->len ) 243 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 244 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 245 246 while( *p < end ) 247 { 248 if( ( ret = mbedtls_asn1_get_tag( p, end, &len, 249 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 250 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret ); 251 252 *p += len; 253 } 254 255 if( *p != end ) 256 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + 257 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 258 259 return( 0 ); 260 } 261 262 /* 263 * X.509 CRL Entries 264 */ 265 static int x509_get_entries( unsigned char **p, 266 const unsigned char *end, 267 mbedtls_x509_crl_entry *entry ) 268 { 269 int ret; 270 size_t entry_len; 271 mbedtls_x509_crl_entry *cur_entry = entry; 272 273 if( *p == end ) 274 return( 0 ); 275 276 if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len, 277 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 ) 278 { 279 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) 280 return( 0 ); 281 282 return( ret ); 283 } 284 285 end = *p + entry_len; 286 287 while( *p < end ) 288 { 289 size_t len2; 290 const unsigned char *end2; 291 292 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2, 293 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 ) 294 { 295 return( ret ); 296 } 297 298 cur_entry->raw.tag = **p; 299 cur_entry->raw.p = *p; 300 cur_entry->raw.len = len2; 301 end2 = *p + len2; 302 303 if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 ) 304 return( ret ); 305 306 if( ( ret = mbedtls_x509_get_time( p, end2, 307 &cur_entry->revocation_date ) ) != 0 ) 308 return( ret ); 309 310 if( ( ret = x509_get_crl_entry_ext( p, end2, 311 &cur_entry->entry_ext ) ) != 0 ) 312 return( ret ); 313 314 if( *p < end ) 315 { 316 cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) ); 317 318 if( cur_entry->next == NULL ) 319 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 320 321 cur_entry = cur_entry->next; 322 } 323 } 324 325 return( 0 ); 326 } 327 328 /* 329 * Parse one CRLs in DER format and append it to the chained list 330 */ 331 int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain, 332 const unsigned char *buf, size_t buflen ) 333 { 334 int ret; 335 size_t len; 336 unsigned char *p = NULL, *end = NULL; 337 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2; 338 mbedtls_x509_crl *crl = chain; 339 340 /* 341 * Check for valid input 342 */ 343 if( crl == NULL || buf == NULL ) 344 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 345 346 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) ); 347 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) ); 348 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) ); 349 350 /* 351 * Add new CRL on the end of the chain if needed. 352 */ 353 while( crl->version != 0 && crl->next != NULL ) 354 crl = crl->next; 355 356 if( crl->version != 0 && crl->next == NULL ) 357 { 358 crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ); 359 360 if( crl->next == NULL ) 361 { 362 mbedtls_x509_crl_free( crl ); 363 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 364 } 365 366 mbedtls_x509_crl_init( crl->next ); 367 crl = crl->next; 368 } 369 370 /* 371 * Copy raw DER-encoded CRL 372 */ 373 if( buflen == 0 ) 374 return( MBEDTLS_ERR_X509_INVALID_FORMAT ); 375 376 p = mbedtls_calloc( 1, buflen ); 377 if( p == NULL ) 378 return( MBEDTLS_ERR_X509_ALLOC_FAILED ); 379 380 memcpy( p, buf, buflen ); 381 382 crl->raw.p = p; 383 crl->raw.len = buflen; 384 385 end = p + buflen; 386 387 /* 388 * CertificateList ::= SEQUENCE { 389 * tbsCertList TBSCertList, 390 * signatureAlgorithm AlgorithmIdentifier, 391 * signatureValue BIT STRING } 392 */ 393 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 394 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 395 { 396 mbedtls_x509_crl_free( crl ); 397 return( MBEDTLS_ERR_X509_INVALID_FORMAT ); 398 } 399 400 if( len != (size_t) ( end - p ) ) 401 { 402 mbedtls_x509_crl_free( crl ); 403 return( MBEDTLS_ERR_X509_INVALID_FORMAT + 404 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 405 } 406 407 /* 408 * TBSCertList ::= SEQUENCE { 409 */ 410 crl->tbs.p = p; 411 412 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 413 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 414 { 415 mbedtls_x509_crl_free( crl ); 416 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 417 } 418 419 end = p + len; 420 crl->tbs.len = end - crl->tbs.p; 421 422 /* 423 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) } 424 * -- if present, MUST be v2 425 * 426 * signature AlgorithmIdentifier 427 */ 428 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 || 429 ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 ) 430 { 431 mbedtls_x509_crl_free( crl ); 432 return( ret ); 433 } 434 435 if( crl->version < 0 || crl->version > 1 ) 436 { 437 mbedtls_x509_crl_free( crl ); 438 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION ); 439 } 440 441 crl->version++; 442 443 if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1, 444 &crl->sig_md, &crl->sig_pk, 445 &crl->sig_opts ) ) != 0 ) 446 { 447 mbedtls_x509_crl_free( crl ); 448 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG ); 449 } 450 451 /* 452 * issuer Name 453 */ 454 crl->issuer_raw.p = p; 455 456 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, 457 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) 458 { 459 mbedtls_x509_crl_free( crl ); 460 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret ); 461 } 462 463 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 ) 464 { 465 mbedtls_x509_crl_free( crl ); 466 return( ret ); 467 } 468 469 crl->issuer_raw.len = p - crl->issuer_raw.p; 470 471 /* 472 * thisUpdate Time 473 * nextUpdate Time OPTIONAL 474 */ 475 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 ) 476 { 477 mbedtls_x509_crl_free( crl ); 478 return( ret ); 479 } 480 481 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 ) 482 { 483 if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE + 484 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) && 485 ret != ( MBEDTLS_ERR_X509_INVALID_DATE + 486 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) ) 487 { 488 mbedtls_x509_crl_free( crl ); 489 return( ret ); 490 } 491 } 492 493 /* 494 * revokedCertificates SEQUENCE OF SEQUENCE { 495 * userCertificate CertificateSerialNumber, 496 * revocationDate Time, 497 * crlEntryExtensions Extensions OPTIONAL 498 * -- if present, MUST be v2 499 * } OPTIONAL 500 */ 501 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 ) 502 { 503 mbedtls_x509_crl_free( crl ); 504 return( ret ); 505 } 506 507 /* 508 * crlExtensions EXPLICIT Extensions OPTIONAL 509 * -- if present, MUST be v2 510 */ 511 if( crl->version == 2 ) 512 { 513 ret = x509_get_crl_ext( &p, end, &crl->crl_ext ); 514 515 if( ret != 0 ) 516 { 517 mbedtls_x509_crl_free( crl ); 518 return( ret ); 519 } 520 } 521 522 if( p != end ) 523 { 524 mbedtls_x509_crl_free( crl ); 525 return( MBEDTLS_ERR_X509_INVALID_FORMAT + 526 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 527 } 528 529 end = crl->raw.p + crl->raw.len; 530 531 /* 532 * signatureAlgorithm AlgorithmIdentifier, 533 * signatureValue BIT STRING 534 */ 535 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 ) 536 { 537 mbedtls_x509_crl_free( crl ); 538 return( ret ); 539 } 540 541 if( crl->sig_oid.len != sig_oid2.len || 542 memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 || 543 sig_params1.len != sig_params2.len || 544 ( sig_params1.len != 0 && 545 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) 546 { 547 mbedtls_x509_crl_free( crl ); 548 return( MBEDTLS_ERR_X509_SIG_MISMATCH ); 549 } 550 551 if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 ) 552 { 553 mbedtls_x509_crl_free( crl ); 554 return( ret ); 555 } 556 557 if( p != end ) 558 { 559 mbedtls_x509_crl_free( crl ); 560 return( MBEDTLS_ERR_X509_INVALID_FORMAT + 561 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); 562 } 563 564 return( 0 ); 565 } 566 567 /* 568 * Parse one or more CRLs and add them to the chained list 569 */ 570 int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen ) 571 { 572 #if defined(MBEDTLS_PEM_PARSE_C) 573 int ret; 574 size_t use_len; 575 mbedtls_pem_context pem; 576 int is_pem = 0; 577 578 if( chain == NULL || buf == NULL ) 579 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA ); 580 581 do 582 { 583 mbedtls_pem_init( &pem ); 584 585 // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated 586 // string 587 if( buflen == 0 || buf[buflen - 1] != '\0' ) 588 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; 589 else 590 ret = mbedtls_pem_read_buffer( &pem, 591 "-----BEGIN X509 CRL-----", 592 "-----END X509 CRL-----", 593 buf, NULL, 0, &use_len ); 594 595 if( ret == 0 ) 596 { 597 /* 598 * Was PEM encoded 599 */ 600 is_pem = 1; 601 602 buflen -= use_len; 603 buf += use_len; 604 605 if( ( ret = mbedtls_x509_crl_parse_der( chain, 606 pem.buf, pem.buflen ) ) != 0 ) 607 { 608 mbedtls_pem_free( &pem ); 609 return( ret ); 610 } 611 } 612 else if( is_pem ) 613 { 614 mbedtls_pem_free( &pem ); 615 return( ret ); 616 } 617 618 mbedtls_pem_free( &pem ); 619 } 620 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte. 621 * And a valid CRL cannot be less than 1 byte anyway. */ 622 while( is_pem && buflen > 1 ); 623 624 if( is_pem ) 625 return( 0 ); 626 else 627 #endif /* MBEDTLS_PEM_PARSE_C */ 628 return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) ); 629 } 630 631 #if defined(MBEDTLS_FS_IO) 632 /* 633 * Load one or more CRLs and add them to the chained list 634 */ 635 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path ) 636 { 637 int ret; 638 size_t n; 639 unsigned char *buf; 640 641 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 ) 642 return( ret ); 643 644 ret = mbedtls_x509_crl_parse( chain, buf, n ); 645 646 mbedtls_zeroize( buf, n ); 647 mbedtls_free( buf ); 648 649 return( ret ); 650 } 651 #endif /* MBEDTLS_FS_IO */ 652 653 /* 654 * Return an informational string about the certificate. 655 */ 656 #define BEFORE_COLON 14 657 #define BC "14" 658 /* 659 * Return an informational string about the CRL. 660 */ 661 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix, 662 const mbedtls_x509_crl *crl ) 663 { 664 int ret; 665 size_t n; 666 char *p; 667 const mbedtls_x509_crl_entry *entry; 668 669 p = buf; 670 n = size; 671 672 ret = mbedtls_snprintf( p, n, "%sCRL version : %d", 673 prefix, crl->version ); 674 MBEDTLS_X509_SAFE_SNPRINTF; 675 676 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix ); 677 MBEDTLS_X509_SAFE_SNPRINTF; 678 ret = mbedtls_x509_dn_gets( p, n, &crl->issuer ); 679 MBEDTLS_X509_SAFE_SNPRINTF; 680 681 ret = mbedtls_snprintf( p, n, "\n%sthis update : " \ 682 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 683 crl->this_update.year, crl->this_update.mon, 684 crl->this_update.day, crl->this_update.hour, 685 crl->this_update.min, crl->this_update.sec ); 686 MBEDTLS_X509_SAFE_SNPRINTF; 687 688 ret = mbedtls_snprintf( p, n, "\n%snext update : " \ 689 "%04d-%02d-%02d %02d:%02d:%02d", prefix, 690 crl->next_update.year, crl->next_update.mon, 691 crl->next_update.day, crl->next_update.hour, 692 crl->next_update.min, crl->next_update.sec ); 693 MBEDTLS_X509_SAFE_SNPRINTF; 694 695 entry = &crl->entry; 696 697 ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:", 698 prefix ); 699 MBEDTLS_X509_SAFE_SNPRINTF; 700 701 while( entry != NULL && entry->raw.len != 0 ) 702 { 703 ret = mbedtls_snprintf( p, n, "\n%sserial number: ", 704 prefix ); 705 MBEDTLS_X509_SAFE_SNPRINTF; 706 707 ret = mbedtls_x509_serial_gets( p, n, &entry->serial ); 708 MBEDTLS_X509_SAFE_SNPRINTF; 709 710 ret = mbedtls_snprintf( p, n, " revocation date: " \ 711 "%04d-%02d-%02d %02d:%02d:%02d", 712 entry->revocation_date.year, entry->revocation_date.mon, 713 entry->revocation_date.day, entry->revocation_date.hour, 714 entry->revocation_date.min, entry->revocation_date.sec ); 715 MBEDTLS_X509_SAFE_SNPRINTF; 716 717 entry = entry->next; 718 } 719 720 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix ); 721 MBEDTLS_X509_SAFE_SNPRINTF; 722 723 ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md, 724 crl->sig_opts ); 725 MBEDTLS_X509_SAFE_SNPRINTF; 726 727 ret = mbedtls_snprintf( p, n, "\n" ); 728 MBEDTLS_X509_SAFE_SNPRINTF; 729 730 return( (int) ( size - n ) ); 731 } 732 733 /* 734 * Initialize a CRL chain 735 */ 736 void mbedtls_x509_crl_init( mbedtls_x509_crl *crl ) 737 { 738 memset( crl, 0, sizeof(mbedtls_x509_crl) ); 739 } 740 741 /* 742 * Unallocate all CRL data 743 */ 744 void mbedtls_x509_crl_free( mbedtls_x509_crl *crl ) 745 { 746 mbedtls_x509_crl *crl_cur = crl; 747 mbedtls_x509_crl *crl_prv; 748 mbedtls_x509_name *name_cur; 749 mbedtls_x509_name *name_prv; 750 mbedtls_x509_crl_entry *entry_cur; 751 mbedtls_x509_crl_entry *entry_prv; 752 753 if( crl == NULL ) 754 return; 755 756 do 757 { 758 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 759 mbedtls_free( crl_cur->sig_opts ); 760 #endif 761 762 name_cur = crl_cur->issuer.next; 763 while( name_cur != NULL ) 764 { 765 name_prv = name_cur; 766 name_cur = name_cur->next; 767 mbedtls_zeroize( name_prv, sizeof( mbedtls_x509_name ) ); 768 mbedtls_free( name_prv ); 769 } 770 771 entry_cur = crl_cur->entry.next; 772 while( entry_cur != NULL ) 773 { 774 entry_prv = entry_cur; 775 entry_cur = entry_cur->next; 776 mbedtls_zeroize( entry_prv, sizeof( mbedtls_x509_crl_entry ) ); 777 mbedtls_free( entry_prv ); 778 } 779 780 if( crl_cur->raw.p != NULL ) 781 { 782 mbedtls_zeroize( crl_cur->raw.p, crl_cur->raw.len ); 783 mbedtls_free( crl_cur->raw.p ); 784 } 785 786 crl_cur = crl_cur->next; 787 } 788 while( crl_cur != NULL ); 789 790 crl_cur = crl; 791 do 792 { 793 crl_prv = crl_cur; 794 crl_cur = crl_cur->next; 795 796 mbedtls_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) ); 797 if( crl_prv != crl ) 798 mbedtls_free( crl_prv ); 799 } 800 while( crl_cur != NULL ); 801 } 802 803 #endif /* MBEDTLS_X509_CRL_PARSE_C */ 804