summaryrefslogtreecommitdiffstats
path: root/lib/x509/crl.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
commit36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree6c68e0c0097987aff85a01dabddd34b862309a7c /lib/x509/crl.c
parentInitial commit. (diff)
downloadgnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz
gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/x509/crl.c')
-rw-r--r--lib/x509/crl.c1425
1 files changed, 1425 insertions, 0 deletions
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
new file mode 100644
index 0000000..56103e1
--- /dev/null
+++ b/lib/x509/crl.c
@@ -0,0 +1,1425 @@
+/*
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2016 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>
+ *
+ */
+
+#include "gnutls_int.h"
+#include <libtasn1.h>
+
+#include <datum.h>
+#include <global.h>
+#include "errors.h"
+#include <common.h>
+#include <x509_b64.h>
+#include <x509_int.h>
+#include <x509.h>
+
+static int crl_reinit(gnutls_x509_crl_t crl)
+{
+int result;
+
+ if (crl->crl)
+ asn1_delete_structure(&crl->crl);
+
+ result = asn1_create_element(_gnutls_get_pkix(),
+ "PKIX1.CertificateList",
+ &crl->crl);
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+ crl->rcache = NULL;
+ crl->rcache_idx = 0;
+ crl->raw_issuer_dn.size = 0;
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_init:
+ * @crl: A pointer to the type to be initialized
+ *
+ * This function will initialize a CRL structure. CRL stands for
+ * Certificate Revocation List. A revocation list usually contains
+ * lists of certificate serial numbers that have been revoked by an
+ * Authority. The revocation lists are always signed with the
+ * authority's private key.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int gnutls_x509_crl_init(gnutls_x509_crl_t * crl)
+{
+ FAIL_IF_LIB_ERROR;
+
+ *crl = gnutls_calloc(1, sizeof(gnutls_x509_crl_int));
+
+ if (*crl) {
+ int result = crl_reinit(*crl);
+ if (result < 0) {
+ gnutls_assert();
+ gnutls_free(*crl);
+ return result;
+ }
+ return 0; /* success */
+ }
+ return GNUTLS_E_MEMORY_ERROR;
+}
+
+/**
+ * gnutls_x509_crl_deinit:
+ * @crl: The data to be deinitialized
+ *
+ * This function will deinitialize a CRL structure.
+ **/
+void gnutls_x509_crl_deinit(gnutls_x509_crl_t crl)
+{
+ if (!crl)
+ return;
+
+ if (crl->crl)
+ asn1_delete_structure(&crl->crl);
+ gnutls_free(crl->der.data);
+
+ gnutls_free(crl);
+}
+
+/**
+ * gnutls_x509_crl_import:
+ * @crl: The data to store the parsed CRL.
+ * @data: The DER or PEM encoded CRL.
+ * @format: One of DER or PEM
+ *
+ * This function will convert the given DER or PEM encoded CRL
+ * to the native #gnutls_x509_crl_t format. The output will be stored in 'crl'.
+ *
+ * If the CRL is PEM encoded it should have a header of "X509 CRL".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_import(gnutls_x509_crl_t crl,
+ const gnutls_datum_t * data,
+ gnutls_x509_crt_fmt_t format)
+{
+ int result = 0;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ _gnutls_free_datum(&crl->der);
+
+ /* If the CRL is in PEM format then decode it
+ */
+ if (format == GNUTLS_X509_FMT_PEM) {
+ result =
+ _gnutls_fbase64_decode(PEM_CRL, data->data, data->size,
+ &crl->der);
+
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+ } else {
+ result = _gnutls_set_datum(&crl->der, data->data, data->size);
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+ }
+
+ if (crl->expanded) {
+ result = crl_reinit(crl);
+ if (result < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+ }
+ crl->expanded = 1;
+
+ result =
+ _asn1_strict_der_decode(&crl->crl, crl->der.data, crl->der.size, NULL);
+ if (result != ASN1_SUCCESS) {
+ result = _gnutls_asn2err(result);
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ result = _gnutls_x509_get_raw_field2(crl->crl, &crl->der,
+ "tbsCertList.issuer.rdnSequence",
+ &crl->raw_issuer_dn);
+ if (result < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ return 0;
+
+ cleanup:
+ _gnutls_free_datum(&crl->der);
+ return result;
+}
+
+
+/**
+ * gnutls_x509_crl_get_issuer_dn:
+ * @crl: should contain a gnutls_x509_crl_t type
+ * @buf: a pointer to a structure to hold the peer's name (may be null)
+ * @sizeof_buf: initially holds the size of @buf
+ *
+ * This function will copy the name of the CRL issuer in the provided
+ * buffer. The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC4514. The output string will be ASCII or UTF-8
+ * encoded, depending on the certificate data.
+ *
+ * If buf is %NULL then only the size will be filled.
+ *
+ * This function does not output a fully RFC4514 compliant string, if
+ * that is required see gnutls_x509_crl_get_issuer_dn3().
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_buf will be updated
+ * with the required size, and 0 on success.
+ *
+ **/
+int
+gnutls_x509_crl_get_issuer_dn(gnutls_x509_crl_t crl, char *buf,
+ size_t * sizeof_buf)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_parse_dn(crl->crl,
+ "tbsCertList.issuer.rdnSequence",
+ buf, sizeof_buf, GNUTLS_X509_DN_FLAG_COMPAT);
+}
+
+/**
+ * gnutls_x509_crl_get_issuer_dn_by_oid:
+ * @crl: should contain a gnutls_x509_crl_t type
+ * @oid: holds an Object Identified in null terminated string
+ * @indx: In case multiple same OIDs exist in the RDN, this specifies which to send. Use (0) to get the first one.
+ * @raw_flag: If non-zero returns the raw DER data of the DN part.
+ * @buf: a pointer to a structure to hold the peer's name (may be null)
+ * @sizeof_buf: initially holds the size of @buf
+ *
+ * This function will extract the part of the name of the CRL issuer
+ * specified by the given OID. The output will be encoded as described
+ * in RFC4514. The output string will be ASCII or UTF-8 encoded,
+ * depending on the certificate data.
+ *
+ * Some helper macros with popular OIDs can be found in gnutls/x509.h
+ * If raw flag is (0), this function will only return known OIDs as
+ * text. Other OIDs will be DER encoded, as described in RFC4514 -- in
+ * hex format with a '#' prefix. You can check about known OIDs
+ * using gnutls_x509_dn_oid_known().
+ *
+ * If buf is null then only the size will be filled.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_buf will be updated
+ * with the required size, and 0 on success.
+ **/
+int
+gnutls_x509_crl_get_issuer_dn_by_oid(gnutls_x509_crl_t crl,
+ const char *oid, unsigned indx,
+ unsigned int raw_flag, void *buf,
+ size_t * sizeof_buf)
+{
+ gnutls_datum_t td;
+ int ret;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ ret = _gnutls_x509_parse_dn_oid(crl->crl,
+ "tbsCertList.issuer.rdnSequence",
+ oid, indx, raw_flag, &td);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ return _gnutls_strdatum_to_buf(&td, buf, sizeof_buf);
+}
+
+
+/**
+ * gnutls_x509_crl_get_dn_oid:
+ * @crl: should contain a gnutls_x509_crl_t type
+ * @indx: Specifies which DN OID to send. Use (0) to get the first one.
+ * @oid: a pointer to store the OID (may be null)
+ * @sizeof_oid: initially holds the size of 'oid'
+ *
+ * This function will extract the requested OID of the name of the CRL
+ * issuer, specified by the given index.
+ *
+ * If oid is null then only the size will be filled.
+ *
+ * Returns: %GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is
+ * not long enough, and in that case the sizeof_oid will be updated
+ * with the required size. On success 0 is returned.
+ **/
+int
+gnutls_x509_crl_get_dn_oid(gnutls_x509_crl_t crl,
+ unsigned indx, void *oid, size_t * sizeof_oid)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_get_dn_oid(crl->crl,
+ "tbsCertList.issuer.rdnSequence",
+ indx, oid, sizeof_oid);
+}
+
+/**
+ * gnutls_x509_crl_get_issuer_dn2:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @dn: a pointer to a structure to hold the name; must be freed using gnutls_free()
+ *
+ * This function will allocate buffer and copy the name of the CRL issuer.
+ * The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC4514. The output string will be ASCII or UTF-8
+ * encoded, depending on the certificate data.
+ *
+ * This function does not output a fully RFC4514 compliant string, if
+ * that is required see gnutls_x509_crl_get_issuer_dn3().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.1.10
+ **/
+int
+gnutls_x509_crl_get_issuer_dn2(gnutls_x509_crl_t crl, gnutls_datum_t * dn)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_get_dn(crl->crl,
+ "tbsCertList.issuer.rdnSequence",
+ dn, GNUTLS_X509_DN_FLAG_COMPAT);
+}
+
+/**
+ * gnutls_x509_crl_get_issuer_dn3:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @dn: a pointer to a structure to hold the name; must be freed using gnutls_free()
+ * @flags: zero or %GNUTLS_X509_DN_FLAG_COMPAT
+ *
+ * This function will allocate buffer and copy the name of the CRL issuer.
+ * The name will be in the form "C=xxxx,O=yyyy,CN=zzzz" as
+ * described in RFC4514. The output string will be ASCII or UTF-8
+ * encoded, depending on the certificate data.
+ *
+ * When the flag %GNUTLS_X509_DN_FLAG_COMPAT is specified, the output
+ * format will match the format output by previous to 3.5.6 versions of GnuTLS
+ * which was not not fully RFC4514-compliant.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since: 3.5.7
+ **/
+int
+gnutls_x509_crl_get_issuer_dn3(gnutls_x509_crl_t crl, gnutls_datum_t * dn, unsigned flags)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_get_dn(crl->crl,
+ "tbsCertList.issuer.rdnSequence",
+ dn, flags);
+}
+
+/**
+ * gnutls_x509_crl_get_signature_algorithm:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ *
+ * This function will return a value of the #gnutls_sign_algorithm_t
+ * enumeration that is the signature algorithm.
+ *
+ * Since 3.6.0 this function never returns a negative error code.
+ * Error cases and unknown/unsupported signature algorithms are
+ * mapped to %GNUTLS_SIGN_UNKNOWN.
+ *
+ * Returns: a #gnutls_sign_algorithm_t value
+ **/
+int gnutls_x509_crl_get_signature_algorithm(gnutls_x509_crl_t crl)
+{
+ return map_errs_to_zero(_gnutls_x509_get_signature_algorithm(crl->crl,
+ "signatureAlgorithm"));
+}
+
+/**
+ * gnutls_x509_crl_get_signature_oid:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @oid: a pointer to a buffer to hold the OID (may be null)
+ * @oid_size: initially holds the size of @oid
+ *
+ * This function will return the OID of the signature algorithm
+ * that has been used to sign this CRL. This is function
+ * is useful in the case gnutls_x509_crl_get_signature_algorithm()
+ * returned %GNUTLS_SIGN_UNKNOWN.
+ *
+ * Returns: zero or a negative error code on error.
+ *
+ * Since: 3.5.0
+ **/
+int gnutls_x509_crl_get_signature_oid(gnutls_x509_crl_t crl, char *oid, size_t *oid_size)
+{
+ char str[MAX_OID_SIZE];
+ int len, result, ret;
+ gnutls_datum_t out;
+
+ len = sizeof(str);
+ result = asn1_read_value(crl->crl, "signatureAlgorithm.algorithm", str, &len);
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ out.data = (void*)str;
+ out.size = len;
+
+ ret = _gnutls_copy_string(&out, (void*)oid, oid_size);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_signature:
+ * @crl: should contain a gnutls_x509_crl_t type
+ * @sig: a pointer where the signature part will be copied (may be null).
+ * @sizeof_sig: initially holds the size of @sig
+ *
+ * This function will extract the signature field of a CRL.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_get_signature(gnutls_x509_crl_t crl,
+ char *sig, size_t * sizeof_sig)
+{
+ int result;
+ unsigned int bits;
+ int len;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ len = 0;
+ result = asn1_read_value(crl->crl, "signature", NULL, &len);
+
+ if (result != ASN1_MEM_ERROR) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ bits = len;
+ if (bits % 8 != 0) {
+ gnutls_assert();
+ return GNUTLS_E_CERTIFICATE_ERROR;
+ }
+
+ len = bits / 8;
+
+ if (*sizeof_sig < (unsigned) len) {
+ *sizeof_sig = bits / 8;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+
+ result = asn1_read_value(crl->crl, "signature", sig, &len);
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_version:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ *
+ * This function will return the version of the specified CRL.
+ *
+ * Returns: The version number, or a negative error code on error.
+ **/
+int gnutls_x509_crl_get_version(gnutls_x509_crl_t crl)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_get_version(crl->crl, "tbsCertList.version");
+}
+
+/**
+ * gnutls_x509_crl_get_this_update:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ *
+ * This function will return the time this CRL was issued.
+ *
+ * Returns: when the CRL was issued, or (time_t)-1 on error.
+ **/
+time_t gnutls_x509_crl_get_this_update(gnutls_x509_crl_t crl)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return (time_t) - 1;
+ }
+
+ return _gnutls_x509_get_time(crl->crl, "tbsCertList.thisUpdate",
+ 0);
+}
+
+/**
+ * gnutls_x509_crl_get_next_update:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ *
+ * This function will return the time the next CRL will be issued.
+ * This field is optional in a CRL so it might be normal to get an
+ * error instead.
+ *
+ * Returns: when the next CRL will be issued, or (time_t)-1 on error.
+ **/
+time_t gnutls_x509_crl_get_next_update(gnutls_x509_crl_t crl)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return (time_t) - 1;
+ }
+
+ return _gnutls_x509_get_time(crl->crl, "tbsCertList.nextUpdate",
+ 0);
+}
+
+/**
+ * gnutls_x509_crl_get_crt_count:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ *
+ * This function will return the number of revoked certificates in the
+ * given CRL.
+ *
+ * Returns: number of certificates, a negative error code on failure.
+ **/
+int gnutls_x509_crl_get_crt_count(gnutls_x509_crl_t crl)
+{
+
+ int count, result;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ result =
+ asn1_number_of_elements(crl->crl,
+ "tbsCertList.revokedCertificates",
+ &count);
+
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return 0; /* no certificates */
+ }
+
+ return count;
+}
+
+/**
+ * gnutls_x509_crl_get_crt_serial:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @indx: the index of the certificate to extract (starting from 0)
+ * @serial: where the serial number will be copied
+ * @serial_size: initially holds the size of serial
+ * @t: if non null, will hold the time this certificate was revoked
+ *
+ * This function will retrieve the serial number of the specified, by
+ * the index, revoked certificate.
+ *
+ * Note that this function will have performance issues in large sequences
+ * of revoked certificates. In that case use gnutls_x509_crl_iter_crt_serial().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_get_crt_serial(gnutls_x509_crl_t crl, unsigned indx,
+ unsigned char *serial,
+ size_t * serial_size, time_t * t)
+{
+
+ int result, _serial_size;
+ char serial_name[MAX_NAME_SIZE];
+ char date_name[MAX_NAME_SIZE];
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ snprintf(serial_name, sizeof(serial_name),
+ "tbsCertList.revokedCertificates.?%u.userCertificate",
+ indx + 1);
+ snprintf(date_name, sizeof(date_name),
+ "tbsCertList.revokedCertificates.?%u.revocationDate",
+ indx + 1);
+
+ _serial_size = *serial_size;
+ result =
+ asn1_read_value(crl->crl, serial_name, serial, &_serial_size);
+
+ *serial_size = _serial_size;
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ if (result == ASN1_ELEMENT_NOT_FOUND)
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ return _gnutls_asn2err(result);
+ }
+
+ if (t) {
+ *t = _gnutls_x509_get_time(crl->crl, date_name, 0);
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_iter_deinit:
+ * @iter: The iterator to be deinitialized
+ *
+ * This function will deinitialize an iterator type.
+ **/
+void gnutls_x509_crl_iter_deinit(gnutls_x509_crl_iter_t iter)
+{
+ if (!iter)
+ return;
+
+ gnutls_free(iter);
+}
+
+/**
+ * gnutls_x509_crl_iter_crt_serial:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @iter: A pointer to an iterator (initially the iterator should be %NULL)
+ * @serial: where the serial number will be copied
+ * @serial_size: initially holds the size of serial
+ * @t: if non null, will hold the time this certificate was revoked
+ *
+ * This function performs the same as gnutls_x509_crl_get_crt_serial(),
+ * but reads sequentially and keeps state in the iterator
+ * between calls. That allows it to provide better performance in sequences
+ * with many elements (50000+).
+ *
+ * When past the last element is accessed %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * is returned and the iterator is reset.
+ *
+ * After use, the iterator must be deinitialized using gnutls_x509_crl_iter_deinit().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_iter_crt_serial(gnutls_x509_crl_t crl,
+ gnutls_x509_crl_iter_t *iter,
+ unsigned char *serial,
+ size_t * serial_size, time_t * t)
+{
+
+ int result, _serial_size;
+ char serial_name[MAX_NAME_SIZE];
+ char date_name[MAX_NAME_SIZE];
+
+ if (crl == NULL || iter == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if (*iter == NULL) {
+ *iter = gnutls_calloc(1, sizeof(struct gnutls_x509_crl_iter));
+ if (*iter == NULL)
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ if ((*iter)->rcache == NULL) {
+ (*iter)->rcache = asn1_find_node (crl->crl, "tbsCertList.revokedCertificates.?1");
+ (*iter)->rcache_idx = 1;
+ } else {
+ snprintf(serial_name, sizeof(serial_name),
+ "?%u", (*iter)->rcache_idx);
+ (*iter)->rcache = asn1_find_node ((*iter)->rcache, serial_name);
+ }
+ if ((*iter)->rcache == NULL) {
+ /* reset */
+ (*iter)->rcache = NULL;
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ }
+
+ snprintf(serial_name, sizeof(serial_name),
+ "?%u.userCertificate", (*iter)->rcache_idx);
+
+ _serial_size = *serial_size;
+ result =
+ asn1_read_value((*iter)->rcache, serial_name, serial, &_serial_size);
+
+ *serial_size = _serial_size;
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ if (result == ASN1_ELEMENT_NOT_FOUND) {
+ /* reset */
+ (*iter)->rcache = NULL;
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+ return _gnutls_asn2err(result);
+ }
+
+ if (t) {
+ snprintf(date_name, sizeof(date_name),
+ "?%u.revocationDate", (*iter)->rcache_idx);
+ *t = _gnutls_x509_get_time((*iter)->rcache, date_name, 0);
+ }
+
+ (*iter)->rcache_idx++;
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_raw_issuer_dn:
+ * @crl: should contain a gnutls_x509_crl_t type
+ * @dn: will hold the starting point of the DN
+ *
+ * This function will return a pointer to the DER encoded DN structure
+ * and the length.
+ *
+ * Returns: a negative error code on error, and (0) on success.
+ *
+ * Since: 2.12.0
+ **/
+int
+gnutls_x509_crl_get_raw_issuer_dn(gnutls_x509_crl_t crl,
+ gnutls_datum_t * dn)
+{
+ if (crl->raw_issuer_dn.size != 0) {
+ return _gnutls_set_datum(dn, crl->raw_issuer_dn.data,
+ crl->raw_issuer_dn.size);
+ } else {
+ return _gnutls_x509_get_raw_field(crl->crl, "tbsCertList.issuer.rdnSequence", dn);
+ }
+}
+
+/**
+ * gnutls_x509_crl_export:
+ * @crl: Holds the revocation list
+ * @format: the format of output params. One of PEM or DER.
+ * @output_data: will contain a private key PEM or DER encoded
+ * @output_data_size: holds the size of output_data (and will
+ * be replaced by the actual size of parameters)
+ *
+ * This function will export the revocation list to DER or PEM format.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN X509 CRL".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_export(gnutls_x509_crl_t crl,
+ gnutls_x509_crt_fmt_t format, void *output_data,
+ size_t * output_data_size)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_export_int(crl->crl, format, PEM_CRL,
+ output_data, output_data_size);
+}
+
+/**
+ * gnutls_x509_crl_export2:
+ * @crl: Holds the revocation list
+ * @format: the format of output params. One of PEM or DER.
+ * @out: will contain a private key PEM or DER encoded
+ *
+ * This function will export the revocation list to DER or PEM format.
+ *
+ * The output buffer is allocated using gnutls_malloc().
+ *
+ * If the structure is PEM encoded, it will have a header
+ * of "BEGIN X509 CRL".
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ *
+ * Since 3.1.3
+ **/
+int
+gnutls_x509_crl_export2(gnutls_x509_crl_t crl,
+ gnutls_x509_crt_fmt_t format, gnutls_datum_t * out)
+{
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ return _gnutls_x509_export_int2(crl->crl, format, PEM_CRL, out);
+}
+
+/*-
+ * _gnutls_x509_crl_cpy - This function copies a gnutls_x509_crl_t type
+ * @dest: The data where to copy
+ * @src: The data to be copied
+ *
+ * This function will copy an X.509 certificate structure.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ -*/
+int _gnutls_x509_crl_cpy(gnutls_x509_crl_t dest, gnutls_x509_crl_t src)
+{
+ int ret;
+ gnutls_datum_t tmp;
+
+ ret = gnutls_x509_crl_export2(src, GNUTLS_X509_FMT_DER, &tmp);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret = gnutls_x509_crl_import(dest, &tmp, GNUTLS_X509_FMT_DER);
+
+ gnutls_free(tmp.data);
+
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ return 0;
+
+}
+
+static int
+_get_authority_key_id(gnutls_x509_crl_t cert, asn1_node * c2,
+ unsigned int *critical)
+{
+ int ret;
+ gnutls_datum_t id;
+
+ *c2 = NULL;
+
+ if (cert == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if ((ret =
+ _gnutls_x509_crl_get_extension(cert, "2.5.29.35", 0, &id,
+ critical)) < 0) {
+ return gnutls_assert_val(ret);
+ }
+
+ if (id.size == 0 || id.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ ret = asn1_create_element
+ (_gnutls_get_pkix(), "PKIX1.AuthorityKeyIdentifier", c2);
+ if (ret != ASN1_SUCCESS) {
+ gnutls_assert();
+ _gnutls_free_datum(&id);
+ return _gnutls_asn2err(ret);
+ }
+
+ ret = _asn1_strict_der_decode(c2, id.data, id.size, NULL);
+ _gnutls_free_datum(&id);
+
+ if (ret != ASN1_SUCCESS) {
+ gnutls_assert();
+ asn1_delete_structure(c2);
+ return _gnutls_asn2err(ret);
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_authority_key_gn_serial:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
+ * @alt: is the place where the alternative name will be copied to
+ * @alt_size: holds the size of alt.
+ * @alt_type: holds the type of the alternative name (one of gnutls_x509_subject_alt_name_t).
+ * @serial: buffer to store the serial number (may be null)
+ * @serial_size: Holds the size of the serial field (may be null)
+ * @critical: will be non-zero if the extension is marked as critical (may be null)
+ *
+ * This function will return the X.509 authority key
+ * identifier when stored as a general name (authorityCertIssuer)
+ * and serial number.
+ *
+ * Because more than one general names might be stored
+ * @seq can be used as a counter to request them all until
+ * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned.
+ *
+ * Returns: Returns 0 on success, or an error code.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_x509_crl_get_authority_key_gn_serial(gnutls_x509_crl_t crl,
+ unsigned int seq,
+ void *alt,
+ size_t * alt_size,
+ unsigned int *alt_type,
+ void *serial,
+ size_t * serial_size,
+ unsigned int *critical)
+{
+ int ret, result, len;
+ asn1_node c2;
+
+ ret = _get_authority_key_id(crl, &c2, critical);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ ret =
+ _gnutls_parse_general_name(c2, "authorityCertIssuer", seq, alt,
+ alt_size, alt_type, 0);
+ if (ret < 0) {
+ ret = gnutls_assert_val(ret);
+ goto fail;
+ }
+
+ if (serial) {
+ len = *serial_size;
+ result =
+ asn1_read_value(c2, "authorityCertSerialNumber",
+ serial, &len);
+
+ *serial_size = len;
+
+ if (result < 0) {
+ ret = _gnutls_asn2err(result);
+ goto fail;
+ }
+
+ }
+
+ ret = 0;
+
+ fail:
+ asn1_delete_structure(&c2);
+
+ return ret;
+}
+
+
+/**
+ * gnutls_x509_crl_get_authority_key_id:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @id: The place where the identifier will be copied
+ * @id_size: Holds the size of the result field.
+ * @critical: will be non-zero if the extension is marked as critical
+ * (may be null)
+ *
+ * This function will return the CRL authority's key identifier. This
+ * is obtained by the X.509 Authority Key identifier extension field
+ * (2.5.29.35). Note that this function
+ * only returns the keyIdentifier field of the extension and
+ * %GNUTLS_E_X509_UNSUPPORTED_EXTENSION, if the extension contains
+ * the name and serial number of the certificate. In that case
+ * gnutls_x509_crl_get_authority_key_gn_serial() may be used.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code in case of an error.
+ *
+ * Since: 2.8.0
+ **/
+int
+gnutls_x509_crl_get_authority_key_id(gnutls_x509_crl_t crl, void *id,
+ size_t * id_size,
+ unsigned int *critical)
+{
+ int result, len, ret;
+ asn1_node c2;
+
+ ret = _get_authority_key_id(crl, &c2, critical);
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+
+ len = *id_size;
+ result = asn1_read_value(c2, "keyIdentifier", id, &len);
+
+ *id_size = len;
+ asn1_delete_structure(&c2);
+
+ if (result == ASN1_VALUE_NOT_FOUND
+ || result == ASN1_ELEMENT_NOT_FOUND)
+ return
+ gnutls_assert_val(GNUTLS_E_X509_UNSUPPORTED_EXTENSION);
+
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_number:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @ret: The place where the number will be copied
+ * @ret_size: Holds the size of the result field.
+ * @critical: will be non-zero if the extension is marked as critical
+ * (may be null)
+ *
+ * This function will return the CRL number extension. This is
+ * obtained by the CRL Number extension field (2.5.29.20).
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code in case of an error.
+ *
+ * Since: 2.8.0
+ **/
+int
+gnutls_x509_crl_get_number(gnutls_x509_crl_t crl, void *ret,
+ size_t * ret_size, unsigned int *critical)
+{
+ int result;
+ gnutls_datum_t id;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ if (ret)
+ memset(ret, 0, *ret_size);
+ else
+ *ret_size = 0;
+
+ if ((result =
+ _gnutls_x509_crl_get_extension(crl, "2.5.29.20", 0, &id,
+ critical)) < 0) {
+ return result;
+ }
+
+ if (id.size == 0 || id.data == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ }
+
+ result =
+ _gnutls_x509_ext_extract_number(ret, ret_size, id.data,
+ id.size);
+
+ _gnutls_free_datum(&id);
+
+ if (result < 0) {
+ gnutls_assert();
+ return result;
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_get_extension_oid:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @indx: Specifies which extension OID to send, use (0) to get the first one.
+ * @oid: a pointer to store the OID (may be null)
+ * @sizeof_oid: initially holds the size of @oid
+ *
+ * This function will return the requested extension OID in the CRL.
+ * The extension OID will be stored as a string in the provided
+ * buffer.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code in case of an error. If your have reached the
+ * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
+ *
+ * Since: 2.8.0
+ **/
+int
+gnutls_x509_crl_get_extension_oid(gnutls_x509_crl_t crl, unsigned indx,
+ void *oid, size_t * sizeof_oid)
+{
+ int result;
+
+ if (crl == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ result =
+ _gnutls_x509_crl_get_extension_oid(crl, indx, oid, sizeof_oid);
+ if (result < 0) {
+ return result;
+ }
+
+ return 0;
+
+}
+
+/**
+ * gnutls_x509_crl_get_extension_info:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @indx: Specifies which extension OID to send, use (0) to get the first one.
+ * @oid: a pointer to store the OID
+ * @sizeof_oid: initially holds the maximum size of @oid, on return
+ * holds actual size of @oid.
+ * @critical: output variable with critical flag, may be NULL.
+ *
+ * This function will return the requested extension OID in the CRL,
+ * and the critical flag for it. The extension OID will be stored as
+ * a string in the provided buffer. Use
+ * gnutls_x509_crl_get_extension_data() to extract the data.
+ *
+ * If the buffer provided is not long enough to hold the output, then
+ * *@sizeof_oid is updated and %GNUTLS_E_SHORT_MEMORY_BUFFER will be
+ * returned.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code in case of an error. If your have reached the
+ * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
+ *
+ * Since: 2.8.0
+ **/
+int
+gnutls_x509_crl_get_extension_info(gnutls_x509_crl_t crl, unsigned indx,
+ void *oid, size_t * sizeof_oid,
+ unsigned int *critical)
+{
+ int result;
+ char str_critical[10];
+ char name[MAX_NAME_SIZE];
+ int len;
+
+ if (!crl) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ snprintf(name, sizeof(name),
+ "tbsCertList.crlExtensions.?%u.extnID", indx + 1);
+
+ len = *sizeof_oid;
+ result = asn1_read_value(crl->crl, name, oid, &len);
+ *sizeof_oid = len;
+
+ if (result == ASN1_ELEMENT_NOT_FOUND)
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ else if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ snprintf(name, sizeof(name),
+ "tbsCertList.crlExtensions.?%u.critical", indx + 1);
+ len = sizeof(str_critical);
+ result = asn1_read_value(crl->crl, name, str_critical, &len);
+ if (result != ASN1_SUCCESS) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ if (critical) {
+ if (str_critical[0] == 'T')
+ *critical = 1;
+ else
+ *critical = 0;
+ }
+
+ return 0;
+
+}
+
+/**
+ * gnutls_x509_crl_get_extension_data:
+ * @crl: should contain a #gnutls_x509_crl_t type
+ * @indx: Specifies which extension OID to send. Use (0) to get the first one.
+ * @data: a pointer to a structure to hold the data (may be null)
+ * @sizeof_data: initially holds the size of @oid
+ *
+ * This function will return the requested extension data in the CRL.
+ * The extension data will be stored as a string in the provided
+ * buffer.
+ *
+ * Use gnutls_x509_crl_get_extension_info() to extract the OID and
+ * critical flag. Use gnutls_x509_crl_get_extension_info() instead,
+ * if you want to get data indexed by the extension OID rather than
+ * sequence.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error code in case of an error. If your have reached the
+ * last extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
+ *
+ * Since: 2.8.0
+ **/
+int
+gnutls_x509_crl_get_extension_data(gnutls_x509_crl_t crl, unsigned indx,
+ void *data, size_t * sizeof_data)
+{
+ int result, len;
+ char name[MAX_NAME_SIZE];
+
+ if (!crl) {
+ gnutls_assert();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ snprintf(name, sizeof(name),
+ "tbsCertList.crlExtensions.?%u.extnValue", indx + 1);
+
+ len = *sizeof_data;
+ result = asn1_read_value(crl->crl, name, data, &len);
+ *sizeof_data = len;
+
+ if (result == ASN1_ELEMENT_NOT_FOUND)
+ return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ else if (result < 0) {
+ gnutls_assert();
+ return _gnutls_asn2err(result);
+ }
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_list_import2:
+ * @crls: Will contain the parsed crl list.
+ * @size: It will contain the size of the list.
+ * @data: The PEM encoded CRL.
+ * @format: One of DER or PEM.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
+ *
+ * This function will convert the given PEM encoded CRL list
+ * to the native gnutls_x509_crl_t format. The output will be stored
+ * in @crls. They will be automatically initialized.
+ *
+ * If the Certificate is PEM encoded it should have a header of "X509
+ * CRL".
+ *
+ * Returns: the number of certificates read or a negative error value.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_x509_crl_list_import2(gnutls_x509_crl_t ** crls,
+ unsigned int *size,
+ const gnutls_datum_t * data,
+ gnutls_x509_crt_fmt_t format,
+ unsigned int flags)
+{
+ unsigned int init = 1024;
+ int ret;
+
+ *crls = _gnutls_reallocarray(NULL, init, sizeof(gnutls_x509_crl_t));
+ if (*crls == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret =
+ gnutls_x509_crl_list_import(*crls, &init, data, format,
+ flags | GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+ if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ *crls = _gnutls_reallocarray_fast(*crls, init,
+ sizeof(gnutls_x509_crl_t));
+ if (*crls == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret =
+ gnutls_x509_crl_list_import(*crls, &init, data, format,
+ flags);
+ }
+
+ if (ret < 0) {
+ gnutls_free(*crls);
+ *crls = NULL;
+ return ret;
+ }
+
+ *size = init;
+ return 0;
+}
+
+/**
+ * gnutls_x509_crl_list_import:
+ * @crls: Indicates where the parsed CRLs will be copied to. Must not be initialized.
+ * @crl_max: Initially must hold the maximum number of crls. It will be updated with the number of crls available.
+ * @data: The PEM encoded CRLs
+ * @format: One of DER or PEM.
+ * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
+ *
+ * This function will convert the given PEM encoded CRL list
+ * to the native gnutls_x509_crl_t format. The output will be stored
+ * in @crls. They will be automatically initialized.
+ *
+ * If the Certificate is PEM encoded it should have a header of "X509 CRL".
+ *
+ * Returns: the number of certificates read or a negative error value.
+ *
+ * Since: 3.0
+ **/
+int
+gnutls_x509_crl_list_import(gnutls_x509_crl_t * crls,
+ unsigned int *crl_max,
+ const gnutls_datum_t * data,
+ gnutls_x509_crt_fmt_t format,
+ unsigned int flags)
+{
+ int size;
+ const char *ptr;
+ gnutls_datum_t tmp;
+ int ret, nocopy = 0;
+ unsigned int count = 0, j;
+
+ if (format == GNUTLS_X509_FMT_DER) {
+ if (*crl_max < 1) {
+ *crl_max = 1;
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+ }
+
+ count = 1; /* import only the first one */
+
+ ret = gnutls_x509_crl_init(&crls[0]);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
+ ret = gnutls_x509_crl_import(crls[0], data, format);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
+ *crl_max = 1;
+ return 1;
+ }
+
+ /* move to the certificate
+ */
+ ptr = memmem(data->data, data->size,
+ PEM_CRL_SEP, sizeof(PEM_CRL_SEP) - 1);
+ if (ptr == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_BASE64_DECODING_ERROR;
+ }
+
+ count = 0;
+
+ do {
+ if (count >= *crl_max) {
+ if (!
+ (flags &
+ GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) {
+ break;
+ } else if (nocopy == 0) {
+ for (j = 0; j < count; j++)
+ gnutls_x509_crl_deinit(crls[j]);
+ nocopy = 1;
+ }
+ }
+
+ if (!nocopy) {
+ ret = gnutls_x509_crl_init(&crls[count]);
+ if (ret < 0) {
+ gnutls_assert();
+ goto error;
+ }
+
+ tmp.data = (void *) ptr;
+ tmp.size =
+ data->size - (ptr - (char *) data->data);
+ ret =
+ gnutls_x509_crl_import(crls[count], &tmp,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ gnutls_assert();
+ count++;
+ goto error;
+ }
+ }
+
+ /* now we move ptr after the pem header
+ */
+ ptr++;
+ /* find the next certificate (if any)
+ */
+ size = data->size - (ptr - (char *) data->data);
+
+ if (size > 0) {
+ ptr =
+ memmem(ptr, size, PEM_CRL_SEP,
+ sizeof(PEM_CRL_SEP) - 1);
+ } else
+ ptr = NULL;
+
+ count++;
+ }
+ while (ptr != NULL);
+
+ *crl_max = count;
+
+ if (nocopy == 0)
+ return count;
+ else
+ return GNUTLS_E_SHORT_MEMORY_BUFFER;
+
+ error:
+ for (j = 0; j < count; j++)
+ gnutls_x509_crl_deinit(crls[j]);
+ return ret;
+}