| Antonio de Angelis | 8bb9851 | 2024-01-16 14:13:36 +0000 | [diff] [blame^] | 1 | /** |
| 2 | * \file x509_crl.h |
| 3 | * |
| 4 | * \brief X.509 certificate revocation list parsing |
| 5 | */ |
| 6 | /* |
| 7 | * Copyright The Mbed TLS Contributors |
| 8 | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
| 9 | */ |
| 10 | #ifndef MBEDTLS_X509_CRL_H |
| 11 | #define MBEDTLS_X509_CRL_H |
| 12 | #include "mbedtls/private_access.h" |
| 13 | |
| 14 | #include "mbedtls/build_info.h" |
| 15 | |
| 16 | #include "mbedtls/x509.h" |
| 17 | |
| 18 | #ifdef __cplusplus |
| 19 | extern "C" { |
| 20 | #endif |
| 21 | |
| 22 | /** |
| 23 | * \addtogroup x509_module |
| 24 | * \{ */ |
| 25 | |
| 26 | /** |
| 27 | * \name Structures and functions for parsing CRLs |
| 28 | * \{ |
| 29 | */ |
| 30 | |
| 31 | /** |
| 32 | * Certificate revocation list entry. |
| 33 | * Contains the CA-specific serial numbers and revocation dates. |
| 34 | * |
| 35 | * Some fields of this structure are publicly readable. Do not modify |
| 36 | * them except via Mbed TLS library functions: the effect of modifying |
| 37 | * those fields or the data that those fields points to is unspecified. |
| 38 | */ |
| 39 | typedef struct mbedtls_x509_crl_entry { |
| 40 | /** Direct access to the whole entry inside the containing buffer. */ |
| 41 | mbedtls_x509_buf raw; |
| 42 | /** The serial number of the revoked certificate. */ |
| 43 | mbedtls_x509_buf serial; |
| 44 | /** The revocation date of this entry. */ |
| 45 | mbedtls_x509_time revocation_date; |
| 46 | /** Direct access to the list of CRL entry extensions |
| 47 | * (an ASN.1 constructed sequence). |
| 48 | * |
| 49 | * If there are no extensions, `entry_ext.len == 0` and |
| 50 | * `entry_ext.p == NULL`. */ |
| 51 | mbedtls_x509_buf entry_ext; |
| 52 | |
| 53 | /** Next element in the linked list of entries. |
| 54 | * \p NULL indicates the end of the list. |
| 55 | * Do not modify this field directly. */ |
| 56 | struct mbedtls_x509_crl_entry *next; |
| 57 | } |
| 58 | mbedtls_x509_crl_entry; |
| 59 | |
| 60 | /** |
| 61 | * Certificate revocation list structure. |
| 62 | * Every CRL may have multiple entries. |
| 63 | */ |
| 64 | typedef struct mbedtls_x509_crl { |
| 65 | mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ |
| 66 | mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ |
| 67 | |
| 68 | int version; /**< CRL version (1=v1, 2=v2) */ |
| 69 | mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */ |
| 70 | |
| 71 | mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */ |
| 72 | |
| 73 | mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ |
| 74 | |
| 75 | mbedtls_x509_time this_update; |
| 76 | mbedtls_x509_time next_update; |
| 77 | |
| 78 | mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */ |
| 79 | |
| 80 | mbedtls_x509_buf crl_ext; |
| 81 | |
| 82 | mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2); |
| 83 | mbedtls_x509_buf MBEDTLS_PRIVATE(sig); |
| 84 | mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ |
| 85 | mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ |
| 86 | void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ |
| 87 | |
| 88 | /** Next element in the linked list of CRL. |
| 89 | * \p NULL indicates the end of the list. |
| 90 | * Do not modify this field directly. */ |
| 91 | struct mbedtls_x509_crl *next; |
| 92 | } |
| 93 | mbedtls_x509_crl; |
| 94 | |
| 95 | /** |
| 96 | * \brief Parse a DER-encoded CRL and append it to the chained list |
| 97 | * |
| 98 | * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto |
| 99 | * subsystem must have been initialized by calling |
| 100 | * psa_crypto_init() before calling this function. |
| 101 | * |
| 102 | * \param chain points to the start of the chain |
| 103 | * \param buf buffer holding the CRL data in DER format |
| 104 | * \param buflen size of the buffer |
| 105 | * (including the terminating null byte for PEM data) |
| 106 | * |
| 107 | * \return 0 if successful, or a specific X509 or PEM error code |
| 108 | */ |
| 109 | int mbedtls_x509_crl_parse_der(mbedtls_x509_crl *chain, |
| 110 | const unsigned char *buf, size_t buflen); |
| 111 | /** |
| 112 | * \brief Parse one or more CRLs and append them to the chained list |
| 113 | * |
| 114 | * \note Multiple CRLs are accepted only if using PEM format |
| 115 | * |
| 116 | * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto |
| 117 | * subsystem must have been initialized by calling |
| 118 | * psa_crypto_init() before calling this function. |
| 119 | * |
| 120 | * \param chain points to the start of the chain |
| 121 | * \param buf buffer holding the CRL data in PEM or DER format |
| 122 | * \param buflen size of the buffer |
| 123 | * (including the terminating null byte for PEM data) |
| 124 | * |
| 125 | * \return 0 if successful, or a specific X509 or PEM error code |
| 126 | */ |
| 127 | int mbedtls_x509_crl_parse(mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen); |
| 128 | |
| 129 | #if defined(MBEDTLS_FS_IO) |
| 130 | /** |
| 131 | * \brief Load one or more CRLs and append them to the chained list |
| 132 | * |
| 133 | * \note Multiple CRLs are accepted only if using PEM format |
| 134 | * |
| 135 | * \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto |
| 136 | * subsystem must have been initialized by calling |
| 137 | * psa_crypto_init() before calling this function. |
| 138 | * |
| 139 | * \param chain points to the start of the chain |
| 140 | * \param path filename to read the CRLs from (in PEM or DER encoding) |
| 141 | * |
| 142 | * \return 0 if successful, or a specific X509 or PEM error code |
| 143 | */ |
| 144 | int mbedtls_x509_crl_parse_file(mbedtls_x509_crl *chain, const char *path); |
| 145 | #endif /* MBEDTLS_FS_IO */ |
| 146 | |
| 147 | #if !defined(MBEDTLS_X509_REMOVE_INFO) |
| 148 | /** |
| 149 | * \brief Returns an informational string about the CRL. |
| 150 | * |
| 151 | * \param buf Buffer to write to |
| 152 | * \param size Maximum size of buffer |
| 153 | * \param prefix A line prefix |
| 154 | * \param crl The X509 CRL to represent |
| 155 | * |
| 156 | * \return The length of the string written (not including the |
| 157 | * terminated nul byte), or a negative error code. |
| 158 | */ |
| 159 | int mbedtls_x509_crl_info(char *buf, size_t size, const char *prefix, |
| 160 | const mbedtls_x509_crl *crl); |
| 161 | #endif /* !MBEDTLS_X509_REMOVE_INFO */ |
| 162 | |
| 163 | /** |
| 164 | * \brief Initialize a CRL (chain) |
| 165 | * |
| 166 | * \param crl CRL chain to initialize |
| 167 | */ |
| 168 | void mbedtls_x509_crl_init(mbedtls_x509_crl *crl); |
| 169 | |
| 170 | /** |
| 171 | * \brief Unallocate all CRL data |
| 172 | * |
| 173 | * \param crl CRL chain to free |
| 174 | */ |
| 175 | void mbedtls_x509_crl_free(mbedtls_x509_crl *crl); |
| 176 | |
| 177 | /** \} name Structures and functions for parsing CRLs */ |
| 178 | /** \} addtogroup x509_module */ |
| 179 | |
| 180 | #ifdef __cplusplus |
| 181 | } |
| 182 | #endif |
| 183 | |
| 184 | #endif /* mbedtls_x509_crl.h */ |