commit c84fd1cd95160520089eecd075eefe6baee4bfef
author Hanno Becker <hanno.becker@arm.com> Fri Feb 22 15:01:03 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Tue Jun 25 09:06:26 2019 +0100
tree f4a3c190ae2652afa1aa4ac785150378dd59a5c3
parent b3def1d341129db4ab4d19df44fcf05ece13df76

Check whether CRT is revoked by passing its serial number only

CRLs reference revoked CRTs through their serial number only.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 5959c0a..c6d310d 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1740,14 +1740,16 @@
 /*
  * Return 1 if the certificate is revoked, or 0 otherwise.
  */
-int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
+static int x509_serial_is_revoked( unsigned char const *serial,
+                                 size_t serial_len,
+                                 const mbedtls_x509_crl *crl )
 {
     const mbedtls_x509_crl_entry *cur = &crl->entry;
 
     while( cur != NULL && cur->serial.len != 0 )
     {
-        if( crt->serial.len == cur->serial.len &&
-            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
+        if( serial_len == cur->serial.len &&
+            memcmp( serial, cur->serial.p, serial_len ) == 0 )
         {
             if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
                 return( 1 );
@@ -1759,11 +1761,21 @@
     return( 0 );
 }
 
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt,
+                                 const mbedtls_x509_crl *crl )
+{
+    return( x509_serial_is_revoked( crt->serial.p,
+                                    crt->serial.len,
+                                    crl ) );
+}
+
 /*
  * Check that the given certificate is not revoked according to the CRL.
  * Skip validation if no CRL for the given CA is present.
  */
-static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+static int x509_crt_verifycrl( unsigned char *crt_serial,
+                               size_t crt_serial_len,
+                               mbedtls_x509_crt *ca,
                                mbedtls_x509_crl *crl_list,
                                const mbedtls_x509_crt_profile *profile )
 {
@@ -1837,7 +1849,8 @@
         /*
          * Check if certificate is revoked
          */
-        if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
+        if( x509_serial_is_revoked( crt_serial, crt_serial_len,
+                                    crl_list ) )
         {
             flags |= MBEDTLS_X509_BADCERT_REVOKED;
             break;
@@ -2365,7 +2378,9 @@
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
         /* Check trusted CA's CRL for the given crt */
-        *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
+        *flags |= x509_crt_verifycrl( child->serial.p,
+                                      child->serial.len,
+                                      parent, ca_crl, profile );
 #else
         (void) ca_crl;
 #endif