1 /**
2  * \file x509_crl.h
3  *
4  * \brief X.509 certificate revocation list parsing
5  */
6 /*
7  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8  *  SPDX-License-Identifier: Apache-2.0
9  *
10  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
11  *  not use this file except in compliance with the License.
12  *  You may obtain a copy of the License at
13  *
14  *  http://www.apache.org/licenses/LICENSE-2.0
15  *
16  *  Unless required by applicable law or agreed to in writing, software
17  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  *  See the License for the specific language governing permissions and
20  *  limitations under the License.
21  *
22  *  This file is part of mbed TLS (https://tls.mbed.org)
23  */
24 #ifndef MBEDTLS_X509_CRL_H
25 #define MBEDTLS_X509_CRL_H
26 
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32 
33 #include "x509.h"
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
39 /**
40  * \addtogroup x509_module
41  * \{ */
42 
43 /**
44  * \name Structures and functions for parsing CRLs
45  * \{
46  */
47 
48 /**
49  * Certificate revocation list entry.
50  * Contains the CA-specific serial numbers and revocation dates.
51  */
typedef struct mbedtls_x509_crl_entry
{
    mbedtls_x509_buf raw;               /**< The raw entry data (DER) as it appears in the CRL's revokedCertificates sequence. */

    mbedtls_x509_buf serial;            /**< Serial number of the revoked certificate; meaningful only together with the issuer of the enclosing CRL. */

    mbedtls_x509_time revocation_date;  /**< The entry's revocationDate field. */

    mbedtls_x509_buf entry_ext;         /**< Raw crlEntryExtensions (DER); presumably left zeroed when the entry has none — confirm against the parser. */

    struct mbedtls_x509_crl_entry *next;    /**< Next entry in the singly linked list, or NULL for the last one. */
}
mbedtls_x509_crl_entry;
65 
66 /**
67  * Certificate revocation list structure.
68  * Every CRL may have multiple entries.
69  */
typedef struct mbedtls_x509_crl
{
    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */

    int version;            /**< CRL version (1=v1, 2=v2) */
    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */

    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */

    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */

    mbedtls_x509_time this_update;  /**< The thisUpdate field: time at which this CRL was issued. */
    mbedtls_x509_time next_update;  /**< The nextUpdate field: time by which a newer CRL is due. Optional in RFC 5280; presumably left zeroed when absent — confirm against the parser. */

    mbedtls_x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */

    mbedtls_x509_buf crl_ext;       /**< Raw crlExtensions (DER). */

    mbedtls_x509_buf sig_oid2;      /**< Signature algorithm identifier repeated outside the TBS part; expected to match sig_oid. */
    mbedtls_x509_buf sig;           /**< The signature value. NOTE(review): parsing does not verify it; verification against the issuing CA is done at certificate-chain verification time. */
    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS. Presumably owned by this structure and released by mbedtls_x509_crl_free(). */

    struct mbedtls_x509_crl *next;  /**< Next CRL in the chain, or NULL for the last one. */
}
mbedtls_x509_crl;
98 
/**
 * \brief          Parse a DER-encoded CRL and append it to the chained list
 *
 * \note           This function accepts DER only; use mbedtls_x509_crl_parse()
 *                 for PEM input. The chain must have been initialized with
 *                 mbedtls_x509_crl_init() before the first call.
 *                 NOTE(review): the CRL signature is parsed but not verified
 *                 here; verification against the issuing CA happens during
 *                 certificate-chain verification.
 *
 * \param chain    points to the start of the chain
 * \param buf      buffer holding the CRL data in DER format
 * \param buflen   size of the buffer in bytes
 *
 * \return         0 if successful, or a specific X509 or PEM error code
 */
int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
                        const unsigned char *buf, size_t buflen );
/**
 * \brief          Parse one or more CRLs and append them to the chained list
 *
 * \note           Multiple CRLs are accepted only if using PEM format.
 *                 PEM input must be NUL-terminated and \p buflen must count
 *                 the terminator; DER input is passed through to
 *                 mbedtls_x509_crl_parse_der(). The chain must have been
 *                 initialized with mbedtls_x509_crl_init() before the first
 *                 call. Signatures are not verified during parsing.
 *
 * \param chain    points to the start of the chain
 * \param buf      buffer holding the CRL data in PEM or DER format
 * \param buflen   size of the buffer
 *                 (including the terminating null byte for PEM data)
 *
 * \return         0 if successful, or a specific X509 or PEM error code
 */
int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen );
124 
125 #if defined(MBEDTLS_FS_IO)
/**
 * \brief          Load one or more CRLs and append them to the chained list
 *
 * \note           Multiple CRLs are accepted only if using PEM format.
 *                 The file content is presumably read whole and handed to
 *                 mbedtls_x509_crl_parse(), so the same initialization and
 *                 no-signature-verification caveats apply.
 *
 * \param chain    points to the start of the chain
 * \param path     filename to read the CRLs from (in PEM or DER encoding)
 *
 * \return         0 if successful, or a specific X509 or PEM error code
 *                 (file-system failures are reported as an X509 error code
 *                 as well)
 */
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
137 #endif /* MBEDTLS_FS_IO */
138 
/**
 * \brief          Returns an informational string about the CRL.
 *
 * \note           The output is bounded by \p size and always NUL-terminated
 *                 on success; an insufficient buffer yields an error
 *                 (e.g. MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) rather than a
 *                 truncated string. Intended for diagnostics/logging only.
 *
 * \param buf      Buffer to write to
 * \param size     Maximum size of buffer
 * \param prefix   A line prefix
 * \param crl      The X509 CRL to represent
 *
 * \return         The length of the string written (not including the
 *                 terminating NUL byte), or a negative error code.
 */
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
                   const mbedtls_x509_crl *crl );
152 
/**
 * \brief          Initialize a CRL (chain)
 *
 * \note           Must be called on the first element before it is passed to
 *                 any of the parse functions. Presumably zero-fills the
 *                 structure, which leaves \c version at 0 so the parser can
 *                 tell an unused head element from a populated one — confirm
 *                 against the implementation.
 *
 * \param crl      CRL chain to initialize
 */
void mbedtls_x509_crl_init( mbedtls_x509_crl *crl );
159 
/**
 * \brief          Unallocate all CRL data
 *
 * \note           Releases everything the chain owns (entries, parsed issuer
 *                 names, raw buffers, sig_opts, and the CRL structures
 *                 appended after the first). The first element is
 *                 caller-provided storage and is not freed itself; it is
 *                 presumably re-zeroed so that it may be reused or freed
 *                 again safely — confirm against the implementation.
 *
 * \param crl      CRL chain to free
 */
void mbedtls_x509_crl_free( mbedtls_x509_crl *crl );
166 
167 /* \} name */
168 /* \} addtogroup x509_module */
169 
170 #ifdef __cplusplus
171 }
172 #endif
173 
#endif /* MBEDTLS_X509_CRL_H */
175