x509_crl_validate.c

Go to the documentation of this file.

/**
 * @file x509_crl_validate.c
 * @brief CRL validation
 *
 * @section License
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 *
 * Copyright (C) 2010-2024 Oryx Embedded SARL. All rights reserved.
 *
 * This file is part of CycloneCRYPTO Open.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 *
 * @author Oryx Embedded SARL (www.oryx-embedded.com)
 * @version 2.4.0
 **/
 
//Switch to the appropriate trace level
#define TRACE_LEVEL CRYPTO_TRACE_LEVEL
 
//Dependencies
#include "core/crypto.h"
#include "pkix/x509_crl_parse.h"
#include "pkix/x509_crl_validate.h"
#include "pkix/x509_cert_parse.h"
#include "pkix/x509_cert_validate.h"
#include "pkix/x509_sign_verify.h"
#include "debug.h"
 
//Check crypto library configuration
#if (X509_SUPPORT == ENABLED)
 
 
/**
 * @brief CRL validation
 * @param[in] crlInfo Pointer to the CRL to be verified
 * @param[in] issuerCertInfo Issuer's certificate
 * @return Error code
 **/
 
error_t x509ValidateCrl(const X509CrlInfo *crlInfo,
   const X509CertInfo *issuerCertInfo)
{
   error_t error;
   time_t currentTime;
   const X509Extensions *extensions;
 
   //Check parameters
   if(crlInfo == NULL || issuerCertInfo == NULL)
      return ERROR_INVALID_PARAMETER;
 
   //Retrieve current time
   currentTime = getCurrentUnixTime();
 
   //Any real-time clock implemented?
   if(currentTime != 0)
   {
      DateTime currentDate;
 
      //Convert Unix timestamp to date
      convertUnixTimeToDate(currentTime, &currentDate);
 
      //The thisUpdate field indicates the issue date of the CRL
      if(compareDateTime(&currentDate, &crlInfo->tbsCertList.thisUpdate) < 0)
      {
         //The CRL is not yet valid
         return ERROR_CRL_EXPIRED;
      }
 
      //The nextUpdate field indicates the date by which the next CRL will
      //be issued
      if(compareDateTime(&currentDate, &crlInfo->tbsCertList.nextUpdate) > 0)
      {
         //The CRL has expired
         return ERROR_CRL_EXPIRED;
      }
   }
 
   //Verify the issuer of the CRL
   if(!x509CompareName(crlInfo->tbsCertList.issuer.raw.value,
      crlInfo->tbsCertList.issuer.raw.length,
      issuerCertInfo->tbsCert.subject.raw.value,
      issuerCertInfo->tbsCert.subject.raw.length))
   {
      //Report an error
      return ERROR_WRONG_ISSUER;
   }
 
   //Point to the X.509 extensions of the issuer certificate
   extensions = &issuerCertInfo->tbsCert.extensions;
 
   //Check if the keyUsage extension is present
   if(extensions->keyUsage.bitmap != 0)
   {
      //If the keyUsage extension is present, then the subject public key
      //must not be used to verify signatures on CRLs unless the cRLSign bit
      //is set (refer to RFC 5280, section 4.2.1.3)
      if((extensions->keyUsage.bitmap & X509_KEY_USAGE_CRL_SIGN) == 0)
         return ERROR_BAD_CERTIFICATE;
   }
 
   //The ASN.1 DER-encoded TBSCertList is used as the input to the signature
   //function
   error = x509VerifySignature(&crlInfo->tbsCertList.raw, &crlInfo->signatureAlgo,
      &issuerCertInfo->tbsCert.subjectPublicKeyInfo, &crlInfo->signatureValue);
 
   //Return status code
   return error;
}
 
 
/**
 * @brief Check whether a certificate is revoked
 * @param[in] certInfo Pointer to the certificate to be verified
 * @param[in] crlInfo Pointer to the CRL
 * @return Error code
 **/
 
error_t x509CheckRevokedCertificate(const X509CertInfo *certInfo,
   const X509CrlInfo *crlInfo)
{
   error_t error;
   uint_t i;
   size_t n;
   size_t length;
   const uint8_t *data;
   X509CertificateIssuer issuer;
   X509RevokedCertificate revokedCert;
 
   //Initialize status code
   error = NO_ERROR;
 
   //Initialize the certificate issuer
   osMemset(&issuer, 0, sizeof(X509CertificateIssuer));
 
   //If the CertificateIssuer extension is not present on the first entry in
   //an indirect CRL, the certificate issuer defaults to the CRL issuer
   issuer.numGeneralNames = 1;
   issuer.generalNames[0].type = X509_GENERAL_NAME_TYPE_DIRECTORY;
   issuer.generalNames[0].value = (char_t *) crlInfo->tbsCertList.issuer.raw.value;
   issuer.generalNames[0].length = crlInfo->tbsCertList.issuer.raw.length;
 
   //Point to the first entry of the list
   data = crlInfo->tbsCertList.revokedCerts.value;
   length = crlInfo->tbsCertList.revokedCerts.length;
 
   //Loop through the list of revoked certificates
   while(length > 0)
   {
      //Parse current entry
      error = x509ParseRevokedCertificate(data, length, &n, &revokedCert);
      //Any error to report?
      if(error)
         break;
 
      //Indirect CRL?
      if(crlInfo->tbsCertList.crlExtensions.issuingDistrPoint.indirectCrl)
      {
         //Check whether the CertificateIssuer is present?
         if(revokedCert.crlEntryExtensions.certIssuer.numGeneralNames > 0)
         {
            //Save certificate issuer
            issuer = revokedCert.crlEntryExtensions.certIssuer;
         }
         else
         {
            //On subsequent entries in an indirect CRL, if this extension is not
            //present, the certificate issuer for the entry is the same as that
            //for the preceding entry (refer to RFC 5280, section 5.3.3)
         }
      }
 
      //Check whether the issuer of the certificate matches the current entry
      for(i = 0; i < issuer.numGeneralNames && i < X509_MAX_CRL_ISSUERS; i++)
      {
         //Distinguished name?
         if(issuer.generalNames[i].type == X509_GENERAL_NAME_TYPE_DIRECTORY)
         {
            //Compare distinguished names
            if(x509CompareName((uint8_t *) issuer.generalNames[i].value,
               issuer.generalNames[i].length, certInfo->tbsCert.issuer.raw.value,
               certInfo->tbsCert.issuer.raw.length))
            {
               break;
            }
         }
      }
 
      //Matching certificate issuer?
      if(i < issuer.numGeneralNames && i < X509_MAX_CRL_ISSUERS)
      {
         //Check the length of the serial number
         if(certInfo->tbsCert.serialNumber.length == revokedCert.userCert.length)
         {
            //Compare serial numbers
            if(osMemcmp(certInfo->tbsCert.serialNumber.value,
               revokedCert.userCert.value, revokedCert.userCert.length) == 0)
            {
               //The certificate has been revoked
               error = ERROR_CERTIFICATE_REVOKED;
               break;
            }
         }
      }
 
      //Next item
      data += n;
      length -= n;
   }
 
   //Return status code
   return error;
}
 
#endif