x509_crl_validate.c
Go to the documentation of this file.
1 /**
2  * @file x509_crl_validate.c
3  * @brief CRL validation
4  *
5  * @section License
6  *
7  * SPDX-License-Identifier: GPL-2.0-or-later
8  *
9  * Copyright (C) 2010-2019 Oryx Embedded SARL. All rights reserved.
10  *
11  * This file is part of CycloneCrypto Open.
12  *
13  * This program is free software; you can redistribute it and/or
14  * modify it under the terms of the GNU General Public License
15  * as published by the Free Software Foundation; either version 2
16  * of the License, or (at your option) any later version.
17  *
18  * This program is distributed in the hope that it will be useful,
19  * but WITHOUT ANY WARRANTY; without even the implied warranty of
20  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21  * GNU General Public License for more details.
22  *
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software Foundation,
25  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26  *
27  * @author Oryx Embedded SARL (www.oryx-embedded.com)
28  * @version 1.9.6
29  **/
30 
31 //Switch to the appropriate trace level
32 #define TRACE_LEVEL CRYPTO_TRACE_LEVEL
33 
34 //Dependencies
35 #include "core/crypto.h"
36 #include "pkix/x509_crl_parse.h"
37 #include "pkix/x509_crl_validate.h"
38 #include "pkix/x509_cert_parse.h"
40 #include "debug.h"
41 
42 //Check crypto library configuration
43 #if (X509_SUPPORT == ENABLED)
44 
45 
46 /**
47  * @brief CRL validation
48  * @param[in] crlInfo Pointer to the CRL to be verified
49  * @param[in] issuerCertInfo Issuer certificate
50  * @return Error code
51  **/
52 
54  const X509CertificateInfo *issuerCertInfo)
55 {
56  error_t error;
57  time_t currentTime;
59 
60  //Check parameters
61  if(crlInfo == NULL || issuerCertInfo == NULL)
63 
64  //Retrieve current time
65  currentTime = getCurrentUnixTime();
66 
67  //Any real-time clock implemented?
68  if(currentTime != 0)
69  {
70  DateTime currentDate;
71 
72  //Convert Unix timestamp to date
73  convertUnixTimeToDate(currentTime, &currentDate);
74 
75  //The thisUpdate field indicates the issue date of the CRL
76  if(compareDateTime(&currentDate, &crlInfo->tbsCertList.thisUpdate) < 0)
77  {
78  //The CRL is not yet valid
80  }
81 
82  //The nextUpdate field indicates the date by which the next CRL will
83  //be issued
84  if(compareDateTime(&currentDate, &crlInfo->tbsCertList.nextUpdate) > 0)
85  {
86  //The CRL has expired
88  }
89  }
90 
91  //Verify the issuer of the CRL
93  crlInfo->tbsCertList.issuer.rawDataLen,
94  issuerCertInfo->tbsCert.subject.rawData,
95  issuerCertInfo->tbsCert.subject.rawDataLen))
96  {
97  //Report an error
98  return ERROR_BAD_CERTIFICATE;
99  }
100 
101  //Point to the X.509 extensions of the issuer certificate
102  extensions = &issuerCertInfo->tbsCert.extensions;
103 
104  //Check if the keyUsage extension is present
105  if(extensions->keyUsage.bitmap != 0)
106  {
107  //If the keyUsage extension is present, then the subject public key
108  //must not be used to verify signatures on CRLs unless the cRLSign bit
109  //is set (refer to RFC 5280, section 4.2.1.3)
110  if(!(extensions->keyUsage.bitmap & X509_KEY_USAGE_CRL_SIGN))
111  return ERROR_BAD_CERTIFICATE;
112  }
113 
114  //The ASN.1 DER-encoded TBSCertList is used as the input to the signature
115  //function
116  error = x509VerifySignature(crlInfo->tbsCertList.rawData,
117  crlInfo->tbsCertList.rawDataLen, &crlInfo->signatureAlgo,
118  &issuerCertInfo->tbsCert.subjectPublicKeyInfo, &crlInfo->signatureValue);
119 
120  //Return status code
121  return error;
122 }
123 
124 
125 /**
126  * @brief Check whether a certificate is revoked
127  * @param[in] certInfo Pointer to the certificate to be verified
128  * @param[in] crlInfo Pointer to the CRL
129  * @return Error code
130  **/
131 
133  const X509CrlInfo *crlInfo)
134 {
135  error_t error;
136  uint_t i;
137  size_t n;
138  size_t length;
139  const uint8_t *data;
140  X509CertificateIssuer issuer;
141  X509RevokedCertificate revokedCert;
142 
143  //Initialize status code
144  error = NO_ERROR;
145 
146  //Initialize the certificate issuer
147  cryptoMemset(&issuer, 0, sizeof(X509CertificateIssuer));
148 
149  //If the CertificateIssuer extension is not present on the first entry in
150  //an indirect CRL, the certificate issuer defaults to the CRL issuer
151  issuer.numGeneralNames = 1;
153  issuer.generalNames[0].value = (char_t *) crlInfo->tbsCertList.issuer.rawData;
154  issuer.generalNames[0].length = crlInfo->tbsCertList.issuer.rawDataLen;
155 
156  //Point to the first entry of the list
157  data = crlInfo->tbsCertList.revokedCerts;
159 
160  //Loop through the list of revoked certificates
161  while(length > 0)
162  {
163  //Parse current entry
164  error = x509ParseRevokedCertificate(data, length, &n, &revokedCert);
165  //Any error to report?
166  if(error)
167  break;
168 
169  //Indirect CRL?
171  {
172  //Check whether the CertificateIssuer is present?
173  if(revokedCert.crlEntryExtensions.certIssuer.numGeneralNames > 0)
174  {
175  //Save certificate issuer
176  issuer = revokedCert.crlEntryExtensions.certIssuer;
177  }
178  else
179  {
180  //On subsequent entries in an indirect CRL, if this extension is not
181  //present, the certificate issuer for the entry is the same as that
182  //for the preceding entry (refer to RFC 5280, section 5.3.3)
183  }
184  }
185 
186  //Check whether the issuer of the certificate matches the current entry
187  for(i = 0; i < issuer.numGeneralNames && i < X509_MAX_CERT_ISSUER_NAMES; i++)
188  {
189  //Distinguished name?
191  {
192  //Compare distinguished names
193  if(x509CompareName((uint8_t *) issuer.generalNames[i].value,
194  issuer.generalNames[i].length, certInfo->tbsCert.issuer.rawData,
195  certInfo->tbsCert.issuer.rawDataLen))
196  {
197  break;
198  }
199  }
200  }
201 
202  //Matching certificate issuer?
203  if(i < issuer.numGeneralNames && i < X509_MAX_CERT_ISSUER_NAMES)
204  {
205  //Check the length of the serial number
206  if(certInfo->tbsCert.serialNumber.length == revokedCert.userCert.length)
207  {
208  //Compare serial numbers
209  if(!memcmp(certInfo->tbsCert.serialNumber.data,
210  revokedCert.userCert.data, revokedCert.userCert.length))
211  {
212  //The certificate has been revoked
214  break;
215  }
216  }
217  }
218 
219  //Next item
220  data += n;
221  length -= n;
222  }
223 
224  //Return status code
225  return error;
226 }
227 
228 #endif
X.509 certificate parsing.
uint8_t length
Definition: dtls_misc.h:149
X509GeneralNameType type
Definition: x509_common.h:768
X509Extensions extensions
Definition: x509_common.h:912
size_t rawDataLen
Definition: x509_common.h:571
X.509 certificate.
Definition: x509_common.h:920
void convertUnixTimeToDate(time_t t, DateTime *date)
Convert Unix timestamp to date.
Definition: date_time.c:198
CRL (Certificate Revocation List)
X509GeneralName generalNames[X509_MAX_CERT_ISSUER_NAMES]
Definition: x509_common.h:960
CRL (Certificate Revocation List)
Definition: x509_common.h:1082
error_t x509VerifySignature(const uint8_t *tbsCert, size_t tbsCertLen, const X509SignatureAlgoId *signatureAlgoId, const X509SubjectPublicKeyInfo *publicKeyInfo, const X509SignatureValue *signatureValue)
Certificate signature verification.
const uint8_t * rawData
Definition: x509_common.h:1065
bool_t x509CompareName(const uint8_t *name1, size_t nameLen1, const uint8_t *name2, size_t nameLen2)
Compare distinguished names.
Certificate issuer.
Definition: x509_common.h:954
Invalid parameter.
Definition: error.h:47
error_t
Error codes.
Definition: error.h:42
X509CrlEntryExtensions crlEntryExtensions
Definition: x509_common.h:986
General definitions for cryptographic algorithms.
X509SerialNumber serialNumber
Definition: x509_common.h:906
size_t revokedCertsLen
Definition: x509_common.h:1073
error_t x509CheckRevokedCertificate(const X509CertificateInfo *certInfo, const X509CrlInfo *crlInfo)
Check whether a certificate is revoked.
error_t x509ParseRevokedCertificate(const uint8_t *data, size_t length, size_t *totalLength, X509RevokedCertificate *revokedCertificate)
Parse RevokedCertificate field.
Date and time representation.
Definition: date_time.h:46
const uint8_t * rawData
Definition: x509_common.h:570
Revoked certificate.
Definition: x509_common.h:982
X509TbsCertList tbsCertList
Definition: x509_common.h:1084
X509CrlExtensions crlExtensions
Definition: x509_common.h:1074
#define X509_MAX_CERT_ISSUER_NAMES
Definition: x509_common.h:352
const char_t * value
Definition: x509_common.h:769
const uint8_t * data
Definition: x509_common.h:559
#define cryptoMemset(p, value, length)
Definition: crypto.h:636
char char_t
Definition: compiler_port.h:43
X509IssuingDistrPoint issuingDistrPoint
Definition: x509_common.h:1054
CRL validation.
uint8_t n
X509CertificateIssuer certIssuer
Definition: x509_common.h:974
uint8_t extensions[]
Definition: tls13_misc.h:327
X509SignatureValue signatureValue
Definition: x509_common.h:1086
const uint8_t * revokedCerts
Definition: x509_common.h:1072
DateTime thisUpdate
Definition: x509_common.h:1070
time_t getCurrentUnixTime(void)
Get current time.
Definition: date_time.c:180
X509SignatureAlgoId signatureAlgo
Definition: x509_common.h:1085
X.509 certificate validation.
X.509 certificate extensions.
Definition: x509_common.h:841
error_t x509ValidateCrl(const X509CrlInfo *crlInfo, const X509CertificateInfo *issuerCertInfo)
CRL validation.
X509SerialNumber userCert
Definition: x509_common.h:984
unsigned int uint_t
Definition: compiler_port.h:45
DateTime nextUpdate
Definition: x509_common.h:1071
uint8_t data[]
Definition: dtls_misc.h:176
X509SubjectPublicKeyInfo subjectPublicKeyInfo
Definition: x509_common.h:911
X509TbsCertificate tbsCert
Definition: x509_common.h:922
Success.
Definition: error.h:44
Debugging facilities.
int_t compareDateTime(const DateTime *date1, const DateTime *date2)
Compare dates.
Definition: date_time.c:302