Update x509_certs_verify to check crl

src/tlcp.c

@@ -808,7 +808,8 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
 
 	if (conn->ctx->cacertslen) {
 		if (x509_certs_verify_tlcp(conn->peer_cert_chain, conn->peer_cert_chain_len, X509_cert_chain_server,
-			conn->ctx->cacerts, conn->ctx->cacertslen, conn->ctx->verify_depth, &verify_result) != 1) {
+			conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
+			conn->ctx->verify_depth, &verify_result) != 1) {
 			error_print();
 			tls_send_alert(conn, TLS_alert_bad_certificate);
 			return -1;

src/tls12.c

@@ -1285,7 +1285,8 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 	// verify server Certificate
 	if (conn->ctx->cacertslen) {
 		if (x509_certs_verify(conn->peer_cert_chain, conn->peer_cert_chain_len, X509_cert_chain_server,
-			conn->ctx->cacerts, conn->ctx->cacertslen, conn->ctx->verify_depth, &verify_result) != 1) {
+			conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
+			conn->ctx->verify_depth, &verify_result) != 1) {
 			error_print();
 			conn->verify_result = verify_result;
 			tls_send_alert(conn, TLS_alert_bad_certificate);
@@ -2584,7 +2585,8 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
 		return -1;
 	}
 	if (x509_certs_verify(conn->client_certs, conn->client_certs_len, X509_cert_chain_client,
-		conn->ctx->cacerts, conn->ctx->cacertslen, verify_depth, &verify_result) != 1) {
+		conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
+		verify_depth, &verify_result) != 1) {
 		error_print();
 		tls_send_alert(conn, TLS_alert_bad_certificate);
 		return -1;

src/tls13.c

@@ -6261,6 +6261,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn)
 	if (x509_certs_verify(
 		conn->peer_cert_chain, conn->peer_cert_chain_len, X509_cert_chain_server,
 		conn->ctx->cacerts, conn->ctx->cacertslen,
+		NULL, 0,
 		conn->ctx->verify_depth, &verify_result) != 1) {
 		error_print();
 		tls13_send_alert(conn, TLS_alert_bad_certificate);
@@ -8619,6 +8620,7 @@ int tls13_recv_client_certificate(TLS_CONNECT *conn)
 	// verify client cert_chain
 	if (x509_certs_verify(conn->peer_cert_chain, conn->peer_cert_chain_len, X509_cert_chain_client,
 		conn->ctx->cacerts, conn->ctx->cacertslen,
+		NULL, 0,
 		conn->ctx->verify_depth, &verify_result) != 1) {
 		error_print();
 		tls13_send_alert(conn, TLS_alert_bad_certificate);

src/x509_cer.c

@@ -23,6 +23,7 @@
 #include <gmssl/x509_alg.h>
 #include <gmssl/x509_ext.h>
 #include <gmssl/x509.h>
+#include <gmssl/x509_crl.h>
 #include <gmssl/error.h>
 
 
@@ -1892,9 +1893,46 @@ int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type)
 }
 
 // 这个函数应该打印到底是哪个证书验证出错了
+
+static int x509_cert_check_optional_crl(const uint8_t *cert, size_t certlen,
+	const uint8_t *crl, size_t crl_len)
+{
+	const uint8_t *issuer;
+	size_t issuer_len;
+	const uint8_t *crl_issuer;
+	size_t crl_issuer_len;
+	int ret;
+
+	if (!crl && crl_len == 0) {
+		return 0;
+	}
+	if (!cert || !certlen || !crl || !crl_len) {
+		error_print();
+		return -1;
+	}
+	if (x509_cert_get_issuer(cert, certlen, &issuer, &issuer_len) != 1
+		|| x509_crl_get_issuer(crl, crl_len, &crl_issuer, &crl_issuer_len) != 1) {
+		error_print();
+		return -1;
+	}
+	if ((ret = x509_name_equ(issuer, issuer_len, crl_issuer, crl_issuer_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	if (ret == 0) {
+		return 0;
+	}
+	if ((ret = x509_cert_is_revoked_by_crl(cert, certlen, crl, crl_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	return ret;
+}
 				
 int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
-	const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result)
+	const uint8_t *rootcerts, size_t rootcertslen,
+	const uint8_t *crl, size_t crl_len,
+	int depth, int *verify_result)
 {
 	int entity_cert_type;
 	const uint8_t *cert_chain = certs;
@@ -1929,6 +1967,14 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 		x509_cert_print(stderr, 0, 10, "Invalid Entity Certificate", cert, certlen);
 		return -1;
 	}
+	if ((ret = x509_cert_check_optional_crl(cert, certlen, crl, crl_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	if (ret == 1) {
+		error_print();
+		return 0;
+	}
 
 	while (certslen) {
 
@@ -1941,6 +1987,14 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 			x509_cert_print(stderr, 0, 10, "Invalid CA Certificate", cacert, cacertlen);
 			return -1;
 		}
+		if ((ret = x509_cert_check_optional_crl(cacert, cacertlen, crl, crl_len)) < 0) {
+			error_print();
+			return -1;
+		}
+		if (ret == 1) {
+			error_print();
+			return 0;
+		}
 
 		if (path_len > depth) {
 			error_print();
@@ -1997,7 +2051,9 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 }
 
 int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type,
-	const uint8_t *rootcerts, size_t rootcertslen, int depth, int *verify_result)
+	const uint8_t *rootcerts, size_t rootcertslen,
+	const uint8_t *crl, size_t crl_len,
+	int depth, int *verify_result)
 {
 	int sign_cert_type;
 	int kenc_cert_type;
@@ -2035,6 +2091,14 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		error_print();
 		return -1;
 	}
+	if ((ret = x509_cert_check_optional_crl(cert, certlen, crl, crl_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	if (ret == 1) {
+		error_print();
+		return 0;
+	}
 
 	// entity key encipherment cert
 	if (x509_cert_from_der(&kenc_cert, &kenc_certlen, &certs, &certslen) != 1) {
@@ -2045,6 +2109,14 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		error_print();
 		return -1;
 	}
+	if ((ret = x509_cert_check_optional_crl(kenc_cert, kenc_certlen, crl, crl_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	if (ret == 1) {
+		error_print();
+		return 0;
+	}
 	if ((ret = x509_tlcp_cert_pair_entity_match(cert, certlen,
 		kenc_cert, kenc_certlen)) < 0) {
 		error_print();
@@ -2065,6 +2137,14 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 			error_print();
 			return -1;
 		}
+		if ((ret = x509_cert_check_optional_crl(cacert, cacertlen, crl, crl_len)) < 0) {
+			error_print();
+			return -1;
+		}
+		if (ret == 1) {
+			error_print();
+			return 0;
+		}
 
 		if (path_len == 0) {
 			// verify entity key encipherment cert

src/x509_vrf.c

@@ -10,12 +10,14 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <time.h>
 #include <stdint.h>
 #include <gmssl/asn1.h>
 #include <gmssl/endian.h>
 #include <gmssl/oid.h>
 #include <gmssl/x509_ext.h>
 #include <gmssl/x509_cer.h>
+#include <gmssl/x509_crl.h>
 #include <gmssl/error.h>
 
 
@@ -2571,3 +2573,45 @@ int x509_tlcp_cert_pair_entity_match(const uint8_t *sign_cert, size_t sign_certl
 	match = 1;
 	return match;
 }
+
+int x509_cert_is_revoked_by_crl(const uint8_t *cert, size_t certlen,
+	const uint8_t *crl, size_t crl_len)
+{
+	const uint8_t *issuer;
+	size_t issuer_len;
+	const uint8_t *serial;
+	size_t serial_len;
+	const uint8_t *crl_issuer;
+	size_t crl_issuer_len;
+	time_t revoke_date;
+	const uint8_t *crl_entry_exts;
+	size_t crl_entry_exts_len;
+	int ret;
+
+	if (!cert || !certlen || !crl || !crl_len) {
+		error_print();
+		return -1;
+	}
+	if (x509_cert_get_issuer_and_serial_number(cert, certlen,
+			&issuer, &issuer_len, &serial, &serial_len) != 1
+		|| x509_crl_get_issuer(crl, crl_len, &crl_issuer, &crl_issuer_len) != 1) {
+		error_print();
+		return -1;
+	}
+	if ((ret = x509_name_equ(issuer, issuer_len, crl_issuer, crl_issuer_len)) != 1) {
+		if (ret < 0) error_print();
+		else error_print();
+		return -1;
+	}
+	if (x509_crl_check(crl, crl_len, time(NULL)) != 1) {
+		error_print();
+		return -1;
+	}
+	if ((ret = x509_crl_find_revoked_cert_by_serial_number(crl, crl_len,
+			serial, serial_len, &revoke_date,
+			&crl_entry_exts, &crl_entry_exts_len)) < 0) {
+		error_print();
+		return -1;
+	}
+	return ret;
+}