Add -check_crl option to certverify

2026-06-17 10:23:47 +08:00 · 2023-01-31 22:14:41 +08:00
parent b5df2121d3
commit 8397280779
6 changed files with 194 additions and 11 deletions
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1495,6 +1495,31 @@ int x509_cert_get_issuer(const uint8_t *a, size_t alen, const uint8_t **d, size_
 		NULL, NULL); // signature
 }

+int x509_cert_get_exts(const uint8_t *a, size_t alen, const uint8_t **d, size_t *dlen)
+{
+	if (x509_cert_get_details(a, alen,
+		NULL, // version
+		NULL, NULL, // serial
+		NULL, // signature_algor
+		NULL, NULL, // issuer
+		NULL, NULL, // validity
+		NULL, NULL, // subject
+		NULL, // subject_public_key
+		NULL, NULL, // issuer_unique_id
+		NULL, NULL, // subject_unique_id
+		d, dlen, // extensions
+		NULL, // signature_algor
+		NULL, NULL // signature
+		) != 1) {
+		error_print();
+		return -1;
+	}
+	if (!d || !dlen) {
+		return 0;
+	}
+	return 1;
+}
+
 int x509_certs_to_pem(const uint8_t *d, size_t dlen, FILE *fp)
 {
 	const uint8_t *a;
--- a/src/x509_crl.c
+++ b/src/x509_crl.c
@@ -1732,3 +1732,115 @@ end:
 	if (buf) free(buf);
 	return ret;
 }
+
+int x509_crl_new_from_cert(uint8_t **crl, size_t *crl_len, const uint8_t *cert, size_t certlen)
+{
+	int ret;
+	const uint8_t *exts;
+	size_t extslen;
+
+	int critical;
+	const uint8_t *val;
+	size_t vlen;
+
+	const char *uri;
+	size_t urilen;
+	int reason;
+	const uint8_t *crl_issuer;
+	size_t crl_issuer_len;
+
+	if ((ret = x509_cert_get_exts(cert, certlen, &exts, &extslen)) != 1) {
+		if (ret < 0) error_print();
+		return ret;
+	}
+	if ((ret = x509_exts_get_ext_by_oid(exts, extslen,
+		OID_ce_crl_distribution_points, &critical, &val, &vlen)) != 1) {
+		if (ret < 0) error_print();
+		return ret;
+	}
+	if (x509_uri_as_distribution_points_from_der(&uri, &urilen,
+		&reason, &crl_issuer, &crl_issuer_len, &val, &vlen) != 1
+		|| asn1_length_is_zero(vlen) != 1) {
+		error_print();
+		return -1;
+	}
+	if (!uri) {
+		*crl = NULL;
+		*crl_len = 0;
+		return 0;
+	}
+	if (x509_crl_new_from_uri(crl, crl_len, uri, urilen) != 1) {
+		error_print();
+		return -1;
+	}
+	return 1;
+}
+
+int x509_cert_check_crl(const uint8_t *cert, size_t certlen, const uint8_t *cacert, size_t cacertlen,
+	const char *ca_signer_id, size_t ca_signer_id_len)
+{
+	int ret = -1;
+	uint8_t *crl = NULL;
+	size_t crl_len = 0;
+	const uint8_t *crl_issuer;
+	size_t crl_issuer_len;
+
+	const uint8_t *issuer;
+	size_t issuer_len;
+	const uint8_t *serial;
+	size_t serial_len;
+
+	time_t revoke_date;
+	const uint8_t *crl_entry_exts;
+	size_t crl_entry_exts_len;
+
+	// download CRL and do basic validation
+	if (x509_crl_new_from_cert(&crl, &crl_len, cert, certlen) != 1) {
+		error_print();
+		return -1;
+	}
+	if (x509_crl_validate(crl, crl_len, time(NULL)) != 1) {
+		error_print();
+		goto end;
+	}
+
+	if (x509_cert_get_issuer_and_serial_number(cert, certlen, &issuer, &issuer_len, &serial, &serial_len) != 1) {
+		error_print();
+		goto end;
+	}
+
+	// make sure CRL's issuer is the certificate issuer
+	if (x509_crl_get_issuer(crl, crl_len, &crl_issuer, &crl_issuer_len) != 1) {
+		error_print();
+		goto end;
+	}
+	if (x509_name_equ(issuer, issuer_len, crl_issuer, crl_issuer_len) != 1) {
+		error_print();
+		goto end;
+	}
+
+	// verify CRL
+	if (x509_crl_verify_by_ca_cert(crl, crl_len, cacert, cacertlen, ca_signer_id, ca_signer_id_len) != 1) {
+		error_print();
+		goto end;
+	}
+
+	// check if the certificate in the CRL
+	if ((ret = x509_crl_find_revoked_cert_by_serial_number(crl, crl_len, serial, serial_len,
+		&revoke_date, &crl_entry_exts, &crl_entry_exts_len)) < 0) {
+		error_print();
+		goto end;
+	}
+	if (ret == 1) {
+		ret = -1;
+		error_print();
+		goto end;
+	}
+	ret = 1;
+
+end:
+	if (crl) free(crl);
+	return ret;
+}
+
+