Parse CRLReason a concep imported from CRL profile

Strictly speaking, the CRLReason is a concept imported from the CRL profile defined in RFC 5280 Section 5.3.1. However, this is a CRL extension that is not implemented in mbed TLS. Therefore, this patch introduces the relevant macros with revocation reasons and error return codes in x509_crt.h. Also the function x509_ocsp_get_crl_reason() to parse the CRLReason. If necessary, this code can later be migrated to x509_crl.c. The CRL reason ASN1. structure is specified in RFC 5280 Section 5.3.1 as follows: CRLReason ::= ENUMERATED { unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), -- value 7 is not used removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) }
2026-04-06 04:25:43 +02:00 · 2017-08-25 12:34:02 +01:00
parent ba6e0c534c
commit 51e6b34cdb
2 changed files with 61 additions and 0 deletions
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -35,6 +35,19 @@
 extern "C" {
 #endif

+#define MBEDTLS_ERR_X509_CRL_INVALID_CRL_REASON         -0x2B00
+
+#define MBEDTLS_X509_CRL_REASON_UNSPECIFIED                 0
+#define MBEDTLS_X509_CRL_REASON_KEY_COMPROMISE              1
+#define MBEDTLS_X509_CRL_REASON_CA_COMPROMISE               2
+#define MBEDTLS_X509_CRL_REASON_AFFILIATION_CHANGED         3
+#define MBEDTLS_X509_CRL_REASON_SUPERSEDED                  4
+#define MBEDTLS_X509_CRL_REASON_CESSATION_OF_OPERATION      5
+#define MBEDTLS_X509_CRL_REASON_CERTIFICATE_HOLD            6
+#define MBEDTLS_X509_CRL_REASON_REMOVE_FROM_CRL             8
+#define MBEDTLS_X509_CRL_REASON_PRIVILEGE_WITHDRAWN         9
+#define MBEDTLS_X509_CRL_REASON_AA_COMPROMISE               10
+
 /**
 * \addtogroup x509_module
 * \{ */
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -35,6 +35,7 @@

 #include "mbedtls/x509.h"
 #include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
 #include "mbedtls/x509_ocsp.h"
 #include "mbedtls/asn1.h"
 #include "mbedtls/md.h"
@@ -339,6 +340,53 @@ static int x509_ocsp_get_crl_reason( unsigned char **p,
                                     const unsigned char *end,
                                     uint8_t *reason )
 {
+    int ret;
+    size_t len;
+
+    /*
+     * CRLReason ::= ENUMERATED {
+     *  unspecified             (0),
+     *  keyCompromise           (1),
+     *  cACompromise            (2),
+     *  affiliationChanged      (3),
+     *  superseded              (4),
+     *  cessationOfOperation    (5),
+     *  certificateHold         (6),
+     *  removeFromCRL           (8),
+     *  privilegeWithdrawn      (9),
+     *  aACompromise            (10) }
+     */
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                                      MBEDTLS_ASN1_ENUMERATED ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( len != 1 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    *reason = *( *p )++;
+
+    /* Ensure the parsed response status is valid */
+    switch( *reason )
+    {
+        case MBEDTLS_X509_CRL_REASON_UNSPECIFIED:
+        case MBEDTLS_X509_CRL_REASON_KEY_COMPROMISE:
+        case MBEDTLS_X509_CRL_REASON_CA_COMPROMISE:
+        case MBEDTLS_X509_CRL_REASON_AFFILIATION_CHANGED:
+        case MBEDTLS_X509_CRL_REASON_SUPERSEDED:
+        case MBEDTLS_X509_CRL_REASON_CESSATION_OF_OPERATION:
+        case MBEDTLS_X509_CRL_REASON_CERTIFICATE_HOLD:
+        case MBEDTLS_X509_CRL_REASON_REMOVE_FROM_CRL:
+        case MBEDTLS_X509_CRL_REASON_PRIVILEGE_WITHDRAWN:
+        case MBEDTLS_X509_CRL_REASON_AA_COMPROMISE:
+            break;
+        default:
+            return( MBEDTLS_ERR_X509_CRL_INVALID_CRL_REASON );
+    }
+
    return( 0 );
 }