From 51e6b34cdb59063277a084e9c380f17c1502cf9d Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Fri, 25 Aug 2017 12:34:02 +0100
Subject: [PATCH] Parse CRLReason a concep imported from CRL profile
Strictly speaking, the CRLReason is a concept imported from the CRL profile defined in RFC 5280 Section 5.3.1. However, this is a CRL extension that is not implemented in mbed TLS. Therefore, this patch introduces the relevant macros with revocation reasons and error return codes in x509_crt.h. Also the function x509_ocsp_get_crl_reason() to parse the CRLReason. If necessary, this code can later be migrated to x509_crl.c. The CRL reason ASN1. structure is specified in RFC 5280 Section 5.3.1 as follows: CRLReason ::= ENUMERATED { unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), -- value 7 is not used removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) }
---
 include/mbedtls/x509_crl.h | 13 +++++++++++
 library/x509_ocsp.c | 48 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h
index 7988439900..18ad775e15 100644
--- a/include/mbedtls/x509_crl.h
+++ b/include/mbedtls/x509_crl.h
@@ -35,6 +35,19 @@
 extern "C" {
 #endif
+#define MBEDTLS_ERR_X509_CRL_INVALID_CRL_REASON -0x2B00
+
+#define MBEDTLS_X509_CRL_REASON_UNSPECIFIED 0
+#define MBEDTLS_X509_CRL_REASON_KEY_COMPROMISE 1
+#define MBEDTLS_X509_CRL_REASON_CA_COMPROMISE 2
+#define MBEDTLS_X509_CRL_REASON_AFFILIATION_CHANGED 3
+#define MBEDTLS_X509_CRL_REASON_SUPERSEDED 4
+#define MBEDTLS_X509_CRL_REASON_CESSATION_OF_OPERATION 5
+#define MBEDTLS_X509_CRL_REASON_CERTIFICATE_HOLD 6
+#define MBEDTLS_X509_CRL_REASON_REMOVE_FROM_CRL 8
+#define MBEDTLS_X509_CRL_REASON_PRIVILEGE_WITHDRAWN 9
+#define MBEDTLS_X509_CRL_REASON_AA_COMPROMISE 10
+
 /**
 * \addtogroup x509_module
 * \{ */
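Review bot: The new `MBEDTLS_ERR_X509_CRL_INVALID_CRL_REASON` define has no trailing description and the ten reason macros have no comment, so neither the meaning of the error nor the deliberate gap at 7 is recorded in the header; the block also sits above the `\addtogroup x509_module` comment, outside the documented group. I would add `/**< The CRLReason value is not one defined in RFC 5280 Section 5.3.1. */` after the error code and a one-line comment over the list such as `/* CRLReason values (RFC 5280 Section 5.3.1); 7 is not assigned. */`. The commit description names x509_crt.h as the home of these macros, while this hunk adds them to x509_crl.h.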
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 8c554e57b9..899f3b4697 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -35,6 +35,7 @@
 #include "mbedtls/x509.h"
 #include "mbedtls/x509_crt.h"
+#include "mbedtls/x509_crl.h"
 #include "mbedtls/x509_ocsp.h"
 #include "mbedtls/asn1.h"
 #include "mbedtls/md.h"
@@ -339,6 +340,53 @@
 static int x509_ocsp_get_crl_reason( unsigned char **p,
 const unsigned char *end, uint8_t *reason )
 {
+ int ret;
+ size_t len;
+
+ /*
+ * CRLReason ::= ENUMERATED {
+ * unspecified (0),
+ * keyCompromise (1),
+ * cACompromise (2),
+ * affiliationChanged (3),
+ * superseded (4),
+ * cessationOfOperation (5),
+ * certificateHold (6),
+ * removeFromCRL (8),
+ * privilegeWithdrawn (9),
+ * aACompromise (10) }
+ */
+
+ if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+ MBEDTLS_ASN1_ENUMERATED ) ) != 0 )
+ {
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ }
+
+ if( len != 1 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+ *reason = *( *p )++;
+
+ /* Ensure the parsed response status is valid */
+ switch( *reason )
+ {
+ case MBEDTLS_X509_CRL_REASON_UNSPECIFIED:
+ case MBEDTLS_X509_CRL_REASON_KEY_COMPROMISE:
+ case MBEDTLS_X509_CRL_REASON_CA_COMPROMISE:
+ case MBEDTLS_X509_CRL_REASON_AFFILIATION_CHANGED:
+ case MBEDTLS_X509_CRL_REASON_SUPERSEDED:
+ case MBEDTLS_X509_CRL_REASON_CESSATION_OF_OPERATION:
+ case MBEDTLS_X509_CRL_REASON_CERTIFICATE_HOLD:
+ case MBEDTLS_X509_CRL_REASON_REMOVE_FROM_CRL:
+ case MBEDTLS_X509_CRL_REASON_PRIVILEGE_WITHDRAWN:
+ case MBEDTLS_X509_CRL_REASON_AA_COMPROMISE:
+ break;
+ default:
+ return( MBEDTLS_ERR_X509_CRL_INVALID_CRL_REASON );
+ }
+
 return( 0 );
 }
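Review bot: In x509_ocsp_get_crl_reason() the byte is stored through `reason` and `*p` is advanced before the switch validates it, so on the `default:` path the caller's output already holds an undefined CRLReason (7, or anything above 10) alongside the error code. Reading into a local `uint8_t value` declared with the other locals keeps the out-parameter untouched on failure: `value = **p;`, `switch( value )`, and after the switch `*reason = value; ( *p )++;`. The one-byte read itself relies on mbedtls_asn1_get_tag() having checked `len` against `end`, which is not visible in this hunk. The comment above the switch still says "response status"; it should read `/* Ensure the parsed CRLReason is one of the defined values */`.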