author | lloyd <[email protected]> | 2010-10-07 15:32:51 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-10-07 15:32:51 +0000 |
commit | 232b855507e28ff92476d60adb08cd05564a20a6 (patch) | |
tree | eddf0e2b3abf8be44f229853e5f558852ac59564 | |
parent | a89498427ca32822fe1a273c8eb83b48da01ee1b (diff) |
Forward port CRL fixes from rev 7bb2001cd554a1acc3d345914ea710ff0e1d3a6b
-rw-r--r-- | checks/x509.cpp | 16 | ||||
-rw-r--r-- | doc/log.txt | 1 | ||||
-rw-r--r-- | src/cert/x509crl/crl_ent.cpp | 19 |
3 files changed, 29 insertions, 7 deletions
diff --git a/checks/x509.cpp b/checks/x509.cpp
index 6041d975d..24d67dc1c 100644
--- a/checks/x509.cpp
+++ b/checks/x509.cpp
@@ -206,6 +206,7 @@ void do_x509_tests(RandomNumberGenerator& rng)
 std::cout << "\nFAILED: CRL #1 did not validate" << std::endl;
 std::vector<CRL_Entry> revoked;
+ revoked.push_back(CRL_Entry(user1_cert, CESSATION_OF_OPERATION));
 revoked.push_back(user2_cert);
 X509_CRL crl2 = ca.update_crl(crl1, revoked, rng);
@@ -213,9 +214,24 @@ void do_x509_tests(RandomNumberGenerator& rng)
 if(store.add_crl(crl2) != VERIFIED)
 std::cout << "\nFAILED: CRL #2 did not validate" << std::endl;
+ if(store.validate_cert(user1_cert) != CERT_IS_REVOKED)
+ std::cout << "\nFAILED: User cert #1 was not revoked" << std::endl;
+
 if(store.validate_cert(user2_cert) != CERT_IS_REVOKED)
 std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl;
+#if 0
+ revoked.clear();
+ revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL));
+ X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);
+
+ if(store.add_crl(crl3) != VERIFIED)
+ std::cout << "\nFAILED: CRL #3 did not validate" << std::endl;
+
+ if(store.validate_cert(user1_cert) != VERIFIED)
+ std::cout << "\nFAILED: User cert #1 was not un-revoked" << std::endl;
+#endif
+
 check_against_copy(ca_key, rng);
 check_against_copy(user1_key, rng);
 check_against_copy(user2_key, rng);
diff --git a/doc/log.txt b/doc/log.txt
index 1c1baf3fe..15904cd00 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -1,6 +1,7 @@
 * 1.9.11-dev, ????-??-??
 - Fix SSL handshake failures when using RC4 ciphersuites
+ - Fix a number of CRL encoding and decoding bugs
 - Use small tables in the first round of AES
 - Add hex encoding/decoding functions that can be used without a Pipe
 - Add support for dynamic engine loading on Windows
diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509crl/crl_ent.cpp
index 807e99ac9..bdc35b038 100644
--- a/src/cert/x509crl/crl_ent.cpp
+++ b/src/cert/x509crl/crl_ent.cpp
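Review bot: The `#if 0` block at the end of the second hunk disables the REMOVE_FROM_CRL round-trip (crl3) without saying why, so a reader cannot tell whether un-revocation is unsupported by update_crl, known to fail in the store, or simply unfinished. A one-line reason on the guard would keep the dead block from rotting silently, e.g. `#if 0 // TODO: enable once REMOVE_FROM_CRL un-revocation is handled by the store`. As it stands, the only reason-code coverage this test adds is the CESSATION_OF_OPERATION entry in the first hunk, and nothing exercises a CRL that clears a previous revocation. do_x509_tests starts and ends outside both hunks.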
@@ -1,6 +1,6 @@
 /*
 * CRL Entry
-* (C) 1999-2007 Jack Lloyd
+* (C) 1999-2010 Jack Lloyd
 *
 * Distributed under the terms of the Botan license
 */
@@ -77,7 +77,9 @@ void CRL_Entry::encode_into(DER_Encoder& der) const
 der.start_cons(SEQUENCE)
 .encode(BigInt::decode(serial))
 .encode(time)
- .encode(extensions)
+ .start_cons(SEQUENCE)
+ .encode(extensions)
+ .end_cons()
 .end_cons();
 }
@@ -87,20 +89,23 @@ void CRL_Entry::encode_into(DER_Encoder& der) const
 void CRL_Entry::decode_from(BER_Decoder& source)
 {
 BigInt serial_number_bn;
+ reason = UNSPECIFIED;
+
+ BER_Decoder entry = source.start_cons(SEQUENCE);
- source.start_cons(SEQUENCE)
- .decode(serial_number_bn)
- .decode(time);
+ entry.decode(serial_number_bn).decode(time);
- if(source.more_items())
+ if(entry.more_items())
 {
 Extensions extensions(throw_on_unknown_critical);
- source.decode(extensions);
+ entry.decode(extensions);
 Data_Store info;
 extensions.contents_to(info, info);
 reason = CRL_Code(info.get1_u32bit("X509v3.CRLReasonCode"));
 }
+ entry.end_cons();
+
 serial = BigInt::encode(serial_number_bn);
 }
|
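Review bot: The new `.start_cons(SEQUENCE).encode(extensions).end_cons()` in encode_into unconditionally emits the crlEntryExtensions wrapper, but in RFC 5280 that field is OPTIONAL and `Extensions` is `SEQUENCE SIZE (1..MAX) OF Extension`, so an empty SEQUENCE here would not be valid DER for a CRL entry. Whether `extensions` can be empty is decided where it is built, above this hunk (encode_into starts outside it); if it can, the wrapper should only be written when the set is non-empty, and if it cannot, a comment such as `// crlEntryExtensions is always present: the reason code is added above` would record the invariant. Note also that the decode side in the next hunk calls `entry.decode(extensions)` with no matching start_cons, so presumably Extensions::decode_from consumes the SEQUENCE itself while Extensions::encode_into does not emit it; that asymmetry is worth a one-line comment at this call site so the next reader does not "fix" it back.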
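Review bot: The reworked decode_from still converts the result of `get1_u32bit("X509v3.CRLReasonCode")` straight into `CRL_Code` with no check that it is one of the reason codes RFC 5280 defines (0-6 and 8-10), and a CRL is untrusted input: converting an arbitrary integer to an enum without a fixed underlying type is at best unspecified, and the bogus value is then stored in `reason` and later compared and re-encoded. Reading the value into a `u32bit` first and either rejecting unknown codes with a decoding error or mapping them to `UNSPECIFIED` keeps the object in a known state. It is also worth confirming what get1_u32bit does when the key is absent: RFC 5280 permits entry extensions (e.g. invalidityDate) with no reasonCode, and if the lookup throws, such entries fail to parse even though `reason = UNSPECIFIED` was just set for exactly that case. The added `entry.end_cons()` is a good change, since it rejects trailing data inside the entry; decode_from lies entirely within this hunk.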