Diffstat (limited to 'src/cert/x509crl')
-rw-r--r-- | src/cert/x509crl/crl_ent.h | 20 | ||||
-rw-r--r-- | src/cert/x509crl/x509_crl.cpp | 38 | ||||
-rw-r--r-- | src/cert/x509crl/x509_crl.h | 7 |
3 files changed, 65 insertions, 0 deletions
diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509crl/crl_ent.h
index b3e696a86..ae9535484 100644
--- a/src/cert/x509crl/crl_ent.h
+++ b/src/cert/x509crl/crl_ent.h
@@ -13,6 +13,26 @@ namespace Botan {
 /**
+* X.509v2 CRL Reason Code.
+*/
+enum CRL_Code {
+ UNSPECIFIED = 0,
+ KEY_COMPROMISE = 1,
+ CA_COMPROMISE = 2,
+ AFFILIATION_CHANGED = 3,
+ SUPERSEDED = 4,
+ CESSATION_OF_OPERATION = 5,
+ CERTIFICATE_HOLD = 6,
+ REMOVE_FROM_CRL = 8,
+ PRIVLEDGE_WITHDRAWN = 9,
+ AA_COMPROMISE = 10,
+
+ DELETE_CRL_ENTRY = 0xFF00,
+ OCSP_GOOD = 0xFF01,
+ OCSP_UNKNOWN = 0xFF02
+};
+
+/**
 * This class represents CRL entries
 */
 class BOTAN_DLL CRL_Entry : public ASN1_Object
diff --git a/src/cert/x509crl/x509_crl.cpp b/src/cert/x509crl/x509_crl.cpp
index 01fce4c52..9c6b891c7 100644
--- a/src/cert/x509crl/x509_crl.cpp
+++ b/src/cert/x509crl/x509_crl.cpp
@@ -7,6 +7,7 @@
 #include <botan/x509_crl.h>
 #include <botan/x509_ext.h>
+#include <botan/x509cert.h>
 #include <botan/ber_dec.h>
 #include <botan/parsing.h>
 #include <botan/bigint.h>
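Review bot: `PRIVLEDGE_WITHDRAWN = 9` misspells the reason name the standard uses (privilegeWithdrawn, RFC 5280 §5.3.1), and since this enum is public API in crl_ent.h the typo becomes hard to remove once callers depend on it; renaming to `PRIVILEGE_WITHDRAWN = 9` before it ships is cheap now. The values from 0xFF00 upward are not X.509 reason codes and appear to be Botan-internal sentinels, so a comment separating them from the wire values would help readers and anyone encoding a CRL, e.g. `/* Botan-internal values, never encoded into a CRL entry */`. The enum is unscoped, so constants such as UNSPECIFIED land directly in namespace Botan; that matches the file's style, but it is worth a line in the doc comment so later code does not add a second unscoped enum with clashing names.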
@@ -32,6 +33,43 @@ X509_CRL::X509_CRL(const std::string& in, bool touc) :
 do_decode();
 }
+/**
+* Check if this particular certificate is listed in the CRL
+*/
+bool X509_CRL::is_revoked(const X509_Certificate& cert) const
+ {
+ /*
+ If the cert wasn't issued by the CRL issuer, it's possible the cert
+ is revoked, but not by this CRL. Maybe throw an exception instead?
+ */
+ if(cert.issuer_dn() != issuer_dn())
+ return false;
+
+ MemoryVector<byte> crl_akid = authority_key_id();
+ MemoryVector<byte> cert_akid = cert.authority_key_id();
+
+ if(!crl_akid.empty() && !cert_akid.empty())
+ if(crl_akid != cert_akid)
+ return false;
+
+ MemoryVector<byte> cert_serial = cert.serial_number();
+
+ bool is_revoked = false;
+
+ for(size_t i = 0; i != revoked.size(); ++i)
+ {
+ if(cert_serial == revoked[i].serial_number())
+ {
+ if(revoked[i].reason_code() == REMOVE_FROM_CRL)
+ is_revoked = false;
+ else
+ is_revoked = true;
+ }
+ }
+
+ return is_revoked;
+ }
+
 /*
 * Decode the TBSCertList data
 */
diff --git a/src/cert/x509crl/x509_crl.h b/src/cert/x509crl/x509_crl.h
index c2b3c4f5c..55eb8424b 100644
--- a/src/cert/x509crl/x509_crl.h
+++ b/src/cert/x509crl/x509_crl.h
@@ -14,6 +14,8 @@ namespace Botan {
+class X509_Certificate;
+
 /**
 * This class represents X.509 Certificate Revocation Lists (CRLs).
 */
@@ -30,6 +32,11 @@ class BOTAN_DLL X509_CRL : public X509_Object
 };
 /**
+ * Check if this particular certificate is listed in the CRL
+ */
+ bool is_revoked(const X509_Certificate& cert) const;
+
+ /**
 * Get the entries of this CRL in the form of a vector.
 * @return vector containing the entries of this CRL.
 */ |
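Review bot: In the loop over `revoked` in is_revoked, a later entry for the same serial with reason `REMOVE_FROM_CRL` clears `is_revoked` after an earlier entry set it, so the answer depends on entry order rather than on what the CRL asserts, and removeFromCRL is only meaningful in delta CRLs (RFC 5280 §5.3.1) while nothing here checks that this is one. For a base CRL the fail-closed reading is that any listed serial is revoked, so I would make the match `if(cert_serial == revoked[i].serial_number()) return true;` and leave REMOVE_FROM_CRL handling until delta-CRL support exists. The issuer-DN mismatch returns false, which a caller cannot tell apart from "not revoked"; the inline comment already raises this, and the declaration added in the last x509_crl.h hunk should state it, e.g. `@return true if cert is listed as revoked; false also when this CRL was not issued by cert's issuer`. That doc comment should also say that this function does not verify the CRL's signature or validity period, since it only compares names, key ids and the `revoked` entries.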