From d1740672b8f9e0b5be1cd3d9f5da9ffd76c7c300 Mon Sep 17 00:00:00 2001
From: lloyd
Date: Thu, 7 Oct 2010 18:59:19 +0000
Subject: Fix CRL reason codes and updating of CRLs. Add tests for both cases.

---
 checks/check.cpp | 1 +
 checks/pk.cpp | 1 -
 checks/x509.cpp | 2 --
 src/cert/x509ca/x509_ca.cpp | 34 +++++----------------------------
 src/cert/x509cert/x509_ext.cpp | 2 ++
 src/cert/x509crl/crl_ent.cpp | 8 --------
 src/cert/x509crl/crl_ent.h | 5 -----
 7 files changed, 8 insertions(+), 45 deletions(-)

diff --git a/checks/check.cpp b/checks/check.cpp
index cacc07cb0..ca9ec84e9 100644
--- a/checks/check.cpp
+++ b/checks/check.cpp
@@ -215,6 +215,7 @@ int run_test_suite(RandomNumberGenerator& rng)
 errors += do_validation_tests(EXPECTED_FAIL_FILE, rng, false);
 errors += do_bigint_tests(BIGINT_VALIDATION_FILE, rng);
 errors += do_pk_validation_tests(PK_VALIDATION_FILE, rng);
+ do_x509_tests(rng);
 //errors += do_cvc_tests(rng);
 }
 catch(std::exception& e)
diff --git a/checks/pk.cpp b/checks/pk.cpp
index eb93cc531..f38cf97a6 100644
--- a/checks/pk.cpp
+++ b/checks/pk.cpp
@@ -916,7 +916,6 @@ u32bit do_pk_validation_tests(const std::string& filename,
 errors += do_ecdsa_tests(rng);
 errors += do_ecdh_tests(rng);
 do_pk_keygen_tests(rng);
- do_x509_tests(rng);
 
 return errors;
 }
diff --git a/checks/x509.cpp b/checks/x509.cpp
index 24d67dc1c..43d374411 100644
--- a/checks/x509.cpp
+++ b/checks/x509.cpp
@@ -220,7 +220,6 @@ void do_x509_tests(RandomNumberGenerator& rng)
 if(store.validate_cert(user2_cert) != CERT_IS_REVOKED)
 std::cout << "\nFAILED: User cert #2 was not revoked" << std::endl;
 
-#if 0
 revoked.clear();
 revoked.push_back(CRL_Entry(user1_cert, REMOVE_FROM_CRL));
 X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);
@@ -230,7 +229,6 @@ void do_x509_tests(RandomNumberGenerator& rng)
 if(store.validate_cert(user1_cert) != VERIFIED)
 std::cout << "\nFAILED: User cert #1 was not un-revoked" << std::endl;
 
-#endif
 check_against_copy(ca_key, rng);
 check_against_copy(user1_key, rng);
 
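Review bot: The result of the call added in run_test_suite is never folded into `errors`: do_x509_tests is declared `void` (visible in the checks/x509.cpp hunk header) and reports failures only by printing to std::cout, so a failing CRL or revocation test leaves the suite's error count, and therefore its exit status, unchanged. The neighbouring test entry points on the context lines each return a count that is accumulated with `errors +=`; the new call should follow that convention — have do_x509_tests count its FAILED cases and return them, and write `errors += do_x509_tests(rng);` here. The enclosing try block begins outside the hunk.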
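Review bot: The re-enabled un-revocation check in do_x509_tests observes only the X509_Store view: after `X509_CRL crl3 = ca.update_crl(crl2, revoked, rng);` nothing asserts what crl3 itself lists, which is what any relying party outside this store will see. Add a check, printing a FAILED line like the surrounding ones, that no entry of crl3.get_revoked() carries the serial number of user1_cert (and, if user2's revocation is meant to persist, that its entry is still present); whether update_crl strips the entry or only tags it REMOVE_FROM_CRL cannot be confirmed from these hunks. The lines between the two hunks are not shown, so the add_crl of crl3 is assumed to happen there.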
diff --git a/src/cert/x509ca/x509_ca.cpp b/src/cert/x509ca/x509_ca.cpp
index be7849ec4..4379488e9 100644
--- a/src/cert/x509ca/x509_ca.cpp
+++ b/src/cert/x509ca/x509_ca.cpp
@@ -1,6 +1,6 @@
 /*
 * X.509 Certificate Authority
-* (C) 1999-2008 Jack Lloyd
+* (C) 1999-2010 Jack Lloyd
 *
 * Distributed under the terms of the Botan license
 */
@@ -151,36 +151,12 @@ X509_CRL X509_CA::update_crl(const X509_CRL& crl,
 RandomNumberGenerator& rng,
 u32bit next_update) const
 {
- std::vector already_revoked = crl.get_revoked();
- std::vector all_revoked;
+ std::vector revoked = crl.get_revoked();
 
- if(!crl.check_signature(cert.subject_public_key()))
- throw Invalid_Argument("X509_CA::update_crl: Invalid CRL provided");
+ std::copy(new_revoked.begin(), new_revoked.end(),
+ std::back_inserter(revoked));
 
- std::set > removed_from_crl;
- for(u32bit j = 0; j != new_revoked.size(); ++j)
- {
- if(new_revoked[j].reason_code() == DELETE_CRL_ENTRY)
- removed_from_crl.insert(new_revoked[j].serial_number());
- else
- all_revoked.push_back(new_revoked[j]);
- }
-
- for(u32bit j = 0; j != already_revoked.size(); ++j)
- {
- std::set >::const_iterator i;
- i = removed_from_crl.find(already_revoked[j].serial_number());
-
- if(i == removed_from_crl.end())
- all_revoked.push_back(already_revoked[j]);
- }
- std::sort(all_revoked.begin(), all_revoked.end());
-
- std::vector cert_list;
- std::unique_copy(all_revoked.begin(), all_revoked.end(),
- std::back_inserter(cert_list));
-
- return make_crl(cert_list, crl.crl_number() + 1, next_update, rng);
+ return make_crl(revoked, crl.crl_number() + 1, next_update, rng);
 }
 
 /*
diff --git a/src/cert/x509cert/x509_ext.cpp b/src/cert/x509cert/x509_ext.cpp
index 8c3f66de8..616644e5c 100644
--- a/src/cert/x509cert/x509_ext.cpp
+++ b/src/cert/x509cert/x509_ext.cpp
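Review bot: The rewrite of X509_CA::update_crl drops the `crl.check_signature(cert.subject_public_key())` guard together with the reason-code handling, so the CA now re-signs, under its own key and with an incremented CRL number, the entries of any CRL handed to it — including one it never issued or one altered in transit; the removed pair `if(!crl.check_signature(cert.subject_public_key())) throw Invalid_Argument("X509_CA::update_crl: Invalid CRL provided");` should be restored ahead of the copy. The new body is also a plain append: revoking an already-listed serial again lists it twice, and an entry carrying REMOVE_FROM_CRL is emitted next to the original revocation instead of replacing it, whereas the removed sort/unique_copy and DELETE_CRL_ENTRY filtering had collapsed such pairs (the operator< on CRL_Entry deleted in this commit existed only for that). RFC 5280 (5.3.1) reserves removeFromCRL for delta CRLs, so a relying party other than X509_Store may still treat the serial as revoked; as far as these hunks show, the re-enabled test in checks/x509.cpp passes only because of how the store interprets the code. A merge keyed on serial number, sketched below, keeps the signature check, lets a later entry supersede an earlier one for the same serial, and drops serials whose newest entry is REMOVE_FROM_CRL (if DELETE_CRL_ENTRY is the sentinel the rest of the library expects, test for that code instead).
```cpp
                             u32bit next_update) const
   {
   // Refuse to extend a CRL this CA did not issue (or that was altered);
   // the previous body had this check and the rewrite dropped it
   if(!crl.check_signature(cert.subject_public_key()))
      throw Invalid_Argument("X509_CA::update_crl: Invalid CRL provided");

   std::vector<CRL_Entry> revoked = crl.get_revoked();

   for(u32bit j = 0; j != new_revoked.size(); ++j)
      {
      // A newer entry for the same serial supersedes any older one
      for(u32bit i = 0; i != revoked.size(); )
         {
         if(revoked[i].serial_number() == new_revoked[j].serial_number())
            revoked.erase(revoked.begin() + i);
         else
            ++i;
         }

      // REMOVE_FROM_CRL means "no longer revoked": do not list it in a
      // full CRL (RFC 5280 5.3.1 reserves that code for delta CRLs)
      if(new_revoked[j].reason_code() != REMOVE_FROM_CRL)
         revoked.push_back(new_revoked[j]);
      }

   return make_crl(revoked, crl.crl_number() + 1, next_update, rng);
```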
@@ -34,6 +34,7 @@ Certificate_Extension* Extensions::get_extension(const OID& oid)
 X509_EXTENSION("X509v3.SubjectAlternativeName", Subject_Alternative_Name);
 X509_EXTENSION("X509v3.CRLNumber", CRL_Number);
 X509_EXTENSION("X509v3.CertificatePolicies", Certificate_Policies);
+ X509_EXTENSION("X509v3.ReasonCode", CRL_ReasonCode);
 
 return 0;
 }
@@ -109,6 +110,7 @@ void Extensions::decode_from(BER_Decoder& from_source)
 extensions.clear();
 
 BER_Decoder sequence = from_source.start_cons(SEQUENCE);
+
 while(sequence.more_items())
 {
 OID oid;
diff --git a/src/cert/x509crl/crl_ent.cpp b/src/cert/x509crl/crl_ent.cpp
index bdc35b038..d566637f6 100644
--- a/src/cert/x509crl/crl_ent.cpp
+++ b/src/cert/x509crl/crl_ent.cpp
@@ -57,14 +57,6 @@ bool operator!=(const CRL_Entry& a1, const CRL_Entry& a2)
 return !(a1 == a2);
 }
 
-/*
-* Compare two CRL_Entrys
-*/
-bool operator<(const CRL_Entry& a1, const CRL_Entry& a2)
- {
- return (a1.expire_time().cmp(a2.expire_time()) < 0);
- }
-
 /*
 * DER encode a CRL_Entry
 */
diff --git a/src/cert/x509crl/crl_ent.h b/src/cert/x509crl/crl_ent.h
index ec90750db..b3e696a86 100644
--- a/src/cert/x509crl/crl_ent.h
+++ b/src/cert/x509crl/crl_ent.h
@@ -69,11 +69,6 @@ BOTAN_DLL bool operator==(const CRL_Entry&, const CRL_Entry&);
 */
 BOTAN_DLL bool operator!=(const CRL_Entry&, const CRL_Entry&);
 
-/**
-* Order two entries based on the revocation date.
-*/
-BOTAN_DLL bool operator<(const CRL_Entry&, const CRL_Entry&);
-
 }
 
 #endif
-- 
cgit v1.2.3
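Review bot: With "X509v3.ReasonCode" added to the get_extension table, the ReasonCode entry extension is now decoded rather than skipped, which means CRL_ReasonCode's decoder runs on data taken straight from whatever CRL is loaded, including one from an untrusted source; that decoder is not in this hunk, so it is worth confirming that it rejects an ENUMERATED value outside the known reason codes (or maps it to the unspecified code) rather than storing an arbitrary integer that later compares unequal to every expected code. A short comment on the new table line would help readers who expect only certificate extensions in this list, e.g. `// CRL entry extension (RFC 5280 5.3.1): appears in CRL entries, not in certificates`. The second hunk in this file only adds a blank line.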