From 0c15f260f11a5c3f63a6963a9c5fb156d6c4df10 Mon Sep 17 00:00:00 2001
From: Carl Wallace
Date: Mon, 7 Mar 2022 13:45:55 -0500
Subject: [PATCH] feat(x509): add CRL type support
---
 x509/src/crl.rs | 86 ++++++++++++++++++++++++++
 x509/src/lib.rs | 1 +
 x509/tests/crl.rs | 17 +++++
 x509/tests/examples/tscpbcasha256.crl | Bin 0 -> 660 bytes
 4 files changed, 104 insertions(+)
 create mode 100644 x509/src/crl.rs
 create mode 100644 x509/tests/crl.rs
 create mode 100644 x509/tests/examples/tscpbcasha256.crl
diff --git a/x509/src/crl.rs b/x509/src/crl.rs
new file mode 100644
index 000000000..bc2538ac1
--- /dev/null
+++ b/x509/src/crl.rs
@@ -0,0 +1,86 @@
+//! Certificate Revocation List types
+
+use crate::ext::Extensions;
+use crate::name::Name;
+use crate::time::Time;
+use crate::Version;
+
+use alloc::vec::Vec;
+
+use der::asn1::{BitString, UIntBytes};
+use der::Sequence;
+use spki::AlgorithmIdentifier;
+
+/// `CertificateList` as defined in [RFC 5280 Section 5.1].
+///
+///```text
+/// CertificateList ::= SEQUENCE {
+/// tbsCertList TBSCertList,
+/// signatureAlgorithm AlgorithmIdentifier,
+/// signatureValue BIT STRING
+/// }
+/// ```
+///
+/// [RFC 5280 Section 5.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-5.1
+#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[allow(missing_docs)]
+pub struct CertificateList<'a> {
+ pub tbs_cert_list: TbsCertList<'a>,
+ pub signature_algorithm: AlgorithmIdentifier<'a>,
+ pub signature: BitString<'a>,
+}
+
+/// Implicit intermediate structure from the ASN.1 definition of `TBSCertList`.
+///
+/// This type is used for the `revoked_certificates` field of `TbsCertList`.
+/// See [RFC 5280 Section 5.1].
+///
+///```text
+/// RevokedCert ::= SEQUENCE {
+/// userCertificate CertificateSerialNumber,
+/// revocationDate Time,
+/// crlEntryExtensions Extensions OPTIONAL
+/// }
+/// ```
+///
+/// [RFC 5280 Section 5.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-5.1
+#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[allow(missing_docs)]
+pub struct RevokedCert<'a> {
+ pub serial_number: UIntBytes<'a>,
+ pub revocation_date: Time,
+ pub crl_entry_extensions: Option>,
+}
+
+/// `TbsCertList` as defined in [RFC 5280 Section 5.1].
+///
+/// ```text
+/// TBSCertList ::= SEQUENCE {
+/// version Version OPTIONAL, -- if present, MUST be v2
+/// signature AlgorithmIdentifier,
+/// issuer Name,
+/// thisUpdate Time,
+/// nextUpdate Time OPTIONAL,
+/// revokedCertificates SEQUENCE OF SEQUENCE {
+/// userCertificate CertificateSerialNumber,
+/// revocationDate Time,
+/// crlEntryExtensions Extensions OPTIONAL -- if present, version MUST be v2
+/// } OPTIONAL,
+/// crlExtensions [0] EXPLICIT Extensions OPTIONAL -- if present, version MUST be v2
+/// }
+/// ```
+///
+/// [RFC 5280 Section 5.1]: https://datatracker.ietf.org/doc/html/rfc5280#section-5.1
+#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
+#[allow(missing_docs)]
+pub struct TbsCertList<'a> {
+ pub version: Version,
+ pub signature: AlgorithmIdentifier<'a>,
+ pub issuer: Name<'a>,
+ pub this_update: Time,
+ pub next_update: Option