1 /* $OpenBSD: x_crl.c,v 1.45 2024/07/08 14:48:49 beck Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 61 #include <openssl/opensslconf.h> 62 63 #include <openssl/asn1t.h> 64 #include <openssl/err.h> 65 #include <openssl/x509.h> 66 #include <openssl/x509v3.h> 67 68 #include "asn1_local.h" 69 #include "x509_local.h" 70 71 static int X509_REVOKED_cmp(const X509_REVOKED * const *a, 72 const X509_REVOKED * const *b); 73 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp); 74 75 static const ASN1_TEMPLATE X509_REVOKED_seq_tt[] = { 76 { 77 .offset = offsetof(X509_REVOKED, serialNumber), 78 .field_name = "serialNumber", 79 .item = &ASN1_INTEGER_it, 80 }, 81 { 82 .offset = offsetof(X509_REVOKED, revocationDate), 83 .field_name = "revocationDate", 84 .item = &ASN1_TIME_it, 85 }, 86 { 87 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 88 .offset = offsetof(X509_REVOKED, extensions), 89 .field_name = "extensions", 90 .item = &X509_EXTENSION_it, 91 }, 92 }; 93 94 const ASN1_ITEM X509_REVOKED_it = { 95 .itype = ASN1_ITYPE_SEQUENCE, 96 .utype = V_ASN1_SEQUENCE, 97 .templates = X509_REVOKED_seq_tt, 98 .tcount = sizeof(X509_REVOKED_seq_tt) / sizeof(ASN1_TEMPLATE), 99 .size = sizeof(X509_REVOKED), 100 .sname = "X509_REVOKED", 101 }; 102 LCRYPTO_ALIAS(X509_REVOKED_it); 103 104 /* The X509_CRL_INFO structure needs a bit of customisation. 105 * Since we cache the original encoding the signature wont be affected by 106 * reordering of the revoked field. 107 */ 108 static int 109 crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) 110 { 111 X509_CRL_INFO *a = (X509_CRL_INFO *)*pval; 112 113 if (!a || !a->revoked) 114 return 1; 115 switch (operation) { 116 /* Just set cmp function here. We don't sort because that 117 * would affect the output of X509_CRL_print(). 118 */ 119 case ASN1_OP_D2I_POST: 120 (void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp); 121 break; 122 } 123 return 1; 124 } 125 126 127 static const ASN1_AUX X509_CRL_INFO_aux = { 128 .flags = ASN1_AFLG_ENCODING, 129 .asn1_cb = crl_inf_cb, 130 .enc_offset = offsetof(X509_CRL_INFO, enc), 131 }; 132 static const ASN1_TEMPLATE X509_CRL_INFO_seq_tt[] = { 133 { 134 .flags = ASN1_TFLG_OPTIONAL, 135 .offset = offsetof(X509_CRL_INFO, version), 136 .field_name = "version", 137 .item = &ASN1_INTEGER_it, 138 }, 139 { 140 .offset = offsetof(X509_CRL_INFO, sig_alg), 141 .field_name = "sig_alg", 142 .item = &X509_ALGOR_it, 143 }, 144 { 145 .offset = offsetof(X509_CRL_INFO, issuer), 146 .field_name = "issuer", 147 .item = &X509_NAME_it, 148 }, 149 { 150 .offset = offsetof(X509_CRL_INFO, lastUpdate), 151 .field_name = "lastUpdate", 152 .item = &ASN1_TIME_it, 153 }, 154 { 155 .flags = ASN1_TFLG_OPTIONAL, 156 .offset = offsetof(X509_CRL_INFO, nextUpdate), 157 .field_name = "nextUpdate", 158 .item = &ASN1_TIME_it, 159 }, 160 { 161 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 162 .offset = offsetof(X509_CRL_INFO, revoked), 163 .field_name = "revoked", 164 .item = &X509_REVOKED_it, 165 }, 166 { 167 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 168 .offset = offsetof(X509_CRL_INFO, extensions), 169 .field_name = "extensions", 170 .item = &X509_EXTENSION_it, 171 }, 172 }; 173 174 const ASN1_ITEM X509_CRL_INFO_it = { 175 .itype = ASN1_ITYPE_SEQUENCE, 176 .utype = V_ASN1_SEQUENCE, 177 .templates = X509_CRL_INFO_seq_tt, 178 .tcount = sizeof(X509_CRL_INFO_seq_tt) / sizeof(ASN1_TEMPLATE), 179 .funcs = &X509_CRL_INFO_aux, 180 .size = sizeof(X509_CRL_INFO), 181 .sname = "X509_CRL_INFO", 182 }; 183 LCRYPTO_ALIAS(X509_CRL_INFO_it); 184 185 /* Set CRL entry issuer according to CRL certificate issuer extension. 186 * Check for unhandled critical CRL entry extensions. 187 */ 188 189 static int 190 crl_set_issuers(X509_CRL *crl) 191 { 192 int i, j; 193 GENERAL_NAMES *gens, *gtmp; 194 STACK_OF(X509_REVOKED) *revoked; 195 196 revoked = X509_CRL_get_REVOKED(crl); 197 198 gens = NULL; 199 for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) { 200 X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i); 201 STACK_OF(X509_EXTENSION) *exts; 202 ASN1_ENUMERATED *reason; 203 X509_EXTENSION *ext; 204 gtmp = X509_REVOKED_get_ext_d2i(rev, NID_certificate_issuer, 205 &j, NULL); 206 if (!gtmp && (j != -1)) { 207 crl->flags |= EXFLAG_INVALID; 208 return 1; 209 } 210 211 if (gtmp) { 212 gens = gtmp; 213 if (!crl->issuers) { 214 crl->issuers = sk_GENERAL_NAMES_new_null(); 215 if (!crl->issuers) 216 return 0; 217 } 218 if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) 219 return 0; 220 } 221 rev->issuer = gens; 222 223 reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, 224 &j, NULL); 225 if (!reason && (j != -1)) { 226 crl->flags |= EXFLAG_INVALID; 227 return 1; 228 } 229 230 if (reason) { 231 rev->reason = ASN1_ENUMERATED_get(reason); 232 ASN1_ENUMERATED_free(reason); 233 } else 234 rev->reason = CRL_REASON_NONE; 235 236 /* Check for critical CRL entry extensions */ 237 238 exts = rev->extensions; 239 240 for (j = 0; j < sk_X509_EXTENSION_num(exts); j++) { 241 ext = sk_X509_EXTENSION_value(exts, j); 242 if (ext->critical > 0) { 243 if (OBJ_obj2nid(ext->object) == 244 NID_certificate_issuer) 245 continue; 246 crl->flags |= EXFLAG_CRITICAL; 247 break; 248 } 249 } 250 } 251 252 return 1; 253 } 254 255 /* The X509_CRL structure needs a bit of customisation. Cache some extensions 256 * and hash of the whole CRL. 257 */ 258 static int 259 crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) 260 { 261 X509_CRL *crl = (X509_CRL *)*pval; 262 STACK_OF(X509_EXTENSION) *exts; 263 X509_EXTENSION *ext; 264 int idx; 265 int rc = 1; 266 267 switch (operation) { 268 case ASN1_OP_NEW_POST: 269 crl->idp = NULL; 270 crl->akid = NULL; 271 crl->flags = 0; 272 crl->idp_flags = 0; 273 crl->idp_reasons = CRLDP_ALL_REASONS; 274 crl->issuers = NULL; 275 crl->crl_number = NULL; 276 crl->base_crl_number = NULL; 277 break; 278 279 case ASN1_OP_D2I_POST: 280 X509_CRL_digest(crl, X509_CRL_HASH_EVP, crl->hash, NULL); 281 crl->idp = X509_CRL_get_ext_d2i(crl, 282 NID_issuing_distribution_point, NULL, NULL); 283 if (crl->idp) 284 setup_idp(crl, crl->idp); 285 286 crl->akid = X509_CRL_get_ext_d2i(crl, 287 NID_authority_key_identifier, NULL, NULL); 288 289 crl->crl_number = X509_CRL_get_ext_d2i(crl, 290 NID_crl_number, NULL, NULL); 291 292 crl->base_crl_number = X509_CRL_get_ext_d2i(crl, 293 NID_delta_crl, NULL, NULL); 294 /* Delta CRLs must have CRL number */ 295 if (crl->base_crl_number && !crl->crl_number) 296 crl->flags |= EXFLAG_INVALID; 297 298 /* See if we have any unhandled critical CRL extensions and 299 * indicate this in a flag. We only currently handle IDP, 300 * AKID and deltas, so anything else critical sets the flag. 301 * 302 * This code accesses the X509_CRL structure directly: 303 * applications shouldn't do this. 304 */ 305 306 exts = crl->crl->extensions; 307 308 for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { 309 int nid; 310 ext = sk_X509_EXTENSION_value(exts, idx); 311 nid = OBJ_obj2nid(ext->object); 312 if (nid == NID_freshest_crl) 313 crl->flags |= EXFLAG_FRESHEST; 314 if (ext->critical > 0) { 315 /* We handle IDP, AKID and deltas */ 316 if (nid == NID_issuing_distribution_point || 317 nid == NID_authority_key_identifier || 318 nid == NID_delta_crl) 319 break; 320 crl->flags |= EXFLAG_CRITICAL; 321 break; 322 } 323 } 324 325 if (!crl_set_issuers(crl)) 326 return 0; 327 break; 328 329 case ASN1_OP_FREE_POST: 330 if (crl->akid) 331 AUTHORITY_KEYID_free(crl->akid); 332 if (crl->idp) 333 ISSUING_DIST_POINT_free(crl->idp); 334 ASN1_INTEGER_free(crl->crl_number); 335 ASN1_INTEGER_free(crl->base_crl_number); 336 sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); 337 break; 338 } 339 return rc; 340 } 341 342 /* Convert IDP into a more convenient form */ 343 344 static void 345 setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) 346 { 347 int idp_only = 0; 348 349 /* Set various flags according to IDP */ 350 crl->idp_flags |= IDP_PRESENT; 351 if (idp->onlyuser > 0) { 352 idp_only++; 353 crl->idp_flags |= IDP_ONLYUSER; 354 } 355 if (idp->onlyCA > 0) { 356 idp_only++; 357 crl->idp_flags |= IDP_ONLYCA; 358 } 359 if (idp->onlyattr > 0) { 360 idp_only++; 361 crl->idp_flags |= IDP_ONLYATTR; 362 } 363 364 if (idp_only > 1) 365 crl->idp_flags |= IDP_INVALID; 366 367 if (idp->indirectCRL > 0) 368 crl->idp_flags |= IDP_INDIRECT; 369 370 if (idp->onlysomereasons) { 371 crl->idp_flags |= IDP_REASONS; 372 if (idp->onlysomereasons->length > 0) 373 crl->idp_reasons = idp->onlysomereasons->data[0]; 374 if (idp->onlysomereasons->length > 1) 375 crl->idp_reasons |= 376 (idp->onlysomereasons->data[1] << 8); 377 crl->idp_reasons &= CRLDP_ALL_REASONS; 378 } 379 380 DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); 381 } 382 383 static const ASN1_AUX X509_CRL_aux = { 384 .app_data = NULL, 385 .flags = ASN1_AFLG_REFCOUNT, 386 .ref_offset = offsetof(X509_CRL, references), 387 .ref_lock = CRYPTO_LOCK_X509_CRL, 388 .asn1_cb = crl_cb, 389 }; 390 static const ASN1_TEMPLATE X509_CRL_seq_tt[] = { 391 { 392 .offset = offsetof(X509_CRL, crl), 393 .field_name = "crl", 394 .item = &X509_CRL_INFO_it, 395 }, 396 { 397 .offset = offsetof(X509_CRL, sig_alg), 398 .field_name = "sig_alg", 399 .item = &X509_ALGOR_it, 400 }, 401 { 402 .offset = offsetof(X509_CRL, signature), 403 .field_name = "signature", 404 .item = &ASN1_BIT_STRING_it, 405 }, 406 }; 407 408 const ASN1_ITEM X509_CRL_it = { 409 .itype = ASN1_ITYPE_SEQUENCE, 410 .utype = V_ASN1_SEQUENCE, 411 .templates = X509_CRL_seq_tt, 412 .tcount = sizeof(X509_CRL_seq_tt) / sizeof(ASN1_TEMPLATE), 413 .funcs = &X509_CRL_aux, 414 .size = sizeof(X509_CRL), 415 .sname = "X509_CRL", 416 }; 417 LCRYPTO_ALIAS(X509_CRL_it); 418 419 420 X509_REVOKED * 421 d2i_X509_REVOKED(X509_REVOKED **a, const unsigned char **in, long len) 422 { 423 return (X509_REVOKED *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 424 &X509_REVOKED_it); 425 } 426 LCRYPTO_ALIAS(d2i_X509_REVOKED); 427 428 int 429 i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **out) 430 { 431 return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_REVOKED_it); 432 } 433 LCRYPTO_ALIAS(i2d_X509_REVOKED); 434 435 X509_REVOKED * 436 X509_REVOKED_new(void) 437 { 438 return (X509_REVOKED *)ASN1_item_new(&X509_REVOKED_it); 439 } 440 LCRYPTO_ALIAS(X509_REVOKED_new); 441 442 void 443 X509_REVOKED_free(X509_REVOKED *a) 444 { 445 ASN1_item_free((ASN1_VALUE *)a, &X509_REVOKED_it); 446 } 447 LCRYPTO_ALIAS(X509_REVOKED_free); 448 449 X509_REVOKED * 450 X509_REVOKED_dup(X509_REVOKED *a) 451 { 452 return ASN1_item_dup(&X509_REVOKED_it, a); 453 } 454 LCRYPTO_ALIAS(X509_REVOKED_dup); 455 456 X509_CRL_INFO * 457 d2i_X509_CRL_INFO(X509_CRL_INFO **a, const unsigned char **in, long len) 458 { 459 return (X509_CRL_INFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 460 &X509_CRL_INFO_it); 461 } 462 LCRYPTO_ALIAS(d2i_X509_CRL_INFO); 463 464 int 465 i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **out) 466 { 467 return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_CRL_INFO_it); 468 } 469 LCRYPTO_ALIAS(i2d_X509_CRL_INFO); 470 471 X509_CRL_INFO * 472 X509_CRL_INFO_new(void) 473 { 474 return (X509_CRL_INFO *)ASN1_item_new(&X509_CRL_INFO_it); 475 } 476 LCRYPTO_ALIAS(X509_CRL_INFO_new); 477 478 void 479 X509_CRL_INFO_free(X509_CRL_INFO *a) 480 { 481 ASN1_item_free((ASN1_VALUE *)a, &X509_CRL_INFO_it); 482 } 483 LCRYPTO_ALIAS(X509_CRL_INFO_free); 484 485 X509_CRL * 486 d2i_X509_CRL(X509_CRL **a, const unsigned char **in, long len) 487 { 488 return (X509_CRL *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, 489 &X509_CRL_it); 490 } 491 LCRYPTO_ALIAS(d2i_X509_CRL); 492 493 int 494 i2d_X509_CRL(X509_CRL *a, unsigned char **out) 495 { 496 return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_CRL_it); 497 } 498 LCRYPTO_ALIAS(i2d_X509_CRL); 499 500 X509_CRL * 501 X509_CRL_new(void) 502 { 503 return (X509_CRL *)ASN1_item_new(&X509_CRL_it); 504 } 505 LCRYPTO_ALIAS(X509_CRL_new); 506 507 void 508 X509_CRL_free(X509_CRL *a) 509 { 510 ASN1_item_free((ASN1_VALUE *)a, &X509_CRL_it); 511 } 512 LCRYPTO_ALIAS(X509_CRL_free); 513 514 X509_CRL * 515 X509_CRL_dup(X509_CRL *x) 516 { 517 return ASN1_item_dup(&X509_CRL_it, x); 518 } 519 LCRYPTO_ALIAS(X509_CRL_dup); 520 521 static int 522 X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b) 523 { 524 return(ASN1_INTEGER_cmp((*a)->serialNumber, (*b)->serialNumber)); 525 } 526 527 int 528 X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) 529 { 530 X509_CRL_INFO *inf; 531 532 inf = crl->crl; 533 if (!inf->revoked) 534 inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp); 535 if (!inf->revoked || !sk_X509_REVOKED_push(inf->revoked, rev)) { 536 ASN1error(ERR_R_MALLOC_FAILURE); 537 return 0; 538 } 539 inf->enc.modified = 1; 540 return 1; 541 } 542 LCRYPTO_ALIAS(X509_CRL_add0_revoked); 543 544 int 545 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey) 546 { 547 return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature, 548 crl->crl, pkey); 549 } 550 LCRYPTO_ALIAS(X509_CRL_verify); 551 552 static int 553 crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, X509_REVOKED *rev) 554 { 555 int i; 556 557 if (!rev->issuer) { 558 if (!nm) 559 return 1; 560 if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) 561 return 1; 562 return 0; 563 } 564 565 if (!nm) 566 nm = X509_CRL_get_issuer(crl); 567 568 for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++) { 569 GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i); 570 if (gen->type != GEN_DIRNAME) 571 continue; 572 if (!X509_NAME_cmp(nm, gen->d.directoryName)) 573 return 1; 574 } 575 return 0; 576 577 } 578 579 static int 580 crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, 581 X509_NAME *issuer) 582 { 583 X509_REVOKED rtmp, *rev; 584 int idx; 585 586 rtmp.serialNumber = serial; 587 if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) { 588 CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL); 589 sk_X509_REVOKED_sort(crl->crl->revoked); 590 CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL); 591 } 592 idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); 593 if (idx < 0) 594 return 0; 595 /* Need to look for matching name */ 596 for (; idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++) { 597 rev = sk_X509_REVOKED_value(crl->crl->revoked, idx); 598 if (ASN1_INTEGER_cmp(rev->serialNumber, serial)) 599 return 0; 600 if (crl_revoked_issuer_match(crl, issuer, rev)) { 601 if (ret) 602 *ret = rev; 603 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) 604 return 2; 605 return 1; 606 } 607 } 608 return 0; 609 } 610 611 int 612 X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, 613 ASN1_INTEGER *serial) 614 { 615 return crl_lookup(crl, ret, serial, NULL); 616 } 617 LCRYPTO_ALIAS(X509_CRL_get0_by_serial); 618 619 int 620 X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) 621 { 622 return crl_lookup(crl, ret, X509_get_serialNumber(x), 623 X509_get_issuer_name(x)); 624 } 625 LCRYPTO_ALIAS(X509_CRL_get0_by_cert); 626 627 int 628 X509_CRL_get_signature_nid(const X509_CRL *crl) 629 { 630 return OBJ_obj2nid(crl->sig_alg->algorithm); 631 } 632 LCRYPTO_ALIAS(X509_CRL_get_signature_nid); 633 634 const STACK_OF(X509_EXTENSION) * 635 X509_CRL_get0_extensions(const X509_CRL *crl) 636 { 637 return crl->crl->extensions; 638 } 639 LCRYPTO_ALIAS(X509_CRL_get0_extensions); 640 641 long 642 X509_CRL_get_version(const X509_CRL *crl) 643 { 644 return ASN1_INTEGER_get(crl->crl->version); 645 } 646 LCRYPTO_ALIAS(X509_CRL_get_version); 647 648 const ASN1_TIME * 649 X509_CRL_get0_lastUpdate(const X509_CRL *crl) 650 { 651 return crl->crl->lastUpdate; 652 } 653 LCRYPTO_ALIAS(X509_CRL_get0_lastUpdate); 654 655 ASN1_TIME * 656 X509_CRL_get_lastUpdate(X509_CRL *crl) 657 { 658 return crl->crl->lastUpdate; 659 } 660 LCRYPTO_ALIAS(X509_CRL_get_lastUpdate); 661 662 const ASN1_TIME * 663 X509_CRL_get0_nextUpdate(const X509_CRL *crl) 664 { 665 return crl->crl->nextUpdate; 666 } 667 LCRYPTO_ALIAS(X509_CRL_get0_nextUpdate); 668 669 ASN1_TIME * 670 X509_CRL_get_nextUpdate(X509_CRL *crl) 671 { 672 return crl->crl->nextUpdate; 673 } 674 LCRYPTO_ALIAS(X509_CRL_get_nextUpdate); 675 676 X509_NAME * 677 X509_CRL_get_issuer(const X509_CRL *crl) 678 { 679 return crl->crl->issuer; 680 } 681 LCRYPTO_ALIAS(X509_CRL_get_issuer); 682 683 STACK_OF(X509_REVOKED) * 684 X509_CRL_get_REVOKED(X509_CRL *crl) 685 { 686 return crl->crl->revoked; 687 } 688 LCRYPTO_ALIAS(X509_CRL_get_REVOKED); 689 690 void 691 X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, 692 const X509_ALGOR **palg) 693 { 694 if (psig != NULL) 695 *psig = crl->signature; 696 if (palg != NULL) 697 *palg = crl->sig_alg; 698 } 699 LCRYPTO_ALIAS(X509_CRL_get0_signature); 700 701 const X509_ALGOR * 702 X509_CRL_get0_tbs_sigalg(const X509_CRL *crl) 703 { 704 return crl->crl->sig_alg; 705 } 706 LCRYPTO_ALIAS(X509_CRL_get0_tbs_sigalg); 707