parseCRLExtensions parses the extensions for a CRL and checks that they're supported by the parser.
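// parseCRLExtensions parses the extensions for a CRL and checks that
// they're supported by the parser.
//
// It returns an error when c is nil, when a Delta CRL Indicator is
// present, when an Authority Key Identifier (AKID) or Issuing Distribution
// Point (IDP) extension fails to decode or carries trailing data, when the
// IDP narrows the CRL's scope (only some certificate types, indirect, or
// onlySomeReasons), when any other critical extension is present, or when
// no AKID was found. Unrecognised non-critical extensions are ignored.
//
// NOTE(review): a repeated extension is not rejected; a second AKID simply
// overwrites the first one recorded.
func parseCRLExtensions(c *x509.RevocationList) (*CRL, error) {
	if c == nil {
		return nil, errors.New("c is nil, expected any value")
	}
	certList := &CRL{certList: c}

	for _, ext := range c.Extensions {
		switch {
		case oidDeltaCRLIndicator.Equal(ext.Id):
			// A delta CRL is only meaningful combined with its base CRL;
			// this parser handles complete CRLs only.
			return nil, errors.New("delta CRLs unsupported")

		case oidAuthorityKeyIdentifier.Equal(ext.Id):
			var a authKeyID
			rest, err := asn1.Unmarshal(ext.Value, &a)
			if err != nil {
				// %w keeps the asn1 error reachable via errors.As; the
				// message text is unchanged.
				return nil, fmt.Errorf("asn1.Unmarshal failed: %w", err)
			}
			if len(rest) != 0 {
				return nil, errors.New("trailing data after AKID extension")
			}
			certList.authorityKeyID = a.ID

		case oidIssuingDistributionPoint.Equal(ext.Id):
			var dp issuingDistributionPoint
			rest, err := asn1.Unmarshal(ext.Value, &dp)
			if err != nil {
				return nil, fmt.Errorf("asn1.Unmarshal failed: %w", err)
			}
			if len(rest) != 0 {
				return nil, errors.New("trailing data after IssuingDistributionPoint extension")
			}
			// A scoped IDP means this CRL does not list every revocation by
			// the issuer, so a "not found in CRL" result would be unreliable.
			// Reject rather than treat it as a complete CRL.
			if dp.OnlyContainsUserCerts || dp.OnlyContainsCACerts || dp.OnlyContainsAttributeCerts {
				return nil, errors.New("CRL only contains some certificate types")
			}
			if dp.IndirectCRL {
				return nil, errors.New("indirect CRLs unsupported")
			}
			if dp.OnlySomeReasons.BitLength != 0 {
				return nil, errors.New("onlySomeReasons unsupported")
			}

		case ext.Critical:
			// Any critical extension not handled above must fail the parse;
			// non-critical unknown extensions fall through and are ignored.
			return nil, fmt.Errorf("unsupported critical extension: %v", ext.Id)
		}
	}

	// An AKID is mandatory for the result; presumably the caller uses it
	// to match the CRL to its issuer — confirm against verifyCRL.
	if len(certList.authorityKeyID) == 0 {
		return nil, errors.New("authority key identifier extension missing")
	}
	return certList, nil
}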
| 364 | |
| 365 | func verifyCRL(crl *CRL, chain []*x509.Certificate) error { |
| 366 | // RFC5280, 6.3.3 (f) Obtain and validate the certification path for the issuer of the complete CRL |