hub / github.com/grpc/grpc-go / parseCRLExtensions

Function parseCRLExtensions

security/advancedtls/crl.go:316–363  ·  view source on GitHub ↗

parseCRLExtensions parses the extensions for a CRL and checks that they're supported by the parser.

(c *x509.RevocationList)

Source from the content-addressed store, hash-verified

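// parseCRLExtensions parses the extensions for a CRL
// and checks that they're supported by the parser.
//
// It returns a *CRL wrapping c with authorityKeyID populated from the
// Authority Key Identifier extension. It returns an error (and a nil *CRL)
// when c is nil, when a handled extension fails to decode or carries trailing
// bytes, when the CRL is a delta CRL, an indirect CRL, or is scoped by its
// Issuing Distribution Point to a subset of certificate types or revocation
// reasons, when an unrecognised extension is marked critical, or when no
// non-empty authority key identifier was found.
//
// The checks fail closed: a CRL whose scope this parser cannot fully interpret
// is rejected rather than used, so that a certificate's absence from a partial
// CRL is never read as "not revoked".
func parseCRLExtensions(c *x509.RevocationList) (*CRL, error) {
	if c == nil {
		return nil, errors.New("c is nil, expected any value")
	}
	certList := &CRL{certList: c}

	for _, ext := range c.Extensions {
		// Case order matters: the recognised OIDs are matched first, so they are
		// processed whether or not they are flagged critical. Only extensions
		// that match none of them reach the ext.Critical case.
		switch {
		case oidDeltaCRLIndicator.Equal(ext.Id):
			// A delta CRL lists only changes relative to a base CRL, so it is
			// not a complete revocation list on its own.
			return nil, errors.New("delta CRLs unsupported")

		case oidAuthorityKeyIdentifier.Equal(ext.Id):
			var a authKeyID
			rest, err := asn1.Unmarshal(ext.Value, &a)
			if err != nil {
				// %w keeps the asn1 error reachable through errors.Is/As; the
				// rendered message is the same as with %v.
				return nil, fmt.Errorf("asn1.Unmarshal failed: %w", err)
			}
			if len(rest) != 0 {
				// Bytes after the decoded value mean the extension is not the
				// single DER structure expected here.
				return nil, errors.New("trailing data after AKID extension")
			}
			certList.authorityKeyID = a.ID

		case oidIssuingDistributionPoint.Equal(ext.Id):
			var dp issuingDistributionPoint
			rest, err := asn1.Unmarshal(ext.Value, &dp)
			if err != nil {
				return nil, fmt.Errorf("asn1.Unmarshal failed: %w", err)
			}
			if len(rest) != 0 {
				return nil, errors.New("trailing data after IssuingDistributionPoint extension")
			}

			// Each of these flags narrows what the CRL covers; any of them set
			// means the list cannot be treated as covering every certificate.
			if dp.OnlyContainsUserCerts || dp.OnlyContainsCACerts || dp.OnlyContainsAttributeCerts {
				return nil, errors.New("CRL only contains some certificate types")
			}
			if dp.IndirectCRL {
				return nil, errors.New("indirect CRLs unsupported")
			}
			if dp.OnlySomeReasons.BitLength != 0 {
				return nil, errors.New("onlySomeReasons unsupported")
			}

		case ext.Critical:
			// An unrecognised extension marked critical cannot be safely
			// ignored, so the whole CRL is refused. Unrecognised non-critical
			// extensions match no case and are skipped.
			return nil, fmt.Errorf("unsupported critical extension: %v", ext.Id)
		}
	}

	// The AKID is mandatory here: an absent extension and one that decoded to
	// an empty identifier are both rejected.
	// NOTE(review): presumably the identifier is used later to match the CRL to
	// its issuer — confirm against verifyCRL.
	if len(certList.authorityKeyID) == 0 {
		return nil, errors.New("authority key identifier extension missing")
	}
	return certList, nil
}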
364
365func verifyCRL(crl *CRL, chain []*x509.Certificate) error {
366 // RFC5280, 6.3.3 (f) Obtain and validate the certification path for the issuer of the complete CRL

Callers 2

TestUnsupportedCRLs (Function) · 0.85
NewCRL (Function) · 0.85

Calls 3

Equal (Method) · 0.65
Errorf (Method) · 0.65
Unmarshal (Method) · 0.65

Tested by 1

TestUnsupportedCRLs (Function) · 0.68