x509-cert: add a CRL builder (#1759)

* x509-cert: Create a `CrlNumber` from native types

* x509-cert: add a CRL builder

Author: baloo

x509-cert/src/builder.rs

@@ -13,9 +13,13 @@ use spki::{
 use crate::{
     AlgorithmIdentifier, SubjectPublicKeyInfo,
     certificate::{Certificate, TbsCertificate, Version},
-    ext::{AsExtension, Extensions},
+    crl::{CertificateList, RevokedCert, TbsCertList},
+    ext::{
+        AsExtension, Extensions,
+        pkix::{AuthorityKeyIdentifier, CrlNumber, SubjectKeyIdentifier},
+    },
     serial_number::SerialNumber,
-    time::Validity,
+    time::{Time, Validity},
 };
 
 pub mod profile;
@@ -564,3 +568,119 @@ where
         <T as Builder>::finalize(self, signer)
     }
 }
+
+/// X.509 CRL builder
+pub struct CrlBuilder {
+    tbs: TbsCertList,
+}
+
+impl CrlBuilder {
+    /// Create a `CrlBuilder` with the given issuer and the given monotonic [`CrlNumber`]
+    #[cfg(feature = "std")]
+    pub fn new(issuer: &Certificate, crl_number: CrlNumber) -> der::Result<Self> {
+        let this_update = Time::now()?;
+        Self::new_with_this_update(issuer, crl_number, this_update)
+    }
+
+    /// Create a `CrlBuilder` with the given issuer, a given monotonic [`CrlNumber`], and valid
+    /// from the given `this_update` start validity date.
+    pub fn new_with_this_update(
+        issuer: &Certificate,
+        crl_number: CrlNumber,
+        this_update: Time,
+    ) -> der::Result<Self> {
+        // Replaced later when the finalize is called
+        let signature_alg = AlgorithmIdentifier {
+            oid: NULL_OID,
+            parameters: None,
+        };
+
+        let issuer_name = issuer.tbs_certificate.subject().clone();
+
+        let mut crl_extensions = Extensions::new();
+        crl_extensions.push(crl_number.to_extension(&issuer_name, &crl_extensions)?);
+        let aki = match issuer
+            .tbs_certificate
+            .get_extension::<AuthorityKeyIdentifier>()?
+        {
+            Some((_, aki)) => aki,
+            None => {
+                let ski = SubjectKeyIdentifier::try_from(
+                    issuer
+                        .tbs_certificate
+                        .subject_public_key_info()
+                        .owned_to_ref(),
+                )?;
+                AuthorityKeyIdentifier {
+                    // KeyIdentifier must be the same as subjectKeyIdentifier
+                    key_identifier: Some(ski.0.clone()),
+                    // other fields must not be present.
+                    ..Default::default()
+                }
+            }
+        };
+        crl_extensions.push(aki.to_extension(&issuer_name, &crl_extensions)?);
+
+        let tbs = TbsCertList {
+            version: Version::V2,
+            signature: signature_alg,
+            issuer: issuer_name,
+            this_update,
+            next_update: None,
+            revoked_certificates: None,
+            crl_extensions: Some(crl_extensions),
+        };
+
+        Ok(Self { tbs })
+    }
+
+    /// Make the CRL valid until the given `next_update`
+    pub fn with_next_update(mut self, next_update: Option<Time>) -> Self {
+        self.tbs.next_update = next_update;
+        self
+    }
+
+    /// Add certificates to the revocation list
+    pub fn with_certificates<I>(mut self, revoked: I) -> Self
+    where
+        I: Iterator<Item = RevokedCert>,
+    {
+        let certificates = self
+            .tbs
+            .revoked_certificates
+            .get_or_insert_with(vec::Vec::new);
+
+        let mut revoked: vec::Vec<RevokedCert> = revoked.collect();
+        certificates.append(&mut revoked);
+
+        self
+    }
+}
+
+impl Builder for CrlBuilder {
+    type Output = CertificateList;
+
+    fn finalize<S>(&mut self, cert_signer: &S) -> Result<vec::Vec<u8>>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S::VerifyingKey: EncodePublicKey,
+    {
+        self.tbs.signature = cert_signer.signature_algorithm_identifier()?;
+
+        self.tbs.to_der().map_err(Error::from)
+    }
+
+    fn assemble<S>(self, signature: BitString, _signer: &S) -> Result<Self::Output>
+    where
+        S: Keypair + DynSignatureAlgorithmIdentifier,
+        S::VerifyingKey: EncodePublicKey,
+    {
+        let signature_algorithm = self.tbs.signature.clone();
+
+        Ok(CertificateList {
+            tbs_cert_list: self.tbs,
+            signature_algorithm,
+            signature,
+        })
+    }
+}

x509-cert/src/crl.rs

@@ -14,6 +14,9 @@ use alloc::vec::Vec;
 use der::asn1::BitString;
 use der::{Sequence, ValueOrd};
 
+#[cfg(feature = "pem")]
+use der::pem::PemLabel;
+
 /// `CertificateList` as defined in [RFC 5280 Section 5.1].
 ///
 /// ```text
@@ -33,6 +36,11 @@ pub struct CertificateList<P: Profile = Rfc5280> {
     pub signature: BitString,
 }
 
+#[cfg(feature = "pem")]
+impl<P: Profile> PemLabel for CertificateList<P> {
+    const PEM_LABEL: &'static str = "X509 CRL";
+}
+
 /// Implicit intermediate structure from the ASN.1 definition of `TBSCertList`.
 ///
 /// This type is used for the `revoked_certificates` field of `TbsCertList`.

x509-cert/src/ext/pkix/crl.rs

@@ -30,6 +30,22 @@ impl AssociatedOid for CrlNumber {
 impl_newtype!(CrlNumber, Uint);
 impl_extension!(CrlNumber, critical = false);
 
+macro_rules! impl_from_traits {
+    ($($uint:ty),+) => {
+        $(
+            impl TryFrom<$uint> for CrlNumber {
+                type Error = der::Error;
+
+                fn try_from(value: $uint) -> der::Result<Self> {
+                    Uint::try_from(value).map(Self)
+                }
+            }
+        )+
+    }
+}
+
+impl_from_traits!(u8, u16, u32, u64, u128);
+
 /// BaseCRLNumber as defined in [RFC 5280 Section 5.2.4].
 ///
 /// ```text

x509-cert/test-support/src/openssl.rs

@@ -1,7 +1,7 @@
 use std::{
-    fs::File,
+    fs::{self, File},
     io::{Read, Write},
-    process::{Command, Stdio},
+    process::{Command, ExitStatus, Stdio},
 };
 use tempfile::tempdir;
 
@@ -21,7 +21,7 @@ fn check_openssl_output(command_and_args: &[&str], pem: &[u8]) -> String {
         .stderr(Stdio::inherit())
         .stdout(Stdio::piped())
         .spawn()
-        .expect("zlint failed");
+        .expect("openssl failed");
     let mut stdout = child.stdout.take().unwrap();
     let exit_status = child.wait().expect("get openssl x509 status");
 
@@ -38,6 +38,53 @@ pub fn check_certificate(pem: &[u8]) -> String {
     check_openssl_output(&["x509"], pem)
 }
 
+pub fn check_crl(pem: &[u8]) -> String {
+    check_openssl_output(&["crl"], pem)
+}
+
 pub fn check_request(pem: &[u8]) -> String {
     check_openssl_output(&["req", "-verify"], pem)
 }
+
+pub fn verify(trust_anchor: &[u8], leaf: &[u8], crl: &[u8]) -> (ExitStatus, String, String) {
+    let tmp_dir = tempdir().expect("create tempdir");
+    let trust_anchor_path = tmp_dir.path().join("trust_anchor.pem");
+    let leaf_path = tmp_dir.path().join("leaf.pem");
+    let crl_path = tmp_dir.path().join("crl.pem");
+
+    fs::write(&trust_anchor_path, trust_anchor).expect("Write trust anchor");
+    fs::write(&leaf_path, leaf).expect("Write leaf");
+    fs::write(&crl_path, crl).expect("Write crl");
+
+    let mut child = Command::new("openssl")
+        .arg("verify")
+        .arg("-crl_check")
+        .arg("-CRLfile")
+        .arg(&crl_path)
+        .arg("-trusted")
+        .arg(&trust_anchor_path)
+        .arg("--")
+        .arg(&leaf_path)
+        .stderr(Stdio::piped())
+        .stdout(Stdio::piped())
+        .spawn()
+        .expect("openssl failed");
+    let mut stdout = child.stdout.take().unwrap();
+    let mut stderr = child.stderr.take().unwrap();
+
+    let mut output_buf = Vec::new();
+    stdout
+        .read_to_end(&mut output_buf)
+        .expect("read openssl output");
+    let mut stderr_buf = Vec::new();
+    stderr
+        .read_to_end(&mut stderr_buf)
+        .expect("read openssl output");
+    let exit_status = child.wait().expect("get openssl verify status");
+
+    (
+        exit_status,
+        String::from_utf8(output_buf.clone()).unwrap(),
+        String::from_utf8(stderr_buf.clone()).unwrap(),
+    )
+}