crl: add OwnedCertRevocationList constructor
Previously it was only possible to build an `OwnedCertRevocationList` by
first parsing a `BorrowedCertRevocationList` and then calling
`to_owned`. This is convenient if you already have
a `BorrowedCertRevocationList`, but downstream consumers like Rustls
may want to construct an `OwnedCertRevocationList` directly.

This commit adds a new `OwnedCertRevocationList::from_der` fn that can
perform the construction in one step, avoiding the caller having to deal
with two `Result`s (one from creating the `BorrowedCertRevocationList`
and then one from calling `to_owned`).
cpu committed Oct 24, 2023
1 parent e725533 commit 4759083
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions src/crl/types.rs
Expand Up @@ -168,6 +168,22 @@ pub struct OwnedCertRevocationList {

#[cfg(feature = "alloc")]
impl OwnedCertRevocationList {
/// Try to parse the given bytes as a RFC 5280[^1] profile Certificate Revocation List (CRL).
///
/// Webpki does not support:
/// * CRL versions other than version 2.
/// * CRLs missing the next update field.
/// * CRLs missing certificate revocation list extensions.
/// * Delta CRLs.
/// * CRLs larger than (2^32)-1 bytes in size.
///
/// See [BorrowedCertRevocationList::from_der] for more details.
///
/// [^1]: <https://www.rfc-editor.org/rfc/rfc5280#section-5>
pub fn from_der(crl_der: &[u8]) -> Result<Self, Error> {
BorrowedCertRevocationList::from_der(crl_der)?.to_owned()
}

fn find_serial(&self, serial: &[u8]) -> Result<Option<BorrowedRevokedCert>, Error> {
// note: this is infallible for the owned representation because we process all
// revoked certificates at the time of construction to build the `revoked_certs` map,
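Review bot: The doc comment on `from_der` does not say that the owned constructor does its revoked-certificate processing up front, which the context comment under `find_serial` relies on ("we process all revoked certificates at the time of construction to build the `revoked_certs` map"). Since the body is `BorrowedCertRevocationList::from_der(crl_der)?.to_owned()`, the returned `Error` can come from either step, so the docs should state that a malformed revoked-certificate entry is reported here rather than at lookup time, and that construction cost grows with the number of entries. That matters to callers loading large or untrusted CRLs. Separately, the list of unsupported CRL features is copied by hand and will drift from the borrowed constructor's docs; consider keeping only the "See [BorrowedCertRevocationList::from_der]" pointer, written with backticks inside the brackets to match rustdoc link style.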
Expand Down Expand Up @@ -1216,4 +1232,13 @@ mod tests {
// cert has no CRL DPs.
assert!(crl.authoritative(&path.node()));
}

#[test]
fn test_construct_owned_crl() {
// It should be possible to construct an owned CRL directly from DER without needing
// to build a borrowed representation first.
let crl =
include_bytes!("../../tests/client_auth_revocation/ee_revoked_crl_ku_ee_depth.crl.der");
assert!(OwnedCertRevocationList::from_der(crl).is_ok())
}
}
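Review bot: `test_construct_owned_crl` only asserts `OwnedCertRevocationList::from_der(crl).is_ok()`, so it would still pass if the constructor returned an owned CRL with missing or wrong contents. Since the new function is a revocation-checking entry point, consider unwrapping the result and asserting on something observable, for example that it behaves the same as the value produced by the existing two-step `BorrowedCertRevocationList::from_der(crl)` then `to_owned()` path for this fixture. A negative case is also missing: feeding truncated or otherwise invalid DER and asserting that `from_der` returns `Err` would cover the error propagation through the `?` in the new function.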
