Skip to content

Commit

Permalink
Allow empty CRLs to be created (#22)
Browse files Browse the repository at this point in the history
  • Loading branch information
tsaarni authored Jun 23, 2022
1 parent adf39d5 commit fb8112f
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 8 deletions.
21 changes: 13 additions & 8 deletions crl.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,10 @@ type CRL struct {
// All Certificates must be issued by the same Issuer.
// Self-signed certificates cannot be added.
Revoked []*Certificate

// Issuer is the CA certificate issuing this CRL.
// If not set, it defaults to the issuer of certificates added to Revoked list.
Issuer *Certificate
}

// Add appends a Certificate to CRL list.
Expand All @@ -58,8 +62,11 @@ func (crl *CRL) Add(cert *Certificate) error {
// DER returns the CRL as DER buffer.
// Error is not nil if generation fails.
func (crl *CRL) DER() (crlBytes []byte, err error) {
if len(crl.Revoked) == 0 {
return nil, fmt.Errorf("certificates have not been added to CRL")
if crl.Issuer == nil {
if len(crl.Revoked) == 0 {
return nil, fmt.Errorf("Issuer not known: either set Issuer or add certificates to the CRL")
}
crl.Issuer = crl.Revoked[0].Issuer
}

effectiveRevocationTime := time.Now()
Expand All @@ -73,8 +80,6 @@ func (crl *CRL) DER() (crlBytes []byte, err error) {
effectiveExpiry = *crl.NextUpdate
}

issuer := crl.Revoked[0].Issuer

var revokedCerts []pkix.RevokedCertificate
for _, c := range crl.Revoked {
err := c.ensureGenerated()
Expand All @@ -83,21 +88,21 @@ func (crl *CRL) DER() (crlBytes []byte, err error) {
}
if c.Issuer == nil {
return nil, fmt.Errorf("cannot revoke self-signed certificate: %s", c.Subject)
} else if c.Issuer != issuer {
return nil, fmt.Errorf("CRL can contain certificates for single issuer only")
} else if c.Issuer != crl.Issuer {
return nil, fmt.Errorf("revoked certificates added from several issuers, or certificate does not match explicitly set Issuer")
}
revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
SerialNumber: c.SerialNumber,
RevocationTime: effectiveRevocationTime,
})
}

ca, err := issuer.X509Certificate()
ca, err := crl.Issuer.X509Certificate()
if err != nil {
return nil, err
}

privateKey, err := issuer.PrivateKey()
privateKey, err := crl.Issuer.PrivateKey()
if err != nil {
return nil, err
}
Expand Down
24 changes: 24 additions & 0 deletions crl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,4 +73,28 @@ func TestInvalidIssuers(t *testing.T) {
assert.Nil(t, err)
err = crl.Add(&input2)
assert.NotNil(t, err)

// Explicitly set issuer but add certificates issued by different CA.
crl = CRL{Issuer: &ca1, Revoked: []*Certificate{&input2}}
_, err = crl.DER()
assert.NotNil(t, err)

}

func TestEmptyCRL(t *testing.T) {
// Empty CRL can be created by explicitly defining Issuer.
ca := Certificate{Subject: "CN=ca"}
crl := CRL{Issuer: &ca}
crlBytes, err := crl.DER()
assert.Nil(t, err)

certList, err := x509.ParseCRL(crlBytes)
assert.Nil(t, err)
assert.Equal(t, 0, len(certList.TBSCertList.RevokedCertificates))
assert.Equal(t, "CN=ca", certList.TBSCertList.Issuer.String())

// Empty CRL with no issuer cannot be created.
crl = CRL{}
_, err = crl.DER()
assert.NotNil(t, err)
}

0 comments on commit fb8112f

Please sign in to comment.