blob: c79c797c7ecf667b908c090ec4a0666f477a77f3 [file] [log] [blame]
// Copyright 2011 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package crl exposes low-level details of PKIX Certificate Revocation Lists
// as specified in RFC 5280, section 5.
package crl
import (
"asn1"
"bytes"
"encoding/pem"
"os"
"time"
)
// CertificateList represents the ASN.1 structure of the same name. See RFC
// 5280, section 5.1. Use crypto/x509/Certificate.CheckCRLSignature to verify
// the signature.
type CertificateList struct {
TBSCertList TBSCertificateList
SignatureAlgorithm AlgorithmIdentifier
SignatureValue asn1.BitString
}
// HasExpired returns true iff currentTimeSeconds is past the expiry time of
// certList.
func (certList *CertificateList) HasExpired(currentTimeSeconds int64) bool {
return certList.TBSCertList.NextUpdate.Seconds() <= currentTimeSeconds
}
// TBSCertificateList represents the ASN.1 structure of the same name. See RFC
// 5280, section 5.1.
type TBSCertificateList struct {
Raw asn1.RawContent
Version int "optional,default:2"
Signature AlgorithmIdentifier
Issuer asn1.RawValue
ThisUpdate *time.Time
NextUpdate *time.Time
RevokedCertificates []RevokedCertificate "optional"
Extensions []Extension "tag:0,optional,explicit"
}
// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
// 5280, section 4.1.1.2.
type AlgorithmIdentifier struct {
Algo asn1.ObjectIdentifier
Params asn1.RawValue "optional"
}
// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
// 5280, section 5.1.
type RevokedCertificate struct {
SerialNumber asn1.RawValue
RevocationTime *time.Time
Extensions []Extension "optional"
}
// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
// 5280, section 4.2.
type Extension struct {
Id asn1.ObjectIdentifier
IsCritial bool "optional"
Value []byte
}
// pemCRLPrefix is the magic string that indicates that we have a PEM encoded
// CRL.
var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
// pemType is the type of a PEM encoded CRL.
var pemType = "X509 CRL"
// Parse parses a CRL from the given bytes. It's often the case that PEM
// encoded CRLs will appear where they should be DER encoded, so this function
// will transparently handle PEM encoding as long as there isn't any leading
// garbage.
func Parse(crlBytes []byte) (certList *CertificateList, err os.Error) {
if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
block, _ := pem.Decode(crlBytes)
if block != nil && block.Type == pemType {
crlBytes = block.Bytes
}
}
return ParseDER(crlBytes)
}
// ParseDER parses a DER encoded CRL from the given bytes.
func ParseDER(derBytes []byte) (certList *CertificateList, err os.Error) {
certList = new(CertificateList)
_, err = asn1.Unmarshal(derBytes, certList)
if err != nil {
certList = nil
}
return
}