std::shared_ptr<const X509_CRL> Certificate_Store_In_Memory::find_crl_for(const X509_Certificate& subject) const
{
const std::vector<uint8_t>& key_id = subject.authority_key_id();
for(const auto& c : m_crls)
{
// Only compare key ids if set in both call and in the CRL
if(key_id.size())
{
std::vector<uint8_t> akid = c->authority_key_id();
if(akid.size() && akid != key_id) // no match
continue;
}
if(c->issuer_dn() == subject.issuer_dn())
return c;
}
return {};
}
/**
* Check if this particular certificate is listed in the CRL
*/
bool X509_CRL::is_revoked(const X509_Certificate& cert) const
{
/*
If the cert wasn't issued by the CRL issuer, it's possible the cert
is revoked, but not by this CRL. Maybe throw an exception instead?
*/
if(cert.issuer_dn() != issuer_dn())
return false;
std::vector<uint8_t> crl_akid = authority_key_id();
std::vector<uint8_t> cert_akid = cert.authority_key_id();
if(!crl_akid.empty() && !cert_akid.empty())
{
if(crl_akid != cert_akid)
return false;
}
std::vector<uint8_t> cert_serial = cert.serial_number();
bool is_revoked = false;
// FIXME would be nice to avoid a linear scan here - maybe sort the entries?
for(const CRL_Entry& entry : get_revoked())
{
if(cert_serial == entry.serial_number())
{
if(entry.reason_code() == REMOVE_FROM_CRL)
is_revoked = false;
else
is_revoked = true;
}
}
return is_revoked;
}
