crl: retain issuing distribution point extension #128

This commit adds an iterator over all possible `crl::RevocationReason` values. This avoids needing to hard-code the variant values into a range, or remember to skip the unused values.

Previously we implemented support for parsing the optional `DistributionPointName` from a certificate's CRL distribution points extension with code/types in `cert.rs`. While the top-level extension differs slightly for the CRL issuing distribution point extension, it shares the same encoding for the `distributionPoint` field holding a `DistributionPointName.` In anticipation of sharing this code between `cert.rs` and `crl.rs` this commit lifts the existing code from `cert.rs` into `x509.rs` where it can more easily be shared between the two, similar to other bits common to both certs and CRLs.

This commit updates both the `BorrowedCertRevocationList` and `OwnedCertRevocationList` to retain the raw DER encoding of the CRL issuing distribution point extension, if present. The `CertRevocationList` trait is then updated with a `issuing_distribution_point` fn that can return the raw DER for further processing when considering a CRL during CRL validation (not yet implemented). This commit additionally adds crate-local functions and types for working with a parsed representation of the CRL issuing distribution point extension. This mostly involves recognizing the top level extension properties. We're able to share some code with the certificate CRL distribution point extension (notably for handling the distribution point names). Since, when present, the IDP extension can assert that the CRL has features we don't support (e.g. that it's an indirect CRL, or that it has a distribution point name relative to an issuer name) we parse it up-front and validate that the CRL meets our requirements. Having both the certificate CRL distribution points, and the CRL issuing distribution point will allow subsequent work to tighten up the CRL validation process by matching information between the two.

This commit adds test coverage for the new parsing logic for CRL issuing distribution point extensions. For the "happy" paths we use a small Python script that uses pyca cryptography to generate test CRLs with the required extensions. For some invalid testcases we can't easily use pyca cryptography due to its (sensible) error checking. Instead, we use ascii2der, tweaking the ASCII representation of previously generated CRLs to produce the required invalid DER, converting back to DER with der2ascii. The associated .txt and .der files are checked in for convenience. The new test case generation is done separately from `tests/generate.py` because these test files are used in unit tests (since the code under test is internal to the crate) as opposed to integration tests (like `tests/generate.py` creates).

This commit extends the existing `testgen.yml` workflow to also ensure that running the CRL issuing distribution point testcase generation produces no diffs from what's checked-in.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crl: retain issuing distribution point extension #128

crl: retain issuing distribution point extension #128

Commits on Jul 27, 2023