@@ -3,15 +3,14 @@ use pem::Pem;
33use pki_types:: CertificateRevocationListDer ;
44use time:: OffsetDateTime ;
55use yasna:: DERWriter ;
6- use yasna:: DERWriterSeq ;
76use yasna:: Tag ;
87
98#[ cfg( feature = "pem" ) ]
109use crate :: ENCODE_CONFIG ;
1110use crate :: {
1211 oid, write_distinguished_name, write_dt_utc_or_generalized,
13- write_x509_authority_key_identifier, write_x509_extension, Certificate , DistinguishedName ,
14- Error , KeyIdMethod , KeyPair , KeyUsagePurpose , SerialNumber ,
12+ write_x509_authority_key_identifier, write_x509_extension, Certificate , Error , KeyIdMethod ,
13+ KeyPair , KeyUsagePurpose , SerialNumber ,
1514} ;
1615
1716/// A certificate revocation list (CRL)
@@ -193,102 +192,95 @@ impl CertificateRevocationListParams {
193192 return Err ( Error :: IssuerNotCrlSigner ) ;
194193 }
195194
196- let issuer_name = & issuer. params . distinguished_name ;
197- issuer_key
198- . sign_der ( |writer| self . write_crl ( issuer_key, issuer_name, writer) )
199- . map ( |der| CertificateRevocationList {
200- params : self ,
201- der : der. into ( ) ,
202- } )
203- }
204-
205- fn write_crl (
206- & self ,
207- issuer : & KeyPair ,
208- issuer_name : & DistinguishedName ,
209- writer : & mut DERWriterSeq ,
210- ) -> Result < ( ) , Error > {
211- // Write CRL version.
212- // RFC 5280 §5.1.2.1:
213- // This optional field describes the version of the encoded CRL. When
214- // extensions are used, as required by this profile, this field MUST be
215- // present and MUST specify version 2 (the integer value is 1).
216- // RFC 5280 §5.2:
217- // Conforming CRL issuers are REQUIRED to include the authority key
218- // identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
219- // extensions in all CRLs issued.
220- writer. next ( ) . write_u8 ( 1 ) ;
221-
222- // Write algorithm identifier.
223- // RFC 5280 §5.1.2.2:
224- // This field MUST contain the same algorithm identifier as the
225- // signatureAlgorithm field in the sequence CertificateList
226- issuer. alg . write_alg_ident ( writer. next ( ) ) ;
227-
228- // Write issuer.
229- // RFC 5280 §5.1.2.3:
230- // The issuer field MUST contain a non-empty X.500 distinguished name (DN).
231- write_distinguished_name ( writer. next ( ) , issuer_name) ;
232-
233- // Write thisUpdate date.
234- // RFC 5280 §5.1.2.4:
235- // This field indicates the issue date of this CRL. thisUpdate may be
236- // encoded as UTCTime or GeneralizedTime.
237- write_dt_utc_or_generalized ( writer. next ( ) , self . this_update ) ;
238-
239- // Write nextUpdate date.
240- // While OPTIONAL in the ASN.1 module, RFC 5280 §5.1.2.5 says:
241- // Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
242- write_dt_utc_or_generalized ( writer. next ( ) , self . next_update ) ;
243-
244- // Write revokedCertificates.
245- // RFC 5280 §5.1.2.6:
246- // When there are no revoked certificates, the revoked certificates list
247- // MUST be absent
248- if !self . revoked_certs . is_empty ( ) {
249- writer. next ( ) . write_sequence ( |writer| {
250- for revoked_cert in & self . revoked_certs {
251- revoked_cert. write_der ( writer. next ( ) ) ;
252- }
253- } ) ;
254- }
255-
256- // Write crlExtensions.
257- // RFC 5280 §5.1.2.7:
258- // This field may only appear if the version is 2 (Section 5.1.2.1). If
259- // present, this field is a sequence of one or more CRL extensions.
260- // RFC 5280 §5.2:
261- // Conforming CRL issuers are REQUIRED to include the authority key
262- // identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
263- // extensions in all CRLs issued.
264- writer. next ( ) . write_tagged ( Tag :: context ( 0 ) , |writer| {
265- writer. write_sequence ( |writer| {
266- // Write authority key identifier.
267- write_x509_authority_key_identifier (
268- writer. next ( ) ,
269- self . key_identifier_method . derive ( issuer. public_key_der ( ) ) ,
270- ) ;
271-
272- // Write CRL number.
273- write_x509_extension ( writer. next ( ) , oid:: CRL_NUMBER , false , |writer| {
274- writer. write_bigint_bytes ( self . crl_number . as_ref ( ) , true ) ;
195+ let der = issuer_key. sign_der ( |writer| {
196+ // Write CRL version.
197+ // RFC 5280 §5.1.2.1:
198+ // This optional field describes the version of the encoded CRL. When
199+ // extensions are used, as required by this profile, this field MUST be
200+ // present and MUST specify version 2 (the integer value is 1).
201+ // RFC 5280 §5.2:
202+ // Conforming CRL issuers are REQUIRED to include the authority key
203+ // identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
204+ // extensions in all CRLs issued.
205+ writer. next ( ) . write_u8 ( 1 ) ;
206+
207+ // Write algorithm identifier.
208+ // RFC 5280 §5.1.2.2:
209+ // This field MUST contain the same algorithm identifier as the
210+ // signatureAlgorithm field in the sequence CertificateList
211+ issuer_key. alg . write_alg_ident ( writer. next ( ) ) ;
212+
213+ // Write issuer.
214+ // RFC 5280 §5.1.2.3:
215+ // The issuer field MUST contain a non-empty X.500 distinguished name (DN).
216+ write_distinguished_name ( writer. next ( ) , & issuer. params . distinguished_name ) ;
217+
218+ // Write thisUpdate date.
219+ // RFC 5280 §5.1.2.4:
220+ // This field indicates the issue date of this CRL. thisUpdate may be
221+ // encoded as UTCTime or GeneralizedTime.
222+ write_dt_utc_or_generalized ( writer. next ( ) , self . this_update ) ;
223+
224+ // Write nextUpdate date.
225+ // While OPTIONAL in the ASN.1 module, RFC 5280 §5.1.2.5 says:
226+ // Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
227+ write_dt_utc_or_generalized ( writer. next ( ) , self . next_update ) ;
228+
229+ // Write revokedCertificates.
230+ // RFC 5280 §5.1.2.6:
231+ // When there are no revoked certificates, the revoked certificates list
232+ // MUST be absent
233+ if !self . revoked_certs . is_empty ( ) {
234+ writer. next ( ) . write_sequence ( |writer| {
235+ for revoked_cert in & self . revoked_certs {
236+ revoked_cert. write_der ( writer. next ( ) ) ;
237+ }
275238 } ) ;
239+ }
276240
277- // Write issuing distribution point (if present).
278- if let Some ( issuing_distribution_point) = & self . issuing_distribution_point {
279- write_x509_extension (
241+ // Write crlExtensions.
242+ // RFC 5280 §5.1.2.7:
243+ // This field may only appear if the version is 2 (Section 5.1.2.1). If
244+ // present, this field is a sequence of one or more CRL extensions.
245+ // RFC 5280 §5.2:
246+ // Conforming CRL issuers are REQUIRED to include the authority key
247+ // identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
248+ // extensions in all CRLs issued.
249+ writer. next ( ) . write_tagged ( Tag :: context ( 0 ) , |writer| {
250+ writer. write_sequence ( |writer| {
251+ // Write authority key identifier.
252+ write_x509_authority_key_identifier (
280253 writer. next ( ) ,
281- oid:: CRL_ISSUING_DISTRIBUTION_POINT ,
282- true ,
283- |writer| {
284- issuing_distribution_point. write_der ( writer) ;
285- } ,
254+ self . key_identifier_method
255+ . derive ( issuer_key. public_key_der ( ) ) ,
286256 ) ;
287- }
257+
258+ // Write CRL number.
259+ write_x509_extension ( writer. next ( ) , oid:: CRL_NUMBER , false , |writer| {
260+ writer. write_bigint_bytes ( self . crl_number . as_ref ( ) , true ) ;
261+ } ) ;
262+
263+ // Write issuing distribution point (if present).
264+ if let Some ( issuing_distribution_point) = & self . issuing_distribution_point {
265+ write_x509_extension (
266+ writer. next ( ) ,
267+ oid:: CRL_ISSUING_DISTRIBUTION_POINT ,
268+ true ,
269+ |writer| {
270+ issuing_distribution_point. write_der ( writer) ;
271+ } ,
272+ ) ;
273+ }
274+ } ) ;
288275 } ) ;
289- } ) ;
290276
291- Ok ( ( ) )
277+ Ok ( ( ) )
278+ } ) ?;
279+
280+ Ok ( CertificateRevocationList {
281+ params : self ,
282+ der : der. into ( ) ,
283+ } )
292284 }
293285}
294286
0 commit comments