x509crl.h File Reference

X.509 certificate revocation list parsing, encoding, lookup, and verification interface. More...

#include "qsccommon.h"
#include "x509types.h"

Go to the source code of this file.

Data Structures
struct	qsc_x509_crl_entry_t
struct	qsc_x509_crl_t

Macros
#define	QSC_X509_CRL_ENTRY_MAX   512U
	Maximum encoded size, in bytes, of a single CRL revoked-certificate entry.
#define	QSC_X509_CRL_REVOKED_MAX   1024U
	The maximum number of revoked certificate entries retained in a decoded CRL.

Typedefs
typedef struct qsc_x509_crl_entry_t	qsc_x509_crl_entry
typedef struct qsc_x509_crl_t	qsc_x509_crl
typedef enum qsc_x509_crl_verify_status_t	qsc_x509_crl_verify_status
typedef bool(*	qsc_x509_crl_signature_verify_callback) (const qsc_x509_crl *crl, const qsc_x509_certificate *issuer, void *state)
	Caller supplied CRL signature verification callback.

Enumerations

enum

qsc_x509_crl_verify_status_t {   QSC_X509_CRL_VERIFY_STATUS_SUCCESS = 0 , QSC_X509_CRL_VERIFY_STATUS_INVALID_INPUT = 1 , QSC_X509_CRL_VERIFY_STATUS_INVALID_CRL = 2 , QSC_X509_CRL_VERIFY_STATUS_ALGORITHM_MISMATCH = 3 ,   QSC_X509_CRL_VERIFY_STATUS_ISSUER_MISMATCH = 4 , QSC_X509_CRL_VERIFY_STATUS_EXPIRED = 5 , QSC_X509_CRL_VERIFY_STATUS_NOT_YET_VALID = 6 , QSC_X509_CRL_VERIFY_STATUS_KEY_USAGE_REJECTED = 7 ,   QSC_X509_CRL_VERIFY_STATUS_SIGNATURE_REJECTED = 8 , QSC_X509_CRL_VERIFY_STATUS_CALLBACK_FAILURE = 9 , QSC_X509_CRL_VERIFY_STATUS_UNSUPPORTED = 10 }

Functions
QSC_EXPORT_API void	qsc_x509_crl_clear (qsc_x509_crl *crl)
	Clear a decoded CRL object.
QSC_EXPORT_API qsc_asn1_status	qsc_x509_crl_decode_der (const uint8_t *der, size_t derlen, qsc_x509_crl *crl)
	Decode a DER encoded X.509 CRL.
QSC_EXPORT_API qsc_asn1_status	qsc_x509_crl_encode_der (const qsc_x509_crl *crl, uint8_t *output, size_t *outputlen)
	Encode a decoded CRL object as DER.
QSC_EXPORT_API bool	qsc_x509_crl_is_current (const qsc_x509_crl *crl, const qsc_asn1_time *now)
	Test whether a CRL is current at a supplied evaluation time.
QSC_EXPORT_API qsc_x509_crl_verify_status	qsc_x509_crl_check_algorithms (const qsc_x509_crl *crl)
	Check CRL signature algorithm consistency.
QSC_EXPORT_API const qsc_x509_crl_entry *	qsc_x509_crl_find_serial (const qsc_x509_crl *crl, const uint8_t *serial, size_t seriallen)
	Find a revoked entry by certificate serial number.
QSC_EXPORT_API bool	qsc_x509_certificate_is_revoked_by_crl (const qsc_x509_certificate *certificate, const qsc_x509_crl *crl)
	Test whether a certificate is revoked by a CRL.
QSC_EXPORT_API bool	qsc_x509_crl_is_revoked (const qsc_x509_crl *crl, const qsc_x509_certificate *certificate)
	Test whether a certificate is revoked by a CRL.
QSC_EXPORT_API qsc_x509_crl_verify_status	qsc_x509_crl_verify (const qsc_x509_crl *crl, const qsc_x509_certificate *issuer, const qsc_asn1_time *now, qsc_x509_crl_signature_verify_callback callback, void *state)
	Verify a decoded CRL against an issuer certificate.

Detailed Description

X.509 certificate revocation list parsing, encoding, lookup, and verification interface.

This header declares the public types and functions used to decode, encode, inspect, and verify DER encoded X.509 Certificate Revocation Lists (CRLs). The interface provides a compact CertificateList representation containing the parsed issuer name, update times, revoked serial number entries, signature metadata, and references to the raw TBSCertList and source DER buffers. Helper functions are provided for revocation queries, CRL validity window checks, algorithm consistency checks, and callback-driven signature verification against an issuer certificate.

The design is algorithm-neutral. Signature verification is delegated through a caller supplied callback so the surrounding X.509 verification layer can apply its supported signature algorithms, including future post-quantum algorithms, without changing the CRL parser interface.

Macro Definition Documentation

QSC_X509_CRL_REVOKED_MAX

#define QSC_X509_CRL_REVOKED_MAX   1024U

The maximum number of revoked certificate entries retained in a decoded CRL.

This macro defines the fixed upper bound on the number of revoked certificate entries stored in the revoked array. CRLs containing more entries than this limit cannot be fully represented by this compact object model without additional application handling.

Typedef Documentation

qsc_x509_crl_signature_verify_callback

typedef bool(* qsc_x509_crl_signature_verify_callback) (const qsc_x509_crl *crl, const qsc_x509_certificate *issuer, void *state)

Caller supplied CRL signature verification callback.

The CRL module delegates cryptographic signature verification to this callback. The callback receives the decoded CRL, the candidate issuer certificate, and an opaque caller-defined state pointer, and returns true only when the CRL signature is accepted.

Parameters

crl	[const][struct] The decoded CRL to verify.
issuer	[const][struct] The issuer certificate used to verify the CRL signature.
state	Caller-defined opaque state passed through from the verification call.

Returns

Returns true on successful signature verification; otherwise returns false.

Enumeration Type Documentation

qsc_x509_crl_verify_status_t

enum qsc_x509_crl_verify_status_t

Enumerator
QSC_X509_CRL_VERIFY_STATUS_INVALID_INPUT	Verification completed successfully.
QSC_X509_CRL_VERIFY_STATUS_INVALID_CRL	One or more input arguments were invalid.
QSC_X509_CRL_VERIFY_STATUS_ALGORITHM_MISMATCH	The CRL structure was malformed or internally inconsistent.
QSC_X509_CRL_VERIFY_STATUS_ISSUER_MISMATCH	The inner and outer signature algorithm identifiers did not match.
QSC_X509_CRL_VERIFY_STATUS_EXPIRED	The CRL issuer did not match the supplied issuer certificate.
QSC_X509_CRL_VERIFY_STATUS_NOT_YET_VALID	The CRL was expired relative to the supplied evaluation time.
QSC_X509_CRL_VERIFY_STATUS_KEY_USAGE_REJECTED	The CRL was not yet valid relative to the supplied evaluation time.
QSC_X509_CRL_VERIFY_STATUS_SIGNATURE_REJECTED	The issuer certificate key-usage policy rejected CRL signing.
QSC_X509_CRL_VERIFY_STATUS_CALLBACK_FAILURE	The CRL signature was rejected by the verification callback.
QSC_X509_CRL_VERIFY_STATUS_UNSUPPORTED	The caller supplied verification callback failed to execute successfully.

Function Documentation

qsc_x509_certificate_is_revoked_by_crl()

QSC_EXPORT_API bool qsc_x509_certificate_is_revoked_by_crl	(	const qsc_x509_certificate *	certificate,
		const qsc_x509_crl *	crl )

Test whether a certificate is revoked by a CRL.

Compares the serial number of the supplied certificate against the revoked entries contained in the CRL and returns whether the certificate appears in the CRL revocation list.

Parameters

certificate	[const][struct] The certificate to test.
crl	[const][struct] The CRL to query.

Returns

Returns true if the certificate serial number is present in the CRL; otherwise returns false.

qsc_x509_crl_check_algorithms()

QSC_EXPORT_API qsc_x509_crl_verify_status qsc_x509_crl_check_algorithms

(

const qsc_x509_crl *

crl

)

Check CRL signature algorithm consistency.

Verifies that the TBSCertList signature algorithm identifier and the outer CertificateList signature algorithm identifier are mutually consistent.

Parameters

crl	[const][struct] The decoded CRL to inspect.

Returns

[enum] Returns a qsc_x509_crl_verify_status result code.

qsc_x509_crl_clear()

QSC_EXPORT_API void qsc_x509_crl_clear

(

qsc_x509_crl *

crl

)

Clear a decoded CRL object.

Resets all fields of the CRL object to their default state and clears any decoded content retained from a prior parse operation.

Parameters

crl	[struct] The CRL object to clear.

Returns

[void] This function does not return a value.

qsc_x509_crl_decode_der()

QSC_EXPORT_API qsc_asn1_status qsc_x509_crl_decode_der	(	const uint8_t *	der,
		size_t	derlen,
		qsc_x509_crl *	crl )

Decode a DER encoded X.509 CRL.

Parses a DER encoded CertificateList structure and populates the destination qsc_x509_crl object with the decoded version, issuer, update times, revoked serial entries, signature metadata, and raw DER slice references.

Parameters

der	[const] The input DER encoded CRL buffer.
derlen	The length of the input DER buffer in bytes.
crl	[struct] The destination decoded CRL object.

Returns

[enum] Returns a qsc_asn1_status code indicating decode success or failure.

qsc_x509_crl_encode_der()

QSC_EXPORT_API qsc_asn1_status qsc_x509_crl_encode_der	(	const qsc_x509_crl *	crl,
		uint8_t *	output,
		size_t *	outputlen )

Encode a decoded CRL object as DER.

Serializes the supplied CRL object into DER encoded CertificateList form. This routine is intended for CRL emission and round-trip testing when the CRL object model contains sufficient information to reconstruct the output.

Parameters

crl	[const][struct] The source CRL object.
output	The destination buffer receiving the DER encoded CRL.
outputlen	The input capacity of output and, on success, the number of bytes written.

Returns

[enum] Returns a qsc_asn1_status code indicating encode success or failure.

qsc_x509_crl_find_serial()

QSC_EXPORT_API const qsc_x509_crl_entry * qsc_x509_crl_find_serial	(	const qsc_x509_crl *	crl,
		const uint8_t *	serial,
		size_t	seriallen )

Find a revoked entry by certificate serial number.

Searches the decoded revoked entry set for a serial number match and returns a pointer to the matching entry when found.

Parameters

crl	[const][struct] The decoded CRL to search.
serial	[const] The certificate serial number to locate.
seriallen	The length of the serial number in bytes.

Returns

Returns a pointer to the matching revoked entry, or NULL if no match is found.

qsc_x509_crl_is_current()

QSC_EXPORT_API bool qsc_x509_crl_is_current	(	const qsc_x509_crl *	crl,
		const qsc_asn1_time *	now )

Test whether a CRL is current at a supplied evaluation time.

Compares the supplied time against the CRL thisUpdate and optional nextUpdate bounds and returns whether the CRL is valid for use at that time.

Parameters

crl	[const][struct] The decoded CRL.
now	[const][struct] The evaluation time.

Returns

Returns true if the CRL is current at the supplied time; otherwise returns false.

qsc_x509_crl_is_revoked()

QSC_EXPORT_API bool qsc_x509_crl_is_revoked	(	const qsc_x509_crl *	crl,
		const qsc_x509_certificate *	certificate )

Test whether a certificate is revoked by a CRL.

This function provides the inverse argument ordering of qsc_x509_certificate_is_revoked_by_crl while performing the same serial number membership test.

Parameters

crl	[const][struct] The CRL to query.
certificate	[const][struct] The certificate to test.

Returns

Returns true if the certificate serial number is present in the CRL; otherwise returns false.

qsc_x509_crl_verify()

QSC_EXPORT_API qsc_x509_crl_verify_status qsc_x509_crl_verify	(	const qsc_x509_crl *	crl,
		const qsc_x509_certificate *	issuer,
		const qsc_asn1_time *	now,
		qsc_x509_crl_signature_verify_callback	callback,
		void *	state )

Verify a decoded CRL against an issuer certificate.

Performs CRL validation checks including input validation, algorithm consistency, issuer matching, current-time validity checks, issuer policy checks, and callback-driven cryptographic signature verification.

Parameters

crl	[const][struct] The decoded CRL to verify.
issuer	[const][struct] The issuer certificate expected to have signed the CRL.
now	[const][struct] The evaluation time used for thisUpdate and nextUpdate checks.
callback	The caller supplied CRL signature verification callback.
state	Caller-defined opaque state passed through to callback.

Returns

[enum] Returns a qsc_x509_crl_verify_status result code.