Merge #214

214: Add support for certificate revocation lists r=raoulstrackx a=monokles

Originally introduced by PR #112 but never made it into master.
I cherry-picked the original commits onto a fresh branch and fixed the resulting code.

Since it changes the API, the version number is bumped.

Co-authored-by: Raoul Strackx <[email protected]>
Co-authored-by: koentange <[email protected]>

Author: 3 people

mbedtls/src/x509/certificate.rs

@@ -1009,58 +1009,35 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
         let c_int2 = Certificate::from_pem(C_INT2.as_bytes()).unwrap();
         let mut c_root = Certificate::from_pem_multiple(C_ROOT.as_bytes()).unwrap();
 
-        {
-            let mut chain = MbedtlsList::<Certificate>::new();
-            chain.push(c_leaf.clone());
-            chain.push(c_int1.clone());
-
-            let err = Certificate::verify(&chain, &mut c_root, None).unwrap_err();
-            assert_eq!(err, Error::X509CertVerifyFailed);
-
-            // try again after fixing the chain
-            chain.push(c_int2.clone());
-
-
-            let mut err_str = String::new();
-
-            let verify_callback = |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
-                verify_flags.remove(VerifyError::CERT_EXPIRED);
-                Ok(())
-            };
+        // Certificate C_INT2 is missing at the beginning so the verification should fail at first
+        let mut chain = MbedtlsList::<Certificate>::new();
+        chain.push(c_leaf.clone());
+        chain.push(c_int1.clone());
 
-            Certificate::verify(&chain, &mut c_root, None).unwrap();
-            let res = Certificate::verify_with_callback(&chain, &mut c_root, Some(&mut err_str), verify_callback);
+        // The certificates used for this test are expired so we remove the CERT_EXPIRED flag with the callback
+        let verify_callback = |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
+            verify_flags.remove(VerifyError::CERT_EXPIRED);
+            Ok(())
+        };
 
-            match res {
-                Ok(()) => (),
-                Err(e) => assert!(false, "Failed to verify, error: {}, err_str: {}", e, err_str),
-            };
+        let res = Certificate::verify_with_callback(&chain, &mut c_root, None, verify_callback);
+        match res {
+            Ok(_) => panic!("Certificate chain verification should have failed, but it succeeded"),
+            Err(err) => assert_eq!(err, Error::X509CertVerifyFailed),
         }
 
-        {
-            let mut chain = MbedtlsList::<Certificate>::new();
-            chain.push(c_leaf.clone());
-            chain.push(c_int1.clone());
-            chain.push(c_int2.clone());
-
-            Certificate::verify(&chain, &mut c_root, None).unwrap();
+        // try again after fixing the chain
+        chain.push(c_int2.clone());
 
-            let verify_callback = |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
-                verify_flags.remove(VerifyError::CERT_EXPIRED);
-                Ok(())
-            };
+        let mut err_str = String::new();
 
-            let mut err_str = String::new();
-            let res = Certificate::verify_with_callback(&chain, &mut c_root, Some(&mut err_str), verify_callback);
+        let res = Certificate::verify_with_callback(&chain, &mut c_root, Some(&mut err_str), verify_callback);
 
-            match res {
-                Ok(()) => (),
-                Err(e) => assert!(false, "Failed to verify, error: {}, err_str: {}", e, err_str),
-            };
-        }
+        match res {
+            Ok(()) => (),
+            Err(e) => panic!("Failed to verify, error: {}, err_str: {}", e, err_str),
+        };
     }
-
-    
 
     #[test]
     fn clone_test() {