randombit/botan-rs

feature request: Expose CRL support

cpu opened this issue · 5 comments

cpu commented

👋 Hi there,

While implementing CRL generation support for rcgen I noticed that botan-rs doesn't expose any of the underlying Botan lib's support for certificate revocation lists, e.g. the X509_CRL type.

Is this something you would be willing to add? I'm unlikely to have the time to dig into doing it myself but would commit to using the feature for ecosystem compatibility testing if it were available.

Thanks!

Hi - thanks for pointing this out.

At the moment adding support for CRLs is a little tricky in that the C89 API that the actual crypto library exports has only a very limited number of options for CRLs. We can/should expose those to Rust ASAP. But I suspect any practical use is going to require more than what we currently have, so the first step would be defining the C89 APIs that are needed.

Can you take a look at the current set of CRL related interfaces https://github.com/randombit/botan/blob/master/src/lib/ffi/ffi.h#L1809-L1840 and comment on what additional functionality you would require?

cpu commented

Thanks for the quick response :-)

> Can you take a look at the current set of CRL related interfaces https://github.com/randombit/botan/blob/master/src/lib/ffi/ffi.h#L1809-L1840 and comment on what additional functionality you would require?

For my purposes I'm largely interested in testing that an externally generated CRL parses, and has the expected contents. I'm less interested in using the CRLs during path validation, so I think API-wise it'd be nice to have:

  • int botan_x509_crl_load(botan_x509_crl_t* crl_obj, const uint8_t crl_bits[], size_t crl_bits_len); (I don't need the file variant, providing DER bytes directly is fine)
  • int botan_x509_crl_destroy(botan_x509_crl_t crl);
  • int botan_x509_is_revoked(botan_x509_crl_t crl, botan_x509_cert_t cert);

If there were an API to validate the signature on a botan_x509_crl given a botan_x509_cert_t CRL issuer that would be helpful. Separate from my use-case it might be tempting for someone to use botan_x509_is_revoked in isolation and it seems problematic to do so without validating the CRL signature from the issuer. (Edit: though of course I suspect that's a feature request that should be made on the botan repo since the Rust crate can't export what doesn't exist :-))

I don't think botan_x509_cert_verify_with_crl will be helpful for me, but I echo your thought that practical use for folks using Botan outside a testing capacity would probably appreciate that API in the future.
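As an added example that is not part of this thread, of botan-rs or of Botan: a dependency-free Rust DER walker that does, at the structural level, what the requested `botan_x509_crl_load` followed by `botan_x509_is_revoked` pair does: parse a `CertificateList`, collect the serial numbers in `revokedCertificates`, and answer a membership query for a certificate serial. The `SAMPLE_CRL` bytes are constructed by hand (a made-up issuer `CN=Test CA`, two revoked serials, and a two-byte placeholder in the signature BIT STRING rather than a real signature), and every name here (`parse_crl`, `Crl`, `DerError`, `SAMPLE_CRL`) is this example's own. Like the C API as listed above, it does not verify the CRL signature; it keeps the raw `tbsCertList` bytes and the signature value precisely so that a caller has the inputs the missing issuer-signature check would need, and so that the gap is visible rather than silent.

```rust
// Minimal DER reader for X.509 CRLs (RFC 5280 s5.1). Not a general ASN.1 library.
// Example code only; not botan-rs or Botan code.

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, BadLength, UnexpectedTag { expected: u8, got: u8 }, Trailing }

struct Tlv<'a> { tag: u8, body: &'a [u8], raw: &'a [u8] }

const SEQUENCE: u8 = 0x30;
const INTEGER: u8 = 0x02;
const BIT_STRING: u8 = 0x03;
const UTC_TIME: u8 = 0x17;
const GENERALIZED_TIME: u8 = 0x18;
const CRL_EXTENSIONS: u8 = 0xA0; // [0] EXPLICIT crlExtensions

/// Read one TLV; accept short-form and minimal long-form lengths only (DER rules).
fn read_tlv(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), DerError> {
    let tag = *input.first().ok_or(DerError::Truncated)?;
    let first = *input.get(1).ok_or(DerError::Truncated)?;
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7F) as usize;
        if n == 0 || n > 4 || input.len() < 2 + n { return Err(DerError::BadLength); }
        let len = input[2..2 + n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 || input[2] == 0 { return Err(DerError::BadLength); } // non-minimal
        (len, 2 + n)
    };
    let end = hdr.checked_add(len).ok_or(DerError::BadLength)?;
    if input.len() < end { return Err(DerError::Truncated); }
    Ok((Tlv { tag, body: &input[hdr..end], raw: &input[..end] }, &input[end..]))
}

fn expect(input: &[u8], tag: u8) -> Result<(Tlv<'_>, &[u8]), DerError> {
    let (tlv, rest) = read_tlv(input)?;
    if tlv.tag != tag { return Err(DerError::UnexpectedTag { expected: tag, got: tlv.tag }); }
    Ok((tlv, rest))
}

fn read_time(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), DerError> {
    let (tlv, rest) = read_tlv(input)?;
    match tlv.tag {
        UTC_TIME | GENERALIZED_TIME => Ok((tlv, rest)),
        t => Err(DerError::UnexpectedTag { expected: UTC_TIME, got: t }),
    }
}

pub struct Crl {
    pub tbs_der: Vec<u8>,          // bytes the issuer's signature is computed over
    pub issuer_der: Vec<u8>,       // Name, as encoded
    pub revoked_serials: Vec<Vec<u8>>, // INTEGER contents, DER-minimal
    pub signature: Vec<u8>,        // BIT STRING payload, NOT verified here
}

impl Crl {
    /// Membership only. A caller must still verify `signature` over `tbs_der`
    /// with the issuer's key before trusting this answer.
    pub fn is_revoked(&self, cert_serial: &[u8]) -> bool {
        self.revoked_serials.iter().any(|s| s == cert_serial)
    }
}

pub fn parse_crl(der: &[u8]) -> Result<Crl, DerError> {
    let (outer, rest) = expect(der, SEQUENCE)?;
    if !rest.is_empty() { return Err(DerError::Trailing); }
    let (tbs, rest) = expect(outer.body, SEQUENCE)?;
    let (_sig_alg, rest) = expect(rest, SEQUENCE)?;
    let (sig, rest) = expect(rest, BIT_STRING)?;
    if !rest.is_empty() { return Err(DerError::Trailing); }
    let signature = sig.body.get(1..).ok_or(DerError::Truncated)?.to_vec(); // skip unused-bits byte

    let mut cur = tbs.body;
    if let Ok((_, rest)) = expect(cur, INTEGER) { cur = rest; } // version, absent for v1
    let (_tbs_sig_alg, rest) = expect(cur, SEQUENCE)?;
    let (issuer, rest) = expect(rest, SEQUENCE)?;
    let (_this_update, rest) = read_time(rest)?;
    cur = rest;
    if let Ok((_next_update, rest)) = read_time(cur) { cur = rest; }
    let mut revoked_serials = Vec::new();
    if let Ok((list, rest)) = expect(cur, SEQUENCE) { // revokedCertificates
        let mut entries = list.body;
        while !entries.is_empty() {
            let (entry, rest) = expect(entries, SEQUENCE)?;
            let (serial, _) = expect(entry.body, INTEGER)?;
            revoked_serials.push(serial.body.to_vec());
            entries = rest;
        }
        cur = rest;
    }
    if let Ok((_exts, rest)) = expect(cur, CRL_EXTENSIONS) { cur = rest; }
    if !cur.is_empty() { return Err(DerError::Trailing); }
    Ok(Crl { tbs_der: tbs.raw.to_vec(), issuer_der: issuer.raw.to_vec(), revoked_serials, signature })
}

/// Hand-constructed CRL: CN=Test CA, serials 0x1A2B and 0x7F revoked, placeholder signature.
pub const SAMPLE_CRL: &[u8] = &[
    0x30, 0x7F, 0x30, 0x6C, 0x02, 0x01, 0x01,
    0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, // ecdsa-with-SHA256
    0x30, 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x07,
    b'T', b'e', b's', b't', b' ', b'C', b'A',
    0x17, 0x0D, b'2', b'4', b'0', b'1', b'0', b'1', b'0', b'0', b'0', b'0', b'0', b'0', b'Z',
    0x17, 0x0D, b'2', b'5', b'0', b'1', b'0', b'1', b'0', b'0', b'0', b'0', b'0', b'0', b'Z',
    0x30, 0x29, 0x30, 0x13, 0x02, 0x02, 0x1A, 0x2B,
    0x17, 0x0D, b'2', b'4', b'0', b'6', b'0', b'1', b'0', b'0', b'0', b'0', b'0', b'0', b'Z',
    0x30, 0x12, 0x02, 0x01, 0x7F,
    0x17, 0x0D, b'2', b'4', b'0', b'7', b'0', b'1', b'0', b'0', b'0', b'0', b'0', b'0', b'Z',
    0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02,
    0x03, 0x03, 0x00, 0xAB, 0xCD, // placeholder, not a real signature
];

fn main() {
    let crl = parse_crl(SAMPLE_CRL).expect("sample CRL parses");
    for s in &crl.revoked_serials { println!("revoked serial: {:02x?}", s); }
    println!("0x7F revoked? {} (signature unverified)", crl.is_revoked(&[0x7F]));
}
```

Serials are compared as raw INTEGER contents, which is sound only because both sides are DER (minimal encoding); a CRL that mixes in BER-style padded integers would miss matches, and a strict parser should reject it. Truncated input and bytes after the outer SEQUENCE are rejected rather than ignored, which is what an "is this externally generated CRL well formed" test wants.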

#99 adds support for everything currently available regarding CRLs, with the exception of botan_x509_cert_verify_with_crl

I'll look at expanding the set of operations available, but as I mentioned above it's a two step process since we need to update the C++ library first.

cpu commented

Thank you! From my perspective this issue can be closed as fixed but if you want to leave it open to track the follow-up work that's a-ok too.

For any further progress here we need to make new APIs available from the C++ library so I'm going to close this and leave it to randombit/botan#3627 to track the needed work.