Security-59754.80.3.tar.gz

[apple/security.git] / OSX / libsecurity_apple_x509_tp / lib / TPCrlInfo.cpp

/*
 * Copyright (c) 2002,2011-2012,2014-2015 Apple Inc. All Rights Reserved.
 *
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


/*
 * TPCrlInfo.h - TP's private CRL and CRL group
 *
 */

#include "TPCrlInfo.h"
#include "tpdebugging.h"
#include "certGroupUtils.h"
#include "tpCrlVerify.h"
#include "tpPolicies.h"
#include "tpTime.h"
#include <Security/cssmapi.h>
#include <Security/x509defs.h>
#include <Security/oidscert.h>
#include <Security/oidscrl.h>
#include <security_cdsa_utilities/cssmerrors.h>
#include <utilities/SecCFRelease.h>
#include <string.h>						/* for memcmp */
#include <Security/cssmapple.h>

/*
 * Replacement for CSSM_CL_CrlGetFirstCachedFieldValue for use with
 * TPCrlItemInfo's generic getFirstCachedField mechanism.
 */
static CSSM_RETURN tpGetFirstCachedFieldValue (CSSM_CL_HANDLE CLHandle,
                                     CSSM_HANDLE CrlHandle,
                                     const CSSM_OID *CrlField,
                                     CSSM_HANDLE_PTR ResultsHandle,
                                     uint32 *NumberOfMatchedFields,
                                     CSSM_DATA_PTR *Value)
{
	return CSSM_CL_CrlGetFirstCachedFieldValue(CLHandle,
		CrlHandle,
        NULL,		// const CSSM_DATA *CrlRecordIndex,
		CrlField,
		ResultsHandle,
		NumberOfMatchedFields,
		Value);
}

static const TPClItemCalls tpCrlClCalls =
{
	tpGetFirstCachedFieldValue,
	CSSM_CL_CrlAbortQuery,
	CSSM_CL_CrlCache,
	CSSM_CL_CrlAbortCache,
	CSSM_CL_CrlVerify,
	&CSSMOID_X509V1CRLThisUpdate,
	&CSSMOID_X509V1CRLNextUpdate,
	CSSMERR_TP_INVALID_CRL_POINTER,
	CSSMERR_APPLETP_CRL_EXPIRED,
	CSSMERR_APPLETP_CRL_NOT_VALID_YET
};


/*
 * No default constructor - this is the only way.
 * This caches the cert and fetches subjectName and issuerName
 * to ensure the incoming certData is well-constructed.
 */
TPCrlInfo::TPCrlInfo(
	CSSM_CL_HANDLE		clHand,
	CSSM_CSP_HANDLE		cspHand,
	const CSSM_DATA		*crlData,
	TPItemCopy			copyCrlData,		// true: we copy, we free
											// false - caller owns
	const char 			*verifyTime)		// = NULL

	: TPClItemInfo(clHand, cspHand, tpCrlClCalls, crlData,
			copyCrlData, verifyTime),
		mRefCount(0),
		mFromWhere(CFW_Nowhere),
		mX509Crl(NULL),
		mCrlFieldToFree(NULL),
		mVerifyState(CVS_Unknown),
		mVerifyError(CSSMERR_TP_INTERNAL_ERROR)
{
	CSSM_RETURN	crtn;

	mUri.Data = NULL;
	mUri.Length = 0;

	/* fetch parsed CRL */
	crtn = fetchField(&CSSMOID_X509V2CRLSignedCrlCStruct, &mCrlFieldToFree);
	if(crtn) {
		/* bad CRL */
		releaseResources();
		CssmError::throwMe(crtn);
	}
	if(mCrlFieldToFree->Length != sizeof(CSSM_X509_SIGNED_CRL)) {
		tpErrorLog("fetchField(SignedCrlCStruct) length error\n");
		releaseResources();
		CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
	}
	mX509Crl = (CSSM_X509_SIGNED_CRL *)mCrlFieldToFree->Data;
	/* any other other commonly used fields? */
}

TPCrlInfo::~TPCrlInfo()
{
	releaseResources();
}

void TPCrlInfo::releaseResources()
{
	if(mCrlFieldToFree) {
		freeField(&CSSMOID_X509V2CRLSignedCrlCStruct, mCrlFieldToFree);
		mCrlFieldToFree = NULL;
	}
	if(mUri.Data) {
		Allocator::standard().free(mUri.Data);
		mUri.Data = NULL;
		mUri.Length = 0;
	}
	TPClItemInfo::releaseResources();
}

void TPCrlInfo::uri(const CSSM_DATA &uri)
{
	tpCopyCssmData(Allocator::standard(), &uri, &mUri);
}

/*
 * List of extensions we understand and can accept as critical.
 */
static const CSSM_OID *const TPGoodCrlExtens[] =
{
	&CSSMOID_CrlNumber,
	/* Note NOT CSSMOID_DeltaCrlIndicator! That's fatal */
	&CSSMOID_CrlReason,
	&CSSMOID_CertIssuer,
	&CSSMOID_IssuingDistributionPoint,
	&CSSMOID_HoldInstructionCode,
	&CSSMOID_InvalidityDate,
	&CSSMOID_AuthorityKeyIdentifier,
	&CSSMOID_SubjectAltName,
	&CSSMOID_IssuerAltName
};

#define NUM_KNOWN_EXTENS (sizeof(TPGoodCrlExtens) / sizeof(CSSM_OID_PTR))

/*
 * Do our best to understand all the entries in a CSSM_X509_EXTENSIONS,
 * which may be per-CRL or per-entry.
 *
 * For now, we just ensure that for every critical extension,
 * we actually understand it and can deal it.
 */
CSSM_RETURN TPCrlInfo::parseExtensions(
	TPVerifyContext				&vfyCtx,
	bool						isPerEntry,
	uint32						entryIndex,		// if isPerEntry
	const CSSM_X509_EXTENSIONS	&extens,
	TPCertInfo					*forCert,		// optional
	bool						&isIndirectCrl)	// RETURNED
{
	isIndirectCrl = false;
	for(uint32 dex=0; dex<extens.numberOfExtensions; dex++) {
		CSSM_X509_EXTENSION_PTR exten = &extens.extensions[dex];
		if(exten->critical) {
			/* critical: is it in our list of understood extensions? */
			unsigned i;
			for(i=0; i<NUM_KNOWN_EXTENS; i++) {
				if(tpCompareOids(&exten->extnId, TPGoodCrlExtens[i])) {
					/* we're cool with this one */
					break;
				}
			}
			if(i == NUM_KNOWN_EXTENS) {
				tpCrlDebug("parseExtensions: Unknown Critical Extension\n");
				return CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN;
			}
		}

		/* Specific extension handling. */
		if(tpCompareOids(&exten->extnId,
				&CSSMOID_IssuingDistributionPoint)) {
			/*
			 * If this assertion fails, we're out of sync with the CL
			 */
			assert(exten->format == CSSM_X509_DATAFORMAT_PARSED);
			CE_IssuingDistributionPoint *idp =
				(CE_IssuingDistributionPoint *)
					exten->value.parsedValue;

			/*
			 * Snag indirectCrl flag for caller in any case
			 */
			if(idp->indirectCrlPresent && idp->indirectCrl) {
				isIndirectCrl = true;
			}
			if(forCert != NULL) {
				/* If no target cert, i.e., we're just verifying a CRL,
				 * skip the remaining IDP checks. */

				/* verify onlyCACerts/onlyUserCerts */
				bool isUserCert;
				if(forCert->isLeaf() &&
					!(vfyCtx.actionFlags & CSSM_TP_ACTION_LEAF_IS_CA)) {
						isUserCert = true;
				}
				else {
					isUserCert = false;
				}
				if((idp->onlyUserCertsPresent) && (idp->onlyUserCerts)) {
					if(!isUserCert) {
						tpCrlDebug("parseExtensions: onlyUserCerts, "
							"!leaf\n");
						return CSSMERR_APPLETP_IDP_FAIL;
					}
				}
				if((idp->onlyCACertsPresent) && (idp->onlyCACerts)) {
					if(isUserCert) {
						tpCrlDebug("parseExtensions: onlyCACerts, leaf\n");
						return CSSMERR_APPLETP_IDP_FAIL;
					}
				}

                /* Verify DistributionPointName matches cRLDistributionPoints
                 * in cert.
                 */
                if(idp->distPointName) {
                    CSSM_DATA_PTR certDistPoints;
                    CSSM_RETURN crtn = forCert->fetchField(&CSSMOID_CrlDistributionPoints, &certDistPoints);
                    switch(crtn) {
                        case CSSM_OK:
                            break;
                        case CSSMERR_CL_NO_FIELD_VALUES:
                            return CSSM_OK;
                        default:
                            return crtn;
                    }
                    if (certDistPoints->Length != sizeof(CSSM_X509_EXTENSION)) {
                        forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                        return CSSMERR_TP_UNKNOWN_FORMAT;
                    }
                    CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)certDistPoints->Data;
                    if (cssmExt == NULL) {
                        forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                        return CSSMERR_TP_UNKNOWN_FORMAT;
                    }
                    CE_CRLDistPointsSyntax *dps = (CE_CRLDistPointsSyntax *)cssmExt->value.parsedValue;
                    if (dps == NULL) {
                        forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                        return CSSMERR_TP_UNKNOWN_FORMAT;
                    }
                    if (!dps->numDistPoints) {
                        /* no distribution points in the cert extension */
                        forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                        return CSSM_OK;
                    }

                    /* Loop over the cRLDistributionPoints in the cert. */
                    CSSM_BOOL sameType = CSSM_FALSE;
                    CSSM_BOOL found = CSSM_FALSE;
                    for (unsigned dex=0; dex<dps->numDistPoints; dex++) {
                        CE_CRLDistributionPoint *dp = &dps->distPoints[dex];
                        if (dp->distPointName == NULL) {
                            continue;
                        }
                        if (idp->distPointName->nameType != dp->distPointName->nameType) {
                            /* Not the same name type; move on. */
                            continue;
                        }
                        sameType = CSSM_TRUE;
                        switch (dp->distPointName->nameType) {
                            case CE_CDNT_NameRelativeToCrlIssuer: {
                                if (true) {
                                    /* RDN code below is not tested, so we won't use it.
                                     * Defaulting to prior behavior of accepting without testing.
                                     */
                                    found = CSSM_TRUE;
                                    tpErrorLog("parseExtensions: "
                                               "CE_CDNT_NameRelativeToCrlIssuer not implemented\n");
                                    break;
                                }
#if 0
                                /* relativeName is a RDN sequence */
                                CSSM_X509_RDN_PTR idpName = idp->distPointName->dpn.rdn;
                                CSSM_X509_RDN_PTR certName = dp->distPointName->dpn.rdn;
                                if (idpName == NULL || certName == NULL || idpName->numberOfPairs != certName->numberOfPairs) {
                                    /* They don't have the same number of attribute/value pairs; move on. */
                                    continue;
                                }
                                unsigned nDex;
                                for (nDex=0; nDex<idpName->numberOfPairs; nDex++) {
                                    CSSM_X509_TYPE_VALUE_PAIR_PTR iPair = idpName->AttributeTypeAndValue;
                                    CSSM_X509_TYPE_VALUE_PAIR_PTR cPair = certName->AttributeTypeAndValue;
                                    if (!tpCompareCssmData(&iPair->type, &cPair->type) ||
                                        !tpCompareCssmData(&iPair->value, &cPair->value)) {
                                        break;
                                    }
                                }
                                if (nDex==idpName->numberOfPairs) {
                                    /* All the pairs matched. */
                                    found = CSSM_TRUE;
                                }
#endif
                            }
                            case CE_CDNT_FullName: {
                                /* fullName is a GeneralNames sequence */
                                CE_GeneralNames *idpNames = idp->distPointName->dpn.fullName;
                                CE_GeneralNames *certNames = dp->distPointName->dpn.fullName;
                                if (idpNames == NULL || certNames == NULL || idpNames->numNames != certNames->numNames) {
                                    /* They don't have the same number of names; move on. */
                                    continue;
                                }
                                unsigned nDex;
                                for (nDex=0; nDex<idpNames->numNames; nDex++) {
                                    CE_GeneralName *idpName = &idpNames->generalName[nDex];
                                    CE_GeneralName *certName = &certNames->generalName[nDex];
                                    if ((idpName->nameType != certName->nameType) ||
                                        (!tpCompareCssmData(&idpName->name, &certName->name))) {
                                            break;
                                    }
                                }
                                if (nDex==idpNames->numNames) {
                                    /* All the names matched. */
                                    found = CSSM_TRUE;
                                }
                                break;
                            }
                            default: {
                                forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                                return CSSMERR_TP_UNKNOWN_FORMAT;
                            }
                        }
                        if (found) {
                            break; /* out of loop over crlDistribtionPoints in cert. */
                        }
                    }
                    forCert->freeField(&CSSMOID_CrlDistributionPoints, certDistPoints);
                    if(sameType && !found) {
                        return CSSMERR_APPLETP_IDP_FAIL;
                    }
                } /* distPointName check */
			}	/* IDP */
		} 		/* have target cert */
	}

	return CSSM_OK;
}

/*
 * The heavyweight "perform full verification of this CRL" op.
 * Must verify to an anchor cert in tpVerifyContext or via
 * Trust Settings if so enabled.
 * Intermediate certs can come from signerCerts or dBList.
 */
CSSM_RETURN TPCrlInfo::verifyWithContext(
	TPVerifyContext			&tpVerifyContext,
	TPCertInfo				*forCert,		// optional
	bool					doCrlVerify)
{
	/*
	 * Step 1: this CRL must be current. Caller might have re-evaluated
	 * expired/notValidYet since our construction via calculateCurrent().
	 */
	if(isExpired()) {
		return CSSMERR_APPLETP_CRL_EXPIRED;
	}
	if(isNotValidYet()) {
		return CSSMERR_APPLETP_CRL_NOT_VALID_YET;
	}

	/* subsequent verify state is cached */
	switch(mVerifyState) {
		case CVS_Good:
			return CSSM_OK;
		case CVS_Bad:
			return mVerifyError;
		case CVS_Unknown:
			break;
		default:
			tpErrorLog("verifyWithContext: bad verifyState\n");
			return CSSMERR_TP_INTERNAL_ERROR;
	}

	/*
	 * Step 2: parse & understand all critical CRL extensions.
	 */
	CSSM_RETURN crtn;
	bool isIndirectCrl;
	crtn = parseExtensions(tpVerifyContext,
		false,
		0,
		mX509Crl->tbsCertList.extensions,
		forCert,
		isIndirectCrl);
	if(crtn) {
		mVerifyState = CVS_Bad;
		if(!forCert || forCert->addStatusCode(crtn)) {
			return crtn;
		}
		/* else continue */
	}
	CSSM_X509_REVOKED_CERT_LIST_PTR revoked =
			mX509Crl->tbsCertList.revokedCertificates;
	if(revoked != NULL) {
		for(uint32 dex=0; dex<revoked->numberOfRevokedCertEntries; dex++) {
			bool dummyIsIndirect;	// can't be set here
			crtn = parseExtensions(tpVerifyContext,
				true,
				dex,
				revoked->revokedCertEntry[dex].extensions,
				forCert,
				dummyIsIndirect);
			if(crtn) {
				if(!forCert || forCert->addStatusCode(crtn)) {
					mVerifyState = CVS_Bad;
					return crtn;
				}
			}
		}
	}

	/*
	 * Step 3: obtain a fully verified cert chain which verifies this CRL.
	 */
	CSSM_BOOL	verifiedToRoot;
	CSSM_BOOL	verifiedToAnchor;
	CSSM_BOOL	verifiedViaTrustSetting;

	TPCertGroup outCertGroup(tpVerifyContext.alloc,
		TGO_Caller);			// CRLs owned by inCertGroup

	/* set up for disposal of TPCertInfos created by
	 * CertGroupConstructPriv */
	TPCertGroup	certsToBeFreed(tpVerifyContext.alloc, TGO_Group);

	if(tpVerifyContext.signerCerts) {
		/* start from scratch with this group */
		tpVerifyContext.signerCerts->setAllUnused();
	}
	crtn = outCertGroup.buildCertGroup(
			*this,							// subject item
			tpVerifyContext.signerCerts,	// inCertGroup, optional
			tpVerifyContext.dbList,			// optional
			tpVerifyContext.clHand,
			tpVerifyContext.cspHand,
			tpVerifyContext.verifyTime,
			tpVerifyContext.numAnchorCerts,
			tpVerifyContext.anchorCerts,
			certsToBeFreed,
			&tpVerifyContext.gatheredCerts,
			CSSM_FALSE,						// subjectIsInGroup
			tpVerifyContext.actionFlags,
			tpVerifyContext.policyOid,
			tpVerifyContext.policyStr,
			tpVerifyContext.policyStrLen,
			kSecTrustSettingsKeyUseSignRevocation,
			verifiedToRoot,
			verifiedToAnchor,
			verifiedViaTrustSetting);
	/* subsequent errors to errOut: */

	if(crtn) {
		tpCrlDebug("TPCrlInfo::verifyWithContext buildCertGroup failure "
			"index %u",	index());
		if(!forCert || forCert->addStatusCode(crtn)) {
			goto errOut;
		}
	}
	if (verifiedToRoot && (tpVerifyContext.actionFlags & CSSM_TP_ACTION_IMPLICIT_ANCHORS))
		verifiedToAnchor = CSSM_TRUE;
	if(!verifiedToAnchor && !verifiedViaTrustSetting) {
		/* required */
		if(verifiedToRoot) {
			/* verified to root which is not an anchor */
			tpCrlDebug("TPCrlInfo::verifyWithContext root, no anchor, "
				"index %u",	index());
			crtn = CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT;
		}
		else {
			/* partial chain, no root, not verifiable by anchor */
			tpCrlDebug("TPCrlInfo::verifyWithContext no root, no anchor, "
				"index %u",	index());
			crtn = CSSMERR_APPLETP_CRL_NOT_TRUSTED;
		}
		if(!forCert || forCert->addStatusCode(crtn)) {
			mVerifyState = CVS_Bad;
			goto errOut;
		}
	}

	/*
	 * Step 4: policy verification on the returned cert group
	 * We need to (temporarily) assert the "leaf cert is a CA" flag
	 * here.
	 */
	outCertGroup.certAtIndex(0)->isLeaf(true);
	crtn = tp_policyVerify(kCrlPolicy,
		tpVerifyContext.alloc,
		tpVerifyContext.clHand,
		tpVerifyContext.cspHand,
		&outCertGroup,
		verifiedToRoot,
		verifiedViaTrustSetting,
		tpVerifyContext.actionFlags | CSSM_TP_ACTION_LEAF_IS_CA,
		NULL,							// sslOpts
		NULL);							// policyOpts, not currently used
	if(crtn) {
		tpCrlDebug("   ...verifyWithContext policy FAILURE CRL %u",
			index());
		if(!forCert || forCert->addStatusCode(CSSMERR_APPLETP_CRL_POLICY_FAIL)) {
			mVerifyState = CVS_Bad;
			goto errOut;
		}
	}

	/*
	 * Step 5: recursively perform CRL verification on the certs
	 * gathered to verify this CRL.
	 * Only performed if this CRL is an indirect CRL or the caller
	 * explicitly told us to do this (i.e., caller is verifying a
	 * CRL, not a cert chain).
	 */
	if(isIndirectCrl || doCrlVerify) {
		tpCrlDebug("verifyWithContext recursing to "
			"tpVerifyCertGroupWithCrls");
		crtn = tpVerifyCertGroupWithCrls(tpVerifyContext,
			outCertGroup);
		if(crtn) {
			tpCrlDebug("   ...verifyWithContext CRL reverify FAILURE CRL %u",
				index());
			if(!forCert || forCert->addStatusCode(crtn)) {
				mVerifyState = CVS_Bad;
				goto errOut;
			}
		}
	}

	tpCrlDebug("   ...verifyWithContext CRL %u SUCCESS", index());
	mVerifyState = CVS_Good;
errOut:
	/* we own these, we free the DB records */
	certsToBeFreed.freeDbRecords();
	return crtn;
}

/*
 * Wrapper for verifyWithContext for use when evaluating a CRL
 * "now" instead of at the time in TPVerifyContext.verifyTime.
 * In this case, on entry, TPVerifyContext.verifyTime is the
 * time at which a cert is being evaluated.
 */
CSSM_RETURN TPCrlInfo::verifyWithContextNow(
	TPVerifyContext		&tpVerifyContext,
	TPCertInfo			*forCert,			// optional
	bool				doCrlVerify)
{
	CSSM_TIMESTRING ctxTime = tpVerifyContext.verifyTime;
	CSSM_RETURN crtn = verifyWithContext(tpVerifyContext, forCert, doCrlVerify);
	tpVerifyContext.verifyTime = ctxTime;
	return crtn;
}

/*
 * Do I have the same issuer as the specified subject cert? Returns
 * true if so.
 */
bool TPCrlInfo::hasSameIssuer(
	const TPCertInfo	&subject)
{
	assert(subject.issuerName() != NULL);
	if(tpCompareCssmData(issuerName(), subject.issuerName())) {
		return true;
	}
	else {
		return false;
	}
}

/*
 * Determine if specified cert has been revoked as of the
 * provided time; a NULL timestring indicates "now".
 *
 * Assumes current CRL is verified good and that issuer names of
 * the cert and CRL match.
 *
 * This duplicates similar logic in the CL, but to avoid re-parsing
 * the subject cert (which we have parsed and cached), we just do it
 * here.
 *
 * Possible errors are
 *	CSSMERR_TP_CERT_REVOKED
 * 	CSSMERR_TP_CERT_SUSPENDED
 *  TBD
 *
 * Error status is added to subjectCert.
 */
CSSM_RETURN TPCrlInfo::isCertRevoked(
	TPCertInfo &subjectCert,
	CSSM_TIMESTRING verifyTime)
{
	assert(mVerifyState == CVS_Good);
	CSSM_X509_TBS_CERTLIST_PTR tbs = &mX509Crl->tbsCertList;

	/* trivial case - empty CRL */
	if((tbs->revokedCertificates == NULL) ||
	   (tbs->revokedCertificates->numberOfRevokedCertEntries == 0)) {
	   tpCrlDebug("   isCertRevoked: empty CRL at index %u", index());
	   return CSSM_OK;
	}

	/* is subject cert's serial number in this CRL? */
	CSSM_DATA_PTR subjSerial = NULL;
	CSSM_RETURN crtn;
	crtn = subjectCert.fetchField(&CSSMOID_X509V1SerialNumber, &subjSerial);
	if(crtn) {
		/* should never happen */
		tpErrorLog("TPCrlInfo:isCertRevoked: error fetching serial number\n");
		if(subjectCert.addStatusCode(crtn)) {
			return crtn;
		}
		else {
			/* allowed error - can't proceed; punt with success */
			return CSSM_OK;
		}
	}
	/* subsequent errors to errOut: */

	uint32 numEntries = tbs->revokedCertificates->numberOfRevokedCertEntries;
	CSSM_X509_REVOKED_CERT_ENTRY_PTR entries =
		tbs->revokedCertificates->revokedCertEntry;
	crtn = CSSM_OK;
	CFDateRef cfRevokedTime = NULL;
	CFDateRef cfVerifyTime = NULL;

	for(uint32 dex=0; dex<numEntries; dex++) {
		CSSM_X509_REVOKED_CERT_ENTRY_PTR entry = &entries[dex];
		if(tpCompareCssmData(subjSerial, &entry->certificateSerialNumber)) {
			/*
			 * It's in there. Compare revocation time in the CRL to
			 * our caller-specified verifyTime.
			 */
			CSSM_X509_TIME_PTR xTime = &entry->revocationDate;
			int rtn;
			rtn = timeStringToCfDate((char *)xTime->time.Data, (unsigned)xTime->time.Length,
				&cfRevokedTime);
			if(rtn) {
				tpErrorLog("fetchNotBeforeAfter: malformed revocationDate\n");
			}
			else {
				if(verifyTime != NULL) {
					rtn = timeStringToCfDate((char *)verifyTime, (unsigned)strlen(verifyTime),
											 &cfVerifyTime);
				}
				else {
					/* verify right now */
					cfVerifyTime = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent());
				}
				if((rtn == 0) && cfVerifyTime != NULL) {
					CFComparisonResult res = CFDateCompare(cfVerifyTime, cfRevokedTime, NULL);
					if(res == kCFCompareLessThan) {
						/* cfVerifyTime < cfRevokedTime; I guess this one's OK */
						tpCrlDebug("   isCertRevoked: cert %u NOT YET REVOKED by CRL %u",
								   subjectCert.index(), index());
						break;
					}
				}
			}

			/*
			 * REQUIRED TBD: parse the entry's extensions, specifically to
			 * get a reason. This will entail a bunch of new TP/cert specific
			 * CSSM_RETURNS.
			 * For now, just flag it revoked.
			 */
			crtn = CSSMERR_TP_CERT_REVOKED;
			subjectCert.crlReason(1);
			tpCrlDebug("   isCertRevoked: cert %u REVOKED by CRL %u",
				subjectCert.index(), index());
			break;
		}
	}

	subjectCert.freeField(&CSSMOID_X509V1SerialNumber, subjSerial);

    CFReleaseNull(cfRevokedTime);
    CFReleaseNull(cfVerifyTime);

	if(crtn && !subjectCert.addStatusCode(crtn)) {
		return CSSM_OK;
	}
	return crtn;
}

/***
 *** TPCrlGroup class
 ***/

/* build empty group */
TPCrlGroup::TPCrlGroup(
	Allocator			&alloc,
	TPGroupOwner		whoOwns) :
		mAlloc(alloc),
		mCrlInfo(NULL),
		mNumCrls(0),
		mSizeofCrlInfo(0),
		mWhoOwns(whoOwns)
{
	/* nothing for now */
}

/*
 * Construct from unordered, untrusted CSSM_CRLGROUP. Resulting
 * TPCrlInfos are more or less in the same order as the incoming
 * CRLs, though incoming CRLs are discarded if they don't parse.
 * No verification of any sort is performed.
 */
TPCrlGroup::TPCrlGroup(
	const CSSM_CRLGROUP 	*cssmCrlGroup,			// optional
	CSSM_CL_HANDLE 			clHand,
	CSSM_CSP_HANDLE 		cspHand,
	Allocator				&alloc,
	const char				*verifyTime,			// may be NULL
	TPGroupOwner			whoOwns) :
		mAlloc(alloc),
		mCrlInfo(NULL),
		mNumCrls(0),
		mSizeofCrlInfo(0),
		mWhoOwns(whoOwns)
{
	/* verify input args */
	if((cssmCrlGroup == NULL) || (cssmCrlGroup->NumberOfCrls == 0)) {
		return;
	}
	if(cspHand == CSSM_INVALID_HANDLE) {
		CssmError::throwMe(CSSMERR_TP_INVALID_CSP_HANDLE);
	}
	if(clHand == CSSM_INVALID_HANDLE)	{
		CssmError::throwMe(CSSMERR_TP_INVALID_CL_HANDLE);
	}
	if(cssmCrlGroup->CrlGroupType != CSSM_CRLGROUP_DATA) {
		CssmError::throwMe(CSSMERR_TP_INVALID_CERTGROUP);
	}
	switch(cssmCrlGroup->CrlType) {
		case CSSM_CRL_TYPE_X_509v1:
		case CSSM_CRL_TYPE_X_509v2:
			break;
		default:
			CssmError::throwMe(CSSMERR_TP_UNKNOWN_FORMAT);
	}
	switch(cssmCrlGroup->CrlEncoding) {
		case CSSM_CRL_ENCODING_BER:
		case CSSM_CRL_ENCODING_DER:
			break;
		default:
			CssmError::throwMe(CSSMERR_TP_UNKNOWN_FORMAT);
	}

	/*
	 * Add remaining input certs to mCrlInfo.
	 */
	TPCrlInfo *crlInfo = NULL;
	for(unsigned crlDex=0; crlDex<cssmCrlGroup->NumberOfCrls; crlDex++) {
		try {
			crlInfo = new TPCrlInfo(clHand,
				cspHand,
				&cssmCrlGroup->GroupCrlList.CrlList[crlDex],
				TIC_NoCopy,			// don't copy data
				verifyTime);
		}
		catch (...) {
			/* just ignore this CRL */
			continue;
		}
		crlInfo->index(crlDex);
		appendCrl(*crlInfo);
	}
}

/*
 * Deletes all TPCrlInfo's if appropriate.
 */
TPCrlGroup::~TPCrlGroup()
{
	if(mWhoOwns == TGO_Group) {
		unsigned i;
		for(i=0; i<mNumCrls; i++) {
			delete mCrlInfo[i];
		}
	}
	mAlloc.free(mCrlInfo);
}

/* add/remove/access TPTCrlInfo's. */
/*
 * NOTE: I am aware that most folks would just use an array<> here, but
 * gdb is so lame that it doesn't even let one examine the contents
 * of an array<> (or just about anything else in the STL). I prefer
 * debuggability over saving a few lines of trivial code.
 */
void TPCrlGroup::appendCrl(
	TPCrlInfo			&crlInfo)
{
	if(mNumCrls == mSizeofCrlInfo) {
		if(mSizeofCrlInfo == 0) {
			/* appending to empty array */
			mSizeofCrlInfo = 1;
		}
		else {
			mSizeofCrlInfo *= 2;
		}
		mCrlInfo = (TPCrlInfo **)mAlloc.realloc(mCrlInfo,
			mSizeofCrlInfo * sizeof(TPCrlInfo *));
	}
	mCrlInfo[mNumCrls++] = &crlInfo;
}

TPCrlInfo *TPCrlGroup::crlAtIndex(
	unsigned			index)
{
	if(index > (mNumCrls - 1)) {
		CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
	}
	return mCrlInfo[index];
}

TPCrlInfo &TPCrlGroup::removeCrlAtIndex(
	unsigned			index)				// doesn't delete the cert, just
											// removes it from our list
{
	if(index > (mNumCrls - 1)) {
		CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
	}
	TPCrlInfo &rtn = *mCrlInfo[index];

	/* removed requested element and compact remaining array */
	unsigned i;
	for(i=index; i<(mNumCrls - 1); i++) {
		mCrlInfo[i] = mCrlInfo[i+1];
	}
	mNumCrls--;
	return rtn;
}

void TPCrlGroup::removeCrl(
	TPCrlInfo			&crlInfo)
{
	for(unsigned dex=0; dex<mNumCrls; dex++) {
		if(mCrlInfo[dex] == &crlInfo) {
			removeCrlAtIndex(dex);
			return;
		}
	}
	tpErrorLog("TPCrlGroup::removeCrl: CRL NOT FOUND\n");
	assert(0);
}

TPCrlInfo *TPCrlGroup::firstCrl()
{
	if(mNumCrls == 0) {
		/* the caller really should not do this... */
		CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
	}
	else {
		return mCrlInfo[0];
	}
}

TPCrlInfo *TPCrlGroup::lastCrl()
{
	if(mNumCrls == 0) {
		/* the caller really should not do this... */
		CssmError::throwMe(CSSMERR_TP_INTERNAL_ERROR);
	}
	else {
		return mCrlInfo[mNumCrls - 1];
	}
}

	/*
	 * Find a CRL whose issuer matches specified subject cert.
	 * Returned CRL has not necessarily been verified.
	 */
TPCrlInfo *TPCrlGroup::findCrlForCert(
		TPCertInfo			&subject)
{
	for(unsigned dex=0; dex<mNumCrls; dex++) {
		TPCrlInfo *crl = mCrlInfo[dex];
		if(crl->hasSameIssuer(subject)) {
			return crl;
		}
	}
	return NULL;
}