2 * X.509 Certidicate Revocation List (CRL) parsing
\r
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
\r
5 * SPDX-License-Identifier: Apache-2.0
\r
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
\r
8 * not use this file except in compliance with the License.
\r
9 * You may obtain a copy of the License at
\r
11 * http://www.apache.org/licenses/LICENSE-2.0
\r
13 * Unless required by applicable law or agreed to in writing, software
\r
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
\r
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
16 * See the License for the specific language governing permissions and
\r
17 * limitations under the License.
\r
19 * This file is part of mbed TLS (https://tls.mbed.org)
\r
22 * The ITU-T X.509 standard defines a certificate format for PKI.
\r
24 * http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
\r
25 * http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
\r
26 * http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
\r
28 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
\r
29 * http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
\r
32 #if !defined(MBEDTLS_CONFIG_FILE)
\r
33 #include "mbedtls/config.h"
\r
35 #include MBEDTLS_CONFIG_FILE
\r
38 #if defined(MBEDTLS_X509_CRL_PARSE_C)
\r
40 #include "mbedtls/x509_crl.h"
\r
41 #include "mbedtls/oid.h"
\r
42 #include "mbedtls/platform_util.h"
\r
46 #if defined(MBEDTLS_PEM_PARSE_C)
\r
47 #include "mbedtls/pem.h"
\r
50 #if defined(MBEDTLS_PLATFORM_C)
\r
51 #include "mbedtls/platform.h"
\r
55 #define mbedtls_free free
\r
56 #define mbedtls_calloc calloc
\r
57 #define mbedtls_snprintf snprintf
\r
60 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
\r
61 #include <windows.h>
\r
66 #if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
\r
71 * Version ::= INTEGER { v1(0), v2(1) }
\r
73 static int x509_crl_get_version( unsigned char **p,
\r
74 const unsigned char *end,
\r
79 if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
\r
81 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
\r
87 return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
\r
94 * X.509 CRL v2 extensions
\r
96 * We currently don't parse any extension's content, but we do check that the
\r
97 * list of extensions is well-formed and abort on critical extensions (that
\r
98 * are unsupported as we don't support any extension so far)
\r
100 static int x509_get_crl_ext( unsigned char **p,
\r
101 const unsigned char *end,
\r
102 mbedtls_x509_buf *ext )
\r
107 * crlExtensions [0] EXPLICIT Extensions OPTIONAL
\r
108 * -- if present, version MUST be v2
\r
110 if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
\r
112 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
\r
121 * Extension ::= SEQUENCE {
\r
122 * extnID OBJECT IDENTIFIER,
\r
123 * critical BOOLEAN DEFAULT FALSE,
\r
124 * extnValue OCTET STRING }
\r
126 int is_critical = 0;
\r
127 const unsigned char *end_ext_data;
\r
130 /* Get enclosing sequence tag */
\r
131 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
\r
132 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
133 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
135 end_ext_data = *p + len;
\r
137 /* Get OID (currently ignored) */
\r
138 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
\r
139 MBEDTLS_ASN1_OID ) ) != 0 )
\r
141 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
145 /* Get optional critical */
\r
146 if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
\r
147 &is_critical ) ) != 0 &&
\r
148 ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
\r
150 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
153 /* Data should be octet string type */
\r
154 if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
\r
155 MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
\r
156 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
158 /* Ignore data so far and just check its length */
\r
160 if( *p != end_ext_data )
\r
161 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
\r
162 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
164 /* Abort on (unsupported) critical extensions */
\r
166 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
\r
167 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
\r
171 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
\r
172 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
178 * X.509 CRL v2 entry extensions (no extensions parsed yet.)
\r
180 static int x509_get_crl_entry_ext( unsigned char **p,
\r
181 const unsigned char *end,
\r
182 mbedtls_x509_buf *ext )
\r
195 * Get CRL-entry extension sequence header
\r
196 * crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
\r
198 if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
\r
199 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
201 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
\r
206 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
209 end = *p + ext->len;
\r
211 if( end != *p + ext->len )
\r
212 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
\r
213 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
217 if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
\r
218 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
219 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
\r
225 return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
\r
226 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
232 * X.509 CRL Entries
\r
234 static int x509_get_entries( unsigned char **p,
\r
235 const unsigned char *end,
\r
236 mbedtls_x509_crl_entry *entry )
\r
240 mbedtls_x509_crl_entry *cur_entry = entry;
\r
245 if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
\r
246 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
\r
248 if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
\r
254 end = *p + entry_len;
\r
259 const unsigned char *end2;
\r
261 if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
\r
262 MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
\r
267 cur_entry->raw.tag = **p;
\r
268 cur_entry->raw.p = *p;
\r
269 cur_entry->raw.len = len2;
\r
272 if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
\r
275 if( ( ret = mbedtls_x509_get_time( p, end2,
\r
276 &cur_entry->revocation_date ) ) != 0 )
\r
279 if( ( ret = x509_get_crl_entry_ext( p, end2,
\r
280 &cur_entry->entry_ext ) ) != 0 )
\r
285 cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
\r
287 if( cur_entry->next == NULL )
\r
288 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
\r
290 cur_entry = cur_entry->next;
\r
298 * Parse one CRLs in DER format and append it to the chained list
\r
300 int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
\r
301 const unsigned char *buf, size_t buflen )
\r
305 unsigned char *p = NULL, *end = NULL;
\r
306 mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
\r
307 mbedtls_x509_crl *crl = chain;
\r
310 * Check for valid input
\r
312 if( crl == NULL || buf == NULL )
\r
313 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
\r
315 memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
\r
316 memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
\r
317 memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
\r
320 * Add new CRL on the end of the chain if needed.
\r
322 while( crl->version != 0 && crl->next != NULL )
\r
325 if( crl->version != 0 && crl->next == NULL )
\r
327 crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
\r
329 if( crl->next == NULL )
\r
331 mbedtls_x509_crl_free( crl );
\r
332 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
\r
335 mbedtls_x509_crl_init( crl->next );
\r
340 * Copy raw DER-encoded CRL
\r
343 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
\r
345 p = mbedtls_calloc( 1, buflen );
\r
347 return( MBEDTLS_ERR_X509_ALLOC_FAILED );
\r
349 memcpy( p, buf, buflen );
\r
352 crl->raw.len = buflen;
\r
357 * CertificateList ::= SEQUENCE {
\r
358 * tbsCertList TBSCertList,
\r
359 * signatureAlgorithm AlgorithmIdentifier,
\r
360 * signatureValue BIT STRING }
\r
362 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
\r
363 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
365 mbedtls_x509_crl_free( crl );
\r
366 return( MBEDTLS_ERR_X509_INVALID_FORMAT );
\r
369 if( len != (size_t) ( end - p ) )
\r
371 mbedtls_x509_crl_free( crl );
\r
372 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
\r
373 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
377 * TBSCertList ::= SEQUENCE {
\r
381 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
\r
382 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
384 mbedtls_x509_crl_free( crl );
\r
385 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
\r
389 crl->tbs.len = end - crl->tbs.p;
\r
392 * Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
\r
393 * -- if present, MUST be v2
\r
395 * signature AlgorithmIdentifier
\r
397 if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
\r
398 ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
\r
400 mbedtls_x509_crl_free( crl );
\r
404 if( crl->version < 0 || crl->version > 1 )
\r
406 mbedtls_x509_crl_free( crl );
\r
407 return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
\r
412 if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
\r
413 &crl->sig_md, &crl->sig_pk,
\r
414 &crl->sig_opts ) ) != 0 )
\r
416 mbedtls_x509_crl_free( crl );
\r
417 return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
\r
423 crl->issuer_raw.p = p;
\r
425 if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
\r
426 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
\r
428 mbedtls_x509_crl_free( crl );
\r
429 return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
\r
432 if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
\r
434 mbedtls_x509_crl_free( crl );
\r
438 crl->issuer_raw.len = p - crl->issuer_raw.p;
\r
442 * nextUpdate Time OPTIONAL
\r
444 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
\r
446 mbedtls_x509_crl_free( crl );
\r
450 if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
\r
452 if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
\r
453 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
\r
454 ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
\r
455 MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
\r
457 mbedtls_x509_crl_free( crl );
\r
463 * revokedCertificates SEQUENCE OF SEQUENCE {
\r
464 * userCertificate CertificateSerialNumber,
\r
465 * revocationDate Time,
\r
466 * crlEntryExtensions Extensions OPTIONAL
\r
467 * -- if present, MUST be v2
\r
470 if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
\r
472 mbedtls_x509_crl_free( crl );
\r
477 * crlExtensions EXPLICIT Extensions OPTIONAL
\r
478 * -- if present, MUST be v2
\r
480 if( crl->version == 2 )
\r
482 ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
\r
486 mbedtls_x509_crl_free( crl );
\r
493 mbedtls_x509_crl_free( crl );
\r
494 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
\r
495 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
498 end = crl->raw.p + crl->raw.len;
\r
501 * signatureAlgorithm AlgorithmIdentifier,
\r
502 * signatureValue BIT STRING
\r
504 if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
\r
506 mbedtls_x509_crl_free( crl );
\r
510 if( crl->sig_oid.len != sig_oid2.len ||
\r
511 memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
\r
512 sig_params1.len != sig_params2.len ||
\r
513 ( sig_params1.len != 0 &&
\r
514 memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
\r
516 mbedtls_x509_crl_free( crl );
\r
517 return( MBEDTLS_ERR_X509_SIG_MISMATCH );
\r
520 if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
\r
522 mbedtls_x509_crl_free( crl );
\r
528 mbedtls_x509_crl_free( crl );
\r
529 return( MBEDTLS_ERR_X509_INVALID_FORMAT +
\r
530 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
\r
537 * Parse one or more CRLs and add them to the chained list
\r
539 int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
\r
541 #if defined(MBEDTLS_PEM_PARSE_C)
\r
544 mbedtls_pem_context pem;
\r
547 if( chain == NULL || buf == NULL )
\r
548 return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
\r
552 mbedtls_pem_init( &pem );
\r
554 // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
\r
556 if( buflen == 0 || buf[buflen - 1] != '\0' )
\r
557 ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
\r
559 ret = mbedtls_pem_read_buffer( &pem,
\r
560 "-----BEGIN X509 CRL-----",
\r
561 "-----END X509 CRL-----",
\r
562 buf, NULL, 0, &use_len );
\r
574 if( ( ret = mbedtls_x509_crl_parse_der( chain,
\r
575 pem.buf, pem.buflen ) ) != 0 )
\r
577 mbedtls_pem_free( &pem );
\r
583 mbedtls_pem_free( &pem );
\r
587 mbedtls_pem_free( &pem );
\r
589 /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
\r
590 * And a valid CRL cannot be less than 1 byte anyway. */
\r
591 while( is_pem && buflen > 1 );
\r
596 #endif /* MBEDTLS_PEM_PARSE_C */
\r
597 return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
\r
600 #if defined(MBEDTLS_FS_IO)
\r
602 * Load one or more CRLs and add them to the chained list
\r
604 int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
\r
608 unsigned char *buf;
\r
610 if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
\r
613 ret = mbedtls_x509_crl_parse( chain, buf, n );
\r
615 mbedtls_platform_zeroize( buf, n );
\r
616 mbedtls_free( buf );
\r
620 #endif /* MBEDTLS_FS_IO */
\r
623 * Return an informational string about the certificate.
\r
625 #define BEFORE_COLON 14
\r
628 * Return an informational string about the CRL.
\r
630 int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
\r
631 const mbedtls_x509_crl *crl )
\r
636 const mbedtls_x509_crl_entry *entry;
\r
641 ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
\r
642 prefix, crl->version );
\r
643 MBEDTLS_X509_SAFE_SNPRINTF;
\r
645 ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
\r
646 MBEDTLS_X509_SAFE_SNPRINTF;
\r
647 ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
\r
648 MBEDTLS_X509_SAFE_SNPRINTF;
\r
650 ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
\r
651 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
\r
652 crl->this_update.year, crl->this_update.mon,
\r
653 crl->this_update.day, crl->this_update.hour,
\r
654 crl->this_update.min, crl->this_update.sec );
\r
655 MBEDTLS_X509_SAFE_SNPRINTF;
\r
657 ret = mbedtls_snprintf( p, n, "\n%snext update : " \
\r
658 "%04d-%02d-%02d %02d:%02d:%02d", prefix,
\r
659 crl->next_update.year, crl->next_update.mon,
\r
660 crl->next_update.day, crl->next_update.hour,
\r
661 crl->next_update.min, crl->next_update.sec );
\r
662 MBEDTLS_X509_SAFE_SNPRINTF;
\r
664 entry = &crl->entry;
\r
666 ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
\r
668 MBEDTLS_X509_SAFE_SNPRINTF;
\r
670 while( entry != NULL && entry->raw.len != 0 )
\r
672 ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
\r
674 MBEDTLS_X509_SAFE_SNPRINTF;
\r
676 ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
\r
677 MBEDTLS_X509_SAFE_SNPRINTF;
\r
679 ret = mbedtls_snprintf( p, n, " revocation date: " \
\r
680 "%04d-%02d-%02d %02d:%02d:%02d",
\r
681 entry->revocation_date.year, entry->revocation_date.mon,
\r
682 entry->revocation_date.day, entry->revocation_date.hour,
\r
683 entry->revocation_date.min, entry->revocation_date.sec );
\r
684 MBEDTLS_X509_SAFE_SNPRINTF;
\r
686 entry = entry->next;
\r
689 ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
\r
690 MBEDTLS_X509_SAFE_SNPRINTF;
\r
692 ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
\r
694 MBEDTLS_X509_SAFE_SNPRINTF;
\r
696 ret = mbedtls_snprintf( p, n, "\n" );
\r
697 MBEDTLS_X509_SAFE_SNPRINTF;
\r
699 return( (int) ( size - n ) );
\r
703 * Initialize a CRL chain
\r
705 void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
\r
707 memset( crl, 0, sizeof(mbedtls_x509_crl) );
\r
711 * Unallocate all CRL data
\r
713 void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
\r
715 mbedtls_x509_crl *crl_cur = crl;
\r
716 mbedtls_x509_crl *crl_prv;
\r
717 mbedtls_x509_name *name_cur;
\r
718 mbedtls_x509_name *name_prv;
\r
719 mbedtls_x509_crl_entry *entry_cur;
\r
720 mbedtls_x509_crl_entry *entry_prv;
\r
727 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
\r
728 mbedtls_free( crl_cur->sig_opts );
\r
731 name_cur = crl_cur->issuer.next;
\r
732 while( name_cur != NULL )
\r
734 name_prv = name_cur;
\r
735 name_cur = name_cur->next;
\r
736 mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
\r
737 mbedtls_free( name_prv );
\r
740 entry_cur = crl_cur->entry.next;
\r
741 while( entry_cur != NULL )
\r
743 entry_prv = entry_cur;
\r
744 entry_cur = entry_cur->next;
\r
745 mbedtls_platform_zeroize( entry_prv,
\r
746 sizeof( mbedtls_x509_crl_entry ) );
\r
747 mbedtls_free( entry_prv );
\r
750 if( crl_cur->raw.p != NULL )
\r
752 mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
\r
753 mbedtls_free( crl_cur->raw.p );
\r
756 crl_cur = crl_cur->next;
\r
758 while( crl_cur != NULL );
\r
764 crl_cur = crl_cur->next;
\r
766 mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
\r
767 if( crl_prv != crl )
\r
768 mbedtls_free( crl_prv );
\r
770 while( crl_cur != NULL );
\r
773 #endif /* MBEDTLS_X509_CRL_PARSE_C */
\r