
Commit 021b73c

Merge pull request #5511 from randombit/jack/add-crl-index
Add an index of serial numbers to X509_CRL for fast lookups
2 parents ec092a5 + dba123f commit 021b73c

1 file changed

+21
-17
lines changed

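--- a/src/lib/x509/x509_crl.cpp
+++ b/src/lib/x509/x509_crl.cpp
@@ -13,6 +13,7 @@
 #include <botan/data_src.h>
 #include <botan/x509_ext.h>
 #include <botan/x509cert.h>
+#include <set>
 
 namespace Botan {
 
@@ -22,10 +23,23 @@ class CRL_Data final {
 const X509_Time& this_update,
 const X509_Time& next_update,
 const std::vector<CRL_Entry>& revoked) :
-m_issuer(issuer), m_this_update(this_update), m_next_update(next_update), m_entries(revoked) {}
+m_issuer(issuer), m_this_update(this_update), m_next_update(next_update), m_entries(revoked) {
+this->update_index();
+}
 
 CRL_Data() = default;
 
+void update_index() {
+m_revoked_serials.clear();
+for(const auto& entry : m_entries) {
+if(entry.reason_code() == CRL_Code::RemoveFromCrl) {
+m_revoked_serials.erase(entry.serial_number());
+} else {
+m_revoked_serials.insert(entry.serial_number());
+}
+}
+}
+
 // NOLINTBEGIN(*non-private-member-variables-in-classes)
 X509_DN m_issuer;
 size_t m_version{};
@@ -34,6 +48,9 @@ class CRL_Data final {
 std::vector<CRL_Entry> m_entries;
 Extensions m_extensions;
 
+// cached values from entries
+std::set<std::vector<uint8_t>> m_revoked_serials;
+
 // cached values from extensions
 size_t m_crl_number = 0;
 std::vector<uint8_t> m_auth_key_id;
@@ -93,22 +110,7 @@ bool X509_CRL::is_revoked(const X509_Certificate& cert) const {
 }
 }
 
-const std::vector<uint8_t>& cert_serial = cert.serial_number();
-
-bool is_revoked = false;
-
-// FIXME would be nice to avoid a linear scan here - maybe sort the entries?
-for(const CRL_Entry& entry : get_revoked()) {
-if(cert_serial == entry.serial_number()) {
-if(entry.reason_code() == CRL_Code::RemoveFromCrl) {
-is_revoked = false;
-} else {
-is_revoked = true;
-}
-}
-}
-
-return is_revoked;
+return data().m_revoked_serials.contains(cert.serial_number());
 }
 
 /*
@@ -184,6 +186,8 @@ std::unique_ptr<CRL_Data> decode_crl_body(const std::vector<uint8_t>& body, cons
 data->m_idp_urls = ext->get_point().get_attribute("URL");
 }
 
+data->update_index();
+
 return data;
 }
 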