path: root/src/pkg/crypto/x509/crl/crl.go
Diffstat (limited to 'src/pkg/crypto/x509/crl/crl.go')
-rw-r--r--src/pkg/crypto/x509/crl/crl.go96
1 files changed, 96 insertions, 0 deletions
diff --git a/src/pkg/crypto/x509/crl/crl.go b/src/pkg/crypto/x509/crl/crl.go
new file mode 100644
index 000000000..c79c797c7
--- /dev/null
+++ b/src/pkg/crypto/x509/crl/crl.go
@@ -0,0 +1,96 @@
+// Copyright 2011 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package crl exposes low-level details of PKIX Certificate Revocation Lists
+// as specified in RFC 5280, section 5.
+package crl
+
+import (
+ "asn1"
+ "bytes"
+ "encoding/pem"
+ "os"
+ "time"
+)
+
+// CertificateList represents the ASN.1 structure of the same name. See RFC
+// 5280, section 5.1. Use crypto/x509/Certificate.CheckCRLSignature to verify
+// the signature.
+type CertificateList struct {
+ TBSCertList TBSCertificateList
+ SignatureAlgorithm AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+// HasExpired returns true iff currentTimeSeconds is past the expiry time of
+// certList.
+func (certList *CertificateList) HasExpired(currentTimeSeconds int64) bool {
+ return certList.TBSCertList.NextUpdate.Seconds() <= currentTimeSeconds
+}
+
+// TBSCertificateList represents the ASN.1 structure of the same name. See RFC
+// 5280, section 5.1.
+type TBSCertificateList struct {
+ Raw asn1.RawContent
+ Version int "optional,default:2"
+ Signature AlgorithmIdentifier
+ Issuer asn1.RawValue
+ ThisUpdate *time.Time
+ NextUpdate *time.Time
+ RevokedCertificates []RevokedCertificate "optional"
+ Extensions []Extension "tag:0,optional,explicit"
+}
+
+// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
+// 5280, section 4.1.1.2.
+type AlgorithmIdentifier struct {
+ Algo asn1.ObjectIdentifier
+ Params asn1.RawValue "optional"
+}
+
+// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
+// 5280, section 5.1.
+type RevokedCertificate struct {
+ SerialNumber asn1.RawValue
+ RevocationTime *time.Time
+ Extensions []Extension "optional"
+}
+
+// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
+// 5280, section 4.2.
+type Extension struct {
+ Id asn1.ObjectIdentifier
+ IsCritial bool "optional"
+ Value []byte
+}
+
+// pemCRLPrefix is the magic string that indicates that we have a PEM encoded
+// CRL.
+var pemCRLPrefix = []byte("-----BEGIN X509 CRL")
+// pemType is the type of a PEM encoded CRL.
+var pemType = "X509 CRL"
+
+// Parse parses a CRL from the given bytes. It's often the case that PEM
+// encoded CRLs will appear where they should be DER encoded, so this function
+// will transparently handle PEM encoding as long as there isn't any leading
+// garbage.
+func Parse(crlBytes []byte) (certList *CertificateList, err os.Error) {
+ if bytes.HasPrefix(crlBytes, pemCRLPrefix) {
+ block, _ := pem.Decode(crlBytes)
+ if block != nil && block.Type == pemType {
+ crlBytes = block.Bytes
+ }
+ }
+ return ParseDER(crlBytes)
+}
+
+// ParseDER parses a DER encoded CRL from the given bytes.
+func ParseDER(derBytes []byte) (certList *CertificateList, err os.Error) {
+ certList = new(CertificateList)
+ _, err = asn1.Unmarshal(derBytes, certList)
+ if err != nil {
+ certList = nil
+ }
+ return
+}