cryptutil: update CRL parsing (#4454)

Move the parseCRLs() method from package 'authorize/evaluator' to 'pkg/cryptutil', replacing the existing DecodeCRL() method. This method will parse all CRLs found in the PEM input, rather than just the first. (This removes our usage of the deprecated method x509.ParseDERCRL.) Update this method to return an error if there is non-PEM data found in the input, to satisfy the existing test that raw DER-encoded CRLs are not permitted. Delete the CRLFromBase64() and CRLFromFile() methods, as these are no longer used.
2025-05-11 08:07:38 +02:00 · 2023-08-11 08:33:22 -07:00 · 2023-08-11 08:33:22 -07:00 · cc1ef1ae18
commit cc1ef1ae18
parent ed9a93fe5b
6 changed files with 29 additions and 91 deletions
--- a/authorize/evaluator/functions.go
+++ b/authorize/evaluator/functions.go
@ -11,6 +11,7 @@ import (
 	lru "github.com/hashicorp/golang-lru/v2"

 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

 // ClientCertConstraints contains additional constraints to validate when
@ -61,7 +62,7 @@ func isValidClientCertificate(
 		return false, err
 	}

-	crls, err := parseCRLs([]byte(crl))
+	crls, err := cryptutil.ParseCRLs([]byte(crl))
 	if err != nil {
 		return false, err
 	}
@ -168,22 +169,3 @@ func parseCertificate(pemStr string) (*x509.Certificate, error) {
 	}
 	return x509.ParseCertificate(block.Bytes)
 }
-
-func parseCRLs(crl []byte) (map[string]*x509.RevocationList, error) {
-	m := make(map[string]*x509.RevocationList)
-	for {
-		var block *pem.Block
-		block, crl = pem.Decode(crl)
-		if block == nil {
-			return m, nil
-		}
-		if block.Type != "X509 CRL" {
-			continue
-		}
-		l, err := x509.ParseRevocationList(block.Bytes)
-		if err != nil {
-			return nil, err
-		}
-		m[string(l.RawIssuer)] = l
-	}
-}