Allow empty CRLs to be created (#22)

tsaarni · Jun 23, 2022 · fb8112f · fb8112f
1 parent adf39d5
commit fb8112f
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 8 deletions.
diff --git a/crl.go b/crl.go
@@ -38,6 +38,10 @@ type CRL struct {
 	// All Certificates must be issued by the same Issuer.
 	// Self-signed certificates cannot be added.
 	Revoked []*Certificate
+
+	// Issuer is the CA certificate issuing this CRL.
+	// If not set, it defaults to the issuer of certificates added to Revoked list.
+	Issuer *Certificate
 }
 
 // Add appends a Certificate to CRL list.
@@ -58,8 +62,11 @@ func (crl *CRL) Add(cert *Certificate) error {
 // DER returns the CRL as DER buffer.
 // Error is not nil if generation fails.
 func (crl *CRL) DER() (crlBytes []byte, err error) {
-	if len(crl.Revoked) == 0 {
-		return nil, fmt.Errorf("certificates have not been added to CRL")
+	if crl.Issuer == nil {
+		if len(crl.Revoked) == 0 {
+			return nil, fmt.Errorf("Issuer not known: either set Issuer or add certificates to the CRL")
+		}
+		crl.Issuer = crl.Revoked[0].Issuer
 	}
 
 	effectiveRevocationTime := time.Now()
@@ -73,8 +80,6 @@ func (crl *CRL) DER() (crlBytes []byte, err error) {
 		effectiveExpiry = *crl.NextUpdate
 	}
 
-	issuer := crl.Revoked[0].Issuer
-
 	var revokedCerts []pkix.RevokedCertificate
 	for _, c := range crl.Revoked {
 		err := c.ensureGenerated()
@@ -83,21 +88,21 @@ func (crl *CRL) DER() (crlBytes []byte, err error) {
 		}
 		if c.Issuer == nil {
 			return nil, fmt.Errorf("cannot revoke self-signed certificate: %s", c.Subject)
-		} else if c.Issuer != issuer {
-			return nil, fmt.Errorf("CRL can contain certificates for single issuer only")
+		} else if c.Issuer != crl.Issuer {
+			return nil, fmt.Errorf("revoked certificates added from several issuers, or certificate does not match explicitly set Issuer")
 		}
 		revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
 			SerialNumber:   c.SerialNumber,
 			RevocationTime: effectiveRevocationTime,
 		})
 	}
 
-	ca, err := issuer.X509Certificate()
+	ca, err := crl.Issuer.X509Certificate()
 	if err != nil {
 		return nil, err
 	}
 
-	privateKey, err := issuer.PrivateKey()
+	privateKey, err := crl.Issuer.PrivateKey()
 	if err != nil {
 		return nil, err
 	}

diff --git a/crl_test.go b/crl_test.go
@@ -73,4 +73,28 @@ func TestInvalidIssuers(t *testing.T) {
 	assert.Nil(t, err)
 	err = crl.Add(&input2)
 	assert.NotNil(t, err)
+
+	// Explicitly set issuer but add certificates issued by different CA.
+	crl = CRL{Issuer: &ca1, Revoked: []*Certificate{&input2}}
+	_, err = crl.DER()
+	assert.NotNil(t, err)
+
+}
+
+func TestEmptyCRL(t *testing.T) {
+	// Empty CRL can be created by explicitly defining Issuer.
+	ca := Certificate{Subject: "CN=ca"}
+	crl := CRL{Issuer: &ca}
+	crlBytes, err := crl.DER()
+	assert.Nil(t, err)
+
+	certList, err := x509.ParseCRL(crlBytes)
+	assert.Nil(t, err)
+	assert.Equal(t, 0, len(certList.TBSCertList.RevokedCertificates))
+	assert.Equal(t, "CN=ca", certList.TBSCertList.Issuer.String())
+
+	// Empty CRL with no issuer cannot be created.
+	crl = CRL{}
+	_, err = crl.DER()
+	assert.NotNil(t, err)
 }