Revocation list handling

[Niederb]

• Part of the collateral are certificate revocation lists (CRL). I think they should be in X.509 format, but we should double check
  • https://www.rfc-editor.org/rfc/rfc5280
• Therefore we somehow need to parse them and I think our current dependency for certificate parsing does not support CRLs. Again we should double check
• Probably we need a new dependency and have to make sure it works in our runtime (no_std/webassembly)

[Niederb]

The CRL can be parsed with x509_cert but the problem is verifying the issuer certificate chain. I don't know yet how to solve this, but given that there are currently no revoked certificates for our setup this is less important than other verification checks.

[Niederb]

Some notes regarding the root CA CRL:

• The Intel Collateral API has not interface to get the root CA CRL (only for the PCK Certificate, see)
• The URL for the root CA CRL is actually encoded in the certificate itself as cRLDistributionPoints and currently points to https://certificates.trustedservices.intel.com/IntelSGXRootCA.der
  • I think I would just hard-code this URL for now
• Note that some of the code implies that it is available in the API under /rootcacrl but this does not seem to work…