diff --git a/certs/crl/crl.der b/certs/crl/crl.der
new file mode 100644
index 000000000..f8726dd52
Binary files /dev/null and b/certs/crl/crl.der differ
diff --git a/certs/crl/crl2.der b/certs/crl/crl2.der
new file mode 100644
index 000000000..f8726dd52
Binary files /dev/null and b/certs/crl/crl2.der differ
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index 7cf4bf6e4..4f2e22ad0 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -177,4 +177,9 @@ echo "Step 22"
 openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem
 check_result $?
+# create crl and crl2 der files for unit test
+echo "Step 23"
+openssl crl -in crl.pem -inform PEM -out crl.der -outform DER
+openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER
+
 exit 0
diff --git a/certs/crl/include.am b/certs/crl/include.am
index c5da8de99..6d6d9b2c6 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
@@ -10,7 +10,9 @@ EXTRA_DIST += \
 certs/crl/crl2.pem \
 certs/crl/caEccCrl.pem \
 certs/crl/caEcc384Crl.pem \
- certs/crl/wolfssl.cnf
+ certs/crl/wolfssl.cnf \
+ certs/crl/crl.der \
+ certs/crl/crl2.der
 EXTRA_DIST += \
 certs/crl/crl.revoked
diff --git a/src/ssl.c b/src/ssl.c
index d2533eed8..bff47af33 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -26058,6 +26058,8 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx,
 ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl);
 if (ret == WOLFSSL_FAILURE) {
 WOLFSSL_MSG("Adding crl failed");
+ } else {
+ ret = 1;/* handled a file */
 }
 }
 } else {
diff --git a/tests/api.c b/tests/api.c
index f64ff3dd5..3ef4d884c 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -38801,6 +38801,11 @@ static void test_wolfSSL_X509_load_crl_file(void)
 "./certs/crl/eccSrvCRL.pem",
 ""
 };
+ char der[][100] = {
+ "./certs/crl/crl.der",
+ "./certs/crl/crl2.der",
+ ""
+ };
 WOLFSSL_X509_STORE* store;
 WOLFSSL_X509_LOOKUP* lookup;
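Review bot: The two new `openssl crl` conversions in Step 23 are the only commands in the gencrls.sh hunk not followed by `check_result $?`; Step 22 directly above checks its exit status, while the new lines run straight into `exit 0`, so a failed or partial DER conversion still lets the script exit 0 and the unit test then runs against missing or stale .der fixtures. Add `check_result $?` after each of the two conversions to match the rest of the script. check_result itself is defined outside the hunk, so I am assuming it aborts on a non-zero status as it evidently does for the other steps.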
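Review bot: The new else branch in the src/ssl.c hunk maps every value other than WOLFSSL_FAILURE to 1, so if wolfSSL_X509_STORE_add_crl can return any code besides WOLFSSL_SUCCESS/WOLFSSL_FAILURE (a negative error, for instance), a CRL that was never installed would be reported to the caller as one loaded file and revocation checking would be skipped without any signal; add_crl's contract is not visible here, so this is worth confirming. Testing for success explicitly closes that gap: `if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Adding crl failed"); ret = WOLFSSL_FAILURE; } else { ret = 1; /* OpenSSL semantics: one object loaded */ }`. On style, `ret = 1;/* handled a file */` wants a space before the comment and the comment should say why the value is 1 (OpenSSL's X509_load_crl_file returns an object count), not just that a file was handled. wolfSSL_X509_load_crl_file begins and ends outside this hunk.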
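Review bot: The two fixtures named in the new `der[]` array are byte-identical: both binary file headers earlier in this patch record the same blob id (`index 000000000..f8726dd52`), so the ASN.1 loop that consumes this array loads the same CRL twice instead of two distinct CRLs as the PEM list beside it does. Either crl.pem and crl2.pem did not differ when Step 23 of gencrls.sh was run, or the wrong input was converted; I cannot tell which from the patch, but it is worth checking before treating crl2.der as a second CRL. If the duplication is intentional, a comment on the array such as `/* crl2.der is currently byte-identical to crl.der */` would save the next reader the same investigation. The enclosing test function starts and ends outside this hunk.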
@@ -38809,12 +38814,57 @@ static void test_wolfSSL_X509_load_crl_file(void)
 AssertNotNull(store = wolfSSL_X509_STORE_new());
 AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+ AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem",
+ X509_FILETYPE_PEM), 1);
+ AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem",
+ X509_FILETYPE_PEM), 1);
+ if (store) {
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+ WOLFSSL_FILETYPE_PEM), 1);
+ /* since store hasn't yet known the revoked cert*/
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem",
+ WOLFSSL_FILETYPE_PEM), 1);
+ }
+
 for (i = 0; pem[i][0] != '\0'; i++)
 {
 AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1);
 }
+ if (store) {
+ /* since store knows crl list */
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem",
+ WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED);
+ }
+ /* once feeing store */
 wolfSSL_X509_STORE_free(store);
+ store = NULL;
+
+ AssertNotNull(store = wolfSSL_X509_STORE_new());
+ AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()));
+
+ AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem",
+ X509_FILETYPE_PEM), 1);
+ AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem",
+ X509_FILETYPE_PEM), 1);
+ if (store) {
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile,
+ WOLFSSL_FILETYPE_PEM), 1);
+ /* since store hasn't yet known the revoked cert*/
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem",
+ WOLFSSL_FILETYPE_PEM), 1);
+ }
+
+ for (i = 0; der[i][0] != '\0'; i++)
+ {
+ AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), 1);
+ }
+
+ if (store) {
+ /* since store knows crl list */
+ AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem",
+ WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED);
+ }
 printf(resultFmt, passed);