From cd07e32b13af329e63c98c35a669ade8540e876d Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 8 Jan 2024 16:38:11 -0800 Subject: [PATCH] update crl files and add in compat support for RSA-PSS --- certs/crl/caEcc384Crl.pem | 12 +-- certs/crl/caEccCrl.pem | 12 +-- certs/crl/cliCrl.pem | 54 +++++----- certs/crl/crl.der | Bin 520 -> 520 bytes certs/crl/crl.pem | 52 +++++----- certs/crl/crl.revoked | 56 +++++----- certs/crl/crl2.der | Bin 520 -> 520 bytes certs/crl/crl2.pem | 102 +++++++++---------- certs/crl/crl_rsapss.pem | 65 +++++++++--- certs/crl/eccCliCRL.pem | 22 ++-- certs/crl/eccSrvCRL.pem | 22 ++-- certs/crl/extra-crls/ca-int-cert-revoked.pem | 16 +-- certs/crl/extra-crls/general-server-crl.pem | 16 +-- certs/crl/gencrls.sh | 21 +++- src/crl.c | 44 ++++++-- tests/api.c | 14 ++- wolfssl/internal.h | 4 +- 17 files changed, 301 insertions(+), 211 deletions(-) diff --git a/certs/crl/caEcc384Crl.pem b/certs/crl/caEcc384Crl.pem index ab0833e06..cf3f9a1b1 100644 --- a/certs/crl/caEcc384Crl.pem +++ b/certs/crl/caEcc384Crl.pem 
@@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBcjCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +MIIBcTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x -HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIzMTIxMzIyMTkzM1oX -DTI2MDkwODIyMTkzM1qgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA -ElNSMAoGA1UdFAQDAgEMMAoGCCqGSM49BAMCA2kAMGYCMQDiAhgtXMrlvYjxh1+q -uqluR12ThFI1k8wTdFiGF0yToo3zpoxbaN5w33vBYVUZzCYCMQD76v5cIfO8RUBc -f5tVsV7n7fGhwMPREOw0f0nmtl+qwNWSDDegMLtTdZyYF9ERdV0= +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI0MDEwOTAwMzQzMFoX +DTI2MTAwNTAwMzQzMFqgLzAtMB8GA1UdIwQYMBaAFKvgwyZMGNRyu9KEjJwKBZKA +ElNSMAoGA1UdFAQDAgEMMAoGCCqGSM49BAMCA2gAMGUCMQCjqo2bmsEzvBpsVBfA +7CXvvAoldG0sFKW75EvAUOFZYWC92/GDULxTxzOGqg81B5ICMEeFr+vl+RMQZfju +ZY3eOC5PKW4z1LwneOUyoKu2joHBENLhsD+tSixSHumx+kmh2g== -----END X509 CRL----- diff --git a/certs/crl/caEccCrl.pem b/certs/crl/caEccCrl.pem index 4729407bc..8574c307d 100644 --- a/certs/crl/caEccCrl.pem +++ b/certs/crl/caEccCrl.pem @@ -1,10 +1,10 @@ -----BEGIN X509 CRL----- -MIIBUTCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +MIIBUDCB+AIBATAKBggqhkjOPQQDAjCBlzELMAkGA1UEBhMCVVMxEzARBgNVBAgM Cldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wx FDASBgNVBAsMC0RldmVsb3BtZW50MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x -HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTIzMTIxMzIyMTkzM1oX -DTI2MDkwODIyMTkzM1qgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD -86UhMAoGA1UdFAQDAgELMAoGCCqGSM49BAMCA0gAMEUCICFj5IcBuGatpURtIwMU -hSKkP11GeUUb5crLMcBKI2u9AiEArWyOTYXvODOGebzJONGEy7UQ9d+HUba3ROqc -aGu35HE= +HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI0MDEwOTAwMzQzMFoX +DTI2MTAwNTAwMzQzMFqgLzAtMB8GA1UdIwQYMBaAFFaOmsPwQt4YuUVVbvmTz+rD +86UhMAoGA1UdFAQDAgELMAoGCCqGSM49BAMCA0cAMEQCIFuy1ACI/xzHowxHb4+6 +Ey9EPuLVgbvwLmVVSnDiwEkAAiB8BrOHHUMxK0ZFMZoAdRBgE/p32q9FdJJfAO0n +VnFcxg== -----END X509 CRL----- 
diff --git a/certs/crl/cliCrl.pem b/certs/crl/cliCrl.pem index 00c485372..e20203ef7 100644 --- a/certs/crl/cliCrl.pem +++ b/certs/crl/cliCrl.pem 
@@ -2,41 +2,41 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = info@wolfssl.com - Last Update: Dec 13 22:19:33 2023 GMT - Next Update: Sep 8 22:19:33 2026 GMT + Last Update: Jan 9 00:34:30 2024 GMT + Next Update: Oct 5 00:34:30 2026 GMT CRL extensions: X509v3 CRL Number: 8 Revoked Certificates: Serial Number: 02 - Revocation Date: Dec 13 22:19:33 2023 GMT + Revocation Date: Jan 9 00:34:30 2024 GMT Signature Algorithm: sha256WithRSAEncryption - 74:17:9b:40:81:d2:a0:f3:26:68:44:5b:f8:a2:6c:3f:7e:71: - 75:a2:7f:c6:e6:71:cb:f9:08:57:42:cd:3e:3f:ab:cd:0c:85: - 36:45:58:8b:59:28:81:d9:b0:6b:10:4a:d0:7d:59:ad:cf:53: - 05:cb:13:c7:c1:ec:65:64:6b:4d:e6:87:0b:ae:06:60:ab:8a: - 3c:ae:c1:7d:ed:8f:ee:09:02:7a:3a:f2:21:bf:89:ef:cd:14: - b1:03:64:2d:b2:b6:45:15:da:2d:ee:2d:c0:15:3b:a8:01:a8: - 4f:30:61:ae:99:b9:16:07:b5:8b:71:8f:38:ac:69:82:39:90: - 92:ff:d6:41:33:3b:92:5b:f2:dd:56:5a:8f:82:d1:1f:76:ee: - ca:01:a2:ac:c0:22:41:dd:6e:e1:ce:06:b0:6f:bc:e2:da:91: - 11:c1:a0:41:16:7d:ba:7e:a1:53:13:14:4b:54:3b:b9:44:cf: - 4f:1c:ef:ce:a8:bd:e8:ab:ba:de:97:f7:b7:7d:4f:ab:7a:e7: - 73:65:97:a1:d9:a3:f3:92:f1:95:06:6d:52:7b:6e:fd:26:56: - 55:83:c7:71:f7:a4:8f:9a:2c:52:04:dd:9f:85:ab:9c:88:e1: - 30:c6:4a:88:7d:20:1b:c6:47:8b:82:cc:9d:0f:51:69:b1:90: - b2:8a:9c:74 + 52:11:97:57:04:d7:e2:14:1f:c4:7f:a2:d8:cf:4c:b7:5b:0c: + d3:ac:ca:29:10:74:09:2f:3d:fb:4d:75:3e:32:21:5a:0f:41: + 5f:cc:e7:98:f8:ea:8e:e2:c9:57:60:b6:a3:b0:70:10:18:b9: + 86:a3:65:1e:3a:88:13:df:44:18:15:51:00:f6:33:d6:ab:90: + 18:93:df:ac:7d:15:5c:6a:63:55:d1:4d:41:37:03:89:86:65: + fa:fb:d7:b1:73:db:c3:43:08:ff:89:94:89:b1:b4:ad:96:78: + 52:92:50:8c:0a:5d:ca:29:8b:e0:bc:ca:88:c0:7a:52:48:d3: + cf:09:03:08:5f:a1:b9:16:b0:55:5e:11:60:7f:73:9a:98:05: + 54:97:bf:eb:0e:04:61:4f:b4:40:23:61:9a:07:69:78:fc:16: + de:f4:54:04:cf:f0:2b:07:8d:51:9e:6b:b5:77:c4:13:2c:a3: 
+ 40:99:ed:fa:f4:00:4a:45:36:da:52:9d:dc:88:66:3e:03:f0: + 20:ce:54:a4:56:58:a8:9e:30:78:e8:42:2d:a8:0f:9b:c4:a9: + ab:13:c2:4e:ec:be:2e:99:16:56:2f:22:86:96:27:1d:30:80: + 7d:a5:f8:45:ef:93:b4:63:13:96:4f:6a:df:a0:11:3b:52:be: + 93:03:7a:81 -----BEGIN X509 CRL----- MIICDjCB9wIBATANBgkqhkiG9w0BAQsFADCBnjELMAkGA1UEBhMCVVMxEDAOBgNV BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTATBgNVBAoMDHdvbGZTU0xf MjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEYMBYGA1UEAwwPd3d3Lndv -bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yMzEy -MTMyMjE5MzNaFw0yNjA5MDgyMjE5MzNaMBQwEgIBAhcNMjMxMjEzMjIxOTMzWqAO -MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAHQXm0CB0qDzJmhEW/ii -bD9+cXWif8bmccv5CFdCzT4/q80MhTZFWItZKIHZsGsQStB9Wa3PUwXLE8fB7GVk -a03mhwuuBmCrijyuwX3tj+4JAno68iG/ie/NFLEDZC2ytkUV2i3uLcAVO6gBqE8w -Ya6ZuRYHtYtxjzisaYI5kJL/1kEzO5Jb8t1WWo+C0R927soBoqzAIkHdbuHOBrBv -vOLakRHBoEEWfbp+oVMTFEtUO7lEz08c786oveirut6X97d9T6t653Nll6HZo/OS -8ZUGbVJ7bv0mVlWDx3H3pI+aLFIE3Z+Fq5yI4TDGSoh9IBvGR4uCzJ0PUWmxkLKK -nHQ= +bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx +MDkwMDM0MzBaFw0yNjEwMDUwMDM0MzBaMBQwEgIBAhcNMjQwMTA5MDAzNDMwWqAO +MAwwCgYDVR0UBAMCAQgwDQYJKoZIhvcNAQELBQADggEBAFIRl1cE1+IUH8R/otjP +TLdbDNOsyikQdAkvPftNdT4yIVoPQV/M55j46o7iyVdgtqOwcBAYuYajZR46iBPf +RBgVUQD2M9arkBiT36x9FVxqY1XRTUE3A4mGZfr717Fz28NDCP+JlImxtK2WeFKS +UIwKXcopi+C8yojAelJI088JAwhfobkWsFVeEWB/c5qYBVSXv+sOBGFPtEAjYZoH +aXj8Ft70VATP8CsHjVGea7V3xBMso0CZ7fr0AEpFNtpSndyIZj4D8CDOVKRWWKie +MHjoQi2oD5vEqasTwk7svi6ZFlYvIoaWJx0wgH2l+EXvk7RjE5ZPat+gETtSvpMD +eoE= -----END X509 CRL----- 
diff --git a/certs/crl/crl.der b/certs/crl/crl.der index c6ec65c4bf2185a61b97c7c2f19a6293c7727900..7ce490cdabbb14e5d7a4702a4bac1ab3948224a4 100644 GIT binary patch delta 317 zcmeBR>0p_#*}%lW(7@8bz}UptAWEFq$js2dz!b_g5HS#9Vq_BMH9}G}@v&_gjVT36aPu+>>?YZ0v-uDZSDk9(YuLs%C2oPM&>3MO0v;`{ZGF>Th z?P^@`W0Sd`y4fXX%YS6zXK{P6W80_R;|E0T?E0n^i^?T^^V9miYQe+?q54Li)H4?Q zB638QDlY8(-nCQZi|(ld>CW6IWVX}_)z>eQmgJjqzIuM?0*+bf_U)Z^KO&ZPN$cL4 zeL-4c(&0;4*Jb{=W|kigPc5A}&s|GF_5FlT@z%9-Y8hTl3VF@_TztKX)X$pcfDG9? z(FsD!gDP&W+#nz6VRn4kbd%%l_Urzx42$(R(^*xS&_7!{*=93~Z2WhHOMgEFZk#q* LIC^ynQ&Tqpr%H%_ delta 317 zcmeBR>0p_#*}&M)$k5ox$k5W*I7*z?$jrdfzyiuO5HS#9Vq_BMH9}G}@v&;XhuI7X zr#U>0fs&=(YO@}&OLQ(;xObc1#7{1hr2-cA7s(%4H?#35gVhw~dkiWwuIPwA-StV+ z%K3!yuHvkinX$VX?(X$J8@%kiv7n)W`lCyRY^gi!&i`Xj{Ld@l|L5=3hSH)MJ(q(E z)s}U2oH&psb!Dd6ss41Q{+drx&!sO+V69i;)x2yPuH3WxQt-hQ3^rFbPgm~pm+d}T zoHfm1!;+21@3HwVj?KFCHAe1(BLBs|ik*+<*&f{Vfj_QN&fR0u{@2qq)^c~oS-+jG zxw}{8&@;8C#_v1C4@yn{73i|)%%+s5F;ha`TG#fQczItwmGo1Ap-t_T^vW&w`@i_! Mu$#Kdn#oxP0Jz0p_#*}%lW(7@8bz}UptAWEFq$js2dz!b_g5HS#9Vq_BMH9}G}@v&_gjVT36aPu+>>?YZ0v-uDZSDk9(YuLs%C2oPM&>3MO0v;`{ZGF>Th z?P^@`W0Sd`y4fXX%YS6zXK{P6W80_R;|E0T?E0n^i^?T^^V9miYQe+?q54Li)H4?Q zB638QDlY8(-nCQZi|(ld>CW6IWVX}_)z>eQmgJjqzIuM?0*+bf_U)Z^KO&ZPN$cL4 zeL-4c(&0;4*Jb{=W|kigPc5A}&s|GF_5FlT@z%9-Y8hTl3VF@_TztKX)X$pcfDG9? z(FsD!gDP&W+#nz6VRn4kbd%%l_Urzx42$(R(^*xS&_7!{*=93~Z2WhHOMgEFZk#q* LIC^ynQ&Tqpr%H%_ delta 317 zcmeBR>0p_#*}&M)$k5ox$k5W*I7*z?$jrdfzyiuO5HS#9Vq_BMH9}G}@v&;XhuI7X zr#U>0fs&=(YO@}&OLQ(;xObc1#7{1hr2-cA7s(%4H?#35gVhw~dkiWwuIPwA-StV+ z%K3!yuHvkinX$VX?(X$J8@%kiv7n)W`lCyRY^gi!&i`Xj{Ld@l|L5=3hSH)MJ(q(E z)s}U2oH&psb!Dd6ss41Q{+drx&!sO+V69i;)x2yPuH3WxQt-hQ3^rFbPgm~pm+d}T zoHfm1!;+21@3HwVj?KFCHAe1(BLBs|ik*+<*&f{Vfj_QN&fR0u{@2qq)^c~oS-+jG zxw}{8&@;8C#_v1C4@yn{73i|)%%+s5F;ha`TG#fQczItwmGo1Ap-t_T^vW&w`@i_! Mu$#Kdn#oxP0Jz tmp 
@@ -206,4 +202,21 @@ echo "Step 26" openssl crl -in crl.pem -inform PEM -out crl.der -outform DER openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER +# clear state for RSA-PSS revoke +cp blank.index.txt demoCA/index.txt + +echo "Step 27 RSA-PSS revoke" +openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../rsapss/server-rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem +check_result $? + +echo "Step 28 RSA-PSS" +openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/ca-rsapss-priv.pem -cert ../rsapss/ca-rsapss.pem +check_result $? + +# metadata +echo "Step 29" +openssl crl -in crl_rsapss.pem -text > tmp +check_result $? +mv tmp crl_rsapss.pem + exit 0 diff --git a/src/crl.c b/src/crl.c index 9a49f219f..8a617dd34 100644 --- a/src/crl.c +++ b/src/crl.c @@ -138,6 +138,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; crle->signatureSz = dcrl->sigLength; crle->signatureOID = dcrl->signatureOID; + crle->sigParamsSz = dcrl->sigParamsLength; crle->toBeSigned = (byte*)XMALLOC(crle->tbsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned == NULL) @@ -149,6 +150,20 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->toBeSigned = NULL; return -1; } + + if (dcrl->sigParamsLength > 0) { + crle->sigParams = (byte*)XMALLOC(crle->sigParamsSz, heap, + DYNAMIC_TYPE_CRL_ENTRY); + if (crle->sigParams== NULL) { + XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); + crle->toBeSigned = NULL; + XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); + crle->signature = NULL; + return -1; + } + XMEMCPY(crle->sigParams, buff + dcrl->sigParamsIndex, + crle->sigParamsSz); + } XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz); XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz); #ifndef NO_SKID 
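Review bot: The `cp blank.index.txt demoCA/index.txt` reset before Step 27 is the only new command in this hunk whose exit status is not passed to `check_result`. If the copy fails, the RSA-PSS revoke and `-gencrl` steps run against whatever revocation database the earlier steps left behind. Unless the script enables `set -e` outside this hunk, it can then still reach `exit 0` with a `crl_rsapss.pem` built from stale state. Adding `check_result $?` directly after the `cp` would stop a misleading test fixture from being generated.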
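Review bot: The new `crle->sigParamsSz` and `crle->sigParams` accesses in InitCRL_Entry are not wrapped in `#ifdef WC_RSA_PSS`, although the internal.h hunk of this patch declares both members only inside that guard, so a build without WC_RSA_PSS would presumably fail to compile. The same unguarded use appears in the CRL_Entry_free hunk and in the allocation and copy lines of the first DupCRL_Entry hunk, while the VerifyCRLE call and the second DupCRL_Entry hunk do carry the guard. Wrapping the assignment and the `if (dcrl->sigParamsLength > 0) { ... }` block in `#ifdef WC_RSA_PSS` / `#endif` would make the sites consistent. When the length is 0 this code never writes `crle->sigParams`, so the NULL test in CRL_Entry_free relies on the entry having been zeroed before this call, which the hunk does not show; an `else` branch with `crle->sigParams = NULL;` would remove that dependency. InitCRL_Entry begins and ends outside these hunks.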
@@ -206,6 +221,8 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap) XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); if (crle->toBeSigned != NULL) XFREE(crle->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); + if (crle->sigParams != NULL) + XFREE(crle->sigParams, heap, DYNAMIC_TYPE_CRL_ENTRY); #if defined(OPENSSL_EXTRA) if (crle->issuer != NULL) { FreeX509Name(crle->issuer); @@ -338,16 +355,19 @@ static int VerifyCRLE(const WOLFSSL_CRL* crl, CRL_Entry* crle) ret = VerifyCRL_Signature(&sigCtx, crle->toBeSigned, crle->tbsSz, crle->signature, crle->signatureSz, crle->signatureOID, + #ifdef WC_RSA_PSS + crle->sigParams, crle->sigParamsSz, + #else + NULL, 0, + #endif + ca, crl->heap); - /* @TODO RSA PSS params */ NULL, 0, - - ca, - crl->heap); - - if (ret == 0) + if (ret == 0) { crle->verified = 1; - else + } + else { crle->verified = ret; + } return ret; } @@ -739,11 +759,15 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) DYNAMIC_TYPE_CRL_ENTRY); dupl->signature = (byte*)XMALLOC(dupl->signatureSz, heap, DYNAMIC_TYPE_CRL_ENTRY); - if (dupl->toBeSigned == NULL || dupl->signature == NULL) { + dupl->sigParams = (byte*)XMALLOC(dupl->sigParamsSz, heap, + DYNAMIC_TYPE_CRL_ENTRY); + if (dupl->toBeSigned == NULL || dupl->signature == NULL || + dupl->sigParams == NULL) { CRL_Entry_free(dupl, heap); return NULL; } XMEMCPY(dupl->toBeSigned, ent->toBeSigned, dupl->tbsSz); + XMEMCPY(dupl->sigParams, ent->sigParams, dupl->sigParamsSz); XMEMCPY(dupl->signature, ent->signature, dupl->signatureSz); } else { @@ -751,6 +775,10 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) dupl->tbsSz = 0; dupl->signature = NULL; dupl->signatureSz = 0; +#ifdef WC_RSA_PSS + dupl->sigParams = NULL; + dupl->sigParamsSz = 0; +#endif #if !defined(NO_SKID) && !defined(NO_ASN) dupl->extAuthKeyIdSet = 0; #endif diff --git a/tests/api.c b/tests/api.c index 194a3607b..b878fcd14 100644 --- a/tests/api.c +++ b/tests/api.c 
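Review bot: In DupCRL_Entry the new `XMALLOC(dupl->sigParamsSz, ...)` runs for every entry that has a toBeSigned buffer, including CRLs that are not RSA-PSS signed, where the size is presumably 0. With an allocator that returns NULL for a zero-byte request, the added `dupl->sigParams == NULL` test then discards the duplicate, so ordinary RSA or ECDSA CRL entries could no longer be copied. Where the allocator does return a pointer, `XMEMCPY` is still called with an `ent->sigParams` that may be NULL. Tying the failure to a non-zero size, `(dupl->sigParams == NULL && dupl->sigParamsSz != 0)`, and copying only under `if (dupl->sigParamsSz > 0)` avoids both. The function body begins and ends outside the hunk, so how `sigParamsSz` reaches `dupl` is not visible here.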
@@ -3046,7 +3046,7 @@ static int test_wolfSSL_CertManagerCRL(void) const char* crl2 = "./certs/crl/crl2.pem"; #ifdef WC_RSA_PSS const char* crl_rsapss = "./certs/crl/crl_rsapss.pem"; - const char* ca_rsapss = "certs/rsapss/root-rsapss.pem"; + const char* ca_rsapss = "certs/rsapss/ca-rsapss.pem"; #endif const unsigned char crl_buff[] = { 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02, @@ -54537,6 +54537,9 @@ static int test_wolfSSL_X509_load_crl_file(void) "./certs/crl/caEccCrl.pem", "./certs/crl/eccCliCRL.pem", "./certs/crl/eccSrvCRL.pem", + #ifdef WC_RSA_PSS + "./certs/crl/crl_rsapss.pem", + #endif "" }; char der[][100] = { @@ -54552,6 +54555,10 @@ static int test_wolfSSL_X509_load_crl_file(void) ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", X509_FILETYPE_PEM), 1); +#ifdef WC_RSA_PSS + ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/rsapss/ca-rsapss.pem", + X509_FILETYPE_PEM), 1); +#endif ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", X509_FILETYPE_PEM), 1); if (store) { @@ -54572,6 +54579,11 @@ static int test_wolfSSL_X509_load_crl_file(void) ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), CRL_CERT_REVOKED); +#ifdef WC_RSA_PSS + ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, + "certs/rsapss/server-rsapss-cert.pem", WOLFSSL_FILETYPE_PEM), + CRL_CERT_REVOKED); +#endif } /* once feeing store */ X509_STORE_free(store); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d32e8d6ed..2291e0c4d 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2500,8 +2500,8 @@ struct CRL_Entry { word32 signatureSz; word32 signatureOID; #ifdef WC_RSA_PSS - word32 sigParamsIndex; /* start of signature parameters */ - word32 sigParamsLength; /* length of signature parameters */ + word32 sigParamsSz; /* length of signature parameters */ + byte* sigParams; /* buffer with signature parameters */ #endif #if !defined(NO_SKID) && !defined(NO_ASN) byte extAuthKeyIdSet;
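Review bot: The RSA-PSS additions to test_wolfSSL_X509_load_crl_file assert only the success path, `CRL_CERT_REVOKED` for `certs/rsapss/server-rsapss-cert.pem`. Since this patch starts passing the CRL's stored signature parameters into verification, a negative case would show that they are actually enforced, for example a CRL copy with altered signature parameters that must not yield a verified entry. The gencrls.sh hunk revokes `../rsapss/server-rsapss.pem` while this test verifies `server-rsapss-cert.pem`; if both files carry the same certificate, a comment such as `/* same cert as rsapss/server-rsapss.pem revoked in gencrls.sh */` would make the link explicit. The test function continues outside these hunks.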