Merge pull request #9628 from miyazakh/fix_crlnumber

Fix CRL Number hex string buffer overflow in CRL parser
Sean Parkinson
2026-01-12 08:52:57 +10:00
committed by GitHub
9 changed files with 205 additions and 24 deletions


@@ -0,0 +1,43 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Last Update: Jan 8 07:15:25 2026 GMT
Next Update: Oct 4 07:15:25 2028 GMT
CRL extensions:
X509v3 CRL Number:
0xD8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74
Revoked Certificates:
Serial Number: 01
Revocation Date: Jan 8 07:15:25 2026 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
0c:45:a0:2e:ba:ad:28:48:eb:61:29:a6:fa:d0:76:8c:96:bb:
1a:9a:79:90:05:06:78:8e:d2:f6:4d:6d:4c:75:62:d2:b2:91:
f8:e4:59:a9:db:6f:e6:58:fe:f9:2e:7a:67:a7:01:a3:68:ee:
b1:23:a6:25:2a:85:84:3d:bf:86:bf:6d:d5:a6:2d:03:8e:d1:
ac:0f:73:4c:47:ea:fb:75:2e:85:1f:dc:fa:5e:b2:eb:d1:f4:
75:e9:ae:a9:90:6e:ec:c9:05:db:61:39:30:a8:4e:c3:d2:ce:
77:2d:ba:bf:fd:74:dc:c6:41:db:65:c4:83:66:9c:91:60:43:
57:a3:52:bb:9c:b7:fa:30:d3:01:89:7f:5e:c8:06:0a:34:1b:
77:ce:e8:b4:85:c5:6e:63:50:f3:88:cc:e3:54:7b:29:5c:08:
4a:7b:35:b4:3f:01:2e:c5:93:4f:7c:7a:17:bf:0d:bd:be:3e:
a9:1b:ef:a0:9c:bc:78:9e:91:99:91:e7:38:63:f1:24:86:02:
63:81:cb:67:3a:f7:3c:5c:45:87:54:f4:9a:16:25:a2:e5:bd:
ee:7e:9a:28:c0:db:4e:bc:4a:0d:c2:5f:14:ea:9c:8a:42:db:
d2:1d:27:b8:d2:3c:57:4a:bf:46:4a:95:ac:7f:f4:47:22:dd:
d5:dc:52:3f
-----BEGIN X509 CRL-----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-----END X509 CRL-----


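--- /dev/null
+++ b/certs/crl/extra-crls/large_crlnum2.pem
@@ -0,0 +1,43 @@
+Certificate Revocation List (CRL):
+Version 2 (0x1)
+Signature Algorithm: sha256WithRSAEncryption
+Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+Last Update: Jan 8 07:15:25 2026 GMT
+Next Update: Oct 4 07:15:25 2028 GMT
+CRL extensions:
+X509v3 CRL Number:
+0x8BC28C3B3F7A6344CD464A9FDC837F2009DEB94FD3
+Revoked Certificates:
+Serial Number: 01
+Revocation Date: Jan 8 07:15:25 2026 GMT
+Signature Algorithm: sha256WithRSAEncryption
+Signature Value:
+47:71:aa:8d:29:11:90:57:c9:70:78:a5:de:40:ee:c3:da:81:
+68:d0:20:09:af:5b:5f:30:f9:69:14:ff:8a:cf:46:0d:e8:0d:
+45:df:1d:49:ce:05:01:28:a5:34:50:b6:cb:54:9d:a1:42:6c:
+f6:e2:66:de:be:e4:90:55:c1:83:e5:4c:26:96:43:29:39:84:
+ad:68:3c:0d:5a:d4:e7:ba:7c:21:e9:a1:c2:0c:ad:6f:0c:32:
+71:81:9f:df:7d:c3:0d:92:a4:6f:43:9f:8f:b7:ef:2d:6d:92:
+a6:17:cb:c7:4c:2e:3b:a5:2b:2c:74:fa:d1:be:6d:dc:19:04:
+d6:b6:56:6c:26:94:8e:13:15:29:12:fe:1a:a4:73:55:df:a5:
+c8:d3:d5:99:4a:c6:be:64:1f:90:a9:d8:94:d1:3b:b1:0e:ff:
+e4:81:d0:e5:a4:8a:a7:a9:82:fb:a6:86:be:e7:e1:a8:b5:0d:
+87:bb:76:5b:0e:05:1f:d4:82:3c:68:99:ec:ae:ae:8e:4a:72:
+cf:3f:8a:7f:b0:a2:69:d9:8c:68:7d:2f:3e:54:e9:fb:70:cf:
+d4:ed:1b:61:68:33:4f:93:9b:5f:5e:e9:de:e8:51:66:fd:c8:
+35:40:a0:7d:42:bd:d7:f4:96:cd:c8:72:14:84:cd:f5:19:8c:
+a0:5a:b7:72
+-----BEGIN X509 CRL-----
+MIICGjCCAQICAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAxMDgwNzE1MjVa
+Fw0yODEwMDQwNzE1MjVaMBQwEgIBARcNMjYwMTA4MDcxNTI1WqAjMCEwHwYDVR0U
+BBgCFgCLwow7P3pjRM1GSp/cg38gCd65T9MwDQYJKoZIhvcNAQELBQADggEBAEdx
+qo0pEZBXyXB4pd5A7sPagWjQIAmvW18w+WkU/4rPRg3oDUXfHUnOBQEopTRQtstU
+naFCbPbiZt6+5JBVwYPlTCaWQyk5hK1oPA1a1Oe6fCHpocIMrW8MMnGBn999ww2S
+pG9Dn4+37y1tkqYXy8dMLjulKyx0+tG+bdwZBNa2VmwmlI4TFSkS/hqkc1XfpcjT
+1ZlKxr5kH5Cp2JTRO7EO/+SB0OWkiqepgvumhr7n4ai1DYe7dlsOBR/Ugjxomeyu
+ro5Kcs8/in+womnZjGh9Lz5U6ftwz9TtG2FoM0+Tm19e6d7oUWb9yDVAoH1Cvdf0
+ls3IchSEzfUZjKBat3I=
+-----END X509 CRL-----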


@@ -219,4 +219,26 @@ openssl crl -in crl_rsapss.pem -text > tmp
check_result $?
mv tmp crl_rsapss.pem
echo "Step 29 large CRL number( = 20 octets )"
echo d8afada7f08b38e6178bd0e5cd7b0df80071ba74 > crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/large_crlnum.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 29"
openssl crl -in extra-crls/large_crlnum.pem -text > tmp
check_result $?
mv tmp extra-crls/large_crlnum.pem
echo "Step 30 large CRL number( > 20 octets )"
echo 8bc28c3b3f7a6344cd464a9fdc837f2009deb94fd3 > crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/large_crlnum2.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 30"
openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
check_result $?
mv tmp extra-crls/large_crlnum2.pem
exit 0


@@ -138,7 +138,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
crle->totalCerts = dcrl->totalCerts;
crle->crlNumberSet = dcrl->crlNumberSet;
if (crle->crlNumberSet) {
XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_SZ);
XMEMCPY(crle->crlNumber, dcrl->crlNumber, sizeof(crle->crlNumber));
}
crle->verified = verified;
if (!verified) {
@@ -597,7 +597,7 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)
info->nextDateFormat = entry->nextDateFormat;
info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber));
}
static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
@@ -612,7 +612,7 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
info->nextDateFormat = entry->nextDateFormat;
info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber));
}
#endif
@@ -622,14 +622,14 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
{
int ret = 0;
DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ_BITS, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
#ifdef MP_INT_SIZE_CHECK_NULL
if ((prev_num == NULL) || (curr_num == NULL)) {
@@ -637,9 +637,9 @@ static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
}
#endif
if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT)
if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS)
!= MP_OKAY) || (INIT_MP_INT_SIZE(curr_num,
CRL_MAX_NUM_SZ * CHAR_BIT)) != MP_OKAY)) {
CRL_MAX_NUM_SZ_BITS)) != MP_OKAY)) {
ret = MP_INIT_E;
}
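Review bot: In SetCrlInfo and SetCrlInfoFromDecoded the copy into the public CrlInfo struct is bounded by the source size, `sizeof(entry->crlNumber)`, while InitCRL_Entry in the first hunk correctly bounds by the destination; both arrays are CRL_MAX_NUM_HEX_STR_SZ today, but CrlInfo lives in the public header and the internal structs elsewhere, so a future divergence would overrun info->crlNumber silently. Prefer the destination size in both places, `XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(info->crlNumber));`, or add a static assert that the two sizes match. The CompareCRLnumber hunk only renames the bit-width expression and looks fine; that function continues past the hunk.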


@@ -31518,6 +31518,58 @@ static int test_wolfSSL_CTX_LoadCRL(void)
return EXPECT_RESULT();
}
static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
{
EXPECT_DECLS;
#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
defined(HAVE_CRL_UPDATE_CB)
WOLFSSL_CERT_MANAGER* cm = NULL;
const char* caCert = "./certs/ca-cert.pem";
const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
byte *crlLrgCrlNumBuff = NULL;
word32 crlLrgCrlNumSz;
CrlInfo crlInfo;
XFILE f;
word32 sz;
cm = wolfSSL_CertManagerNew();
ExpectNotNull(cm);
ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, caCert, NULL),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_lrgcrlnum,
WOLFSSL_FILETYPE_PEM),
WOLFSSL_SUCCESS);
AssertTrue((f = XFOPEN(crl_lrgcrlnum, "rb")) != XBADFILE);
AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0);
AssertIntGE(sz = (word32) XFTELL(f), 1);
AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0);
AssertTrue( \
(crlLrgCrlNumBuff =
(byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL);
AssertTrue(XFREAD(crlLrgCrlNumBuff, 1, sz, f) == sz);
XFCLOSE(f);
crlLrgCrlNumSz = sz;
AssertIntEQ(wolfSSL_CertManagerGetCRLInfo(
cm, &crlInfo, crlLrgCrlNumBuff, crlLrgCrlNumSz, WOLFSSL_FILETYPE_PEM),
WOLFSSL_SUCCESS);
AssertIntEQ(XMEMCMP(
crlInfo.crlNumber, exp_crlnum, XSTRLEN(exp_crlnum)), 0);
/* Expect to fail loading CRL because of >21 octets CRL number */
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_lrgcrlnum2,
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);
XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
wolfSSL_CertManagerFree(cm);
#endif
return EXPECT_RESULT();
}
#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
defined(HAVE_CRL_UPDATE_CB)
int crlUpdateTestStatus = 0;
@@ -31575,7 +31627,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen);
AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat);
AssertIntEQ(XMEMCMP(
crl1Info.crlNumber, old->crlNumber, CRL_MAX_NUM_SZ), 0);
crl1Info.crlNumber, old->crlNumber, sizeof(old->crlNumber)), 0);
AssertIntEQ(XMEMCMP(
crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0);
AssertIntEQ(XMEMCMP(
@@ -31590,7 +31642,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen);
AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat);
AssertIntEQ(XMEMCMP(
crlRevInfo.crlNumber, cnew->crlNumber, CRL_MAX_NUM_SZ), 0);
crlRevInfo.crlNumber, cnew->crlNumber, sizeof(cnew->crlNumber)), 0);
AssertIntEQ(XMEMCMP(
crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0);
AssertIntEQ(XMEMCMP(
@@ -42089,6 +42141,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_use_certificate_chain_file),
TEST_DECL(test_wolfSSL_CTX_trust_peer_cert),
TEST_DECL(test_wolfSSL_CTX_LoadCRL),
TEST_DECL(test_wolfSSL_CTX_LoadCRL_largeCRLnum),
TEST_DECL(test_wolfSSL_crl_update_cb),
TEST_DECL(test_wolfSSL_CTX_SetTmpDH_file),
TEST_DECL(test_wolfSSL_CTX_SetTmpDH_buffer),
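Review bot: In test_wolfSSL_CTX_LoadCRL_largeCRLnum the comment `/* Expect to fail loading CRL because of >21 octets CRL number */` does not match the fixture: the large_crlnum2.pem CRL number is 42 hex digits, i.e. exactly 21 octets, and it fails because that exceeds CRL_MAX_NUM_SZ (20); suggest `/* Expect failure: CRL number is 21 octets, over CRL_MAX_NUM_SZ (20) */`. The test also mixes aborting Assert* calls with the Expect* style used around them, so a failed XFOPEN/XMALLOC/GetCRLInfo assertion exits before XFREE and wolfSSL_CertManagerFree run; using ExpectTrue/ExpectIntEQ throughout keeps the cleanup path reachable and matches the rest of the file. Finally, the expected return is ASN_PARSE_E while the parser hunk in asn.c sets BUFFER_E for this condition, so the mapping presumably happens in a caller not shown here; a one-line comment naming where BUFFER_E becomes ASN_PARSE_E would save the next reader a trip.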


@@ -40772,6 +40772,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
word32* inOutIdx, word32 sz)
{
int length;
int needed;
word32 idx;
word32 ext_bound; /* boundary index for the sequence of extensions */
word32 oid;
@@ -40857,9 +40858,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
return ret;
}
else {
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
#ifdef MP_INT_SIZE_CHECK_NULL
if (m == NULL) {
@@ -40877,7 +40878,15 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
if (ret != MP_OKAY)
ret = BUFFER_E;
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
}
if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
@@ -40915,6 +40924,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
word32 maxIdx)
{
DECL_ASNGETDATA(dataASN, certExtASN_Length);
int needed;
int ret = 0;
/* Track if we've seen these extensions already */
word32 seenAuthKey = 0;
@@ -40975,9 +40985,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
#endif
}
else if (oid == CRL_NUMBER_OID) {
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
#ifdef MP_INT_SIZE_CHECK_NULL
@@ -40994,7 +41004,15 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
if (ret == 0) {
ret = GetInt(m, buf, &localIdx, maxIdx);
}
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
}
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
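Review bot: The new size check in both ParseCRL_Extensions variants is not gated on the preceding GetInt result, so when the integer failed to parse the original `ret` is overwritten with BUFFER_E whenever the partially read `m` happens to be large; gating it, `if (ret == MP_OKAY && (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||` in the first variant and `ret == 0 &&` in the second, preserves the real error. The second clause, `(needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ`, is implied by the first given the definition in asn.h, so either drop it or say in the comment that it only guards against the two macros diverging. Note that the bound is on the magnitude (mp_unsigned_bin_size) rather than on the DER INTEGER length, which is why the 0xD8... fixture with its top bit set still passes; stating that in the comment avoids a later "correction" to the encoded length that would break the test. Both functions begin and end outside the hunks shown.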


@@ -2499,7 +2499,7 @@ struct CRL_Entry {
/* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex
* as the marker because clang-tidy doesn't like taking the sizeof a
* pointer. */
byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */
byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */
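Review bot: The member comment still reads `/* CRL number extension */` although the field now holds text rather than raw octets; suggest `char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number as NUL-terminated hex string */`. The comment just above says DupCRL_Entry copies everything after verifyMutex, so growing this member from 20 to CRL_MAX_NUM_HEX_STR_SZ bytes changes the span that copy covers; presumably DupCRL_Entry derives the length from sizeof and needs no change, but that is not visible here and is worth confirming. The struct continues outside the hunk.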


@@ -3795,7 +3795,7 @@ typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz);
#ifdef HAVE_CRL_UPDATE_CB
typedef struct CrlInfo {
byte crlNumber[CRL_MAX_NUM_SZ];
char crlNumber[CRL_MAX_NUM_HEX_STR_SZ];
byte *issuerHash;
word32 issuerHashLen;
byte *lastDate;
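Review bot: CrlInfo is a public type handed to HAVE_CRL_UPDATE_CB callbacks, and changing crlNumber from byte[CRL_MAX_NUM_SZ] to char[CRL_MAX_NUM_HEX_STR_SZ] moves the offset of issuerHash and every later member, so callback code built against the old header would read the wrong fields; this is an ABI change that should be noted in the release notes alongside the overflow fix. The member also has no comment describing its format; suggest `char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* NUL-terminated hex string */` so callers stop treating it as raw octets. The typedef continues outside the hunk.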


@@ -2693,6 +2693,8 @@ struct RevokedCert {
#define CRL_MAX_NUM_SZ 20 /* RFC5280 states that CRL number can be up to 20 */
#endif /* octets long */
#define CRL_MAX_NUM_HEX_STR_SZ (CRL_MAX_NUM_SZ * 2 + 1)
#define CRL_MAX_NUM_SZ_BITS (CRL_MAX_NUM_SZ * CHAR_BIT)
typedef struct DecodedCRL DecodedCRL;
@@ -2706,7 +2708,7 @@ struct DecodedCRL {
word32 sigParamsLength; /* length of signature parameters */
#endif
byte* signature; /* pointer into raw source, not owned */
byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */
byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */
byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
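Review bot: The two new macros carry no comment while the CRL_MAX_NUM_SZ they derive from does; suggest `#define CRL_MAX_NUM_HEX_STR_SZ (CRL_MAX_NUM_SZ * 2 + 1) /* hex digits + NUL */` and `#define CRL_MAX_NUM_SZ_BITS (CRL_MAX_NUM_SZ * CHAR_BIT) /* mp_int size for the CRL number */`. CRL_MAX_NUM_SZ_BITS expands to CHAR_BIT, so every user of the macro needs <limits.h> in scope; the current users in asn.c and crl.c already used CHAR_BIT before this change, but nothing visible shows asn.h including it itself, which is worth checking. The DecodedCRL member comment could likewise say `/* CRL number as NUL-terminated hex string */` now that it is a char array; the struct continues outside the hunk.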