Merge pull request #9873 from miyazakh/fix_larger_crlnum

fix larger (>57 octets) CRL number
This commit is contained in:
Daniel Pouzzner
2026-03-06 22:49:03 -06:00
committed by GitHub
6 changed files with 139 additions and 24 deletions
+44
@@ -0,0 +1,44 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Last Update: Mar 5 05:15:20 2026 GMT
Next Update: Nov 29 05:15:20 2028 GMT
CRL extensions:
X509v3 CRL Number:
0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 5 05:15:20 2026 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d:
43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06:
3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60:
8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3:
e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9:
ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37:
1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b:
73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9:
b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a:
4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e:
ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42:
05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e:
1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02:
c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37:
16:42:e0:c1
-----BEGIN X509 CRL-----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-----END X509 CRL-----
+44
@@ -0,0 +1,44 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Last Update: Mar 5 05:15:20 2026 GMT
Next Update: Nov 29 05:15:20 2028 GMT
CRL extensions:
X509v3 CRL Number:
0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 5 05:15:20 2026 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57:
e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79:
8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f:
9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23:
01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65:
7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0:
ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e:
ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54:
da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e:
98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af:
22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8:
21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99:
08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64:
38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9:
c7:00:df:81
-----BEGIN X509 CRL-----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-----END X509 CRL-----
+22 -1
@@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
check_result $?
# metadata
echo "Step 30"
echo "Step 31"
openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
check_result $?
mv tmp extra-crls/large_crlnum2.pem
@@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
check_result $?
mv tmp ../ocsp/root-ca-crl.pem
echo "Step 33 larger CRL number( 57 octets )"
python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 34"
openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
check_result $?
mv tmp extra-crls/crlnum_57oct.pem
echo "Step 35 larger CRL number( 64 octets )"
python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 36"
openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
check_result $?
mv tmp extra-crls/crlnum_64oct.pem
exit 0
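Review bot: The trailing comments on the two new `crlnumber` lines misstate the byte value: `print('4' * 114)` produces 57 octets of 0x44, not 0x41, which matches the `0x4444…` CRL Number shown in the generated fixtures above. Suggest `# '4' * 114 hex chars = 57 octets of 0x44` for Step 33 and `# '4' * 128 hex chars = 64 octets of 0x44` for Step 35. Since the api.c hunk expects both files to be rejected, a one-line comment naming the limit they are meant to exceed (CRL_MAX_NUM_SZ) would tell whoever regenerates the certs why 57 and 64 were chosen; I cannot see the value of that limit from this page, so the comment should be written against the header definition.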
+3 -1
@@ -24,7 +24,9 @@ EXTRA_DIST += \
certs/crl/extra-crls/ca-int-cert-revoked.pem \
certs/crl/extra-crls/general-server-crl.pem \
certs/crl/extra-crls/large_crlnum.pem \
certs/crl/extra-crls/large_crlnum2.pem
certs/crl/extra-crls/large_crlnum2.pem \
certs/crl/extra-crls/crlnum_57oct.pem \
certs/crl/extra-crls/crlnum_64oct.pem
# Intermediate cert CRL's
EXTRA_DIST += \
+11
@@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
const char* caCert = "./certs/ca-cert.pem";
const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
byte *crlLrgCrlNumBuff = NULL;
word32 crlLrgCrlNumSz;
@@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);
/* Expect to fail loading CRL because of >57 octets CRL number */
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);
/* Expect to fail loading CRL because of >64 octets CRL number */
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);
XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
wolfSSL_CertManagerFree(cm);
#endif
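Review bot: The comments above the two new ExpectIntEQ calls say ">57 octets" and ">64 octets", but the fixtures hold exactly 57 and 64 octets (114 and 128 hex digits of '4', per the generator script and the CRL text on this page), so the comments overstate what is exercised; suggest `/* Expect failure: 57-octet CRL number exceeds CRL_MAX_NUM_SZ */` and the same wording for 64. Both calls expect ASN_PARSE_E while the asn.c hunk sets BUFFER_E on the oversize path, so the error is presumably remapped in the CRL loading code — worth confirming that the test pins the error callers actually see rather than a generic parse failure. If the boundary itself is not already covered by the existing large_crlnum fixtures (I cannot tell from this hunk), a CRL at exactly CRL_MAX_NUM_SZ octets that loads successfully would make the limit regression-proof in both directions. test_wolfSSL_CTX_LoadCRL_largeCRLnum continues past the end of the hunk.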
+15 -22
@@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
word32* inOutIdx, word32 sz)
{
int length;
int needed;
word32 idx;
word32 ext_bound; /* boundary index for the sequence of extensions */
word32 oid;
@@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
WOLFSSL_MSG("\tcouldn't parse CRL number extension");
return ret;
}
else {
else if (length <= CRL_MAX_NUM_SZ) {
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
@@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
if (ret != MP_OKAY)
ret = BUFFER_E;
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
}
if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
@@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
if (ret != MP_OKAY)
return ret;
} else {
WOLFSSL_MSG("CRL number exceeds limitation");
ret = BUFFER_E;
}
}
}
@@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
word32 maxIdx)
{
DECL_ASNGETDATA(dataASN, certExtASN_Length);
int needed;
int ret = 0;
/* Track if we've seen these extensions already */
word32 seenAuthKey = 0;
@@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
}
if (ret == 0) {
ret = GetInt(m, buf, &localIdx, maxIdx);
}
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
int crlNumLen = 0;
word32 tmpIdx = localIdx;
ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation");
ret = BUFFER_E;
}
if (ret == 0) {
ret = GetInt(m, buf, &localIdx, maxIdx);
}
}
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)