Merge pull request #9873 from miyazakh/fix_larger_crlnum
fix larger (>57 octets) CRL number
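--- /dev/null
+++ b/certs/crl/extra-crls/crlnum_57oct.pem
@@ -0,0 +1,44 @@
+Certificate Revocation List (CRL):
+Version 2 (0x1)
+Signature Algorithm: sha256WithRSAEncryption
+Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+Last Update: Mar 5 05:15:20 2026 GMT
+Next Update: Nov 29 05:15:20 2028 GMT
+CRL extensions:
+X509v3 CRL Number:
+0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
+Revoked Certificates:
+Serial Number: 01
+Revocation Date: Mar 5 05:15:20 2026 GMT
+Signature Algorithm: sha256WithRSAEncryption
+Signature Value:
+2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d:
+43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06:
+3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60:
+8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3:
+e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9:
+ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37:
+1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b:
+73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9:
+b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a:
+4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e:
+ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42:
+05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e:
+1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02:
+c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37:
+16:42:e0:c1
+-----BEGIN X509 CRL-----
+MIICPTCCASUCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
+Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBGMEQwQgYDVR0U
+BDsCOURERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERDANBgkqhkiG9w0BAQsFAAOCAQEALTgsDie4Vd0MxRudE7lq
+xAVtQzdB7tfhXn8sPnIUnQvwifgGPHUhz4pdO1Y8xqmxVi6EwgVgi4Yz0Aurujef
+E6+hLkDGNfCz485AL0plK3KrVMJWt8qKVCLJutL7q/bhywWuJToRzr+bCpo3GgU+
+osSYaHF4cFjWa5OXNlR7cxwkWxmo9NrGc/FYGuZTDYjZuLHn9/YTTI2G11HIiZMf
+8OUKTAEhm63+7VsPd3GOO+w84Mk+7aAg+FFsvKlXJxP/HShwQc5CBZ/1H9RzE4nA
+njTRjxKdBysuHTu6XhhytxH3O1RZfYFXHyUCxeFYtfgB4GJtklC8xPkmTnI3FkLg
+wQ==
+-----END X509 CRL-----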
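--- /dev/null
+++ b/certs/crl/extra-crls/crlnum_64oct.pem
@@ -0,0 +1,44 @@
+Certificate Revocation List (CRL):
+Version 2 (0x1)
+Signature Algorithm: sha256WithRSAEncryption
+Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+Last Update: Mar 5 05:15:20 2026 GMT
+Next Update: Nov 29 05:15:20 2028 GMT
+CRL extensions:
+X509v3 CRL Number:
+0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
+Revoked Certificates:
+Serial Number: 01
+Revocation Date: Mar 5 05:15:20 2026 GMT
+Signature Algorithm: sha256WithRSAEncryption
+Signature Value:
+24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57:
+e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79:
+8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f:
+9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23:
+01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65:
+7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0:
+ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e:
+ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54:
+da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e:
+98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af:
+22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8:
+21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99:
+08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64:
+38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9:
+c7:00:df:81
+-----BEGIN X509 CRL-----
+MIICRDCCASwCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
+Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBNMEswSQYDVR0U
+BEICQERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+REREREREREREREREREREREREREQwDQYJKoZIhvcNAQELBQADggEBACQRuTrftQfQ
+lLcacxAC9hPFV+NIbuf8jMYHFQsh9Eth1B+YeY0C1rUw5XKFNqKPczKbbOFbD57p
+57oMovlOh4RA3UtdJuWHIwE+hzsZhqYlakhzHNWgVhpSZX6qALAqa86VzsBPfNfv
+eMJ4sM6tTwLizlbepUNbrXhap7yNbu+G4Z5HXOfIEoGNWmPEWiwgVNoef/AWyfX8
+mvrKA3OQOBHRDpg0hP5iHoogZu5ACfGNvLVSryK4p+UMpzjoSpwJmZWuz6KOqCHN
+Xpan6k+8pb43ocdbJz+1mQhiNX+YKiAnPsMbncJRZnzdZDiJ/In8wFT5DRZyRDwl
+PKOIuccA34E=
+-----END X509 CRL-----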
+22
-1
@@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
|
||||
check_result $?
|
||||
|
||||
# metadata
|
||||
echo "Step 30"
|
||||
echo "Step 31"
|
||||
openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
|
||||
check_result $?
|
||||
mv tmp extra-crls/large_crlnum2.pem
|
||||
@@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
|
||||
check_result $?
|
||||
mv tmp ../ocsp/root-ca-crl.pem
|
||||
|
||||
echo "Step 33 larger CRL number( 57 octets )"
|
||||
python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
|
||||
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
|
||||
check_result $?
|
||||
# metadata
|
||||
echo "Step 34"
|
||||
openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
|
||||
check_result $?
|
||||
mv tmp extra-crls/crlnum_57oct.pem
|
||||
|
||||
echo "Step 35 larger CRL number( 64 octets )"
|
||||
python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
|
||||
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
|
||||
check_result $?
|
||||
|
||||
# metadata
|
||||
echo "Step 36"
|
||||
openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
|
||||
check_result $?
|
||||
mv tmp extra-crls/crlnum_64oct.pem
|
||||
|
||||
exit 0
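Review bot: The comment on the Step 33 `crlnumber` line misstates the value it writes: `print('4' * 114)` emits 114 hex digits of `4`, which encodes 57 octets of 0x44, not 0x41, and the Step 35 line has the same slip for 128 digits (64 octets of 0x44). Suggest `# 57 octets of 0x44 -> 114 hex chars in crlnumber` and `# 64 octets of 0x44 -> 128 hex chars in crlnumber`. Both fixtures keep the high bit of the leading octet clear, so neither produces the DER sign-pad byte that a value with a leading `8`..`f` digit would carry; a third fixture at exactly the parser's limit with such a leading digit would pin that boundary, which the 57- and 64-octet cases do not reach. The `python3` call also adds an interpreter dependency that the surrounding openssl-only steps do not have, which may matter for the environments this script runs in.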
|
||||
|
||||
@@ -24,7 +24,9 @@ EXTRA_DIST += \
|
||||
certs/crl/extra-crls/ca-int-cert-revoked.pem \
|
||||
certs/crl/extra-crls/general-server-crl.pem \
|
||||
certs/crl/extra-crls/large_crlnum.pem \
|
||||
certs/crl/extra-crls/large_crlnum2.pem
|
||||
certs/crl/extra-crls/large_crlnum2.pem \
|
||||
certs/crl/extra-crls/crlnum_57oct.pem \
|
||||
certs/crl/extra-crls/crlnum_64oct.pem
|
||||
|
||||
# Intermediate cert CRL's
|
||||
EXTRA_DIST += \
|
||||
|
||||
+11
@@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
|
||||
const char* caCert = "./certs/ca-cert.pem";
|
||||
const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
|
||||
const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
|
||||
const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
|
||||
const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
|
||||
const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
|
||||
byte *crlLrgCrlNumBuff = NULL;
|
||||
word32 crlLrgCrlNumSz;
|
||||
@@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
|
||||
WOLFSSL_FILETYPE_PEM),
|
||||
ASN_PARSE_E);
|
||||
|
||||
/* Expect to fail loading CRL because of >57 octets CRL number */
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
|
||||
WOLFSSL_FILETYPE_PEM),
|
||||
ASN_PARSE_E);
|
||||
/* Expect to fail loading CRL because of >64 octets CRL number */
|
||||
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
|
||||
WOLFSSL_FILETYPE_PEM),
|
||||
ASN_PARSE_E);
|
||||
|
||||
XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
|
||||
wolfSSL_CertManagerFree(cm);
|
||||
#endif
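Review bot: The two new comments say the load should fail because of a `>57 octets` and a `>64 octets` CRL number, but the fixtures hold exactly 57 and 64 octets (114 and 128 hex digits per gen-crls.sh), and both are rejected because either exceeds the parser's `CRL_MAX_NUM_SZ`; the comment should name the limit rather than the fixture size, e.g. `/* Expect to fail: 57-octet CRL number exceeds CRL_MAX_NUM_SZ */` and the same form for the 64-octet case. The parser sets `BUFFER_E` on the oversized-number path while these expectations are `ASN_PARSE_E`, matching the existing `large_crlnum` cases above, so the code is presumably mapped by the caller — worth confirming rather than inheriting from the earlier cases. test_wolfSSL_CTX_LoadCRL_largeCRLnum begins before this hunk.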
|
||||
|
||||
+15
-22
@@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
|
||||
word32* inOutIdx, word32 sz)
|
||||
{
|
||||
int length;
|
||||
int needed;
|
||||
word32 idx;
|
||||
word32 ext_bound; /* boundary index for the sequence of extensions */
|
||||
word32 oid;
|
||||
@@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
|
||||
WOLFSSL_MSG("\tcouldn't parse CRL number extension");
|
||||
return ret;
|
||||
}
|
||||
else {
|
||||
else if (length <= CRL_MAX_NUM_SZ) {
|
||||
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
|
||||
CRL_MAX_NUM_SZ_BITS);
|
||||
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
|
||||
@@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
|
||||
|
||||
if (ret != MP_OKAY)
|
||||
ret = BUFFER_E;
|
||||
/* Check CRL number size
|
||||
* if it exceeds CRL_MAX_NUM_SZ(octets)
|
||||
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
|
||||
*/
|
||||
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
|
||||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
|
||||
WOLFSSL_MSG("CRL number exceeds limitation.");
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
|
||||
if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
|
||||
MP_RADIX_HEX) != MP_OKAY)
|
||||
ret = BUFFER_E;
|
||||
@@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
|
||||
|
||||
if (ret != MP_OKAY)
|
||||
return ret;
|
||||
} else {
|
||||
WOLFSSL_MSG("CRL number exceeds limitation");
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
|
||||
word32 maxIdx)
|
||||
{
|
||||
DECL_ASNGETDATA(dataASN, certExtASN_Length);
|
||||
int needed;
|
||||
int ret = 0;
|
||||
/* Track if we've seen these extensions already */
|
||||
word32 seenAuthKey = 0;
|
||||
@@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
ret = GetInt(m, buf, &localIdx, maxIdx);
|
||||
}
|
||||
/* Check CRL number size
|
||||
* if it exceeds CRL_MAX_NUM_SZ(octets)
|
||||
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
|
||||
*/
|
||||
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
|
||||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
|
||||
WOLFSSL_MSG("CRL number exceeds limitation.");
|
||||
ret = BUFFER_E;
|
||||
int crlNumLen = 0;
|
||||
word32 tmpIdx = localIdx;
|
||||
ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
|
||||
if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
|
||||
WOLFSSL_MSG("CRL number exceeds limitation");
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
if (ret == 0) {
|
||||
ret = GetInt(m, buf, &localIdx, maxIdx);
|
||||
}
|
||||
}
|
||||
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
|
||||
MP_RADIX_HEX) != MP_OKAY)
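Review bot: The new pre-check in the template path drops the removed four-line comment without replacing it, so the reason the INTEGER length is read into `crlNumLen` through a scratch `tmpIdx` before `GetInt()` is no longer stated; a comment such as `/* Bound the INTEGER length before GetInt() so an oversized CRL number never reaches the mp_int sized for CRL_MAX_NUM_SZ_BITS */` above the `GetASNInt` call would carry it. Whether `GetASNInt` reports the length after dropping a leading 0x00 sign-pad byte is not visible here; if it does not, a 20-octet value with the high bit set (21 DER bytes) is rejected although its magnitude is within the limit — confirm against `GetASNInt`. The removed `(needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ` guard protected the `mp_toradix` write into `dcrl->crlNumber`; dropping it is only safe if `CRL_MAX_NUM_HEX_STR_SZ` is at least `2 * CRL_MAX_NUM_SZ + 1`, which this diff does not show. The same bound and message now appear in the non-template branch at `else if (length <= CRL_MAX_NUM_SZ)`, so a small shared helper would keep the two paths from drifting. ParseCRL_Extensions continues outside the hunk.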
|
||||
|
||||