From d58acef8952ab1afaf390fb395af5467acd4859a Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 5 Jan 2024 14:47:53 -0800
Subject: [PATCH] add RSA-PSS CRL test case
---
 certs/crl/crl_rsapss.pem | 16 ++++++++++++++++
 certs/crl/gencrls.sh | 4 ++++
 certs/renewcerts.sh | 1 +
 tests/api.c | 16 ++++++++++++++++
 4 files changed, 37 insertions(+)
 create mode 100644 certs/crl/crl_rsapss.pem
diff --git a/certs/crl/crl_rsapss.pem b/certs/crl/crl_rsapss.pem
new file mode 100644
index 000000000..d98db4108
--- /dev/null
+++ b/certs/crl/crl_rsapss.pem
@@ -0,0 +1,16 @@
+-----BEGIN X509 CRL-----
+MIICbjCCASYCAQEwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAYBgkq
+hkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASAwgZ0xCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRgwFgYDVQQKDA93b2xmU1NM
+X1JTQS1QU1MxFTATBgNVBAsMDFJvb3QtUlNBLVBTUzEYMBYGA1UEAwwPd3d3Lndv
+bGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNDAx
+MDUyMjM0MDNaFw0yNjEwMDEyMjM0MDNaMBQwEgIBAhcNMjQwMTA1MjIzNDAzWqAO
+MAwwCgYDVR0UBAMCAQMwPQYJKoZIhvcNAQEKMDCgDTALBglghkgBZQMEAgGhGjAY
+BgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogMCASADggEBADcOR4Ay7OIHoQeH9AJ9
+y26uPqALflnmCTv8uUKkPhWvPoXZpAF7Sq0xCFAyYxbEtonLV0yQMWlPJWYtr3w8
+R6GIa+9A2iFR0MiDD/pppgIem+aP2DK72HObH96CgM5vRLlQ3ti8g72wfVVTZdi5
+G6QX1tZH8M8FMRcGyyiFeMaA1fLVry0uAyer9bIqPQ1JZ7VE1GzFnVByQ+BtPK8b
+8OSIZud1VvxgETKYkRjvzA+fOwz/J4sum2MS4oLMXZ4DOt3RKDzqXc8o5NpZGOah
+ViGgZLWhsCeuBqmJV9+gHJUDv4EFnE4UE6U75qZvkKgSvYxNL7u9sNSU8tu7a+Ay
+oxw=
+-----END X509 CRL-----
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index e509d9623..bb48b5387 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -56,6 +56,10 @@ echo "Step 3"
 openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
 check_result $?
+echo "Step 3 RSA-PSS"
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out crl_rsapss.pem -keyfile ../rsapss/root-rsapss-priv.pem -cert ../rsapss/root-rsapss.pem
+check_result $?
+
 # metadata
 echo "Step 4"
 openssl crl -in crl.pem -text > tmp
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index a25385d54..5485656b6 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -838,6 +838,7 @@ run_renewcerts(){
 cd ./crl || { echo "Failed to switch to dir ./crl"; exit 1; }
 echo "changed directory: cd/crl"
 echo ""
+ # has dependency on rsapss generation (rsapss should be ran first)
 ./gencrls.sh
 check_result $? "gencrls.sh"
 echo "ran ./gencrls.sh"
diff --git a/tests/api.c b/tests/api.c
index 5641c939c..194a3607b 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -3044,6 +3044,10 @@ static int test_wolfSSL_CertManagerCRL(void)
 const char* ca_cert = "./certs/ca-cert.pem";
 const char* crl1 = "./certs/crl/crl.pem";
 const char* crl2 = "./certs/crl/crl2.pem";
+#ifdef WC_RSA_PSS
+ const char* crl_rsapss = "./certs/crl/crl_rsapss.pem";
+ const char* ca_rsapss = "certs/rsapss/root-rsapss.pem";
+#endif
 const unsigned char crl_buff[] = { 0x30, 0x82, 0x02, 0x04, 0x30, 0x81, 0xed, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
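Review bot: The new `openssl ca -gencrl` step signs with the RSA-PSS root key but reuses `../renewcerts/wolfssl.cnf`, so it presumably also reuses that config's `ca` database (index and crlnumber); the revocation entries in crl_rsapss.pem would then be whatever that shared database lists, not certificates issued by the RSA-PSS CA. That is harmless while tests/api.c only checks that the CRL verifies against root-rsapss.pem, but it is worth stating so nobody later relies on a specific revoked serial, e.g. `# NOTE: shares the ca database used for crl.pem; entries are not RSA-PSS-issued certs`. The step also fails outright when ../rsapss/ has not been regenerated yet, and only renewcerts.sh documents that ordering; a guard such as `[ -f ../rsapss/root-rsapss-priv.pem ] || { echo "run rsapss generation first"; exit 1; }` ahead of the command would make the dependency self-checking instead of surfacing as a generic openssl error through `check_result`.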
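Review bot: `ca_rsapss` is the only path in this group written without the `./` prefix (`"certs/rsapss/root-rsapss.pem"` next to `"./certs/crl/crl_rsapss.pem"`); it resolves the same way, but the inconsistency reads like a typo, so `const char* ca_rsapss = "./certs/rsapss/root-rsapss.pem";` would match its neighbours. The two declarations are guarded by `#ifdef WC_RSA_PSS` while their only use in the later hunk is guarded by `!defined(NO_FILESYSTEM) && defined(WC_RSA_PSS)`; unless the enclosing function's `#if` (which starts outside this hunk) already excludes NO_FILESYSTEM, a NO_FILESYSTEM plus WC_RSA_PSS build gets two unused-variable warnings, and using the same condition on both guards removes the question.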
@@ -3199,6 +3203,18 @@ static int test_wolfSSL_CertManagerCRL(void)
 ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crl_buff, sizeof(crl_buff), WOLFSSL_FILETYPE_ASN1), 1);
+#if !defined(NO_FILESYSTEM) && defined(WC_RSA_PSS)
+ /* loading should fail without the CA set */
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
+ WOLFSSL_FILETYPE_PEM), ASN_CRL_NO_SIGNER_E);
+
+ /* now successfully load the RSA-PSS crl once loading in it's CA */
+ ExpectIntEQ(WOLFSSL_SUCCESS,
+ wolfSSL_CertManagerLoadCA(cm, ca_rsapss, NULL));
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_rsapss,
+ WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+#endif
+
 wolfSSL_CertManagerFree(cm);
 #endif
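Review bot: The negative case only proves that a CRL whose issuer is absent from the store is rejected (`ASN_CRL_NO_SIGNER_E`); nothing here exercises an RSA-PSS signature check failing, so a verifier that accepted any PSS signature once the CA is present would still pass this test. A cheap addition after the successful load is to read crl_rsapss.pem into a buffer, alter one byte inside the signature value, and assert `ExpectIntNE(wolfSSL_CertManagerLoadCRLBuffer(cm, buf, sz, WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS)`; with the CA loaded, a signature-verification error is the expected outcome (I have not checked which specific error code that path returns). Two smaller points: the second comment should read `/* now successfully load the RSA-PSS CRL once its CA is loaded */` (`it's`), and `ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CertManagerLoadCA(...))` reverses the actual/expected argument order used by the surrounding `ExpectIntEQ(call, value)` checks. Loading ca_rsapss also changes the trust store of the shared `cm` for anything that follows in test_wolfSSL_CertManagerCRL, whose body continues outside this hunk.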