diff --git a/certs/crl/extra-crls/crlnum_57oct.pem b/certs/crl/extra-crls/crlnum_57oct.pem
new file mode 100644
index 00000000000..b112523afec
--- /dev/null
+++ b/certs/crl/extra-crls/crlnum_57oct.pem
@@ -0,0 +1,44 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com + Last Update: Mar 5 05:15:20 2026 GMT + Next Update: Nov 29 05:15:20 2028 GMT + CRL extensions: + X509v3 CRL Number: + 0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444 +Revoked Certificates: + Serial Number: 01 + Revocation Date: Mar 5 05:15:20 2026 GMT + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d: + 43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06: + 3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60: + 8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3: + e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9: + ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37: + 1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b: + 73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9: + b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a: + 4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e: + ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42: + 05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e: + 1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02: + c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37: + 16:42:e0:c1 +-----BEGIN X509 CRL----- +MIICPTCCASUCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa +Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBGMEQwQgYDVR0U +BDsCOURERERERERERERERERERERERERERERERERERERERERERERERERERERERERE +RERERERERERERERERDANBgkqhkiG9w0BAQsFAAOCAQEALTgsDie4Vd0MxRudE7lq +xAVtQzdB7tfhXn8sPnIUnQvwifgGPHUhz4pdO1Y8xqmxVi6EwgVgi4Yz0Aurujef 
+E6+hLkDGNfCz485AL0plK3KrVMJWt8qKVCLJutL7q/bhywWuJToRzr+bCpo3GgU+
+osSYaHF4cFjWa5OXNlR7cxwkWxmo9NrGc/FYGuZTDYjZuLHn9/YTTI2G11HIiZMf
+8OUKTAEhm63+7VsPd3GOO+w84Mk+7aAg+FFsvKlXJxP/HShwQc5CBZ/1H9RzE4nA
+njTRjxKdBysuHTu6XhhytxH3O1RZfYFXHyUCxeFYtfgB4GJtklC8xPkmTnI3FkLg
+wQ==
+-----END X509 CRL-----
diff --git a/certs/crl/extra-crls/crlnum_64oct.pem b/certs/crl/extra-crls/crlnum_64oct.pem
new file mode 100644
index 00000000000..1e0bb6205c3
--- /dev/null
+++ b/certs/crl/extra-crls/crlnum_64oct.pem
@@ -0,0 +1,44 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com + Last Update: Mar 5 05:15:20 2026 GMT + Next Update: Nov 29 05:15:20 2028 GMT + CRL extensions: + X509v3 CRL Number: + 0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444 +Revoked Certificates: + Serial Number: 01 + Revocation Date: Mar 5 05:15:20 2026 GMT + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57: + e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79: + 8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f: + 9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23: + 01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65: + 7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0: + ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e: + ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54: + da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e: + 98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af: + 22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8: + 21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99: + 08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64: + 38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9: + c7:00:df:81 +-----BEGIN X509 CRL----- +MIICRDCCASwCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa +Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBNMEswSQYDVR0U +BEICQERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE +REREREREREREREREREREREREREQwDQYJKoZIhvcNAQELBQADggEBACQRuTrftQfQ 
+lLcacxAC9hPFV+NIbuf8jMYHFQsh9Eth1B+YeY0C1rUw5XKFNqKPczKbbOFbD57p
+57oMovlOh4RA3UtdJuWHIwE+hzsZhqYlakhzHNWgVhpSZX6qALAqa86VzsBPfNfv
+eMJ4sM6tTwLizlbepUNbrXhap7yNbu+G4Z5HXOfIEoGNWmPEWiwgVNoef/AWyfX8
+mvrKA3OQOBHRDpg0hP5iHoogZu5ACfGNvLVSryK4p+UMpzjoSpwJmZWuz6KOqCHN
+Xpan6k+8pb43ocdbJz+1mQhiNX+YKiAnPsMbncJRZnzdZDiJ/In8wFT5DRZyRDwl
+PKOIuccA34E=
+-----END X509 CRL-----
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index 43339df9464..70da1543e8e 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
 check_result $?
 # metadata
-echo "Step 30"
+echo "Step 31"
 openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
 check_result $?
 mv tmp extra-crls/large_crlnum2.pem
@@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
 check_result $?
 mv tmp ../ocsp/root-ca-crl.pem
+echo "Step 33 larger CRL number( 57 octets )"
+python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+# metadata
+echo "Step 34"
+openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
+check_result $?
+mv tmp extra-crls/crlnum_57oct.pem
+
+echo "Step 35 larger CRL number( 64 octets )"
+python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 36"
+openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
+check_result $?
+mv tmp extra-crls/crlnum_64oct.pem
+
 exit 0
diff --git a/certs/crl/include.am b/certs/crl/include.am
index f3ca111ecf2..ec1b15d9d31 100644
--- a/certs/crl/include.am
+++ b/certs/crl/include.am
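Review bot: The inline comments on the two new `python3 -c "print('4' * ...)" > crlnumber` lines say `0x41`, but the character written is '4', so every CRL-number octet is 0x44 (0x41 would be 'A'), and the committed crlnum_57oct.pem and crlnum_64oct.pem do show `0x4444…` in their text dumps; suggest `# 57 octets of 0x44 = 114 hex chars in crlnumber` and `# 64 octets of 0x44 = 128 hex chars in crlnumber`. The two steps are also laid out differently (Step 35 puts a blank line before `# metadata`, Step 33 does not), so aligning them would help whoever adds Step 37. If python3 is not already a dependency of this script, the repeated-digit literal could equally be produced with the shell's own `printf`, but that is cosmetic.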
@@ -24,7 +24,9 @@ EXTRA_DIST += \
 certs/crl/extra-crls/ca-int-cert-revoked.pem \
 certs/crl/extra-crls/general-server-crl.pem \
 certs/crl/extra-crls/large_crlnum.pem \
- certs/crl/extra-crls/large_crlnum2.pem
+ certs/crl/extra-crls/large_crlnum2.pem \
+ certs/crl/extra-crls/crlnum_57oct.pem \
+ certs/crl/extra-crls/crlnum_64oct.pem
 # Intermediate cert CRL's
 EXTRA_DIST += \
diff --git a/tests/api.c b/tests/api.c
index e3f5250422e..a4e09ab0951 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
 const char* caCert = "./certs/ca-cert.pem";
 const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
 const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
+ const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
+ const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
 const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
 byte *crlLrgCrlNumBuff = NULL;
 word32 crlLrgCrlNumSz;
@@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
 WOLFSSL_FILETYPE_PEM),
 ASN_PARSE_E);
+ /* Expect to fail loading CRL because of >57 octets CRL number */
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
+ WOLFSSL_FILETYPE_PEM),
+ ASN_PARSE_E);
+ /* Expect to fail loading CRL because of >64 octets CRL number */
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
+ WOLFSSL_FILETYPE_PEM),
+ ASN_PARSE_E);
+
 XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
 wolfSSL_CertManagerFree(cm);
 #endif
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 78644c263aa..bfa90e54233 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 word32* inOutIdx, word32 sz)
 {
 int length;
- int needed;
 word32 idx;
 word32 ext_bound; /* boundary index for the sequence of extensions */
 word32 oid;
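Review bot: The comments `/* Expect to fail loading CRL because of >57 octets CRL number */` and the `>64 octets` twin in the second tests/api.c hunk misstate the fixtures: crlnum_57oct.pem carries exactly 57 octets and crlnum_64oct.pem exactly 64, and both are rejected because they exceed `CRL_MAX_NUM_SZ`, not a 57- or 64-octet limit; suggest `/* 57-octet CRL number exceeds CRL_MAX_NUM_SZ: expect load failure */` and the 64-octet counterpart. The asserted error is `ASN_PARSE_E` while the new asn.c checks set `BUFFER_E`, so the expectation presumably relies on a remap in the calling CRL parser (outside this diff); a one-line comment naming that would stop the assertion from looking inconsistent with the producer. The enclosing test_wolfSSL_CTX_LoadCRL_largeCRLnum starts and ends outside the hunk.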
@@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 WOLFSSL_MSG("\tcouldn't parse CRL number extension");
 return ret;
 }
- else {
+ else if (length <= CRL_MAX_NUM_SZ) {
 DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS, CRL_MAX_NUM_SZ_BITS);
 NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
@@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 if (ret != MP_OKAY)
 ret = BUFFER_E;
- /* Check CRL number size
- * if it exceeds CRL_MAX_NUM_SZ(octets)
- * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
- */
- if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
- ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
- WOLFSSL_MSG("CRL number exceeds limitation.");
- ret = BUFFER_E;
- }
+ if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_HEX) != MP_OKAY) ret = BUFFER_E;
@@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 if (ret != MP_OKAY)
 return ret;
+ } else {
+ WOLFSSL_MSG("CRL number exceeds limitation");
+ ret = BUFFER_E;
 }
 }
 }
@@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
 word32 maxIdx)
 {
 DECL_ASNGETDATA(dataASN, certExtASN_Length);
- int needed;
 int ret = 0;
 /* Track if we've seen these extensions already */
 word32 seenAuthKey = 0;
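Review bot: In the `@@ -41846` hunk the new `else` branch only sets `ret = BUFFER_E;` and falls through, whereas the sibling error path two lines above does `return ret;`; whether a fall-through BUFFER_E still reaches the caller depends on the loop tail and the function's final return (both outside the hunk), and if the loop merely advances to the next extension an oversize CRL number would be accepted on this non-template path even though tests/api.c expects a failure. Unless that propagation is confirmed, `return BUFFER_E;` in the new branch mirrors the existing handling. The condition added in the `@@ -41804` hunk, `else if (length <= CRL_MAX_NUM_SZ)`, also presumes `length` holds the INTEGER content length produced by the preceding parse (not visible here); a short comment such as `/* length: DER content length of the CRL number INTEGER */` would make that contract explicit. ParseCRL_Extensions starts and ends outside these hunks.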
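Review bot: Removing the `(needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ` check in the `@@ -41825` hunk means the `mp_toradix` write into `dcrl->crlNumber` is now bounded only by the octet pre-check `length <= CRL_MAX_NUM_SZ`, so the buffer bound silently depends on `CRL_MAX_NUM_HEX_STR_SZ` being at least `2 * CRL_MAX_NUM_SZ + 1` wherever those macros are defined (not in this diff); the template-path hunk at `@@ -41949` has the same reliance via `crlNumLen`. A compile-time assertion that `CRL_MAX_NUM_HEX_STR_SZ >= CRL_MAX_NUM_SZ * 2 + 1`, or at minimum a comment at the pre-check such as `/* <= CRL_MAX_NUM_SZ octets guarantees the hex form fits dcrl->crlNumber */`, would pin that invariant for both paths. In the `@@ -41949` hunk the INTEGER header is parsed twice (`GetASNInt` into `tmpIdx` as a length probe, then `GetInt`, which presumably re-reads the same header); that is fine, but a one-line comment saying the first call is only a length probe would keep it from being "simplified" away later.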
@@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
 }
 if (ret == 0) {
- ret = GetInt(m, buf, &localIdx, maxIdx);
- }
- /* Check CRL number size
- * if it exceeds CRL_MAX_NUM_SZ(octets)
- * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
- */
- if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
- ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
- WOLFSSL_MSG("CRL number exceeds limitation.");
- ret = BUFFER_E;
+ int crlNumLen = 0;
+ word32 tmpIdx = localIdx;
+ ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
+ if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
+ WOLFSSL_MSG("CRL number exceeds limitation");
+ ret = BUFFER_E;
+ }
+ if (ret == 0) {
+ ret = GetInt(m, buf, &localIdx, maxIdx);
+ }
 }
 if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_HEX) != MP_OKAY)