44 changes: 44 additions & 0 deletions certs/crl/extra-crls/crlnum_57oct.pem
@@ -0,0 +1,44 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Last Update: Mar 5 05:15:20 2026 GMT
Next Update: Nov 29 05:15:20 2028 GMT
CRL extensions:
X509v3 CRL Number:
0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 5 05:15:20 2026 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d:
43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06:
3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60:
8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3:
e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9:
ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37:
1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b:
73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9:
b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a:
4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e:
ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42:
05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e:
1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02:
c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37:
16:42:e0:c1
-----BEGIN X509 CRL-----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-----END X509 CRL-----
44 changes: 44 additions & 0 deletions certs/crl/extra-crls/crlnum_64oct.pem
@@ -0,0 +1,44 @@
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
Last Update: Mar 5 05:15:20 2026 GMT
Next Update: Nov 29 05:15:20 2028 GMT
CRL extensions:
X509v3 CRL Number:
0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
Revoked Certificates:
Serial Number: 01
Revocation Date: Mar 5 05:15:20 2026 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57:
e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79:
8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f:
9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23:
01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65:
7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0:
ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e:
ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54:
da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e:
98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af:
22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8:
21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99:
08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64:
38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9:
c7:00:df:81
-----BEGIN X509 CRL-----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-----END X509 CRL-----
23 changes: 22 additions & 1 deletion certs/crl/gencrls.sh
Expand Up @@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
check_result $?

# metadata
echo "Step 30"
echo "Step 31"
openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
check_result $?
mv tmp extra-crls/large_crlnum2.pem
Expand All @@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
check_result $?
mv tmp ../ocsp/root-ca-crl.pem

echo "Step 33 larger CRL number( 57 octets )"
python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?
# metadata
echo "Step 34"
openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
check_result $?
mv tmp extra-crls/crlnum_57oct.pem

echo "Step 35 larger CRL number( 64 octets )"
python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
check_result $?

# metadata
echo "Step 36"
openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
check_result $?
mv tmp extra-crls/crlnum_64oct.pem

exit 0
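Review bot: The inline comments on the two `python3 -c` lines say `0x41 * 57` and `0x41 * 64`, but `print('4' * 114)` writes the hex digits `44…4`, so the CRL number written to `crlnumber` is 57 (resp. 64) octets of `0x44`, as the generated crlnum_57oct.pem and crlnum_64oct.pem in this PR show. Change them to `# '4' * 114 hex chars = 57 octets of 0x44` and `# '4' * 128 hex chars = 64 octets of 0x44`. The step echo lines call the number "larger" without saying which limit it is meant to exceed; naming CRL_MAX_NUM_SZ in those comments would tell the next reader why 57 and 64 were chosen (the 64 case looks like the point where the old hex-string check used to fail, but that is inferred, not visible here). The `check_result $?` after the second `openssl ca` is followed by a blank line where the 57-octet block has none; harmless, but the two blocks are otherwise meant to be parallel.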
4 changes: 3 additions & 1 deletion certs/crl/include.am
Expand Up @@ -24,7 +24,9 @@ EXTRA_DIST += \
certs/crl/extra-crls/ca-int-cert-revoked.pem \
certs/crl/extra-crls/general-server-crl.pem \
certs/crl/extra-crls/large_crlnum.pem \
certs/crl/extra-crls/large_crlnum2.pem
certs/crl/extra-crls/large_crlnum2.pem \
certs/crl/extra-crls/crlnum_57oct.pem \
certs/crl/extra-crls/crlnum_64oct.pem

# Intermediate cert CRL's
EXTRA_DIST += \
11 changes: 11 additions & 0 deletions tests/api.c
Expand Up @@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
const char* caCert = "./certs/ca-cert.pem";
const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
byte *crlLrgCrlNumBuff = NULL;
word32 crlLrgCrlNumSz;
Expand Down Expand Up @@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);

/* Expect to fail loading CRL because of >57 octets CRL number */
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);
/* Expect to fail loading CRL because of >64 octets CRL number */
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
WOLFSSL_FILETYPE_PEM),
ASN_PARSE_E);

XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
wolfSSL_CertManagerFree(cm);
#endif
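Review bot: The comments on the two new ExpectIntEQ calls read `>57 octets` and `>64 octets`, but the fixtures carry CRL numbers of exactly 57 and 64 octets (crlnum_57oct.pem / crlnum_64oct.pem), and the limit they are meant to exceed is CRL_MAX_NUM_SZ, not 57 or 64. Suggest `/* Expect to fail: 57-octet CRL number exceeds CRL_MAX_NUM_SZ */` and `/* Expect to fail: 64-octet CRL number exceeds CRL_MAX_NUM_SZ */`. The asserted error is ASN_PARSE_E while the parser change in wolfcrypt/src/asn.c sets BUFFER_E; that matches the existing large_crlnum expectations just above, so the mapping presumably happens in the CRL loader, but a one-line comment saying so would save the next reader the detour. Since the asn.c checks now compare an encoded length rather than the magnitude, a positive case with a CRL number of exactly CRL_MAX_NUM_SZ octets (ideally one whose top octet has the high bit set) would pin the boundary; test_wolfSSL_CTX_LoadCRL_largeCRLnum starts and ends outside the hunk.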
37 changes: 15 additions & 22 deletions wolfcrypt/src/asn.c
Expand Up @@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
word32* inOutIdx, word32 sz)
{
int length;
int needed;
word32 idx;
word32 ext_bound; /* boundary index for the sequence of extensions */
word32 oid;
Expand Down Expand Up @@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
WOLFSSL_MSG("\tcouldn't parse CRL number extension");
return ret;
}
else {
else if (length <= CRL_MAX_NUM_SZ) {
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
CRL_MAX_NUM_SZ_BITS);
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
Expand All @@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,

if (ret != MP_OKAY)
ret = BUFFER_E;
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
}

if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
Expand All @@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,

if (ret != MP_OKAY)
return ret;
} else {
WOLFSSL_MSG("CRL number exceeds limitation");
ret = BUFFER_E;
}
}
}
Expand All @@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
word32 maxIdx)
{
DECL_ASNGETDATA(dataASN, certExtASN_Length);
int needed;
int ret = 0;
/* Track if we've seen these extensions already */
word32 seenAuthKey = 0;
Expand Down Expand Up @@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
}

if (ret == 0) {
ret = GetInt(m, buf, &localIdx, maxIdx);
}
/* Check CRL number size
* if it exceeds CRL_MAX_NUM_SZ(octets)
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
*/
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation.");
ret = BUFFER_E;
int crlNumLen = 0;
word32 tmpIdx = localIdx;
ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
WOLFSSL_MSG("CRL number exceeds limitation");
ret = BUFFER_E;
}
if (ret == 0) {
ret = GetInt(m, buf, &localIdx, maxIdx);
}
}
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
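Review bot: Dropping the `(needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ` test (removed in the third and last hunks) removes the only guard that tied the CRL number's octet length to the buffer `mp_toradix` writes into at `dcrl->crlNumber`; the new `length <= CRL_MAX_NUM_SZ` and `crlNumLen > CRL_MAX_NUM_SZ` checks are only sufficient if `CRL_MAX_NUM_HEX_STR_SZ >= 2 * CRL_MAX_NUM_SZ + 1` holds, which nothing in these hunks establishes. A compile-time assertion next to those two definitions, or at least a comment at the new check stating the relationship, would keep a later change to one constant from silently turning the radix conversion into an overflow. Separately, in the non-template version the new `else` branch sets `ret = BUFFER_E` without the `return ret;` its sibling branch uses at the `if (ret != MP_OKAY)` check above it; if the loop body that follows (outside the hunk) reassigns `ret`, the oversize number would be masked, and the new tests in tests/api.c presumably exercise only whichever of the two implementations is compiled. In that same branch `length` comes from the INTEGER header; if it still includes a leading 0x00 pad byte for values with the high bit set, a number of exactly CRL_MAX_NUM_SZ octets would now be rejected where the old magnitude check accepted it — worth confirming against GetASNInt's handling of the leading zero. Both ParseCRL_Extensions bodies start and end outside these hunks.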