Skip to content

Commit b3f08f3

Browse files
douzzerdouzzer
authored
Merge pull request wolfSSL#9873 from miyazakh/fix_larger_crlnum
fix lareger(>57 octets) CRL number
2 parents 04e2adc + f59b9fd commit b3f08f3

6 files changed

Lines changed: 139 additions & 24 deletions

File tree

certs/crl/extra-crls/crlnum_57oct.pem

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
Certificate Revocation List (CRL):
2+
Version 2 (0x1)
3+
Signature Algorithm: sha256WithRSAEncryption
4+
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
5+
Last Update: Mar 5 05:15:20 2026 GMT
6+
Next Update: Nov 29 05:15:20 2028 GMT
7+
CRL extensions:
8+
X509v3 CRL Number:
9+
0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
10+
Revoked Certificates:
11+
Serial Number: 01
12+
Revocation Date: Mar 5 05:15:20 2026 GMT
13+
Signature Algorithm: sha256WithRSAEncryption
14+
Signature Value:
15+
2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d:
16+
43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06:
17+
3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60:
18+
8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3:
19+
e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9:
20+
ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37:
21+
1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b:
22+
73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9:
23+
b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a:
24+
4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e:
25+
ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42:
26+
05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e:
27+
1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02:
28+
c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37:
29+
16:42:e0:c1
30+
-----BEGIN X509 CRL-----
31+
MIICPTCCASUCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
32+
VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
33+
aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
34+
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
35+
Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBGMEQwQgYDVR0U
36+
BDsCOURERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
37+
RERERERERERERERERDANBgkqhkiG9w0BAQsFAAOCAQEALTgsDie4Vd0MxRudE7lq
38+
xAVtQzdB7tfhXn8sPnIUnQvwifgGPHUhz4pdO1Y8xqmxVi6EwgVgi4Yz0Aurujef
39+
E6+hLkDGNfCz485AL0plK3KrVMJWt8qKVCLJutL7q/bhywWuJToRzr+bCpo3GgU+
40+
osSYaHF4cFjWa5OXNlR7cxwkWxmo9NrGc/FYGuZTDYjZuLHn9/YTTI2G11HIiZMf
41+
8OUKTAEhm63+7VsPd3GOO+w84Mk+7aAg+FFsvKlXJxP/HShwQc5CBZ/1H9RzE4nA
42+
njTRjxKdBysuHTu6XhhytxH3O1RZfYFXHyUCxeFYtfgB4GJtklC8xPkmTnI3FkLg
43+
wQ==
44+
-----END X509 CRL-----

certs/crl/extra-crls/crlnum_64oct.pem

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
Certificate Revocation List (CRL):
2+
Version 2 (0x1)
3+
Signature Algorithm: sha256WithRSAEncryption
4+
Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
5+
Last Update: Mar 5 05:15:20 2026 GMT
6+
Next Update: Nov 29 05:15:20 2028 GMT
7+
CRL extensions:
8+
X509v3 CRL Number:
9+
0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
10+
Revoked Certificates:
11+
Serial Number: 01
12+
Revocation Date: Mar 5 05:15:20 2026 GMT
13+
Signature Algorithm: sha256WithRSAEncryption
14+
Signature Value:
15+
24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57:
16+
e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79:
17+
8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f:
18+
9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23:
19+
01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65:
20+
7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0:
21+
ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e:
22+
ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54:
23+
da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e:
24+
98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af:
25+
22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8:
26+
21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99:
27+
08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64:
28+
38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9:
29+
c7:00:df:81
30+
-----BEGIN X509 CRL-----
31+
MIICRDCCASwCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
32+
VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
33+
aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
34+
MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
35+
Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBNMEswSQYDVR0U
36+
BEICQERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
37+
REREREREREREREREREREREREREQwDQYJKoZIhvcNAQELBQADggEBACQRuTrftQfQ
38+
lLcacxAC9hPFV+NIbuf8jMYHFQsh9Eth1B+YeY0C1rUw5XKFNqKPczKbbOFbD57p
39+
57oMovlOh4RA3UtdJuWHIwE+hzsZhqYlakhzHNWgVhpSZX6qALAqa86VzsBPfNfv
40+
eMJ4sM6tTwLizlbepUNbrXhap7yNbu+G4Z5HXOfIEoGNWmPEWiwgVNoef/AWyfX8
41+
mvrKA3OQOBHRDpg0hP5iHoogZu5ACfGNvLVSryK4p+UMpzjoSpwJmZWuz6KOqCHN
42+
Xpan6k+8pb43ocdbJz+1mQhiNX+YKiAnPsMbncJRZnzdZDiJ/In8wFT5DRZyRDwl
43+
PKOIuccA34E=
44+
-----END X509 CRL-----

certs/crl/gencrls.sh

Lines changed: 22 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
236236
check_result $?
237237

238238
# metadata
239-
echo "Step 30"
239+
echo "Step 31"
240240
openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
241241
check_result $?
242242
mv tmp extra-crls/large_crlnum2.pem
@@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
254254
check_result $?
255255
mv tmp ../ocsp/root-ca-crl.pem
256256

257+
echo "Step 33 larger CRL number( 57 octets )"
258+
python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
259+
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
260+
check_result $?
261+
# metadata
262+
echo "Step 34"
263+
openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
264+
check_result $?
265+
mv tmp extra-crls/crlnum_57oct.pem
266+
267+
echo "Step 35 larger CRL number( 64 octets )"
268+
python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
269+
openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
270+
check_result $?
271+
272+
# metadata
273+
echo "Step 36"
274+
openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
275+
check_result $?
276+
mv tmp extra-crls/crlnum_64oct.pem
277+
257278
exit 0

certs/crl/include.am

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,9 @@ EXTRA_DIST += \
2424
certs/crl/extra-crls/ca-int-cert-revoked.pem \
2525
certs/crl/extra-crls/general-server-crl.pem \
2626
certs/crl/extra-crls/large_crlnum.pem \
27-
certs/crl/extra-crls/large_crlnum2.pem
27+
certs/crl/extra-crls/large_crlnum2.pem \
28+
certs/crl/extra-crls/crlnum_57oct.pem \
29+
certs/crl/extra-crls/crlnum_64oct.pem
2830

2931
# Intermediate cert CRL's
3032
EXTRA_DIST += \

tests/api.c

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
2313623136
const char* caCert = "./certs/ca-cert.pem";
2313723137
const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
2313823138
const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
23139+
const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
23140+
const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
2313923141
const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
2314023142
byte *crlLrgCrlNumBuff = NULL;
2314123143
word32 crlLrgCrlNumSz;
@@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
2317223174
WOLFSSL_FILETYPE_PEM),
2317323175
ASN_PARSE_E);
2317423176

23177+
/* Expect to fail loading CRL because of >57 octets CRL number */
23178+
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
23179+
WOLFSSL_FILETYPE_PEM),
23180+
ASN_PARSE_E);
23181+
/* Expect to fail loading CRL because of >64 octets CRL number */
23182+
ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
23183+
WOLFSSL_FILETYPE_PEM),
23184+
ASN_PARSE_E);
23185+
2317523186
XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
2317623187
wolfSSL_CertManagerFree(cm);
2317723188
#endif

wolfcrypt/src/asn.c

Lines changed: 15 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
4171941719
word32* inOutIdx, word32 sz)
4172041720
{
4172141721
int length;
41722-
int needed;
4172341722
word32 idx;
4172441723
word32 ext_bound; /* boundary index for the sequence of extensions */
4172541724
word32 oid;
@@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
4180441803
WOLFSSL_MSG("\tcouldn't parse CRL number extension");
4180541804
return ret;
4180641805
}
41807-
else {
41806+
else if (length <= CRL_MAX_NUM_SZ) {
4180841807
DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
4180941808
CRL_MAX_NUM_SZ_BITS);
4181041809
NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
@@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
4182541824

4182641825
if (ret != MP_OKAY)
4182741826
ret = BUFFER_E;
41828-
/* Check CRL number size
41829-
* if it exceeds CRL_MAX_NUM_SZ(octets)
41830-
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
41831-
*/
41832-
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
41833-
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
41834-
WOLFSSL_MSG("CRL number exceeds limitation.");
41835-
ret = BUFFER_E;
41836-
}
41827+
4183741828
if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
4183841829
MP_RADIX_HEX) != MP_OKAY)
4183941830
ret = BUFFER_E;
@@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
4184641837

4184741838
if (ret != MP_OKAY)
4184841839
return ret;
41840+
} else {
41841+
WOLFSSL_MSG("CRL number exceeds limitation");
41842+
ret = BUFFER_E;
4184941843
}
4185041844
}
4185141845
}
@@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
4187141865
word32 maxIdx)
4187241866
{
4187341867
DECL_ASNGETDATA(dataASN, certExtASN_Length);
41874-
int needed;
4187541868
int ret = 0;
4187641869
/* Track if we've seen these extensions already */
4187741870
word32 seenAuthKey = 0;
@@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
4194941942
}
4195041943

4195141944
if (ret == 0) {
41952-
ret = GetInt(m, buf, &localIdx, maxIdx);
41953-
}
41954-
/* Check CRL number size
41955-
* if it exceeds CRL_MAX_NUM_SZ(octets)
41956-
* and CRL_MAX_NUM_HEX_STR_SZ(hex string)
41957-
*/
41958-
if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
41959-
((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
41960-
WOLFSSL_MSG("CRL number exceeds limitation.");
41961-
ret = BUFFER_E;
41945+
int crlNumLen = 0;
41946+
word32 tmpIdx = localIdx;
41947+
ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
41948+
if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
41949+
WOLFSSL_MSG("CRL number exceeds limitation");
41950+
ret = BUFFER_E;
41951+
}
41952+
if (ret == 0) {
41953+
ret = GetInt(m, buf, &localIdx, maxIdx);
41954+
}
4196241955
}
4196341956
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
4196441957
MP_RADIX_HEX) != MP_OKAY)

0 commit comments

Comments
 (0)