Merge pull request wolfSSL#9873 from miyazakh/fix_larger_crlnum

fix lareger(>57 octets) CRL number

Author: douzzer

certs/crl/extra-crls/crlnum_57oct.pem

@@ -0,0 +1,44 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+        Last Update: Mar  5 05:15:20 2026 GMT
+        Next Update: Nov 29 05:15:20 2028 GMT
+        CRL extensions:
+            X509v3 CRL Number: 
+                0x444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
+Revoked Certificates:
+    Serial Number: 01
+        Revocation Date: Mar  5 05:15:20 2026 GMT
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        2d:38:2c:0e:27:b8:55:dd:0c:c5:1b:9d:13:b9:6a:c4:05:6d:
+        43:37:41:ee:d7:e1:5e:7f:2c:3e:72:14:9d:0b:f0:89:f8:06:
+        3c:75:21:cf:8a:5d:3b:56:3c:c6:a9:b1:56:2e:84:c2:05:60:
+        8b:86:33:d0:0b:ab:ba:37:9f:13:af:a1:2e:40:c6:35:f0:b3:
+        e3:ce:40:2f:4a:65:2b:72:ab:54:c2:56:b7:ca:8a:54:22:c9:
+        ba:d2:fb:ab:f6:e1:cb:05:ae:25:3a:11:ce:bf:9b:0a:9a:37:
+        1a:05:3e:a2:c4:98:68:71:78:70:58:d6:6b:93:97:36:54:7b:
+        73:1c:24:5b:19:a8:f4:da:c6:73:f1:58:1a:e6:53:0d:88:d9:
+        b8:b1:e7:f7:f6:13:4c:8d:86:d7:51:c8:89:93:1f:f0:e5:0a:
+        4c:01:21:9b:ad:fe:ed:5b:0f:77:71:8e:3b:ec:3c:e0:c9:3e:
+        ed:a0:20:f8:51:6c:bc:a9:57:27:13:ff:1d:28:70:41:ce:42:
+        05:9f:f5:1f:d4:73:13:89:c0:9e:34:d1:8f:12:9d:07:2b:2e:
+        1d:3b:ba:5e:18:72:b7:11:f7:3b:54:59:7d:81:57:1f:25:02:
+        c5:e1:58:b5:f8:01:e0:62:6d:92:50:bc:c4:f9:26:4e:72:37:
+        16:42:e0:c1
+-----BEGIN X509 CRL-----
+MIICPTCCASUCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
+Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBGMEQwQgYDVR0U
+BDsCOURERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERDANBgkqhkiG9w0BAQsFAAOCAQEALTgsDie4Vd0MxRudE7lq
+xAVtQzdB7tfhXn8sPnIUnQvwifgGPHUhz4pdO1Y8xqmxVi6EwgVgi4Yz0Aurujef
+E6+hLkDGNfCz485AL0plK3KrVMJWt8qKVCLJutL7q/bhywWuJToRzr+bCpo3GgU+
+osSYaHF4cFjWa5OXNlR7cxwkWxmo9NrGc/FYGuZTDYjZuLHn9/YTTI2G11HIiZMf
+8OUKTAEhm63+7VsPd3GOO+w84Mk+7aAg+FFsvKlXJxP/HShwQc5CBZ/1H9RzE4nA
+njTRjxKdBysuHTu6XhhytxH3O1RZfYFXHyUCxeFYtfgB4GJtklC8xPkmTnI3FkLg
+wQ==
+-----END X509 CRL-----

certs/crl/extra-crls/crlnum_64oct.pem

@@ -0,0 +1,44 @@
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+        Last Update: Mar  5 05:15:20 2026 GMT
+        Next Update: Nov 29 05:15:20 2028 GMT
+        CRL extensions:
+            X509v3 CRL Number: 
+                0x44444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
+Revoked Certificates:
+    Serial Number: 01
+        Revocation Date: Mar  5 05:15:20 2026 GMT
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        24:11:b9:3a:df:b5:07:d0:94:b7:1a:73:10:02:f6:13:c5:57:
+        e3:48:6e:e7:fc:8c:c6:07:15:0b:21:f4:4b:61:d4:1f:98:79:
+        8d:02:d6:b5:30:e5:72:85:36:a2:8f:73:32:9b:6c:e1:5b:0f:
+        9e:e9:e7:ba:0c:a2:f9:4e:87:84:40:dd:4b:5d:26:e5:87:23:
+        01:3e:87:3b:19:86:a6:25:6a:48:73:1c:d5:a0:56:1a:52:65:
+        7e:aa:00:b0:2a:6b:ce:95:ce:c0:4f:7c:d7:ef:78:c2:78:b0:
+        ce:ad:4f:02:e2:ce:56:de:a5:43:5b:ad:78:5a:a7:bc:8d:6e:
+        ef:86:e1:9e:47:5c:e7:c8:12:81:8d:5a:63:c4:5a:2c:20:54:
+        da:1e:7f:f0:16:c9:f5:fc:9a:fa:ca:03:73:90:38:11:d1:0e:
+        98:34:84:fe:62:1e:8a:20:66:ee:40:09:f1:8d:bc:b5:52:af:
+        22:b8:a7:e5:0c:a7:38:e8:4a:9c:09:99:95:ae:cf:a2:8e:a8:
+        21:cd:5e:96:a7:ea:4f:bc:a5:be:37:a1:c7:5b:27:3f:b5:99:
+        08:62:35:7f:98:2a:20:27:3e:c3:1b:9d:c2:51:66:7c:dd:64:
+        38:89:fc:89:fc:c0:54:f9:0d:16:72:44:3c:25:3c:a3:88:b9:
+        c7:00:df:81
+-----BEGIN X509 CRL-----
+MIICRDCCASwCAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD
+VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290
+aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t
+MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAzMDUwNTE1MjBa
+Fw0yODExMjkwNTE1MjBaMBQwEgIBARcNMjYwMzA1MDUxNTIwWqBNMEswSQYDVR0U
+BEICQERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+REREREREREREREREREREREREREQwDQYJKoZIhvcNAQELBQADggEBACQRuTrftQfQ
+lLcacxAC9hPFV+NIbuf8jMYHFQsh9Eth1B+YeY0C1rUw5XKFNqKPczKbbOFbD57p
+57oMovlOh4RA3UtdJuWHIwE+hzsZhqYlakhzHNWgVhpSZX6qALAqa86VzsBPfNfv
+eMJ4sM6tTwLizlbepUNbrXhap7yNbu+G4Z5HXOfIEoGNWmPEWiwgVNoef/AWyfX8
+mvrKA3OQOBHRDpg0hP5iHoogZu5ACfGNvLVSryK4p+UMpzjoSpwJmZWuz6KOqCHN
+Xpan6k+8pb43ocdbJz+1mQhiNX+YKiAnPsMbncJRZnzdZDiJ/In8wFT5DRZyRDwl
+PKOIuccA34E=
+-----END X509 CRL-----

certs/crl/gencrls.sh

@@ -236,7 +236,7 @@ openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-cr
 check_result $?
 
 # metadata
-echo "Step 30"
+echo "Step 31"
 openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
 check_result $?
 mv tmp extra-crls/large_crlnum2.pem
@@ -254,4 +254,25 @@ openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
 check_result $?
 mv tmp ../ocsp/root-ca-crl.pem
 
+echo "Step 33 larger CRL number( 57 octets )"
+python3 -c "print('4' * 114)" > crlnumber # 0x41 * 57 = 114 hex chars crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_57oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+# metadata
+echo "Step 34"
+openssl crl -in extra-crls/crlnum_57oct.pem -text > tmp
+check_result $?
+mv tmp extra-crls/crlnum_57oct.pem
+
+echo "Step 35 larger CRL number( 64 octets )"
+python3 -c "print('4' * 128)" > crlnumber # 0x41 * 64 = 128 hex chars crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/crlnum_64oct.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 36"
+openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
+check_result $?
+mv tmp extra-crls/crlnum_64oct.pem
+
 exit 0

certs/crl/include.am

@@ -24,7 +24,9 @@ EXTRA_DIST += \
 		certs/crl/extra-crls/ca-int-cert-revoked.pem \
 		certs/crl/extra-crls/general-server-crl.pem \
 		certs/crl/extra-crls/large_crlnum.pem \
-		certs/crl/extra-crls/large_crlnum2.pem
+		certs/crl/extra-crls/large_crlnum2.pem \
+		certs/crl/extra-crls/crlnum_57oct.pem \
+		certs/crl/extra-crls/crlnum_64oct.pem
 
 # Intermediate cert CRL's
 EXTRA_DIST += \

tests/api.c

@@ -23136,6 +23136,8 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
     const char* caCert     =  "./certs/ca-cert.pem";
     const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
     const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
+    const char* crl_57oct = "./certs/crl/extra-crls/crlnum_57oct.pem";
+    const char* crl_64oct = "./certs/crl/extra-crls/crlnum_64oct.pem";
     const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
     byte *crlLrgCrlNumBuff = NULL;
     word32  crlLrgCrlNumSz;
@@ -23172,6 +23174,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
                                                 WOLFSSL_FILETYPE_PEM),
         ASN_PARSE_E);
 
+    /* Expect to fail loading CRL because of >57 octets CRL number */
+    ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_57oct,
+                                                WOLFSSL_FILETYPE_PEM),
+        ASN_PARSE_E);
+    /* Expect to fail loading CRL because of >64 octets CRL number */
+    ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_64oct,
+                                                WOLFSSL_FILETYPE_PEM),
+        ASN_PARSE_E);
+
     XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
     wolfSSL_CertManagerFree(cm);
 #endif

wolfcrypt/src/asn.c

@@ -41719,7 +41719,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
         word32* inOutIdx, word32 sz)
 {
     int length;
-    int needed;
     word32 idx;
     word32 ext_bound; /* boundary index for the sequence of extensions */
     word32 oid;
@@ -41804,7 +41803,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
                     WOLFSSL_MSG("\tcouldn't parse CRL number extension");
                     return ret;
                 }
-                else {
+                else if (length <= CRL_MAX_NUM_SZ) {
                     DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
                                    CRL_MAX_NUM_SZ_BITS);
                     NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
@@ -41825,15 +41824,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 
                     if (ret != MP_OKAY)
                         ret = BUFFER_E;
-                    /* Check CRL number size
-                     * if it exceeds CRL_MAX_NUM_SZ(octets)
-                     * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
-                     */
-                    if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
-                        ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
-                        WOLFSSL_MSG("CRL number exceeds limitation.");
-                        ret = BUFFER_E;
-                    }
+
                     if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
                                 MP_RADIX_HEX) != MP_OKAY)
                         ret = BUFFER_E;
@@ -41846,6 +41837,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 
                     if (ret != MP_OKAY)
                         return ret;
+                } else {
+                    WOLFSSL_MSG("CRL number exceeds limitation");
+                    ret = BUFFER_E;
                 }
             }
         }
@@ -41871,7 +41865,6 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
         word32 maxIdx)
 {
     DECL_ASNGETDATA(dataASN, certExtASN_Length);
-    int needed;
     int ret = 0;
     /* Track if we've seen these extensions already */
     word32 seenAuthKey = 0;
@@ -41949,16 +41942,16 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
                     }
 
                     if (ret == 0) {
-                        ret = GetInt(m, buf, &localIdx, maxIdx);
-                    }
-                    /* Check CRL number size
-                     * if it exceeds CRL_MAX_NUM_SZ(octets)
-                     * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
-                     */
-                    if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
-                        ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
-                        WOLFSSL_MSG("CRL number exceeds limitation.");
-                        ret = BUFFER_E;
+                        int crlNumLen = 0;
+                        word32 tmpIdx = localIdx;
+                        ret = GetASNInt(buf, &tmpIdx, &crlNumLen, maxIdx);
+                        if (ret == 0 && (crlNumLen > CRL_MAX_NUM_SZ)) {
+                            WOLFSSL_MSG("CRL number exceeds limitation");
+                            ret = BUFFER_E;
+                        }
+                        if (ret == 0) {
+                            ret = GetInt(m, buf, &localIdx, maxIdx);
+                        }
                     }
                     if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
                                  MP_RADIX_HEX) != MP_OKAY)