Add CRL generation code

Author: padelsbach

.gitignore

@@ -104,6 +104,10 @@ ecc-key.der
 ecc-key.pem
 certreq.der
 certreq.pem
+crlRsaOut.pem
+crlRsaOut.der
+crlEccOut.pem
+crlEccOut.der
 pkcs7cert.der
 pkcs7authEnvelopedDataAES128GCM.der
 pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der
@@ -470,3 +474,6 @@ wolfssl/debug-trace-error-codes.h
 wolfssl/debug-untrace-error-codes.h
 
 AGENTS.md
+
+# Code navigation files
+compile_commands.json

scripts/crl-openssl-verify.test

@@ -0,0 +1,339 @@
+#!/usr/bin/env bash
+
+# crl-openssl-verify.test
+# Verifies CRL files generated by test_sk_X509_CRL_encode using OpenSSL
+
+# Exit on first error
+set -e
+
+# CRL files generated by test_sk_X509_CRL_encode
+CRL_RSA_PEM="./certs/crl/crlRsaOut.pem"
+CRL_RSA_DER="./certs/crl/crlRsaOut.der"
+CRL_ECC_PEM="./certs/crl/crlEccOut.pem"
+CRL_ECC_DER="./certs/crl/crlEccOut.der"
+
+# Issuer certificates used to sign the CRLs (must match the signing keys)
+# RSA CRL is signed with ca-key.pem, issuer is ca-cert.pem subject
+RSA_ISSUER_CERT="./certs/ca-cert.pem"
+# ECC CRL is signed with ecc-key.pem, issuer is server-ecc.pem subject
+ECC_ISSUER_CERT="./certs/server-ecc.pem"
+
+# Expected number of revoked certificates in each CRL
+EXPECTED_REVOKED_COUNT=4
+
+exit_code=0
+
+check_openssl() {
+    if ! command -v openssl &> /dev/null; then
+        echo "OpenSSL not found, skipping test"
+        exit 0
+    fi
+}
+
+print_openssl_info() {
+    echo "OpenSSL version: $(openssl version)"
+    echo "OpenSSL binary: $(command -v openssl)"
+}
+
+print_debug_info() {
+    local crl_file="$1"
+    local crl_text="$2"
+    
+    echo "    === DEBUG INFO ==="
+    echo "    OpenSSL version: $(openssl version)"
+    echo "    CRL file: $crl_file"
+    echo "    CRL file size: $(wc -c < "$crl_file" 2>/dev/null || echo "N/A") bytes"
+    echo "    --- CRL Text Output (first 100 lines) ---"
+    echo "$crl_text" | head -100 | sed 's/^/    /'
+    echo "    --- End CRL Text ---"
+}
+
+# Check if a serial number is present in CRL text
+# Handles various OpenSSL output formats:
+#   "Serial Number: 02"
+#   "Serial Number: 2"  
+#   "Serial Number: 0x02"
+#   Multi-line format with serial on next line
+check_serial_in_crl() {
+    local crl_text="$1"
+    local serial="$2"
+    
+    # Try exact match first (e.g., "Serial Number: 02")
+    if echo "$crl_text" | grep -qi "Serial Number:.*[^0-9a-f]0*$serial[^0-9a-f]"; then
+        return 0
+    fi
+    
+    # Try without leading zeros (e.g., "Serial Number: 2" for serial "02")
+    local serial_no_leading_zero=$(echo "$serial" | sed 's/^0*//')
+    if [ -n "$serial_no_leading_zero" ]; then
+        if echo "$crl_text" | grep -qi "Serial Number:.*[^0-9a-f]$serial_no_leading_zero[^0-9a-f]"; then
+            return 0
+        fi
+        # End of line match
+        if echo "$crl_text" | grep -qi "Serial Number:.*[^0-9a-f]$serial_no_leading_zero$"; then
+            return 0
+        fi
+    fi
+    
+    # Try hex format (e.g., "Serial Number: 0x02")
+    if echo "$crl_text" | grep -qi "Serial Number:.*0x0*$serial"; then
+        return 0
+    fi
+    
+    # Try exact match at end of line
+    if echo "$crl_text" | grep -qi "Serial Number: 0*$serial$"; then
+        return 0
+    fi
+    
+    # Try case-insensitive match for the serial anywhere after "Serial Number"
+    if echo "$crl_text" | grep -i "Serial Number" | grep -qi "[^0-9a-f]0*$serial[^0-9a-f]\|[^0-9a-f]0*$serial$"; then
+        return 0
+    fi
+    
+    return 1
+}
+
+verify_crl_pem() {
+    local crl_file="$1"
+    local issuer_cert="$2"
+    local crl_type="$3"
+
+    if [ ! -f "$crl_file" ]; then
+        echo "SKIP: $crl_type CRL PEM file not found: $crl_file"
+        echo "      (test_sk_X509_CRL_encode may not have run or feature disabled)"
+        return 0
+    fi
+
+    echo "Verifying $crl_type CRL (PEM): $crl_file"
+
+    # Parse and display CRL info
+    if ! openssl crl -in "$crl_file" -inform PEM -noout -text > /dev/null 2>&1; then
+        echo "FAIL: OpenSSL failed to parse $crl_type CRL PEM"
+        echo "    OpenSSL error output:"
+        openssl crl -in "$crl_file" -inform PEM -noout -text 2>&1 | sed 's/^/    /' || true
+        exit_code=1
+        return 1
+    fi
+    echo "  - OpenSSL can parse CRL: OK"
+
+    # Get the CRL text for further checks
+    crl_text=$(openssl crl -in "$crl_file" -inform PEM -noout -text 2>/dev/null)
+
+    # Verify CRL signature against issuer certificate
+    # This is the critical cryptographic verification using -CAfile and -verify
+    if [ -f "$issuer_cert" ]; then
+        verify_output=$(openssl crl -in "$crl_file" -inform PEM -noout -CAfile "$issuer_cert" -verify 2>&1)
+        if echo "$verify_output" | grep -q "verify OK"; then
+            echo "  - CRL signature verification (-CAfile -verify): OK"
+        else
+            echo "  - CRL signature verification (-CAfile -verify): FAIL"
+            echo "    Verification output: $verify_output"
+            echo "    Issuer cert: $issuer_cert"
+            print_debug_info "$crl_file" "$crl_text"
+            exit_code=1
+            return 1
+        fi
+    else
+        echo "  - CRL signature verification: SKIPPED (issuer cert not found: $issuer_cert)"
+    fi
+
+    # Count revoked certificates
+    revoked_count=$(echo "$crl_text" | grep -c "Serial Number:" || true)
+
+    if [ "$revoked_count" -eq "$EXPECTED_REVOKED_COUNT" ]; then
+        echo "  - Revoked certificate count: $revoked_count (expected $EXPECTED_REVOKED_COUNT) OK"
+    else
+        echo "  - Revoked certificate count: $revoked_count (expected $EXPECTED_REVOKED_COUNT) FAIL"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+        return 1
+    fi
+
+    # Check for required CRL fields
+    if echo "$crl_text" | grep -q "Issuer:"; then
+        echo "  - Issuer field: OK"
+    else
+        echo "  - Issuer field: MISSING"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+    fi
+
+    if echo "$crl_text" | grep -q "Last Update:"; then
+        echo "  - Last Update field: OK"
+    else
+        echo "  - Last Update field: MISSING"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+    fi
+
+    if echo "$crl_text" | grep -q "Next Update:"; then
+        echo "  - Next Update field: OK"
+    else
+        echo "  - Next Update field: MISSING"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+    fi
+
+    # Check signature algorithm is present
+    if echo "$crl_text" | grep -q "Signature Algorithm:"; then
+        sig_alg=$(echo "$crl_text" | grep "Signature Algorithm:" | head -1 | awk '{print $3}')
+        echo "  - Signature Algorithm: $sig_alg OK"
+    else
+        echo "  - Signature Algorithm: MISSING"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+    fi
+
+    # Check for signature value
+    # OpenSSL 3.x uses "Signature Value:" label
+    # OpenSSL 1.1.x just shows hex bytes after "Signature Algorithm:" without a label
+    if echo "$crl_text" | grep -q "Signature Value:"; then
+        echo "  - Signature Value: present OK"
+    elif echo "$crl_text" | grep -Eq "^\s+[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}"; then
+        # Found hex signature bytes (OpenSSL 1.1.x format)
+        echo "  - Signature Value: present OK (hex bytes format)"
+    else
+        echo "  - Signature Value: MISSING"
+        print_debug_info "$crl_file" "$crl_text"
+        exit_code=1
+    fi
+
+    # Verify expected serial numbers are present (using flexible matching)
+    for serial in "02" "03" "04"; do
+        if check_serial_in_crl "$crl_text" "$serial"; then
+            echo "  - Serial $serial revoked: OK"
+        else
+            echo "  - Serial $serial revoked: MISSING"
+            echo "    Looking for serial: $serial"
+            echo "    Serial lines found in CRL:"
+            echo "$crl_text" | grep -i "Serial" | sed 's/^/      /'
+            print_debug_info "$crl_file" "$crl_text"
+            exit_code=1
+        fi
+    done
+
+    if [ $exit_code -eq 0 ]; then
+        echo "PASS: $crl_type CRL PEM structure verified"
+    else
+        echo "FAIL: $crl_type CRL PEM had errors (see above)"
+    fi
+    echo ""
+    return 0
+}
+
+verify_crl_der() {
+    local crl_file="$1"
+    local crl_type="$2"
+
+    if [ ! -f "$crl_file" ]; then
+        echo "SKIP: $crl_type CRL DER file not found: $crl_file"
+        return 0
+    fi
+
+    echo "Verifying $crl_type CRL (DER): $crl_file"
+
+    # Parse DER format
+    if ! openssl crl -in "$crl_file" -inform DER -noout -text > /dev/null 2>&1; then
+        echo "FAIL: OpenSSL failed to parse $crl_type CRL DER"
+        echo "    OpenSSL error output:"
+        openssl crl -in "$crl_file" -inform DER -noout -text 2>&1 | sed 's/^/    /' || true
+        exit_code=1
+        return 1
+    fi
+
+    # Count revoked certificates
+    revoked_count=$(openssl crl -in "$crl_file" -inform DER -noout -text 2>/dev/null | \
+        grep -c "Serial Number:" || true)
+
+    if [ "$revoked_count" -eq "$EXPECTED_REVOKED_COUNT" ]; then
+        echo "PASS: $crl_type CRL DER has $revoked_count revoked certificates (expected $EXPECTED_REVOKED_COUNT)"
+    else
+        echo "FAIL: $crl_type CRL DER has $revoked_count revoked certificates (expected $EXPECTED_REVOKED_COUNT)"
+        echo "    DER CRL content:"
+        openssl crl -in "$crl_file" -inform DER -noout -text 2>/dev/null | head -50 | sed 's/^/    /'
+        exit_code=1
+        return 1
+    fi
+
+    echo ""
+    return 0
+}
+
+compare_pem_der() {
+    local pem_file="$1"
+    local der_file="$2"
+    local crl_type="$3"
+
+    if [ ! -f "$pem_file" ] || [ ! -f "$der_file" ]; then
+        return 0
+    fi
+
+    echo "Comparing $crl_type CRL PEM vs DER..."
+
+    # Convert PEM to DER and compare
+    converted_der=$(mktemp)
+    trap "rm -f $converted_der" EXIT
+
+    openssl crl -in "$pem_file" -inform PEM -outform DER -out "$converted_der" 2>/dev/null
+
+    if cmp -s "$converted_der" "$der_file"; then
+        echo "PASS: $crl_type CRL PEM and DER are equivalent"
+    else
+        echo "FAIL: $crl_type CRL PEM and DER do not match after conversion"
+        echo "    PEM file size: $(wc -c < "$pem_file") bytes"
+        echo "    DER file size: $(wc -c < "$der_file") bytes"
+        echo "    Converted DER size: $(wc -c < "$converted_der") bytes"
+        exit_code=1
+    fi
+
+    rm -f "$converted_der"
+    trap - EXIT
+
+    echo ""
+}
+
+######### begin program #########
+
+echo "============================================"
+echo "CRL OpenSSL Verification Test"
+echo "============================================"
+echo ""
+
+check_openssl
+print_openssl_info
+echo ""
+
+# Check if CRL files exist at all
+echo "Checking for CRL files..."
+for f in "$CRL_RSA_PEM" "$CRL_RSA_DER" "$CRL_ECC_PEM" "$CRL_ECC_DER"; do
+    if [ -f "$f" ]; then
+        echo "  Found: $f ($(wc -c < "$f") bytes)"
+    else
+        echo "  Missing: $f"
+    fi
+done
+echo ""
+
+# Test RSA-signed CRL
+verify_crl_pem "$CRL_RSA_PEM" "$RSA_ISSUER_CERT" "RSA"
+verify_crl_der "$CRL_RSA_DER" "RSA"
+compare_pem_der "$CRL_RSA_PEM" "$CRL_RSA_DER" "RSA"
+
+# Test ECC-signed CRL
+verify_crl_pem "$CRL_ECC_PEM" "$ECC_ISSUER_CERT" "ECC"
+verify_crl_der "$CRL_ECC_DER" "ECC"
+compare_pem_der "$CRL_ECC_PEM" "$CRL_ECC_DER" "ECC"
+
+# Summary
+echo "============================================"
+if [ $exit_code -eq 0 ]; then
+    echo "All CRL verification tests PASSED"
+else
+    echo "Some CRL verification tests FAILED"
+    echo "(See detailed output above for failure reasons)"
+fi
+echo "============================================"
+
+exit $exit_code
+
+########## end program ##########

scripts/include.am

@@ -19,6 +19,13 @@ if BUILD_CRL
 # make revoked test rely on completion of resume test
 dist_noinst_SCRIPTS+= scripts/crl-revoked.test
 scripts/crl-revoked.log: scripts/resume.log
+
+# CRL OpenSSL verification test - verifies CRLs created by test_sk_X509_CRL_encode
+# depends on unit tests completing first (which creates the CRL files)
+# also depends on resume.log to ensure DTLS resume tests complete first
+dist_noinst_SCRIPTS+= scripts/crl-openssl-verify.test
+scripts/crl-openssl-verify.log: tests/unit.log
+scripts/crl-openssl-verify.log: scripts/resume.log
 endif
 
 # arrange to serialize ocsp.test, ocsp-stapling.test, ocsp-stapling-with-ca-as-responder.test, ocsp-stapling2.test, and testsuite,