wolfSSL
diff --git a/‎.gitignore‎
Lines changed: 7 additions & 0 deletions b/‎.gitignore‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎certs/client-ca-cert.der‎
1.22 KB b/‎certs/client-ca-cert.der‎
1.22 KB
diff --git a/‎certs/client-ca-cert.pem‎
Lines changed: 92 additions & 0 deletions b/‎certs/client-ca-cert.pem‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎certs/client-ecc-ca-cert.der‎
655 Bytes b/‎certs/client-ecc-ca-cert.der‎
655 Bytes
diff --git a/‎certs/client-ecc-ca-cert.pem‎
Lines changed: 54 additions & 0 deletions b/‎certs/client-ecc-ca-cert.pem‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎certs/include.am‎
Lines changed: 4 additions & 1 deletion b/‎certs/include.am‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎certs/renewcerts.sh‎
Lines changed: 59 additions & 0 deletions b/‎certs/renewcerts.sh‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎scripts/crl-gen-openssl.test‎
Lines changed: 112 additions & 0 deletions b/‎scripts/crl-gen-openssl.test‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎scripts/include.am‎
Lines changed: 2 additions & 0 deletions b/‎scripts/include.am‎
Lines changed: 2 additions & 0 deletions
@@ -104,6 +104,10 @@ ecc-key.der
 ecc-key.pem
 certreq.der
 certreq.pem
+crlRsaOut.pem
+crlRsaOut.der
+crlEccOut.pem
+crlEccOut.der
 pkcs7cert.der
 pkcs7authEnvelopedDataAES128GCM.der
 pkcs7authEnvelopedDataAES128GCM_ECDH_SHA1KDF.der
@@ -470,3 +474,6 @@ wolfssl/debug-trace-error-codes.h
 wolfssl/debug-untrace-error-codes.h
 
 AGENTS.md
+
+# Code navigation files
+compile_commands.json
@@ -0,0 +1,92 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4661 (0x1235)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, O = Sawtooth, OU = Consulting, CN = www.wolfssl.com, emailAddress = [email protected]
+        Validity
+            Not Before: Jan 24 20:31:13 2026 GMT
+            Not After : Oct 20 20:31:13 2028 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_2048, OU = Programming-2048, CN = www.wolfssl.com, emailAddress = [email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c3:03:d1:2b:fe:39:a4:32:45:3b:53:c8:84:2b:
+                    2a:7c:74:9a:bd:aa:2a:52:07:47:d6:a6:36:b2:07:
+                    32:8e:d0:ba:69:7b:c6:c3:44:9e:d4:81:48:fd:2d:
+                    68:a2:8b:67:bb:a1:75:c8:36:2c:4a:d2:1b:f7:8b:
+                    ba:cf:0d:f9:ef:ec:f1:81:1e:7b:9b:03:47:9a:bf:
+                    65:cc:7f:65:24:69:a6:e8:14:89:5b:e4:34:f7:c5:
+                    b0:14:93:f5:67:7b:3a:7a:78:e1:01:56:56:91:a6:
+                    13:42:8d:d2:3c:40:9c:4c:ef:d1:86:df:37:51:1b:
+                    0c:a1:3b:f5:f1:a3:4a:35:e4:e1:ce:96:df:1b:7e:
+                    bf:4e:97:d0:10:e8:a8:08:30:81:af:20:0b:43:14:
+                    c5:74:67:b4:32:82:6f:8d:86:c2:88:40:99:36:83:
+                    ba:1e:40:72:22:17:d7:52:65:24:73:b0:ce:ef:19:
+                    cd:ae:ff:78:6c:7b:c0:12:03:d4:4e:72:0d:50:6d:
+                    3b:a3:3b:a3:99:5e:9d:c8:d9:0c:85:b3:d9:8a:d9:
+                    54:26:db:6d:fa:ac:bb:ff:25:4c:c4:d1:79:f4:71:
+                    d3:86:40:18:13:b0:63:b5:72:4e:30:c4:97:84:86:
+                    2d:56:2f:d7:15:f7:7f:c0:ae:f5:fc:5b:e5:fb:a1:
+                    ba:d3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+            X509v3 Subject Key Identifier: 
+                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
+            X509v3 Authority Key Identifier: 
+                keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5
+                DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/[email protected]
+                serial:3F:29:11:20:57:71:E7:8E:F9:18:0D:CA:70:4D:5B:15:2A:43:D6:24
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        7f:71:41:b2:72:c1:a9:ba:c9:52:40:ea:6d:3d:3d:c0:ae:1e:
+        44:cd:f9:a5:d6:ac:34:5f:8b:ed:cd:91:81:0f:05:0f:5e:4b:
+        b3:18:bf:33:7a:61:a5:25:f1:91:55:c1:12:66:b7:26:3b:9c:
+        bb:21:1a:0c:72:78:88:57:fa:49:22:e7:80:2f:c1:40:01:66:
+        3d:20:63:e7:e3:38:a9:54:39:52:42:d2:b6:38:6b:08:7d:45:
+        49:1a:de:b5:64:70:c9:65:ce:0b:94:24:ee:b4:46:67:3c:74:
+        f0:2a:61:4d:b2:fc:6e:ca:c0:36:a9:b0:d3:5a:e2:15:72:f5:
+        a4:90:73:b2:37:58:b4:10:39:d3:85:5f:56:91:7e:cf:54:5d:
+        c6:a7:40:36:bd:ed:f2:af:e5:ce:b6:ea:38:be:47:32:6f:ed:
+        d2:ba:9d:70:e1:74:2e:f0:27:e4:72:53:75:43:ce:0a:07:b4:
+        7e:74:17:00:55:b5:d1:92:e4:42:39:ca:84:51:84:f8:23:a6:
+        41:27:fb:20:e2:43:e3:74:d3:ce:95:4e:1f:06:de:65:5e:e3:
+        38:e2:eb:f1:a6:ca:6b:7c:56:51:c0:02:1e:6e:3f:51:c1:d5:
+        04:c0:3d:57:56:15:65:76:a4:f4:eb:43:27:2c:c3:58:29:5c:
+        18:da:e8:fd
+-----BEGIN CERTIFICATE-----
+MIIE3zCCA8egAwIBAgICEjUwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
+MRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhT
+YXd0b290aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDEy
+NDIwMzExM1oXDTI4MTAyMDIwMzExM1owgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRUwEwYDVQQKDAx3b2xmU1NMXzIw
+NDgxGTAXBgNVBAsMEFByb2dyYW1taW5nLTIwNDgxGDAWBgNVBAMMD3d3dy53b2xm
+c3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIH
+R9amNrIHMo7Quml7xsNEntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sD
+R5q/Zcx/ZSRppugUiVvkNPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1Eb
+DKE79fGjSjXk4c6W3xt+v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5A
+ciIX11JlJHOwzu8Zza7/eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqs
+u/8lTMTRefRx04ZAGBOwY7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOC
+AS0wggEpMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
+CCsGAQUFBwMCMB0GA1UdDgQWBBQz2EVm12iHGH5UDXAnkccm14VlwDCB1AYDVR0j
+BIHMMIHJgBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMC
+VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoM
+CFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29s
+ZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CFD8pESBX
+ceeO+RgNynBNWxUqQ9YkMA0GCSqGSIb3DQEBCwUAA4IBAQB/cUGycsGpuslSQOpt
+PT3Arh5Ezfml1qw0X4vtzZGBDwUPXkuzGL8zemGlJfGRVcESZrcmO5y7IRoMcniI
+V/pJIueAL8FAAWY9IGPn4zipVDlSQtK2OGsIfUVJGt61ZHDJZc4LlCTutEZnPHTw
+KmFNsvxuysA2qbDTWuIVcvWkkHOyN1i0EDnThV9WkX7PVF3Gp0A2ve3yr+XOtuo4
+vkcyb+3Sup1w4XQu8CfkclN1Q84KB7R+dBcAVbXRkuRCOcqEUYT4I6ZBJ/sg4kPj
+dNPOlU4fBt5lXuM44uvxpsprfFZRwAIebj9RwdUEwD1XVhVldqT060MnLMNYKVwY
+2uj9
+-----END CERTIFICATE-----
@@ -0,0 +1,54 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4660 (0x1234)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = www.wolfssl.com, emailAddress = [email protected]
+        Validity
+            Not Before: Jan 24 20:12:22 2026 GMT
+            Not After : Oct 20 20:12:22 2028 GMT
+        Subject: C = US, ST = Oregon, L = Salem, O = Client ECC, OU = Fast, CN = www.wolfssl.com, emailAddress = [email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:55:bf:f4:0f:44:50:9a:3d:ce:9b:b7:f0:c5:4d:
+                    f5:70:7b:d4:ec:24:8e:19:80:ec:5a:4c:a2:24:03:
+                    62:2c:9b:da:ef:a2:35:12:43:84:76:16:c6:56:95:
+                    06:cc:01:a9:bd:f6:75:1a:42:f7:bd:a9:b2:36:22:
+                    5f:c7:5d:7f:b4
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                EB:D4:4B:59:6B:95:61:3F:51:57:B6:04:4D:89:41:88:44:5C:AB:F2
+            X509v3 Authority Key Identifier: 
+                56:8E:9A:C3:F0:42:DE:18:B9:45:55:6E:F9:93:CF:EA:C3:F3:A5:21
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:21:00:9d:4d:72:4a:fb:f7:19:96:e3:d3:c2:75:ed:
+        b5:39:18:44:e7:61:7d:5e:31:d0:3c:eb:45:b3:6f:38:68:f9:
+        1d:02:20:57:c1:19:e8:c8:8a:14:e7:37:d1:93:b3:46:f5:eb:
+        8f:24:31:6c:78:d7:cd:b7:c9:8e:09:54:6e:4d:3b:7b:7b
+-----BEGIN CERTIFICATE-----
+MIICizCCAjGgAwIBAgICEjQwCgYIKoZIzj0EAwIwgZcxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3
+b2xmU1NMMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZz
+c2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDEy
+NDIwMTIyMloXDTI4MTAyMDIwMTIyMlowgY0xCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
+DAZPcmVnb24xDjAMBgNVBAcMBVNhbGVtMRMwEQYDVQQKDApDbGllbnQgRUNDMQ0w
+CwYDVQQLDARGYXN0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG
+9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AARVv/QPRFCaPc6bt/DFTfVwe9TsJI4ZgOxaTKIkA2Ism9rvojUSQ4R2FsZWlQbM
+Aam99nUaQve9qbI2Il/HXX+0o3UwczAdBgNVHQ4EFgQU69RLWWuVYT9RV7YETYlB
+iERcq/IwHwYDVR0jBBgwFoAUVo6aw/BC3hi5RVVu+ZPP6sPzpSEwDAYDVR0TAQH/
+BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCgYIKoZI
+zj0EAwIDSAAwRQIhAJ1Nckr79xmW49PCde21ORhE52F9XjHQPOtFs284aPkdAiBX
+wRnoyIoU5zfRk7NG9euPJDFseNfNt8mOCVRuTTt7ew==
+-----END CERTIFICATE-----
@@ -32,7 +32,9 @@ EXTRA_DIST += \
              certs/ecc-client-keyPub.pem \
              certs/empty-issuer-cert.pem \
              certs/client-ecc-cert.pem \
+             certs/client-ecc-ca-cert.pem \
              certs/client-ca.pem \
+             certs/client-ca-cert.pem \
              certs/dh2048.pem \
              certs/server-cert.pem \
              certs/server-ecc.pem \
@@ -91,6 +93,8 @@ EXTRA_DIST += \
              certs/client-cert.der \
              certs/client-key.der \
              certs/client-ecc-cert.der \
+             certs/client-ecc-ca-cert.der \
+             certs/client-ca-cert.der \
              certs/client-keyPub.der \
              certs/client-keyPub.pem \
              certs/dh2048.der \
@@ -154,4 +158,3 @@ include certs/sphincs/include.am
 include certs/rpk/include.am
 include certs/acert/include.am
 include certs/mldsa/include.am
-
 
@@ -21,6 +21,10 @@
 #                       1024/client-cert.pem
 #                       server-ecc-comp.pem
 #                       client-ca.pem
+#                       client-ca-cert.der
+#                       client-ca-cert.pem
+#                       client-ecc-ca-cert.der
+#                       client-ecc-ca-cert.pem
 #                       test/digsigku.pem
 #                       ecc-privOnlyCert.pem
 #                       client-uri-cert.pem
@@ -896,6 +900,61 @@ run_renewcerts(){
     echo "End of section"
     echo "---------------------------------------------------------------------"
 
+    ############################################################
+    ########## update and sign client-ca-cert.pem ##############
+    ############################################################
+    echo "Updating client-ca-cert.pem"
+    echo ""
+    cat > client-ca-ext.cnf <<'EOF'
+[ client_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints=critical, CA:FALSE
+keyUsage=critical, digitalSignature, keyEncipherment
+extendedKeyUsage=clientAuth
+EOF
+    check_result $? "Step 1"
+
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nMontana\\nBozeman\\nwolfSSL_2048\\nProgramming-2048\\nwww.wolfssl.com\\[email protected]\\n.\\n.\\n" | openssl req -new -key client-key.pem -config ./wolfssl.cnf -nodes > client-ca-cert-req.pem
+    check_result $? "Step 2"
+
+    openssl x509 -req -in client-ca-cert-req.pem -extfile client-ca-ext.cnf -extensions client_ca -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x1235 > client-ca-cert.pem
+    check_result $? "Step 3"
+    rm client-ca-cert-req.pem
+
+    openssl x509 -in client-ca-cert.pem -text > tmp.pem
+    check_result $? "Step 4"
+    mv tmp.pem client-ca-cert.pem
+
+    openssl x509 -inform PEM -in client-ca-cert.pem -outform DER -out client-ca-cert.der
+    check_result $? "Step 5"
+    rm client-ca-ext.cnf
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
+    ############################################################
+    ####### update and sign client-ecc-ca-cert.pem #############
+    ############################################################
+    echo "Updating client-ecc-ca-cert.pem"
+    echo ""
+    #pipe the following arguments to openssl req...
+    echo -e "US\\nOregon\\nSalem\\nClient ECC\\nFast\\nwww.wolfssl.com\\[email protected]\\n.\\n.\\n" | openssl req -new -key ecc-client-key.pem -config ./wolfssl.cnf -nodes > client-ecc-ca-cert-req.pem
+    check_result $? "Step 1"
+
+    openssl x509 -req -in client-ecc-ca-cert-req.pem -extfile wolfssl.cnf -extensions client_ecc -days 1000 -CA ca-ecc-cert.pem -CAkey ca-ecc-key.pem -set_serial 0x1234 > client-ecc-ca-cert.pem
+    check_result $? "Step 2"
+    rm client-ecc-ca-cert-req.pem
+
+    openssl x509 -in client-ecc-ca-cert.pem -text > tmp.pem
+    check_result $? "Step 3"
+    mv tmp.pem client-ecc-ca-cert.pem
+
+    openssl x509 -inform PEM -in client-ecc-ca-cert.pem -outform DER -out client-ecc-ca-cert.der
+    check_result $? "Step 4"
+    echo "End of section"
+    echo "---------------------------------------------------------------------"
+
     #cleanup the file system now that we're done
     echo "Performing final steps, cleaning up the file system..."
     echo ""
 
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Verifies CRLs generated by the C API unit tests (tests/api.c).
+# Uses OpenSSL to validate CRL structure, signature, and revocation behavior.
+# RSA: ca-cert.pem + server-cert.pem (revoked) + client-ca-cert.pem (good).
+# ECC: ca-ecc-cert.pem + server-ecc.pem (revoked) + client-ecc-ca-cert.pem (good).
+
+OPENSSL=${OPENSSL:-openssl}
+
+if ! command -v "$OPENSSL" >/dev/null 2>&1; then
+    echo "skipping crl-gen-openssl.test: openssl not found"
+    exit 77
+fi
+
+normalize_dn() {
+    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
+        -e 's/^issuer=//' -e 's/^subject=//' \
+        -e 's/[[:space:]]*=[[:space:]]*/=/g' \
+        -e 's/[[:space:]]*,[[:space:]]*/,/g'
+}
+
+check_crl() {
+    local crl="$1"
+    local ca_cert="$2"
+    local revoked_cert="$3"
+    local good_cert="$4"
+    local label="$5"
+
+    echo "Checking $label CRL: $crl"
+
+    local issuer subject
+    issuer=$("$OPENSSL" crl -in "$crl" -noout -issuer | normalize_dn)
+    subject=$("$OPENSSL" x509 -in "$ca_cert" -noout -subject | normalize_dn)
+    if [ "$issuer" != "$subject" ]; then
+        echo "issuer mismatch for $label CRL"
+        echo "issuer : $issuer"
+        echo "subject: $subject"
+        return 1
+    fi
+
+    local last_update next_update
+    last_update=$("$OPENSSL" crl -in "$crl" -noout -lastupdate)
+    next_update=$("$OPENSSL" crl -in "$crl" -noout -nextupdate)
+    if [ -z "$last_update" ] || [ -z "$next_update" ]; then
+        echo "missing lastUpdate/nextUpdate for $label CRL"
+        return 1
+    fi
+
+    if ! "$OPENSSL" crl -in "$crl" -noout -verify -CAfile "$ca_cert" >/dev/null 2>&1; then
+        echo "CRL signature verification failed for $label"
+        return 1
+    fi
+
+    local revoked_count
+    revoked_count=$("$OPENSSL" crl -in "$crl" -text -noout | grep -c "Serial Number" || true)
+    if [ "$revoked_count" -ne 4 ]; then
+        echo "unexpected revoked count for $label CRL: $revoked_count (expected 4)"
+        return 1
+    fi
+
+    local serial crl_text
+    serial=$("$OPENSSL" x509 -in "$revoked_cert" -noout -serial | cut -d= -f2 | tr 'A-F' 'a-f')
+    crl_text=$("$OPENSSL" crl -in "$crl" -text -noout | tr 'A-F' 'a-f')
+    if ! echo "$crl_text" | grep -q "$serial"; then
+        echo "revoked serial not found in $label CRL: $serial"
+        return 1
+    fi
+
+    local verify_out verify_rc
+    verify_out=$("$OPENSSL" verify -CAfile "$ca_cert" -crl_check -CRLfile "$crl" \
+        "$revoked_cert" 2>&1) || verify_rc=$?
+    verify_rc=${verify_rc:-0}
+    if [ "$verify_rc" -eq 0 ] || ! echo "$verify_out" | grep -qi "certificate revoked"; then
+        echo "expected revoked verification failure for $label CRL"
+        echo "$verify_out"
+        return 1
+    fi
+
+    if [ -n "$good_cert" ]; then
+        if ! "$OPENSSL" verify -CAfile "$ca_cert" -crl_check -CRLfile "$crl" \
+            "$good_cert" >/dev/null 2>&1; then
+            echo "expected successful verification for $label CRL with $good_cert"
+            return 1
+        fi
+    fi
+}
+
+crl_rsa="certs/crl/crlRsaOut.pem"
+crl_ecc="certs/crl/crlEccOut.pem"
+
+if [ ! -f "$crl_rsa" ] && [ ! -f "$crl_ecc" ]; then
+    echo "skipping crl-gen-openssl.test: CRL outputs not found"
+    exit 77
+fi
+
+if [ -f "$crl_rsa" ]; then
+    ca_rsa="certs/ca-cert.pem"
+    revoked_rsa="certs/server-cert.pem"
+    good_rsa="certs/client-ca-cert.pem"
+    check_crl "$crl_rsa" "$ca_rsa" "$revoked_rsa" "$good_rsa" "RSA"
+fi
+
+if [ -f "$crl_ecc" ]; then
+    ca_ecc="certs/ca-ecc-cert.pem"
+    revoked_ecc="certs/server-ecc.pem"
+    good_ecc="certs/client-ecc-ca-cert.pem"
+    check_crl "$crl_ecc" "$ca_ecc" "$revoked_ecc" "${good_ecc:-}" "ECC"
+fi
+
+echo "crl-gen-openssl.test: OK"
@@ -18,7 +18,9 @@ if BUILD_RSA
 if BUILD_CRL
 # make revoked test rely on completion of resume test
 dist_noinst_SCRIPTS+= scripts/crl-revoked.test
+dist_noinst_SCRIPTS+= scripts/crl-gen-openssl.test
 scripts/crl-revoked.log: scripts/resume.log
+scripts/crl-gen-openssl.log: scripts/crl-revoked.log
 endif
 
 # arrange to serialize ocsp.test, ocsp-stapling.test, ocsp-stapling-with-ca-as-responder.test, ocsp-stapling2.test, and testsuite,