diff --git a/certs/crl/extra-crls/large_crlnum.pem b/certs/crl/extra-crls/large_crlnum.pem
new file mode 100644
index 00000000000..8b5d79745ed
--- /dev/null
+++ b/certs/crl/extra-crls/large_crlnum.pem
@@ -0,0 +1,43 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com + Last Update: Jan 8 07:15:25 2026 GMT + Next Update: Oct 4 07:15:25 2028 GMT + CRL extensions: + X509v3 CRL Number: + 0xD8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74 +Revoked Certificates: + Serial Number: 01 + Revocation Date: Jan 8 07:15:25 2026 GMT + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 0c:45:a0:2e:ba:ad:28:48:eb:61:29:a6:fa:d0:76:8c:96:bb: + 1a:9a:79:90:05:06:78:8e:d2:f6:4d:6d:4c:75:62:d2:b2:91: + f8:e4:59:a9:db:6f:e6:58:fe:f9:2e:7a:67:a7:01:a3:68:ee: + b1:23:a6:25:2a:85:84:3d:bf:86:bf:6d:d5:a6:2d:03:8e:d1: + ac:0f:73:4c:47:ea:fb:75:2e:85:1f:dc:fa:5e:b2:eb:d1:f4: + 75:e9:ae:a9:90:6e:ec:c9:05:db:61:39:30:a8:4e:c3:d2:ce: + 77:2d:ba:bf:fd:74:dc:c6:41:db:65:c4:83:66:9c:91:60:43: + 57:a3:52:bb:9c:b7:fa:30:d3:01:89:7f:5e:c8:06:0a:34:1b: + 77:ce:e8:b4:85:c5:6e:63:50:f3:88:cc:e3:54:7b:29:5c:08: + 4a:7b:35:b4:3f:01:2e:c5:93:4f:7c:7a:17:bf:0d:bd:be:3e: + a9:1b:ef:a0:9c:bc:78:9e:91:99:91:e7:38:63:f1:24:86:02: + 63:81:cb:67:3a:f7:3c:5c:45:87:54:f4:9a:16:25:a2:e5:bd: + ee:7e:9a:28:c0:db:4e:bc:4a:0d:c2:5f:14:ea:9c:8a:42:db: + d2:1d:27:b8:d2:3c:57:4a:bf:46:4a:95:ac:7f:f4:47:22:dd: + d5:dc:52:3f +-----BEGIN X509 CRL----- +MIICGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAxMDgwNzE1MjVa +Fw0yODEwMDQwNzE1MjVaMBQwEgIBARcNMjYwMTA4MDcxNTI1WqAiMCAwHgYDVR0U +BBcCFQDYr62n8Is45heL0OXNew34AHG6dDANBgkqhkiG9w0BAQsFAAOCAQEADEWg +LrqtKEjrYSmm+tB2jJa7Gpp5kAUGeI7S9k1tTHVi0rKR+ORZqdtv5lj++S56Z6cB +o2jusSOmJSqFhD2/hr9t1aYtA47RrA9zTEfq+3UuhR/c+l6y69H0demuqZBu7MkF +22E5MKhOw9LOdy26v/103MZB22XEg2ackWBDV6NSu5y3+jDTAYl/XsgGCjQbd87o 
+tIXFbmNQ84jM41R7KVwISns1tD8BLsWTT3x6F78Nvb4+qRvvoJy8eJ6RmZHnOGPx
+JIYCY4HLZzr3PFxFh1T0mhYlouW97n6aKMDbTrxKDcJfFOqcikLb0h0nuNI8V0q/
+RkqVrH/0RyLd1dxSPw==
+-----END X509 CRL-----
diff --git a/certs/crl/extra-crls/large_crlnum2.pem b/certs/crl/extra-crls/large_crlnum2.pem
new file mode 100644
index 00000000000..162b44c0f08
--- /dev/null
+++ b/certs/crl/extra-crls/large_crlnum2.pem
@@ -0,0 +1,43 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com + Last Update: Jan 8 07:15:25 2026 GMT + Next Update: Oct 4 07:15:25 2028 GMT + CRL extensions: + X509v3 CRL Number: + 0x8BC28C3B3F7A6344CD464A9FDC837F2009DEB94FD3 +Revoked Certificates: + Serial Number: 01 + Revocation Date: Jan 8 07:15:25 2026 GMT + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 47:71:aa:8d:29:11:90:57:c9:70:78:a5:de:40:ee:c3:da:81: + 68:d0:20:09:af:5b:5f:30:f9:69:14:ff:8a:cf:46:0d:e8:0d: + 45:df:1d:49:ce:05:01:28:a5:34:50:b6:cb:54:9d:a1:42:6c: + f6:e2:66:de:be:e4:90:55:c1:83:e5:4c:26:96:43:29:39:84: + ad:68:3c:0d:5a:d4:e7:ba:7c:21:e9:a1:c2:0c:ad:6f:0c:32: + 71:81:9f:df:7d:c3:0d:92:a4:6f:43:9f:8f:b7:ef:2d:6d:92: + a6:17:cb:c7:4c:2e:3b:a5:2b:2c:74:fa:d1:be:6d:dc:19:04: + d6:b6:56:6c:26:94:8e:13:15:29:12:fe:1a:a4:73:55:df:a5: + c8:d3:d5:99:4a:c6:be:64:1f:90:a9:d8:94:d1:3b:b1:0e:ff: + e4:81:d0:e5:a4:8a:a7:a9:82:fb:a6:86:be:e7:e1:a8:b5:0d: + 87:bb:76:5b:0e:05:1f:d4:82:3c:68:99:ec:ae:ae:8e:4a:72: + cf:3f:8a:7f:b0:a2:69:d9:8c:68:7d:2f:3e:54:e9:fb:70:cf: + d4:ed:1b:61:68:33:4f:93:9b:5f:5e:e9:de:e8:51:66:fd:c8: + 35:40:a0:7d:42:bd:d7:f4:96:cd:c8:72:14:84:cd:f5:19:8c: + a0:5a:b7:72 +-----BEGIN X509 CRL----- +MIICGjCCAQICAQEwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQKDAhTYXd0b290 +aDETMBEGA1UECwwKQ29uc3VsdGluZzEYMBYGA1UEAwwPd3d3LndvbGZzc2wuY29t +MR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tFw0yNjAxMDgwNzE1MjVa +Fw0yODEwMDQwNzE1MjVaMBQwEgIBARcNMjYwMTA4MDcxNTI1WqAjMCEwHwYDVR0U +BBgCFgCLwow7P3pjRM1GSp/cg38gCd65T9MwDQYJKoZIhvcNAQELBQADggEBAEdx +qo0pEZBXyXB4pd5A7sPagWjQIAmvW18w+WkU/4rPRg3oDUXfHUnOBQEopTRQtstU +naFCbPbiZt6+5JBVwYPlTCaWQyk5hK1oPA1a1Oe6fCHpocIMrW8MMnGBn999ww2S +pG9Dn4+37y1tkqYXy8dMLjulKyx0+tG+bdwZBNa2VmwmlI4TFSkS/hqkc1XfpcjT 
+1ZlKxr5kH5Cp2JTRO7EO/+SB0OWkiqepgvumhr7n4ai1DYe7dlsOBR/Ugjxomeyu
+ro5Kcs8/in+womnZjGh9Lz5U6ftwz9TtG2FoM0+Tm19e6d7oUWb9yDVAoH1Cvdf0
+ls3IchSEzfUZjKBat3I=
+-----END X509 CRL-----
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
index 9a1c67f16d9..3fcff56400c 100755
--- a/certs/crl/gencrls.sh
+++ b/certs/crl/gencrls.sh
@@ -219,4 +219,26 @@ openssl crl -in crl_rsapss.pem -text > tmp
 check_result $?
 mv tmp crl_rsapss.pem
+echo "Step 29 large CRL number( = 20 octets )"
+echo d8afada7f08b38e6178bd0e5cd7b0df80071ba74 > crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/large_crlnum.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 29"
+openssl crl -in extra-crls/large_crlnum.pem -text > tmp
+check_result $?
+mv tmp extra-crls/large_crlnum.pem
+
+echo "Step 30 large CRL number( > 20 octets )"
+echo 8bc28c3b3f7a6344cd464a9fdc837f2009deb94fd3 > crlnumber
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out extra-crls/large_crlnum2.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 30"
+openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
+check_result $?
+mv tmp extra-crls/large_crlnum2.pem
+
 exit 0
diff --git a/src/crl.c b/src/crl.c
index 8b3e319ffc6..be7ad2144d4 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -138,7 +138,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
 crle->totalCerts = dcrl->totalCerts;
 crle->crlNumberSet = dcrl->crlNumberSet;
 if (crle->crlNumberSet) {
- XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_SZ);
+ XMEMCPY(crle->crlNumber, dcrl->crlNumber, sizeof(crle->crlNumber));
 }
 crle->verified = verified;
 if (!verified) {
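Review bot: The step labels count octets of the unsigned magnitude, not of the DER INTEGER, and that distinction is exactly what the new parser limit depends on: both values have their top bit set (0xd8…, 0x8b…), so `openssl ca` emits a leading 0x00 and `large_crlnum.pem` carries a 21-byte INTEGER content (the extension in the encoded file decodes as `02 15 00 D8 …`) even though it is the "= 20 octets" case that must still load. A one-line comment above each `echo … > crlnumber` would keep a later reader from shrinking the value by a byte, e.g. `# 20-octet magnitude (top bit set, so DER adds a leading 0x00); must load` for Step 29 and `# 21-octet magnitude; must be rejected by the parser` for Step 30.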
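Review bot: `sizeof(crle->crlNumber)` sizes the copy by the destination while the source is a different struct's array (`dcrl->crlNumber` in DecodedCRL), and the SetCrlInfo and SetCrlInfoFromDecoded hunks do the mirror image, sizing by the source while writing into CrlInfo. All three arrays are declared independently as `CRL_MAX_NUM_HEX_STR_SZ`, so the copies are in bounds today, but if any one of them is ever changed the result is a silent over-read or overflow rather than a compile error; sizing each copy by the smaller of the two, or a compile-time check that the arrays are the same size next to one of the copies, would pin it. Since the field now holds a NUL-terminated hex string written by `mp_toradix`, it is also worth confirming that DecodedCRL's crlNumber is zero-filled before parsing — the full-array copy otherwise propagates whatever bytes follow the terminator; that cannot be seen from this hunk.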
@@ -597,7 +597,7 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)
 info->nextDateFormat = entry->nextDateFormat;
 info->crlNumberSet = entry->crlNumberSet;
 if (info->crlNumberSet)
- XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
+ XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber));
 }
 static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
@@ -612,7 +612,7 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
 info->nextDateFormat = entry->nextDateFormat;
 info->crlNumberSet = entry->crlNumberSet;
 if (info->crlNumberSet)
- XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
+ XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber));
 }
 #endif
@@ -622,14 +622,14 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
 static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
 {
 int ret = 0;
- DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT,
- CRL_MAX_NUM_SZ * CHAR_BIT);
- DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT,
- CRL_MAX_NUM_SZ * CHAR_BIT);
+ DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ_BITS,
+ CRL_MAX_NUM_SZ_BITS);
+ DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ_BITS,
+ CRL_MAX_NUM_SZ_BITS);
- NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
+ NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS, NULL,
 DYNAMIC_TYPE_TMP_BUFFER);
- NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
+ NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ_BITS, NULL,
 DYNAMIC_TYPE_TMP_BUFFER);
 #ifdef MP_INT_SIZE_CHECK_NULL
 if ((prev_num == NULL) || (curr_num == NULL)) {
@@ -637,9 +637,9 @@ static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
 }
 #endif
- if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT)
+ if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS)
 != MP_OKAY) || (INIT_MP_INT_SIZE(curr_num,
- CRL_MAX_NUM_SZ * CHAR_BIT)) != MP_OKAY)) {
+ CRL_MAX_NUM_SZ_BITS)) != MP_OKAY)) {
 ret = MP_INIT_E;
 }
diff --git a/tests/api.c b/tests/api.c
index 5f8406b20ae..751942dd323 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -31518,6 +31518,58 @@ static int test_wolfSSL_CTX_LoadCRL(void)
 return EXPECT_RESULT();
 }
+static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
+{
+ EXPECT_DECLS;
+#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
+ defined(HAVE_CRL_UPDATE_CB)
+ WOLFSSL_CERT_MANAGER* cm = NULL;
+ const char* caCert = "./certs/ca-cert.pem";
+ const char* crl_lrgcrlnum = "./certs/crl/extra-crls/large_crlnum.pem";
+ const char* crl_lrgcrlnum2 = "./certs/crl/extra-crls/large_crlnum2.pem";
+ const char* exp_crlnum = "D8AFADA7F08B38E6178BD0E5CD7B0DF80071BA74";
+ byte *crlLrgCrlNumBuff = NULL;
+ word32 crlLrgCrlNumSz;
+ CrlInfo crlInfo;
+ XFILE f;
+ word32 sz;
+
+ cm = wolfSSL_CertManagerNew();
+ ExpectNotNull(cm);
+ ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, caCert, NULL),
+ WOLFSSL_SUCCESS);
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_lrgcrlnum,
+ WOLFSSL_FILETYPE_PEM),
+ WOLFSSL_SUCCESS);
+
+ AssertTrue((f = XFOPEN(crl_lrgcrlnum, "rb")) != XBADFILE);
+ AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0);
+ AssertIntGE(sz = (word32) XFTELL(f), 1);
+ AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0);
+ AssertTrue( \
+ (crlLrgCrlNumBuff =
+ (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL);
+ AssertTrue(XFREAD(crlLrgCrlNumBuff, 1, sz, f) == sz);
+ XFCLOSE(f);
+ crlLrgCrlNumSz = sz;
+
+ AssertIntEQ(wolfSSL_CertManagerGetCRLInfo(
+ cm, &crlInfo, crlLrgCrlNumBuff, crlLrgCrlNumSz, WOLFSSL_FILETYPE_PEM),
+ WOLFSSL_SUCCESS);
+ AssertIntEQ(XMEMCMP(
+ crlInfo.crlNumber, exp_crlnum, XSTRLEN(exp_crlnum)), 0);
+ /* Expect to fail loading CRL because of >21 octets CRL number */
+ ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl_lrgcrlnum2,
+ WOLFSSL_FILETYPE_PEM),
+ ASN_PARSE_E);
+
+ XFREE(crlLrgCrlNumBuff, NULL, DYNAMIC_TYPE_FILE);
+ wolfSSL_CertManagerFree(cm);
+#endif
+ return EXPECT_RESULT();
+
+}
+
 #if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \
 defined(HAVE_CRL_UPDATE_CB)
 int crlUpdateTestStatus = 0;
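Review bot: The comment `/* Expect to fail loading CRL because of >21 octets CRL number */` does not match the fixture: the Step 30 value `8bc28c3b…b94fd3` in gencrls.sh is 42 hex digits, a 21-octet magnitude that is one over the 20-octet `CRL_MAX_NUM_SZ` limit, so it should read `/* Expect load to fail: CRL number is 21 octets, over CRL_MAX_NUM_SZ */`. The body also mixes `Expect*` with `Assert*`; the `Assert*` family stops the test on failure after `cm`, `f` and `crlLrgCrlNumBuff` have been acquired, so a failed seek or short read skips `XFCLOSE(f)`, `XFREE` and `wolfSSL_CertManagerFree`, whereas `Expect*` throughout (as in the neighbouring `test_wolfSSL_CTX_LoadCRL`) keeps the cleanup on the failure path. Separately, the test pins `ASN_PARSE_E` while the parser hunks in asn.c set `BUFFER_E`; presumably a caller maps one to the other, but a short comment naming where would save the next reader the search.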
@@ -31575,7 +31627,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
 AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen);
 AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat);
 AssertIntEQ(XMEMCMP(
- crl1Info.crlNumber, old->crlNumber, CRL_MAX_NUM_SZ), 0);
+ crl1Info.crlNumber, old->crlNumber, sizeof(old->crlNumber)), 0);
 AssertIntEQ(XMEMCMP(
 crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0);
 AssertIntEQ(XMEMCMP(
@@ -31590,7 +31642,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
 AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen);
 AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat);
 AssertIntEQ(XMEMCMP(
- crlRevInfo.crlNumber, cnew->crlNumber, CRL_MAX_NUM_SZ), 0);
+ crlRevInfo.crlNumber, cnew->crlNumber, sizeof(cnew->crlNumber)), 0);
 AssertIntEQ(XMEMCMP(
 crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0);
 AssertIntEQ(XMEMCMP(
@@ -42089,6 +42141,7 @@ TEST_CASE testCases[] = {
 TEST_DECL(test_wolfSSL_use_certificate_chain_file),
 TEST_DECL(test_wolfSSL_CTX_trust_peer_cert),
 TEST_DECL(test_wolfSSL_CTX_LoadCRL),
+ TEST_DECL(test_wolfSSL_CTX_LoadCRL_largeCRLnum),
 TEST_DECL(test_wolfSSL_crl_update_cb),
 TEST_DECL(test_wolfSSL_CTX_SetTmpDH_file),
 TEST_DECL(test_wolfSSL_CTX_SetTmpDH_buffer),
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index dc17a3357a0..385eefa7293 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -40748,6 +40748,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 word32* inOutIdx, word32 sz)
 {
 int length;
+ int needed;
 word32 idx;
 word32 ext_bound; /* boundary index for the sequence of extensions */
 word32 oid;
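Review bot: Comparing `sizeof(old->crlNumber)` bytes now compares everything past the NUL of a hex string (the field became `char[CRL_MAX_NUM_HEX_STR_SZ]` and is filled by `mp_toradix`), so the assertion holds only because every producer in this change copies the whole array verbatim; the second updateCrlCb hunk has the same shape for `crlRevInfo.crlNumber` versus `cnew->crlNumber`. A bounded string compare states the actual contract and survives a producer that one day writes only the string: `AssertIntEQ(XSTRNCMP(crl1Info.crlNumber, old->crlNumber, sizeof(old->crlNumber)), 0);` and likewise for the `cnew` case. The enclosing updateCrlCb starts and ends outside both hunks.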
@@ -40833,9 +40834,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 return ret;
 }
 else {
- DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
- CRL_MAX_NUM_SZ * CHAR_BIT);
- NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
+ DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
+ CRL_MAX_NUM_SZ_BITS);
+ NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
 DYNAMIC_TYPE_TMP_BUFFER);
 #ifdef MP_INT_SIZE_CHECK_NULL
 if (m == NULL) {
@@ -40853,7 +40854,15 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 if (ret != MP_OKAY)
 ret = BUFFER_E;
-
+ /* Check CRL number size
+ * if it exceeds CRL_MAX_NUM_SZ(octets)
+ * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
+ */
+ if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
+ ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
+ WOLFSSL_MSG("CRL number exceeds limitation.");
+ ret = BUFFER_E;
+ }
 if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
 MP_RADIX_HEX) != MP_OKAY)
 ret = BUFFER_E;
@@ -40891,6 +40900,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
 word32 maxIdx)
 {
 DECL_ASNGETDATA(dataASN, certExtASN_Length);
+ int needed;
 int ret = 0;
 /* Track if we've seen these extensions already */
 word32 seenAuthKey = 0;
@@ -40951,9 +40961,9 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
 #endif
 }
 else if (oid == CRL_NUMBER_OID) {
- DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
- CRL_MAX_NUM_SZ * CHAR_BIT);
- NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
+ DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ_BITS,
+ CRL_MAX_NUM_SZ_BITS);
+ NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ_BITS, NULL,
 DYNAMIC_TYPE_TMP_BUFFER);
 #ifdef MP_INT_SIZE_CHECK_NULL
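Review bot: The second clause `(needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ` in the new size check can never be true when the first is false, because the asn.h hunk defines `CRL_MAX_NUM_HEX_STR_SZ` as `CRL_MAX_NUM_SZ * 2 + 1`; it reads as an independent limit but is not one, and the identical block is repeated in the template-ASN hunk at 40980. The check also runs whatever `ret` holds, so `mp_unsigned_bin_size(m)` is consulted even after the read above it failed — presumably harmless since `m` was initialised before the hunk, but guarding it the way the following `mp_toradix` line is guarded makes the sequencing explicit. Suggest `if (ret == MP_OKAY && mp_unsigned_bin_size(m) > CRL_MAX_NUM_SZ) {` here (`ret == 0 &&` in the second copy) with the comment `/* bound the magnitude so its hex form, 2 digits per octet plus NUL, fits crlNumber */`, which also retires the `needed` locals added in the earlier declaration hunks. Since the two copies are textually identical, a small static helper shared by both ParseCRL_Extensions variants would keep them from drifting apart.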
@@ -40970,7 +40980,15 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
 if (ret == 0) {
 ret = GetInt(m, buf, &localIdx, maxIdx);
 }
-
+ /* Check CRL number size
+ * if it exceeds CRL_MAX_NUM_SZ(octets)
+ * and CRL_MAX_NUM_HEX_STR_SZ(hex string)
+ */
+ if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) ||
+ ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) {
+ WOLFSSL_MSG("CRL number exceeds limitation.");
+ ret = BUFFER_E;
+ }
 if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
 MP_RADIX_HEX) != MP_OKAY)
 ret = BUFFER_E;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 3187bea290d..4988a378a5b 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2504,7 +2504,7 @@ struct CRL_Entry {
 /* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex
 * as the marker because clang-tidy doesn't like taking the sizeof a
 * pointer. */
- byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
+ char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */
 byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
 /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
 /* restore the hash here if needed for optimized comparisons */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 2b58808a1d9..b6549d9a2a1 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3795,7 +3795,7 @@ typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz);
 #ifdef HAVE_CRL_UPDATE_CB
 typedef struct CrlInfo {
- byte crlNumber[CRL_MAX_NUM_SZ];
+ char crlNumber[CRL_MAX_NUM_HEX_STR_SZ];
 byte *issuerHash;
 word32 issuerHashLen;
 byte *lastDate;
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 99da1e84fa3..bbdeaf019db 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
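Review bot: The field comment `/* CRL number extension */` on `crlNumber` in the internal.h hunk no longer says what the member holds: it changed from raw big-endian octets to a NUL-terminated hex string (the new test compares it against `"D8AFADA7…"`), and the same stale comment survives on the `DecodedCRL` member in the asn.h hunk. Suggest `char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number as NUL-terminated uppercase hex string */` in both places. The ssl.h hunk makes the same change to the public `CrlInfo` struct under HAVE_CRL_UPDATE_CB, which alters both the size and the meaning of a member that existing update callbacks already read, so that member deserves the same comment plus a release-note line telling callers that copied `CRL_MAX_NUM_SZ` bytes or parsed it as a big-endian integer to switch.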
@@ -2693,6 +2693,8 @@ struct RevokedCert {
 #define CRL_MAX_NUM_SZ 20 /* RFC5280 states that CRL number can be up to 20 */
 #endif /* octets long */
+#define CRL_MAX_NUM_HEX_STR_SZ (CRL_MAX_NUM_SZ * 2 + 1)
+#define CRL_MAX_NUM_SZ_BITS (CRL_MAX_NUM_SZ * CHAR_BIT)
 typedef struct DecodedCRL DecodedCRL;
@@ -2706,7 +2708,7 @@ struct DecodedCRL {
 word32 sigParamsLength; /* length of signature parameters */
 #endif
 byte* signature; /* pointer into raw source, not owned */
- byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
+ char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */
 byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */
 byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
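Review bot: The two new macros are undocumented although their relationship to `CRL_MAX_NUM_SZ` is what every bounds check in this change relies on; a trailing comment on each, e.g. `/* hex text of a CRL_MAX_NUM_SZ-octet number: 2 digits per octet plus NUL */` and `/* CRL_MAX_NUM_SZ in bits; mp_int size used when parsing the number */`, would record that the buffer sizes are derived rather than chosen. `CRL_MAX_NUM_SZ_BITS` expands to `CHAR_BIT`, which comes from `<limits.h>`; whether asn.h (or a header it pulls in) includes it is not visible here, and before this change `CHAR_BIT` was only written in the .c files, so it is worth confirming the header stays self-contained for any future user of the macro.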