@@ -42,6 +42,9 @@ CRL Options:
4242#include <wolfssl/wolfcrypt/logging.h>
4343#include <wolfssl/wolfcrypt/ecc.h>
4444#include <wolfssl/wolfcrypt/rsa.h>
45+ #if defined(OPENSSL_EXTRA )
46+ #include <wolfssl/openssl/x509v3.h>
47+ #endif
4548
4649#ifndef NO_STRING_H
4750 #include <string.h>
@@ -93,6 +96,9 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
9396 (void )ret ;
9497 }
9598#endif
99+ #if defined(OPENSSL_EXTRA )
100+ crl -> revokedStack = NULL ;
101+ #endif
96102
97103 return 0 ;
98104}
@@ -250,6 +256,14 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
250256 return ;
251257 }
252258#ifdef CRL_STATIC_REVOKED_LIST
259+ #if defined(OPENSSL_EXTRA )
260+ {
261+ int i ;
262+ for (i = 0 ; i < CRL_MAX_REVOKED_CERTS ; i ++ ) {
263+ XFREE (crle -> certs [i ].extensions , heap , DYNAMIC_TYPE_REVOKED );
264+ }
265+ }
266+ #endif
253267 XMEMSET (crle -> certs , 0 , CRL_MAX_REVOKED_CERTS * sizeof (RevokedCert ));
254268#else
255269 {
@@ -258,6 +272,9 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
258272
259273 for (tmp = crle -> certs ; tmp != NULL ; tmp = next ) {
260274 next = tmp -> next ;
275+ #if defined(OPENSSL_EXTRA )
276+ XFREE (tmp -> extensions , heap , DYNAMIC_TYPE_REVOKED );
277+ #endif
261278 XFREE (tmp , heap , DYNAMIC_TYPE_REVOKED );
262279 }
263280
@@ -312,6 +329,12 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
312329 XFREE (crl -> monitors [1 ].path , crl -> heap , DYNAMIC_TYPE_CRL_MONITOR );
313330#endif
314331
332+ #if defined(OPENSSL_EXTRA )
333+ if (crl -> revokedStack != NULL ) {
334+ wolfSSL_sk_pop_free (crl -> revokedStack , NULL );
335+ crl -> revokedStack = NULL ;
336+ }
337+ #endif
315338 XFREE (crl -> currentEntry , crl -> heap , DYNAMIC_TYPE_CRL_ENTRY );
316339 crl -> currentEntry = NULL ;
317340 while (tmp ) {
@@ -1024,7 +1047,10 @@ int BufferStoreCRL(WOLFSSL_CRL* crl, byte* buff, long* inOutSz, int type)
10241047 pos += SetAlgoID ((int )sigOID , buff + pos , oidSigType , 0 );
10251048 }
10261049
1027- if (ret == 0 ) {
1050+ #ifdef WC_RSA_PSS
1051+ if (ret == 0 )
1052+ #endif
1053+ {
10281054 /* signature BIT STRING and bytes */
10291055 pos += SetBitString (sigSz , 0 , buff + pos );
10301056 XMEMCPY (buff + pos , sig , sigSz );
@@ -1076,7 +1102,10 @@ int BufferStoreCRL(WOLFSSL_CRL* crl, byte* buff, long* inOutSz, int type)
10761102 {
10771103 pos += SetAlgoID ((int )sigOID , derTmp + pos , oidSigType , 0 );
10781104 }
1079- if (ret == 0 ) {
1105+ #ifdef WC_RSA_PSS
1106+ if (ret == 0 )
1107+ #endif
1108+ {
10801109 pos += SetBitString (sigSz , 0 , derTmp + pos );
10811110 XMEMCPY (derTmp + pos , sig , sigSz );
10821111 }
@@ -1231,6 +1260,20 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
12311260 XMEMCPY (tmp -> revDate , current -> revDate ,
12321261 MAX_DATE_SIZE );
12331262 tmp -> revDateFormat = current -> revDateFormat ;
1263+ tmp -> reasonCode = current -> reasonCode ;
1264+ #if defined(OPENSSL_EXTRA )
1265+ tmp -> extensions = NULL ;
1266+ tmp -> extensionsSz = 0 ;
1267+ if (current -> extensions != NULL && current -> extensionsSz > 0 ) {
1268+ tmp -> extensions = (byte * )XMALLOC (current -> extensionsSz , heap ,
1269+ DYNAMIC_TYPE_REVOKED );
1270+ if (tmp -> extensions != NULL ) {
1271+ XMEMCPY (tmp -> extensions , current -> extensions ,
1272+ current -> extensionsSz );
1273+ tmp -> extensionsSz = current -> extensionsSz ;
1274+ }
1275+ }
1276+ #endif
12341277 tmp -> next = NULL ;
12351278 if (prev != NULL )
12361279 prev -> next = tmp ;
@@ -1244,6 +1287,9 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
12441287 while (head != NULL ) {
12451288 current = head ;
12461289 head = head -> next ;
1290+ #if defined(OPENSSL_EXTRA )
1291+ XFREE (current -> extensions , heap , DYNAMIC_TYPE_REVOKED );
1292+ #endif
12471293 XFREE (current , heap , DYNAMIC_TYPE_REVOKED );
12481294 }
12491295 return NULL ;
@@ -2360,35 +2406,30 @@ WOLFSSL_X509_CRL* wolfSSL_X509_CRL_new(void)
23602406#ifdef WOLFSSL_CERT_GEN
23612407/* Add a revoked certificate entry to CRL.
23622408 * crl: target CRL
2363- * rev: serial number of revoked certificate
2409+ * rev: revoked certificate entry (serial, date, reason, etc.)
23642410 * Returns WOLFSSL_SUCCESS on success.
2365- * TODO: support other fields for OpenSSL compatibility: revocationDate,
2366- * extensions, issuer, etc.
23672411 */
23682412int wolfSSL_X509_CRL_add_revoked (WOLFSSL_X509_CRL * crl ,
23692413 WOLFSSL_X509_REVOKED * rev )
23702414{
23712415 CRL_Entry * entry ;
23722416 RevokedCert * rc ;
23732417 RevokedCert * curr ;
2374- WOLFSSL_ASN1_TIME revDate ;
23752418
23762419 WOLFSSL_ENTER ("wolfSSL_X509_CRL_add_revoked" );
23772420
23782421 if (crl == NULL || rev == NULL || rev -> serialNumber == NULL ) {
23792422 return BAD_FUNC_ARG ;
23802423 }
23812424
2382- entry = crl -> crlList ;
2383- if ( entry == NULL ) {
2425+ if ( rev -> revocationDate != NULL && ( rev -> revocationDate -> length <= 0 ||
2426+ ( unsigned ) rev -> revocationDate -> length > sizeof ( rc -> revDate )) ) {
23842427 return BAD_FUNC_ARG ;
23852428 }
23862429
2387- /* Set the revocation date to the current time */
2388- XMEMSET (& revDate , 0 , sizeof (revDate ));
2389- if (wolfSSL_ASN1_TIME_adj (& revDate , XTIME (NULL ), 0 , 0 ) == NULL ) {
2390- WOLFSSL_MSG ("Failed to get current time" );
2391- return BAD_STATE_E ;
2430+ entry = crl -> crlList ;
2431+ if (entry == NULL ) {
2432+ return BAD_FUNC_ARG ;
23922433 }
23932434
23942435 {
@@ -2427,8 +2468,25 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
24272468 rc -> serialSz = serialSz ;
24282469 }
24292470
2430- XMEMCPY (rc -> revDate , revDate .data , revDate .length );
2431- rc -> revDateFormat = (byte )revDate .type ;
2471+ /* Use caller-provided revocation date, or fall back to current time */
2472+ if (rev -> revocationDate != NULL && rev -> revocationDate -> length > 0 ) {
2473+ XMEMCPY (rc -> revDate , rev -> revocationDate -> data ,
2474+ (size_t )rev -> revocationDate -> length );
2475+ rc -> revDateFormat = (byte )rev -> revocationDate -> type ;
2476+ }
2477+ else {
2478+ WOLFSSL_ASN1_TIME revDate ;
2479+ XMEMSET (& revDate , 0 , sizeof (revDate ));
2480+ if (wolfSSL_ASN1_TIME_adj (& revDate , XTIME (NULL ), 0 , 0 ) == NULL ) {
2481+ WOLFSSL_MSG ("Failed to get current time" );
2482+ XFREE (rc , crl -> heap , DYNAMIC_TYPE_REVOKED );
2483+ return BAD_STATE_E ;
2484+ }
2485+ XMEMCPY (rc -> revDate , revDate .data , revDate .length );
2486+ rc -> revDateFormat = (byte )revDate .type ;
2487+ }
2488+
2489+ rc -> reasonCode = rev -> reason ;
24322490 rc -> next = NULL ;
24332491
24342492 /* Add to end of list */
@@ -2442,6 +2500,12 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
24422500 }
24432501 entry -> totalCerts ++ ;
24442502
2503+ /* Invalidate cached STACK_OF(X509_REVOKED) since list changed */
2504+ if (crl -> revokedStack != NULL ) {
2505+ wolfSSL_sk_pop_free (crl -> revokedStack , NULL );
2506+ crl -> revokedStack = NULL ;
2507+ }
2508+
24452509 WOLFSSL_LEAVE ("wolfSSL_X509_CRL_add_revoked" , WOLFSSL_SUCCESS );
24462510 return WOLFSSL_SUCCESS ;
24472511}
@@ -2513,7 +2577,9 @@ int wolfSSL_X509_CRL_add_revoked_cert(WOLFSSL_X509_CRL* crl,
25132577 XMEMCPY (serialInt -> data , cert -> serial , cert -> serialSz );
25142578 serialInt -> length = cert -> serialSz ;
25152579
2580+ XMEMSET (& revoked , 0 , sizeof (revoked ));
25162581 revoked .serialNumber = serialInt ;
2582+ revoked .reason = CRL_REASON_NONE ;
25172583
25182584 /* Add the revoked certificate entry */
25192585 ret = wolfSSL_X509_CRL_add_revoked (crl , & revoked );
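Review bot: In DupRevokedCertList the new out-of-memory branch for `tmp->extensions` (the `if (current->extensions != NULL && current->extensionsSz > 0)` block) leaves the copy with `extensions = NULL, extensionsSz = 0` and keeps going, so an allocation failure produces a duplicated entry that has quietly lost its CRL entry extensions instead of failing the copy. The function already has a failure path that frees the partially built list and returns NULL (the `while (head != NULL)` loop at the end), so the extensions allocation should take it as well, roughly `if (tmp->extensions == NULL) { XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED); /* jump to the existing free-head-and-return-NULL path */ }` — the exact label or break depends on the loop structure, which sits outside the hunk. Separately, wolfSSL_X509_CRL_add_revoked now copies `rev->revocationDate->type` into `rc->revDateFormat` after validating only the length; whether an arbitrary tag there can reach the DER encoder unchecked depends on code outside this diff, so rejecting anything other than the library's UTC/GeneralizedTime tag constants alongside the length check would be cheap insurance. Both enclosing functions start and end outside their hunks.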