@@ -42,6 +42,9 @@ CRL Options:
4242#include <wolfssl/wolfcrypt/logging.h>
4343#include <wolfssl/wolfcrypt/ecc.h>
4444#include <wolfssl/wolfcrypt/rsa.h>
45+ #if defined(OPENSSL_EXTRA )
46+ #include <wolfssl/openssl/x509v3.h>
47+ #endif
4548
4649#ifndef NO_STRING_H
4750 #include <string.h>
@@ -93,6 +96,9 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
9396 (void )ret ;
9497 }
9598#endif
99+ #if defined(OPENSSL_EXTRA )
100+ crl -> revokedStack = NULL ;
101+ #endif
96102
97103 return 0 ;
98104}
@@ -250,6 +256,14 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
250256 return ;
251257 }
252258#ifdef CRL_STATIC_REVOKED_LIST
259+ #if defined(OPENSSL_EXTRA )
260+ {
261+ int i ;
262+ for (i = 0 ; i < CRL_MAX_REVOKED_CERTS ; i ++ ) {
263+ XFREE (crle -> certs [i ].extensions , heap , DYNAMIC_TYPE_REVOKED );
264+ }
265+ }
266+ #endif
253267 XMEMSET (crle -> certs , 0 , CRL_MAX_REVOKED_CERTS * sizeof (RevokedCert ));
254268#else
255269 {
@@ -258,6 +272,9 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
258272
259273 for (tmp = crle -> certs ; tmp != NULL ; tmp = next ) {
260274 next = tmp -> next ;
275+ #if defined(OPENSSL_EXTRA )
276+ XFREE (tmp -> extensions , heap , DYNAMIC_TYPE_REVOKED );
277+ #endif
261278 XFREE (tmp , heap , DYNAMIC_TYPE_REVOKED );
262279 }
263280
@@ -312,6 +329,12 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
312329 XFREE (crl -> monitors [1 ].path , crl -> heap , DYNAMIC_TYPE_CRL_MONITOR );
313330#endif
314331
332+ #if defined(OPENSSL_EXTRA )
333+ if (crl -> revokedStack != NULL ) {
334+ wolfSSL_sk_pop_free (crl -> revokedStack , NULL );
335+ crl -> revokedStack = NULL ;
336+ }
337+ #endif
315338 XFREE (crl -> currentEntry , crl -> heap , DYNAMIC_TYPE_CRL_ENTRY );
316339 crl -> currentEntry = NULL ;
317340 while (tmp ) {
@@ -1231,6 +1254,20 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
12311254 XMEMCPY (tmp -> revDate , current -> revDate ,
12321255 MAX_DATE_SIZE );
12331256 tmp -> revDateFormat = current -> revDateFormat ;
1257+ tmp -> reasonCode = current -> reasonCode ;
1258+ #if defined(OPENSSL_EXTRA )
1259+ tmp -> extensions = NULL ;
1260+ tmp -> extensionsSz = 0 ;
1261+ if (current -> extensions != NULL && current -> extensionsSz > 0 ) {
1262+ tmp -> extensions = (byte * )XMALLOC (current -> extensionsSz , heap ,
1263+ DYNAMIC_TYPE_REVOKED );
1264+ if (tmp -> extensions != NULL ) {
1265+ XMEMCPY (tmp -> extensions , current -> extensions ,
1266+ current -> extensionsSz );
1267+ tmp -> extensionsSz = current -> extensionsSz ;
1268+ }
1269+ }
1270+ #endif
12341271 tmp -> next = NULL ;
12351272 if (prev != NULL )
12361273 prev -> next = tmp ;
@@ -1244,6 +1281,9 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
12441281 while (head != NULL ) {
12451282 current = head ;
12461283 head = head -> next ;
1284+ #if defined(OPENSSL_EXTRA )
1285+ XFREE (current -> extensions , heap , DYNAMIC_TYPE_REVOKED );
1286+ #endif
12471287 XFREE (current , heap , DYNAMIC_TYPE_REVOKED );
12481288 }
12491289 return NULL ;
@@ -2360,35 +2400,30 @@ WOLFSSL_X509_CRL* wolfSSL_X509_CRL_new(void)
23602400#ifdef WOLFSSL_CERT_GEN
23612401/* Add a revoked certificate entry to CRL.
23622402 * crl: target CRL
2363- * rev: serial number of revoked certificate
2403+ * rev: revoked certificate entry (serial, date, reason, etc.)
23642404 * Returns WOLFSSL_SUCCESS on success.
2365- * TODO: support other fields for OpenSSL compatibility: revocationDate,
2366- * extensions, issuer, etc.
23672405 */
23682406int wolfSSL_X509_CRL_add_revoked (WOLFSSL_X509_CRL * crl ,
23692407 WOLFSSL_X509_REVOKED * rev )
23702408{
23712409 CRL_Entry * entry ;
23722410 RevokedCert * rc ;
23732411 RevokedCert * curr ;
2374- WOLFSSL_ASN1_TIME revDate ;
23752412
23762413 WOLFSSL_ENTER ("wolfSSL_X509_CRL_add_revoked" );
23772414
23782415 if (crl == NULL || rev == NULL || rev -> serialNumber == NULL ) {
23792416 return BAD_FUNC_ARG ;
23802417 }
23812418
2382- entry = crl -> crlList ;
2383- if ( entry == NULL ) {
2419+ if ( rev -> revocationDate != NULL && ( rev -> revocationDate -> length <= 0 ||
2420+ ( unsigned ) rev -> revocationDate -> length > sizeof ( rc -> revDate )) ) {
23842421 return BAD_FUNC_ARG ;
23852422 }
23862423
2387- /* Set the revocation date to the current time */
2388- XMEMSET (& revDate , 0 , sizeof (revDate ));
2389- if (wolfSSL_ASN1_TIME_adj (& revDate , XTIME (NULL ), 0 , 0 ) == NULL ) {
2390- WOLFSSL_MSG ("Failed to get current time" );
2391- return BAD_STATE_E ;
2424+ entry = crl -> crlList ;
2425+ if (entry == NULL ) {
2426+ return BAD_FUNC_ARG ;
23922427 }
23932428
23942429 {
@@ -2427,8 +2462,25 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
24272462 rc -> serialSz = serialSz ;
24282463 }
24292464
2430- XMEMCPY (rc -> revDate , revDate .data , revDate .length );
2431- rc -> revDateFormat = (byte )revDate .type ;
2465+ /* Use caller-provided revocation date, or fall back to current time */
2466+ if (rev -> revocationDate != NULL && rev -> revocationDate -> length > 0 ) {
2467+ XMEMCPY (rc -> revDate , rev -> revocationDate -> data ,
2468+ (size_t )rev -> revocationDate -> length );
2469+ rc -> revDateFormat = (byte )rev -> revocationDate -> type ;
2470+ }
2471+ else {
2472+ WOLFSSL_ASN1_TIME revDate ;
2473+ XMEMSET (& revDate , 0 , sizeof (revDate ));
2474+ if (wolfSSL_ASN1_TIME_adj (& revDate , XTIME (NULL ), 0 , 0 ) == NULL ) {
2475+ WOLFSSL_MSG ("Failed to get current time" );
2476+ XFREE (rc , crl -> heap , DYNAMIC_TYPE_REVOKED );
2477+ return BAD_STATE_E ;
2478+ }
2479+ XMEMCPY (rc -> revDate , revDate .data , revDate .length );
2480+ rc -> revDateFormat = (byte )revDate .type ;
2481+ }
2482+
2483+ rc -> reasonCode = rev -> reason ;
24322484 rc -> next = NULL ;
24332485
24342486 /* Add to end of list */
@@ -2442,6 +2494,12 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
24422494 }
24432495 entry -> totalCerts ++ ;
24442496
2497+ /* Invalidate cached STACK_OF(X509_REVOKED) since list changed */
2498+ if (crl -> revokedStack != NULL ) {
2499+ wolfSSL_sk_pop_free (crl -> revokedStack , NULL );
2500+ crl -> revokedStack = NULL ;
2501+ }
2502+
24452503 WOLFSSL_LEAVE ("wolfSSL_X509_CRL_add_revoked" , WOLFSSL_SUCCESS );
24462504 return WOLFSSL_SUCCESS ;
24472505}
@@ -2513,7 +2571,9 @@ int wolfSSL_X509_CRL_add_revoked_cert(WOLFSSL_X509_CRL* crl,
25132571 XMEMCPY (serialInt -> data , cert -> serial , cert -> serialSz );
25142572 serialInt -> length = cert -> serialSz ;
25152573
2574+ XMEMSET (& revoked , 0 , sizeof (revoked ));
25162575 revoked .serialNumber = serialInt ;
2576+ revoked .reason = CRL_REASON_NONE ;
25172577
25182578 /* Add the revoked certificate entry */
25192579 ret = wolfSSL_X509_CRL_add_revoked (crl , & revoked );