1 (edited by HAPPY 2025-03-10 02:17:15)

Topic: Can wolfCLU parse CRL files with CRL extensions?

Hello Developer,

While using wolfCLU to parse CRL files, I found that wolfCLU can only parse CRL files without CRL extensions, including extensions like Authority Key Identifier (AKI), Issuer Directory Prefix (IDP), and Freshest CRL (FDP), etc. Could this be an issue with wolfCLU, or is it possible that I missed selecting some options when building wolfCLU?

Re: Can wolfCLU parse CRL files with CRL extensions?

Hi HAPPY. 

Can you send over an example CRL with these extensions?

Warm regards, Anthony.

Re: Can wolfCLU parse CRL files with CRL extensions?

Thank you for noticing this. Can I ask you if you need support for extensions? If so, you can register a feature request by sending a message to support@wolfssl.com.

Warm regards, Anthony

Re: Can wolfCLU parse CRL files with CRL extensions?

Hello,

I did the following:

cd wolfssl 
./autogen.sh 
./configure --enable-wolfclu --enable-crl
make all
sudo make install
sudo ldconfig 
cd ..
cd wolfCLU
./autogen.sh
./configure 
make all 
./wolfssl crl -in /path/to/wolfssl/certs/crl/ca-int.pem -text -noout

Here is the output from the last command:

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Development, CN = wolfSSL Intermediate CA, emailAddress = info@wolfssl.com
        Last Update: Sep 27 12:10:09 2023 GMT
        Next Update: Jun 23 12:10:09 2026 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35
            X509v3 CRL Number: 
                8192
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4b:7f:45:20:16:f5:77:18:35:70:b5:d3:fe:d8:3f:1b:90:0e:
        f7:aa:dc:39:85:b3:df:52:a8:65:e7:b5:01:34:c3:9a:01:bf:
        59:f9:79:79:9c:b3:a8:8a:e3:eb:23:41:af:48:ad:ab:01:0a:
        e2:b7:09:47:3e:42:19:13:c2:6b:cd:4c:dd:54:5c:42:77:23:
        f7:4f:1b:a0:4b:95:b1:a8:96:ce:86:d6:63:3d:53:61:31:54:
        be:79:50:a5:13:b7:67:5d:b8:fa:60:6e:71:9f:95:c6:20:a5:
        66:a7:02:7d:1f:f4:23:cb:49:14:c6:03:96:dc:16:b5:aa:7c:
        55:87:88:57:aa:a1:a8:ac:3b:11:64:cf:87:01:be:99:ed:7c:
        8f:28:5c:94:f6:aa:ea:c1:e2:50:16:a7:79:c4:0e:0f:3a:e5:
        5e:c2:c6:80:2e:b8:13:d8:74:cd:b1:5c:ef:14:17:ae:72:d6:
        46:ea:df:b8:b0:38:bd:8d:b1:a3:2c:a3:c7:04:dc:75:22:c3:
        2f:8a:e5:a8:0d:9d:54:4c:7f:16:b6:c0:d5:20:63:81:4a:c9:
        cb:85:c9:b6:1b:05:22:ee:0c:d9:f8:98:f3:57:16:29:09:84:
        0b:fd:aa:ee:a3:ca:36:b1:86:f1:bd:b8:12:43:ef:15:77:a9:
        52:d9:5e:25

As you can see, the AKI is parsed and output properly.

Warm regards, Anthony

5 (edited by HAPPY 2025-03-19 20:08:59)

Re: Can wolfCLU parse CRL files with CRL extensions?

Hello developer, I successfully printed the ca-int.pem using my wolfclu, but when I try to print the CRL file I created with the AKI extension using wolfclu, it throws an error. Below is the OpenSSL parsing result.

openssl crl -in crl_extention_test.der -inform DER -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=My Company, CN=My Root CA, OU=My Root CA
        Last Update: Sep  1 00:00:00 2024 GMT
        Next Update: Dec  1 00:00:00 2025 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
            X509v3 Authority Key Identifier: 
                EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a1:7b:7c:c7:60:51:58:1b:ed:b0:e5:7c:9f:0e:fd:ec:bd:f1:
        e5:67:67:1d:0f:cd:70:fe:ce:15:77:ed:a8:0f:24:d5:67:99:
        ff:f1:4d:b9:83:53:99:b4:be:30:21:be:d8:a8:b7:2b:90:02:
        4c:33:ff:89:0e:68:25:49:bf:09:b7:43:88:00:8f:7e:98:bf:
        ba:74:11:fb:1c:02:8c:b1:eb:29:68:ef:d2:27:00:e0:c0:73:
        28:ed:07:3c:df:d6:06:3d:c9:b2:c1:65:04:e8:7b:07:db:71:
        c6:24:f7:ae:27:39:da:af:bd:97:43:86:5d:ec:bb:6e:b5:37:
        e6:b1:22:6b:3b:ae:7d:b3:13:57:8d:6f:9d:96:81:41:60:19:
        f6:8b:c6:a8:e0:08:d4:5d:26:7f:a0:cc:c7:51:7e:16:68:1f:
        17:73:24:e4:dc:76:3d:37:96:f2:11:df:52:bb:60:dd:06:44:
        10:5c:40:1b:c9:29:5f:9f:61:ea:e9:45:b6:63:26:1b:52:0d:
        a6:df:ab:f0:8b:ee:26:65:af:b4:fd:f0:96:2c:da:1d:31:b9:
        fc:53:43:bb:2f:5a:f8:77:c8:20:72:12:ed:76:c9:77:7b:e7:
        fd:7a:37:51:9a:49:f0:0b:a3:06:e1:db:66:0b:58:45:8c:d8:
        63:04:21:4f

The wolfclu parsing result:

wolfssl crl -in crl_extention_test.pem -text
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
opened /dev/urandom.
rnd read...
wolfSSL Entering wolfSSL_BIO_new_file
wolfSSL Entering wolfSSL_BIO_s_file
wolfSSL Entering wolfSSL_BIO_new
wolfSSL Entering wolfSSL_BIO_set_fp
wolfSSL Entering wolfSSL_BIO_get_len
wolfSSL Entering wolfSSL_BIO_get_fp
wolfSSL Entering wolfSSL_BIO_read
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_d2i_X509_CRL
wolfSSL Entering InitCRL
wolfSSL Entering BufferLoadCRL
InitDecodedCRL
ParseCRL
ERR TRACE: wolfcrypt/src/asn.c L 1622 ASN_PARSE_E (-140)
ERR TRACE: wolfcrypt/src/asn.c L 39029 ASN_PARSE_E (-140)
ParseCRL error
wolfSSL Entering FreeCRL_Entry
FreeDecodedCRL
Buffer Load CRL failed
wolfSSL Entering wolfSSL_X509_CRL_free
wolfSSL Entering FreeCRL
Unable to parse CRL file
wolfSSL Entering wolfSSL_ERR_get_error_line_data
No Error found in queue
ERR TRACE: wolfcrypt/src/logging.c L 686 BAD_STATE_E (-192)
wolfSSL Entering wolfSSL_X509_CRL_free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Entering wolfSSL_BIO_free
ERR TRACE: ./src/bio.c L 3088 WOLFSSL_FAILURE (0)
Error returned: -1.
wolfSSL Entering wolfSSL_ERR_get_error_line_data
No Error found in queue
ERR TRACE: wolfcrypt/src/logging.c L 686 BAD_STATE_E (-192)
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup


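Added example, not part of the original posts and not wolfSSL code: when one tool prints a CRL and another stops with ASN_PARSE_E, as in the post above, a small DER walker can list which CRL extensions the file carries, in what order, and whether any is marked critical, so it can be compared with a CRL that parses. The sample CRL, its key identifier and every function name here are constructed for illustration.

```python
NAMES = {"2.5.29.20": "CRL Number", "2.5.29.35": "Authority Key Identifier",
         "2.5.29.28": "Issuing Distribution Point", "2.5.29.46": "Freshest CRL"}

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):             # yields (tag, value_start, value_end)
    while start < end:
        tag, vs, start = read_tlv(buf, start)
        yield tag, vs, start

def oid_str(b):
    first = min(b[0] // 40, 2)             # first byte packs the first two arcs
    arcs, val = [first, b[0] - 40 * first], 0
    for byte in b[1:]:                     # later arcs are base-128, high bit = "more"
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def crl_extensions(der):
    """Return [(oid, name, critical)] in encoding order; [] if there are none."""
    _, cs, _ = read_tlv(der, 0)            # CertificateList
    _, ts, te = read_tlv(der, cs)          # tbsCertList
    found = []
    for tag, vs, _ in children(der, ts, te):
        if tag == 0xA0:                    # crlExtensions is [0] EXPLICIT
            _, es, ee = read_tlv(der, vs)  # Extensions SEQUENCE
            for _, xs, xe in children(der, es, ee):
                parts = list(children(der, xs, xe))  # OID, [BOOLEAN], OCTET STRING
                oid = oid_str(der[parts[0][1]:parts[0][2]])
                critical = len(parts) == 3 and der[parts[1][1]] != 0
                found.append((oid, NAMES.get(oid, "unknown"), critical))
    return found

def tlv(tag, body): return bytes([tag, len(body)]) + body  # short-form, sample only
# Constructed, unsigned sample (not the poster's CRL): CRL Number first, then AKI.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
NUM = tlv(0x30, tlv(0x06, b"\x55\x1d\x14") + tlv(0x04, tlv(0x02, b"\x01")))
AKI = tlv(0x30, tlv(0x06, b"\x55\x1d\x23") + tlv(0x04, tlv(0x30, tlv(0x80, b"\xaa" * 4))))
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + tlv(0x30, b"") + tlv(0x17, b"240901000000Z")
          + tlv(0x17, b"251201000000Z") + tlv(0xA0, tlv(0x30, NUM + AKI)))
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))
```

To inspect a real file, convert it with openssl crl -in crl.pem -outform DER -out crl.der and pass the file's bytes to crl_extensions().
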
6 (edited by HAPPY 2025-03-20 19:48:10)

Re: Can wolfCLU parse CRL files with CRL extensions?

Hello, Developer, I believe I have identified the issue. I have written about my findings at https://github.com/wolfSSL/wolfssl/issues/8574.
