Add CRL decode

Author: padelsbach

examples/certs/test/crl-decode.der

@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIB1jCBvwIBATANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQGEwJVUzEQMA4GA1UE
+CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTCBJ
+bmMuMRkwFwYDVQQLDBBEZXZlbG9wbWVudCBUZXN0MRgwFgYDVQQDDA93b2xmU1NM
+IFRlc3QgQ0EXDTI2MDIxOTAwMzYyMloXDTM2MDIxNzAwMzYyMlqgDjAMMAoGA1Ud
+FAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCvwOGtRd31ztiKj6SPIe3Oo0bW0MC+
+bBqd5oCpupUR9qEdV391PNT2F/h6P61asKJbj5ItPoFAKjOKmCFm6UvJp24ypxmr
+n3pbvjFH+ki77+3fyzvZmkbyQC5vrdb8X9dEvwk3/z98x9QB47d2zVyQLMG9ZEHT
+uTQXL9liz8V1q2BHy3V8/wwsPJhZTm3sViayixQA80YOtp1+7K08GnOhvAr78Vqd
+CvN4lY3GUkzgjt6n4gFSrsahIAyGb7hZ9opSQBAO/SMg1P6J85bYshTWSiD6aLCY
+uUxLGPkJSEKdqQph/vAr4JifZQIaIHY9oP4HmDHw8ChFlvz571YHyDLV
+-----END X509 CRL-----

examples/certs/test/crl-decode.pem

@@ -148,6 +148,62 @@ rm intermediate/ca-int-ecc-cert.pem.bak
 rm intermediate/server-int-cert.pem.bak
 rm intermediate/server-int-ecc-cert.pem.bak
 
+# Generate test CRL (PEM and DER) for WolfSSLCRL decode testing.
+# Creates a self-signed CA, revokes a dummy serial, produces CRL in
+# both PEM and DER formats under test/.
+printf "\nGenerating test CRL for CRL decode testing...\n"
+TMP_DIR="$(mktemp -d)"
+
+# CA key + self-signed cert
+openssl genrsa -out "${TMP_DIR}/crl-test-ca-key.pem" 2048 2>/dev/null
+openssl req -x509 -new -nodes \
+  -key "${TMP_DIR}/crl-test-ca-key.pem" \
+  -sha256 -days 3650 \
+  -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL Inc./OU=Development Test/CN=wolfSSL Test CA" \
+  -out "${TMP_DIR}/crl-test-ca-cert.pem" 2>/dev/null
+
+# CRL index / database files required by openssl ca
+touch "${TMP_DIR}/index.txt"
+echo "01" > "${TMP_DIR}/crlnumber"
+
+cat > "${TMP_DIR}/openssl-ca.cnf" <<EOF
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+database       = ${TMP_DIR}/index.txt
+crlnumber      = ${TMP_DIR}/crlnumber
+default_md     = sha256
+default_crl_days = 3650
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always
+EOF
+
+# Generate CRL with empty revocation list. Decode tests only need to parse
+# the CRL structure (issuer, signature, dates, etc.), not iterate entries.
+openssl ca -gencrl \
+  -keyfile "${TMP_DIR}/crl-test-ca-key.pem" \
+  -cert "${TMP_DIR}/crl-test-ca-cert.pem" \
+  -config "${TMP_DIR}/openssl-ca.cnf" \
+  -out test/crl-decode.pem 2>/dev/null
+if [ $? -ne 0 ]; then
+    printf "Failed to generate test/crl-decode.pem\n"
+    rm -rf "${TMP_DIR}"
+    exit 1
+fi
+
+# Convert PEM CRL to DER
+openssl crl -in test/crl-decode.pem -outform DER \
+  -out test/crl-decode.der 2>/dev/null
+if [ $? -ne 0 ]; then
+    printf "Failed to generate test/crl-decode.der\n"
+    rm -rf "${TMP_DIR}"
+    exit 1
+fi
+rm -rf "${TMP_DIR}"
+printf "Generated test/crl-decode.pem and test/crl-decode.der\n"
+
 # Generate SAN test certificates for WolfSSLAltName testing
 printf "\nGenerating SAN test certificates...\n"
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

examples/certs/update-certs.sh

@@ -1093,6 +1093,19 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_CrlGenerationEnabled
 #endif
 }
 
+JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_CrlDecodeEnabled
+  (JNIEnv* jenv, jclass jcl)
+{
+    (void)jenv;
+    (void)jcl;
+
+#if defined(HAVE_CRL) && defined(OPENSSL_EXTRA)
+    return JNI_TRUE;
+#else
+    return JNI_FALSE;
+#endif
+}
+
 JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_certReqEnabled
   (JNIEnv* jenv, jclass jcl)
 {

native/com_wolfssl_WolfSSL.c

@@ -44,6 +44,10 @@
 #define WOLFSSL_JNI_CRL_GEN_ENABLED
 #endif
 
+#if defined(HAVE_CRL) && defined(OPENSSL_EXTRA)
+#define WOLFSSL_JNI_CRL_DECODE_ENABLED
+#endif
+
 JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1new
   (JNIEnv* jenv, jclass jcl)
 {
@@ -847,3 +851,273 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1get_1signatu
     return NULL;
 #endif
 }
+
+JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1load_1buffer
+  (JNIEnv* jenv, jclass jcl, jbyteArray buf, jint format)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl = NULL;
+    byte* bufPtr = NULL;
+    int bufSz = 0;
+    (void)jcl;
+
+    if (jenv == NULL || buf == NULL) {
+        return 0;
+    }
+
+    bufPtr = (byte*)(*jenv)->GetByteArrayElements(
+        jenv, buf, NULL);
+    bufSz = (*jenv)->GetArrayLength(jenv, buf);
+
+    if (bufPtr == NULL || bufSz <= 0) {
+        if (bufPtr != NULL) {
+            (*jenv)->ReleaseByteArrayElements(
+                jenv, buf, (jbyte*)bufPtr, JNI_ABORT);
+        }
+        return 0;
+    }
+
+    if ((int)format == WOLFSSL_FILETYPE_PEM) {
+        /* PEM format: use BIO to decode */
+        WOLFSSL_BIO* bio = wolfSSL_BIO_new_mem_buf(
+            bufPtr, bufSz);
+        if (bio != NULL) {
+            crl = wolfSSL_PEM_read_bio_X509_CRL(
+                bio, NULL, NULL, NULL);
+            wolfSSL_BIO_free(bio);
+        }
+    }
+    else {
+        /* DER format: decode directly */
+        crl = wolfSSL_d2i_X509_CRL(
+            NULL, (const unsigned char*)bufPtr, bufSz);
+    }
+
+    (*jenv)->ReleaseByteArrayElements(
+        jenv, buf, (jbyte*)bufPtr, JNI_ABORT);
+
+    return (jlong)(uintptr_t)crl;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)buf;
+    (void)format;
+    return 0;
+#endif
+}
+
+JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1load_1file
+  (JNIEnv* jenv, jclass jcl, jstring path, jint format)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED) && \
+    !defined(NO_FILESYSTEM)
+    WOLFSSL_X509_CRL* crl = NULL;
+    const char* cPath = NULL;
+    XFILE fp = XBADFILE;
+    (void)jcl;
+
+    if (jenv == NULL || path == NULL) {
+        return 0;
+    }
+
+    cPath = (*jenv)->GetStringUTFChars(jenv, path, NULL);
+    if (cPath == NULL) {
+        return 0;
+    }
+
+    fp = XFOPEN(cPath, "rb");
+    if (fp == XBADFILE) {
+        (*jenv)->ReleaseStringUTFChars(jenv, path, cPath);
+        return 0;
+    }
+
+    if ((int)format == WOLFSSL_FILETYPE_PEM) {
+        crl = wolfSSL_PEM_read_X509_CRL(
+            fp, NULL, NULL, NULL);
+    }
+    else {
+        crl = wolfSSL_d2i_X509_CRL_fp(fp, NULL);
+    }
+
+    XFCLOSE(fp);
+    (*jenv)->ReleaseStringUTFChars(jenv, path, cPath);
+
+    return (jlong)(uintptr_t)crl;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)path;
+    (void)format;
+    return 0;
+#endif
+}
+
+JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1get_1issuer_1name_1string
+  (JNIEnv* jenv, jclass jcl, jlong crlPtr)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl =
+        (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr;
+    WOLFSSL_X509_NAME* name = NULL;
+    char* nameStr = NULL;
+    jstring ret = NULL;
+    (void)jcl;
+
+    if (jenv == NULL || crl == NULL) {
+        return NULL;
+    }
+
+    name = wolfSSL_X509_CRL_get_issuer_name(crl);
+    if (name != NULL) {
+        nameStr = wolfSSL_X509_NAME_oneline(name, NULL, 0);
+        if (nameStr == NULL) {
+            return NULL;
+        }
+        ret = (*jenv)->NewStringUTF(jenv, nameStr);
+        XFREE(nameStr, NULL, DYNAMIC_TYPE_OPENSSL);
+        return ret;
+    }
+    return NULL;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)crlPtr;
+    return NULL;
+#endif
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1get_1signature_1type
+  (JNIEnv* jenv, jclass jcl, jlong crlPtr)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl =
+        (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr;
+    (void)jcl;
+
+    if (jenv == NULL || crl == NULL) {
+        return 0;
+    }
+
+    return (jint)wolfSSL_X509_CRL_get_signature_type(crl);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)crlPtr;
+    return 0;
+#endif
+}
+
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1get_1signature_1nid
+  (JNIEnv* jenv, jclass jcl, jlong crlPtr)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl =
+        (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr;
+    (void)jcl;
+
+    if (jenv == NULL || crl == NULL) {
+        return 0;
+    }
+
+    return (jint)wolfSSL_X509_CRL_get_signature_nid(crl);
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)crlPtr;
+    return 0;
+#endif
+}
+
+/* TODO: wolfSSL_X509_CRL_verify() is currently a stub in wolfSSL
+ * (src/x509.c, guarded by NO_WOLFSSL_STUB) and always returns 0.
+ * This JNI wrapper is provided for API completeness and will work
+ * correctly once the native implementation is completed. */
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1verify
+  (JNIEnv* jenv, jclass jcl, jlong crlPtr, jbyteArray pubKey,
+   jint pubKeySz)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl =
+        (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr;
+    WOLFSSL_EVP_PKEY* pkey = NULL;
+    unsigned char* buf = NULL;
+#if LIBWOLFSSL_VERSION_HEX >= 0x04004000
+    const unsigned char* ptr = NULL;
+#else
+    unsigned char* ptr = NULL;
+#endif
+    int ret;
+    (void)jcl;
+
+    if (jenv == NULL || crl == NULL ||
+        pubKey == NULL || (int)pubKeySz < 0) {
+        return BAD_FUNC_ARG;
+    }
+
+    buf = (unsigned char*)XMALLOC(pubKeySz, NULL,
+        DYNAMIC_TYPE_TMP_BUFFER);
+    if (buf == NULL) {
+        return MEMORY_E;
+    }
+    XMEMSET(buf, 0, pubKeySz);
+
+    (*jenv)->GetByteArrayRegion(jenv, pubKey, 0,
+        pubKeySz, (jbyte*)buf);
+    if ((*jenv)->ExceptionOccurred(jenv)) {
+        (*jenv)->ExceptionDescribe(jenv);
+        (*jenv)->ExceptionClear(jenv);
+        XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+    ptr = buf;
+
+    pkey = wolfSSL_d2i_PUBKEY(NULL, &ptr,
+        (int)pubKeySz);
+    if (pkey == NULL) {
+        XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        return WOLFSSL_FAILURE;
+    }
+
+    ret = wolfSSL_X509_CRL_verify(crl, pkey);
+
+    wolfSSL_EVP_PKEY_free(pkey);
+    XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    return ret;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)crlPtr;
+    (void)pubKey;
+    (void)pubKeySz;
+    return 0;
+#endif
+}
+
+/* TODO: wolfSSL_X509_CRL_get_REVOKED() is currently a stub in wolfSSL
+ * (src/x509.c, guarded by NO_WOLFSSL_STUB) and always returns NULL.
+ * This JNI wrapper is provided for API completeness and will work
+ * correctly once the native implementation is completed. */
+JNIEXPORT jlong JNICALL Java_com_wolfssl_WolfSSLCRL_X509_1CRL_1get_1REVOKED
+  (JNIEnv* jenv, jclass jcl, jlong crlPtr)
+{
+#if defined(WOLFSSL_JNI_CRL_DECODE_ENABLED)
+    WOLFSSL_X509_CRL* crl =
+        (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr;
+    WOLFSSL_X509_REVOKED* revoked = NULL;
+    (void)jcl;
+
+    if (jenv == NULL || crl == NULL) {
+        return 0;
+    }
+
+    revoked = wolfSSL_X509_CRL_get_REVOKED(crl);
+
+    return (jlong)(uintptr_t)revoked;
+#else
+    (void)jenv;
+    (void)jcl;
+    (void)crlPtr;
+    return 0;
+#endif
+}