From: Daniel Kubec
Date: Tue, 28 Oct 2025 14:18:53 +0000 (+0100)
Subject: CRL: RFC 5280 compliance for Certificate Issuer extension
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~216
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2990825a238363c4afac60f5f0e335c3fd33f28;p=thirdparty%2Fopenssl.git

CRL: RFC 5280 compliance for Certificate Issuer extension

Add validation to ensure Certificate Issuer extensions in CRL entries only appear when the Indirect CRL flag is TRUE in the Issuing Distribution Point (IDP) extension, as required by RFC 5280 section 5.3.3.

Fixes #27465

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/29018)
---

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b62ad860e04..2e99fff4d09 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1669,9 +1669,7 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
 }
 *preasons = tmp_reasons;
-
 return crl_score;
-
 }
 static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 7af3e9a7e7f..eccd57e2433 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -103,6 +103,18 @@ static int crl_set_issuers(X509_CRL *crl)
 }
 if (gtmp != NULL) {
+ /*
+ * Validation to ensure Certificate Issuer extensions in CRL
+ * entries only appear when the Indirect CRL flag is TRUE in the
+ * Issuing Distribution Point (IDP) extension, as required by
+ * RFC 5280 section 5.3.3.
+ */
+ if (crl->idp == NULL || !crl->idp->indirectCRL) {
+ crl->flags |= EXFLAG_INVALID;
+ GENERAL_NAMES_free(gtmp);
+ return 0;
+ }
+
 if (crl->issuers == NULL) {
 crl->issuers = sk_GENERAL_NAMES_new_null();
 if (crl->issuers == NULL) {
diff --git a/test/crltest.c b/test/crltest.c
index cb35c15d9c8..fb47567f58d 100644
--- a/test/crltest.c
+++ b/test/crltest.c
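Review bot: The new rejection path in crl_set_issuers both sets `crl->flags |= EXFLAG_INVALID` and returns 0; if this function is invoked from the ASN.1 decode callback (not visible in the hunk), the 0 aborts d2i and the CRL object is discarded, so the flag is never observable — the accompanying test in test/crltest.c accordingly asserts a NULL CRL rather than an invalid one. Pick one behaviour: either drop the flag assignment, or `return 1;` and let EXFLAG_INVALID reject the CRL at verification time, which is the gentler option for callers that load a whole CRL store at once and would now lose it on a single non-conforming entry (pre-existing CRLs of this shape were accepted before this change). The hard failure also leaves nothing on the error queue as written; an `ERR_raise(ERR_LIB_X509, ...)` with a suitable reason code before `return 0;` would tell callers why decoding failed. The check assumes `crl->idp` is populated before this function runs; that ordering, like the start and end of crl_set_issuers, lies outside the hunk.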
@@ -270,6 +270,35 @@ static const char **unknown_critical_crls[] = {
 kUnknownCriticalCRL, kUnknownCriticalCRL2
 };
+/*
+ * RFC 5280 states that only CRL files with the Indirect CRL flag set to True in
+ * the IDP extension require the certificate_issuer extension.
+ * https://github.com/openssl/openssl/issues/27465
+ */
+
+static const char *kCertIssuerNoIDPCRL[] = {
+ "-----BEGIN X509 CRL-----\n",
+ "MIIDBDCCAewCAQEwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCVVMxEzARBgNV\n",
+ "BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoM\n",
+ "Ck15IENvbXBhbnkxEzARBgNVBAMMCk15IFJvb3QgQ0ExEzARBgNVBAsMCk15IFJv\n",
+ "b3QgQ0EXDTI1MDEwMTAwMDAwMFoXDTI1MTIwMTAwMDAwMFowgf8wJQIUHIACLvgf\n",
+ "JAXulqYS3LYf4KxwHl4XDTI1MDQxNzEwMTY1MVowgdUCEQCMuBk+zOZx7AAAAABY\n",
+ "LIp6Fw0yNTAzMDQwMDAwMDBaMIGwMAoGA1UdFQQDCgEEMBgGA1UdGAQRGA8yMDI1\n",
+ "MDMxNDAwMDAwMFowgYcGA1UdHQEB/wR9MHukeTB3MQswCQYDVQQGDAJVTjEPMA0G\n",
+ "A1UECAwGTXkgU1QxMRUwEwYDVQQHDAxNWSBMb2NhbGl0eTExETAPBgNVBAoTCE15\n",
+ "IFVuaXQxMREwDwYDVQQLDAhNeSBVbml0MTEaMBgGA1UEAwwRd3d3Lm15Y29tcGFu\n",
+ "eS5jb22gPTA7MBgGA1UdFAQRAg8Zz//e2nTt8vakRgzO4UAwHwYDVR0jBBgwFoAU\n",
+ "12GJH5OWi3ZUFunld9x8t2UbgCQwDQYJKoZIhvcNAQELBQADggEBAFOSlDm/mLRm\n",
+ "YnnKJr4lZb6HzjY3KvJ/p//uIh9/OOOGBlVNF+wwrCi/JtPMY/N29DHH17l6dV9d\n",
+ "hmyeg/8KScZUKxvDGyQxkd3sKrK/nahjmcLR5FGx5sqhnBUl7wzcdgObey5pAwYv\n",
+ "azVKH4EkKJ5KE/a9sGgxiAXHp8anSu8xvmqjSA6M9mS1X643QvCsPDdGHWD2iHom\n",
+ "0/FegR60yNqYaMERJz0jJv8SJ3Co38TlhH/Zr+N86RLYj3tPOsxcY5K1P8VZVPV/\n",
+ "DxVqhesv7EaeiXDhiSTFcRXytqOQX3wju4RdxiyqMd4iT98N8nTxRdbBo4EVQKql\n",
+ "PNhJBxQG0VQ=\n",
+ "-----END X509 CRL-----\n",
+ NULL
+};
+
 static X509 *test_root = NULL;
 static X509 *test_leaf = NULL;
 static X509 *test_root2 = NULL;
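Review bot: The comment above kCertIssuerNoIDPCRL says CRLs with the Indirect CRL flag "require" the certificate_issuer extension, but RFC 5280 section 5.3.3 makes the extension optional even in an indirect CRL (when absent, the certificate issuer defaults to the CRL issuer on the first entry and to the preceding entry's issuer afterwards); what the section rules out is the extension appearing in a CRL that is not indirect. Suggest rewording to `RFC 5280 5.3.3: the certificate_issuer CRL entry extension is only meaningful in an indirect CRL (IDP with indirectCRL TRUE); this CRL carries it without an IDP.` The PEM body cannot be checked by inspection, so a short note stating what the fixture encodes (an entry carrying certificateIssuer, no IDP extension, assuming that is what the name means) would save the next reader from decoding it.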
@@ -506,6 +535,21 @@ static int test_reuse_crl(int idx)
 return r;
 }
+/*
+ * Validation to ensure Certificate Issuer extensions in CRL entries only appear
+ * when the Indirect CRL flag is TRUE in the Issuing Distribution Point (IDP)
+ * extension, as required by RFC 5280 section 5.3.3.
+ */
+
+static int test_crl_cert_issuer_ext(void)
+{
+ X509_CRL *crl = CRL_from_strings(kCertIssuerNoIDPCRL);
+ int test = TEST_ptr_null(crl);
+
+ X509_CRL_free(crl);
+ return test;
+}
+
 int setup_tests(void)
 {
 if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot))
@@ -519,8 +563,10 @@ int setup_tests(void)
 ADD_TEST(test_bad_issuer_crl);
 ADD_TEST(test_crl_empty_idp);
 ADD_TEST(test_known_critical_crl);
+ ADD_TEST(test_crl_cert_issuer_ext);
 ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls));
 ADD_ALL_TESTS(test_reuse_crl, 6);
+
 return 1;
 }
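Review bot: test_crl_cert_issuer_ext only exercises the rejection case; there is no companion fixture with an IDP whose indirectCRL is TRUE plus a certificateIssuer entry, so a regression that rejects every such extension (for example if the IDP is not yet decoded when the new check in crl_set_issuers runs) would still pass the suite. Suggest adding a positive test that asserts `TEST_ptr(crl)` for an indirect CRL carrying the extension, reusing an existing indirect-CRL fixture if the file already has one rather than adding another PEM blob. Since the non-conforming CRL now fails to decode outright rather than being flagged, it would also be worth pinning the reported error reason in this test once the decode path raises one.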