wolfSSL · padelsbach · Feb 27, 2026
diff --git a/src/crl.c b/src/crl.c
@@ -42,6 +42,9 @@ CRL Options:
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/ecc.h>
 #include <wolfssl/wolfcrypt/rsa.h>
+#if defined(OPENSSL_EXTRA)
+#include <wolfssl/openssl/x509v3.h>
+#endif
 
 #ifndef NO_STRING_H
     #include <string.h>
@@ -93,6 +96,9 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
         (void)ret;
     }
 #endif
+#if defined(OPENSSL_EXTRA)
+    crl->revokedStack = NULL;
+#endif
 
     return 0;
 }
@@ -250,6 +256,14 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
         return;
     }
 #ifdef CRL_STATIC_REVOKED_LIST
+#if defined(OPENSSL_EXTRA)
+    {
+        int i;
+        for (i = 0; i < CRL_MAX_REVOKED_CERTS; i++) {
+            XFREE(crle->certs[i].extensions, heap, DYNAMIC_TYPE_REVOKED);
+        }
+    }
+#endif
     XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert));
 #else
     {
@@ -258,6 +272,9 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
 
         for (tmp = crle->certs; tmp != NULL; tmp = next) {
             next = tmp->next;
+#if defined(OPENSSL_EXTRA)
+            XFREE(tmp->extensions, heap, DYNAMIC_TYPE_REVOKED);
+#endif
             XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
         }
 
@@ -312,6 +329,12 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
         XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
 #endif
 
+#if defined(OPENSSL_EXTRA)
+    if (crl->revokedStack != NULL) {
+        wolfSSL_sk_pop_free(crl->revokedStack, NULL);
+        crl->revokedStack = NULL;
+    }
+#endif
     XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
     crl->currentEntry = NULL;
     while(tmp) {
@@ -1231,6 +1254,20 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
             XMEMCPY(tmp->revDate, current->revDate,
                     MAX_DATE_SIZE);
             tmp->revDateFormat = current->revDateFormat;
+            tmp->reasonCode = current->reasonCode;
+#if defined(OPENSSL_EXTRA)
+            tmp->extensions = NULL;
+            tmp->extensionsSz = 0;
+            if (current->extensions != NULL && current->extensionsSz > 0) {
+                tmp->extensions = (byte*)XMALLOC(current->extensionsSz, heap,
+                                                 DYNAMIC_TYPE_REVOKED);
+                if (tmp->extensions != NULL) {
+                    XMEMCPY(tmp->extensions, current->extensions,
+                            current->extensionsSz);
+                    tmp->extensionsSz = current->extensionsSz;
+                }
+            }
+#endif
             tmp->next = NULL;
             if (prev != NULL)
                 prev->next = tmp;
@@ -1244,6 +1281,9 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
             while (head != NULL) {
                 current = head;
                 head = head->next;
+#if defined(OPENSSL_EXTRA)
+                XFREE(current->extensions, heap, DYNAMIC_TYPE_REVOKED);
+#endif
                 XFREE(current, heap, DYNAMIC_TYPE_REVOKED);
             }
             return NULL;
@@ -2360,35 +2400,30 @@ WOLFSSL_X509_CRL* wolfSSL_X509_CRL_new(void)
 #ifdef WOLFSSL_CERT_GEN
 /* Add a revoked certificate entry to CRL.
  * crl: target CRL
- * rev: serial number of revoked certificate
+ * rev: revoked certificate entry (serial, date, reason, etc.)
  * Returns WOLFSSL_SUCCESS on success.
- * TODO: support other fields for OpenSSL compatibility: revocationDate,
- * extensions, issuer, etc.
  */
 int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
                                  WOLFSSL_X509_REVOKED* rev)
 {
     CRL_Entry* entry;
     RevokedCert* rc;
     RevokedCert* curr;
-    WOLFSSL_ASN1_TIME revDate;
 
     WOLFSSL_ENTER("wolfSSL_X509_CRL_add_revoked");
 
     if (crl == NULL || rev == NULL || rev->serialNumber == NULL) {
         return BAD_FUNC_ARG;
     }
 
-    entry = crl->crlList;
-    if (entry == NULL) {
+    if (rev->revocationDate != NULL && (rev->revocationDate->length <= 0 ||
+        (unsigned)rev->revocationDate->length > sizeof(rc->revDate))) {
         return BAD_FUNC_ARG;
     }
 
-    /* Set the revocation date to the current time */
-    XMEMSET(&revDate, 0, sizeof(revDate));
-    if (wolfSSL_ASN1_TIME_adj(&revDate, XTIME(NULL), 0, 0) == NULL) {
-        WOLFSSL_MSG("Failed to get current time");
-        return BAD_STATE_E;
+    entry = crl->crlList;
+    if (entry == NULL) {
+        return BAD_FUNC_ARG;
     }
 
     {
@@ -2427,8 +2462,25 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
         rc->serialSz = serialSz;
     }
 
-    XMEMCPY(rc->revDate, revDate.data, revDate.length);
-    rc->revDateFormat = (byte)revDate.type;
+    /* Use caller-provided revocation date, or fall back to current time */
+    if (rev->revocationDate != NULL && rev->revocationDate->length > 0) {
+        XMEMCPY(rc->revDate, rev->revocationDate->data,
+                 (size_t)rev->revocationDate->length);
+        rc->revDateFormat = (byte)rev->revocationDate->type;
+    }
+    else {
+        WOLFSSL_ASN1_TIME revDate;
+        XMEMSET(&revDate, 0, sizeof(revDate));
+        if (wolfSSL_ASN1_TIME_adj(&revDate, XTIME(NULL), 0, 0) == NULL) {
+            WOLFSSL_MSG("Failed to get current time");
+            XFREE(rc, crl->heap, DYNAMIC_TYPE_REVOKED);
+            return BAD_STATE_E;
+        }
+        XMEMCPY(rc->revDate, revDate.data, revDate.length);
+        rc->revDateFormat = (byte)revDate.type;
+    }
+
+    rc->reasonCode = rev->reason;
     rc->next = NULL;
 
     /* Add to end of list */
@@ -2442,6 +2494,12 @@ int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL* crl,
     }
     entry->totalCerts++;
 
+    /* Invalidate cached STACK_OF(X509_REVOKED) since list changed */
+    if (crl->revokedStack != NULL) {
+        wolfSSL_sk_pop_free(crl->revokedStack, NULL);
+        crl->revokedStack = NULL;
+    }
+
     WOLFSSL_LEAVE("wolfSSL_X509_CRL_add_revoked", WOLFSSL_SUCCESS);
     return WOLFSSL_SUCCESS;
 }
@@ -2513,7 +2571,9 @@ int wolfSSL_X509_CRL_add_revoked_cert(WOLFSSL_X509_CRL* crl,
     XMEMCPY(serialInt->data, cert->serial, cert->serialSz);
     serialInt->length = cert->serialSz;
 
+    XMEMSET(&revoked, 0, sizeof(revoked));
     revoked.serialNumber = serialInt;
+    revoked.reason = CRL_REASON_NONE;
 
     /* Add the revoked certificate entry */
     ret = wolfSSL_X509_CRL_add_revoked(crl, &revoked);

diff --git a/src/ssl_sk.c b/src/ssl_sk.c
@@ -168,6 +168,7 @@ static void* wolfssl_sk_node_get_data(WOLFSSL_STACK* node, int no_static)
         case STACK_TYPE_X509_OBJ:
         case STACK_TYPE_DIST_POINT:
         case STACK_TYPE_X509_CRL:
+        case STACK_TYPE_X509_REVOKED:
         case STACK_TYPE_GENERAL_SUBTREE:
         default:
             ret = node->data.generic;
@@ -213,6 +214,7 @@ static void wolfssl_sk_node_set_data(WOLFSSL_STACK* node, WOLF_STACK_TYPE type,
         case STACK_TYPE_X509_OBJ:
         case STACK_TYPE_DIST_POINT:
         case STACK_TYPE_X509_CRL:
+        case STACK_TYPE_X509_REVOKED:
         case STACK_TYPE_GENERAL_SUBTREE:
         default:
             node->data.generic = (void*)data;
@@ -494,6 +496,7 @@ static int wolfssl_sk_dup_data(WOLFSSL_STACK* dst, WOLFSSL_STACK* src)
         case STACK_TYPE_BY_DIR_entry:
         case STACK_TYPE_BY_DIR_hash:
         case STACK_TYPE_DIST_POINT:
+        case STACK_TYPE_X509_REVOKED:
         case STACK_TYPE_GENERAL_SUBTREE:
         default:
             WOLFSSL_MSG("Unsupported stack type");
@@ -688,6 +691,7 @@ void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i)
             case STACK_TYPE_X509_OBJ:
             case STACK_TYPE_DIST_POINT:
             case STACK_TYPE_X509_CRL:
+            case STACK_TYPE_X509_REVOKED:
             case STACK_TYPE_GENERAL_SUBTREE:
             default:
                 val = sk->data.generic;
@@ -940,6 +944,11 @@ static wolfSSL_sk_freefunc wolfssl_sk_get_free_func(WOLF_STACK_TYPE type)
             func = (wolfSSL_sk_freefunc)wolfSSL_X509_CRL_free;
         #endif
             break;
+        case STACK_TYPE_X509_REVOKED:
+        #if defined(HAVE_CRL) && defined(OPENSSL_EXTRA)
+            func = (wolfSSL_sk_freefunc)wolfSSL_X509_REVOKED_free;
+        #endif
+            break;
         case STACK_TYPE_CIPHER:
             /* Static copy kept in node. */
         case STACK_TYPE_NULL: