Correctly encode a CRL with empty revokedCertificates. (#295)

This PR fixes the encoding of CRLs by leaving out the revokedCertificates element entirely if it is empty as required by section 5.1.2.6 of RFC 5280. There is no test whether it is actually left out since I can’t quite think of a way to do that. I have, however, manually verified the encoding and there are now tests for both cases that check that we ourselves accept the result.
NLnetLabs · Jun 12, 2024 · bdf9a32 · bdf9a32
1 parent 367fea7
commit bdf9a32
Showing 1 changed file with 27 additions and 3 deletions.
diff --git a/src/repository/crl.rs b/src/repository/crl.rs
@@ -563,7 +563,9 @@ impl RevokedCertificates {
 
     /// Returns a value encoder for a reference to the value.
     pub fn encode_ref(&self) -> impl encode::Values + '_ {
-        encode::sequence(&self.0)
+        (!self.0.is_empty()).then(|| {
+            encode::sequence(&self.0)
+        })
     }
 
     /// Create a value from an iterator over CRL entries.
@@ -818,6 +820,7 @@ mod signer_test {
 
     #[test]
     fn build_ta_cert() {
+        // CRL with two CrlEntries.
         let signer = OpenSslSigner::new();
         let key = signer.create_key(PublicKeyFormat::Rsa).unwrap();
         let pubkey = signer.get_key_info(&key).unwrap();
@@ -826,12 +829,33 @@ mod signer_test {
             pubkey.to_subject_name(),
             Time::now(),
             Time::tomorrow(),
-            vec![CrlEntry::new(12u64.into(), Time::now())],
+            vec![
+                CrlEntry::new(12u64.into(), Time::now()),
+                CrlEntry::new(42u64.into(), Time::now())
+            ],
+            pubkey.key_identifier(),
+            12u64.into()
+        );
+        let crl = crl.into_crl(&signer, &key).unwrap().to_captured();
+        let crl = Crl::decode(crl.as_slice()).unwrap();
+        assert_eq!(
+            crl.revoked_certs().iter().collect::<Vec<_>>().len(),
+            2
+        );
+
+        // CRL with no CrlEntries.
+        let crl = TbsCertList::new(
+            Default::default(),
+            pubkey.to_subject_name(),
+            Time::now(),
+            Time::tomorrow(),
+            vec![],
             pubkey.key_identifier(),
             12u64.into()
         );
         let crl = crl.into_crl(&signer, &key).unwrap().to_captured();
-        let _crl = Crl::decode(crl.as_slice()).unwrap();
+        let crl = Crl::decode(crl.as_slice()).unwrap();
+        assert!(crl.revoked_certs().iter().next().is_none());
     }
 }