support CRLs with no revoked certificates
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 2f49047..9e8eb38 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -304,6 +304,7 @@
an unsupported reason code.
* ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation
which has one entry extension for certificate issuer with an empty value.
+* ``crl_empty.pem`` - Contains a CRL with no revoked certificates.
Hashes
~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4e91bf4..f50a0d5 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -835,14 +835,13 @@
def _revoked_certificates(self):
revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
- self._backend.openssl_assert(revoked != self._backend._ffi.NULL)
-
- num = self._backend._lib.sk_X509_REVOKED_num(revoked)
revoked_list = []
- for i in range(num):
- r = self._backend._lib.sk_X509_REVOKED_value(revoked, i)
- self._backend.openssl_assert(r != self._backend._ffi.NULL)
- revoked_list.append(_RevokedCertificate(self._backend, r))
+ if revoked != self._backend._ffi.NULL:
+ num = self._backend._lib.sk_X509_REVOKED_num(revoked)
+ for i in range(num):
+ r = self._backend._lib.sk_X509_REVOKED_value(revoked, i)
+ self._backend.openssl_assert(r != self._backend._ffi.NULL)
+ revoked_list.append(_RevokedCertificate(self._backend, r))
return revoked_list
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 67066f0..5e5944a 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -299,6 +299,14 @@
assert len(flags) == 0
+ def test_no_revoked_certs(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_empty.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+ assert len(crl) == 0
+
def test_duplicate_entry_ext(self, backend):
crl = _load_cert(
os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
diff --git a/vectors/cryptography_vectors/x509/custom/crl_empty.pem b/vectors/cryptography_vectors/x509/custom/crl_empty.pem
new file mode 100644
index 0000000..3de4183
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/crl_empty.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBxTCBrgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzERMA8GA1UE
+CAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xETAPBgNVBAoMCHI1MDkgTExD
+MRowGAYDVQQDDBFyNTA5IENSTCBEZWxlZ2F0ZRcNMTUxMjIwMjM0NDQ3WhcNMTUx
+MjI4MDA0NDQ3WqAZMBcwCgYDVR0UBAMCAQEwCQYDVR0jBAIwADANBgkqhkiG9w0B
+AQUFAAOCAQEAXebqoZfEVAC4NcSEB5oGqUviUn/AnY6TzB6hUe8XC7yqEkBcyTgk
+G1Zq+b+T/5X1ewTldvuUqv19WAU/Epbbu4488PoH5qMV8Aii2XcotLJOR9OBANp0
+Yy4ir/n6qyw8kM3hXJloE+xgkELhd5JmKCnlXihM1BTl7Xp7jyKeQ86omR+DhItb
+CU+9RoqOK9Hm087Z7RurXVrz5RKltQo7VLCp8VmrxFwfALCZENXGEQ+g5VkvoCjc
+ph5jqOSyzp7aZy1pnLE/6U6V32ItskrwqA+x4oj2Wvzir/Q23y2zYfqOkuq4fTd2
+lWW+w5mB167fIWmd6efecDn1ZqbdECDPUg==
+-----END X509 CRL-----