CRL PQC signing: address review feedback

- wc_SignCRL_ex: move the new ML-DSA/SLH-DSA key pointers to the end of the
  parameter list (after rng) so the original RSA/ECC parameter order is
  preserved instead of being split by the inserted PQC params. Update the
  prototype and all callers accordingly.
- wc_SignCRL_ex: brace the single-statement key-count ifs to match file style.
- Tests: size the CRL output buffer from the signing key's actual signature
  length (wc_MlDsaKey_GetSigLen / wc_SlhDsaKey_SigSize) plus wrapper headroom
  instead of a fixed 32768 magic number, so it scales to any parameter set.
- Tests: add a post-quantum sigType/key mismatch negative case (a classic OID
  with a PQC key must return ALGO_ID_E).
- Tests: assert the exact ASN_CRL_CONFIRM_E on the tampered-signature case
  rather than just "not success".
- Tests: heap-allocate the issuer DER buffer instead of a 1 KB stack array.

Author: claude

src/crl.c

@@ -2903,7 +2903,7 @@ int wolfSSL_X509_CRL_sign(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* pkey,
      */
     if (ret == WOLFSSL_SUCCESS) {
         totalSz = wc_SignCRL_ex(buf, tbsSz, sigType, buf, bufSz,
-                                rsaKey, eccKey, NULL, NULL, &rng);
+                                rsaKey, eccKey, &rng, NULL, NULL);
         if (totalSz < 0) {
             WOLFSSL_MSG("wc_SignCRL_ex failed");
             ret = totalSz;

tests/api.c

@@ -24338,7 +24338,7 @@ static int test_wc_MakeCRL_max_crlnum(void)
     }
     if (EXPECT_SUCCESS()) {
         crlSz = wc_SignCRL_ex(tbsBuf, tbsSz, CTC_SHA256wRSA,
-            crlBuf, (word32)bufSz, &rsaKey, NULL, NULL, NULL, &rng);
+            crlBuf, (word32)bufSz, &rsaKey, NULL, &rng, NULL, NULL);
         ExpectIntGT(crlSz, 0);
     }
 
@@ -24347,7 +24347,7 @@ static int test_wc_MakeCRL_max_crlnum(void)
      * paired with an ECDSA OID must return ALGO_ID_E. --- */
     if (EXPECT_SUCCESS()) {
         ExpectIntEQ(wc_SignCRL_ex(tbsBuf, tbsSz, CTC_SHA256wECDSA,
-            crlBuf, (word32)bufSz, &rsaKey, NULL, NULL, NULL, &rng),
+            crlBuf, (word32)bufSz, &rsaKey, NULL, &rng, NULL, NULL),
             WC_NO_ERR_TRACE(ALGO_ID_E));
     }
 
@@ -24430,13 +24430,14 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
     int caCertInit = 0;
     WC_RNG rng;
     int rngInit = 0;
-    byte issuerDer[1024];
+    byte* issuerDer = NULL;
     word32 issuerDerSz = 0;
     byte* tbsBuf = NULL;
     byte* crlBuf = NULL;
     int tbsSz = 0;
     int crlSz = 0;
     int bufSz = 0;
+    int sigSz = 0;
 
     /* thisUpdate in the past, nextUpdate far in the future so the CRL is
      * current whenever the test runs. */
@@ -24451,15 +24452,16 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
     wc_InitDecodedCert(&caCert, caCertDer, caCertDerSz, NULL);
     caCertInit = 1;
     ExpectIntEQ(wc_ParseCert(&caCert, CERT_TYPE, 0, NULL), 0);
+    if (EXPECT_SUCCESS()) {
+        ExpectNotNull(issuerDer = (byte*)XMALLOC(
+            (size_t)caCert.subjectRawLen + MAX_SEQ_SZ, NULL,
+            DYNAMIC_TYPE_TMP_BUFFER));
+    }
     if (EXPECT_SUCCESS()) {
         word32 seqHdrSz = SetSequence((word32)caCert.subjectRawLen, issuerDer);
-        ExpectIntLE((int)(seqHdrSz + (word32)caCert.subjectRawLen),
-            (int)sizeof(issuerDer));
-        if (EXPECT_SUCCESS()) {
-            XMEMCPY(issuerDer + seqHdrSz, caCert.subjectRaw,
-                (size_t)caCert.subjectRawLen);
-            issuerDerSz = seqHdrSz + (word32)caCert.subjectRawLen;
-        }
+        XMEMCPY(issuerDer + seqHdrSz, caCert.subjectRaw,
+            (size_t)caCert.subjectRawLen);
+        issuerDerSz = seqHdrSz + (word32)caCert.subjectRawLen;
     }
 
     ExpectIntEQ(wc_InitRng(&rng), 0);
@@ -24473,10 +24475,25 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
             NULL, crlNum, (word32)sizeof(crlNum), sigType, 2, NULL, 0);
         ExpectIntGT(tbsSz, 0);
     }
+    /* Size the output from the key's actual signature length (PQC signatures
+     * range from a few KB for ML-DSA to tens of KB for large SLH-DSA sets)
+     * plus headroom for the AlgorithmIdentifier, BIT STRING and SEQUENCE
+     * wrappers, rather than a fixed magic number. */
+#ifdef WOLFSSL_HAVE_MLDSA
+    if (mldsaKey != NULL) {
+        int l = 0;
+        ExpectIntEQ(wc_MlDsaKey_GetSigLen(mldsaKey, &l), 0);
+        sigSz = l;
+    }
+#endif
+#ifdef WOLFSSL_HAVE_SLHDSA
+    if (slhDsaKey != NULL) {
+        sigSz = wc_SlhDsaKey_SigSize(slhDsaKey);
+    }
+#endif
+    ExpectIntGT(sigSz, 0);
     if (EXPECT_SUCCESS()) {
-        /* Generous room for the (large) PQC signature and ASN.1 wrappers;
-         * SLH-DSA signatures alone are several KB. */
-        bufSz = tbsSz + 32768;
+        bufSz = tbsSz + sigSz + 512;
         ExpectNotNull(tbsBuf = (byte*)XMALLOC(bufSz, NULL,
             DYNAMIC_TYPE_TMP_BUFFER));
         ExpectNotNull(crlBuf = (byte*)XMALLOC(bufSz, NULL,
@@ -24493,10 +24510,19 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
     /* Sign the CRL with the post-quantum key. */
     if (EXPECT_SUCCESS()) {
         crlSz = wc_SignCRL_ex(tbsBuf, tbsSz, sigType, crlBuf, (word32)bufSz,
-            NULL, NULL, mldsaKey, slhDsaKey, &rng);
+            NULL, NULL, &rng, mldsaKey, slhDsaKey);
         ExpectIntGT(crlSz, 0);
     }
 
+    /* Negative: a classic signatureAlgorithm OID must be rejected for a PQC
+     * key before any signature is produced. CheckSigTypeForKey runs before the
+     * TBS is copied into the output, so crlBuf still holds the valid CRL. */
+    if (EXPECT_SUCCESS()) {
+        ExpectIntEQ(wc_SignCRL_ex(tbsBuf, tbsSz, CTC_SHA256wRSA, crlBuf,
+            (word32)bufSz, NULL, NULL, &rng, mldsaKey, slhDsaKey),
+            WC_NO_ERR_TRACE(ALGO_ID_E));
+    }
+
     /* Load the issuing CA and verify the freshly signed CRL. */
     ExpectNotNull(cm = wolfSSL_CertManagerNew());
     ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, caCertDer, caCertDerSz,
@@ -24506,7 +24532,9 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
     ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm, crlBuf, crlSz,
         WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
 
-    /* Negative: corrupt the last signature byte; verification must now fail. */
+    /* Negative: flip a byte of the signature *value*. The DER lengths are
+     * unchanged so the CRL still parses; only the signature check can reject
+     * it, which must surface as ASN_CRL_CONFIRM_E. */
     if (EXPECT_SUCCESS()) {
         WOLFSSL_CERT_MANAGER* cm2 = NULL;
         crlBuf[crlSz - 1] ^= 0xFF;
@@ -24515,12 +24543,13 @@ static int pqc_crl_sign_verify(const byte* caCertDer, word32 caCertDerSz,
             caCertDerSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
         ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm2, WOLFSSL_CRL_CHECKALL),
             WOLFSSL_SUCCESS);
-        ExpectIntNE(wolfSSL_CertManagerLoadCRLBuffer(cm2, crlBuf, crlSz,
-            WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_CertManagerLoadCRLBuffer(cm2, crlBuf, crlSz,
+            WOLFSSL_FILETYPE_ASN1), WC_NO_ERR_TRACE(ASN_CRL_CONFIRM_E));
         wolfSSL_CertManagerFree(cm2);
     }
 
     wolfSSL_CertManagerFree(cm);
+    XFREE(issuerDer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(crlBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(tbsBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (rngInit)

wolfcrypt/src/asn.c

@@ -36920,15 +36920,17 @@ int wc_MakeCRL_ex(const byte* issuerDer, word32 issuerSz,
  * bufSz: size of output buffer
  * rsaKey/eccKey/mldsaKey/slhDsaKey: signing key (exactly one must be non-NULL).
  *     ML-DSA and SLH-DSA produce post-quantum signatures; their (much larger)
- *     signature buffer is sized from the key rather than assumed classic.
+ *     signature buffer is sized from the key rather than assumed classic. The
+ *     PQC key pointers are last so the original RSA/ECC parameter order is
+ *     preserved.
  * rng: random number generator
  *
  * Returns: size of complete CRL on success, negative error on failure
  */
 int wc_SignCRL_ex(const byte* tbsBuf, int tbsSz, int sType,
                   byte* buf, word32 bufSz,
-                  RsaKey* rsaKey, ecc_key* eccKey,
-                  wc_MlDsaKey* mldsaKey, SlhDsaKey* slhDsaKey, WC_RNG* rng)
+                  RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
+                  wc_MlDsaKey* mldsaKey, SlhDsaKey* slhDsaKey)
 {
     int ret;
     int sigSz;
@@ -36942,10 +36944,10 @@ int wc_SignCRL_ex(const byte* tbsBuf, int tbsSz, int sType,
         return BAD_FUNC_ARG;
 
     /* Exactly one signing key must be supplied. */
-    if (rsaKey    != NULL) nKeys++;
-    if (eccKey    != NULL) nKeys++;
-    if (mldsaKey  != NULL) nKeys++;
-    if (slhDsaKey != NULL) nKeys++;
+    if (rsaKey    != NULL) { nKeys++; }
+    if (eccKey    != NULL) { nKeys++; }
+    if (mldsaKey  != NULL) { nKeys++; }
+    if (slhDsaKey != NULL) { nKeys++; }
     if (nKeys != 1)
         return BAD_FUNC_ARG;
 

wolfssl/wolfcrypt/asn_public.h

@@ -716,8 +716,8 @@ WOLFSSL_API int wc_MakeCRL_ex(const byte* issuerDer, word32 issuerSz,
                   byte* output, word32 outputSz);
 WOLFSSL_API int wc_SignCRL_ex(const byte* tbsBuf, int tbsSz, int sType,
                   byte* buf, word32 bufSz,
-                  RsaKey* rsaKey, ecc_key* eccKey,
-                  wc_MlDsaKey* mldsaKey, SlhDsaKey* slhDsaKey, WC_RNG* rng);
+                  RsaKey* rsaKey, ecc_key* eccKey, WC_RNG* rng,
+                  wc_MlDsaKey* mldsaKey, SlhDsaKey* slhDsaKey);
 #endif /* WOLFSSL_CERT_GEN && HAVE_CRL */
 
 WOLFSSL_API int wc_GetDateInfo(const byte* certDate, int certDateSz,