Add test case for CRL with empty revocation list #8

@jvdprng

Context

RFC 5280 Section 5.1.2.6 specifies that the revokedCertificates field in a CRL is optional. When present, it contains a sequence of revoked certificate entries. An edge case exists when the field is present but contains an empty sequence.

Different implementations may handle this differently:

  • Some may treat empty revokedCertificates the same as the field being absent (no revocations)
  • Others may treat it as a malformed CRL
  • RFC 5280 doesn't explicitly forbid an empty sequence

Why this matters:

  • Interoperability: ensures consistent handling of edge case CRL structures
  • Security: clarifies whether empty list is valid or indicates CRL corruption
  • Implementation robustness: tests parser handling of edge case ASN.1 structures

Test Case Description

Create test CRLs with empty revocation lists:

Empty Sequence Present:

  1. CRL with revokedCertificates field present but empty (SEQUENCE OF size 0)
    • Certificate not on CRL should validate successfully
    • Need to determine if this CRL structure itself is valid

Comparison Cases:

  1. CRL with revokedCertificates field absent (field omitted entirely)

    • Standard case: no revocations (should ACCEPT)
  2. CRL with one revoked certificate

    • Standard case: revocations present (should REJECT if cert is listed)

Expected behavior: Clarify whether empty revokedCertificates sequence is valid per RFC 5280

Implementation Requirements

CRL Builder Modifications:

  • Add ability to create CRL with revokedCertificates field present but empty
  • Ensure distinction between "field absent" vs "field present but empty"
  • Support standard CRLs (no revocations, field omitted) for comparison

Test Harness:

  • Validate CRL structure itself
  • Test certificate validation against CRL with empty revokedCertificates
  • Compare results with CRL where field is absent

Test Case Examples:

  • crl::revoked-certificates-empty-sequence
  • crl::revoked-certificates-absent
  • crl::certificate-not-on-crl-empty-list

References

  • RFC 5280 Section 5.1: CRL Fields
  • RFC 5280 Section 5.1.2.6: revokedCertificates field specification
  • ASN.1 encoding: X.690 SEQUENCE OF handling

Acceptance Criteria

  • CRL created with revokedCertificates present but empty
  • CRL created with revokedCertificates absent for comparison
  • Test cases validate against x509-limbo schema
  • Document expected behavior (valid vs invalid CRL structure)
  • Test certificate validation results with both CRL variants
  • Implementation survey to determine common behavior
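
The "field absent" versus "field present but empty" distinction described in the issue, as an added example that is not part of the original issue or of x509-limbo: a minimal DER walker that classifies the revokedCertificates field of a TBSCertList. The function names and the sample CRL contents (issuer "Test CA", dates, serial numbers) are constructed for illustration; the code only classifies the encoding and leaves the accept/reject decision to the harness.

```python
def der(tag, content=b""):
    """Encode one DER TLV; short-form length only, enough for these samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def tlvs(buf):
    """Return [(tag, content), ...] for the TLVs in buf; reject truncation."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits give the count of length octets
            k = n & 0x7F
            if k == 0 or i + k > len(buf):
                raise ValueError("bad length")
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def classify_revoked(tbs):
    """Classify revokedCertificates in a DER TBSCertList:
    'absent', 'present-empty', or 'present-N' (N entries)."""
    (tag, body), = tlvs(tbs)
    fields = tlvs(body)
    pos = 1 if fields and fields[0][0] == 0x02 else 0   # optional version
    if tag != 0x30 or [t for t, _ in fields[pos:pos + 2]] != [0x30, 0x30]:
        raise ValueError("not a TBSCertList")           # signature, issuer
    pos += 2
    while pos < len(fields) and fields[pos][0] in (0x17, 0x18):
        pos += 1                                        # thisUpdate, nextUpdate
    if pos < len(fields) and fields[pos][0] == 0x30:    # field is present
        n = len(tlvs(fields[pos][1]))
        return f"present-{n}" if n else "present-empty"
    return "absent"      # next is crlExtensions [0] (0xA0) or end of list

def sample_tbs(revoked):
    """Constructed TBSCertList. revoked=None omits the field, [] encodes 30 00."""
    body = der(0x02, b"\x01")                                           # v2
    body += der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))     # signature
    body += der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Test CA"))))
    body += der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z")
    if revoked is not None:
        body += der(0x30, b"".join(
            der(0x30, der(0x02, bytes([s])) + der(0x17, b"250601000000Z")) for s in revoked))
    ext = der(0x06, b"\x55\x1d\x14") + der(0x04, der(0x02, b"\x01"))    # cRLNumber
    return der(0x30, body + der(0xA0, der(0x30, der(0x30, ext))))
```

The two "no revocations" encodings differ by exactly the two bytes `30 00`, which is the difference the `crl::revoked-certificates-empty-sequence` and `crl::revoked-certificates-absent` cases need to preserve.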
