Add CRL generation capability

[padelsbach]

Add wrappers for CRL generation logic. Requires wolfSSL/wolfssl#9631 to be merged.

Android and JNI CI failures are fixed with #326. Please merge that first.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 15 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.

Suggested change

	# Point to PR branch until merge
	# TODO: Switch back to wolfssl/wolfssl after merge
	repository: padelsbach/wolfssl
	ref: crl-generation
	repository: wolfSSL/wolfssl

[Copilot]

The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.

Suggested change

	# Point to PR branch until merge
	# TODO: Switch back to wolfssl/wolfssl after merge
	repository: padelsbach/wolfssl
	ref: crl-generation
	# Use official wolfSSL repository for CI builds
	repository: wolfSSL/wolfssl

[padelsbach]

The FIPS failures are due to the use of the main wolfSSL repo and are expected to be fixed once the CRL PR is merged on the wolfSSL repo.

I will also revert the yamls at that point.

[cconlon]

Could we add a small comment saying what 8 represents here?

[cconlon]

I was pondering if we should use the native CTC_DATE_SIZE here rather than the JNI-defined equivalent (com_wolfssl_WolfSSLCRL_CTC_DATE_SIZE)? If it were me I probably would use CTC_DATE_SIZE since we are calling down to native wolfSSL from this layer, and it's shorter to read.

Comment applies across all usages of that define.

[cconlon]

Same comment as above, a small comment about what 8 represents would be nice.

[cconlon]

Would it be better to initialize ret = WOLFSSL_SUCCESS at variable declaration, then just worry about setting ret = WOLFSSL_FAILURE when needed?

[cconlon]

Should this be wrapped in a if (timeBuf != NULL), in case GetByteArrayElements() failed up above? Same comment applies to different functions where ReleaseByteArrayElements() is called as well.

[padelsbach]

That pattern exists in places in this repo, but the large majority of calls to ReleaseByteArrayElements() don't perform the null check

[cconlon]

This seems a little odd, at least different than how most of our native wolfSSL code looks:

    if (ret == WOLFSSL_FAILURE) {
        /* skip if already failed */
    }

In wolfSSL I think you would typically see a pattern like the following instead of the if(skip)/else:

if (ret == WOLFSSL_SUCCESS) {
    if (digestAlg != NULL) {
        ...
    }
}

Or:

if ((ret == WOLFSSL_SUCCESS) && (digestAlg != NULL)) {
    ...
}

[cconlon]

Hasn't ret already been initialized to WOLFSSL_SUCCESS at this point, unless it has been overridden by WOLFSSL_FAILURE (but then we shouldn't get to this point).

[cconlon]

A comment about why 32 is used here would be good, or maybe use of MAX_TIME_STRING_SZ instead?

[padelsbach]

Ok. I'll update a couple similar methods in com_wolfssl_WolfSSLCertificate.c which follow this pattern

[cconlon]

Same as above, for possible use of MAX_TIME_STRING_SZ

[cconlon]

Would it be easier just to add a native wolfSSL API that returns back a byte array of the CRL? That seems easier and less error prone to me than making a temporary file, especially if this is running in some sort of restricted Java environment where file creation isn't allowed (maybe Android or such).

[padelsbach]

Good idea