wolfSSL · dgarske · Mar 16, 2026 · Mar 13, 2026 · Mar 16, 2026
diff --git a/certs/crl/crl_reason.pem b/certs/crl/crl_reason.pem
@@ -0,0 +1,46 @@
+Certificate Revocation List (CRL):
+    Version 2 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+    Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
+    Last Update: Mar 13 22:04:13 2026 GMT
+    Next Update: Mar 10 22:04:13 2036 GMT
+    CRL extensions:
+        X509v3 CRL Number: 
+            1
+Revoked Certificates:
+    Serial Number: 01
+        Revocation Date: Mar 13 22:04:13 2026 GMT
+        CRL entry extensions:
+            X509v3 CRL Reason Code: 
+                Key Compromise
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        82:60:c0:f2:bb:e1:94:e2:2e:d3:80:80:c6:16:d0:7e:12:20:
+        61:64:7b:29:2e:63:68:79:99:43:81:c3:85:e7:d3:65:7a:bb:
+        ea:50:6d:90:26:aa:a9:66:a8:fb:42:9e:54:6e:7f:7e:4d:59:
+        2c:90:21:df:3f:85:82:28:d1:c8:43:66:6c:90:31:e5:d9:89:
+        1b:ee:22:61:1f:1a:19:63:e1:5b:11:e4:ca:4d:f8:5c:0b:0c:
+        ca:df:dc:7b:03:c1:d4:99:3b:a7:39:f9:24:de:8e:51:e6:29:
+        f1:bc:db:3f:d1:23:1d:08:51:26:2e:a4:9a:58:9a:bc:d0:59:
+        f2:33:56:c3:c1:d0:d7:0a:d9:e4:99:e0:4e:f5:36:58:b8:7d:
+        69:2e:79:d7:5a:67:13:c9:09:f3:95:2c:23:fa:f2:0a:d1:d6:
+        6a:32:74:7a:c7:c4:33:8f:38:90:8d:16:7b:d7:03:9a:5c:d3:
+        f2:b0:b9:d1:a1:de:30:28:0a:b5:65:26:6f:5b:dd:84:b0:f5:
+        30:ef:80:2e:34:b9:2d:cd:50:e8:d7:2a:f9:33:86:02:d1:44:
+        e9:87:91:5e:f1:be:01:40:3f:fc:ec:57:1c:9e:f9:66:fd:78:
+        2b:dd:a7:3c:b7:aa:08:a5:50:6f:9d:96:b6:3a:a6:0e:38:27:
+        b2:f8:a3:e4
+-----BEGIN X509 CRL-----
+MIICEjCB+wIBATANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMxEDAOBgNV
+BAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rvb3Ro
+MRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20x
+HzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI2MDMxMzIyMDQxM1oX
+DTM2MDMxMDIyMDQxM1owIjAgAgEBFw0yNjAzMTMyMjA0MTNaMAwwCgYDVR0VBAMK
+AQGgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUAA4IBAQCCYMDyu+GU4i7T
+gIDGFtB+EiBhZHspLmNoeZlDgcOF59NlervqUG2QJqqpZqj7Qp5Ubn9+TVkskCHf
+P4WCKNHIQ2ZskDHl2Ykb7iJhHxoZY+FbEeTKTfhcCwzK39x7A8HUmTunOfkk3o5R
+5inxvNs/0SMdCFEmLqSaWJq80FnyM1bDwdDXCtnkmeBO9TZYuH1pLnnXWmcTyQnz
+lSwj+vIK0dZqMnR6x8QzjziQjRZ71wOaXNPysLnRod4wKAq1ZSZvW92EsPUw74Au
+NLktzVDo1yr5M4YC0UTph5Fe8b4BQD/87Fccnvlm/Xgr3ac8t6oIpVBvnZa2OqYO
+OCey+KPk
+-----END X509 CRL-----
diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh
@@ -275,4 +275,27 @@ openssl crl -in extra-crls/crlnum_64oct.pem -text > tmp
 check_result $?
 mv tmp extra-crls/crlnum_64oct.pem
 
+# CRL with revoked-entry reason extension for parser/cleanup tests.
+cp blank.index.txt demoCA/index.txt
+# Reset CRL number state so this test fixture is independent of the
+# preceding large-CRL-number steps.
+echo "01" > crlnumber
+echo "01" > ../crl/crlnumber
+echo "Step 37 reason-extension CRL revoke"
+openssl ca -config ../renewcerts/wolfssl.cnf -revoke ../server-cert.pem \
+    -crl_reason keyCompromise -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+echo "Step 38 reason-extension CRL"
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 3650 \
+    -out crl_reason.pem -keyfile ../ca-key.pem -cert ../ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 39"
+openssl crl -in crl_reason.pem -text > tmp
+check_result $?
+mv tmp crl_reason.pem
+cp blank.index.txt demoCA/index.txt
+
 exit 0
diff --git a/certs/crl/include.am b/certs/crl/include.am
@@ -17,6 +17,7 @@ EXTRA_DIST += \
 		certs/crl/crl.der \
 		certs/crl/crl2.der \
 		certs/crl/crl_rsapss.pem \
+		certs/crl/crl_reason.pem \
 		certs/crl/bad_time_fmt.pem
 
 EXTRA_DIST += \

diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
@@ -42,6 +42,7 @@
 #                       crl/cliCrl.pem
 #                       crl/crl.pem
 #                       crl/crl.revoked
+#                       crl/crl_reason.pem
 #                       crl/eccCliCRL.pem
 #                       crl/eccSrvCRL.pem
 #

diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c
@@ -1781,6 +1781,32 @@ int test_wolfSSL_CertManagerCRL(void)
     return EXPECT_RESULT();
 }
 
+int test_wolfSSL_CRL_reason_extensions_cleanup(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_CRL) && defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+    defined(WOLFSSL_PEM_TO_DER) && !defined(NO_FILESYSTEM) && \
+    !defined(NO_STDIO_FILESYSTEM)
+    WOLFSSL_CERT_MANAGER* cm = NULL;
+    const char* crlReasonFile = "./certs/crl/crl_reason.pem";
+
+    ExpectNotNull(cm = wolfSSL_CertManagerNew());
+    if (cm != NULL) {
+        ExpectIntEQ(wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECKALL),
+                    WOLFSSL_SUCCESS);
+        ExpectIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, ca_cert_der_2048,
+                    sizeof_ca_cert_der_2048, WOLFSSL_FILETYPE_ASN1),
+                    WOLFSSL_SUCCESS);
+        /* Exercises ParseCRL/GetRevoked path that allocates entry extensions;
+         * cleanup runs via FreeDecodedCRL in BufferLoadCRL. */
+        ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crlReasonFile,
+                    WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
+        wolfSSL_CertManagerFree(cm);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+
 int test_wolfSSL_CRL_static_revoked_list(void)
 {
     EXPECT_DECLS;

diff --git a/tests/api/test_certman.h b/tests/api/test_certman.h
@@ -36,6 +36,7 @@ int test_wolfSSL_CertManagerNameConstraint3(void);
 int test_wolfSSL_CertManagerNameConstraint4(void);
 int test_wolfSSL_CertManagerNameConstraint5(void);
 int test_wolfSSL_CertManagerCRL(void);
+int test_wolfSSL_CRL_reason_extensions_cleanup(void);
 int test_wolfSSL_CRL_static_revoked_list(void);
 int test_wolfSSL_CRL_duplicate_extensions(void);
 int test_wolfSSL_CertManagerCheckOCSPResponse(void);
@@ -54,6 +55,7 @@ int test_various_pathlen_chains(void);
     TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint4),    \
     TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerNameConstraint5),    \
     TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCRL),                \
+    TEST_DECL_GROUP("certman", test_wolfSSL_CRL_reason_extensions_cleanup), \
     TEST_DECL_GROUP("certman", test_wolfSSL_CRL_static_revoked_list),      \
     TEST_DECL_GROUP("certman", test_wolfSSL_CRL_duplicate_extensions),      \
     TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCheckOCSPResponse),  \

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -42012,6 +42012,9 @@ void FreeDecodedCRL(DecodedCRL* dcrl)
 
     while(tmp) {
         RevokedCert* next = tmp->next;
+#ifdef OPENSSL_EXTRA
+        XFREE(tmp->extensions, dcrl->heap, DYNAMIC_TYPE_REVOKED);
+#endif
         XFREE(tmp, dcrl->heap, DYNAMIC_TYPE_REVOKED);
         tmp = next;
     }