[fix] handle CRL with optional nextUpdate absent

kares · kares · commit bc49456be53f · 2026-03-30T20:34:48.000+02:00
RFC 5280 allows omitting nextUpdate from CRLs;
X509CRL.getNextUpdate() returns null in that case, causing NPE
during both CRL parsing (initialize) and signing
diff --git a/src/main/java/org/jruby/ext/openssl/X509CRL.java b/src/main/java/org/jruby/ext/openssl/X509CRL.java
@@ -218,7 +218,10 @@ public IRubyObject initialize(final ThreadContext context, final IRubyObject[] a
         }
 
         set_last_update( context, RubyTime.newTime(runtime, crl.getThisUpdate().getTime()) );
-        set_next_update( context, RubyTime.newTime(runtime, crl.getNextUpdate().getTime()) );
+        final java.util.Date nextUpdate = crl.getNextUpdate();
+        if ( nextUpdate != null ) {
+            set_next_update( context, RubyTime.newTime(runtime, nextUpdate.getTime()) );
+        }
         set_issuer( X509Name.newName(runtime, crl.getIssuerX500Principal()) );
 
         final int version = crl.getVersion();
@@ -544,8 +547,8 @@ public IRubyObject sign(final ThreadContext context, final IRubyObject key, IRub
         final X500Name issuerName = ((X509Name) issuer).getX500Name();
         final java.util.Date thisUpdate = getLastUpdate().toDate();
         final X509v2CRLBuilder generator = new X509v2CRLBuilder(issuerName, thisUpdate);
-        final java.util.Date nextUpdate = getNextUpdate().toDate();
-        generator.setNextUpdate(nextUpdate);
+        final DateTime nextUpdate = getNextUpdate();
+        if ( nextUpdate != null ) generator.setNextUpdate(nextUpdate.toDate());
 
         //signature_algorithm = RubyString.newString(runtime, digAlg);
         //generator.setSignatureAlgorithm( signatureAlgorithm );
diff --git a/src/test/ruby/x509/test_x509crl.rb b/src/test/ruby/x509/test_x509crl.rb
@@ -164,6 +164,41 @@ def test_extension
     assert_equal(false, exts[2].critical?)
   end
 
+  def test_crl_without_next_update
+    # RFC 5280 allows omitting nextUpdate from CRLs
+    _rsa2048 = OpenSSL::PKey::RSA.new TEST_KEY_RSA2048
+    _ca = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+
+    now = Time.now
+    cert_exts = [
+      ["basicConstraints", "CA:TRUE", true],
+      ["subjectKeyIdentifier", "hash", false],
+      ["keyUsage", "cRLSign, keyCertSign", true],
+    ]
+    ca_cert = issue_cert(_ca, _rsa2048, 1, cert_exts, nil, nil, not_before: now, not_after: now + 3600)
+
+    # create and sign CRL without setting next_update
+    crl = OpenSSL::X509::CRL.new
+    crl.issuer = ca_cert.subject
+    crl.version = 1
+    crl.last_update = now
+    # deliberately NOT setting next_update
+    crl.sign(_rsa2048, OpenSSL::Digest::SHA256.new)
+
+    assert_nil crl.next_update
+    assert_equal 1, crl.version
+
+    # round-trip through DER
+    crl2 = OpenSSL::X509::CRL.new(crl.to_der)
+    assert_nil crl2.next_update
+    assert_equal crl.last_update.to_i, crl2.last_update.to_i
+    assert_equal crl.issuer.to_s, crl2.issuer.to_s
+    assert crl2.verify(_rsa2048)
+
+    # to_text should show NONE for next_update
+    assert_match(/Next Update: NONE/, crl2.to_text)
+  end
+
   def test_to_java
     crl = OpenSSL::X509::CRL.new File.read(File.expand_path('../revoked.crl', __FILE__))
     assert_kind_of java.security.cert.X509CRL, crl.to_java
