author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-12-20 18:48:24 -0600 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-12-20 18:48:24 -0600 |
commit | 9543a33eb63564c3fe04efbc451b2f6c742be4fe (patch) | |
tree | b05051c55e2639127b3ab22041bc22a342f9cbe4 | |
parent | fc504fee938a5223e790e4c221c20177bca6aa14 (diff) | |
support CRLs with no revoked certificates
-rw-r--r-- | docs/development/test-vectors.rst | 1 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 13 | ||||
-rw-r--r-- | tests/test_x509.py | 8 | ||||
-rw-r--r-- | vectors/cryptography_vectors/x509/custom/crl_empty.pem | 12 |
4 files changed, 27 insertions, 7 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 2f49047d..9e8eb388 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -304,6 +304,7 @@ Custom X.509 Certificate Revocation List Vectors
 an unsupported reason code.
 * ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation which has one entry extension for certificate issuer with an empty value.
+* ``crl_empty.pem`` - Contains a CRL with no revoked certificates.
 Hashes
 ~~~~~~
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4e91bf43..f50a0d5d 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -835,14 +835,13 @@ class _CertificateRevocationList(object):
 def _revoked_certificates(self):
 revoked = self._backend._lib.X509_CRL_get_REVOKED(self._x509_crl)
- self._backend.openssl_assert(revoked != self._backend._ffi.NULL)
-
- num = self._backend._lib.sk_X509_REVOKED_num(revoked)
 revoked_list = []
- for i in range(num):
- r = self._backend._lib.sk_X509_REVOKED_value(revoked, i)
- self._backend.openssl_assert(r != self._backend._ffi.NULL)
- revoked_list.append(_RevokedCertificate(self._backend, r))
+ if revoked != self._backend._ffi.NULL:
+ num = self._backend._lib.sk_X509_REVOKED_num(revoked)
+ for i in range(num):
+ r = self._backend._lib.sk_X509_REVOKED_value(revoked, i)
+ self._backend.openssl_assert(r != self._backend._ffi.NULL)
+ revoked_list.append(_RevokedCertificate(self._backend, r))
 return revoked_list
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 67066f04..5e5944a4 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
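Review bot: The new `if revoked != self._backend._ffi.NULL:` guard in `_revoked_certificates` (src/cryptography/hazmat/backends/openssl/x509.py) carries no comment explaining why NULL is now an accepted result rather than an error, and that is the security-relevant part of the change: a NULL stack is reported to callers as a CRL that revokes nothing. RFC 5280 requires the revokedCertificates field to be absent when no certificates are revoked, and X509_CRL_get_REVOKED returns NULL for an absent field, so the handling looks right, but the reasoning should be recorded above the guard, e.g. `# revokedCertificates is OPTIONAL (RFC 5280); OpenSSL returns NULL when it is absent, i.e. an empty CRL`. The per-entry `openssl_assert(r != self._backend._ffi.NULL)` is kept inside the loop, which is the check that should stay an assertion. The enclosing class starts outside the hunk.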
@@ -299,6 +299,14 @@ class TestRevokedCertificate(object):
 assert len(flags) == 0
+ def test_no_revoked_certs(self, backend):
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_empty.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+ assert len(crl) == 0
+
 def test_duplicate_entry_ext(self, backend):
 crl = _load_cert(
 os.path.join("x509", "custom", "crl_dup_entry_ext.pem"),
diff --git a/vectors/cryptography_vectors/x509/custom/crl_empty.pem b/vectors/cryptography_vectors/x509/custom/crl_empty.pem
new file mode 100644
index 00000000..3de41831
--- /dev/null
+++ b/vectors/cryptography_vectors/x509/custom/crl_empty.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBxTCBrgIBATANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJVUzERMA8GA1UE
+CAwISWxsaW5vaXMxEDAOBgNVBAcMB0NoaWNhZ28xETAPBgNVBAoMCHI1MDkgTExD
+MRowGAYDVQQDDBFyNTA5IENSTCBEZWxlZ2F0ZRcNMTUxMjIwMjM0NDQ3WhcNMTUx
+MjI4MDA0NDQ3WqAZMBcwCgYDVR0UBAMCAQEwCQYDVR0jBAIwADANBgkqhkiG9w0B
+AQUFAAOCAQEAXebqoZfEVAC4NcSEB5oGqUviUn/AnY6TzB6hUe8XC7yqEkBcyTgk
+G1Zq+b+T/5X1ewTldvuUqv19WAU/Epbbu4488PoH5qMV8Aii2XcotLJOR9OBANp0
+Yy4ir/n6qyw8kM3hXJloE+xgkELhd5JmKCnlXihM1BTl7Xp7jyKeQ86omR+DhItb
+CU+9RoqOK9Hm087Z7RurXVrz5RKltQo7VLCp8VmrxFwfALCZENXGEQ+g5VkvoCjc
+ph5jqOSyzp7aZy1pnLE/6U6V32ItskrwqA+x4oj2Wvzir/Q23y2zYfqOkuq4fTd2
+lWW+w5mB167fIWmd6efecDn1ZqbdECDPUg==
+-----END X509 CRL----- |
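Review bot: `test_no_revoked_certs` in tests/test_x509.py pins only `len(crl) == 0`, so it would still pass if another accessor on the empty CRL mishandled the NULL stack. Assuming the CRL object is iterable as well as sized, adding `assert list(crl) == []` would cover the iteration path with the same `crl_empty.pem` vector. The enclosing class TestRevokedCertificate starts outside the hunk.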