CRL is limited in size (3110) in cryptography 38

[thierryba]

I'm using brew (Mac) installed version of python 3.10.6 (also tried with 3.9 with the same effect).
Together with it, I have cryptography 38.0.0, cffi 1.15.1, pip 22.2.2 and setuptools 63.4.3

When I create a CRL, it seems there is a limit to how many items it can contain

from cryptography import x509
import datetime
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import hashes

private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
builder = x509.CertificateRevocationListBuilder()
builder = builder.issuer_name(x509.Name([
                        x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u'cryptography.io CA'),
                    ]))
builder = builder.last_update(datetime.datetime.today())
one_day = datetime.timedelta(1, 0, 0)
builder = builder.next_update(datetime.datetime.today() + one_day)
for serial_number in range(1, 3111):  # problem starting with 3111
    builder = builder.add_revoked_certificate(
               x509.RevokedCertificateBuilder().serial_number(serial_number).revocation_date(datetime.datetime.now()).build())
crl = builder.sign(private_key=private_key, algorithm=hashes.SHA256())
print("DONE", crl)

When I run the same code with cryptography 37.X, it just worked. And it seems to work fine up to 3110 items.

BTW when it fails I'm getting

Traceback (most recent call last):
  File "/Users/thierry/temp/test.py", line 17, in <module>
    crl = builder.sign(private_key=private_key, algorithm=hashes.SHA256())
  File "/usr/local/lib/python3.10/site-packages/cryptography/x509/base.py", line 1020, in sign
    return rust_x509.create_x509_crl(self, private_key, algorithm)
ValueError: error parsing asn1 value: ParseError { kind: InvalidLength }

[reaperhulk]

Thanks for the report, I am able to easily reproduce this and it seems likely it's related to our recent choice to limit TLV length in rust-asn1 to 65535 maximum. @alex it looks like we're going to need to support substantially longer values.

[reaperhulk]

@thierryba how many certificates do you expect to be able to add here as a practical maximum?

Normally I'd use the Apple WWDRCA CRL as the barometer for largest existing number of revoked certificates, but glancing at a recent certificate from them it appears they stopped using CRL entirely. With some napkin math if we raise our TLV limit to 2**24 we'd support ~800k entries (possibly only half that with reason codes, etc).

[reaperhulk]

We decided to lift the limit to 4GiB for TLV length (see alex/rust-asn1#328) and we'll be doing a 38.0.1 shortly to release that fix. Thanks again for the report.

[thierryba]

@reaperhulk thank you so much.