[PKI Library]: Handle CRL issuingDistributionPoints extension with URI in fullName

This is used to limit a CRL to a subset of the certs issued by a single issuer. (Does not support any other issuingDistributionPoints features.) Bug: 749276 Change-Id: Ifb5122bf7fdea17d8a884fe76896a65c570d2d31 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1671367 Commit-Queue: Matt Mueller <mattm@chromium.org> Reviewed-by: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#671471}

[PKI Library]: Handle CRL issuingDistributionPoints extension with URI in fullName
This is used to limit a CRL to a subset of the certs issued by a single issuer. (Does not support any other issuingDistributionPoints features.) Bug: 749276 Change-Id: Ifb5122bf7fdea17d8a884fe76896a65c570d2d31 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1671367 Commit-Queue: Matt Mueller <mattm@chromium.org> Reviewed-by: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#671471}
e0065696 · Matt Mueller · Commit Bot · b231f9b5 · e0065696 · e0065696
Commit e0065696 authored Jun 22, 2019 by Matt Mueller Committed by Commit Bot Jun 22, 2019
20 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -3733,6 +3733,8 @@ bundle_data("net_unittests_bundle_data") {
    "data/crl_unittest/bad_crldp_has_crlissuer.pem",
    "data/crl_unittest/bad_fake_critical_crlentryextension.pem",
    "data/crl_unittest/bad_fake_critical_extension.pem",
+    "data/crl_unittest/bad_idp_contains_wrong_uri.pem",
+    "data/crl_unittest/bad_idp_indirectcrl.pem",
    "data/crl_unittest/bad_key_rollover_signature.pem",
    "data/crl_unittest/bad_nextupdate_too_old.pem",
    "data/crl_unittest/bad_signature.pem",
@@ -3743,6 +3745,7 @@ bundle_data("net_unittests_bundle_data") {
    "data/crl_unittest/good_fake_extension.pem",
    "data/crl_unittest/good_fake_extension_no_nextupdate.pem",
    "data/crl_unittest/good_generalizedtime.pem",
+    "data/crl_unittest/good_idp_contains_uri.pem",
    "data/crl_unittest/good_issuer_name_normalization.pem",
    "data/crl_unittest/good_issuer_no_keyusage.pem",
    "data/crl_unittest/good_key_rollover.pem",
@@ -3766,6 +3769,8 @@ bundle_data("net_unittests_bundle_data") {
    "data/crl_unittest/invalid_garbage_tbscertlist.pem",
    "data/crl_unittest/invalid_garbage_thisupdate.pem",
    "data/crl_unittest/invalid_garbage_version.pem",
+    "data/crl_unittest/invalid_idp_dpname_choice_extra_data.pem",
+    "data/crl_unittest/invalid_idp_empty_sequence.pem",
    "data/crl_unittest/invalid_issuer_keyusage_no_crlsign.pem",
    "data/crl_unittest/invalid_key_rollover_issuer_keyusage_no_crlsign.pem",
    "data/crl_unittest/invalid_mismatched_signature_algorithm.pem",
@@ -6346,6 +6351,17 @@ fuzzer_test("net_cert_crl_parse_crl_tbscertlist_fuzzer") {
  ]
 }
+fuzzer_test("net_cert_crl_parse_issuing_distribution_point_fuzzer") {
+  sources = [
+    "cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
 fuzzer_test("net_cert_crl_getcrlstatusforcert_fuzzer") {
  sources = [
    "cert/internal/crl_getcrlstatusforcert_fuzzer.cc",

--- a/net/cert/internal/crl.cc
+++ b/net/cert/internal/crl.cc
@@ -19,6 +19,13 @@ namespace net {
 namespace {
+// id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 }
+// In dotted notation: 2.5.29.28
+der::Input IssuingDistributionPointOid() {
+  static const uint8_t oid[] = {0x55, 0x1d, 0x1c};
+  return der::Input(oid);
+}
 WARN_UNUSED_RESULT bool NormalizeNameTLV(const der::Input& name_tlv,
                                         std::string* out_normalized_name) {
  der::Parser parser(name_tlv);
@@ -29,6 +36,14 @@ WARN_UNUSED_RESULT bool NormalizeNameTLV(const der::Input& name_tlv,
         !parser.HasMore();
 }
+bool ContainsExactMatchingName(std::vector<base::StringPiece> a,
+                               std::vector<base::StringPiece> b) {
+  std::sort(a.begin(), a.end());
+  std::sort(b.begin(), b.end());
+  return !base::STLSetIntersection<std::vector<base::StringPiece>>(a, b)
+              .empty();
+}
 }  // namespace
 bool ParseCrlCertificateList(const der::Input& crl_tlv,
@@ -158,6 +173,70 @@ bool ParseCrlTbsCertList(const der::Input& tbs_tlv, ParsedCrlTbsCertList* out) {
  return true;
 }
+bool ParseIssuingDistributionPoint(
+    const der::Input& extension_value,
+    std::unique_ptr<GeneralNames>* out_distribution_point_names) {
+  der::Parser idp_extension_value_parser(extension_value);
+  // IssuingDistributionPoint ::= SEQUENCE {
+  der::Parser idp_parser;
+  if (!idp_extension_value_parser.ReadSequence(&idp_parser))
+    return false;
+  // 5.2.5.  Conforming CRLs issuers MUST NOT issue CRLs where the DER
+  //    encoding of the issuing distribution point extension is an empty
+  //    sequence.
+  if (!idp_parser.HasMore())
+    return false;
+  //  distributionPoint          [0] DistributionPointName OPTIONAL,
+  base::Optional<der::Input> distribution_point;
+  if (!idp_parser.ReadOptionalTag(
+          der::kTagContextSpecific | der::kTagConstructed | 0,
+          &distribution_point)) {
+    return false;
+  }
+  if (distribution_point.has_value()) {
+    //   DistributionPointName ::= CHOICE {
+    der::Parser dp_name_parser(*distribution_point);
+    //        fullName                [0]     GeneralNames,
+    //        nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }
+    base::Optional<der::Input> der_full_name;
+    if (!dp_name_parser.ReadOptionalTag(
+            der::kTagContextSpecific | der::kTagConstructed | 0,
+            &der_full_name)) {
+      return false;
+    }
+    if (!der_full_name) {
+      // Only fullName is supported.
+      return false;
+    }
+    CertErrors errors;
+    *out_distribution_point_names =
+        GeneralNames::CreateFromValue(*der_full_name, &errors);
+    if (!*out_distribution_point_names)
+      return false;
+    if (dp_name_parser.HasMore()) {
+      // CHOICE represents a single value.
+      return false;
+    }
+  }
+  //  onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
+  //  onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
+  //  onlySomeReasons            [3] ReasonFlags OPTIONAL,
+  //  indirectCRL                [4] BOOLEAN DEFAULT FALSE,
+  //  onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+  // onlyContainsUserCerts, onlyContainsCACerts, onlySomeReasons, indirectCRL,
+  // and onlyContainsAttributeCerts are not supported, fail parsing if they are
+  // present.
+  if (idp_parser.HasMore())
+    return false;
+  return true;
+}
 CRLRevocationStatus GetCRLStatusForCert(
    const der::Input& cert_serial,
    CrlVersion crl_version,
@@ -336,16 +415,65 @@ CRLRevocationStatus CheckCRL(base::StringPiece raw_crl,
  if (der::Input(&normalized_crl_issuer) != target_cert->normalized_issuer())
    return CRLRevocationStatus::UNKNOWN;
-  // 6.3.3 (b) (2) If the complete CRL includes an issuing distribution point
-  //               (IDP) CRL extension ...
-  // This implementation does not support CRL extensions, fail if any critical
-  // CRL extensions are present.
  if (tbs_cert_list.crl_extensions_tlv.has_value()) {
    std::map<der::Input, ParsedExtension> extensions;
    if (!ParseExtensions(*tbs_cert_list.crl_extensions_tlv, &extensions))
      return CRLRevocationStatus::UNKNOWN;
+    // 6.3.3 (b) (2) If the complete CRL includes an issuing distribution point
+    //               (IDP) CRL extension, check the following:
+    ParsedExtension idp_extension;
+    if (ConsumeExtension(IssuingDistributionPointOid(), &extensions,
+                         &idp_extension)) {
+      std::unique_ptr<GeneralNames> distribution_point_names;
+      if (!ParseIssuingDistributionPoint(idp_extension.value,
+                                         &distribution_point_names)) {
+        return CRLRevocationStatus::UNKNOWN;
+      }
+      if (distribution_point_names) {
+        // 6.3.3. [If the CRL was not specified in a distribution point], assume
+        //        a DP with both the reasons and the cRLIssuer fields omitted
+        //        and a distribution point name of the certificate issuer.
+        // Since only URI distribution point names are supported currently,
+        // just fail in this case.
+        // TODO(https://crbug.com/749276): update this if all distribution
+        // point name types are supported.
+        if (!cert_dp)
+          return CRLRevocationStatus::UNKNOWN;
+        // 6.3.3. (b) (2) (i) If the distribution point name is present in the
+        //                    IDP CRL extension and the distribution field is
+        //                    present in the DP, then verify that one of the
+        //                    names in the IDP matches one of the names in the
+        //                    DP.
+        // 5.2.5.  The identical encoding MUST be used in the distributionPoint
+        //         fields of the certificate and the CRL.
+        // TODO(https://crbug.com/749276): Check other name types?
+        if (!ContainsExactMatchingName(
+                cert_dp->uris,
+                distribution_point_names->uniform_resource_identifiers)) {
+          return CRLRevocationStatus::UNKNOWN;
+        }
+        // 6.3.3. (b) (2) (i) If the distribution point name is present in the
+        //                    IDP CRL extension and the distribution field is
+        //                    omitted from the DP, then verify that one of the
+        //                    names in the IDP matches one of the names in the
+        //                    cRLIssuer field of the DP.
+        // Indirect CRLs are not supported, if indirectCRL was specified,
+        // ParseIssuingDistributionPoint would already have failed.
+      }
+      // 6.3.3. (b) (2) (ii - iiii): onlyContainsUserCerts,
+      // onlyContainsCACerts, onlyContainsAttributeCerts not supported.
+      // TODO(https://crbug.com/749276): handle onlyContainsUserCerts &
+      // onlyContainsCACerts. Some random sampling of public CRLs found a few
+      // that use those and it should be easy enough to implement.
+    }
    for (const auto& ext : extensions) {
+      // Fail if any unhandled critical CRL extensions are present.
      if (ext.second.critical)
        return CRLRevocationStatus::UNKNOWN;
    }

--- a/net/cert/internal/crl.h
+++ b/net/cert/internal/crl.h
@@ -9,6 +9,7 @@
 #include "base/strings/string_piece_forward.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
+#include "net/cert/internal/general_names.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
@@ -145,6 +146,35 @@ struct NET_EXPORT_PRIVATE ParsedCrlTbsCertList {
  base::Optional<der::Input> crl_extensions_tlv;
 };
+// Parses a DER-encoded IssuingDistributionPoint extension value.
+// Returns true on success and sets the results in the
+// |out_distribution_point_names| parameter.
+//
+// If the IssuingDistributionPoint contains a distributionPoint fullName field,
+// |out_distribution_point_names| will contain the parsed representation.
+// If the distributionPoint type is nameRelativeToCRLIssuer, parsing will fail.
+//
+// onlyContainsUserCerts, onlyContainsCACerts, indirectCRL and
+// onlyContainsAttributeCerts are not supported and parsing will fail if they
+// are present.
+//
+// Note that on success |out_distribution_point_names| aliases data from the
+// input |extension_value|.
+//
+// On failure |out_distribution_point_names| has undefined state.
+//
+// IssuingDistributionPoint ::= SEQUENCE {
+//     distributionPoint          [0] DistributionPointName OPTIONAL,
+//     onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
+//     onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
+//     onlySomeReasons            [3] ReasonFlags OPTIONAL,
+//     indirectCRL                [4] BOOLEAN DEFAULT FALSE,
+//     onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
+NET_EXPORT_PRIVATE bool ParseIssuingDistributionPoint(
+    const der::Input& extension_value,
+    std::unique_ptr<GeneralNames>* out_distribution_point_names)
+    WARN_UNUSED_RESULT;
 NET_EXPORT_PRIVATE CRLRevocationStatus
 GetCRLStatusForCert(const der::Input& cert_serial,
                    CrlVersion crl_version,

--- a/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
+++ b/net/cert/internal/crl_parse_issuing_distribution_point_fuzzer.cc
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <stddef.h>
+#include <stdint.h>
+#include "net/cert/internal/crl.h"
+#include "net/der/input.h"
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::der::Input idp_der(data, size);
+  std::unique_ptr<net::GeneralNames> distribution_point_names;
+  if (net::ParseIssuingDistributionPoint(idp_der, &distribution_point_names)) {
+    CHECK((distribution_point_names &&
+           distribution_point_names->present_name_types !=
+               net::GENERAL_NAME_NONE));
+  }
+  return 0;
+}
--- a/net/cert/internal/crl_unittest.cc
+++ b/net/cert/internal/crl_unittest.cc
@@ -47,6 +47,7 @@ constexpr char const* kTestParams[] = {
    "good_no_version.pem",
    "good_no_crldp.pem",
    "good_key_rollover.pem",
+    "good_idp_contains_uri.pem",
    "revoked.pem",
    "revoked_no_nextupdate.pem",
    "revoked_fake_crlentryextension.pem",
@@ -61,6 +62,8 @@ constexpr char const* kTestParams[] = {
    "bad_nextupdate_too_old.pem",
    "bad_wrong_issuer.pem",
    "bad_key_rollover_signature.pem",
+    "bad_idp_contains_wrong_uri.pem",
+    "bad_idp_indirectcrl.pem",
    "invalid_mismatched_signature_algorithm.pem",
    "invalid_revoked_empty_sequence.pem",
    "invalid_v1_with_extension.pem",
@@ -86,6 +89,8 @@ constexpr char const* kTestParams[] = {
    "invalid_garbage_after_revocationdate.pem",
    "invalid_garbage_after_crlentryextensions.pem",
    "invalid_garbage_crlentry.pem",
+    "invalid_idp_dpname_choice_extra_data.pem",
+    "invalid_idp_empty_sequence.pem",
 };
 struct PrintTestName {

--- a/net/data/crl_unittest/bad_idp_contains_wrong_uri.pem
+++ b/net/data/crl_unittest/bad_idp_contains_wrong_uri.pem
+Generated by generate_crl_test_data.py. Do not edit.
+Leaf not covered by CRL (IDP with different URI)
+SEQUENCE {
+  SEQUENCE {
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    UTCTime { "170302001122Z" }
+    UTCTime { "170602001122Z" }
+    [0] {
+      SEQUENCE {
+        SEQUENCE {
+          # issuingDistributionPoint
+          OBJECT_IDENTIFIER { 2.5.29.28 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            SEQUENCE {
+              [0] {
+                [0] {
+                  [6 PRIMITIVE] { "http://example.com/FOO.CRL" }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `0060e4465673e30d5d312b2e3b5cc724cf4a1e927d37f92927d55ac6ae4a76f5fc6ca6e6564dc536d5b2559b238691397d83aa0f2265c70033c5060ede8540e92c5495eda163cf145841357e219c0a0e6db03f0ee2161e9f4759cfc6fc89e08a84fc8a3b2c92c29a01c2ae48ca02687e052bbd37a843e0fea0078331fb2d78c061` }
+}
+-----BEGIN CRL-----
+MIIBGTCBgwIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0IEludGVy
+bWVkaWF0ZSBDQRcNMTcwMzAyMDAxMTIyWhcNMTcwNjAyMDAxMTIyWqAwMC4wLAYD
+VR0cAQH/BCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9GT08uQ1JMMA0GCSqG
+SIb3DQEBCwUAA4GBAGDkRlZz4w1dMSsuO1zHJM9KHpJ9N/kpJ9Vaxq5KdvX8bKbm
+Vk3FNtWyVZsjhpE5fYOqDyJlxwAzxQYO3oVA6SxUle2hY88UWEE1fiGcCg5tsD8O
+4hYen0dZz8b8ieCKhPyKOyySwpoBwq5IygJofgUrvTeoQ+D+oAeDMfsteMBh
+-----END CRL-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00a35afbe7508b58895a28f81ebe71ea37f659fe29d1da13bd5b12460b8cf570dc57966aa97f06382fd01c4fbafc46564de12aa0d1d90d2060ad3f845189dab146559409c673b170edeb83bb56ecd2a7257b2283626d53f62e352c3edbb1a2198ddc73a92deb96b1beffd855f1e1aa005ae2ade2f763cbb0d0bd6cce4b768808c5` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # keyUsage
+          OBJECT_IDENTIFIER { 2.5.29.15 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            BIT_STRING { `0106` }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `0043b0323ab8f10378ccd100d12068c5bad3c32fdaa1b441ed1a4d52baa46aa967237345db8fdf03e0513825fd43c747aa710e371a88ae5ee4f460c59ddb6c5b08505feaa3cce3272e5c3d9b08a878822d5e601517b903537cb90e9085ec954c460f88af5217cb86e7c48be7d0847ec10f36a8df6177599d4a0d2ad4ea0ca857b2` }
+}
+-----BEGIN CA CERTIFICATE-----
+MIIBvTCCASagAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNV
+BAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCjWvvnUItYiVoo+B6+ceo39ln+KdHaE71bEkYLjPVw3FeWaql/Bjgv0BxP
+uvxGVk3hKqDR2Q0gYK0/hFGJ2rFGVZQJxnOxcO3rg7tW7NKnJXsig2JtU/YuNSw+
+27GiGY3cc6kt65axvv/YVfHhqgBa4q3i92PLsNC9bM5LdogIxQIDAQABoxIwEDAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAQ7AyOrjxA3jM0QDRIGjF
+utPDL9qhtEHtGk1SuqRqqWcjc0Xbj98D4FE4Jf1Dx0eqcQ43GoiuXuT0YMWd22xb
+CFBf6qPM4ycuXD2bCKh4gi1eYBUXuQNTfLkOkIXslUxGD4ivUhfLhufEi+fQhH7B
+Dzao32F3WZ1KDSrU6gyoV7I=
+-----END CA CERTIFICATE-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 5 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Cert" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00abdd04e5f0239dace20256547addf9df3ebb4081eacb549675116355e574620e2a350118cc9a03f754f73f93e1f95555db4f1533d14c50bebe6823c7e4032e2fa65536bdf33ff918c739680a809f4164f4c901c56d2c18785fc205f705b16086339be26d77d60de259dfbac76780ee5f2b416ff84566c5cc52a9d167ab818c67` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # cRLDistributionPoints
+          OBJECT_IDENTIFIER { 2.5.29.31 }
+          OCTET_STRING {
+            SEQUENCE {
+              SEQUENCE {
+                [0] {
+                  [0] {
+                    [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `000e3be5de5d0a6a2a155fa41f786443e6921899ed5566a1ba9fed2cec41dd925d1e077e3b9ce0aeacdf01261d31b828247da6d83d45a2ce469007d4dafda3603463b78bf18eff05e7b97521cbe10e44f185e945fdc09f637b982abbb2f1d380705305c0d63c207f622e6f14ed5509c68ecf907794de3a055137502ba47e37074d` }
+}
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAUWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+IEludGVybWVkaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAw
+MDAwWjAUMRIwEAYDVQQDDAlUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAKvdBOXwI52s4gJWVHrd+d8+u0CB6stUlnURY1XldGIOKjUBGMyaA/dU
+9z+T4flVVdtPFTPRTFC+vmgjx+QDLi+mVTa98z/5GMc5aAqAn0Fk9MkBxW0sGHhf
+wgX3BbFghjOb4m131g3iWd+6x2eA7l8rQW/4RWbFzFKp0WergYxnAgMBAAGjLzAt
+MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsMA0G
+CSqGSIb3DQEBCwUAA4GBAA475d5dCmoqFV+kH3hkQ+aSGJntVWahup/tLOxB3ZJd
+Hgd+O5zgrqzfASYdMbgoJH2m2D1Fos5GkAfU2v2jYDRjt4vxjv8F57l1IcvhDkTx
+helF/cCfY3uYKruy8dOAcFMFwNY8IH9iLm8U7VUJxo7PkHeU3joFUTdQK6R+NwdN
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/net/data/crl_unittest/bad_idp_indirectcrl.pem
+++ b/net/data/crl_unittest/bad_idp_indirectcrl.pem
+Generated by generate_crl_test_data.py. Do not edit.
+CRL IDP name matches, but has indirectCRL flag set
+SEQUENCE {
+  SEQUENCE {
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    UTCTime { "170302001122Z" }
+    UTCTime { "170602001122Z" }
+    [0] {
+      SEQUENCE {
+        SEQUENCE {
+          # issuingDistributionPoint
+          OBJECT_IDENTIFIER { 2.5.29.28 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            SEQUENCE {
+              [0] {
+                [0] {
+                  [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                }
+              }
+              [4 PRIMITIVE] { `ff` }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `008575e0844de9900f4ffe043ecf057212ec75c3f5736249ce3f9491c51afecc63b0fd68684419a99b72e6b075054f220ef4574c53bc3502f2751743326633551baf2888bcc3939d9ca4a22660a86be5ef766c872a4640386156905aff45c8bc40b2d2f648275d687c873fa7dfc080b89cd49d528bf1e3166022baee75907aa48a` }
+}
+-----BEGIN CRL-----
+MIIBHDCBhgIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0IEludGVy
+bWVkaWF0ZSBDQRcNMTcwMzAyMDAxMTIyWhcNMTcwNjAyMDAxMTIyWqAzMDEwLwYD
+VR0cAQH/BCUwI6AeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JshAH/MA0G
+CSqGSIb3DQEBCwUAA4GBAIV14IRN6ZAPT/4EPs8FchLsdcP1c2JJzj+UkcUa/sxj
+sP1oaEQZqZty5rB1BU8iDvRXTFO8NQLydRdDMmYzVRuvKIi8w5OdnKSiJmCoa+Xv
+dmyHKkZAOGFWkFr/Rci8QLLS9kgnXWh8hz+n38CAuJzUnVKL8eMWYCK67nWQeqSK
+-----END CRL-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00bd60ec89240bf0ea7b3f4a6a3f14406eae57ba2becb1b9479cda724cd41d71cd948871c969589c8199f4196193475abbf12e4a660865801695f5904046286522c9e4c7d09ccd28c8a3afc68b15d6917e04be426e26e5c7b3b734b68fe4b9ceb1f3738ebf285c98d89e65b931f2a2986c0bfb3cac53b2320199e4c75885dbd3ef` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # keyUsage
+          OBJECT_IDENTIFIER { 2.5.29.15 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            BIT_STRING { `0106` }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `00c4ed6f392c591e97505d31c5f2d966754a5ab9279b95d251ddc7391ded5052f130a3ea1b6cbb718acd19ee47e75e0811c8a1f0b2548779f6bcc28e4f110d4e242f4197c4cb7d8d27149ef1ae28af45c2d3fcb83c9c1bc2fb4cd44d9508ec64d54864244e9be13ec1575a6e3951dc233be5859995c6d0ee9be69d098273296065` }
+}
+-----BEGIN CA CERTIFICATE-----
+MIIBvTCCASagAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNV
+BAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQC9YOyJJAvw6ns/Smo/FEBurle6K+yxuUec2nJM1B1xzZSIcclpWJyBmfQZ
+YZNHWrvxLkpmCGWAFpX1kEBGKGUiyeTH0JzNKMijr8aLFdaRfgS+Qm4m5ceztzS2
+j+S5zrHzc46/KFyY2J5luTHyophsC/s8rFOyMgGZ5MdYhdvT7wIDAQABoxIwEDAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAxO1vOSxZHpdQXTHF8tlm
+dUpauSebldJR3cc5He1QUvEwo+obbLtxis0Z7kfnXggRyKHwslSHefa8wo5PEQ1O
+JC9Bl8TLfY0nFJ7xriivRcLT/Lg8nBvC+0zUTZUI7GTVSGQkTpvhPsFXWm45Udwj
+O+WFmZXG0O6b5p0JgnMpYGU=
+-----END CA CERTIFICATE-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 5 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Cert" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00fbff662387c3e71432d3188342014cee96bfd313373db79f4f427c4e6d2b8949b0597f6d3649428dc4eb93f72710f08c9aedf46c38fa6eecb235dad488681e526588be960402e971e14155d065c5ab2213ccb199c195246bfc604173bb4d31e1c7beffe84a3007feb05e5f51c6c1fc942f1fc2e62e6a095271b69665aebd9ae3` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # cRLDistributionPoints
+          OBJECT_IDENTIFIER { 2.5.29.31 }
+          OCTET_STRING {
+            SEQUENCE {
+              SEQUENCE {
+                [0] {
+                  [0] {
+                    [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `005eae7b92f2a53dc2350b6041bb514239a999c326708a6b6337aceb4f0b871f70bdfa7caaf218e8daa4a8e0f6ee968ccdc7a1cf13fc5c319e53c5e067cbe4c0602b5bf1f7201cff6c927e406c8021176722969268cacbf1766ad61d967a329e376ac0a8d33eeef2f185304f22a351d80a1ad0969c64e14a41b2783710bc7560c6` }
+}
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAUWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+IEludGVybWVkaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAw
+MDAwWjAUMRIwEAYDVQQDDAlUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAPv/ZiOHw+cUMtMYg0IBTO6Wv9MTNz23n09CfE5tK4lJsFl/bTZJQo3E
+65P3JxDwjJrt9Gw4+m7ssjXa1IhoHlJliL6WBALpceFBVdBlxasiE8yxmcGVJGv8
+YEFzu00x4ce+/+hKMAf+sF5fUcbB/JQvH8LmLmoJUnG2lmWuvZrjAgMBAAGjLzAt
+MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsMA0G
+CSqGSIb3DQEBCwUAA4GBAF6ue5LypT3CNQtgQbtRQjmpmcMmcIprYzes608Lhx9w
+vfp8qvIY6NqkqOD27paMzcehzxP8XDGeU8XgZ8vkwGArW/H3IBz/bJJ+QGyAIRdn
+IpaSaMrL8XZq1h2WejKeN2rAqNM+7vLxhTBPIqNR2Aoa0JacZOFKQbJ4NxC8dWDG
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/net/data/crl_unittest/generate_crl_test_data.py
+++ b/net/data/crl_unittest/generate_crl_test_data.py
@@ -351,6 +351,61 @@ crl_strings = {
       OCTET_STRING { `5678` }
     }
  ''',
+  # An issuingDistributionPoint with multiple fullName values, one of which
+  # matches the URI in |LEAF|'s crlDistributionPoints extension.
+  'issuingDistributionPoint': '''
+     SEQUENCE {
+       OBJECT_IDENTIFIER { 2.5.29.28 }
+       BOOLEAN { `ff` }
+       OCTET_STRING {
+         SEQUENCE {
+           [0] {
+             [0] {
+               [1 PRIMITIVE] { "foo@example.com" }
+               [6 PRIMITIVE] { "http://zexample.com/foo.crl" }
+               [6 PRIMITIVE] { "http://example.com/foo.crl" }
+               [6 PRIMITIVE] { "http://aexample.com/foo.crl" }
+             }
+           }
+         }
+       }
+     }
+  ''',
+  'issuingDistributionPoint_wrong_uri': '''
+     SEQUENCE {
+       OBJECT_IDENTIFIER { 2.5.29.28 }
+       BOOLEAN { `ff` }
+       OCTET_STRING {
+         SEQUENCE {
+           [0] {
+             [0] {
+               [6 PRIMITIVE] { "http://example.com/FOO.CRL" }
+             }
+           }
+         }
+       }
+     }
+  ''',
+  'issuingDistributionPoint_with_indirectCRL': '''
+     SEQUENCE {
+       OBJECT_IDENTIFIER { 2.5.29.28 }
+       BOOLEAN { `ff` }
+       OCTET_STRING {
+         SEQUENCE {
+           [0] {
+             [0] {
+               [6 PRIMITIVE] { "http://example.com/foo.crl" }
+             }
+           }
+           [4 PRIMITIVE] { `ff` }
+         }
+       }
+     }
+  ''',
 }
@@ -493,6 +548,26 @@ Store(
 ''' % crl_strings))
+Store(
+    'good_idp_contains_uri',
+    'Leaf covered by CRLs and not revoked, CRL has IDP with URI matching '
+    'cert DP',
+    LEAF, CA,
+    SignAsciiCRL('''
+  INTEGER { 1 }
+  %(sha256WithRSAEncryption)s
+  %(CA_name)s
+  %(thisUpdate)s
+  %(nextUpdate)s
+  # no revoked certs list
+  [0] {
+    SEQUENCE {
+      %(issuingDistributionPoint)s
+    }
+  }
+''' % crl_strings))
 Store(
    'good_no_crldp',
    'Leaf covered by CRLs and not revoked, leaf has no crlDistributionPoints',
@@ -757,6 +832,44 @@ Store(
 ''' % crl_strings, signer=OTHER_CA))
+Store(
+    'bad_idp_contains_wrong_uri',
+    'Leaf not covered by CRL (IDP with different URI)',
+    LEAF, CA,
+    SignAsciiCRL('''
+  INTEGER { 1 }
+  %(sha256WithRSAEncryption)s
+  %(CA_name)s
+  %(thisUpdate)s
+  %(nextUpdate)s
+  # no revoked certs list
+  [0] {
+    SEQUENCE {
+      %(issuingDistributionPoint_wrong_uri)s
+    }
+  }
+''' % crl_strings))
+Store(
+    'bad_idp_indirectcrl',
+    'CRL IDP name matches, but has indirectCRL flag set',
+    LEAF, CA,
+    SignAsciiCRL('''
+  INTEGER { 1 }
+  %(sha256WithRSAEncryption)s
+  %(CA_name)s
+  %(thisUpdate)s
+  %(nextUpdate)s
+  # no revoked certs list
+  [0] {
+    SEQUENCE {
+      %(issuingDistributionPoint_with_indirectCRL)s
+    }
+  }
+''' % crl_strings))
 Store(
    'invalid_mismatched_signature_algorithm',
    'Leaf covered by CRLs and not revoked, but signatureAlgorithm in '
@@ -1227,3 +1340,67 @@ Store(
                 {'LEAF_SERIAL':LEAF['cert'].get_serial_number()}))))
+Store(
+    'invalid_idp_dpname_choice_extra_data',
+    'IssuingDistributionPoint extension distributionPoint is invalid',
+    LEAF, CA,
+    SignAsciiCRL('''
+  INTEGER { 1 }
+  %(sha256WithRSAEncryption)s
+  %(CA_name)s
+  %(thisUpdate)s
+  %(nextUpdate)s
+  # no revoked certs list
+  [0] {
+    SEQUENCE {
+      SEQUENCE {
+        OBJECT_IDENTIFIER { 2.5.29.28 }
+        BOOLEAN { `ff` }
+        OCTET_STRING {
+          SEQUENCE {
+            [0] {
+              [0] {
+                [6 PRIMITIVE] { "http://example.com/foo.crl" }
+              }
+              [1] {
+                SET {
+                  SEQUENCE {
+                    # countryName
+                    OBJECT_IDENTIFIER { 2.5.4.6 }
+                    PrintableString { "US" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+''' % crl_strings))
+Store(
+    'invalid_idp_empty_sequence',
+    'IssuingDistributionPoint extension is invalid',
+    LEAF, CA,
+    SignAsciiCRL('''
+  INTEGER { 1 }
+  %(sha256WithRSAEncryption)s
+  %(CA_name)s
+  %(thisUpdate)s
+  %(nextUpdate)s
+  # no revoked certs list
+  [0] {
+    SEQUENCE {
+      SEQUENCE {
+        OBJECT_IDENTIFIER { 2.5.29.28 }
+        BOOLEAN { `ff` }
+        OCTET_STRING {
+          SEQUENCE {
+          }
+        }
+      }
+    }
+  }
+''' % crl_strings))
--- a/net/data/crl_unittest/good_idp_contains_uri.pem
+++ b/net/data/crl_unittest/good_idp_contains_uri.pem
+Generated by generate_crl_test_data.py. Do not edit.
+Leaf covered by CRLs and not revoked, CRL has IDP with URI matching cert DP
+SEQUENCE {
+  SEQUENCE {
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    UTCTime { "170302001122Z" }
+    UTCTime { "170602001122Z" }
+    [0] {
+      SEQUENCE {
+        SEQUENCE {
+          # issuingDistributionPoint
+          OBJECT_IDENTIFIER { 2.5.29.28 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            SEQUENCE {
+              [0] {
+                [0] {
+                  [1 PRIMITIVE] { "foo@example.com" }
+                  [6 PRIMITIVE] { "http://zexample.com/foo.crl" }
+                  [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  [6 PRIMITIVE] { "http://aexample.com/foo.crl" }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `006b659179378a15aac130d45749d08a24c91888959d8fb5356343e453d024c6517ad657f7ee509fa368b0ef54e6cc50077e25b67ee6caed57a15abd2dfd9e13564eb8bc39b75d96ca25215f00851293536d6e988c38e86339a9694d75e03e089116c74cb20f1bf1e8091d5dd946cda218af2810abe5854a2e17c77110b2fa263c` }
+}
+-----BEGIN CRL-----
+MIIBZDCBzgIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0IEludGVy
+bWVkaWF0ZSBDQRcNMTcwMzAyMDAxMTIyWhcNMTcwNjAyMDAxMTIyWqB7MHkwdwYD
+VR0cAQH/BG0wa6BpoGeBD2Zvb0BleGFtcGxlLmNvbYYbaHR0cDovL3pleGFtcGxl
+LmNvbS9mb28uY3JshhpodHRwOi8vZXhhbXBsZS5jb20vZm9vLmNybIYbaHR0cDov
+L2FleGFtcGxlLmNvbS9mb28uY3JsMA0GCSqGSIb3DQEBCwUAA4GBAGtlkXk3ihWq
+wTDUV0nQiiTJGIiVnY+1NWND5FPQJMZRetZX9+5Qn6NosO9U5sxQB34ltn7myu1X
+oVq9Lf2eE1ZOuLw5t12WyiUhXwCFEpNTbW6YjDjoYzmpaU114D4IkRbHTLIPG/Ho
+CR1d2UbNohivKBCr5YVKLhfHcRCy+iY8
+-----END CRL-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00a35afbe7508b58895a28f81ebe71ea37f659fe29d1da13bd5b12460b8cf570dc57966aa97f06382fd01c4fbafc46564de12aa0d1d90d2060ad3f845189dab146559409c673b170edeb83bb56ecd2a7257b2283626d53f62e352c3edbb1a2198ddc73a92deb96b1beffd855f1e1aa005ae2ade2f763cbb0d0bd6cce4b768808c5` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # keyUsage
+          OBJECT_IDENTIFIER { 2.5.29.15 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            BIT_STRING { `0106` }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `0043b0323ab8f10378ccd100d12068c5bad3c32fdaa1b441ed1a4d52baa46aa967237345db8fdf03e0513825fd43c747aa710e371a88ae5ee4f460c59ddb6c5b08505feaa3cce3272e5c3d9b08a878822d5e601517b903537cb90e9085ec954c460f88af5217cb86e7c48be7d0847ec10f36a8df6177599d4a0d2ad4ea0ca857b2` }
+}
+-----BEGIN CA CERTIFICATE-----
+MIIBvTCCASagAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNV
+BAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCjWvvnUItYiVoo+B6+ceo39ln+KdHaE71bEkYLjPVw3FeWaql/Bjgv0BxP
+uvxGVk3hKqDR2Q0gYK0/hFGJ2rFGVZQJxnOxcO3rg7tW7NKnJXsig2JtU/YuNSw+
+27GiGY3cc6kt65axvv/YVfHhqgBa4q3i92PLsNC9bM5LdogIxQIDAQABoxIwEDAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAQ7AyOrjxA3jM0QDRIGjF
+utPDL9qhtEHtGk1SuqRqqWcjc0Xbj98D4FE4Jf1Dx0eqcQ43GoiuXuT0YMWd22xb
+CFBf6qPM4ycuXD2bCKh4gi1eYBUXuQNTfLkOkIXslUxGD4ivUhfLhufEi+fQhH7B
+Dzao32F3WZ1KDSrU6gyoV7I=
+-----END CA CERTIFICATE-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 5 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Cert" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00abdd04e5f0239dace20256547addf9df3ebb4081eacb549675116355e574620e2a350118cc9a03f754f73f93e1f95555db4f1533d14c50bebe6823c7e4032e2fa65536bdf33ff918c739680a809f4164f4c901c56d2c18785fc205f705b16086339be26d77d60de259dfbac76780ee5f2b416ff84566c5cc52a9d167ab818c67` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # cRLDistributionPoints
+          OBJECT_IDENTIFIER { 2.5.29.31 }
+          OCTET_STRING {
+            SEQUENCE {
+              SEQUENCE {
+                [0] {
+                  [0] {
+                    [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `000e3be5de5d0a6a2a155fa41f786443e6921899ed5566a1ba9fed2cec41dd925d1e077e3b9ce0aeacdf01261d31b828247da6d83d45a2ce469007d4dafda3603463b78bf18eff05e7b97521cbe10e44f185e945fdc09f637b982abbb2f1d380705305c0d63c207f622e6f14ed5509c68ecf907794de3a055137502ba47e37074d` }
+}
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAUWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+IEludGVybWVkaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAw
+MDAwWjAUMRIwEAYDVQQDDAlUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAKvdBOXwI52s4gJWVHrd+d8+u0CB6stUlnURY1XldGIOKjUBGMyaA/dU
+9z+T4flVVdtPFTPRTFC+vmgjx+QDLi+mVTa98z/5GMc5aAqAn0Fk9MkBxW0sGHhf
+wgX3BbFghjOb4m131g3iWd+6x2eA7l8rQW/4RWbFzFKp0WergYxnAgMBAAGjLzAt
+MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsMA0G
+CSqGSIb3DQEBCwUAA4GBAA475d5dCmoqFV+kH3hkQ+aSGJntVWahup/tLOxB3ZJd
+Hgd+O5zgrqzfASYdMbgoJH2m2D1Fos5GkAfU2v2jYDRjt4vxjv8F57l1IcvhDkTx
+helF/cCfY3uYKruy8dOAcFMFwNY8IH9iLm8U7VUJxo7PkHeU3joFUTdQK6R+NwdN
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/net/data/crl_unittest/invalid_idp_dpname_choice_extra_data.pem
+++ b/net/data/crl_unittest/invalid_idp_dpname_choice_extra_data.pem
+Generated by generate_crl_test_data.py. Do not edit.
+IssuingDistributionPoint extension distributionPoint is invalid
+SEQUENCE {
+  SEQUENCE {
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    UTCTime { "170302001122Z" }
+    UTCTime { "170602001122Z" }
+    [0] {
+      SEQUENCE {
+        SEQUENCE {
+          # issuingDistributionPoint
+          OBJECT_IDENTIFIER { 2.5.29.28 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            SEQUENCE {
+              [0] {
+                [0] {
+                  [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                }
+                [1] {
+                  SET {
+                    SEQUENCE {
+                      # countryName
+                      OBJECT_IDENTIFIER { 2.5.4.6 }
+                      PrintableString { "US" }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `0006c98c9191f2a57043ef6422f23c2a6f458a5bdcd995b70dc6e5c2525e61c09bab709c79ef892dc5a406bbe4f8409ae1e33e0bb243318f339f5472134c14d0a183ea1dccc520063868534e74a64abfe5302c182fee2cde2f035c1c8bf8f4f75f9fcc7c6a66a172de8c0b3dab3fe6b8d52f7321e0b7f5a89535b602f9f20f6394` }
+}
+-----BEGIN CRL-----
+MIIBKDCBkgIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0IEludGVy
+bWVkaWF0ZSBDQRcNMTcwMzAyMDAxMTIyWhcNMTcwNjAyMDAxMTIyWqA/MD0wOwYD
+VR0cAQH/BDEwL6AtoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsoQ0xCzAJ
+BgNVBAYTAlVTMA0GCSqGSIb3DQEBCwUAA4GBAAbJjJGR8qVwQ+9kIvI8Km9Filvc
+2ZW3DcblwlJeYcCbq3Ccee+JLcWkBrvk+ECa4eM+C7JDMY8zn1RyE0wU0KGD6h3M
+xSAGOGhTTnSmSr/lMCwYL+4s3i8DXByL+PT3X5/MfGpmoXLejAs9qz/muNUvcyHg
+t/WolTW2AvnyD2OU
+-----END CRL-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00d8f829b13d9a2659010e0313b15f2d11e54598cfb739bc936522719d585f86b7e81b4ed40007618edb03fea56c65b8bfb68c560984de16c02db43eed00d6d2409661c7976def87811cdce44f3e9498bfb1316f7c1d79158495780660e07c5fc4d302288fe0a9c409a7c708f48f1c1dd8e878bc00f4e7c596edaf3994ac0eb4dd` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # keyUsage
+          OBJECT_IDENTIFIER { 2.5.29.15 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            BIT_STRING { `0106` }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `003f30d040e2a230cd961b63ba65ccf7c61f60f364d0a5c4a5afa72303ebbdd7be2a879e57d9c09ca28495cd8bd62678207214e36c80dfbf8a722f808260c52a9713a27518c9a1075ab786268cf29972e82ad4a750502491de00e3cec21f7fc424830a5382fc2ff6db4c7ddbf3f6cf89985a9de7002a78556c6a778e9ff6cc369d` }
+}
+-----BEGIN CA CERTIFICATE-----
+MIIBvTCCASagAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNV
+BAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQDY+CmxPZomWQEOAxOxXy0R5UWYz7c5vJNlInGdWF+Gt+gbTtQAB2GO2wP+
+pWxluL+2jFYJhN4WwC20Pu0A1tJAlmHHl23vh4Ec3ORPPpSYv7Exb3wdeRWElXgG
+YOB8X8TTAiiP4KnECafHCPSPHB3Y6Hi8APTnxZbtrzmUrA603QIDAQABoxIwEDAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAPzDQQOKiMM2WG2O6Zcz3
+xh9g82TQpcSlr6cjA+u9174qh55X2cCcooSVzYvWJnggchTjbIDfv4pyL4CCYMUq
+lxOidRjJoQdat4YmjPKZcugq1KdQUCSR3gDjzsIff8QkgwpTgvwv9ttMfdvz9s+J
+mFqd5wAqeFVsaneOn/bMNp0=
+-----END CA CERTIFICATE-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 5 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Cert" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00a5c695feb8c268dd012b8f112f5bcd7e0ad91f4e7491bd4903ccfc4d9e88e96d6b43fbfb89ad6e88028e7bcad2aeee3c735fb31639ed92455daee9d8fafd468d2ba9ddcf487880498b64e95a3d47d8358d8cfdaeb8a962fdbf1e8fb4e06deda0a072996f46495b5de9ff39a8b1bdc995afe9b453988cbc33d0d467e49dca1349` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # cRLDistributionPoints
+          OBJECT_IDENTIFIER { 2.5.29.31 }
+          OCTET_STRING {
+            SEQUENCE {
+              SEQUENCE {
+                [0] {
+                  [0] {
+                    [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `00549634347f1e456ae66f4ef3cff73c1176a61305805ed402505471e23b58a9c61ad2f77c2e13da450a60bf54958a69841a4102f296881689d95f10e604b36e6082504c433083591399d020c7f3d173fb261156d8a60a889bac1a755338c7daba530750e249c88ad5657e7832337507ae3c65101aba15f83635d351f07b548de3` }
+}
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAUWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+IEludGVybWVkaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAw
+MDAwWjAUMRIwEAYDVQQDDAlUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAKXGlf64wmjdASuPES9bzX4K2R9OdJG9SQPM/E2eiOlta0P7+4mtbogC
+jnvK0q7uPHNfsxY57ZJFXa7p2Pr9Ro0rqd3PSHiASYtk6Vo9R9g1jYz9rripYv2/
+Ho+04G3toKBymW9GSVtd6f85qLG9yZWv6bRTmIy8M9DUZ+SdyhNJAgMBAAGjLzAt
+MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsMA0G
+CSqGSIb3DQEBCwUAA4GBAFSWNDR/HkVq5m9O88/3PBF2phMFgF7UAlBUceI7WKnG
+GtL3fC4T2kUKYL9UlYpphBpBAvKWiBaJ2V8Q5gSzbmCCUExDMINZE5nQIMfz0XP7
+JhFW2KYKiJusGnVTOMfaulMHUOJJyIrVZX54MjN1B648ZRAauhX4NjXTUfB7VI3j
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/net/data/crl_unittest/invalid_idp_empty_sequence.pem
+++ b/net/data/crl_unittest/invalid_idp_empty_sequence.pem
+Generated by generate_crl_test_data.py. Do not edit.
+IssuingDistributionPoint extension is invalid
+SEQUENCE {
+  SEQUENCE {
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    UTCTime { "170302001122Z" }
+    UTCTime { "170602001122Z" }
+    [0] {
+      SEQUENCE {
+        SEQUENCE {
+          # issuingDistributionPoint
+          OBJECT_IDENTIFIER { 2.5.29.28 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            SEQUENCE {}
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `007e30782faeb5a9b4aed94ade2d1aafe5b17af96ee9ebe1696b6bb6f92815a3d8643acbfa59bacb4255e635e02cd62c14cdfc13e128ceace0ffc96da315eee2dd35995f322c972c3ee4ff7fc7b463339cfc85eec97cde4b7e1a1e8ce2f336fcab4a548164d84f6b83d652c4e08c5b31468c69fb3478bd2af335ab6e27cdb52583` }
+}
+-----BEGIN CRL-----
+MIH4MGMCAQEwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUVGVzdCBJbnRlcm1l
+ZGlhdGUgQ0EXDTE3MDMwMjAwMTEyMloXDTE3MDYwMjAwMTEyMlqgEDAOMAwGA1Ud
+HAEB/wQCMAAwDQYJKoZIhvcNAQELBQADgYEAfjB4L661qbSu2UreLRqv5bF6+W7p
+6+Fpa2u2+SgVo9hkOsv6WbrLQlXmNeAs1iwUzfwT4SjOrOD/yW2jFe7i3TWZXzIs
+lyw+5P9/x7RjM5z8he7JfN5LfhoejOLzNvyrSlSBZNhPa4PWUsTgjFsxRoxp+zR4
+vSrzNatuJ821JYM=
+-----END CRL-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 1 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00b17ca575a8ed4c57e6290feec7641298cb22569fc6cdaed87186b5fb9fa201c7986b7a758753c7b407606487c3ed223a402c7ee930e22654e9390b4cdae8b8e135ca73e5550c116d29d10ef59ccff23f63e50399a7430ea3b8e040ebe63776450642b895ca20468038980c23ca30e49e93633f6507da641b4db1518f74958d8b` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # keyUsage
+          OBJECT_IDENTIFIER { 2.5.29.15 }
+          BOOLEAN { `ff` }
+          OCTET_STRING {
+            BIT_STRING { `0106` }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `00a329373d689f35e199ce1b0a1eef4f6c36b926344368f00687b37489ab486407ea3cadb4441d4f383d18feebb68fcee74fa2204c645c2369ef0bdce02bc646a1d36a2383625b7b46d23e344ef5e85e015f1176ab7ce112a7604e34767ef9c47b818e6599ec752255b04fb3339dfc56bb7c3c62bd8109deff2fc75d615b64d65d` }
+}
+-----BEGIN CA CERTIFICATE-----
+MIIBvTCCASagAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0
+IENBMCIYDzIwMTcwMTAxMDAwMDAwWhgPMjAxODAxMDEwMDAwMDBaMB8xHTAbBgNV
+BAMMFFRlc3QgSW50ZXJtZWRpYXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+iQKBgQCxfKV1qO1MV+YpD+7HZBKYyyJWn8bNrthxhrX7n6IBx5hrenWHU8e0B2Bk
+h8PtIjpALH7pMOImVOk5C0za6LjhNcpz5VUMEW0p0Q71nM/yP2PlA5mnQw6juOBA
+6+Y3dkUGQriVyiBGgDiYDCPKMOSek2M/ZQfaZBtNsVGPdJWNiwIDAQABoxIwEDAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADgYEAoyk3PWifNeGZzhsKHu9P
+bDa5JjRDaPAGh7N0iatIZAfqPK20RB1POD0Y/uu2j87nT6IgTGRcI2nvC9zgK8ZG
+odNqI4NiW3tG0j40TvXoXgFfEXarfOESp2BONHZ++cR7gY5lmex1IlWwT7MznfxW
+u3w8Yr2BCd7/L8ddYVtk1l0=
+-----END CA CERTIFICATE-----
+SEQUENCE {
+  SEQUENCE {
+    [0] {
+      INTEGER { 2 }
+    }
+    INTEGER { 5 }
+    SEQUENCE {
+      # sha256WithRSAEncryption
+      OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+      NULL {}
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Intermediate CA" }
+        }
+      }
+    }
+    SEQUENCE {
+      GeneralizedTime { "20170101000000Z" }
+      GeneralizedTime { "20180101000000Z" }
+    }
+    SEQUENCE {
+      SET {
+        SEQUENCE {
+          # commonName
+          OBJECT_IDENTIFIER { 2.5.4.3 }
+          UTF8String { "Test Cert" }
+        }
+      }
+    }
+    SEQUENCE {
+      SEQUENCE {
+        # rsaEncryption
+        OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }
+        NULL {}
+      }
+      BIT_STRING {
+        `00`
+        SEQUENCE {
+          INTEGER { `00d1f551f3f9137e84c706271349971ec0fea83a78d7cfcb86f37eacbcdd4cf6f76e8b8f158efacf1c5d8c9a37dc273b8e547c2c86c97ef744b1efc523b5470449b99889b46265668e5a3d61d2f75bb03a528f68abd56cac295abd47ac19532e72ccc8e40e914d276504f2f738d1b32c19dea39a1ca011ec91ded82eef136323ed` }
+          INTEGER { 65537 }
+        }
+      }
+    }
+    [3] {
+      SEQUENCE {
+        SEQUENCE {
+          # cRLDistributionPoints
+          OBJECT_IDENTIFIER { 2.5.29.31 }
+          OCTET_STRING {
+            SEQUENCE {
+              SEQUENCE {
+                [0] {
+                  [0] {
+                    [6 PRIMITIVE] { "http://example.com/foo.crl" }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  SEQUENCE {
+    # sha256WithRSAEncryption
+    OBJECT_IDENTIFIER { 1.2.840.113549.1.1.11 }
+    NULL {}
+  }
+  BIT_STRING { `0030608eee0754a85a3ea4caba97270ed8222c007aa3986916a47a0658ea7df85aac02ceb7b30a80d8decb1090e28e09d1481b61312554466e2b8d640c79e4d266c527b4e875ad372666f2e877f0edca1503273377381c76b383396106689c17a967cc6b290ddc6c146405b15a2ca6bc47f1a6b65fd65810bef9347bb2e04bf2dc` }
+}
+-----BEGIN CERTIFICATE-----
+MIIB3DCCAUWgAwIBAgIBBTANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0
+IEludGVybWVkaWF0ZSBDQTAiGA8yMDE3MDEwMTAwMDAwMFoYDzIwMTgwMTAxMDAw
+MDAwWjAUMRIwEAYDVQQDDAlUZXN0IENlcnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBANH1UfP5E36ExwYnE0mXHsD+qDp418/LhvN+rLzdTPb3bouPFY76zxxd
+jJo33Cc7jlR8LIbJfvdEse/FI7VHBEm5mIm0YmVmjlo9YdL3W7A6Uo9oq9VsrCla
+vUesGVMucszI5A6RTSdlBPL3ONGzLBneo5ocoBHskd7YLu8TYyPtAgMBAAGjLzAt
+MCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9leGFtcGxlLmNvbS9mb28uY3JsMA0G
+CSqGSIb3DQEBCwUAA4GBADBgju4HVKhaPqTKupcnDtgiLAB6o5hpFqR6Bljqffha
+rALOt7MKgNjeyxCQ4o4J0UgbYTElVEZuK41kDHnk0mbFJ7Toda03Jmby6Hfw7coV
+AyczdzgcdrODOWEGaJwXqWfMaykN3GwUZAWxWiymvEfxprZf1lgQvvk0e7LgS/Lc
+-----END CERTIFICATE-----
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/empty_sequence
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/empty_sequence
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_distributionPoint_fullName_uri
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_distributionPoint_fullName_uri
+0 http://example.com/foo.crl
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_distributionPoint_nameRelativeToCRLIssuer
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_distributionPoint_nameRelativeToCRLIssuer
+0
10	UUS
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_dpname_onlyca_reasons_and_indirectcrl
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_dpname_onlyca_reasons_and_indirectcrl
+0+http://example.com/foo.crl
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_indirectCrl
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_indirectCrl
+0
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsAttributeCerts
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsAttributeCerts
+0
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsCaCerts
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsCaCerts
+0
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsUserCerts
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlyContainsUserCerts
+0
\ No newline at end of file
--- a/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlySomeReasons
+++ b/net/data/fuzzer_data/crl_parse_issuing_distribution_point_fuzzer/idp_with_onlySomeReasons
+0
\ No newline at end of file