View Issue Details

ID: 0001438
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2018-06-13 22:10
Reporter: wytze
Assigned To: GuKKDevel
Priority: normal
Severity: minor
Reproducibility: always
Status: needs review & testing
Resolution: open
Platform: Default
OS: any
OS Version: any
Product Version: 2017 Q4
Target Version: 2017 Q4
Fixed in Version:
Summary: 0001438: CRLs published by CAcert do not contain the field "CRL number"
Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018:

the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number".
Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
Steps To Reproduce:
$ wget http://crl.cacert.org/revoke.crl
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

Something like this will appear:
crlNumber=<NONE>
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 1 14:25:08 2003 GMT

The crlNumber=<NONE> shows the problem.
Additional Information: According to RFC 5280 (May 2008), section 5.2:
   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
Tags: certificates
Reviewed by:
Test Instructions: See Steps To Reproduce
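A stand-alone check for the condition this bug is about, added here as an example (it is not part of the bug report and not CAcert signer code): it walks the DER of a CertificateList with the standard library only, reports the CRL Number and lists which of the two extensions RFC 5280 section 5.2 requires are absent. The sample CRLs it builds are constructed inside the block (dummy issuer "Test CA", bogus signature, no revoked entries) and are assumptions, not the live revoke.crl; the signature is not verified.

```python
"""Check a DER CRL for the extensions RFC 5280 section 5.2 requires of conforming
issuers: Authority Key Identifier (2.5.29.35) and CRL Number (2.5.29.20).
Stdlib-only DER walking; the signature is NOT verified. Added example, not CAcert code."""
from typing import Dict, List, Optional, Tuple

OID_AUTHORITY_KEY_ID = "2.5.29.35"
OID_CRL_NUMBER = "2.5.29.20"
REQUIRED_CRL_EXTENSIONS = (OID_AUTHORITY_KEY_ID, OID_CRL_NUMBER)

def _tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _children(contents: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0                       # members of a constructed value
    while pos < len(contents):
        tag, val, pos = _tlv(contents, pos)
        out.append((tag, val))
    return out

def _oid(contents: bytes) -> str:
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                 # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def crl_extensions(der: bytes) -> Dict[str, bytes]:
    """{extnID: extnValue contents} for the crlExtensions of a CertificateList."""
    _, cert_list, _ = _tlv(der)            # CertificateList ::= SEQUENCE
    tbs = _children(cert_list)[0][1]       # tbsCertList is its first member
    exts: Dict[str, bytes] = {}
    for tag, val in _children(tbs):
        if tag == 0xA0:                    # crlExtensions [0] EXPLICIT Extensions
            _, ext_seq, _ = _tlv(val)
            for _, ext in _children(ext_seq):
                fields = _children(ext)    # extnID, [critical], extnValue
                exts[_oid(fields[0][1])] = fields[-1][1]
    return exts

def crl_number(der: bytes) -> Optional[int]:
    """CRL Number as an int, or None when the extension is absent."""
    raw = crl_extensions(der).get(OID_CRL_NUMBER)
    if raw is None:
        return None
    _, num, _ = _tlv(raw)                  # INTEGER inside the OCTET STRING
    return int.from_bytes(num, "big", signed=True)

def missing_required_extensions(der: bytes) -> List[str]:
    """RFC 5280 5.2 extensions the CRL lacks; an empty list means conforming."""
    present = crl_extensions(der)
    return [oid for oid in REQUIRED_CRL_EXTENSIONS if oid not in present]

def _enc(tag: int, contents: bytes) -> bytes:
    n = len(contents)                      # minimal DER encoder for the sample
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _enc_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return _enc(0x06, body)

def sample_crl(number: Optional[int], with_aki: bool = True) -> bytes:
    """Constructed v2 CRL with a bogus signature (not a real CAcert CRL);
    number=None omits the CRL Number extension, as the live revoke.crl did."""
    alg = _enc(0x30, _enc_oid("1.2.840.113549.1.1.13") + _enc(0x05, b""))  # sha512WithRSA
    issuer = _enc(0x30, _enc(0x31, _enc(0x30, _enc_oid("2.5.4.3") + _enc(0x0C, b"Test CA"))))
    tbs = _enc(0x02, b"\x01") + alg + issuer                                 # version v2
    tbs += _enc(0x17, b"180417142854Z") + _enc(0x17, b"180424142854Z")      # this/nextUpdate
    exts = b""
    if with_aki:
        aki = _enc(0x30, _enc(0x80, b"\x01\x02\x03\x04"))                   # [0] keyIdentifier
        exts += _enc(0x30, _enc_oid(OID_AUTHORITY_KEY_ID) + _enc(0x04, aki))
    if number is not None:
        num = _enc(0x02, number.to_bytes((number.bit_length() + 8) // 8, "big"))
        exts += _enc(0x30, _enc_oid(OID_CRL_NUMBER) + _enc(0x04, num))
    if exts:
        tbs += _enc(0xA0, _enc(0x30, exts))
    return _enc(0x30, _enc(0x30, tbs) + alg + _enc(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print(crl_number(sample_crl(0x1249)), missing_required_extensions(sample_crl(None, False)))
```

To run it against the real file from the steps above, pass its bytes: crl_number(open('revoke.crl', 'rb').read()) returns None for a CRL that openssl reports as crlNumber=<NONE>, and 4681 for one that openssl prints as crlNumber=1249. The two openssl outputs present the value differently: -crlnumber prints hex and the -text block prints decimal, which is why the test results on this bug list both forms.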

Activities

wytze

2018-04-17 15:36

developer   ~0005584

This can be tested with the signer installed on test.cacert.org.

GuKKDevel

2018-05-29 09:57

updater   ~0005591

As the revoke request only uses one config file per root cert for creating the CRL, only those two have to be changed.

GuKKDevel

2018-05-29 10:02

updater   ~0005592

Also, in each cert directory (/etc/ssl/CA and /etc/ssl/class3) a file named crlnumber must be created containing a four-digit number (echo 1000 > crlnumber).

diff-openssl (588 bytes)
--- openssl-client.cnf.old2	2018-05-28 11:05:32.472380875 +0200
+++ openssl-client.cnf	2018-05-29 11:41:33.863749235 +0200
@@ -31,6 +31,7 @@
 dir             = /etc/ssl/CA           # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 
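Review bot: the new crlnumber = $dir/crlnumber line points at /etc/ssl/CA/crlnumber, but this diff does not create that file, and openssl ca -gencrl needs it to exist with an initial value (notes ~0005592 and ~0005600 on this bug say the same). Ship the file together with the config change, and make sure the signer user can write to the CA directory: openssl ca reads the current number from crlnumber and writes the incremented value back (rotating the previous one to crlnumber.old) after every CRL, so a read-only file breaks CRL generation after this change rather than silently leaving the extension out.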
diff-class3 (586 bytes)
--- class3-client.cnf.old2	2018-05-28 11:05:32.188380035 +0200
+++ class3-client.cnf	2018-05-29 11:44:27.252254679 +0200
@@ -31,6 +31,7 @@
 dir             = /etc/ssl/class3       # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 
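Review bot: same gap as in the CA config, /etc/ssl/class3/crlnumber must be created alongside this line or the class3 CRL cannot be generated. Keeping a separate counter per issuer directory is right: RFC 5280 section 5.2.3 scopes the CRL Number to one CRL issuer, so class3-revoke.crl and revoke.crl do not need a shared sequence, each only has to increase monotonically on its own.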

dastrath

2018-06-06 09:29

administrator   ~0005593

Expected test is not possible as test.cacert.org will redirect the CRL-download to Live-System.

Test is only possible by accessing the test-server directly to get the CRLs for our test-environment.

As this is not possible for testers, I added the created CRLs for today (2018-06-06) to this bug, so a tester may check the existence of the missing CRLNumber.

In the coming days I'll add another CRL set so a tester can run their tests.

revoke.crl (332,445 bytes)
class3-revoke.crl (331,946 bytes)

GuKKDevel

2018-06-06 10:51

updater   ~0005596

tested: revoke.crl -> crlNumber=1249 (hex) -> X509v3 CRL Number: 4681 (dec)
tested: class3-revoke.crl -> crlNumber=010008 (hex) -> X509v3 CRL Number: 65544 (dec)

looks ok to me

testresult (958 bytes)
$ openssl crl -in test/revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=1249
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  6 00:04:27 2018 GMT
        Next Update: Jun 13 00:04:27 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                4681


$ openssl crl -in test/class3-revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=010008
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  6 00:04:29 2018 GMT
        Next Update: Jun 13 00:04:29 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                65544

dastrath

2018-06-07 21:03

administrator   ~0005598

Second set of CRLs as of today (2018-06-07).

revoke-2.crl (332,445 bytes)
class3-revoke-2.crl (331,946 bytes)

GuKKDevel

2018-06-07 21:14

updater   ~0005599

works for these CRLs also

testresult-2 (1,820 bytes)
$ openssl crl -in test/class3-revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=010009
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  7 00:02:46 2018 GMT
        Next Update: Jun 14 00:02:46 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                65545
$ openssl crl -in test/revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=124A
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  7 00:02:44 2018 GMT
        Next Update: Jun 14 00:02:44 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                4682

Ted

2018-06-13 20:44

administrator   ~0005600

I just did some review of the proposed changes.

The modification of the config files is ok, according to OpenSSL documentation, as well as according to tests I did in another environment.

But for installation, a file containing the initial CRL number (probably 01 or 0100 or something similar) must be installed together with the change in the config file, otherwise the config option is ignored.

==> The diffs should include the "crlnumber" file with a convenient initial number

==> The current review status from me is FAILED

GuKKDevel

2018-06-13 22:10

updater  

diff-crlnumber-CA (132 bytes)
--- /dev/null   2018-06-12 13:28:15.631614377 +0200
+++ ./CA/crlnumber      2018-06-13 23:52:24.418658367 +0200
@@ -0,0 +1 @@
+1234
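Review bot: openssl ca reads this file as a hexadecimal integer, so 1234 here makes the first CRL carry CRL Number 0x1234 = 4660, not 1234; any start value is acceptable since no earlier CAcert CRL carried a number, but the value must be an even number of hex digits (a bare 1 is rejected as an odd-length string, which is why the 01 or 0100 suggested in note ~0005600 are safe), and the install step must place the file at /etc/ssl/CA/crlnumber, the path the config diff uses, not at the relative ./CA/crlnumber shown in this header.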
diff-crlnumber-class3 (132 bytes)
--- /dev/null   2018-06-12 13:28:15.631614377 +0200
+++ ./class3/crlnumber  2018-06-13 23:52:09.602614135 +0200
@@ -0,0 +1 @@
+1234
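Review bot: this file must land at /etc/ssl/class3/crlnumber (the class3 config's $dir/crlnumber), not the relative ./class3/crlnumber in the header, and it needs to be owned and writable by the signer user because openssl ca rewrites it on every run. Starting both issuers at the same 0x1234 is fine: CRL numbers are only compared within one issuer's CRL series, so the class3 counter is independent of the root counter and of the 010008/010009 values seen on the test server.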

Issue History

Date Modified Username Field Change
2018-04-17 15:24 wytze New Issue
2018-04-17 15:24 wytze Tag Attached: certificates
2018-04-17 15:33 wytze Status new => confirmed
2018-04-17 15:36 wytze Status confirmed => needs work
2018-04-17 15:36 wytze Note Added: 0005584
2018-05-01 12:42 dastrath Assigned To => GuKKDevel
2018-05-29 09:57 GuKKDevel Status needs work => fix available
2018-05-29 09:57 GuKKDevel Note Added: 0005591
2018-05-29 10:02 GuKKDevel File Added: diff-openssl
2018-05-29 10:02 GuKKDevel File Added: diff-class3
2018-05-29 10:02 GuKKDevel Note Added: 0005592
2018-06-03 15:21 GuKKDevel Status fix available => needs review & testing
2018-06-06 09:29 dastrath File Added: revoke.crl
2018-06-06 09:29 dastrath File Added: class3-revoke.crl
2018-06-06 09:29 dastrath Note Added: 0005593
2018-06-06 10:51 GuKKDevel File Added: testresult
2018-06-06 10:51 GuKKDevel Note Added: 0005596
2018-06-07 21:03 dastrath File Added: revoke-2.crl
2018-06-07 21:03 dastrath File Added: class3-revoke-2.crl
2018-06-07 21:03 dastrath Note Added: 0005598
2018-06-07 21:14 GuKKDevel File Added: testresult-2
2018-06-07 21:14 GuKKDevel Note Added: 0005599
2018-06-13 20:44 Ted Note Added: 0005600
2018-06-13 22:10 GuKKDevel File Added: diff-crlnumber-CA
2018-06-13 22:10 GuKKDevel File Added: diff-crlnumber-class3