View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001438 | Main CAcert Website | certificate issuing | public | 2018-04-17 15:24 | 2021-04-25 11:15 |
Reporter | wytze | Assigned To | egal | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | solved? | Resolution | fixed | ||
Platform | Default | OS | any | OS Version | any |
Product Version | 2017 Q4 | ||||
Target Version | 2017 Q4 | ||||
Summary: 0001438: CRLs published by CAcert do not contain the field "CRL number"

Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018: the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number". Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.

Steps To Reproduce:

```
$ wget http://crl.cacert.org/revoke.crl
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head
```

Something like this will appear:

```
crlNumber=<NONE>
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr  1 14:25:08 2003 GMT
```

The crlNumber=<NONE> shows the problem.

Additional Information: According to RFC 5280 (May 2008), section 5.2: "Conforming CRL issuers are REQUIRED to include the authority key identifier (Section 5.2.1) and the CRL number (Section 5.2.3) extensions in all CRLs issued." The same requirement was already present in the predecessor of this RFC, RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer. This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file; see the documentation for 'openssl ca'.

Tags: certificates
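Added example, not CAcert signer code and not part of this bug report: a pure-Python DER walker that reports what `openssl crl -crlnumber` reports, namely whether a DER CRL carries the RFC 5280 CRL Number extension (OID 2.5.29.20), and additionally checks that the number increased relative to the last CRL seen. The sample CRLs are constructed inside the block with a small DER encoder and carry a dummy signature, so the check covers only the extension, not signature validity; the names `build_sample_crl`, `check_crl` and `crl_number` are mine.

```python
"""Check a DER-encoded X.509 CRL for the RFC 5280 CRL Number extension.

Added example for this bug, not CAcert signer code: a minimal DER walker
(no third-party modules) that mirrors what 'openssl crl -crlnumber' reports,
plus a monotonicity check against the previously seen CRL number.
The sample CRLs built below are constructed and carry a dummy signature.
"""

CRL_NUMBER_OID = "2.5.29.20"            # id-ce-cRLNumber (RFC 5280, 5.2.3)
SHA512_RSA_OID = "1.2.840.113549.1.1.13"


# ---- tiny DER decoder -------------------------------------------------------

def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, pos = data[pos], pos + 1
    length, pos = data[pos], pos + 1
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    parts = [str(value[0] // 40), str(value[0] % 40)]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def crl_number(crl_der):
    """Return the CRL Number as an int, or None when the extension is absent."""
    _, cert_list, _ = _read_tlv(crl_der, 0)        # CertificateList SEQUENCE
    tbs = _children(cert_list)[0][1]               # TBSCertList content
    for tag, val in _children(tbs):
        if tag != 0xA0:                            # crlExtensions is [0] EXPLICIT
            continue
        for _, ext in _children(_children(val)[0][1]):
            fields = _children(ext)                # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) == CRL_NUMBER_OID:
                _, num, _ = _read_tlv(fields[-1][1], 0)   # OCTET STRING wraps INTEGER
                return int.from_bytes(num, "big", signed=True)
    return None


def check_crl(crl_der, last_seen=None):
    """Classify a CRL: ('missing', None), ('ok', n) or ('not-increasing', n)."""
    n = crl_number(crl_der)
    if n is None:
        return "missing", None
    if last_seen is not None and n <= last_seen:
        return "not-increasing", n
    return "ok", n


# ---- tiny DER encoder, only used to construct the sample CRLs ----------------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))


def _encode_int(n):
    # (bit_length + 8) // 8 leaves room for the sign bit, as DER requires
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_sample_crl(crl_no=None):
    """Construct a demo CRL (constructed values, dummy signature, not a real CA).

    crl_no=None omits the CRL Number extension, as in the CAcert CRL reported
    in this bug; an int adds the extension with that value.
    """
    alg = _tlv(0x30, _encode_oid(SHA512_RSA_OID) + b"\x05\x00")
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid("2.5.4.10")
                                        + _tlv(0x0C, b"Example CRL Issuer"))))
    this_update = _tlv(0x17, b"180606000427Z")     # UTCTime, Jun 6 2018
    next_update = _tlv(0x17, b"180613000427Z")
    revoked = _tlv(0x30, _tlv(0x30, _encode_int(11) + _tlv(0x17, b"030401142508Z")))
    tbs = _encode_int(1) + alg + issuer + this_update + next_update + revoked
    if crl_no is not None:
        ext = _tlv(0x30, _encode_oid(CRL_NUMBER_OID) + _tlv(0x04, _encode_int(crl_no)))
        tbs += _tlv(0xA0, _tlv(0x30, ext))
    signature = _tlv(0x03, b"\x00" * 17)           # BIT STRING placeholder, unsigned
    return _tlv(0x30, _tlv(0x30, tbs) + alg + signature)


if __name__ == "__main__":
    for label, der, seen in (("unnumbered", build_sample_crl(), None),
                             ("numbered", build_sample_crl(4681), None),
                             ("re-seeded", build_sample_crl(4096), 4681)):
        print(label, check_crl(der, seen))
```

The `last_seen` argument is the part a monitoring job would keep between runs: a CRL whose number is not above the previous one is as much a finding as a CRL with no number at all, because RFC 5280 requires CRL numbers to increase monotonically and that is what relying parties use to tell a fresh CRL from a stale one.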
Attached Files | diff-crlnumber-CA (132 bytes)
--- /dev/null 2018-06-12 13:28:15.631614377 +0200 +++ ./CA/crlnumber 2018-06-13 23:52:24.418658367 +0200 @@ -0,0 +1 @@ +1234 diff-crlnumber-class3 (132 bytes)
--- /dev/null 2018-06-12 13:28:15.631614377 +0200 +++ ./class3/crlnumber 2018-06-13 23:52:09.602614135 +0200 @@ -0,0 +1 @@ +1234 | ||||
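Review bot: the initial value written to both new crlnumber files is 1234, while the accompanying note says `echo 1000 > crlnumber` and the later diff_Old_New attachment seeds the files with 1000; pick one starting value and use it in the patch and the instructions alike, so that the file deployed is the one that was reviewed. `openssl ca` reads this file as a hexadecimal counter and rewrites it after every `-gencrl`, so the signer process needs write access to it, not just to the config file.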
Reviewed by | egal, Ted | ||||
Test Instructions | See Steps To Reproduce | ||||
|
This can be tested with the signer installed on test.cacert.org. |
|
As the revoke request only uses one config file for each root cert for creating the CRL, only those two have to be changed. |
|
Also, in each cert directory (/etc/ssl/CA and /etc/ssl/class3) a file named crlnumber must be created containing a four-digit number (echo 1000 > crlnumber).

diff-openssl (588 bytes)
--- openssl-client.cnf.old2 2018-05-28 11:05:32.472380875 +0200 +++ openssl-client.cnf 2018-05-29 11:41:33.863749235 +0200 @@ -31,6 +31,7 @@ dir = /etc/ssl/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. diff-class3 (586 bytes)
--- class3-client.cnf.old2 2018-05-28 11:05:32.188380035 +0200 +++ class3-client.cnf 2018-05-29 11:44:27.252254679 +0200 @@ -31,6 +31,7 @@ dir = /etc/ssl/class3 # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. |
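Review bot: both hunks add `crlnumber = $dir/crlnumber` but neither patch creates that file; the note above leaves creation to a manual `echo 1000 > crlnumber` in /etc/ssl/CA and /etc/ssl/class3, so a deployment that applies only these two diffs still yields CRLs without a CRL Number. Ship the two crlnumber files as part of the same change set (the later attachments do this). The `(bug-1438)` marker on the added line is a useful breadcrumb for anyone reading the config later; keep it.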
|
The expected test is not possible, as test.cacert.org redirects the CRL download to the live system. Testing is only possible by accessing the test server directly to get the CRLs for our test environment. As this is not possible for testers, I added the CRLs created today (2018-06-06) to this bug, so a tester may check the existence of the previously missing CRL number. In the next days I'll add another CRL set so a tester can run their tests. |
|
tested: revoke.crl -> crlNumber=1249 (hex) -> X509v3 CRL Number: 4681 (dec)
tested: class3-revoke.crl -> crlNumber=010008 (hex) -> X509v3 CRL Number: 65544 (dec)
looks ok to me

testresult (958 bytes)

```
$ openssl crl -in test/revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=1249
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  6 00:04:27 2018 GMT
        Next Update: Jun 13 00:04:27 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                4681
$ openssl crl -in test/class3-revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=010008
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  6 00:04:29 2018 GMT
        Next Update: Jun 13 00:04:29 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                65544
```
|
Second set of CRLs as of today (2018-06-07). |
|
Works for these CRLs also.

testresult-2 (1,820 bytes)

```
$ openssl crl -in test/class3-revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=010009
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  7 00:02:46 2018 GMT
        Next Update: Jun 14 00:02:46 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                65545
$ openssl crl -in test/revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=124A
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  7 00:02:44 2018 GMT
        Next Update: Jun 14 00:02:44 2018 GMT
        CRL extensions:
            X509v3 CRL Number:
                4682
```
|
I just did some review of the proposed changes. The modification of the config files is ok, according to OpenSSL documentation, as well as according to tests I did in another environment. But for installation, a file containing the initial CRL number (probably 01 or 0100 or something similar) must be installed together with the change in the config file, otherwise the config option is ignored.
==> The diffs should include the "crlnumber" file with a convenient initial number
==> The current review status from me is FAILED |
|
I modified the openssl config files for all client certificates, so the test server is the CRL Distribution Point. Sadly, for server certificates the CRL Distribution Point is hardcoded in server.pl, and I don't want to change that without urgent need. |
|
As stated in https://bugs.cacert.org/view.php?id=1438#c5591, while revoking only two of the configuration files are used (openssl-client.cnf and class3-client.cnf). Therefore, for this issue only those two had to be changed. Also the necessary file crlnumber had to be added in the corresponding subdirectories.
Attached diff: diff_Old-New
Check whether production and test are congruent: diff_Old-Prod_Old-Test and diff_New-Prod_New-Test

diff_Old_New (3,820 bytes)
diff -turNs ConfigsOld/ConfigsProd/CA/crlnumber ConfigsNew/ConfigsProd/CA/crlnumber --- ConfigsOld/ConfigsProd/CA/crlnumber 1970-01-01 01:00:00.000000000 +0100 +++ ConfigsNew/ConfigsProd/CA/crlnumber 2018-11-09 12:22:59.000000000 +0100 @@ -0,0 +1 @@ +1000 diff -turNs ConfigsOld/ConfigsProd/class3/crlnumber ConfigsNew/ConfigsProd/class3/crlnumber --- ConfigsOld/ConfigsProd/class3/crlnumber 1970-01-01 01:00:00.000000000 +0100 +++ ConfigsNew/ConfigsProd/class3/crlnumber 2018-11-09 12:22:59.000000000 +0100 @@ -0,0 +1 @@ +1000 diff -turNs ConfigsOld/ConfigsProd/class3-client.cnf ConfigsNew/ConfigsProd/class3-client.cnf --- ConfigsOld/ConfigsProd/class3-client.cnf 2018-11-09 13:55:37.000000000 +0100 +++ ConfigsNew/ConfigsProd/class3-client.cnf 2018-11-10 13:04:51.777228727 +0100 @@ -36,6 +36,7 @@ certificate = $dir/cacert.crt # The CA certificate serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) crl = $dir/crl.pem # The current CRL private_key = $dir/cacert.pem # The private key RANDFILE = $dir/private/.rand # private random number file diff -turNs ConfigsOld/ConfigsProd/openssl-client.cnf ConfigsNew/ConfigsProd/openssl-client.cnf --- ConfigsOld/ConfigsProd/openssl-client.cnf 2018-11-09 14:01:39.000000000 +0100 +++ ConfigsNew/ConfigsProd/openssl-client.cnf 2018-11-10 13:05:11.709286010 +0100 @@ -36,6 +36,7 @@ certificate = $dir/cacert.crt # The CA certificate serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) crl = $dir/crl.pem # The current CRL private_key = $dir/cacert.pem # The private key RANDFILE = $dir/private/.rand # private random number file diff -turNs ConfigsOld/ConfigsTest/CA/crlnumber ConfigsNew/ConfigsTest/CA/crlnumber --- ConfigsOld/ConfigsTest/CA/crlnumber 1970-01-01 01:00:00.000000000 +0100 +++ ConfigsNew/ConfigsTest/CA/crlnumber 2018-11-09 12:22:59.000000000 +0100 
@@ -0,0 +1 @@ +1000 diff -turNs ConfigsOld/ConfigsTest/class3/crlnumber ConfigsNew/ConfigsTest/class3/crlnumber --- ConfigsOld/ConfigsTest/class3/crlnumber 1970-01-01 01:00:00.000000000 +0100 +++ ConfigsNew/ConfigsTest/class3/crlnumber 2018-11-09 12:22:59.000000000 +0100 @@ -0,0 +1 @@ +1000 diff -turNs ConfigsOld/ConfigsTest/class3-client.cnf ConfigsNew/ConfigsTest/class3-client.cnf --- ConfigsOld/ConfigsTest/class3-client.cnf 2018-11-09 12:02:01.000000000 +0100 +++ ConfigsNew/ConfigsTest/class3-client.cnf 2018-11-10 13:08:24.413839820 +0100 @@ -36,6 +36,7 @@ certificate = $dir/cacert.crt # The CA certificate serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) crl = $dir/crl.pem # The current CRL private_key = $dir/cacert.pem # The private key RANDFILE = $dir/private/.rand # private random number file diff -turNs ConfigsOld/ConfigsTest/openssl-client.cnf ConfigsNew/ConfigsTest/openssl-client.cnf --- ConfigsOld/ConfigsTest/openssl-client.cnf 2018-11-09 12:02:20.000000000 +0100 +++ ConfigsNew/ConfigsTest/openssl-client.cnf 2018-11-10 13:08:45.029899069 +0100 @@ -36,6 +36,7 @@ certificate = $dir/cacert.crt # The CA certificate serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # Where the current CRL-number is stored (bug-1438) crl = $dir/crl.pem # The current CRL private_key = $dir/cacert.pem # The private key RANDFILE = $dir/private/.rand # private random number file diff_Old-Prod_Old-Test (2,686 bytes)
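Review bot: the ConfigsTest hunks seed both crlnumber files with 1000, but the CRLs already produced on the test signer carry CRL Number 4681 (0x1249) and 65544 (0x010008) per the attached test results, so installing these files on the test system would make the next CRL numbers go backwards; RFC 5280 section 5.2.3 requires the number to increase monotonically, and a relying party that remembers the last number it saw would treat the newer CRL as stale. Seed the test-side files above the current test counters (or leave the existing test crlnumber files untouched) and apply 1000 on production only, where no numbered CRL has been issued yet. The four config hunks are consistent with each other and place the new key next to `serial`, which is the conventional spot.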
diff -turNs ConfigsOld/ConfigsProd/class3-client.cnf ConfigsOld/ConfigsTest/class3-client.cnf --- ConfigsOld/ConfigsProd/class3-client.cnf 2018-11-09 13:55:37.000000000 +0100 +++ ConfigsOld/ConfigsTest/class3-client.cnf 2018-11-09 12:02:01.000000000 +0100 @@ -48,7 +48,7 @@ default_days = 200 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha512 # which md to use. +default_md = sha512 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -146,7 +146,7 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-class3-revoke.crl subjectAltName = email:copy @@ -158,7 +158,7 @@ [ v3_ca ] basicConstraints = CA:false -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-class3-revoke.crl [ crl_ext ] diff -turNs ConfigsOld/ConfigsProd/openssl-client.cnf ConfigsOld/ConfigsTest/openssl-client.cnf --- ConfigsOld/ConfigsProd/openssl-client.cnf 2018-11-09 14:01:39.000000000 +0100 +++ ConfigsOld/ConfigsTest/openssl-client.cnf 2018-11-09 12:02:20.000000000 +0100 @@ -48,7 +48,7 @@ default_days = 200 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha512 # which md to use. +default_md = sha512 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look 
@@ -146,7 +146,7 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-revoke.crl subjectAltName = email:copy @@ -158,7 +158,6 @@ [ v3_ca ] basicConstraints = CA:false -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-revoke.crl [ crl_ext ] - diff_New-Prod_New-Test (2,894 bytes)
Dateien ConfigsNew/ConfigsProd/CA/crlnumber und ConfigsNew/ConfigsTest/CA/crlnumber sind identisch. Dateien ConfigsNew/ConfigsProd/class3/crlnumber und ConfigsNew/ConfigsTest/class3/crlnumber sind identisch. diff -turNs ConfigsNew/ConfigsProd/class3-client.cnf ConfigsNew/ConfigsTest/class3-client.cnf --- ConfigsNew/ConfigsProd/class3-client.cnf 2018-11-10 13:04:51.777228727 +0100 +++ ConfigsNew/ConfigsTest/class3-client.cnf 2018-11-10 13:08:24.413839820 +0100 @@ -49,7 +49,7 @@ default_days = 200 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha512 # which md to use. +default_md = sha512 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look @@ -147,7 +147,7 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://crl.cacert.org/class3-revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-class3-revoke.crl subjectAltName = email:copy @@ -159,7 +159,7 @@ [ v3_ca ] basicConstraints = CA:false -crlDistributionPoints = URI:http://www.CAcert.org/class3-revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-class3-revoke.crl [ crl_ext ] diff -turNs ConfigsNew/ConfigsProd/openssl-client.cnf ConfigsNew/ConfigsTest/openssl-client.cnf --- ConfigsNew/ConfigsProd/openssl-client.cnf 2018-11-10 13:05:11.709286010 +0100 +++ ConfigsNew/ConfigsTest/openssl-client.cnf 2018-11-10 13:08:45.029899069 +0100 @@ -49,7 +49,7 @@ default_days = 200 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha512 # which md to use. +default_md = sha512 # which md to use. preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look 
@@ -147,7 +147,7 @@ keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement extendedKeyUsage = emailProtection, clientAuth, msEFS, msSGC, nsSGC authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org -crlDistributionPoints = URI:http://crl.cacert.org/revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-revoke.crl subjectAltName = email:copy @@ -159,7 +159,6 @@ [ v3_ca ] basicConstraints = CA:false -crlDistributionPoints = URI:http://www.CAcert.org/revoke.crl +crlDistributionPoints = URI:http://test.cacert.org/test-revoke.crl [ crl_ext ] - |
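Review bot: the two congruence diffs show only the differences that are meant to exist between production and test (whitespace on the `default_md` line, and `crlDistributionPoints` pointing at test.cacert.org instead of crl.cacert.org or www.CAcert.org), and report the new crlnumber files as identical, so the crlnumber change set is the same on both sides. One thing visible here that is unrelated to this bug: the production `[ v3_ca ]` sections still reference `http://www.CAcert.org/revoke.crl` and `http://www.CAcert.org/class3-revoke.crl` while the client section uses the crl.cacert.org host; that inconsistency belongs in a separate ticket.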
|
Hmm, the code in server.pl does not restrict revocations to those two specific configurations, but client.pl only requests those two. I'm tending towards making all configurations fit for use in revocation, just to be on the safe side, but I'm not really decided yet... |
|
Reviewed the configuration change successfully: I don't have any objection to adding these parameters to the signer configuration for the two (or all) used root certificates. |
|
I reviewed diff_Old_New once more, and now it is a PASS from me. |
|
Patch installed on signer, new CRLs now contain a serial number |
Date Modified | Username | Field | Change |
---|---|---|---|
2018-04-17 15:24 | wytze | New Issue | |
2018-04-17 15:24 | wytze | Tag Attached: certificates | |
2018-04-17 15:33 | wytze | Status | new => confirmed |
2018-04-17 15:36 | wytze | Status | confirmed => needs work |
2018-04-17 15:36 | wytze | Note Added: 0005584 | |
2018-05-01 12:42 | egal | Assigned To | => GuKKDevel |
2018-05-29 09:57 | GuKKDevel | Status | needs work => fix available |
2018-05-29 09:57 | GuKKDevel | Note Added: 0005591 | |
2018-05-29 10:02 | GuKKDevel | File Added: diff-openssl | |
2018-05-29 10:02 | GuKKDevel | File Added: diff-class3 | |
2018-05-29 10:02 | GuKKDevel | Note Added: 0005592 | |
2018-06-03 15:21 | GuKKDevel | Status | fix available => needs review & testing |
2018-06-06 09:29 | egal | File Added: revoke.crl | |
2018-06-06 09:29 | egal | File Added: class3-revoke.crl | |
2018-06-06 09:29 | egal | Note Added: 0005593 | |
2018-06-06 10:51 | GuKKDevel | File Added: testresult | |
2018-06-06 10:51 | GuKKDevel | Note Added: 0005596 | |
2018-06-07 21:03 | egal | File Added: revoke-2.crl | |
2018-06-07 21:03 | egal | File Added: class3-revoke-2.crl | |
2018-06-07 21:03 | egal | Note Added: 0005598 | |
2018-06-07 21:14 | GuKKDevel | File Added: testresult-2 | |
2018-06-07 21:14 | GuKKDevel | Note Added: 0005599 | |
2018-06-13 20:44 | Ted | Note Added: 0005600 | |
2018-06-13 22:10 | GuKKDevel | File Added: diff-crlnumber-CA | |
2018-06-13 22:10 | GuKKDevel | File Added: diff-crlnumber-class3 | |
2018-11-05 21:53 | Ted | Note Added: 0005655 | |
2018-11-10 12:40 | GuKKDevel | File Added: diff_Old_New | |
2018-11-10 12:40 | GuKKDevel | File Added: diff_Old-Prod_Old-Test | |
2018-11-10 12:40 | GuKKDevel | File Added: diff_New-Prod_New-Test | |
2018-11-10 12:40 | GuKKDevel | Note Added: 0005661 | |
2018-11-12 19:43 | Ted | Note Added: 0005664 | |
2021-04-05 17:55 | egal | Reviewed by | => egal |
2021-04-05 17:55 | egal | Note Added: 0005975 | |
2021-04-05 17:55 | egal | Assigned To | GuKKDevel => Ted |
2021-04-05 17:55 | egal | Status | needs review & testing => needs review |
2021-04-11 12:57 | Ted | Status | needs review => ready to deploy |
2021-04-11 12:57 | Ted | Note Added: 0005977 | |
2021-04-11 12:57 | Ted | Reviewed by | egal => egal, Ted |
2021-04-11 12:57 | Ted | Assigned To | Ted => egal |
2021-04-25 11:13 | egal | Note Added: 0005987 | |
2021-04-25 11:15 | egal | Status | ready to deploy => solved? |
2021-04-25 11:15 | egal | Resolution | open => fixed |