View Issue Details

ID: 0001438
Project: Main CAcert Website
Category: certificate issuing
View Status: public
Last Update: 2021-04-25 11:15
Reporter: wytze
Assigned To: egal
Priority: normal
Severity: minor
Reproducibility: always
Status: solved?
Resolution: fixed
Platform: Default
OS: any
OS Version: any
Product Version: 2017 Q4
Target Version: 2017 Q4
Summary: 0001438: CRLs published by CAcert do not contain the field "CRL number"
Description: EBS EDI-Support <EDI-Support@eon.com> reported on April 16, 2018:

the CRL which you are publishing at URL "http://crl.cacert.org/revoke.crl" is missing the field "CRL number".
Therefore some applications might not validate the CRL correctly. Please add this field to the CRL. Thank you.
Steps To Reproduce:
$ wget http://crl.cacert.org/revoke.crl
$ openssl crl -in revoke.crl -inform der -noout -text -crlnumber | head

Something like this will appear:
crlNumber=<NONE>
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Last Update: Apr 17 14:28:54 2018 GMT
        Next Update: Apr 24 14:28:54 2018 GMT
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Apr 1 14:25:08 2003 GMT

The crlNumber=<NONE> shows the problem.
Additional Information:
According to RFC 5280 (May 2008), section 5.2:
   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

The same requirement was already present in the predecessor of this RFC, namely RFC 3280 from April 2002, so it is somewhat surprising that this was never implemented in the CAcert signer.

This can be fixed by adding the crlnumber field to the openssl profile used on the CAcert signer for generating CRLs. The openssl software used for this is capable of maintaining a serial number per CRL in a separate text file, see the documentation for 'openssl ca'.
Tags: certificates
Reviewed by: egal, Ted
Test Instructions: See Steps To Reproduce
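The reproduction in Steps To Reproduce and the fix sketched under Additional Information, as an added shell example that is not part of this bug report or of the CAcert signer code. It builds a throwaway CA under ./demo-ca (a constructed path), issues one CRL from a profile without a `crlnumber` key and then two from the fixed profile, and reads the CRL Number back with `openssl crl -crlnumber` the way the report does. The profile layout, the directory names and the `1000` seed are assumptions made for the demo; the `openssl` binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the CAcert bug report or signer.
# Reproduces "crlNumber=<NONE>" with a throwaway CA, then applies the fix from
# the thread: add `crlnumber` to the `openssl ca` profile AND seed the counter.
# Assumes `openssl` on PATH; DEMO_DIR and the profile layout are constructed.
set -eu

DEMO_DIR="${DEMO_DIR:-./demo-ca}"

# Write an `openssl ca` profile. $1 = "no" for the original layout (no crlnumber
# key, as on the signer before the fix) or "yes" for the fixed layout.
# Prints the profile path.
write_profile() {
    cfg="$DEMO_DIR/profile-$1.cnf"
    cat > "$cfg" <<EOF
[ req ]
prompt              = no
distinguished_name  = req_dn

[ req_dn ]
O   = Example Demo CA
CN  = Demo CRL Issuer

[ policy_any ]
commonName          = supplied

[ ca ]
default_ca          = CA_default

[ CA_default ]
dir                 = $DEMO_DIR
database            = \$dir/index.txt
new_certs_dir       = \$dir/newcerts
serial              = \$dir/serial
certificate         = \$dir/ca.crt
private_key         = \$dir/ca.key
default_md          = sha256
default_crl_days    = 7
policy              = policy_any
EOF
    # The one-line change from the bug's diffs; the file it names must exist.
    if [ "$1" = "yes" ]; then
        echo "crlnumber           = \$dir/crlnumber   # current CRL number (hex)" >> "$cfg"
    fi
    echo "$cfg"
}

# Create the throwaway CA: empty index, serial file, self-signed issuer cert.
make_demo_ca() {
    rm -rf "$DEMO_DIR"
    mkdir -p "$DEMO_DIR/newcerts"
    : > "$DEMO_DIR/index.txt"
    echo 01 > "$DEMO_DIR/serial"
    # -nodes keeps the key unencrypted so `openssl ca` needs no passphrase.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$(write_profile no)" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
}

# Issue a CRL with the given profile.  $1 = profile path, $2 = output (PEM).
issue_crl() {
    openssl ca -config "$1" -gencrl -out "$2" 2>/dev/null
}

# CRL Number as hex, what `openssl crl -crlnumber` prints in the bug report
# ("<NONE>" when the extension is absent; newer openssl adds a 0x prefix,
# which is stripped here).  $1 = CRL file.
crl_number_hex() {
    openssl crl -in "$1" -noout -crlnumber | sed 's/^crlNumber=//; s/^0x//'
}

# Same value in decimal, as `openssl crl -text` shows it.
crl_number_dec() {
    hex=$(crl_number_hex "$1")
    if [ "$hex" = "<NONE>" ]; then echo "<NONE>"; else echo $((0x$hex)); fi
}

demo() {
    make_demo_ca
    # Before the fix: profile without crlnumber -> no CRL Number extension.
    issue_crl "$(write_profile no)" "$DEMO_DIR/before.crl"
    echo "before: crlNumber=$(crl_number_hex "$DEMO_DIR/before.crl")"
    # The fix: add the key AND seed the counter file.  The content is hex with
    # an even number of digits, so `echo 1000` starts at 0x1000 = 4096.
    echo 1000 > "$DEMO_DIR/crlnumber"
    issue_crl "$(write_profile yes)" "$DEMO_DIR/after-1.crl"
    issue_crl "$(write_profile yes)" "$DEMO_DIR/after-2.crl"
    for f in after-1 after-2; do
        echo "$f: crlNumber=$(crl_number_hex "$DEMO_DIR/$f.crl") ($(crl_number_dec "$DEMO_DIR/$f.crl") dec)"
    done
    # openssl ca rewrote the counter for the next run:
    echo "next: $(cat "$DEMO_DIR/crlnumber")"
}

demo
```

Running it prints `crlNumber=<NONE>` for the first CRL and `1000` then `1001` (4096 and 4097 decimal) for the two issued after the fix. Note that `openssl ca` interprets the counter file as hex and rewrites it after every run, which is why the fix is the config key plus the seed file, never the key alone.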

Activities

wytze

2018-04-17 15:36

developer   ~0005584

This can be tested with the signer installed on test.cacert.org.

GuKKDevel

2018-05-29 09:57

updater   ~0005591

As the revoke request only uses one config file for each root cert for creating the CRL, only those two have to be changed.
 

GuKKDevel

2018-05-29 10:02

updater   ~0005592

Also, in each cert directory (/etc/ssl/CA and /etc/ssl/class3) a file named crlnumber must be created containing a four-digit number (echo 1000 > crlnumber).
diff-openssl (588 bytes)   
--- openssl-client.cnf.old2	2018-05-28 11:05:32.472380875 +0200
+++ openssl-client.cnf	2018-05-29 11:41:33.863749235 +0200
@@ -31,6 +31,7 @@
 dir             = /etc/ssl/CA           # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 
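Review bot: the hunk adds only the `crlnumber = $dir/crlnumber` key, but `openssl ca -gencrl` loads that file before signing and aborts with an error loading the CRL number if /etc/ssl/CA/crlnumber does not exist, so the seed file has to be installed in the same change. Also document that the file holds hex: the `echo 1000 > crlnumber` in the accompanying note starts the sequence at 0x1000 = 4096, and the value must have an even number of hex digits.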
diff-class3 (586 bytes)   
--- class3-client.cnf.old2	2018-05-28 11:05:32.188380035 +0200
+++ class3-client.cnf	2018-05-29 11:44:27.252254679 +0200
@@ -31,6 +31,7 @@
 dir             = /etc/ssl/class3       # Where everything is kept
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 database        = $dir/index.txt        # database index file.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 
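Review bot: the class3 profile needs its own /etc/ssl/class3/crlnumber file with an even-length hex seed before the next `openssl ca -gencrl` run, and the two counters must stay separate since CRL numbers are scoped to the issuing CA. Style: `crlnumber` is the sibling of `serial` (the other counter file openssl rewrites after each run), so placing it next to `serial` rather than among the directory keys would make that relationship obvious.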

egal

2018-06-06 09:29

administrator   ~0005593

The expected test is not possible, as test.cacert.org redirects the CRL download to the live system.

Test is only possible by accessing the test-server directly to get the CRLs for our test-environment.

As this is not possible for testers, I added the created CRLs for today (2018-06-06) to this bug, so a tester may check the existence of the missing CRLNumber.

In the next days I'll add another CRL-set so a tester can run its tests.
revoke.crl (332,445 bytes)
class3-revoke.crl (331,946 bytes)

GuKKDevel

2018-06-06 10:51

updater   ~0005596

tested: revoke.crl -> crlNumber=1249 (hex) -> X509v3 CRL Number: 4681 (dec)
tested: class3-revoke.crl -> crlNumber=010008 (hex) -> X509v3 CRL Number: 65544 (dec)

looks ok to me
testresult (958 bytes)   
$ openssl crl -in test/revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=1249
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  6 00:04:27 2018 GMT
        Next Update: Jun 13 00:04:27 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                4681


$ openssl crl -in test/class3-revoke.crl -inform der -noout -text -crlnumber | head
crlNumber=010008
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  6 00:04:29 2018 GMT
        Next Update: Jun 13 00:04:29 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                65544

egal

2018-06-07 21:03

administrator   ~0005598

Second set of CRLs as of today (2018-06-07).
revoke-2.crl (332,445 bytes)
class3-revoke-2.crl (331,946 bytes)

GuKKDevel

2018-06-07 21:14

updater   ~0005599

works for these CRLs also
testresult-2 (1,820 bytes)   
$ openssl crl -in test/class3-revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=010009
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /O=CAcert Testsever/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Class 3
        Last Update: Jun  7 00:02:46 2018 GMT
        Next Update: Jun 14 00:02:46 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                65545
$ openssl crl -in test/revoke-2.crl -inform der -noout -text -crlnumber | head
crlNumber=124A
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: /C=AU/ST=New South Wales/O=CAcert Testserver/OU=http://cacert1.it-sls.de/CN=CAcert Testserver Root
        Last Update: Jun  7 00:02:44 2018 GMT
        Next Update: Jun 14 00:02:44 2018 GMT
        CRL extensions:
            X509v3 CRL Number: 
                4682

Ted

2018-06-13 20:44

administrator   ~0005600

I just did some review of the proposed changes.

The modification of the config files is ok, according to OpenSSL documentation, as well as according to tests I did in another environment.

But for installation, a file containing the initial CRL number (probably 01 or 0100 or something similar) must be installed together with the change in the config file, otherwise the config option is ignored.

==> The diffs should include the "crlnumber" file with a convenient initial number

==> The current review status from me is FAILED

GuKKDevel

2018-06-13 22:10

updater  

diff-crlnumber-CA (132 bytes)   
--- /dev/null   2018-06-12 13:28:15.631614377 +0200
+++ ./CA/crlnumber      2018-06-13 23:52:24.418658367 +0200
@@ -0,0 +1 @@
+1234
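Review bot: `1234` is read as hexadecimal, so the first CRL issued with this file carries CRL Number 0x1234 = 4660; note ~0005592 used `echo 1000 > crlnumber` instead, and the attachments should agree on one seed value, with the hex interpretation written down wherever the file is documented.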
diff-crlnumber-class3 (132 bytes)   
--- /dev/null   2018-06-12 13:28:15.631614377 +0200
+++ ./class3/crlnumber  2018-06-13 23:52:09.602614135 +0200
@@ -0,0 +1 @@
+1234
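Review bot: seeding class3 with 1234 (= 4660) is fine for a signer that has never issued a numbered CRL, but the test-server class3 CRLs checked in ~0005596 and ~0005599 already carry CRL Numbers 65544 and 65545, and RFC 5280 section 5.2.3 requires the number to increase monotonically per issuer. Install the file only where no counter exists yet, or seed it above the last number already published.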

Ted

2018-11-05 21:53

administrator   ~0005655

I modified the openssl config files for all client certificates, so the test server is the CRL Distribution Point.

Sadly, for server certificates the CRL Distribution Point is hardcoded in server.pl, and I don't want to change that without urgent need.

GuKKDevel

2018-11-10 12:40

updater   ~0005661

As stated in https://bugs.cacert.org/view.php?id=1438#c5591, while revoking only two of the configuration files are used (openssl-client.cnf and class3-client.cnf).
Therefore for this issue only those two were to be changed. Also the necessary file crlnumber in the corresponding subdirectories had to be added.

attached diff: diff_Old-New

Check whether production and test are congruent:
diff_Old-Prod_Old-Test and diff_New-Prod_New-Test
diff_Old_New (3,820 bytes)   
diff -turNs ConfigsOld/ConfigsProd/CA/crlnumber ConfigsNew/ConfigsProd/CA/crlnumber
--- ConfigsOld/ConfigsProd/CA/crlnumber	1970-01-01 01:00:00.000000000 +0100
+++ ConfigsNew/ConfigsProd/CA/crlnumber	2018-11-09 12:22:59.000000000 +0100
@@ -0,0 +1 @@
+1000 
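Review bot: the added line is `1000 ` with a trailing space; the counter file should hold only the hex digits and a newline so nothing depends on how the parser treats stray characters. The seed also differs from the `1234` in the diff-crlnumber-CA attachment; one value should be settled on for the patch set.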
diff -turNs ConfigsOld/ConfigsProd/class3/crlnumber ConfigsNew/ConfigsProd/class3/crlnumber
--- ConfigsOld/ConfigsProd/class3/crlnumber	1970-01-01 01:00:00.000000000 +0100
+++ ConfigsNew/ConfigsProd/class3/crlnumber	2018-11-09 12:22:59.000000000 +0100
@@ -0,0 +1 @@
+1000 
diff -turNs ConfigsOld/ConfigsProd/class3-client.cnf ConfigsNew/ConfigsProd/class3-client.cnf
--- ConfigsOld/ConfigsProd/class3-client.cnf	2018-11-09 13:55:37.000000000 +0100
+++ ConfigsNew/ConfigsProd/class3-client.cnf	2018-11-10 13:04:51.777228727 +0100
@@ -36,6 +36,7 @@
 
 certificate     = $dir/cacert.crt       # The CA certificate
 serial          = $dir/serial           # The current serial number
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/cacert.pem       # The private key
 RANDFILE        = $dir/private/.rand    # private random number file
diff -turNs ConfigsOld/ConfigsProd/openssl-client.cnf ConfigsNew/ConfigsProd/openssl-client.cnf
--- ConfigsOld/ConfigsProd/openssl-client.cnf	2018-11-09 14:01:39.000000000 +0100
+++ ConfigsNew/ConfigsProd/openssl-client.cnf	2018-11-10 13:05:11.709286010 +0100
@@ -36,6 +36,7 @@
 
 certificate     = $dir/cacert.crt       # The CA certificate
 serial          = $dir/serial           # The current serial number
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/cacert.pem       # The private key
 RANDFILE        = $dir/private/.rand    # private random number file
diff -turNs ConfigsOld/ConfigsTest/CA/crlnumber ConfigsNew/ConfigsTest/CA/crlnumber
--- ConfigsOld/ConfigsTest/CA/crlnumber	1970-01-01 01:00:00.000000000 +0100
+++ ConfigsNew/ConfigsTest/CA/crlnumber	2018-11-09 12:22:59.000000000 +0100
@@ -0,0 +1 @@
+1000 
diff -turNs ConfigsOld/ConfigsTest/class3/crlnumber ConfigsNew/ConfigsTest/class3/crlnumber
--- ConfigsOld/ConfigsTest/class3/crlnumber	1970-01-01 01:00:00.000000000 +0100
+++ ConfigsNew/ConfigsTest/class3/crlnumber	2018-11-09 12:22:59.000000000 +0100
@@ -0,0 +1 @@
+1000 
diff -turNs ConfigsOld/ConfigsTest/class3-client.cnf ConfigsNew/ConfigsTest/class3-client.cnf
--- ConfigsOld/ConfigsTest/class3-client.cnf	2018-11-09 12:02:01.000000000 +0100
+++ ConfigsNew/ConfigsTest/class3-client.cnf	2018-11-10 13:08:24.413839820 +0100
@@ -36,6 +36,7 @@
 
 certificate     = $dir/cacert.crt       # The CA certificate
 serial          = $dir/serial           # The current serial number
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/cacert.pem       # The private key
 RANDFILE        = $dir/private/.rand    # private random number file
diff -turNs ConfigsOld/ConfigsTest/openssl-client.cnf ConfigsNew/ConfigsTest/openssl-client.cnf
--- ConfigsOld/ConfigsTest/openssl-client.cnf	2018-11-09 12:02:20.000000000 +0100
+++ ConfigsNew/ConfigsTest/openssl-client.cnf	2018-11-10 13:08:45.029899069 +0100
@@ -36,6 +36,7 @@
 
 certificate     = $dir/cacert.crt       # The CA certificate
 serial          = $dir/serial           # The current serial number
+crlnumber       = $dir/crlnumber        # Where the current CRL-number is stored (bug-1438)
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/cacert.pem       # The private key
 RANDFILE        = $dir/private/.rand    # private random number file
diff_Old-Prod_Old-Test (2,686 bytes)   
diff -turNs ConfigsOld/ConfigsProd/class3-client.cnf ConfigsOld/ConfigsTest/class3-client.cnf
--- ConfigsOld/ConfigsProd/class3-client.cnf	2018-11-09 13:55:37.000000000 +0100
+++ ConfigsOld/ConfigsTest/class3-client.cnf	2018-11-09 12:02:01.000000000 +0100
@@ -48,7 +48,7 @@
 
 default_days    = 200                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
-default_md      = sha512                        # which md to use.
+default_md      = sha512                # which md to use.
 preserve        = no                    # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -146,7 +146,7 @@
 keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
 authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+crlDistributionPoints   = URI:http://test.cacert.org/test-class3-revoke.crl
 subjectAltName          = email:copy
 
 
@@ -158,7 +158,7 @@
 [ v3_ca ]
 
 basicConstraints = CA:false
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
+crlDistributionPoints           = URI:http://test.cacert.org/test-class3-revoke.crl
 
 [ crl_ext ]
 
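Review bot: the Prod/Test comparison shows the expected CDP rewrite, but it also exposes two different production hosts for one CRL in the same file: `crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl` in the client section and `URI:http://www.CAcert.org/class3-revoke.crl` under `[ v3_ca ]`. Out of scope for this bug, but worth a follow-up so relying parties are pointed at one canonical CRL location.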
diff -turNs ConfigsOld/ConfigsProd/openssl-client.cnf ConfigsOld/ConfigsTest/openssl-client.cnf
--- ConfigsOld/ConfigsProd/openssl-client.cnf	2018-11-09 14:01:39.000000000 +0100
+++ ConfigsOld/ConfigsTest/openssl-client.cnf	2018-11-09 12:02:20.000000000 +0100
@@ -48,7 +48,7 @@
 
 default_days    = 200                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
-default_md      = sha512                        # which md to use.
+default_md      = sha512                # which md to use.
 preserve        = no                    # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -146,7 +146,7 @@
 keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
 authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+crlDistributionPoints   = URI:http://test.cacert.org/test-revoke.crl
 subjectAltName          = email:copy
 
 
@@ -158,7 +158,6 @@
 [ v3_ca ]
 
 basicConstraints = CA:false
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
+crlDistributionPoints           = URI:http://test.cacert.org/test-revoke.crl
 
 [ crl_ext ]
-
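Review bot: the `-158,7 +158,6` hunk differs from its class3 counterpart only by dropping a trailing blank line after `[ crl_ext ]` in the test copy, so the remaining Prod/Test gap here is whitespace plus the same crl.cacert.org versus www.CAcert.org split for revoke.crl; nothing in it affects the CRL Number change.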
diff_New-Prod_New-Test (2,894 bytes)   
Dateien ConfigsNew/ConfigsProd/CA/crlnumber und ConfigsNew/ConfigsTest/CA/crlnumber sind identisch.
Dateien ConfigsNew/ConfigsProd/class3/crlnumber und ConfigsNew/ConfigsTest/class3/crlnumber sind identisch.
diff -turNs ConfigsNew/ConfigsProd/class3-client.cnf ConfigsNew/ConfigsTest/class3-client.cnf
--- ConfigsNew/ConfigsProd/class3-client.cnf	2018-11-10 13:04:51.777228727 +0100
+++ ConfigsNew/ConfigsTest/class3-client.cnf	2018-11-10 13:08:24.413839820 +0100
@@ -49,7 +49,7 @@
 
 default_days    = 200                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
-default_md      = sha512                        # which md to use.
+default_md      = sha512                # which md to use.
 preserve        = no                    # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -147,7 +147,7 @@
 keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
 authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints   = URI:http://crl.cacert.org/class3-revoke.crl
+crlDistributionPoints   = URI:http://test.cacert.org/test-class3-revoke.crl
 subjectAltName          = email:copy
 
 
@@ -159,7 +159,7 @@
 [ v3_ca ]
 
 basicConstraints = CA:false
-crlDistributionPoints           = URI:http://www.CAcert.org/class3-revoke.crl
+crlDistributionPoints           = URI:http://test.cacert.org/test-class3-revoke.crl
 
 [ crl_ext ]
 
diff -turNs ConfigsNew/ConfigsProd/openssl-client.cnf ConfigsNew/ConfigsTest/openssl-client.cnf
--- ConfigsNew/ConfigsProd/openssl-client.cnf	2018-11-10 13:05:11.709286010 +0100
+++ ConfigsNew/ConfigsTest/openssl-client.cnf	2018-11-10 13:08:45.029899069 +0100
@@ -49,7 +49,7 @@
 
 default_days    = 200                   # how long to certify for
 default_crl_days= 30                    # how long before next CRL
-default_md      = sha512                        # which md to use.
+default_md      = sha512                # which md to use.
 preserve        = no                    # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -147,7 +147,7 @@
 keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
 extendedKeyUsage        = emailProtection, clientAuth, msEFS, msSGC, nsSGC
 authorityInfoAccess     = OCSP;URI:http://ocsp.cacert.org
-crlDistributionPoints   = URI:http://crl.cacert.org/revoke.crl
+crlDistributionPoints   = URI:http://test.cacert.org/test-revoke.crl
 subjectAltName          = email:copy
 
 
@@ -159,7 +159,6 @@
 [ v3_ca ]
 
 basicConstraints = CA:false
-crlDistributionPoints           = URI:http://www.CAcert.org/revoke.crl
+crlDistributionPoints           = URI:http://test.cacert.org/test-revoke.crl
 
 [ crl_ext ]
-
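Review bot: the hunk headers in this New-Prod/New-Test comparison moved from 48/146/158 to 49/147/159 relative to the Old comparison, consistent with exactly one line (the `crlnumber` key) inserted in both trees; the remaining differences are unchanged, so production and test received the same change and the test server is a valid stand-in for the signer here.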

Ted

2018-11-12 19:43

administrator   ~0005664

Hmm, the code in server.pl does not restrict revocations on those two specific configurations, but client.pl does only request those two.

I'm tending towards making all configurations fit to be used for revocation, just to be on the safe side, but I'm not really decided yet...

egal

2021-04-05 17:55

administrator   ~0005975

reviewed the configuration change successfully:

I don't have any objection to adding these parameters to the signer configuration for the two (or all) used root certificates.

Ted

2021-04-11 12:57

administrator   ~0005977

I reviewed diff_Old_New once more, and now it is a PASS from me.

egal

2021-04-25 11:13

administrator   ~0005987

Patch installed on signer, new CRLs now contain a serial number

Issue History

Date Modified Username Field Change
2018-04-17 15:24 wytze New Issue
2018-04-17 15:24 wytze Tag Attached: certificates
2018-04-17 15:33 wytze Status new => confirmed
2018-04-17 15:36 wytze Status confirmed => needs work
2018-04-17 15:36 wytze Note Added: 0005584
2018-05-01 12:42 egal Assigned To => GuKKDevel
2018-05-29 09:57 GuKKDevel Status needs work => fix available
2018-05-29 09:57 GuKKDevel Note Added: 0005591
2018-05-29 10:02 GuKKDevel File Added: diff-openssl
2018-05-29 10:02 GuKKDevel File Added: diff-class3
2018-05-29 10:02 GuKKDevel Note Added: 0005592
2018-06-03 15:21 GuKKDevel Status fix available => needs review & testing
2018-06-06 09:29 egal File Added: revoke.crl
2018-06-06 09:29 egal File Added: class3-revoke.crl
2018-06-06 09:29 egal Note Added: 0005593
2018-06-06 10:51 GuKKDevel File Added: testresult
2018-06-06 10:51 GuKKDevel Note Added: 0005596
2018-06-07 21:03 egal File Added: revoke-2.crl
2018-06-07 21:03 egal File Added: class3-revoke-2.crl
2018-06-07 21:03 egal Note Added: 0005598
2018-06-07 21:14 GuKKDevel File Added: testresult-2
2018-06-07 21:14 GuKKDevel Note Added: 0005599
2018-06-13 20:44 Ted Note Added: 0005600
2018-06-13 22:10 GuKKDevel File Added: diff-crlnumber-CA
2018-06-13 22:10 GuKKDevel File Added: diff-crlnumber-class3
2018-11-05 21:53 Ted Note Added: 0005655
2018-11-10 12:40 GuKKDevel File Added: diff_Old_New
2018-11-10 12:40 GuKKDevel File Added: diff_Old-Prod_Old-Test
2018-11-10 12:40 GuKKDevel File Added: diff_New-Prod_New-Test
2018-11-10 12:40 GuKKDevel Note Added: 0005661
2018-11-12 19:43 Ted Note Added: 0005664
2021-04-05 17:55 egal Reviewed by => egal
2021-04-05 17:55 egal Note Added: 0005975
2021-04-05 17:55 egal Assigned To GuKKDevel => Ted
2021-04-05 17:55 egal Status needs review & testing => needs review
2021-04-11 12:57 Ted Status needs review => ready to deploy
2021-04-11 12:57 Ted Note Added: 0005977
2021-04-11 12:57 Ted Reviewed by egal => egal, Ted
2021-04-11 12:57 Ted Assigned To Ted => egal
2021-04-25 11:13 egal Note Added: 0005987
2021-04-25 11:15 egal Status ready to deploy => solved?
2021-04-25 11:15 egal Resolution open => fixed