Bug 241423 - Revoked certs must appear on the 1 CRL after expiration
Status: CLOSED ERRATA
Product: Red Hat Certificate System
Classification: Red Hat
Component: CA
Version: 7.1
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target: 8.0
Assigned To: Andrew Wnuk
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2007-05-25 17:16 EDT by Issue Tracker
Modified: 2015-01-04 18:27 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:25:17 EDT


Attachments:
  proposed fix - part 1 (14.99 KB, patch), 2009-03-05 20:33 EST, Andrew Wnuk
  proposed fix - part 2 (6.05 KB, patch), 2009-03-06 15:12 EST, Andrew Wnuk
  proposed fix - part 3 (small corrections to part 1) (6.52 KB, patch), 2009-03-06 17:43 EST, Andrew Wnuk
  minor correction (708 bytes, patch), 2009-03-09 21:46 EDT, Andrew Wnuk

Description Issue Tracker 2007-05-25 17:16:51 EDT
Escalated to Bugzilla from IssueTracker
Comment 2 Thomas Kwan 2007-07-09 13:57:20 EDT
Target fix to 8.0
Comment 3 Red Hat Bugzilla 2007-10-27 11:32:04 EDT
User nkwan@redhat.com's account has been closed
Comment 11 Andrew Wnuk 2009-03-06 18:23:29 EST
This issue is now fixed in 8.0.
Comment 15 Jenny Galipeau 2009-06-04 10:17:56 EDT
It appears there are now options for CRL content publishing:
   Include expired certificates
   Include certificates one extra time after their expiration

Is this bug because these did not work, or is this a new feature to address this bug?
Comment 16 Andrew Wnuk 2009-06-04 11:12:37 EDT
(In reply to comment #15)
> It appears there are now options for CRL content publishing:
>    Include expired certificates
>    Include certificates one extra time after their expiration
> 
> Is this bug because these did not work, or is this a new feature to address
> this bug?  

Including certificates in the CRL one extra time after their expiration is a new feature, required for compliance with RFCs 5280 and 3280 (see comment #1).
Comment 17 Jenny Galipeau 2009-06-04 13:31:47 EDT
Verified:

With "Include certificates one extra time after their expiration" enabled, the first CRL update after expiration included the revoked, expired certificate:

Certificate Revocation List: 
        Data: 
            Version:  v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:22:58 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1-1 of 1
                Serial Number: 0xC
                Revocation Date: Thursday, June 4, 2009 8:57:49 AM EDT America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Privilege_Withdrawn
        Extensions: 
            Identifier: CRL Number - 2.5.29.20
                Critical: no 
                Number: 6
        Signature: 
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Signature: 
                6A:96:1B:A9:EA:84:A8:65:C8:26:88:85:36:87:78:27:
                82:FE:50:1A:68:51:96:27:A0:BE:8B:52:35:38:48:99:
                D9:A6:89:9A:D3:61:47:61:8D:9E:73:BC:75:30:2A:D2:
                72:92:1E:95:52:C3:EA:8F:F9:61:E5:45:BB:F0:15:8F:
                75:3C:F1:E6:CA:4A:38:ED:CF:B3:E7:A3:41:9F:F4:AA:
                4A:77:55:95:BE:50:43:FA:AB:53:91:96:E9:1C:C0:EF:
                26:E6:CB:91:6F:2E:69:8F:49:6E:10:CC:08:CE:E4:3D:
                42:AA:91:A7:16:A6:85:1D:36:39:46:6A:CF:16:94:34:
                2E:35:23:90:AF:1E:CB:AB:CD:3B:79:48:E7:DB:35:A5:
                A1:F2:6C:A4:6E:C2:FB:85:88:CD:8A:98:22:E1:71:20:
                3A:1C:0D:0C:4E:34:47:6C:D4:47:46:D3:27:E0:22:1F:
                E6:02:65:DB:5D:ED:00:9D:5F:40:8D:53:D6:95:C9:D6:
                D2:F0:A4:51:98:77:AD:BD:51:B7:8B:35:8B:17:AB:02:
                0A:0D:AF:D2:42:7B:DF:BA:5D:1F:D3:D1:64:FA:BE:43:
                05:4E:23:32:9A:ED:0B:8F:67:52:7E:45:F3:8C:FF:F6:
                D2:E9:50:85:FE:47:5D:85:03:6B:34:09:83:8A:B7:81



The second update to the CRL did not include the revoked, expired certificate:

Certificate Revocation List: 
        Data: 
            Version:  v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:24:58 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1
        Signature: 
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Signature: 
                2E:09:8F:79:AC:D0:AF:20:8D:23:2D:94:90:43:44:80:
                08:05:D6:ED:3A:00:14:7C:00:EE:31:FC:38:15:33:AD:
                5B:90:C7:0D:BF:95:5F:BF:8E:70:28:07:0A:56:DC:7F:
                FD:48:D8:BE:EE:DE:1F:4D:D8:A2:E0:69:15:E8:E5:C9:
                8B:D6:C2:C8:A0:BF:47:6C:73:D5:32:70:BD:A3:94:98:
                46:16:DB:E1:33:FF:81:53:09:66:EC:B5:0B:C5:E1:B3:
                E4:36:B9:CC:95:67:DE:5C:BA:30:79:D9:55:4C:FB:4D:
                5B:1A:30:A2:62:58:6B:D3:9C:24:64:9E:2C:91:39:27:
                9C:BF:78:B0:05:08:52:98:90:5A:80:5D:59:EC:2B:73:
                D1:BD:9A:41:AE:02:86:57:FB:CB:E0:4C:40:27:C4:8C:
                80:40:DA:2B:55:0F:C7:FB:0D:C4:E7:78:83:51:D1:DF:
                A7:04:EA:C7:3C:31:A2:D4:C5:BA:81:07:AD:0D:2D:F9:
                99:6E:3F:98:5B:A7:05:FC:EA:07:D1:00:31:C6:B8:60:
                B7:77:C9:50:9E:5F:6E:12:56:CA:E8:60:B1:32:72:B7:
                13:2F:F0:8E:07:29:C5:A9:FA:03:B7:2B:0F:A0:19:85:
                2F:21:E3:57:8F:6A:A6:61:08:43:78:73:6D:A2:92:35

Subsequently enabling "Include expired certificates" and generating a new CRL again included the expired, revoked certificate.

Certificate Revocation List: 
        Data: 
            Version:  v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Authority,O=redhat
            This Update: Thursday, June 4, 2009 9:29:24 AM EDT America/New_York
            Next Update: Thursday, June 4, 2009 1:00:00 PM EDT America/New_York
            Revoked Certificates: 1-1 of 1
                Serial Number: 0xC
                Revocation Date: Thursday, June 4, 2009 8:57:49 AM EDT America/New_York
                Extensions: 
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no 
                        Reason: Privilege_Withdrawn
        Extensions: 
            Identifier: CRL Number - 2.5.29.20
                Critical: no 
                Number: 8
        Signature: 
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Signature: 
                03:A1:F1:77:8B:40:85:28:43:A6:5B:BD:CE:36:6C:BC:
                DE:6D:36:D2:4F:5B:C6:35:1E:F5:7D:94:B3:2B:8C:E6:
                6B:E0:54:3F:D8:21:16:52:AC:08:69:60:27:12:2B:79:
                39:66:7F:FD:BE:EA:6B:4B:64:FA:72:72:DD:AB:CD:6B:
                78:D2:BF:C1:15:99:F1:A5:D6:26:48:CF:8D:A8:3A:36:
                D4:F3:8C:F9:16:34:04:5C:66:27:C6:04:69:64:36:29:
                B4:E9:29:01:7F:C3:B5:B4:F5:D7:9C:81:91:9C:3C:43:
                38:5F:7A:E5:1D:67:E1:F6:14:F8:10:67:DD:C6:95:FD:
                88:F6:60:1C:C7:9B:CF:15:8C:5E:C3:2B:F1:19:E0:AA:
                6B:A3:D9:1B:80:B8:3C:FB:E6:94:D5:F2:97:8F:24:87:
                DB:9B:B0:73:86:1B:1A:59:D4:C3:5B:49:8A:05:6B:63:
                BC:E1:D8:CF:6E:F3:80:2E:5E:D3:8E:6D:05:BC:D4:B1:
                46:FF:E8:0C:17:6B:E0:0B:D6:00:8C:D4:23:35:94:14:
                8B:66:77:48:DA:3A:A9:71:C8:E2:79:04:8B:91:91:83:
                3F:0B:FC:5B:9C:3F:96:FB:DA:7F:6B:31:1A:25:F9:3A:
                75:2F:2B:83:CA:53:5C:6E:62:A0:F0:BF:33:71:FD:F2

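As an added example, not code from Red Hat Certificate System or from the patches attached to this bug, the following Python models the two CRL content options named in comments 15 and 16 and the RFC 5280 section 3.3 rule behind the second one (an entry MUST NOT be removed from the CRL until it has appeared on one regularly scheduled CRL issued beyond the certificate's validity period). It replays the verification sequence from comment 17 with constructed timestamps: the serial (0xC), the revocation time and the CRL issue times follow the pasted CRLs, while the certificate's notAfter (09:00:00) and the earlier CRL issued before the revocation are assumptions. `audit_final_listing` is the check an auditor or relying party would run over a saved sequence of CRLs to confirm that every revoked certificate was still listed on the first CRL issued after it expired, which is exactly what the pre-fix behaviour failed.

```python
# Added example (not Red Hat Certificate System code): models the CRL content
# options discussed in the bug and the RFC 5280 s3.3 "one extra CRL" rule.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EDT = timezone(timedelta(hours=-4))  # constructed: the zone shown in the pasted CRLs


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    not_after: datetime  # the certificate's notAfter; RFC 5280 validity is inclusive
    reason: str = "unspecified"


@dataclass
class CrlPolicy:
    # "Include expired certificates": keep every revoked certificate listed forever.
    include_expired: bool = False
    # "Include certificates one extra time after their expiration": RFC 5280 s3.3
    # requires one listing on a regularly scheduled CRL issued beyond notAfter.
    include_once_after_expiry: bool = True


class CrlIssuer:
    def __init__(self, policy: CrlPolicy, initial_crl_number: int = 0):
        self.policy = policy
        self.crl_number = initial_crl_number
        self.last_this_update: Optional[datetime] = None

    def _include(self, e: RevokedEntry, now: datetime) -> bool:
        if now <= e.not_after:  # still inside the validity period: always listed
            return True
        if self.policy.include_expired:
            return True
        if self.policy.include_once_after_expiry:
            # Listed only if no earlier CRL was issued beyond notAfter, i.e. this is
            # the first CRL after expiry. A CRL issued exactly at notAfter is not
            # "beyond" the validity period, so the entry is still owed a listing.
            return self.last_this_update is None or self.last_this_update <= e.not_after
        return False  # pre-fix behaviour: expired entries silently dropped

    def issue(self, revoked: List[RevokedEntry], now: datetime) -> Dict:
        """Issue one CRL; returns its crlNumber, thisUpdate and listed serials."""
        self.crl_number += 1
        crl = {
            "crl_number": self.crl_number,
            "this_update": now,
            "revoked": sorted(e.serial for e in revoked if self._include(e, now)),
        }
        self.last_this_update = now
        return crl


def audit_final_listing(crls: List[Dict], revoked: List[RevokedEntry]) -> List[int]:
    """Compliance check over a saved CRL sequence: serials of revoked certificates
    that were missing from the first CRL issued after their notAfter."""
    bad = []
    for e in revoked:
        after = [c for c in crls if c["this_update"] > e.not_after]
        if after and e.serial not in after[0]["revoked"]:
            bad.append(e.serial)
    return bad


def run_scenario(once_after_expiry: bool = True) -> Tuple[RevokedEntry, List[Dict]]:
    """Replay comment 17 with constructed times: serial 0xC revoked 08:57:49,
    notAfter 09:00:00 (assumed), CRLs at 09:22:58 and 09:24:58, then
    'Include expired certificates' switched on before the 09:29:24 CRL."""
    def t(h: int, m: int, s: int) -> datetime:
        return datetime(2009, 6, 4, h, m, s, tzinfo=EDT)

    cert = RevokedEntry(0xC, t(8, 57, 49), t(9, 0, 0), "privilegeWithdrawn")
    issuer = CrlIssuer(CrlPolicy(include_once_after_expiry=once_after_expiry), 4)
    crls = [issuer.issue([], t(8, 30, 0))]           # CRL #5 (assumed), before revocation
    crls.append(issuer.issue([cert], t(9, 22, 58)))  # CRL #6: first update after expiry
    crls.append(issuer.issue([cert], t(9, 24, 58)))  # CRL #7: second update
    issuer.policy.include_expired = True
    crls.append(issuer.issue([cert], t(9, 29, 24)))  # CRL #8: expired entries kept
    return cert, crls


if __name__ == "__main__":
    for label, once in (("fixed", True), ("pre-fix", False)):
        cert, crls = run_scenario(once)
        for crl in crls:
            serials = [hex(s) for s in crl["revoked"]]
            print(f"[{label}] CRL #{crl['crl_number']} {crl['this_update']:%H:%M:%S}: {serials}")
        print(f"[{label}] RFC 5280 s3.3 violations: {audit_final_listing(crls, [cert])}")
```

The "one extra time" rule keys off the previous CRL's thisUpdate rather than off the entry's own history, so it only behaves as intended when CRLs are issued on the regular schedule; an out-of-band CRL issued just after expiry consumes the one required listing, which is also why RFC 5280 words the requirement in terms of a "regularly scheduled" CRL. The audit function is deliberately independent of the issuer so it can be pointed at CRLs fetched from a CA rather than at this simulation.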