
x509 crl handling

Problem to solve

As certificates can be revoked (after a commit signature has been verified), we should reset the commit verification status, because the certificate used to sign the commit is no longer trustworthy.

Certificates can be revoked for a variety of reasons, including:

  • private key is compromised
  • misuse of the certificate

Background

Based on !17773 (merged), certificate revocation shall be handled for x509 signed commits; see !17773 (comment 241058311).

Proposal

  • [-] Adopt app/workers/update_x509_signature_worker.rb (feature flag :update_x509_signature_worker) update_signature_worker.diff
  • Add rake task to update signatures in case of changed trust store => !28406 (merged)
  • Download the CRL and set certificate_status if the certificate is revoked => !28336 (merged)
  • Revoked is a certificate detail, so we might just display "revoked" within the certificate details and set the verification status to unverified !24889 (merged)

require 'openssl'

# Parse a CRL (PEM or DER data), print its metadata and return the serials
# from `serials` that it lists as revoked, or nil if none of them is revoked.
# Note: this only reads the CRL; its signature and validity period are not checked.
def check_crl(crl_file, serials)
  revoked_serials = []
  crl = OpenSSL::X509::CRL.new(crl_file)
  puts "crl last_update : " + crl.last_update.to_s
  puts "crl next_update : " + crl.next_update.to_s
  puts "crl issuer      : " + crl.issuer.to_s
  puts "crl versions    : " + crl.version.to_s
  crl.extensions.each do |ext|
    puts "crl extension   : " + ext.oid + '=' + ext.value
  end
  crl.revoked.each do |rev|
    # rev.serial is an OpenSSL::BN; convert it so it compares with Integers
    serial = rev.serial.to_i
    revoked_serials.push(serial) if serials.include?(serial)
  end
  revoked_serials.empty? ? nil : revoked_serials
end

crl_serials = [2139164901, 1810356222]

puts "Check CRL file without revoked serial"
puts check_crl(File.read("ZZZZZZA6__2651.crl"), crl_serials)
puts "---------"
puts "Check CRL file with revoked serial"
puts check_crl(File.read("ZZZZZZA6.crl"), crl_serials)
Edited by Roger Meier
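
A downloaded CRL is only as trustworthy as its signature and freshness, so the following added example (not code from this issue or from GitLab) checks both before looking up a serial. The method name `crl_status`, its return symbols, the helpers `sample_ca` and `sample_crl`, and the throwaway CA are assumptions constructed for illustration.

```ruby
require 'openssl'

# Decide a status for one certificate serial, trusting the CRL only after
# checking who issued it, that its signature verifies, and that it is current.
# The return symbols are assumptions made for this example.
def crl_status(crl_data, issuer_cert, serial, now: Time.now)
  crl = OpenSSL::X509::CRL.new(crl_data)
  return :crl_untrusted unless crl.issuer.to_der == issuer_cert.subject.to_der
  return :crl_untrusted unless crl.verify(issuer_cert.public_key)
  return :crl_stale if crl.next_update.nil? || crl.next_update < now
  # Revoked#serial is an OpenSSL::BN, so compare as Integer.
  crl.revoked.any? { |rev| rev.serial.to_i == serial } ? :revoked : :good
rescue OpenSSL::X509::CRLError
  :crl_untrusted # unparsable data or a key of the wrong type
end

# --- Constructed sample data: a throwaway CA and CRLs built in memory ---
def sample_ca(now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after = now + 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def sample_crl(key, issuer_name, revoked_serials, now)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_name
  crl.last_update = now - 60
  crl.next_update = now + 3600
  revoked_serials.each do |serial|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = serial
    rev.time = now - 60
    crl.add_revoked(rev)
  end
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  crl.to_der
end

NOW = Time.now
CA_KEY, CA_CERT = sample_ca(NOW)
CRL_DER = sample_crl(CA_KEY, CA_CERT.subject, [2139164901], NOW)
puts crl_status(CRL_DER, CA_CERT, 2139164901, now: NOW)
```

A `:crl_untrusted` or `:crl_stale` result means the revocation state is unknown, which is different from `:good`; the caller has to decide how to treat the signature in that case.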