x509 crl handling
Problem to solve
As certificates can revoked (after a commit signature has been verified), we should reset the commit verification status as the certificate used to sign the commit is no longer trustworthy.
Certificates can be revoked for a variety of reasons, including
- private key is compromised
- mis-use of certificate
Background
based on !17773 (merged) certificate revocation shall be handled for x509 signed commits, see !17773 (comment 241058311)
Proposal
- [-]
Adoptapp/workers/update_x509_signature_worker.rb(feature flag:update_x509_signature_worker) update_signature_worker.diff - Add rake task to update signatures in case of changed trust store => !28406 (merged)
- download crl and set certificate_status if certificate is revoked => !28336 (merged)
- Revoked is a certificate detail, so we might just display "revoked" within the certificate details and set the verification status to unverified !24889 (merged)
require 'openssl'
def check_crl (crl_file, serials)
revoked_serials = []
crl = OpenSSL::X509::CRL.new(crl_file)
puts "crl last_update : " + crl.last_update.to_s
puts "crl next_update : " + crl.next_update.to_s
puts "crl issuer : " + crl.issuer.to_s
puts "crl versions : " + crl.version.to_s
crl.extensions.each_with_index{|ext, i|
puts "crl extenstion : " + ext.oid + '=' + ext.value
}
crl.revoked().each_with_index{ | rev |
if serials.include? rev.serial
revoked_serials.push(rev.serial)
end
}
revoked_serials.empty? ? nil : revoked_serials
end
crl_serials = [ 2139164901, 1810356222 ]
puts "Check CRL file without revoked serial"
puts check_crl(File.read("ZZZZZZA6__2651.crl"), crl_serials)
puts "---------"
puts "Check CRL file with revoked serial"
puts check_crl(File.read("ZZZZZZA6.crl"), crl_serials)