On yet another response to myself, Robert, after some more
sherlockholmesing of the buggy code, suggests adding a non-critical
extension to the CRL, as the code would, it is suggested, then return an
empty list rather than a null pointer.
Unlike a critical extension, this is much, much safer to do even on a
production CRL, and there are a few of them out there already; we have
an extension on our 2A CRL (cRLNumber), and lots of others have it, too:
[jj47@vm102]/etc/grid-security/certificates% for n in *.r0 ; do if
openssl crl -text -noout -in $n |grep -qi xtens ; then echo $n ; fi ;
done|wc -l
160
(This'll pick up both CRL extensions and entry extensions.) Even CERN
has it; their intermediate CRL, for example, is full of cra^W useful
information [*]
What I can propose is that Tuesday morning (5 Dec), I put AKI into the
production CRL for 2B, and then generate and deploy a fresh CRL. It
would be easy to rerun the tests against the other two VOMS servers
(Oxford and Imperial).
But do let me know about that critical extension. I am curious. As I
said, I could not replicate the problem myself, even on SL6.
Cheers
--jens
[*]
[jj47@vm102]/etc/grid-security/certificates% openssl crl -text -noout
-in 4339b4bc.r0
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha512WithRSAEncryption
Issuer: /DC=ch/DC=cern/CN=CERN Grid Certification Authority
Last Update: Nov 30 06:20:16 2017 GMT
Next Update: Dec 4 16:16:16 2017 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:A5:A0:FD:66:58:FD:B9:DD:7A:E1:B2:9D:9F:A3:D1:E5:50:18:94:E7
1.3.6.1.4.1.311.21.1:
...
X509v3 CRL Number:
1869
1.3.6.1.4.1.311.21.4:
.^M171204063016Z
X509v3 Freshest CRL:
Full Name:
URI:http://cafiles.cern.ch/cafiles/crl/CERN%20Grid%20Certification%20Authority+.crl
URI:ldap:///CN=CERN%20Grid%20Certification%20Authority,CN=CERNPKI05,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=cern,DC=ch?deltaRevocationList?base?objectClass=cRLDistributionPoint
1.3.6.1.4.1.311.21.14:
0..0...........ldap:///CN=CERN%20Grid%20Certification%20Authority,CN=CERNPKI05,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=cern,DC=ch?certificateRevocationList?base?objectClass=cRLDistributionPoint
Revoked Certificates:
Serial Number: 1E69C1740000000330E6
Revocation Date: Jan 17 20:12:45 2017 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Superseded
[..]
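Added worked example (editor's code, not part of Jens's message or any of the software discussed): a small stdlib-only walker over a DER-encoded CertificateList that returns the CRL extensions as a list, empty when the optional [0] crlExtensions block is missing, which is exactly the "empty list rather than null pointer" distinction above. It also separates CRL extensions from CRL entry extensions (the bare `grep xtens` loop matches both) and flags critical extensions a consumer does not recognise, which RFC 5280 says must cause the CRL to be rejected. The sample CRLs are constructed inline with placeholder signatures (nothing is verified cryptographically), the issuer name is made up, and the private OID 1.3.6.1.4.1.99999.1 is an arbitrary placeholder for "some critical extension we don't know"; the cRLNumber 1869 and reasonCode "superseded" mirror the CERN excerpt.

```python
"""Walk a DER X.509 CRL (RFC 5280 CertificateList) and report its extensions.
Stdlib only. Sample CRLs are constructed here with placeholder signatures."""
from dataclasses import dataclass

SEQUENCE, SET, INTEGER, BOOLEAN, OCTET_STRING, NULL = 0x30, 0x31, 0x02, 0x01, 0x04, 0x05
OID, ENUMERATED, UTC_TIME, GEN_TIME, BIT_STRING, UTF8 = 0x06, 0x0A, 0x17, 0x18, 0x03, 0x0C
CRL_EXTS_TAG = 0xA0                      # [0] EXPLICIT crlExtensions in TBSCertList
OID_AKI, OID_CRL_NUMBER, OID_REASON = "2.5.29.35", "2.5.29.20", "2.5.29.21"
KNOWN_CRL_EXTENSIONS = {OID_AKI, OID_CRL_NUMBER}   # what this toy consumer understands

# --- minimal DER encoder, used only to construct the sample CRLs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*items):
    return tlv(SEQUENCE, b"".join(items))

def der_int(n):                          # non-negative integers only
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))

def der_ext(oid, value, critical=False):  # Extension ::= SEQUENCE {extnID, critical, extnValue}
    crit = tlv(BOOLEAN, b"\xff") if critical else b""   # DEFAULT FALSE is omitted in DER
    return der_seq(der_oid(oid), crit, tlv(OCTET_STRING, value))

SIG_ALG = der_seq(der_oid("1.2.840.113549.1.1.11"), tlv(NULL, b""))  # sha256WithRSAEncryption
ISSUER = der_seq(tlv(SET, der_seq(der_oid("2.5.4.3"), tlv(UTF8, b"Constructed Test CA"))))

def build_sample_crl(with_extensions=True, critical_unknown=False):
    # Constructed v2 CRL: one revoked entry with a reasonCode entry extension (4 = superseded);
    # optionally AKI + cRLNumber CRL extensions; optionally a critical extension under a
    # placeholder private OID. The signature is a dummy BIT STRING.
    reason = der_ext(OID_REASON, tlv(ENUMERATED, b"\x04"))
    entry = der_seq(der_int(0x1E69), tlv(UTC_TIME, b"170117201245Z"), der_seq(reason))
    tbs = [der_int(1), SIG_ALG, ISSUER, tlv(UTC_TIME, b"171130062016Z"),
           tlv(UTC_TIME, b"171204161616Z"), der_seq(entry)]
    exts = []
    if with_extensions:
        exts += [der_ext(OID_AKI, der_seq(tlv(0x80, bytes(range(20))))),   # [0] keyIdentifier
                 der_ext(OID_CRL_NUMBER, der_int(1869))]
    if critical_unknown:
        exts.append(der_ext("1.3.6.1.4.1.99999.1", tlv(NULL, b""), critical=True))
    if exts:
        tbs.append(tlv(CRL_EXTS_TAG, der_seq(*exts)))
    return der_seq(der_seq(*tbs), SIG_ALG, tlv(BIT_STRING, b"\x00" * 33))

# --- DER reader and CRL walker ---
def _read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + first
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def _children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

@dataclass
class CrlExtension:
    oid: str
    critical: bool
    value: bytes                         # raw extnValue contents (itself DER)

def _parse_extensions(seq_body):
    exts = []
    for _, ext in _children(seq_body):
        parts = list(_children(ext))
        critical = len(parts) == 3 and parts[1][1] != b"\x00"
        exts.append(CrlExtension(_decode_oid(parts[0][1]), critical, parts[-1][1]))
    return exts

def _tbs_parts(der):
    # Returns (revoked entries, raw [0] crlExtensions body or None).
    tag, cert_list, _ = _read_tlv(der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_list, 0)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a CertificateList")
    entries, ext_body, seen_time = [], None, False
    for tag, body in _children(tbs):
        if tag in (UTC_TIME, GEN_TIME):
            seen_time = True             # thisUpdate / nextUpdate
        elif tag == SEQUENCE and seen_time:
            entries = list(_children(body))   # revokedCertificates follows the times
        elif tag == CRL_EXTS_TAG:
            ext_body = body
    return entries, ext_body

def crl_extensions(der):
    # CRL-level extensions; [] (never None) when the [0] block is absent.
    _, ext_body = _tbs_parts(der)
    if ext_body is None:
        return []
    _, seq_body, _ = _read_tlv(ext_body, 0)   # unwrap EXPLICIT tag -> Extensions SEQUENCE
    return _parse_extensions(seq_body)

def crl_entry_extensions(der):
    # Per-entry extensions as (serial, [extensions]); distinct from CRL extensions.
    out = []
    for _, entry in _tbs_parts(der)[0]:
        parts = list(_children(entry))
        exts = _parse_extensions(parts[2][1]) if len(parts) == 3 else []
        out.append((int.from_bytes(parts[0][1], "big"), exts))
    return out

def crl_number(der):
    for e in crl_extensions(der):
        if e.oid == OID_CRL_NUMBER:
            return int.from_bytes(_read_tlv(e.value, 0)[1], "big")
    return None

def unrecognised_critical(der, known=KNOWN_CRL_EXTENSIONS):
    # RFC 5280 5.2: a CRL carrying an unrecognised critical extension must not be used.
    return [e.oid for e in crl_extensions(der) if e.critical and e.oid not in known]
```

Running `crl_extensions` over `build_sample_crl(with_extensions=False)` gives `[]`, over `build_sample_crl()` gives the two non-critical AKI and cRLNumber entries, and `unrecognised_critical(build_sample_crl(critical_unknown=True))` lists the placeholder OID a conforming relying party would have to reject; any consumer that special-cases "no extensions" as a null rather than an empty collection is the kind of code the thread is chasing.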