[gnutls-devel] GnuTLS | Does GnuTLS need to check “last update” or “next update” of CRL during revoking certificate(s)? (#1003)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat May 23 09:58:35 CEST 2020



yuemonangong created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1003



I created two CRLs [test1.crl, test2.crl] and a certificate chain revoked by test1.crl. When the “**next update**” of the two CRLs is **earlier than the current time** (or the “last update” is later than the current time), **GnuTLS 3.6.10** treats them as normal CRLs during certificate validation, **lacking a check on the last update/next update of the CRL**.

By comparison, **OpenSSL will check the validity** of the CRL whether or not it is used to revoke the certificate(s).

The commands I used are:
```
certtool --verify --load_crl=test1.crl --load_ca_certificate=root.pem < leaf.pem
```
and
```
certtool --verify --load_crl=test2.crl --load_ca_certificate=root.pem < leaf.pem
```

Results of test1.crl:

GnuTLS:
```
Loaded CAs (2 available)
	Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
	Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted. 

	Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
	Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Signature algorithm: RSA-SHA256
	Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Output: Not verified. The certificate is NOT trusted. The certificate chain is revoked. 

Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain is revoked.
```

OpenSSL:
```
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 12 at 0 depth lookup: CRL has expired
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 23 at 0 depth lookup: certificate revoked
error leaf.pem: verification failed
```

Results of test2.crl:

GnuTLS:
```
Loaded CAs (2 available)
	Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
	Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Signature algorithm: RSA-SHA256
	Output: Verified. The certificate is trusted. 

	Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
	Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Signature algorithm: RSA-SHA256
	Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
	Output: Verified. The certificate is trusted. 

Chain verification output: Verified. The certificate is trusted.
```

OpenSSL:
```
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 12 at 0 depth lookup: CRL has expired
C = CN, ST = SH, O = SJTU, OU = DDST, CN = NCRL
error 12 at 1 depth lookup: CRL has expired
error leaf.pem: verification failed
```

root.pem:
```
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

leaf.pem:
```
-----BEGIN CERTIFICATE-----
MIIDITCCAgmgAwIBAgIBATANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJDTjEL
MAkGA1UECAwCU0gxDTALBgNVBAoMBFNKVFUxDTALBgNVBAsMBEREU1QxDTALBgNV
BAMMBE5DUkwwHhcNOTYwODAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjBMMQswCQYD
VQQGEwJHQjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcw
FQYDVQQKEw5NeSBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL+N0yePi18I/+MxN/31iBehb2rO5s8MzykUz3aGp3BG/5uEFueqoYZN
CNLA38wIUT/ry8wIw+jlTNj29L7Q9uOX8+10XgF4VTVtN14KT0s7tZ5dLjGRD7ft
fZF03ifbGYp39fW2Wjutjo4Jyop+Bm7g6SrSJB3uaioITpZh8Xf7MHo+kNjJKPsu
ZlVVNQ3T5WQWzoskcpRRIujv7U/NATuRzXODUzqnw+HGavu2qTX3falo5i0dzzrt
9yCtLKqtC+0oX+kZPIi3ib/o20fY3hEXwYstq5sKpvV25xgKTbtwRN1KlMIhfSQN
uFXIg/Rd6rbd9P60zPYxzOTwMsaEysECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAKhf5CQGxsJCzkFJv26ggzi2HxN/X/eXcwJyy
3gfPP0JZNLzRb6bmracLui58LyCX+0tmY5TA1G3V94Vdu2LIUMRoANwKszTxhW/n
8oNvXDji+E62EsivCtoPgYRAwFE0q4flvcWzDwGlqCfEdaG1uqYGLlLxW8gmHdFs
pKJf4yCzQOn04RmReXOhaAtyUT+xp9AUzawzr2PPGA75x7B07HT4ezLPWy+l1X0o
gMBOWm3AwrwTD8k1B488NiKivCYjBn6UPG0r9/gKxSvdEJEJ6SyM8+Jw+f7lij8i
55LYqy8oyPPknQOAWzB+KZkCbqkcBGJLEPR35agBN/SDSdioXA==
-----END CERTIFICATE-----
```

test1.crl:
```
-----BEGIN X509 CRL-----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-----END X509 CRL-----
```

test2.crl:
```
-----BEGIN X509 CRL-----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-----END X509 CRL-----
```

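The check the report is asking for, as an added example that is not part of the issue and not GnuTLS or certtool code: parse the thisUpdate/nextUpdate fields of a DER-encoded CertificateList (RFC 5280, sections 5.1.2.4 and 5.1.2.5) and classify the CRL as current, not yet valid, expired, or missing nextUpdate before it is consulted for revocation. The DER reader, the `crl_freshness` function, the `utc_dt` helper and the `make_test_crl` builder are all written here for illustration; the test CRLs it builds are constructed in this file, carry dummy signature bytes and are not real CRLs, so signature and issuer checks (which a real verifier does first) are deliberately out of scope.

```python
"""Freshness check for an X.509 CRL before it is used for revocation decisions.

Added example, not GnuTLS code. Only the time fields of the TBSCertList are
parsed; signature verification is omitted. The CRLs built by make_test_crl()
are constructed test data with a placeholder signature."""
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content octets of a SEQUENCE into its top-level (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode a Time (UTCTime or GeneralizedTime; RFC 5280 requires the 'Z' form)."""
    text = val.decode("ascii")
    if tag == UTC_TIME:                    # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == GENERALIZED_TIME:          # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("expected UTCTime or GeneralizedTime, got tag 0x%02x" % tag)
    if len(rest) != 11 or rest[-1] != "Z":
        raise ValueError("malformed Time: %r" % text)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def crl_update_times(crl_der):
    """Return (thisUpdate, nextUpdate-or-None) from a DER-encoded CertificateList."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_list, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("CertificateList/TBSCertList is not a SEQUENCE")
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0   # skip the optional version INTEGER
    i += 2                                 # skip signature AlgorithmIdentifier and issuer Name
    this_update = _parse_time(*fields[i])
    next_update = None
    if i + 1 < len(fields) and fields[i + 1][0] in (UTC_TIME, GENERALIZED_TIME):
        next_update = _parse_time(*fields[i + 1])
    return this_update, next_update


def crl_freshness(crl_der, now, skew=timedelta(0)):
    """Classify the CRL's validity window at `now`, tolerating `skew` of clock drift.
    Anything other than 'ok' means the CRL must not be used as current revocation data."""
    this_update, next_update = crl_update_times(crl_der)
    if this_update - skew > now:
        return "not-yet-valid"
    if next_update is None:                # conforming issuers MUST include nextUpdate
        return "no-next-update"
    if next_update + skew < now:
        return "expired"
    return "ok"


# --- constructed test data: a DER encoder for just enough of a CertificateList ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def utc_dt(*args):
    """datetime(...) in UTC, for building and checking test inputs."""
    return datetime(*args, tzinfo=timezone.utc)


def make_test_crl(this_update, next_update=None):
    """Build a v2 CertificateList with the given times, no entries and a DUMMY signature."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                             + _tlv(0x0c, b"Constructed CRL issuer"))))
    tbs = _tlv(0x02, b"\x01") + sha256_rsa + issuer
    tbs += _tlv(UTC_TIME, this_update.strftime("%y%m%d%H%M%SZ").encode())
    if next_update is not None:
        tbs += _tlv(UTC_TIME, next_update.strftime("%y%m%d%H%M%SZ").encode())
    dummy_sig = _tlv(0x03, b"\x00" + bytes(32))   # placeholder, not a real signature
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + dummy_sig)


if __name__ == "__main__":
    now = utc_dt(2020, 5, 23, 8, 0)        # the date of the bug report
    cases = {
        "current": make_test_crl(utc_dt(2020, 5, 1), utc_dt(2020, 6, 1)),
        "expired": make_test_crl(utc_dt(2020, 1, 1), utc_dt(2020, 2, 1)),
        "future":  make_test_crl(utc_dt(2020, 6, 1), utc_dt(2020, 7, 1)),
    }
    for label, crl in cases.items():
        print("%-8s -> %s" % (label, crl_freshness(crl, now)))
```

`now` is passed in explicitly so the check is testable; a verifier would pass `datetime.now(timezone.utc)`. The `skew` parameter is there because a CRL published seconds ago by an issuer with a slightly fast clock should not be rejected as "not yet valid", but an expired CRL is exactly the case the report exercises: a stale CRL may be missing a revocation that has since happened, so treating it as current silently widens the window in which a revoked certificate is still accepted.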