Support PSS signed CRLs
Open, Normal, Public

Description

Some CAs use rsaPSS to sign CRLs. GnuPG's X.509 code does not fully support this RSA signature scheme; in particular, libksba cannot parse such a CRL and returns the wrong error: Invalid Digest Algorithm.

An example of such a CRL is F717521 (which has no revoked items, though).

werner created this task. Fri, May 24, 8:58 AM

Interesting thing: The main CRL of the dgn.de CA uses a nextUpdate in the year 2034 (15 years in the future), which would force dirmngr to cache the CRL until then. However, the CRL of the intermediate certificate has a nextUpdate only one month in the future. There is currently no entry in that second level CRL, so their idea might be that an updated second level CRL will also trigger a reload of the main CRL. I have not checked how we implement that in Dirmngr, but I doubt that such a thing will work for us and that it is in any way standards compliant.
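To make both points above concrete (an rsaPSS signatureAlgorithm that a CRL parser must recognise, and a nextUpdate far enough ahead to pin a cached CRL for years), here is an added example that is not GnuPG or libksba code: a minimal DER walker that reports a CRL's signature OID and nextUpdate and flags the two conditions. The CRL bytes, the reference date and the dummy signature value are constructed for the demo; nothing is cryptographically verified.

```python
# Added example, not GnuPG/libksba code: a minimal DER walker that reports a CRL's
# signatureAlgorithm OID and its nextUpdate, so an rsaPSS-signed CRL or a far-future
# nextUpdate can be flagged. CRL bytes are constructed; the signature is a dummy.
from datetime import datetime, timedelta, timezone
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"       # id-RSASSA-PSS (RFC 4055)
DER_OID_PSS = bytes.fromhex("06092a864886f70d01010a")   # the same OID, DER encoded
NOW = datetime(2019, 5, 24, tzinfo=timezone.utc)        # constructed reference date
def der(tag, body):                            # encode a TLV; bodies here are < 256 bytes
    ln = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + ln + body
def parse_tlv(buf, pos=0):                     # -> (tag, value bytes, position after TLV)
    first = buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F     # count of long-form length octets
    ln = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return buf[pos], buf[start:start + ln], start + ln
def decode_oid(b):                             # OBJECT IDENTIFIER value -> dotted string
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))
def parse_time(tag, val):                      # UTCTime (0x17) or GeneralizedTime (0x18)
    s = val.decode("ascii")
    if tag == 0x17: s = ("20" if int(s[:2]) < 50 else "19") + s   # RFC 5280 century pivot
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def inspect_crl(crl):                          # -> (signature OID, nextUpdate or None)
    _, outer, _ = parse_tlv(crl)               # CertificateList ::= SEQUENCE
    _, tbs, p = parse_tlv(outer)               # tbsCertList
    _, sigalg, _ = parse_tlv(outer, p)         # outer signatureAlgorithm
    sig_oid = decode_oid(parse_tlv(sigalg)[1]) # its algorithm OID
    tag, _, q = parse_tlv(tbs)                 # version is OPTIONAL ...
    if tag == 0x02: _, _, q = parse_tlv(tbs, q)   # ... skip it, then the inner signature
    _, _, q = parse_tlv(tbs, q)                # issuer
    _, _, q = parse_tlv(tbs, q)                # thisUpdate
    tag, val, _ = parse_tlv(tbs, q) if q < len(tbs) else (None, None, None)
    return sig_oid, parse_time(tag, val) if tag in (0x17, 0x18) else None  # nextUpdate OPTIONAL
def crl_flags(crl, now=NOW, max_cache_days=365):   # policy check a CRL cache could apply
    sig_oid, nxt = inspect_crl(crl)
    flags = ["rsaPSS signature"] if sig_oid == OID_RSASSA_PSS else []
    if nxt and nxt - now > timedelta(days=max_cache_days): flags.append("far-future nextUpdate")
    return flags
def build_crl(der_oid, next_update=b"190624000000Z"):   # constructed test CRL, no real signature
    alg = der(0x30, der_oid)                   # AlgorithmIdentifier, PSS parameters omitted
    tbs = der(0x30, der(0x02, b"\x01") + alg + der(0x30, b"")   # v2, signature, empty issuer
              + der(0x17, b"190524000000Z") + (der(0x17, next_update) if next_update else b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00\xff"))   # dummy BIT STRING signature
```

`build_crl(DER_OID_PSS, b"340524000000Z")` yields a CRL that `crl_flags` reports as both rsaPSS-signed and cacheable far beyond a one-year policy; passing `None` as nextUpdate exercises the optional-field case.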