
Support CRL extension issuingDistributionPoint
Open, Normal, Public

Event Timeline

werner created this task.

For support reasons I would say that it might make sense to also ignore the extensions from "ignore-cert-extension" when checking CRLs?

Nah, the description for that extension is pretty strict and I won't feel comfortable just ignoring it. BTW there is also T6398 (nameConstraints) which needs support. But for debugging an ignore extension makes sense.

rGb1ecc8353ae3 is just what I meant, so that we can recommend such an option in the future as a workaround until a new update becomes available which supports such an extension.

We had one request to support this back in 2017 but it was closed because the respective CA stopped using this extension. See T2039.

werner renamed this task from Support CRL exension issuingDistributionPoint to Support CRL extension issuingDistributionPoint. Jun 22 2023, 11:44 AM

While remembering this I added to our standard.conf (and for testing first to my local conf):

# Unsupported CRL extensions
# See: https://dev.gnupg.org/T6677
ignore-crl-extension 2.5.29.36
# See: https://dev.gnupg.org/T6678
ignore-crl-extension 2.5.29.54

But at least with 2.4.3 this did not seem to have an effect:

2023-10-13 10:12:23 dirmngr[28076.6] DBG: BEGIN Certificate 'crl_issuer_cert':
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      serial: 215E78D99648B021C6394A6566D8E00F46A1E595
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   notBefore: 2020-11-18 14:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:    notAfter: 2029-08-14 13:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      issuer: CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:     subject: OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   hash algo: 1.2.840.113549.1.1.12
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   SHA1 fingerprint: 07F5DC58F83778D5B5738A988292C00A674A0F40
2023-10-13 10:12:23 dirmngr[28076.6] DBG: END Certificate
2023-10-13 10:12:23 dirmngr[28076.6] DBG: rsa_verify    => Good
2023-10-13 10:12:23 dirmngr[28076.6] DBG: finish_sig_check: gcry_pk_verify: Success
2023-10-13 10:12:23 dirmngr[28076.6] DBG: BEGIN Certificate 'subject':
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      serial: 215E78D99648B021C6394A6566D8E00F46A1E595
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   notBefore: 2020-11-18 14:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:    notAfter: 2029-08-14 13:30:34
2023-10-13 10:12:23 dirmngr[28076.6] DBG:      issuer: CN=Federal Common Policy CA G2,OU=FPKI,O=U.S. Government,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:     subject: OU=Entrust Managed Services Root CA,OU=Certification Authorities,O=Entrust,C=US
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   hash algo: 1.2.840.113549.1.1.12
2023-10-13 10:12:23 dirmngr[28076.6] DBG:   SHA1 fingerprint: 07F5DC58F83778D5B5738A988292C00A674A0F40
2023-10-13 10:12:23 dirmngr[28076.6] DBG: END Certificate
2023-10-13 10:12:23 dirmngr[28076.6] critical certificate extension 2.5.29.36 is not supported
2023-10-13 10:12:23 dirmngr[28076.6] critical certificate extension 2.5.29.54 is not supported
2023-10-13 10:12:23 dirmngr[28076.6] error checking validity of CRL issuer certificate: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] crl_parse_insert failed: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] crl_cache_insert via DP failed: Unsupported certificate
2023-10-13 10:12:23 dirmngr[28076.6] command 'ISVALID' failed: Unsupported certificate

Both with the entrust chain and the greenbone test chain.

And yes, in gpgsm.conf both extensions are also marked with ignore-cert-extension.
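The log above rejects the CRL issuer certificate because of the critical certificate extensions 2.5.29.36 and 2.5.29.54. As an added example (not GnuPG's or dirmngr's code), the minimal DER walk below shows the RFC 5280 rule behind that message: a critical extension the verifier does not implement is fatal unless its OID is on an explicit ignore list. The Extensions blob and the SUPPORTED set are constructed for the example.

```python
# Added example (not GnuPG code): minimal DER walk over an X.509 Extensions
# SEQUENCE, applying the RFC 5280 rule behind "critical certificate extension
# ... is not supported": an unimplemented critical extension is fatal unless
# its OID is explicitly ignored.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(oid, critical), ...] for each Extension in a DER Extensions SEQUENCE."""
    _, seq, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_raw, p = _read_tlv(ext, 0)
        tag, val, _ = _read_tlv(ext, p)     # BOOLEAN critical (DEFAULT FALSE) or the OCTET STRING
        out.append((_decode_oid(oid_raw), tag == 0x01 and val != b"\x00"))
    return out

# Extensions a hypothetical verifier implements (constructed set, not dirmngr's).
SUPPORTED = {"2.5.29.14", "2.5.29.15", "2.5.29.19", "2.5.29.35"}

def unsupported_critical(der, ignore_oids=()):
    """Critical OIDs neither implemented nor explicitly ignored; non-empty means reject."""
    return [oid for oid, crit in parse_extensions(der)
            if crit and oid not in SUPPORTED and oid not in set(ignore_oids)]

# Constructed blob: basicConstraints (critical), policyConstraints 2.5.29.36 (critical),
# inhibitAnyPolicy 2.5.29.54 (critical), certificatePolicies 2.5.29.32 (non-critical).
SAMPLE_EXTENSIONS = bytes.fromhex(
    "3044"
    "300f 0603551d13 0101ff 0405 3003 0101ff"
    "300f 0603551d24 0101ff 0405 3003 800100"
    "300d 0603551d36 0101ff 0403 020100"
    "3011 0603551d20 040a 3008 3006 0604551d2000")
```

With no ignore list the check returns the same two OIDs the log reports; listing both OIDs lets the remaining critical extension (basicConstraints, which the verifier implements) pass.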

A workaround exists with the new option --ignore-crl-extensions.