[Pki-devel] [PATCH] 0017-2 Enable Authority Key Identifier CRL extension

Fraser Tweedale ftweedal at redhat.com
Wed Dec 17 03:50:45 UTC 2014


On Wed, Dec 17, 2014 at 12:36:39PM +1000, Fraser Tweedale wrote:
> Hi Christina,
> 
> Following up on your request for further testing, see below.
> 
> On Thu, Oct 30, 2014 at 09:25:56AM -0700, Christina Fu wrote:
> > Fraser,
> > 
> > Good catch!
> > 
> > I'm wondering why it was disabled.  Could there be a reason? Fraser, if you
> > have not done so, may I trouble you to take one more step in the testing and
> > see if you can
> > 1. verify the CRLs generated after the enabling of AKI indeed have the
> > extension
> >
> The extension is present.
> 
> > 2. the CRL is accepted by the OCSP
> >
> The OCSP responder works fine with the CRLs when the AKI extension
> has been enabled.
> 
> > 3. test FF cert verification with both CRL and OCSP
> > 
> Firefox OCSP check works fine.  I'm not sure how to test the CRL in
> Firefox.  Advice?
> 
> > Regarding upgrade script, I'll say yes if possible.  But we should try to
> > conform to the existing upgrade mechanisms/decision.
> > 
> Patch will be out shortly.
> 
Updated patch attached.

> Cheers,
> 
> Fraser
> 
> > thanks,
> > Christina
> > 
> > On 10/29/2014 11:09 PM, Fraser Tweedale wrote:
> > >This patch enables the Authority Key Identifier CRL Extension, which
> > >is REQUIRED by RFC 5280, by default.
> > >
> > >Should existing instances be left alone or should I also look at an
> > >upgrade script that offers to upgrade CS.cfg to be conformant?
> > >
> > >Fraser
> > >
> > >
> > >_______________________________________________
> > >Pki-devel mailing list
> > >Pki-devel at redhat.com
> > >https://www.redhat.com/mailman/listinfo/pki-devel
> > 
-------------- next part --------------
From 748666bf88b38a9eac6d82dcd865250f5d01d6c7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 30 Oct 2014 01:58:15 -0400
Subject: [PATCH] Enable Authority Key Identifier CRL extension by default

RFC 5280 states:

   Conforming CRL issuers are REQUIRED to include the authority key
   identifier (Section 5.2.1) and the CRL number (Section 5.2.3)
   extensions in all CRLs issued.

Accordingly, update CS.cfg so that the Authority Key Identifier
extension is enabled by default.  Also add an upgrade script to
enable it on existing instances.
---
 base/ca/shared/conf/CS.cfg.in                      |  2 +-
 .../server/upgrade/10.2.2/01-EnableCRLAKIExtension | 46 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100755 base/server/upgrade/10.2.2/01-EnableCRLAKIExtension

diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 4ab8974e6340d81d23bb7f5ea05a07b0936b6463..f5469408b5a2da26321871d64e76da8e07344aeb 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -604,7 +604,7 @@ ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions
 ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
-ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false
+ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=true
 ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
 ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
 ca.crl.MasterCRL.extension.CRLNumber.critical=false
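Review bot: the commit message cites RFC 5280 as requiring both the Authority Key Identifier and the CRL Number extension, but this hunk only flips `AuthorityKeyIdentifier.enable`; the `CRLNumber.enable` line sits just outside the shown context (the hunk ends at `CRLNumber.critical=false`), so please confirm in this change that it is already `true` in CS.cfg.in, otherwise the default MasterCRL is still non-conformant after the patch. Leaving `AuthorityKeyIdentifier.critical=false` as it is is correct: RFC 5280 section 5.2.1 requires CRL issuers to mark the AKI extension non-critical. Only the `MasterCRL` issuing point is touched here; any other issuing point configured in an instance would need the same property set.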
diff --git a/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension b/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension
new file mode 100755
index 0000000000000000000000000000000000000000..85e4f33cad3ca961c94a84ce97128cbbdb251068
--- /dev/null
+++ b/base/server/upgrade/10.2.2/01-EnableCRLAKIExtension
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# Authors:
+#     Fraser Tweedale <ftweedal at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2014 Red Hat, Inc.
+# All rights reserved.
+
+import os
+
+import pki.server.upgrade
+
+class EnableCRLAKIExtension(pki.server.upgrade.PKIServerUpgradeScriptlet):
+    def __init__(self):
+        self.message = "Enable CRL AuthorityKeyIdentifier extension"
+
+    def upgrade_subsystem(self, instance, subsystem):
+        cfg_path = os.path.join(instance.base_dir, 'conf', subsystem.name, 'CS.cfg')
+
+        lines = []
+        with open(cfg_path) as f:
+            lines = f.readlines()
+
+        prop = "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable"
+
+        try:
+            prop_index = lines.index(prop + "=false\n")
+        except ValueError:
+            prop_index = None
+
+        if prop_index is not None:
+            lines[prop_index] = prop + "=true\n"
+            with open(cfg_path, 'w') as f:
+                f.writelines(lines)
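Review bot: the lookup `lines.index(prop + "=false\n")` is an exact-string match, so a line with trailing whitespace, a CRLF ending, a missing final newline, or a value spelled other than `false` is silently skipped and the upgrade completes while leaving the extension disabled; match on the key instead (e.g. `line.split('=', 1)[0].strip() == prop`) and rewrite whatever value follows it. `upgrade_subsystem` also runs for every subsystem in the instance although the property is CA-only (`ca.crl.MasterCRL...`), so return early unless `subsystem.name == 'ca'` rather than reading each subsystem's CS.cfg. The in-place `open(cfg_path, 'w')` truncates CS.cfg before the new contents are written; write to a temporary file in the same directory and rename it over the original so an interrupted upgrade cannot leave an empty config. Minor: `__init__` does not call the base class constructor (`super(EnableCRLAKIExtension, self).__init__()`), which the other scriptlets should be checked against, and the `lines = []` before the `with` block is redundant.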
-- 
1.9.3
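The same check and fix as a worked example in Python, added here and not part of Fraser's patch or the project's upgrade code. It parses CS.cfg as key=value lines, reports which of the two CRL extensions that RFC 5280 requires (Authority Key Identifier and CRL Number) are not enabled for an issuing point, rewrites only their `.enable` values by matching on the key rather than on the literal line `...=false\n`, and replaces the file by rename. The property names and the `MasterCRL` issuing point are taken from the patch; the sample config is constructed for the example; the code assumes Python 3 (`os.replace`), unlike the Python 2 scriptlet in the patch.

```python
import os
import stat
import tempfile

# RFC 5280, section 5: "Conforming CRL issuers are REQUIRED to include the
# authority key identifier (Section 5.2.1) and the CRL number (Section
# 5.2.3) extensions in all CRLs issued."  Names as used in the CS.cfg
# property names shown in the patch.
REQUIRED_CRL_EXTENSIONS = ("AuthorityKeyIdentifier", "CRLNumber")

# Constructed sample, not a real instance's CS.cfg.  The trailing space on
# the AKI line is deliberate: an exact match on "prop=false\n" misses it.
SAMPLE_CS_CFG = (
    "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class="
    "com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension\n"
    "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false\n"
    "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=false \n"
    "ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension\n"
    "ca.crl.MasterCRL.extension.CRLNumber.class="
    "com.netscape.cms.crl.CMSCRLNumberExtension\n"
    "ca.crl.MasterCRL.extension.CRLNumber.critical=false\n"
    "ca.crl.MasterCRL.extension.CRLNumber.enable=true\n"
    "ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension\n"
)


def enable_prop(issuing_point, ext):
    """CS.cfg property that switches one CRL extension on or off."""
    return "ca.crl.%s.extension.%s.enable" % (issuing_point, ext)


def parse_cs_cfg(text):
    """Map key -> value for each key=value line; blanks and '#' comments are
    skipped, both sides stripped so CRLF or trailing spaces do not matter."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def missing_required_crl_extensions(text, issuing_point="MasterCRL"):
    """Required CRL extensions whose '.enable' is absent or not 'true'."""
    props = parse_cs_cfg(text)
    return [ext for ext in REQUIRED_CRL_EXTENSIONS
            if props.get(enable_prop(issuing_point, ext), "").lower() != "true"]


def enable_required_crl_extensions(text, issuing_point="MasterCRL"):
    """Return (new_text, changed_keys, absent_keys).  Only the '.enable'
    value of each required extension is rewritten; every other line is
    copied through, the line ending style is kept, and a second run is a
    no-op.  Absent properties are reported rather than appended, since the
    matching '.class' and '.type' lines would be missing as well."""
    wanted = {enable_prop(issuing_point, e) for e in REQUIRED_CRL_EXTENSIONS}
    newline = "\r\n" if "\r\n" in text else "\n"
    seen, changed, out = set(), [], []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in wanted:
            seen.add(key)
            if value.strip().lower() != "true":
                changed.append(key)
                line = key + "=true"
        out.append(line)
    return "".join(line + newline for line in out), changed, sorted(wanted - seen)


def write_cs_cfg_atomically(path, text):
    """Write beside CS.cfg and rename over it, so an interrupted upgrade
    leaves the old or the new file, never a truncated one.  Mode is copied;
    ownership is the running process's, so chown if that differs."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(prefix=".CS.cfg.", dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def upgrade_cs_cfg(path, issuing_point="MasterCRL"):
    """Fix one CS.cfg on disk; returns the keys that were changed."""
    with open(path) as f:
        text = f.read()
    new_text, changed, absent = enable_required_crl_extensions(text, issuing_point)
    if absent:
        raise ValueError("not configured, cannot enable: %s" % ", ".join(absent))
    if changed:
        write_cs_cfg_atomically(path, new_text)
    return changed


if __name__ == "__main__":
    print("disabled before:", missing_required_crl_extensions(SAMPLE_CS_CFG))
    fixed, changed, absent = enable_required_crl_extensions(SAMPLE_CS_CFG)
    print("changed:", changed, "absent:", absent)
    print("disabled after:", missing_required_crl_extensions(fixed))
```

Point `upgrade_cs_cfg` at an instance's `conf/ca/CS.cfg` to apply it; the checker alone (`missing_required_crl_extensions`) is what you would run against a CS.cfg to answer Christina's first question from the configuration side, before confirming on the issued CRL itself.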