Fix: intermediate CRLs were self-signed, not root-signed as it should

elonen · Sep 21, 2024 · 5ff4061 · 5ff4061
1 parent 7660c39
commit 5ff4061
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/hsm_secrets/x509/__init__.py b/hsm_secrets/x509/__init__.py
@@ -155,6 +155,13 @@ def _do_it(ses: HSMSession|None):
             issuer = scid_to_opq_def[cd.sign_by] if cd.sign_by and cd.sign_by != cd.id else None
             signer = f"signed by: '{issuer.label}'" if issuer else 'self-signed'
 
+            # Get CRL distribution points from issuer (if not self-signed)
+            crl_url_list = []
+            if issuer:
+                issuer_ca_def = find_ca_def(ctx.conf, issuer.id)
+                assert issuer_ca_def, f"CA cert ID not found: 0x{issuer.id:04x}"
+                crl_url_list = issuer_ca_def.crl_distribution_points
+
             cli_info(f"\nCreating 0x{cd.id:04x}: '{cd.label}' ({signer})")
             cli_info(indent(pretty_x509_info(x509_info), "    "))
 
@@ -184,7 +191,7 @@ def _do_it(ses: HSMSession|None):
                 builder = X509CertBuilder(ctx.conf, x509_ca.x509_info, priv_key)
                 if issuer_cert:
                     assert issuer_key
-                    id_to_cert_obj[cd.id] = builder.build_and_sign(issuer_cert, issuer_key, x509_ca.crl_distribution_points)
+                    id_to_cert_obj[cd.id] = builder.build_and_sign(issuer_cert, issuer_key, crl_url_list)
                     # NOTE: We'll assume all signed certs on HSM are CA -- fix this if storing leaf certs for some reason
                     issues = X509IntermediateCACertificateChecker(id_to_cert_obj[cd.id]).check_and_show_issues()
                     cert_issues.append((cd, issues))

diff --git a/run-tests.sh b/run-tests.sh
@@ -151,9 +151,18 @@ test_tls_certificates() {
     run_cmd -q x509 cert get --all | openssl x509 -text -noout
     assert_success
 
+    for CERT in cert_tls-t1-rsa3072  cert_tls-t1-ed25519_ed25519-root  cert_tls-t1-ecp384_ecp384-root; do
+        # Check that intermediate's CRL distribution point is set to root-signed one
+        local intermediate_cert=$(run_cmd -q x509 cert get $CERT | openssl x509 -in /dev/stdin -text -noout)
+        assert_success
+        echo "$intermediate_cert"
+        assert_grep "URI:http.*/root-a1-.*crl" "$intermediate_cert"
+    done
+
     for KEYTYPE in ed25519 ecp256 ecp384 rsa3072; do
         KEYBITS=$(echo $KEYTYPE | sed -E 's/[^0-9]//g')
 
+        # Generate a server (end-entity) certificate
         local output=$(run_cmd tls server-cert --out $TEMPDIR/www-example-com_$KEYTYPE.pem --common-name www.example.com --san-dns www.example.org --san-ip 192.168.0.1 --san-ip fd12:123::80 --keyfmt $KEYTYPE)
         assert_success
         echo "$output"