Scope of reasons for revocation #104

Closed
zzzsz opened this issue Aug 30, 2024 · 4 comments · Fixed by #112
Labels
bug Something isn't working

zzzsz commented Aug 30, 2024

Why are there only keyCompromise, affiliationChanged, superseded, cessationOfOperation, and privilegeWithdrawn reasons for revocation? I did not find such a revocation range restriction in RFC 5280.

And why can revocation reason cACompromise only exist in a CA CRL? My point is that if a leaf certificate is revoked because the CA is compromised, then its revocation reason should also be cACompromise.

```python
def create_reason_code_validator(
        crl_type: crl.CertificateRevocationListType
):
    allowed_reasons = [
        rfc5280.CRLReason.namedValues[r]
        for r in [
            'keyCompromise',
            'affiliationChanged',
            'superseded',
            'cessationOfOperation',
            'privilegeWithdrawn',
        ]
    ]

    if crl_type == crl.CertificateRevocationListType.ARL:
        allowed_reasons.append(rfc5280.CRLReason.namedValues['cACompromise'])

    return crl_extension.CrlReasonCodeAllowlistValidator(
        allowed_reason_codes=allowed_reasons
    )
```

Collaborator

CBonnell commented Sep 3, 2024

The restriction is from X.509 (08/2005), clause 8.5.2.2:

> cACompromise is used in revoking a CA-certificate; it indicates that it is known or suspected that the subject's private key, or other aspects of the subject validated in the certificate, have been compromised;

Thus, the cACompromise reason code is only appropriate for revoking CA certificates.

@CBonnell CBonnell added the question Further information is requested label Sep 3, 2024
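
The allowlist behaviour discussed above, as an added stand-alone example (not the project's code and not part of the thread): it decodes the DER ENUMERATED value of each entry's reasonCode extension and reports reasons outside the allowlist, which admits cACompromise only for an ARL. `CrlType`, `decode_reason_code`, `prohibited_entries` and the sample entries are constructed for illustration, and skipping entries that lack the extension is an assumption of this sketch.

```python
from enum import Enum

# CRLReason values from RFC 5280, section 5.3.1 (7 is unused).
CRL_REASON = {
    0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
    10: "aACompromise",
}

class CrlType(Enum):  # hypothetical stand-in for the project's CRL type enum
    CRL = "crl"  # covers end-entity certificates
    ARL = "arl"  # covers CA certificates

# The five reasons listed in the snippet quoted in this issue.
BASE_ALLOWED = frozenset({
    "keyCompromise", "affiliationChanged", "superseded",
    "cessationOfOperation", "privilegeWithdrawn",
})

def decode_reason_code(extn_value: bytes) -> str:
    """Decode a reasonCode extension value: DER ENUMERATED, one content octet."""
    if len(extn_value) != 3 or extn_value[:2] != b"\x0a\x01":
        raise ValueError("reasonCode is not a single-octet DER ENUMERATED")
    if extn_value[2] not in CRL_REASON:
        raise ValueError(f"undefined CRLReason value {extn_value[2]}")
    return CRL_REASON[extn_value[2]]

def prohibited_entries(crl_type, entries):
    """Return (serial, reason) for each entry whose reason is not allowed."""
    allowed = set(BASE_ALLOWED)
    if crl_type is CrlType.ARL:
        allowed.add("cACompromise")  # CA certificates only
    findings = []
    for serial, extn_value in entries:
        if extn_value is None:  # assumption: an absent extension is not checked here
            continue
        reason = decode_reason_code(extn_value)
        if reason not in allowed:
            findings.append((serial, reason))
    return findings

# Constructed revoked-certificate entries: (serial number, reasonCode extnValue).
SAMPLE_ENTRIES = [
    (0x1001, bytes.fromhex("0a0101")),  # keyCompromise
    (0x1002, bytes.fromhex("0a0102")),  # cACompromise
    (0x1003, None),                     # no reasonCode extension
    (0x1004, bytes.fromhex("0a0106")),  # certificateHold
]
```
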
Author

zzzsz commented Sep 4, 2024

I have a question. What is the range of pkix in the error message pkix.xxx written in your code? For example pkix.crl_prohibited_reason_code.

At first I thought the scope of pkix refers to RFC, but now you say that the scope of cACompromise comes from ITU's X.509, which confuses me.
Also, why not just set the error message of CrlReasonCodeAllowlistValidator to itu.xxx?

Collaborator

CBonnell commented Sep 4, 2024

Your understanding of the finding code classifications is correct. This finding code should be prefixed with "itu" instead of "pkix".

I'll mark this as a bug and look into getting this fixed.

@CBonnell CBonnell added bug Something isn't working and removed question Further information is requested labels Sep 4, 2024
@zzzsz zzzsz closed this as completed Sep 5, 2024
@CBonnell CBonnell reopened this Sep 5, 2024
Collaborator

CBonnell commented Sep 5, 2024

Keeping this open so the finding code can be fixed.

@zzzsz zzzsz closed this as completed Sep 6, 2024
@zzzsz zzzsz reopened this Sep 6, 2024
@CBonnell CBonnell linked a pull request Sep 27, 2024 that will close this issue