[gnutls-devel] Revoked certificate count in CRL is capped at 34

Zsolt Horvath zsolt.horvath at skype.net
Wed Aug 12 18:32:44 CEST 2015 

Dear Team,

I am working on a small project where I'm planning to do periodic CRL generation with GNUTLS from concatenated to-be-revoked-certificates. The CRL is generated as per the guide:

     certtool --generate-crl --load-ca-privkey $CAPRIVKEY \
        --load-ca-certificate $CACERT \
        --load-certificate syssec-int.pem \
        --template infosec-vpn-int.cfg \
        --d 900

The template is really simple:
# Options for generating a CRL

# next CRL update will be in 43 days
crl_next_update = 43

# this is the 7th CRL by this CA
crl_number = 7

When running the command this is what I see in the debug:
Setting log level to 900
Generating a signed CRL...
Loading certificate list...
|<2>| ASSERT: x509_b64.c:485
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN X509 CERTIFICATE'
|<2>| ASSERT: x509.c:200
Loaded 34 certificates.
Update times.

|<2>| ASSERT: dn.c:305
|<2>| ASSERT: crl.c:789
X.509 Certificate Revocation List Information:
        Version: 2
        Issuer: <snip>
        Update dates:
                Issued: Wed Aug 12 15:39:16 UTC 2015
                Next at: Thu Sep 24 15:39:16 UTC 2015
        Extensions:
                Authority Key Identifier (not critical):
                        655c2d73509da33031986648e57d47df78319aa9
                CRL Number (not critical): 07
        Revoked certificates (34):
<snip>

However:
certtool -i --infile syssec-int.pem | grep -i subject: | wc -l
329

Using stock certtool on Debian Wheezy:
certtool (GnuTLS) 2.12.20
Packaged by Debian (2.12.20-8+deb7u3)

And on Debian Jessie:
certtool 3.3.8

I know the Debian supplied versions are always lagging behind, but I haven't seen any open/fixed bugs with this issue.

One thing that might be important to mention is that the certificates have been issued by openssl originally, but as the debug doesn't say anything if it had problems with the formatting or anything I assume this is not a problem.

Also, as far as I learned, there should be no reason of any capping, as I read there could be CRLs with size reaching several MBs so I am suspecting that there is either a bug with files having too many certs in them or something is missing from the documentation.

Looking forward to hearing from you,
Zsolt


--
Zsolt Horvath
Systems Security Analyst
CCIE#23475 (Security, R&S); CCDP
Skype

see & chat: koma931
write: zsolt.horvath at skype.net<mailto:zsolt.horvath at skype.net>
speak: +44 7814 144424

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150812/8adec399/attachment-0001.html>

More information about the Gnutls-devel mailing list