
Empty revokedCertificates in CRLs

Open botovq opened this issue 1 year ago • 1 comment

I noticed that about 15% of CRLs in the RPKI currently contain an empty list of revoked certificates. I suspect this is a bug in either krill or rpki-rs (or both).

Per RFC 5280, section 5.1.2.6: "When there are no revoked certificates, the revoked certificates list MUST be absent."

I suspect that Revocations::to_crl_entries() returns a zero-length vector if there are no certificates to revoke

https://github.com/NLnetLabs/krill/blob/33e072ef44e60e1e9bdadc153ffc1f809d1f7912/src/commons/api/ca.rs#L728-L733

which rpki-rs's RevokedCertificates::encode_ref() then encodes as an empty sequence.

Presumably the TbsCertList either needs to turn the revoked_certs into an Option<C> or its encoding needs to handle the empty sequence specially.

botovq avatar May 21 '24 17:05 botovq

Thank you for the report! This should be relatively easy to fix directly in rpki-rs – if the RevokedCertificates are empty, don't encode the outer sequence either.

partim avatar Jun 11 '24 14:06 partim
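To make the encoding rule discussed above concrete, here is an added example (not krill or rpki-rs code, and not the actual fix that landed): a minimal DER toolkit that writes the `revokedCertificates` field in the buggy shape the report describes (the SEQUENCE OF is emitted unconditionally, so zero entries become the two bytes `30 00`) and in the shape the reply proposes (no entries, no outer SEQUENCE, so the OPTIONAL field is absent as RFC 5280 section 5.1.2.6 requires), plus a small checker that walks a TBSCertList and reports which of the two it finds. All names (`encode_revoked_certs_buggy`, `encode_revoked_certs_fixed`, `inspect_revoked_certificates`, `RevokedField`) are hypothetical; the TBSCertList is a constructed toy with a fixed issuer and dates and without CRL extensions or a signature, so it is not an RPKI-conformant CRL, only enough structure to locate the field.

```rust
// Added example, not project code. Hand-rolled DER for the few universal
// tags a TBSCertList needs; a real checker would use a full X.509 library.
const TAG_INTEGER: u8 = 0x02;
const TAG_NULL: u8 = 0x05;
const TAG_OID: u8 = 0x06;
const TAG_PRINTABLE_STRING: u8 = 0x13;
const TAG_UTC_TIME: u8 = 0x17;
const TAG_GENERALIZED_TIME: u8 = 0x18;
const TAG_SEQUENCE: u8 = 0x30;
const TAG_SET: u8 = 0x31;

/// DER length octets: short form below 128, long form otherwise.
fn der_len(n: usize) -> Vec<u8> {
    if n < 0x80 {
        return vec![n as u8];
    }
    let bytes: Vec<u8> = n.to_be_bytes().iter().copied().skip_while(|&b| b == 0).collect();
    let mut out = vec![0x80 | bytes.len() as u8];
    out.extend(bytes);
    out
}

/// Wrap `content` in a tag-length-value triple.
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(content.len()));
    out.extend_from_slice(content);
    out
}

/// One CRL entry (hypothetical type): DER-ready serial bytes and a UTCTime string.
struct RevokedCert {
    serial: Vec<u8>,
    revocation_date: &'static str,
}

fn encode_entry(e: &RevokedCert) -> Vec<u8> {
    let mut body = der_tlv(TAG_INTEGER, &e.serial);
    body.extend(der_tlv(TAG_UTC_TIME, e.revocation_date.as_bytes()));
    der_tlv(TAG_SEQUENCE, &body)
}

/// Buggy shape described in the issue: the SEQUENCE OF is always written,
/// so an empty entry list turns into an empty SEQUENCE (30 00).
fn encode_revoked_certs_buggy(entries: &[RevokedCert]) -> Vec<u8> {
    let body: Vec<u8> = entries.iter().flat_map(|e| encode_entry(e)).collect();
    der_tlv(TAG_SEQUENCE, &body)
}

/// Proposed shape: with no entries the OPTIONAL field is absent, i.e. zero bytes.
fn encode_revoked_certs_fixed(entries: &[RevokedCert]) -> Vec<u8> {
    if entries.is_empty() {
        return Vec::new();
    }
    let body: Vec<u8> = entries.iter().flat_map(|e| encode_entry(e)).collect();
    der_tlv(TAG_SEQUENCE, &body)
}

/// Constructed toy TBSCertList: version, signature algorithm, issuer CN=test,
/// thisUpdate, nextUpdate, then the caller's revokedCertificates bytes (maybe none).
fn build_tbs_cert_list(revoked_field: &[u8]) -> Vec<u8> {
    let mut body = der_tlv(TAG_INTEGER, &[0x01]); // version v2
    let mut alg = der_tlv(TAG_OID, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
    alg.extend(der_tlv(TAG_NULL, &[])); // sha256WithRSAEncryption, NULL params
    body.extend(der_tlv(TAG_SEQUENCE, &alg));
    let mut atv = der_tlv(TAG_OID, &[0x55, 0x04, 0x03]); // id-at-commonName
    atv.extend(der_tlv(TAG_PRINTABLE_STRING, b"test"));
    let rdn = der_tlv(TAG_SET, &der_tlv(TAG_SEQUENCE, &atv));
    body.extend(der_tlv(TAG_SEQUENCE, &rdn));
    body.extend(der_tlv(TAG_UTC_TIME, b"240521000000Z")); // thisUpdate
    body.extend(der_tlv(TAG_UTC_TIME, b"240522000000Z")); // nextUpdate
    body.extend_from_slice(revoked_field);
    der_tlv(TAG_SEQUENCE, &body)
}

/// Parse one TLV at `pos`; returns (tag, content, position after the value).
fn read_tlv(buf: &[u8], pos: usize) -> Result<(u8, &[u8], usize), String> {
    let tag = *buf.get(pos).ok_or("truncated tag")?;
    let first = *buf.get(pos + 1).ok_or("truncated length")?;
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 {
            return Err("unsupported length form".into());
        }
        let lb = buf.get(pos + 2..pos + 2 + n).ok_or("truncated length")?;
        (lb.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), 2 + n)
    };
    let start = pos + hdr;
    let end = start.checked_add(len).ok_or("length overflow")?;
    let content = buf.get(start..end).ok_or("truncated value")?;
    Ok((tag, content, end))
}

#[derive(Debug, PartialEq)]
enum RevokedField {
    Absent,
    EmptySequence, // present but empty: violates RFC 5280 5.1.2.6
    Entries(usize),
}

/// Walk a TBSCertList up to the optional revokedCertificates field and classify it.
fn inspect_revoked_certificates(tbs_der: &[u8]) -> Result<RevokedField, String> {
    let (tag, tbs, _) = read_tlv(tbs_der, 0)?;
    if tag != TAG_SEQUENCE {
        return Err("TBSCertList is not a SEQUENCE".into());
    }
    let mut pos = 0;
    let (t, _, next) = read_tlv(tbs, pos)?; // version is OPTIONAL
    if t == TAG_INTEGER {
        pos = next;
    }
    for _ in 0..2 { // signature AlgorithmIdentifier, issuer Name
        let (t, _, next) = read_tlv(tbs, pos)?;
        if t != TAG_SEQUENCE {
            return Err("expected SEQUENCE".into());
        }
        pos = next;
    }
    let (t, _, next) = read_tlv(tbs, pos)?; // thisUpdate
    if t != TAG_UTC_TIME && t != TAG_GENERALIZED_TIME {
        return Err("expected Time".into());
    }
    pos = next;
    if pos < tbs.len() { // nextUpdate is OPTIONAL
        let (t, _, next) = read_tlv(tbs, pos)?;
        if t == TAG_UTC_TIME || t == TAG_GENERALIZED_TIME {
            pos = next;
        }
    }
    if pos >= tbs.len() {
        return Ok(RevokedField::Absent);
    }
    let (t, content, _) = read_tlv(tbs, pos)?;
    if t != TAG_SEQUENCE {
        return Ok(RevokedField::Absent); // e.g. [0] crlExtensions follows directly
    }
    if content.is_empty() {
        return Ok(RevokedField::EmptySequence);
    }
    let (mut n, mut p) = (0, 0);
    while p < content.len() {
        let (et, _, next) = read_tlv(content, p)?;
        if et != TAG_SEQUENCE {
            return Err("CRL entry is not a SEQUENCE".into());
        }
        n += 1;
        p = next;
    }
    Ok(RevokedField::Entries(n))
}

fn main() {
    let no_entries: [RevokedCert; 0] = [];
    let one = [RevokedCert { serial: vec![0x2a], revocation_date: "240520120000Z" }];
    for (label, field) in [
        ("buggy, 0 entries", encode_revoked_certs_buggy(&no_entries)),
        ("fixed, 0 entries", encode_revoked_certs_fixed(&no_entries)),
        ("fixed, 1 entry", encode_revoked_certs_fixed(&one)),
    ] {
        let tbs = build_tbs_cert_list(&field);
        println!("{label}: {:?}", inspect_revoked_certificates(&tbs));
    }
}
```

The checker deliberately stops at the tag of the element following the Time fields: an `[0]` context tag there means extensions follow and the field is absent, a `30 00` is the violation the report measured, and anything else is a counted list of entries. Run against real CRL files, the same classification would need the outer `CertificateList` SEQUENCE unwrapped first and the remaining DER strictness checks (minimal lengths, ordering) done by a proper library.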

Fixed in #1200 which accidentally referenced the wrong issue.

botovq avatar Jul 25 '24 08:07 botovq