GSA / gsa-doc-digital-signature

This tool is deprecated. Please follow these new procedures - https://playbooks.idmanagement.gov/signfedregister/

Revocation checking sometimes finds multiple issuer certs #25

Open djpackham opened 7 years ago

djpackham commented 7 years ago

New issue today where user's tool would hang at 80% complete. Looking at the logs and more into the code, seems like there may need to be an update to the revocationCheck method. Should only find one issuer that matches I believe.

NFO: Found a match! The issuer of the end-entity cert's serial number is: 1149264853
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Seeing if their is a match between the end-entity issuerDN and certificates in p7c file subjectDN
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Found a match! The issuer of the end-entity cert's serial number is: 1149213983

powell-ofr commented 7 years ago

I had a new user from Dept. of Commerce call me with the same “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. They're fine now but I'm curious about this and why it's happening now.

Lee Powell OFR

lachellel commented 7 years ago

@djpackham

It's doing a check solely on Issuer DN (end entity) = Subject DN (parent): https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/microsoft/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L108

This will return more than 1 match. In the example log provided, both those serial numbers are the Entrust Managed Services SSP CA certs.

It could add this option:

djpackham commented 7 years ago

Thanks. This will need to be updated in the code.

To get by for now a quick fix is to disable or "uncheck" the Revocation Checking setting. You can do this by going to the top menu -> click options -> click "Revocation Checking".

lachellel commented 6 years ago

Link to the mac source with the same issue: https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/apple/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L95

Additional item:

powell-ofr commented 6 years ago

Another regular user from Dept. of Commerce started getting the “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. The gradual expansion of this problem among users indicates (to me, anyway) that some recent update (OS, MS Office, or Java) negatively impacts tool compatibility.

Lee Powell OFR
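
One way to disambiguate the issuer lookup discussed in this thread, as an added example that is neither the project's code nor the option proposed in the comments above: keep the issuer DN = subject DN comparison, but accept a candidate only if its public key verifies the end-entity certificate's signature. The class name `IssuerSelection`, the method `selectIssuer` and the two command-line file arguments are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class IssuerSelection {
    // Hypothetical helper: returns the candidate whose subject DN matches the
    // end-entity issuer DN AND whose public key verifies the end-entity signature.
    static X509Certificate selectIssuer(X509Certificate endEntity,
                                        List<X509Certificate> candidates) {
        for (X509Certificate ca : candidates) {
            // DN equality alone is ambiguous: one CA name can appear on
            // several certificates in the same p7c file.
            if (!ca.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal())) {
                continue;
            }
            try {
                endEntity.verify(ca.getPublicKey());
                // A second candidate that also verifies carries the same key.
                return ca;
            } catch (GeneralSecurityException e) {
                // Same name, different key: keep looking.
            }
        }
        // Fail closed instead of guessing between ambiguous matches.
        throw new IllegalStateException("No issuer certificate verifies the signature");
    }

    // Usage: java IssuerSelection <end-entity cert file> <issuer p7c file>
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate endEntity;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            endEntity = (X509Certificate) cf.generateCertificate(in);
        }
        List<X509Certificate> candidates = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            for (Certificate c : cf.generateCertificates(in)) {
                candidates.add((X509Certificate) c);
            }
        }
        X509Certificate issuer = selectIssuer(endEntity, candidates);
        System.out.println("Issuer serial number: " + issuer.getSerialNumber());
    }
}
```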