I noticed that about 15% of CRLs in the RPKI currently contain an empty list of revoked certificates. I suspect this is a bug in either krill or rpki-rs (or both).
Per RFC 5280, section 5.1.2.6: "When there are no revoked certificates, the revoked certificates list MUST be absent."
I suspect that Revocations::to_crl_entries() returns a zero-length vector if there are no certificates to revoke
Thank you for the report! This should be relatively easy to fix directly in rpki-rs – if the RevokedCertificates are empty, don’t encode the outer sequence either.
I suspect that Revocations::to_crl_entries() returns a zero-length vector if there are no certificates to revoke (https://github.com/NLnetLabs/krill/blob/33e072ef44e60e1e9bdadc153ffc1f809d1f7912/src/commons/api/ca.rs#L728-L733), which rpki-rs's RevokedCertificates::encode_ref() then encodes as an empty sequence. Presumably the TbsCertList either needs to turn the revoked_certs into an Option<C> or its encoding needs to handle the empty sequence specially.
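An added example (not code from rpki-rs or krill) showing the two possible encodings of revokedCertificates side by side, plus a check that flags the non-compliant empty SEQUENCE inside a DER TBSCertList; the TLV reader, the sample TBSCertList and the CRL entry bytes are constructed for this example.

```rust
/// Split one DER TLV off the front of `buf`: (tag, contents, remainder).
/// Short-form and one-byte long-form lengths only (enough for this example).
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *buf.first()?;
    let (len, hdr): (usize, usize) = match *buf.get(1)? {
        l if l < 0x80 => (l as usize, 2),
        0x81 => (*buf.get(2)? as usize, 3),
        _ => return None,
    };
    let end = hdr.checked_add(len)?;
    if end > buf.len() { return None; }
    Some((tag, &buf[hdr..end], &buf[end..]))
}

/// revokedCertificates for a TBSCertList. With `compliant`, an empty entry list
/// yields no bytes at all (RFC 5280 5.1.2.6); without it, an empty SEQUENCE
/// (30 00), which is the encoding reported in this issue.
fn encode_revoked_certificates(entries: &[&[u8]], compliant: bool) -> Vec<u8> {
    if entries.is_empty() && compliant { return Vec::new(); }
    let body = entries.concat();
    assert!(body.len() < 0x80, "short-form length only in this example");
    let mut out = vec![0x30, body.len() as u8];
    out.extend_from_slice(&body);
    out
}

/// True if a DER TBSCertList carries an empty revokedCertificates SEQUENCE.
/// Field order (RFC 5280 5.1): [version] signature issuer thisUpdate [nextUpdate] [revokedCertificates] [crlExtensions].
fn has_empty_revoked_list(tbs: &[u8]) -> bool {
    let mut rest = match read_tlv(tbs) { Some((0x30, body, _)) => body, _ => return false };
    let mut fields = Vec::new();
    while let Some((tag, body, next)) = read_tlv(rest) {
        fields.push((tag, body.len()));
        rest = next;
    }
    let mut i = 0;
    if matches!(fields.get(i), Some((0x02, _))) { i += 1; } // optional version INTEGER
    i += 2; // signature AlgorithmIdentifier, issuer Name
    if !matches!(fields.get(i), Some((0x17 | 0x18, _))) { return false; } // thisUpdate
    i += 1;
    if matches!(fields.get(i), Some((0x17 | 0x18, _))) { i += 1; } // optional nextUpdate
    matches!(fields.get(i), Some((0x30, 0))) // an empty SEQUENCE here is the bug
}

/// Constructed sample TBSCertList (v2, sha256WithRSAEncryption, issuer CN=test,
/// thisUpdate and nextUpdate as UTCTime) with the given revokedCertificates bytes appended.
fn build_tbs_cert_list(revoked: &[u8]) -> Vec<u8> {
    let mut body = vec![0x02, 0x01, 0x01];
    body.extend_from_slice(&[0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00]);
    body.extend_from_slice(&[0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x04, b't', b'e', b's', b't']);
    body.extend_from_slice(b"\x17\x0d240101000000Z\x17\x0d240201000000Z");
    body.extend_from_slice(revoked);
    let mut out = vec![0x30, body.len() as u8];
    out.extend_from_slice(&body);
    out
}
```

Running has_empty_revoked_list over the tbsCertList of each fetched CRL is a cheap way for a relying-party operator to measure how many publication points still emit the empty-SEQUENCE form.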