NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

Empty revokedCertificates in CRLs #1197

Open botovq opened 1 month ago

botovq commented 1 month ago

I noticed that about 15% of CRLs in the RPKI currently contain an empty list of revoked certificates. I suspect this is a bug in either krill or rpki-rs (or both).

Per RFC 5280, section 5.1.2.6: "When there are no revoked certificates, the revoked certificates list MUST be absent."

I suspect that Revocations::to_crl_entries() returns a zero-length vector if there are no certificates to revoke

https://github.com/NLnetLabs/krill/blob/33e072ef44e60e1e9bdadc153ffc1f809d1f7912/src/commons/api/ca.rs#L728-L733

which rpki-rs's RevokedCertificates::encode_ref() then encodes as an empty sequence.

Presumably the TbsCertList either needs to turn the revoked_certs into an Option<C> or its encoding needs to handle the empty sequence specially.

partim commented 3 weeks ago

Thank you for the report! This should be relatively easy to fix directly in rpki-rs – if the RevokedCertificates are empty, don’t encode the outer sequence either.
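The two encodings under discussion side by side, as an added example that is not code from krill or rpki-rs: a hand-rolled, std-only DER encoder writes the revokedCertificates SEQUENCE unconditionally (the form botovq found in about 15% of RPKI CRLs) and, next to it, the RFC 5280 section 5.1.2.6 form that partim proposes, where an empty list means the field is absent (`Option<Vec<u8>>` here, standing in for the `Option<C>` idea from the report). A small parser then checks a TBSCertList for a zero-length SEQUENCE, which is the kind of check a relying-party monitor can run over fetched CRLs. The struct and function names, the sample issuer name and dates, and the heuristic that no other top-level SEQUENCE of a TBSCertList is ever empty are all assumptions of this example.

```rust
// Added example, not krill or rpki-rs code. Hand-rolled DER helpers (std only)
// showing the encoding the issue describes (an empty revokedCertificates
// SEQUENCE) next to the RFC 5280 5.1.2.6 encoding (field omitted when empty),
// plus a check that flags the non-conformant form in a TBSCertList.

/// DER length octets: short form below 128, long form otherwise.
fn der_len(len: usize) -> Vec<u8> {
    if len < 0x80 {
        return vec![len as u8];
    }
    let mut bytes = Vec::new();
    let mut n = len;
    while n > 0 {
        bytes.push((n & 0xff) as u8);
        n >>= 8;
    }
    bytes.reverse();
    let mut out = vec![0x80 | bytes.len() as u8];
    out.extend(bytes);
    out
}

/// Wrap `content` as a TLV with the given tag.
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(content.len()));
    out.extend_from_slice(content);
    out
}

/// One revokedCertificates entry (hypothetical struct): serial and UTCTime date.
pub struct CrlEntry {
    pub serial: u64,
    pub revocation_date: &'static str,
}

/// SEQUENCE { userCertificate INTEGER, revocationDate UTCTime }
pub fn encode_entry(e: &CrlEntry) -> Vec<u8> {
    // Minimal big-endian INTEGER; a leading zero keeps it non-negative.
    let mut serial = e.serial.to_be_bytes().to_vec();
    while serial.len() > 1 && serial[0] == 0 {
        serial.remove(0);
    }
    if serial[0] & 0x80 != 0 {
        serial.insert(0, 0);
    }
    let mut content = der_tlv(0x02, &serial);
    content.extend(der_tlv(0x17, e.revocation_date.as_bytes()));
    der_tlv(0x30, &content)
}

/// The behaviour reported in the issue: the SEQUENCE is always written, so an
/// empty entry list becomes the two bytes 30 00.
pub fn encode_revoked_always(entries: &[CrlEntry]) -> Vec<u8> {
    let content: Vec<u8> = entries.iter().flat_map(encode_entry).collect();
    der_tlv(0x30, &content)
}

/// RFC 5280 form: the field is absent (None) when there is nothing to revoke.
pub fn encode_revoked_conformant(entries: &[CrlEntry]) -> Option<Vec<u8>> {
    if entries.is_empty() {
        None
    } else {
        Some(encode_revoked_always(entries))
    }
}

/// Minimal TBSCertList with constructed sample issuer and dates; the caller
/// supplies the revokedCertificates encoding, or None to omit the field.
pub fn tbs_cert_list(revoked: Option<Vec<u8>>) -> Vec<u8> {
    let mut body = der_tlv(0x02, &[0x01]); // version v2
    let mut alg = der_tlv(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
    alg.extend(der_tlv(0x05, &[])); // sha256WithRSAEncryption, NULL params
    body.extend(der_tlv(0x30, &alg)); // signature
    let mut atv = der_tlv(0x06, &[0x55, 0x04, 0x03]); // id-at-commonName
    atv.extend(der_tlv(0x13, b"Example CA"));
    body.extend(der_tlv(0x30, &der_tlv(0x31, &der_tlv(0x30, &atv)))); // issuer
    body.extend(der_tlv(0x17, b"240101000000Z")); // thisUpdate
    body.extend(der_tlv(0x17, b"240201000000Z")); // nextUpdate
    if let Some(r) = revoked {
        body.extend(r);
    }
    der_tlv(0x30, &body)
}

/// Parse the TLV at `buf[pos..]`: (tag, content start, content end), or None
/// if the input is truncated or uses an unsupported length form.
fn parse_tlv(buf: &[u8], pos: usize) -> Option<(u8, usize, usize)> {
    let tag = *buf.get(pos)?;
    let first = *buf.get(pos + 1)?;
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 {
            return None;
        }
        let mut len = 0usize;
        for i in 0..n {
            len = (len << 8) | *buf.get(pos + 2 + i)? as usize;
        }
        (len, 2 + n)
    };
    let start = pos + hdr;
    let end = start.checked_add(len)?;
    if end > buf.len() {
        return None;
    }
    Some((tag, start, end))
}

/// Flags a TBSCertList whose revokedCertificates SEQUENCE is present but empty.
/// Simplification (assumption): no other top-level SEQUENCE of a TBSCertList
/// (signature, issuer) can be empty, so a zero-length SEQUENCE is that field.
pub fn has_empty_revoked_list(tbs: &[u8]) -> bool {
    let (mut pos, end) = match parse_tlv(tbs, 0) {
        Some((0x30, start, end)) => (start, end),
        _ => return false,
    };
    while pos < end {
        match parse_tlv(tbs, pos) {
            Some((tag, start, next)) => {
                if tag == 0x30 && start == next {
                    return true;
                }
                pos = next;
            }
            None => return false,
        }
    }
    false
}

fn main() {
    let buggy = tbs_cert_list(Some(encode_revoked_always(&[])));
    let fixed = tbs_cert_list(encode_revoked_conformant(&[]));
    println!("empty list, always-encoded: flagged = {}", has_empty_revoked_list(&buggy));
    println!("empty list, RFC 5280 form:  flagged = {}", has_empty_revoked_list(&fixed));
}
```

With an empty entry list the first builder emits the two bytes `30 00` and the checker flags the CRL; the second builder returns `None`, the field is simply not written, and the checker stays quiet. With one or more entries both builders produce identical bytes, which is why the bug only surfaces on CAs that have never revoked anything.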