maxRequests and issuerName in DownloadCARevocationRequests don't work as expected

[andrew-entrust]

Problems

The API request used to “downloadRevocationRequests” accepts two parameters, and neither of which work as expected. Furthermore, the Endpoint being queried is not documented and doesn’t appear to have any pagination features.

Request Parameter: issuerName:

• Expected Behavior: Should return a list of certificates to be revoked which were issued by the “issuerName”.
• Actual Behavior: issuerName maps to caConfiguration.
• Concerns about fixing: All existing integrations between InTune and 3rd Party SCEP Certificate Authorities rely on this incorrect mapping. Any existing integration which makes use of this parameter will need to be updated should the behavior of the API be corrected.

Request Parameter: maxRequests:

• Expected Behavior: Submitting a request with both "issuerName" and "maxRequests" defined should return a list of certificates issued by "issuerName". The list should contain at most "maxRequests" certificates for revocation.
• Actual Behavior: It appears like the order of operations on the back-end is incorrect. “issuerName” filtering seems to be getting applied only after truncating the response to based on the value of “maxRequests”. A result of the above behavior is that the list of "CARevocationRequests" returned to the 3rd Party SCEP Certificate Authority may be "empty" instead of actually containing a list of certificates to revoke.
• Reason why this needs to be fixed: Revoked certificates should never be used. The moment a Certificate is marked for revocation, the Certificate Authority has a responsibility to actually revoke that certificate, and furthermore to notify all clients of the revocation using methods such as CRLs or OCSP. If a Certificate Authority lacks the ability to reliably know which certificate need to be revoked, then the certificates issued from that Certificate Authority cannot be trusted.

Samples

maxRequests=10. issuerName=testb3d9b17c51~testroot Expected Response given the fact that issuerName is mismatched: A list of 4 certificates to be revoked. Actual Response: 0 Certificates (empty response).

{
  "@odata.context":https://fef.msua01.manage.microsoft.com/RACerts/StatelessPkiConnectorService/6fc027cc-ffff-0265-1009-102518023364/$metadata#Collection(microsoft.management.services.api.caRevocationRequest),"value":[

  ]

} 

maxRequests=500. issuerName=testb3d9b17c51~testroot Expected Response given the fact that issuerName is mismatched: A list of 4 certificates to be revoked. Actual Response: A list of 4 certificates to be revoked.

{
  "@odata.context":https://fef.msua01.manage.microsoft.com/RACerts/StatelessPkiConnectorService/6fc027cc-ffff-0965-1009-102517542417/$metadata#Collection(microsoft.management.services.api.caRevocationRequest),"value":[
    {
      "requestContext":"2:092d620fb3d30a731a0454f4791398e0c350a212:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"7dafad71a092690b8eb030dae55348c2","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:7b75c4206d059a4e0ac335c2589b96fb21203c3f:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"55f05c880048d6f487db7927d83808ee","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:d7136ebeb113f1ce42b568f612b4e6ccbdcc4625:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"408d5cbf6fe165f84a17629efa38286c","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    },{
      "requestContext":"2:d89db377283350b6abe362a479479ac71deb1c51:5b2726c0-dbe3-40c9-998d-d080b96e9404:a61791ec-36fb-4ffc-8a89-62a2a8dda771","serialNumber":"67b2d0faeaf43d673880b6bd3bcb0756","issuerName":"CN=Root CA,OU=Smoke Test,O=Entrust","caConfiguration":"testb3d9b17c51~testroot"
    }
  ]

} 

Questions

We were left with the following questions after experiencing the above behavior:

1. Why does a request of maxResults=10 return with a list of 0 certificates, but a request with maxResults=500 returns with a list of 4 certificates. Our assumption was that this is due to an error with the order of operations (truncating before filtering) in the backend.
2. If there is actually an issue with regards to the order of operations (i.e. truncating the list prior to filtering the list), then how can we guarantee that the list returned for maxRequest=500 is actually the full list of certificates? There doesn't appear to be any kind of pagination feature for this API endpoint... does one exist?
3. Where is the documentation for the StatelessPkiConnectorService?