mozilla / crlite

WebPKI-level Certificate Revocation via Multi-Level Bloom Filter Cascade
http://www.cs.umd.edu/~dml/papers/crlite_oakland17.pdf
Mozilla Public License 2.0

rust-create-cascade: avoid duplicate insertion of revoked serials #299

Closed jschanck closed 6 months ago

jschanck commented 6 months ago

On Jan 31 a certificate was issued by GLOBALTRUST 2020 SERVER OV 1 with serial number 32daef359edc5cdaa0b9fa. The same serial number was used in a precertificate with a different validity period. This serial number collision caused the CRLite ct-fetch process to store the same serial number in two different issuer+notAfter bins in its database, which caused the serial number to appear twice in the "known" list for the issuer.

Rust-create-cascade assumes that it cannot store the full "known" list in memory, so it does not check for duplicates. When rust-create-cascade is building a filter, it iterates over the known list and checks whether the serial is in the "revoked" set. If it is, rust-create-cascade inserts the serial into the filter.

The duplicate serial number caused rust-create-cascade to insert the same issuer+serial key into the filter twice. This triggered a safety check built into rust-cascade, which caused rust-create-cascade to exit without producing a filter.

This patch removes serials from the "revoked" set as they are used, so that duplicate entries in the "known" list will not cause this problem.
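
The failure and the fix described above, as an added example that is not code from this PR or from rust-create-cascade. The function names, the `HashSet` standing in for the filter and its duplicate check, and every sample serial other than the one quoted in the description are assumptions made for illustration.

```rust
use std::collections::HashSet;

// Hypothetical stand-in for the filter's safety check described in the PR:
// inserting the same key twice is an error.
fn checked_insert(filter: &mut HashSet<String>, key: &str) -> Result<(), String> {
    if filter.insert(key.to_string()) {
        Ok(())
    } else {
        Err(format!("duplicate key: {}", key))
    }
}

// Before the patch: every entry of `known` that is in `revoked` is inserted.
fn build_without_removal(known: &[&str], revoked: &HashSet<String>) -> Result<usize, String> {
    let mut filter = HashSet::new();
    for serial in known {
        if revoked.contains(*serial) {
            checked_insert(&mut filter, serial)?;
        }
    }
    Ok(filter.len())
}

// After the patch: a serial leaves `revoked` when it is used, so a repeated
// entry in `known` no longer matches and is skipped.
fn build_with_removal(known: &[&str], mut revoked: HashSet<String>) -> Result<usize, String> {
    let mut filter = HashSet::new();
    for serial in known {
        if revoked.remove(*serial) {
            checked_insert(&mut filter, serial)?;
        }
    }
    Ok(filter.len())
}

// Constructed input: the serial from the PR occurs twice in the known list.
fn sample() -> (Vec<&'static str>, HashSet<String>) {
    let known = vec!["32daef359edc5cdaa0b9fa", "01ab", "32daef359edc5cdaa0b9fa", "02cd"];
    let revoked = ["32daef359edc5cdaa0b9fa", "02cd"].iter().map(|s| s.to_string()).collect();
    (known, revoked)
}

fn main() {
    let (known, revoked) = sample();
    println!("without removal: {:?}", build_without_removal(&known, &revoked));
    println!("with removal:    {:?}", build_with_removal(&known, revoked));
}
```

Removing from the revoked set keeps memory bounded by the revoked set rather than the known list, which matches the constraint the description gives for not deduplicating the known list directly.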