Closed Tu2607 closed 3 years ago
Got a new error now, related to parsing the extensions:
Error:
code: 500
body: Internal Server Error: java.security.cert.CRLException: Short read of DER length
No certificates to list
at java.base/sun.security.x509.CRLExtensions.parseExtension(CRLExtensions.java:130)
at java.base/sun.security.x509.CRLExtensions.init(CRLExtensions.java:102)
at java.base/sun.security.x509.CRLExtensions.<init>(CRLExtensions.java:83)
at java.base/sun.security.x509.X509CRLImpl.parse(X509CRLImpl.java:1203)
at java.base/sun.security.x509.X509CRLImpl.<init>(X509CRLImpl.java:137)
at java.base/sun.security.provider.X509Factory.engineGenerateCRL(X509Factory.java:395)
at java.base/java.security.cert.CertificateFactory.generateCRL(CertificateFactory.java:513)
at org.bouncycastle.cert.jcajce.JcaX509CRLConverter.getCRL(Unknown Source)
at com.puppetlabs.ssl_utils.SSLUtils.pemToCRLs(SSLUtils.java:542)
at puppetlabs.ssl_utils.core$eval3278$pem__GT_crls__3283$fn__3284.invoke(core.clj:624)
at puppetlabs.ssl_utils.core$eval3278$pem__GT_crls__3283.invoke(core.clj:619)
at puppetlabs.ssl_utils.core$eval3326$pem__GT_ca_crl__3331$fn__3332.invoke(core.clj:640)
at puppetlabs.ssl_utils.core$eval3326$pem__GT_ca_crl__3331.invoke(core.clj:634)
at puppetlabs.puppetserver.certificate_authority$eval40327$get_certificate_statuses__40332$fn__40336.invoke(certificate_authority.clj:1607)
The openssl output after a prune
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=Puppet CA: TuVu-C02FJ00XML87.local
Last Update: Jul 12 23:59:48 2021 GMT
Next Update: Jul 12 23:59:49 2026 GMT
CRL extensions:
X509v3 CRL Number:
7
X509v3 Authority Key Identifier:
keyid:57:62:1C:98:A2:AE:8C:D5:57:10:80:F2:B4:63:41:5E:B8:C8:8B:E1
Revoked Certificates:
Serial Number: 03
Revocation Date: Jun 29 19:20:17 2021 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 04
Revocation Date: Jul 9 20:40:34 2021 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 05
Revocation Date: Jul 9 22:16:47 2021 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Serial Number: 06
Revocation Date: Jul 12 23:59:43 2021 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
Signature Algorithm: sha256WithRSAEncryption
95:09:a9:51:71:dc:24:07:39:01:97:ba:fe:cb:69:b7:46:f2:
4d:9c:2d:e1:e8:cb:e5:e3:32:10:1d:7d:18:97:1b:1f:14:b2:
46:d2:66:75:3c:ec:13:8f:c2:78:87:26:cf:ec:db:7c:b6:27:
43:4f:9b:d1:a8:91:a2:5f:10:a8:4c:12:67:1a:1c:36:ac:62:
98:87:02:79:3c:2e:ce:b8:ba:e5:24:16:5a:df:00:d5:79:49:
57:05:ab:0d:fa:3c:f4:09:ef:ff:61:bc:6f:93:f4:c0:85:13:
b1:30:70:18:26:82:bd:9b:f7:fe:ac:c3:bd:3a:60:c9:5a:a2:
b6:a8:4c:0e:a7:1f:e9:03:ab:46:4c:ec:5e:08:8a:3e:31:92:
61:6f:fe:ba:4d:95:48:b1:d3:9e:c7:df:fc:e6:9d:cf:6a:fc:
e9:0d:02:05:8a:a0:86:67:29:b6:0a:42:b2:ea:1d:fc:47:ee:
3f:0d:67:0b:8c:a7:9d:af:49:ae:a0:89:2d:78:0c:1a:bf:71:
d6:ca:c1:8f:7e:bc:ed:11:6d:2e:b6:4a:a7:7c:45:6e:a1:d7:
45:4c:ae:f2:61:25:0f:58:15:b3:99:1c:5f:e9:d5:5e:6e:0d:
a5:93:4b:d8:e4:27:e6:a2:06:3e:d4:d5:3c:67:75:ae:67:ee:
17:eb:8b:c7:83:fc:ef:37:9f:6b:d2:68:ac:cd:23:ed:bd:ad:
d4:7b:48:3b:4b:fa:ed:0f:c2:f5:37:35:94:ea:7d:4c:8d:9d:
93:99:75:51:b8:dd:1c:a1:29:a3:18:0e:bf:59:11:b2:8a:3f:
a5:1f:10:ec:23:76:04:12:bb:08:44:b0:79:b5:40:06:02:83:
14:31:ee:3a:2e:d6:d4:a1:86:c2:da:f0:40:5f:3e:49:3d:11:
d6:cd:eb:61:e0:97:8d:fa:35:eb:54:2f:b1:d5:32:ea:75:3b:
2f:ea:60:03:6c:cb:2a:ce:12:55:3c:a7:83:80:43:8e:7f:91:
e9:d0:1e:e3:56:bc:fd:1e:cd:d5:95:57:bf:40:b8:46:da:4c:
6a:c5:64:bf:f4:92:34:3d:54:5f:20:3a:10:2e:04:23:18:35:
6c:b8:87:11:d9:40:f7:7f:f0:aa:8d:45:52:b0:aa:1c:59:c6:
cf:36:ef:9a:d4:b6:2d:a4:5e:77:0c:59:8d:55:45:a5:18:54:
bd:84:e9:e8:9d:2d:75:5c:eb:0a:42:9f:25:eb:76:84:d2:5e:
07:a4:43:66:9e:fe:d1:11:3d:2d:8d:24:f3:e4:51:58:65:70:
85:06:93:11:a6:50:d8:ad:f1:b6:0f:6e:13:49:ab:ca:c8:89:
81:ef:3e:a1:19:26:ae:d4
The only thing that remains constant after a prune is the Authority Key Identifier.
I'm seeing those failures locally as well. I'm not sure what's causing them though. I'm wondering if there's a bug in OpenSSL and we need to be calling CRL#add_extension instead of CRL#extensions= (it would seem like the bytesize of an extension isn't being computed correctly but OpenSSL can infer the correct length).
When I switched to using partition instead of select, somehow those failures went away. I checked the ca_crl.pem file size after pruning, and the file size when using partition is larger by a few bytes, so that might be the issue. And wouldn't CRL#add_extension create a duplicate of the same CRL::Extensions with the OID being crlNumber? From what I interpret from the doc, CRL#extensions= deletes the existing extensions and uses the array of CRL::Extensions that I supply to repopulate the CRL's extensions.
This commit contains a fix to the prune action so that the CRL number is properly updated after pruning. Before, the code would update the protocol version, which is incorrect.
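The two things this thread turns on, shown together as an added example in Ruby against the stdlib openssl binding (this is not Puppet's code and not code posted by anyone in the thread): a prune that keeps the version field at 1 and bumps the crlNumber extension instead, re-signs, and then walks the resulting DER with a strict length check of the kind that produced the "Short read of DER length" error in the Java trace at the top of the thread. The CA name, the serials 3 through 6, the starting CRL number 7 and the helper names are constructed for the example; the CRL layout (v2, crlNumber plus authorityKeyIdentifier, one keyCompromise reason per entry) mirrors the openssl dump above.

```ruby
require 'openssl'

# Added example, not project code. KEY_COMPROMISE is the RFC 5280 CRLReason
# value (1); the serials and CA name below are constructed test data.
KEY_COMPROMISE = 1

# Self-signed CA carrying a subjectKeyIdentifier so the CRL can reference it
# through authorityKeyIdentifier "keyid:".
def build_demo_ca(cn = 'Puppet CA: example.local')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 5 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Read the INTEGER inside the crlNumber extension. An Extension's DER is
# SEQUENCE { OID, [critical], OCTET STRING extnValue }, so decode twice.
def crl_number(crl)
  ext = crl.extensions.find { |e| e.oid == 'crlNumber' }
  return nil unless ext
  inner = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(inner).value.to_i
end

# v2 CRL (version field 1, printed as "Version 2 (0x1)") with one
# keyCompromise entry per serial, a crlNumber and an AKI extension.
def build_crl(ca_key, ca_cert, serials, number, now = Time.now)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + 5 * 365 * 86_400
  serials.each do |s|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = OpenSSL::BN.new(s)
    rev.time = now
    rev.add_extension(OpenSSL::X509::Extension.new(
      'CRLReason', OpenSSL::ASN1::Enumerated.new(KEY_COMPROMISE).to_der))
    crl.add_revoked(rev)
  end
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.issuer_certificate = ca_cert
  ef.crl = crl
  crl.add_extension(OpenSSL::X509::Extension.new(
    'crlNumber', OpenSSL::ASN1::Integer.new(number).to_der))
  crl.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Prune: keep only the wanted serials, copy the version unchanged, replace the
# crlNumber extension with number + 1 via CRL#extensions=, and re-sign.
# Returns the new CRL and the serials that were dropped.
def prune_crl(crl, ca_key, keep_serials, now = Time.now)
  kept, dropped = crl.revoked.partition { |r| keep_serials.include?(r.serial.to_i) }
  pruned = OpenSSL::X509::CRL.new
  pruned.version = crl.version          # stays 1; bumping this was the original bug
  pruned.issuer = crl.issuer
  pruned.last_update = now
  pruned.next_update = crl.next_update
  kept.each { |r| pruned.add_revoked(r) }
  next_number = crl_number(crl) + 1
  pruned.extensions = crl.extensions.map do |e|
    next e unless e.oid == 'crlNumber'
    OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer.new(next_number).to_der)
  end
  pruned.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [pruned, dropped.map { |r| r.serial.to_i }]
end

# Strict TLV walk over DER: every length must be fully present and every value
# must fit inside its enclosing value. OpenSSL tolerates some of this; a strict
# parser like the JDK's does not. Raises with the offending offset.
def check_der_lengths(der, pos = 0, stop = der.bytesize)
  while pos < stop
    tag = der.getbyte(pos)
    raise "multi-byte tag at #{pos} not handled" if (tag & 0x1f) == 0x1f
    pos += 1
    raise "missing length byte at #{pos}" if pos >= stop
    first = der.getbyte(pos)
    pos += 1
    if first < 0x80
      len = first
    else
      n = first & 0x7f
      raise "short read of DER length at #{pos}" if n.zero? || pos + n > stop
      len = der.byteslice(pos, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
      pos += n
    end
    raise "value of #{len} bytes at #{pos} overruns enclosing value (#{stop})" if pos + len > stop
    check_der_lengths(der, pos, pos + len) if (tag & 0x20) != 0 # constructed
    pos += len
  end
  true
end

def der_well_formed?(der)
  check_der_lengths(der)
rescue RuntimeError
  false
end

if __FILE__ == $PROGRAM_NAME
  key, ca = build_demo_ca
  crl = build_crl(key, ca, [3, 4, 5, 6], 7)
  pruned, dropped = prune_crl(crl, key, [5, 6])
  puts "dropped serials: #{dropped.inspect}"
  puts "version #{crl.version} -> #{pruned.version}, crlNumber #{crl_number(crl)} -> #{crl_number(pruned)}"
  puts "signature verifies: #{pruned.verify(ca.public_key)}"
  puts "DER lengths consistent: #{der_well_formed?(pruned.to_der)}"
  puts pruned.to_text
end
```

Run it and compare the to_text output with the dump above: the version line stays "Version 2 (0x1)", the CRL Number moves from 7 to 8, and the Authority Key Identifier is unchanged. The check_der_lengths walk is a useful pre-flight on the pruned ca_crl.pem (decode the PEM with OpenSSL::X509::CRL and pass to_der) before puppetserver's Java side reads it, since OpenSSL itself will happily print a CRL whose encoded lengths a strict parser rejects.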