smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

[Bug]: CA HTTPS server certificates do not contain "CRLDistributionPoints" extension after enabling CRL in ca.json. #1846

Open devourer66 opened 6 months ago

devourer66 commented 6 months ago

Steps to Reproduce

On windows

> curl -k -LO https://acme.lan:8443/roots.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   619  100   619    0     0  17150      0 --:--:-- --:--:-- --:--:-- 18757
> certutil -addstore -enterprise -f "Root" roots.pem
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Homelab Root CA" added to store.
CertUtil: -addstore command completed successfully.
> curl https://acme.lan:8443/roots.pem
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.

Your Environment

Server:

# step-ca --version
Smallstep CA/0.26.1 (linux/arm64) 
Release Date: 2024-04-22T20:39:11Z
# cat /etc/os-release
NAME="OpenWrt"
VERSION="22.03.5"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 22.03.5"
VERSION_ID="22.03.5"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r20134-5f15225c1e"
OPENWRT_BOARD="mediatek/mt7622"
OPENWRT_ARCH="aarch64_cortex-a53"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 22.03.5 r20134-5f15225c1e"

Client

> cmd
Microsoft Windows [Version 10.0.19045.4291]
(c) Microsoft Corporation. All rights reserved.
> curl --version
curl 8.7.1 (x86_64-w64-mingw32) libcurl/8.7.1 Schannel zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL SSPI threadsafe UnixSockets zstd

Expected Behavior

After enabling crl in ca.json, it is expected that:

  1. The X509v3 extension "X509v3 CRL Distribution Points" is present in the certificate that the CA HTTPS server presents to clients.
  2. "X509v3 CRL Distribution Points: Full Name: URI:" equals the URL configured in crl.idpURL.

Actual Behavior

After enabling crl in ca.json, CRLDistributionPoints won't appear on certificates that the CA HTTPS server presents to clients.

Additional Context

Such curl behavior is specific to Windows; curl on Linux does not complain.

CRL works fine (CRLDistributionPoints appears on certs) for my JWK and ACME provisioners. They were configured following these guidelines https://github.com/smallstep/certificates/issues/1423#issuecomment-1581568312

It seems that the CA HTTPS server does not use any user-configurable template for its certificates. I was not able to immediately identify any dependence on a.config.CRL.IsEnabled() in the authority.GetTLSCertificate function: https://github.com/smallstep/certificates/blob/9355923799d55254ed18fe2de43b206a57ca2e41/authority/tls.go#L859


devourer66 commented 6 months ago

Just in case

$ echo | openssl s_client -showcerts -servername acme.lan:8443/roots.pem -connect acme.lan:8443 | openssl x509 -inform pem -noout -text
Warning: Reading certificate from stdin since no -in or -new option is given
Connecting to 10.1.2.100
depth=1 O=Homelab, CN=Homelab Intermediate CA
verify error:num=20:unable to get local issuer certificate 
verify return:1
depth=0 CN=Step Online CA
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:60:ea:76:46:4c:cb:fb:d0:75:b7:e5:cd:3c:cc:c6
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O=Homelab, CN=Homelab Intermediate CA
        Validity
            Not Before: May 15 09:37:49 2024 GMT     
            Not After : May 16 09:38:49 2024 GMT     
        Subject: CN=Step Online CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey     
                Public-Key: (256 bit)
                pub:
                    04:e3:84:91:f2:92:ec:df:37:d7:43:82:77:45:bb:
                    1e:1d:9c:b8:5d:1e:9f:75:7f:ed:84:2e:39:70:c5:
                    28:44:09:8d:aa:7e:b6:df:3f:d6:ee:0c:33:b6:35:
                    05:98:49:f4:3a:5f:ab:92:cb:71:18:3d:b3:7c:5f:
                    25:5f:15:85:8d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                4A:C6:A2:E0:48:3F:32:01:91:EE:F7:27:0C:E6:9B:CB:CF:2E:B3:87
            X509v3 Authority Key Identifier:
                8F:70:91:D8:53:F3:6A:B8:F4:85:6A:5E:77:D2:75:F2:36:D4:46:9E
            X509v3 Subject Alternative Name:
                DNS:acme.lan, IP Address:10.1.2.100
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:46:02:21:00:ed:ae:83:9d:bc:8a:f1:c3:47:9e:0d:c2:96:
        b6:0f:68:1d:68:ea:20:c0:00:0d:4a:ec:b4:0f:7e:f3:57:9c:
        f2:02:21:00:ba:40:db:47:8f:71:68:25:49:28:83:58:7e:9d:
        a2:d3:11:06:db:59:4a:24:5b:bd:a5:cb:2c:0b:68:31:43:f8
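The certificate dump above shows the expected behavior failing: no "X509v3 CRL Distribution Points" block is present. As an added example (not code from step-ca or from the reporter), the Go check below parses a leaf certificate and verifies both points from the "Expected Behavior" section: that the extension exists and that one of its URIs equals the configured crl.idpURL. MakeLeaf builds a constructed self-signed certificate so the check runs offline; the URL "https://acme.lan:8443/crl" is an assumed idpURL value, not one taken from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckCRLDP returns nil only when the certificate carries the CRL Distribution
// Points extension and one of its URIs equals the configured idpURL.
func CheckCRLDP(cert *x509.Certificate, idpURL string) error {
	if len(cert.CRLDistributionPoints) == 0 {
		return errors.New("certificate has no CRL Distribution Points extension")
	}
	for _, u := range cert.CRLDistributionPoints {
		if u == idpURL {
			return nil
		}
	}
	return fmt.Errorf("CRL DP %v does not contain idpURL %q", cert.CRLDistributionPoints, idpURL)
}

// MakeLeaf issues a constructed self-signed server certificate (subject and SAN
// mirror the dump above); pass nil crlURLs to reproduce the reported case.
func MakeLeaf(crlURLs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Step Online CA"},
		DNSNames:              []string{"acme.lan"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: crlURLs, // nil => extension omitted, as in the bug
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run the same check against a live server, feed CheckCRLDP the leaf from tls.ConnectionState().PeerCertificates[0] instead of a constructed certificate.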