-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calculate a hash for CRL with x509_crl_info #200
Comments
I assume this is basically what the This is blocked by #150 though, since it would introduce serious conflicts. I'll start moving the first few commits into separate PRs, then these can be reviewed and merged individually. Once the PR for 3cd0056 is merged, this can be implemented without causing great pain for #150 :) |
I went ahead and moved the commit to #203. Once that's reviewed and merged, I'll start working on this. |
I am not sure that is the same thing. Looking at the openssl crl commands there is the option to calculate the hash and the fingerprint and they are different results here is an example for one of my crls openssl crl -in files/pki/crl/tmp/crl.pem -noout -hash
b01b3c03
openssl crl -in files/pki/crl/tmp/crl.pem -noout -fingerprint
SHA1 Fingerprint=4A:17:C7:2F:11:B2:92:34:20:D6:D7:1A:7F:E0:95:DA:AC:F9:88:7C |
Hmm, so |
Sounds like something OpenSSL specific (https://stackoverflow.com/questions/34095440/hash-algorithm-for-certificate-crl-directory) Aaaand of course they also changed it over the years (there's also an |
@MarkusTeufelberger the old one is using MD5 instead of SHA1. Let's see when SHA1 will be replaced by SHA2, and we end up having |
I played around with this a bit. Generating the old hash is pretty simple. Generating the new (current) hash is more complicated: OpenSSL uses the 'canonical' encoding of the X.509 Name, which seems to be something OpenSSL internal: https://github.com/openssl/openssl/blob/master/crypto/x509/x_name.c#L293-L379 Unsurprisingly, cryptography does not provide any functionality to retrieve that. |
I appreciate you looking at it. I think think the functionally that I was requesting would be useful for others, but I have had some performance issues with x509_crl_info and large crls that have made me re-evaluate using the module. Some of the CRLs would take 30 minutes to process and that would not work in the long run for what I would need this functionality. Since cryptography doesn't support it, I am not opposed to closing this request and just keep using the scripts for the time being. |
@JuddTracy-DAS would you mind sharing a CRL which needs 30 minutes to process with me? I'm curious why it is so slow. I would guess the problem is exporting all entries, which has to be tunnelled through JSON to ansible. If that's the only problem, we could add a switch to disable exporting all entries. (You can find my email address in my commits.) |
I am running this on an older system and it took around 15 minutes to process not 30, but I wouldn't expect it to cause too much of a speed difference. There a many DISA DoD CRLs that are slow to process. I don't know what it is behind the scenes that is cause it but there are a massive amount of entries in the CRL. Here are a couple you can download DODEMAILCA_49.crl DODEMAILCA_51.crl and a complete list of them can be found unclass-dod_eca_crldps_nipr_20190529 |
Also when I would process them all in a loop things would slow down even more. Not sure if memory was an issue or what, but it would take a very long time to process them all. |
I ran
So I guess having an option to not return the list of revoked certificates would speed it up dramatically for you. |
I created #232 to allow to not return the list of revoked certificates. |
Here a similar question has been asked about subject and issuer hash for certificates: https://groups.google.com/g/ansible-project/c/KnonsMNLxeY/m/TrNO2ghcAgAJ |
|
SUMMARY
I would like x509_crl_info to return a hash that can be used for CRL checking.
ISSUE TYPE
COMPONENT NAME
x509_crl_info
ADDITIONAL INFORMATION
Using the option SSLCARevocationPath in apache expects each crl to have a link with the hash as the name pointing to the crl in the directory. The hash can be generated in openssl using:
The text was updated successfully, but these errors were encountered: