x509 certificate revocation


Dex Wood

Apr 14, 2014, 5:19:24 PM
to golan...@googlegroups.com
I am currently generating OpenVPN certificates using the x509 library. The library has been great, but I have run into a snag. I was generating certificate revocation lists with OpenSSL, but I wanted to use Go's standard library for revocation. When I generated a CRL using CreateCRL, OpenVPN complains that the CRL is from a different issuer.

I noticed that the Issuer string on the generated CRL was different, in that it didn't include the emailAddress attribute of the certificate, so I went in and made my own function to append the email address to the RDN sequence. This still didn't seem to work, so I am not sure how to proceed.


parentKey and parentCert are the CA and the constants are just paths to different files on the system


This may be a hard problem to debug, but it may also be something simple that I've missed. Thanks for your help.

Arne Hormann

Apr 14, 2014, 5:53:10 PM
to golan...@googlegroups.com
Is parentCert the CA you also use for the clients? It should be; the subject must match.
Maybe you also need this x509 extension:
'authorityKeyIdentifier': 'keyid:always,issuer:always'
... that's included in the example configuration.

I had the same problem but detracted from Go to Ruby + OpenSSL: https://gist.github.com/arnehormann/9744964#file-vpngen-rb-L603 (start of CRL part)
It generates CA, client and server config plus embedded certificates with configuration for UDP in tun mode and also manages the CRL.
Some of the options took me some digging, maybe it can help you.
If I got something wrong I'm also glad for comments - but my file is pretty dense and not overly well documented. Still readable (I think)...
Usage etc in comments at the bottom.
It's tested manually - the VPN, CA, CRL and configurations work.

Regards
Arne

Dex Wood

Apr 14, 2014, 6:37:12 PM
to golan...@googlegroups.com
Thanks for the reply.

The parentCert is the CA that I used to sign the client's certs. I will try those extensions as soon as possible and get back with you.

agl

Apr 14, 2014, 10:17:32 PM
to golan...@googlegroups.com
On Monday, April 14, 2014 3:37:12 PM UTC-7, Dex Wood wrote:
The parentCert is the CA that I used to sign the client's certs. I will try those extensions as soon as possible and get back with you.

This is one of those things that should have been done differently from the start, I'm afraid.

X.509 Names are staggeringly complex compared to what they should be. The code is losing some of the AttributeTypeAndValues in the parse/serialise cycle. The certificate code uses the raw bytes from the parent, but the CRL code doesn't because it exports the ASN.1 type directly.

Let me see if I can come up with a backwards-compatible fix tomorrow.


Cheers

AGL

Arne Hormann

Apr 15, 2014, 12:25:34 AM
to golan...@googlegroups.com
@Dex
Your CA could also be the reason.
Extensions used in OpenVPN's EasyRSA config file:

'basicConstraints' => 'CA:TRUE,pathlen:1'
'subjectKeyIdentifier' => 'hash'
'authorityKeyIdentifier' => 'keyid,issuer:always'
'keyUsage' => 'cRLSign,keyCertSign'

@Agl
I only started to get my feet wet in crypto because of the Matasano challenge and what Go provides.
Thanks for a really great library!

Cheers,
Arne
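The parse/serialise loss agl describes, and the EasyRSA-style CA extensions Arne lists, can both be shown in a few lines of Go. The program below is an added example written for this thread, not code from any poster or from the Go project. It assumes Go 1.19 or later and uses x509.CreateRevocationList, the current successor to the CreateCRL function discussed above; all certificate values (subject, email address, serial 42) are constructed. It builds a CA whose subject carries emailAddress (CA:TRUE with pathlen:1, cRLSign and keyCertSign set), re-encodes the parsed subject through pkix.Name the way the old CRL code did and shows that the email attribute is dropped, then builds a CRL and runs the check a deployer would want before installing it: the CRL's issuer DER must equal the CA's subject DER byte for byte and the signature must verify with the CA key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is PKCS#9 emailAddress (1.2.840.113549.1.9.1): the attribute
// EasyRSA puts into CA subjects and for which pkix.Name has no named field.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// newCA builds a self-signed CA resembling an EasyRSA one: emailAddress in the
// subject, CA:TRUE with pathlen:1, keyUsage cRLSign,keyCertSign. CreateCertificate
// adds subjectKeyIdentifier on its own. All values here are constructed.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{"Example Org"},
			CommonName:   "Example VPN CA",
			// OpenSSL encodes emailAddress as an IA5String; ExtraNames is copied raw.
			ExtraNames: []pkix.AttributeTypeAndValue{{
				Type:  oidEmailAddress,
				Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte("ca@example.invalid")},
			}},
		},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            1,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCRL revokes the given serials in a CRL signed by ca. CreateRevocationList
// copies ca.RawSubject into the issuer field, so emailAddress survives.
func newCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// lossyIssuer re-encodes the parsed subject through pkix.Name, as the old CRL code
// did. Parsing fills Subject.Names but not ExtraNames, and ToRDNSequence ignores
// Names, so the emailAddress attribute is dropped on the way out.
func lossyIssuer(ca *x509.Certificate) ([]byte, error) {
	return asn1.Marshal(ca.Subject.ToRDNSequence())
}

// IssuerMatches is the pre-deployment check: issuer DER equal to the CA subject
// DER byte for byte, and a signature that verifies with the CA key.
func IssuerMatches(crl *x509.RevocationList, ca *x509.Certificate) error {
	if !bytes.Equal(crl.RawIssuer, ca.RawSubject) {
		return fmt.Errorf("CRL issuer %q does not match CA subject %q", crl.Issuer.String(), ca.Subject.String())
	}
	return crl.CheckSignatureFrom(ca)
}

// IsRevoked reports whether serial is listed in the CRL.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

// RoundTripResult records the three observations Demo makes.
type RoundTripResult struct {
	LossyIssuerMatches bool // pkix.Name re-encode == CA RawSubject (expected false)
	RawIssuerMatches   bool // CRL RawIssuer == CA RawSubject and signature ok (expected true)
	Revoked            bool // serial 42 present in the CRL (expected true)
}

func Demo() (RoundTripResult, error) {
	ca, key, err := newCA()
	if err != nil {
		return RoundTripResult{}, err
	}
	crl, err := newCRL(ca, key, 42)
	if err != nil {
		return RoundTripResult{}, err
	}
	lossy, err := lossyIssuer(ca)
	if err != nil {
		return RoundTripResult{}, err
	}
	return RoundTripResult{
		LossyIssuerMatches: bytes.Equal(lossy, ca.RawSubject),
		RawIssuerMatches:   IssuerMatches(crl, ca) == nil,
		Revoked:            IsRevoked(crl, big.NewInt(42)),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pkix.Name round trip preserves issuer bytes: %v\n", r.LossyIssuerMatches)
	fmt.Printf("CRL issuer matches CA subject and signature verifies: %v\n", r.RawIssuerMatches)
	fmt.Printf("serial 42 revoked: %v\n", r.Revoked)
}
```

The first line of output is false: the parsed subject loses emailAddress when pushed back through pkix.Name, which is the mismatch OpenVPN was reporting. The second is true because the CRL issuer is taken from RawSubject. Comparing RawIssuer against RawSubject, rather than comparing the pkix.Name values or their String() forms, is the comparison that catches this class of problem; the String() forms can agree while the DER differs in attribute encoding or order.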

Dex Wood

Apr 15, 2014, 11:43:48 AM
to golan...@googlegroups.com
The CRL generated from "full-revoke" in easy-rsa doesn't seem to include any extensions and it seems to work. I verified this with openssl crl -in /etc/openvpn/crl.pem -noout -text

I generated a new CRL using the same code, but added the mentioned extensions. OpenVPN still detected it as being from a different issuer. I tried it in combination with the tweak I mentioned earlier to make sure that the Issuer string was the same, but still unsuccessful. I will wait for agl to see if a backwards-compatible fix is possible.