This repository has been archived by the owner on Sep 3, 2021. It is now read-only.

Revocation checking sometimes finds multiple issuer certs #25

Open
djpackham opened this issue Aug 3, 2017 · 5 comments

@djpackham
Contributor

New issue today where user's tool would hang at 80% complete. Looking at the logs and more into the code, seems like there may need to be an update to the revocationCheck method. Should only find one issuer that matches I believe.

NFO: Found a match! The issuer of the end-entity cert's serial number is: 1149264853
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Seeing if their is a match between the end-entity issuerDN and certificates in p7c file subjectDN
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Found a match! The issuer of the end-entity cert's serial number is: 1149213983

@djpackham djpackham added the bug label Aug 3, 2017
@powell-ofr

I had a new user from Dept. of Commerce call me with the same “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. They're fine now but I'm curious about this and why it's happening now.

Lee Powell
OFR

@lachellel
Member

@djpackham

It's doing a check solely on Issuer DN (end entity) = Subject DN (parent): https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/microsoft/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L108

This will return more than 1 match. In the example log provided, both those serial numbers are the Entrust Managed Services SSP CA certs.

It could add this option:

  • AKI (end entity) = SKI (parent)
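
The AKI = SKI narrowing suggested in the comment above, as an added Java example that is not part of the original thread or the project's code; the class and method names (`IssuerSelector`, `selectIssuer`, `keyId`, `tlv`) are hypothetical. It filters candidates by DN, then by key identifier, and confirms the choice with the certificate signature.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/** Added example: IssuerSelector and its method names are hypothetical. */
public final class IssuerSelector {
    private static final String OID_SKI = "2.5.29.14"; // subjectKeyIdentifier
    private static final String OID_AKI = "2.5.29.35"; // authorityKeyIdentifier

    /** Returns a candidate that really issued endEntity, or throws if none does. */
    public static X509Certificate selectIssuer(X509Certificate endEntity,
                                               List<X509Certificate> candidates) {
        byte[] aki = keyId(endEntity.getExtensionValue(OID_AKI), true);
        for (X509Certificate c : candidates) {
            // Step 1: name chaining. Several CA certs can share one subject DN.
            if (!c.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal())) continue;
            // Step 2: AKI (end entity) must equal SKI (parent) when both are present.
            byte[] ski = keyId(c.getExtensionValue(OID_SKI), false);
            if (aki != null && ski != null && !Arrays.equals(aki, ski)) continue;
            // Step 3: key identifiers are only hints, so confirm with the signature.
            try {
                endEntity.verify(c.getPublicKey());
                return c; // any candidate passing this check holds the signing key
            } catch (GeneralSecurityException e) { /* wrong key: try the next candidate */ }
        }
        throw new IllegalStateException("no candidate issued " + endEntity.getSerialNumber());
    }

    /** Extracts the key identifier bytes from a DER extension value, or null if absent. */
    private static byte[] keyId(byte[] ext, boolean isAki) {
        if (ext == null) return null;
        int[] t = tlv(ext, 0);                 // outer OCTET STRING wrapper
        t = tlv(ext, t[1]);                    // SKI: OCTET STRING; AKI: SEQUENCE
        if (isAki) {
            if (t[2] == 0) return null;        // empty AuthorityKeyIdentifier
            t = tlv(ext, t[1]);                // first field inside the SEQUENCE
            if (t[0] != 0x80) return null;     // [0] keyIdentifier is optional
        }
        return Arrays.copyOfRange(ext, t[1], t[1] + t[2]);
    }
    /** Reads one DER header at off; returns {tag, contentOffset, contentLength}. */
    private static int[] tlv(byte[] d, int off) {
        int tag = d[off++] & 0xff, len = d[off++] & 0xff;
        if (len >= 0x80) {                     // long form: low 7 bits = number of length bytes
            int n = len & 0x7f;
            for (len = 0; n > 0; n--) len = (len << 8) | (d[off++] & 0xff);
        }
        return new int[] {tag, off, len};
    }
}
```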

@djpackham
Contributor Author

Thanks. This will need to be updated in the code.

To get by for now a quick fix is to disable or "uncheck" the Revocation Checking setting. You can do this by going to the top menu -> click options -> click "Revocation Checking".

@lachellel
Member

Link to the mac source with the same issue: https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/apple/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L95

Additional item:

  • only doing the revocation check on end entity and issuer (not any successive intermediates/issuers)

@powell-ofr

Another regular user from Dept. of Commerce started getting the “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. The gradual expansion of this problem among users indicates (to me, anyway) that some recent update (OS, MS Office, or Java) negatively impacts tool compatibility.

Lee Powell
OFR
