Revocation checking sometimes finds multiple issuer certs #25
Comments
I had a new user from Dept. of Commerce call me with the same “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. They're fine now but I'm curious about this and why it's happening now.
Lee Powell
It's doing a check solely on Issuer DN (end entity) = Subject DN (parent):
https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/microsoft/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L108
This will return more than 1 match. In the example log provided, both those serial numbers are the Entrust Managed Services SSP CA certs. It could add this option:
Thanks. This will need to be updated in the code. To get by for now, a quick fix is to disable or "uncheck" the Revocation Checking setting. You can do this by going to the top menu -> click options -> click "Revocation Checking".
Link to the mac source with the same issue:
https://github.com/GSA/gsa-doc-digital-signature/blob/platforms/apple/src/com/gsa/signingtool/app/CheckRevocationStatus.java#L95
Additional item:
Another regular user from Dept. of Commerce started getting the “stopped at 80%” problem. I told her to uncheck Revocation Checking and it worked. The gradual expansion of this problem among users indicates (to me, anyway) that some recent update (OS, MS Office, or Java) negatively impacts tool compatibility.
Lee Powell
New issue today where user's tool would hang at 80% complete. Looking at the logs and more into the code, seems like there may need to be an update to the revocationCheck method. Should only find one issuer that matches I believe.
INFO: Found a match! The issuer of the end-entity cert's serial number is: 1149264853
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Seeing if their is a match between the end-entity issuerDN and certificates in p7c file subjectDN
Aug 03, 2017 9:20:45 AM Tool.CheckRevocationStatus fetchIssuerCert
INFO: Found a match! The issuer of the end-entity cert's serial number is: 1149213983
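The thread describes an issuer lookup that compares only Issuer DN against Subject DN and therefore matches two CA certificates. The following is an added example, not code from the project or from any participant in this thread: it keeps the DN comparison as a pre-filter and then accepts only candidates whose public key verifies the end-entity signature. The class name `IssuerSelector`, the method `findIssuers` and the two file arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example; class and method names are hypothetical, not from the project.
public class IssuerSelector {

    // Returns every candidate whose subject DN equals the end-entity issuer DN
    // AND whose public key verifies the end-entity certificate's signature.
    static List<X509Certificate> findIssuers(X509Certificate endEntity,
                                             Collection<? extends Certificate> candidates) {
        List<X509Certificate> verified = new ArrayList<>();
        for (Certificate c : candidates) {
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            // Step 1: the DN comparison from the thread; not unique on its own.
            if (!ca.getSubjectX500Principal().equals(endEntity.getIssuerX500Principal())) continue;
            try {
                // Step 2: only the key that actually signed the certificate passes.
                endEntity.verify(ca.getPublicKey());
                verified.add(ca);
            } catch (GeneralSecurityException e) {
                // Same name but a different key: this candidate is not the issuer.
            }
        }
        return verified;
    }

    // Usage: java IssuerSelector <end-entity.cer> <issuers.p7c>
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee;
        try (InputStream in = new FileInputStream(args[0])) {
            ee = (X509Certificate) cf.generateCertificate(in);
        }
        Collection<? extends Certificate> bundle;
        try (InputStream in = new FileInputStream(args[1])) {
            bundle = cf.generateCertificates(in); // also parses PKCS#7 (.p7c) bundles
        }
        List<X509Certificate> issuers = findIssuers(ee, bundle);
        if (issuers.isEmpty()) throw new IllegalStateException("no candidate signed this certificate");
        // Any survivors share the issuer name and the signing key.
        for (X509Certificate ca : issuers) System.out.println("Issuer serial: " + ca.getSerialNumber());
    }
}
```

If more than one candidate still passes, those certificates carry the same name and the same key, so the caller can use any of them as the issuer for the revocation lookup.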