Incorrect LCP Certificate Revocation List URL (Distribution Point) #218
Comments
Readium_LCP_Root_CA.crl is the Authority Revocation List (ARL) and EDRLab_CA.crl is the Certificate Revocation List (CRL). Both are managed by a tier, not EDRLab.
Oh I see, so the fact that
What is strange is that the ARL should not be advertised as a CRL ... unless maybe this is normal procedure in x509 certs (I am no expert in this field).
Regarding Readium1 / Just to verify my assumptions in Naturally, I double-checked (once again) that the existing
Yes, The CRL control is still not ready on the iOS R2 Reader test app, but it should be ok on the Android R2 Reader, Aferdita is checking that.
Resolution: However, if the URL changes in the future, the implementations will break, because even though newly-generated LCP licenses will contain provider certificates with the correct updated CRL "Distribution Point" URL, implementations will continue to use the old one which may resolve in error (in which case: CRL ignored, dummy used instead), or success (in which case: probably outdated list of revoked certs).
The other CRL "Distribution Point" URL supplied by the "root" certificate that shipped with the app (in Readium1, via the app bundle itself, in Readium2, hard-coded into the native Closing this issue now (and the other platforms too).
@llemeurfr @aferditamuriqi @clebeaupin
In R2 test apps, the URL is currently hard-coded as:
http://crl.edrlab.telesec.de/rl/EDRLab_CA.crl
However, the "official" CRL Distribution Point embedded inside the app-provided ECDSA certificate for LCP 1.0-production profile is:
http://crl.edrlab.telesec.de/rl/Readium_LCP_Root_CA.crl
openssl x509 -noout -text -in cert.pem | grep -A 4 'CRL Distribution Points'
==>
There are three possible options:
So, quite clearly, the most realistic option with the least overhead is number 1. In fact, this may already be solved, for example if one URL is just a redirect to the other! (Laurent?) :)
Note that Readium1 implementations (i.e. based on readium-lcp-client lib) extract the CRL Distribution Point URLs directly from the shipped certificate, so they use the "official" URL instead of an arbitrary hard-coded one. Code reference: https://github.com/readium/readium-lcp-client/blob/e4c02fdd396157062b80dcd6b787a2c6a72a0da0/src/lcp-client-lib/Certificate.cpp#L134
Note that the RSA certificate for LCP basic-test profile does not contain any CRL Distribution Points.
Note that in Readium2 apps, the Base64-encoded certificate PEM is shipped as hard-coded data inside the native C++ LCP lib, whereas in Readium1 apps it is shipped at the app level / inside the app bundle, as a separate text resource.
Code references:
iOS-Swift:
https://github.com/readium/r2-testapp-swift/blob/0fe5624fa6134a17ef5ed320575b547433d9f16a/r2-testapp-swift/AppDelegate.swift#L469
Android-Kotlin:
https://github.com/readium/r2-testapp-kotlin/blob/7adfc5c42a0d6b1e8ada7f11e79f11ccaaecf9b6/r2-testapp/src/withlcp/java/org/readium/r2/testapp/CatalogActivity.kt#L208
Electron-NodeJS:
https://github.com/readium/r2-lcp-js/blob/0ddb51b46ae8d2233394f7ede46ee8f93c6a2851/src/parser/epub/lcp-certificate.ts#L8
(as you can see, I decided to align with iOS/Android apps, but I do reference the alternative URL as well .. just in case we need a reminder of it later)
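The following is an added example and is not code from this issue or from any Readium project. It shows the two approaches the issue contrasts: a client that hard-codes the CRL Distribution Point URL versus one that reads it out of the shipped certificate (the readium-lcp-client behaviour). It generates a throwaway self-signed certificate carrying a constructed CRL Distribution Point, extracts that URL from the same `openssl x509 -text` dump the issue greps, and then flags "drift" when a hard-coded URL no longer matches what the certificate advertises. The URLs, file names and function names (`make_cert`, `extract_cdp`, `check_drift`) are assumptions for the example; it requires openssl 1.1.1 or newer for `req -addext`.

```shell
#!/bin/sh
# Added example, not code from the readium issue or from any Readium project.
# Builds a throwaway self-signed certificate that carries a constructed
# CRL Distribution Point URL, then reads that URL back out of the PEM instead
# of trusting a hard-coded copy of it.
# Assumes openssl >= 1.1.1 (for `req -addext`); all URLs below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed URL embedded into the test certificate (stands in for the
# distribution point a real shipped certificate advertises).
CDP_URL="http://crl.example.test/rl/Example_CA.crl"
# Constructed URL a client might have hard-coded; deliberately different,
# to simulate "the URL changed but the app did not".
HARDCODED_URL="http://crl.example.test/rl/Old_CA.crl"

# Generate an RSA key and a 1-day self-signed certificate with a
# crlDistributionPoints extension; print the path of the resulting PEM file.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" -days 1 \
        -subj "/CN=Example LCP Root CA" \
        -addext "crlDistributionPoints=URI:$CDP_URL" >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# Print the first URI listed under "X509v3 CRL Distribution Points" in a
# PEM certificate, parsed from the human-readable openssl dump with awk.
extract_cdp() {
    openssl x509 -noout -text -in "$1" | awk '
        /CRL Distribution Points/ { in_cdp = 1 }
        in_cdp && /URI:/ {
            sub(/.*URI:/, ""); sub(/[ \t\r]+$/, "")
            print; exit
        }'
}

# Compare a hard-coded URL against what the certificate actually advertises.
# Prints "match" or "drift" so a client can log or alert at startup rather
# than silently fetching a stale list (or failing and ignoring the CRL).
check_drift() {
    cert_url=$(extract_cdp "$1")
    if [ "$cert_url" = "$2" ]; then
        echo "match"
    else
        echo "drift"
    fi
}

CERT=$(make_cert)
echo "certificate advertises: $(extract_cdp "$CERT")"
echo "hard-coded URL check:   $(check_drift "$CERT" "$HARDCODED_URL")"
```

Run it as-is to see the certificate's advertised URL followed by `drift`; point `HARDCODED_URL` at the same value as `CDP_URL` and the check reports `match`. The awk parse mirrors the grep in the issue but stops at the first `URI:` line after the extension header, so a certificate with several distribution points yields the first one only.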