Hi, when rebuilding the index.txt file in the node interface, revoked certificates are marked with an incorrect revocation date in the index.txt files. This leads to incorrect data in CRLs.

I found the cause for the bug, but I am not sure how to fix it (0.9.2):

In common/lib/functions/crypto-utils.lib, sub export_openssl_db, the index.txt file is rebuilt from the DB. For each revoked certificate the corresponding CRR is queried from the database. The idea is to use the SUBMIT_DATE of this CRR as revocation date in index.txt. If the date cannot be determined, 9999-12-31 23:59:59 is used instead.

The problem is that the CRR is searched via

    $db->searchitem(DATATYPE => "ARCHIVED_CRR", REVOKE_CERTIFICATE_DN => ...)

Unfortunately the order of RDNs in the DN in the database and in the query do not match: one starts with CN=..., O=..., C=..., whereas the other uses the reversed order C=...,O=...,CN=.... In addition, one contains blanks after the commas, the other does not.

Now one could simply reverse(split(...)), but there might be a better way, e.g. a different way to check the database DN against a given one. I did not find something like that in the rest of the code, however.

Is there a preferred way to fix it? I'd volunteer to do it, but I cannot assign the bug to me...

cheers

Martin
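
An added example (not part of the original message and not OpenCA code): one way to compare two DN strings independent of RDN order and of blanks after the commas, splitting only on unescaped commas so that a value such as `Example\, Inc.` stays in one piece. The function names and sample DNs are constructed for illustration; treating the reversed RDN order as equal is an assumption that fits the two renderings described in the message, and multi-valued RDNs (`+`) are not handled.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split a DN string into RDNs on unescaped commas.
# A backslash escapes the following character, so "\," stays inside the value.
sub split_rdns {
    my ($dn) = @_;
    my @rdns = ('');
    while ($dn =~ /\G(\\.|[^\\,]+|,)/gs) {
        if ($1 eq ',') { push @rdns, ''; }
        else           { $rdns[-1] .= $1; }
    }
    return @rdns;
}

# Trim surrounding blanks and upper-case the attribute type (cn= -> CN=).
# Assumption: attribute values are compared exactly as stored.
sub normalize_rdn {
    my ($rdn) = @_;
    $rdn =~ s/^\s+|\s+$//g;
    return '' unless length $rdn;
    my ($type, $value) = split /\s*=\s*/, $rdn, 2;
    return uc($type) . '=' . (defined $value ? $value : '');
}

# True if both strings hold the same RDN sequence, in the same or in
# exactly reversed order (CN-first versus C-first rendering).
sub dn_equal {
    my ($x, $y) = @_;
    my @a = map { normalize_rdn($_) } split_rdns($x);
    my @b = map { normalize_rdn($_) } split_rdns($y);
    return 0 unless @a == @b;
    my $fwd = join("\0", @a);
    return ($fwd eq join("\0", @b) || $fwd eq join("\0", reverse @b)) ? 1 : 0;
}

# Constructed sample DNs: one CN-first with blanks, one C-first without.
my $db_dn    = 'CN=Jane Doe, O=Example\, Inc., C=DE';
my $query_dn = 'C=DE,O=Example\, Inc.,CN=Jane Doe';
my $other_dn = 'C=DE,O=Example\, Inc.,CN=John Doe';

printf "%-40s %s\n", $query_dn, dn_equal($db_dn, $query_dn) ? 'match' : 'no match';
printf "%-40s %s\n", $other_dn, dn_equal($db_dn, $other_dn) ? 'match' : 'no match';
```

A comparison like this only helps at lookup time; storing DNs in one canonical rendering when they are written to the database removes the mismatch at its source.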
