[Pulp-list] Update on "Certificate Revocation Lists"

John Matthews jmatthew at redhat.com
Wed Aug 31 02:16:34 UTC 2011


Wiki Page:  https://fedorahosted.org/pulp/wiki/CertRevocationList

I pushed the first change to Pulp to support CRLs.
This requires an updated M2Crypto.  If Pulp can't find what it needs in M2Crypto, it will fall back to the previous behavior for cert validation.
Besides CRL verification, this work has exposed more of the OpenSSL C APIs to Pulp.  Our certificate verification now leverages the same code as the OpenSSL CLI.

I am assuming that CRLs will be placed on the Pulp server manually. No mechanism has been added to Pulp to upload a CRL; we are focused solely on the functionality of CRL verification for this sprint.

Pulp will support multiple CRLs; we are following the convention Apache uses.
 1. repo_auth.conf specifies a directory for CRLs.
 2. In the directory are CRLs with names of ISSUER_HASH.r{0,1,2,....}
    The recommended way to configure Pulp for using CRLs is the same as Apache:
    run a command like this:
      ln -s some_ca.crl `openssl crl -hash -noout -in some_ca.crl`.r0
    e.g.
      /etc/pki/content/418c05ff.r0
    Notice that 418c05ff is the hash of the CA:
      $ openssl x509 -hash -in ./Pulp_CA.cert -noout
      418c05ff

    Multiple CRLs can be configured for the same CA; just bump up the extension: .r0 -> .r1, etc.
    The -hash is a hash of the issuer name only, so the CRL file can be updated and it will keep the same issuer hash.
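The ISSUER_HASH.rN convention above, scripted as an added example (not Pulp's or Apache's own code): it computes the issuer hash with the openssl CLI exactly as in the post, picks the next free .rN suffix so a second CRL for the same CA lands at .r1 rather than clobbering .r0, and links the CRL into the configured directory. The directory argument, function names and the use of the `openssl` binary on PATH are assumptions.

```sh
#!/bin/sh
# Added example, not code from the Pulp project. Installs a CRL into a
# hashed CRL directory using the Apache/OpenSSL ISSUER_HASH.rN convention.

# Print the next free suffix (r0, r1, ...) for an issuer hash in a directory.
# Dangling symlinks are treated as occupied so they are never overwritten.
# Usage: next_crl_suffix DIR ISSUER_HASH   -> prints e.g. "r2"
next_crl_suffix() {
    dir=$1
    ihash=$2
    n=0
    while [ -e "$dir/$ihash.r$n" ] || [ -L "$dir/$ihash.r$n" ]; do
        n=$((n + 1))
    done
    printf 'r%s\n' "$n"
}

# Issuer-name hash of a CRL, as used by Apache/OpenSSL for the link name.
# Fails (non-zero exit) if the file does not parse as a CRL.
crl_issuer_hash() {
    openssl crl -hash -noout -in "$1"
}

# Subject-name hash of a CA cert; should equal crl_issuer_hash of its CRL.
ca_subject_hash() {
    openssl x509 -hash -noout -in "$1"
}

# Link CRL_FILE into DIR as ISSUER_HASH.rN and print the new link path.
# Usage: install_crl CRL_FILE DIR
install_crl() {
    crl=$1
    dir=$2
    # Make the target absolute so the link resolves regardless of cwd.
    case $crl in /*) ;; *) crl=$PWD/$crl ;; esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    ihash=$(crl_issuer_hash "$crl") || return 1
    suffix=$(next_crl_suffix "$dir" "$ihash")
    ln -s "$crl" "$dir/$ihash.$suffix" || return 1
    echo "$dir/$ihash.$suffix"
}
```

Running `install_crl some_ca.crl /etc/pki/content` twice for two CRLs from the same CA produces 418c05ff.r0 and 418c05ff.r1 (hash value taken from the post's example); comparing `ca_subject_hash Pulp_CA.cert` against the link name confirms the CRL belongs to that CA.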

You can see the patch to M2Crypto here:  http://git.fedorahosted.org/git/?p=pulp.git;a=blob_plain;f=rpm/m2crypto/m2crypto-0.21.1-x509_crl.patch;hb=HEAD

I am in the process of getting this added back into upstream M2Crypto.


The wiki page, https://fedorahosted.org/pulp/wiki/CertRevocationList also shows some of the highlights of patching M2Crypto for those who are curious.