Affects Version/s: EJBCA 7.3.0
Issue discovered during:Ad Hoc
Sprint:EJBCA Team Bob - 2019 w40, EJBCA Team Bob - 2019 w42
This ticket concerns delta CRL generation when certificates are released from hold. In this scenario, a subsequent delta CRL should list the certificate as "removed from CRL", but EJBCA does not list such certificates at all, indicating that the certificate is still on hold. This is a violation of how delta CRLs are defined in RFC 5280.
From RFC 5280:
CRL issuers MUST ensure that the combination of a delta CRL and any appropriate complete CRL accurately reflects the current revocation status. The CRL issuer MUST include an entry in the delta CRL for each certificate within the scope of the delta CRL whose status has changed since the generation of the referenced base CRL [...]
If the certificate is valid and was listed on the referenced base CRL or any subsequent CRL with reason code certificateHold, and the reason code certificateHold is included in the scope of the CRL, list the certificate with the reason code removeFromCRL.
Note that base CRLs are still generated correctly. The issue was reproduced on EJBCA 7.3, but is likely affecting older versions as well. The steps for reproducing the issue are as follows:
1. Go to the RA web and search for a certificate to put on hold.
2. Click "View" to view the certificate.
3. Choose the revocation reason "Certificate hold" and click "Revoke" to suspend the certificate.
4. Issue a new base CRL. The certificate is listed as revoked with reasonCode = certificateHold. This is correct.
5. Click "Reactivate" to remove the certificate from hold.
6. Issue a new delta CRL. Observe that the delta CRL does not list any certificates. This is incorrect. The certificate released from hold should be listed with reasonCode = removeFromCRL.
During analysis, we found that the revocationDate is not updated when the certificate is released from hold. While this is not incorrect per se, it clashes with the CRL generation logic. The bean responsible for compiling a list of all certificates to be included on the next delta CRL, filters out certificates whose revocationDate exceeds the thisUpdate date of the most recent base CRL. As a consequence, the certificate released from hold will never appear on this list.