Update soon to be expired crl

[RonEld]

Description

Update crl.pem, as it will expire on November 25 2019.
Resolves #2357.

Status

READY

Requires Backporting

Yes

As this crl will be expired on the LTS branch, which will still be supported on November 25 2019, need to backport as well.

Todos

• Tests
• Documentation
• Changelog updated
• Backported

[mpg]

LGTM

[RonEld]

@mpg Thank you for your review!

I have just noticed I have missed adding crl.pem as a dependency in the Makefile.

Backported to 2.7 and 2.16 in #2418 and #2419

[mpg]

Thanks for catching the server1_all issue. Still looks good to me.

[hanno-becker]

@RonEld Have you checked other test CRLs for the expiration time?

[RonEld]

@hanno-arm Yes. All the other CRLs we have, the soonest year they expire is 2024.

We have other CRLs that expired at 2011, so since we didn't get any errors sine, they are probably not used in our tests, and we require some house cleaning for certificates and crls not used in tests.

[mpg]

Or perhaps the expired CRLs are used in tests that actually need the CRL to be expired?

[RonEld]

perhaps.
Anyway, when I run:
faketime -f '+2y' make test , the tests pass. ( 3 years ahead I get failures.

I have noticed that: data_files/test-ca.crt is valid until:

Not After : Feb 12 14:44:00 2021 GMT

and that data_files/server3.crt is valid until:

Not After : Aug  7 09:17:03 2023 GMT

I haven't checked other certificates. Anyway, this should be handled in a different PR, and maintained regularly.

[hanno-becker]

@RonEld I'd prefer those CRTs to be regenerated (and their build-instructions to be rewritten) so that they don't expire in the next 3 years. Now you/we are into the issue and it's easy to fix along the way, while waiting for another report to come up in a year's time or so and triaging and fixing it again will be more work.

[mpg]

In addition to what Hanno wrote, our LTS branches are supported for 3 years, so I think it would make sense for us to always ensure faketime -f '+3y' make test pass when we release a new LTS (and released one very recently, so I think we should have it pass now).

[RonEld]

@hanno-arm @mpg I agree that we should have a test that will ensure faketime -f '+3y' make test will pass. However, I disagree that this should be handled in this PR, as it is an entirely different task, as I think we should align all our certificates and crls to be expired on the same time, for simplicity

[mpg]

@RonEld I'm not sure this is an entirely different task - this PR is about making tests pass in 1 year, so just changing the numeric value from 1 to 3 hardly changes the nature of the task IMO. (The larger work you suggest in your email would indeed be a pretty different task.)

However, if you really to handle the two remaining certs necessary to pass in 3 years in this PR, I'll still approve this PR as it stands in the interest of unblocking it, as it already brings a valuable improvement that I don't want to block by requesting more of the same.

[RonEld]

I am working on making the tests pass in three years. however htis is more than just changing two certificates

[mpg]

@RonEld Why is that more than just changing the two certificates you mentioned in this earlier message? How much more?

I based my previous comment on the assumption that it would be just changing two certs, so if it's much more that than I could change my mind.

[RonEld]

The task for making it pass in three years include:

1. As you can see in the list I stated in my email, you will see many certificates that expire in three years. ( I listed the main server1.crt and test-ca.crt but all their derivatives as well). THis is not a big issue though.
2. Changing the Makefile in data_files to generate update certificates. Not a big issue.
3. Modifying the .data file in the x509parse test suite, to have the correc tinformation. This is not difficult, only takes time.

As mentioned, I am currently working on this, probably be ready by end of day

[RonEld]

@hanno-arm @mpg I have updated the certificates and corresponding test data files to make our tests pass 3 years ahead.
I still think this is a patch, as it should be handled in a more maintained way though.

I ran the following tests to verify:

faketime -f '+3y' make test
faketime -f '+3y' tests/ssl-opts.sh
faketime -f '+3y' programs/ssl/ssl_server2 and faketime -f '+3y' programs/ssl/ssl_client2

A few notes:

• server2-badsign.crt was generated manually, using a debugger to corrupt the signature, so no Makefile entry done for that.
• enco-ca-prstr.pem was generated through mbedtls_cert_write program, since openssl didn't generate the CN in printablestring. Our certificate write writes in UTF8, so manually modified this. Therefore no Makefile entry for that as well.
• I am not sure what is the purpose of test-ca_uppercase.crt, as the content of original file was not in uppercase. I generated the file, as original CN.

Please review

[RonEld]

Note: I think it's worth fixing #822 as part of this PR

[RonEld]

@k-stachowiak @AndrzejKurek I amended the commit "Update certificates to expire in 2029 " to fix CI failure.
It was only removing of an extra ; character in certs.c line 203. This caused a failure in ARMCC5:

"certs.c", line 205: Error:  #381-D: extra ";" ignored
  const char mbedtls_test_srv_crt_rsa[]     =  
EST_SRV_CRT_RSA_SHA256;
                                                                      ^
certs.c: 0 warnings, 1 error
Makefile:164: recipe for target 'certs.o' failed
make[1]: *** [certs.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [lib] Error 2
Makefile:18: recipe for target 'lib' failed
^^^^build_armcc: build: ARM Compiler 5, make: command make CC=/usr/local/ARM_Compiler_5.06u3/bin//armcc AR=/usr/local/ARM_Compiler_5.06u3/bin//armar WARNING_CFLAGS=--strict --c99 lib -> 2^^^^

Please review

[k-stachowiak]

LGTM

[RonEld]

This PR and its backports have been fully reviewed and approved. Removing the "needs backports" label

cc @Patater

[bmwiedemann]

Hi, I'm wondering what is missing here for this to get merged? The 2019-11-25 expiry of the crl is not that far away.

[bmwiedemann]

collides with

commit 53756b32282d0b36a6900cf2459250a328ae6214
Author: Hanno Becker <[email protected]>
Date:   Mon Jun 3 14:14:38 2019 +0100

    Add MD[245] test CRTs to tree

[RonEld]

@k-stachowiak @AndrzejKurek I have rebased to resolve conflicts
During rebasing, I found new certificates that need to be updated, and other certificates that fail with faketime -f '+3y' since this PR was raised.
Please review

[RonEld]

This PR is fully reviewed, so removing the "needs backports" label
cc @Patater