From: Jaime H. <hab...@gm...> - 2019-07-20 00:37:12
From RFC 5280, "3.3. Revocation":

> An entry MUST NOT be removed
> from the CRL until it appears on one regularly scheduled CRL issued
> beyond the revoked certificate’s validity period.
But, if you look carefully at the following code from
org.ejbca.core.ejb.crl.PublishingCrlSessionBean#internalCreateCRL (r32721):

    for (final RevokedCertInfo revokedCertInfo : revokedCertificates) {
        ...
        if ( !keepexpiredcertsoncrl && revokedCertInfo.getExpireDate() != null
                && *revokedCertInfo.getExpireDate().before(lastCrlCreationDate)* ) {
            ...
            noConflictCertificateStoreSession.setStatus(archiveAdmin,
                    revokedCertInfo.getCertificateFingerprint(),
                    CertificateConstants.CERT_ARCHIVED);
        } else {
            ...
        }
    }
    final byte[] crlBytes = generateAndStoreCRL(admin, ca, crlPartitionIndex,
            revokedCertificates, lastBaseCrlInfo, false);
You can see that the highlighted condition won't become true until the loop is
executed for a second time after a given certificate has expired, which results
in expired certificate entries getting into two CRLs instead of only one.
So, is there a reason to keep that code as it is instead of replacing it
with something like the following:

    if ( !keepexpiredcertsoncrl && revokedCertInfo.getExpireDate() != null &&
            *revokedCertInfo.getExpireDate().before(now)* ) {

which would include the expired certificate entries in only one CRL beyond
the certificate validity period, thus providing a more precise RFC 5280
implementation?
PS: The above is not a production-ready patch, as it could have side
effects that haven't been checked in detail.
--
Jaime Hablutzel - +51 994690880
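The scheduling argument in the message above, worked through as an added
example. This is not EJBCA code and not the poster's patch; it is a small
model of the two archiving conditions (`before(lastCrlCreationDate)` versus
`before(now)`) against a constructed CRL schedule and a constructed expiry
date. It assumes, beyond what the quoted snippet shows, that CRLs are issued
on a fixed schedule, that the first run has no previous CRL, and that the
revoked-certificate list feeding the loop contains only entries still in
REVOKED status, so an entry archived on run N is still in the
`revokedCertificates` list handed to `generateAndStoreCRL` on that run but is
absent from run N+1.

```python
"""Model of when an expired revoked cert drops off the CRL under two rules.

Added illustration, not EJBCA code.  Assumptions (not visible in the quoted
snippet): fixed CRL schedule, no previous CRL on the first run, and archived
entries are no longer returned by the query that builds revokedCertificates.
"""
from datetime import datetime, timedelta
from typing import Callable, List, Optional

# rule(expireDate, lastCrlCreationDate, now) -> True when the entry is archived
Rule = Callable[[datetime, Optional[datetime], datetime], bool]


def current_rule(expire: datetime, last_crl: Optional[datetime], now: datetime) -> bool:
    """r32721 condition: revokedCertInfo.getExpireDate().before(lastCrlCreationDate)."""
    return last_crl is not None and expire < last_crl


def proposed_rule(expire: datetime, last_crl: Optional[datetime], now: datetime) -> bool:
    """Suggested condition: revokedCertInfo.getExpireDate().before(now)."""
    return expire < now


def crl_appearances(rule: Rule, expire: datetime, crl_times: List[datetime],
                    keep_expired_on_crl: bool = False) -> List[datetime]:
    """Issuance times of every CRL on which one revoked certificate is listed."""
    status = "REVOKED"
    last_crl: Optional[datetime] = None
    listed: List[datetime] = []
    for now in sorted(crl_times):
        if status != "REVOKED":
            continue                # assumption: archived entries are not fetched again
        if not keep_expired_on_crl and rule(expire, last_crl, now):
            status = "ARCHIVED"     # models setStatus(..., CERT_ARCHIVED)
        listed.append(now)          # entry is still in revokedCertificates for this CRL
        last_crl = now              # becomes lastCrlCreationDate for the next run
    return listed


def crls_after_expiry(rule: Rule, expire: datetime, crl_times: List[datetime]) -> int:
    """Number of CRLs issued beyond the validity period that carry the entry.

    RFC 5280 section 3.3 requires this to be at least 1.
    """
    return sum(1 for t in crl_appearances(rule, expire, crl_times) if t > expire)


# Constructed sample schedule: one CRL per day at midnight for ten days.
SCHEDULE = [datetime(2019, 7, 1) + timedelta(days=i) for i in range(10)]
# Constructed certificate that expires at noon on 4 July 2019.
EXPIRE = datetime(2019, 7, 4, 12, 0)

if __name__ == "__main__":
    for name, rule in (("current", current_rule), ("proposed", proposed_rule)):
        n = crls_after_expiry(rule, EXPIRE, SCHEDULE)
        print(f"{name} rule: listed on {n} CRL(s) after expiry (RFC 5280 needs >= 1)")
```

With the constructed schedule, the current rule keeps the entry on the
5 July and 6 July CRLs (two CRLs after expiry), while the proposed rule
archives it during the 5 July run, so that CRL is the single one issued
beyond the validity period that still lists it. Setting
`keep_expired_on_crl=True` models `keepexpiredcertsoncrl` and never archives.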