The cryptography library parsed a CRL file with duplicate revoked certificate entries.

[onepeople158]

Version:
cryptography-44.0.2

Hello developer, I successfully parsed a CRL file with duplicate revoked certificate entries using cryptography. According to RFC 5280:

Each revocation entry is uniquely identified by its serial number.

So, is this a bug?

Code:

from cryptography.x509 import load_pem_x509_crl, load_der_x509_crl
from cryptography.x509 import ExtensionNotFound
import sys

def load_crl(file_path):
    with open(file_path, "rb") as f:
        crl_data = f.read()
    try:
        crl = load_pem_x509_crl(crl_data)
    except ValueError:
        crl = load_der_x509_crl(crl_data)
    return crl

def print_crl_issuer(file_path):
    crl=load_crl(file_path)
    try:
        for entry in crl:
               print(f"Serial Number: {entry.serial_number}")
               print(f"Revocation Date: {entry.revocation_date_utc}")
               if entry.extensions:
                    for ext in entry.extensions:
                          if ext.oid ==x509.oid.CRLEntryExtensionOID.CRL_REASON:
                                 print(f"reason: {ext.value.reason}")
    except Exception as e:
        print(f"Error occurred: {e}")

file_path = 'crl_revoked_dublicate.der'
print_crl_issuer(file_path)

Test Case:
crl_revoked_dublicate.zip

[alex]

From my perspective this isn't a bug, this is something that doesn't make sense to validate on parse. If/when we add CRLs to X.509 path validation, we should enfoce this there (#10393).

Do you disagree?

[onepeople158]

Hello, developer. If we encounter a situation when viewing the CRL where there are two entries with the same certificate serial number, but different expiration dates and revocation reasons, would this cause an issue?The relying party cannot determine which entry should be trusted.
Test Case:

crl_revoked_dublicate_serial.zip

[alex]

It does make the revocation date/reason ambigious, but I don't know if this is a problem in practice.

If we do this check in X.509 validation, we avoid this problem.

[onepeople158]

It does make the revocation date/reason ambigious, but I don't know if this is a problem in practice.

If we do this check in X.509 validation, we avoid this problem.

Indeed, this is just a potential issue.

[github-actions]

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

[onepeople158]

It does make the revocation date/reason ambigious, but I don't know if this is a problem in practice.

If we do this check in X.509 validation, we avoid this problem.

Hello Developer, will a check be added to the X.509 verification process to reject CRL files that contain either duplicate revocation entries or duplicate serial numbers within the revoked list?

[alex]

We don't yet process CRLs in X.509 validation, when we do we will check for this.

…

On Wed, Apr 23, 2025 at 3:15 AM onepeople158 ***@***.***> wrote: It does make the revocation date/reason ambigious, but I don't know if this is a problem in practice. If we do this check in X.509 validation, we avoid this problem. Hello, developer. Could you please tell me if the X509 verify process checks for duplicate revocation entries in the CRL? — Reply to this email directly, view it on GitHub <#12780 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBDIHDKU3EBAVSWLOAD22442NAVCNFSM6AAAAAB3M7KXC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRTGI4TEOJVGE> . You are receiving this because you commented.Message ID: ***@***.***> *onepeople158* left a comment (pyca/cryptography#12780) <#12780 (comment)> It does make the revocation date/reason ambigious, but I don't know if this is a problem in practice. If we do this check in X.509 validation, we avoid this problem. Hello, developer. Could you please tell me if the X509 verify process checks for duplicate revocation entries in the CRL? — Reply to this email directly, view it on GitHub <#12780 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAAGBDIHDKU3EBAVSWLOAD22442NAVCNFSM6AAAAAB3M7KXC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRTGI4TEOJVGE> . You are receiving this because you commented.Message ID: ***@***.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

[onepeople158]

We don't yet process CRLs in X.509 validation, when we do we will check for
this.
…

On Wed, Apr 23, 2025 at 3:15 AM onepeople158 @.***> wrote:
It does make the revocation date/reason ambigious, but I don't know if
this is a problem in practice.

If we do this check in X.509 validation, we avoid this problem.

Hello, developer. Could you please tell me if the X509 verify process
checks for duplicate revocation entries in the CRL?

—
Reply to this email directly, view it on GitHub
<#12780 (comment)>,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAAGBDIHDKU3EBAVSWLOAD22442NAVCNFSM6AAAAAB3M7KXC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRTGI4TEOJVGE
.
You are receiving this because you commented.Message ID:
@.***>
onepeople158 left a comment (pyca/cryptography#12780)
<#12780 (comment)>

It does make the revocation date/reason ambigious, but I don't know if
this is a problem in practice.

If we do this check in X.509 validation, we avoid this problem.

Hello, developer. Could you please tell me if the X509 verify process
checks for duplicate revocation entries in the CRL?

—
Reply to this email directly, view it on GitHub
<#12780 (comment)>,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAAAGBDIHDKU3EBAVSWLOAD22442NAVCNFSM6AAAAAB3M7KXC2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDQMRTGI4TEOJVGE
.
You are receiving this because you commented.Message ID:
@.***>

--
All that is necessary for evil to succeed is for good people to do nothing.

Sure, I understand.