Type: Bug
Resolution: Done
Priority: Undefined
Version: 26.0.7
Description
Currently, Keycloak does CRL checking either locally or remotely and will fail x509 authentication if the CRL is not reachable. Though it will check the CRL for validity with a signature check, it does not compare the current time against the nextUpdate time in the CRL to check whether the CRL is date-valid. According to RFC 3280 Section 6.3, there should be a mechanism implemented in software to do that check and, if the date isn't valid, to fetch a new version. If Keycloak has no mechanism to retrieve a newer version, the authentication should fail, similarly to not being able to fetch it in the first place.
The feature request is to fail closed by default (more secure) if the CRL is not fetchable or not date-valid, with an administrative configuration option to fail open (like OCSP) or to allow expired CRLs (allowNonUpdatedCRLs), which would allow the current functional state.
Communication took place through the Keycloak security email to ensure this was not considered a CVE before submitting.
Discussion
No response
Motivation
No response
Details
No response
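The check the issue asks for, written out as an added example in Go; this is not Keycloak's code and does not use its APIs. It builds a throwaway CA and a CRL signed by it (constructed test data), verifies the CRL signature against the issuer, then applies the thisUpdate/nextUpdate comparison from RFC 5280 section 6.3 (the successor of RFC 3280 cited in the report) before looking up the certificate serial. The two policy switches, `FailOpenOnFetchError` and `AllowNonUpdatedCRLs`, are illustrative names modelled on the options the issue proposes; their zero values are the fail-closed default the issue argues for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLPolicy models the administrative switches the issue proposes. Names are
// illustrative (only "allowNonUpdatedCRLs" appears in the issue); both default
// to false, which is the fail-closed behaviour.
type CRLPolicy struct {
	FailOpenOnFetchError bool // like the OCSP fail-open option the issue mentions
	AllowNonUpdatedCRLs  bool // accept a CRL whose nextUpdate has passed
}

var (
	ErrCRLUnavailable = errors.New("crl: not fetchable and policy is fail-closed")
	ErrCRLNotYetValid = errors.New("crl: thisUpdate is in the future")
	ErrCRLExpired     = errors.New("crl: nextUpdate has passed and no fresher CRL is available")
	ErrCertRevoked    = errors.New("crl: certificate serial is listed as revoked")
)

// CheckCRLFreshness is the RFC 5280 section 6.3 step the issue says is missing:
// after the signature is verified against the issuing CA, compare the current
// time with thisUpdate and nextUpdate.
func CheckCRLFreshness(crl *x509.RevocationList, issuer *x509.Certificate, now time.Time, policy CRLPolicy) error {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl: signature check failed: %w", err)
	}
	if now.Before(crl.ThisUpdate) {
		return ErrCRLNotYetValid
	}
	// nextUpdate is OPTIONAL in RFC 5280; a zero value means the issuer set no deadline.
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) && !policy.AllowNonUpdatedCRLs {
		return ErrCRLExpired
	}
	return nil
}

// CheckCertificateAgainstCRL is the per-login decision. fetchErr != nil models
// the "CRL not reachable" case; only then is the fail-open switch consulted.
func CheckCertificateAgainstCRL(serial *big.Int, crl *x509.RevocationList, fetchErr error, issuer *x509.Certificate, now time.Time, policy CRLPolicy) error {
	if fetchErr != nil {
		if policy.FailOpenOnFetchError {
			return nil
		}
		return fmt.Errorf("%w: %v", ErrCRLUnavailable, fetchErr)
	}
	if err := CheckCRLFreshness(crl, issuer, now, policy); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return ErrCertRevoked
		}
	}
	return nil
}

// MakeTestCRL builds a throwaway CA and a CRL it signs that lists serial 42 as
// revoked. Constructed test data for this example, not a real CA.
func MakeTestCRL(thisUpdate, nextUpdate time.Time) (*x509.RevocationList, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CRL Issuer"},
		NotBefore: thisUpdate.Add(-24 * time.Hour), NotAfter: nextUpdate.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CreateRevocationList requires crlSign
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: thisUpdate}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	if err != nil {
		return nil, nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	return crl, ca, err
}

func main() {
	now := time.Now()
	stale, ca, err := MakeTestCRL(now.Add(-48*time.Hour), now.Add(-24*time.Hour)) // nextUpdate already passed
	if err != nil {
		panic(err)
	}
	fmt.Println("default policy:      ", CheckCertificateAgainstCRL(big.NewInt(1000), stale, nil, ca, now, CRLPolicy{}))
	fmt.Println("allowNonUpdatedCRLs: ", CheckCertificateAgainstCRL(big.NewInt(1000), stale, nil, ca, now, CRLPolicy{AllowNonUpdatedCRLs: true}))
}
```

The signature check runs before the date check on purpose: an attacker who can serve an arbitrary CRL should not be able to influence the decision at all, and an expired but genuine CRL is only accepted when the administrator has explicitly opted into the permissive mode. A real deployment would try to re-fetch from the distribution point on `ErrCRLExpired` and only then fail the login.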