Is your feature request related to a problem? Please describe.
Currently LibreSign validates certificates by downloading the CRL (Certificate Revocation List) from the URL defined in the CRL Distribution Points extension.
This works when the CRL URL uses HTTP/HTTPS.
However, some government-issued certificates (e.g. Spanish FNMT / CERES certificates) provide the CRL Distribution Point using the LDAP protocol instead of HTTP.
Example of CRL Distribution Point:
ldap://ldapusu.cert.fnmt.es/cn=CRL6916,cn=AC%20FNMT%20Usuarios,ou=CERES,o=FNMT-RCM,c=ES?certificateRevocationList;binary?base?objectclass=cRLDistributionPoint
LibreSign currently cannot handle LDAP URLs for CRL retrieval. As a result, CRL validation fails and the certificate is treated as invalid, even though it is valid and not revoked.
This prevents proper usage of official government certificates that rely on LDAP-based CRL distribution.
Describe the solution you'd like
Add support for LDAP-based CRL Distribution Points in LibreSign.
Specifically:
- Detect when the CRL Distribution Point uses the ldap:// protocol
- Retrieve the CRL via LDAP
- Parse and validate the CRL as currently done for HTTP-based CRLs
- Continue the normal revocation check workflow
This would allow LibreSign to correctly validate certificates issued by authorities that publish CRLs via LDAP instead of HTTP.
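The retrieval step above needs an RFC 4516 LDAP URL parser before any client can be used; the following is an added example (not LibreSign's code) that parses the FNMT distribution point quoted above and fetches the DER CRL through a `search` callable that stands in for a real LDAP client such as ldap3 (the callable and the `LdapCrlUrl` type are assumptions of this example).

```python
# Added example, not LibreSign's code: parse an RFC 4516 LDAP URL taken from a
# CRL Distribution Point and retrieve the DER CRL via an injected search function.
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit, unquote


@dataclass
class LdapCrlUrl:
    host: str
    port: int
    base_dn: str
    attribute: str   # usually "certificateRevocationList;binary" (RFC 4522 option)
    scope: str       # "base", "one" or "sub"
    filter: str


def parse_ldap_crl_url(url: str) -> LdapCrlUrl:
    """Split ldap://host[:port]/dn?attrs?scope?filter into its components."""
    p = urlsplit(url)
    if p.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    # urlsplit keeps everything after the first '?' as the query; RFC 4516
    # separates attributes, scope and filter with further '?' characters.
    fields = (p.query.split("?") + ["", "", ""])[:3]
    attrs, scope, flt = (unquote(f) for f in fields)
    attribute = attrs.split(",")[0] if attrs else "certificateRevocationList;binary"
    scope = scope.lower() or "base"          # RFC 4516 default scope is "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown LDAP scope: {scope}")
    if flt and not flt.startswith("("):      # CAs often omit the RFC 4515 parentheses
        flt = f"({flt})"
    return LdapCrlUrl(
        host=p.hostname or "",
        port=p.port or (636 if p.scheme == "ldaps" else 389),
        base_dn=unquote(p.path.lstrip("/")),
        attribute=attribute,
        scope=scope,
        filter=flt or "(objectClass=*)",
    )


# Hypothetical client abstraction: receives the parsed URL, performs the LDAP
# search and returns the raw values of the requested attribute.
SearchFn = Callable[[LdapCrlUrl], list[bytes]]


def fetch_crl_der(url: str, search: SearchFn) -> bytes:
    """Return the DER-encoded CRL published at an LDAP distribution point."""
    target = parse_ldap_crl_url(url)
    values = search(target)
    if not values:
        raise LookupError(f"no {target.attribute} value at {target.base_dn}")
    der = values[0]
    if not der.startswith(b"\x30"):  # a CRL is a DER SEQUENCE, never PEM text
        raise ValueError("LDAP returned a value that is not a DER CRL")
    return der
```

The returned bytes can then be handed to the same CRL parser already used for HTTP-fetched CRLs, so the revocation check itself stays unchanged.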
Describe alternatives you've considered
Temporary alternatives considered:
- Disabling CRL validation in isolated environments
- Adding an administrative option to skip CRL validation for non-HTTP distribution points
- Manually mirroring the CRL via HTTP (not ideal and not always possible)
However, the proper solution is to implement native LDAP support for CRL retrieval.
Additional context
Environment:
- Nextcloud 32.0.5
- LibreSign 12.2.3
This behavior was observed with Spanish FNMT / CERES certificates.
The certificate itself is valid and not expired. The issue occurs because LibreSign expects an HTTP CRL URL, but the certificate defines an LDAP CRL Distribution Point.
According to FNMT documentation, LDAP is an officially supported method for CRL access.
Supporting LDAP-based CRLs would improve compatibility with government-issued certificates and enterprise PKI environments.