Updating extentions in-place does not work with all Ruby implementations.

smortex · smortex · commit da736e618ccf · 2025-06-29T18:05:58.000-10:00
At least with jruby, the code fail to update the `crlNumber` correctly. While this is arguably a but in jruby, similar issues have been experienced with MRI, e.g.: https://github.com/smortex/puppet-renew-certificate/blob/761d5e768933aae0233e77aeac4aea01d3fd2fa8/exe/puppet-renew-certificate#L125 To avoid this issue, copy the extensions and re-create them one by one.
diff --git a/lib/puppetserver/ca/action/prune.rb b/lib/puppetserver/ca/action/prune.rb
@@ -136,12 +136,21 @@ def prune_CRL(crl)
         end
 
         def update_pruned_CRL(crl, pkey)
-          number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
-          number_ext.each do |crl_number|
-            updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
-            crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.crl = crl
+
+          # Updating extensions in-place does not work with some ruby versions / implementation. Copy & recreate them.
+          extensions = crl.extensions
+          crl.extensions = []
+
+          extensions.each do |ext|
+            if ext.oid == "crlNumber"
+              crl.add_extension(ef.create_extension("crlNumber", OpenSSL::ASN1::Integer.new(ext.value.next)))
+            else
+              crl.add_extension(ext)
+            end
           end
-          crl.extensions=(number_ext + other_ext)
+
           crl.sign(pkey, OpenSSL::Digest::SHA256.new)
         end
 
