fix: remove speculative CRL extension fallback matching

Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

lib/Handler/CertificateEngine/AEngineHandler.php

@@ -213,17 +213,18 @@ private function addCrlValidationInfo(array &$certData, string $certPem): void {
 	 */
 	private function extractCrlUrlsFromExtensions(array $extensions): array {
 		$values = [];
+		$acceptedCrlExtensionNames = [
+			'crldistributionpoints',
+			'x509v3 crl distribution points',
+			'2.5.29.31',
+		];
 		foreach ($extensions as $extensionName => $extensionValue) {
 			if (!is_string($extensionName)) {
 				continue;
 			}
 
 			$normalizedName = strtolower(trim($extensionName));
-			$isCrlDistributionPoints =
-				$normalizedName === 'crldistributionpoints'
-				|| $normalizedName === 'x509v3 crl distribution points'
-				|| $normalizedName === '2.5.29.31'
-				|| str_contains($normalizedName, 'crl distribution points');
+			$isCrlDistributionPoints = in_array($normalizedName, $acceptedCrlExtensionNames, true);
 
 			if (!$isCrlDistributionPoints) {
 				continue;

tests/php/Unit/Handler/CertificateEngine/OpenSslHandlerTest.php

@@ -496,6 +496,20 @@ public function testExtractCrlUrlsFromX509LabelExtensionName(): void {
 		$this->assertSame(['https://example.org/crl/issuer.crl'], $result['urls']);
 	}
 
+	public function testExtractCrlUrlsIgnoreUnknownExtensionNameWithSimilarText(): void {
+		$handler = $this->getInstance();
+
+		$method = new \ReflectionMethod('OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler', 'extractCrlUrlsFromExtensions');
+		$method->setAccessible(true);
+
+		$result = $method->invoke($handler, [
+			'Issuer CRL Distribution Points' => "Full Name:\nURI:https://example.org/crl/issuer.crl",
+		]);
+
+		$this->assertFalse($result['hasExtension']);
+		$this->assertSame([], $result['urls']);
+	}
+
 	public function testRealCertificateRevocationInCrl(): void {
 		$this->caIdentifierService->generateCaId('openssl');