Patrick wrote:
> 1. Why isn't this utility mentioned in
> http://www.mozilla.org/projects/security/pki/nss/tools?

'cause we're too busy answering questions in this newsgroup. <grin>

> 2. The utility has the "-u url" option when importing. What for?

Many CRLs can be fetched with a URL, but the URL to fetch it is not always in the CRL itself. This option lets you record the URL that is used to fetch updated versions of the CRL.

> 3. When it imports a CRL, what exactly is the validation that is performed
> on the CRL, besides signature verification of the issuing CA?

Use the Source, Luke!

Starting at http://lxr.mozilla.org/mozilla/source/security/nss/cmd/crlutil/crlutil.c#451 we see that crlutil calls ImportCRL. The underlined link for that function call takes us to a page with a link to the function, which is at http://lxr.mozilla.org/mozilla/source/security/nss/cmd/crlutil/crlutil.c#189

There, we see that it reads the DER cert from a file, finds the internal token, and at line http://lxr.mozilla.org/mozilla/source/security/nss/cmd/crlutil/crlutil.c#215 it calls PK11_ImportCRL. That underlined link takes us to a page with a link to http://lxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11cert.c#4066 where we see the CRL is decoded.

At line http://lxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11cert.c#4093 it finds the issuer cert and checks to see if the cert's usage permits it to issue CRLs (which isn't as strong a check as seeing if it's trusted to issue CRLs). Then it verifies the signature on the CRL using that cert.

Finally at line http://lxr.mozilla.org/mozilla/source/security/nss/lib/pk11wrap/pk11cert.c#4119 it calls crl_storeCRL. The link there takes us to http://lxr.mozilla.org/mozilla/source/security/nss/lib/certdb/crl.c#640 where we see that it first removes an older copy of the CRL from the token, if one exists, then at http://lxr.mozilla.org/mozilla/source/security/nss/lib/certdb/crl.c#700 it calls PK11_PutCRL to put the new CRL in the token.

> Shouldn't it
> also check the trust flags of the CA, and only import the CRL if the issuing
> CA is *trusted*?

It does seem to me that PK11_ImportCRL should do more than check the usage extensions on the issuer cert. Why don't you file a bug about this?

--
Obi Wan
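The import checks walked through above, plus the trust check the reply asks for, as an added example that is not crlutil's or NSS's own code. It uses Python's `cryptography` package with a constructed throwaway CA and CRL; the set of SHA-256 issuer fingerprints standing in for NSS trust flags is an assumption made for the example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding


def make_ca_and_crl(cn, crl_sign):
    """Constructed fixture: a self-signed CA and an empty CRL it signed.
    Returns (cert, crl_der, sha256_fingerprint). Not real-world data."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    t0 = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    usage = x509.KeyUsage(digital_signature=False, content_commitment=False,
                          key_encipherment=False, data_encipherment=False,
                          key_agreement=False, key_cert_sign=True, crl_sign=crl_sign,
                          encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(t0).not_valid_after(t0 + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(t0).next_update(t0 + datetime.timedelta(days=7))
           .sign(key, hashes.SHA256()))
    return cert, crl.public_bytes(Encoding.DER), cert.fingerprint(hashes.SHA256())


def check_crl_import(crl_der, candidate_issuers, trusted_crl_issuers):
    """Steps 1-3 follow the PK11_ImportCRL path described in the post;
    step 4 is the trust-flag check the post argues should be added.
    Returns None if the CRL would be accepted, else the reason for rejection."""
    crl = x509.load_der_x509_crl(crl_der)                       # decode the DER CRL
    issuer = next((c for c in candidate_issuers if c.subject == crl.issuer), None)
    if issuer is None:                                          # 1. find the issuer cert
        return "issuer cert not found"
    try:                                                        # 2. usage permits CRL issuing
        if not issuer.extensions.get_extension_for_class(x509.KeyUsage).value.crl_sign:
            return "issuer key usage does not permit CRL signing"
    except x509.ExtensionNotFound:                              # assumption: treat as reject
        return "issuer has no KeyUsage extension"
    if not crl.is_signature_valid(issuer.public_key()):         # 3. verify the CRL signature
        return "CRL signature invalid"
    # 4. usage says the CA *may* sign CRLs; trust says we *accept* CRLs from it
    if issuer.fingerprint(hashes.SHA256()) not in trusted_crl_issuers:
        return "issuer not trusted to issue CRLs"
    return None
```

A CA whose KeyUsage permits cRLSign but whose fingerprint is absent from the trust set is the case the post is about: steps 1-3 pass and only step 4 rejects it.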
