On Fri May 09 09:59:51 2014, [email protected] wrote:
> Am 09.05.14 00:53, schrieb Stephen Henson via RT:
> > On Thu May 08 15:49:11 2014, [email protected] wrote:
> >>
> >> I can confirm that with this patch applied my use case with
> >> X509_verify_cert() works as expected (misidentification of signing
> >> certificate as CRL issuer no longer occurs).
> >>
> >
> > Could you give me more details of this case? If possible if you could send the
> > certificates and CRLs involved (privately if you wish).
> >
> > It may be possible to address this case in X509_verify_cert() itself.
>
> I have prepared a second test certificate "testcert2.pem", a
> corresponding CRL "testcrl.pem", and a new test program
> "x509_verify.c"
> that reproduces the issue in the full context of X509_verify_cert().
>
> The callback function verify_cb() for X509_verify_cert() ignores all
> errors related to the validation of the certificate chain, in order to
> allow verification of other formal certificate requirements.
>
> Actual result of running the test program:
>
> verify_cb: certificate subject: CN=ATS PLOP User AKID,O=PDFlib GmbH,L=Munich,C=DE
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ignored
> verify_cb: certificate subject: CN=ATS PLOP User AKID,O=PDFlib GmbH,L=Munich,C=DE
> X509_V_ERR_KEYUSAGE_NO_CRL_SIGN not ignored
> error 35 at 0 depth lookup: key usage does not include CRL signing
> X509_verify_cert returns false
>
> Expected result:
>
> The verify_cb() function should not be invoked with the
> X509_V_ERR_KEYUSAGE_NO_CRL_SIGN error, and X509_verify_cert() should
> return true.
>

Well what is happening in this case is that OpenSSL uses various criteria to
decide which CRL to use. To aid debugging if it can't find a CRL meeting the
exact criteria it uses the nearest it can so that hopefully the error message
will alert the user as to what's wrong.

If it rejected that CRL outright because the issuer wasn't valid you'd get an
error about a missing CRL which is arguably misleading because there is a CRL,
it's just not suitable. With the current situation it helps indicate why that
CRL isn't suitable.

Now in the above case if there are two certificates which might be a CRL issuer
one of which has CRL signing set in keyUsage and the other does not it should
use the former.... but currently it doesn't do that. It could be fixed to do
that but you'd still end up with the above error if the correct CRL issuer was
absent.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
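As an added illustration of the selection policy Steve describes (not OpenSSL's own code, and not part of the thread), the following constructed C model reduces certificates to a subject name and a keyUsage bit mask, prefers a name match that asserts cRLSign, and otherwise returns the nearest name-only match so the caller can report why it is unsuitable rather than a misleading "missing CRL". The type, constant and function names are assumptions made for this model.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the CRL-issuer selection policy discussed above;
 * not OpenSSL's implementation. */
#define MODEL_KU_CRL_SIGN 0x02u   /* local keyUsage flag for this model only */

typedef struct {
    const char *subject;     /* subject DN, compared against the CRL issuer DN */
    unsigned    key_usage;   /* keyUsage bits; 0 means no usable extension */
} model_cert;

/* Outcomes, mirroring the three situations described in the thread. */
enum crl_issuer_result {
    CRL_ISSUER_OK = 0,              /* name matches and cRLSign is asserted */
    CRL_ISSUER_NEAREST_NO_CRL_SIGN, /* only a name match: surfaced as
                                       X509_V_ERR_KEYUSAGE_NO_CRL_SIGN to aid debugging */
    CRL_ISSUER_NONE                 /* no candidate at all: surfaced as a missing CRL */
};

/* Choose the issuer certificate for a CRL whose issuer DN is `crl_issuer`
 * from certs[0..n). A name match that also asserts cRLSign wins outright
 * (the preference Steve says OpenSSL should apply); failing that, the first
 * name-only match is returned as the "nearest" candidate. */
enum crl_issuer_result select_crl_issuer(const char *crl_issuer,
                                         const model_cert *certs, size_t n,
                                         const model_cert **chosen)
{
    const model_cert *nearest = NULL;
    *chosen = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(certs[i].subject, crl_issuer) != 0)
            continue;                       /* issuer name differs: not a candidate */
        if (certs[i].key_usage & MODEL_KU_CRL_SIGN) {
            *chosen = &certs[i];            /* exact match: stop searching */
            return CRL_ISSUER_OK;
        }
        if (nearest == NULL)
            nearest = &certs[i];            /* remember the first name-only match */
    }
    if (nearest == NULL)
        return CRL_ISSUER_NONE;
    *chosen = nearest;                      /* unsuitable, but best for diagnostics */
    return CRL_ISSUER_NEAREST_NO_CRL_SIGN;
}
```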

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
