Here is the problem, in cert_crl():

        /* The rules changed for this... previously if a CRL contained
         * unhandled critical extensions it could still be used to indicate
         * a certificate was revoked. This has since been changed since
         * critical extension can change the meaning of CRL entries.
         */
        if (crl->flags & EXFLAG_CRITICAL)
                {
                if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
                        return 1;
                ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                ok = ctx->verify_cb(0, ctx);
                if(!ok)
                        return 0;
                }

Why are we making this change, skipping the critical CRL extensions? This is 
causing all the regressions. In this case, should we expect 
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation result 
based on the CRL content? Basically we fail the validation once we encounter a 
critical CRL extension, if flag IGNORE_CRITICAL is not set, or succeed if the 
flag is set, regardless of what is in the CRL?

Thanks,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, January 09, 2014 5:08 AM
To: openssl-users@openssl.org
Subject: Re: CRL checking failing in 1.0.1

On Thu, Jan 09, 2014, Bin Lu wrote:

> Hi,
> 
> I have a piece of code doing CRL revocation check which worked fine with 
> 0.9.8 but now failing in 1.0.1.
> The code does something like:
>             X509_STORE_add_crl(store,crl);
>             X509_STORE_CTX_init(ctx, store, cert, NULL);
>             ctx->check_revocation(ctx);
> 
> In openssl lib (x509_vfy.c), check_cert() does the following:
>         while (ctx->current_reasons != CRLDP_ALL_REASONS)
>                 {
>                 /* Try to retrieve relevant CRL */
>                 if (ctx->get_crl)                           <== this is NULL
>                         ok = ctx->get_crl(ctx, &crl, x);
>                 else
>                         ok = get_crl_delta(ctx, &crl, &dcrl, x); <== this 
> line gets called and returns the CRL in 'crl', 'dcrl' returns null.
>                 /* If error looking up CRL, nothing we can do except
>                  * notify callback
>                  */
>                 if(!ok)
>                         {
>                         ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
>                         ok = ctx->verify_cb(0, ctx);
>                         goto err;
>                         }
>                 ctx->current_crl = crl;
>                 ok = ctx->check_crl(ctx, crl);    <== here it only checks the 
> validity of the crl, but does not do CRL checking against the cert
>                 if (!ok)
>                         goto err;
> 
>                 if (dcrl)
>                         {
>                         ok = ctx->check_crl(ctx, dcrl);
>                         if (!ok)
>                                 goto err;
>                         ok = ctx->cert_crl(ctx, dcrl, x);  <== this does not 
> run since dcrl is NULL
>                         if (!ok)
>                                 goto err;
>                         }
>                 else
>                         ok = 1;          <== so always return success
> 
> Is this something wrong, or am I missing something?
> 

The next bit is:

                /* Don't look in full CRL if delta reason is removefromCRL */
                if (ok != 2)
                        {
                        ok = ctx->cert_crl(ctx, crl, x);
                        if (!ok)
                                goto err;
                        }

That looks for the certificate serial number in the CRL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
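The exchange above reproduced end to end, as an added example that is not code from the thread or from OpenSSL itself: the first CRL exercises the serial lookup Steve points to (cert_crl() reporting the certificate as revoked), the second shows the critical-extension branch Bin Lu quotes firing before that lookup ever happens. It assumes the openssl CLI is on PATH; file names, subjects and the private-arc OID are constructed for the demo.

```shell
#!/bin/sh
# Added reproduction, not code from the thread or from OpenSSL itself: build a
# throwaway CA, a leaf certificate and two CRLs that revoke it (one plain, one
# carrying an unknown critical extension), then run the check Bin Lu's code does
# (X509_V_FLAG_CRL_CHECK) through the openssl CLI. File names, subjects and the
# private-arc OID 1.3.6.1.4.1.99999.1 are constructed for this demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca -days 30 \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj /CN=demo-leaf \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out leaf.pem >/dev/null 2>&1

# Minimal `openssl ca` setup: -revoke and -gencrl only need a database and a
# CRL number. The crl_ext section is referenced only for the second CRL.
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
[ crl_ext ]
1.3.6.1.4.1.99999.1 = critical,ASN1:UTF8String:demo
EOF
ca() { openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key "$@" >/dev/null 2>&1; }
ca -revoke leaf.pem
ca -gencrl -out plain.crl
ca -gencrl -crlexts crl_ext -out critical.crl

# Verify leaf.pem against one CRL and print the message behind the first
# "error N at D depth lookup:" line the verify callback reports, or OK.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$1" leaf.pem 2>&1 || true)
    case "$out" in
        *"depth lookup: "*) printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1 ;;
        *) echo OK ;;
    esac
}

verify_with_crl plain.crl     # certificate revoked: cert_crl() found the serial
verify_with_crl critical.crl  # unhandled critical CRL extension: cert_crl() bailed out first
```

`openssl verify -ignore_critical` sets X509_V_FLAG_IGNORE_CRITICAL, the flag tested in the quoted cert_crl(), so the same two CRLs let you observe what your own build does on that branch.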