On 1/9/2014 8:14 PM, Dr. Stephen Henson wrote:
On Thu, Jan 09, 2014, Bin Lu wrote:

  Here is the problem, in cert_crl():

        /* The rules changed for this... previously if a CRL contained
         * unhandled critical extensions it could still be used to indicate
         * a certificate was revoked. This has since been changed since
         * critical extension can change the meaning of CRL entries.
         */
        if (crl->flags & EXFLAG_CRITICAL)
                {
                if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
                        return 1;
                ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
                ok = ctx->verify_cb(0, ctx);
                if (!ok)
                        return 0;
                }

Why are we making this change, skipping the critical CRL extensions? This is
causing all the regressions. In this case, should we expect
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION instead of the validation result
based on the CRL content? Basically, we fail the validation once we encounter a
critical CRL extension if the IGNORE_CRITICAL flag is not set, or succeed if the
flag is set, regardless of whatever is in the CRL???


This is now a requirement of RFC5280 5.2:

    If a CRL contains a critical extension
    that the application cannot process, then the application MUST NOT
    use that CRL to determine the status of certificates.


That seems a strange reading of the RFC.  If a flag to IGNORE this rule
is passed to OpenSSL, that should certainly ignore the rule, not the CRL.

A flag to ignore a MUST rule in an RFC, while obviously violating said
rule, also brings an implementation outside the scope of that rule, if
not the entire RFC (but only when that flag is specified).

What extension in your CRLs is critical?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
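Steve's closing question, which extension in the CRL is actually critical, can be answered before the verifier ever raises X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION. The following is an added Python inspector written for this thread, not code from OpenSSL or from any poster: it walks a DER CertificateList to the crlExtensions [0] field and lists every extension's OID with its critical flag. The sample CRL is hand-constructed with a zero placeholder signature and a private extension under the documentation enterprise number from RFC 5612; the KNOWN table only labels output and makes no claim about which extensions a given OpenSSL version can process.

```python
KNOWN = {"2.5.29.20": "cRLNumber", "2.5.29.27": "deltaCRLIndicator", "2.5.29.46": "freshestCRL",
         "2.5.29.28": "issuingDistributionPoint", "2.5.29.35": "authorityKeyIdentifier"}  # RFC 5280 names

def der_iter(buf):
    """Yield (tag, value) for each DER TLV in buf (short and long definite lengths)."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long form: 0x8N, then N length bytes
            ln, i = int.from_bytes(buf[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        yield tag, buf[i:i + ln]
        i += ln
def oid_str(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, v = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for c in raw[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(str(v)); v = 0
    return ".".join(arcs)
def crl_extensions(crl_der):
    """Return [(oid, name, critical)] from the crlExtensions [0] of a CertificateList."""
    (_, cert_list), = der_iter(crl_der)                 # outer SEQUENCE
    _, tbs = next(der_iter(cert_list))                  # tbsCertList comes first
    ctx0 = [v for t, v in der_iter(tbs) if t == 0xA0]   # [0] EXPLICIT Extensions OPTIONAL
    result = []
    for _, ext in (der_iter(next(der_iter(ctx0[0]))[1]) if ctx0 else ()):
        fields = list(der_iter(ext))                    # extnID, [critical BOOLEAN], extnValue
        oid = oid_str(fields[0][1])
        critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
        result.append((oid, KNOWN.get(oid, "unknown"), critical))
    return result
def critical_oids(crl_der):
    """Critical extensions: a verifier that cannot process one MUST NOT use the CRL (RFC 5280 5.2)."""
    return [oid for oid, _, crit in crl_extensions(crl_der) if crit]

# Constructed sample for the demo: hand-built DER with a zero placeholder signature, not a real CRL.
def _tlv(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")) + body
def _ext(oid_hex, value, critical=False):
    flag = _tlv(0x01, b"\xff") if critical else b""     # DER omits critical when FALSE (DEFAULT)
    return _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + flag + _tlv(0x04, value))
_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSAEncryption
_issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Constructed CA"))))
_time = _tlv(0x17, b"140109000000Z")                                       # UTCTime
_revoked = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x10\x01") + _time))         # one revoked serial
_exts = _tlv(0xA0, _tlv(0x30, _ext("551d14", _tlv(0x02, b"\x07"))          # 2.5.29.20 cRLNumber, non-critical
    + _ext("2b0601040181fd5901", b"\x05\x00", critical=True)))             # 1.3.6.1.4.1.32473.1 (RFC 5612 doc PEN)
_tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _alg + _issuer + _time + _time + _revoked + _exts)
SAMPLE_CRL = _tlv(0x30, _tbs + _alg + _tlv(0x03, bytes(17)))              # v2 CRL, 176 bytes
```

Feed a real CRL as DER bytes (base64-decode PEM first) to `critical_oids` to see which OIDs a verifier must understand before it may use that CRL at all.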