Closed
Bug 233126
Opened 21 years ago
Closed 11 years ago
CRLs are not verified when imported
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: julien.pierre, Unassigned)
References
Details
(Whiteboard: [kerh-ehz])
PSM uses the SEC_NewCrl function to import CRLs. This function does not perform any checks and blindly stores it into the certificate database (softoken). The reasons invoked in the past were that we don't permanently store intermediate CA certs, and therefore the CA cert needed to verify the CRL may be unavailable. I think we need the checks however.

1. First, PSM should try to find the CRL issuer, using the new CERT_FindCRLIssuer function (see bugzilla 217387).
2. If the CRL issuer is found, PSM should import the CRL using the stricter PK11_ImportCRL function which can perform checks.
3. I can't find a way to locate a URL for the issuer cert from the content of the CRL itself. Only the issuer subject appears to be available. But if one exists, we should use that URL to download the CA cert, and then go to step 2.
4. Typically, you would download the issuer cert before the CRL. The certs contain an extension with a URL to download the CRL. But it is never actually used by PSM to automatically download the CRLs. The CRL download should be initiated that way.
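The import flow proposed in steps 1 and 2 above, as an added example (not part of the bug report, and not PSM or NSS code). It uses Python with the third-party `cryptography` package; `make_ca`, `make_crl`, `import_crl`, the `known_cas` list and the `store` list are hypothetical stand-ins for the certificate database, and the check performed before storing is assumed to be the CRL signature.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = datetime.datetime(2024, 1, 1)  # fixed date for the constructed samples


def make_ca(cn):
    """Constructed sample: a self-signed CA certificate and its private key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(T0)
            .not_valid_after(T0 + datetime.timedelta(days=3650))
            .sign(key, hashes.SHA256()))
    return cert, key


def make_crl(issuer_name, signing_key):
    """Constructed sample: an empty DER CRL naming issuer_name as its issuer."""
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer_name)
           .last_update(T0).next_update(T0 + datetime.timedelta(days=30))
           .sign(signing_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)


def import_crl(der, known_cas, store):
    """Store the CRL only if a known CA matching its issuer name signed it."""
    crl = x509.load_der_x509_crl(der)
    # Step 1: the CRL carries only the issuer subject, so look up by name.
    issuers = [ca for ca in known_cas if ca.subject == crl.issuer]
    if not issuers:
        return "issuer-not-found"  # nothing is stored without a verifier
    # Step 2: strict import, refuse a CRL the issuer's key did not sign.
    if not any(crl.is_signature_valid(ca.public_key()) for ca in issuers):
        return "bad-signature"
    store.append(der)
    return "imported"
```

A CRL that names a trusted CA as issuer but was signed with a different key is rejected here, which is the case an unchecked import would store.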
Updated•20 years ago
Assignee: kaie → nobody
Updated•19 years ago
Whiteboard: [kerh-ehz]
Updated•17 years ago
QA Contact: bmartin → ui
Comment 1•11 years ago
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•8 years ago
Product: Core → Core Graveyard