Bug 103946: Delta CRL is imported successfully, though not supported now
Status: Closed (VERIFIED FIXED), target milestone 3.4
Opened 23 years ago; closed 23 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
People: Reporter: rangansen; Assigned: rrelyea
References: none
Attachments: 1 file (1007 bytes, application/octet-stream)
Visit http://131.107.152.153/certsrv/certcarc.asp and click on the link for 'Download Latest Delta CRL'. The Delta CRL gets successfully downloaded and is shown in the PSM CRL Manager, though Delta CRLs are not actually supported right now. Bug# 101038 is a related bug.
Comment 1 • 23 years ago
Julien, could you take a look at this bug? The scope of this bug should be limited to making the import of Delta CRLs fail. This bug is not a RFE for Delta CRL support.
Assignee: wtc → jpierre
Priority: -- → P1
Target Milestone: --- → 3.4
Version: unspecified → 3.3.1
Comment 3 • 23 years ago
The PSM team informed me that they need this bug fixed in NSS 3.4. Again, what needs to be done in NSS 3.4 is to make the import of Delta CRLs fail (with a "not supported" error). It is not necessary to add Delta CRL support to NSS 3.4.
Target Milestone: 4.0 → 3.4
Comment 4 • 23 years ago
Rangan,

When I try importing that CRL in the browser, it works the first time around, but the second time I get an error that the CRL cannot be imported.

FYI, when I try importing it with crlutil, I get this error:

    crlutil: unable to import CRL: Peer's Certificate issuer is not recognized.

In fact, the crlutil code tries to find the cert of the issuer of the CRL, and fails because apparently an untrusted Microsoft test CA signed it. I am surprised that you did not run into that problem. The code that does the check is in CERT_ImportCRL. Is that the NSS function you are using in PSM?

    caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
    if (caCert == NULL) {
        PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
        break;
    }
Comment 5 • 23 years ago
Sorry about the checking code being pasted twice. Netscape 6.2 is really junk and wasn't showing the text in the dialog box after pasting, and I couldn't see my comments on this bug anymore in the middle of the edit.
Comment 6 (Reporter) • 23 years ago
In PSM we use SEC_NewCrl [certdb\pcertdb.c] for importing the CRL, which possibly does not do this check. PSM as such does not care if the CA is trusted when importing a CRL. That should be fine for PSM, since anyway it doesn't let you visit a site whose CA is not trusted or whose CA cert is not available. It pops up a dialog in that case, and the user can decide whether to trust that CA / import its certificate at that point in time. The reason you get the error when trying to download the CRL a second time is that NSS [pre-3.4] does not allow importing a CRL if one from the same CA with the same or later 'this-update' field is already available [bug# 108031].
Comment 7 • 23 years ago
I'm not sure how to check if the CRL is a delta CRL or not. Is it part of a cert extension? The only reference I found to delta CRLs was in nss/lib/pki1/oids.txt. There doesn't seem to be any code to check for that. Bob, I'd appreciate any suggestion on how to do this.
Comment 8 (Assignee) • 23 years ago
I don't know the answer either. You'll have to go look at the pkix (I think) documentation. bob
Comment 9 (Assignee) • 23 years ago
I happened to trip over this in IETF RFC 2459. The indication that the CRL is a delta CRL is supposed to be in an extension. BTW, there may actually be a problem with the Delta CRL itself. RFC 2459 explicitly states that the delta CRL extension must be marked critical. If the extension was marked critical, we should have already rejected the CRL. If it wasn't, there's a bug in the CRL issuer. In any case we probably should check if the CRL is a delta CRL for sanity's sake, and also verify we can't load a CRL with a critical extension that we don't understand.
Comment 10 • 23 years ago
Bob, we may need you to help with this bug too. We can address this issue after NSS 3.4 because PSM is building NSS from source, so it can pick up NSS bug fixes more easily.
Comment 11 (Assignee) • 23 years ago
I'm almost positive that this one is invalid. Delta CRLs are supposed to mark the delta CRL extension critical. If they do, then the Delta CRL will not load. It doesn't mean we shouldn't also do a sanity check, but the base problem is probably in the CRL. The only reason I haven't closed this as invalid is because I haven't had a chance to verify that the offending CRL does not have the extension marked critical. bob
Comment 12 • 23 years ago
The CRL does have the delta CRL extension (OID 2.5.29.27) and it is marked critical. We should be rejecting it.

    (strange)/u/jpierre/nss/33/mozilla/dist/SunOS5.8_DBG.OBJ/bin{70} pp -t crl -i crl2.der
    CRL:
        Data:
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Name: CN=SECTESTCA1, OU="Microsoft, Interopability Testing Only", O="Microsoft, Interopability Testing Only", L=Redmond, ST=WA, C=US, E=testca@microsoft.com
            Last Update: Tue Nov 27 16:45:29 2001
            Next Update: Thu Nov 29 05:05:29 2001
            Signed CRL Extension:
                Name: Certificate Authority Key Identifier
                Data:
                    Sequence {
                        80:14:fd:20:f0:c7:b1:25:66:9d:2d:ac:1b:06:21:17:
                        78:8b:9c:c2:94:36
                    }
                Name: 2b:06:01:04:01:82:37:15:01
                Data: 131328 (0x20100)
                Name: CRL Number
                Data: 33685890 (0x2020182)
                Name: 2b:06:01:04:01:82:37:15:04
                Name: 55:1d:1b
                Critical: True
                Data: 33685883 (0x202017b)
                Name: 2b:06:01:04:01:82:37:15:0e
                Data:
                    Sequence {
                        4b:30:82:01:47:a0:82:01:43:a0:82:01:3f:86:2e:66:
                        69:6c:65:3a:2f:2f:5c:5c:53:45:43:54:45:53:54:43:
                        41:34:5c:43:65:72:74:45:6e:72:6f:6c:6c:5c:53:45:
                        43:54
    Segmentation fault (core dumped)
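The two checks Bob outlines in comment 9, applied to the kind of extension list Julien's pp dump shows, as an added example that is not NSS code and not from anyone in this thread: a minimal DER walker over a CertificateList that extracts crlExtensions, refuses a CRL carrying the Delta CRL Indicator (OID 2.5.29.27, the 55:1d:1b above), reports a non-critical indicator as an issuer bug, and rejects any other critical extension the importer does not understand. The function names, the set of "known" extensions, the issuer name and the placeholder signature are assumptions for illustration; the sample CRLs at the bottom are constructed in the block, reusing only the CRL numbers from the dump.

```python
# Added example, not NSS code: minimal DER walk over an X.509 CertificateList
# to pull out crlExtensions and apply the RFC 2459 rules from the thread.
# Nothing here verifies a signature; the sample CRLs below are constructed.

TAG_BOOLEAN, TAG_INTEGER, TAG_BITSTRING, TAG_OCTETSTRING = 0x01, 0x02, 0x03, 0x04
TAG_NULL, TAG_OID, TAG_PRINTABLE, TAG_UTCTIME = 0x05, 0x06, 0x13, 0x17
TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x30, 0x31, 0xA0   # 0xA0 = [0] EXPLICIT

OID_DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")  # 2.5.29.27, "55:1d:1b" in the dump
OID_CRL_NUMBER = bytes.fromhex("551d14")           # 2.5.29.20
OID_AUTHORITY_KEY_ID = bytes.fromhex("551d23")     # 2.5.29.35
# Assumed: the extensions this importer understands. Any critical extension
# outside this set is grounds for refusing the CRL.
KNOWN_EXTENSIONS = {OID_CRL_NUMBER, OID_AUTHORITY_KEY_ID}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end

def _children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def crl_extensions(crl_der):
    """Return [(oid_bytes, critical, extnValue)] from a DER CertificateList.
    TBSCertList = [version] signature issuer thisUpdate [nextUpdate]
    [revokedCertificates] [0] EXPLICIT crlExtensions; only the optional [0]
    element matters here, so the fields before it are skipped by tag."""
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_list, 0)
    if tag != TAG_SEQUENCE or tbs_tag != TAG_SEQUENCE:
        raise ValueError("CertificateList/TBSCertList is not a SEQUENCE")
    wrapped = next((v for t, v in _children(tbs) if t == TAG_CTX0), None)
    if wrapped is None:
        return []                       # no crlExtensions at all
    t, ext_list, _ = _read_tlv(wrapped, 0)
    if t != TAG_SEQUENCE:
        raise ValueError("crlExtensions is not a SEQUENCE")
    result = []
    for t, ext in _children(ext_list):
        fields = list(_children(ext))   # OID, [BOOLEAN critical], OCTET STRING
        if t != TAG_SEQUENCE or not fields or fields[0][0] != TAG_OID:
            raise ValueError("malformed Extension")
        oid, critical, idx = fields[0][1], False, 1
        if idx < len(fields) and fields[idx][0] == TAG_BOOLEAN:
            critical, idx = fields[idx][1] != b"\x00", idx + 1
        if idx >= len(fields) or fields[idx][0] != TAG_OCTETSTRING:
            raise ValueError("Extension without extnValue")
        result.append((oid, critical, fields[idx][1]))
    return result

def check_crl_import(crl_der, known=KNOWN_EXTENSIONS):
    """(accepted, reason) for an importer that has no delta-CRL support.
    The delta check runs first so a delta CRL is named as such rather than as
    a generic unknown critical extension; a non-critical delta indicator is
    reported as an issuer bug, since RFC 2459 requires it to be critical."""
    exts = crl_extensions(crl_der)
    for oid, critical, _ in exts:
        if oid == OID_DELTA_CRL_INDICATOR:
            if not critical:
                return False, "delta CRL indicator not critical (issuer bug); delta CRLs not supported"
            return False, "delta CRL not supported"
    for oid, critical, _ in exts:
        if critical and oid not in known:
            return False, "unknown critical extension " + oid.hex()
    return True, "ok"

# Constructed sample input (assumed issuer name, placeholder signature).
def _der(tag, payload):
    """Encode one DER TLV."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _extension(oid, critical, value):
    body = _der(TAG_OID, oid) + (_der(TAG_BOOLEAN, b"\xff") if critical else b"")
    return _der(TAG_SEQUENCE, body + _der(TAG_OCTETSTRING, value))

def build_sample_crl(extensions):
    """Unsigned sample CRL: the BIT STRING signature is all-zero filler."""
    sha1_rsa = _der(TAG_SEQUENCE, _der(TAG_OID, bytes.fromhex("2a864886f70d010105")) + _der(TAG_NULL, b""))
    cn = _der(TAG_SEQUENCE, _der(TAG_OID, bytes.fromhex("550403")) + _der(TAG_PRINTABLE, b"Sample Test CA"))
    tbs = (_der(TAG_INTEGER, b"\x01") + sha1_rsa + _der(TAG_SEQUENCE, _der(TAG_SET, cn))
           + _der(TAG_UTCTIME, b"011127164529Z") + _der(TAG_UTCTIME, b"011129050529Z"))
    if extensions:
        tbs += _der(TAG_CTX0, _der(TAG_SEQUENCE, b"".join(extensions)))
    return _der(TAG_SEQUENCE, _der(TAG_SEQUENCE, tbs) + sha1_rsa + _der(TAG_BITSTRING, b"\x00" * 17))

# CRL numbers reuse the values from the pp dump: 33685890 and base 33685883.
CRL_NUMBER_VALUE = _der(TAG_INTEGER, b"\x02\x02\x01\x82")
BASE_CRL_NUMBER_VALUE = _der(TAG_INTEGER, b"\x02\x02\x01\x7b")
BASE_CRL = build_sample_crl([_extension(OID_CRL_NUMBER, False, CRL_NUMBER_VALUE)])
DELTA_CRL = build_sample_crl([_extension(OID_CRL_NUMBER, False, CRL_NUMBER_VALUE),
                              _extension(OID_DELTA_CRL_INDICATOR, True, BASE_CRL_NUMBER_VALUE)])
BROKEN_DELTA_CRL = build_sample_crl([_extension(OID_DELTA_CRL_INDICATOR, False, BASE_CRL_NUMBER_VALUE)])
# A private-arc OID from the dump, marked critical here (it is not critical in the real CRL).
UNKNOWN_CRITICAL_CRL = build_sample_crl([_extension(bytes.fromhex("2b060104018237150e"), True, b"\x05\x00")])

if __name__ == "__main__":
    for name, crl in [("base", BASE_CRL), ("delta", DELTA_CRL),
                      ("broken-delta", BROKEN_DELTA_CRL), ("unknown-critical", UNKNOWN_CRITICAL_CRL)]:
        print(f"{name:17s} {check_crl_import(crl)}")
```

Running the block prints one verdict per sample: the plain CRL is accepted, the well-formed delta CRL is refused by name, the non-critical delta indicator is refused with the issuer-bug note, and the CRL with a critical private-arc extension is refused as an unknown critical extension, which is the generic error the NSS 3.4 fix reports in comment 17 for the real delta CRL.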
Comment 14 (Assignee) • 23 years ago
OK, I've checked in a fix for this, but I can't get to the web site to check it. I'll close it when I can get there, or someone can pass me a delta CRL I can use.
Comment 15 • 23 years ago
Comment 16 (Assignee) • 23 years ago
Thanks Julien. The patch does work. Marking fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 17 • 23 years ago
Verified fixed.

    (strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{192} crlutil -d . -I -i ./crl2.der
    crlutil: unable to import CRL: Certificate contains unknown critical extension.
    (strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{193}
Status: RESOLVED → VERIFIED