Bug 103946 - Delta CRL is imported successfully, though not supported now
Status: CLOSED, VERIFIED FIXED (target milestone 3.4)
Opened 24 years ago; closed 23 years ago
Product/Component: NSS :: Libraries; defect; priority P1; tracking: not tracked
People: Reporter rangansen, Assignee rrelyea
Attachments: 1 file (1007 bytes, application/octet-stream)
Description
Visit http://131.107.152.153/certsrv/certcarc.asp
and click on the link for 'Download Latest Delta CRL'.
The Delta CRL gets successfully downloaded and is shown in the
PSM CRL Manager, though Delta CRLs are not actually supported
right now.
Bug# 101038 is a related bug.
Comment 1•24 years ago
Julien, could you take a look at this bug?
The scope of this bug should be limited to
making the import of Delta CRLs fail. This
bug is not a RFE for Delta CRL support.
Assignee: wtc → jpierre
Priority: -- → P1
Target Milestone: --- → 3.4
Version: unspecified → 3.3.1
Comment 3•24 years ago
The PSM team informed me that they need this bug
fixed in NSS 3.4.
Again, what needs to be done in NSS 3.4 is to
make the import of Delta CRLs fail (with a
"not supported" error). It is not necessary to
add Delta CRL support to NSS 3.4.
Target Milestone: 4.0 → 3.4
Comment 4•24 years ago
Rangan,
When I try importing that CRL in the browser, it works the first time around,
but the second time I get an error that CRL cannot be imported.
FYI, when I try importing it with crlutil, I get this error :
crlutil: unable to import CRL: Peer's Certificate issuer is not recognized.
In fact, the crlutil code tries to find the cert of the issuer of the CRL, and
fails because apparently an untrusted Microsoft test CA signed it. I am
surprised that you did not run into that problem.
The code that does the check is in CERT_ImportCRL. Is that the NSS function you
are using in PSM ?
caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
if (caCert == NULL) {
    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
    break;
}
caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
if (caCert == NULL) {
    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
    break;
}
Comment 5•24 years ago
Sorry about the checking code being pasted twice. Netscape 6.2 is really junk
and wasn't showing the text in the dialog box after pasting, and I couldn't see
my comments on this bug anymore in the middle of the edit.
Comment 6•24 years ago (reporter)
In PSM we use SEC_NewCrl [certdb\pcertdb.c] for importing the CRL, which
possibly does not do this check. PSM as such does not care if the CA is trusted
when importing a CRL. That should be fine for PSM, for anyway it doesn't let you
visit a site whose CA is not trusted or whose CA cert is not available. It
pops up a dialog in that case, and the user can decide whether to trust that CA
/ import its certificate at that point in time.
The reason you get the error when trying to download the CRL a second time is
that NSS [pre-3.4] does not allow importing a CRL if one from the same CA with
the same or later 'this-update' field is already available [bug# 108031].
Comment 7•24 years ago
I'm not sure how to check if the CRL is a delta CRL or not. Is it part of a cert
extension? The only reference I found to delta CRLs was in
nss/lib/pki1/oids.txt. There doesn't seem to be any code to check for that.
Bob, I'd appreciate any suggestion on how to do this.
Comment 8•24 years ago (assignee)
I don't know the answer either. You'll have to go look at the pkix (I think)
documentation.
bob
Comment 9•24 years ago (assignee)
I happened to trip over this in IETF RFC 2459. The indication that the CRL is a
delta CRL is supposed to be in an extension.
BTW there may actually be a problem with the Delta CRL itself. RFC 2459
explicitly states that the delta CRL extension must be marked critical. If the
extension was marked critical, we should have already rejected the CRL. If it
wasn't, there's a bug in the CRL issuer. In any case we probably should check if
the crl is a delta crl for sanity's sake, and also verify we can't load a CRL
with a critical extension that we don't understand.
Comment 10•23 years ago
Bob, we may need you to help with this bug too.
We can address this issue after NSS 3.4 because PSM
is building NSS from source, so it can pick up NSS
bug fixes more easily.
Comment 11•23 years ago (assignee)
I'm almost positive that this one is invalid. Delta CRLs are supposed to mark
the delta CRL extension critical. If they do, then the Delta CRL will not load.
It doesn't mean we shouldn't also do a sanity check, but the base problem is
probably in the CRL. The only reason I haven't closed this as invalid is because
I haven't had a chance to verify that the offending CRL does not have the
extension marked critical.
bob
Comment 12•23 years ago
The CRL does have the delta CRL extension (OID 2.5.29.27) and it is marked
critical. We should be rejecting it.
(strange)/u/jpierre/nss/33/mozilla/dist/SunOS5.8_DBG.OBJ/bin{70} pp -t crl -i
crl2.der
CRL:
Data:
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Name: CN=SECTESTCA1, OU="Microsoft, Interopability Testing Only",
O="Microsoft, Interopability Testing Only", L=Redmond, ST=WA, C=US,
E=testca@microsoft.com
Last Update: Tue Nov 27 16:45:29 2001
Next Update: Thu Nov 29 05:05:29 2001
Signed CRL Extension:
Name:
Certificate Authority Key Identifier
Data: Sequence {
80:14:fd:20:f0:c7:b1:25:66:9d:2d:ac:1b:06:21:17:
78:8b:9c:c2:94:36
}
Name:
2b:06:01:04:01:82:37:15:01
Data: 131328 (0x20100)
Name:
CRL Number
Data: 33685890 (0x2020182)
Name:
2b:06:01:04:01:82:37:15:04
Name:
55:1d:1b
Critical:
True
Data: 33685883 (0x202017b)
Name:
2b:06:01:04:01:82:37:15:0e
Data: Sequence {
4b:30:82:01:47:a0:82:01:43:a0:82:01:3f:86:2e:66:
69:6c:65:3a:2f:2f:5c:5c:53:45:43:54:45:53:54:43:
41:34:5c:43:65:72:74:45:6e:72:6f:6c:6c:5c:53:45:
43:54
Segmentation fault (core dumped)
Comment 14•23 years ago (assignee)
OK, I've checked in a fix for this, but I can't get to the web site to check it.
I'll close it when I can get there, or someone can pass me a delta CRL I can use.
Comment 15•23 years ago
Comment 16•23 years ago (assignee)
Thanks Julien.
The patch does work. Marking fixed
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 17•23 years ago
Verified fixed.
(strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{192} crlutil -d .
-I -i ./crl2.der
crlutil: unable to import CRL: Certificate contains unknown critical extension.
(strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{193}
Status: RESOLVED → VERIFIED
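The two checks argued for in comments 9 through 12 and exercised by the crlutil run in comment 17 (refuse a CRL carrying the delta CRL indicator, and refuse any CRL with a critical extension the verifier does not understand) can be shown end to end with a small DER walk. The block below is an added example for this page; it is not NSS code and uses no NSS API. The sample CRLs are constructed inline (issuer CN and CRL numbers echo the pp dump in comment 12, the signature is a dummy, and nothing is signature-verified); the set of "known" extensions, `KNOWN_EXTENSIONS`, is an assumption of the example.

```python
# Added example for this thread, not NSS code: walk the DER of an X.509 CRL to
# its crlExtensions, refuse a delta CRL (id-ce-deltaCRLIndicator, 2.5.29.27) and
# refuse any critical extension the checker does not know. Samples constructed.

DELTA_CRL_INDICATOR = "2.5.29.27"
KNOWN_EXTENSIONS = frozenset({"2.5.29.35", "2.5.29.20"})  # AKI, CRL Number (assumed known)

def tlv(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return bytes(out)

def decode_oid(raw):
    arcs, val = ([2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]), 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def crl_extensions(der):
    """Return [(oid, critical, extnValue)] from a DER CertificateList."""
    _, tbs, _ = read_tlv(read_tlv(der, 0)[1], 0)         # tbsCertList
    for tag, val in children(tbs):
        if tag == 0xA0:                                   # crlExtensions [0] EXPLICIT
            exts = []
            for _, ext in children(read_tlv(val, 0)[1]):
                f = list(children(ext))                   # OID, [BOOLEAN], OCTET STRING
                critical = len(f) == 3 and f[1] == (0x01, b"\xff")
                exts.append((decode_oid(f[0][1]), critical, f[-1][1]))
            return exts
    return []

def check_crl(der, known=KNOWN_EXTENSIONS):
    """The decision this bug asked for: (accepted, reason)."""
    for oid, critical, _ in crl_extensions(der):
        if oid == DELTA_CRL_INDICATOR:
            # RFC 2459 requires the indicator to be critical; a non-critical one
            # is an issuer bug, but it is still a delta CRL, so still refuse it.
            tail = "" if critical else " (issuer bug: indicator not critical)"
            return False, "delta CRL not supported" + tail
        if critical and oid not in known:
            return False, "unknown critical extension " + oid
    return True, "ok"

# Constructed test data: issuer CN and CRL numbers echo the pp dump above; the
# signatureValue is sixteen zero bytes, so these CRLs are parse-only samples.
def der_int(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_crl(extensions):
    def ext(oid, critical, value):
        flag = tlv(0x01, b"\xff") if critical else b""
        return tlv(0x30, tlv(0x06, encode_oid(oid)) + flag + tlv(0x04, value))
    sig_alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.5")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3"))
                                           + tlv(0x13, b"SECTESTCA1"))))
    tbs = tlv(0x30, der_int(1) + sig_alg + issuer
              + tlv(0x17, b"011127164529Z") + tlv(0x17, b"011129050529Z")
              + tlv(0xA0, tlv(0x30, b"".join(ext(*e) for e in extensions))))
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + bytes(16)))

FULL_CRL = make_crl([("2.5.29.20", False, der_int(33685890))])          # 0x2020182
DELTA_CRL = make_crl([("2.5.29.20", False, der_int(33685890)),
                      ("2.5.29.27", True, der_int(33685883))])          # base 0x202017b
SLOPPY_DELTA_CRL = make_crl([("2.5.29.27", False, der_int(33685883))])  # not critical
ODD_CRL = make_crl([("1.3.6.1.4.1.311.21.4", True, b"\x00")])           # unknown, critical
```

`check_crl(FULL_CRL)` accepts, `check_crl(DELTA_CRL)` and `check_crl(SLOPPY_DELTA_CRL)` refuse with "delta CRL not supported" (the second also flags the missing critical bit), and `check_crl(ODD_CRL)` refuses with "unknown critical extension 1.3.6.1.4.1.311.21.4", which is the same outcome crlutil reports in comment 17. The delta check is kept separate from the generic critical-extension check on purpose: relying on the critical bit alone, as comment 11 considered, would let a sloppily issued non-critical delta CRL through.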