Closed Bug 103946 Opened 23 years ago Closed 23 years ago

Delta CRL is imported successfully, though not supported now

Categories: NSS :: Libraries, defect, P1
Version: 3.3.1
Hardware: x86, Windows NT
Status: VERIFIED FIXED

People: Reporter: rangansen, Assigned: rrelyea

Attachments (1 file): 1007 bytes, application/octet-stream
Visit http://131.107.152.153/certsrv/certcarc.asp
and click on the link for 'Download Latest Delta CRL'.
The Delta CRL gets successfully downloaded and is shown in the 
PSM CRL Manager, though Delta CRL's are not actually supported 
right now.
Bug# 101038 is a related bug.
Julien, could you take a look at this bug?

The scope of this bug should be limited to
making the import of Delta CRLs fail.  This
bug is not a RFE for Delta CRL support.
Assignee: wtc → jpierre
Priority: -- → P1
Target Milestone: --- → 3.4
Version: unspecified → 3.3.1
Blocks: 101038
Defer to NSS 4.0.
Target Milestone: 3.4 → 4.0
The PSM team informed me that they need this bug
fixed in NSS 3.4.

Again, what needs to be done in NSS 3.4 is to
make the import of Delta CRLs fail (with a
"not supported" error).  It is not necessary to
add Delta CRL support to NSS 3.4.
Target Milestone: 4.0 → 3.4
Rangan,

When I try importing that CRL in the browser, it works the first time around,
but the second time I get an error that CRL cannot be imported.

FYI, when I try importing it with crlutil, I get this error:

crlutil: unable to import CRL: Peer's Certificate issuer is not recognized.
In fact, the crlutil code tries to find the cert of the issuer of the CRL, and
fails because apparently an untrusted Microsoft test CA signed it. I am
surprised that you did not run into that problem.

The code that does the check is in CERT_ImportCRL. Is that the NSS function you
are using in PSM ?

	caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
	if (caCert == NULL) {
	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);	    
	    break;
	}
	caCert = CERT_FindCertByName (handle, &newCrl->crl.derName);
	if (caCert == NULL) {
	    PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);	    
	    break;
	}
Sorry about the checking code being pasted twice. Netscape 6.2 is really junk
and wasn't showing the text in the dialog box after pasting, and I couldn't see
my comments on this bug anymore in the middle of the edit.
In PSM we use SEC_NewCrl [certdb\pcertdb.c] for importing the CRL, which
possibly does not do this check. PSM as such does not care if the CA is trusted
when importing a CRL. That should be fine for PSM, for anyway it doesn't let you
visit a site whose CA is not trusted or whose CA cert is not available. It
pops up a dialog in that case, and the user can decide whether to trust that CA
/ import its certificate at that point of time.
The reason you get the error when trying to download the CRL a second time is
that NSS [pre-3.4] does not allow importing a CRL if one from the same CA with
the same or later 'this-update' field is already available [bug# 108031]
I'm not sure how to check if the CRL is a delta CRL or not. Is it part of a cert
extension ? The only reference I found to delta CRLs were in
nss/lib/pki1/oids.txt . There doesn't seem to be any code to check for that.

Bob, I'd appreciate any suggestion on how to do this.


I don't know the answer either. You'll have to go look at the pkix (I think)
documentation.

bob
I happened to trip over this in ietf RFC 2459. The indication that the CRL is a
delta CRL is supposed to be in an extension.

BTW there may actually be a problem with the Delta CRL itself. RFC 2459
explicitly states that the delta CRL extension must be marked critical. If the
extension was marked critical, we should have already rejected the CRL. If it
wasn't, there's a bug in the CRL issuer. In any case we probably should check if
the crl is a delta crl for sanity's sake, and also verify we can't load a CRL
with a critical extension that we don't understand.
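As an added example, not code from this bug or from NSS: a minimal DER walk in Python that applies the two checks described above to a DER-encoded CRL, rejecting any CRL that carries the delta CRL indicator extension (OID 2.5.29.27, the 55:1d:1b seen below) and rejecting any CRL whose critical extensions include one the importer does not understand. The set of "understood" extensions (CRL Number and Authority Key Identifier) and the tiny encoder used to build sample CRLs are assumptions made for the example; the sample CRLs are constructed and unsigned.

```python
# Added example (not code from the bug or from NSS). KNOWN_CRL_EXTENSIONS is an
# assumption for the sake of the example; real importers keep their own list.

DELTA_CRL_INDICATOR = "2.5.29.27"          # id-ce-deltaCRLIndicator (RFC 2459)
KNOWN_CRL_EXTENSIONS = {
    "2.5.29.20",   # CRL Number
    "2.5.29.35",   # Authority Key Identifier
}


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(value):
    """Decode OID contents bytes (e.g. 55:1d:1b) into dotted form (2.5.29.27)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def crl_extensions(crl_der):
    """Return [(oid, critical)] from crlExtensions [0] of a DER CertificateList."""
    _, cert_list, _ = der_read_tlv(crl_der, 0)       # CertificateList SEQUENCE
    _, tbs, _ = der_read_tlv(cert_list, 0)           # tbsCertList is its first child
    exts = []
    for tag, v in der_children(tbs):
        if tag != 0xA0:                              # crlExtensions is [0] EXPLICIT
            continue
        _, ext_seq = der_children(v)[0]              # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(ext_seq):
            fields = der_children(ext)               # extnID, [critical BOOLEAN], extnValue
            oid = decode_oid(fields[0][1])
            critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            exts.append((oid, critical))
    return exts


def check_crl_import(crl_der):
    """Decide whether an importer without delta CRL support may accept this CRL."""
    for oid, critical in crl_extensions(crl_der):
        if oid == DELTA_CRL_INDICATOR:               # reject even if wrongly non-critical
            return False, "delta CRL (2.5.29.27) not supported"
        if critical and oid not in KNOWN_CRL_EXTENSIONS:
            return False, "unknown critical extension " + oid
    return True, "ok"


# --- constructed test input: tiny DER encoder to build sample CRLs offline ---

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_test_crl(extensions):
    """Constructed, unsigned sample CRL; extensions = [(oid, critical, value_bytes)]."""
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid("1.2.840.113549.1.1.5")) + der_tlv(0x05, b""))
    cn = der_tlv(0x30, der_tlv(0x06, encode_oid("2.5.4.3")) + der_tlv(0x13, b"Example Test CA"))
    tbs = (der_tlv(0x02, b"\x01") + alg + der_tlv(0x30, der_tlv(0x31, cn))
           + der_tlv(0x17, b"011127164529Z") + der_tlv(0x17, b"011129050529Z"))
    if extensions:
        items = b"".join(
            der_tlv(0x30, der_tlv(0x06, encode_oid(o))
                    + (der_tlv(0x01, b"\xff") if c else b"") + der_tlv(0x04, v))
            for o, c, v in extensions)
        tbs += der_tlv(0xA0, der_tlv(0x30, items))
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg + der_tlv(0x03, b"\x00" * 9))
```

Run `check_crl_import(make_test_crl([("2.5.29.20", False, b"\x02\x01\x05"), ("2.5.29.27", True, b"\x02\x01\x04")]))` to see a delta CRL like the one in this bug rejected; the delta check runs before the generic critical-extension check so that the caller gets a "not supported" reason rather than a generic "unknown critical extension" one.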
Bob, we may need you to help with this bug too.

We can address this issue after NSS 3.4 because PSM
is building NSS from source, so it can pick up NSS
bug fixes more easily.
I'm almost positive that this one is invalid. Delta CRLs are supposed to mark
the delta CRL extension critical. If they do, then the Delta CRL will not load.

It doesn't mean we shouldn't also do a sanity check, but the base problem is
probably in the CRL. The only reason I haven't closed this as invalid is because
I haven't had a chance to verify that the offending CRL does not have the
extension marked critical.

bob
The CRL does have the delta CRL extension (OID 2.5.29.27) and it is marked
critical. We should be rejecting it.

(strange)/u/jpierre/nss/33/mozilla/dist/SunOS5.8_DBG.OBJ/bin{70} pp -t crl -i
crl2.der
CRL:
    Data:
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Name: CN=SECTESTCA1, OU="Microsoft, Interopability Testing Only",
O="Microsoft, Interopability Testing Only", L=Redmond, ST=WA, C=US,
E=testca@microsoft.com
        Last Update: Tue Nov 27 16:45:29 2001
        Next Update: Thu Nov 29 05:05:29 2001
        Signed CRL Extension:
            Name:
                Certificate Authority Key Identifier
            Data: Sequence {
                80:14:fd:20:f0:c7:b1:25:66:9d:2d:ac:1b:06:21:17:
                78:8b:9c:c2:94:36
            }

            Name:
                2b:06:01:04:01:82:37:15:01
            Data: 131328 (0x20100)

            Name:
                CRL     Number
            Data: 33685890 (0x2020182)

            Name:
                2b:06:01:04:01:82:37:15:04

            Name:
                55:1d:1b
            Critical:
                True
            Data: 33685883 (0x202017b)

            Name:
                2b:06:01:04:01:82:37:15:0e
            Data: Sequence {
                4b:30:82:01:47:a0:82:01:43:a0:82:01:3f:86:2e:66:
                69:6c:65:3a:2f:2f:5c:5c:53:45:43:54:45:53:54:43:
                41:34:5c:43:65:72:74:45:6e:72:6f:6c:6c:5c:53:45:
                43:54
Segmentation fault (core dumped)
Grabbing the other blocker from julien
Assignee: jpierre → relyea
OK, I've checked in a fix for this, but I can't get to the web site to check it.
I'll close it when I can get there, or someone can pass me a delta CRL I can use.
Attached file CRL in DER format
Thanks Julien.

The patch does work. Marking fixed
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified fixed.

(strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{192} crlutil -d .
-I -i ./crl2.der
crlutil: unable to import CRL: Certificate contains unknown critical extension.
(strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{193}
Status: RESOLVED → VERIFIED