Closed Bug 177898 Opened 23 years ago Closed 22 years ago

Import a CRL: check issuer trust flags

Categories

(NSS :: Libraries, defect)

defect
Not set
blocker

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: patrick.o.cesard, Assigned: julien.pierre)

Details

PK11_ImportCRL should do more than check the usage extensions on the issuer cert. It should also check the trust flags on the issuer cert, and only import the CRL if the issuer is trusted.
Assigned the bug to Julien.
Assignee: wtc → jpierre
Status: UNCONFIRMED → NEW
Ever confirmed: true
Patrick, it would be useful if you set an NSS version number when opening a bug, as CRL support in NSS has improved quite a bit over the past year.

As far as this problem goes, we should follow the same rules on importing CRLs as we do for other objects, such as certs. We don't check trust when we import certs. PSM / Mozilla import the CRL explicitly without doing any check. This is intentional because intermediate CAs may not be available to do a full cert chain verification.

The trust check is performed when the CRL is used, which happens when you do a leaf certificate verification, calling CERT_VerifyCertificate. At that point, usage and trust are checked on the whole cert chain. At each level in the chain, if these checks pass, we also check the CRL's signature (if it passes, the signature verification is cached). We do not currently export a function that only checks a certificate against a CRL, and therefore it is not necessary to do the trust check at import time.

Technically, the certificate database and other tokens may contain "rogue" certs and/or CRLs, but this doesn't affect the security. In fact, if a rogue CRL is detected, NSS will automatically consider all certificates from that CA to be revoked, as a security precaution. See bug 162983 for more information.

Marking this bug WONTFIX.
Severity: critical → blocker
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX