Closed Bug 233126 Opened 18 years ago Closed 8 years ago

CRLs are not verified when imported


(Core Graveyard :: Security: UI, defect)

Other Branch
Not set


(Not tracked)



(Reporter: julien.pierre, Unassigned)



(Whiteboard: [kerh-ehz])

PSM uses the SEC_NewCrl function to import CRLs. This function does not perform
any checks and blindly stores it into the certificate database (softoken).

The reasons invoked in the past were that we don't permanently store
intermediate CA certs, and therefore the CA cert needed to verify the CRL may be

I think we need the checks however. 

1. First, PSM should try to find the CRL issuer, using the new
CERT_FindCRLIssuer function (see bugzilla 217387) .

2. If the CRL issuer is found, PSM should import the CRL using the stricter
PK11_ImportCRL function which can perform checks.

3. I can't find a way to locate a URL for the issuer cert from the content of
the CRL itself. Only the issuer subject appears to be available. But if one
exists, we should use that URL to download the CA cert, and then go to step 2.

4. Typically, you would download the issuer cert before the CRL. The certs
contain an extension with a URL to download the CRL. But it is never actually
used by PSM to automatically download the CRLs. The CRL download should be
initiated that way.
Assignee: kaie → nobody
Product: PSM → Core
Whiteboard: [kerh-ehz]
QA Contact: bmartin → ui
The CRL Manager / Revocation Lists feature was removed.
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.