Closed
Bug 233126
Opened 21 years ago
Closed 11 years ago
CRLs are not verified when imported
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: julien.pierre, Unassigned)
References
Details
(Whiteboard: [kerh-ehz])
PSM uses the SEC_NewCrl function to import CRLs. This function does not perform
any checks and blindly stores it into the certificate database (softoken).
The reasons invoked in the past were that we don't permanently store
intermediate CA certs, and therefore the CA cert needed to verify the CRL may be
unavailable.
I think we need the checks, however.
1. First, PSM should try to find the CRL issuer, using the new
CERT_FindCRLIssuer function (see bugzilla 217387).
2. If the CRL issuer is found, PSM should import the CRL using the stricter
PK11_ImportCRL function which can perform checks.
3. I can't find a way to locate a URL for the issuer cert from the content of
the CRL itself. Only the issuer subject appears to be available. But if one
exists, we should use that URL to download the CA cert, and then go to step 2.
4. Typically, you would download the issuer cert before the CRL. The certs
contain an extension with a URL to download the CRL. But it is never actually
used by PSM to automatically download the CRLs. The CRL download should be
initiated that way.
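
The import policy proposed in steps 1 and 2, as an added example that is not Mozilla or NSS code: Go's standard `crypto/x509` stands in for the NSS calls, and `demoCA` and `importCRL` are hypothetical names. The CA certificates and CRLs are constructed at run time for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoCA returns a constructed self-signed CA named cn and a DER CRL it signed.
func demoCA(cn string) (*x509.Certificate, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: demo data only
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	ca, _ := x509.ParseCertificate(der)
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	crl, _ := x509.CreateRevocationList(rand.Reader, rl, ca, key)
	return ca, crl
}

// importCRL stores der only if a known CA matches the issuer name and verifies the signature.
func importCRL(store map[string][]byte, der []byte, known ...*x509.Certificate) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	err = fmt.Errorf("CRL issuer not found")
	for _, ca := range known {
		if bytes.Equal(ca.RawSubject, crl.RawIssuer) { // step 1: locate issuer by subject
			if err = crl.CheckSignatureFrom(ca); err == nil { // step 2: checked import
				store[string(crl.RawIssuer)] = der
				return nil
			}
		}
	}
	return err // unknown issuer, or a name match whose key did not verify
}

func main() {
	ca, crl := demoCA("Demo CA")
	fmt.Println("import result:", importCRL(map[string][]byte{}, crl, ca))
}
```

A CRL whose issuer name matches a known CA but which was signed by a different key is rejected, which is the case an unchecked import cannot distinguish.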
Updated•20 years ago
Assignee: kaie → nobody
Updated•19 years ago
Whiteboard: [kerh-ehz]
Updated•18 years ago
QA Contact: bmartin → ui
Comment 1•11 years ago
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
Product: Core → Core Graveyard