CRLs are not verified when imported

RESOLVED INCOMPLETE

Status

Core Graveyard
Security: UI
RESOLVED INCOMPLETE
14 years ago
2 years ago

People

(Reporter: Julien Pierre, Unassigned)

Tracking

Other Branch

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kerh-ehz])

(Reporter)

Description

14 years ago
PSM uses the SEC_NewCrl function to import CRLs. This function does not perform
any checks and blindly stores it into the certificate database (softoken).

The reasons invoked in the past were that we don't permanently store
intermediate CA certs, and therefore the CA cert needed to verify the CRL may be
unavailable.

I think we need the checks, however.

1. First, PSM should try to find the CRL issuer, using the new
CERT_FindCRLIssuer function (see bugzilla 217387).

2. If the CRL issuer is found, PSM should import the CRL using the stricter
PK11_ImportCRL function which can perform checks.

3. I can't find a way to locate a URL for the issuer cert from the content of
the CRL itself. Only the issuer subject appears to be available. But if one
exists, we should use that URL to download the CA cert, and then go to step 2.

4. Typically, you would download the issuer cert before the CRL. The certs
contain an extension with a URL to download the CRL. But it is never actually
used by PSM to automatically download the CRLs. The CRL download should be
initiated that way.
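
Steps 1 and 2 of the description above, sketched as an added example that is not part of the bug report and is not NSS or PSM code: it uses the Python `cryptography` package, and `CrlStore`, `make_ca`, `make_crl` and all certificates and CRLs in it are constructed for illustration. A CRL is stored only when its issuer is already known and its signature verifies under that issuer's key.

```python
# Added illustration; uses the Python "cryptography" package, not NSS/PSM code.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def make_ca(common_name):
    """Build a constructed, self-signed CA certificate; returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(issuer_name, signing_key):
    """Build a constructed, empty CRL naming issuer_name, signed by signing_key."""
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer_name).last_update(NOW - DAY).next_update(NOW + DAY)
            .sign(signing_key, hashes.SHA256()))

class CrlStore:
    """Hypothetical stand-in for the certificate database."""
    def __init__(self, known_ca_certs):
        self.issuers = {cert.subject: cert for cert in known_ca_certs}
        self.crls = {}

    def import_crl(self, crl):
        issuer = self.issuers.get(crl.issuer)      # step 1: locate the CRL issuer
        if issuer is None:
            return "issuer-unknown"                # cannot verify, so do not store
        if not crl.is_signature_valid(issuer.public_key()):
            return "bad-signature"                 # step 2: checked import rejects it
        self.crls[crl.issuer] = crl
        return "imported"

def demo():
    ca_key, ca_cert = make_ca("Constructed Test CA")
    other_key, other_cert = make_ca("Constructed Other CA")
    store = CrlStore([ca_cert])
    genuine = make_crl(ca_cert.subject, ca_key)
    forged = make_crl(ca_cert.subject, other_key)     # right issuer name, wrong key
    orphan = make_crl(other_cert.subject, other_key)  # issuer not in the store
    return [store.import_crl(c) for c in (genuine, forged, orphan)]
```

The `issuer-unknown` result corresponds to the case the description raises, where the CA certificate needed to verify the CRL is unavailable.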

Updated

13 years ago
Assignee: kaie → nobody

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

13 years ago
Whiteboard: [kerh-ehz]
QA Contact: bmartin → ui
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INCOMPLETE
(Assignee)

Updated

2 years ago
Product: Core → Core Graveyard