PSM uses the SEC_NewCrl function to import CRLs. This function does not perform any checks and blindly stores it into the certificate database (softoken). The reasons invoked in the past were that we don't permanently store intermediate CA certs, and therefore the CA cert needed to verify the CRL may be unavailable. I think we need the checks however. 1. First, PSM should try to find the CRL issuer, using the new CERT_FindCRLIssuer function (see bugzilla 217387) . 2. If the CRL issuer is found, PSM should import the CRL using the stricter PK11_ImportCRL function which can perform checks. 3. I can't find a way to locate a URL for the issuer cert from the content of the CRL itself. Only the issuer subject appears to be available. But if one exists, we should use that URL to download the CA cert, and then go to step 2. 4. Typically, you would download the issuer cert before the CRL. The certs contain an extension with a URL to download the CRL. But it is never actually used by PSM to automatically download the CRLs. The CRL download should be initiated that way.
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.