Open Bug 281448 Opened 20 years ago Updated 2 years ago

CRL extension check in decoder is incorrect

Categories

(NSS :: Libraries, defect, P2)

3.9.1

Tracking

(Not tracked)

People

(Reporter: julien.pierre, Unassigned)

Details

The CRL decoding functions (CERT_DecodeDERCrl and CERT_DecodeDERCrlWithFlags)
implement the extension check on the CRL and CRL entries by calling the internal
functions cert_HasCriticalExtension and cert_HasUnknownCriticalExten, which in
turn refer to a global table of OIDs and use the function SECOID_KnownCertExtenOI.

Unfortunately, this code is only correct for checking certificate extensions.
Even though the OIDs are the same for cert and CRL extensions, the NSS code to
support the extensions isn't.

To name just one, we support AKID/SKID correctly on cert, but not on CRLs (there
is a bug filed on that).

Therefore, the extension check should be replaced by a more appropriate one. We
should probably maintain a separate list of extensions that apply to certain
type of objects (most cert extensions don't apply to CRLs or CRL entries).

The same problem may exist for other types of objects (e.g. OCSP
requests/responses, CRMF).

The net effect of this bug is that some CRLs will decode, even though NSS
doesn't know how to process them (e.g. CRLs with AKID/SKID). A failure may
happen later on at CRL verification time.

Currently, the CRL code doesn't support any extensions for the CRL itself, and
only the reason code extension for the entries.
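The following is an added illustration, not NSS code: a minimal decoder-side check that walks a DER Extensions SEQUENCE and rejects unknown critical extensions against a table chosen per object kind (cert, CRL, CRL entry), so that a critical AKID passes for a cert but is refused on a CRL or entry, which is the separation the report asks for. The type names, the tables and the two sample byte strings are constructed for this example; only short-form DER lengths are handled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical object kinds and a NULL-terminated known-OID table per kind. */
typedef enum { OBJ_CERT, OBJ_CRL, OBJ_CRL_ENTRY } ObjType;
typedef struct { const uint8_t *oid; size_t len; } KnownOid;
static const uint8_t OID_AKID[] = {0x55, 0x1d, 0x23};   /* 2.5.29.35 authorityKeyIdentifier */
static const uint8_t OID_REASON[] = {0x55, 0x1d, 0x15}; /* 2.5.29.21 cRLReason */
/* Mirrors the report: certs handle AKID, the CRL itself handles no extensions, entries only reason. */
static const KnownOid CERT_KNOWN[] = {{OID_AKID, 3}, {NULL, 0}};
static const KnownOid CRL_KNOWN[] = {{NULL, 0}};
static const KnownOid ENTRY_KNOWN[] = {{OID_REASON, 3}, {NULL, 0}};
static bool oid_known(const KnownOid *t, const uint8_t *oid, size_t len) {
    for (; t->oid; t++) if (t->len == len && !memcmp(t->oid, oid, len)) return true;
    return false;
}
/* Read one DER TLV with a short-form length (< 128 bytes, enough for the samples). */
static bool read_tlv(const uint8_t **p, const uint8_t *end, uint8_t *tag,
                     const uint8_t **val, size_t *vlen) {
    if (end - *p < 2 || ((*p)[1] & 0x80)) return false;
    *tag = (*p)[0]; *vlen = (*p)[1]; *val = *p + 2;
    if ((size_t)(end - *val) < *vlen) return false;
    *p = *val + *vlen; return true;
}
/* Walk Extensions ::= SEQUENCE OF Extension { OID, [critical BOOLEAN], OCTET STRING }.
 * Returns 1 if a critical extension is unknown for this object kind, 0 if none, -1 if malformed. */
int has_unknown_critical_ext(const uint8_t *der, size_t len, ObjType type) {
    const KnownOid *known = type == OBJ_CERT ? CERT_KNOWN : type == OBJ_CRL ? CRL_KNOWN : ENTRY_KNOWN;
    const uint8_t *p = der, *end = der + len, *seq, *ext, *oid, *v;
    size_t seqlen, extlen, oidlen, vlen; uint8_t tag;
    if (!read_tlv(&p, end, &tag, &seq, &seqlen) || tag != 0x30 || p != end) return -1;
    for (p = seq, end = seq + seqlen; p < end;) {
        if (!read_tlv(&p, end, &tag, &ext, &extlen) || tag != 0x30) return -1;
        const uint8_t *q = ext, *qend = ext + extlen;
        if (!read_tlv(&q, qend, &tag, &oid, &oidlen) || tag != 0x06) return -1;
        if (!read_tlv(&q, qend, &tag, &v, &vlen)) return -1;
        bool critical = false;
        if (tag == 0x01) {                        /* optional critical flag, DEFAULT FALSE */
            if (vlen != 1) return -1;
            critical = v[0] != 0;
            if (!read_tlv(&q, qend, &tag, &v, &vlen)) return -1;
        }
        if (tag != 0x04 || q != qend) return -1;  /* extnValue must close the Extension */
        if (critical && !oid_known(known, oid, oidlen)) return 1;
    }
    return 0;
}
/* Constructed samples: one critical AKID extension; one non-critical reason code (keyCompromise). */
const uint8_t EXTS_CRITICAL_AKID[] = {0x30,0x0e,0x30,0x0c,0x06,0x03,0x55,0x1d,0x23,0x01,0x01,0xff,0x04,0x02,0x30,0x00};
const uint8_t EXTS_REASON[] = {0x30,0x0c,0x30,0x0a,0x06,0x03,0x55,0x1d,0x15,0x04,0x03,0x0a,0x01,0x01};
```

With a single shared certificate table, the first sample would be accepted for every object kind; with per-kind tables it is accepted only for OBJ_CERT.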
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Priority: -- → P3
This needs to be resolved for 3.12. 
Assignee: nobody → julien.pierre.bugs
Priority: P3 → P2
Target Milestone: --- → 3.12
Assignee: bugzilla → alexei.volkov.bugs
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---
Severity: normal → S3

The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Assignee: alvolkov.bgs → nobody
Flags: needinfo?(bbeurdouche)

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.

Flags: needinfo?(bbeurdouche)