I tried many experiments on how to generate a CRL and create tests where vfychain would not validate a cert because of a revoked CRL, but I always got the chain validated. I also tried to use these tests for revoked certs generated by cert.sh, but vfychain again returned a positive result even if the tests should fail. It seems that the vfychain CRL check doesn't work or I'm doing something wrong. In the first case please fix this ASAP; in the second please let me know what I'm doing wrong. I prepared a short script with these steps:
1. Generate DB + CA.
2. Generate EE cert request + sign it + import cert to DB.
3. Verify EE cert (should pass).
4. Revoke EE cert.
5. Verify EE cert again (should fail but passes).
I'm attaching this script; if there is a bug, please send me a correct version where the second verify check would fail.
Created attachment 355893: Fix use of wrong member of the state structure. Slavo, please use the patch. The state structure in pkix_build.c has a couple of confusing variables that are pointers to different certs obtained during chain building. I've misused one of them. The state needs to be cleaned up, but it will be in the main patch.
Alexei, I tried your patch but it didn't help; vfychain still says that the chain is OK. Is there any existing main patch that works?
Slavo, I've forgotten to tell you to replace the word "chain" in your vfychain command with "leaf". The EE is a leaf cert, so the CRL leaf settings should be applied.
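The five steps from the first comment, run with the "leaf" status-checking setting from the comment above, as an added example (this is not Slavo's attached script and not NSS project code). It assumes the NSS tools certutil, crlutil and vfychain on PATH, an empty DB password, the nicknames "Test CA" and "EE", serial 2 for the EE cert, and CRL times given explicitly in UTC so crlutil's time-zone handling cannot shift them.

```shell
# Added reproduction of steps 1-5, with the "leaf" setting from comment 4.
# Assumed (not from the bug): NSS tools on PATH, empty DB password, nicknames
# "Test CA" and "EE", serial 2 for the EE cert, CRL times written in UTC ("Z").
set -e
DB=${DB:-./nssdb}

# crlutil script body: thisUpdate time ($2) plus serial $1 revoked at that time.
crl_script() {
    printf 'update=%s\naddcert %s %s\n' "$2" "$1" "$2"
}
# Succeeds only when the wrapped command FAILS, i.e. the cert was rejected.
expect_rejected() {
    if "$@" >/dev/null 2>&1; then return 1; else return 0; fi
}
# Step 1: fresh database plus a self-signed, trusted CA (serial 1).
make_ca() {
    rm -rf "$DB"; mkdir -p "$DB"; : > "$DB/pw"
    head -c 256 /dev/urandom > "$DB/noise"
    certutil -N -d "$DB" -f "$DB/pw"
    certutil -S -d "$DB" -f "$DB/pw" -z "$DB/noise" -n "Test CA" \
        -s "CN=Test CA" -x -t "CT,C,C" -k rsa -g 2048 -m 1 -v 12
}
# Step 2: EE request, signed by the CA as serial 2, then imported into the DB.
make_ee() {
    certutil -R -d "$DB" -f "$DB/pw" -z "$DB/noise" -s "CN=EE" -k rsa -g 2048 -o "$DB/ee.req"
    certutil -C -d "$DB" -f "$DB/pw" -c "Test CA" -i "$DB/ee.req" -o "$DB/ee.der" -m 2 -v 12
    certutil -A -d "$DB" -f "$DB/pw" -n EE -t ",," -i "$DB/ee.der"
}
# Steps 3 and 5: PKIX validation (-pp) with CRL checking applied to the leaf;
# -s requireInfo turns a missing CRL into a failure instead of a silent pass.
verify_ee() {
    vfychain -d "$DB" -pp -u 1 -g leaf -m crl -s requireInfo "$DB/ee.der"
}
# Step 4: the CA issues a CRL listing serial 2, dated now in UTC.
revoke_ee() {
    crl_script 2 "$(date -u +%Y%m%d%H%M%SZ)" > "$DB/crl.txt"
    crlutil -G -d "$DB" -f "$DB/pw" -n "Test CA" -c "$DB/crl.txt"
}
main() {
    make_ca; make_ee; verify_ee            # step 3 must pass
    revoke_ee; expect_rejected verify_ee   # step 5 must now fail
    echo "revoked EE cert rejected as expected"
}
# Run the full sequence only when asked, so the helpers can be sourced alone.
if [ "${REPRO_RUN:-0}" = 1 ]; then main; fi
```

Run with `REPRO_RUN=1 sh repro.sh`; a non-zero exit at the last step is the bug from this report, since the revoked leaf should no longer validate.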
Comment on attachment 355893: Fix use of wrong member of the state structure. Nelson, please review. This bug affects only chains that consist of just two certs, with the condition of having an explicit set of trust anchors. There are two places of misuse; both of them, however, have to do with an attempt to chain to one of the trust anchors. In both cases we found a trusted anchor to which we chain, and we want to check the cert status. The first chunk, though, relates to the general case when the build function has gone through multiple steps of chain construction and has found a link to a trust anchor. In the second chunk the function has found that the EE cert is linked to one of the trust anchors directly and now needs to verify the revocation status of the cert.
So there is another problem: crlutil ignores the local time zone - that's why it works in the US and doesn't work in Europe. I just reported this as bug 473169.
Comment on attachment 355893: Fix use of wrong member of the state structure. r=nelson
Patch is integrated.