Closed Bug 95498 Opened 24 years ago Closed 22 years ago

CRL Reason Code removeFromCRL-(8) is not honored

Categories

(NSS :: Libraries, enhancement, P2)

x86
Windows NT
enhancement

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 148214
Future

People

(Reporter: awnuk, Assigned: rrelyea)

Details

Certificate Manager indicates that certificate 00:C3:59 is revoked after importing the following CRL:

    Certificate Revocation List:
        Data:
            Version: v2
            Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Issuer: CN=Certificate Manager,OU=CA1,O=Netscape,C=US
            This Update: Wednesday, August 15, 2001 1:08:25 PM GMT-08:00
            Next Update: Friday, August 17, 2001 1:08:25 PM GMT-08:00
            Revoked Certificates:
                Serial Number: 0xC359
                Revocation Date: Wednesday, August 15, 2001 1:07:51 PM GMT-08:00
                Extensions:
                    Identifier: Revocation Reason - 2.5.29.21
                        Critical: no
                        Reason: Remove_from_CRL
            Extensions:
                Identifier: Delta CRL Indicator - 2.5.29.27
                    Critical: yes
                    Base CRL Number: 13
                Identifier: CRL Number - 2.5.29.20
                    Critical: no
                    Number: 14
        Signature:
            Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
            Signature:

Certificate revocation list base64 encoded:

The Reason Code entry extension with the value removeFromCRL is used by delta CRLs to remove a certificate entry from the full CRL.

RFC 2459 (http://www.ietf.org/rfc/rfc2459.txt) defines in section 5.3.1 a CRL entry extension called "Reason Code" as follows:

    The reasonCode is a non-critical CRL entry extension that identifies
    the reason for the certificate revocation. CAs are strongly
    encouraged to include meaningful reason codes in CRL entries;
    however, the reason code CRL entry extension SHOULD be absent instead
    of using the unspecified (0) reasonCode value.

    id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 }

    -- reasonCode ::= { CRLReason }

    CRLReason ::= ENUMERATED {
         unspecified             (0),
         keyCompromise           (1),
         cACompromise            (2),
         affiliationChanged      (3),
         superseded              (4),
         cessationOfOperation    (5),
         certificateHold         (6),
         removeFromCRL           (8) }
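The difference between treating the delta CRL above as a full CRL and applying it to its base, as an added Python example (not part of the original report and not NSS code). The `Crl` class, the function names, the contents of base CRL 13 and serial 0x1A2B are constructed for illustration; the CRL-number range check is the combination rule from RFC 5280 section 5.2.4.

```python
from dataclasses import dataclass
from typing import Dict, Optional

CERTIFICATE_HOLD = 6   # CRLReason values from the RFC text quoted above
REMOVE_FROM_CRL = 8

@dataclass
class Crl:  # hypothetical model, not an NSS type
    issuer: str
    crl_number: int
    entries: Dict[int, Optional[int]]      # serial -> reason code
    base_crl_number: Optional[int] = None  # Delta CRL Indicator; None = full CRL

def naive_revoked(crl: Crl) -> set:
    """Treat any CRL as a full CRL: every listed serial counts as revoked."""
    return set(crl.entries)

def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Return the full CRL that results from applying delta to base."""
    if base.base_crl_number is not None or delta.base_crl_number is None:
        raise ValueError("need a full CRL and a delta CRL")
    if base.issuer != delta.issuer:
        raise ValueError("issuer mismatch")
    # Combination rule from RFC 5280 section 5.2.4.
    if not (delta.base_crl_number <= base.crl_number < delta.crl_number):
        raise ValueError("delta CRL does not apply to this base CRL")
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # entry is dropped, not added
        else:
            merged[serial] = reason
    return Crl(base.issuer, delta.crl_number, merged)

ISSUER = "CN=Certificate Manager,OU=CA1,O=Netscape,C=US"
# Constructed base CRL 13: 0xC359 on hold, 0x1A2B revoked for keyCompromise (1).
BASE = Crl(ISSUER, 13, {0xC359: CERTIFICATE_HOLD, 0x1A2B: 1})
# Delta CRL with the values shown in the report's dump.
DELTA = Crl(ISSUER, 14, {0xC359: REMOVE_FROM_CRL}, base_crl_number=13)

if __name__ == "__main__":
    print("treated as full CRL:", [hex(s) for s in naive_revoked(DELTA)])
    print("after applying delta:", [hex(s) for s in apply_delta(BASE, DELTA).entries])
```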
->future
Priority: -- → P2
Target Milestone: --- → Future
Marking NEW.
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: ckritzer → junruh
This probably needs to be fixed in NSS.
Assignee: ssaux → rangansen
Two separate issues here:
1. NSS does not handle delta crls at present, and they are treated as full crls
2. To my understanding, crl extensions are not interpreted at present.
->nss
Assignee: rangansen → wtc
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: junruh → sonja.mirtitsch
Version: 2.0 → 3.0
Assigned the bug to Bob. Bug 103946 is the NSS bug that NSS imports Delta CRLs successfully even though it does not support Delta CRLs.
Assignee: wtc → relyea
Since the bug is requesting functionality that has never been supported or advertised, I'm changing severity to enhancement. The base bug that we import delta CRLs already exists.
bob
Severity: normal → enhancement
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
This bug duplicates parts of two other bugs, bug 103946 and bug 148214.
There are actually several bugs, and an RFE here. The bugs are/were:
a) NSS doesn't understand delta CRLs (RFE: bug 148214)
b) When a delta CRL was imported, NSS didn't detect that it was a CRL that NSS couldn't understand, and so NSS did not reject it (bug 103946, now fixed).
The fact that NSS didn't handle the particular "reason code" is really just a small piece of the larger issue, which is support for delta CRLs.
Anyway, today, if you attempted to import the CRL shown above, NSS would reject it because it is a delta CRL.
I am marking this bug a duplicate of the RFE that asks to add delta CRL support to NSS.
*** This bug has been marked as a duplicate of 148214 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Shortening subject.
Summary: CRL entry extension called "Reason Code" with the value removeFromCRL-(8) is not processed correctly → CRL Reason Code removeFromCRL-(8) is not honored