Many thanks for your answer.
Regards,

On 28/05/2014 18:34, Aleksey Sanin wrote:
One of the "pick your poison" problems without a good clean answer.

1) Rejecting expired CRL in xmlSecOpenSSLX509StoreAdoptCrl()

The problem here is that XMLSec supports a mode when signature
verification happens at some defined point in time and not necessarily
"now". This is useful if you want to find out whether signature was
valid a year ago, for example. Thus, we cannot reject the CRL early
in the process because we don't know this verification time until
much later.

2) Ignore expired CRL

Technically, an expired CRL should not be used for any purpose. While it is
completely weird, I can revoke a cert in one CRL and then not revoke
it in the next one.


The bottom line is that XMLSec is leaving the CRL management question
out of scope. Your application should be refreshing CRLs (if necessary)
to make sure XMLSec always has a fresh one.

Aleksey

On 5/27/14, 11:38 PM, pfx wrote:
Hello,

I found a strange behaviour in the management of CRLs (IMHO).

Suppose I use a valid CRL and I verify a signature with a revoked
certificate: xmlSecDSigCtxVerify() succeeds and status ==
xmlSecDSigStatusInvalid. Well, all is fine!
A few days later (the same CRL has expired), I retry the same operation
with the same signature: this time the verification succeeds!

In fact, xmlSecOpenSSLX509VerifyCertAgainstCrls() checks the validity of
the CRL. If the CRL is out of date, the function returns 1 (not revoked),
and the verification process is not aborted.

(cf. x509vfy.c, xmlSecOpenSSLX509VerifyCertAgainstCrls)

    /*
     * Check date of CRL to make sure it's not expired
     */
    ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
    if (ret == 0) {
        /* crl expired */
        return(1);
    }

I expected a different behavior ...

1/ If I try to use an expired CRL, when I add this CRL,
xmlSecOpenSSLX509StoreAdoptCrl() emits a warning or an error.
(This is a bit drastic.)

or

2/ If I try to use an expired CRL,
xmlSecOpenSSLX509VerifyCertAgainstCrls() must use this CRL even if the
CRL has expired (a revoked certificate remains a revoked certificate),
and the result of the signature verification will be "invalid".

Your opinion?
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
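As an added illustration of the behaviour discussed in this thread (not code from xmlsec or OpenSSL): a small C model of the CRL check with an explicit verification time, showing the lenient path pfx observed beside a strict alternative and why Aleksey's "verify as of a past instant" case matters. The crl_t structure, cmp_time(), check_against_crl() and all sample values are hypothetical.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical in-memory CRL: a model for this illustration, not an xmlsec or OpenSSL structure. */
typedef struct {
    time_t next_update;   /* the CRL's nextUpdate field */
    long   revoked[4];    /* revoked serial numbers */
    int    n_revoked;
} crl_t;

/* Same convention as xmlSecOpenSSLX509VerifyCertAgainstCrls(): 1 = not revoked, 0 = revoked, -1 = error. */
enum { CRL_NOT_REVOKED = 1, CRL_REVOKED = 0, CRL_STALE = -1 };

/* Mirrors the sign convention of X509_cmp_time(): -1 if next_update is at or before t, 1 if later. */
static int cmp_time(time_t next_update, time_t t)
{
    return next_update <= t ? -1 : 1;
}

/* strict == 0: the lenient path quoted from x509vfy.c, an expired CRL yields "not revoked".
 * strict != 0: an expired CRL is reported as an error instead of silently passing.
 * verify_time replaces "now", so the same CRL can be judged as of a past instant. */
int check_against_crl(const crl_t *crl, long serial, time_t verify_time, int strict)
{
    if (cmp_time(crl->next_update, verify_time) < 0)
        return strict ? CRL_STALE : CRL_NOT_REVOKED;
    for (int i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial)
            return CRL_REVOKED;
    return CRL_NOT_REVOKED;
}

/* Constructed sample: CRL issued 2014-05-28 00:00 UTC, valid for 7 days, revoking serial 0x1234. */
#define CRL_ISSUED  ((time_t)1401235200)
#define ONE_DAY     ((time_t)86400)
const crl_t sample_crl = { CRL_ISSUED + 7 * ONE_DAY, { 0x1234, 0x99 }, 2 };

int main(void)
{
    /* Day 1: fresh CRL, the revoked certificate is caught. */
    printf("day 1,  lenient: %d\n", check_against_crl(&sample_crl, 0x1234, CRL_ISSUED + ONE_DAY, 0));
    /* Day 10: CRL expired, the lenient check now answers "not revoked" (the surprise in the thread). */
    printf("day 10, lenient: %d\n", check_against_crl(&sample_crl, 0x1234, CRL_ISSUED + 10 * ONE_DAY, 0));
    /* Day 10, strict policy: the stale CRL is an error, not a pass. */
    printf("day 10, strict:  %d\n", check_against_crl(&sample_crl, 0x1234, CRL_ISSUED + 10 * ONE_DAY, 1));
    /* Verifying "as of day 1" from any later date still reports the revocation. */
    printf("as-of day 1:     %d\n", check_against_crl(&sample_crl, 0x1234, CRL_ISSUED + ONE_DAY, 1));
    return 0;
}
```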