[xmlsec] xmlSecDSigCtxVerify ignores multiple CRLs

Aleksey Sanin aleksey at aleksey.com
Thu May 22 08:51:53 PDT 2014


Good catch! The original code makes no sense (compares the same values).

I applied your patch, just moved the X509_get_issuer_name() call
outside of the loop since it is not changing anyway. The change is
pushed to master. Could you please try it out?


Thanks for the bug report and the patch!

Aleksey

On 5/22/14, 12:34 AM, pfx wrote:
> Hello,
> 
> xmlSecDSigCtxVerify() uses a stack of CRLs to ignore revoked certificates.
> For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by
> xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.
> 
> In this routine, the first loop tries to find the CRL that matches the
> certificate (same issuer):
>     issuer = X509_CRL_get_issuer(crl);
>     if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {
> But this expression is always true, and
> xmlSecOpenSSLX509VerifyCertAgainstCrls() always uses the first CRL.
> 
> A possible patch: compare the CRL issuer against the certificate issuer, as below:
> 
> diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb'
> temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c
> temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c
> --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c    2009-09-12
> 22:08:31.000000000 +0200
> +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21
> 19:46:17.193896800 +0200
> @@ -967,7 +967,7 @@
>          continue;
>      }
> 
> -    issuer = X509_CRL_get_issuer(crl);
> +    issuer = X509_get_issuer_name(cert);
>      if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
> == 0) {
>          break;
>      }
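Review bot: the replacement line `+    issuer = X509_get_issuer_name(cert);` is still executed inside the loop body, but its value depends only on `cert`, not on the current `crl`, so it should be assigned once before the loop and the loop body reduced to the `xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0` check and the `break`. The fix itself is right: the original compared `X509_CRL_get_issuer(crl)` with a copy of itself, so the first non-skipped CRL was always selected regardless of which CA issued the certificate.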
> 
> Regards,
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
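To make the consequence of the reported bug concrete, here is an added example that models the CRL-selection loop in plain C structs rather than OpenSSL types. It is not xmlsec's code: `crl_t`, `cert_t`, `select_crl_buggy`, `select_crl_fixed`, `is_revoked` and the sample issuer names and serials are all constructed for this illustration, with string comparison standing in for `xmlSecOpenSSLX509NamesCompare()` on `X509_NAME` objects. The buggy selector reproduces the self-comparison, the fixed one matches on the certificate's issuer read once before the loop, and a small revocation lookup shows that with the bug a certificate revoked by its own CA is checked against the wrong CRL and passes.

```c
/* Added example, not xmlsec's code: a model of the CRL-selection loop from
 * xmlSecOpenSSLX509VerifyCertAgainstCrls() using plain C structs so that it
 * runs without OpenSSL. Issuer names are strings here; the real code compares
 * X509_NAME objects with xmlSecOpenSSLX509NamesCompare(). */
#include <stdio.h>
#include <string.h>

#define MAX_REVOKED 4

/* Constructed stand-in for an X509_CRL: issuer DN plus revoked serials. */
typedef struct {
    const char *issuer;
    const char *revoked[MAX_REVOKED];
    int nrevoked;
} crl_t;

/* Constructed stand-in for an X509 certificate. */
typedef struct {
    const char *issuer;
    const char *serial;
} cert_t;

/* Buggy selection, as reported on the list: the CRL's issuer is compared with
 * itself, so the first CRL examined always "matches". Returns its index. */
static int select_crl_buggy(const crl_t *crls, int ncrls, const cert_t *cert) {
    (void)cert;                                        /* never consulted */
    for (int i = 0; i < ncrls; ++i) {
        const char *issuer = crls[i].issuer;           /* X509_CRL_get_issuer(crl) */
        if (strcmp(crls[i].issuer, issuer) == 0)       /* always true */
            return i;
    }
    return -1;
}

/* Fixed selection: match on the certificate's issuer, read once before the
 * loop because it does not change between iterations. Returns -1 if no
 * loaded CRL was issued by the certificate's CA. */
static int select_crl_fixed(const crl_t *crls, int ncrls, const cert_t *cert) {
    const char *issuer = cert->issuer;                 /* X509_get_issuer_name(cert) */
    for (int i = 0; i < ncrls; ++i) {
        if (strcmp(crls[i].issuer, issuer) == 0)
            return i;
    }
    return -1;
}

typedef int (*selector_fn)(const crl_t *, int, const cert_t *);

/* Returns 1 if the certificate's serial is listed in the CRL chosen by
 * `select`, 0 if it is not, and -1 if no CRL from the cert's issuer exists.
 * The -1 case is this model's choice: "no CRL" is reported separately so the
 * caller can decide, instead of silently treating it as "not revoked". */
static int is_revoked(const crl_t *crls, int ncrls, const cert_t *cert, selector_fn select) {
    int idx = select(crls, ncrls, cert);
    if (idx < 0)
        return -1;
    const crl_t *crl = &crls[idx];
    for (int i = 0; i < crl->nrevoked; ++i) {
        if (strcmp(crl->revoked[i], cert->serial) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample data: two CAs, each with its own CRL loaded. */
static const crl_t SAMPLE_CRLS[] = {
    { "CN=Root CA A", { "0x1001" }, 1 },
    { "CN=Root CA B", { "0x2001", "0x2002" }, 2 },
};
static const int SAMPLE_NCRLS = 2;

/* A certificate issued by CA B whose serial CA B has revoked. */
static const cert_t REVOKED_BY_B = { "CN=Root CA B", "0x2002" };
/* A certificate from a CA for which no CRL is loaded at all. */
static const cert_t NO_CRL_ISSUER = { "CN=Root CA C", "0x3001" };

int main(void) {
    /* buggy: 0 (revoked cert accepted, because CA A's CRL was consulted) */
    printf("buggy:  %d\n", is_revoked(SAMPLE_CRLS, SAMPLE_NCRLS, &REVOKED_BY_B, select_crl_buggy));
    /* fixed: 1 (CA B's CRL consulted, serial found) */
    printf("fixed:  %d\n", is_revoked(SAMPLE_CRLS, SAMPLE_NCRLS, &REVOKED_BY_B, select_crl_fixed));
    /* fixed, no CRL for issuer: -1 */
    printf("no crl: %d\n", is_revoked(SAMPLE_CRLS, SAMPLE_NCRLS, &NO_CRL_ISSUER, select_crl_fixed));
    return 0;
}
```

The interesting line is the buggy run: the certificate from CA B is revoked in CA B's CRL, but the self-comparison picks CA A's CRL, whose list does not contain the serial, so the revoked certificate is reported as good. Whatever the real code does when no CRL for the issuer is present, the selection step must at least be looking at the right CRL for the check to mean anything.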