[xmlsec] xmlSecDSigCtxVerify ignores multiple CRLs

Aleksey Sanin aleksey at aleksey.com
Fri May 23 09:48:34 PDT 2014


I didn't have any specific plans but I will see what I can do :0

Aleksey

On 5/23/14, 12:42 AM, pfx wrote:
> I tried your patch (under Windows) from master. It works!
> 
> ... and the next question is: when do you release a new version of
> xmlsec?
> 
> Patrick,
> 
> On 22/05/2014 17:51, Aleksey Sanin wrote:
>> Good catch! The original code makes no sense (compares the same values).
>>
>> I applied your patch, just moved the X509_get_issuer_name() call
>> outside of the loop since it is not changing anyway. The change is
>> pushed to master. Could you please try it out?
>>
>>
>> Thanks for the bug report and the patch!
>>
>> Aleksey
>>
>> On 5/22/14, 12:34 AM, pfx wrote:
>>> Hello,
>>>
>>> xmlSecDSigCtxVerify() uses a stack of CRL to ignore revoked
>>> certificates.
>>> For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by
>>> xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.
>>>
>>> In this routine, the first loop tries to find the CRL that matches the
>>> certificate (same issuer):
>>>      issuer = X509_CRL_get_issuer(crl);
>>>      if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
>>> == 0) {
>>> but this expression is always true, and
>>> xmlSecOpenSSLX509VerifyCertAgainstCrls always uses the first CRL.
>>>
>>> A possible patch: compare the CRL issuer against the certificate issuer, as
>>> below.
>>>
>>> diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb'
>>> temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c
>>> temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c
>>> --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c    2009-09-12
>>> 22:08:31.000000000 +0200
>>> +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21
>>> 19:46:17.193896800 +0200
>>> @@ -967,7 +967,7 @@
>>>           continue;
>>>       }
>>>
>>> -    issuer = X509_CRL_get_issuer(crl);
>>> +    issuer = X509_get_issuer_name(cert);
>>>       if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
>>> == 0) {
>>>           break;
>>>       }
>>>
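Review bot: the replacement line calls X509_get_issuer_name(cert) on every iteration of the loop even though the certificate does not change between iterations; compute it once before the loop and reuse it (this is the hoisting mentioned above when the patch was merged to master). The fix itself is right: the old line assigned the CRL's own issuer to `issuer` and then compared X509_CRL_get_issuer(crl) against it, which can never differ, so the `break` fired on the first CRL regardless of which CA issued the certificate. Since `issuer` now holds the certificate's issuer rather than the CRL's, a name such as `cert_issuer` would make the comparison read as intended.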
>>> Regards,
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
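The defect discussed in this thread, shown as an added self-contained model rather than xmlsec's or OpenSSL's code: the toy ToyCrl/ToyCert types, the string-based names_compare() standing in for xmlSecOpenSSLX509NamesCompare(), the CA names and serial numbers are all constructed for illustration. The `buggy` flag reproduces the original loop, which compares a CRL's issuer against itself and therefore always selects the first CRL; with the flag clear the loop compares the CRL issuer against the certificate issuer, as the patch does. The sample data has two CAs with separate CRLs, so a certificate revoked by the second CA's CRL is accepted by the original lookup and rejected by the corrected one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy types standing in for X509 / X509_CRL. Issuer names are
 * plain strings here; the real code compares X509_NAME objects. */
typedef struct {
    const char *issuer;      /* DN of the CA that signed this CRL */
    const long *revoked;     /* serial numbers listed as revoked */
    size_t n_revoked;
} ToyCrl;

typedef struct {
    const char *issuer;      /* DN of the CA that issued the certificate */
    long serial;
} ToyCert;

/* Stands in for xmlSecOpenSSLX509NamesCompare(): 0 means "same name". */
static int names_compare(const char *a, const char *b) {
    return strcmp(a, b);
}

/* Select the CRL whose issuer matches the certificate. With buggy != 0 the
 * loop reproduces the original defect: the CRL's issuer is compared against
 * itself, so the test succeeds on the first iteration and the first CRL in
 * the stack is always chosen, whatever CA issued the certificate. */
static const ToyCrl *find_crl_for_cert(const ToyCert *cert, const ToyCrl *crls,
                                       size_t n_crls, int buggy) {
    for (size_t i = 0; i < n_crls; i++) {
        const char *issuer = buggy ? crls[i].issuer : cert->issuer;
        if (names_compare(crls[i].issuer, issuer) == 0) {
            return &crls[i];
        }
    }
    return NULL;
}

/* Returns 1 if the certificate is accepted, 0 if its serial appears on the
 * selected CRL, and -1 if no CRL for its issuer is available (how that last
 * case is treated is this example's choice, not xmlsec's). */
int verify_against_crls(const ToyCert *cert, const ToyCrl *crls,
                        size_t n_crls, int buggy) {
    const ToyCrl *crl = find_crl_for_cert(cert, crls, n_crls, buggy);
    if (crl == NULL) {
        return -1;
    }
    for (size_t i = 0; i < crl->n_revoked; i++) {
        if (crl->revoked[i] == cert->serial) {
            return 0;
        }
    }
    return 1;
}

/* Constructed sample data: two CAs, each publishing its own CRL. */
static const long kCa1Revoked[] = { 1001 };
static const long kCa2Revoked[] = { 2002 };
const ToyCrl kCrls[] = {
    { "CN=CA1", kCa1Revoked, 1 },
    { "CN=CA2", kCa2Revoked, 1 },
};
const size_t kNumCrls = sizeof(kCrls) / sizeof(kCrls[0]);

/* Certificate issued by CA2 and listed on CA2's CRL. */
const ToyCert kCertRevokedByCa2 = { "CN=CA2", 2002 };
/* Certificate issued by CA2 that has not been revoked. */
const ToyCert kCertValidCa2 = { "CN=CA2", 2003 };
/* Certificate from a CA for which no CRL is in the stack. */
const ToyCert kCertUnknownCa = { "CN=CA3", 5 };

int main(void) {
    printf("revoked CA2 cert, original lookup: %d (1 = wrongly accepted)\n",
           verify_against_crls(&kCertRevokedByCa2, kCrls, kNumCrls, 1));
    printf("revoked CA2 cert, patched lookup:  %d (0 = rejected)\n",
           verify_against_crls(&kCertRevokedByCa2, kCrls, kNumCrls, 0));
    printf("valid CA2 cert, patched lookup:    %d (1 = accepted)\n",
           verify_against_crls(&kCertValidCa2, kCrls, kNumCrls, 0));
    printf("unknown-CA cert, patched lookup:   %d (-1 = no CRL)\n",
           verify_against_crls(&kCertUnknownCa, kCrls, kNumCrls, 0));
    return 0;
}
```

The first two lines of output are the security-relevant pair: under the original loop a certificate revoked by CA2 is checked against CA1's CRL and passes, while the patched loop finds CA2's CRL and rejects it. The last line shows why the issuer match also matters for the negative case: with the fix the verifier can tell that it has no CRL for that CA at all instead of silently consulting an unrelated one.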

