[xmlsec] xmlSecDSigCtxVerify ignores expired CRL
pfx
pf.prologue at gmail.com
Tue May 27 23:38:17 PDT 2014
Hello,

I found a strange behaviour in the management of CRLs (IMHO).

Suppose I use a valid CRL and I verify a signature with a revoked
certificate: xmlSecDSigCtxVerify() succeeded and status ==
xmlSecDSigStatusInvalid. Well, all is fine!

A few days later (the same CRL has expired), I retry the same operation
with the same signature: this time the verification succeeds!

In fact, xmlSecOpenSSLX509VerifyCertAgainstCrls() checks the validity of
the CRL.
If the CRL is out of date, the function returns 1 (not revoked), and the
process of verification is not aborted
(cf. x509vfy.c/xmlSecOpenSSLX509VerifyCertAgainstCrls):

    /*
     * Check date of CRL to make sure it's not expired
     */
    ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
    if (ret == 0) {
        /* crl expired */
        return(1);
    }

I expected a different behavior ...

1/ If I try to use an expired CRL, when I add this CRL,
xmlSecOpenSSLX509StoreAdoptCrl() emits a warning or an error.
(this is a bit drastic)

or

2/ If I try to use an expired CRL,
xmlSecOpenSSLX509VerifyCertAgainstCrls() must use this CRL even if the
CRL has expired (a revoked certificate remains a revoked certificate)
and the result of the signature verification will be "invalid".

Your opinion?
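
Added example, not part of the original message and not xmlsec code: a simplified C model of three ways to handle an expired CRL, namely the skip behaviour the message describes, option 2 from the message, and a stricter reject policy that goes beyond the message. The crl_model type, the policy names and the sample serial numbers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical, simplified CRL model; not an xmlsec or OpenSSL type. */
typedef struct {
    time_t next_update;   /* CRL is considered expired after this time */
    const long *revoked;  /* serial numbers listed as revoked */
    size_t n_revoked;
} crl_model;

typedef enum { CRL_EXPIRED = -1, CERT_REVOKED = 0, CERT_NOT_REVOKED = 1 } crl_result;

typedef enum {
    POLICY_SKIP_EXPIRED,   /* behaviour described in the message */
    POLICY_USE_EXPIRED,    /* option 2: listed entries still count */
    POLICY_REJECT_EXPIRED  /* stricter assumption: expired CRL is an error */
} crl_policy;

/* Constructed sample: nextUpdate at t=1000, two revoked serials. */
static const long SAMPLE_REVOKED[] = { 1001, 1002 };
static const crl_model SAMPLE_CRL = { 1000, SAMPLE_REVOKED, 2 };

crl_result check_cert_against_crl(const crl_model *crl, long serial,
                                  time_t now, crl_policy policy)
{
    int expired = now > crl->next_update;
    size_t i;

    if (expired && policy == POLICY_SKIP_EXPIRED)
        return CERT_NOT_REVOKED;   /* fails open: revoked cert passes */
    if (expired && policy == POLICY_REJECT_EXPIRED)
        return CRL_EXPIRED;        /* caller must fetch a fresh CRL */
    /* Fresh CRL, or POLICY_USE_EXPIRED. An expired CRL can only confirm
     * old revocations; it cannot vouch for certificates revoked later. */
    for (i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial)
            return CERT_REVOKED;
    return CERT_NOT_REVOKED;
}

int main(void)
{
    int p;
    for (p = POLICY_SKIP_EXPIRED; p <= POLICY_REJECT_EXPIRED; p++)
        printf("policy %d, expired CRL, revoked serial -> %d\n", p,
               check_cert_against_crl(&SAMPLE_CRL, 1001, 2000, (crl_policy)p));
    return 0;
}
```

Under the use-expired policy a certificate that is not listed still comes back as not revoked, so that result is only as current as the CRL's issue date.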