[xmlsec] xmlSecDSigCtxVerify ignores expired CRL

pfx pf.prologue at gmail.com
Wed May 28 10:48:04 PDT 2014


Many thanks for your answer.
Regards,

On 28/05/2014 18:34, Aleksey Sanin wrote:
> One of the "pick your poison" problems without a good clean answer.
>
> 1) Rejecting expired CRL in xmlSecOpenSSLX509StoreAdoptCrl()
>
> The problem here is that XMLSec supports a mode in which signature
> verification happens at some defined point in time and not necessarily
> "now". This is useful if you want to find out whether the signature was
> valid a year ago, for example. Thus, we cannot reject the CRL early
> in the process because we don't know this verification time until
> much later.
>
> 2) Ignore expired CRL
>
> Technically, an expired CRL should not be used for any purpose. While it is
> completely weird, I can revoke a cert in one CRL and then not revoke
> it in the next one.
>
>
> The bottom line is that XMLSec is leaving the CRL management question
> out of scope. Your application should be refreshing CRLs (if necessary)
> to make sure XMLSec always has a fresh one.
>
> Aleksey
>
> On 5/27/14, 11:38 PM, pfx wrote:
>> Hello,
>>
>> I found a strange behaviour in the management of CRLs (IMHO).
>>
>> Suppose I use a valid CRL and I verify a signature with a revoked
>> certificate: xmlSecDSigCtxVerify() succeeds and status ==
>> xmlSecDSigStatusInvalid. Well, all is fine!
>> A few days later (the same CRL has expired), I retry the same operation
>> with the same signature: this time the verification succeeds!
>>
>> In fact, xmlSecOpenSSLX509VerifyCertAgainstCrls() checks the validity of
>> the CRL.
>> If the CRL is out of date, the function returns 1 (not revoked), and the
>> verification process is not aborted.
>>
>> (cf. x509vfy.c/xmlSecOpenSSLX509VerifyCertAgainstCrls)
>>      /*
>>       * Check date of CRL to make sure it's not expired
>>       */
>>      ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
>>      if (ret == 0) {
>>          /* crl expired */
>>          return(1);
>>      }
>>
>> I expected a different behavior...
>>
>> 1/ If I try to use an expired CRL, when I add this CRL,
>> xmlSecOpenSSLX509StoreAdoptCrl() emits a warning or an error.
>> (this is a bit drastic)
>>
>> or
>>
>> 2/ If I try to use an expired CRL,
>> xmlSecOpenSSLX509VerifyCertAgainstCrls() must use this CRL even if the
>> CRL has expired (a revoked certificate remains a revoked certificate),
>> and the result of the signature verification will be "invalid".
>>
>> Your opinion?
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
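Added example, not xmlsec's own code: an application-side, fail-closed CRL check in Python (hypothetical issuer name, constructed CRL data) that measures CRL freshness against the verification time rather than "now", so the "expired CRL, verification succeeds" outcome from the report becomes a "stale, refresh the CRL" result instead. It also generalizes to the earlier-point-in-time verification Aleksey describes: a CRL that has expired today may still cover that earlier instant.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Revocation(Enum):
    GOOD = "good"        # a CRL valid at the verification time does not list the serial
    REVOKED = "revoked"  # a CRL valid at the verification time lists the serial
    STALE = "stale"      # no CRL from this issuer covers the verification time: refresh, never trust


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def check_revocation(issuer, serial, crls, verification_time):
    """Fail-closed CRL check: an out-of-date CRL yields STALE, never GOOD.
    verification_time is the instant the signature is judged at (not
    necessarily now), so freshness is measured against that instant."""
    usable = [c for c in crls
              if c.issuer == issuer and c.this_update <= verification_time <= c.next_update]
    if not usable:
        return Revocation.STALE
    if any(serial in c.revoked_serials for c in usable):
        return Revocation.REVOKED
    return Revocation.GOOD


# Constructed sample data: one CRL from a hypothetical issuer, valid for a week,
# listing serial 0x1234 as revoked.
SAMPLE_CRL = Crl(
    issuer="CN=Example Issuing CA",
    this_update=datetime(2014, 5, 13, tzinfo=timezone.utc),
    next_update=datetime(2014, 5, 20, tzinfo=timezone.utc),
    revoked_serials=frozenset({0x1234}),
)


def demo():
    """Same revoked certificate checked inside and after the CRL's validity window."""
    during = datetime(2014, 5, 15, tzinfo=timezone.utc)  # CRL still valid
    later = datetime(2014, 5, 28, tzinfo=timezone.utc)   # CRL expired: the case from the report
    return {
        "during": check_revocation("CN=Example Issuing CA", 0x1234, [SAMPLE_CRL], during),
        "later": check_revocation("CN=Example Issuing CA", 0x1234, [SAMPLE_CRL], later),
        "other_serial": check_revocation("CN=Example Issuing CA", 0x9999, [SAMPLE_CRL], during),
    }
```

Wiring the STALE result to a CRL refresh before calling xmlSecDSigCtxVerify() keeps the library's "fresh CRL" assumption true instead of silently accepting a revoked certificate.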