[xmlsec] xmlSecDSigCtxVerify ignores expired CRL

Aleksey Sanin aleksey at aleksey.com
Wed May 28 09:34:59 PDT 2014


One of the "pick your poison" problems without a good clean answer.

1) Rejecting expired CRL in xmlSecOpenSSLX509StoreAdoptCrl()

The problem here is that XMLSec supports a mode where signature
verification happens at some defined point in time and not necessarily
"now". This is useful if you want to find out whether a signature was
valid a year ago, for example. Thus, we cannot reject a CRL early
in the process because we don't know this verification time until
much later.

2) Ignore expired CRL

Technically, an expired CRL should not be used for any purpose. While it is
completely weird, I can revoke a cert in one CRL and then not revoke
it in the next one.


The bottom line is that XMLSec is leaving the CRL management question
out of scope. Your application should be refreshing CRLs (if necessary)
to make sure XMLSec always has a fresh one.


Aleksey

On 5/27/14, 11:38 PM, pfx wrote:
> Hello,
> 
> I found a strange behaviour in management of CRLs (IMHO)
> 
> Suppose I use a valid CRL and I verify a signature with a revoked
> certificate : xmlSecDSigCtxVerify() succeeded and status ==
> xmlSecDSigStatusInvalid : Well all is fine !
> A few days later, (the same CRL has expired), I retry the same operation
> with the same signature : this time the verification succeeds !
> 
> In fact, xmlSecOpenSSLX509VerifyCertAgainstCrls() checks the validity of
> CRL.
> If the CRL is out of date, the function returns 1 (not revoked), and the
> process of verification is not aborted
> 
> (cf. x509vfy.c/xmlSecOpenSSLX509VerifyCertAgainstCrls)
>     /*
>      * Check date of CRL to make sure it's not expired
>      */
>     ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
>     if (ret == 0) {
>         /* crl expired */
>         return(1);
>     }
> 
> I expected a different behavior ...
> 
> 1/ If I try to use an expired CRL, when I add this CRL,
> xmlSecOpenSSLX509StoreAdoptCrl() emits a warning or an error.
> (this is a bit drastic)
> 
> or
> 
> 2/ If I try to use an expired CRL,
> xmlSecOpenSSLX509VerifyCertAgainstCrls() must use this CRL even if the
> CRL has expired (a revoked certificate remains a revoked certificate)
> and the result of the signature verification will be "invalid"
> 
> Your opinion ?


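An application-side freshness gate of the kind the reply leaves to the caller, as an added example that is not part of this thread, xmlsec or OpenSSL. It models a CRL by its thisUpdate/nextUpdate window and revoked serials (the struct, enum and function names are hypothetical), evaluates it at the chosen verification time, and reports a CRL that is not valid at that time as its own result instead of "not revoked".

```c
#include <stddef.h>
#include <time.h>

/* Hypothetical model of a parsed CRL; not an xmlsec or OpenSSL type. */
typedef struct {
    time_t this_update;      /* CRL thisUpdate */
    time_t next_update;      /* CRL nextUpdate */
    const long *revoked;     /* revoked serial numbers */
    size_t n_revoked;
} crl_model;

typedef enum { CERT_GOOD, CERT_REVOKED, CRL_NOT_USABLE } crl_result;

/* Evaluate a serial against the CRL at verify_time, which may be in the
 * past (the "was it valid a year ago" mode) rather than the current time. */
crl_result crl_check_at(const crl_model *crl, long serial, time_t verify_time)
{
    size_t i;

    /* Outside its validity window the CRL gives no reliable answer:
     * report that so the caller can refresh or fail, never "good". */
    if (verify_time < crl->this_update || verify_time > crl->next_update)
        return CRL_NOT_USABLE;

    for (i = 0; i < crl->n_revoked; i++)
        if (crl->revoked[i] == serial)
            return CERT_REVOKED;

    return CERT_GOOD;
}

/* Caller policy: only an affirmative CERT_GOOD lets verification go on. */
int crl_allows_verification(const crl_model *crl, long serial, time_t verify_time)
{
    return crl_check_at(crl, serial, verify_time) == CERT_GOOD;
}

/* Constructed sample data: CRL valid for days 100..107, serial 42 revoked. */
#define DAY ((time_t)86400)
static const long sample_revoked[] = { 42 };
static const crl_model sample_crl = { 100 * DAY, 107 * DAY, sample_revoked, 1 };
```

With the constructed sample, serial 42 is reported revoked on day 103, while any check on day 110 returns `CRL_NOT_USABLE`, so the application knows to fetch a fresh CRL before calling into the verification.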