[xmlsec] xmlSecDSigCtxVerify ignores multiple CRLs

pfx pf.prologue at gmail.com
Thu May 22 00:34:24 PDT 2014


Hello,

xmlSecDSigCtxVerify() uses a stack of CRLs to reject revoked certificates.
For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by
xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.

In this routine, the first loop tries to find the CRL that matches the
certificate (same issuer):
     issuer = X509_CRL_get_issuer(crl);
     if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {
but this expression is always true, and
xmlSecOpenSSLX509VerifyCertAgainstCrls always uses the first CRL.

A possible patch: compare the CRL issuer against the certificate issuer, as below.

diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb' 
temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c 
temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c
--- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c    2009-09-12 
22:08:31.000000000 +0200
+++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21 
19:46:17.193896800 +0200
@@ -967,7 +967,7 @@
          continue;
      }

-    issuer = X509_CRL_get_issuer(crl);
+    issuer = X509_get_issuer_name(cert);
      if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) 
== 0) {
          break;
      }
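Review bot: the new `issuer = X509_get_issuer_name(cert);` no longer depends on the current `crl`, so it is loop-invariant and can be hoisted above the loop instead of being re-evaluated on every iteration. The correction itself is right: the removed line compared `X509_CRL_get_issuer(crl)` with itself, so the first CRL in the stack always matched. Because the match is by issuer name only, confirm that the code after the `break` verifies the selected CRL's signature against the issuer certificate before trusting its revocation entries, and that the case where the loop ends without a `break` (no CRL for this issuer) is handled explicitly.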

Regards,
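An added illustration of the failure mode described in this post, not xmlsec code: a constructed model in which certificates and CRLs are reduced to an issuer name and a list of revoked serial numbers. With two CRLs on the stack, the original comparison always selects the first CRL, so a certificate revoked by the second CA is accepted; the patched comparison selects the issuing CA's CRL and rejects it.

```c
/* Constructed model of the CRL-selection bug (not xmlsec code). */
#include <stddef.h>
#include <string.h>

typedef struct { const char *issuer; long serial; } Cert;
typedef struct { const char *issuer; const long *revoked; size_t nrevoked; } Crl;

/* Returns 1 if the CRL lists the certificate's serial number. */
static int crl_revokes(const Crl *crl, const Cert *cert) {
    for (size_t i = 0; i < crl->nrevoked; i++)
        if (crl->revoked[i] == cert->serial) return 1;
    return 0;
}

/* Original logic: the CRL issuer is compared with itself, so the
 * first CRL on the stack always matches whatever the cert's issuer is. */
static const Crl *select_crl_buggy(const Crl *crls, size_t n, const Cert *cert) {
    (void)cert;
    for (size_t i = 0; i < n; i++) {
        const char *issuer = crls[i].issuer;      /* X509_CRL_get_issuer(crl) */
        if (strcmp(crls[i].issuer, issuer) == 0) return &crls[i];
    }
    return NULL;
}

/* Patched logic: the CRL issuer is compared with the certificate issuer,
 * so only the issuing CA's CRL is consulted. */
static const Crl *select_crl_fixed(const Crl *crls, size_t n, const Cert *cert) {
    const char *issuer = cert->issuer;            /* X509_get_issuer_name(cert) */
    for (size_t i = 0; i < n; i++)
        if (strcmp(crls[i].issuer, issuer) == 0) return &crls[i];
    return NULL;
}

/* Constructed data: CA-B has revoked serial 42; CA-A's CRL is first on the stack. */
static const long revoked_by_b[] = { 42 };
static const Crl crl_stack[] = {
    { "CN=CA-A", NULL, 0 },
    { "CN=CA-B", revoked_by_b, 1 },
};
static const Cert revoked_cert = { "CN=CA-B", 42 };

/* 1 if the certificate is treated as revoked under the given selection logic. */
static int is_revoked(const Crl *(*select)(const Crl *, size_t, const Cert *),
                      const Cert *cert) {
    const Crl *crl = select(crl_stack, 2, cert);
    return crl != NULL && crl_revokes(crl, cert);
}
```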
