[xmlsec] xmlSecDSigCtxVerify ignores multiples CRL

pfx pf.prologue at gmail.com
Fri May 23 00:42:23 PDT 2014


I tried your patch (under Windows) from master. It works!

... and the next question is: when do you release a new version of xmlsec?

Patrick,

On 22/05/2014 17:51, Aleksey Sanin wrote:
> Good catch! The original code makes no sense (compares the same values).
>
> I applied your patch, just moved the X509_get_issuer_name() call
> outside of the loop since it is not changing anyway. The change is
> pushed to master. Could you please try it out?
>
>
> Thanks for the bug report and the patch!
>
> Aleksey
>
> On 5/22/14, 12:34 AM, pfx wrote:
>> Hello,
>>
>> xmlSecDSigCtxVerify() uses a stack of CRLs to ignore revoked certificates.
>> For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by
>> xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.
>>
>> In this routine, the first loop tries to find the CRL that matches the
>> certificate (same issuer):
>>      issuer = X509_CRL_get_issuer(crl);
>>      if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
>> == 0) {
>> but this expression is always true and
>> xmlSecOpenSSLX509VerifyCertAgainstCrls always uses the first CRL.
>>
>> A possible patch: compare the CRL issuer against the certificate issuer, as below.
>>
>> diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb'
>> temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c
>> temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c
>> --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c    2009-09-12
>> 22:08:31.000000000 +0200
>> +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21
>> 19:46:17.193896800 +0200
>> @@ -967,7 +967,7 @@
>>           continue;
>>       }
>>
>> -    issuer = X509_CRL_get_issuer(crl);
>> +    issuer = X509_get_issuer_name(cert);
>>       if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer)
>> == 0) {
>>           break;
>>       }
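
Review bot: The added issuer = X509_get_issuer_name(cert); line sits inside the loop (the context lines show continue and break), so the certificate issuer is fetched again on every iteration; if cert is not reassigned in the loop body, move the assignment above the loop and do it once. A regression test with a stack of two CRLs from different issuers, where the certificate's issuer matches the second CRL, would catch the original self-comparison and is worth adding with the fix.
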
>>
>> Regards,
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
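
The CRL lookup bug discussed in this thread, reduced to a self-contained C model (an added example, not xmlsec code and not part of the original messages). cert_t, crl_t, names_compare and the find_crl_* functions are hypothetical stand-ins for the OpenSSL types and xmlSecOpenSSLX509NamesCompare(); treating "no matching CRL" as not revoked is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for X509 and X509_CRL (hypothetical types, not xmlsec's). */
typedef struct { const char *issuer; long serial; } cert_t;
typedef struct { const char *issuer; const long *revoked; size_t n; } crl_t;

/* Stand-in for xmlSecOpenSSLX509NamesCompare(): 0 means the names are equal. */
static int names_compare(const char *a, const char *b) { return strcmp(a, b); }

/* Pre-patch lookup: CRL issuer compared with itself, so the first CRL always wins. */
static const crl_t *find_crl_before(const crl_t *crls, size_t n, const cert_t *cert) {
    (void)cert; /* the certificate never takes part in the comparison */
    for (size_t i = 0; i < n; i++) {
        const char *issuer = crls[i].issuer;
        if (names_compare(crls[i].issuer, issuer) == 0) return &crls[i];
    }
    return NULL;
}

/* Patched lookup: certificate issuer read once, then compared with each CRL issuer. */
static const crl_t *find_crl_after(const crl_t *crls, size_t n, const cert_t *cert) {
    const char *issuer = cert->issuer;
    for (size_t i = 0; i < n; i++)
        if (names_compare(crls[i].issuer, issuer) == 0) return &crls[i];
    return NULL;
}

/* 1 if the serial is listed in the selected CRL, else 0 (assumption: no CRL means 0). */
static int is_revoked(const crl_t *crl, const cert_t *cert) {
    if (crl == NULL) return 0;
    for (size_t i = 0; i < crl->n; i++)
        if (crl->revoked[i] == cert->serial) return 1;
    return 0;
}

/* Constructed sample data: two CAs with one CRL each; serial 7 of CA-B is revoked. */
static const long revoked_a[] = { 100, 101 };
static const long revoked_b[] = { 7 };
static const crl_t crl_stack[] = { { "CN=CA-A", revoked_a, 2 }, { "CN=CA-B", revoked_b, 1 } };
static const cert_t cert_b7 = { "CN=CA-B", 7 };

int revoked_before_patch(void) { return is_revoked(find_crl_before(crl_stack, 2, &cert_b7), &cert_b7); }
int revoked_after_patch(void)  { return is_revoked(find_crl_after(crl_stack, 2, &cert_b7), &cert_b7); }

int main(void) {
    printf("before patch: revoked=%d\n", revoked_before_patch());
    printf("after patch:  revoked=%d\n", revoked_after_patch());
    return 0;
}
```

With the CA-B CRL second in the stack, the pre-patch lookup checks the CA-B certificate against the CA-A CRL and misses the revocation; the patched lookup selects the CA-B CRL.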


