[xmlsec] xmlSecDSigCtxVerify ignores expired CRL

pfx pf.prologue at gmail.com
Tue May 27 23:38:17 PDT 2014


I found a strange behaviour in the management of CRLs (IMHO).

Suppose I use a valid CRL and I verify a signature with a revoked
certificate: xmlSecDSigCtxVerify() succeeds and status ==
xmlSecDSigStatusInvalid. Well, all is fine!
A few days later (the same CRL has expired), I retry the same operation
with the same signature: this time the verification succeeds!

In fact, xmlSecOpenSSLX509VerifyCertAgainstCrls() checks the validity of
If the CRL is out of date, the function returns 1 (not revoked), and the
process of verification is not aborted.

(cf. x509vfy.c/xmlSecOpenSSLX509VerifyCertAgainstCrls)
    /* Check date of CRL to make sure it's not expired */
    ret = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl));
    if (ret == 0) {
        /* crl expired */

I expected a different behavior ...

1/ If I try to use an expired CRL, when I add this CRL,
xmlSecOpenSSLX509StoreAdoptCrl() emits a warning or an error.
(This is a bit drastic.)


2/ If I try to use an expired CRL,
xmlSecOpenSSLX509VerifyCertAgainstCrls() must use this CRL even if the
CRL has expired (a revoked certificate remains a revoked certificate),
and the result of the signature verification will be "invalid".

Your opinion?
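The failure mode described in this mail, modelled as an added example that is not part of the original post and not xmlsec code. It replaces OpenSSL's X509_CRL and X509_cmp_current_time() with a tiny constructed CRL object and a datetime comparison, and contrasts the lenient policy the mail observed (expired CRL skipped, revoked certificate reported as not revoked) with the two alternatives the mail proposes: refusing to adopt an expired CRL, and consulting a stale CRL anyway so a revoked certificate stays revoked. The names, the serials, the dates and the choice to return an explicit error when a stale CRL does not list the certificate are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    VALID = "valid"       # certificate accepted, signature verification continues
    INVALID = "invalid"   # certificate revoked -> xmlSecDSigStatusInvalid in the mail
    ERROR = "error"       # verification aborted (stale or unusable CRL)


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for an X.509 CRL: its nextUpdate and the serials it revokes."""
    next_update: datetime
    revoked_serials: frozenset = field(default_factory=frozenset)

    def is_expired(self, now):
        # Models the quoted xmlsec branch, where X509_cmp_current_time() on
        # nextUpdate signals that the CRL is no longer current.
        return self.next_update <= now


class CrlAdoptError(ValueError):
    """Raised by the strict adopt step (the mail's option 1)."""


def adopt_crl_strict(crl, now):
    """Option 1 from the mail: refuse an expired CRL at load time."""
    if crl.is_expired(now):
        raise CrlAdoptError("CRL nextUpdate is in the past; refusing to adopt it")
    return crl


def verify_lenient(cert_serial, crl, now):
    """Behaviour the mail observed: an expired CRL is skipped entirely,
    so a revoked certificate is reported as not revoked ('return 1')."""
    if crl.is_expired(now):
        return Status.VALID
    if cert_serial in crl.revoked_serials:
        return Status.INVALID
    return Status.VALID


def verify_strict(cert_serial, crl, now):
    """Option 2 from the mail: consult the CRL even when it is stale, so a
    revoked certificate remains revoked.  What to do with an unlisted
    certificate and a stale CRL is not stated in the mail; this example
    chooses ERROR, because a stale CRL cannot prove the certificate is good."""
    if cert_serial in crl.revoked_serials:
        return Status.INVALID
    if crl.is_expired(now):
        return Status.ERROR
    return Status.VALID


# Constructed sample data: a CRL current until 2014-05-20 that revokes one serial.
REVOKED_SERIAL = 0x1234
OTHER_SERIAL = 0x5678
SAMPLE_CRL = Crl(
    next_update=datetime(2014, 5, 20, tzinfo=timezone.utc),
    revoked_serials=frozenset({REVOKED_SERIAL}),
)
BEFORE_EXPIRY = datetime(2014, 5, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2014, 5, 28, tzinfo=timezone.utc)


def replay_scenario():
    """Re-run the mail's experiment: same CRL, same revoked certificate,
    checked before and after nextUpdate, under both policies."""
    return {
        "lenient_before": verify_lenient(REVOKED_SERIAL, SAMPLE_CRL, BEFORE_EXPIRY),
        "lenient_after": verify_lenient(REVOKED_SERIAL, SAMPLE_CRL, AFTER_EXPIRY),
        "strict_before": verify_strict(REVOKED_SERIAL, SAMPLE_CRL, BEFORE_EXPIRY),
        "strict_after": verify_strict(REVOKED_SERIAL, SAMPLE_CRL, AFTER_EXPIRY),
    }


if __name__ == "__main__":
    for name, status in replay_scenario().items():
        print(f"{name}: {status.value}")
    try:
        adopt_crl_strict(SAMPLE_CRL, AFTER_EXPIRY)
    except CrlAdoptError as exc:
        print(f"adopt (option 1): {exc}")
```

The lenient policy is the one to watch for in any verifier: a revoked certificate flips from "invalid" to "valid" the moment the CRL passes nextUpdate, with no error raised, so the only observable symptom is a signature that suddenly starts verifying. Treating a stale CRL as a hard error (or refusing to load it) makes the staleness visible instead of silently weakening the check.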
