[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Problem with validateChkCRL. (Bug?)

To: "CML List (E-mail)" <imc-cml@xxxxxxx>
Subject: RE: Problem with validateChkCRL. (Bug?)
From: "Nicholas, Richard" <Richard.Nicholas@xxxxxxxxxxxxxxxx>
Date: Wed, 11 Jul 2001 08:15:38 -0400
List-archive: <http://www.imc.org/imc-cml/mail-archive/>
List-id: <imc-cml.imc.org>
List-unsubscribe: <mailto:imc-cml-request@imc.org?body=unsubscribe>
Sender: owner-imc-cml@xxxxxxxxxxxx

William,

You are correct, the call to validateChkCRL() is incorrect.  I'm not sure if
a fix for this bug will be incorporated into CML v1.9.2 or not, as its
release is imminent.  In v2.0, this function and the other CRL processing
functions were re-written.

- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@xxxxxxxxxxxxxxxx
(301) 939-2722

> -----Original Message-----
> From: William Adams [mailto:William.Adams@xxxxxxxxxxx]
> Sent: Wednesday, July 11, 2001 4:40 AM
> To: CML List (E-mail)
> Subject: Problem with validateChkCRL. (Bug?)
> 
> 
> 
> I am trying to use CM_RetrieveKey to obtain a public key and 
> validate a
> certificate. I am using a certificate that I know has been 
> revoked, and upon
> calling CM_RequestCRLs and CM_DecodeCRL I can see that the 
> CRL does revoke
> the certificate. However CM_RetrieveKey would always return 
> CM_NO_ERROR.
> 
> I stepped through CM_RetrieveKey to find the problem and it 
> occurred in
> validateChkCRL. The revoked certificate contains a CRL 
> Distribution point
> that points to the CRL. During the call to CMU_Get_DistPts 
> after the CRL(s)
> have been retrieved and the best CRL chosen then the 
> following call is made;
> 
> validateChkCRL	(	sessionID,
> 			cert_type,
> 			my_crl,
> 			new_dist_pts->reasons,
> 			FALSE,
> 			work_cert,
> 			NULL );
> 
> The last parameter passed in to validateChkCRL is the 
> certIssuer. In this
> function there is a check to make sure that the CRL came from 
> the correct
> place by comparing the issuing distribution point of the CRL with the
> certissuer. If the issDistPoint name is of type 
> CM_DIST_PT_FULL_NAME and is
> a CM_X500_NAME then the following code is executed;
> 
> if (genNames->gen_name.flag == CM_X500_NAME)
> {
> 	if (CMU_DNcmp(certIssuer, genNames->gen_name.name.dn) == 0)
> 	{
> 		nameFound = TRUE;
> 		break;
> 	}
> }
> 
> However since NULL was passed in as cert_issuer then this 
> will always fail,
> thus the CRL will be regarded as invalid (returns 
> CMI_DP_CRL_NAME_MISMATCH)
> and not used to check the revocation status of the 
> certificate. To fix this
> I think you would pass in the name of the CRL distribution 
> point on the
> certificate, in this specific case the validateChkCRL call would be;
> 
> validateChkCRL	(	sessionID,
> 			cert_type,
> 			my_crl,
> 			new_dist_pts->reasons,
> 			FALSE,
> 			work_cert,
> 			
> new_dist_pts->dpName.name.full->gen_name.name.dn );
> 
> Obviously you would want to perform some kind of check so 
> that the correct
> dpName.name is passed in depending on dpName.flag. Is this a 
> bug or have I
> misunderstood the processes involved?
> 
> William Adams
> Software Engineer
> Nexor.
> ================
> Tel:  +44 115 9535536
> Fax: +44 115 9520519
> 
> 
>

Prev by Date: Problem with validateChkCRL. (Bug?)
Next by Date: RE: Using cpdlib in MFC applications
Previous by thread: Problem with validateChkCRL. (Bug?)
Next by thread: v1.9.2 Certificate Management Library Now Available
Index(es):
- Date
- Thread