[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
having CML problems with CRL validation
Hi folks,
I'm busily updating to CML 2.1 in the CAM and DAVE software used by
various federal relying parties for PKI validation, and I've run into a
problem validating, and I'm hoping someone can help me understand it.
In cmapi\CM_crl.cpp:validateCRL(),
About mid-way through the routine, there's a part that says
// Try to validate the CRL issuer's certificate(s)
If one looks at the previous few lines of code, you can see that this
section can only be reached if cmlErr==CM_NO_ERROR, because otherwise it
would have error-exited above.
However, the for loop just after the comment iterates while:
(iCert != certList.end()) && (cmlErr != CM_NO_ERROR)
This causes the loop to never execute, because cmlErr==CM_NO_ERROR
However, this means that the side effect of assigning signersKey in
cmlErr = iCert->Validate(sessionID, boundsFlag, NULL, &signersKey);
is never executed.
This causes inevitable failure when one hits
// Validate the CRL
short valErr = crl.Validate(sessionID, signersKey, &errors);
a few lines down, and signersKey is uninitialized.
Thus, validation _never_ works for me, and I'm not quite sure how it's
supposed to work.
(I'm guessing that during testing the early-exit clause
"// If the cert issuer issued the CRL, just validate the CRL and return"
was generally utilized. Turns out this doesn't fire in the FBCA
environment where there are multiple certs with different keyID's for
most certs, and the chances that the one that would pass the
isIssuer() test is the one being tested is small.)
I tried initializing "cmlErr=99;" just before the for loop, just to force
it to enter once, but this resulted in infinite recursion of calls to the
validateCRL() function.
Any ideas?
Thanks!
- Ken Stillson
--
| Ken Stillson | stillson@xxxxxxxxxxxx |
| Sr. Principal Engineer | voice: (703) 610-2965 |
| Mitretek Systems | fax: (703) 610-2399 |