RE: having CML problems with CRL validation
All,
Ken is correct that there are two bugs in CML v2.1. Much thanks to Ken
Stillson for finding and reporting those bugs.
The first bug is that the cmlErr variable should have been set to
something other than CM_NO_ERROR prior to entering the loop.
The second bug, the infinite recursion, only showed up when validating
certain paths and was caused by trying to validate the same CRL more
than once in a single path.
Both bugs have been fixed and tested. The v2.1.1 patch containing those
bug fixes (and others) should be available from the CML web site by
tomorrow.
- Rich
---------------------------
Richard E. Nicholas
Principal Secure Systems Engineer
Getronics Government Solutions, LLC
Richard.Nicholas@xxxxxxxxxxxxxxxx
(301) 939-2722
> Hi folks,
>
> I'm busily updating to CML 2.1 in the CAM and DAVE software
> used by various federal relying parties for PKI validation,
> and I've run into a problem validating, and I'm hoping
> someone can help me understand it.
>
> In cmapi\CM_crl.cpp:validateCRL(),
>
> About mid-way through the routine, there's a part that says
> // Try to validate the CRL issuer's certificate(s)
>
> If one looks at the previous few lines of code, you can see
> that this section can only be reached if cmlErr==CM_NO_ERROR,
> because otherwise it would have error-exited above.
>
> However, the for loop just after the comment iterates while:
> (iCert != certList.end()) && (cmlErr != CM_NO_ERROR)
>
> This causes the loop to never execute, because cmlErr==CM_NO_ERROR
>
> However, this means that the side effect of assigning signersKey in
>     cmlErr = iCert->Validate(sessionID, boundsFlag, NULL, &signersKey);
> is never executed.
>
> This causes inevitable failure when one hits
>     // Validate the CRL
>     short valErr = crl.Validate(sessionID, signersKey, &errors);
> a few lines down, and signersKey is uninitialized.
>
> Thus, validation _never_ works for me, and I'm not quite sure
> how it's supposed to work.
>
> (I'm guessing that during testing the early-exit clause
> "// If the cert issuer issued the CRL, just validate the CRL
> and return" was generally utilized. Turns out this doesn't
> fire in the FBCA environment where there are multiple certs
> with different keyID's for most certs, and the chances that
> the one that would pass the
> isIssuer() test is the one being tested is small.)
>
> I tried initializing "cmlErr=99;" just before the for loop,
> just to force it to enter once, but this resulted in infinite
> recursion of calls to the validateCRL() function.
>
> Any ideas?
> Thanks!
>
> - Ken Stillson
>
>
> --
> | Ken Stillson | stillson@xxxxxxxxxxxx |
> | Sr. Principal Engineer | voice: (703) 610-2965 |
> | Mitretek Systems | fax: (703) 610-2399 |
>
>
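The two defects discussed in this thread, reduced to a small model. This is an added example and not CML source: the types, the `sampleStore()` data, the `v21Guard` switch and the choice to reject a repeated CRL with `CRL_LOOP` are all assumptions made for illustration.

```cpp
// Added illustration, not CML source: every type and name here is hypothetical.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

enum Err { OK, BAD_KEY, CRL_LOOP };
struct Cert { std::string key, coveredBy; };   // coveredBy: id of the CRL to check ("" = none)
struct Crl  { std::string signedWith; std::vector<Cert> issuerCerts; };
using Store = std::map<std::string, Crl>;
using Path  = std::set<std::string>;           // CRL ids being validated in the current path

Err validateCrl(const Store&, const std::string&, Path&, bool);

// Validating a cert means validating the CRL that covers it, hence the recursion.
Err validateCert(const Store& s, const Cert& c, Path& inPath, std::string* key) {
    if (!c.coveredBy.empty()) {
        Err e = validateCrl(s, c.coveredBy, inPath, false);
        if (e != OK) return e;
    }
    *key = c.key;                              // side effect the CRL check relies on
    return OK;
}

Err validateCrl(const Store& s, const std::string& id, Path& inPath, bool v21Guard) {
    if (!inPath.insert(id).second) return CRL_LOOP;   // same CRL already in this path
    const Crl& crl = s.at(id);
    std::string signersKey;                           // stays empty if the loop never runs
    Err err = v21Guard ? OK : BAD_KEY;                // OK here reproduces the skipped loop
    for (auto it = crl.issuerCerts.begin(); it != crl.issuerCerts.end() && err != OK; ++it)
        err = validateCert(s, *it, inPath, &signersKey);
    inPath.erase(id);
    if (err != OK) return err;
    return signersKey == crl.signedWith ? OK : BAD_KEY;   // stand-in for the signature check
}

// Constructed data: CRL A is signed by X, X is covered by CRL B, and one of
// B's candidate issuer certs (Y) is covered by CRL A again.
Store sampleStore() {
    return { {"A", Crl{"kX", {Cert{"kX", "B"}}}},
             {"B", Crl{"kZ", {Cert{"kY", "A"}, Cert{"kZ", ""}}}} };
}

int main() {
    Store s = sampleStore();
    Path p1, p2;
    std::cout << "loop skipped: " << validateCrl(s, "A", p1, true)  << "\n";
    std::cout << "loop entered: " << validateCrl(s, "A", p2, false) << "\n";
}
```

Without the `inPath` check, the A, X, B, Y, A chain in the sample data would recurse without end once the loop is actually entered.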