[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
From: hyc@symas.com
Date: Sat, 30 Jan 2010 22:40:25 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

erwann.abalea@keynectis.com wrote:
> Full_Name: Erwann Abalea
> Version: 2.4.17
> OS: Debian/testing
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (217.167.155.1)
>
>
> As indicated in the subject, certificateListValidate() doesn't validate some
> valid CRLs. Those CRLs are valid from X.509 point of view, but do not conform to
> RFC5280 (which is only a profile of the standard).
>
> When no certificate is revoked, the revokedCertificate element SHOULD be
> omitted, instead of being included as an empty SEQUENCE OF SEQUENCE. RFC5280 has
> changed the SHOULD into a MUST, but I don't think this is checked by the
> function. I think it only skips over the next element (in my case, the
> crlExtensions).

Thanks for the report. The code in CVS HEAD has been patched to silently 
accept this case. However, it's worth pointing out that even in X.509(2005):

 >>>>
         If none of the certificates covered by this CRL have been revoked,
it is strongly recommended that
revokedCertificates parameter be omitted from the CRL, rather than being
included with an empty SEQUENCE.
<<<<

Also note that, technically, LDAP is defined to conform to the 1993 edition of 
the X.500 specs, and X.509(1993) makes no such allowance here.

We may consider logging a warning for this case. What software generated this 
CRL? It seems to be defective...

> Here's a real-life CRL:
> certificateRevocationList;binary:: MIIBPTCBpwIBATANBgkqhkiG9w0BAQUFADAkMQswCQY
>   DVQQGEwJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wOTA5MTcxMDEyNTdaFw0xMDA2MjQxMDEy
>   NTdaMACgTTBLMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAoGA1UdFAQDAgECMBwGA
>   1UdEgQVMBOBEWFjLWdpcEBnaXAtY3BzLmZyMA0GCSqGSIb3DQEBBQUAA4GBAByCwHi4fZG95ScpLO
>   2HW+5I1zeodXlbTOCgnbLVLLz0WjXXZpa5ecn2aHpqrc5L70UIKBhrk/LJ8+y03UBtx6z1gdGNL3u
>   +rbVQcMgbKJ5AbLojfyWeS4d6n8TZBlM0Wd5eJ6AlwPKRvNV//QH3vjMPVWeD2XYtwQhBYqEGJrvn
>
> And a real-life deltaCRL:
> deltaRevocationList;binary:: MIIBTjCBuAIBATANBgkqhkiG9w0BAQUFADAkMQswCQYDVQQGE
>   wJGUjEVMBMGA1UEChMMR0lQLUNQUy1URVNUFw0wODEyMjQwMzAwMjNaFw0wODEyMzAwMzAwMjNaMA
>   CgXjBcMB8GA1UdIwQYMBaAFOH6F/gUI8Xen3tJVqLlQphs5EovMAsGA1UdFAQEAgIKAjAOBgNVHRs
>   BAf8EBAICCgEwHAYDVR0SBBUwE4ERYWMtZ2lwQGdpcC1jcHMuZnIwDQYJKoZIhvcNAQEFBQADgYEA
>   gEk/dBR5Vz+RtfBp4hpPaSX1aXFAzx6pZCSBaQ4dFfbXV9HkbPM/2dh32HRDueyhJnXmfn/m5Q9Vo
>   syEzF1MQEDYZV0A5Liu8oiZtY9gfe522pz7+oehZdOyzkLx6nUw6uLLTL62q8lRbDsNbZNsu22sz7
>   dAucnBo63ksdGgdFQ=
>
> You'll see empty SEQUENCEs. Bug probably around line 314 of file schema_init.c,
> but I don't know openldap internals enough to correct it by myself.
>
> Thanks.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#6466) certificateListValidate rejects valid X.509 CRLs (but not RFC-compliant)
Next by Date: Re: (ITS#6464) Buffer overflow
Index(es):
- Chronological
- Thread