From: "Machin, Glenn D" <GMachin@sandia.gov>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: Bug in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c function load_cas_and_crls
Date: Fri, 4 Dec 2015 13:45:08 +0000
DOE PIV certificates have 2 signing CAs that have the same subject name but different X509v3 Subject Key Identifiers.
Their CRL distribution links are:
Their corresponding CRLs have issuer names and Authority Key Identifiers of:

/C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
Hash file 99b3b749.r0

X509v3 Authority Key Identifier:
                keyid:D3:CE:E7:5B:89:A7:CD:6C:91:C6:67:36:A9:58:72:09:EC:E2:39:F3


The newer badges have an issuing CA with the same name but a different X509v3 Authority Key Identifier:

/C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
Hash file 99b3b749.r0

X509v3 Authority Key Identifier:
                keyid:55:B4:6C:33:3F:E3:60:1A:A7:FF:C3:ED:B4:F7:E4:04:DA:29:D0:63



The code below will not allow both CRLs to be loaded because X509_CRL_cmp only compares issuer names and not both issuer name and Authority Key Identifier.
This causes pkinit certificate verification (X509_verify_cert) to fail with the code X509_V_ERR_UNABLE_TO_GET_CRL.

Eliminating the code and just calling "sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));" fixes the problem.
A better fix would be to compare issuer name and Authority Key Identifier, but I could not find an OpenSSL call that did that.


In pkinit_crypto_openssl.c function load_cas_and_crls()


            for (j = 0; j < size; j++) {
                X509_CRL *x = sk_X509_CRL_value(ca_crls, j);
                /* X509_CRL_cmp() compares issuer names only, so the second
                 * Entrust CRL matches the first even though its AKID differs. */
                flag = X509_CRL_cmp(x, xi->crl);
                if (flag == 0)
                    break;
                else
                    continue;
            }
            /* Pushed only when no CRL with the same issuer name is already loaded. */
            if (flag != 0) {
                pkiDebug("%s: pushing xi->crl onto ca_crl\n", __FUNCTION__);
                sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));
            }
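The following is an added illustration, not krb5 or OpenSSL code. It models the de-duplication loop above with plain C structs so that it builds without libcrypto, and runs it twice over the two CRLs from the report: once with an issuer-only comparison (what X509_CRL_cmp does) and once comparing issuer name plus the Authority Key Identifier keyid. The issuer DN and both keyids are the values quoted in the report; the types crl_t and crl_stack_t and all function names are illustrative.

```c
/*
 * Added illustration, not krb5 or OpenSSL code: models the CRL de-duplication
 * loop from load_cas_and_crls() with plain C structs so it builds without
 * libcrypto. The issuer DN and the two keyids are the values quoted in the
 * report; crl_t, crl_stack_t and the function names are illustrative.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEYID_LEN 20   /* both AKIDs in the report are 20-byte keyids */
#define MAX_CRLS  8

typedef struct {
    const char   *issuer;           /* issuer DN, rendered as a one-line string */
    unsigned char akid[KEYID_LEN];  /* Authority Key Identifier keyid */
} crl_t;

typedef struct {
    crl_t  items[MAX_CRLS];
    size_t n;
} crl_stack_t;

typedef int (*crl_cmp_fn)(const crl_t *, const crl_t *);

/* What X509_CRL_cmp() does: issuer name only, so both Entrust CRLs compare equal. */
static int crl_cmp_issuer_only(const crl_t *a, const crl_t *b)
{
    return strcmp(a->issuer, b->issuer);
}

/* Issuer name first, then the AKID keyid, so CRLs from same-named CAs stay distinct. */
static int crl_cmp_issuer_and_akid(const crl_t *a, const crl_t *b)
{
    int r = strcmp(a->issuer, b->issuer);
    if (r != 0)
        return r;
    return memcmp(a->akid, b->akid, KEYID_LEN);
}

/*
 * Same shape as the loop in the report: scan the stack and push only if no
 * entry compares equal. Returns 1 if pushed, 0 if a duplicate was found,
 * -1 if the stack is full.
 */
static int push_unique(crl_stack_t *st, const crl_t *crl, crl_cmp_fn cmp)
{
    size_t j;
    for (j = 0; j < st->n; j++) {
        if (cmp(&st->items[j], crl) == 0)
            return 0;
    }
    if (st->n >= MAX_CRLS)
        return -1;
    st->items[st->n++] = *crl;
    return 1;
}

static const char ENTRUST_DN[] =
    "/C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA";

/* CRL for the older issuing CA (keyid D3:CE:...:39:F3 from the report). */
static const crl_t CRL_OLDER_CA = { ENTRUST_DN,
    { 0xD3,0xCE,0xE7,0x5B,0x89,0xA7,0xCD,0x6C,0x91,0xC6,
      0x67,0x36,0xA9,0x58,0x72,0x09,0xEC,0xE2,0x39,0xF3 } };

/* CRL for the newer issuing CA (keyid 55:B4:...:D0:63 from the report). */
static const crl_t CRL_NEWER_CA = { ENTRUST_DN,
    { 0x55,0xB4,0x6C,0x33,0x3F,0xE3,0x60,0x1A,0xA7,0xFF,
      0xC3,0xED,0xB4,0xF7,0xE4,0x04,0xDA,0x29,0xD0,0x63 } };

/* Load both CRLs under the given comparator; return how many end up in the stack. */
static size_t load_both_crls(crl_cmp_fn cmp)
{
    crl_stack_t st;
    st.n = 0;
    push_unique(&st, &CRL_OLDER_CA, cmp);
    push_unique(&st, &CRL_NEWER_CA, cmp);
    return st.n;
}

int main(void)
{
    printf("issuer-only compare : %zu CRL(s) loaded\n",
           load_both_crls(crl_cmp_issuer_only));     /* 1: newer CRL dropped */
    printf("issuer+AKID compare : %zu CRL(s) loaded\n",
           load_both_crls(crl_cmp_issuer_and_akid)); /* 2: both kept */
    return 0;
}
```

With the issuer-only comparator the second CRL is treated as a duplicate and dropped, which is the X509_V_ERR_UNABLE_TO_GET_CRL path described above; with the issuer-plus-keyid comparator both are retained. Against real OpenSSL objects the same comparison can be built from X509_NAME_cmp() on X509_CRL_get_issuer() together with X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL), which returns an AUTHORITY_KEYID whose keyid member is an ASN1_OCTET_STRING comparable with ASN1_OCTET_STRING_cmp() (and must be released with AUTHORITY_KEYID_free()); a CRL with no AKID extension returns NULL there and needs to be handled as its own case.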

