Bug 562542: An invalid CRL should not cause all certificates issued by that CA to be considered revoked
author: wtc%google.com
Thu, 20 May 2010 22:29:10 +0000
changeset 9659 4acc9dd111f6aeccaf36436a5e5fba6edb70b69e
parent 9657 c59fddf5137217d459da88d1304542054d8ea651
child 9660 abd68f7d161aed86dbf80a967ce746477bc99837
push idunknown
push userunknown
push dateunknown
bugs562542
Bug 562542: An invalid CRL should not cause all certificates issued by that CA to be considered revoked. Report the unknown status instead. r=nelson,rrelyea. Modified Files: certi.h crl.c
security/nss/lib/certdb/certi.h
security/nss/lib/certdb/crl.c
--- a/security/nss/lib/certdb/certi.h
+++ b/security/nss/lib/certdb/certi.h
@@ -173,19 +173,19 @@ struct CRLDPCacheStr {
 #if 0
     /* for future use */
     PRInt32 numdeltas;      /* number of delta CRLs used for the cache */
     CachedCrl** deltas;     /* delta CRLs used for the cache */
 #endif
     /* cache invalidity bitflag */
     PRUint16 invalid;       /* this state will be set if either
              CRL_CACHE_INVALID_CRLS or CRL_CACHE_LAST_FETCH_FAILED is set.
-             In those cases, all certs are considered revoked as a
-             security precaution. The invalid state can only be cleared
-             during an update if all error states are cleared */
+             In those cases, all certs are considered to have unknown status.
+             The invalid state can only be cleared during an update if all
+             error states are cleared */
     PRBool refresh;        /* manual refresh from tokens has been forced */
     PRBool mustchoose;     /* trigger reselection algorithm, for case when
                               RAM CRL objects are dropped from the cache */
     PRTime lastfetch;      /* time a CRL token fetch was last performed */
     PRTime lastcheck;      /* time CRL token objects were last checked for
                               existence */
 };
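Review bot: The rewritten comment on `invalid` says all certs are "considered to have unknown status" but no longer states who is responsible for turning that into a pass/fail decision, so the fail-closed guarantee the old text documented disappears from the header without a replacement contract. Since the cache itself no longer treats a bad CRL or a failed fetch as revocation, whether unknown is fatal is now a choice of the caller's revocation policy, and CRLDPCacheStr is where a maintainer will look for that expectation. I would extend the comment with `Callers that need fail-closed behaviour must treat the resulting unknown status (and the SEC_ERROR_CRL_INVALID set on lookup) as a verification failure in their own revocation policy.` The struct definition begins before this hunk.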
 
--- a/security/nss/lib/certdb/crl.c
+++ b/security/nss/lib/certdb/crl.c
@@ -1634,18 +1634,18 @@ static SECStatus CERT_VerifyCRL(
 
 /* verify a CRL and update cache state */
 static SECStatus CachedCrl_Verify(CRLDPCache* cache, CachedCrl* crlobject,
                           PRTime vfdate, void* wincx)
 {
     /*  Check if it is an invalid CRL
         if we got a bad CRL, we want to cache it in order to avoid
         subsequent fetches of this same identical bad CRL. We set
-        the cache to the invalid state to ensure that all certs
-        on this DP are considered revoked from now on. The cache
+        the cache to the invalid state to ensure that all certs on this
+        DP are considered to have unknown status from now on. The cache
         object will remain in this state until the bad CRL object
         is removed from the token it was fetched from. If the cause
         of the failure is that we didn't have the issuer cert to
         verify the signature, this state can be cleared when
         the issuer certificate becomes available if that causes the
         signature to verify */
 
     if (!cache || !crlobject)
@@ -1821,18 +1821,17 @@ dpcacheStatus DPCache_Lookup(CRLDPCache*
     {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         /* no cache or SN to look up, or no way to return entry */
         return dpcacheCallerError;
     }
     *returned = NULL;
     if (0 != cache->invalid)
     {
-        /* the cache contains a bad CRL, or there was a CRL fetching error.
-           consider all certs revoked as a security measure */
+        /* the cache contains a bad CRL, or there was a CRL fetching error. */
         PORT_SetError(SEC_ERROR_CRL_INVALID);
         return dpcacheInvalidCacheError;
     }
     if (!cache->selected)
     {
         /* no CRL means no entry to return. This is OK, except for
          * NIST policy */
         return dpcacheEmpty;
@@ -2789,22 +2788,19 @@ cert_CheckCertRevocationStatus(CERTCerti
             status = certRevocationStatusUnknown;
             break;
 
         case dpcacheNoEntry:
             status = certRevocationStatusValid;
             break;
 
         case dpcacheInvalidCacheError:
-            /* t of zero may have caused the CRL cache to fail to verify
-             * a CRL. treat it as unknown */
-            if (!t)
-            {
-                status = certRevocationStatusUnknown;
-            }
+            /* treat it as unknown and let the caller decide based on
+               the policy */
+            status = certRevocationStatusUnknown;
             break;
 
         default:
             /* leave status as revoked */
             break;
     }
 
     ReleaseDPCache(dpcache, lockedwrite);
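Review bot: The new `dpcacheInvalidCacheError` arm makes a corrupt or unfetchable CRL yield certRevocationStatusUnknown unconditionally, and the one-line comment does not say how a caller can still tell this apart from an ordinary "no CRL available" unknown, which is the only hook a strict policy has for failing closed. From the DPCache_Lookup hunk above, SEC_ERROR_CRL_INVALID is set immediately before that return, so the distinction survives in PORT_GetError() provided nothing between the lookup and this switch resets it; that is worth stating here, because the previous fail-closed default is gone and the security posture now rests on callers noticing the error code. I would expand the comment to `/* A bad or unfetchable CRL is no longer treated as revocation. Report unknown; the SEC_ERROR_CRL_INVALID set by DPCache_Lookup is left in place so a caller's revocation policy can still fail closed on it. */`. The removed `if (!t)` special case is subsumed by the unconditional assignment, so dropping the t-of-zero remark is correct. cert_CheckCertRevocationStatus starts and ends outside this hunk.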