[openssl-dev] Possible deficiency verifying with indirect crl

[weber at infotech.de]

Dear openssl developers,

using the older version 1.0.2d we recently stumbled upon a possible 
deficiency in verifying a cert using an indirect crl.
We went through the scoring code and found the CRL_SCORE_AKID flag unset 
although the crl issuers cert contained a skid.
Snippet
In the source x509_vfy.c, at the end of function crl_akid_check the 
possible crl_issuer is being looked up from the untrusted certs stack. 
But the untrusted certs aren't guaranteed to have the extensions cached. 
So in our case the crl_issuer->skid was empty causing the function 
X509_check_akid to return X509_V_ERR_AKID_SKID_MISMATCH.

Inserting a X509_check_purpose(crl_issuer, -1, 0); just before the call 
fixed this issue.

We compared the source against the latest version 1.0.2g and found no 
changes regarding this behavior.

Please consider applying following patch
+++ openssl-1.0.2d/crypto/x509/x509_vfy.c    2015-07-09 13:57 +0200
@@ -1234,6 +1234,7 @@ (excluded from the next commit)
          crl_issuer = sk_X509_value(ctx->untrusted, i);
          if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
              continue;
+        X509_check_purpose(crl_issuer, -1, 0);
          if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
              *pissuer = crl_issuer;
              *pcrl_score |= CRL_SCORE_AKID;

BTW: We didn't check if the certs taken from the chain happen to have 
extension values cached (about 30 lines up).

Thanks in advance
--
Christian Weber
Snippet