[openssl-dev] Fwd: [openssl.org #4615] Cache utility behaving strange with X509_LOOKUP_add_dir

Anirudh Patel via RT rt at openssl.org
Fri Jul 15 05:52:55 UTC 2016


It will be very helpful if you could provide your inputs on this as soon as
possible so that I can move ahead quickly.

Regards,
Anirudh

---------- Forwarded message ----------
From: The default queue via RT <rt at openssl.org>
Date: Thu, Jul 14, 2016 at 4:55 PM
Subject: [openssl.org #4615] AutoReply: Cache utility behaving strange with
X509_LOOKUP_add_dir
To: patel3.anirudh at gmail.com



Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
        "Cache utility behaving strange with X509_LOOKUP_add_dir",
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [openssl.org #4615].

Please include the string:

         [openssl.org #4615]

in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.

                        Thank you,
                        rt at openssl.org

-------------------------------------------------------------------------
Hi,

I have a query related to how these APIs X509_STORE_add_lookup()
and X509_LOOKUP_add_dir() work. Let me give you a brief explanation of what
I am doing:

The purpose was to add a lookup for CRLs.

First, when my server starts and my SSL initializes, I have successfully
created a store to which a lookup has been added for the CRL directory.

   - pLookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
   - X509_LOOKUP_add_dir(pLookup, mCRLPath.c_str(), X509_FILETYPE_PEM)

Example CRL Directory: /var/cert/CRL/
Scenario:
1) When the system starts no CRL files are present in the CRL Directory
2) Client_1 initiates a connection to my server (using openssl s_client)
3) OpenSSL does the lookup of CRLs for the corresponding (Sub) CAs and does
not find anything, thus giving an error in the verify_callback
(UNABLE_TO_GET_CRL). In the application code I have handled these
errors gracefully. The callback is called again for further validation and the
connection is accepted.
*Result: Satisfied*

1) Now, I place two CRLs (Sub CA, Root CA) in the CRL directory (the server was
still up and I did not stop it)
    I have created a crl -hash (issuer hash) and linked them to the CRL pem
certificates.
    *$hash(rootca).r0 -> root_ca.pem*
    *$hash(subca).r0 -> sub_ca.pem*
2) Client_1 again initiates a connection to my server (using openssl
s_client) (client certificate chain is : ID/Sub CA/Root CA)
3) OpenSSL does a lookup of CRLs and does not throw any error. Validation
happened with verify_callback getting invoked 3 times with preverify_ok =
1. The client connection is accepted.
*Result: Satisfied*

1) Now, I removed the above CRL files (Sub CA/Root CA) from the CRL
directory. Based on the manual page these CRLs should now be in the cached
memory of X509_OBJECT.
2) I repeated steps (2) and (3). The connection gets accepted from the client.
Everything still works fine because OpenSSL maintained the CRL files in its
cache and found them during the lookup.
*Result: Satisfied*

Now from here the problem starts:
=========================
1) My Sub_CA revoked Client_1 certificate (since Sub_CA was the issuing CA
in the first place)
2) I recreated Sub_CA CRL and placed it in the CRL Directory.
3) Created the hash and linked it as follows:
    *$hash(sub_ca).r1* -> sub_ca.pem  (hoping that OpenSSL still has
$hash(sub_ca).r0 in its cache, since above we have seen that the lookup
worked even when I removed the CRL files from the CRL Directory)
4) Client_1 initiates a connection to my server and gets accepted
successfully ==== Should Not Have Happened
Based on the manual page for *X509_LOOKUP_hash_dir*
(https://www.openssl.org/docs/manmaster/crypto/X509_LOOKUP_file.html):

> When checking for new CRLs once one CRL for given hash value is loaded,
> hash_dir lookup method checks only for certificates with sequence number
> greater than that of the already cached CRL.

Since the sequence number has changed from r0 to r1 for the same issuer
(sub_ca in my case), OpenSSL should have done a lookup and, based on the
latest sequence number, should have given me an error stating the client
certificate has been revoked.

Just to let you know, I have tested revoked certificates with the CRL and
it works fine. So no problem with that.
The OpenSSL version I am using is *OpenSSL 1.0.1e-fips 11 Feb 2013*

Eagerly awaiting your response. Need to implement CRL functionality ASAP
and hoping to get all the help from you guys.

Regards,
Anirudh


-------------------------------------------------------------------------
http://rt.openssl.org/Ticket/Display.html?id=4615&user=guest&pass=guest

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4615
Please log in as guest with password guest if prompted
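The hash_dir sequence-number contract quoted in the report, modelled in Python as an added illustration (this is not OpenSSL's by_dir.c, and the issuer hash and CRL file contents are constructed placeholders): consecutive .rN suffixes starting at 0, no gaps, and on later lookups only suffixes above the cached one are checked. The last step replays the same directory from a freshly started process.

```python
import os
import tempfile

# Model of the hash_dir CRL lookup as the OpenSSL manual describes it (an added
# illustration, not OpenSSL's own by_dir.c): CRL files are named <issuerhash>.r<N>,
# N counts consecutively from 0, gaps are not supported (the scan stops at the
# first missing number), and once a CRL for a hash has been cached only higher
# sequence numbers are checked on later lookups.
class HashDirCRLLookup:
    def __init__(self, directory):
        self.directory = directory
        self.crls = {}          # issuer hash -> {suffix: file contents}
        self.next_suffix = {}   # issuer hash -> first suffix not yet loaded

    def _scan(self, issuer_hash):
        k = self.next_suffix.get(issuer_hash, 0)
        while True:
            path = os.path.join(self.directory, "%s.r%d" % (issuer_hash, k))
            if not os.path.exists(path):    # first gap ends the scan
                break
            with open(path) as fh:          # cached; never re-read from disk
                self.crls.setdefault(issuer_hash, {})[k] = fh.read()
            k += 1
        self.next_suffix[issuer_hash] = k

    def newest_crl(self, issuer_hash):
        """Pick up any new files, then return the highest-numbered cached CRL."""
        self._scan(issuer_hash)
        cached = self.crls.get(issuer_hash)
        return cached[max(cached)] if cached else None


def demo():
    """Replay the report's directory changes with constructed placeholder files."""
    h = "1a2b3c4d"                                  # constructed issuer hash
    with tempfile.TemporaryDirectory() as d:
        def put(k, text):
            with open(os.path.join(d, "%s.r%d" % (h, k)), "w") as fh:
                fh.write(text)
        lookup = HashDirCRLLookup(d)
        seen = [lookup.newest_crl(h)]               # empty directory: None
        put(0, "CRL-r0 (nothing revoked)")
        seen.append(lookup.newest_crl(h))           # r0 loaded and cached
        os.remove(os.path.join(d, "%s.r0" % h))
        seen.append(lookup.newest_crl(h))           # still served from the cache
        put(1, "CRL-r1 (client revoked)")
        seen.append(lookup.newest_crl(h))           # r1 follows cached r0: picked up
        seen.append(HashDirCRLLookup(d).newest_crl(h))  # cold start: r0 gap, r1 unseen
    return seen
```

For real files the issuer hash comes from `openssl crl -hash -noout -in <crl>`, as the report does; whether a particular release restarts the scan exactly where this model does is something to confirm against that release's own by_dir.c.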


