Re: Windows doesn't verify digital signature of CRL files

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Windows doesn't verify digital signature of CRL files
From: Thomas Walpuski <thomas-bugtraq@xxxxxxxxxxxx>
Date: Wed, 11 Aug 2004 06:52:34 +0000
In-reply-to: <20040810182507.GA15318@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040809143138.25202.qmail@xxxxxxxxxxxxxxxxxxxxx> <20040810073239.GB5926@xxxxxxxxxxxx> <1479.192.138.31.191.1092154067.squirrel@xxxxxxxxxxxxxx> <20040810182507.GA15318@xxxxxxxxxxx>
User-agent: Mutt/1.3.28i

* Jack Lloyd wrote:
> If Windows is not checking the signature, not only can you remove or alter
> revocations, you can also add ones.

Microsoft's CryptoAPI does check the CRL's signature. It just does not
check it on retrieval, but in the process of verifying certificates.

> Oddly, I couldn't find any language in RFC 3280 that actually requires
> verifying the signature in a CRL. Strange.

RFC 3280, 6.3.3  CRL Processing:

   For each distribution point (DP) in the certificate CRL distribution
   points extension, for each corresponding CRL in the local CRL cache,
   while ((reasons_mask is not all-reasons) and (cert_status is
   UNREVOKED)) perform the following:

   [..]

   (f)  Obtain and validate the certification path for the complete CRL
   issuer.  If a key usage extension is present in the CRL issuer's
   certificate, verify that the cRLSign bit is set.

   (g)  Validate the signature on the complete CRL using the public key
   validated in step (f).

That's almost exactly what Microsoft's CryptoAPI does.

Thomas Walpuski

References:
- Windows doesn't verify digital signature of CRL files
  - From: Faro Poplar
- Re: Windows doesn't verify digital signature of CRL files
  - From: Thomas Walpuski
- Re: Windows doesn't verify digital signature of CRL files
  - From: Neil Gierman
- Re: Windows doesn't verify digital signature of CRL files
  - From: Jack Lloyd

Prev by Date: Re: Windows doesn't verify digital signature of CRL files
Next by Date: BlackICE unprivileged local user attack
Previous by thread: Re: Windows doesn't verify digital signature of CRL files
Next by thread: Re: Windows doesn't verify digital signature of CRL files
Index(es):
- Date
- Thread