[36063] in bugtraq
Re: Windows doesn't verify digital signature of CRL files
daemon@ATHENA.MIT.EDU (Neil Gierman)
Tue Aug 10 12:47:35 2004
Message-ID: <1479.192.138.31.191.1092154067.squirrel@192.138.31.191>
In-Reply-To: <20040810073239.GB5926@unproved.org>
Date: Tue, 10 Aug 2004 11:07:47 -0500 (CDT)
From: "Neil Gierman" <ngierman@roadrunn.com>
To: "Thomas Walpuski" <thomas-bugtraq@unproved.org>
Cc: "Faro Poplar" <faropoplar@yahoo.com>, bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Correct me if I am wrong but I understood that certificate validation was
processed by the information in the certificate to be validated (CDP or
AIA extension). If the CDP location contains a valid CRL URL and that CA's
CRL is not already in cache, then the CRL is retreived from that CDP URL
in the certificate. If a person was able to inject a modified CRL into
that CDP URL, or redirect the client machine to an alternate server for
LDAP/HTTP CRL download, and CAPI is not validating signatures on CRL's
then a person could use a revoked certificate for access to systems among
other things.
While this may not be a bug I think it would be a wise security practice
to validate a signature if it is there.
Neil
> * Faro Poplar wrote:
>> Has anyone noticed that Windows doesn't verify the digital signature
>> of CRL files (*.crl).
>
> Yes, I noticed that about 2 years ago. IMO this is no security issue.
> CRLs are retrieved from the certificate store via CertGetCRLFromStore.
> Sane use of CertGetCRLFromStore makes sure only properly signed CRLs are
> used (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
> seccrypto/security/certverifycrlrevocation.asp).
>
> Thomas Walpuski
>
