
Fix CRL distribution point scope check logic in crl_crldp_check#3106

Merged
samuel40791765 merged 1 commit into aws:fips-2024-09-27 from samuel40791765:fix-crl-fips-3
Mar 19, 2026

Conversation

@samuel40791765 (Contributor)

Commit authored by @nebeid.

Description of changes:

A logic error in crl_crldp_check() (crypto/x509/x509_vfy.c) prevents CRL distribution point matching from ever running for normal certificates. When a CRL has an Issuing Distribution Point (IDP) extension, the CRL is incorrectly considered out of scope and a revoked certificate escapes detection.

Three bugs in one condition:

  1. && should be || — the comment says skip DPs with reasons OR CRLissuer, but the code only triggers when BOTH are present.
  2. return 1 should be continue — when the condition matches, the code declares the CRL in scope instead of skipping the DP.
  3. idp_check_dp is in the wrong branch — it only runs for DPs with reasons+CRLissuer, never for normal clean DPs.

Fix

Took upstream commit 5386d90.

Testing

Two test scenarios added in crypto/x509/x509_test.cc:

Scenario 1: Cert with a single clean CRLDP + CRL with matching IDP

Leaf has a clean CRLDP (distpoint URI only, no reasons, no CRLissuer). CRL has a matching IDP and revokes the leaf's serial.

  • Before fix: idp_check_dp is never called for clean DPs → CRL is out-of-scope.
  • After fix: idp_check_dp matches the distpoints → CRL in scope → CERT_REVOKED.

Scenario 2: Cert with two DPs + two CRLs

Leaf has two distribution points:

  • DP1: distpoint matching CRL-B IDP + reasons + CRLissuer (should be skipped)
  • DP2: clean distpoint (matches the revoking CRL-A)

CRL-A (matching IDP) revokes the leaf. CRL-B (other IDP) has no revocations.

  • Before fix:
    • DP1 has reasons+CRLissuer so the && condition is true. idp_check_dp matches DP1 against CRL-B → return 1 → CRL-B is in scope → no revocations → cert appears valid.
    • DP2 never gets checked against CRL-A; it's skipped both by the && check and by the fallback because it has an IDP.
  • After fix:
    • DP1 is skipped (|| catches reasons).
    • DP2 matches CRL-A via idp_check_dp → CERT_REVOKED.

PoC output without fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 44 (Different CRL scope)
 FAIL: Expected CERT_REVOKED (23), got 44

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 0 (ok)
 FAIL: Expected CERT_REVOKED (23), got 0

PoC output with fix:

Scenario 1: Cert with clean CRLDP (distpoint only) + CRL with matching IDP
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

Scenario 2: Cert with two DPs (reasons+CRLissuer DP and clean DP) + two CRLs
 Result: 23 (certificate revoked)
 PASS: Revoked cert correctly detected

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
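
The scope-check logic the description walks through, as an added illustrative C model that is not AWS-LC's code and not part of this PR. The `struct dp` and `struct crl` types, the string-compare `idp_check_dp` stand-in, the simplified "no IDP means issuer-wide" fallback, and the first-in-scope-CRL-decides driver in `check_revocation` are assumptions made for the example; the `crldp_in_scope_buggy` function is modelled on the three listed bugs rather than copied from the source, and only the status code values (0, 23, 44) mirror the PoC output above. Both scenarios from the Testing section are reconstructed with constructed URIs so the model reproduces the before/after results.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only: these are not AWS-LC's DIST_POINT / X509_CRL types. */
struct dp {
    const char *distpoint;    /* distributionPoint name (a URI here) */
    bool has_reasons;         /* DP carries a reasons bitfield */
    bool has_crlissuer;       /* DP carries a cRLIssuer */
};

struct crl {
    const char *idp_distpoint; /* IDP distributionPoint, NULL if the CRL has no IDP */
    bool revokes_leaf;         /* constructed: whether the leaf's serial is listed */
};

/* Status codes with the same values the PR's PoC output reports. */
enum { V_OK = 0, V_CERT_REVOKED = 23, V_DIFFERENT_CRL_SCOPE = 44 };

/* Stand-in for idp_check_dp: a DP and an IDP match when their names are equal. */
static bool idp_check_dp(const char *dp_name, const char *idp_name) {
    return dp_name && idp_name && strcmp(dp_name, idp_name) == 0;
}

/* Scope check modelled on the three bugs the PR lists: the skip test uses &&,
 * a "match" returns 1 instead of skipping the DP, and idp_check_dp only runs
 * for DPs that carry both reasons and cRLIssuer. */
static int crldp_in_scope_buggy(const struct dp *dps, size_t n, const struct crl *crl) {
    for (size_t i = 0; i < n; i++) {
        if (dps[i].has_reasons && dps[i].has_crlissuer &&
            (crl->idp_distpoint == NULL ||
             idp_check_dp(dps[i].distpoint, crl->idp_distpoint))) {
            return 1;   /* wrong branch: declares the CRL in scope */
        }
    }
    /* Fallback (simplified assumption): a CRL with no IDP covers the whole issuer. */
    return crl->idp_distpoint == NULL;
}

/* Corrected logic as the PR describes it: skip DPs with reasons OR cRLIssuer,
 * then match every remaining clean DP against the CRL's IDP. */
static int crldp_in_scope_fixed(const struct dp *dps, size_t n, const struct crl *crl) {
    for (size_t i = 0; i < n; i++) {
        if (dps[i].has_reasons || dps[i].has_crlissuer) {
            continue;   /* unsupported DP shape; try the next one */
        }
        if (crl->idp_distpoint == NULL ||
            idp_check_dp(dps[i].distpoint, crl->idp_distpoint)) {
            return 1;
        }
    }
    return crl->idp_distpoint == NULL;
}

/* Simplified verifier (assumption): the first in-scope CRL decides the leaf's
 * status; no CRL in scope yields "different CRL scope", as in the PoC output. */
static int check_revocation(const struct dp *dps, size_t n,
                            const struct crl *crls, size_t ncrls, bool buggy) {
    for (size_t i = 0; i < ncrls; i++) {
        int in_scope = buggy ? crldp_in_scope_buggy(dps, n, &crls[i])
                             : crldp_in_scope_fixed(dps, n, &crls[i]);
        if (in_scope) {
            return crls[i].revokes_leaf ? V_CERT_REVOKED : V_OK;
        }
    }
    return V_DIFFERENT_CRL_SCOPE;
}

/* Scenario 1: one clean CRLDP, one CRL with a matching IDP that revokes the leaf. */
int scenario1(bool buggy) {
    const struct dp dps[] = {{"http://crl.example/a.crl", false, false}};
    const struct crl crls[] = {{"http://crl.example/a.crl", true}};
    return check_revocation(dps, 1, crls, 1, buggy);
}

/* Scenario 2: DP1 (reasons + cRLIssuer) points at CRL-B, DP2 (clean) at CRL-A;
 * CRL-A revokes the leaf, CRL-B lists nothing. */
int scenario2(bool buggy) {
    const struct dp dps[] = {
        {"http://crl.example/b.crl", true, true},   /* DP1: should be skipped */
        {"http://crl.example/a.crl", false, false}, /* DP2: clean */
    };
    const struct crl crls[] = {
        {"http://crl.example/a.crl", true},  /* CRL-A */
        {"http://crl.example/b.crl", false}, /* CRL-B */
    };
    return check_revocation(dps, 2, crls, 2, buggy);
}

int main(void) {
    printf("scenario 1: buggy=%d fixed=%d\n", scenario1(true), scenario1(false));
    printf("scenario 2: buggy=%d fixed=%d\n", scenario2(true), scenario2(false));
    return 0;
}
```

Running the model reproduces the table in the description: with the buggy check, scenario 1 returns 44 because the clean DP is never compared against the IDP and the fallback rejects any CRL that has one, and scenario 2 returns 0 because DP1 puts the non-revoking CRL-B in scope first; with the corrected check both scenarios return 23. The model deliberately keeps the second bug visible: `continue` versus `return 1` is what stops a reasons/cRLIssuer DP from vouching for a CRL that a later clean DP would have rejected.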

@samuel40791765 samuel40791765 merged commit 83d8582 into aws:fips-2024-09-27 Mar 19, 2026
56 of 119 checks passed
@samuel40791765 samuel40791765 deleted the fix-crl-fips-3 branch March 19, 2026 16:03
