Skip to content

UPSTREAM PR #30945: Fix CRL issuer lookup for partial chains#681

Open
loci-dev wants to merge 1 commit into
mainfrom
loci/pr-30945-fix-30932-partial-chain-crl
Open

UPSTREAM PR #30945: Fix CRL issuer lookup for partial chains#681
loci-dev wants to merge 1 commit into
mainfrom
loci/pr-30945-fix-30932-partial-chain-crl

Conversation

@loci-dev
Copy link
Copy Markdown

@loci-dev loci-dev commented Apr 23, 2026

Note

Source pull request: openssl/openssl#30945

Fixes #30932

When X509_V_FLAG_PARTIAL_CHAIN is used with X509_V_FLAG_CRL_CHECK_ALL, chain construction can stop at a trusted intermediate. In that case, checking the trusted intermediate's revocation status may require a CRL whose issuer certificate is available from the trust store but is not present in the constructed chain.

Previously, CRL issuer selection could accept the truncated chain anchor as the CRL issuer when the CRL had no AKID, because the adjacent-candidate path checked only the CRL AKID result. Since X509_check_akid(cert, NULL) succeeds, this could select a certificate whose subject did not match the CRL issuer name. CRL signature verification was then attempted with the wrong public key, producing the misleading error X509_V_ERR_CRL_SIGNATURE_FAILURE.

This change:

  • requires candidate CRL issuer certificate subjects to match the CRL issuer name before accepting an AKID match
  • for direct CRLs on the last certificate of a partial chain, looks up matching CRL issuer certificates through the configured certificate lookup method
  • accepts a looked-up CRL issuer only if check_issued(x, candidate) holds and the candidate matches the CRL issuer name and AKID
  • keeps looked-up CRL issuer certificates alive for the lifetime of the X509_STORE_CTX
  • restricts the additional lookup to the partial-chain anchor case
  • adds regression coverage for PARTIAL_CHAIN | CRL_CHECK | CRL_CHECK_ALL

Backport status:

  • openssl-4.0: applies cleanly
  • openssl-3.6: applies cleanly
  • openssl-3.5: applies cleanly
  • openssl-3.4: library changes apply cleanly. test/crltest.c needs a small manual conflict resolution due to test layout differences

@openssl-machine
Fix CRL issuer lookup for partial chains
5c28dd8 
With X509_V_FLAG_PARTIAL_CHAIN, chain construction can stop at a trusted intermediate, leaving the issuer of that intermediate's CRL outside the built chain. Avoid treating the truncated chain anchor as the CRL issuer unless its subject matches the CRL issuer name, and for direct CRLs on the truncated anchor, look up the actual issuer from the trusted lookup source.

Keep looked-up CRL issuer certificates alive for the store context and treat the verified direct issuer like the normal adjacent issuer case.

Add regression coverage for PARTIAL_CHAIN with CRL_CHECK_ALL using RSA keys so it does not depend on EC support.
@loci-review
Copy link
Copy Markdown

loci-review Bot commented Apr 23, 2026

Base version:
Flame Graph: libcrypto.so::x509_vfy.c_get_crl_score

Target version:
Flame Graph: libcrypto.so::x509_vfy.c_get_crl_score

Base version dominated by lightweight X509_NAME_cmp (43 µs) and X509_check_akid (43 µs). Target version introduces expensive certificate operations: X509_add_cert (9.5 ms, 62%), X509_cmp (5.2 ms, 34%), X509_self_signed (4.3 ms, 28%), and ossl_x509v3_cache_extensions (2.6 ms, 17%), explaining the 35x slowdown.

💬 Questions? Tag @loci-dev

@loci-dev loci-dev mentioned this pull request Apr 23, 2026
Open
@loci-dev loci-dev force-pushed the main branch 4 times, most recently from 421b135 to 770bf14 Compare April 28, 2026 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@loci-dev @openssl-machine