Has anyone noticed that Windows doesn't verify the digital signature of CRL files (*.crl). After you modify the content of a CRL file, Windows doesn't tell you it has been tampered.
I found this problem under Windows2000/XP. Did Microsoft plan to do so or is it an OS bug?
You can test this with the following steps:
1) download a CRL file from any CA to your Windows machine, eg. http://crl.verisign.com/RSASecureServer.crl
2) double click the file "RSASecureServer.crl" in Windows Explorer, open the "Revoked List" tab. Remember the serial number of any revoked certificate, for example, the serial number of the first cert in the list is:
" 0101 CD5F A174 D413 BE0F 666A 034A 004A "
3) close the opened file "RSASecureServer.crl"
4) Re-open the file with a Hex editor (eg.ultraedit), and find the Hex String " 0101 CD5F......", modify it and save the changes.
5) double-click the file in Windows Explorer, switch to the "Revoked List" tab, and you will find the changes have been there and Windows didn't do the signature verification work!
Now the cert "0101 CD5F ..." is no longer "REVOKED" if a relying-party would make a CRL-based certificate status check.
But if you do the same thing with a certificate file(*.crt, *.cer),Windows will tell you the certificate has an invalid signature.
Hi,everybody!
Has anyone noticed that Windows doesn't verify the digital signature of CRL files (*.crl). After you modify the content of a CRL file, Windows doesn't tell you it has been tampered.
I found this problem under Windows2000/XP. Did Microsoft plan to do so or is it an OS bug?
You can test this with the following steps:
1) download a CRL file from any CA to your Windows machine, eg. http://crl.verisign.com/RSASecureServer.crl
2) double click the file "RSASecureServer.crl" in Windows Explorer, open the "Revoked List" tab. Remember the serial number of any revoked certificate, for example, the serial number of the first cert in the list is:
" 0101 CD5F A174 D413 BE0F 666A 034A 004A "
3) close the opened file "RSASecureServer.crl"
4) Re-open the file with a Hex editor (eg.ultraedit), and find the Hex String " 0101 CD5F......", modify it and save the changes.
5) double-click the file in Windows Explorer, switch to the "Revoked List" tab, and you will find the changes have been there and Windows didn't do the signature verification work!
Now the cert "0101 CD5F ..." is no longer "REVOKED" if a relying-party would make a CRL-based certificate status check.
But if you do the same thing with a certificate file(*.crt, *.cer),Windows will tell you the certificate has an invalid signature.
Any comments are welcome.
[ reply ]