000021981 - C_CheckCertRevocation returns 'E_UNKNOWN_CRITICAL_EXTENSION (0x073C)' in RSA BSAFE Cert-C

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000021981
Applies To: RSA BSAFE Cert-C
CRL contains a critical extension
Issue: C_CheckCertRevocation returns "E_UNKNOWN_CRITICAL_EXTENSION (0x073C)" in RSA BSAFE Cert-C
Cause: As you can see from the comments in provider\revoke\CRL\crlstat.c, the provider currently returns this error for any critical extensions in the CRL:

/*
 * ProcessCRLExtensions handles a CRL's extensions.
 *
 * Note:  At the current time, NO extensions are
 *        handled or processed.  The presence of
 *        any critical extensions will cause an error
 *        to be returned.   Later, if some extensions
 *        are processed, additional parameters may need
 *        to be added to the function.
 *
 * Parameters
 *   ctx        (input) Cert-C context
 *   pathCtx    (input) path context (for options)
 *   CRL        (input) the CRL object to check
 *
 * Possible return codes:
 *  0                               Successful
 *  E_UNKNOWN_CRITICAL_EXTENSION    an un-handled critical extension was found
 */


static int ProcessCRLExtensions(
  CERTC_CTX      ctx,
  CERT_PATH_CTX* pathCtx,
  CRL_OBJ        CRL )
{
...



 /* Insert here handling for known CRL extensions */
 
 /* Test for unhandled critical extensions */
    if (pathCtx->pathOptions&PF_IGNORE_CRITICALITY) {
      continue;
    } else if ( ei.criticalFlag == CRITICAL ) {
      status = C_Log( ctx, E_UNKNOWN_CRITICAL_EXTENSION, ST_ERROR,
                      __FILE__, __LINE__, 0);
      break;
    }
  }

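Resolution: To correct this issue, set the PF_IGNORE_CRITICALITY flag in the pathCtx.pathOptions before calling C_CheckCertRevocation(). With the flag set, the test shown above is skipped for every extension, so a critical CRL extension is accepted without being processed.
Legacy Article ID: a26023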
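
The Resolution above turns off the criticality test for every CRL extension at once. As an added example (not Cert-C source and not RSA's code), this self-contained C model reproduces the behaviour of the excerpted test and shows a caller-side guard that sets the flag only when each critical extension in the CRL is on a list the application has reviewed. The crl_ext type, the function names, the sample CRLs, the reviewed list and the flag's numeric value are assumptions; only the flag name and the 0x073C error code come from the article.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins for this model; only the 0x073C value comes from the article. */
#define E_UNKNOWN_CRITICAL_EXTENSION 0x073C
#define PF_IGNORE_CRITICALITY 0x1u      /* constructed value, not the real Cert-C constant */
typedef struct { const char *oid; int critical; } crl_ext;   /* hypothetical type */

/* Constructed sample CRLs: cRLNumber plus one critical extension each. */
static const crl_ext crl_idp[]   = { {"2.5.29.20", 0}, {"2.5.29.28", 1} }; /* issuingDistributionPoint */
static const crl_ext crl_delta[] = { {"2.5.29.20", 0}, {"2.5.29.27", 1} }; /* deltaCRLIndicator */
static const char *const reviewed[] = { "2.5.29.28" };  /* illustrative; a deployment decision */

/* Model of the excerpted test: nothing is processed, so any critical
 * extension is an error unless the ignore flag is set. */
int process_crl_extensions(unsigned pathOptions, const crl_ext *ext, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (pathOptions & PF_IGNORE_CRITICALITY)
            continue;
        if (ext[i].critical)
            return E_UNKNOWN_CRITICAL_EXTENSION;
    }
    return 0;
}

/* Guard: 1 only if every critical extension is on the reviewed list,
 * 0 if any critical extension is one the application has not assessed. */
int safe_to_ignore_criticality(const crl_ext *ext, size_t n,
                               const char *const *ok, size_t nok)
{
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        if (!ext[i].critical) continue;
        while (j < nok && strcmp(ext[i].oid, ok[j]) != 0) j++;
        if (j == nok) return 0;   /* unreviewed: keep the strict default */
    }
    return 1;
}

/* Revocation-check wrapper: the flag is set only when the guard allows it. */
int check_crl(const crl_ext *ext, size_t n,
              const char *const *ok, size_t nok)
{
    unsigned opts = 0;
    if (safe_to_ignore_criticality(ext, n, ok, nok))
        opts |= PF_IGNORE_CRITICALITY;
    return process_crl_extensions(opts, ext, n);
}
```

With the constructed data, the CRL carrying the reviewed extension passes, while the one carrying an unreviewed critical extension still returns 0x073C instead of being silently accepted.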
