[openssl-users] CRL signature verification
Wouter Verhelst
wouter.verhelst at fedict.be
Wed Oct 18 14:47:28 UTC 2017
Hi,
I have an application which wants to do verification of a certificate.
Not in the context of a context or a signature, but simply to verify if
the certificates are still valid and from a source that is correct in
the context in which the application runs.
I used libcrypto to parse out the OCSP URL from the certificate, validate
it against a whitelist of valid OCSP URLs, send an OCSP request and
validate the response and its signature against a custom certificate
store, and then parse out the result.
Two points on that:
- This seems like something that should be in libcrypto rather than in
my own code. Did I miss something obvious?
- Currently I don't fall back to CRLs when the OCSP server is
unavailable. I would like to do so; however, I can't figure out how to
validate the signature on a CRL (which would be a pretty obvious
failure). Alternatively, is there an obvious alternative thing that I
should be doing, rather than manually parsing the CRL?
Thanks,
--
Wouter Verhelst