[openssl-dev] [openssl.org #3853] Indirect CRL issuer (issuer outside cert's chain)

Ghetolay via RT rt at openssl.org
Tue May 19 18:59:18 UTC 2015


Version:  1.0.1f to 1.0.2a
OS:         Linux/Ubuntu (not relevant)
Type:      enhancement request

Hello,

First, here is the setup I'm confronted with (not mine, I just have to work
with it):

                            Root CA
                               |
                -------------------------------
               /                               \
      Root CRL Signing CA                       |
              |                                 |
       ----------------                  ---------------
      /                \                /               \
CRL Intermediate CA    ...      Cert Intermediate CA    ...
         |                                 |
       CRL...                            Cert...

Root CA and Root CRL Signing CA have the same DN; both Intermediate CAs also
have the same DN.

Both the CRL and the cert have the same origin point as trusted CA, so this
setup seems to be compliant with RFC 5280.
But when I wanted to verify a cert with -check_crl I got errors like
"unable to get certificate CRL" and "unable to get local issuer certificate"
depending on the openssl version and on whether the CRL was part of -CAfile or
was set with -CRLfile. In all cases -CAfile was a concatenation of at least all
CAs (Root CA, Root CRL Signing CA and both Intermediate CAs).

The only way I was able to get verify working was using the latest openssl
version, like this:

openssl verify -CAfile="Cert Intermediate CA|Root CA" -untrusted="CRL Intermediate CA|Root CRL Signing CA" -extended_crl -crl_check -CRLfile ...

But this seems more like a workaround; I don't think CRL-related CAs should
be on the untrusted chain. As per my understanding the untrusted chain
should contain intermediate certs; this is the first chain checked to find
the certificate's issuer.

After some digging (in the latest source) I found out the problem comes from
crl_akid_check(), because this function will try to find the CRL issuer in
the previously established certificate chain. In this setup neither "Root
CRL Signing CA" nor "CRL Intermediate CA" will ever be part of the
certificate chain. crl_akid_check() is then never able to find the CRL
issuer and fails (except with the workaround explained earlier).
So as a quick fix/POC I changed the function as follows:

Before:

  static void crl_akid_check(..)
  {
    [...]
    int cidx = ctx->error_depth;
    if (cidx != sk_X509_num(ctx->chain) - 1)
       cidx++;

    crl_issuer = sk_X509_value(ctx->chain, cidx);

    if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
       [...]
    }

    for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
       [...]
    }

    [...]
  }

After:

  static void crl_akid_check(..)
  {
    [...]
    int cidx = ctx->error_depth;
    if (cidx != sk_X509_num(ctx->chain) - 1)
       cidx++;

    crl_issuer = sk_X509_value(ctx->chain, cidx);

    if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
       [...]
    }

    STACK_OF(X509) *certs = ctx->lookup_certs(ctx, cnm);
    for (i = 0; i < sk_X509_num(certs); i++) {
       [...]
    }

    [...]
  }

Basically I'm looking for a corresponding issuer in all trusted certs
instead of just inside the certificate chain.
With this little modification I'm now able to verify my certificates.
As I said, it's just a demonstration; if we go that way we should probably
create a crl_chain and change check_revocation(), check_cert(),
check_crl()... accordingly.
I'm not familiar with the openssl code, but it seems there is already a notion
of crl_chain in check_crl_path() and check_crl_chain(); these functions
aren't called until we check the AKID, though, so maybe we should just build an
independent crl_chain sooner (when we look for the CRL's issuer?).

Well, like I said, I'm not familiar with the openssl code, so I would like
your feedback before going further :)


I don't know if I'm allowed to share the certificates, and it didn't seem
necessary for the understanding, but if you need them I could ask or at
least share the text output.

P.S.: I was about to prettify the diagram and code but I wasn't sure if HTML
was supported, so I kept it plain text. Should I open an issue/pull request
on GitHub?


Ghetolay.
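The following is an added illustration, not OpenSSL's own code and not the poster's patch: a small Python model of the two issuer-lookup strategies discussed in the message (search only the certificate chain, as the current crl_akid_check() does, versus search the trust store by CRL issuer name and then filter by AKID, as the proposed change does). The certificate fields, key identifiers, serial numbers and DNs are constructed to mirror the hierarchy in the post; the AKID matching rules follow X509_check_akid (keyIdentifier must equal the candidate's SKID; authorityCertIssuer/serialNumber, when present, must match), and the cRLSign key-usage requirement is the one check_crl() applies to a CRL issuer.

```python
# Added model of CRL issuer lookup (not OpenSSL code). All names and values
# below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: str                          # subjectKeyIdentifier (constructed)
    akid_keyid: Optional[str] = None   # authorityKeyIdentifier.keyIdentifier
    crl_sign: bool = False             # keyUsage cRLSign bit


@dataclass(frozen=True)
class CRL:
    issuer: str                        # CRL issuer name
    akid_keyid: Optional[str] = None   # AKID keyIdentifier carried by the CRL
    akid_issuer: Optional[str] = None  # AKID authorityCertIssuer (optional)
    akid_serial: Optional[int] = None  # AKID authorityCertSerialNumber (optional)


def check_akid(candidate: Cert, crl: CRL) -> Optional[str]:
    """Same rules as X509_check_akid: every AKID component present in the CRL
    must match the candidate. Returns None on success, else an error name."""
    if crl.akid_keyid is not None and crl.akid_keyid != candidate.skid:
        return "AKID_SKID_MISMATCH"
    if crl.akid_serial is not None and crl.akid_serial != candidate.serial:
        return "AKID_ISSUER_SERIAL_MISMATCH"
    if crl.akid_issuer is not None and crl.akid_issuer != candidate.issuer:
        return "AKID_ISSUER_SERIAL_MISMATCH"
    return None


def usable_as_crl_issuer(candidate: Cert, crl: CRL) -> bool:
    # Besides the AKID, the issuer must be permitted to sign CRLs.
    return check_akid(candidate, crl) is None and candidate.crl_sign


def crl_issuer_from_chain(chain: List[Cert], crl: CRL, error_depth: int) -> Optional[Cert]:
    """Chain-only search, as the post describes the current crl_akid_check():
    start one above error_depth (unless already at the top) and walk upwards."""
    cidx = error_depth
    if cidx != len(chain) - 1:
        cidx += 1
    for cand in chain[cidx:]:
        if usable_as_crl_issuer(cand, crl):
            return cand
    return None


def crl_issuer_from_store(store: List[Cert], crl: CRL) -> Optional[Cert]:
    """Store-wide search, as in the proposed change: take every trusted cert
    whose subject equals the CRL issuer name, then filter by AKID. Name alone
    is ambiguous here because two CAs share a DN, so the keyid decides."""
    for cand in (c for c in store if c.subject == crl.issuer):
        if usable_as_crl_issuer(cand, crl):
            return cand
    return None


# Constructed hierarchy from the post: the two CAs at each level share a DN.
ROOT     = Cert("CN=Root CA", "CN=Root CA", 1, "aa", crl_sign=True)
ROOT_CRL = Cert("CN=Root CA", "CN=Root CA", 2, "bb", akid_keyid="aa", crl_sign=True)
CERT_ICA = Cert("CN=Intermediate CA", "CN=Root CA", 3, "cc", akid_keyid="aa")
CRL_ICA  = Cert("CN=Intermediate CA", "CN=Root CA", 4, "dd", akid_keyid="bb", crl_sign=True)
LEAF     = Cert("CN=leaf", "CN=Intermediate CA", 5, "ee", akid_keyid="cc")
LEAF_CRL = CRL(issuer="CN=Intermediate CA", akid_keyid="dd")

CHAIN = [LEAF, CERT_ICA, ROOT]               # path built for LEAF
STORE = [ROOT, ROOT_CRL, CERT_ICA, CRL_ICA]  # what -CAfile contains


def demo():
    """Serial of the CRL issuer found by each strategy (None if not found)."""
    in_chain = crl_issuer_from_chain(CHAIN, LEAF_CRL, 0)
    in_store = crl_issuer_from_store(STORE, LEAF_CRL)
    return (None if in_chain is None else in_chain.serial,
            None if in_store is None else in_store.serial)


if __name__ == "__main__":
    print(demo())  # (None, 4)
```

Running it returns (None, 4): the chain built for the leaf contains only Cert Intermediate CA and Root CA, neither of which carries the SKID named in the CRL's AKID, so the chain-only search fails, while the by-name lookup in the trust store yields both Intermediate CAs and the AKID keyid selects the CRL Intermediate CA.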
