[openssl-users] CRL signature verification

Wouter Verhelst wouter.verhelst at fedict.be
Wed Oct 18 14:47:28 UTC 2017


I have an application which wants to do verification of a certificate.
Not in the context of a context or a signature, but simply to verify if
the certificates are still valid and from a source that is correct in
the context in which the application runs.

I used libcrypto to parse out the OCSP URL from the certificate, validate
it against a whitelist of valid OCSP URLs, send an OCSP request and
validate the response and its signature against a custom certificate
store, and then parse out the result.

Two points on that:
- This seems like something that should be in libcrypto rather than in
my own code. Did I miss something obvious?
- Currently I don't fall back to CRLs when the OCSP server is
unavailable. I would like to do so; however, I can't figure out how to
validate the signature on a CRL (which would be a pretty obvious
failure). Alternatively, is there an obvious alternative thing that I
should be doing, rather than manually parsing the CRL?


Wouter Verhelst
