[openssl-users] CRL signature verification

Salz, Rich rsalz at akamai.com
Wed Oct 18 15:46:00 UTC 2017

➢ I used libcrypto to parse out the OCSP URL from the certificate validate
    it against a whitelist of valid OCSP URLs, send an OCSP request and
    validate the response and its signature against a custom certificate
    store, and then parse out the result.
    Two points on that:
➢     - This seems like something that should be in libcrypto rather than in
    my own code. Did I miss something obvious?

We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application.  Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

➢     - Currently I don't fall back to CRLs when the OCSP server is
    unavailable. I would like to do so; however, I can't figure out how to
    validate the signature on a CRL (which would be a pretty obvious
    failure). Alternatively, is there an obvious alternative thing that I
    should be doing, rather than manually parsing the CRL?
X509_CRL_verify.  And yes, looking through to find the serial# is what you have to do.

More information about the openssl-users mailing list