[openssl-users] CRL signature verification
rsalz at akamai.com
Wed Oct 18 15:46:00 UTC 2017
➢ I used libcrypto to parse out the OCSP URL from the certificate, validate
it against a whitelist of valid OCSP URLs, send an OCSP request and
validate the response and its signature against a custom certificate
store, and then parse out the result.
Two points on that:
➢ - This seems like something that should be in libcrypto rather than in
my own code. Did I miss something obvious?
We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application. Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.
➢ - Currently I don't fall back to CRLs when the OCSP server is
unavailable. I would like to do so; however, I can't figure out how to
validate the signature on a CRL (which would be a pretty obvious
failure). Alternatively, is there an obvious alternative thing that I
should be doing, rather than manually parsing the CRL?
X509_CRL_verify. And yes, looking through to find the serial# is what you have to do.