[openssl-users] CRL signature verification

Wouter Verhelst wouter.verhelst at fedict.be
Thu Oct 19 10:09:27 UTC 2017


Hi Rich,

On 18-10-17 17:46, Salz, Rich via openssl-users wrote:
> > I used libcrypto to parse out the OCSP URL from the certificate, validate
> > it against a whitelist of valid OCSP URLs, send an OCSP request and
> > validate the response and its signature against a custom certificate
> > store, and then parse out the result.
> >
> > Two points on that:
> > - This seems like something that should be in libcrypto rather than in
> > my own code. Did I miss something obvious?
> 
> We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application.  Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

Sorry, I should have been clearer.

I didn't mean the HTTP requests etc. I agree that that should not be
done by libcrypto.

I was more talking about the parsing. Currently I have 40 LOC [1] to
find the OCSP URL from a certificate; it seems to me that that's a lot
of stuff that I shouldn't have to be doing, and that asking OpenSSL to
parse out that URL (or really, any other X.509v3 extension's data)
should not be too complicated.

Perhaps I missed the call that I should have been using, though ;-)

[1]
https://github.com/Fedict/eid-mw/blob/master/plugins_tools/eid-viewer/verify.c#L89-L129

> > - Currently I don't fall back to CRLs when the OCSP server is
> > unavailable. I would like to do so; however, I can't figure out how to
> > validate the signature on a CRL (which would be a pretty obvious
> > failure). Alternatively, is there an obvious alternative thing that I
> > should be doing, rather than manually parsing the CRL?
>
> X509_CRL_verify.  And yes, looking through to find the serial# is what you have to do.

That's 1.1-specific, correct?

-- 
Wouter Verhelst

