OpenSSL API CRL Revoke Check: Coverage

David von Oheimb dev at ddvo.net
Tue Aug 31 05:50:40 UTC 2021 

Hello Dennis,

here are answers to your questions.

  * All CRL signatures are (by default) verified - otherwise status
    checking by CRLs would be insecure. The function used is
    def_crl_verify() in crypto/x509/x_crl.c
  * All CRLs are kept in the X509_STORE such that they can be reused for
    multiple cert verification calls, which typically have their own
    X509_STORE_CTX.
    When the cert chain has been build during verification of the target
    cert,
    the public keys of the intermediate (untrusted, but then verified)
    CA certs are used to verify the CRL signatures.
  * One needs to interpret "Untrusted objects should not be added in
    this way." in the context of the preceding sentence :
    "X509_STORE_add_cert() and X509_STORE_add_crl() add the respective
    object to the X509_STORE's local storage."
    Certs can be trusted or not, but CRLs are not trusted by themselves.
    So the above sentence is in fact a bit misleading
    and should better be re-phrased to: "Untrusted certificates should
    not be added in this way."

Regards,

    David

On 28.08.21 03:52, bl4ck ness wrote:
>
> Hello,
>
> I'm trying to use OpenSSL to validate a certificate chain with CRLs.
> To achieve this, I create a X509_STORE and add trusted (root)
> certificates into it via X509_STORE_add_cert(). I also add CRLs
> published by root and intermediate CAs into the store using
> X509_STORE_add_crl(). Then I create a X509_STORE_CTX for this store
> and using X509_STORE_CTX_init() function I set intermediate certs via
> its chain parameter and target (leaf) cert via its x509 parameter.
>
> When I verify cert chain using X509_verify_cert:
>
>   * Are these CRLs checked for a valid digital signature (both CRLs
>     root & intermediate) ?
>   * Since store should only contain trusted root certificates why
>     should I add CRLs published by intermediate certificates into the
>     store but not to somewhere else (for example ctx)?
>   * Documentation for X509_STORE_add_crl "Untrusted objects should not
>     be added in this way". What does this mean?
>
>
> Dennis K.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210831/c0e5f85e/attachment.html>

More information about the openssl-users mailing list