OpenSSL API CRL Revoke Check: Coverage

bl4ck ness bl4cknesstr at
Tue Aug 31 19:19:07 UTC 2021

Thanks for the clarification David. Your help is much appreciated.

David von Oheimb <dev at>, 31 Ağu 2021 Sal, 08:50 tarihinde şunu

> Hello Dennis,
> here are answers to your questions.
>    - All CRL signatures are (by default) verified - otherwise status
>    checking by CRLs would be insecure. The function used is def_crl_verify()
>    in crypto/x509/x_crl.c
>    - All CRLs are kept in the X509_STORE such that they can be reused for
>    multiple cert verification calls, which typically have their own
>    X509_STORE_CTX.
>    When the cert chain has been build during verification of the target
>    cert,
>    the public keys of the intermediate (untrusted, but then verified) CA
>    certs are used to verify the CRL signatures.
>    - One needs to interpret "Untrusted objects should not be added in
>    this way." in the context of the preceding sentence :
>    "X509_STORE_add_cert() and X509_STORE_add_crl() add the respective
>    object to the X509_STORE's local storage."
>    Certs can be trusted or not, but CRLs are not trusted by themselves.
>    So the above sentence is in fact a bit misleading
>    and should better be re-phrased to: "Untrusted certificates should not
>    be added in this way."
> Regards,
>     David
> On 28.08.21 03:52, bl4ck ness wrote:
> Hello,
> I'm trying to use OpenSSL to validate a certificate chain with CRLs. To
> achieve this, I create a X509_STORE and add trusted (root) certificates
> into it via X509_STORE_add_cert(). I also add CRLs published by root and
> intermediate CAs into the store using X509_STORE_add_crl(). Then I create a
> X509_STORE_CTX for this store and using X509_STORE_CTX_init() function I
> set intermediate certs via its chain parameter and target (leaf) cert via
> its x509 parameter.
> When I verify cert chain using X509_verify_cert:
>    - Are these CRLs checked for a valid digital signature (both CRLs root
>    & intermediate) ?
>    - Since store should only contain trusted root certificates why should
>    I add CRLs published by intermediate certificates into the store but not to
>    somewhere else (for example ctx)?
>    - Documentation for X509_STORE_add_crl "Untrusted objects should not
>    be added in this way". What does this mean?
> Dennis K.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list