<div dir="ltr">Thanks for the clarification David. Your help is much appreciated.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">David von Oheimb <<a href="mailto:dev@ddvo.net">dev@ddvo.net</a>>, 31 Ağu 2021 Sal, 08:50 tarihinde şunu yazdı:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Dennis,</p>
<p>here are answers to your questions.<br>
</p>
<p></p>
<ul>
<li>All CRL signatures are (by default) verified - otherwise
status checking by CRLs would be insecure. The function used is
def_crl_verify() in crypto/x509/x_crl.c</li>
<li>All CRLs are kept in the X509_STORE such that they can be
reused for multiple cert verification calls, which typically
have their own X509_STORE_CTX.<br>
When the cert chain has been build during verification of the
target cert, <br>
the public keys of the intermediate (untrusted, but then
verified) CA certs are used to verify the CRL signatures. <br>
</li>
<li>One needs to interpret "Untrusted objects should not be added
in this way." in the context of the preceding sentence :<br>
"X509_STORE_add_cert() and X509_STORE_add_crl() add the
respective object to the X509_STORE's local storage."<br>
Certs can be trusted or not, but CRLs are not trusted by
themselves. So the above sentence is in fact a bit misleading<br>
and should better be re-phrased to: "Untrusted certificates
should not be added in this way."</li>
</ul>
<p>Regards,</p>
<p> David<br>
</p>
<div>On 28.08.21 03:52, bl4ck ness wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<p>Hello,</p>
<p>I'm trying to use OpenSSL to validate a certificate chain
with CRLs. To achieve this, I create a X509_STORE and add
trusted (root) certificates into it via
X509_STORE_add_cert(). I also add CRLs published by root and
intermediate CAs into the store using X509_STORE_add_crl().
Then I create a X509_STORE_CTX for this store and using
X509_STORE_CTX_init() function I set intermediate certs via
its chain parameter and target (leaf) cert via its x509
parameter.</p>
<p>When I verify cert chain using X509_verify_cert:</p>
<ul>
<li>Are these CRLs checked for a valid digital signature
(both CRLs root & intermediate) ?</li>
<li>Since store should only contain trusted root
certificates why should I add CRLs published by
intermediate certificates into the store but not to
somewhere else (for example ctx)?</li>
<li>Documentation for X509_STORE_add_crl "Untrusted objects
should not be added in this way". What does this mean?</li>
</ul>
<div><br>
</div>
<div>Dennis K.<br>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote></div>