Hello Dennis,
here are answers to your questions.
- All CRL signatures are (by default) verified - otherwise status checking by CRLs would be insecure. The function used is def_crl_verify() in crypto/x509/x_crl.c
- All CRLs are kept in the X509_STORE such that they can be
reused for multiple cert verification calls, which typically
have their own X509_STORE_CTX.
When the cert chain has been build during verification of the target cert,
the public keys of the intermediate (untrusted, but then verified) CA certs are used to verify the CRL signatures.
- One needs to interpret "Untrusted objects should not be added
in this way." in the context of the preceding sentence :
"X509_STORE_add_cert() and X509_STORE_add_crl() add the respective object to the X509_STORE's local storage."
Certs can be trusted or not, but CRLs are not trusted by themselves. So the above sentence is in fact a bit misleading
and should better be re-phrased to: "Untrusted certificates should not be added in this way."
Regards,
David
On 28.08.21 03:52, bl4ck ness wrote:
Hello,
I'm trying to use OpenSSL to validate a certificate chain with CRLs. To achieve this, I create a X509_STORE and add trusted (root) certificates into it via X509_STORE_add_cert(). I also add CRLs published by root and intermediate CAs into the store using X509_STORE_add_crl(). Then I create a X509_STORE_CTX for this store and using X509_STORE_CTX_init() function I set intermediate certs via its chain parameter and target (leaf) cert via its x509 parameter.
When I verify cert chain using X509_verify_cert:
- Are these CRLs checked for a valid digital signature (both CRLs root & intermediate) ?
- Since store should only contain trusted root certificates why should I add CRLs published by intermediate certificates into the store but not to somewhere else (for example ctx)?
- Documentation for X509_STORE_add_crl "Untrusted objects should not be added in this way". What does this mean?
Dennis K.
