Re: OpenSSL API CRL Revoke Check: Coverage

Hello Dennis,

Here are answers to your questions.

Regards,

    David

On 28.08.21 03:52, bl4ck ness wrote:

Hello,

I'm trying to use OpenSSL to validate a certificate chain with CRLs. To achieve this, I create an X509_STORE and add trusted (root) certificates into it via X509_STORE_add_cert(). I also add CRLs published by the root and intermediate CAs into the store using X509_STORE_add_crl(). Then I create an X509_STORE_CTX for this store and, using the X509_STORE_CTX_init() function, I set the intermediate certs via its chain parameter and the target (leaf) cert via its x509 parameter.

When I verify the cert chain using X509_verify_cert():

  • Are these CRLs checked for a valid digital signature (both the root and intermediate CRLs)?
  • Since the store should only contain trusted root certificates, why should I add CRLs published by intermediate certificates into the store rather than somewhere else (for example, the ctx)?
  • The documentation for X509_STORE_add_crl says "Untrusted objects should not be added in this way". What does this mean?

Dennis K.
