CRL signature verification


CRL signature verification

Wouter Verhelst
Hi,

I have an application which wants to do verification of a certificate.
Not in the context of a context or a signature, but simply to verify if
the certificates are still valid and from a source that is correct in
the context in which the application runs.

I used libcrypto to parse out the OCSP URL from the certificate, validate
it against a whitelist of valid OCSP URLs, send an OCSP request and
validate the response and its signature against a custom certificate
store, and then parse out the result.

Two points on that:
- This seems like something that should be in libcrypto rather than in
my own code. Did I miss something obvious?
- Currently I don't fall back to CRLs when the OCSP server is
unavailable. I would like to do so; however, I can't figure out how to
validate the signature on a CRL (which would be a pretty obvious
failure). Alternatively, is there an obvious alternative thing that I
should be doing, rather than manually parsing the CRL?

Thanks,

--
Wouter Verhelst
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: CRL signature verification

Salz, Rich via openssl-users
> I used libcrypto to parse out the OCSP URL from the certificate validate
> it against a whitelist of valid OCSP URLs, send an OCSP request and
> validate the response and its signature against a custom certificate
> store, and then parse out the result.
>
> Two points on that:
> - This seems like something that should be in libcrypto rather than in
> my own code. Did I miss something obvious?

We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application.  Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

> - Currently I don't fall back to CRLs when the OCSP server is
> unavailable. I would like to do so; however, I can't figure out how to
> validate the signature on a CRL (which would be a pretty obvious
> failure). Alternatively, is there an obvious alternative thing that I
> should be doing, rather than manually parsing the CRL?

X509_CRL_verify.  And yes, looking through to find the serial# is what you have to do.


Re: CRL signature verification

Wouter Verhelst
Hi Rich,

On 18-10-17 17:46, Salz, Rich via openssl-users wrote:

> > I used libcrypto to parse out the OCSP URL from the certificate validate
> > it against a whitelist of valid OCSP URLs, send an OCSP request and
> > validate the response and its signature against a custom certificate
> > store, and then parse out the result.
> >
> > Two points on that:
> > - This seems like something that should be in libcrypto rather than in
> > my own code. Did I miss something obvious?
>
> We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application.  Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

Sorry, I should have been clearer.

I didn't mean the HTTP requests etc. I agree that that should not be
done by libcrypto.

I was more talking about the parsing. Currently I have 40 LOC [1] to
find the OCSP URL from a certificate; it seems to me that that's a lot
of stuff that I shouldn't have to be doing, and that asking OpenSSL to
parse out that URL (or really, any other X.509v3 extension's data)
should not be too complicated.

Perhaps I missed the call that I should have been using, though ;-)

[1]
https://github.com/Fedict/eid-mw/blob/master/plugins_tools/eid-viewer/verify.c#L89-L129

> > - Currently I don't fall back to CRLs when the OCSP server is
> > unavailable. I would like to do so; however, I can't figure out how to
> > validate the signature on a CRL (which would be a pretty obvious
> > failure). Alternatively, is there an obvious alternative thing that I
> > should be doing, rather than manually parsing the CRL?
>
> X509_CRL_verify.  And yes, looking through to find the serial# is what you have to do.

That's 1.1-specific, correct?

--
Wouter Verhelst

Re: CRL signature verification

Salz, Rich via openssl-users

> I was more talking about the parsing. Currently I have 40 LOC [1] to

Look at X509_get1_ocsp, which is in crypto/x509v3/v3_utl.c. That's in 1.0.2 and later.

> > X509_CRL_verify.  And yes, looking through to find the serial# is what you have to do.
>
> That's 1.1-specific, correct?

Yes.

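Rich's two answers (X509_CRL_verify followed by a scan of the CRL entries for the serial number, and X509_get1_ocsp for the AIA URL) fit into one short workflow. As an added example that is not part of the thread and not eID-viewer code, here is that workflow in Python with the `cryptography` package instead of libcrypto directly. The CA, the leaf certificate, the CRL and the OCSP allowlist value are all constructed inside the script, and every function name is mine; the order of checks in `crl_status` (issuer match, signature, nextUpdate freshness, then the serial lookup) is the point being illustrated.

```python
"""Added example (not code from the thread): the CRL-fallback workflow the
thread describes, done with the Python `cryptography` package rather than
libcrypto's X509_CRL_verify / X509_get1_ocsp. Every key, certificate and CRL
is constructed in-process, so the script runs offline."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed allowlist: the only OCSP responder this application will talk to.
OCSP_ALLOWLIST = {"http://ocsp.example.test/"}

def utc_now():
    return datetime.now(timezone.utc)

def make_ca(common_name="Example Test CA"):
    """Self-signed CA (constructed); returns (private_key, certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(utc_now() - timedelta(days=1))
            .not_valid_after(utc_now() + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_leaf(ca_key, ca_cert, serial, ocsp_url):
    """End-entity certificate whose AIA extension names an OCSP responder."""
    key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf")]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(utc_now() - timedelta(days=1))
            .not_valid_after(utc_now() + timedelta(days=30))
            .add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(utc_now() - timedelta(hours=1))
               .next_update(utc_now() + timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(utc_now() - timedelta(minutes=30))
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def ocsp_urls(cert):
    """What X509_get1_ocsp does in libcrypto: OCSP URIs from the AIA extension."""
    try:
        aia = cert.extensions.get_extension_for_class(
            x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def allowed_ocsp_url(cert, allowlist=OCSP_ALLOWLIST):
    """First OCSP URL on the allowlist, or None (then fall back to the CRL)."""
    return next((u for u in ocsp_urls(cert) if u in allowlist), None)

def crl_status(crl, issuer_cert, serial, now=None):
    """CRL fallback: issuer match, then signature (the X509_CRL_verify step),
    then freshness, then the scan for the serial number. Returns one of
    'bad-issuer', 'bad-signature', 'stale', 'revoked', 'good'."""
    if crl.issuer != issuer_cert.subject:
        return "bad-issuer"
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return "bad-signature"  # never read entries from an unverified CRL
    now = now or utc_now()
    if hasattr(crl, "next_update_utc"):  # cryptography >= 42
        next_update = crl.next_update_utc
    else:  # older releases return a naive UTC datetime
        next_update = crl.next_update and crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is not None and now > next_update:
        return "stale"  # the list may be missing newer revocations
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"

if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    leaf = make_leaf(ca_key, ca_cert, 0x1234, "http://ocsp.example.test/")
    crl = make_crl(ca_key, ca_cert, [0x1234])
    print("OCSP responder:", allowed_ocsp_url(leaf))
    print("CRL fallback:", crl_status(crl, ca_cert, leaf.serial_number))
```

The signature check comes before any read of the revoked entries, and a CRL past its nextUpdate is reported as stale rather than silently treated as authoritative, which is the failure the original question was worried about. In libcrypto the same two steps are X509_CRL_verify() with the issuer's public key (a 1.1 API, as Rich confirms) and a walk over the entries; X509_get1_ocsp() returns a STACK_OF(OPENSSL_STRING) of responder URLs that the caller frees with X509_email_free().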