While attempting to build an indirect CRL signing role, I managed to
come up with a way to revoke a certificate but allow it to pass the
CRL checks of the verify utility.  I'm not yet sure if this is a bug
or if the chain I created is invalid in some way.

My goal was to create an authority for signing user certificates and
to delegate CRL signing to an independent role signed by the same
authority. Below is an example of a self-signed CA used to sign a CRL
issuer and two user certificates.  One of the certificates was revoked
and the CRL was generated using the CRL issuer.  When verified with
the verify command below, both the valid and revoked certificates are
reported valid.

This was done using version 1.0.1e compiled from source as linux-x86_64.

Thanks in advance for any advice,
Craig


openssl verify -crl_check -extended_crl \
 -CAfile ca.pem \
 -CRLfile crl.pem \
 -untrusted crl-issuer.pem \
 happy.pem \
 revoked.pem

happy.pem: OK
revoked.pem: OK



-- ca.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 28 17:45:04 2013 GMT
            Not After : Jul 26 17:45:04 2023 GMT
        Subject: C=US, O=example, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b2:6e:82:8e:a0:ae:7c:2c:d4:ab:e1:91:dd:35:
                    e5:ab:8c:06:ac:31:d0:9c:52:65:de:59:87:24:da:
                    de:9b:73:d5:f1:d9:bf:34:e1:4f:4c:47:51:19:e8:
                    cf:fa:6e:b6:81:02:a8:29:ea:33:b7:19:55:99:f4:
                    14:3b:5a:6d:2f:9b:3c:da:c4:69:61:ba:2c:9e:9b:
                    5d:c6:ed:1b:47:cf:64:65:1d:68:a4:74:49:42:b5:
                    0e:98:1a:5c:e4:41:c1:59:ab:99:d5:57:78:1d:3b:
                    1c:ba:cd:9d:e9:38:cd:21:32:6b:31:13:11:01:fe:
                    26:40:3a:f5:df:25:44:bf:53
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
    Signature Algorithm: sha1WithRSAEncryption
         a3:29:06:98:f9:a3:90:5c:c8:ca:d2:38:ed:b2:09:ff:fb:d5:
         92:ad:63:1a:48:b3:a2:52:57:18:37:83:a8:e6:21:18:d3:4e:
         ef:f8:49:ff:43:07:6a:4a:ad:89:a7:b3:e0:e5:35:90:f7:39:
         a7:68:24:23:77:aa:2c:fd:ed:77:3c:72:f7:1e:29:90:b9:33:
         0f:4e:2d:23:d1:0a:e8:1f:42:8a:ac:23:47:f3:37:9f:5d:e9:
         5e:b0:ed:df:f2:ec:3a:c1:c2:56:a1:ac:dc:73:04:0a:6e:80:
         c8:ba:df:cb:43:83:8f:2b:93:db:90:8e:57:38:82:16:72:54:
         ee:c3

-- crl-issuer.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 28 17:45:20 2013 GMT
            Not After : Jul 28 17:45:20 2015 GMT
        Subject: C=US, O=example, CN=crl issuer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c0:94:c7:a2:d8:e6:ad:71:a8:92:d9:f2:a1:67:
                    15:19:3b:99:55:64:18:5f:6a:10:b4:5c:a0:0d:70:
                    86:13:80:22:29:2f:a8:42:a3:23:07:13:9a:7f:6c:
                    62:78:92:00:e5:a4:e8:3f:d1:27:52:a5:cd:b2:ca:
                    13:3f:26:b9:0e:2e:e7:6e:96:30:b5:f2:ab:26:8d:
                    c7:43:7d:50:74:68:95:40:0a:fa:91:26:a7:4b:86:
                    f2:cc:5f:10:68:a1:00:20:27:0b:c0:cb:60:48:2a:
                    80:71:12:bf:88:79:9e:97:e9:73:00:70:cb:f6:86:
                    0b:4e:0d:df:c5:04:8e:d2:c5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
         3b:2c:e5:d8:a1:bb:69:df:62:4d:a1:0a:2b:69:bb:fc:44:37:
         81:65:53:b2:81:42:a6:49:17:52:e4:1d:e7:b4:9f:fd:bb:ae:
         1f:fa:02:a1:8e:00:fd:a6:ac:24:5d:8a:f5:00:a5:81:42:25:
         98:8e:a2:2b:8c:27:86:01:3b:ed:dc:5c:c2:a7:90:7b:47:09:
         e7:a9:ce:e5:1d:8a:b8:5f:8d:63:f7:0d:33:8b:0d:d9:9b:08:
         17:a3:04:4d:fd:74:b4:19:56:18:41:70:e8:4b:ef:77:66:39:
         31:15:03:de:41:53:e0:fd:14:6a:a9:7e:dc:08:8e:15:e5:f9:
         07:d0

-- happy.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 28 17:45:24 2013 GMT
            Not After : Jul 28 17:45:24 2015 GMT
        Subject: C=US, O=example, CN=happy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:dd:c9:5c:68:6f:64:b5:37:46:00:7f:c2:72:c1:
                    6e:a5:cc:46:fc:f0:0b:f3:10:f0:be:ef:cf:a1:5f:
                    71:18:d2:82:dd:3f:f0:ca:c2:fc:99:c9:82:61:61:
                    34:ff:90:e6:8f:74:69:02:de:a5:62:41:f2:f0:f7:
                    73:47:b4:65:08:78:a3:99:d9:7c:1a:8a:7d:f5:e8:
                    f1:0b:e9:1f:46:79:2d:2a:3b:43:53:f4:0b:af:5d:
                    f4:4c:7e:85:7b:8c:1e:51:26:e9:ef:f7:b8:18:0b:
                    bc:47:a0:2a:56:e5:4a:56:3a:38:17:c5:5c:0f:87:
                    bd:da:7b:4f:98:5d:9a:3b:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://example.com/example.crl
                CRL Issuer:
                  DirName: C = US, O = example, CN = crl issuer

            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
         81:9f:ab:02:1d:29:01:b9:91:b1:37:2a:00:e1:54:7e:b7:a0:
         a5:50:20:41:9c:85:27:b1:90:1a:37:70:21:82:f7:b3:13:1c:
         10:77:2f:14:2b:72:a6:d3:22:b4:67:97:14:5c:7c:5b:97:0a:
         63:18:5c:ec:d6:ad:da:aa:98:de:ff:40:51:a8:f0:2f:83:cc:
         e0:a4:9f:30:64:be:da:2e:e9:2b:cc:df:86:2b:8b:d6:a7:d1:
         a8:7c:55:92:4c:9e:6f:12:c9:cd:46:cd:3e:93:9c:a2:53:9c:
         45:ae:d9:df:40:c4:d8:b8:1e:9b:ac:c0:1b:ac:25:de:7b:44:
         02:b4

-- revoked.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 28 17:45:25 2013 GMT
            Not After : Jul 28 17:45:25 2015 GMT
        Subject: C=US, O=example, CN=revoked
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:e6:f7:3c:5e:96:2e:a6:7e:2f:a4:5a:53:0a:22:
                    74:71:81:a8:09:9c:94:c7:bc:06:00:7c:90:1c:af:
                    4e:97:11:0d:cb:85:d1:41:6a:59:8e:d6:6f:a4:b5:
                    1d:d6:30:3e:2d:84:c7:67:99:2a:9c:b9:20:d1:59:
                    c0:58:e4:41:b2:3b:a4:23:fa:74:81:e9:bf:c0:aa:
                    4d:48:d9:87:a2:d7:2c:d3:1f:37:c5:e0:90:0d:c5:
                    5d:28:24:fb:1b:38:d5:dd:2a:4a:3d:fe:2b:96:26:
                    ec:67:d2:76:e2:be:a6:5d:ea:65:9f:a3:9d:cc:90:
                    9e:9a:28:1a:9a:ac:1b:3e:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://example.com/example.crl
                CRL Issuer:
                  DirName: C = US, O = example, CN = crl issuer

            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
         70:32:43:27:28:79:e7:13:60:17:47:92:c6:39:9e:ab:06:e8:
         b4:08:9c:c5:8b:00:2d:c1:5e:fc:e3:01:c5:07:f1:fc:11:79:
         1f:31:fe:f8:9f:57:3a:39:6c:80:79:fa:3d:e2:0c:e1:6a:b0:
         83:32:a2:47:3f:28:33:44:5b:58:31:1d:63:f1:e5:15:a7:7e:
         44:b4:a4:f8:66:1a:e8:0a:77:69:cd:db:d2:1e:a6:fb:46:60:
         6f:48:b8:1c:b0:08:7a:9a:53:56:f4:eb:ad:5f:31:9e:bd:38:
         68:82:2c:8a:4a:35:9f:a0:02:bd:9d:23:2d:34:36:21:c1:2c:
         b2:fc

-- crl.pem

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=example/CN=crl issuer
        Last Update: Jul 28 17:45:25 2013 GMT
        Next Update: Jul 28 17:45:25 2014 GMT
        CRL extensions:
            X509v3 Issuing Distrubution Point:
                Full Name:
                  URI:http://example.com/example.crl
                Indirect CRL

            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Jul 28 17:45:25 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption
         68:3d:75:4f:bf:51:a6:6e:33:4d:9f:a1:80:02:14:99:f6:0a:
         d0:c0:82:a1:bc:d4:72:15:3f:f3:6d:cf:ce:95:1b:7d:91:5a:
         32:61:8f:81:9e:66:9d:5c:dc:d4:7c:e0:16:c7:f4:c7:65:18:
         11:1e:8e:5a:4b:79:df:dc:b7:c5:bd:1b:be:5e:02:23:0d:61:
         11:4e:db:9b:ff:e5:ab:f9:d9:2f:da:77:42:65:f8:f5:6e:44:
         cf:9e:92:fd:40:ea:a3:eb:de:59:16:23:a7:e0:71:66:f4:f8:
         04:d3:ec:63:0a:25:fb:96:2c:2b:49:98:43:bd:61:fe:e8:76:
         ec:64

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
