On Mon, Jul 29, 2013 at 7:24 PM, Stephen Henson via RT <[email protected]> wrote:
> I had a quick look and I think the problem is that it is an indirect CRL which
> can cover multiple CAs and that in the absence of other information it is
> defaulting to the CRL issuer name for CRL entries rather than the CA name. As a
> result it can't find any entries for CA name and so doesn't return revoked. By
> using the Certificate Issuer CRL extension you can change that but OpenSSL
> doesn't currently include an option to set it in the ca utility.
Thanks for the quick response.  This definitely explains the issue.  I
completely overlooked the fact that the CRL entries were missing
issuer extensions.  Is this feature on your road map?  I'd be happy to
try implementing it if it's a generally useful feature.

> There is a rather simpler way you can achieve what I think you want. What you
> do in the CA certificate is to include keyUsage *without* the CRLSign bit set
> and then issue a certificate from that CA with the *same name* as the CA but
> with CRLSign asserted. Make sure you include SKID/AKID in the certificates and
> CRLs.
Ah, interesting.  I've managed to get this to work and included an
example below for completeness.  Am I correct in interpreting that
this is no longer an indirect CRL?  The RFC states:
"If the scope of the CRL includes one or more certificates issued by
an entity other than the CRL issuer, then it is an indirect CRL."
In this context, is 'issuer' simply issuing subject?  It doesn't seem
obvious from the RFC that this technique would work.  Do you know if
this technique is a common practice or will work in other certificate
verification implementations?

I also managed to get my original example working, which includes the
CRL distribution point extension in the certificate and the issuing
distribution point extension in the CRL (with the indirect CRL flag)
by using matching names for the CA and CRL issuer.  As you mentioned,
this relies on the fact that the default scope for a CRL entry is the
CRL issuer unless the certificate issuer extension is present.  This
seems like a slightly 'safer' CRL delegation method in that it's
explicit delegation.  However, it does rely on several extensions
which may not be supported by all implementations...

I'm still not completely sure which method I think is more
appropriate, but I guess it's good to have both options.

Thanks again for your help,
Craig

openssl verify -crl_check -extended_crl \
 -CAfile ca.pem \
 -CRLfile crl.pem \
 -untrusted crl-issuer.pem \
 happy.pem \
 revoked.pem

happy.pem: OK
revoked.pem: C = US, O = example, CN = revoked
error 23 at 0 depth lookup:certificate revoked

-- ca.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 30 01:13:56 2013 GMT
            Not After : Jul 28 01:13:56 2023 GMT
        Subject: C=US, O=example, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                74:FD:B3:A6:26:C7:BB:DA:2C:5B:26:41:98:F9:9A:27:CC:32:CA:EF
            X509v3 Authority Key Identifier:
                keyid:74:FD:B3:A6:26:C7:BB:DA:2C:5B:26:41:98:F9:9A:27:CC:32:CA:EF
                DirName:/C=US/O=example/CN=root
                serial:01

            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
    Signature Algorithm: sha1WithRSAEncryption

-- crl-issuer.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 30 01:14:07 2013 GMT
            Not After : Jul 30 01:14:07 2015 GMT
        Subject: C=US, O=example, CN=root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                27:A8:DC:67:7D:C6:F4:60:4E:1A:1B:5F:1C:9C:5D:50:05:F4:E3:72
            X509v3 Authority Key Identifier:
                keyid:74:FD:B3:A6:26:C7:BB:DA:2C:5B:26:41:98:F9:9A:27:CC:32:CA:EF
                DirName:/C=US/O=example/CN=root
                serial:01

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                CRL Sign
    Signature Algorithm: sha1WithRSAEncryption

-- happy.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 30 01:14:38 2013 GMT
            Not After : Jul 30 01:14:38 2015 GMT
        Subject: C=US, O=example, CN=happy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B0:08:2B:9A:CD:99:6F:B1:03:76:E4:74:4C:CC:A6:A4:9B:40:25:20
            X509v3 Authority Key Identifier:
                keyid:74:FD:B3:A6:26:C7:BB:DA:2C:5B:26:41:98:F9:9A:27:CC:32:CA:EF
                DirName:/C=US/O=example/CN=root
                serial:01

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption

-- revoked.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=example, CN=root
        Validity
            Not Before: Jul 30 01:14:45 2013 GMT
            Not After : Jul 30 01:14:45 2015 GMT
        Subject: C=US, O=example, CN=revoked
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8A:34:D4:E5:18:77:7C:91:E4:8A:D7:39:FC:14:50:BE:17:FA:D2:59
            X509v3 Authority Key Identifier:
                keyid:74:FD:B3:A6:26:C7:BB:DA:2C:5B:26:41:98:F9:9A:27:CC:32:CA:EF
                DirName:/C=US/O=example/CN=root
                serial:01

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption

-- crl.pem

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=example/CN=root
        Last Update: Jul 30 01:14:47 2013 GMT
        Next Update: Jul 30 01:14:47 2014 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:27:A8:DC:67:7D:C6:F4:60:4E:1A:1B:5F:1C:9C:5D:50:05:F4:E3:72
                DirName:/C=US/O=example/CN=root
                serial:02

            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Jul 30 01:14:47 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha1WithRSAEncryption


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
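
Added example, not part of the original message and not OpenSSL code: a small Python model of the entry-scoping rule discussed in the thread. A CRL entry is looked up under the CRL issuer's name unless a Certificate Issuer entry extension names another CA, and in an indirect CRL that extension carries forward to the following entries (RFC 5280 section 5.3.3). The name CN=crl-signer, serial 7 and the plain string comparison of names are assumptions made for illustration; signatures, key identifiers and the issuing distribution point are not modelled.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Entry:
    serial: int
    # Value of the Certificate Issuer CRL entry extension, if present.
    certificate_issuer: Optional[str] = None


@dataclass
class CRL:
    issuer: str                      # name in the CRL's issuer field
    entries: List[Entry] = field(default_factory=list)


def entry_scopes(crl: CRL) -> Iterator[Tuple[str, int]]:
    """Yield (certificate issuer, serial) for each entry of the CRL."""
    current = crl.issuer             # default scope: the CRL issuer's own name
    for e in crl.entries:
        if e.certificate_issuer is not None:
            current = e.certificate_issuer   # sticks for later entries too
        yield current, e.serial


def is_revoked(crl: CRL, cert_issuer: str, serial: int) -> bool:
    """True if the CRL lists this serial under this certificate issuer."""
    # Assumption: names compare as strings; real code compares encoded names.
    return (cert_issuer, serial) in set(entry_scopes(crl))


CA = "C=US, O=example, CN=root"                 # CA name from the thread
DELEGATE = "C=US, O=example, CN=crl-signer"     # constructed delegate name

# Case 1: delegate has its own name and sets no Certificate Issuer extension.
# The entry is scoped to the delegate, so the CA's certificate is not found.
missed = CRL(DELEGATE, [Entry(4)])

# Case 2: the workaround from the thread, CRL issuer shares the CA's name.
same_name = CRL(CA, [Entry(4)])

# Case 3: delegate names the CA explicitly; serial 7 inherits that scope.
explicit = CRL(DELEGATE, [Entry(4, CA), Entry(7)])

if __name__ == "__main__":
    for label, crl in (("missed", missed), ("same_name", same_name),
                       ("explicit", explicit)):
        print(label, is_revoked(crl, CA, 4))
```
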
