Hi Rich,

On 18-10-17 17:46, Salz, Rich via openssl-users wrote:
> > I used libcrypto to parse out the OCSP URL from the certificate, validate
> > it against a whitelist of valid OCSP URLs, send an OCSP request and
> > validate the response and its signature against a custom certificate
> > store, and then parse out the result.
> >
> > Two points on that:
> > - This seems like something that should be in libcrypto rather than in
> >   my own code. Did I miss something obvious?
> 
> We generally don’t do any kind of network traffic (except SSL) and would 
> rather leave that up to the application.  Especially because there are all 
> sorts of other frameworks, blocking issues, DNS, etc., that make things a 
> non-simple matter.

Sorry, I should have been clearer.

I didn't mean the HTTP requests etc. I agree that that should not be
done by libcrypto.

I was more talking about the parsing. Currently I have 40 LOC [1] to
find the OCSP URL from a certificate; it seems to me that that's a lot
of stuff that I shouldn't have to be doing, and that asking OpenSSL to
parse out that URL (or really, any other X.509v3 extension's data)
should not be too complicated.

Perhaps I missed the call that I should have been using, though ;-)

[1]
https://github.com/Fedict/eid-mw/blob/master/plugins_tools/eid-viewer/verify.c#L89-L129

> > - Currently I don't fall back to CRLs when the OCSP server is
> >   unavailable. I would like to do so; however, I can't figure out how to
> >   validate the signature on a CRL (which would be a pretty obvious
> >   failure). Alternatively, is there an obvious alternative thing that I
> >   should be doing, rather than manually parsing the CRL?
>
> X509_CRL_verify.  And yes, looking through to find the serial# is what you 
> have to do.

That's 1.1-specific, correct?

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users