Hello,

I'm interested in checking CRLs during certificate validation because
SSL and SSLeay are widely used in our intranet. I'd like to hear
some feedback on whether the CRL check was implemented well enough.
No restriction on using the diff below, provided that the origin is not dropped.


*** x509_vfy.c.orig     Thu Apr  9 18:47:14 1998
--- x509_vfy.c  Mon May 25 16:55:05 1998
***************
*** 298,303 ****
--- 298,310 ----
        X509 *xs,*xi;
        EVP_PKEY *pkey=NULL;
        int (*cb)();
+       X509_NAME *xn;
+       X509_OBJECT obj;
+       X509_CRL *crl;
+       STACK *revlist;
+       int revcount; 
+       ASN1_INTEGER *certserial;
+       X509_REVOKED *en; 
  
        cb=ctx->ctx->verify_cb;
        if (cb == NULL) cb=null_callback;
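Review bot: `crl` and `en` are declared here without initializers, yet the second hunk reads through them on paths where they may never have been assigned (a CRL whose revoked list is empty leaves `en` unset before `en -> serialNumber` is evaluated). Initialise both to NULL (`X509_CRL *crl=NULL;`, `X509_REVOKED *en=NULL;`) and test them before use. The lines `int revcount;` and `X509_REVOKED *en;` also carry trailing whitespace.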
***************
*** 384,389 ****
--- 391,414 ----
                        }
  
                /* CRL CHECK */
+               xn=X509_get_issuer_name(xs);
+               ok=X509_STORE_get_by_subject(ctx,X509_LU_CRL,xn,&obj);
+               if(ok == 1 &&
+                  X509_CRL_verify((crl = obj.data.crl), X509_get_pubkey(xs))) {
+ 
+                 revlist = crl->crl->revoked;
+                 revcount = sk_num( revlist );
+                 for( i=0; i < revcount; i++ )
+                   en = (X509_REVOKED *) sk_value( revlist, i );
+                   certserial = X509_get_serialNumber(xs); 
+                   if( ASN1_INTEGER_cmp( en -> serialNumber, certserial ))
+                     /* yes, serial number of cert in question listed in CRL */
+                       ctx->error=X509_V_ERR_CERT_REVOKED;
+                       ctx->current_cert=xs;
+                       ok=0;
+                       goto end;
+                       ;
+               }
  
                /* The last error (if any) is still in the error value */
                ctx->current_cert=xs;
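Review bot: the revocation test is inverted and the control flow is not what the indentation suggests. `ASN1_INTEGER_cmp` returns 0 when the two serials are equal, so `if( ASN1_INTEGER_cmp( en -> serialNumber, certserial ))` fires for every entry that does not match; it should be `if( ASN1_INTEGER_cmp( en->serialNumber, certserial ) == 0 )`. Neither the `for` nor the `if` has braces, so only `en = ...` is repeated, the comparison runs once against whatever `en` holds after the loop, and `ctx->current_cert=xs; ok=0; goto end;` run unconditionally, which rejects every certificate whose issuer has a CRL in the store (the stray `;` after `goto end;` suggests a brace was intended there). Wrap the loop body and the revoked branch in `{ ... }`. The CRL signature is also checked with `X509_get_pubkey(xs)`, the key of the certificate under test, but a CRL is signed by the issuer, so the key must come from `xi`. Finally, the lookup result held in `obj` is never released, and a failed lookup (`ok != 1`) silently accepts the certificate; if "no CRL available" is meant to pass, say so in a comment, since the text promises checking of lastUpdate/nextUpdate later.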

Patch was debugged with s_client and s_server:
s_client -CAfile ${PATH}/cacert.pem -cert cl-rev.cert -key cl-rev.key
s_server -CApath {PATH}/certs -cert serv.cert -key serv.key -Verify 2

s_server output on stderr:
verify depth is 2, must return a certificate
ERROR
verify error:error number 23

s_client output on stderr:
depth=1 /C=UA/L=Dnepropetrovsk/O=Ukrsotsbank development/OU=CRL check/CN=demo 
[EMAIL PROTECTED]
verify return:1
depth=0 /C=UA/O=Ukrsotsbank development/OU=CRL check/CN=demo 
[EMAIL PROTECTED]
verify return:1
write:errno=32

CRL lookup is by_dir; to make the CRL known to the lookup one should make a link like
ln -s ${CRLFILE} `crl -noout -hash -in ${CRLFILE}`.r0
The hash is computed on the CRL issuer's name, so there should be two links,
the first (HASH.0) pointing to the CA cert, the second (HASH.r0) to the current CRL.

Here are some entries for the wishlist: check lastUpdate, nextUpdate and extensions
too, once local policy specifies the requirements.

Hope this helps someone,
Vadim Fedukovich
Ukrsotsbank, Dnepropetrovsk office.
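The by_dir layout the post describes, as an added example that is not part of the original post or of SSLeay: a POSIX shell script that creates the HASH.0 link to the CA certificate and the HASH.r0 link to the CRL in a lookup directory. It goes beyond the single `.r0` link shown above in two ways: it counts the suffix up (.r1, .r2, ...) when another file already owns the name, as c_rehash does, and it refuses to install a CRL whose issuer hash differs from the CA's subject hash, since the directory lookup would never pair them. The function names `link_by_hash`, `name_hash` and `install_crl` are my own; `name_hash` assumes a modern `openssl` binary on PATH (SSLeay's tools were the bare `x509` and `crl` commands), while `link_by_hash` itself needs no OpenSSL at all.

```shell
#!/bin/sh
# Added example, not part of the original post or of SSLeay: build the
# by_dir lookup directory that the X509_STORE directory lookup expects.
# CA certificates are found as <HASH>.<n>, CRLs as <HASH>.r<n>, where HASH
# is the hash of the CA's subject name (== the CRL's issuer name).

# link_by_hash DIR HASH FILE KIND
#   KIND is "cert" (suffix .0, .1, ...) or "crl" (suffix .r0, .r1, ...).
#   Like c_rehash, the suffix is incremented past names already taken by
#   other files, so several CAs or CRLs sharing one hash can coexist.
#   Prints the link it created and returns 0; prints the existing link and
#   returns 1 if FILE is already linked under this hash; returns 2 on misuse.
link_by_hash() {
    dir=$1; hash=$2; file=$3; kind=$4
    case $kind in
        cert) prefix="$dir/$hash." ;;
        crl)  prefix="$dir/$hash.r" ;;
        *)    echo "link_by_hash: kind must be cert or crl" >&2; return 2 ;;
    esac
    n=0
    # -L as well as -e so that a dangling link still counts as taken
    while [ -e "$prefix$n" ] || [ -L "$prefix$n" ]; do
        if [ "$(readlink "$prefix$n")" = "$file" ]; then
            echo "$prefix$n"
            return 1
        fi
        n=$((n + 1))
    done
    ln -s "$file" "$prefix$n" && echo "$prefix$n"
}

# name_hash FILE KIND: subject-name hash of a certificate or issuer-name
# hash of a CRL, as the lookup computes it.  Assumes 'openssl' on PATH.
name_hash() {
    case $2 in
        cert) openssl x509 -noout -hash -in "$1" ;;
        crl)  openssl crl  -noout -hash -in "$1" ;;
        *)    return 2 ;;
    esac
}

# install_crl DIR CACERT CRLFILE: create both links the post describes,
# HASH.<n> -> CA certificate and HASH.r<n> -> CRL, after checking that the
# CRL really belongs to that CA (same name hash).
install_crl() {
    dir=$1; cacert=$2; crlfile=$3
    h=$(name_hash "$cacert" cert) || return 1
    ch=$(name_hash "$crlfile" crl) || return 1
    if [ "$ch" != "$h" ]; then
        echo "install_crl: CRL issuer hash $ch does not match CA subject hash $h" >&2
        return 1
    fi
    link_by_hash "$dir" "$h" "$cacert" cert || true   # already linked is fine
    link_by_hash "$dir" "$h" "$crlfile" crl
}
```

Usage: `install_crl /path/to/certs cacert.pem current.crl`, then start s_server with `-CApath /path/to/certs` as in the post. Only `readlink`, `ln` and the shell are needed for `link_by_hash`; `openssl` is needed only to compute the hashes.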