It looks like we need to support indirect CRL Issuers at least for CRLs
issued for ourselves.

I have done most of the work. It looks like I don't quite know how to
generate CRLs with the indirect CRL issuer or I don't know how to
generate the CRL issuer's certificate using the root certificate.

So I have added the CRL issuer's cert to the trusted ones. But when I'm
trying to use the CRL I get stopped here:


crl_akid_check()
{
...
  if(X509_check_akid(...) ...)
// this is where it fails


and inside X509_check_akid()

...
        /* Check key ids (if present) */
        if(akid->keyid && issuer->skid &&
                 ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
                                return X509_V_ERR_AKID_SKID_MISMATCH;


There's definitely something I don't know about AKID's and how to set
them properly.

To help you out here are the certificates and CRLs (I have masked some
fields):

******* Our ROOT cert *************************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
        Validity
            Not Before: Jun  8 00:29:30 2010 GMT
            Not After : Jun  3 00:29:30 2030 GMT
        Subject: CN=TestMoregaRootCA, C=CA, O=TestMorega
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                    6c:68:70:a5:c1:7e:5e:b8:e4:82:ff:6d:c6:3
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
            X509v3 Authority Key Identifier:
                keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:00
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE



******** CRL Issuer Cert issued by the root ****************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20 (0x14)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=TestMoregaRootCA, C=CA, O=TestMorega
        Validity
            Not Before: Mar 16 18:31:26 2011 GMT
            Not After : Mar 11 18:31:26 2031 GMT
        Subject: C=CA, O=TestMorega, CN=TestMoregaCRLIssuer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                    1c:52:ce:81:2c:50:52:30:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
            X509v3 Authority Key Identifier:
                keyid:70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:00
            X509v3 Key Usage: critical
                Digital Signature, CRL Sign


******** A sample CRL issued by the Indirect CRL Issuer ****
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CA/O=TestMorega/CN=TestMoregaCRLIssuer
        Last Update: Mar 17 12:56:55 2011 GMT
        Next Update: Apr 16 12:56:55 2011 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:14
            X509v3 Issuing Distrubution Point: critical
                Full Name:
                  URI:http://localhost/
                Indirect CRL
            Authority Information Access:
                CA Issuers - URI:http://localhost/crlissuer.cer
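As an added illustration (not code from the post or from OpenSSL), the Python below reproduces the three comparisons X509_check_akid() makes, in OpenSSL's order (keyid against SKID, then serial, then issuer name), using the identifiers transcribed from the dumps above. It shows that the CRL's AKID matches the CRL issuer cert (serial 0x14) and fails with the SKID-mismatch result against the root. The dict layout and function names are this example's own.

```python
import re

# Identifiers transcribed from the three dumps above; the dict layout is
# this example's own, not an OpenSSL structure.
ROOT = {"issuer": "CN=TestMoregaRootCA, C=CA, O=TestMorega", "serial": 0x00,
        "skid": "70:8F:22:BC:D7:55:20:6E:00:D7:3A:D3:70:40:F5:49:91:20:90:60"}
CRL_ISSUER = {"issuer": "CN=TestMoregaRootCA, C=CA, O=TestMorega", "serial": 0x14,
              "skid": "7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6"}
CRL_AKID_TEXT = """
            X509v3 Authority Key Identifier:
                keyid:7F:AC:68:90:EE:3C:8B:7B:6D:0E:A0:71:68:BE:57:D0:45:42:E9:C6
                DirName:/CN=TestMoregaRootCA/C=CA/O=TestMorega
                serial:14
"""

# Result names mirror the OpenSSL error codes X509_check_akid() returns.
OK = "X509_V_OK"
SKID_MISMATCH = "X509_V_ERR_AKID_SKID_MISMATCH"
ISSUER_SERIAL_MISMATCH = "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"

def dn_tuple(dn):
    """Normalise the 'CN=a, C=b' and '/CN=a/C=b' spellings to one ordered tuple."""
    parts = re.split(r"\s*[/,]\s*", dn.strip().lstrip("/"))
    return tuple(tuple(p.split("=", 1)) for p in parts if p)

def hex_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def parse_akid(text):
    """Pull keyid / DirName / serial out of an 'openssl -text' style AKID block."""
    akid = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("keyid:"):
            akid["keyid"] = hex_bytes(line[6:])
        elif line.startswith("DirName:"):
            akid["issuer"] = dn_tuple(line[8:])
        elif line.startswith("serial:"):
            akid["serial"] = int(line[7:], 16)
    return akid

def check_akid(issuer_cert, akid):
    """Same checks, same order, as X509_check_akid(): keyid, serial, issuer name."""
    if "keyid" in akid and hex_bytes(issuer_cert["skid"]) != akid["keyid"]:
        return SKID_MISMATCH
    if "serial" in akid and akid["serial"] != issuer_cert["serial"]:
        return ISSUER_SERIAL_MISMATCH
    if "issuer" in akid and akid["issuer"] != dn_tuple(issuer_cert["issuer"]):
        return ISSUER_SERIAL_MISMATCH
    return OK

def crl_akid_against_candidates():
    """How the CRL's AKID fares against each certificate that might have signed it."""
    akid = parse_akid(CRL_AKID_TEXT)
    return {"root": check_akid(ROOT, akid), "crl_issuer": check_akid(CRL_ISSUER, akid)}
```

A CRL whose AKID passes only against a certificate that is not on the verified chain is exactly the indirect case the post is asking about, so this is a quick way to confirm which certificate a CRL is actually pointing at before looking at the verifier's path selection.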
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org