Re: [openssl-users] CRL signature verification
➢ I was more talking about the parsing. Currently I have 40 LOC [1] to

Look at X509_get1_ocsp which is in crypto/x509v3/v3_utl.c  That’s in 1.0.2 and later

➢ > X509_CRL_verify. And yes, looking through to find the serial# is what you have to do.
➢ That's 1.1-specific, correct?

Yes.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
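The flow Rich describes, as an added example that is not from the thread or from OpenSSL itself: pull the OCSP URL out of the certificate's AIA extension (what X509_get1_ocsp does), verify the CRL's signature before trusting anything in it (X509_CRL_verify), then search the CRL for the serial number. It uses the Python `cryptography` package (whose X.509 layer is an OpenSSL binding) rather than the C API, and the CA key, certificate, CRL, serial numbers and OCSP URL are all constructed in-process.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

# Constructed fixtures: a throwaway CA (not a real issuer) and a fixed clock.
CA_KEY = new_key()
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test CA")])
T0 = datetime.datetime(2017, 10, 18, tzinfo=datetime.timezone.utc)

def issue_cert(serial, ocsp_url):
    """Leaf certificate whose AIA extension names one OCSP responder."""
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf")]))
            .issuer_name(CA_NAME).public_key(CA_KEY.public_key()).serial_number(serial)
            .not_valid_before(T0).not_valid_after(T0 + datetime.timedelta(days=365))
            .add_extension(aia, critical=False).sign(CA_KEY, hashes.SHA256()))

def ocsp_urls(cert):
    """Equivalent of X509_get1_ocsp(): the OCSP URIs from the AIA extension, in order."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []  # no AIA: nothing to check against the whitelist, fall back to CRL
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]

def build_crl(revoked_serials):
    """A CRL signed by the constructed CA that lists the given serials as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(T0).next_update(T0 + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(T0).build())
    return b.sign(CA_KEY, hashes.SHA256())

def crl_status(crl, issuer_public_key, serial):
    """X509_CRL_verify() first, then the serial lookup: an unverified CRL says
    nothing, and treating it as 'good' would let anyone suppress a revocation."""
    if not crl.is_signature_valid(issuer_public_key):
        return "bad-signature"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"
```

The signature check must come before the serial search; a CRL that fails it should be treated as absent, not as proof that the certificate is good.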
Re: [openssl-users] CRL signature verification
Hi Rich,

On 18-10-17 17:46, Salz, Rich via openssl-users wrote:
> ➢ I used libcrypto to parse out the OCSP URL from the certificate, validate
> it against a whitelist of valid OCSP URLs, send an OCSP request and
> validate the response and its signature against a custom certificate
> store, and then parse out the result.
>
> Two points on that:
> ➢ - This seems like something that should be in libcrypto rather than in
> my own code. Did I miss something obvious?
>
> We generally don’t do any kind of network traffic (except SSL) and would
> rather leave that up to the application. Especially because there are all
> sorts of other frameworks, blocking issues, DNS, etc., that make things a
> non-simple matter.

Sorry, I should have been clearer. I didn't mean the HTTP requests etc. I
agree that that should not be done by libcrypto.

I was more talking about the parsing. Currently I have 40 LOC [1] to find
the OCSP URL from a certificate; it seems to me that that's a lot of stuff
that I shouldn't have to be doing, and that asking OpenSSL to parse out
that URL (or really, any other X.509v3 extension's data) should not be too
complicated. Perhaps I missed the call that I should have been using,
though ;-)

[1] https://github.com/Fedict/eid-mw/blob/master/plugins_tools/eid-viewer/verify.c#L89-L129

> ➢ - Currently I don't fall back to CRLs when the OCSP server is
> unavailable. I would like to do so; however, I can't figure out how to
> validate the signature on a CRL (which would be a pretty obvious
> failure). Alternatively, is there an obvious alternative thing that I
> should be doing, rather than manually parsing the CRL?
>
> X509_CRL_verify. And yes, looking through to find the serial# is what you
> have to do.

That's 1.1-specific, correct?

--
Wouter Verhelst
Re: [openssl-users] CRL signature verification
➢ I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result.

Two points on that:

➢ - This seems like something that should be in libcrypto rather than in my own code. Did I miss something obvious?

We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application. Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

➢ - Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure). Alternatively, is there an obvious alternative thing that I should be doing, rather than manually parsing the CRL?

X509_CRL_verify. And yes, looking through to find the serial# is what you have to do.
[openssl-users] CRL signature verification
Hi,

I have an application which wants to do verification of a certificate. Not in the context of a context or a signature, but simply to verify if the certificates are still valid and from a source that is correct in the context in which the application runs.

I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result.

Two points on that:

- This seems like something that should be in libcrypto rather than in my own code. Did I miss something obvious?

- Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure). Alternatively, is there an obvious alternative thing that I should be doing, rather than manually parsing the CRL?

Thanks,

--
Wouter Verhelst