admin管理员组

文章数量:1201032

I'm following this guide to check for CRL revocation for all the certificates in the certificate chain:

This is the relevant part from the above guide:

#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

/* Retrieve the server's certificate chain from the OpenSSL connection. */
/* Another option: SSL_get0_verified_chain() */
STACK_OF(X509) *cert_chain_stack = SSL_get_peer_cert_chain(s_connection);
if (cert_chain_stack == NULL) {
    exit(EXIT_FAILURE);
}
int cert_chain_stack_size = sk_X509_num(cert_chain_stack);

/* Check that the certificate chain contains at least 2 certificates. */
if (cert_chain_stack_size < 2) {
    exit(EXIT_FAILURE);
}

/* Check the revocation status for every certificate from the chain (except the root one). */
X509 *certificate;
X509 *issuer_certificate;
for (int index = 0; index < cert_chain_stack_size - 1; index++) {
    certificate = sk_X509_value(cert_chain_stack, index);
    issuer_certificate = sk_X509_value(cert_chain_stack, index+1);

    /* Download all the possible CRL lists for each certificate in the chain */
    /* and verify that the certificate is not included in one of the downloaded CRLs. */
    /* This procedure is demonstrated in the following steps. */
}

Now, AFAIK the server does not send the Root certificate of the certificate chain (since it'll be meaningless). Thus, the SSL_get_peer_cert_chain(s_connection) call would not contain the root certificate.

The issue here is if the certificate being checked is issued by the Root CA, then an issuer mapping could not be created and thus, the CRL verification cannot be performed.

This seems like an off-by-one error in the guide.

My question is, how do I perform a CRL check for a certificate that's been issued by the Root CA?

From the code snippet above it would fail when:

  1. End entity issued by Root CA (cert_chain_stack will be 1).
  2. The intermediate certificate being checked is issued by Root CA. (index < cert_chain_stack_size - 1 condition would fail).

本文标签: cOpenSSLHow to check for CRL revocation for a certificate issued by a Root CAStack Overflow

版权声明:本文标题:c - OpenSSL - How to check for CRL revocation for a certificate issued by a Root CA - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1738569575a2100511.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。