On Wed, Apr 13, 2005, Eddy Tan wrote:

> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> > > Certificate Revocation List (CRL):
> > >         Issuer: /C=AU/O=SecureNet Limited/CN=SecureNet Health OCA
> > >         CRL extensions:
> > >             X509v3 CRL Number:
> > >                 57775
> > >             X509v3 Authority Key Identifier:
> > >                 keyid:4F:AA:A5:B6:A9:E2:EF:B6
> [...snip...]
> >
> > That's Issuer Distribution Point (IDP).
>
> what does IDP mean?
>
See RFC3280 et al. In general IDP needs quite a bit of work to handle. It
can (for example) imply that multiple CRLs need to be checked to determine
the revocation status or it is signed by a certificate other than the CA.

That's one reason why it is rejected: because OpenSSL doesn't support the
extension it might end up giving a false positive (because it hadn't checked
all the CRLs) or signature verification failure (because it isn't using the
correct certificate to verify the CRL signature).

> > Unfortunately adding full support for that CRL extension
> > is not easy.
>
> Does it say, it's not possible to verify user certificate using
> that CRL? if so, how do we check if the certificate has been
> revoked?
>

Well it would normally mean that OpenSSL can't use that CRL but see below...

> > Can you send me that CRL?
>
> Attached with this email (in PEM format).
>

Thanks. Now if we look at this CRL using asn1parse.

109402:d=5  hl=2 l=   3 prim: OBJECT            :2.5.29.28
109407:d=5  hl=2 l=   1 prim: BOOLEAN           :255
109410:d=5  hl=2 l=   2 prim: OCTET STRING

then using -strparse 109410:

    0:d=0  hl=2 l=   0 cons: SEQUENCE

This is not the cleverest thing for them to do. What it is effectively
saying is that IDP is present but it doesn't have any influence on the CRL
at all. They could get exactly the same effect by omitting IDP entirely
without causing interop problems.

So *in this case* that critical extension can be safely ignored.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
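The asn1parse output Steve quotes describes one X.509 Extension: OID 2.5.29.28 (id-ce-issuingDistributionPoint), a BOOLEAN 255 marking it critical, and a two-byte OCTET STRING whose content `-strparse` shows to be an empty SEQUENCE. The following is an added example, not code from the thread or from OpenSSL: it reconstructs that extension's DER bytes from the quoted output (the bytes are constructed for the example, not copied from the real CRL), decodes it with a small DER TLV reader, and reports whether the IDP body is empty, which is the condition under which Steve says the critical extension can be ignored. A second constructed extension, an IDP carrying `onlyContainsCACerts [2] TRUE`, shows the case a verifier must not ignore. The function and constant names are this example's own.

```python
"""Classify a critical issuingDistributionPoint CRL extension by its contents.

Reconstructs the extension seen in the openssl asn1parse output quoted in the
thread and checks whether its body is an empty SEQUENCE (no constraints).
"""

IDP_OID = "2.5.29.28"  # id-ce-issuingDistributionPoint (RFC 3280 / RFC 5280)

# Constructed DER for the extension from the asn1parse listing:
#   SEQUENCE {
#     OBJECT IDENTIFIER 2.5.29.28     -> 06 03 55 1d 1c
#     BOOLEAN TRUE (critical)         -> 01 01 ff
#     OCTET STRING { SEQUENCE { } }   -> 04 02 30 00   (what -strparse showed)
#   }
EMPTY_IDP_EXT = bytes.fromhex("300c" "0603551d1c" "0101ff" "04023000")

# Constructed counter-example: same extension, but the IDP body carries
# onlyContainsCACerts [2] BOOLEAN TRUE, so it really does constrain the CRL.
CA_ONLY_IDP_EXT = bytes.fromhex("300f" "0603551d1c" "0101ff" "04053003" "8201ff")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).

    Handles short-form and long-form lengths, which covers any extension."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def decode_oid(raw):
    """Convert OID content octets to dotted form (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extension(der):
    """Parse one Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }.

    Returns (oid string, critical flag, extnValue content bytes)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_raw, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional critical BOOLEAN (asn1parse printed 255 = TRUE)
        critical = val == b"\xff"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_raw), critical, val


def idp_is_empty(ext_der):
    """True when the extension is an IDP whose IssuingDistributionPoint
    SEQUENCE has no elements, i.e. it places no constraint on the CRL."""
    oid, _critical, extn_value = parse_extension(ext_der)
    if oid != IDP_OID:
        return False
    tag, idp_body, _ = read_tlv(extn_value, 0)  # mirrors -strparse on the OCTET STRING
    return tag == 0x30 and len(idp_body) == 0


def classify(ext_der):
    """Defender-side verdict: 'ignorable', 'must-handle', or 'not-idp'."""
    oid, critical, _ = parse_extension(ext_der)
    if oid != IDP_OID:
        return "not-idp"
    if idp_is_empty(ext_der):
        return "ignorable"           # present but meaningless, as in the thread
    return "must-handle"             # scope restrictions apply; reject if unsupported


if __name__ == "__main__":
    for name, ext in (("empty IDP", EMPTY_IDP_EXT), ("CA-only IDP", CA_ONLY_IDP_EXT)):
        oid, crit, _ = parse_extension(ext)
        print(f"{name}: oid={oid} critical={crit} -> {classify(ext)}")
```

The `read_tlv` call on the OCTET STRING content does what `openssl asn1parse -strparse 109410` did in the thread: it steps inside the extnValue and decodes the IssuingDistributionPoint SEQUENCE that lives there. A verifier that cannot implement IDP scope rules should only take the `ignorable` path on an empty body; anything else (a distributionPoint name, `onlyContainsUserCerts`, `onlyContainsCACerts`, `onlySomeReasons`, `indirectCRL`) changes which certificates the CRL covers or who signed it, and treating such a CRL as authoritative risks exactly the false "not revoked" answer Steve describes.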