Arsen Hayrapetyan writes:
Hello all,
I have a question that comes from a real-life situation.
Suppose you have a CA that signed a CSR and produced a certificate for
some user.
After some time the CA revokes that certificate. Then that user sends
a new CSR to the CA.
The policy of the CA does not permit it to sign a CSR generated using a
key which has been revoked (well, the corresponding certificate has been
revoked). How can the CA verify that the new CSR hasn't been signed
with the old (revoked) key? Is there an elegant method? One option is to
get out a public key both from CSR and from (possibly all!) revoked
certificates and compare them. If there is a match then CA rejects a CSR
as not matching its policy. But this method is too cumbersome. Is
there some option to a verification command (say openssl req -verify
...) to verify a CSR which allows one to pass directories or files that
contain a list of untrusted certificates?

A quick solution (which seems a bit complicated because 'openssl req' has no way to print the key fingerprint): Have a file with public key hashes for all revoked certificates, say 'revoked-hash.txt'. It's fairly easily generated by doing the following when revoking a certificate (in addition to doing 'openssl x509 -revoke ...'):

  # -noout keeps the certificate body out of the digest, so only the PEM
  # public key is hashed; sed strips the "(stdin)= " prefix openssl prints
  openssl x509 -pubkey -noout -in {certfile} | \
    openssl sha1 -hex | sed 's/^.*= //' >> revoked-hash.txt

Comparing is just as easy:

  CSRHASH=`openssl req -pubkey -noout -in {csrfile} | \
           openssl sha1 -hex | sed 's/^.*= //'`
  # whole-line, fixed-string match against the revoked key hashes
  if grep -qxF -- "$CSRHASH" revoked-hash.txt; then
    : # refuse
  else
    : # sign
  fi

That's Unixly shell, of course. You will need to translate it if you don't do this on Unix... Also, I haven't tested the above code. You will have to do that yourself. All I wanted was to give you something to draw inspiration from...
-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
--
Richard Levitte                         [EMAIL PROTECTED]
http://richard.levitte.org/
"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
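The check discussed in this thread, written out as a complete script. This is an added example, not the code from the list post: it keeps a deny list of public-key fingerprints taken from revoked certificates and refuses any CSR whose key is on that list. It assumes the openssl command-line tool is on PATH; the file names, the SHA-256 digest (the post used sha1) and the constructed demo keys are illustrative choices.

```shell
#!/bin/sh
# Added example (not the list post's code): refuse CSRs that reuse a key
# from a revoked certificate. Assumes 'openssl' is on PATH.
set -eu

# Digest of the PEM-encoded SubjectPublicKeyInfo. -noout keeps the certificate
# or request body out of the digest, so a cert and a CSR that carry the same
# key hash identically. The "(stdin)= " prefix openssl dgst prints is stripped.
spki_hash() {                       # $1 = x509 | req, $2 = file
    openssl "$1" -in "$2" -pubkey -noout | openssl dgst -sha256 | sed 's/^.*= //'
}

# Run alongside 'openssl ca -revoke': append the revoked key's fingerprint.
record_revoked_key() {              # $1 = certificate file, $2 = hash list
    spki_hash x509 "$1" >> "$2"
}

# Exit status 0: key not on the list (OK to sign); 1: refuse.
# The CSR's self-signature is checked first so the requester proves possession.
csr_key_is_fresh() {                # $1 = CSR file, $2 = hash list
    openssl req -in "$1" -verify -noout >/dev/null 2>&1 || return 1
    h=$(spki_hash req "$1")
    grep -qxF -- "$h" "$2" && return 1
    return 0
}

# Constructed demo material (hypothetical names): an old key whose certificate
# gets "revoked", a CSR that reuses that key, and a CSR with a fresh key.
# Prints the temporary directory it created.
make_demo_material() {
    d=$(mktemp -d)
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/old.key" >/dev/null 2>&1
    openssl req -new -x509 -key "$d/old.key" -subj "/CN=old user" -days 1 \
        -out "$d/old.crt" >/dev/null 2>&1
    openssl req -new -key "$d/old.key" -subj "/CN=reused key" \
        -out "$d/reuse.csr" >/dev/null 2>&1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/new.key" >/dev/null 2>&1
    openssl req -new -key "$d/new.key" -subj "/CN=fresh key" \
        -out "$d/fresh.csr" >/dev/null 2>&1
    echo "$d"
}

# Demo: revoke old.crt, then decide both CSRs.
d=$(make_demo_material)
list="$d/revoked-hash.txt"
: > "$list"
record_revoked_key "$d/old.crt" "$list"
for csr in "$d/reuse.csr" "$d/fresh.csr"; do
    if csr_key_is_fresh "$csr" "$list"; then
        echo "sign:   $csr"
    else
        echo "refuse: $csr"
    fi
done
rm -rf "$d"
```

Because the fingerprint is taken over the SubjectPublicKeyInfo rather than the certificate, the same list catches a revoked key resubmitted under a different subject name, and the list only grows by one line per revocation, so the lookup stays a single grep rather than a scan of every revoked certificate.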