Thanks for the clarification David. Your help is much appreciated. David von Oheimb <d...@ddvo.net>, 31 Ağu 2021 Sal, 08:50 tarihinde şunu yazdı:
> Hello Dennis, > > here are answers to your questions. > > > - All CRL signatures are (by default) verified - otherwise status > checking by CRLs would be insecure. The function used is def_crl_verify() > in crypto/x509/x_crl.c > - All CRLs are kept in the X509_STORE such that they can be reused for > multiple cert verification calls, which typically have their own > X509_STORE_CTX. > When the cert chain has been build during verification of the target > cert, > the public keys of the intermediate (untrusted, but then verified) CA > certs are used to verify the CRL signatures. > - One needs to interpret "Untrusted objects should not be added in > this way." in the context of the preceding sentence : > "X509_STORE_add_cert() and X509_STORE_add_crl() add the respective > object to the X509_STORE's local storage." > Certs can be trusted or not, but CRLs are not trusted by themselves. > So the above sentence is in fact a bit misleading > and should better be re-phrased to: "Untrusted certificates should not > be added in this way." > > Regards, > > David > On 28.08.21 03:52, bl4ck ness wrote: > > Hello, > > I'm trying to use OpenSSL to validate a certificate chain with CRLs. To > achieve this, I create a X509_STORE and add trusted (root) certificates > into it via X509_STORE_add_cert(). I also add CRLs published by root and > intermediate CAs into the store using X509_STORE_add_crl(). Then I create a > X509_STORE_CTX for this store and using X509_STORE_CTX_init() function I > set intermediate certs via its chain parameter and target (leaf) cert via > its x509 parameter. > > When I verify cert chain using X509_verify_cert: > > - Are these CRLs checked for a valid digital signature (both CRLs root > & intermediate) ? > - Since store should only contain trusted root certificates why should > I add CRLs published by intermediate certificates into the store but not to > somewhere else (for example ctx)? > - Documentation for X509_STORE_add_crl "Untrusted objects should not > be added in this way". What does this mean? > > > Dennis K. > >
