 

OpenSSL C API CRL check

I'm trying to write a certificate path validation test using the OpenSSL C API. I'm currently stuck at testing for revoked intermediate (CA) certs. There are two test cases: 1. EndCert is revoked and 2. SubCACert is revoked. The part of my code:

X509_CRL *crl = NULL;   /* PEM_read_X509_CRL returns an X509_CRL, not an X509 */
FILE *fl = NULL;
int i;
for (i = 0; i < crl_count; i++) {
    fl = fopen(pem_crl_files[i], "r");
    if (fl == NULL) { /* handle error: CRL file could not be opened */ }
    crl = PEM_read_X509_CRL(fl, NULL, NULL, NULL);
    fclose(fl);
    if (crl == NULL) { /* handle error: file is not a PEM CRL */ }
    X509_STORE_add_crl(store, crl);   /* the store takes its own reference */
    X509_CRL_free(crl);               /* drop ours so the CRL is not leaked */
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);

So now when I use the X509_V_FLAG_CRL_CHECK flag, test case 1 works out fine, test case 2 fails (returns cert is valid). If I use the X509_V_FLAG_CRL_CHECK_ALL flag, cases 1 and 2 both fail. Does anyone know what I missed?

guest123 asked Oct 22 '25 05:10


1 Answer

The behavior of this setting is slightly different from what the documentation suggests:

  • X509_V_FLAG_CRL_CHECK enables CRL checking. If this option is off, no checking will be done.
  • If X509_V_FLAG_CRL_CHECK_ALL is also set the whole chain will be checked, otherwise only the leaf certificate.

This means you need to set both: X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL.

The relevant code from OpenSSL 1.0.1e, file crypto/x509/x509_vfy.c:

669 static int check_revocation(X509_STORE_CTX *ctx)
670         {
671         int i, last, ok;
672         if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
673                 return 1;
674         if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
675                 last = sk_X509_num(ctx->chain) - 1;

As you can see, it will skip the whole revocation check in lines 672,673 if X509_V_FLAG_CRL_CHECK is not set.

Steffen Ullrich answered Oct 24 '25 20:10
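An added check, not code from the question or the answer, that reproduces the poster's second test case with the openssl command-line tool, whose -crl_check and -crl_check_all options set the same X509_V_FLAG_CRL_CHECK / X509_V_FLAG_CRL_CHECK_ALL flags discussed above. It builds a constructed root, sub-CA and leaf chain in a temporary directory, revokes the sub-CA on the root's CRL, and verifies the leaf both ways; it assumes a modern openssl binary (1.1.1 or 3.x) on PATH.

```shell
# Added example: constructed three-tier PKI, verified with the openssl CLI.
# -crl_check checks only the leaf; -crl_check_all checks the whole chain.
set -e
cd "$(mktemp -d)"
mkca() {  # $1 = CA directory; builds the "openssl ca" database and config for it
  mkdir -p "$1/certs"; : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ca]
default_ca = d
[d]
dir = ./$1
database = \$dir/index.txt
new_certs_dir = \$dir/certs
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = p
[p]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
}
mkca root; mkca sub
q() { "$@" >/dev/null 2>&1; }   # silence the tool's chatter; set -e still stops on failure
q openssl req -x509 -newkey rsa:2048 -nodes -keyout root/ca.key -out root/ca.crt -subj /CN=Root -config root/ca.cnf -extensions ca_ext -days 365
q openssl req -new -newkey rsa:2048 -nodes -keyout sub/ca.key -out sub.csr -subj /CN=Sub -config root/ca.cnf
q openssl ca -batch -notext -config root/ca.cnf -extensions ca_ext -in sub.csr -out sub/ca.crt
q openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr -subj /CN=Leaf -config root/ca.cnf
q openssl ca -batch -notext -config sub/ca.cnf -in ee.csr -out ee.crt
# Test case 2 from the question: revoke the intermediate, not the leaf.
q openssl ca -config root/ca.cnf -revoke sub/ca.crt
q openssl ca -config root/ca.cnf -gencrl -out root.crl
q openssl ca -config sub/ca.cnf -gencrl -out sub.crl   # empty, but every issuer in the chain needs a CRL
cat root.crl sub.crl > all.crl
verify_leaf() {  # prints "valid" or "revoked" for the leaf under the given CRL option(s)
  if openssl verify -CAfile root/ca.crt -untrusted sub/ca.crt -CRLfile all.crl "$@" ee.crt >/dev/null 2>&1
  then echo valid; else echo revoked; fi
}
verify_leaf -crl_check        # only the leaf is checked against sub.crl: valid
verify_leaf -crl_check_all    # Sub is found on root.crl: revoked
```

The second result is the one the poster's test expects; the first shows why X509_V_FLAG_CRL_CHECK alone passes a chain whose intermediate has been revoked.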


