With the OpenSSL library, how do I check whether the peer certificate is revoked or not? From what I googled:
What OpenSSL APIs do I use to accomplish this? Also, is this the right way of checking if the certificate is revoked or not?
Unfortunately the CRL verification API in OpenSSL isn't very high-level, so you have to code many operations yourself.
For a brief overview of what is needed:
Of course this should be done after checking that the certificate itself is "valid" in the sense that it is issued by a trusted (or trustworthy) CA, that it has the right usage extensions, and that it (along with its trust chain) is within its validity period. OpenSSL has some low- and mid-level functions to help with that.
Some additional details that might complicate things for a completely generic implementation:
RFC 5280 describes the complete PKIX validation algorithm. You don't have to implement everything, but it's a good reference to check that you don't forget something important. You should look at the mod_ssl module (contained in the Apache httpd server) for an implementation that checks CRLs locally and implements OCSP checking.
If you know in advance which CAs you trust (from a security point of view it's better), then you could have a cron job downloading and updating the CRLs. This would save you from implementing the part about locating/downloading/caching CRLs inside your program.
Check this thread:
Does OpenSSL automatically handle CRLs (Certificate Revocation Lists) now?
The X509_STORE supports CRL handling. You can extract the CRL from the X509 cert with the PEM_read_bio_X509_CRL command, which is not explained in the link.