
I am programming a certificate revocation check using the CRL that is present in the verified certificate. For the check, I also need the issuer certificate.

Where can I find the URL address for the issuer?

I know that I can get the name of the issuer using this function:

X509_NAME *X509_get_issuer_name(const X509 *);

But I need to get the URL from which I can get the issuer certificate, to call the X509_CRL_verify(X509_CRL *, EVP_PKEY *) function.

jww
Dracke
  • You might want to refrain from accepting an answer. Off-site links are not really considered answers on Stack Overflow. No one has provided you with the code for that portion of the task. – jww Apr 26 '17 at 12:54

1 Answer


There is no such thing as a URL for an issuer and I don't see why you need one. For CRL checks you need instead the CRL distribution points which are contained in the original certificate. See C++ Check CRL For Revocation for code which is using X509_get_ext_d2i with NID_crl_distribution_points to extract this information from the certificate.

Steffen Ullrich
  • That is the exact source code I was looking at. Though there is the function is_revoked_by_crl(X509 *x509, X509 *issuer, X509_CRL *crl_file) which needs the X509 file of the issuer. The only thing I have is the whole chain of certificates from the machine I am on. – Dracke Apr 25 '17 at 08:55
  • @Dracke: so you don't need the URL of the issuer but the certificate of the issuer, which is very different, i.e. link vs. actual data. In order to use a CRL signed by the issuer you need to trust the issuer already which means that the certificate should be in your trust store (i.e. usually special file or directory with openssl). You get this certificate if you build the certificate chain which you should do anyway to validate the certificate. See [Programmatically verify certificate chain using OpenSSL API](https://stackoverflow.com/questions/16291809/) for details. – Steffen Ullrich Apr 25 '17 at 09:23
  • Is it alright to skip the crl revocation with the issuer parameter if I am making the verification of the input certificate anyway? – Dracke Apr 25 '17 at 09:27
  • @Dracke: No, you cannot skip it. Path validation just checks if the certificate is issued by a trusted CA, CRL/OCSP checks if this CA has revoked the certificate later. And of course you should also check that the subject of the certificate matches the expectation (i.e. hostname of URL in case of HTTPS server certificate). And expiration time, and key usage... – Steffen Ullrich Apr 25 '17 at 10:14
  • How can I extract the issuer certificate from the chain to check if he revoked the certificate later? Or can I use the whole chain in the X509* issuer place? Because if I do, I am getting the -1 answer, which means that it cannot be answered. – Dracke Apr 25 '17 at 10:26
  • @Dracke: It's too complex for a comment and it is actually no longer about what you asked originally. But I recommend having a look at [apps/verify.c](https://github.com/openssl/openssl/blob/master/apps/verify.c) from the OpenSSL source code, especially at the function `check` there. There you can see how the certificate is checked (using `X509_verify_cert`) and how the chain is extracted (look for `show_chain`). – Steffen Ullrich Apr 25 '17 at 11:17