Using openssl to check if root certificate in PKCS#7 is revoked












Here's the PKCS7_verify signature taken from the C/C++ library:

    int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                     BIO *indata, BIO *out, int flags);

It can be used with a PKCS7 block (p7) and the section that it is supposed to sign (indata).

I wonder how this check detects if one of the certificates in the chain is revoked...

From what I know, a revocation check can only be made by matching against another certificate outside the PKCS7 block which is marked as revoked.

I checked the function arguments and found one that represents the store of trusted certificates.

This argument should hold the certificate which is the issuer of the lowest certificate in the PKCS7 chain. So my guess is that if this certificate is marked as revoked, we fail the check with a revocation reason...

But what if another certificate higher in the chain is revoked? How do I provide this piece of information to PKCS7_verify?

Or perhaps there's another OpenSSL method that decides whether a certificate in the chain is revoked or not?

UPDATE:

I've found an alternative way to check whether a certificate is revoked. In the example below we can see that revoked-test.pem is identified as revoked by matching against the list in crl_chain.pem. How can I do it programmatically?

    openssl verify -crl_check -CAfile crl_chain.pem revoked-test.pem
    revoked-test.pem: OU = Domain Control Validated, OU = PositiveSSL, CN = xs4all.nl
    error 23 at 0 depth lookup:certificate revoked

Thanks










Tags: c++ c openssl x509certificate pkcs#7






asked Nov 21 '18 at 9:07 by Zohar81
edited Nov 22 '18 at 18:24
          1 Answer
Most of the rules of certification path validation are set in the X509_STORE structure you are passing to the PKCS7_verify function.

This example shows how to build a complete X509_STORE and explains how to activate CRL validation in the X509_STORE. (The example is good for setting up CRL validation but not for certificate chain handling.)

The core functions are:

• X509_STORE_set_flags
• X509_STORE_add_crl
• X509_STORE_add_lookup

You use X509_STORE_set_flags to tell the certificate store to perform CRL validation. The flags you need are: X509_V_FLAG_CRL_CHECK_ALL | X509_V_FLAG_CRL_CHECK. You can find all flags here.

You use X509_STORE_add_crl to add CRLs for the validation. The CRL doesn't need to be from a root CA.

As an option to X509_STORE_add_crl, you have X509_STORE_add_lookup, to add a function to look up CRLs in any place (e.g. file system, database, URLs, etc.).

When performing the chain validation, OpenSSL will use the CRLs and lookup functions in the X509_STORE to validate all certificates in the chain. If any certificate in the chain is revoked, an error is returned.

It's important to add that the X.509 certification path validation specification doesn't include the validation of trust anchors (usually root certificates). All certificates in the chain under the trust anchor have to be verified, but the trust anchor is trusted because the verifier set it as so (i.e. the trust anchor validation is done out-of-band by the verifier).






• Hi and thanks a lot for your response. I've read carefully through the article you provided, but I still cannot figure out how we should detect if one of the certificates in the chain is revoked (not the root one). The store contains only a list of root certificates, so it must be that PKCS7_verify gets this information otherwise... perhaps you can elaborate some theoretical explanation as well? Thanks again!
  – Zohar81
  Nov 25 '18 at 7:08










• The X509_STORE also contains the CRLs to be used in the validation and the lookup functions to look up CRLs. I updated the answer to point that out.
  – Lucas Martins
  Nov 25 '18 at 11:29













answered Nov 23 '18 at 22:39 by Lucas Martins
edited Nov 25 '18 at 11:09











