Question

Given a certain CRL, for example:

http://crl.verisign.com/pca1.crl

Downloading it, and asking openssl to verify it and show its contents works like a charm:

wget http://crl.verisign.com/pca1.crl
openssl crl -in ./pca1.crl -inform DER -text
verify OK
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
        Last Update: Nov 22 00:00:00 2011 GMT
        Next Update: Mar 21 23:59:59 2012 GMT
...
[truncated]

Is there a way to find out which CA certificate validated that this CRL's authenticity?

Or is the only way to loop over the certificates in the certificate store, and try them one by one until a match is hit?

Solution

Easy way is to check the output of:

curl --silent http://crl.verisign.com/pca1.crl |openssl crl  -inform DER -noout -issuer

which will be something like:

issuer=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority

as that will tell you the issuer, i.e., the entity which signed the CRL, not necessarily the entity which issued the certs which were revoked (though usually it is).

You can go a step further and verify this with:

 curl --silent -o PCA-1.pem http://www.verisign.com/repository/roots/root-certificates/PCA-1.pem
 curl --silent http://crl.verisign.com/pca1.crl |\
      openssl crl -inform DER -noout -CAfile PCA-1.pem

and check that you see a

 verify OK

Or alternatively - if you have a cert store - look for an Issuer with a DN identical to the one you found with the issuer; and then check the signature (comparing the DNs is not good enough - someone could have inserted a fake/self-signed with that DN).

I do not think you can do much better than that as a lot of CAs, including Verisign, do not decorate their CRL with identifiers (you can confirm this with curl --silent http://crl.verisign.com/pca1.crl |openssl asn1parse -inform DER). So you are really down to extracting the DN, finding a DN by string comparison on your stash and then checking the signature. And ideally go as far as actually comparing against the part of the DN which is actually signed by the signature; as a nefarious entry could in theory make DNs of which little (e.g. just the country) is signed (and thus allowing last minute changes/matchings).
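The "loop over the store, match the DN, then check the signature" procedure from this answer, as an added example that is not part of the original answer: it builds a throwaway CA, a decoy self-signed certificate that reuses the CA's exact DN, and a CRL, then shows that only the signature check tells the real signer apart from the decoy. It assumes the openssl CLI is installed; all names, DNs and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the openssl CLI.
# Constructed material: a throwaway CA, a decoy self-signed cert reusing the CA's
# exact DN, an unrelated CA, and a CRL signed by the real CA, all in a temp dir.
set -eu
cd "$(mktemp -d)"
mkdir store
DN="/C=XX/O=Example Corp/CN=Example Root CA"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$DN" \
    -keyout ca.key -out store/real-ca.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$DN" \
    -keyout decoy.key -out store/decoy-ca.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
    -keyout other.key -out store/other-ca.pem 2>/dev/null
# Minimal 'openssl ca' setup: an empty index is enough to issue an empty CRL.
: > index.txt
printf '[ca]\ndefault_ca = local\n[local]\ndatabase = index.txt\n' > ca.cnf
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert store/real-ca.pem \
    -md sha256 -crldays 30 -out crl.pem 2>/dev/null

# find_crl_signer CRL_FILE STORE_DIR
# Prints the store certificate whose subject equals the CRL issuer DN *and*
# whose key verifies the CRL signature; returns 1 if none does.
find_crl_signer() {
    crl=$1; dir=$2
    issuer=$(openssl crl -in "$crl" -noout -issuer | sed 's/^issuer=//')
    for cert in "$dir"/*.pem; do
        subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
        # DN match is only a pre-filter: the decoy passes it as well.
        [ "$subject" = "$issuer" ] || continue
        # The signature check is what actually identifies the signer
        # (openssl crl prints its verdict on stderr, so merge the streams).
        if openssl crl -in "$crl" -noout -CAfile "$cert" 2>&1 | grep -q 'verify OK'; then
            echo "$cert"
            return 0
        fi
    done
    return 1
}

find_crl_signer crl.pem store   # prints store/real-ca.pem, not the decoy
```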

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow