How to validate a CRL

Asked by Randall Smith on 2011-05-16

How does one validate the signature of a CRL using pyOpenSSL?

Question information

Language:
English Edit question
Status:
Answered
For:
pyOpenSSL Edit question
Assignee:
No assignee Edit question
Last query:
2011-05-16
Last reply:
2011-05-17
Jean-Paul Calderone (exarkun) said : #1

As of 0.12, pyOpenSSL only provides four APIs related to CRLs. One for loading a CRL from a file. One for adding a certificate to the list of revoked certificates represented by the CRL. One for enumerating the certificates in that same list. And lastly, one for exporting the CRL as bytes in some format.

Conspicuously, you will notice the absence of any APIs dealing with signatures or verification. So I think that the OpenSSL APIs which might do what you want are not wrapped by pyOpenSSL at this time.

Adi Roiban (adiroiban) said : #2

Good question.

At first I was thinking that CRL signature is checked at load time, but it looks I was wrong.

Randall, do you know what openSSL calls are required for signing a CRL?

I think that I could check the source code for `openssl crl -CAfile` and see what calls are made to verify the CRL.

A wild guess would be that you can load the CRL as a normal certificate and then check its signature.

Cheers,

Can you help with this problem?

Provide an answer of your own, or ask Randall Smith for more information if necessary.

To post a message you must log in.