Arm Mbed OS support forum

Verify CRL signature against trust CA

Hi All,

I would like to do something similar to openssl crl -in crl.pem -CAfile ca.pem (see stackOverflow) with Mbed TLS. I don’t see a method for verifying a CRL (e.g. mbedtls_x509_crl_verify()).

The use-case I’m trying to implement is:

  1. Upload CRL to device
  2. Verify that the uploaded CRL is signed by the trust CA

Is there a way to implement this use-case? (mbedtls_x509_crt_verify() requires a certificate, which may not be available.)

Thanks in advance,
…doug

Hi All,

I was able to verify CRL signature against trust CA with the following sequence:

mbedtls_x509_crl_parse(&crl, buf, sz)
mbedtls_x509_crt_parse(&ca, buf, sz)
md_info = mbedtls_md_info_from_type(crl.sig_md)
mbedtls_md(md_info, crl.tbs.p, crl.tbs.len, hash)
mbedtls_pk_verify_ext(crl.sig_pk, crl.sig_opts, &ca.pk, crl.sig_md, hash, 
                                                   mbedtls_md_get_size(md_info), crl.sig.p, crl.sig.len)

Regards,
…doug