Verify CRL signature against trust CA

dkehn · July 9, 2020, 9:06pm

Hi All,

I would like to do something similar to openssl crl -in crl.pem -CAfile ca.pem (see stackOverflow) with Mbed TLS. I don’t see a method for verifying a CRL (e.g. mbedtls_x509_crl_verify()).

The use-case I’m trying to implement is:

Upload CRL to device
Verify that the uploaded CRL is signed by the trust CA

Is there a way to implement this use-case? (mbedtls_x509_crt_verify() requires a certificate, which may not be available.)

Thanks in advance,
…doug

dkehn · July 30, 2020, 3:51pm

Hi All,

I was able to verify CRL signature against trust CA with the following sequence:

mbedtls_x509_crl_parse(&crl, buf, sz)
mbedtls_x509_crt_parse(&ca, buf, sz)
md_info = mbedtls_md_info_from_type(crl.sig_md)
mbedtls_md(md_info, crl.tbs.p, crl.tbs.len, hash)
mbedtls_pk_verify_ext(crl.sig_pk, crl.sig_opts, &ca.pk, crl.sig_md, hash, 
                                                   mbedtls_md_get_size(md_info), crl.sig.p, crl.sig.len)

Regards,
…doug

Topic		Replies	Views
Mbedtls_x509_crt_verify fails while verifying self-signed CA Crypto and SSL questions mbed_tls	0	957	January 3, 2022
Certificate parsing to mbedtls_x509_crt to char buffer Crypto and SSL questions mbed_tls	3	4048	March 7, 2019
Verify a certificate with a list of untrusted intermediate certificates Generic	1	971	July 8, 2018
Program stops execution on the mbedtls_x509_crt_verify() call Mbed TLS mbed_tls	3	257	July 14, 2023
Differenciate a CA and a user certificate Mbed TLS	2	314	April 9, 2019

Verify CRL signature against trust CA

Related Topics