1 (edited by Eric_2014 2014-03-04 06:36:18)

Topic: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi everyone,

Here is my problem: I use the wolfSSL embedded SSL certificate manager API to verify some certificates. It works perfectly when the CRL option is disabled.
Once I turn it on, it fails...
I load the CRL (DER format) without any error code, but then, when I try to verify a certificate, I get a -262 error code (which says "CRL Not Loaded")... I don't understand where the problem is...

Here is my code:

    #include <iostream>
    #include <cyassl/ssl.h>

    using namespace std;

    int main() {
        CYASSL_CERT_MANAGER* certManager;
        int ret;

        // Create the certificate manager
        certManager = CyaSSL_CertManagerNew();
        if (certManager == NULL) {
            cout << "Failure cm new!" << endl;
        } else cout << "Success cm new!" << endl;

        // Load the CA certificate used as trust anchor
        ret = CyaSSL_CertManagerLoadCA(certManager, "CACert.pem", 0);
        if (ret != SSL_SUCCESS) {
            cout << "Failure Loading CA certificate!" << endl;
        } else cout << "Success Loading CA certificate!" << endl;

        // Turn on CRL checking, then load the CRLs from the CRL/ directory
        ret = CyaSSL_CertManagerEnableCRL(certManager, 0);
        if (ret != SSL_SUCCESS) {
            cout << "Failure Enable CRL!" << endl << endl;
        } else cout << "Success Enable CRL!" << endl << endl;

        ret = CyaSSL_CertManagerLoadCRL(certManager, "CRL/", SSL_FILETYPE_ASN1, 0);
        if (ret != SSL_SUCCESS) {
            cout << "Failure Loading CRL!" << endl << endl;
        } else cout << "Success Loading CRL!" << endl << endl;

        cout << "Validation of a certificate...." << endl;
        ret = CyaSSL_CertManagerVerify(certManager, "certificate.der", SSL_FILETYPE_ASN1);
        cout << ret << endl; //Here I get -262 error code - MISSING_CRL
        if (ret != SSL_SUCCESS) {
            cout << "Failure verify certificate!" << endl << endl;
        } else cout << "Success verify certificate!" << endl << endl;

        CyaSSL_CertManagerFree(certManager);
        return 0;
    }

Any idea?

Thanks in advance,

Eric


Re: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi Eric,

Can you verify that you have loaded the correct CRL for the issuer (CA) of the certificate you are trying to verify?

Thanks,
Chris
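
The check asked for above (is the loaded CRL the one issued by the certificate's CA?) can be done mechanically by comparing the issuer Name in both DER files byte for byte. This is an added example, not code from the thread or from wolfSSL; the function names and the sample bytes are constructed for illustration, and signature and validity checks are out of scope.

```c
#include <stddef.h>
#include <string.h>
typedef const unsigned char *der_t;
/* Read one DER TLV header; returns a pointer to the value, or NULL if malformed. */
static der_t tlv(der_t p, der_t end, unsigned char *tag, size_t *len) {
    if (end - p < 2) return NULL;
    *tag = *p++;
    size_t n = *p++;
    if (n & 0x80) {                        /* long form: (n & 0x7f) length bytes follow */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 4 || (size_t)(end - p) < cnt) return NULL;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n;
    return p;
}

/* Certificate and CRL both start SEQUENCE { tbs SEQUENCE { [version] [serial] AlgId, issuer */
static der_t issuer_name(der_t der, size_t sz, size_t *out) {
    der_t end = der + sz, p, v;
    unsigned char tag; size_t len;
    if (!(p = tlv(der, end, &tag, &len)) || tag != 0x30) return NULL;  /* outer SEQUENCE */
    end = p + len;
    if (!(p = tlv(p, end, &tag, &len)) || tag != 0x30) return NULL;    /* tbs SEQUENCE */
    end = p + len;
    do {                                   /* skip version ([0] or INTEGER) and serial */
        if (!(v = tlv(p, end, &tag, &len))) return NULL;
        p = v + len;
    } while (tag == 0xA0 || tag == 0x02);
    if (tag != 0x30) return NULL;          /* element just skipped: AlgorithmIdentifier */
    if (!(v = tlv(p, end, &tag, &len)) || tag != 0x30) return NULL;    /* issuer Name */
    *out = (size_t)(v + len - p);          /* size of the whole Name TLV */
    return p;
}

/* 1: CRL and certificate name the same issuer; 0: different issuers; -1: parse error */
int crl_matches_cert_issuer(der_t crl, size_t crl_sz, der_t cert, size_t cert_sz) {
    size_t a_len, b_len;
    der_t a = issuer_name(crl, crl_sz, &a_len), b = issuer_name(cert, cert_sz, &b_len);
    if (!a || !b) return -1;
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}
/* Constructed, stripped-down DER (fields up to the issuer only), not real certificates */
#define ALGID 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00
#define NAME(c) 0x30,0x0F,0x31,0x0D,0x30,0x0B,0x06,0x03,0x55,0x04,0x03,0x0C,0x04,'C','A','-',c
#define CERT(c) { 0x30,0x2A, 0x30,0x28, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x02, ALGID, NAME(c) }
const unsigned char CRL_A[] = { 0x30,0x25, 0x30,0x23, 0x02,0x01,0x01, ALGID, NAME('A') };
const unsigned char CERT_A[] = CERT('A'), CERT_B[] = CERT('B');
```

A result of 0 for the CRL and the certificate under test means the CRL was issued under a different name than the certificate's issuer.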

3 (edited by Eric_2014 2014-03-04 06:35:29)

Re: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi Chris,

Thanks for the response.
I checked that and everything is OK. But I still have the problem... I think that I am missing something but I don't know what...

Here is more information about the certificates:
CA certificate (Self-Signed):


Certificate that I want to verify:


And the CRL (PEM filetype):


I just tested the CRL under Windows and it doesn't work there either, so the problem seems to come from the CRL certificate generation... I'll try to find the problem.

Thanks,

Eric

EDIT: I solved the problem; I made some mistakes when generating the CRL. Now everything works fine ;)
