1 Topic by Eric_2014 (edited by Eric_2014 2014-03-04 06:36:18)

  • Registered: 2014-02-18
  • Posts: 5

Topic: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi everyone,

Here is my problem, I use the wolfSSL embedded SSL certificate manager API to verify some certificate. It works perfectly when CRL option is disable.
Once I turn it on it fails...
I load CRL (DER format) without any error code but then, when I try to verify a certificate, I got an -262 error code (which says "CRL Not Loaded")... I don't understand where is the problem...

Here is my code:

        certManager = CyaSSL_CertManagerNew();
    if (certManager == NULL) {
        cout << "Failure cm new!" << endl;
    } else cout << "Success cm new!" << endl;
    
    ret = CyaSSL_CertManagerLoadCA(certManager, "CACert.pem", 0);
    if (ret != SSL_SUCCESS) {
        cout << "Failure Loading CA certificate!" << endl;
    } else cout << "Success Loading CA certificate!" << endl;
    
    ret = CyaSSL_CertManagerEnableCRL(certManager, 0);
    if (ret != SSL_SUCCESS) {
        cout << "Failure Enable CRL!" << endl << endl;
    } else cout << "Success Enable CRL!" << endl << endl;
    
    ret = CyaSSL_CertManagerLoadCRL(certManager, "CRL/", SSL_FILETYPE_ASN1, 0);
    if (ret != SSL_SUCCESS) {
        cout << "Failure Loading CRL!" << endl << endl;
    } else cout << "Success Loading CRL!" << endl << endl;
    
    cout << "Validation of a certificate...." << endl;
    ret = CyaSSL_CertManagerVerify(certManager,  "certificate.der", SSL_FILETYPE_ASN1);
    cout << ret << endl; //Here I get -262 error code - MISSING_CRL
    if (ret != SSL_SUCCESS) {
        cout << "Failure verify certificate!" << endl << endl;
    } else cout << "Success verify certificate!" << endl << endl;

Any idea?

Thanks in advance,

Eric

Share

  • From: Bozeman, MT
  • Registered: 2010-10-20
  • Posts: 650

Re: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi Eric,

Can you verify that you have loaded the correct CRL for the issuer (CA) of the certificate you are trying to verify?

Thanks,
Chris

https://www.wolfssl.com

chrisc's Website

Share

3 Reply by Eric_2014 (edited by Eric_2014 2014-03-04 06:35:29)

  • Registered: 2014-02-18
  • Posts: 5

Re: [SOLVED]Unable to verify certificate w/ certificate manager and CRLs

Hi Chris,

Thanks for the response.
I check that and everything is ok. But I still got the problem... I think that I miss something but I don't know what...

Here are more informations about the certificates:
CA certificate (Self-Signed):

-----BEGIN CERTIFICATE-----
MIIBkTCB+6ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMMBFRlc3Qw
HhcNMTMwMTAxMTAyOTI5WhcNMTcwMTAxMTAyOTI5WjAPMQ0wCwYDVQQDDARUZXN0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPFNyv0i29DbGDRkGPjXBub6q2
ZNdMQoT6YWxsmfBuzgIuF3F8Dd80NUTXfOfCxRnndCUmjgfhOekRI1AlEOXWw6vD
yrcUNu/spJxILVeiq+bCw3VwVhs1Xiztc9Cvvk9CTxLT+NhQpvS17djwhLMrMDnZ
nZMwKsOpzIlW0LG4PQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAG7wI8WlzynLTl7U
1fS9ty/4WjRrpuMmawbt6owy92NdWmC0j+u8sEWB/q318AqhxgQRNSfmBcVobff8
CYYsLcfBCiNmn12d3osu12O6FF9yZEOBQ5pmwzBe+Xzu/8c+4uDuduBLIvq1PcKP
L8EuNu0JuMRSe2Tk+LvqcZkm5t2I
-----END CERTIFICATE-----

Certificate that I want to verify:

-----BEGIN CERTIFICATE-----
MIIBkTCB+6ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNVBAMMBFRlc3Qw
HhcNMTMwMTAxMTAyOTI5WhcNMTcwMTAxMTAyOTI5WjAPMQ0wCwYDVQQDDARUZXN0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPFNyv0i29DbGDRkGPjXBub6q2
ZNdMQoT6YWxsmfBuzgIuF3F8Dd80NUTXfOfCxRnndCUmjgfhOekRI1AlEOXWw6vD
yrcUNu/spJxILVeiq+bCw3VwVhs1Xiztc9Cvvk9CTxLT+NhQpvS17djwhLMrMDnZ
nZMwKsOpzIlW0LG4PQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAG7wI8WlzynLTl7U
1fS9ty/4WjRrpuMmawbt6owy92NdWmC0j+u8sEWB/q318AqhxgQRNSfmBcVobff8
CYYsLcfBCiNmn12d3osu12O6FF9yZEOBQ5pmwzBe+Xzu/8c+4uDuduBLIvq1PcKP
L8EuNu0JuMRSe2Tk+LvqcZkm5t2I
-----END CERTIFICATE-----

And the CRL (PEM filetype):

-----BEGIN X509 CRL-----
MIIBOTCBowIBATANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDDARUZXN0Fw0xNDAy
MjExMDI5MjlaFw0xNzAxMDExMDI5MjlaMBQwEgIBAhcNMTQwMjIxMTAyOTI5WqBK
MEgwOgYDVR0jAQH/BDAwLoAUqOWqy6shef9NnNyVchZVhrDteQmhE6QRMA8xDTAL
BgNVBAMMBFRlc3SCAQEwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADgYEAIdw7
xiP/xlPi9uCbmF7V2dBAmRH+UICTTf6pwAZwdeNgbdASZr5Uco4pt9fSLACBmEGU
1yThSHwSpnBYyOYjsu82aZ2kkBlGXXBOCJ+lWVTW79+QvsAv6j61c8e7LOPjTnXt
hS6hONmAa0dQvGXYhH4QIhUhVCY8i0HqQpKxokY=
-----END X509 CRL-----

I just test crl under windows and it don't work too, so the problem seems to come from the crl certificate generation... I'll try to find the problem.

Thanks,

Eric

EDIT: I solve the problem, I made some mistakes when generating CRL. Now everything works fine wink

Share