Topic: x509 serial number

Hi,

I need to obtain the serial-number of a peer-certificate, and figured I'd be able to retrieve it via X509_get_serialNumber() in conjunction with ASN1_INTEGER_get().  However, this always returns 0 and it seems to be hard-coded that way in the wolfSSL source?

Am I doing something daft?


Re: x509 serial number

Hi,

wolfSSL does all verification internally (signature, date, domain name).  The X509_get_serialNumber() function is part of wolfSSL's OpenSSL Compatibility layer, and is currently just a stub that always returns 0.

Why do you need the serial number?

Regards,
Chris

Re: x509 serial number

chrisc wrote:

Why do you need the serial number?

Hi chrisc,

I require some means of implementing a CRL (of client certs) ... how would you recommend I go about doing that?

Thanks much;


Re: x509 serial number

Hi,

Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (see the "Problems" section of the CRL Wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list). OCSP is the current method to deal with those problems.

If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to.  With OCSP, one of the things you would still need though is the cert serial number.

If you want to implement OCSP with wolfSSL, we could help if you would like.

Regards,
Chris

(edited by topher 2011-03-09 19:06:36)

Re: x509 serial number

chrisc wrote:

Hi,

Have you considered using OCSP instead of a CRL? There are several issues surrounding CRLs (see the "Problems" section of the CRL Wikipedia page: http://en.wikipedia.org/wiki/Certificat … ation_list). OCSP is the current method to deal with those problems.

If using OCSP, you could enable SESSION_CERTS in wolfSSL, and use the cert chain to hand off to an OCSP server you had access to.  With OCSP, one of the things you would still need though is the cert serial number.

If you want to implement OCSP with wolfSSL, we could help if you would like.

Regards,
Chris

Yes, the OCSP route was a consideration, but (as you say) we still need the serial number.

Also, it's not actually a "CRL" in the traditional sense ... that's just a convenient name to label the functionality. Think of it as some kind of embedded server that cannot depend on an external OCSP service. Revoked serial numbers are pushed to the "embedded server", persisted there, and cached in memory for runtime lookups. It's intended to be a very lightweight environment and the number of revocations will remain low over time. Resolving any of this, though, requires the equivalent of peerCert.getSerialNumber().

Is there a plan to add this to wolfSSL and, if so, when is that likely to happen?

Thanks chrisc

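Since X509_get_serialNumber() is a stub in this wolfSSL version, the lookup topher describes can be built directly on the DER bytes of the peer certificate (for example the chain made available with SESSION_CERTS, as mentioned above). The following is an added example, not wolfSSL code and not code from anyone in this thread: it reads the serialNumber INTEGER from the start of a DER Certificate (it is the second element of tbsCertificate, after the optional explicit version), normalizes DER's leading 0x00 sign padding so a serial pushed as "01F45C" matches one encoded as "0001F45C", and checks it against a small in-memory revocation table. The table size, the helper names, and the certificate fragment used as input are assumptions constructed for the example; the fragment is not a valid certificate, only enough of one for the parser to find the serial.

```c
/* Added example (not wolfSSL code): extract the serial number from a DER X.509
 * certificate and check it against an in-memory revocation list. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERIAL  20   /* RFC 5280 4.1.2.2: serial numbers are at most 20 octets */
#define MAX_REVOKED 64   /* assumption: small embedded table, revocations stay few */

typedef struct { uint8_t b[MAX_SERIAL]; size_t len; } serial_t;
static serial_t revoked[MAX_REVOKED];
static size_t   revoked_count;

/* Read one DER tag/length header at buf[*pos]; on success advance *pos to the
 * content and report tag and content length. Lengths past `len` are rejected. */
static int der_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *clen)
{
    size_t p = *pos;
    if (p + 2 > len) return -1;
    *tag = buf[p++];
    uint8_t first = buf[p++];
    if (first < 0x80) {
        *clen = first;                     /* short form */
    } else {
        size_t n = first & 0x7f, l = 0;    /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || p + n > len) return -1;
        for (size_t i = 0; i < n; i++) l = (l << 8) | buf[p++];
        *clen = l;
    }
    if (*clen > len - p) return -1;        /* content must fit in the buffer */
    *pos = p;
    return 0;
}

/* Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 *     version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... } ... }
 * Points *serial at the big-endian content octets of serialNumber. */
int x509_der_serial(const uint8_t *der, size_t der_len,
                    const uint8_t **serial, size_t *serial_len)
{
    size_t pos = 0, clen, tbs_end;
    uint8_t tag;
    if (der_header(der, der_len, &pos, &tag, &clen) || tag != 0x30) return -1;
    if (der_header(der, der_len, &pos, &tag, &clen) || tag != 0x30) return -1;
    tbs_end = pos + clen;
    if (der_header(der, tbs_end, &pos, &tag, &clen)) return -1;
    if (tag == 0xA0) {                     /* explicit version present: skip it */
        pos += clen;
        if (der_header(der, tbs_end, &pos, &tag, &clen)) return -1;
    }
    if (tag != 0x02 || clen == 0 || clen > MAX_SERIAL) return -1;
    *serial = der + pos;
    *serial_len = clen;
    return 0;
}

/* Drop leading 0x00 padding (DER adds one when the top bit is set) so that
 * the pushed value and the encoded value compare equal. */
static void normalize(const uint8_t *s, size_t len, serial_t *out)
{
    while (len > 1 && s[0] == 0x00) { s++; len--; }
    out->len = len;
    memcpy(out->b, s, len);
}

/* Add a serial to the table (what the "push" from the management side would do). */
int revoke_serial(const uint8_t *s, size_t len)
{
    if (len == 0 || len > MAX_SERIAL || revoked_count >= MAX_REVOKED) return -1;
    normalize(s, len, &revoked[revoked_count++]);
    return 0;
}

int is_revoked(const uint8_t *s, size_t len)
{
    serial_t n;
    if (len == 0 || len > MAX_SERIAL) return 0;
    normalize(s, len, &n);
    for (size_t i = 0; i < revoked_count; i++)
        if (revoked[i].len == n.len && memcmp(revoked[i].b, n.b, n.len) == 0)
            return 1;
    return 0;
}

/* 1 = revoked (reject), 0 = not listed, -1 = unparsable certificate (reject too). */
int check_peer(const uint8_t *der, size_t der_len)
{
    const uint8_t *s; size_t slen;
    if (x509_der_serial(der, der_len, &s, &slen)) return -1;
    return is_revoked(s, slen);
}

/* Constructed input: only the leading part of a certificate (outer SEQUENCE,
 * TBS SEQUENCE, v3 version, serial 0x01F45C). Not a valid certificate. */
const uint8_t constructed_cert_der[] = {
    0x30, 0x0C,
      0x30, 0x0A,
        0xA0, 0x03, 0x02, 0x01, 0x02,      /* [0] { INTEGER 2 } = v3 */
        0x02, 0x03, 0x01, 0xF4, 0x5C       /* INTEGER 0x01F45C  = serialNumber */
};
const uint8_t constructed_revoked_serial[] = { 0x01, 0xF4, 0x5C };

int main(void)
{
    printf("before revocation: %d\n", check_peer(constructed_cert_der, sizeof constructed_cert_der));
    revoke_serial(constructed_revoked_serial, sizeof constructed_revoked_serial);
    printf("after revocation:  %d\n", check_peer(constructed_cert_der, sizeof constructed_cert_der));
    return 0;
}
```

Two points a practitioner would keep in mind: the serial only identifies a certificate within one issuer, so a real table should be keyed by issuer as well when more than one CA can sign client certificates; and the parser treats a failure to find the serial as a rejection rather than a pass, so a malformed or truncated certificate cannot slip past the revocation check.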

Re: x509 serial number

topher,

Sounds like an interesting embedded SSL project.  What kind of server are you creating?  Currently, getSerialNumber() functionality isn't on our list, but if you have a need for it, we can work with you to add the functionality.

Regards,
Chris

Re: x509 serial number

thanks chrisc
