Hello, Developer, I believe I have identified the issue. I have written about my findings at https://github.com/wolfSSL/wolfssl/issues/8574.

Hello developer, I successfully printed the ca-int.pem using my wolfCLU, but when I try to print the CRL file I created with the AKI extension using wolfCLU, it throws an error. Below is the OpenSSL parsing result.

openssl crl -in crl_extention_test.der -inform DER -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=My Company, CN=My Root CA, OU=My Root CA
        Last Update: Sep  1 00:00:00 2024 GMT
        Next Update: Dec  1 00:00:00 2025 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
            X509v3 Authority Key Identifier: 
                EF:69:E0:F7:D5:1D:E6:99:EC:DC:6D:D0:F7:E2:B9:5C:64:71:83:35
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        a1:7b:7c:c7:60:51:58:1b:ed:b0:e5:7c:9f:0e:fd:ec:bd:f1:
        e5:67:67:1d:0f:cd:70:fe:ce:15:77:ed:a8:0f:24:d5:67:99:
        ff:f1:4d:b9:83:53:99:b4:be:30:21:be:d8:a8:b7:2b:90:02:
        4c:33:ff:89:0e:68:25:49:bf:09:b7:43:88:00:8f:7e:98:bf:
        ba:74:11:fb:1c:02:8c:b1:eb:29:68:ef:d2:27:00:e0:c0:73:
        28:ed:07:3c:df:d6:06:3d:c9:b2:c1:65:04:e8:7b:07:db:71:
        c6:24:f7:ae:27:39:da:af:bd:97:43:86:5d:ec:bb:6e:b5:37:
        e6:b1:22:6b:3b:ae:7d:b3:13:57:8d:6f:9d:96:81:41:60:19:
        f6:8b:c6:a8:e0:08:d4:5d:26:7f:a0:cc:c7:51:7e:16:68:1f:
        17:73:24:e4:dc:76:3d:37:96:f2:11:df:52:bb:60:dd:06:44:
        10:5c:40:1b:c9:29:5f:9f:61:ea:e9:45:b6:63:26:1b:52:0d:
        a6:df:ab:f0:8b:ee:26:65:af:b4:fd:f0:96:2c:da:1d:31:b9:
        fc:53:43:bb:2f:5a:f8:77:c8:20:72:12:ed:76:c9:77:7b:e7:
        fd:7a:37:51:9a:49:f0:0b:a3:06:e1:db:66:0b:58:45:8c:d8:
        63:04:21:4f
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----

The wolfCLU parsing result:

wolfssl crl -in crl_extention_test.pem -text
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
RNG_HEALTH_TEST_CHECK_SIZE = 128
sizeof(seedB_data)         = 128
opened /dev/urandom.
rnd read...
wolfSSL Entering wolfSSL_BIO_new_file
wolfSSL Entering wolfSSL_BIO_s_file
wolfSSL Entering wolfSSL_BIO_new
wolfSSL Entering wolfSSL_BIO_set_fp
wolfSSL Entering wolfSSL_BIO_get_len
wolfSSL Entering wolfSSL_BIO_get_fp
wolfSSL Entering wolfSSL_BIO_read
wolfSSL Entering PemToDer
wolfSSL Entering wolfSSL_d2i_X509_CRL
wolfSSL Entering InitCRL
wolfSSL Entering BufferLoadCRL
InitDecodedCRL
ParseCRL
ERR TRACE: wolfcrypt/src/asn.c L 1622 ASN_PARSE_E (-140)
ERR TRACE: wolfcrypt/src/asn.c L 39029 ASN_PARSE_E (-140)
ParseCRL error
wolfSSL Entering FreeCRL_Entry
FreeDecodedCRL
Buffer Load CRL failed
wolfSSL Entering wolfSSL_X509_CRL_free
wolfSSL Entering FreeCRL
Unable to parse CRL file
wolfSSL Entering wolfSSL_ERR_get_error_line_data
No Error found in queue
ERR TRACE: wolfcrypt/src/logging.c L 686 BAD_STATE_E (-192)
wolfSSL Entering wolfSSL_X509_CRL_free
wolfSSL Entering wolfSSL_BIO_free
wolfSSL Entering wolfSSL_BIO_free
ERR TRACE: ./src/bio.c L 3088 WOLFSSL_FAILURE (0)
Error returned: -1.
wolfSSL Entering wolfSSL_ERR_get_error_line_data
No Error found in queue
ERR TRACE: wolfcrypt/src/logging.c L 686 BAD_STATE_E (-192)
wolfSSL Entering wolfSSL_Cleanup
wolfSSL Entering wolfCrypt_Cleanup

Hello Developer,

While using wolfCLU to parse CRL files, I found that wolfCLU can only parse CRL files without CRL extensions, including extensions like Authority Key Identifier (AKI), Issuer Directory Prefix (IDP), and Freshest CRL (FDP), etc. Could this be an issue with wolfCLU, or is it possible that I missed selecting some options when building wolfCLU?
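
The structure the two tools disagree on, as an added example that is not part of the original posts and is not wolfSSL or wolfCLU code: a minimal DER walker for RFC 5280 CRLs. It builds a constructed CRL with the same shape as the one printed above (v2, a CRL Number and an Authority Key Identifier extension, no revoked certificates) and decodes it, telling the optional revokedCertificates SEQUENCE (tag 0x30) apart from the [0]-tagged crlExtensions (tag 0xA0) that follow nextUpdate. The issuer, dates, key identifier and placeholder signature are all made up for the example and the parser does not verify the signature. It goes a little beyond the post by also producing variants with revoked entries and without extensions, so all three tail shapes are exercised.

```python
"""Walk the DER of an X.509 CRL (RFC 5280 s.5.1) and decode its tail fields.
Added example for this thread, not wolfSSL or wolfCLU code; the sample CRL is
constructed and carries a placeholder signature.  TBSCertList ends with three
OPTIONAL members a parser must tell apart by tag alone: nextUpdate (0x17/0x18),
revokedCertificates SEQUENCE (0x30) and crlExtensions [0] EXPLICIT (0xA0)."""

OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CRL_NUMBER = bytes.fromhex("551d14")              # 2.5.29.20
OID_AKI = bytes.fromhex("551d23")                     # 2.5.29.35
SAMPLE_KEYID = bytes(range(20))  # constructed key identifier, not a real key hash


def der(tag, content):
    """One TLV with a definite length, short or long form."""
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content


def read_tlv(buf, pos):
    """Return (tag, content, next position); indefinite or oversized lengths are rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))


def build_sample_crl(revoked_serials=(), with_extensions=True):
    """Constructed v2 CRL from CN=Sample CA; the defaults give the thread's CRL shape."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Sample CA"))))
    body = der(0x02, b"\x01") + alg + issuer + der(0x17, b"240901000000Z") + der(0x17, b"251201000000Z")
    if revoked_serials:  # revokedCertificates: SEQUENCE OF { userCertificate, revocationDate }
        body += der(0x30, b"".join(der(0x30, der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big"))
                                       + der(0x17, b"240815120000Z")) for s in revoked_serials))
    if with_extensions:  # crlExtensions: [0] EXPLICIT SEQUENCE OF Extension
        crl_number = der(0x30, der(0x06, OID_CRL_NUMBER) + der(0x04, der(0x02, b"\x01")))
        aki = der(0x30, der(0x06, OID_AKI) + der(0x04, der(0x30, der(0x80, SAMPLE_KEYID))))
        body += der(0xA0, der(0x30, crl_number + aki))
    return der(0x30, der(0x30, body) + alg + der(0x03, b"\x00" + bytes(32)))  # placeholder signature


def parse_crl(raw):
    """Decode the fields the thread's tools print; the signature is not verified."""
    tag, crl, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("CRL is not a single SEQUENCE")
    _, tbs, pos = read_tlv(crl, 0)
    _, _, pos = read_tlv(crl, pos)                      # signatureAlgorithm
    tag, _, pos = read_tlv(crl, pos)                    # signatureValue BIT STRING
    if tag != 0x03 or pos != len(crl):
        raise ValueError("bad signatureValue or trailing data after CRL")
    info = {"version": 1, "next_update": None, "revoked": [], "extensions": []}
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0x02:                                     # version OPTIONAL; absent means v1
        info["version"] = int.from_bytes(val, "big") + 1
        _, val, pos = read_tlv(tbs, pos)
    info["sig_alg"] = decode_oid(read_tlv(val, 0)[1])  # val is the AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                      # issuer Name, left undecoded
    _, val, pos = read_tlv(tbs, pos)
    info["this_update"] = val.decode("ascii")
    peek = lambda: read_tlv(tbs, pos) if pos < len(tbs) else (None, b"", pos)
    tag, val, nxt = peek()
    if tag in (0x17, 0x18):                             # nextUpdate OPTIONAL
        info["next_update"], pos = val.decode("ascii"), nxt
        tag, val, nxt = peek()
    if tag == 0x30:                                     # revokedCertificates OPTIONAL
        p = 0
        while p < len(val):
            _, entry, p = read_tlv(val, p)
            info["revoked"].append(int.from_bytes(read_tlv(entry, 0)[1], "big"))
        pos = nxt
        tag, val, nxt = peek()
    if tag == 0xA0:                                     # crlExtensions [0] EXPLICIT OPTIONAL
        exts, p = read_tlv(val, 0)[1], 0
        while p < len(exts):
            _, ext, p = read_tlv(exts, p)
            _, oid, q = read_tlv(ext, 0)
            tag, v, q2 = read_tlv(ext, q)               # critical BOOLEAN DEFAULT FALSE, or extnValue
            critical, q = (v != b"\x00", q2) if tag == 0x01 else (False, q)
            info["extensions"].append((decode_oid(oid), critical, read_tlv(ext, q)[1]))
        pos = nxt
    elif tag is not None:
        raise ValueError("unexpected tag 0x%02x in TBSCertList tail" % tag)
    if pos != len(tbs):
        raise ValueError("trailing data in TBSCertList")
    return info
```

The decoded extension values are the raw extnValue OCTET STRING contents, so the CRL Number is one read_tlv away (an INTEGER) and the AKI keyIdentifier two (the SEQUENCE, then its [0] IMPLICIT member). A parser that reads the tail positionally instead of by tag will misread a CRL of this shape, because 0xA0 arrives where it expected a revokedCertificates SEQUENCE or the end of the structure.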

4

(2 replies, posted in wolfSSL)

embhorn wrote:

Hi Happy,

Thanks for your interest in the wolfCLU project. Did you configure wolfSSL with --enable-crl ?

The CRL parser is capable of handling the command you mentioned:

./wolfssl crl -help
./wolfssl crl
-CAfile <ca file name>
-inform pem or der in format
-in the file to read from
-outform pem or der out format
-out output file to write to
-noout do not print output if set
-text output human readable text of CRL

Thanks

5

(2 replies, posted in wolfSSL)

Hello developer, I have been using wolfCLU recently, and I saw in the documentation that wolfCLU has CRL-related commands. However, the documentation doesn't provide specific details on how to parse CRL files. Based on the documentation, I wrote the following command: wolfssl crl -in crl_file.der -inform DER -noout. Can this command successfully parse the CRL?

Hello Developer, thank you for your previous response. Could you please confirm if the wolfSSL_X509_CRL_print() API is part of the ssl.h library? I could not find the wolfSSL_X509_CRL_print() API in the ssl.h library. I am doing this out of professional interest.

Hello developer, may I ask if wolfSSL also has a command to print CRL information?

Hello, developer. What is the purpose of WOLFSSL_CRL_ALLOW_MISSING_CDP and how does it affect the CRL revocation checking?

Hello, developer. I am a beginner, and while using the wolfSSL_CertManagerCheckCRL function for revocation checking, I found that it does not check the CRL scope as specified in RFC 5280. For example, the Distribution Point Name in the CDP extension of the certificate does not match the Distribution Point Name in the IDP extension of the CRL. According to RFC 5280, this CRL should be rejected, but when performing the revocation check using wolfSSL_CertManagerCheckCRL, the CRL is not rejected.

Can you confirm whether wolfSSL_CertManagerCheckCRL follows the RFC 5280 guidelines for CRL revocation checking? If not, are there other functions in wolfSSL that perform CRL revocation checks according to RFC 5280?
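
The scope rules the post refers to, RFC 5280 section 6.3.3 steps (b) and (d), as an added Python example that is not wolfSSL code and does not describe what wolfSSL_CertManagerCheckCRL does internally. Certificates and CRLs are modelled as plain dicts of already-decoded fields, names are compared as exact strings rather than as typed GeneralNames (a simplification), and the inputs, including a CRL whose IDP names a different distribution point than the certificate's CDP, are constructed for the example.

```python
"""RFC 5280 section 6.3.3 scope check: may this CRL be used to decide the
revocation status of this certificate?  Added example for this thread, not
wolfSSL code.  Fields are already decoded; names are compared as exact strings.

cert: {"issuer": str, "is_ca": bool,
       "cdp": [{"names": [str], "crl_issuer": [str], "reasons": set}, ...]}
crl:  {"issuer": str, "idp": None | {"names": [str], "only_user": bool,
       "only_ca": bool, "only_attr": bool, "indirect": bool, "only_reasons": set}}
A missing key means the field is absent from the extension."""

ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged",
                         "superseded", "cessationOfOperation", "certificateHold",
                         "privilegeWithdrawn", "aACompromise"})


def dp_accepts_crl(cert, dp, crl):
    """6.3.3 (b)(1) issuer check and (b)(2) IDP checks for one distribution point."""
    idp = crl.get("idp")
    if dp.get("crl_issuer"):                         # the DP names a separate CRL issuer
        if crl["issuer"] not in dp["crl_issuer"]:
            return False, "CRL issuer is not the cRLIssuer named in the DP"
        if not (idp and idp.get("indirect")):
            return False, "indirect CRL without indirectCRL asserted in its IDP"
    elif crl["issuer"] != cert["issuer"]:
        return False, "CRL issuer differs from certificate issuer"
    if idp is None:
        return True, "complete CRL for the issuer"
    if idp.get("names"):                             # (b)(2)(i): a DP name must match an IDP name
        dp_names = dp.get("names") or dp.get("crl_issuer") or []
        if not set(dp_names) & set(idp["names"]):
            return False, "no distribution point name matches the IDP name"
    if idp.get("only_user") and cert["is_ca"]:       # (ii)
        return False, "onlyContainsUserCerts asserted but certificate is a CA"
    if idp.get("only_ca") and not cert["is_ca"]:     # (iii)
        return False, "onlyContainsCACerts asserted but certificate is an end entity"
    if idp.get("only_attr"):                         # (iv)
        return False, "onlyContainsAttributeCerts asserted"
    return True, "IDP scope matches"


def crl_covers_cert(cert, crl, reasons_needed=ALL_REASONS):
    """Return (True, why) if some DP of cert accepts crl and the CRL can still
    contribute a reason not yet covered (6.3.3 (d)); otherwise (False, why)."""
    idp = crl.get("idp") or {}
    # A certificate without a CDP extension is checked against its issuer's complete CRL.
    dps = cert.get("cdp") or [{"names": [cert["issuer"]]}]
    why = "certificate has no distribution point"
    for dp in dps:
        ok, why = dp_accepts_crl(cert, dp, crl)
        if not ok:
            continue
        covered = set(reasons_needed)
        if dp.get("reasons"):
            covered &= set(dp["reasons"])
        if idp.get("only_reasons"):
            covered &= set(idp["only_reasons"])
        if covered:
            return True, why
        why = "CRL covers none of the reasons still needed"
    return False, why


# Constructed inputs mirroring the situation described in the post above.
CERT = {"issuer": "CN=My Root CA", "is_ca": False,
        "cdp": [{"names": ["http://crl.example.com/issuing.crl"]}]}
CRL_OTHER_DP = {"issuer": "CN=My Root CA",
                "idp": {"names": ["http://crl.example.com/root.crl"]}}
CRL_SAME_DP = {"issuer": "CN=My Root CA",
               "idp": {"names": ["http://crl.example.com/issuing.crl"]}}
CRL_COMPLETE = {"issuer": "CN=My Root CA"}
```

With these inputs crl_covers_cert(CERT, CRL_OTHER_DP) is rejected because the CRL's IDP name matches none of the certificate's distribution point names, while CRL_SAME_DP and the complete CRL without an IDP are accepted. The reason mask is the piece most checkers skip: a CRL whose IDP has onlySomeReasons can be in scope for the distribution point and still be useless if it covers none of the reasons still undetermined.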

10

(7 replies, posted in wolfSSL)

Hello developer,

This is the result of wolfSSL_CertManagerCheckCRL after enabling debug logging. I used an unexpired certificate and CRL. Could you please help me understand what could be causing the verification to fail?

1
SSL handshake skipped. CRL checks will still be performed.
wolfSSL Entering wolfSSL_CertManagerCheckCRL
ParseCert failed
CRL verification failed: -140

11

(7 replies, posted in wolfSSL)

Hello Developer,

I am using the wolfSSL_CertManagerLoadCRLBuffer function, and as you mentioned, I have used the wolfSSL_CertManagerLoadCA function as well. However, wolfSSL_CertManagerLoadCRLBuffer is returning -179. Could you please tell me what might be the cause of this?

12

(7 replies, posted in wolfSSL)

Hello Developer, I am using the wolfSSL_CertManagerLoadCRLBuffer function, and it returns a value of -190. Could you please let me know the reason for this?

13

(7 replies, posted in wolfSSL)

Hello, developer. I now know that the wolfSSL_CTX_EnableCRL API can be used to enable CRL revocation checking. How can I obtain the results after the revocation check, such as whether it succeeded or failed, after calling wolfSSL_CTX_EnableCRL?

Hello developer, I used

long verify_result = wolfSSL_get_verify_result(ssl);

from wolfSSL to check the certificate revocation status, and I have already included

#include <wolfssl/ssl.h>

Why do I still get the following error?

/usr/bin/ld: /tmp/ccjSsmqw.o: in function `main':
wolfssl_crl_test.c:(.text+0x55f): undefined reference to `wolfSSL_get_verify_result'
collect2: error: ld returned 1 exit status

Hello, developer. Can you tell me if the command cmake .. -DENABLE_CRL=ON -DCMAKE can enable CRL?

Hello, developer. When I use the wolfSSL_CTX_LoadCRL and wolfSSL_CTX_EnableCRL functions from wolfSSL, I get the following error:

Severity: Error

Code: LNK2019

Description: Unresolved external symbol wolfSSL_CTX_EnableCRL referenced in function main.

I have already linked the package directory. What could be causing this issue, and how should I resolve it?

Hello, developer:
What is the default certificate revocation mechanism used by wolfSSL? Or does it default to not enabling any certificate revocation mechanism?

Hello developer, if wolfSSL is built without using the --enable-crl option to enable CRL, does wolfSSL default to using OCSP for certificate revocation?

Hello Developer,

I would like to inquire whether wolfSSL still uses CRLs to validate certificate validity, or if wolfSSL still has the capability to use CRLs for certificate validation.