[Bug]: Questions about wolfssl verify
Contact Details
No response
Version
I am using version 0.1.7 of the wolfssl Command Line Utility. Linked to wolfSSL version 5.7.6
Description
Hello developer, I'm not sure if wolfssl has a command for CRL revocation checks. When I perform a revocation check using openssl, openssl indicates that the certificate has been revoked, but wolfssl does not display any information related to the certificate being revoked.
command: wolfssl verify -CAfile root_cert_1.pem -CRLfile crl_revokedCert_02.pem ca1.pem
test cases:
Reproduction steps
No response
Relevant log output
Hello @onepeople158 ,
How are you building wolfSSL? You will need to pass in --enable-crl to enable CRL support.
Please use wolfSSL 5.8.2 with wolfCLU master, we have had significant changes to both since 0.1.7/5.7.6.
Hello Developers, I have installed the latest version of wolfSSL.
The following is the displayed result: You are using version 0.1.8 of the wolfssl Command Line Utility. Linked to wolfSSL version 5.8.2
I ran the command below and am not sure if wolfSSL supports CRL revocation checking: wolfssl verify -CAfile root_cert_1.pem -CRLfile crl_revokedCert_02.pem ca1.pem
The command output was:
verifying certificate file ca1.pem
using CA file root_cert_1.pem
OK
Hello @onepeople158, I will take a look at this. I see your test case files in the isRevoked.zip file. Can you include the openssl verify commands you are using for comparison?
openssl verify -crl_check -x509_strict -CAfile root_cert_1.pem -CRLfile crl_revokedCert_02.pem ca1.pem
C=CN, ST=Beijing, L=Beijing, O=My Organization, CN=My Intermediate CA
error 23 at 0 depth lookup: certificate revoked
error ca1.pem: verification failed
Hello @onepeople158 . wolfssl verify does have a -crl_check flag as well.
$ wolfssl verify -help
./wolfssl verify -CAfile <ca file name> [-untrusted <intermidate file>] [-crl_check] [-partial_chain] <cert to verify>
If I include that flag in the wolfssl command and use the same flags as with your openssl verify command, I do also get an error from wolfssl, although the error message is different:
$ wolfssl verify -crl_check -x509_strict -CAfile root_cert_1.pem -CRLfile crl_revokedCert_02.pem ca1.pem
verifying certificate file ca1.pem
using CA file root_cert_1.pem
Verification Failed
Err (3): non-blocking socket write buffer full
Error wolfcrypt/src/asn.c:26140: ASN self-signed certificate error (-275)
Error returned: -1.
This is with the latest version of wolfssl from git.
You are correct that wolfssl does not say that the certificate was revoked in this case. I'll check with the team to see about improving the error message.
If you use this command, it will also report an error for the correct CRL.
wolfssl verify -crl_check -x509_strict -CAfile root_cert_1.pem -CRLfile right_crl.pem ca1.pem
verifying certificate file ca1.pem
using CA file root_cert_1.pem
Verification Failed
Err (-362): CRL missing, not loaded
Error returned: -1.
openssl verify -crl_check -x509_strict -CAfile root_cert_1.pem -CRLfile right_crl.pem ca1.pem
ca1.pem: OK
Hello @onepeople158 , I will take a look at this as well.
For comparison, can you share the commands you used to create the test certificates in the two .zip archives that you shared?
These certificates were created using the cryptography library in Python.
@onepeople158 Are you able to reproduce this by only using openssl commands to generate the test certificates/CRL?
These are the CRL, target certificate, and root certificate I generated using the OpenSSL command line (CRL: rootCA.crl, Root Certificate: rootCA.crt, Target Certificate: target.crt).
command:
1. Generate the root certificate private key:
openssl genrsa -out rootCA.key 2048
2. Generate the self-signed root certificate:
openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt
3. Generate the target certificate private key:
openssl genrsa -out target.key 2048
4. Generate the target certificate request (CSR):
openssl req -new -key target.key -out target.csr
5. Sign the target certificate with the root certificate:
openssl x509 -req -in target.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out target.crt -days 365
6. Create the CRL index file and CRL number file:
mkdir -p crl
touch crl/index.txt
echo 01 > crl/crlnumber
7. Revoke the target certificate (obtain the certificate serial number):
openssl x509 -in target.crt -noout -serial
openssl ca -revoke target.crt -keyfile rootCA.key -cert rootCA.crt -config openssl.cnf
8. Generate the CRL file (written to rootCA.crl so that the root certificate is not overwritten):
openssl ca -gencrl -out rootCA.crl -keyfile rootCA.key -cert rootCA.crt -config openssl.cnf
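As an added example (it is not part of this issue thread and not code from the wolfCLU project), the steps above rebuilt as a single non-interactive script, together with the `openssl verify -crl_check` call from the earlier comparison and the equivalent `wolfssl verify -crl_check` call the maintainer pointed out, so both tools can be run against one fixture. The thread never shows the openssl.cnf that `openssl ca` needs, so the minimal configuration written by the script is an assumption of this example; the file names rootCA.crt, rootCA.crl, revoked.crt and valid.crt, and the helper names `build_fixture`, `crl_status` and `wolfssl_status`, are the example's own. It assumes the `openssl` binary is on PATH; `wolfssl` is optional.

```shell
#!/bin/sh
# Added example, not code from the wolfCLU project or the issue thread:
# rebuild the poster's CRL fixture with plain openssl commands, then check
# revocation with openssl (and wolfssl, if installed) using -crl_check.
set -eu

# Writes rootCA.key/rootCA.crt, rootCA.crl, revoked.crt and valid.crt into $1.
# The openssl.cnf behind the original 'openssl ca' steps is not shown in the
# thread; the minimal one below is this example's assumption.
build_fixture() {
    fixture=$1
    mkdir -p "$fixture/ca/newcerts"
    (
        cd "$fixture"
        touch ca/index.txt           # 'openssl ca' database (step 6)
        echo 01 > ca/crlnumber       # next CRL number (step 6)
        echo 1000 > ca/serial        # only needed for signing, created anyway
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./rootCA.crt
private_key      = ./rootCA.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName       = supplied
EOF
        # Self-signed root, key and cert in one go (steps 1-2, non-interactive).
        openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
            -subj "/CN=Example Root CA" -keyout rootCA.key -out rootCA.crt 2>/dev/null

        # Two leaf certificates signed by the root (steps 3-5). -CAcreateserial
        # keeps rootCA.srl, so the second leaf gets a distinct serial number.
        for name in revoked valid; do
            openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example" \
                -keyout "$name.key" -out "$name.csr" 2>/dev/null
            openssl x509 -req -in "$name.csr" -CA rootCA.crt -CAkey rootCA.key \
                -CAcreateserial -days 365 -out "$name.crt" 2>/dev/null
        done

        # Revoke one leaf and issue the CRL (steps 7-8). The CRL is written to
        # rootCA.crl; writing it to rootCA.crt would clobber the root cert.
        openssl ca -config ca.cnf -revoke revoked.crt 2>/dev/null
        openssl ca -config ca.cnf -gencrl -out rootCA.crl 2>/dev/null
    )
}

# Prints "ok", "revoked" or "error" for one leaf certificate. Without
# -crl_check openssl loads the CRL but never consults it, which is exactly
# the difference discussed in this thread.
crl_status() {
    fixture=$1; leaf=$2
    out=$(openssl verify -crl_check -CAfile "$fixture/rootCA.crt" \
            -CRLfile "$fixture/rootCA.crl" "$leaf" 2>&1) && { echo ok; return 0; }
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

# Same check with wolfCLU on the same files, using the flags the maintainer
# listed (-CAfile, -CRLfile, -crl_check). Skipped when wolfssl is not installed.
wolfssl_status() {
    fixture=$1; leaf=$2
    command -v wolfssl >/dev/null 2>&1 || { echo "wolfssl not installed, skipping"; return 0; }
    wolfssl verify -crl_check -CAfile "$fixture/rootCA.crt" \
        -CRLfile "$fixture/rootCA.crl" "$leaf" || true
}

demo_dir=$(mktemp -d)
build_fixture "$demo_dir"
echo "openssl revoked.crt: $(crl_status "$demo_dir" "$demo_dir/revoked.crt")"
echo "openssl valid.crt:   $(crl_status "$demo_dir" "$demo_dir/valid.crt")"
wolfssl_status "$demo_dir" "$demo_dir/revoked.crt"
```

Run it with `sh` from any directory; the fixture lands in a fresh temporary directory, so the two tools can afterwards be pointed at the same rootCA.crt, rootCA.crl and revoked.crt by hand to compare their messages.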