OpenSSL C API: Certificate chain validation with CRL

I'm trying to perform certificate chain validation for Windows executable files, which also includes a check for revoked certificates, using the OpenSSL 1.0.2 C API.

I have the CRL files stored locally and I want to load them during verification (as opposed to downloading the CRL via the "CRL Distribution Points" URL from certificates which have it).

Here's my simplified example of loading a single CRL file (omitting any error checking):

#include <openssl/pkcs7.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

X509_STORE *store = X509_STORE_new();
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509_VERIFY_PARAM *params = NULL;

X509_CRL *crl = d2i_X509_CRL_fp(fc, NULL);  // fc is a FILE* open on the DER-encoded CRL file
X509_STORE_add_crl(store, crl);             // the CRL is now found by issuer name during verification
X509_STORE_CTX_init(ctx, store, NULL, NULL);

params = X509_STORE_CTX_get0_param(ctx);
X509_VERIFY_PARAM_set_purpose(params, X509_PURPOSE_ANY);
X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_CRL_CHECK);  // only want to check end entity (X509_V_FLAG_CRL_CHECK_ALL would cover the whole chain)
X509_STORE_set1_param(store, params);       // copy the flags into the store that PKCS7_verify will use

// assume p7 is properly initialized PKCS7*
// assume bio is properly initialized BIO*
int ret = PKCS7_verify(p7, p7->d.sign->cert, store, bio, NULL, 0);  // direct struct access as in 1.0.2

The above code returns ret == 0 with the error "unable to get certificate CRL", which from my understanding means that OpenSSL is still trying to search for the CRL from the certificate itself instead of using the one I loaded locally.

What is the proper way of achieving this task?

Actually the code above is already correct to achieve my goal of performing the CRL check. One potential pitfall for someone new to the X509 certificate structure is that the "CRL Distribution Points" URL for the certificate of interest is contained within that certificate itself, and not in the issuer's certificate. This was my mistake which led to the error I mentioned. I hope this may help people who are just getting started in understanding the X509 standard.
