
Verify SSL certificate against various CRL files


I am given multiple certificate files, e.g. "cert1.crt", "cert2.crt", etc., and multiple CRL lists, "list1.crl", "list2.crl", etc. No root CA or any other type of file is provided. My task is to find out which certificates have NOT been revoked. Despite an extensive search for a "verification" command, I failed to find any command or procedure that would give me at least a clue. In the end, I managed some bash script aerobatics that let me manually test the serial number for each .crt file:

    for ((i=1; i<9; i++)); do
        echo "$i"
        fileIn="crl$i.crl"
        # serial is manually c/p from each .crt file
        serial="1319447396"
        # dump the CRL as text and look for the serial in it
        OUTPUT="$(openssl crl -in "$fileIn" -noout -text | grep "$serial")"
        echo "$OUTPUT"
    done

This way I could do it manually, one at a time, but it will work only for a small number of files (9 at present). With tens of files it would get tiresome and ineffective; with 100+ it would be impossible to do it like this.

I was wondering whether there is a "smart" way to validate a .crt against a .crl, or at least a way to bash-script the job so I wouldn't have to check each .crt manually. Right now it's way beyond my scripting knowledge.

So, in pseudo-code, I would be thrilled if something like this existed:

openssl x509 -verify cert1.cert -crl_list list8.crl

Solution

  • In general, yes, each certificate is checked against a CRL, as is detailed in this guide.

    But actually, each CRL is a simple list of revoked certificate serial numbers.
    The list contained in a CRL can be expanded with:

    openssl crl -inform DER -text -noout -in mycrl.crl
    

    Assuming the CRL is in DER form (adapt as needed).

    1. Expand each (all) CRL to a text file, like:

      openssl crl -inform DER -text -noout -in mycrl.crl > mycrl.crl.txt
      

      The output file could be reduced to only the Serial Number: lines.

    2. Get the Serial Number from the text expansion of a cert:

      mycrt=$(openssl x509 -in mycrt.com.crt -serial -noout)
      mycrt=${mycrt#*=}
      
    3. grep for the serial number in all the text files from step one (if one matches, the cert is revoked), in one call to grep:

      # -x: whole-line match only, -F: literal string, -l: print the matching file(s)
      if grep -lxF "$mycrt" *.crl.txt 2>/dev/null; then
          echo "the certificate has been revoked"
      fi
      

    Full script:

    #!/bin/bash

    # Create (if they don't exist) serial-number files for all the CRLs given.
    for crl in *.crl; do
        if [[ ! -e "$crl.txt" ]]; then
            openssl crl -inform DER -text -noout -in "$crl" |
                awk -F ': ' '/Serial Number:/{print $2}' > "$crl.txt"
        fi
    done

    # Process all certificates: -x matches whole lines only (no substring
    # hits), -F takes the serial literally, -l prints the CRL file(s) listing it.
    for crt in *.crt; do
        mycrt=$(openssl x509 -in "$crt" -serial -noout)
        mycrt=${mycrt#*=}
        if grep -lxF "$mycrt" *.crl.txt; then
            echo "Certificate $crt has been revoked"
        fi
    done
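As an added example (not code from the original post or answer), the same idea written so that a serial is matched exactly and only against CRLs issued by the certificate's own issuer (serials are unique per issuer, not globally), with PEM or DER CRLs detected automatically; it assumes the openssl CLI (1.0.2 or newer), takes a directory holding the .crt and .crl files as its single argument, and, like the answer, cannot verify the CRL signatures because no CA certificate is available.

```shell
#!/bin/bash
# Added example (not from the original post): revocation check by serial AND
# issuer, PEM or DER CRLs. Assumes the openssl CLI. CRL signatures are not
# verified here because, as in the question, no CA certificate is available.

# Normalise serials read from stdin: drop "serial=", strip leading zeros, uppercase.
norm_serials() { sed -e 's/^serial=//' -e 's/^0*//' -e 's/^$/0/' | tr 'a-f' 'A-F'; }

# Print PEM if the CRL parses as PEM, otherwise assume DER.
crl_inform() {
  if openssl crl -inform PEM -noout -in "$1" >/dev/null 2>&1; then echo PEM; else echo DER; fi
}

# Drop the "issuer=" label openssl prints before a DN (-nameopt RFC2253 gives both sides one form).
strip_label() { sed -e 's/^issuer= *//'; }

# Emit one "issuer<TAB>serial<TAB>crlfile" line per revoked entry of one CRL.
build_index() {
  local f="$1" inform issuer
  inform="$(crl_inform "$f")"
  issuer="$(openssl crl -inform "$inform" -issuer -noout -nameopt RFC2253 -in "$f" | strip_label)"
  openssl crl -inform "$inform" -text -noout -in "$f" |
    awk -F': ' '/Serial Number:/ {print $2}' | norm_serials |
    awk -v i="$issuer" -v f="$f" -v OFS='\t' '{print i, $0, f}'
}

# is_revoked SERIAL ISSUER INDEXFILE: exact match on both fields (no substring
# hits); prints the CRL(s) listing the serial, exit 0 if found, 1 otherwise.
is_revoked() {
  awk -F'\t' -v s="$1" -v i="$2" '$1 == i && $2 == s {found = 1; print $3}
                                  END {exit !found}' "$3"
}
# Check every *.crt in a directory against every *.crl beside it.
check_dir() {
  local dir="$1" idx crl crt serial issuer hit
  idx="$(mktemp)"
  for crl in "$dir"/*.crl; do build_index "$crl"; done > "$idx"
  for crt in "$dir"/*.crt; do
    serial="$(openssl x509 -in "$crt" -serial -noout | norm_serials)"
    issuer="$(openssl x509 -in "$crt" -issuer -noout -nameopt RFC2253 | strip_label)"
    if hit="$(is_revoked "$serial" "$issuer" "$idx")"; then
      echo "REVOKED  $crt  serial=$serial  listed in: $(echo "$hit" | tr '\n' ' ')"
    else
      echo "ok       $crt  serial=$serial"
    fi
  done
  rm -f "$idx"
}

if [ "$#" -eq 1 ]; then check_dir "$1"; fi
```

Run it as `./check_crl.sh /path/to/dir`; a certificate is reported as revoked only when a CRL from the same issuer lists exactly its serial.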