Discuss this help topic in SecureBlackbox Forum

Validate CRL signature

Each CRL is signed with the certificate of the authority it has been issued by. It is vital to validate these signatures carefully, as invalid or missing signature indicates that a CRL has been tampered and cannot be trusted.

To validate a signature you need to find the certificate that has signed the CRL first. This is done by matching the CRL's Issuer property with the SubjectRDN property of the certificate. You can use the TElCertificateLookup class along with the lcSubject criterion to look for the necessary certificate in the certificate storage:

Lookup.Criteria = SBCustomCertStorage.Unit.lcSubject;
Lookup.Options = SBCustomCertStorage.Unit.loExactMatch | SBCustomCertStorage.Unit.loMatchAll;
When you have found the certificate, pass it to the Validate() method of the CRL object: int res = crl.Validate(cert); The res value of 0 indicates that the signature over the CRL is valid. You can also get one of the following self-explaining errors:

SB_CRL_ERROR_INVALID_CERTIFICATE (bad certificate object was provided)
SB_CRL_ERROR_INVALID_ISSUER (certificate subject doesn't match the issuer of the CRL)
SB_CRL_ERROR_UNSUPPORTED_ALGORITHM (signature algorithm not supported)
SB_CRL_ERROR_INVALID_SIGNATURE (signature is bad, CRL content likely to be corrupted)
SB_CRL_ERROR_NOTHING_TO_VERIFY (CRL is empty - e.g. the CRL object is brand new)

How To articles about certificate revocation lists (CRLs)

Discuss this help topic in SecureBlackbox Forum