On 2009-10-30 14:18 PDT, mAhAjAn wrote:

> I am writing a client which connects to a secure server. I need to verify
> the certificate obtained from the server for CRL Revocation.
> 
> Could someone please tell me which NSS APIs are available.

Beginning in NSS 3.12.4, CERT_PKIXVerifyCert can do the CRL fetching and
checking for you as an integral part of the cert path building and validation.

Alternatively, if you've downloaded and imported the CRL properly, it
will automatically be taken into account by any cert path building and
validation done by calls to CERT_VerifyCert or CERT_VerifyCertificate.

> These are the steps I am following currently. I extracted the CRL URL
> from distribution points and then downloaded the CRL.

OK.  Was it a binary CRL?  Or was it encoded in PEM?
Although the IETF RFCs are VERY CLEAR that CRLs downloaded from URLs
in certificates MUST be binary CRLs, many CAs nonetheless fail to
conform to the standards and download PEM encoded CRLs instead.
If you got a PEM encoded CRL, then decode it back into binary DER,
because NSS wants binary DER.

> After reading the downloaded CRL file, I tried
> CERT_CacheCRL() but it gives SEC_ERROR_BAD_DER every time.

I can think of 3 or 4 likely explanations:

a) the CRL you gave it is not binary DER, but rather is PEM
b) you gave it extra data besides the CRL, such as http response header
or an extra trailing CR LF pair
c) The CRL you have is not a "full" CRL, but rather is a "partitioned" CRL
or a "delta" CRL, which NSS does not support.
d) The CRL is just improperly encoded.

> Also PK11_ImportCRL() only imports the CRLs which are binary and not
> the ones that begin with ".....Begin CERTIFICATE"

Files that begin with "---- BEGIN <something> ----" are called "PEM" format
or "PEM encoded" files.  One certain public key cryptography toolkit prefers
to store all its data in files of that format, which has caused
many people to erroneously think that that is a standard format.
The standard format is the binary format.

CERT_CacheCRL also wants the binary format.

NSS has code and even helper utilities to facilitate conversion.

> Could someone please tell me if I am going wrong somewhere and what
> are the steps to be followed

My guesses are above.
Regards,
/Nelson
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
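A pre-check for the four failure modes (a) to (d) listed in the reply, as an added example in Python rather than against the NSS C API; it is not part of the original thread. It assumes the downloaded CRL bytes are already in memory; the delta CRL check is a byte-search heuristic for the deltaCRLIndicator OID, not a full ASN.1 parse.

```python
import base64
import re

# PEM armor as described in the reply: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# DER encoding of OID 2.5.29.27 (id-ce-deltaCRLIndicator); used only as a byte-search heuristic
DELTA_CRL_OID = bytes.fromhex("0603551d1b")


def der_outer_length(buf: bytes) -> int:
    """Total byte length of the outermost DER SEQUENCE at buf[0], from its tag and length octets."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte is not 0x30")
    first = buf[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n subsequent length octets
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length octets")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def normalize_crl(raw: bytes) -> tuple:
    """Return (der, notes): the bare binary DER that NSS wants, plus a note per problem repaired or found."""
    notes, data = [], raw
    if data.startswith(b"HTTP/"):          # (b) HTTP response header saved together with the body
        header, sep, body = data.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("HTTP header without a body separator")
        data = body
        notes.append("stripped HTTP response header")
    m = PEM_RE.search(data)
    if m:                                  # (a) PEM armor instead of binary DER: decode back to DER
        data = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        notes.append("decoded PEM armor with label %r" % m.group(1).decode())
    total = der_outer_length(data)         # (d) raises if the outer SEQUENCE header is not well formed
    if total > len(data):
        raise ValueError("DER truncated: header claims %d bytes, got %d" % (total, len(data)))
    if total < len(data):                  # (b) trailing CR LF or other bytes after the CRL
        notes.append("dropped %d trailing byte(s) after the DER SEQUENCE" % (len(data) - total))
        data = data[:total]
    if DELTA_CRL_OID in data:              # (c) delta CRL marker, which NSS does not support
        notes.append("deltaCRLIndicator OID present: looks like a delta CRL")
    return data, notes
```

Feed the returned bytes, not the raw download, to CERT_CacheCRL or PK11_ImportCRL, and treat any note as the reason for an earlier SEC_ERROR_BAD_DER.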
