Given a certain CRL, for example:
http://crl.verisign.com/pca1.crl
Downloading it, and asking openssl to verify it and show its contents works like a charm:
wget http://crl.verisign.com/pca1.crl
openssl crl -in ./pca1.crl -inform DER -text
verify OK
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
Last Update: Nov 22 00:00:00 2011 GMT
Next Update: Mar 21 23:59:59 2012 GMT
...
[truncated]
Is there a way to find out which CA certificate validated that this CRL’s authenticity?
Or is the only way to loop over the certificates in the certificate store, and try them one by one until a match is hit?
Easy way is to check the output of:
which will be something like:
as that will tell you the issuer, i.e., the entity which signed the CRL, not necessarily the entity which issued the certs which where revoked (though usually it is).
You can go a step further and verify this with:
and check that you see a
Or alternatively – if you have a cert store – look for an Issuer with a DN identical to the one you found with the issuer; and then check the signature (comparing the DNs is not good enough – someone could have inserted a fake/self-signed with that DN).
I do not think you can do much better than that as a lot of CAs, including Verisign, do not decorate their CRL with identifiers (you can confirm this with
curl --silent http://crl.verisign.com/pca1.crl |openssl asn1parse -inform DER). So you are really down to extracting the DN, find a DN by string comparison on your stash and then check the signature. And ideally go as far as actually comparing against the part of the DN which is actually signed by the signature; as a nefarious entry could in theory make DNs of which little (e.g. just the country) is signed (and thus allowing last minute changes/matchings).