OpenSSL has a command to verify the signature of a downloaded CRL against the issuing certificate authority:
openssl crl -verify -in <crl file> -CAfile <issuer certificate or cert chain>
Here is a hello-world example of verifying the Google CRL against the Google issuer CA certificate:
1. Download the Google CRL using wget:
wget http://crl.pki.goog/GTS1O1core.crl
2. The downloaded CRL is in DER format; convert it to PEM format:
openssl crl -inform DER -in GTS1O1core.crl -outform PEM -out google_crl.pem
3. Download the Google certificate chain:
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect google.com:443 -showcerts -tlsextdebug 2>&1 </dev/null | sed -n '/-----BEGIN/,/-----END/ {/-----BEGIN/ s/^/:/; p}'); for certificate in ${certificates#:}; do echo "$certificate" | tee -a google-cert-chain.pem ; done; IFS=$OLDIFS
4. Verify the downloaded CRL against the issuer certificate (available in the certificate chain downloaded in step 3):
openssl crl -verify -in google_crl.pem -CAfile google-cert-chain.pem
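As an added example (not part of the original post), the script below runs the same convert-and-verify steps offline against a throwaway CA built with openssl req and openssl ca, and shows that a certificate carrying the issuer's subject but a different key does not verify the CRL. All subjects, file names and the helpers crl_signed_by, new_ca and make_demo are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every subject, file name and helper here is constructed for the demo.

# Trust the verdict text, not the exit status: "verify OK" is printed on stderr.
crl_signed_by() {   # usage: crl_signed_by <crl.pem> <ca-or-chain.pem>
    openssl crl -verify -noout -in "$1" -CAfile "$2" 2>&1 | grep -q 'verify OK'
}

# Self-signed CA certificate plus key: new_ca <basename> <subject>
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Build a throwaway issuer, an impostor with the same subject, and a DER CRL.
make_demo() {   # usage: make_demo <empty directory>
    d=$1
    new_ca "$d/issuer"   "/CN=Demo CRL Issuer" || return 1
    new_ca "$d/impostor" "/CN=Demo CRL Issuer" || return 1   # same name, other key
    : > "$d/index.txt"                                        # empty revocation database
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
default_md = sha256
default_crl_days = 7
EOF
    openssl ca -gencrl -config "$d/ca.cnf" -cert "$d/issuer.pem" \
        -keyfile "$d/issuer.key" -out "$d/crl.pem" 2>/dev/null || return 1
    # Store it as DER, the format the downloaded CRL in the steps above arrives in
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/demo.crl"
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_demo "$work" || { echo "setup failed" >&2; exit 1; }

# Same steps as above: DER -> PEM, then verify against a candidate issuer
openssl crl -inform DER -in "$work/demo.crl" -outform PEM -out "$work/demo_crl.pem"
for ca in issuer impostor; do
    if crl_signed_by "$work/demo_crl.pem" "$work/$ca.pem"
    then echo "$ca: verify OK"
    else echo "$ca: NOT verified"
    fi
done
```

openssl crl -verify finds the issuer in -CAfile by subject name and then checks the signature with that certificate's public key, which is why the impostor is found but rejected.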