How can I perform a CRL check on a certificate with Security.h

I am trying to check whether a certificate is revoked or not with a CRL. I downloaded the CRL file from the host, but I can't find any examples of how I can create a trust object or check the certificate. I can validate my certificate with the OCSP method, but I am stuck on CRL. Appreciate any help 🙂.

Answered by DTS Engineer in 297866022

You should be able to do this by:

  1. Creating a policy object that does whatever standard checking you want; if you don’t need anything special, use SecPolicyCreateBasicX509
  2. Calling SecPolicyCreateRevocation to create a second policy to check revocation with kSecRevocationRequirePositiveResponse and kSecRevocationCRLMethod
  3. Passing both of those, along with the certificate in question and any intermediate certificates, to SecTrustCreateWithCertificates
  4. Doing any extra configuration of the trust object; for example, if the certificate was issued by a custom CA, call SecTrustSetAnchorCertificates to trust that CA’s root certificate
  5. Evaluating trust on the trust object

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
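The five steps above, written out as one Swift function. This is an added example, not code from the DTS answer or from Apple; the function name evaluateWithCRL, the CRLCheckError enum, the parameter names and the placeholder file paths in the usage comment are all assumptions made here. It also reads back SecTrustCopyResult so a caller can see whether the revocation check actually ran, which is the first thing to look at when evaluation fails after the CRL was fetched.

```swift
import Foundation
import Security

/// Errors surfaced by this example (hypothetical type, not part of Security.framework).
enum CRLCheckError: Error {
    case badCertificateData
    case policyCreationFailed
    case trustCreationFailed(OSStatus)
    case evaluationFailed(String)
}

/// Steps 1-5 from the answer above, as one function.
/// - leafDER: DER bytes of the certificate to check (supplied by the caller)
/// - intermediatesDER: DER bytes of any intermediate CA certificates
/// - customRootDER: DER bytes of a private CA root to anchor on (nil = system roots)
/// Returns the dictionary from SecTrustCopyResult so the caller can inspect
/// kSecTrustRevocationChecked and kSecTrustRevocationValidUntilDate.
func evaluateWithCRL(leafDER: Data,
                     intermediatesDER: [Data] = [],
                     customRootDER: Data? = nil) throws -> [String: Any] {
    // Parse DER into SecCertificate objects; leaf first, then intermediates.
    guard let leaf = SecCertificateCreateWithData(nil, leafDER as CFData) else {
        throw CRLCheckError.badCertificateData
    }
    var chain: [SecCertificate] = [leaf]
    for der in intermediatesDER {
        guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
            throw CRLCheckError.badCertificateData
        }
        chain.append(cert)
    }

    // Step 1: standard X.509 policy (no SSL hostname checks).
    let basicPolicy = SecPolicyCreateBasicX509()

    // Step 2: revocation policy restricted to CRL, requiring a definitive answer.
    // The flags are imported as Int; SecPolicyCreateRevocation takes CFOptionFlags.
    let revocationFlags = CFOptionFlags(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse)
    guard let revocationPolicy = SecPolicyCreateRevocation(revocationFlags) else {
        throw CRLCheckError.policyCreationFailed
    }

    // Step 3: trust object over the chain, with both policies applied.
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray,
                                                [basicPolicy, revocationPolicy] as CFArray,
                                                &trust)
    guard status == errSecSuccess, let trust = trust else {
        throw CRLCheckError.trustCreationFailed(status)
    }

    // Step 4: optional custom anchor for a private CA. AnchorCertificatesOnly
    // keeps the system roots out of the evaluation so only this CA is trusted.
    if let rootDER = customRootDER {
        guard let root = SecCertificateCreateWithData(nil, rootDER as CFData) else {
            throw CRLCheckError.badCertificateData
        }
        _ = SecTrustSetAnchorCertificates(trust, [root] as CFArray)
        _ = SecTrustSetAnchorCertificatesOnly(trust, true)
    }

    // Step 5: evaluate. On failure the CFError description carries the reason.
    var cfError: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &cfError)
    let result = (SecTrustCopyResult(trust) as? [String: Any]) ?? [:]
    guard trusted else {
        let reason = cfError.map { CFErrorCopyDescription($0) as String } ?? "unknown"
        throw CRLCheckError.evaluationFailed(reason)
    }
    return result
}

// Usage (file paths are placeholders):
// let leaf = try Data(contentsOf: URL(fileURLWithPath: "/path/to/leaf.der"))
// let info = try evaluateWithCRL(leafDER: leaf)
// print(info[kSecTrustRevocationChecked as String] ?? "revocation was not checked")
```

Note that nothing here takes the CRL file the question mentions downloading: with these policies the framework fetches the CRL from the certificate's distribution point itself during evaluation, which is the request the follow-up reply sees in Wireshark. If the result dictionary lacks kSecTrustRevocationChecked after a failed evaluation, the revocation check never completed, regardless of whether the CRL download succeeded on the wire.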
Hi,
I did the exact same steps. I can see the request for the CRL file going to the distribution point and getting a positive response in Wireshark. But the evaluation is leading to INCOMPLETE_REVOCATION_CHECK for the leaf certificate. I can't find any documentation for this. What could this mean? It works fine on non-Apple OSes.