Discuss this help topic in SecureBlackbox Forum

Validate CRL signature

Each CRL is signed with the certificate of the authority that issued it. It is vital to validate this signature carefully: an invalid or missing signature indicates that the CRL has been tampered with and cannot be trusted.

To validate the signature, you first need to find the certificate that signed the CRL. This is done by matching the CRL's Issuer property with the SubjectRDN property of the certificate. You can use the TElCertificateLookup class together with the lcSubject criterion to look for the necessary certificate in the certificate storage:


// Search by certificate subject only
Lookup.Criteria = SBCustomCertStorage.Unit.lcSubject;
// The subject to look for is the Issuer of the CRL
Lookup.SubjectRDN.Assign(crl.Issuer);
// Require an exact match on every RDN component, not a partial or substring match
Lookup.Options = SBCustomCertStorage.Unit.loExactMatch | SBCustomCertStorage.Unit.loMatchAll;
When you have found the certificate, pass it to the Validate() method of the CRL object:

int res = crl.Validate(cert);

A res value of 0 indicates that the signature over the CRL is valid. Otherwise the method returns one of the following self-explanatory errors:

SB_CRL_ERROR_INVALID_CERTIFICATE (bad certificate object was provided)
SB_CRL_ERROR_INVALID_ISSUER (certificate subject doesn't match the issuer of the CRL)
SB_CRL_ERROR_UNSUPPORTED_ALGORITHM (signature algorithm not supported)
SB_CRL_ERROR_INVALID_SIGNATURE (signature is bad, CRL content likely to be corrupted)
SB_CRL_ERROR_INTERNAL_ERROR (undefined error)
SB_CRL_ERROR_NOTHING_TO_VERIFY (CRL is empty - e.g. the CRL object is brand new)
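Putting the lookup and the Validate() call together, as an added example that is not from the SecureBlackbox documentation: the helper below finds every certificate whose subject equals the CRL issuer and returns the first one that verifies the signature, so a storage holding both an old and a re-keyed CA certificate with the same subject is handled. FindSigningCertificate, the FindFirst/FindNext/GetCertificate storage methods and the parameterless TElCertificateLookup constructor are assumptions about the .NET API, not taken from this page.

```csharp
using SBX509;
using SBCRL;
using SBCustomCertStorage;

// Assumed helper (not from the help page): locate the certificate that signed
// `crl` inside `storage` and verify the CRL signature with it.
// Assumptions: TElCustomCertStorage.FindFirst/FindNext return a certificate index
// or -1, GetCertificate(index) returns the TElX509Certificate at that index, and
// TElCertificateLookup has a parameterless constructor.
public static class CrlSignatureCheck
{
    // Returns the certificate whose key verifies the CRL, or null if none does.
    // lastError receives 0 on success, or the last SB_CRL_ERROR_* code seen.
    public static TElX509Certificate FindSigningCertificate(
        TElCertificateRevocationList crl, TElCustomCertStorage storage, out int lastError)
    {
        lastError = -1; // no candidate examined yet

        // Match the CRL Issuer against certificate subjects, exactly and on every RDN component.
        TElCertificateLookup lookup = new TElCertificateLookup();
        lookup.Criteria = SBCustomCertStorage.Unit.lcSubject;
        lookup.SubjectRDN.Assign(crl.Issuer);
        lookup.Options = SBCustomCertStorage.Unit.loExactMatch | SBCustomCertStorage.Unit.loMatchAll;

        // More than one certificate may carry the issuer's subject (for example an old
        // and a re-keyed CA certificate), so try every candidate instead of only the first.
        for (int idx = storage.FindFirst(lookup); idx != -1; idx = storage.FindNext(lookup))
        {
            TElX509Certificate cert = storage.GetCertificate(idx);
            int res = crl.Validate(cert);
            if (res == 0)
            {
                lastError = 0;
                return cert; // signature over the CRL verified with this certificate
            }
            lastError = res; // e.g. SB_CRL_ERROR_INVALID_SIGNATURE; kept for reporting
        }

        // No certificate in the storage verifies the CRL: treat it as untrusted and
        // do not use it for revocation decisions.
        return null;
    }
}
```

A result of 0 only proves that the CRL is bound to that certificate's key; the certificate itself still has to be trusted, so validate it against your trusted roots before acting on the CRL.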

