
I am looking for a master CRL list. The closest thing I have found is the Chromium project's CRLSets. I used crlset-tools to get the crlset (crlset fetch > crl-set) and then dumped the serial numbers (crlset dump crl-set) so I see something like this:

f24196ae94078667348f02e8e37458a3a6e6aad1e0b0dc610118cce721427bfc
  03fb3b4d35074e
  03fbf94a0e6c39
  04097214d6c97c
  0442c6b3face55
  ....

I want to be able to pass to openssl or curl (which uses openssl) a CRL file containing a master list of all bad serials. For example rather than just passing in verisign's crl, I want everything passed in. I thought I could do this with crlset but I don't think the format is compatible. I tried openssl crl -inform DER -text -in crl-set but it says:

unable to load CRL
5532:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
5532:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CRL

If anyone has any ideas on how to do what I'm talking about, or any creative way to do this, please let me know. Thanks.

test

1 Answer


This may not be possible, at least in the form that you'd like.

Consider that in Chrome's CRLsets, there are (possibly) multiple revoked certificates from multiple CAs. A single CRL file which contains certificates from multiple CAs is known as an "indirect CRL". Indirect CRLs are poorly supported; see here and here; OpenSSL may not be able to do this.

In addition, as @bentek mentions, it looks like the CRLsets format is not compatible. Specifically, the CRLsets format does not contain all of the necessary CRL fields; see RFC 5280, Section 5.1. CRLsets contains (per its documentation) the SHA-256 hash of the Subject Public Key Info for the issuing certs, and the certificate serial numbers for revoked certificates from that issuing cert. There is not enough information to reconstruct a direct CRL (i.e. one CRL file per CA), sadly, if we wanted to. The biggest lack/omission, IMHO, is the name (DN) of the issuer of the revoked cert. CRLsets gives us a "fingerprint" (the SHA-256 SPKI hash), but mapping that fingerprint to the DN of the cert in question, given the scope of the Internet, would not be an easy task.

Castaglia