diff --git a/src/authm_mad/remotes/x509/x509_auth.conf b/src/authm_mad/remotes/x509/x509_auth.conf
index b841529176..570843835a 100644
--- a/src/authm_mad/remotes/x509/x509_auth.conf
+++ b/src/authm_mad/remotes/x509/x509_auth.conf
@@ -2,3 +2,6 @@
# the server, each CA certificate shoud be name CA_hash.0
#:ca_dir: "/etc/one/auth/certificates"
+
+# Uncoment this line if you want to force crl checking
+#:check_crl: true
diff --git a/src/authm_mad/remotes/x509/x509_auth.rb b/src/authm_mad/remotes/x509/x509_auth.rb
index 4cdb0c7890..34afa5c20a 100644
--- a/src/authm_mad/remotes/x509/x509_auth.rb
+++ b/src/authm_mad/remotes/x509/x509_auth.rb
@@ -213,6 +213,8 @@ private
# Validate the proxy certifcates
signee = @cert_chain[0]
+ check_crl(signee)
+
@cert_chain[1..-1].each do |cert|
if !((signee.issuer.to_s == cert.subject.to_s) &&
(signee.verify(cert.public_key)))
@@ -247,4 +249,39 @@ private
raise
end
end
+
+ def check_crl(signee)
+ ca_hash = signee.issuer.hash.to_s(16)
+ ca_path = @options[:ca_dir] + '/' + ca_hash + '.0'
+
+ crl_path = @options[:ca_dir] + '/' + ca_hash + '.r0'
+
+ if !File.exist?(crl_path)
+ if @options[:check_crl]
+ raise failed + "CRL file #{crl_path} does not exist"
+ else
+ return
+ end
+ end
+
+ ca_cert = OpenSSL::X509::Certificate.new( File.read(ca_path) )
+ crl_cert = OpenSSL::X509::CRL.new( File.read(crl_path) )
+
+ # First verify the CRL itself with its signer
+ unless crl_cert.verify( ca_cert.public_key ) then
+ raise failed + "CRL is not verified by its Signer"
+ end
+
+ # Extract the list of revoked certificates from the CRL
+ rc_array = crl_cert.revoked
+
+ # Loop over the list and compare with the target personal
+ # certificate
+ rc_array.each do |e|
+ if e.serial.eql?(signee.serial) then
+ raise failed + "#{signee.subject.to_s} is found in the "<<
+ "CRL, i.e. it is revoked"
+ end
+ end
+ end
end