Hello folks,
there might be a problem in X509_verify_cert() (at least 0.9.7d): if you set a verification time and the CRL was not yet valid at this time, the error X509_V_ERR_CRL_NOT_YET_VALID will be generated. (see check_crl() in x509_verify.c)
It seems to me that a logic like: If check_time (and X509_V_FLAG_USE_CHECK_TIME) are set: accept the CRL if it is (now or after the check_time) valid. And if the certificate is set in the CRL, return X509_V_ERR_CERT_REVOKED if no revocationDate is set or if it is older than the check_time. (in cert_crl() in x509_verify.c)
But this opens another can of worms:
If the certificate expired before the CRL was issued the revocation entry might be dropped from the CRL...
Any ideas how to handle this?
Bye
Goetz
--
Goetz Babin-Ebell, software designer, TC TrustCenter AG
Sonninstr. 24-28, 20097 Hamburg, Germany
Office: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
www.trustcenter.de www.betrusted.com
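The logic proposed in the post, written out as an added example that is not part of the message and not OpenSSL's own code: a toy CRL model with a thisUpdate/nextUpdate window and revocation entries, a check_crl() stage that accepts the CRL if it is valid now or at check_time, a cert_crl() stage that treats the certificate as revoked at check_time only if the entry has no revocationDate or its revocationDate is not later than check_time, and a separate check for the "can of worms" case (certificate expired before the CRL was issued, so the entry may already have been pruned). The result enum, the struct names, the `crl_entry_may_be_pruned()` helper and all sample times are constructed for this example; only the X509_V_ERR_* names come from the post.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Outcome codes, named after the OpenSSL error codes mentioned in the post;
   the numeric values are constructed for this example. */
enum verify_result {
    V_OK = 0,
    V_ERR_CRL_NOT_YET_VALID,
    V_ERR_CRL_HAS_EXPIRED,
    V_ERR_CERT_REVOKED
};

/* Minimal model of one CRL entry and of a CRL (constructed types). */
struct crl_entry {
    long   serial;
    time_t revocation_date;      /* meaningful only if has_revocation_date */
    int    has_revocation_date;
};

struct crl {
    time_t this_update;          /* thisUpdate */
    time_t next_update;          /* nextUpdate */
    const struct crl_entry *entries;
    size_t n_entries;
};

/* Is the CRL's validity window open at instant t? */
static int crl_valid_at(const struct crl *c, time_t t)
{
    return t >= c->this_update && t < c->next_update;
}

/* Proposed check_crl() behaviour: when a check_time is in use, accept the
   CRL if it is valid now OR at check_time; otherwise report why not. */
enum verify_result check_crl(const struct crl *c, time_t now,
                             int use_check_time, time_t check_time)
{
    time_t t;
    if (crl_valid_at(c, now))
        return V_OK;
    if (use_check_time && crl_valid_at(c, check_time))
        return V_OK;
    t = use_check_time ? check_time : now;
    return t < c->this_update ? V_ERR_CRL_NOT_YET_VALID : V_ERR_CRL_HAS_EXPIRED;
}

/* Proposed cert_crl() behaviour: with a check_time, the certificate counts
   as revoked if its entry carries no revocationDate or the revocationDate is
   not later than check_time; without a check_time any entry means revoked. */
enum verify_result cert_crl(const struct crl *c, long serial,
                            int use_check_time, time_t check_time)
{
    size_t i;
    for (i = 0; i < c->n_entries; i++) {
        const struct crl_entry *e = &c->entries[i];
        if (e->serial != serial)
            continue;
        if (!use_check_time || !e->has_revocation_date)
            return V_ERR_CERT_REVOKED;
        if (e->revocation_date <= check_time)
            return V_ERR_CERT_REVOKED;
        return V_OK;  /* revoked only after the instant being checked */
    }
    return V_OK;
}

/* The caveat from the post: a certificate that expired before the CRL was
   issued may have had its entry dropped, so a "not listed" answer from this
   CRL proves nothing about it. Returns 1 when that situation applies. */
int crl_entry_may_be_pruned(const struct crl *c, time_t cert_not_after)
{
    return cert_not_after < c->this_update;
}

/* Constructed sample data: times are arbitrary seconds-since-epoch values. */
static const struct crl_entry sample_entries[] = {
    { 1001, 2000, 1 },   /* serial 1001 revoked at t = 2000 */
    { 1002,    0, 0 },   /* serial 1002 revoked, no revocationDate */
};
const struct crl sample_crl = { 1500, 3000, sample_entries, 2 };

int main(void)
{
    /* CRL not valid "now" (3500) but valid at check_time 2500 -> accepted */
    printf("check_crl: %d\n", check_crl(&sample_crl, 3500, 1, 2500));
    /* serial 1001 revoked at 2000, checked at 1800 -> still good then */
    printf("cert_crl:  %d\n", cert_crl(&sample_crl, 1001, 1, 1800));
    /* cert expired at 1400, CRL issued at 1500 -> entry may be gone */
    printf("pruned?:   %d\n", crl_entry_may_be_pruned(&sample_crl, 1400));
    return 0;
}
```

The two stages are kept separate so that each can be compared with the corresponding function in x509_verify.c named in the post; crl_entry_may_be_pruned() is an extra advisory check whose only purpose is to flag that a clean result from cert_crl() is not trustworthy for a certificate that expired before thisUpdate.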