Hello folks,

there might be a problem in X509_verify_cert() (at least 0.9.7d):
if you set a verification time and
the CRL was not yet valid at this time,
the error X509_V_ERR_CRL_NOT_YET_VALID will be generated.
(see check_crl() in x509_verify.c)

It seems to me that a logic like:
If check_time (and X509_V_FLAG_USE_CHECK_TIME) are set:
  accept the CRL if it is (now or after the check_time) valid.
  And if the certificate is set in the CRL,
  return X509_V_ERR_CERT_REVOKED if no revocationDate
  is set or if it is older than the check_time.
  (in cert_crl() in x509_verify.c)

But this opens another can of worms:

If the certificate expired before the CRL was issued
the revocation entry might be dropped from the CRL...


Any ideas how to handle this?

Bye

Goetz

--
Goetz Babin-Ebell, software designer,
TC TrustCenter AG, Sonninstr. 24-28, 20097 Hamburg, Germany
Office: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
www.trustcenter.de www.betrusted.com
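The rule proposed in the mail, written out as an added, self-contained C model (not OpenSSL code and not from the mail): the CRL is accepted if it is valid at the check time or now, a listed certificate counts as revoked only if its revocationDate is missing or not after the check time, and, for the case raised at the end, a CRL issued after the certificate expired yields an "undetermined" result rather than "OK" (that last choice is my assumption, not something the mail settles). All times are constructed epoch-second values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <time.h>
/* Result codes; the X509_V_ERR_* comments name the OpenSSL errors the mail refers to. */
enum crl_status {
    CRL_OK = 0,
    CRL_ERR_CRL_NOT_YET_VALID,  /* X509_V_ERR_CRL_NOT_YET_VALID */
    CRL_ERR_CRL_HAS_EXPIRED,
    CRL_ERR_CERT_REVOKED,       /* X509_V_ERR_CERT_REVOKED */
    CRL_ERR_UNDETERMINED        /* CRL issued after cert expiry: entry may have been dropped */
};
struct crl_entry { const char *serial; time_t revocation_date; }; /* 0 = no revocationDate */
struct crl  { time_t this_update, next_update; const struct crl_entry *entries; size_t n; };
struct cert { const char *serial; time_t not_after; };

/* check_time == NULL models "X509_V_FLAG_USE_CHECK_TIME not set": only `now` counts. */
enum crl_status check_cert_against_crl(const struct cert *c, const struct crl *crl,
                                       time_t now, const time_t *check_time)
{
    time_t t = check_time ? *check_time : now;
    bool valid_at_t = crl->this_update <= t   && t   <= crl->next_update;
    bool valid_now  = crl->this_update <= now && now <= crl->next_update;
    /* Proposed rule: with a check time, accept a CRL that is valid either at that time
       or now, instead of failing with CRL_NOT_YET_VALID whenever it postdates check_time. */
    if (!valid_at_t && !(check_time && valid_now))
        return t < crl->this_update ? CRL_ERR_CRL_NOT_YET_VALID : CRL_ERR_CRL_HAS_EXPIRED;
    for (size_t i = 0; i < crl->n; i++) {
        const struct crl_entry *e = &crl->entries[i];
        if (strcmp(e->serial, c->serial) != 0) continue;
        /* Listed: revoked if there is no revocationDate or it is not after t. */
        if (e->revocation_date == 0 || e->revocation_date <= t)
            return CRL_ERR_CERT_REVOKED;
        return CRL_OK; /* listed, but revoked only after the time being checked */
    }
    /* Not listed. If the cert expired before this CRL was issued, the issuer may already
       have dropped its entry, so absence proves nothing: report that rather than OK (assumption). */
    return c->not_after < crl->this_update ? CRL_ERR_UNDETERMINED : CRL_OK;
}

/* Constructed sample (epoch seconds): CRL valid [1000, 2000]; "0A" revoked at 1200,
   "0B" listed without a revocationDate. */
static const struct crl_entry sample_entries[] = { { "0A", 1200 }, { "0B", 0 } };
static const struct crl sample_crl = { 1000, 2000, sample_entries, 2 };
/* Convenience wrapper over the sample CRL; use_check_time=false ignores check_time. */
enum crl_status sample_check(const char *serial, time_t not_after, time_t now,
                             bool use_check_time, time_t check_time)
{
    struct cert c = { serial, not_after };
    return check_cert_against_crl(&c, &sample_crl, now, use_check_time ? &check_time : NULL);
}
```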
