On Fri, Jan 14, 2005, Massimiliano Pala wrote: > > Hello guys, > > I have a problem with X509 certificate and CRL checking. > When using the > X509_CRL_verify(crl, pkey) function (I get an error also > by using the > 'openssl crl -CAfile... ' command), I get the following > Error: > > 7322:error:0407006A:rsa > routines:RSA_padding_check_PKCS1_type_1:block type is not > 01:rsa_pk1.c:100: > 7322:error:04067072:rsa > routines:RSA_EAY_PUBLIC_DECRYPT:padding check > failed:rsa_eay.c:580: > 7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP > lib:a_verify.c:162: > > Anyway, separately both the certificate and the CRL seems > to look good. > If you have ideas I can send you the certificate and the > CRL, I am not > sending them to the list as them are quite big (~1.6Mb). >
Check to see if the CRL has an authority key id and if so if it matches the subject key id of the CA you are using. If not then the problem is that the wong CA and hence wrong public key is being used to verify the CRL signature. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
