Dr. Stephen Henson wrote: [...]
Check to see if the CRL has an authority key id and, if so, whether it matches the subject key id of the CA you are using. If not, then the problem is that the wrong CA, and hence the wrong public key, is being used to verify the CRL signature.
You are right; unfortunately I have to deal with a PKI where multiple certs are issued to every SubCA -- all of them are valid at the same time and issued to the same Subject; what changes are the key and the keyUsage... a real mess...
I guess no 'standard' client is capable of verifying the CRLs correctly, as the certificate used to issue certs is not the same one used to sign CRLs... aaaarrrgghh!
The problem was that :-( In my opinion the error reported
> 7322:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 7322:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:580:
> 7322:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:
should be changed as it is not really clear :-D
Thank you again.
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]      [EMAIL PROTECTED]
Tel.:   +39 (0)11 564 7081                      http://security.polito.it
Fax:    +39 178 270 2077
Mobile: +39 (0)347 7222 365

Politecnico di Torino (EuroPKI) Certification Authority Information:
Authority Access Point        http://ca.polito.it
Authority's Certificate:      http://ca.polito.it/ca_cert/en_index.html
Certificate Revocation List:  http://ca.polito.it/crl02/crl.crl
--o------------------------------------------------------------------------
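The two-key SubCA situation described in this thread, reproduced with the openssl CLI as an added example (not code from the thread or from OpenCA). It builds a throwaway SubCA with two self-signed certs that share one Subject but hold different keys, signs a CRL with the second key, and shows that the CRL's authority key identifier matches only the CRL-signing cert's subject key identifier, so `openssl crl -CAfile` verifies the CRL only with that cert and fails with the certificate-issuing one. Assumes a POSIX shell and an openssl binary of 1.1.1 or later; all names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed SubCA holding two keys,
# one for signing certificates and one for signing CRLs, same Subject on both.
set -e
WORK=$(mktemp -d); cd "$WORK"
# One self-contained config: req settings, CA cert extensions, and a minimal
# 'openssl ca' section whose CRLs carry an AKID naming the key that signed them.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = crlca
[ crlca ]
database = index.txt
serial = serial
new_certs_dir = .
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
: > index.txt; echo 01 > serial; echo 01 > crlnumber
# Two self-signed CA certs with an identical Subject but different keys.
for role in sign crl; do
  openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -extensions ca_ext -subj "/CN=Example SubCA" \
    -keyout "ca_$role.key" -out "ca_$role.crt" 2>/dev/null
done
# The CRL is signed with the CRL key, not with the certificate-issuing key.
openssl ca -config pki.cnf -gencrl -keyfile ca_crl.key -cert ca_crl.crt \
  -out crl.pem 2>/dev/null
# Pull the 20-byte key identifier (AA:BB:...) out of a -text dump.
keyid_hex()    { grep -o -E '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1; }
akid_of_crl()  { openssl crl  -in "$1" -noout -text | keyid_hex; }
skid_of_cert() { openssl x509 -in "$1" -noout -text | keyid_hex; }
# OK or FAIL: does the public key in this CA cert verify the CRL signature?
crl_verifies() {
  if openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'
  then echo OK; else echo FAIL; fi
}
echo "CRL AKID:          $(akid_of_crl crl.pem)"
echo "cert-signing SKID: $(skid_of_cert ca_sign.crt) -> $(crl_verifies crl.pem ca_sign.crt)"
echo "CRL-signing SKID:  $(skid_of_cert ca_crl.crt) -> $(crl_verifies crl.pem ca_crl.crt)"
```

Comparing the CRL's AKID against each candidate cert's SKID before attempting signature verification is the check Dr. Henson describes; the FAIL case reproduces the RSA padding errors quoted in this thread.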