On Wed, Oct 21, 2009, Adam Rosenstein wrote:
> Hi, I'm trying to use indirect CRLs in my application. I cannot figure out
> how to get the CRL signer's cert to be verified though. I keep getting "CRL
> path validation error".
>
> I do something like this:
>
> cs_ctx = X509_STORE_CTX_new();
> if (!cs_ctx) {
>     error = "malloc error";
>     goto CERTIFICATE_VERIFY_FAILURE;
> }
> /* cert: certificate under test; untrusted: candidate intermediate CAs */
> if (!X509_STORE_CTX_init(cs_ctx, cert_store, cert, untrusted)) {
>     error = "error initializing cs_ctx";
>     goto CERTIFICATE_VERIFY_FAILURE;
> }
> /* issuer lookups for this context come from 'trusted', not from cert_store */
> X509_STORE_CTX_trusted_stack(cs_ctx, trusted);
>
> if (purpose) X509_STORE_CTX_set_purpose(cs_ctx, purpose);
> if (crls) X509_STORE_CTX_set0_crls(cs_ctx, crls);   /* CRLs to consult */
>
> verifyResult = X509_verify_cert(cs_ctx);
>
> Where 'untrusted' is a stack of potential intermediate CAs, 'trusted' is a
> stack of trusted root CAs, crls is a stack of CRLs, and cert_store was set up
> previously.
>
> I have tried chains like this:
>
> RootCert-+->IndCRLSigner(crldp=http://x.y.z,issrname=IndCRLSigner)->crl
>          |
>          +->EndEntityCert(crldp=http://x.y.z,issrname=IndCRLSigner)
>
> Crl idp == http://x.y.z
>
I'm assuming you are using OpenSSL 1.0.0, otherwise this isn't supported at
all.
Have you set the flags to X509_V_FLAG_EXTENDED_CRL_SUPPORT?
What other flags have you set?
What other extensions are present in the CRL and CRL signer?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
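Added example, not code from either mail: the chain Adam draws (RootCert issuing both IndCRLSigner and EndEntityCert, the CRL signed by IndCRLSigner, the cert's DP naming IndCRLSigner as CRL issuer, the CRL's IDP marked indirect) built with the openssl CLI, then verified twice with openssl verify. -crl_check and -extended_crl are the CLI spellings of X509_V_FLAG_CRL_CHECK and X509_V_FLAG_EXTENDED_CRL_SUPPORT, which the C code in the question would set with X509_STORE_CTX_set_flags() before X509_verify_cert(). Every name, file name and the URI http://x.y.z/indirect.crl are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not code from the thread). Builds the chain described above
# with the openssl CLI and verifies the end-entity cert twice: with the CLI
# equivalents of X509_V_FLAG_CRL_CHECK|X509_V_FLAG_EXTENDED_CRL_SUPPORT
# (-crl_check -extended_crl) and with -crl_check alone. Every name, file name
# and the URI http://x.y.z/indirect.crl is made up for the demonstration.

# Generate RootCert, IndCRLSigner, EndEntityCert and the indirect CRL in $1.
build_indirect_crl_chain() {
    cat > "$1/x.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ signer_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = ee_crldp
[ ee_crldp ]
fullname = URI:http://x.y.z/indirect.crl
CRLissuer = dirName:crl_issuer_dn
[ crl_issuer_dn ]
CN = IndCRLSigner
[ ca ]
default_ca = indirect_ca
[ indirect_ca ]
database = index.txt
serial = serial.txt
private_key = signer.key
certificate = signer.pem
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid
issuingDistributionPoint = critical,@idp
[ idp ]
fullname = URI:http://x.y.z/indirect.crl
indirectCRL = TRUE
EOF
    (
        set -e
        cd "$1"
        # Self-signed root; the CRL signer and the end entity are both issued by it.
        openssl req -x509 -sha256 -newkey rsa:2048 -nodes -keyout root.key \
            -out root.pem -subj /CN=RootCert -days 30 -config x.cnf \
            -extensions root_ext 2>/dev/null
        for pair in signer:IndCRLSigner ee:EndEntityCert; do
            f=${pair%%:*}; cn=${pair#*:}
            openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$f.key" \
                -out "$f.csr" -subj "/CN=$cn" -config x.cnf 2>/dev/null
            openssl x509 -req -in "$f.csr" -CA root.pem -CAkey root.key \
                -CAcreateserial -days 30 -sha256 -extfile x.cnf \
                -extensions "${f}_ext" -out "$f.pem" 2>/dev/null
        done
        # Empty CRL signed with IndCRLSigner's key; the IDP marks it indirect.
        : > index.txt
        echo 01 > serial.txt
        openssl ca -config x.cnf -gencrl -crldays 30 -md sha256 \
            -out indirect.crl 2>/dev/null
    )
}

# Verify $1/ee.pem: root in the X509_STORE (-CAfile), the CRL signer only in
# the untrusted stack (-untrusted), the CRL set on the context (-CRLfile).
# Extra arguments such as -extended_crl are passed through to openssl verify.
verify_ee() {
    dir=$1; shift
    openssl verify -crl_check "$@" -CAfile "$dir/root.pem" \
        -CRLfile "$dir/indirect.crl" -untrusted "$dir/signer.pem" "$dir/ee.pem"
}

demo_dir=$(mktemp -d)
build_indirect_crl_chain "$demo_dir"
echo "== with -extended_crl (expected: ee.pem: OK)"
verify_ee "$demo_dir" -extended_crl
echo "== without -extended_crl (expected: unable to get certificate CRL)"
verify_ee "$demo_dir" || true
```

Two things the script does deliberately. The CRL signer is passed only as -untrusted: with EXTENDED_CRL_SUPPORT set, the verifier looks for the CRL issuer in the untrusted stack when it is not on the certificate's own path, and then validates the issuer's chain with check_crl_path(). Without the flag the indirect CRL is simply not considered, so the failure is "unable to get certificate CRL" rather than a path error. The root goes into the store via -CAfile rather than only a trusted stack because, in 1.0.0's x509_vfy.c, check_crl_path() initialises a fresh X509_STORE_CTX from the X509_STORE and the untrusted stack and copies only the parameters, CRLs and callback across; a root that is visible only through X509_STORE_CTX_trusted_stack() on the outer context cannot complete the CRL issuer's chain, and that shows up as X509_V_ERR_CRL_PATH_VALIDATION_ERROR. Note also that -crl_check checks the leaf only; -crl_check_all would additionally require a CRL covering every certificate in the chain, including the CRL signer and the root.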