On Thu, Mar 17, 2011, Jeff Saremi wrote:
> Does anyone have an example of how an indirect CRL issuer is handled?
> This is my understanding of what needs to be done.
> If at least someone could verify that, I'd be really appreciative:
>
> 1. download the CRL
> 2. If not indirect, handle as usual (let's pretend for now that we know
> how to handle these in OpenSSL)
> 3. If Indirect flag is set, check Authority Information Access.
> (possibly using something like:
> AUTHORITY_INFO_ACCESS *info = (AUTHORITY_INFO_ACCESS*)
> X509_CRL_get_ext_d2i(crl, NID_info_access, NULL, NULL);)
> 4. Download the issuer's certificate using the URL above.
> 5. Add the cert to the store? (using X509_STORE_add_cert()?)
>
First thing: do you need to worry about indirect CRLs? They are pretty rare outside compliance tests. Indirect CRLs are not supported unless an explicit flag is set, btw: this is due to unresolved security issues in the standards.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org