I'm confused regarding the difference between -crl_check and -crl_check_all when using openssl smime -verify.

I have a signed email with a Thawte Freemail certificate; it's Mensagem.eml (attached).
I signed it with Mozilla. The hierarchy is the following:

Thawte Personal Freemail CA
        Personal Freemail RSA 2000.8.30
                Thawte Freemail Member <--- that's my certificate

$ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/               
Verification successful

I have downloaded Thawte's CRLs from their site:
$ l mycerts/*Thawte*crl*
-rw-rw-r--    1 andreas  andreas       597 2003-05-20 18:22 mycerts/ThawtePersonalBasicCA.crl.pem
-rw-rw-r--    1 andreas  andreas    580905 2003-05-20 18:23 mycerts/ThawtePersonalFreemailRSA2000830.crl.pem
-rw-rw-r--    1 andreas  andreas     10607 2003-05-20 18:23 mycerts/ThawteServerCA.crl.pem

They all have symlinks set up with c_rehash.

The following doesn't work:
$ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/ -crl_check
Verification failure
12333:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get certificate CRL

Using strace, I can see that openssl is trying to open a CRL for the first CA (the one at the top of the hierarchy), as well as a CRL for the RSA CA. That CRL I have, but not the CRL for the first CA.

However, using -crl_check_all, it "works":
$ openssl smime -in Mensagem.eml -verify -out /dev/null -CApath mycerts/ -crl_check_all
Verification successful

Here, strace shows it only opening the CRL for the RSA CA. According to the description of these parameters:
$ openssl smime 2>&1|grep crl
-crl_check     check revocation status of signer's certificate using CRLs
-crl_check_all check revocation status of signer's certificate chain using CRLs

I would think -crl_check_all would check the whole chain, but it seems that -crl_check is doing that instead. Any hints?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
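
The situation described in the post, as an added example that is not part of the original message: a throwaway shell harness (the CA names "Test Root CA" / "Test Intermediate CA" / "Test Signer", the message body and the capath_* directory names are all made up) that builds a two-level hierarchy, signs a message with openssl smime -sign, and runs openssl smime -verify against CApath directories that differ only in which CRLs they hold, so you can see on your own openssl which certificates' CRLs each flag actually consults. It assumes a current openssl (1.1.1 or 3.x) on PATH. On those releases -crl_check looks up a CRL for the signer certificate only, while -crl_check_all looks up a CRL for every certificate in the chain, including the self-signed root, so the CApath needs a <hash>.r0 file for each issuer or verification fails with "unable to get certificate CRL". The third directory also shows that a revoked signer is caught by both flags.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway hierarchy
# (Test Root CA -> Test Intermediate CA -> Test Signer), signs a constructed
# message, and runs openssl smime -verify with/without -crl_check and
# -crl_check_all against three CApath directories that differ only in the
# CRLs they contain. Assumes a current openssl (1.1.1 or 3.x) on PATH.
set -u
WORK=${WORK:-$(mktemp -d)}

# Minimal openssl.cnf for one CA directory; used by both `openssl req` and `openssl ca`.
write_ca_cnf() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.pem
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
x509_extensions = leaf_ext
[ policy_any ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# new_ca <dir> <CN> [issuer_dir]: self-signed root when no issuer is given, otherwise a
# subordinate CA signed by <issuer_dir>. Each CA also gets an (initially empty) CRL.
new_ca() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  write_ca_cnf "$1"
  if [ $# -lt 3 ]; then
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
      -config "$1/ca.cnf" -extensions ca_ext -subj "/CN=$2" -days 365 2>/dev/null
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.csr" \
      -config "$1/ca.cnf" -subj "/CN=$2" 2>/dev/null
    openssl ca -batch -notext -config "$3/ca.cnf" -extensions ca_ext \
      -in "$1/ca.csr" -out "$1/ca.pem" 2>/dev/null
  fi
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# add_to_capath <capath> <file> cert|crl: store the file under the name the by_dir lookup
# (and c_rehash) uses: <subject-hash>.N for certificates, <issuer-hash>.rN for CRLs.
add_to_capath() {
  mkdir -p "$1"
  if [ "$3" = cert ]; then h=$(openssl x509 -hash -noout -in "$2"); sfx=""
  else h=$(openssl crl -hash -noout -in "$2"); sfx="r"; fi
  n=0; while [ -e "$1/$h.$sfx$n" ]; do n=$((n + 1)); done
  cp "$2" "$1/$h.$sfx$n"
}

# verify_with <capath> [verify flags...]: prints ok or fail for the signed message
verify_with() {
  dir=$1; shift
  if openssl smime -verify -in "$WORK/msg.eml" -CApath "$dir" -out /dev/null "$@" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

if command -v openssl >/dev/null 2>&1; then
  new_ca "$WORK/root" "Test Root CA"
  new_ca "$WORK/inter" "Test Intermediate CA" "$WORK/root"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -config "$WORK/inter/ca.cnf" -subj "/CN=Test Signer" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/inter/ca.cnf" -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" 2>/dev/null
  printf 'Subject: test\n\nhello\n' > "$WORK/msg.txt"   # constructed message body
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/inter/ca.pem" -out "$WORK/msg.eml" 2>/dev/null
  # capath_a: both CA certs but only the intermediate's CRL (the situation in the post)
  for d in root inter; do add_to_capath "$WORK/capath_a" "$WORK/$d/ca.pem" cert; done
  add_to_capath "$WORK/capath_a" "$WORK/inter/crl.pem" crl
  # capath_b: capath_a plus the root's own CRL
  cp -R "$WORK/capath_a" "$WORK/capath_b"
  add_to_capath "$WORK/capath_b" "$WORK/root/crl.pem" crl
  # capath_c: like capath_b, but the signer is revoked and the intermediate's CRL reissued
  openssl ca -config "$WORK/inter/ca.cnf" -revoke "$WORK/leaf.pem" 2>/dev/null
  openssl ca -config "$WORK/inter/ca.cnf" -gencrl -out "$WORK/inter/crl2.pem" 2>/dev/null
  for d in root inter; do add_to_capath "$WORK/capath_c" "$WORK/$d/ca.pem" cert; done
  add_to_capath "$WORK/capath_c" "$WORK/root/crl.pem" crl
  add_to_capath "$WORK/capath_c" "$WORK/inter/crl2.pem" crl
  for p in a b c; do
    for f in "" -crl_check -crl_check_all; do
      printf 'capath_%s %-14s %s\n' "$p" "${f:-(none)}" "$(verify_with "$WORK/capath_$p" $f)"
    done
  done
fi
```

The hashed file names are exactly what c_rehash creates as symlinks; the script copies instead of linking, which the by_dir lookup treats the same way. Set WORK to a directory you keep so you can rerun the verify commands under strace, as in the post, and watch which <hash>.r0 files each flag opens.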