On Thu, Aug 26, 2004, Joseph Bruni wrote:

> I did as you suggested and dumped the CRL object from within the validation routine.
> Using the X509_STORE_CTX pointer passed in, I used the current_crl member to get
> to a X509_CRL pointer, and fed that to a PEM_write() routine.
> 
> Interestingly, the PEM_write routine did NOT complain about the CRL. Examining
> the output file, it is exactly correct.
> 

Well PEM_write doesn't make any checks on the CRL validity so if it had an
invalid signature it wouldn't complain.

So using 'openssl crl -in crl.pem -CAfile crlissuer.pem' also verified OK?

> So what's going on? Why am I getting this error (CRL sig failure) when the 
> CRL object is not invalid?
> 

Well that specific error you are getting suggests the signature field of the
CRL isn't being corrupted, and neither is the issuer certificate. The only way to
get that is if the digest of the CRL does not match the signature.

That could be because the signature routines are being confused but I'd think
that is unlikely because other operations would be affected.

The only thing I can think of at this stage is that something (as yet unknown)
is modifying or corrupting one or more of the CRL fields.

Could you send me the original CRL and the one you dumped after it starts
misbehaving along with the issuer CA certificate?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
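Added example, not part of this thread or of OpenSSL's own code: a shell script that reproduces the check suggested in the reply ('openssl crl -in crl.pem -CAfile crlissuer.pem') against a throwaway CA, then alters one digit inside the signed body of the CRL and writes the result back out as PEM. The rewritten file looks perfectly normal, which is the point made about PEM_write above, yet the same check now reports "verify failure", because the digest of the body no longer matches the signature. The CA name, file names and configuration are all constructed here; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Constructed demo: good CRL -> "verify OK"; CRL with one altered body byte ->
# "verify failure", even though it re-encodes to well-formed PEM without complaint.

# Create a scratch CA and an empty CRL signed by it; prints the working directory.
crl_demo_setup() {
    work=$(mktemp -d) || return 1
    # Small CA configuration (constructed): the fields 'openssl ca -gencrl' reads.
    cat > "$work/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = .
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
EOF
    : > "$work/index.txt"
    echo 01 > "$work/serial"
    echo 01 > "$work/crlnumber"
    (
        cd "$work" || exit 1
        # Issuer CA: self-signed certificate plus private key (constructed name)
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
            -subj "/CN=Demo CRL issuer" -days 30 >/dev/null 2>&1 || exit 1
        # Empty CRL signed with the CA key
        openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || exit 1
    ) || return 1
    echo "$work"
}

# The check from the reply: find the issuer in the -CAfile store and verify the
# CRL signature. Echoes openssl's verdict ("verify OK" / "verify failure").
verify_crl() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 || true
}

# Change one digit of thisUpdate inside tbsCertList (the signed part) without
# disturbing the DER structure, then re-emit the CRL as PEM. Writing PEM does
# not check the signature, so the output file looks entirely normal.
corrupt_crl() {
    in=$1; out=$2; der=$out.der
    openssl crl -in "$in" -outform DER -out "$der" 2>/dev/null || return 1
    # Byte offset of the first UTCTIME (thisUpdate); its 13-byte value sits
    # behind a 2-byte tag/length header, so the first digit is at offset + 2.
    off=$(openssl asn1parse -inform DER -in "$der" \
          | awk -F: '/UTCTIME/ {gsub(/ /, "", $1); print $1; exit}')
    [ -n "$off" ] || return 1
    pos=$((off + 2))
    cur=$(dd if="$der" bs=1 skip="$pos" count=1 2>/dev/null)
    if [ "$cur" = "9" ]; then new=8; else new=9; fi
    printf '%s' "$new" | dd of="$der" bs=1 seek="$pos" count=1 conv=notrunc 2>/dev/null || return 1
    openssl crl -inform DER -in "$der" -out "$out" 2>/dev/null
}

# Stand-alone run: the original verifies, the altered copy does not.
main() {
    d=$(crl_demo_setup) || { echo "setup failed (is openssl installed?)"; return 1; }
    echo "original: $(verify_crl "$d/crl.pem" "$d/ca.pem")"
    corrupt_crl "$d/crl.pem" "$d/bad.pem"
    echo "altered : $(verify_crl "$d/bad.pem" "$d/ca.pem")"
    rm -rf "$d"
}

main
```

The altered file is what the original poster would have seen after dumping current_crl: it loads, prints and converts cleanly, and only the signature check reveals that a field no longer matches what was signed. Comparing a dump taken inside the callback against the original CRL byte for byte (for example with 'openssl crl -outform DER' on both and cmp) is the quickest way to spot which field changed.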