On Thu, Dec 09, 2004, prakash babu wrote:

> Hello Steve,
>
> Thanks for your explanation. It was very informative.
>
> In OpenSSL 0.9.7e, while doing the CRL checking, the following steps are
> performed:
>
> a. Caching the original CRL list into cache
> b. Sorting the CRL list.
> c. Searching the given certificate in the sorted CRL list.
> d. Verify the signature using the original CRL list from cache.
>
> Please clarify the following doubts.
>
> 1. Suppose we request the revocation status of many certificates in a
> single request
>
> eg. (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2
> cert3 ....)
>
> Threads are created for each request. So during the first certificate
> verification the revoked list is sorted. During this time all the remaining
> threads must not interfere with the sorting process, so we are locking the
> CRL structure inside the sorting function. Am I right?
>

Only if the application is multithreaded. The openssl verify utility isn't.

> 2. Suppose we request the revocation status of many certificates in a
> single request
>
> eg. (openssl verify -crl_check -CAfile demoCA/crl/chain cert1 cert2
> cert3 ....)
>
> Do we have to verify the CRL signature for each certificate, or is it
> enough to verify the CRL signature only once?
>

The current verify function will verify the signature each time; the cached
encoding will make this quicker than before though.

> 3. We use quick sort and binary search for sorting and searching
> respectively.
> Can we go for a hashing algorithm or indexed search algorithms which
> do not need any sorting?
>

The sorting is only done the first time a CRL is searched. After that it is
already sorted and only the binary search is performed.

> 4. Is the ASN1_ENCODING_enc element added to the X509_crl_info_st structure
> used for caching the original CRL encoded list for verification?
>

Well, it stores the original encoding of the signed portion of the CRL, which
is effectively the same thing.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
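The exchange above talks about the command form `openssl verify -crl_check -CAfile chain cert1 cert2 ...`, where one PEM bundle holds the CA certificate and its CRL and several certificates are checked in one invocation. The following script is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA, issues two certificates, revokes one, publishes a CRL and then runs that exact command form, so the reader can see what a revoked certificate looks like in the output. It assumes only an `openssl` command-line tool (1.1.1 or later) on PATH; the file names, the `ca.cnf` contents, the certificate subjects and the function names `build_demo_pki` and `crl_status` are all constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSSL project): build a throwaway
# CA, issue two certificates, revoke one, publish a CRL, and run the post's
# multi-certificate "openssl verify -crl_check -CAfile chain" command.
# Assumes an openssl 1.1.1-or-later command-line tool on PATH; all file
# names, the ca.cnf contents and the function names are constructed here.

# Build the demo PKI in a temporary directory and print that directory's path.
build_demo_pki() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        # State files that 'openssl ca' expects: index (database), serial,
        # CRL number and the directory for issued certificates.
        mkdir newcerts
        : > index.txt
        echo 1000 > serial
        echo 01 > crlnumber
        # Minimal configuration for 'openssl req' and 'openssl ca' (constructed
        # for this demo; $dir below is an openssl.cnf variable, not a shell one).
        cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
        # Self-signed CA with keyCertSign and cRLSign, so verify accepts its CRL.
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
        openssl req -config ca.cnf -x509 -new -key ca.key -out ca.pem \
            -subj /CN=DemoCA -days 30
        # Two leaf certificates issued by the CA.
        for n in 1 2; do
            openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out cert$n.key
            openssl req -config ca.cnf -new -key cert$n.key -out cert$n.csr -subj /CN=cert$n
            openssl ca -config ca.cnf -batch -notext -in cert$n.csr -out cert$n.pem
        done
        # Revoke cert2, issue the CRL, and bundle CA cert + CRL as the post does.
        openssl ca -config ca.cnf -revoke cert2.pem
        openssl ca -config ca.cnf -gencrl -out crl.pem
        cat ca.pem crl.pem > chain
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# Check one certificate against the CA + CRL bundle; print OK, REVOKED or ERROR.
# 'certificate revoked' is the text OpenSSL prints for verify error 23.
crl_status() {
    if out=$(cd "$1" && openssl verify -crl_check -CAfile chain "$2" 2>&1); then
        echo OK
    elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
        echo REVOKED
    else
        echo ERROR
    fi
}

main() {
    pki=$(build_demo_pki) || { echo "setup failed" >&2; return 1; }
    # The post's form: several certificates in one invocation. The CRL is
    # loaded once from the bundle; exit status is non-zero if any cert fails.
    (cd "$pki" && openssl verify -crl_check -CAfile chain cert1.pem cert2.pem) || true
    for c in cert1.pem cert2.pem; do
        echo "$c: $(crl_status "$pki" "$c")"
    done
    rm -rf "$pki"
}

main
```

The bundle passed to `-CAfile` carries both the CA certificate and the CRL because OpenSSL's file lookup reads certificates and CRLs from the same PEM file, which is why the thread's single `chain` file is enough for `-crl_check`. Note that the exit status of a multi-certificate run is non-zero as soon as one certificate fails, so a script that needs per-certificate results has to either parse the output or call verify once per certificate, as `crl_status` does.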