Hello All,

             The following is a snippet from the code that creates a CRL.
 
                 *****************************************************
                      /* Walk every entry of the index database; each entry is an
                       * array of string fields indexed by the DB_* constants. */
                      for (i=0; i<sk_num(db->db->data); i++)
                        {
                        pp=(char **)sk_value(db->db->data,i);
 
      /* Only entries whose type field is DB_TYPE_REV ('R', revoked) are added to the
       * CRL, each as one X509_REVOKED structure. */
     
                        if (pp[DB_type][0] == DB_TYPE_REV)
                          {
                           /* NOTE(review): return values of the allocators and setters below
                            * (X509_REVOKED_new, ASN1_UTCTIME_new, ASN1_UTCTIME_set_string,
                            * BN_hex2bn, BN_to_ASN1_INTEGER, X509_REVOKED_set_*) are never
                            * checked; a NULL or a failed parse of a db field is silently
                            * carried forward. */
                           r=X509_REVOKED_new();
                           /* tmp, p and str are declared here but not used in this snippet
                            * (declaration after a statement is C99, not C89). */
                           char *tmp,*p,*str;
                           /* Revocation date is taken verbatim from the db's date field. */
                           rtime_str = pp[DB_rev_date];
                           revDate =ASN1_UTCTIME_new();
                           ASN1_UTCTIME_set_string(revDate,rtime_str);
 
            /* Set the revocation date in the X509_REVOKED structure.
             * NOTE(review): if this setter copies its argument (as the OpenSSL set_*
             * setters usually do), revDate is never freed here -- confirm ownership and
             * free it after the call to avoid a per-entry leak. */
                           X509_REVOKED_set_revocationDate(r,revDate);
                           /* Serial is parsed from its hex string form; BN_hex2bn reuses an
                            * existing `serial` BIGNUM across iterations if it is non-NULL. */
                           BN_hex2bn(&serial, pp[DB_serial]);
                           tmpser = BN_to_ASN1_INTEGER(serial, NULL);
 
            /* Set the serial number in the X509_REVOKED structure.
             * NOTE(review): same ownership question as revDate -- tmpser is not freed. */
                           X509_REVOKED_set_serialNumber(r, tmpser);
                           /* add0: ownership of r passes to crl (OpenSSL's add0 convention);
                            * r must not be freed by this code afterwards. */
                           X509_CRL_add0_revoked(crl,r);
                          }
 
          /* Sort the revoked-entry list before signing, so the signature below is
           * computed over the encoding of the sorted CRL. */
                      X509_CRL_sort(crl);
 
           /* Sign the CRL.
            * NOTE(review): EVP_md5() is a collision-broken digest and should not be
            * used for new signatures; a SHA-2 digest such as EVP_sha256() is the
            * appropriate choice for a CRL signature. The return value is unchecked,
            * so a signing failure (e.g. key/digest mismatch) goes unnoticed. */
                      X509_CRL_sign(crl,pkey,EVP_md5());
                     
              **********************************************************                     
                     
  * The CRL is sorted before the CRL signature is created.
  * So the signature covers the sorted CRL, i.e. the DER encoding of the revoked list in sorted order.
    Why would the original (unsorted) order be needed for CRL signature verification?
 
Thanks,
Prakash
 


