Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it
seems that it will add any certificates found in the file to the trusted
store, which is undesirable behaviour.
What, then, is the correct way to load CRLs from a file containing both
the CRLs themselves and any non-root certificates needed to verify the
signatures of those CRLs? The certificates in the file should all
ultimately be signed by a common root CA, which I already have in my
trusted store.
I'm thinking of something like this:
- Iterate over the file, loading each X509 object.
- If it's a certificate, verify its signature against my trusted store,
and if it passes, load it into the same store.
- If it's a CRL, verify its signature against my trusted store, and if
it passes, load it into the store.
I can verify a certificate, but how does one verify a CRL?
Also, what should be done when there is a new, replacement CRL file? Is
it possible to remove the existing CRLs from the store before performing
the above process on the new file?
Regards,
Dan.
--
Dan Ellis, Software Engineer, BSC Team
ip.access ltd < http://www.ipaccess.com >
Building 2020, Cambourne Business Park, Cambourne, Cambridge, CB3 6DW
Tel: 01954 713790, Fax: 01954 713799
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]