On Tue, Dec 05, 2006, Dan Ellis wrote:

> Looking at the code of X509_load_cert_crl_file (OpenSSL 0.9.7e), it 
> seems that it will add any certificates found in the file to the trusted 
> store, which is undesirable behaviour.
> 
> What, then, is the correct way to load CRLs from a file containing both 
> the CRLs themselves and any non-root certificates needed to verify the 
> signatures of those CRLs? The certificates in the file should all
> ultimately be signed by a common root CA, which I already have in my
> trusted store.
> 
> I'm thinking of something like this:
> - Iterate over the file, loading each X509 object.
> - If it's a certificate, verify its signature against my trusted store, 
> and if it passes, load it into the same store.
> - If it's a CRL, verify its signature against my trusted store, and if 
> it passes, load it into the store.
> 
> I can verify a certificate, but how does one verify a CRL?
> 

A CRL signature is verified before use so there is no need to verify it before
adding it to the store.

The certificate needed to verify the CRL signature will be part of the
certificate chain during normal chain verification.

> Also, what should be done when there is a new, replacement CRL file? Is 
> it possible to remove the existing CRLs from the store before performing 
> the above process on the new file?
> 

The CRL handling in 0.9.7 and 0.9.8 doesn't support this with the built-in
stores. It is possible to override the get_crl() callback used during
verification to supply whichever CRL is needed.

The latest dev version allows multiple CRLs from the same issuer to be added to
the store and it will automatically retrieve and use the correct one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
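As an added example (not from this thread, and not OpenSSL's own code), here is the procedure Dan outlines, written as a loader that treats certificates found in the CRL file as untrusted intermediates instead of adding them to the trusted store the way X509_load_cert_crl_file does. It assumes the Python `cryptography` package is installed and stands in for the OpenSSL C API; the root, intermediate, "rogue" CA and CRLs it checks are constructed inside the block.

```python
import datetime as dt
import re
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
PEM_RE = re.compile(rb"-----BEGIN (X509 CRL|CERTIFICATE)-----.*?-----END \1-----\n", re.S)
NOW = dt.datetime(2006, 12, 5)  # fixed clock for the constructed sample data
def _sig_ok(obj, issuer_pub):  # ECDSA signature check of a cert or CRL against the issuer key
    tbs = obj.tbs_certificate_bytes if isinstance(obj, x509.Certificate) else obj.tbs_certlist_bytes
    try:
        issuer_pub.verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def load_crls(bundle_pem, trusted_roots):
    """Return the CRLs whose signer chains to a trusted root. Bundle certs start untrusted
    (unlike X509_load_cert_crl_file) and are promoted only when a trusted issuer signed them."""
    objs = [(m.group(1), m.group(0)) for m in PEM_RE.finditer(bundle_pem)]
    certs = [x509.load_pem_x509_certificate(p) for k, p in objs if k == b"CERTIFICATE"]
    crls = [x509.load_pem_x509_crl(p) for k, p in objs if k == b"X509 CRL"]
    trusted = {c.subject.rfc4514_string(): c for c in trusted_roots}
    for c in certs:  # one pass: intermediates must appear issuer-first in the file
        issuer = trusted.get(c.issuer.rfc4514_string())
        if issuer is not None and _sig_ok(c, issuer.public_key()):
            trusted[c.subject.rfc4514_string()] = c
    return [crl for crl in crls
            if (i := trusted.get(crl.issuer.rfc4514_string())) is not None
            and _sig_ok(crl, i.public_key())]

def _cert(cn, issuer, issuer_key, key):  # minimal EC-signed cert; constructed sample data
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

def build_bundle():  # constructed sample: root (trusted), intermediate + CRL, rogue CA + CRL
    rk, ik, xk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _cert("Test Root", None, rk, rk)
    inter = _cert("Test Intermediate", root, rk, ik)
    rogue = _cert("Rogue CA", None, xk, xk)
    def crl(issuer, key):  # empty CRL signed with the issuer's key
        return (x509.CertificateRevocationListBuilder().issuer_name(issuer.subject)
                .last_update(NOW).next_update(NOW + dt.timedelta(days=7)).sign(key, hashes.SHA256()))
    pem = lambda o: o.public_bytes(serialization.Encoding.PEM)
    return root, pem(inter) + pem(crl(inter, ik)) + pem(rogue) + pem(crl(rogue, xk))
```

With only the root trusted, the intermediate's CRL is accepted and the rogue CA's CRL is dropped even though the rogue certificate sits in the same file; with an empty trusted set nothing is accepted.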