Hi, I'm trying to use indirect CRLs in my application. I cannot figure out how
to get the CRL signer's cert to be verified though. I keep getting "CRL path
validation error".
I do something like this:

    cs_ctx = X509_STORE_CTX_new();
    if (!cs_ctx) {
        error = "malloc error";
        goto CERTIFICATE_VERIFY_FAILURE;
    }
    /* cert: the end-entity certificate to verify; untrusted: candidate intermediates */
    if (!X509_STORE_CTX_init(cs_ctx, cert_store, cert, untrusted)) {
        error = "error initializing cs_ctx";
        goto CERTIFICATE_VERIFY_FAILURE;
    }
    /* use 'trusted' as the trust anchors instead of the store's own certificates */
    X509_STORE_CTX_trusted_stack(cs_ctx, trusted);
    if (purpose) X509_STORE_CTX_set_purpose(cs_ctx, purpose);
    /* set0: the context does not take ownership of the CRL stack */
    if (crls) X509_STORE_CTX_set0_crls(cs_ctx, crls);
    verifyResult = X509_verify_cert(cs_ctx);
Where 'untrusted' is a stack of potential intermediate CAs, 'trusted' is a
stack of trusted root CAs, 'crls' is a stack of CRLs, and 'cert_store' was set up
previously.
I have tried chains like this:

    RootCert-+->IndCRLSigner(crldp=http://x.y.z,issrname=IndCRLSigner)->crl
             |
             +->EndEntityCert(crldp=http://x.y.z,issrname=IndCRLSigner)

CRL IDP == http://x.y.z
Thanks
Adam Rosenstein,
Red Condor