On Tue, Nov 03, 2009, Adam Rosenstein wrote:

> I definitely get better results with the latest snapshot. However I still
> don't get my "0 depth lookup:certificate revoked" but instead get a "0 depth
> lookup:CRL path validation error"
>
> Looking at the differences between my application logic and verify.c, I see
> that the command line uses an X509 Lookup with a file source for -CAFile,
> whereas I simply pass in a trusted chain in my verify call, which I can
> achieve in the verify app using the -trusted command line switch instead.
>
> /opt/openssl_1_0_0/bin/openssl verify -x509_strict -verbose -crl_check
> -extended_crl -CRLfile /tmp/ind.crl -untrusted /tmp/CA0iCRL.pem -trusted
> /tmp/CA0.pem /tmp/AdamRosenstein.pem
> /tmp/AdamRosenstein.pem: O = Red Condor, OU = PKI, CN = CA0iCRL
> [CRL path]error 20 at 0 depth lookup:unable to get local issuer certificate
> O = Red Condor, OU = PKI, CN = AdamRosenstein
> error 54 at 0 depth lookup:CRL path validation error
>
> Am I misunderstanding the intention of the trusted stack? Does openssl
> provide an in-memory x509 lookup method (from a stack of X509 *'s) or do I
> have to roll my own?
>
> Thanks for all of your answers Dr Henson,

Ah that must be a problem with the trusted stack stuff. I'll check that.

You can get an in-memory store by doing:

    store = X509_STORE_new();
    /* Do this for each cert */
    X509_STORE_add_cert(store, cert);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org