Here are some more interesting points that I'm banging my head against the wall until I find the answer:

- Overwriting get_crl forces you to provide your own CRL checking logic as well. Specifically two things need to be set during this check which are required within check_cert(): a) score of this CRL, b) current_reasons. For now -- just to get going to the next step -- I had to come up with the following kludge in my get_crl():

    /* Score bits to mark this CRL as having passed the checks the verifier
     * would otherwise run itself (critical extensions, validity time, scope, path) */
    #define CRL_SCORE_VALID (/*CRL_SCORE_NOCRITICAL*/ 0x100 | /*CRL_SCORE_TIME*/ 0x040 | \
                             /*CRL_SCORE_SCOPE*/ 0x080 | /*CRL_SCORE_SAME_PATH*/ 0x008)

    ctx->current_crl_score |= CRL_SCORE_VALID;
    ctx->current_reasons = 0x807f;  /* CRLDP_ALL_REASONS: all revocation reasons covered */

- It isn't clear if I need to add my CRL -- after being downloaded -- to the X509_STORE within get_crl(). For now I have added it similar to the following:

    int rc;
    /* Only add the CRL if the store has none yet for this issuer */
    STACK_OF(X509_CRL) *crl_sk = X509_STORE_get1_crls(ctx, X509_CRL_get_issuer(*crl));
    if (!sk_X509_CRL_num(crl_sk)) {
        if ((rc = X509_STORE_add_crl(ctx->ctx, *crl)) <= 0)
            break;  /* leaves the enclosing loop of the callback on failure */
    }
    /* get1 hands back up-referenced CRLs, so release them with the stack */
    sk_X509_CRL_pop_free(crl_sk, X509_CRL_free);

- It seems that at the end of the chain, when usually there is a self-signing certificate, one will end up with two of the same calls to get_crl() with the same issuer. There is a possibility that one could check X509_STORE and fill the passed parameter X509_CRL** with that.

- For certificates which do not have a CRL distribution point, what is one supposed to do? Return 0 or 1? What should the X509_CRL** be filled with?

thanks
Jeff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
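The three behaviours the post asks about (the score and reasons fields that check_cert() expects get_crl() to fill in, caching the downloaded CRL in the store so the repeated lookup for the self-signed root does not fetch it twice, and a certificate with no distribution point) can be played through in a small model. The block below is an added example, not OpenSSL code and not the code from the post: Cert, Crl, Store, VerifyCtx, my_get_crl, check_cert, run_chain, chain_downloads, run_no_cdp, MAX_ROUNDS and the ERR_* codes are made up for the model, the three-certificate chain and its CDP URLs are constructed sample data, and the CRL_SCORE_* and CRLDP_ALL_REASONS bit values are the ones quoted in the post. It goes one step beyond the post by also running the case where the callback never sets current_reasons: the real loop in check_cert() only exits once the reasons mask equals CRLDP_ALL_REASONS, so the model bounds it with MAX_ROUNDS to make the failure visible.

```c
/* Added model, not OpenSSL or the poster's code: a toy reconstruction of the
 * check_cert()/get_crl() interaction. Types, names and error codes are
 * assumptions; the bit values are the ones quoted in the post. */
#include <stdio.h>
#include <string.h>

#define CRL_SCORE_SAME_PATH   0x008
#define CRL_SCORE_TIME        0x040
#define CRL_SCORE_SCOPE       0x080
#define CRL_SCORE_NOCRITICAL  0x100
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE | CRL_SCORE_SAME_PATH)
#define CRLDP_ALL_REASONS     0x807f   /* every revocation reason covered */

#define MAX_CRLS   8
#define MAX_ROUNDS 8   /* guard the model adds; the verifier's loop has none */

enum { ERR_NONE = 0, ERR_UNABLE_TO_GET_CRL, ERR_CRL_SCORE, ERR_LOOP };

typedef struct { const char *subject, *issuer, *cdp; } Cert;  /* cdp == NULL: no distribution point */
typedef struct { const char *issuer; } Crl;
typedef struct { Crl crls[MAX_CRLS]; int n; int downloads; } Store;
typedef struct { Store *store; unsigned score, reasons; int err, set_reasons; } VerifyCtx;

/* Store lookup by issuer name, the role X509_STORE_get1_crls() plays in the post. */
static Crl *store_find(Store *s, const char *issuer) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->crls[i].issuer, issuer) == 0) return &s->crls[i];
    return NULL;
}

/* Stand-in for downloading the CDP; every call counts as one network fetch. */
static Crl *fetch_and_cache(Store *s, const char *cdp, const char *issuer) {
    (void)cdp;
    if (s->n == MAX_CRLS) return NULL;
    s->downloads++;
    s->crls[s->n].issuer = issuer;
    return &s->crls[s->n++];
}

/* Model of a custom get_crl callback: consult the store first, then the CDP. */
static int my_get_crl(VerifyCtx *ctx, Crl **out, const Cert *x) {
    Crl *c = store_find(ctx->store, x->issuer);
    if (c == NULL) {
        if (x->cdp == NULL) return 0;                 /* nowhere to fetch from */
        c = fetch_and_cache(ctx->store, x->cdp, x->issuer);
        if (c == NULL) return 0;
    }
    ctx->score |= CRL_SCORE_VALID;                    /* the post's kludge */
    if (ctx->set_reasons) ctx->reasons = CRLDP_ALL_REASONS;
    *out = c;
    return 1;
}

/* Model of check_cert(): keeps calling get_crl until every reason is covered. */
static int check_cert(VerifyCtx *ctx, const Cert *x) {
    int rounds = 0;
    ctx->score = 0;
    ctx->reasons = 0;
    while (ctx->reasons != CRLDP_ALL_REASONS) {
        Crl *crl = NULL;
        if (++rounds > MAX_ROUNDS) { ctx->err = ERR_LOOP; return 0; }
        if (!my_get_crl(ctx, &crl, x)) { ctx->err = ERR_UNABLE_TO_GET_CRL; return 0; }
        if ((ctx->score & CRL_SCORE_VALID) != CRL_SCORE_VALID) { ctx->err = ERR_CRL_SCORE; return 0; }
        /* a real check_crl()/cert_crl() would validate crl and look x up in it here */
    }
    return 1;
}

/* Constructed chain: leaf -> intermediate -> self-signed root (issuer == subject). */
static const Cert CHAIN[] = {
    { "leaf",         "intermediate", "http://crl.example/int.crl"  },
    { "intermediate", "root",         "http://crl.example/root.crl" },
    { "root",         "root",         "http://crl.example/root.crl" },
};

/* Walk the chain; returns the model's error code and, optionally, the fetch count. */
int run_chain(int set_reasons, int *downloads) {
    Store store = {0};
    VerifyCtx ctx = { &store, 0, 0, ERR_NONE, set_reasons };
    for (int i = 0; i < 3; i++)
        if (!check_cert(&ctx, &CHAIN[i])) break;
    if (downloads) *downloads = store.downloads;
    return ctx.err;
}

int chain_downloads(int set_reasons) { int d = 0; run_chain(set_reasons, &d); return d; }

/* A certificate with no distribution point and no cached CRL for its issuer. */
int run_no_cdp(void) {
    Store store = {0};
    VerifyCtx ctx = { &store, 0, 0, ERR_NONE, 1 };
    Cert c = { "leaf", "issuer-without-crl", NULL };
    check_cert(&ctx, &c);
    return ctx.err;
}

int main(void) {
    printf("chain, reasons set:   err=%d downloads=%d\n", run_chain(1, NULL), chain_downloads(1));
    printf("chain, reasons unset: err=%d downloads=%d\n", run_chain(0, NULL), chain_downloads(0));
    printf("no CDP:               err=%d\n", run_no_cdp());
    return 0;
}
```

With reasons set, the three certificates cost two downloads: the root's CRL is fetched once for the intermediate and then served from the store when the self-signed root asks for the same issuer again, which is the caching the post's third point suggests. With reasons left unset the model hits its round guard on the very first certificate, the analogue of the verifier calling the callback over and over. The certificate without a distribution point fails with the model's unable-to-get-CRL code, which corresponds to the X509_V_ERR_UNABLE_TO_GET_CRL that OpenSSL reports when get_crl returns 0.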