> Try supplying your own lookup_crls() implementation instead. This can be much
> simpler and just needs to return any CRLs which match the supplied X509_NAME
> value. If there are multiple CRLs it will pick the most appropriate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
That's a lot better. Thanks.

I'd like to describe the steps I'm taking in my lookup function. If someone could verify them I would be grateful:

1. Try to get CRLs by calling X509_STORE_get1_crls() with the passed arguments.
2. If the stack is not empty, return it to the caller.
3. Otherwise, get the current certificate's CRL distribution point by using X509_STORE_CTX_get_current_cert() and a bunch of other lines I pasted in my other email.
4. Get the CRL by fetching the URL.
5. Now do another call to the store based on the name of the CRL issuer: X509_STORE_get1_crls(ctx, X509_CRL_get_issuer(crl))
6. If this call returns any CRLs, that means the CRL existed in the store but the CRL issuer was different from the certificate issuer. (If I understood the spec correctly, this is quite possible.)
7. If no CRLs were found, then add the downloaded CRL: X509_STORE_add_crl()
8. Do another call to X509_STORE_get1_crls() and return the results.