Never mind, I found an extremely ugly solution:

1) I split the extracted signature (signers.tmp) into single signature files (signer1.tmp and signer2.tmp) with a Python script

2) I test them both with the following command, using as CAfile the complete one:
openssl verify -verbose -CRLfile "chain.tmp" -CAfile "signers.tmp" -CApath ./cadir -crl_check_all "signer1.tmp" "signer2.tmp"

This way it works and correctly recognizes whether a certificate has been revoked. If anyone comes up with a cleaner solution I'd really like to hear about it!

Mario

On 1 Mar 2012, at 15:58, Jakob Bohm wrote:

> On 3/1/2012 12:41 PM, mario piccinelli wrote:
>> Hi everyone
>>
>> I'm stuck with a situation about openssl and I really don't know how to get
>> out.
>>
>> What I'm trying to do is build a three level chain to sign files:
>> - a root cert
>> - a user cert
>> - an end cert
>>
>> At the user level a revocation list can be produced to revoke the user's end
>> certs.
>> I create a PEM file with a detached signature, and I include in that the
>> user cert and the end cert.
>>
>> After receiving the file, I do the following:
>> - concatenate all the CRLs AND the root cert in a single file named chain.tmp
>> - extract the certs from the SMIME message:
>> openssl pkcs7 -print_certs -in "data.p7m" -out "signers.tmp"
>>
>> then I try to verify the signers' certs (user cert and end cert) in
>> signers.tmp with the CRLs and root cert in chain.tmp:
>>
>> openssl verify -CAfile "chain.tmp" -crl_check "signers.tmp"
> What makes you think the CRLs should be in the file passed as -CAfile
> argument?
>> but I always get the error: unable to get certificate CRL
>>
>> I'm sure the CRL is correctly included in chain.tmp.. what am I doing wrong?
>> I noticed that if I remove the root cert from chain.tmp it (obviously)
>> complains about the lack of issuer certificate.. but it seems unable to see
>> the CRL in the same file!
>>
>> Thanks to anyone who took the time even for reading through all of this :-)
>>
>
> --
> Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
> This message is only for its intended recipient, delete if misaddressed.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org

Mario Piccinelli
---------------------------------------
"Dreamers come and go, but a dream's forever
Freedom for all minds, let us go together
Neverending ways, got to roam forever
Always carry on!"
---------------------------------------
Mail/Gtalk: mario.piccine...@gmail.com (GNUPG Key id: EE74003E)
MSN: iamtheheroyoutr...@email.it
Web: http://www.mariopiccinelli.it
Blog: http://piccimario.wordpress.com
Skype: piccimario
Mobile (NEW!!!): 392-2488673
---------------------------------------
Proud & Happy Mac (and Linux) User
---------------------------------------
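The whole procedure discussed in this thread, as an added, runnable example (it is not code from the thread or from the OpenSSL project): a root -> user -> end chain, a CRL issued by the user CA that revokes one end cert, a detached PEM PKCS#7 signature carrying the end cert and the user cert, the signer certs extracted with `openssl pkcs7 -print_certs`, split into one file each and verified one by one. It differs from the command above in one respect: `openssl verify` is given only the root as -CAfile and the extracted certs as -untrusted, so the intermediate is never promoted to a trust anchor, and the CRLs go in -CRLfile. Every file and CA name (pki.cnf, root/user/end1/end2, the good/bad prefixes, crls.pem) is this example's own choice; it needs only the openssl CLI and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the thread: three-level chain, user-level CRL,
# detached PKCS#7 signature, signer certs extracted, split and verified with
# the CRLs passed via -CRLfile. All file/CA names are this example's own.
set -eu

# write_cnf DIR: x509 extensions plus one `openssl ca` section per CA
# (database + crlnumber file each), enough for both CAs to issue CRLs.
write_cnf() {
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[end_ext]
basicConstraints = CA:FALSE
[root_ca]
database = $1/root.db
crlnumber = $1/root.crlnum
certificate = $1/root.pem
private_key = $1/root.key
default_md = sha256
[user_ca]
database = $1/user.db
crlnumber = $1/user.crlnum
certificate = $1/user.pem
private_key = $1/user.key
default_md = sha256
EOF
}

# mkcert DIR NAME ISSUER EXTSECTION: key, CSR and cert (self-signed when
# NAME = ISSUER). CA certs carry cRLSign, which CRL checking demands of an issuer.
mkcert() {
    d=$1 n=$2 iss=$3 ext=$4
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    openssl req -new -key "$d/$n.key" -subj "/CN=$n" -config "$d/pki.cnf" -out "$d/$n.csr"
    if [ "$n" = "$iss" ]; then
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 30 \
            -extfile "$d/pki.cnf" -extensions "$ext" -out "$d/$n.pem"
    else
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$iss.pem" -CAkey "$d/$iss.key" \
            -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions "$ext" -out "$d/$n.pem"
    fi
}

# mkcrl DIR CANAME [CERT_TO_REVOKE]: optionally revoke, then issue a CRL. An
# empty CRL is still a CRL, and -crl_check_all wants one from every issuer.
mkcrl() {
    d=$1 ca=$2
    : > "$d/$ca.db"; echo 01 > "$d/$ca.crlnum"
    if [ $# -gt 2 ]; then
        openssl ca -config "$d/pki.cnf" -name "${ca}_ca" -revoke "$3"
    fi
    openssl ca -config "$d/pki.cnf" -name "${ca}_ca" -gencrl -crldays 30 -out "$d/$ca.crl"
}

# sign_and_extract DIR ENDNAME PREFIX: detached PEM PKCS#7 signature carrying the
# end cert and the user cert; the extracted certs (PREFIX.signers.tmp) are then
# split into PREFIX1.tmp, PREFIX2.tmp, ... the way the poster does with a script.
sign_and_extract() {
    d=$1 n=$2 p=$3
    openssl smime -sign -in "$d/data.txt" -signer "$d/$n.pem" -inkey "$d/$n.key" \
        -certfile "$d/user.pem" -outform PEM -out "$d/$p.p7m"
    openssl pkcs7 -in "$d/$p.p7m" -print_certs -out "$d/$p.signers.tmp"
    awk -v p="$d/$p" '/-----BEGIN CERTIFICATE-----/ { n++; f = p n ".tmp" }
                      n > 0 { print > f }' "$d/$p.signers.tmp"
}

# verify_signers DIR PREFIX: check each split cert with the root as the only
# trust anchor, the extracted certs as untrusted chain material and the CRLs
# from -CRLfile; returns 1 if any cert fails (for instance because it is revoked).
verify_signers() {
    d=$1 p=$2 rc=0
    for c in "$d/$p"[0-9]*.tmp; do
        openssl verify -CAfile "$d/root.pem" -untrusted "$d/$p.signers.tmp" \
            -CRLfile "$d/crls.pem" -crl_check_all "$c" || rc=1
    done
    return $rc
}

# setup_pki DIR: the PKI, a signature from a valid end cert ("good") and one
# from the end cert the user CA has revoked ("bad").
setup_pki() {
    d=$1
    write_cnf "$d"
    mkcert "$d" root root ca_ext
    mkcert "$d" user root ca_ext
    mkcert "$d" end1 user end_ext
    mkcert "$d" end2 user end_ext
    echo "payload to sign" > "$d/data.txt"
    mkcrl "$d" root                      # empty CRL from the root
    mkcrl "$d" user "$d/end2.pem"        # the user CA revokes end2
    cat "$d/root.crl" "$d/user.crl" > "$d/crls.pem"   # CRLs only, no certs here
    sign_and_extract "$d" end1 good
    sign_and_extract "$d" end2 bad
}

WORK=$(mktemp -d)
setup_pki "$WORK"
verify_signers "$WORK" good
verify_signers "$WORK" bad || echo "signature from the revoked end cert rejected"
```

Because -crl_check_all checks revocation for every certificate in the chain, the root included, the concatenated -CRLfile has to carry a CRL from the root as well as from the user CA. Drop root.crl from crls.pem and verifying the user cert fails with "unable to get certificate CRL" (X509_V_ERR_UNABLE_TO_GET_CRL), while -crl_check alone checks only the certificate being verified against its own issuer's CRL. Keeping the trust anchor, the untrusted intermediates and the CRLs in three separate inputs is what makes the outcome depend on the right thing: which CA you actually trust, not which certs happened to be inside the signature.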