Re: [openssl-users] CRL signature verification

2017-10-19 Thread Salz, Rich via openssl-users
➢ I was more talking about the parsing. Currently I have 40 LOC [1] to Look at X509_get1_ocsp which is in crypto/x509v3/v3_utl.c. That’s in 1.0.2 and later. ➢ > X509_CRL_verify. And yes, looking through to find the serial# is what you have to do. ➢ That's 1.1-specific, correct?

Re: [openssl-users] CRL signature verification

2017-10-19 Thread Wouter Verhelst
Hi Rich, On 18-10-17 17:46, Salz, Rich via openssl-users wrote: > ➢ I used libcrypto to parse out the OCSP URL from the certificate, validate > it against a whitelist of valid OCSP URLs, send an OCSP request and > validate the response and its signature against a custom certificate > st

Re: [openssl-users] CRL signature verification

2017-10-18 Thread Salz, Rich via openssl-users
➢ I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result. Two points on that: ➢ -

[openssl-users] CRL signature verification

2017-10-18 Thread Wouter Verhelst
Hi, I have an application which wants to do verification of a certificate. Not in the context of a context or a signature, but simply to verify if the certificates are still valid and from a source that is correct in the context in which the application runs. I used libcrypto to parse out the OCS

Re: CRL Signature verification

2004-12-29 Thread Dr. Stephen Henson
> > > * The CRL is sorted before creating the CRL signature. > * So the signature is that of the sorted CRL. > Why do we need to original order for CRL Signature verification? > Because CRLs not generated by OpenSSL m

CRL Signature verification

2004-12-29 Thread prakash babu
L_sign(crl,pkey,EVP_md5()); ** * The CRL is sorted before creating the CRL signature. * So the signature is that of the sorted CRL. Why do we need to original order for CRL