How to verify a PKCS#7 signature with CRL checking?
Edson Watanabe
certificate revocation? PKCS7_verify() does a very
good job, but its source (crypto/pkcs7/pk7_smime.c)
has this comment:
--- snip ----
/*Check for revocation status here */
--- snip ----
Does that mean that I must check the certificates
manually? Or calling X509_STORE_add_crl is enough?
What must I do for checking CRL's? (Reading the
source brings several CRL-related routines like
d2i_x509_CRL_fp, X509_STORE_add_crl etc).
I hope that anyone can help me.
Thanks!
Edson E. Watanabe
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year! http://personal.mail.yahoo.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Dr S N Henson
>
> How to verify a PKCS#7 signature checking for
> certificate revocation? PKCS7_verify() does a very
> good job, but its source (crypto/pkcs7/pk7_smime.c)
> has this comment:
>
> --- snip ----
> /*Check for revocation status here */
> --- snip ----
>
> Does that mean that I must check the certificates
> manually? Or calling X509_STORE_add_crl is enough?
>
It means that revocation checking might be placed there but alas it
isn't so far. You have to do revocation checking manually at present by
loading a CRL and seraching for the relevant serial number.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.