How to verify a PKCS#7 signature with CRL checking?

Edson Watanabe

Feb 20, 2001, 4:44:18 PM
How to verify a PKCS#7 signature checking for
certificate revocation? PKCS7_verify() does a very
good job, but its source (crypto/pkcs7/pk7_smime.c)
has this comment:

--- snip ----
/*Check for revocation status here */
--- snip ----

Does that mean that I must check the certificates
manually? Or calling X509_STORE_add_crl is enough?

What must I do for checking CRL's? (Reading the
source brings several CRL-related routines like
d2i_x509_CRL_fp, X509_STORE_add_crl etc).

I hope that anyone can help me.

Thanks!

Edson E. Watanabe

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr S N Henson

Feb 20, 2001, 6:15:42 PM
Edson Watanabe wrote:
>
> How to verify a PKCS#7 signature checking for
> certificate revocation? PKCS7_verify() does a very
> good job, but its source (crypto/pkcs7/pk7_smime.c)
> has this comment:
>
> --- snip ----
> /*Check for revocation status here */
> --- snip ----
>
> Does that mean that I must check the certificates
> manually? Or calling X509_STORE_add_crl is enough?
>

It means that revocation checking might be placed there but alas it
isn't so far. You have to do revocation checking manually at present by
loading a CRL and searching for the relevant serial number.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: she...@drh-consultancy.demon.co.uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: d...@celocom.com PGP key: via homepage.