My case: We have an AC with 2 public keys, one is used to sign our SmartCard certificate and the other is used to sign the CRL according to the SmartCard certificate. The DN is the same for both keys but the Subject Key Identifiers are different. When you look into the certificate and the CRL, you then have two different Authority Key Identifiers. We are 100% X509v3 compliant in our certificate structure.

When I want to authenticate a client certificate, I have this message: "Invalid signature on CRL". I know why. In the pkg.sslmod/ssl_engine_kernel.c file, in the function ssl_callback_SSLVerify_CRL(), there is this part:

    /*
     * Verify the signature on this CRL
     */
    if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
        ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL");
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
        X509_OBJECT_free_contents(&obj);
        return FALSE;
    }

I suppose that it means you check the CRL signature with the AC who signed the client certificate, which is wrong in my case. The X509v3 RFC allows signing the CRL with another key (with the same DN). We are, maybe, the only ones in the world who are using this functionality, but it's in the STANDARD.

Because I am not a C programmer and I have no skills in it, the C code needs to be updated to manage this case. Can you help me?

Kind Regards,
Philippe Jourdain (mailto:[EMAIL PROTECTED])

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
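The situation described in the post, as an added example that is not part of the original message and not mod_ssl's code: a Go program (standard library only, crypto/x509 from Go 1.19 or later) that builds a constructed test PKI with one CA DN and two keys, where key A issues the client certificate and key B issues the CRL. Verifying the CRL with the client's issuer key, which is what the quoted mod_ssl check does, fails; selecting the CRL issuer by issuer DN plus Authority Key Identifier, as RFC 5280 permits, succeeds. All names, serial numbers and key identifiers are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the demo setup stays short; not a pattern for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoPKI is a constructed test PKI: one CA DN, two keys. certSigningCA issues
// the client certificate; crlSigningCA (same DN, different SKI) issues the CRL.
type demoPKI struct {
	certSigningCA, crlSigningCA, client *x509.Certificate
	crl                                 *x509.RevocationList
}

// selfSignedCA builds a self-signed CA certificate with an explicit, constructed SKI.
func selfSignedCA(name pkix.Name, serial int64, usage x509.KeyUsage, ski []byte, key *ecdsa.PrivateKey) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: name,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: usage, SubjectKeyId: ski,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func buildDemoPKI() *demoPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	keyA, keyB, clientKey := newKey(), newKey(), newKey()
	// Constructed DN shared by both CA certificates (the "AC" of the post).
	caName := pkix.Name{Organization: []string{"Example Org"}, CommonName: "Example Smartcard CA"}
	caA := selfSignedCA(caName, 1, x509.KeyUsageCertSign, []byte{0xA1, 0xA2, 0xA3, 0xA4}, keyA)
	caB := selfSignedCA(caName, 2, x509.KeyUsageCRLSign, []byte{0xB1, 0xB2, 0xB3, 0xB4}, keyB)

	now := time.Now()
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "smartcard user"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER := must(x509.CreateCertificate(rand.Reader, clientTmpl, caA, &clientKey.PublicKey, keyA))
	client := must(x509.ParseCertificate(clientDER))

	// The CRL revokes the client certificate and is signed by keyB, so its
	// Authority Key Identifier is caB's SKI, not caA's.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, caB, keyB))
	return &demoPKI{certSigningCA: caA, crlSigningCA: caB, client: client, crl: must(x509.ParseRevocationList(crlDER))}
}

// findCRLIssuer selects the trusted CA certificate the CRL is actually signed by:
// same issuer DN and, when the CRL carries an Authority Key Identifier, a matching
// Subject Key Identifier. Only a candidate whose key verifies the signature is returned.
func findCRLIssuer(crl *x509.RevocationList, trusted []*x509.Certificate) (*x509.Certificate, error) {
	for _, ca := range trusted {
		if !bytes.Equal(ca.RawSubject, crl.RawIssuer) {
			continue
		}
		if len(crl.AuthorityKeyId) > 0 && !bytes.Equal(crl.AuthorityKeyId, ca.SubjectKeyId) {
			continue
		}
		if err := crl.CheckSignatureFrom(ca); err == nil {
			return ca, nil
		}
	}
	return nil, errors.New("no trusted CA with matching issuer DN and key identifier verifies this CRL")
}

// isRevoked reports whether cert's serial number appears in the CRL.
func isRevoked(crl *x509.RevocationList, cert *x509.Certificate) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	p := buildDemoPKI()
	// What the quoted mod_ssl check does: verify the CRL with the key that signed the client cert.
	fmt.Println("verify with client's issuer key:", p.crl.CheckSignatureFrom(p.certSigningCA))
	ca, err := findCRLIssuer(p.crl, []*x509.Certificate{p.certSigningCA, p.crlSigningCA})
	if err != nil {
		fmt.Println("AKI-aware lookup failed:", err)
		return
	}
	fmt.Printf("AKI-aware lookup selected CA with SKI %x; client revoked: %v\n", ca.SubjectKeyId, isRevoked(p.crl, p.client))
}
```

The candidate set passed to findCRLIssuer must be the trust store, not the certificate chain of the client being verified: the CRL-signing certificate is never in that chain when a separate key is used. Matching on the Authority Key Identifier before trying a signature also avoids a brute-force loop over every CA with the same DN, and the final CheckSignatureFrom keeps a DN/AKI match alone from being treated as trust.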