Full_Name: Philippe Jourdain
Version: 2.8.8
OS: Linux & Windows
Submission from: (NULL) (62.23.37.12)
My case: We have a CA with 2 public keys, one is used to sign our SmartCard certificate and the other is used to sign the CRL corresponding to the SmartCard certificate. The DN is the same for both keys but the Subject Key Identifiers are different. When you look into the certificate and the CRL, you then have two different Authority Key Identifiers. We are 100% X509v3 compliant in our certificate structure.

When I want to authenticate a client certificate, I get this message: Invalid signature on CRL. I know why. In the pkg.sslmod/ssl_engine_kernel.c file, in the function ssl_callback_SSLVerify_CRL() there is this part:

    /*
     * Verify the signature on this CRL
     */
    if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) {
        ssl_log(s, SSL_LOG_WARN, "Invalid signature on CRL");
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
        X509_OBJECT_free_contents(&obj);
        return FALSE;
    }

I suppose that means you check the CRL signature with the CA that signed the client certificate. Which is wrong in my case. The X509v3 RFC allows signing the CRL with another key (with the same DN). We are maybe the only ones in the world using this functionality, but it's in the STANDARD.

Because I am not a C programmer and have no skills in it, can you help me? This feature could be in the next version of ModSSL. What do you think?

We are the public PKI of the French health government. We provide (give for FREE) certificates on smartcards for doctors and more. There are more than 400 000 cards in action in FRANCE and most of our hospitals are using Apache/ModSSL/Openssl as webserver, which is why it is a real problem for promoting the CPS certificates.

Kind Regards,
Philippe JOURDAIN (mailto:[EMAIL PROTECTED])

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]
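The check the report asks for, as an added Python example that is not part of the original post or of mod_ssl: instead of assuming the CRL is signed by the key that signed the client certificate, pick the CRL signer among the *trusted* CA certificates by matching the CRL's Authority Key Identifier to a certificate's Subject Key Identifier under the same issuer DN, then verify the signature with that key. It assumes the `cryptography` package; the CA name and both key pairs are constructed inside the script to reproduce the two-keys-one-DN setup.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed DN shared by both CA certificates; only the keys (and so the SKIs) differ.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Health CA")])


def make_ca():
    """Constructed self-signed CA whose SKI is derived from its own public key."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(CA_NAME).issuer_name(CA_NAME)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(key):
    """Empty CRL whose AKI names the key that actually signs it."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(now).next_update(now + datetime.timedelta(days=1))
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )


def find_crl_signer(crl, trusted_certs):
    """Return the trusted CA cert (same issuer DN, SKI == CRL AKI) that verifies the CRL,
    or None. trusted_certs must come from the local trust store, never from the peer."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    for cert in (c for c in trusted_certs if c.subject == crl.issuer):
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        if ski == aki and crl.is_signature_valid(cert.public_key()):
            return cert
    return None


def build_demo():
    """Constructed scenario from the report: key 1 signs end-entity certs, key 2 signs the CRL."""
    _, cert_signing_ca = make_ca()
    crl_key, crl_signing_ca = make_ca()
    return make_crl(crl_key), cert_signing_ca, crl_signing_ca
```

A production check would also need the fallback for CRLs that carry no AKI extension and the usual path validation of the CRL signer itself; both are left out here to keep the example short.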