For the crl's idp check, in function idp_check_dp(), 
        if (!a || !b)
                return 1;

It means if the cert's crldp's dp is omitted, then the check is ok.

But in RFC 5280
6.3.3 CRL processing:
  (b)  Verify the issuer and scope of the complete CRL as follows:
         (2)  If the complete CRL includes an issuing distribution point
              (IDP) CRL extension, check the following:

            (i)   If the distribution point name is present in the IDP
                  CRL extension and the distribution field is present in
                  the DP, then verify that one of the names in the IDP
                  matches one of the names in the DP.  If the
                  distribution point name is present in the IDP CRL
                  extension and the distribution field is omitted from
                  the DP, then verify that one of the names in the IDP
                  matches one of the names in the cRLIssuer field of the DP.

I think the code here is not RFC compliant. Can anyone tell me why it isn't
coded according to the RFC logic?


Regards,
Kurt Zhu



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
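An added worked model, written for this page and not taken from OpenSSL or from the mail above, of the two rules being compared: the quoted two-line early return in idp_check_dp(), and RFC 5280 6.3.3 (b)(2)(i) as quoted. GeneralNames lists are modelled as NULL-terminated arrays of strings, a NULL pointer stands for an omitted field, and every name, URI and scenario below is constructed for illustration only (the function and type names are the model's own, not OpenSSL's).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a GeneralNames list is a NULL-terminated array of
 * strings, and a NULL pointer stands for a field that is omitted. */
typedef const char *const *names_t;

/* Model of one DistributionPoint taken from the certificate's CRLDP. */
typedef struct {
    names_t distribution_point; /* distributionPoint name, NULL if omitted */
    names_t crl_issuer;         /* cRLIssuer, NULL if omitted */
} model_dp;

/* Model of the CRL's issuing distribution point (IDP) extension. */
typedef struct {
    names_t distribution_point; /* IDP distributionPoint name, NULL if omitted */
} model_idp;

/* true if at least one name appears in both lists */
static bool names_intersect(names_t a, names_t b)
{
    for (size_t i = 0; a[i] != NULL; i++)
        for (size_t j = 0; b[j] != NULL; j++)
            if (strcmp(a[i], b[j]) == 0)
                return true;
    return false;
}

/* Model of the two-line early return quoted in the mail: if either the
 * IDP name list or the DP name list is absent, the check passes. */
int idp_check_dp_as_quoted(names_t idp_names, names_t dp_names)
{
    if (!idp_names || !dp_names)
        return 1;
    return names_intersect(idp_names, dp_names) ? 1 : 0;
}

/* Model of RFC 5280 6.3.3 (b)(2)(i) as quoted: when the IDP carries a
 * distribution point name, compare it against the DP's distributionPoint,
 * or against the DP's cRLIssuer when distributionPoint is omitted. */
int idp_check_dp_rfc(const model_idp *idp, const model_dp *dp)
{
    if (!idp->distribution_point)
        return 1; /* rule (i) does not apply without an IDP name */
    if (dp->distribution_point)
        return names_intersect(idp->distribution_point, dp->distribution_point) ? 1 : 0;
    if (!dp->crl_issuer)
        return 0; /* modelling choice: nothing left to match against */
    return names_intersect(idp->distribution_point, dp->crl_issuer) ? 1 : 0;
}

/* Constructed names for the scenarios below (not real CAs or URLs). */
static const char *const IDP_URI[]   = {"http://crl.example.test/ca.crl", NULL};
static const char *const IDP_DN[]    = {"CN=Example Root CA", NULL};
static const char *const DP_URI[]    = {"http://crl.example.test/ca.crl", NULL};
static const char *const DP_OTHER[]  = {"http://crl.example.test/other.crl", NULL};
static const char *const DP_ISSUER[] = {"CN=Example Root CA", NULL};

/* Case raised in the mail: DP has no distributionPoint, only a cRLIssuer. */
int scenario_omitted_dp_quoted_result(void)
{
    return idp_check_dp_as_quoted(IDP_URI, NULL);
}
int scenario_omitted_dp_rfc_result(void)
{
    model_idp idp = {IDP_URI};
    model_dp dp = {NULL, DP_ISSUER};
    return idp_check_dp_rfc(&idp, &dp);
}
/* DP present and matching the IDP name: both models accept. */
int scenario_dp_match_rfc_result(void)
{
    model_idp idp = {IDP_URI};
    model_dp dp = {DP_URI, NULL};
    return idp_check_dp_rfc(&idp, &dp);
}
/* DP present but naming a different CRL: both models reject. */
int scenario_dp_mismatch_quoted_result(void)
{
    return idp_check_dp_as_quoted(IDP_URI, DP_OTHER);
}
/* DP omitted but its cRLIssuer matches the IDP name: the RFC rule accepts. */
int scenario_crlissuer_match_rfc_result(void)
{
    model_idp idp = {IDP_DN};
    model_dp dp = {NULL, DP_ISSUER};
    return idp_check_dp_rfc(&idp, &dp);
}

int main(void)
{
    printf("DP omitted, quoted early return: %d\n", scenario_omitted_dp_quoted_result());
    printf("DP omitted, RFC rule (i):        %d\n", scenario_omitted_dp_rfc_result());
    printf("cRLIssuer matches, RFC rule (i): %d\n", scenario_crlissuer_match_rfc_result());
    return 0;
}
```

The two scenario pairs make the difference concrete: with the DP's distributionPoint omitted, the quoted early return accepts without looking at anything else, while the RFC text as quoted falls back to comparing the IDP names against the DP's cRLIssuer, so a non-matching cRLIssuer is rejected and a matching one is accepted.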