For the CRL's IDP check, in function idp_check_dp():

    if (!a || !b) return 1;

It means that if the cert's CRLDP's DP is omitted, then the check is OK. But RFC 5280 6.3.3, CRL processing, says:

    (b) Verify the issuer and scope of the complete CRL as follows:
        (2) If the complete CRL includes an issuing distribution point (IDP) CRL extension, check the following:
            (i) If the distribution point name is present in the IDP CRL extension and the distribution field is present in the DP, then verify that one of the names in the IDP matches one of the names in the DP. If the distribution point name is present in the IDP CRL extension and the distribution field is omitted from the DP, then verify that one of the names in the IDP matches one of the names in the cRLIssuer field of the DP.

I think the code here is not RFC compliant. Can anyone tell me why it isn't coded according to the RFC logic?

Regards,
Kurt Zhu

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
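An added example, not from the post or from OpenSSL's source: a small Python model of the RFC 5280 6.3.3 (b)(2)(i) matching rule next to the shortcut the post describes (`if (!a || !b) return 1;`), run on constructed distribution point names so the one case where the two rules disagree (DP distributionPoint omitted, cRLIssuer not matching the IDP) is visible. Class and function names, and the string stand-ins for GeneralName values, are constructed for the example.

```python
"""Model of RFC 5280 6.3.3 (b)(2)(i): does a CRL's IDP distribution point name
match a certificate's CRL distribution point (DP)?  Names are plain strings
here (constructed stand-ins for GeneralName values); real code compares
GeneralName structures, not strings."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class DistributionPoint:
    # names is None when the cert's DP omits the distributionPoint field.
    names: Optional[FrozenSet[str]] = None
    crl_issuer: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class IssuingDistributionPoint:
    # names is None when the CRL's IDP carries no distributionPoint name.
    names: Optional[FrozenSet[str]] = None


def idp_matches_dp_rfc5280(idp, dp) -> bool:
    """The rule as quoted from RFC 5280 in the post."""
    if idp.names is None:
        return True                               # no IDP name: nothing to verify
    if dp.names is not None:
        return bool(idp.names & dp.names)         # DP present: compare names
    return bool(idp.names & dp.crl_issuer)        # DP omitted: compare cRLIssuer


def idp_matches_dp_as_posted(idp, dp) -> bool:
    """The behaviour the post describes: either side absent counts as a match,
    so the omitted-DP branch never consults cRLIssuer."""
    if idp.names is None or dp.names is None:
        return True
    return bool(idp.names & dp.names)


def disagreements():
    """Constructed cases; returns {case: (rfc5280_result, posted_result)}."""
    idp = IssuingDistributionPoint(frozenset({"CN=CRL Issuer A"}))
    cases = {
        "other_issuer": DistributionPoint(None, frozenset({"CN=CRL Issuer B"})),
        "same_issuer": DistributionPoint(None, frozenset({"CN=CRL Issuer A"})),
    }
    return {name: (idp_matches_dp_rfc5280(idp, dp), idp_matches_dp_as_posted(idp, dp))
            for name, dp in cases.items()}


if __name__ == "__main__":
    for case, (rfc, posted) in disagreements().items():
        print(f"{case}: rfc5280={rfc} posted_logic={posted}")
```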