Arno Garrels wrote:
> Nima Sharifimehr wrote:
>> When you specify the flag X509_V_FLAG_CRL_CHECK for the cert
>> verification, then you will need to have a valid corresponding CRL
>> for the last cert in the cert chain. And if you specify the flag
>> X509_V_FLAG_CRL_CHECK then you will need to have corresponding CRLs
>> for all the certs available in the chain.
>
> Ok, it works as expected with both the CRL included in the CA-bundle
> file or explicitly added by a call to X509_STORE_add_crl after
> SSL_CTX_load_verify_locations. However it fails as described in my
> previous mail when I try to verify a cert on demand against some
> custom store.
>
>> So, I am guessing you are
>> missing to load corresponding CRLs for your cert before performing
>> the verification and that's why you get the error
>> "X509_V_ERR_UNABLE_TO_GET_CRL".
>
> When the revoked cert is verified the CRL must have been loaded since
> the verify result sounds correct, I get error X509_V_ERR_UNABLE_TO_GET_CRL
> only if the certificate is not revoked.
>
> I use a simple test:
> #1 Self-signed root
> #2 Intermediate signed by #1
> #3..#4 server certs signed by #2
> #3 revoked
> CRL signed by #2.
> #1 and #2 both in the same TrustedCA.pem

If using the X509_V_FLAG_CRL_CHECK_ALL flag, then you must include a CRL from each CA in the chain of trust (i.e. #1 and #2). Hope this helps.
> Basically what I'm doing is this:
> Store = X509_STORE_new;
> StoreCtx = X509_STORE_CTX_new;
> Lookup = X509_STORE_add_lookup(Store, X509_LOOKUP_file);
> X509_LOOKUP_load_file(Lookup, TrustedCAFileName, X509_FILETYPE_PEM);
> X509_STORE_add_crl(Store, Crl);
> X509_STORE_set_flags(Store, VerifyFlags);
> X509_STORE_CTX_init(StoreCtx, Store, X509ToCheck, UntrustedChain);
> X509_STORE_CTX_set_ex_data(StoreCtx, 0, Self);
> X509_STORE_CTX_set_verify_cb(StoreCtx, StoreVerifyCallback);
> X509_STORE_CTX_trusted_stack(StoreCtx, TrustedChain);
> X509_STORE_CTX_set_purpose(StoreCtx, Purpose);
> X509_verify_cert(StoreCtx);
> --
> Arno Garrels

---
Ryan Smith
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
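The behaviour Ryan describes, as an added example that is not part of the thread: the script below rebuilds Arno's four-certificate test with the openssl command-line tool (1.1.1 or later assumed; all file names are made up) and verifies #3 and #4 under both flags, where -crl_check corresponds to X509_V_FLAG_CRL_CHECK and -crl_check_all to X509_V_FLAG_CRL_CHECK_ALL. With -crl_check_all and only #2's CRL loaded, the unrevoked #4 fails with "unable to get certificate CRL" at depth 1 because the intermediate has no CRL from #1 to be checked against, while the revoked #3 still reports "certificate revoked" because depth 0 is checked first; adding #1's CRL makes both results correct.

```shell
# Added example, not code from the thread; file names are hypothetical.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Key pair + CSR for $1, signed into $1.pem with extension file $2 and signer options $3...
sign() {
    name=$1; ext=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -days 30 -sha256 -extfile "$ext" "$@" -out "$name.pem" 2>/dev/null
}
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
sign root    ca.ext   -signkey root.key                               # #1 self-signed root
sign inter   ca.ext   -CA root.pem  -CAkey root.key  -CAcreateserial  # #2 signed by #1
sign server3 leaf.ext -CA inter.pem -CAkey inter.key -CAcreateserial  # #3 signed by #2
sign server4 leaf.ext -CA inter.pem -CAkey inter.key -CAcreateserial  # #4 signed by #2
cat root.pem inter.pem > TrustedCA.pem                                # #1 and #2 in one file

# Minimal "openssl ca" config for CA $1: a revocation database plus what -gencrl needs.
ca_db() {
    mkdir -p "$1.db" && : > "$1.db/index.txt" && echo 01 > "$1.db/crlnumber"
    printf '[ca]\ndefault_ca = x\n[x]\ndatabase = %s.db/index.txt\ncrlnumber = %s.db/crlnumber\nnew_certs_dir = %s.db\n' "$1" "$1" "$1" > "$1.cnf"
    printf 'certificate = %s.pem\nprivate_key = %s.key\ndefault_md = sha256\ndefault_crl_days = 30\n' "$1" "$1" >> "$1.cnf"
}
ca_db root;  openssl ca -config root.cnf  -gencrl -out root.crl 2>/dev/null    # CRL signed by #1
ca_db inter; openssl ca -config inter.cnf -revoke server3.pem 2>/dev/null       # #3 revoked
openssl ca -config inter.cnf -gencrl -out inter.crl 2>/dev/null                 # CRL signed by #2

# $1 = -crl_check (X509_V_FLAG_CRL_CHECK) or -crl_check_all (X509_V_FLAG_CRL_CHECK_ALL),
# $2 = cert to check, $3... = CRL files added to the store. Prints OK or the verify error.
verify() {
    flag=$1; cert=$2; shift 2
    cat "$@" > crls.pem
    if openssl verify "$flag" -CAfile TrustedCA.pem -CRLfile crls.pem -untrusted inter.pem \
          "$cert" >/dev/null 2>err.txt; then echo OK
    else sed -n 's/.*depth lookup: *//p' err.txt | head -n 1; fi
}

for c in server3 server4; do
    echo "$c -crl_check, CRL from #2 only:        $(verify -crl_check     $c.pem inter.crl)"
    echo "$c -crl_check_all, CRL from #2 only:    $(verify -crl_check_all $c.pem inter.crl)"
    echo "$c -crl_check_all, CRLs from #1 and #2: $(verify -crl_check_all $c.pem inter.crl root.crl)"
done
```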
