I am probably missing something but I don't see how this patch solves the CRL issue. It seems to me that it does exactly the same thing as before.
I would think that the right approach would be to modify the xmlSecBuildChainUsingWinapi() function to return not the yes/no (error code) but the certificate it finds. Then the existing logic can be applied to this certificate "as-is". Then it might be a good idea to add extra code to the xmlSecMSCryptoX509StoreConstructCertsChain() function to check the revocation list in the Windows storage (right now it does the CRL check only for CRLs in the XML document itself). After making these two changes, the code would do both chain creation and CRL verification against both the certs/crls in the XML document and the certs/crls in the MSCrypto storage.

Aleksey
