Dear *,
I'm using the C API to write Perl bindings to xmlsec. I'm currently just
interested in using the signature validation, since I don't currently care
about signing.
I've been able to successfully validate a signature by following the examples.
However, I now need to add a custom CRL (Certificate Revocation List), which
will be published by the root CA one or two times a day.
I added the following code to my validator:
    /* initialize CRL */
    /* if a CRLFILE was passed, load it */
    X509_CRL *crl = NULL;
    if(crlfile != NULL) {
        crl = __load_crl(crlfile);
        if(crl == NULL) {
            result = -1;
            goto done;
        }
        /* the OpenSSL X509 store is owned by the keys manager */
        xmlSecKeyDataStorePtr x509Store = NULL;
        x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
        if(x509Store == NULL) {
            fprintf(stderr, "Cannot get key store to open CRL\n");
            X509_CRL_free(crl);   /* not adopted yet, still ours to free */
            result = -1;
            goto done;
        }
        /* on success the store takes ownership of crl; on failure we still own it */
        if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl) < 0) {
            fprintf(stderr, "Cannot Add CRL to keyStore\n");
            X509_CRL_free(crl);
            result = -1;
            goto done;
        }
    }
However, it yields no results when performing the actual validation: if the
signature is valid but the certificate has been revoked, xmlSecDSigCtxVerify()
will still validate.
Any thoughts?
Francisco Obispo
Director of Applications and Services - ISC
email: [email protected]
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
PGP KeyID = B38DB1BE
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec