Hello,

xmlSecDSigCtxVerify() uses a stack of CRLs to ignore revoked certificates.
For this purpose, xmlSecOpenSSLX509VerifyCertAgainstCrls() is called by xmlSecDSigCtxVerify() to check a certificate against the stack of CRLs.

In this routine, the first loop tries to find the CRL that matches the certificate (same issuer):

    issuer = X509_CRL_get_issuer(crl);
    if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {

but this expression is always true, and xmlSecOpenSSLX509VerifyCertAgainstCrls always uses the first CRL.

A possible patch: compare the CRL issuer against the certificate issuer, as below.

diff -Naur -x configure.txt -x config.h -x Makefile -x '*.pdb' temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c --- temp/orig/xmlsec1-1.2.13/src/openssl/x509vfy.c 2009-09-12 22:08:31.000000000 +0200 +++ temp/current/xmlsec1-1.2.13/src/openssl/x509vfy.c 2014-05-21 19:46:17.193896800 +0200
@@ -967,7 +967,7 @@
         continue;
     }

-    issuer = X509_CRL_get_issuer(crl);
+    issuer = X509_get_issuer_name(cert);
if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) {
         break;
     }
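Review bot: the replaced assignment now reads `issuer = X509_get_issuer_name(cert);`, which no longer depends on `crl`, so it can be hoisted out of the loop rather than re-evaluated on every iteration; more importantly, since the comparison can now actually fail, the code after the loop (not shown in this hunk) must handle the case where no CRL on the stack has the certificate's issuer and the loop ends without hitting `break`, a path the old always-true comparison could never reach. Also note the `if(` line is indented four columns less than the surrounding context lines; if that is not an artifact of the mail, it should match the block's indentation.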

Regards,

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
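The following is an added example, not code from xmlsec or OpenSSL, that models the issuer-matching loop described in the report with plain strings instead of X509_NAME objects. `find_crl_buggy` reproduces the reported comparison (CRL issuer against itself) and `find_crl_fixed` the patched one (CRL issuer against certificate issuer); the CA names, serials and the `ToyCrl`/`ToyCert` types are constructed for the example. It shows both consequences of the defect: a certificate revoked by the second CA is missed, and a valid certificate whose serial happens to match one revoked by the first CA is wrongly reported as revoked.

```c
#include <stdio.h>
#include <string.h>

/* Added example (constructed, not xmlsec or OpenSSL code): a toy model of the
 * issuer-matching loop in xmlSecOpenSSLX509VerifyCertAgainstCrls(). Names are
 * plain strings and a "CRL" is an issuer plus a list of revoked serials. */

#define MAX_REVOKED 4

typedef struct {
    const char *issuer;                 /* stands in for X509_CRL_get_issuer(crl) */
    const char *revoked[MAX_REVOKED];   /* NULL-terminated revoked serial numbers */
} ToyCrl;

typedef struct {
    const char *issuer;                 /* stands in for X509_get_issuer_name(cert) */
    const char *serial;
} ToyCert;

/* Stands in for xmlSecOpenSSLX509NamesCompare(): 0 means the names are equal. */
static int names_compare(const char *a, const char *b)
{
    return strcmp(a, b);
}

/* Selection loop as in the reported code: the CRL issuer is compared with
 * itself, so the test is always true and the first CRL is always returned. */
static const ToyCrl *find_crl_buggy(const ToyCrl *crls, size_t n, const ToyCert *cert)
{
    (void)cert;                                           /* never consulted */
    for (size_t i = 0; i < n; i++) {
        const char *issuer = crls[i].issuer;              /* issuer = X509_CRL_get_issuer(crl); */
        if (names_compare(crls[i].issuer, issuer) == 0) { /* always 0 */
            return &crls[i];
        }
    }
    return NULL;
}

/* Selection loop with the proposed fix: compare the CRL issuer with the
 * certificate issuer, so only a CRL from the certificate's CA is chosen. */
static const ToyCrl *find_crl_fixed(const ToyCrl *crls, size_t n, const ToyCert *cert)
{
    for (size_t i = 0; i < n; i++) {
        const char *issuer = cert->issuer;                /* issuer = X509_get_issuer_name(cert); */
        if (names_compare(crls[i].issuer, issuer) == 0) {
            return &crls[i];
        }
    }
    return NULL;
}

static int crl_lists_serial(const ToyCrl *crl, const char *serial)
{
    for (size_t i = 0; i < MAX_REVOKED && crl->revoked[i] != NULL; i++) {
        if (strcmp(crl->revoked[i], serial) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if the selected CRL lists the certificate's serial, 0 otherwise
 * (including when no CRL from the certificate's issuer is on the stack). */
int is_revoked(const ToyCrl *crls, size_t n, const ToyCert *cert, int use_fix)
{
    const ToyCrl *crl = use_fix ? find_crl_fixed(crls, n, cert)
                                : find_crl_buggy(crls, n, cert);
    if (crl == NULL) {
        return 0;
    }
    return crl_lists_serial(crl, cert->serial);
}

/* Constructed sample stack: two CAs, each with its own revoked serials. X.509
 * serials are only unique per issuer, so a valid CA B certificate may carry a
 * serial that CA A has revoked. */
static const ToyCrl sample_crls[] = {
    { "CN=Toy CA A", { "01", "02", NULL } },
    { "CN=Toy CA B", { "7F", NULL } },
};
static const size_t sample_count = sizeof(sample_crls) / sizeof(sample_crls[0]);

/* Certificate revoked by CA B: the buggy loop checks it against CA A's CRL. */
int revoked_b_missed_by_bug(void)
{
    const ToyCert c = { "CN=Toy CA B", "7F" };
    return is_revoked(sample_crls, sample_count, &c, 0);   /* 0: revocation missed */
}
int revoked_b_caught_by_fix(void)
{
    const ToyCert c = { "CN=Toy CA B", "7F" };
    return is_revoked(sample_crls, sample_count, &c, 1);   /* 1: revoked */
}
/* Valid certificate from CA B whose serial collides with one revoked by CA A. */
int valid_b_flagged_by_bug(void)
{
    const ToyCert c = { "CN=Toy CA B", "01" };
    return is_revoked(sample_crls, sample_count, &c, 0);   /* 1: false positive */
}
int valid_b_accepted_by_fix(void)
{
    const ToyCert c = { "CN=Toy CA B", "01" };
    return is_revoked(sample_crls, sample_count, &c, 1);   /* 0: accepted */
}

int main(void)
{
    printf("revoked by B, buggy=%d fixed=%d\n", revoked_b_missed_by_bug(), revoked_b_caught_by_fix());
    printf("valid from B,  buggy=%d fixed=%d\n", valid_b_flagged_by_bug(), valid_b_accepted_by_fix());
    return 0;
}
```

The second pair of results is the less obvious consequence: because the buggy loop always picks the first CRL on the stack regardless of issuer, the outcome depends on the order in which CRLs were loaded, and revocation decisions silently become wrong in both directions.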