PKCS7_verify with CRL


PKCS7_verify with CRL

Venkata Sairam
Hi

I have the PKCS7 object signed by a certificate. The certificate is revoked
and I have the corresponding CRL. I have the certificate in the certs
variable and the CRL in the store variable. I am using the method below:

int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
*indata, BIO *out, int flags);

Does the method PKCS7_verify verify the certificates in 'certs' against the
CRLs present in the 'store'?

Thanks

-V


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: PKCS7_verify with CRL

Dr. Stephen Henson
On Thu, Mar 02, 2006, Venkata Sairam wrote:

> Hi
>
> I have the PKCS7 object signed by a certificate. The certificate is revoked
> and I have the corresponding CRL. I have the certificate in the certs
> variable and the CRL in the store variable. I am using the method below:
>
> int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
> *indata, BIO *out, int flags);
>
> Does the method PKCS7_verify verify the certificates in 'certs' against the
> CRLs present in the 'store'?
>

If the crl checking flags are set in the store yes.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: PKCS7_verify with CRL

Venkata Sairam
Hi,

Thanks for the reply.

I want to perform only a CRL check and not a chain verification. My CRL is
present in the store parameter. I have set the flag for CRL_CHECK for the
store parameter.

May I know the flag that needs to be set for the
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
*indata, BIO *out, int flags);

I tested using the PKCS7_NOVERIFY, but this doesn't check for the CRL. Is
there any flag that I can set to perform only CRL check and not a chain
verification?

Thanks

-Venkata



-----Original Message-----
From: [hidden email]
[mailto:[hidden email]]On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 02, 2006 8:41 PM
To: [hidden email]
Subject: Re: PKCS7_verify with CRL


On Thu, Mar 02, 2006, Venkata Sairam wrote:

> Hi
>
> I have the PKCS7 object signed by a certificate. The certificate is revoked
> and I have the corresponding CRL. I have the certificate in the certs
> variable and the CRL in the store variable. I am using the method below:
>
> int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO
> *indata, BIO *out, int flags);
>
> Does the method PKCS7_verify verify the certificates in 'certs' against the
> CRLs present in the 'store'?
>

If the crl checking flags are set in the store yes.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk