[xmlsec] Custom CRL

Aleksey Sanin aleksey at aleksey.com
Tue May 21 14:49:28 PDT 2013


Did you set up the xmlDsigCtx with the keys manager through the
xmlSecDSigCtxCreate() call?

Aleksey

On 5/20/13 11:01 PM, Francisco Obispo wrote:
> Dear *,
> 
> I'm using the C API to write Perl bindings to xmlsec; I'm currently just interested in using the signature validation, since I don't currently care about signing.
> 
> I've been able to successfully validate a signature going through the examples, however, I now need to add a custom CRL (Certificate Revocation List), which will be published by the root-ca one or two times a day.
> 
> I added the following code to my validator:
> 
> 
>   /* initialize CRL */
> 
>   /* if a CRLFILE was passed, load it */
>   X509_CRL *crl=NULL;
> 
>   if(crlfile != NULL){
> 
>       crl=__load_crl(crlfile);
> 
>       if(crl==NULL){
>         result=-1;
>         goto done;
>       }
> 
>       xmlSecKeyDataStorePtr x509Store=NULL;
> 
>       x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
>       if(x509Store == NULL) {
>         fprintf(stderr, "Cannot get key store to open CRL\n");
>         X509_CRL_free(crl);   /* the CRL was never handed over, so free it here */
>         result=-1;            /* report the failure instead of only logging it */
>         goto done;
>       }
> 
>       /* on success the store owns crl; on failure it is still ours to free */
>       if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl ) < 0){
>          fprintf(stderr, "Cannot Add CRL to keyStore\n");
>          X509_CRL_free(crl);
>          result=-1;
>          goto done;
>       }
>   }
> 
> 
> 
> However, it yields no results when performing the actual validation: if the signature is valid but the certificate has been revoked, xmlSecDSigCtxVerify() will still validate.
> 
> Any thoughts?
> 
> 
> 
> Francisco Obispo 
> Director of Applications and Services - ISC
> email: fobispo at isc.org
> Phone: +1 650 423 1374 || INOC-DBA *3557* NOC
> PGP KeyID = B38DB1BE
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
