[xmlsec] Custom CRL

Francisco Obispo fobispo at isc.org
Mon May 20 23:01:44 PDT 2013

Dear *,

I'm using the C API to write perl bindings to xmlsec, I'm currently just interested in using the signature validation, since I don't currently care about signing.

I've been able to successfully validate a signature going through the examples, however, I now need to add a custom CRL (Certificate Revocation List), which will be published by the root-ca one or two times a day.

I added the following code to my validator:

  /* initialize CRL */

  /* if a CRLFILE was passed, load it */
  X509_CRL *crl=NULL;
  if(crlfile != NULL){
        goto done;
      xmlSecKeyDataStorePtr x509Store=NULL;
      x509Store = xmlSecKeysMngrGetDataStore(mngr, xmlSecOpenSSLX509StoreId);
      if(x509Store == NULL) {
        fprintf(stderr, "Cannot get key store to open CRL\n");
        goto done;
      if(xmlSecOpenSSLX509StoreAdoptCrl(x509Store, crl ) < 0){
         fprintf(stderr, "Cannot Add CRL to keyStore\n");
          goto done;

However, it yields no results when performing the actual validation, if the signature is valid, but the certificate has been revoked, xmlSecDSigCtxVerify() will still validate.

Any thoughts?

Francisco Obispo 
Director of Applications and Services - ISC
email: fobispo at isc.org
Phone: +1 650 423 1374 || INOC-DBA *3557* NOC

More information about the xmlsec mailing list