I need to determine that a certificate is valid and has not been revoked.

No matter what settings I make in the Keychain preferences, I never see any attempt by the Mac to verify that the certificate has not been revoked. I am tracing network activity, and expect the Mac to use OCSP or CRL to check the certificate.

In my own software, I am using SecTrustEvaluate to check the certificate. This function always succeeds with kSecTrustResultProceed.
Is a CRL cached?
Yes indeed, CRLs are cached in a keychain in /var/db/crls/crlcache.db.
Is there a way to remove the cached CRL to force the Mac to retrieve one?
% /usr/bin/crlrefresh r
...does an update of all the CRLs in the cache, refreshing them with
up-to-date CRLs if need be. Note that cached CRLs are not used if
they are stale, so if you're doing CRL verification (per Keychain
Access prefs) and you don't see any network activity when you verify
a cert, then cached CRLs are most likely being used.
You can inspect the contents of the CRL cache via
% certtool y k=/var/db/crls/crlcache.db
--dpm
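An added example, not code from this thread or from Apple's Security framework: a Python sketch of the cache rule described above. It parses a constructed, unsigned DER CRL for thisUpdate, nextUpdate and the revoked serials, and refuses to consult the cached copy once it is stale, which is when a fresh CRL would have to be fetched. `build_sample_crl`, `parse_crl` and `check_with_cached_crl` are hypothetical names; the CRL bytes are constructed inline for the example.

```python
from datetime import datetime, timezone

def der(tag, body):
    assert len(body) < 128, "short-form DER lengths only (enough for this sample)"
    return bytes([tag, len(body)]) + body

def utctime(t): return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
def integer(n): return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_crl(this_update, next_update, revoked):
    """Constructed, unsigned test CRL (issuer CN=CA, zeroed signature); for parsing only."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"CA"))))
    entries = der(0x30, b"".join(der(0x30, integer(s) + utctime(t)) for s, t in revoked))
    tbs = der(0x30, integer(1) + alg + issuer + utctime(this_update) + utctime(next_update) + entries)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

def tlv(buf, pos):
    """Decode one short-form TLV at pos; returns (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):  # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(crl):
    """Return (thisUpdate, nextUpdate or None, set of revoked serials) from a DER CRL."""
    fields = children(children(tlv(crl, 0)[1])[0][1])  # CertificateList -> tbsCertList
    if fields[0][0] == 0x02:  # optional version
        fields = fields[1:]
    this_u, next_u, idx = parse_time(*fields[2]), None, 3
    if len(fields) > idx and fields[idx][0] in (0x17, 0x18):
        next_u, idx = parse_time(*fields[idx]), idx + 1
    revoked = set()
    if len(fields) > idx and fields[idx][0] == 0x30:
        revoked = {int.from_bytes(children(e)[0][1], "big") for _, e in children(fields[idx][1])}
    return this_u, next_u, revoked

def check_with_cached_crl(crl, serial, now):
    """Cache rule from the thread: a stale cached CRL is not consulted; a fresh one must be fetched."""
    this_u, next_u, revoked = parse_crl(crl)
    if now < this_u or (next_u is not None and now >= next_u):
        return "stale"
    return "revoked" if serial in revoked else "not revoked"
```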
Apple-cdsa mailing list (email@hidden)