On Thu, Oct 03, 2002, Kiyoshi WATANABE wrote:

> 
> Dear all, I want to know the way to implement to
> set the CRLNumber extension in CRL using openssl-0.9.7 beta 3.
> 

The extension is already supported, but not in the 'ca' application which
generates CRLs.

> In the crypto/x509v3 directory, there is a file v3_ini.c. In this
> source code, the X509V3_EXT_METHOD is already defined. First I think
> that I should add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER in the structure,
> since the s2i_ASN1_INTEGER code is also defined in v3_util.c.
> 
>   59 #include <stdio.h>
>   60 #include "cryptlib.h"
>   61 #include <openssl/x509v3.h>
>   62
>   63 X509V3_EXT_METHOD v3_crl_num = {
>   64 NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
>   65 0,0,0,0,
>   66 (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
>   67 0,
>   68 0,0,0,0, NULL};
>   69
> 
> In line 67, I will add the (X509V3_EXT_S2I)s2i_ASN1_INTEGER
> 
> In the CRLNumber extension, the ASN.1 in RFC 3280 says: 
> 
>    CRLNumber ::= INTEGER (0..MAX)
> 
> Then I should define the ASN1 macro, but now I do not know how to
> define the ASN1 macro to define the ASN.1.
> 
> Looking at some others examples, if you have a sequence tag, the macro
> will start like :
> 
> ASN1_SEQUENCE(....)
>  ...
> ASN1_SEQUENCE_END(....)
> 
> However the CRLNumber is just INTEGER. I want to know simply just
> define the macro to use or any pointer to take a look at.
> 
> I would very much appreciate it if you could give me some suggestions.
> 

It's already in there: ASN1_ITEM_ref(ASN1_INTEGER).

What you cannot currently do, as I mentioned, is to add this extension using
the 'ca' application. There isn't an s2i_ASN1_INTEGER in the structure for a
reason: this is to stop the extension being used in config files.

Config files are fine for the static extensions whose value will be the same,
however CRLNumber has to increase with each new CRL issued. If you could add
CRLNumber from a config file this may well result in distinct CRLs having the
same number which is a bad thing(tm).

What is really needed is to handle CRLNumber as a special case, for example
via a file which is treated in a similar way to the serial number and updated
with each CRL issued.

Steve.
--
Dr. Stephen Henson      [EMAIL PROTECTED]            
OpenSSL Project         http://www.openssl.org/~steve/
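
The counter-file approach suggested at the end of the reply above, as an added example that is not part of the original mail or of OpenSSL's code. The function name `next_crl_number`, the default file name `crlnumber` and the one-line hex text format are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not an OpenSSL function): read the last CRL number
 * from a hex text file, increment it, persist it, and return the new value.
 * Returns -1 on any error so the caller can refuse to issue a CRL. A missing
 * file means "no CRL issued yet", so the first number handed out is 1.
 * The counter is advanced before signing: a failed issuance skips a number
 * instead of letting two distinct CRLs share one. */
long next_crl_number(const char *path)
{
    char tmp[4096], buf[64], *end;
    long last = 0;
    FILE *f = fopen(path, "r");

    if (f != NULL) {
        int ok = fgets(buf, sizeof buf, f) != NULL;
        fclose(f);
        if (!ok)
            return -1;                  /* empty file: state unknown */
        errno = 0;
        last = strtol(buf, &end, 16);
        if (errno != 0 || end == buf || last < 0 || last == LONG_MAX
            || (*end != '\0' && *end != '\n'))
            return -1;                  /* corrupt or exhausted counter */
    } else if (errno != ENOENT) {
        return -1;                      /* unreadable is not "missing" */
    }
    /* Write to a temporary file and rename it over the old one, so a
     * crash never leaves a truncated counter behind. */
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp)
        return -1;
    if ((f = fopen(tmp, "w")) == NULL)
        return -1;
    int wrote = fprintf(f, "%lX\n", (unsigned long)(last + 1)) > 0;
    if (fclose(f) != 0 || !wrote || rename(tmp, path) != 0) {
        remove(tmp);
        return -1;
    }
    return last + 1;
}

int main(int argc, char **argv)
{
    long n = next_crl_number(argc > 1 ? argv[1] : "crlnumber");
    if (n < 0) { fprintf(stderr, "cannot update CRL number file\n"); return 1; }
    printf("CRLNumber for next CRL: %lX\n", (unsigned long)n);
    return 0;
}
```

The returned value is what the issuing code would place in the CRLNumber extension of the CRL it is about to sign.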