On Thu, Dec 09, 2004, Thorsten Müller wrote:

> Dr. Stephen Henson wrote:
>
> > The second option, which I implemented, is to cache the original encoding
> > and use the cached form to verify signatures. This makes signature
> > verification much quicker since no reordering is necessary.
> >
> > This still requires a lock when the revoked entries are sorted but they
> > will stay sorted: therefore no reordering is necessary after the first
> > lookup.
> >
> > There is a minor disadvantage to this method: if you call X509_CRL_print()
> > before a CRL entry search it will represent the original order whereas
> > calling it afterwards will print out in serial number order. There are
> > ways to fix that too but it would require some incompatible changes and
> > will have to be in 0.9.8.
>
> I have a problem which I think belongs to that. I want to update an
> existing CRL (adding a new serial number, update nextUpdate, lastUpdate)
> and export the new CRL in PEM format using PEM_write_bio_X509_CRL(). Up
> to version 0.9.7d everything worked fine, with 0.9.7e the output is the
> old CRL without any updates. Is this a bug, or what should I do to get
> the new CRL?
>
You need to mark the stored encoding as invalid if you want to do that. You can
do that with:

    crl->crl->enc.modified = 1;

As long as you do that before signing the CRL it should then work.

I'll add something that does it automatically before signing a CRL for 0.9.7f.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
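
The caching behaviour discussed in this thread, as an added example that is not part of either message and is not OpenSSL code: a simplified C model in which the encoder reuses the stored bytes unless a modified flag is set, so an in-memory update is missing from the output until the flag is raised. The `toy_*` names, the text stand-in for the encoding and the serial numbers are all constructed for illustration.

```c
/* Simplified model of a cached encoding with a "modified" flag. Added example,
   not OpenSSL source; every toy_* name is hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct {
    long serials[8];   /* revoked serial numbers held in memory */
    int  count;
    char enc[128];     /* cached encoding, as stored when the CRL was parsed */
    int  modified;     /* 1 = cache is stale and must be rebuilt */
} toy_crl;

/* Serialise the in-memory fields (text stand-in for a DER encoding). */
static void toy_build(const toy_crl *c, char *out, size_t n) {
    size_t off = (size_t)snprintf(out, n, "CRL:");
    for (int i = 0; i < c->count && off < n; i++)
        off += (size_t)snprintf(out + off, n - off, "%ld;", c->serials[i]);
}

/* Parsing stores the encoding exactly as received and marks it valid. */
void toy_parse_cache(toy_crl *c) {
    toy_build(c, c->enc, sizeof c->enc);
    c->modified = 0;
}

/* Encoder: reuse the cached bytes unless they were flagged as modified. */
const char *toy_encode(toy_crl *c) {
    if (c->modified) {
        toy_build(c, c->enc, sizeof c->enc);
        c->modified = 0;
    }
    return c->enc;
}

/* Setter that changes the fields but leaves the cache flag alone. */
int toy_add_revoked(toy_crl *c, long serial) {
    if (c->count >= 8) return 0;
    c->serials[c->count++] = serial;
    return 1;
}

int main(void) {
    toy_crl c = { {1001, 1002}, 2, "", 0 };   /* constructed sample data */
    toy_parse_cache(&c);
    toy_add_revoked(&c, 1003);
    printf("without flag: %s\n", toy_encode(&c));  /* cached bytes, no 1003 */
    c.modified = 1;                                /* invalidate the cache */
    printf("with flag:    %s\n", toy_encode(&c));
    return 0;
}
```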