On Thu, Jan 09, 2014, Bin Lu wrote:

> Hi,
> 
> I have a piece of code doing a CRL revocation check which worked fine with 
> 0.9.8 but is now failing in 1.0.1.
> The code does something like:
>             X509_STORE_add_crl(store,crl);
>             X509_STORE_CTX_init(ctx, store, cert, NULL);
>             ctx->check_revocation(ctx);
> 
> In openssl lib (x509_vfy.c), check_cert() does the following:
>         while (ctx->current_reasons != CRLDP_ALL_REASONS)
>                 {
>                 /* Try to retrieve relevant CRL */
>                 if (ctx->get_crl)                           <== this is NULL
>                         ok = ctx->get_crl(ctx, &crl, x);
>                 else
>                         ok = get_crl_delta(ctx, &crl, &dcrl, x); <== this 
> line gets called and returns the CRL in 'crl', 'dcrl' returns null.
>                 /* If error looking up CRL, nothing we can do except
>                  * notify callback
>                  */
>                 if(!ok)
>                         {
>                         ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
>                         ok = ctx->verify_cb(0, ctx);
>                         goto err;
>                         }
>                 ctx->current_crl = crl;
>                 ok = ctx->check_crl(ctx, crl);    <== here it only checks the 
> validity of the crl, but does not do CRL checking against the cert
>                 if (!ok)
>                         goto err;
> 
>                 if (dcrl)
>                         {
>                         ok = ctx->check_crl(ctx, dcrl);
>                         if (!ok)
>                                 goto err;
>                         ok = ctx->cert_crl(ctx, dcrl, x);  <== this does not 
> run since dcrl is NULL
>                         if (!ok)
>                                 goto err;
>                         }
>                 else
>                         ok = 1;          <== so always return success
> 
> Is this something wrong, or am I missing something?
> 

The next bit is:

                /* Don't look in full CRL if delta reason is removefromCRL */
                if (ok != 2)
                        {
                        ok = ctx->cert_crl(ctx, crl, x);
                        if (!ok)
                                goto err;
                        }

That looks for the certificate serial number in the CRL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
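A way to watch the whole revocation path run end to end, added here as an example and not part of the thread: the script below uses the openssl CLI to build a throwaway CA, issues two leaf certificates, revokes one of them in a CRL, and then runs `openssl verify -crl_check`, which sets X509_V_FLAG_CRL_CHECK and drives the same check_cert()/cert_crl() serial lookup Steve describes. Every key, certificate, subject name and file in it is constructed by the script itself.

```shell
# Added example, not from the thread: build a throwaway CA, issue two leaf
# certificates, revoke one via a CRL, then run OpenSSL's verifier with CRL
# checking enabled (-crl_check == X509_V_FLAG_CRL_CHECK). This exercises the
# check_cert()/cert_crl() path discussed above: the revoked serial must be
# rejected and the other certificate must still verify.
set -eu

# crl_verify_demo: exit status 0 if the revoked cert is rejected with
# "certificate revoked" and the unrevoked cert passes, 1 otherwise.
# Runs in a subshell inside a temp directory so nothing leaks into $PWD.
crl_verify_demo() (
    work=$(mktemp -d); cd "$work"
    # Throwaway self-signed CA (constructed for this demo only).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 2 >/dev/null 2>&1

    # Two leaf certs with random serials: 'revoked' and 'good'.
    for name in revoked good; do
        openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
            -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -set_serial "0x$(openssl rand -hex 8)" -out "$name.pem" -days 2 \
            >/dev/null 2>&1
    done

    # Minimal 'openssl ca' database so we can revoke and emit a CRL.
    touch index.txt; echo 01 > crlnumber
    cat > ca.cnf <<EOF
[ca]
default_ca = demo
[demo]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 2
EOF
    openssl ca -config ca.cnf -revoke revoked.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

    # -crl_check looks the leaf's serial up in the CRL (-crl_check_all would
    # do it for every cert in the chain); the CRL signature is checked too.
    rev=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem revoked.pem 2>&1 || true)
    ok=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem good.pem 2>&1 || true)
    cd / && rm -rf "$work"
    case "$rev" in *"certificate revoked"*) ;; *) exit 1 ;; esac
    case "$ok" in *": OK"*) exit 0 ;; *) exit 1 ;; esac
)
```

Calling `crl_verify_demo` prints nothing; its exit status is the result, so it can be dropped straight into a CI check for a CRL-publishing setup.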