On Thu, Jan 09, 2014, Bin Lu wrote:

> Hi,
>
> I have a piece of code doing CRL revocation check which worked fine with
> 0.9.8 but now failing in 1.0.1.
> The code does something like:
>
>     X509_STORE_add_crl(store, crl);
>     X509_STORE_CTX_init(ctx, store, cert, NULL);
>     ctx->check_revocation(ctx);
>
> In openssl lib (x509_vfy.c), check_cert() does the following:
>
>     while (ctx->current_reasons != CRLDP_ALL_REASONS)
>     {
>         /* Try to retrieve relevant CRL */
>         if (ctx->get_crl)                               <== this is NULL
>             ok = ctx->get_crl(ctx, &crl, x);
>         else
>             ok = get_crl_delta(ctx, &crl, &dcrl, x);    <== this line gets called and returns
>                                                             the CRL in 'crl', 'dcrl' returns null.
>         /* If error looking up CRL, nothing we can do except
>          * notify callback
>          */
>         if (!ok)
>         {
>             ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
>             ok = ctx->verify_cb(0, ctx);
>             goto err;
>         }
>
>         ctx->current_crl = crl;
>         ok = ctx->check_crl(ctx, crl);                  <== here it only checks the validity
>                                                             of the crl, but does not do CRL
>                                                             checking against the cert
>         if (!ok)
>             goto err;
>
>         if (dcrl)
>         {
>             ok = ctx->check_crl(ctx, dcrl);
>             if (!ok)
>                 goto err;
>             ok = ctx->cert_crl(ctx, dcrl, x);           <== this does not run since dcrl is NULL
>             if (!ok)
>                 goto err;
>         }
>         else
>             ok = 1;                                     <== so always return success
>
> Is this something wrong, or am I missing something?
>
The next bit is:

    /* Don't look in full CRL if delta reason is removefromCRL */
    if (ok != 2)
    {
        ok = ctx->cert_crl(ctx, crl, x);
        if (!ok)
            goto err;
    }

That looks for the certificate serial number in the CRL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
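As an added illustration (not part of the thread, and not OpenSSL's own code), the script below drives the same check_cert() path through the openssl CLI, where -crl_check sets X509_V_FLAG_CRL_CHECK on the X509_STORE, and observes the three outcomes visible in the quoted code: no CRL available (X509_V_ERR_UNABLE_TO_GET_CRL), an empty CRL (check_crl() passes and cert_crl() finds no matching serial), and a CRL listing the leaf (cert_crl() reports X509_V_ERR_CERT_REVOKED). It assumes an openssl binary whose verify command accepts -crl_check and -CRLfile, and builds a throwaway CA and leaf in a temporary directory from a constructed config.

```shell
#!/bin/sh
# Added example: exercise OpenSSL's CRL revocation check end to end with the CLI.
set -eu

crl_check_demo() {
  work=$(mktemp -d); cd "$work"
  mkdir newcerts; touch index.txt; echo 01 > serial; echo 01 > crlnumber
  # Constructed minimal config for `openssl req` and `openssl ca`.
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
  # Self-signed CA, a leaf CSR, and a leaf certificate issued by that CA.
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=DemoCA -days 30 -keyout ca.key -out ca.pem -config ca.cnf 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj /CN=leaf -keyout leaf.key -out leaf.csr -config ca.cnf 2>/dev/null || return 1
  openssl ca -batch -config ca.cnf -in leaf.csr -out leaf.pem 2>/dev/null || return 1
  # 1. No CRL in the store: get_crl_delta() finds nothing -> X509_V_ERR_UNABLE_TO_GET_CRL (error 3).
  openssl verify -crl_check -CAfile ca.pem leaf.pem 2>&1 | grep -q 'unable to get certificate CRL' || return 1
  # 2. Empty CRL: check_crl() validates it, cert_crl() finds no matching serial -> OK.
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null || return 1
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 | grep -q 'leaf.pem: OK' || return 1
  # 3. Revoke the leaf and reissue the CRL: cert_crl() matches the serial -> X509_V_ERR_CERT_REVOKED (error 23).
  openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null || return 1
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null || return 1
  openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 | grep -q 'certificate revoked'
}

crl_check_demo && echo "all three CRL outcomes observed"
```

Only the leaf is checked here; -crl_check_all would demand a CRL for every certificate in the chain, including the self-signed root.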