I have written a FIPS-1.1.2 compliant (OpenSSL 0.9.7m) application that
validates certificates that are read in from files.  It also loads the CA
certificates and corresponding CRLs from files.  I am trying to determine
any limitations with loading large CRLs (~200-250 MB) and to characterize
the resulting performance.  I did not have any problem using CRLs that are
~100MB in size or smaller.  However, with the ~200MB CRL, I get the following
error,

1418976:error:0D078064:asn1 encoding routines:ASN1_ITEM_EX_D2I:aux
error:tasn_dec.c:407:Type=X509_CRL_INFO

1418976:error:0D08303A:asn1 encoding routines:ANS1_TEMPLATE_D2I:nested asn1
error:tasn_dec.c:567:Field=crl, Type=X509_CRL

1418976:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

This error occurs in a function similar (extraneous stuff has been removed)
to the readX509Crl() function below.  The OpenSSL function PEM_read_X509_CRL()
returns an error.

#include <cstdio>
#include <string>
#include <openssl/pem.h>
#include <openssl/x509.h>

// Reads one PEM-encoded CRL from crlPath into *crl.
// Returns 1 on success and 0 on failure (in which case *crl is set to NULL).
int readX509Crl(const std::string& crlPath, X509_CRL **crl) {
    int result = 0;
    X509_CRL* tempCrl = 0;
    FILE* crlFp = 0;

    // Open CRL file
    crlFp = fopen(crlPath.c_str(), "r");

    //If the CRL file opens correctly
    if (crlFp) {
        //If the PEM encoded file is read correctly
        //(tempCrl is NULL, so PEM_read_X509_CRL allocates a new X509_CRL)
        if (PEM_read_X509_CRL(crlFp, &tempCrl, 0, 0)) {
            //Set return parameter
            *crl = tempCrl;
            result = 1;
        } else {
            result = 0;

            //Make sure nothing is returned
            *crl = 0;

            //If the CRL memory is allocated, free it
            if (tempCrl) {
                X509_CRL_free(tempCrl);
                tempCrl = 0;
            }
        }
    } else {
        result = 0;

        //Make sure nothing is returned
        *crl = 0;
    }

    //If the file was opened, close it
    if (crlFp) {
        fclose(crlFp);
    }

    return result;
}

The certificates and ~200MB CRL in question are all validated successfully
using the OpenSSL command line

openssl verify -CAfile <cafile> -crl_check <certificates>

What could possibly be the problem with using large CRLs in my application?
How can I go about troubleshooting this further?  Thanks for any help.

-Ryan Smith
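One troubleshooting step for a CRL that PEM_read_X509_CRL() rejects is to check the file's structure independently of OpenSSL. The script below is an added example, not code from the post or from OpenSSL: it strips the PEM armour, base64-decodes the DER payload and walks the CertificateList layout from RFC 5280 (tbsCertList, signatureAlgorithm, signature), reporting truncation, trailing bytes or an unexpected field order at the byte offset where the walk fails, plus the version, update times and number of revoked entries. It does not verify the signature. The sample CRL it builds is constructed in the script (dummy signature bits, placeholder issuer), so it runs offline; the 3000-entry sample is large enough to exercise multi-byte DER lengths.

```python
import base64
import re

# Universal DER tags used below; 0xA0 is the [0] crlExtensions wrapper
INTEGER, BIT_STRING, SEQUENCE, SET, UTCTIME, GENTIME, EXTENSIONS = 0x02, 0x03, 0x30, 0x31, 0x17, 0x18, 0xA0

def pem_to_der(pem_text):
    """Strip the 'X509 CRL' PEM armour and base64-decode the DER payload."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem_text, re.S)
    if not m:
        raise ValueError("no 'X509 CRL' PEM block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def read_tlv(buf, pos, limit):
    """Parse one DER tag and length at pos; return (tag, value_start, value_end) without reading past limit."""
    if pos + 2 > limit:
        raise ValueError("unexpected end of data at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag at offset %d not supported" % (pos - 2))
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length at offset %d is not valid DER" % (pos - 1))
    else:
        n = first & 0x7F
        if n > 4 or pos + n > limit:
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("element at offset %d claims %d bytes but only %d remain" % (pos, length, limit - pos))
    return tag, pos, pos + length

def children(buf, start, end):
    """Return [(tag, value_start, value_end)] for every element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        out.append((tag, vs, ve))
        pos = ve
    return out

def check_crl(der):
    """Walk CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature } (RFC 5280 5.1)."""
    tag, vs, ve = read_tlv(der, 0, len(der))
    if tag != SEQUENCE:
        raise ValueError("outer element has tag 0x%02x, not SEQUENCE" % tag)
    if ve != len(der):
        raise ValueError("%d trailing byte(s) after the CRL" % (len(der) - ve))
    outer = children(der, vs, ve)
    if [t for t, _, _ in outer] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("top-level fields are not tbsCertList / signatureAlgorithm / BIT STRING")
    f = children(der, outer[0][1], outer[0][2])   # fields of tbsCertList, in order
    i, version = 0, 1                              # the version INTEGER is absent for v1 CRLs
    if f and f[i][0] == INTEGER:
        version = int.from_bytes(der[f[i][1]:f[i][2]], "big") + 1
        i += 1
    for name in ("signature algorithm", "issuer"):
        if i >= len(f) or f[i][0] != SEQUENCE:
            raise ValueError("missing or malformed %s in tbsCertList" % name)
        i += 1
    times = []                                     # thisUpdate, then optional nextUpdate
    while i < len(f) and f[i][0] in (UTCTIME, GENTIME) and len(times) < 2:
        times.append(der[f[i][1]:f[i][2]].decode("ascii"))
        i += 1
    if not times:
        raise ValueError("thisUpdate is missing")
    revoked = 0
    if i < len(f) and f[i][0] == SEQUENCE:         # optional revokedCertificates
        revoked = len(children(der, f[i][1], f[i][2]))
        i += 1
    if i < len(f) and f[i][0] == EXTENSIONS:       # optional [0] crlExtensions
        i += 1
    if i != len(f):
        raise ValueError("%d unexpected trailing field(s) in tbsCertList" % (len(f) - i))
    return {"version": version, "revoked": revoked, "this_update": times[0],
            "next_update": times[1] if len(times) > 1 else None, "der_bytes": len(der)}

def diagnose(pem_text):
    """One-line verdict for a PEM CRL file's contents."""
    try:
        info = check_crl(pem_to_der(pem_text))
    except ValueError as e:
        return "ERROR: %s" % e
    return ("OK: v%(version)d, %(revoked)d revoked entries, thisUpdate=%(this_update)s, "
            "nextUpdate=%(next_update)s, %(der_bytes)d DER bytes" % info)

# --- constructed sample data: not a real CA's CRL, the signature bits are dummy ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"

def build_sample_crl_pem(n_entries):
    """Build a structurally valid v2 CRL with n_entries revoked serials (placeholder issuer 'Example CA')."""
    sig_alg = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSAEncryption
    issuer = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"Example CA"))))
    entries = b"".join(tlv(SEQUENCE, tlv(INTEGER, i.to_bytes((i.bit_length() + 8) // 8, "big"))
                           + tlv(UTCTIME, b"240105000000Z")) for i in range(1, n_entries + 1))
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + sig_alg + issuer + tlv(UTCTIME, b"240101000000Z")
              + tlv(UTCTIME, b"240201000000Z") + tlv(SEQUENCE, entries))
    return der_to_pem(tlv(SEQUENCE, tbs + sig_alg + tlv(BIT_STRING, b"\x00" * 33)))

if __name__ == "__main__":
    good = build_sample_crl_pem(3000)
    print(diagnose(good))
    # Drop the final bytes of the DER to mimic a CRL file cut short on disk
    print(diagnose(der_to_pem(pem_to_der(good)[:-10])))
```

To use it on a real file, call diagnose(open("big.crl").read()); an ERROR line names the offset where the structure stops making sense, which narrows the problem to the file itself versus the reading code, while an OK line with the expected entry count and dates points back at the application or the library's handling of the input.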
