Hi,

I wrote a program to insert revoked certificate information into a CRL.

After insertion I do X509_CRL_sign() and X509_CRL_verify() and everything is OK. Then I do X509_CRL_dup() to duplicate the CRL structure. What follows is weird. After duplication, I do X509_CRL_verify() again and verification failed! I print the content of the CRL as below:

/*-----------------------------------------------------*/
1. Before X509_CRL_dup()

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CN/ST=B/L=B/O=B/OU=B/CN=B/[EMAIL PROTECTED]
        Last Update: Jun 3 01:47:09 2004 GMT
        Next Update: May 31 10:01:41 2005 GMT
        CRL extensions:
            X509v3 CRL Number:
                10
Revoked Certificates:
    Serial Number: 18
        Revocation Date: Jun 1 04:11:53 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Serial Number: 22
        Revocation Date: Jun 3 01:47:07 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Serial Number: 19
        Revocation Date: Jun 1 04:11:32 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Signature Algorithm: md5WithRSAEncryption
        5c:04:53:ae:02:b7:bc:7c:d8:ec:df:d6:f5:51:2b:08:e5:05:
        1a:4b:8a:42:d5:f2:b7:8e:27:7a:66:a2:4a:47:d4:ca:ba:54:
        79:a3:d5:d2:58:6b:f8:c0:5f:77:f3:e3:6d:e2:98:06:d9:72:
        64:fc:b2:7e:81:69:66:21:54:da:da:de:b0:27:18:02:03:01:
        e6:0c:7a:dc:1f:73:3f:7e:8a:bd:d8:71:99:e3:e9:e8:ee:5b:
        e4:06:54:01:5c:bb:a3:e3:1d:14:91:4e:74:d0:37:4c:56:e0:
        96:cf:f6:64:36:5a:33:1d:04:76:93:62:ea:47:6e:86:28:cf:
        e9:1b

/*-----------------------------------------------------*/
2. After crl2=X509_CRL_dup(crl1)

    X509_CRL_print(out, crl1);
    X509_CRL_print(out, crl2);

The contents of crl1 and crl2 are the same.

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=CN/ST=B/L=B/O=B/OU=B/CN=B/[EMAIL PROTECTED]
        Last Update: Jun 3 01:47:09 2004 GMT
        Next Update: May 31 10:01:41 2005 GMT
        CRL extensions:
            X509v3 CRL Number:
                10
Revoked Certificates:
    Serial Number: 22
        Revocation Date: Jun 3 01:47:07 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Serial Number: 18
        Revocation Date: Jun 1 04:11:53 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Serial Number: 19
        Revocation Date: Jun 1 04:11:32 2004 GMT
        X509v3 CRL Reason Code:
            Unspecified
    Signature Algorithm: md5WithRSAEncryption
        5c:04:53:ae:02:b7:bc:7c:d8:ec:df:d6:f5:51:2b:08:e5:05:
        1a:4b:8a:42:d5:f2:b7:8e:27:7a:66:a2:4a:47:d4:ca:ba:54:
        79:a3:d5:d2:58:6b:f8:c0:5f:77:f3:e3:6d:e2:98:06:d9:72:
        64:fc:b2:7e:81:69:66:21:54:da:da:de:b0:27:18:02:03:01:
        e6:0c:7a:dc:1f:73:3f:7e:8a:bd:d8:71:99:e3:e9:e8:ee:5b:
        e4:06:54:01:5c:bb:a3:e3:1d:14:91:4e:74:d0:37:4c:56:e0:
        96:cf:f6:64:36:5a:33:1d:04:76:93:62:ea:47:6e:86:28:cf:
        e9:1b

/*-----------------------------------------------------*/
The only difference is the serial number sequence.

I can understand that the stack pop operation makes the difference. But I can't understand why verify failed. I replace X509_CRL_dup() with i2d_X509_CRL(crl1, NULL), and the result is the same.

Any help will be appreciated. Thank you.
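
The two dumps in the message above list the same three revoked serials in a different order, and a CRL signature covers the DER bytes of the to-be-signed list, where SEQUENCE OF keeps element order. The sketch below is an added illustration, not code from the post or from OpenSSL: it encodes only the revokedCertificates field for both orders. Assumptions: SHA-256 stands in for the digest step, entry extensions are left out, and the sort-by-serial canonical form is a hypothetical choice.

```python
import hashlib

def der_len(n):
    # DER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    # Minimal encoding of a non-negative INTEGER (leading 0x00 if the top bit is set).
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def revoked_entry(serial, utctime):
    # SEQUENCE { userCertificate INTEGER, revocationDate UTCTime }; extensions omitted.
    return tlv(0x30, der_integer(serial) + tlv(0x17, utctime.encode("ascii")))

def revoked_list(entries, canonical=False):
    # SEQUENCE OF preserves list order; canonical=True sorts by serial first (assumption).
    if canonical:
        entries = sorted(entries)
    return tlv(0x30, b"".join(revoked_entry(s, t) for s, t in entries))

def digest(entries, canonical=False):
    # Digest of the bytes a signature over this field would depend on.
    return hashlib.sha256(revoked_list(entries, canonical)).hexdigest()

def first_difference(a, b):
    # Byte offset where two encodings diverge, or -1 if identical.
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))

# Serials and dates taken from the two dumps in the post, in the order printed.
BEFORE_DUP = [(18, "040601041153Z"), (22, "040603014707Z"), (19, "040601041132Z")]
AFTER_DUP = [(22, "040603014707Z"), (18, "040601041153Z"), (19, "040601041132Z")]

if __name__ == "__main__":
    a, b = revoked_list(BEFORE_DUP), revoked_list(AFTER_DUP)
    print("same length:", len(a) == len(b), "first differing byte:", first_difference(a, b))
    print("digest before:", digest(BEFORE_DUP))
    print("digest after: ", digest(AFTER_DUP))
    print("canonical digests equal:", digest(BEFORE_DUP, True) == digest(AFTER_DUP, True))
```

The encodings have equal length and identical entries but diverge at the first serial number, so any digest over them differs, and a signature made over one order cannot verify against the other.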