On Wed, Dec 29, 2004, prakash babu wrote:

> Hello All,
>
> The following is a snippet from the code that creates a crl.
>
> *****************************************************
> for (i=0; i<sk_num(db->db->data); i++)
> {
>     pp=(char **)sk_value(db->db->data,i);
>
>     /* Check if the first field is 'R' ie revoked. If so add the entry to
>        the CRL using the X509_REVOKED structure */
>
>     if (pp[DB_type][0] == DB_TYPE_REV)
>     {
>         r=X509_REVOKED_new();
>         rtime_str = pp[DB_rev_date];
>         revDate =ASN1_UTCTIME_new();
>         ASN1_UTCTIME_set_string(revDate,rtime_str);
>
>         /* Set the Revocation date in the X509_REVOKED structure
>            (the setter copies revDate, so free our copy afterwards) */
>         X509_REVOKED_set_revocationDate(r,revDate);
>         ASN1_UTCTIME_free(revDate);
>
>         BN_hex2bn(&serial, pp[DB_serial]);
>         tmpser = BN_to_ASN1_INTEGER(serial, NULL);
>
>         /* Set the Serial number in the X509_REVOKED structure
>            (also copied by the setter, so free tmpser) */
>         X509_REVOKED_set_serialNumber(r, tmpser);
>         ASN1_INTEGER_free(tmpser);
>
>         /* add0: the CRL takes ownership of r */
>         X509_CRL_add0_revoked(crl,r);
>     }
> }
>
> /* Sort the CRL */
> X509_CRL_sort(crl);
>
> /* Sign the CRL */
> X509_CRL_sign(crl,pkey,EVP_md5());
>
> **********************************************************
>
>
> * The CRL is sorted before creating the CRL signature.
> * So the signature is that of the sorted CRL.
> Why do we need the original order for CRL signature verification?
>
Because CRLs not generated by OpenSSL may not be in serial number order.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
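Steve's point, as an added example that is not code from this thread or from OpenSSL: the CRL signature covers the DER encoding of the tbsCertList exactly as the issuer emitted it, so a verifier that sorts the entries and re-encodes them before checking the signature will reject a valid CRL from a CA that did not write its entries in serial order. The revoked-entry list, the three entries and the use of a SHA-256 digest in place of the RSA/ECDSA signature step are all constructed for this example.

```python
"""Why a CRL verifier must hash the entry list as received, not re-sorted.
A SHA-256 digest stands in for the signature: the digest is the part of
signing that depends on the exact bytes, which is what the order affects."""
import hashlib
from datetime import datetime


def der(tag: int, body: bytes) -> bytes:
    """TLV with DER definite-length encoding (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    # Minimal two's-complement body; a leading 0x00 keeps a high-bit serial positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_utctime(ts: datetime) -> bytes:
    return der(0x17, ts.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def encode_revoked(entries) -> bytes:
    """revokedCertificates ::= SEQUENCE OF SEQUENCE { serial, revocationDate }"""
    return der(0x30, b"".join(der(0x30, der_integer(s) + der_utctime(d))
                              for s, d in entries))


def verify(tbs_bytes: bytes, signed_digest: bytes) -> bool:
    """What signature verification reduces to: digest of the bytes that were signed."""
    return hashlib.sha256(tbs_bytes).digest() == signed_digest


# Constructed issuer output: entries deliberately NOT in serial-number order.
ISSUED = [(0x1A2B, datetime(2004, 12, 1, 10, 0, 0)),
          (0x0042, datetime(2004, 11, 15, 8, 30, 0)),
          (0x00FF, datetime(2004, 12, 20, 23, 59, 0))]
RECEIVED_TBS = encode_revoked(ISSUED)              # bytes as they arrived
SIGNATURE = hashlib.sha256(RECEIVED_TBS).digest()  # what the issuer signed


def verify_as_received() -> bool:
    return verify(RECEIVED_TBS, SIGNATURE)         # True: original encoding


def verify_after_sort() -> bool:
    # Sorting a decoded copy for fast lookup is fine; re-encoding the sorted
    # list and verifying over that instead of the received bytes is not.
    return verify(encode_revoked(sorted(ISSUED)), SIGNATURE)  # False
```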