Hi, I ran into an "unable to get certificate CRL" error. The program is below; it is adapted from example 10-7 in the O'Reilly OpenSSL book. In the program, /home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem is my self-signed root CA. It signed a number of certificates, 01.pem through 09.pem, where 01.pem signs 02.pem, 02.pem signs 03.pem, and so on up to 09.pem. I also used ca1cert.pem to sign 0A.pem, 0B.pem and 0C.pem as a separate list. I revoked 0A.pem and 0C.pem and generated the CRL in /home/zhangl/openssl/test/ca1/newcerts/crl.pem. 0A.pem and 0C.pem have no relationship with 01.pem, 02.pem, etc., except that they are all signed by ca1cert.pem. But after I compiled and ran the program, I got "Error: unable to get certificate CRL". If I changed CLIENT_CERT to /home/zhangl/openssl/test/ca1/newcerts/01.pem, the verification passed; all the others failed. Why does 01.pem succeed while the others fail? 01.pem-09.pem have no relation to 0A.pem and 0C.pem, so why do I still get this error? Thanks in advance!
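#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509_vfy.h>
#include <openssl/err.h>
#include <openssl/pem.h>

/*
 * Print a diagnostic (source location + message), dump the OpenSSL error
 * queue, and terminate the process.  Never returns.
 */
void handle_error(const char *file, int lineno, const char *msg)
{
    fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* these are definitions to make the example simpler */
#define CA_FILE "/home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem"
#define CA_DIR "/home/zhangl/openssl/test/ca1/newcerts"
#define CRL_FILE "/home/zhangl/openssl/test/ca1/newcerts/crl.pem"
#define CLIENT_CERT "/home/zhangl/openssl/test/ca1/newcerts/02.pem"

/*
 * Verification callback, invoked once per chain element.
 *
 * On failure it reports the verification error together with the chain
 * depth (0 = the leaf certificate, 1 = its issuer, ...) and the subject of
 * the certificate currently being checked, which shows *which* element of
 * the chain the error refers to.  The accessor functions are used instead
 * of reaching into X509_STORE_CTX, which is opaque in newer OpenSSL.
 *
 * The callback returns `ok` unchanged, so it never overrides a failure.
 */
int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok) {
        char subject[256] = "(none)";
        X509 *cur = X509_STORE_CTX_get_current_cert(stor);

        if (cur)
            X509_NAME_oneline(X509_get_subject_name(cur), subject, sizeof subject);
        fprintf(stderr, "Error: %s\n",
                X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
        fprintf(stderr, "  at depth %d, subject %s\n",
                X509_STORE_CTX_get_error_depth(stor), subject);
    }
    return ok;
}

/*
 * Verify one certificate against the CA file/directory and the CRL file
 * above, with CRL checking enabled for the whole chain.
 *
 * argv[1], if given, overrides CLIENT_CERT as the certificate to verify;
 * this makes it easy to try 01.pem, 02.pem, ... without recompiling.
 *
 * Returns 0 when the certificate verified; any failure exits via
 * int_error() with EXIT_FAILURE.
 */
int main(int argc, char *argv[])
{
    const char *cert_path = argc > 1 ? argv[1] : CLIENT_CERT;
    X509 *cert = NULL;
    X509_STORE *store = NULL;
    X509_LOOKUP *lookup = NULL;
    X509_STORE_CTX *verify_ctx = NULL;
    FILE *fp = NULL;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    /* first read the client certificate; close the file on every path */
    if (!(fp = fopen(cert_path, "r")))
        int_error("Error reading client certificate file");
    cert = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);
    if (!cert)
        int_error("Error reading client certificate in file");

    /* create the cert store and set the verify callback */
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    X509_STORE_set_verify_cb_func(store, verify_callback);

    /* load the CA certificates and CRLs */
    if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1)
        int_error("Error loading the CA file or directory");
    /*
     * This also trusts the system-wide CA bundle.  For a test against a
     * private CA it widens the trust anchors; drop it if only CA_FILE/CA_DIR
     * should be trusted.
     */
    if (X509_STORE_set_default_paths(store) != 1)
        int_error("Error loading the system-wide CA certificates");
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");

    /*
     * Set the flags of the store so that CRLs are consulted.
     *
     * X509_V_FLAG_CRL_CHECK checks only the leaf certificate against a CRL
     * issued by its issuer.  X509_V_FLAG_CRL_CHECK_ALL additionally requires
     * a CRL from the issuer of *every* CA certificate in the chain; if one
     * is missing, verification fails with "unable to get certificate CRL"
     * at that chain depth.  With the files above that is consistent with
     * what is observed: 01.pem is issued directly by ca1cert.pem, whose CRL
     * (crl.pem) is loaded, so it passes; 02.pem is issued by 01.pem, and no
     * CRL issued by 01.pem is loaded, so it fails.  To keep CRL_CHECK_ALL
     * (the stronger check, which also catches a revoked intermediate), each
     * intermediate CA (01.pem ... 08.pem) must publish a CRL that is loaded
     * here as well.  Using X509_V_FLAG_CRL_CHECK alone makes these
     * certificates verify, but revocation of the intermediates is then not
     * checked.
     */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

    /* create a verification context and initialize it */
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");
    /* X509_STORE_CTX_init did not return an error condition in prior versions */
    if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
        int_error("Error initializing verification context");

    /* verify the certificate */
    if (X509_verify_cert(verify_ctx) != 1)
        int_error("Error verifying the certificate");
    else
        printf("Certificate verified correctly!\n");

    /* release everything on the success path; `lookup` is owned by the store */
    X509_STORE_CTX_free(verify_ctx);
    X509_STORE_free(store);
    X509_free(cert);
    return 0;
}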