Hi, can anyone help me with this issue? I saw there are some mails about "unable to get certificate CRL". Is this a bug? I am using openssl-0.9.8a. Thanks!
Roger > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Zhang, > Long (Roger) > Sent: Monday, April 17, 2006 8:18 PM > To: openssl-users@openssl.org > Subject: "Error: unable to get certificate CRL" > > > Hi, > > I am seeing the error "unable to get certificate CRL". The program > is shown below; it is adapted from O'Reilly OpenSSL book > example 10-7. In the program, > /home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem is my root > self-signed CA. It signed a series of certificates, 01.pem, > 02.pem through 09.pem, where 01.pem signs 02.pem, 02.pem signs > 03.pem, and so on up to 09.pem. I also used ca1cert.pem to sign 0A.pem, 0B.pem > and 0C.pem as a separate set. I revoked 0A.pem and 0C.pem and > generated the CRL in > /home/zhangl/openssl/test/ca1/newcerts/crl.pem. 0A.pem and > 0C.pem have no relationship with 01.pem, 02.pem, etc., except > that they are all signed by ca1cert.pem. But after I compiled and ran the > program, I got "Error: unable to get certificate CRL". If I > changed CLIENT_CERT to > /home/zhangl/openssl/test/ca1/newcerts/01.pem, then > verification passed. All the others failed. Why does 01.pem > succeed while the others fail? 01.pem-09.pem have no relation > to 0A.pem and 0C.pem, so why do I still get this error? > Thanks in advance! 
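#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509_vfy.h>
#include <openssl/err.h>
#include <openssl/pem.h>

/*
 * Stand-alone certificate verifier adapted from O'Reilly "Network Security
 * with OpenSSL" example 10-7: build an X509_STORE from one trusted CA file,
 * one CA directory and one CRL file, then verify CLIENT_CERT against it
 * with CRL checking enabled.
 */

/*
 * Print a diagnostic (source location + message), dump the OpenSSL error
 * queue and terminate. Used by the int_error() macro below; because it
 * exits, callers do not need to release resources on the failure path.
 */
static void handle_error(const char *file, int lineno, const char *msg)
{
    fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* These are definitions to make the example simpler. */
#define CA_FILE     "/home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem"
/*
 * NOTE(review): a CA directory is searched by subject-name hash
 * (XXXXXXXX.0 links), so CA_DIR must have been c_rehash'd for any
 * intermediate (e.g. 01.pem) to be found there — confirm on the test box.
 */
#define CA_DIR      "/home/zhangl/openssl/test/ca1/newcerts"
#define CRL_FILE    "/home/zhangl/openssl/test/ca1/newcerts/crl.pem"
#define CLIENT_CERT "/home/zhangl/openssl/test/ca1/newcerts/02.pem"

/*
 * Verification callback: report each failure, but never change the verdict.
 * Returning 1 when ok == 0 would make X509_verify_cert() accept a chain that
 * failed, so the callback only observes. X509_STORE_CTX_get_error() is used
 * instead of poking stor->error so the code does not depend on the struct
 * layout (it is opaque in later OpenSSL releases).
 */
static int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok) {
        int err = X509_STORE_CTX_get_error(stor);
        fprintf(stderr, "Error: %s\n", X509_verify_cert_error_string(err));
    }
    return ok;
}

int main(int argc, char *argv[])
{
    X509 *cert = NULL;
    X509_STORE *store = NULL;
    X509_LOOKUP *lookup = NULL;
    X509_STORE_CTX *verify_ctx = NULL;
    FILE *fp = NULL;

    (void)argc;
    (void)argv;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

    /* First read the client certificate to be verified. */
    if (!(fp = fopen(CLIENT_CERT, "r")))
        int_error("Error reading client certificate file");
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
        int_error("Error reading client certificate in file");
    fclose(fp);

    /* Create the cert store and set the verify callback. */
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    X509_STORE_set_verify_cb_func(store, verify_callback);

    /* Load the private CA certificate(s) from file and directory. */
    if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1)
        int_error("Error loading the CA file or directory");

    /*
     * Deliberately NOT calling X509_STORE_set_default_paths(): it would add
     * the system-wide CA bundle to this store, so a certificate chaining to
     * any public CA would also print "verified correctly" even though it has
     * nothing to do with ca1cert.pem. For a private-PKI check the trust
     * anchors must be exactly CA_FILE/CA_DIR.
     */

    /* Load the CRL through a file lookup attached to the store. */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");

    /*
     * Consult CRLs during verification. X509_V_FLAG_CRL_CHECK_ALL requires a
     * CRL from *every* CA in the chain, not just the leaf's issuer. Only the
     * root's CRL is loaded above, so a leaf issued directly by ca1cert.pem
     * verifies, while anything below an intermediate (here 02.pem, issued
     * by 01.pem) is expected to fail with "unable to get certificate CRL"
     * until that intermediate's CRL is loaded as well. Drop CRL_CHECK_ALL
     * if only the leaf's issuer CRL is meant to be checked.
     */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

    /* Create a verification context and initialize it. */
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");
    if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
        int_error("Error initializing verification context");

    /* Verify the certificate; failures are reported by verify_callback. */
    if (X509_verify_cert(verify_ctx) != 1)
        int_error("Error verifying the certificate");
    printf("Certificate verified correctly!\n");

    /* Release everything on the success path (the failure path exits). */
    X509_STORE_CTX_free(verify_ctx);
    X509_STORE_free(store);
    X509_free(cert);
    return EXIT_SUCCESS;
}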