On Thu, Jan 17, 2008, kris vandercapellen wrote:

> Hi,
> I have an issue altering an X509_CRL.
>
> I open a crl from file, add some changes and write the resulting crl
> somewhere.
> However the changes I've done aren't in the resulting crl.
>
> What am I missing ?
>

Well you can't just modify a CRL. It is a digitally signed structure and
modifying it will invalidate the signature so you need to sign it using the
appropriate private key and X509_CRL_sign().

The reason your modifications don't show up is that OpenSSL caches the
encoding of a CRL when it is loaded. This increases processing speed in
several cases. If you modify the CRL you need to indicate that the cached
encoding is no longer valid. If you call X509_CRL_sign() this is done
automatically.

If you want to do this manually for some test and don't care about the
invalid signature you can do:

    crl->crl->enc.modified = 1;

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk