On Mon, Aug 11, 2008, delcour.pierre wrote:

> Hello everyone,
>
> I try to add a certificate to a CRL. To do that, I use a X509* cert, a
> X509_CRL* crl with this algorithm:
>
> X509_REVOKED *r = NULL;
> r = X509_REVOKED_new();
> r->serialNumber = X509_get_serialNumber(cert);
> if(!crl->crl->revoked)
>     crl->crl->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
> if(!sk_X509_REVOKED_push(crl->crl->revoked, r))
>     return false;
> ASN1_UTCTIME_set(r->revocationDate,time(NULL));
> ASN1_UTCTIME_set(crl->crl->lastUpdate,time(NULL));
> sk_X509_REVOKED_num( crl->crl->revoked ); // here I see a X value
>
> After the previous code, I duplicate the X509_CRL:
>
> X509_CRL* xrl = X509_CRL_dup( crl );
> sk_X509_REVOKED_num( crl->crl->revoked ); // here I see the same X value as
> above
> sk_X509_REVOKED_num( xrl->crl->revoked ); // here I see a X-1 value.
>
> After the duplication, the added certificate has disappeared! What am I
> missing?
Well that CRL will be useless because its signature is wrong. If you call
X509_CRL_sign() to modify the signature it should work.

The reason you get that issue is that an X509_CRL contains a cache of the
encoding of the signed portion to speed up signature calculation. If you
really want to have a CRL with an invalid signature you can manually mark
the cached version as invalid with:

x->crl->enc.modified = 1;

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]