Dr. Stephen Henson wrote:
On Mon, Aug 11, 2008, delcour.pierre wrote:
Hello everyone,
I am trying to add a certificate to a CRL. To do that, I use an X509* cert and an
X509_CRL* crl with this algorithm:
X509_REVOKED *r = X509_REVOKED_new();
/* copy the serial: X509_get_serialNumber() returns a pointer still owned by cert */
ASN1_INTEGER_free(r->serialNumber);
r->serialNumber = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
if (!crl->crl->revoked)
    crl->crl->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);
if (!sk_X509_REVOKED_push(crl->crl->revoked, r))
    return false;
ASN1_UTCTIME_set(r->revocationDate, time(NULL));
ASN1_UTCTIME_set(crl->crl->lastUpdate, time(NULL));
sk_X509_REVOKED_num(crl->crl->revoked); // here I see a value X
After the previous code, I duplicate the X509_CRL:
X509_CRL *xrl = X509_CRL_dup(crl);
sk_X509_REVOKED_num(crl->crl->revoked); // here I see the same value X as above
sk_X509_REVOKED_num(xrl->crl->revoked); // here I see X-1
After the duplication, the added certificate has disappeared! What am I missing?

Well that CRL will be useless because its signature is wrong. If you call
X509_CRL_sign() to modify the signature it should work.
The reason you get that issue is that an X509_CRL contains a cache of the
encoding of the signed portion to speed up signature calculation. If you
really want to have a CRL with an invalid signature you can manually mark the
cached version as invalid with:
x->crl->enc.modified = 1;

Hi,
Thank you very much, with the invalid cached version it's working.
Have a nice day,
pierre.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]