Hi Patrick

We are using following code snippet to load CRL's.

    X509_CRL *pCRL, *pTempCRL = 0;
    pCRL = d2i_X509_CRL_fp( pfCrlFile, &pTempCRL );
    if( !pCRL )
    {
        rewind(pfCrlFile);
        pCRL = PEM_read_X509_CRL(pfCrlFile, &pTempCRL, NULL, 0);
    }
    rewind(pfCrlFile);
    if( !pCRL )
    {
        logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
        break;
    }

Ultimately we are getting "Unable to read CRL file" if we are loading DER format CRL. Did you see anything wrong there?

Thanks
Radhakrishna.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
Sent: Friday, December 11, 2009 8:32 PM
To: openssl-users@openssl.org
Subject: Re: Unable to load CRL

Hi Radhakrishna:

Sounds like you are using PEM_read_crl(), or some such, to read in your CRL. Since the CRL is actually in DER format, you should probably read the file in, and then use the Openssl d2i_X509_CRL (look up the man page - there's even a form of that function that allows you to read the DER encoded CRL function directly from a file) functions instead.

(of course, your application should probably detect which type of file it is looking at, and then "do the right thing".)

Since it looks like you're building applications to support the 787, you may want to also take a look at the ATA Spec42 guidance on building PKI applications in the air transport industry.

Best Regards,

Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
> Thanks for your support. Yes I have read it already. I am able to read
> crl file with switch "-inform DER" but my application is failing to
> read it while loading CRL from gui. I am trying to find out the issue.
> My application was using API's to read CRL's.
>
> Thanks
> Radhakrishna.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher, Patrick
> Sent: Friday, December 11, 2009 5:37 PM
> To: 'openssl-users@openssl.org'
> Subject: RE: Unable to load CRL
>
> Hi Radhakrishna,
>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna Meduri
>> -X (radmedur - HCL at Cisco)
>>
>> Hi Patrick Eisenacher
>>
>> I converted this crl to PEM format which worked like charm.
>> Is there any restriction like CRL's should be in PEM format only?
>
> nope, as always you can feed it in either PEM- or DER-encoded. PEM is
> openssl's default format. If your CRL is in DER-encoded (binary)
> format, you need to add "-inform DER" to openssl's crl command.
>
> Did you read the "command options" on the link below?
>
> HTH,
> Patrick Eisenacher
>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher, Patrick
>>
>> Hi Radhakrishna,
>>
>> -----Original Message-----
>>> From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
>>>
>>> I am not able to load the crl in text format and I am getting
>>> following error while issuing following command
>>> "openssl crl -in abcd.crl -text"
>>>
>>> unable to load CRL
>>> 28950:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: X509 CRL
>>>
>>> Any idea what could be issue?
>>
>> that means that abcd.crl has no proper PEM-encoding (base64 plus
>> header and footer). The error message states that openssl can't find
>> the header. For more info about the header and footer, see
>> http://www.openssl.org/docs/apps/crl.html#NOTES
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
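
The thread's advice that an application should detect which type of file it is looking at before choosing a reader, as an added example that is not code from the thread or from OpenSSL: a plain C check on the file's bytes, using the "X509 CRL" PEM label from the error message above and the DER outer SEQUENCE framing. The names `crl_fmt`, `sniff_crl_format`, `looks_like_der` and `looks_like_pem` are hypothetical, and the sample buffers are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Added example: these names are hypothetical helpers, not OpenSSL API. */
typedef enum { CRL_FMT_UNKNOWN, CRL_FMT_DER, CRL_FMT_PEM } crl_fmt;

/* DER: one SEQUENCE (tag 0x30) whose definite, minimally encoded length
 * accounts for every remaining byte; truncated or padded input fails. */
static int looks_like_der(const unsigned char *buf, size_t len) {
    size_t body, hdr = 2, n, i;
    if (len < 2 || buf[0] != 0x30) return 0;
    body = buf[1];                        /* short form: length in one octet */
    if (buf[1] >= 0x80) {                 /* long form: n length octets follow */
        n = buf[1] & 0x7f;                /* n == 0 is BER indefinite length */
        if (n == 0 || n > 4 || len < 2 + n || buf[2] == 0) return 0;
        for (body = 0, i = 0; i < n; i++) body = (body << 8) | buf[2 + i];
        if (body < 0x80) return 0;        /* should have used the short form */
        hdr = 2 + n;
    }
    return body == len - hdr;
}

/* PEM: the "X509 CRL" BEGIN marker at the start of some line. */
static int looks_like_pem(const unsigned char *buf, size_t len) {
    static const char begin[] = "-----BEGIN X509 CRL-----";
    size_t bl = sizeof(begin) - 1, i;
    for (i = 0; i + bl <= len; i++)
        if ((i == 0 || buf[i - 1] == '\n') && memcmp(buf + i, begin, bl) == 0)
            return 1;
    return 0;
}

/* The caller then uses d2i_X509_CRL_fp() for DER or PEM_read_X509_CRL() for PEM. */
crl_fmt sniff_crl_format(const unsigned char *buf, size_t len) {
    if (looks_like_der(buf, len)) return CRL_FMT_DER;
    if (looks_like_pem(buf, len)) return CRL_FMT_PEM;
    return CRL_FMT_UNKNOWN;
}

/* Constructed samples: only the outer framing is meaningful, not real CRLs. */
static const unsigned char der_short[] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
static const unsigned char der_long[3 + 128] = { 0x30, 0x81, 0x80 };
static const unsigned char der_cut[] = { 0x30, 0x82, 0x01, 0x00, 0x30 };
static const char pem_text[] = "-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n";
int main(void) {
    printf("short=%d long=%d cut=%d\n", sniff_crl_format(der_short, sizeof der_short),
           sniff_crl_format(der_long, sizeof der_long), sniff_crl_format(der_cut, sizeof der_cut));
    printf("pem=%d\n", sniff_crl_format((const unsigned char *)pem_text, sizeof pem_text - 1));
    return 0;
}
```

A result of `CRL_FMT_UNKNOWN` on a file that should be DER means the byte count does not match the encoded length, which is worth logging separately from a parse failure.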