How to load CRL path in openssl 1.0.1?

Problem description

Since I've updated to openssl 1.0.1, the revocation check functionality in my application is broken. With the help of "apps/verify.c" I've found out that the loading of CRL files has changed, which I've done as follows until now:

    X509_LOOKUP *lookup;
    const char *crl_path = "/path/to/crls";

    /* Enable CRL checking for the leaf certificate on this SSL_CTX. */
    X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
    SSL_CTX_set1_param(ctx, param);
    /* set1 copies the parameters, so free ours before any early return. */
    X509_VERIFY_PARAM_free(param);

    /* Register the CRL directory as a hashed-directory lookup on the store. */
    lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
    if (lookup == NULL) {
      return "CRL path initialization error: X509 lookup initialization failed.";
    }
    if (!X509_LOOKUP_add_dir(lookup, crl_path, X509_FILETYPE_PEM)) {
      return "CRL path initialization error: path addition failed.";
    }

Doing so, I now always get the error "unable to load certificate CRL".

However, in "apps/verify.c" CRL files are now loaded one at a time by the following code:

    STACK_OF(X509_CRL) *crls;
    char *crlfile = "/path/to/single/crl";

    /* load_crls() is a helper from the openssl apps/ sources, not a libcrypto API. */
    crls = load_crls(bio_err, crlfile, FORMAT_PEM, NULL, e, "other CRLs");
    X509_STORE_CTX_set0_crls(csc, crls);

Does anyone know how CRL files can still be loaded by use of lookup routines (e.g., X509_LOOKUP_add_dir) and all at once by the specification of a CRL path?

Recommended answer

I know some ways to add the CRL file to the store.

Method 1: use this API from the x509_vfy.h file:

    int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);

Here type can be any one of the following values:

X509_FILETYPE_PEM -- for PEM/B64 encoded CRL files

X509_FILETYPE_ASN1 -- for DER encoded CRL files

Method 2.

Step 1: Convert the file into X509_CRL format. To convert, use any one of the APIs below from the X509.h file:

      // If the CRL file is DER encoded
      X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
      // If the CRL file is PEM encoded (declared in pem.h)
      X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x, pem_password_cb *cb, void *u);

Step 2: Create a stack of CRLs

         STACK_OF(X509_CRL) *mCRLStack = sk_X509_CRL_new_null();
         sk_X509_CRL_push(mCRLStack, lCRL); /* lCRL: the X509_CRL * read in step 1 (name assumed) */

Step 3:

     X509_STORE_CTX_set0_crls(lStoreCtx,mCRLStack); 
     /* or */
     lStoreCtx->crls = mCRLStack;
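
Added example, not part of the question or the answer: X509_LOOKUP_hash_dir() does not read the directory when it is added; when verification needs a CRL it probes for files named `<issuer name hash>.r<N>`, starting at N = 0 and stopping at the first missing index. The C helper below checks a CRL directory against that naming. `parse_crl_name`, `crl_reachable` and `scan_crl_dir` are hypothetical names, and only file names are inspected, not CRL contents.

```c
/* Added example, not code from the original post or from OpenSSL. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if name is "<8 lowercase hex>.r<N>", the form hash_dir probes for CRLs. */
int parse_crl_name(const char *name, unsigned long *hash, int *idx)
{
    if (strspn(name, "0123456789abcdef") != 8 || name[8] != '.' || name[9] != 'r')
        return 0;
    const char *p = name + 10;
    /* Index: 1 to 9 decimal digits, no leading zero, nothing after it. */
    if (*p == '\0' || strlen(p) > 9 || (p[0] == '0' && p[1] != '\0') ||
        p[strspn(p, "0123456789")] != '\0')
        return 0;
    *hash = strtoul(name, NULL, 16);
    *idx = (int)strtol(p, NULL, 10);
    return 1;
}

/* The lookup tries <hash>.r0, <hash>.r1, ... and stops at the first missing file. */
int crl_reachable(const char *dir, unsigned long hash, int idx)
{
    char path[4096];
    for (int k = 0; k <= idx; k++) {
        snprintf(path, sizeof path, "%s/%08lx.r%d", dir, hash, k);
        if (access(path, R_OK) != 0) return 0;
    }
    return 1;
}

/* Returns the number of reachable CRL files, or -1 if dir cannot be opened. */
int scan_crl_dir(const char *dir, int *skipped)
{
    unsigned long h;
    int idx, reachable = 0;
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    *skipped = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (e->d_name[0] == '.') continue;
        int ok = parse_crl_name(e->d_name, &h, &idx) && crl_reachable(dir, h, idx);
        if (ok) reachable++; else (*skipped)++;
    }
    closedir(d);
    return reachable;
}
```

The hash in the file name is the value printed by `openssl crl -hash -noout -in <file>`. OpenSSL 1.0.0 changed how this name hash is computed, so a directory hashed with an older release has to be re-hashed (for example with `c_rehash`).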
