[英]OpenSSL C API CRL check
I'm trying to write a CertificatePathValidation Test using the OpenSSL C API. 我正在尝试使用OpenSSL C API编写CertificatePathValidation测试。 I'm currently stuck at testing for revoked intermediate (ca-)certs. 我目前仍在测试已撤销的中间(ca-)证书。 There are two test cases: 1. EndCert is revoked and 2. SubCACert is revoked. 有两个测试用例:1.吊销EndCert和2.吊销SubCACert。 The part of my code: 我的代码部分:
FILE* fl = NULL;
int i;
for(i=0; i<crl_count; i++){
fl = fopen(pem_crl_files[i],"r");
x509 = PEM_read_X509_CRL(fl, NULL,0,NULL);
X509_STORE_add_crl(store, x509);
fclose(fl);
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
So now when I use the X509_V_FLAG_CRL_CHECK flag, test case 1 works out fine, test case 2 fails (returns cert is valid). 因此,现在当我使用X509_V_FLAG_CRL_CHECK标志时,测试用例1正常运行,测试用例2失败(返回证书有效)。 If I use the X509_V_FLAG_CRL_CHECK_ALL flag, cases 1 and 2 both fail. 如果我使用X509_V_FLAG_CRL_CHECK_ALL标志,情况1和2都将失败。 Does anyone know what I missed? 有人知道我错过了吗?
The behavior of this settings is slightly different than the documentation suggests: 此设置的行为与文档建议的稍有不同:
This means you need to set both X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL
. 这意味着您需要同时设置X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL
。
The relevant code from OpenSSL 1.0.1e, file crypto/x509/x509_vfy.c: OpenSSL 1.0.1e中的相关代码,文件crypto / x509 / x509_vfy.c:
669 static int check_revocation(X509_STORE_CTX *ctx)
670 {
671 int i, last, ok;
672 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
673 return 1;
674 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
675 last = sk_X509_num(ctx->chain) - 1;
As you can see it will skip the whole revocation check in lines 672,673 if X509_V_FLAG_CRL_CHECK is not set. 如您所见,如果未设置X509_V_FLAG_CRL_CHECK,它将在672,673行中跳过整个吊销检查。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.