
Issue creating a new CRL in OpenSSL

I am creating a 3rd party application using OpenSSL to create a new certificate revocation list for an embedded system. Here is my code:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    /* CRL_VERSION, CRL_ISSUER_* and RW_CRL_LOCATION are macros defined elsewhere in the project. */
    X509_CRL *crl;
    ASN1_TIME *tmptm = ASN1_TIME_new();   /* tmptm is set elsewhere in the original; current time assumed here */
    FILE *fPointer;
    int result;

    crl = X509_CRL_new();

    X509_CRL_set_version(crl, CRL_VERSION);

    /* Issuer distinguished name; X509_CRL_set_issuer_name() copies it, so `id` is freed below. */
    X509_NAME *id = X509_NAME_new();
    X509_NAME_add_entry_by_txt(id, "C",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "ST", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_STATE, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "L",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "O",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATION, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "OU", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATIONAL_UNIT, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "CN", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COMMON_NAME, -1, -1, 0);

    X509_CRL_set_issuer_name(crl, id);

    X509_gmtime_adj(tmptm, 0);
    X509_CRL_set_lastUpdate(crl, tmptm);

    /* filename[50] must be large enough for RW_CRL_LOCATION plus "crl.pem" and the terminator. */
    char filename[50];
    strcpy(filename, RW_CRL_LOCATION);
    strcat(filename, "crl.pem");

    /* No X509_CRL_sign() call before this point: the CRL is written out unsigned. */
    fPointer = fopen(filename, "w+");
    result = PEM_write_X509_CRL(fPointer, crl);   /* original read "clr", a typo for crl */
    fclose(fPointer);

    X509_NAME_free(id);
    ASN1_TIME_free(tmptm);

When I run this, it creates a CRL file, but when I try to read it using the openssl command it fails to load:

OpenSSL 1.0.2d 9 Jul 2015
root@imx6ulevk:/vp/test/crl# 
root@imx6ulevk:/vp/test/crl# openssl crl -in crl.pem -noout -text
unable to load CRL
1995560144:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_CRL_INFO
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=crl, Type=X509_CRL
1995560144:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

But when I compile and run the same piece of code on my 32-bit Linux PC and try to open the CRL file it created, it works:

OpenSSL 1.0.1f 6 Jan 2014
thilinaur@ubuntu:~/openssl-testing/code/crl$ openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
    Version 3 (0x2)
Signature Algorithm: itu-t
    Issuer: /C=SL/L=SL/O=VIVOPAY/OU=PISCES
    Last Update: Nov 11 05:44:25 2016 GMT
    Next Update: NONE
No Revoked Certificates.
Signature Algorithm: itu-t

I then copied the CRL file created on my PC to the embedded file system and tried to open it there, and it worked fine. I also copied the CRL created by the embedded system to the PC and tried to open it, and it failed. Can anyone please help me with this issue?

Late, but I finally realized: you didn't sign the CRL. Signing fills in the two algorithm fields as well as the actual signature; the two lines "Signature Algorithm: itu-t" in the 1.0.1 decode are an old bug (or at least misfeature) where a missing/empty OID 'decodes' as itu-t because that's assigned top arc 0. 1.0.2 is apparently stricter and caught this.

Call X509_CRL_sign or X509_CRL_sign_ctx per the man page on your system or on the web.
