Problem creating a new CRL in OpenSSL

Time: 2016-11-11 06:52:29

Tags: c ssl openssl certificate-revocation

I am writing a third-party application with OpenSSL to create a new certificate revocation list for an embedded system. This is my code

    #include <stdio.h>
    #include <string.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    /* CRL_VERSION, CRL_ISSUER_* and RW_CRL_LOCATION are macros defined elsewhere in the program */
    X509_CRL *crl = X509_CRL_new();

    X509_CRL_set_version(crl, CRL_VERSION);

    X509_NAME *id = X509_NAME_new();
    X509_NAME_add_entry_by_txt(id, "C",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "ST", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_STATE, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "L",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "O",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATION, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "OU", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATIONAL_UNIT, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "CN", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COMMON_NAME, -1, -1, 0);

    X509_CRL_set_issuer_name(crl, id);   /* the CRL keeps its own copy of the name */
    X509_NAME_free(id);

    ASN1_TIME *tmptm = X509_gmtime_adj(NULL, 0);   /* lastUpdate = now */
    X509_CRL_set_lastUpdate(crl, tmptm);
    ASN1_TIME_free(tmptm);

    /* snprintf instead of strcpy/strcat so a long RW_CRL_LOCATION cannot overflow the buffer */
    char filename[50];
    snprintf(filename, sizeof(filename), "%s%s", RW_CRL_LOCATION, "crl.pem");

    FILE *fPointer = fopen(filename, "w+");
    int result = PEM_write_X509_CRL(fPointer, crl);   /* was "clr" in the original listing */
    fclose(fPointer);

When I run it a CRL file is created, but when I try to read it with the openssl command it fails to load

    OpenSSL 1.0.2d 9 Jul 2015
    root@imx6ulevk:/vp/test/crl# 
    root@imx6ulevk:/vp/test/crl# openssl crl -in crl.pem -noout -text
    unable to load CRL
    1995560144:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_CRL_INFO
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=crl, Type=X509_CRL
    1995560144:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

But when I compile and run the same code on my 32-bit Linux PC and try to open the created CRL file, it works fine

    OpenSSL 1.0.1f 6 Jan 2014
    thilinaur@ubuntu:~/openssl-testing/code/crl$ openssl crl -in crl.pem -noout -text
    Certificate Revocation List (CRL):
        Version 3 (0x2)
    Signature Algorithm: itu-t
        Issuer: /C=SL/L=SL/O=VIVOPAY/OU=PISCES
        Last Update: Nov 11 05:44:25 2016 GMT
        Next Update: NONE
    No Revoked Certificates.
    Signature Algorithm: itu-t

Then I copied the CRL file created on my PC to the embedded file system and tried to open it there, and it works fine. I also copied the CRL created by the embedded system to the PC and tried to open it, but it failed. Can anyone help me with this problem?

1 answer:

Answer 0: (score: 0)

Late, but I finally realized: you are not signing the CRL. Signing fills in the two algorithm fields as well as the actual signature; the two `Signature Algorithm: itu-t` lines in the 1.0.1 decode are an old bug (or at least a misfeature) where a missing/empty OID 'decodes' as itu-t because that is assigned to top arc 0. 1.0.2 is apparently stricter and catches this.

Call X509_CRL_sign or X509_CRL_sign_ctx, per the man page on your system or on the web here.
