Geoff Thorpe wrote:
>
> Hi there,
>
> About April Ben made a change to crypto/x509/by_file.c to do with adding CRLs
> to the X509_LOOKUP as well as certs. However, the return value of that
> function has me a bit confused - after that change, the function
> considered it an error unless the file contained a cert AND a CRL. I would
> have thought it more logical to make it an error if the file contained
> neither.
>
> Anyway, the point of this is that Bodo's change on the 26/27th October to
> X509_STORE_load_locations in crypto/x509/x509_d2.c started paying
> attention to these return values. The upshot is that a call to
> SSL_CTX_load_verify_locations with a file containing a CA cert but no CRL
> returns an error (which breaks existing code).
>
[stuff deleted]
>
> For now I've made do with patching the by_file.c as per the attached diff.
>
> I'd appreciate any thoughts on how this should work. Mark was happy to
> commit this change but I'd appreciate some feedback first.
>
I suggest we dump the whole logic and instead use
PEM_X509_INFO_read_bio() to read in the whole lot. This is designed to
read in combinations of CRLs, certificates and private keys. The private
keys can be discarded (for now).
[and I've just noticed that it will need changing to handle my new trust
code: erk!]
There's an example of its use in apps/crl2p7.c but I'd suggest a better
way to handle things would be to up the reference counts of the used
CRLs and certificates then sk_pop_free the whole thing.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
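As an added illustration (not from the thread and not OpenSSL's own code), here is the approach Steve describes, modelled in Python with only the standard library: read every PEM block in the file the way PEM_X509_INFO_read_bio() does, keep certs and CRLs, discard private keys, and treat the file as an error only when it holds neither a cert nor a CRL. The X509_STORE is stood in by a dict, and the PEM payloads are constructed placeholders rather than real DER; `require_both=True` reproduces the return-value behaviour Geoff complains about.

```python
import base64
import re

# One PEM block; the label is captured so certs, CRLs and keys can be told apart.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_x509_info(pem_text):
    """Stand-in for PEM_X509_INFO_read_bio(): every block in the file as a
    (kind, der) tuple, kind being 'cert', 'crl', 'key' or 'other'."""
    items = []
    for match in _PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        if label in ("CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"):
            kind = "cert"
        elif label == "X509 CRL":
            kind = "crl"
        elif label.endswith("PRIVATE KEY"):
            kind = "key"          # read, but discarded by the loader below
        else:
            kind = "other"
        items.append((kind, der))
    return items

def load_cert_crl_file(store, pem_text, require_both=False):
    """Add the file's certs and CRLs to `store` (a dict standing in for an X509_STORE;
    real code would call X509_STORE_add_cert/X509_STORE_add_crl, which take their own
    reference, then sk_X509_INFO_pop_free the list). Returns objects added, 0 = error."""
    ncert = ncrl = 0
    for kind, der in read_x509_info(pem_text):
        if kind == "cert":
            store["certs"].append(der)
            ncert += 1
        elif kind == "crl":
            store["crls"].append(der)
            ncrl += 1
    if require_both:
        ok = ncert > 0 and ncrl > 0        # error unless cert AND CRL present (the complaint)
    else:
        ok = ncert + ncrl > 0              # error only if the file held neither (the fix)
    return ncert + ncrl if ok else 0

def _pem(label, payload):
    # Constructed PEM armour around placeholder bytes; not real DER.
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed inputs: a CA cert plus its private key (no CRL), and the same file with a CRL.
CA_ONLY_PEM = _pem("CERTIFICATE", b"placeholder CA cert") + _pem("RSA PRIVATE KEY", b"placeholder key")
CA_AND_CRL_PEM = CA_ONLY_PEM + _pem("X509 CRL", b"placeholder CRL")
```

With `require_both=False` a CA-only file loads one cert and succeeds, which is what SSL_CTX_load_verify_locations callers expect; with `require_both=True` the same file is rejected.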