Hi All
I have CA certificates and CRLs in one file. I am passing this file to SSL_CTX_load_verify_locations().
SSL_CTX_load_verify_locations() indirectly calls PEM_X509_INFO_read_bio()
and X509_load_cert_crl_file().
PEM_X509_INFO_read_bio() pushes an X509_INFO object onto the stack whenever
the next retrieved object (X509_INFO->x509 or X509_INFO->crl etc.)
is of the same type. But whenever the next retrieved object is of a different type
(the first is of type X509 and the second is of type CRL) it stores both objects
in the same X509_INFO object and pushes that onto the stack. When we have finished
reading the file we return the stack.
In X509_load_cert_crl_file() we add the X509 certificates and CRLs to the X509_STORE_CTX
using the following code.
    inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
    BIO_free(in);
    if (!inf) {
        X509err(X509_F_X509_LOAD_CERT_CRL_FILE, ERR_R_PEM_LIB);
        return 0;
    }
    for (i = 0; i < sk_X509_INFO_num(inf); i++) {
        itmp = sk_X509_INFO_value(inf, i);
        if (itmp->x509) {
            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
            count++;
        } else if (itmp->crl) {   /* only reached when the entry has no x509 */
            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
            count++;
        }
    }
e.g. I have 3 X509 certificates and 3 CRLs in a file. The order is first the
3 certificates and after that the 3 CRLs.
In this case sk_X509_INFO_num(inf) returns 5 and we can add only a total
of five certificates and CRLs to the certificate store. This is because when we
pushed the X509_INFO objects onto the stack one of them had a pointer to an x509 as
well as a crl. The code shown above in bold font does not handle such X509_INFO
objects properly. It always adds the X509 object to the certificate store and misses
the crl object.
I guess the code shown above in bold font should be like this...
        if (itmp->x509) {
            X509_STORE_add_cert(ctx->store_ctx, itmp->x509);
            count++;
        }
        if (itmp->crl) {          /* independent check: a CRL sharing the entry is added too */
            X509_STORE_add_crl(ctx->store_ctx, itmp->crl);
            count++;
        }
Waiting for your replies....
I am sorry if i am wrong in understanding some part of it...
Regards
Amar
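As an added illustration (not part of Amar's message and not OpenSSL code), the following stand-alone C program models the grouping rule described above: PEM_X509_INFO_read_bio() keeps filling one X509_INFO until a slot (x509 or crl) is already taken, then pushes it and starts a new one. It then counts what the original else-if loop and the proposed two-if loop would load, for the 3-certs-then-3-CRLs file from the post and also for an interleaved cert/CRL layout. The file layouts are constructed strings ('C' = certificate, 'R' = CRL); no libcrypto is needed.

```c
/* Added example (not from the post or OpenSSL): model of how
 * PEM_X509_INFO_read_bio() packs consecutive PEM objects into X509_INFO
 * entries, used to compare the original X509_load_cert_crl_file() loop
 * with the proposed one. 'C' = certificate, 'R' = CRL, others ignored. */
#include <stdio.h>

#define MAX_INFO 64

typedef struct { int has_x509, has_crl; } info_t;   /* stand-in for X509_INFO */
typedef struct { int certs, crls; } tally_t;

/* Grouping rule: an object goes into the current entry unless that slot is
 * already filled; then the entry is pushed and a fresh one takes the object.
 * Returns the entry count, i.e. what sk_X509_INFO_num() reports. */
static size_t group_objects(const char *order, info_t *stack) {
    size_t n = 0;
    info_t cur = {0, 0};
    for (const char *p = order; *p && n < MAX_INFO; p++) {
        int *slot;
        if (*p == 'C') slot = &cur.has_x509;
        else if (*p == 'R') slot = &cur.has_crl;
        else continue;
        if (*slot) {                     /* slot taken: push, start a new entry */
            stack[n++] = cur;
            cur.has_x509 = cur.has_crl = 0;
        }
        *slot = 1;
    }
    if ((cur.has_x509 || cur.has_crl) && n < MAX_INFO) stack[n++] = cur;
    return n;
}

static size_t entry_count(const char *order) { info_t st[MAX_INFO]; return group_objects(order, st); }

/* both_members = 0: the original else-if loop, where an entry holding a cert
 * and a CRL contributes only the cert.  both_members = 1: the proposed two ifs. */
static tally_t load(const char *order, int both_members) {
    info_t st[MAX_INFO];
    tally_t t = {0, 0};
    size_t n = group_objects(order, st);
    for (size_t i = 0; i < n; i++) {
        if (st[i].has_x509) t.certs++;
        if (st[i].has_crl && (both_members || !st[i].has_x509)) t.crls++;
    }
    return t;
}

int main(void) {
    const char *files[] = { "CCCRRR", "CRCRCR" };   /* constructed file layouts */
    for (int i = 0; i < 2; i++) {
        tally_t a = load(files[i], 0), b = load(files[i], 1);
        printf("%s: %zu X509_INFO entries; else-if loads %d certs/%d CRLs, two ifs load %d/%d\n",
               files[i], entry_count(files[i]), a.certs, a.crls, b.certs, b.crls);
    }
    return 0;
}
```

The interleaved layout is the worse case: every X509_INFO carries both members, so the else-if loop drops every CRL while still reporting a non-zero count.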
