Hi, I have a piece of code doing a CRL revocation check which worked fine with OpenSSL 0.9.8 but no longer rejects a revoked certificate with 1.0.1 (the check always reports success, see below). The code does something like:

X509_STORE_add_crl(store, crl);
X509_STORE_CTX_init(ctx, store, cert, NULL);
ctx->check_revocation(ctx);

Note that this invokes the ctx's internal check_revocation callback directly instead of going through X509_verify_cert(), and nothing shown here sets X509_V_FLAG_CRL_CHECK on the store or ctx; I am not sure whether calling the callback directly like this is still a supported way to drive the CRL check in 1.0.1.
In the OpenSSL library (crypto/x509/x509_vfy.c), check_cert() does the following. The excerpt starts inside the while loop and stops before the loop body is closed, so it is not the whole function:

while (ctx->current_reasons != CRLDP_ALL_REASONS) {
    /* Try to retrieve relevant CRL */
    if (ctx->get_crl)                              /* <== this is NULL in my case */
        ok = ctx->get_crl(ctx, &crl, x);
    else
        ok = get_crl_delta(ctx, &crl, &dcrl, x);   /* <== this line gets called; it returns the CRL in 'crl' and NULL in 'dcrl' */
    /* If error looking up CRL, nothing we can do except
     * notify callback */
    if(!ok) {
        ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
        ok = ctx->verify_cb(0, ctx);
        goto err;
    }
    ctx->current_crl = crl;
    ok = ctx->check_crl(ctx, crl);                 /* <== this only checks the validity of the CRL itself; it does not check the cert against the CRL */
    if (!ok)
        goto err;
    if (dcrl) {
        ok = ctx->check_crl(ctx, dcrl);
        if (!ok)
            goto err;
        ok = ctx->cert_crl(ctx, dcrl, x);          /* <== this does not run since dcrl is NULL */
        if (!ok)
            goto err;
    } else
        ok = 1;                                    /* <== so, as far as this excerpt shows, ok is 1 at this point */

Two caveats about my own reading of this: the excerpt ends at `else ok = 1;` while the while-loop body is still open, so whatever follows that line in check_cert() (in particular any later call to ctx->cert_crl() on the base 'crl' rather than on 'dcrl') is not shown here, and "always returns success" is not established by the lines quoted alone. Also, the X509_V_ERR_UNABLE_TO_GET_CRL path only fails the check if verify_cb returns 0, so an application verify callback that accepts every error would make a missing CRL look like a pass as well. Is this something wrong in OpenSSL, or am I missing something? Thanks, -binlu