"Error: unable to get certificate CRL"

"Error: unable to get certificate CRL"

Roger Zhang
Hi,

I ran into an "unable to get certificate CRL" problem. The program is as follows; it is modified from the O'Reilly OpenSSL book, example 10-7. In the program, /home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem is my self-signed root CA. It signed a lot of certificates, 01.pem, 02.pem through 09.pem, where 01.pem signs 02.pem, 02.pem signs 03.pem, and so on until 09.pem. I also used ca1cert.pem to sign 0A.pem, 0B.pem and 0C.pem as another list. I revoked 0A.pem and 0C.pem and generated the CRL in /home/zhangl/openssl/test/ca1/newcerts/crl.pem. 0A.pem and 0C.pem have no relationship with 01.pem, 02.pem, etc., except that they are all signed by ca1cert.pem. But after I compiled the program, I got "Error: unable to get certificate CRL". If I changed CLIENT_CERT to /home/zhangl/openssl/test/ca1/newcerts/01.pem, then verification passed; all the others failed. Why could 01.pem succeed while the others failed? 01.pem-09.pem have no relation to 0A.pem and 0C.pem, so why do I still get this kind of error? Thanks in advance!

Roger

#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/err.h>
#include <openssl/pem.h>

//int RAND_load_file(const char *filename, long bytes);
//
//int seed_prng(int bytes)
//{
//      if (!RAND_load_file("/dev/random", bytes))
//              return 0;
//      return 1;
//}

/* report where the failure happened, dump the OpenSSL error queue and exit */
void handle_error(const char *file, int lineno, const char *msg)
{
        fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
        ERR_print_errors_fp(stderr);
        exit(-1);
}
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* these are definitions to make the example simpler */
#define CA_FILE "/home/zhangl/openssl/test/ca1/newcerts/ca1cert.pem"
#define CA_DIR "/home/zhangl/openssl/test/ca1/newcerts"
#define CRL_FILE "/home/zhangl/openssl/test/ca1/newcerts/crl.pem"
#define CLIENT_CERT "/home/zhangl/openssl/test/ca1/newcerts/02.pem"

/* called for every step of chain verification; print the reason when a step fails */
int verify_callback(int ok, X509_STORE_CTX *stor)
{
        if (!ok)
                fprintf(stderr, "Error: %s\n",
                        X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
        return ok;
}

int main(int argc, char *argv[])
{
        X509 *cert;
        X509_STORE *store;
        X509_LOOKUP *lookup;
        X509_STORE_CTX *verify_ctx;
        FILE *fp;

        OpenSSL_add_all_algorithms();
        ERR_load_crypto_strings();
        //seed_prng(100);

        /* first read the client certificate */
        if (!(fp = fopen(CLIENT_CERT, "r")))
                int_error("Error reading client certificate file");
        if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
                int_error("Error reading client certificate in file");
        fclose(fp);

        /* create the cert store and set the verify callback */
        if (!(store = X509_STORE_new()))
                int_error("Error creating X509_STORE object");
        X509_STORE_set_verify_cb_func(store, verify_callback);

        /* load the CA certificates and CRLs */
        if (X509_STORE_load_locations(store, CA_FILE, CA_DIR) != 1)
                int_error("Error loading the CA file or directory");
        if (X509_STORE_set_default_paths(store) != 1)
                int_error("Error loading the system-wide CA certificates");
        if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
                int_error("Error creating X509_LOOKUP object");
        if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
                int_error("Error reading the CRL file");

        /* enabling verification against CRLs is not possible in prior versions */
        /* set the flags of the store so that CRLs are consulted:
           CRL_CHECK checks the leaf against its issuer's CRL, CRL_CHECK_ALL
           additionally requires a CRL from every CA in the chain */
        X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                    X509_V_FLAG_CRL_CHECK_ALL);

        /* create a verification context and initialize it */
        if (!(verify_ctx = X509_STORE_CTX_new()))
                int_error("Error creating X509_STORE_CTX object");
        /* X509_STORE_CTX_init did not return an error condition in prior versions */
        if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
                int_error("Error initializing verification context");

        /* verify the certificate */
        if (X509_verify_cert(verify_ctx) != 1)
                int_error("Error verifying the certificate");
        else
                printf("Certificate verified correctly!\n");

        X509_STORE_CTX_free(verify_ctx);
        X509_STORE_free(store);
        X509_free(cert);
        return 0;
}
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
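As an added illustration (not part of the original post), the following openssl CLI session builds a root -> intermediate -> leaf chain and verifies the leaf with the same CRL_CHECK|CRL_CHECK_ALL policy the program above sets: with those flags OpenSSL needs a CRL from every issuer in the chain, so a leaf whose issuer has published no CRL fails with "unable to get certificate CRL" even though nothing in its chain is revoked. All file and subject names are constructed; it assumes an openssl binary of version 1.1.1 or later in PATH.

```shell
#!/bin/sh
# Constructed demonstration (not from the original post): a chain
# root -> inter -> leaf, checked with the same CRL_CHECK|CRL_CHECK_ALL
# policy the posted program sets, so it plays out what happens to 02.pem.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > ee.ext

# Self-signed root (the role ca1cert.pem plays in the post).
openssl req -newkey rsa:2048 -nodes -subj /CN=root -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 30 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null

# issue NAME SIGNER EXTFILE: new key + certificate for NAME, signed by SIGNER.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -out "$1.crt" 2>/dev/null
}
issue inter root ca.ext     # like 01.pem: a CA signed by the root
issue leaf inter ee.ext     # like 02.pem: signed by the intermediate

# gencrl NAME: an empty CRL signed by CA NAME, using a minimal "openssl ca" config.
gencrl() {
  : > "$1.idx"
  printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s.idx\ndefault_md=sha256\ndefault_crl_days=30\n' "$1" > "$1.cnf"
  openssl ca -gencrl -config "$1.cnf" -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null
}

# verify_leaf CRLFILE: CRL_CHECK|CRL_CHECK_ALL verification of leaf.crt with
# CRLFILE as the only CRL source. Exit status is the verification result.
verify_leaf() {
  openssl verify -crl_check_all -CAfile root.crt -untrusted inter.crt -CRLfile "$1" leaf.crt
}

# missing_crl_error CRLFILE: true when verification fails with exactly the
# error from the post, "unable to get certificate CRL".
missing_crl_error() {
  out=$(verify_leaf "$1" 2>&1) && return 1
  case $out in *"unable to get certificate CRL"*) return 0 ;; *) return 1 ;; esac
}

gencrl root
missing_crl_error root.crl && echo "root CRL only: unable to get certificate CRL (inter has none)"
gencrl inter
cat root.crl inter.crl > all.crl    # one CRL per CA in the chain
verify_leaf all.crl && echo "root + inter CRLs: leaf verifies"
```

The same applies to the program above: a CRL signed by each signing CA in the chain (01.pem for 02.pem, and so on) has to be loaded into the store, or CRL checking has to be limited to issuers that actually publish one.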
RE: "Error: unable to get certificate CRL"

Roger Zhang
Hi,

Can anyone help me with this issue? I saw there are some mails about "unable to get certificate CRL". Seems like a bug? I am using openssl-0.9.8a. Thanks!

Roger

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]]On Behalf Of Zhang,
> Long (Roger)
> Sent: Monday, April 17, 2006 8:18 PM
> To: [hidden email]
> Subject: "Error: unable to get certificate CRL"