
I am creating a third-party application using OpenSSL to create a new certificate revocation list for an embedded system. Here is my code:

    #include <stdio.h>
    #include <string.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    /* CRL_VERSION, CRL_ISSUER_* and RW_CRL_LOCATION are project macros; tmptm is an ASN1_TIME * set earlier */
    X509_CRL *crl = X509_CRL_new();

    X509_CRL_set_version(crl, CRL_VERSION);

    X509_NAME *id = X509_NAME_new();
    X509_NAME_add_entry_by_txt(id, "C",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "ST", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_STATE, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "L",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "O",  MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATION, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "OU", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATIONAL_UNIT, -1, -1, 0);
    X509_NAME_add_entry_by_txt(id, "CN", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COMMON_NAME, -1, -1, 0);

    X509_CRL_set_issuer_name(crl, id);   /* copies the name into the CRL */

    X509_CRL_set_lastUpdate(crl, tmptm);

    char filename[50];
    strcpy(filename, RW_CRL_LOCATION);
    strcat(filename, "crl.pem");

    FILE *fPointer = fopen(filename, "w+");
    int result = PEM_write_X509_CRL(fPointer, crl);
    fclose(fPointer);

When I run this it creates a CRL file, and when I try to read it using the openssl command it fails to load:

    OpenSSL 1.0.2d 9 Jul 2015
    root@imx6ulevk:/vp/test/crl# 
    root@imx6ulevk:/vp/test/crl# openssl crl -in crl.pem -noout -text
    unable to load CRL
    1995560144:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_CRL_INFO
    1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=crl, Type=X509_CRL
    1995560144:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

But when I compile and run the same piece of code on my 32-bit Linux PC and try to open the CRL file it created, it works:

    OpenSSL 1.0.1f 6 Jan 2014
    thilinaur@ubuntu:~/openssl-testing/code/crl$ openssl crl -in crl.pem -noout -text
    Certificate Revocation List (CRL):
        Version 3 (0x2)
    Signature Algorithm: itu-t
        Issuer: /C=SL/L=SL/O=VIVOPAY/OU=PISCES
        Last Update: Nov 11 05:44:25 2016 GMT
        Next Update: NONE
    No Revoked Certificates.
    Signature Algorithm: itu-t

Then I copied the CRL file created on my PC to the embedded file system and tried to open it there; it worked fine. I also copied the CRL created by the embedded system to the PC and tried to open it, and it failed. Can anyone please help me with this issue?

thilinaur
  • You probably compiled your code for a 32-bit architecture, so on the PC (I guess 64-bit) it doesn't work. – LPs Nov 11 '16 at 07:12
  • Ah ok, I will add that: no, I compiled and tested on both architectures. – thilinaur Nov 11 '16 at 08:18
  • @ThilinaRathnasooriya - if it *is* really PEM, then `file crl.pem` will return `ASCII`. If it returns `binary`, then it's DER. Try adding the `-inform` option to `openssl crl -in crl.pem -noout -text`. Use either PEM or DER: `-inform DER` or `-inform PEM`. Also see the [`openssl crl` man page](https://www.openssl.org/docs/man1.1.0/apps/crl.html). – jww Nov 11 '16 at 09:33

1 Answer

Late, but I finally realized: you didn't sign the CRL. Signing fills in the two algorithm fields as well as the actual signature; the two lines `Signature Algorithm: itu-t` in the 1.0.1 decode are an old bug (or at least misfeature) where a missing/empty OID 'decodes' as itu-t because that's assigned top arc 0. 1.0.2 is apparently stricter and caught this.

Call `X509_CRL_sign` or `X509_CRL_sign_ctx` per the man page on your system or on the web here.

dave_thompson_085