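I am using OpenSSL to create a third-party application that creates new certificate revocation lists for an embedded system. Here is my code to create a new CRL in OpenSSL: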
/* Create an empty CRL object and set its version */
crl = X509_CRL_new();
X509_CRL_set_version(crl, CRL_VERSION);

/* Build the issuer name and attach it to the CRL */
X509_NAME *id = X509_NAME_new();
X509_NAME_add_entry_by_txt(id, "C", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
X509_NAME_add_entry_by_txt(id, "ST", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_STATE, -1, -1, 0);
X509_NAME_add_entry_by_txt(id, "L", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COUNTRY, -1, -1, 0);
X509_NAME_add_entry_by_txt(id, "O", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATION, -1, -1, 0);
X509_NAME_add_entry_by_txt(id, "OU", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_ORGANIZATIONAL_UNIT, -1, -1, 0);
X509_NAME_add_entry_by_txt(id, "CN", MBSTRING_ASC, (const unsigned char*) CRL_ISSUER_COMMON_NAME, -1, -1, 0);
X509_CRL_set_issuer_name(crl, id);
X509_CRL_set_lastUpdate(crl, tmptm);

/* Write the CRL to <RW_CRL_LOCATION>crl.pem in PEM format */
char filename[50];
strcpy(filename, RW_CRL_LOCATION);
strcat(filename, "crl.pem");
fPointer = fopen(filename, "w+");
result = PEM_write_X509_CRL(fPointer, crl);
When I run this it creates a CRL file, but when I try to read it with the openssl command, it fails to load:
OpenSSL 1.0.2d 9 Jul 2015
[email protected]:/vp/test/crl#
[email protected]:/vp/test/crl# openssl crl -in crl.pem -noout -text
unable to load CRL
1995560144:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:283:
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=algorithm, Type=X509_ALGOR
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=sig_alg, Type=X509_CRL_INFO
1995560144:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:694:Field=crl, Type=X509_CRL
1995560144:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
But when I compile and run the same code on my 32-bit Linux PC and try to open the CRL file it creates, it works:
OpenSSL 1.0.1f 6 Jan 2014
[email protected]:~/openssl-testing/code/crl$ openssl crl -in crl.pem -noout -text
Certificate Revocation List (CRL):
Version 3 (0x2)
Signature Algorithm: itu-t
Issuer: /C=SL/L=SL/O=VIVOPAY/OU=PISCES
Last Update: Nov 11 05:44:25 2016 GMT
Next Update: NONE
No Revoked Certificates.
Signature Algorithm: itu-t
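I then copied the CRL file created on my PC to the embedded file system and tried to open it there, and it worked fine. I also copied the CRL created on the embedded system to the PC and tried to open it, and that failed. Can anyone help me solve this problem?
You probably compiled the code for a 32-bit architecture, so it does not work on the PC (64-bit, I guess). – LPs
Ah OK, I will add that. No, I compiled and tested it on both architectures. – thilinaur
@ThilinaRathnasooriya - If it ***is*** really PEM, then `file crl.pem` will return `ASCII`. If it returns `binary`, then it's DER. Try adding the `-inform` option to `openssl crl -in crl.pem -noout -text`. Use either PEM or DER: `-inform DER` or `-inform PEM`. Also see the [`openssl crl` man page](https://www.openssl.org/docs/man1.1.0/apps/crl.html). – jww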
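The error stack in the question names the path crl, then sig_alg, then algorithm, and ends in an OBJECT IDENTIFIER decode failure; sig_alg is the field that X509_CRL_sign fills in when a CRL is signed. As an added example (not code from the question or from OpenSSL), the following walks the same path in a DER-encoded CRL and reports whether that OID is well formed. The function name is hypothetical, and the two byte arrays are constructed samples, one with an empty OID assumed as the malformed case.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse one DER tag-length-value header from p[0..n). Returns 0 on success. */
static int tlv(const unsigned char *p, size_t n, unsigned char *tag,
               const unsigned char **val, size_t *len)
{
    size_t l, hdr = 2;
    if (n < 2) return -1;
    *tag = p[0]; l = p[1];
    if (l & 0x80) {                      /* long form: low 7 bits = length bytes */
        size_t k = l & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return -1;
        for (l = 0; hdr < 2 + k; hdr++) l = (l << 8) | p[hdr];
    }
    if (l > n - hdr) return -1;          /* value would run past the buffer */
    *val = p + hdr; *len = l;
    return 0;
}

/* Hypothetical helper: 1 = OID in tbsCertList.signature is well formed,
 * 0 = OID is empty or ends mid-arc, -1 = input is not CRL-shaped DER. */
int crl_sig_alg_oid_ok(const unsigned char *der, size_t n)
{
    unsigned char tag;
    const unsigned char *v, *f; size_t l, fl;
    if (tlv(der, n, &tag, &v, &l) || tag != 0x30) return -1;  /* CertificateList */
    if (tlv(v, l, &tag, &v, &l) || tag != 0x30) return -1;    /* tbsCertList */
    if (tlv(v, l, &tag, &f, &fl)) return -1;
    if (tag == 0x02) {                   /* optional version INTEGER: skip it */
        l -= (size_t)(f + fl - v);
        v = f + fl;
        if (tlv(v, l, &tag, &f, &fl)) return -1;
    }
    if (tag != 0x30) return -1;                               /* AlgorithmIdentifier */
    if (tlv(f, fl, &tag, &v, &l) || tag != 0x06) return -1;   /* algorithm OID */
    return l > 0 && !(v[l - 1] & 0x80);
}

/* Constructed samples, truncated to the fields the check reads. */
static const unsigned char EMPTY_OID[] = {0x30,0x09,0x30,0x07,0x02,0x01,0x01,0x30,0x02,0x06,0x00};
static const unsigned char SHA256_RSA[] = {0x30,0x14,0x30,0x12,0x02,0x01,0x01,0x30,0x0D,
    0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00};
int main(void)
{
    printf("empty OID: %d\n", crl_sig_alg_oid_ok(EMPTY_OID, sizeof EMPTY_OID));
    printf("sha256WithRSAEncryption: %d\n", crl_sig_alg_oid_ok(SHA256_RSA, sizeof SHA256_RSA));
    return 0;
}
```

The function takes DER bytes, so the base64 body of a PEM file has to be decoded before it is passed in.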