On Thu, Jan 17, 2008, kris vandercapellen wrote:

> Hi,
> I have an issue altering an X509_CRL.
>
> I open a crl from file, add some changes and write the resulting crl
> somewhere.
> However the changes I've done aren't in the resulting crl.
>
> What am I missing ?
>


Well you can't just modify a CRL. It is a digitally signed structure and
modifying it will invalidate the signature so you need to sign it using the
appropriate private key and X509_CRL_sign().

The reason your modifications don't show up is that OpenSSL caches the
encoding of a CRL when it is loaded. This increases processing speed in
several cases.

If you modify the CRL you need to indicate that the cached encoding is no
longer valid. If you call X509_CRL_sign() this is done automatically. If you
want to do this manually for some test and don't care about the invalid
signature you can do:

crl->crl->enc.modified = 1;

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org