| From: | Donn Cave <donn@u.washington.edu> |
| Subject: | Re: CRL update revision for X509_add_crl |
| Date: | Tue, 7 Nov 2006 16:58:43 -0800 |
| To: | rt@openssl.org |
I sent this in a while back, but it may have fallen victim
to some rt outage. Here it is again - the original source
file hasn't changed in the meantime, so I haven't
retested.
I modified crypto/x509/x509_lu.c similar to the following,
to support live update to the certificate revocation list.
- Enhancement request
- all platforms
- OpenSSL 0.9.8-beta5
Briefly, X509_STORE_add_crl needs to be able to accept
a CRL input when a previous revision of the same CRL is
already there. Otherwise, we have to reboot the server
(OpenLDAP slapd in my case) to update the CRL. I actually
wrote a parallel function X509_STORE_replace_crl, and
call it from a replacement for X509_load_crl_file, but for
simplicity I propose to just fix X509_STORE_add_crl.
Thanks,
Donn Cave, donn@u.washington.edu
------------------------------------------------------
*** x509_lu.c.dist Fri Jun 17 11:20:56 2005
--- x509_lu.c Fri Jun 17 11:22:35 2005
***************
*** 359,364 ****
--- 359,365 ----
{
X509_OBJECT *obj;
int ret=1;
+ int idx;
if (x == NULL) return 0;
obj=(X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT));
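Review bot: with the second hunk returning a constant 1, the `int ret=1;` kept as context in this hunk becomes an unused variable; either drop it alongside the new `int idx;`, or keep it and have the push path set it to 0 on failure so the function can still report an error to the caller.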
***************
*** 374,392 ****
X509_OBJECT_up_ref_count(obj);
! if (X509_OBJECT_retrieve_match(ctx->objs, obj))
! {
! X509_OBJECT_free_contents(obj);
! OPENSSL_free(obj);
! X509err(X509_F_X509_STORE_ADD_CRL,X509_R_CERT_ALREADY_IN_HASH_TABLE);
! ret=0;
! }
! else sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
! return ret;
! }
void X509_OBJECT_up_ref_count(X509_OBJECT *a)
{
--- 375,388 ----
X509_OBJECT_up_ref_count(obj);
! idx=sk_X509_OBJECT_find(ctx->objs, obj);
! if (idx >= 0) sk_X509_OBJECT_delete(ctx->objs, idx);
! sk_X509_OBJECT_push(ctx->objs, obj);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
! return 1;
! }
void X509_OBJECT_up_ref_count(X509_OBJECT *a)
{
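Review bot: the object returned by `sk_X509_OBJECT_delete(ctx->objs, idx)` is discarded, so the previous CRL's X509_OBJECT, and the reference it holds on that CRL (see the `X509_OBJECT_up_ref_count(obj);` context line), leaks on every update; capture the return value and release it with `X509_OBJECT_free_contents` and `OPENSSL_free`, as the removed duplicate-handling branch did. Two further points in the same region: `sk_X509_OBJECT_push(ctx->objs, obj);` can fail, yet `return 1;` follows unconditionally, so on allocation failure the caller is told the update succeeded while the store now holds no CRL at all for that issuer (push the new object before deleting the old one, or check the push result); and `sk_X509_OBJECT_find` matches through the store's compare callback, i.e. by CRL issuer name rather than by CRL contents, so reloading an older CRL for the same issuer silently replaces a newer one. Consider comparing the CRL number or lastUpdate before replacing, or at least documenting that the caller is responsible for ordering.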
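The ticket asks X509_STORE_add_crl to accept a newer revision of a CRL whose predecessor is already in the store. The block below is an added example, not code from the ticket, its patch or OpenSSL: it models that operation with a plain array standing in for STACK_OF(X509_OBJECT), and the types and functions in it (crl_t, crl_store_t, store_update_crl, demo_update_sequence) are constructed names for this illustration. It assumes entries are keyed by issuer name and that the RFC 5280 cRLNumber decides which of two CRLs is newer. It shows the three properties a live update needs that a bare delete-then-push does not give: the store never regresses to an older CRL, the replaced entry's reference is released rather than dropped, and a failed allocation leaves the store unchanged.

```c
/* Added example, not from the RT ticket or from OpenSSL: a model of
 * "replace the CRL already in the store" with a plain array in place of
 * STACK_OF(X509_OBJECT).  Assumed: keyed by issuer, ordered by cRLNumber. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for X509_CRL: issuer, CRL number and a reference count. */
typedef struct {
    char issuer[64];
    long crl_number;
    int refs;
} crl_t;

/* Stand-in for the store's object stack: owns one reference per entry. */
typedef struct {
    crl_t **objs;
    int num;
    int cap;
} crl_store_t;

enum { UPD_ERR = 0, UPD_ADDED = 1, UPD_REPLACED = 2, UPD_STALE = 3 };

crl_t *crl_new(const char *issuer, long number) {
    crl_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    snprintf(c->issuer, sizeof c->issuer, "%s", issuer);
    c->crl_number = number;
    c->refs = 1;
    return c;
}
crl_t *crl_up_ref(crl_t *c) { c->refs++; return c; }
void crl_free(crl_t *c) { if (c != NULL && --c->refs == 0) free(c); }

/* Lookup by issuer name, the same key the real store compares CRLs on. */
static int store_find(const crl_store_t *st, const char *issuer) {
    for (int i = 0; i < st->num; i++)
        if (strcmp(st->objs[i]->issuer, issuer) == 0) return i;
    return -1;
}

/* Add a CRL, replacing an existing CRL for the same issuer only when the new
 * one is strictly newer.  Any failure leaves the store unchanged, and the
 * replaced entry's reference is released instead of being leaked. */
int store_update_crl(crl_store_t *st, crl_t *crl) {
    if (st == NULL || crl == NULL) return UPD_ERR;
    int idx = store_find(st, crl->issuer);
    if (idx >= 0) {
        crl_t *old = st->objs[idx];
        if (crl->crl_number <= old->crl_number) return UPD_STALE; /* never regress */
        st->objs[idx] = crl_up_ref(crl);   /* in-place swap: no allocation, cannot fail */
        crl_free(old);                     /* release the store's reference on the old CRL */
        return UPD_REPLACED;
    }
    if (st->num == st->cap) {              /* new issuer: grow first, commit after */
        int ncap = st->cap > 0 ? st->cap * 2 : 4;
        crl_t **grown = realloc(st->objs, (size_t)ncap * sizeof *grown);
        if (grown == NULL) return UPD_ERR; /* store untouched on failure */
        st->objs = grown;
        st->cap = ncap;
    }
    st->objs[st->num++] = crl_up_ref(crl);
    return UPD_ADDED;
}

/* CRL number currently held for an issuer, or -1 if none. */
long store_crl_number(const crl_store_t *st, const char *issuer) {
    int idx = store_find(st, issuer);
    return idx >= 0 ? st->objs[idx]->crl_number : -1;
}

void store_free(crl_store_t *st) {
    for (int i = 0; i < st->num; i++) crl_free(st->objs[i]);
    free(st->objs);
    st->objs = NULL;
    st->num = st->cap = 0;
}

/* The sequence a live reload produces (constructed data): load CRL #5, then
 * #7, then a stale #6.  Returns 0 if every step behaves as expected,
 * otherwise the number of the failing step. */
int demo_update_sequence(void) {
    crl_store_t st = { NULL, 0, 0 };
    crl_t *v5 = crl_new("CN=Example CA", 5);
    crl_t *v7 = crl_new("CN=Example CA", 7);
    crl_t *v6 = crl_new("CN=Example CA", 6);
    int step = 0;
    if (v5 == NULL || v7 == NULL || v6 == NULL) step = -1;
    else if (store_update_crl(&st, v5) != UPD_ADDED || v5->refs != 2) step = 1;
    else if (store_update_crl(&st, v7) != UPD_REPLACED || st.num != 1) step = 2;
    else if (v5->refs != 1) step = 3;   /* store released its reference on #5 */
    else if (store_update_crl(&st, v6) != UPD_STALE) step = 4;
    else if (store_crl_number(&st, "CN=Example CA") != 7) step = 5;
    store_free(&st);
    if (step == 0 && v7->refs != 1) step = 6; /* store_free released #7 */
    crl_free(v5); crl_free(v7); crl_free(v6);
    return step;
}

int main(void) {
    int failed = demo_update_sequence();
    if (failed == 0) printf("CRL update sequence OK\n");
    else printf("step %d failed\n", failed);
    return failed;
}
```

Build with any C99 compiler (for example `cc -std=c99 crl_update.c`); `demo_update_sequence` returns 0 when the reload sequence behaves as described. Against a real store the key would come from X509_CRL_get_issuer and the ordering check from the CRL's crlNumber extension or lastUpdate; the in-place swap and the grow-before-commit order are what make the update leak-free and atomic.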