Fix CRL conversion issue when already in PEM format

If the downloaded CRL file is already in PEM format, the openssl command will fail, as it always tries to convert from a DER-encoded CRL.
This commit adds a test of the CRL format prior to running the openssl crl conversion.

Note: as the openssl verify command then assumes that a .pem tmpfile has been generated by the conversion, there would be an issue when the conversion was not needed (i.e. CRL already PEM-encoded) as that .pem would be missing; therefore I also added a copy of the .crl file to a .crl.pem file before the optional conversion.
teki69 2023-05-22 17:10:25 +02:00 committed by GitHub
parent f71619326d
commit ebcb5554a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24043 additions and 24042 deletions

@ -1979,7 +1979,8 @@ check_revocation_crl() {
return 1
fi
# -crl_download could be more elegant but is supported from 1.0.2 onwards only
$OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE
cp "$tmpfile" "${tmpfile%%.crl}.pem"
grep -qe 'BEGIN X509 CRL' "${tmpfile%%.crl}.pem" || $OPENSSL crl -inform DER -in "$tmpfile" -outform PEM -out "${tmpfile%%.crl}.pem" &>$ERRFILE
if [[ $? -ne 0 ]]; then
pr_warning "conversion of \"$tmpfile\" failed"
fileout "$jsonID" "WARN" "conversion of CRL to PEM format failed"
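
Review bot: On the `grep -qe 'BEGIN X509 CRL' ... || $OPENSSL crl -inform DER ...` line, a CRL that is already PEM is never parsed by openssl at this step, so the `if [[ $? -ne 0 ]]` check below only sees grep's exit status and a truncated or malformed PEM file passes as a successful "conversion" and fails only later in verify. Consider an explicit if/else that runs `$OPENSSL crl -inform PEM -in "$tmpfile" -out "${tmpfile%%.crl}.pem"` in the PEM case, so both branches are validated and both write the .pem file, which also removes the need for the unchecked `cp`. The pattern is also unanchored and is run against what may be binary DER data; `'^-----BEGIN X509 CRL-----'` would be a tighter match. The existing `-crl_download` comment now sits above the `cp` rather than the conversion it describes. Separately, the commit reports 24043 additions and 24042 deletions for what reads as a two-line change, which suggests the whole file was rewritten (line endings or whitespace); that should be reverted so the diff shows only the intended lines.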