DOCGroup · caoxiaolins · Dec 18, 2021 · Apr 25, 2022 · May 5, 2022 · May 5, 2022
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
@@ -550,6 +550,54 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,
   return 0;
 }
 
+int
+ACE_SSL_Context::load_crl_file(const char *file_name, int type)
+{
+  if (context_ == nullptr || file_name == nullptr)
+    {
+      return 0;
+    }
+
+  int ret = 0;
+  BIO *in = nullptr;
+  X509_CRL *x = nullptr;
+  X509_STORE *st = ::SSL_CTX_get_cert_store(context_);
+  if (st == nullptr)
+    {
+      goto err;
+    }
+
+  if (type == SSL_FILETYPE_PEM)
+    {
+      ret = ::SSL_CTX_load_verify_locations(context_, file_name, nullptr);
+    }
+  else if (type == SSL_FILETYPE_ASN1)
+    {
+      in = BIO_new(BIO_s_file());
+      if (in == nullptr || BIO_read_filename(in, file_name) <= 0)
+        {
+          goto err;
+        }
+      x = d2i_X509_CRL_bio(in, nullptr);
+      if (x == nullptr)
+        {
+          goto err;
+        }
+      ret = ::X509_STORE_add_crl(st, x);
+    }
+
+  if (ret == 1)
+    {
+      (void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
+    }
+
+err:
+  X509_CRL_free(x);
+  (void)BIO_free(in);
+
+  return ret;
+}
+
 int
 ACE_SSL_Context::private_key (const char *file_name,
                               int type)

diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
@@ -254,6 +254,19 @@ class ACE_SSL_Export ACE_SSL_Context
                        const char* ca_dir = 0,
                        bool use_env_defaults = true);
 
+  /**
+   *  Load the location of the CRL.
+   *
+   *  @param[in] file_name          CRL file pathname. Passed to
+   *                                @c SSL_CTX_Load_verify_locations() if not
+   *                                0 and @a type is SSL_FILETYPE_PEM. Pass to
+   *                                @c X509_STORE_add_crl if not 0 @a type is SSL_FILETYPE_ASN1.
+   *  @param[in] type               CRL file type. Support SSL_FILETYPE_PEM and
+   *                                SSL_FILETYPE_ASN1.
+   *  @return 1 for success or others on error.
+   */
+  int load_crl_file(const char* file_name, int type);
+
   /**
    *  Test whether any CA locations have been successfully loaded and
    *  return the number of successful attempts.

diff --git a/TAO/docs/Security/SSLIOP-USAGE.html b/TAO/docs/Security/SSLIOP-USAGE.html
@@ -167,6 +167,10 @@ <h4>SSLIOP Options</h4>
       <td><code>-SSLCAfile</code> <em>filename</em></td>
       <td>Provide a file containing a trusted certificate, overriding the file named by SSL_CERT_FILE environment variable.</td>
     </tr>
+    <tr>
+      <td><code>-SSLCRLFile</code> <em>filename</em></td>
+      <td>Provide a file containing a certificate revocation list.</td>
+    </tr>
     <tr>
       <td><code>-SSLCApath</code> <em>directory</em></td>
       <td>Provide a directory from which all files are read for trusted certificates overriding the directory named by SSL_CERT_DIR environment variable.<</td>

diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -314,6 +314,9 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
   int private_key_type = -1;
   int dhparams_type = -1;
 
+  CORBA::String_var crl_path;
+  int crl_type = -1;
+
   int prevdebug = -1;
 
   // Force the Singleton instance to be initialized/instantiated.
@@ -411,6 +414,17 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
             }
         }
 
+      else if (ACE_OS::strcasecmp (argv[curarg],
+                                   ACE_TEXT("-SSLCRLFile")) == 0)
+        {
+          curarg++;
+          if (curarg < argc)
+            {
+              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
+                                          crl_path.out ());
+            }
+        }
-      else if (ACE_OS::strcasecmp (argv[curarg],
-                                   ACE_TEXT("-SSLCRLFile")) == 0)
-        {
-          curarg++;
-          if (curarg < argc)
-            {
-              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
-                                          crl_path.out ());
-            }
-        }
+      else if (ACE_OS::strcasecmp (argv[curarg],
+                                   ACE_TEXT("-SSLCRLFile")) == 0)
+        {
+          curarg++;
+          if (curarg < argc)
+            {
+              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
+                                          crl_path.out ());
+              if (crl_type == -1)
+                {
+                  ORBSVCS_ERROR ((LM_ERROR,
+                              ACE_TEXT ("TAO (%P|%t) - Invalid CRL file format ")
+                              ACE_TEXT ("<%C>, must be PEM or ASN1\n"),
+                              argv[curarg]));
+                  return -1;
+                }
+            }
+          else
+            {
+              ORBSVCS_ERROR ((LM_ERROR,
+                          ACE_TEXT ("TAO (%P|%t) - -SSLCRLFile requires a ")
+                          ACE_TEXT ("filename argument\n")));
+              return -1;
+            }
+        }
-      else if (ACE_OS::strcasecmp (argv[curarg],
-                                   ACE_TEXT("-SSLCRLFile")) == 0)
-        {
-          curarg++;
-          if (curarg < argc)
-            {
-              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
-                                          crl_path.out ());
-            }
-        }
+      else if (ACE_OS::strcasecmp (argv[curarg],
+                                   ACE_TEXT("-SSLCRLFile")) == 0)
+        {
+          curarg++;
+          if (curarg < argc)
+            {
+              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
+                                          crl_path.out ());
+              if (crl_type == -1)
+                {
+                  ORBSVCS_ERROR ((LM_ERROR,
+                              ACE_TEXT ("TAO (%P|%t) - Invalid CRL file format ")
+                              ACE_TEXT ("<%C>, must be PEM or ASN1\n"),
+                              argv[curarg]));
+                  return -1;
+                }
+            }
+          else
+            {
+              ORBSVCS_ERROR ((LM_ERROR,
+                          ACE_TEXT ("TAO (%P|%t) - -SSLCRLFile requires a ")
+                          ACE_TEXT ("filename argument\n")));
+              return -1;
+            }
+        }
+
       else if (ACE_OS::strcasecmp (argv[curarg],
                                    ACE_TEXT("-SSLAuthenticate")) == 0)
         {
@@ -634,6 +648,27 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
         }
     }
 
+  if (crl_path.in() != 0)
+    {
+      if (ssl_ctx->load_crl_file(crl_path.in(), crl_type) != 1)
+        {
+          ORBSVCS_ERROR ((LM_ERROR,
+                          ACE_TEXT ("TAO (%P|%t) - Unable to load crl file ")
+                          ACE_TEXT ("<%C> in SSLIOP factory, errno = %C.\n"),
+                          crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+        }
+      else
+        {
+          if (TAO_debug_level > 0)
+            {
+              ORBSVCS_DEBUG ((LM_INFO,
+                              ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded crl file ")
+                              ACE_TEXT("<%C>\n"),
+                              crl_path.in()));
+            }
+        }
+    }
+
   // Load in the DH params.  If there was a file explicitly specified,
   // then we do that here, otherwise we load them in from the cert file.
   // Note that we only do this on the server side, I think so we might