DOCGroup · caoxiaolins · Dec 18, 2021 · Apr 25, 2022 · May 5, 2022 · May 5, 2022
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
@@ -550,6 +550,54 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,
   return 0;
 }
 
+int
+ACE_SSL_Context::load_crl_file(const char *file_name, int type)
+{
+  if (context_ == nullptr || file_name == nullptr)
+    {
+      return 0;
+    }
+
+  int ret = 0;
+  BIO *in = nullptr;
+  X509_CRL *x = nullptr;
+  X509_STORE *st = ::SSL_CTX_get_cert_store(context_);
+  if (st == nullptr)
+    {
+      goto err;
+    }
+
+  if (type == SSL_FILETYPE_PEM)
+    {
+      ret = ::SSL_CTX_load_verify_locations(context_, file_name, nullptr);
+    }
+  else if (type == SSL_FILETYPE_ASN1)
+    {
+      in = BIO_new(BIO_s_file());
+      if (in == nullptr || BIO_read_filename(in, file_name) <= 0)
+        {
+          goto err;
+        }
+      x = d2i_X509_CRL_bio(in, nullptr);
+      if (x == nullptr)
+        {
+          goto err;
+        }
+      ret = ::X509_STORE_add_crl(st, x);
+    }
+
+  if (ret == 1)
+    {
+      (void)X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
+    }
+
+err:
+  X509_CRL_free(x);
+  (void)BIO_free(in);
+
+  return ret;
+}
+
 int
 ACE_SSL_Context::private_key (const char *file_name,
                               int type)

diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
@@ -254,6 +254,8 @@ class ACE_SSL_Export ACE_SSL_Context
                        const char* ca_dir = 0,
                        bool use_env_defaults = true);
 
+  int load_crl_file(const char* file_name, int type);
+
   /**
    *  Test whether any CA locations have been successfully loaded and
    *  return the number of successful attempts.

diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp
@@ -314,6 +314,9 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
   int private_key_type = -1;
   int dhparams_type = -1;
 
+  CORBA::String_var crl_path;
+  int crl_type = -1;
+
   int prevdebug = -1;
 
   // Force the Singleton instance to be initialized/instantiated.
@@ -411,6 +414,17 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
             }
         }
 
+      else if (ACE_OS::strcasecmp (argv[curarg],
+                                   ACE_TEXT("-SSLCRLFile")) == 0)
+        {
+          curarg++;
+          if (curarg < argc)
+            {
+              crl_type = parse_x509_file (ACE_TEXT_ALWAYS_CHAR(argv[curarg]),
+                                          crl_path.out ());
+            }
+        }
+
       else if (ACE_OS::strcasecmp (argv[curarg],
                                    ACE_TEXT("-SSLAuthenticate")) == 0)
         {
@@ -634,6 +648,29 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[])
         }
     }
 
+  if (crl_path.in() != 0)
+    {
+      if (ssl_ctx->load_crl_file(crl_path.in(), crl_type) != 1)
+        {
+          ORBSVCS_ERROR ((LM_ERROR,
+                          ACE_TEXT ("TAO (%P|%t) - Unable to load ")
+                          ACE_TEXT ("crl file ")
+                          ACE_TEXT ("<%C> in SSLIOP factory, errno = %s.\n"),
+                          crl_path.in(), ERR_reason_error_string(ERR_get_error())));
+        }
+      else
+        {
+          if (TAO_debug_level > 0)
+            {
+              ORBSVCS_DEBUG ((LM_INFO,
+                              ACE_TEXT ("TAO (%P|%t) - SSLIOP loaded ")
+                              ACE_TEXT("crl file ")
+                              ACE_TEXT("<%C>\n"),
+                              crl_path.in()));
+            }
+        }
+    }
+
   // Load in the DH params.  If there was a file explicitly specified,
   // then we do that here, otherwise we load them in from the cert file.
   // Note that we only do this on the server side, I think so we might