Bernhard Froehlich wrote:
[...] IMHO that's not a real problem for some years, but I'll try to write a patch for ca.c which at least issues a warning message if the Not Before of a certificate is before the Not After. Ted ;)
The proposed patch (against the current CVS version) is attached. I'm thinking about giving the "Year 2038 bug" a try, not so much because I think it's an urgent problem but because it looks like a nice little task to become more acquainted with the OpenSSL source code style. Any encouragements? Or warnings?
Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Index: apps/ca.c
===================================================================
RCS file: /usr/cvs/openssl/apps/ca.c,v
retrieving revision 1.155
diff -r1.155 ca.c
2004,2017c2004,2022
< if (!X509_set_subject_name(ret,subject)) goto err;
<
< pktmp=X509_REQ_get_pubkey(req);
< i = X509_set_pubkey(ret,pktmp);
< EVP_PKEY_free(pktmp);
< if (!i) goto err;
<
< /* Lets add the extensions, if there are any */
< if (ext_sect)
< {
< X509V3_CTX ctx;
< if (ci->version == NULL)
< if ((ci->version=ASN1_INTEGER_new()) == NULL)
< goto err;
---
> if (X509_cmp_ASN1TIME(X509_get_notBefore(ret), X509_get_notAfter(ret)) >= 0)
> {
> BIO_printf(bio_err, "ERROR: notBefore is after notAfter! Check for date
> overflows.\n");
> goto err;
> }
> if (!X509_set_subject_name(ret,subject)) goto err;
>
> pktmp=X509_REQ_get_pubkey(req);
> i = X509_set_pubkey(ret,pktmp);
> EVP_PKEY_free(pktmp);
> if (!i) goto err;
>
> /* Lets add the extensions, if there are any */
> if (ext_sect)
> {
> X509V3_CTX ctx;
> if (ci->version == NULL)
> if ((ci->version=ASN1_INTEGER_new()) == NULL)
> goto err;
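Review bot: The `>= 0` test on the first added line also fires on the helper's failure return of 0 (conversion failure, or a time without a trailing 'Z'), so "notBefore is after notAfter! Check for date overflows." is printed for a malformed validity time that is not actually inverted. Either report the two cases separately, or at least make the message cover both, e.g. `BIO_printf(bio_err, "ERROR: notBefore is not before notAfter, or the validity dates could not be compared.\n");`. The string literal appears split across two physical lines in the BIO_printf call; that looks like mail wrapping, but as shown it would not compile, so the patch should be re-checked before applying. The enclosing function starts and ends outside this hunk.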
Index: crypto/x509/x509.h
===================================================================
RCS file: /usr/cvs/openssl/crypto/x509/x509.h,v
retrieving revision 1.145
diff -r1.145 x509.h
884a885
> int X509_cmp_ASN1TIME(ASN1_TIME *s, ASN1_TIME *t);
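Review bot: The new prototype has no comment, and its return convention is unusual enough to need one: judging from the x509_vfy.c hunk it returns a negative value when s is earlier than or equal to t, a positive value when s is later, and 0 only on failure, so callers cannot treat it like strcmp. Suggest `/* Compare two ASN1_TIMEs: <0 if s <= t, >0 if s > t, 0 on error (unparseable or non-UTC time) */` above the declaration. Both parameters are only read, so `const ASN1_TIME *` would document that as well, provided ASN1_TIME_to_generalizedtime accepts a const pointer in this version.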
Index: crypto/x509/x509_vfy.c
===================================================================
RCS file: /usr/cvs/openssl/crypto/x509/x509_vfy.c,v
retrieving revision 1.80
diff -r1.80 x509_vfy.c
1145a1146,1177
> int X509_cmp_ASN1TIME(ASN1_TIME *s, ASN1_TIME *t)
> {
> ASN1_GENERALIZEDTIME *t1, *t2;
> int ret = 0;
> char buff1[24],buff2[24];
>
> t1 = ASN1_TIME_to_generalizedtime(s, NULL);
> t2 = ASN1_TIME_to_generalizedtime(t, NULL);
>
> if (!t1 || !t2) goto end;
>
> /* Do we have to handle timezones here? As I understand it
> ASN1_*TIME can contain timezones but RFC2459 demands UTC... */
> /* Just in case we'll throw an error... */
> if (t1->data[t1->length-1] != 'Z') goto end;
> if (t2->data[t2->length-1] != 'Z') goto end;
>
> memset(buff1, 0, sizeof(buff1));
> memset(buff2, 0, sizeof(buff2));
> memcpy(buff1, t1->data, t1->length > 23 ? 23 : t1->length);
> memcpy(buff2, t2->data, t2->length > 23 ? 23 : t2->length);
>
> ret=strcmp(buff1,buff2);
> if (ret == 0) /* wait a second then return younger :-) */
> ret = -1;
>
> end:
> if (t1) ASN1_GENERALIZEDTIME_free(t1);
> if (t2) ASN1_GENERALIZEDTIME_free(t2);
> return ret;
> }
>
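Review bot: `t1->data[t1->length-1]` and the matching t2 line read before the start of the buffer when the converted time has length 0, so the 'Z' checks need a length guard, e.g. `if (t1->length < 1 || t1->data[t1->length-1] != 'Z') goto end;` and the same for t2. The failure path and the comparison share one return value: failures return 0 while equal times are forced to -1, so a caller can only distinguish failure from ordering by knowing that 0 is never a legitimate comparison result, and a distinct sentinel or an out-parameter would make that contract visible. strcmp also compares the whole string, so a GeneralizedTime with fractional seconds (`...SS.fffZ`) compared against one without (`...SSZ`) is ordered by '.' versus 'Z' rather than by time; since the function already tolerates non-RFC input, comparing the 14-digit date/time prefix before the remainder would avoid that, although RFC 2459 forbids fractional seconds so this may be moot in practice.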
