Hi All,

I am facing a problem with the "check_cert_time" function in the OpenSSL library. I am trying to handle the X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_NOT_YET_VALID errors. I am trying to simulate these errors with an expired certificate and a certificate that is not yet valid. The problem here is that I am always getting the error "certificate is not yet valid". I am not able to get the error "certificate has expired".

I checked the function "check_cert_time".

    static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
    {
        time_t *ptime;
        int i;

        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
            ptime = &ctx->param->check_time;
        else
            ptime = NULL;

        i=X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0)
        {
            ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
            ctx->current_cert=x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }

        if (i > 0)
        {
            ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
            ctx->current_cert=x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }

        i=X509_cmp_time(X509_get_notAfter(x), ptime);
        if (i == 0)
        {
            ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
            ctx->current_cert=x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }

        if (i < 0)
        {
            ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
            ctx->current_cert=x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }

        return 1;
    }

Here the value of i is always 1. Hence I am not able to simulate X509_V_ERR_CERT_HAS_EXPIRED. Here "ctx->param->check_time" is set by another function, "X509_VERIFY_PARAM_set_time". The function "X509_STORE_CTX_set_time" invokes "X509_VERIFY_PARAM_set_time". I wanted to know how the "X509_STORE_CTX_set_time" function is invoked and where it will be invoked. I am not able to find any information by browsing the code.

Thanks and Regards,
Jaya

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
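
An added example, not part of the original post and not OpenSSL code: a stand-alone model of the quoted check_cert_time flow with a callback that always rejects, following X509_cmp_time's documented convention (0 on error, -1 if the certificate field is earlier than or equal to the check time, 1 if later). It shows how the check time (the value that X509_VERIFY_PARAM_set_time / X509_STORE_CTX_set_time pin in the real library) decides which error is reported. The model_* functions, the M_* codes and the certificate dates are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-ins for the X509_V_ERR_* codes in the post (not OpenSSL's values). */
enum { M_OK, M_BAD_NOT_BEFORE, M_NOT_YET_VALID, M_BAD_NOT_AFTER, M_HAS_EXPIRED };

/* Parse ASN.1 UTCTime "YYMMDDHHMMSSZ" into a sortable YYYYMMDDHHMMSS key; 0 on error. */
static long long utctime_key(const char *s) {
    int v[6];
    if (strlen(s) != 13 || s[12] != 'Z') return 0;
    for (int i = 0; i < 6; i++) {
        if (s[2*i] < '0' || s[2*i] > '9' || s[2*i+1] < '0' || s[2*i+1] > '9') return 0;
        v[i] = (s[2*i] - '0') * 10 + (s[2*i+1] - '0');
    }
    if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 || v[3] > 23 || v[4] > 59 || v[5] > 59) return 0;
    long long year = v[0] + (v[0] >= 50 ? 1900 : 2000); /* RFC 5280 two-digit year pivot */
    return ((((year * 100 + v[1]) * 100 + v[2]) * 100 + v[3]) * 100 + v[4]) * 100 + v[5];
}

/* Same sortable key for a time_t, interpreted as UTC. */
static long long time_key(time_t t) {
    struct tm *g = gmtime(&t);
    if (!g) return 0;
    long long k = ((long long)(g->tm_year + 1900) * 100 + g->tm_mon + 1) * 100 + g->tm_mday;
    return ((k * 100 + g->tm_hour) * 100 + g->tm_min) * 100 + g->tm_sec;
}

/* Model of the return convention: 0 error, -1 if field <= check time, 1 if later. */
static int model_cmp_time(const char *field, time_t check) {
    long long a = utctime_key(field), b = time_key(check);
    if (a == 0 || b == 0) return 0;
    return a <= b ? -1 : 1;
}

/* Same branch order as the quoted function; a rejecting callback means the
 * first failing check is the one reported, so notAfter is never reached
 * while notBefore is still in the future. */
int model_check_cert_time(const char *not_before, const char *not_after, time_t check) {
    int i = model_cmp_time(not_before, check);
    if (i == 0) return M_BAD_NOT_BEFORE;
    if (i > 0) return M_NOT_YET_VALID;
    i = model_cmp_time(not_after, check);
    if (i == 0) return M_BAD_NOT_AFTER;
    if (i < 0) return M_HAS_EXPIRED;
    return M_OK;
}

int main(void) { /* constructed certificate: valid 2010-01-01 to 2020-01-01 UTC */
    time_t t[] = { 1000000000, 1500000000, 2000000000 }; /* 2001, 2017, 2033 */
    for (int i = 0; i < 3; i++)
        printf("%d\n", model_check_cert_time("100101000000Z", "200101000000Z", t[i]));
    return 0;
}
```
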