Dear Sir,

I am encountering an issue in ASN1_UTCTIME_adj_ex when my system time is
set to a future date/year (Year 2085). My certificate is based on UTC time
and I am using OpenSSL 1.0.1c on VxWorks.

During validation of my certificate, openssl (X509_vfy.c) throws the error
"X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD", though the dates in the
certificate are valid (Jul 18 00:00:00 2012 GMT).

Below is the code trace leading to this error. (I have only provided the
relevant code and occasionally embedded comments or printf highlighting
the flow in the scenario). The two important things to be noted in the
scenario are a valid certificate date/year with an invalid/future system
date/year.

Code flow:

static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
{
...
..
i=X509_cmp_time(X509_get_notBefore(x), ptime);
...
..
}
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
...
if (0 != cmp_time)
{
...
}
else
{
   printf("\n **** The flow hits this part as cmp_time is 0 ****\n");
}

if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
{
 printf("\n **** X509_cmp_time, X509_time_adj returned failure ****\n");
 return 0;
}
...
...
}

Further analyzing and debugging the X509_time_adj code leads to the
following...

ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
{
 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
}

ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
    int offset_day, long offset_sec, time_t *in_tm)
{
 ...

 if (in_tm)
 {
  ...
 }
 else
 {
  time(&t);
  if (0 != &t)
  {
   // Printing time (integer) here gives
   // t = -648380460; // some date in year 2085
  }
  else
  {
   ...
  }
 }
 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
 {
  if (s->type == V_ASN1_UTCTIME)
  {
   ....
   return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
  }
  ....
 }
 ...
 ...
}

ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
    int offset_day, long offset_sec)
{
 ...

 if((ts->tm_year < 50) || (ts->tm_year >= 150))
  return NULL;

 ...
}
The above conditional check (ts->tm_year < 50) || (ts->tm_year >= 150)
passes (since the system time year was 2085, tm_year = 185), leading to a
return value of NULL.
The issue is easily reproducible if 't' is set to something like -648380460
as indicated in the code above.

There seem to be two issues here:
1. The error is not because of the notBefore field, but because of the
system time. So the return type of notBefore field error is misleading.
2. The above logic does not consider if the system time is beyond UTC time.

Kindly request you to let me know if this is a known issue and has been
fixed in any of the future releases. If not, request you to kindly provide
a fix for this. Any other suggestions are welcome.

Thanks & Best Regards,
Srinivas

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
