On Fri, 2015-07-31 at 03:09 +0000, Salz, Rich wrote:
> > If requested, I can still provide a patch with the alternative variant of 
> > using a
> > X509_V_FLAG_NO_CHECK_TIME flag if that's considered better than using a
> > 'special' time of (time_t)-1 with X509_VERIFY_PARAM_set_time().
> 
> Yes, please.

[dwoodhou@i7 apps]$ ./openssl verify  ~/.cert.20100813/certificate.pem   
C = US, O = Intel Corporation, CN = Intel Intranet Basic Issuing CA 1B
error 10 at 1 depth lookup:certificate has expired
DC = com, DC = intel, DC = corp, DC = ger, OU = Workers, CN = "Woodhouse, 
David", emailAddress = david.woodho...@intel.com
error 10 at 0 depth lookup:certificate has expired
/home/dwmw2/.cert.20100813/certificate.pem: OK

[dwoodhou@i7 apps]$ ./openssl verify -no_check_time 
~/.cert.20100813/certificate.pem   
/home/dwmw2/.cert.20100813/certificate.pem: OK

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
From 782cf323f9a85c9244dc6aceb13d875723253810 Mon Sep 17 00:00:00 2001
From: David Woodhouse <david.woodho...@intel.com>
Date: Fri, 31 Jul 2015 08:49:50 +0100
Subject: [PATCH] RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check

In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.
---
 apps/apps.h                                | 8 +++++---
 apps/opt.c                                 | 4 ++++
 crypto/x509/x509_vfy.c                     | 4 ++++
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 4 ++++
 include/openssl/x509_vfy.h                 | 2 ++
 5 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/apps/apps.h b/apps/apps.h
index f2dc812..1781deb 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
         OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
-        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
+        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
         { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
         { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
         case OPT_V_SUITEB_128: \
         case OPT_V_SUITEB_192: \
         case OPT_V_PARTIAL_CHAIN: \
-        case OPT_V_NO_ALT_CHAINS
+        case OPT_V_NO_ALT_CHAINS: \
+        case OPT_V_NO_CHECK_TIME
 
 /*
  * Common "extended"? options.
diff --git a/apps/opt.c b/apps/opt.c
index bfb039e..c7dcc43 100644
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         break;
     case OPT_V_NO_ALT_CHAINS:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+	break;
+    case OPT_V_NO_CHECK_TIME:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+	break;
     }
     return 1;
 
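Review bot: The two added `break;` lines are indented with a tab while every neighbouring line of opt_verify in this hunk uses four spaces, so the file ends up with mixed indentation; both should read `        break;`. The first of them also terminates the pre-existing OPT_V_NO_ALT_CHAINS case, which until now relied on being the last case before the closing brace. opt_verify's body starts and ends outside the hunk.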
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7062ab2..a1bf0f2 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -952,6 +952,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
         ctx->current_crl = crl;
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 
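Review bot: The new early `return 1` in check_crl_time fires after `ctx->current_crl = crl` has already been assigned on the line above it, so when notify is set the suppressed path leaves the context pointing at this CRL. If the function's normal success path clears ctx->current_crl before returning (that code is outside the hunk), the suppressed path should leave the context in the same state; the simplest way is to move the `ctx->current_crl = crl;` assignment (with its notify guard) below the ptime selection so it is only reached when a time check will actually run, or to clear it before the new return. check_crl_time begins before the hunk and continues past it.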
@@ -1672,6 +1674,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet)
 
     if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
         ptime = &ctx->param->check_time;
+    else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
+        return 1;
     else
         ptime = NULL;
 
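Review bot: The `else if` ordering in x509_check_cert_time means X509_V_FLAG_USE_CHECK_TIME takes precedence when both flags are set, which is the behaviour the pod hunk documents, but nothing at the code site says so. A comment on the new branch such as `/* An explicit check_time (USE_CHECK_TIME) overrides NO_CHECK_TIME; see X509_VERIFY_PARAM_set_flags(3) */` would keep the code and the documentation from drifting apart. The same applies to the identical branch in check_crl_time in the hunk above. x509_check_cert_time begins before the hunk and continues past it.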
diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
index 066ce0f..57c7b7b 100644
--- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
@@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an
 alternative chain can be found that is trusted. With this flag set the behaviour
 will match that of OpenSSL versions prior to 1.1.0.
 
+The B<X509_V_FLAG_NO_CHECK_TIME> flag suppresses checking the validity period
+of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time()
+is used to specify a verification time, the check is not suppressed.
+
 =head1 NOTES
 
 The above functions should be used to manipulate verification parameters
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 266bb3f..f33cbc0 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -407,6 +407,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
  * will force the behaviour to match that of previous versions.
  */
 # define X509_V_FLAG_NO_ALT_CHAINS               0x100000
+/* Do not check certificate/CRL validity against current time */
+# define X509_V_FLAG_NO_CHECK_TIME               0x200000
 
 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2
-- 
2.4.3
