thanks a lot for your lenghty explanation, David Schwartz. I really appreciate it for you to help me explain all this. I noted you said that what I did might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low.
For the no (1), i'm not really sure about this daylight savings time.. I reside in Malaysia (next to singapore and thailand) and I'm not sure whether my country has any daylight savings time or not. For no(2), currently the issued certificates is only used in our office. Anyway to issue certificate, the codes is as below: if (!(returnIssueCertificate=IssueCertificate(cinfo,x509,skey,ca,Type,&HexSerial,sendUserName,sendUserID))) { MessageDlg("Issue certificate is failed",mtError,TMsgDlgButtons()<<mbOK, 0); FreeCertDetail(&cinfo); return; } and this is the called IssueCertificate function int IssueCertificate(CERT_DETAIL pinfo,char *x509,char *key,char *ca, int Type, AnsiString *HexSerial, AnsiString receiveUserName, AnsiString receiveUserID) { FILE *fp = NULL; Base64 encoder; AnsiString s, ca_cert, ca_key; int i, key_len, len, ret = 1, nconf = 0; X509 *x = NULL, *xca = NULL; X509_REQ *req = NULL; EVP_PKEY *pkey = NULL, *ca_pkey = NULL; unsigned char skey[1024*8]; char buf[128], *sconf[100], *mkey = NULL; char ckey[1024], cacert[1024 * 8], profpass[1024], cacert_file[400], kbuf[1024],cbuf[1024 * 8]; unsigned char *p, plain[EBUFSIZE+4], emkey[EBUFSIZE+4], t_emkey[EBUFSIZE+4]; // Load profile certificate and private key if ((ca_pkey = ReadKey(pinfo.ca_KeyFile.c_str())) == NULL) return ERROR_READ_CAKEY; nconf = PrintConfig(&pinfo,sconf,TYPE_CLIENT); if ((mkey = GenerateMasterKey()) == NULL) { ret = ERROR_GENERATE_MKEY; goto end1; } if ((pkey = CVAULT_Key_read(key)) == NULL) { ret = ERROR_READ_KEY; delete mkey; goto end1; } if ((req = MakeRequest(sconf,nconf,pkey,NULL)) == NULL) { ret = ERROR_MAKEREQ; goto end2; } if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey, pinfo.begin_validity, pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL) { ret = ERROR_MAKECERT; goto end3; } X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007 X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007 X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007 char buf1[1024]; GetSerialNumber(x->cert_info->serialNumber,buf1); *HexSerial = (AnsiString)buf1; CVAULT_X509_write(x,x509); MakePKCS12(pass.c_str(),name.c_str(),pkey,x,p12Path.c_str()); s = progpath + "client.key"; WriteKey(pkey,s.c_str()); //s = progpath + "user.crt"; s = progpath + receiveUserID + "-" + receiveUserName + ".crt"; if ((fp = fopen(s.c_str(),"w")) == NULL) { ShowMessage("ERROR: Open cert.crt"); return -3; //to indicate that program unable to open user.crt } fprintf(fp,"%s",x509); fclose(fp); // Write CA certificate if ((xca = ReadCertificate(ca)) == NULL) { ret = ERROR_READ_CACERT; goto end3; } CVAULT_X509_write(xca,cacert); s = progpath + "CA.crt"; if ((fp = fopen(s.c_str(),"w")) == NULL) { ShowMessage("ERROR: Open CA.crt"); return -1; } fprintf(fp,"%s",cacert); fclose(fp); X509_free(xca); ret = 1; //MainForm->tinfo = pinfo; end3: X509_REQ_free(req); end2: EVP_PKEY_free(pkey); end1: for (i=0; i<80; i++) free(sconf[i]); //endfor return ret; } As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup after the call to makeCertificate. The generated certificate will have the desired expiry date, but the cert itself would be corrupted. It will have this message displayed in the cert - "The integrity of this certificate cannot be guaranteed. THe certificate may be corrupted or may have been altered." I guess this happens because I added the line X509_gmtime_ after the cert has been created, right? But I don't know anyway else where I should put it. And for the MakeCertificate function which was called above, all I could find was this code: X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key, char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays, long pserial,int palgo,int ca_type) which was located in Global.h file. It doesn't seem any where I can put the X509_gmtime_roundup line.... *Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense. I've told the management of my company that I don't want to continue debugging this code, but they insist I have to do it because they have no one else to do it... yes, lame reason from them, but I'm in no position to say no. anyway I guess if this software is broken, they're the one who should be blamed.. bcos i've told them I don't want to continue doing this... On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was change the value strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z"); I would not do that. There is no way you can know that 15:59:59 will correspond to 24:59:59 in the future when the certificate expires. You are essentially predicting what the time zone shift will be at some future date. I would strongly urge you to make it expire at midnight UTC/GMT time. I would go further as to say that whatever tool is presenting certificate expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted it) should be dumped and replaced with something sane. This contains no time zone indicator or GMT offset. If you paste it to a mailing list, it is meaningless. If your requirement really is that a certificate expire at midnight for the time zone in which it was issued, assuming the zone offset will be the same at certificate issue time as it was at certificate issue time, then the requirement should be re-examined. For one thing, '155959Z' can't possibly be right for every possible case (unless your locality has no daylight savings time and you get lucky and it never does). You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC time at the time and place the certificate is being used when it expires. This seems like a truly crazy assumption. It might be sensible if three things are the case: 1) The locale you are using the certificate has no daylight savings time. 2) The certificate isn't going anywhere, it's only going to be used in one place. 3) The certificate expires in the near future, so a risk of a change in daylight savings time rules is low. Otherwise, this is broken. erm... but there's still one problem. where in IssueCertificate should I add the line X509_gmtime_roundup(X509_get_notAfter(x)); ? because currently the line is only added in renewCertificate... as I can't see where in IssueCertificate can I add those lines.. thanks again You didn't paste the code to IssueCertificate. You should be able to find where it sets the expiration time and modify it just like the others. If not, why are you monkeying in security-critical code? Please don't take this the wrong way -- but you are modifying security-critical code based on a requirement that seems to make no sense. DS