thanks a lot for your lenghty explanation, David Schwartz. I really
appreciate it for you to help me explain all this. I noted you said that what
I did might be sensible if three things are the case: 1) The locale you are
using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one
place.
3) The certificate expires in the near future, so a risk of a change in
daylight savings time rules is low.
For the no (1), i'm not really sure about this daylight savings time.. I
reside in Malaysia (next to singapore and thailand) and I'm not sure whether
my country has any daylight savings time or not. For no(2), currently the
issued certificates is only used in our office.
Anyway to issue certificate, the codes is as below:
if
(!(returnIssueCertificate=IssueCertificate(cinfo,x509,skey,ca,Type,&HexSerial,sendUserName,sendUserID)))
{
MessageDlg("Issue certificate is
failed",mtError,TMsgDlgButtons()<<mbOK, 0);
FreeCertDetail(&cinfo);
return;
}
and this is the called IssueCertificate function
int IssueCertificate(CERT_DETAIL pinfo,char *x509,char *key,char *ca, int
Type, AnsiString *HexSerial, AnsiString receiveUserName, AnsiString
receiveUserID)
{
FILE *fp = NULL;
Base64 encoder;
AnsiString s, ca_cert, ca_key;
int i, key_len, len, ret = 1, nconf = 0;
X509 *x = NULL, *xca = NULL;
X509_REQ *req = NULL;
EVP_PKEY *pkey = NULL, *ca_pkey = NULL;
unsigned char skey[1024*8];
char buf[128], *sconf[100], *mkey = NULL;
char ckey[1024], cacert[1024 * 8], profpass[1024], cacert_file[400],
kbuf[1024],cbuf[1024 * 8];
unsigned char *p, plain[EBUFSIZE+4], emkey[EBUFSIZE+4],
t_emkey[EBUFSIZE+4];
// Load profile certificate and private key
if ((ca_pkey = ReadKey(pinfo.ca_KeyFile.c_str())) == NULL)
return ERROR_READ_CAKEY;
nconf = PrintConfig(&pinfo,sconf,TYPE_CLIENT);
if ((mkey = GenerateMasterKey()) == NULL)
{ ret = ERROR_GENERATE_MKEY;
goto end1;
}
if ((pkey = CVAULT_Key_read(key)) == NULL)
{ ret = ERROR_READ_KEY;
delete mkey;
goto end1;
}
if ((req = MakeRequest(sconf,nconf,pkey,NULL)) == NULL)
{
ret = ERROR_MAKEREQ;
goto end2;
}
if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey,
pinfo.begin_validity,
pinfo.validity,pinfo.serial,pinfo.algo,0)) ==
NULL)
{ ret = ERROR_MAKECERT;
goto end3;
}
X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity);
//added on 16/7/2007
X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007
char buf1[1024];
GetSerialNumber(x->cert_info->serialNumber,buf1);
*HexSerial = (AnsiString)buf1;
CVAULT_X509_write(x,x509);
MakePKCS12(pass.c_str(),name.c_str(),pkey,x,p12Path.c_str());
s = progpath + "client.key";
WriteKey(pkey,s.c_str());
//s = progpath + "user.crt";
s = progpath + receiveUserID + "-" + receiveUserName + ".crt";
if ((fp = fopen(s.c_str(),"w")) == NULL)
{ ShowMessage("ERROR: Open cert.crt");
return -3; //to indicate that program unable to open user.crt
}
fprintf(fp,"%s",x509);
fclose(fp);
// Write CA certificate
if ((xca = ReadCertificate(ca)) == NULL)
{ ret = ERROR_READ_CACERT;
goto end3;
}
CVAULT_X509_write(xca,cacert);
s = progpath + "CA.crt";
if ((fp = fopen(s.c_str(),"w")) == NULL)
{ ShowMessage("ERROR: Open CA.crt");
return -1;
}
fprintf(fp,"%s",cacert);
fclose(fp);
X509_free(xca);
ret = 1;
//MainForm->tinfo = pinfo;
end3:
X509_REQ_free(req);
end2:
EVP_PKEY_free(pkey);
end1:
for (i=0; i<80; i++)
free(sconf[i]);
//endfor
return ret;
}
As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup
after the call to makeCertificate. The generated certificate will have the
desired expiry date, but the cert itself would be corrupted. It will have
this message displayed in the cert - "The integrity of this certificate
cannot be guaranteed. THe certificate may be corrupted or may have been
altered." I guess this happens because I added the line X509_gmtime_ after
the cert has been created, right? But I don't know anyway else where I
should put it.
And for the MakeCertificate function which was called above, all I could
find was this code:
X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY
*self_key,
char* cacert_file,EVP_PKEY *ca_key,int pbegin,int
pdays,
long pserial,int palgo,int ca_type)
which was located in Global.h file. It doesn't seem any where I can put the
X509_gmtime_roundup line....
*Please don't take this the wrong way -- but you are modifying
security-critical code based on a requirement that seems to make no sense.
I've told the management of my company that I don't want to continue
debugging this code, but they insist I have to do it because they have no
one else to do it... yes, lame reason from them, but I'm in no position to
say no. anyway I guess if this software is broken, they're the one who
should be blamed.. bcos i've told them I don't want to continue doing
this...
On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:
hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was
change the value
strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");
I would not do that. There is no way you can know that 15:59:59 will
correspond to 24:59:59 in the future when the certificate expires. You
are essentially predicting what the time zone shift will be at some future
date. I would strongly urge you to make it expire at midnight UTC/GMT time.
I would go further as to say that whatever tool is presenting certificate
expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted
it) should be dumped and replaced with something sane. This contains no time
zone indicator or GMT offset. If you paste it to a mailing list, it is
meaningless.
If your requirement really is that a certificate expire at midnight for
the time zone in which it was issued, assuming the zone offset will be the
same at certificate issue time as it was at certificate issue time, then
the requirement should be re-examined. For one thing, '155959Z' can't
possibly be right for every possible case (unless your locality has no
daylight savings time and you get lucky and it never does).
You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC
time at the time and place the certificate is being used when it expires.
This seems like a truly crazy assumption. It might be sensible if three
things are the case:
1) The locale you are using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one
place.
3) The certificate expires in the near future, so a risk of a change in
daylight savings time rules is low.
Otherwise, this is broken.
erm... but there's still one problem. where in IssueCertificate should I
add the line
X509_gmtime_roundup(X509_get_notAfter(x)); ?
because currently the line is only added in renewCertificate... as I can't
see where in IssueCertificate can I add those lines.. thanks again
You didn't paste the code to IssueCertificate. You should be able to find
where it sets the expiration time and modify it just like the others. If
not, why are you monkeying in security-critical code?
Please don't take this the wrong way -- but you are modifying
security-critical code based on a requirement that seems to make no sense.
DS
