Am Sun, 22 Feb 2009 13:12:21 +0100 schrieb Dr. Stephen Henson: > OpenSSL will only use GeneralizedTime in accordance with the > standards: i.e. for years after 2049. However if you set -days to a
Nitpick: RFC 5280 doesn't explicitly mention years before 1950, but OpenSSL already handles these in the only sensible way by using GeneralizedTime, as I've found out with my experiment. I consider that a feature, not a bug. :-) Anyway, what I really wanted was to be able to use -startdate and -enddate with GeneralizedTime (with years before 1950 and after 2049, conforming to the standard). Turns out it is actually a rather simple change to the ca utility, see the attached patch. It doesn't yet verify that the year is actually outside the range of UTCTime (1950 through 2049), so it can still be used to issue certificates that violate the standard. Also, I haven't updated the manpage. And while I'm by no means an expert on X.509 and therefore don't know if I have broken anything, it does seem to work. Cheers, Oliver
--- openssl-0.9.8j/apps/ca.c.orig 2009-02-22 17:16:41.000000000 +0100
+++ openssl-0.9.8j/apps/ca.c 2009-02-22 18:09:25.000000000 +0100
@@ -1095,9 +1095,11 @@
if (startdate == NULL)
ERR_clear_error();
}
- if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate))
+ if (startdate && !ASN1_UTCTIME_set_string(NULL,startdate)
+ && !ASN1_GENERALIZEDTIME_set_string(NULL, startdate))
{
- BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ\n");
+ BIO_printf(bio_err,"start date is invalid, it should be YYMMDDHHMMSSZ"
+ " or YYYYMMDDHHMMSSZ\n");
goto err;
}
if (startdate == NULL) startdate="today";
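Review bot: The widened condition accepts any string that ASN1_GENERALIZEDTIME_set_string validates, so a four-digit year inside 1950..2049 (for example `20090101000000Z`) passes here even though RFC 5280 requires UTCTime for that range; the cover mail acknowledges the gap, but this is the point where the command-line value is checked, so it is the place to close it. The same UTCTime-or-GeneralizedTime test is written out a second time for enddate and a third time in check_time_format, so the acceptance rule now lives in three places; I would have this branch call check_time_format (static in this file, so a forward declaration is needed if one is not already present) and put the year-range rule there once, e.g. `if (startdate && !check_time_format(startdate))`. The enclosing function continues outside the hunk.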
@@ -1109,9 +1111,11 @@
if (enddate == NULL)
ERR_clear_error();
}
- if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate))
+ if (enddate && !ASN1_UTCTIME_set_string(NULL,enddate)
+ && !ASN1_GENERALIZEDTIME_set_string(NULL, startdate))
{
- BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ\n");
+ BIO_printf(bio_err,"end date is invalid, it should be YYMMDDHHMMSSZ"
+ " or YYYYMMDDHHMMSSZ\n");
goto err;
}
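Review bot: The GeneralizedTime fallback on the enddate check tests the wrong variable: `&& !ASN1_GENERALIZEDTIME_set_string(NULL, startdate)` should read `&& !ASN1_GENERALIZEDTIME_set_string(NULL, enddate)`. As written the outcome depends on startdate rather than on the string being validated: when -startdate was not given it has already been set to "today" at the end of the previous hunk, which is not a valid time in either encoding, so every four-digit -enddate is rejected; when -startdate is a valid GeneralizedTime, an arbitrary -enddate passes and reaches the later set call without ever having been validated. The error message then also promises a format that the code does not actually check for enddate. The enclosing function continues outside the hunk.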
@@ -1991,11 +1995,19 @@
if (strcmp(startdate,"today") == 0)
X509_gmtime_adj(X509_get_notBefore(ret),0);
- else ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate);
+ else
+ {
+ if (!ASN1_UTCTIME_set_string(X509_get_notBefore(ret),startdate))
+ ASN1_GENERALIZEDTIME_set_string(X509_get_notBefore(ret),startdate);
+ }
if (enddate == NULL)
X509_gmtime_adj(X509_get_notAfter(ret),(long)60*60*24*days);
- else ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate);
+ else
+ {
+ if (!ASN1_UTCTIME_set_string(X509_get_notAfter(ret),enddate))
+ ASN1_GENERALIZEDTIME_set_string(X509_get_notAfter(ret),enddate);
+ }
if (!X509_set_subject_name(ret,subject)) goto err;
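Review bot: Both ASN1_GENERALIZEDTIME_set_string fallbacks discard their return value, so a startdate or enddate that is neither a valid UTCTime nor a valid GeneralizedTime is silently ignored and the certificate is signed anyway; as far as I can tell the 0.9.8 set_string functions check the string before assigning, so notBefore/notAfter would simply be left in whatever state they were in, which is a validity period nobody asked for. The earlier command-line check is the only defence, and this function cannot tell whether the value it received went through it. Since `goto err` is already the convention here (the X509_set_subject_name line), I would write `if (!ASN1_GENERALIZEDTIME_set_string(X509_get_notBefore(ret),startdate)) goto err;` and the same for enddate/notAfter. The enclosing function begins and ends outside the hunk.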
@@ -2396,11 +2408,15 @@
static int check_time_format(char *str)
{
ASN1_UTCTIME tm;
+ ASN1_GENERALIZEDTIME gtm;
tm.data=(unsigned char *)str;
tm.length=strlen(str);
tm.type=V_ASN1_UTCTIME;
- return(ASN1_UTCTIME_check(&tm));
+ gtm.data=(unsigned char *)str;
+ gtm.length=strlen(str);
+ gtm.type=V_ASN1_GENERALIZEDTIME;
+ return(ASN1_UTCTIME_check(&tm) || ASN1_GENERALIZEDTIME_check(>m));
}
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
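Review bot: check_time_format now accepts any GeneralizedTime that ASN1_GENERALIZEDTIME_check passes, with no check that the year lies outside 1950..2049, so a value this function approves can still violate RFC 5280 4.1.2.5; since this helper is the natural single place for the rule, I would have it return success for a GeneralizedTime only when the year is outside that range, as below. ASN1_GENERALIZEDTIME_check may also accept fractional seconds and +hhmm/-hhmm offsets, which RFC 5280 forbids in certificates — worth confirming against the 0.9.8j implementation before relying on it. Two smaller observations: `>m` on the return line reads like a rendering artifact for `&gtm`, and if any other part of ca.c reads the database expiry field as a two-digit year, a four-digit value stored there will be misinterpreted, which is worth checking outside this hunk.

```c
static int check_time_format(char *str)
{
	/* … unchanged: tm and gtm declared and filled from str … */
	int year;

	if (ASN1_UTCTIME_check(&tm))
		return 1;
	if (!ASN1_GENERALIZEDTIME_check(&gtm))
		return 0;
	/* RFC 5280 4.1.2.5: years 1950..2049 must be encoded as UTCTime,
	 * so a GeneralizedTime is only acceptable outside that range.
	 * str[0..3] are known to be digits once the check above passed. */
	year = (str[0]-'0')*1000 + (str[1]-'0')*100
		+ (str[2]-'0')*10 + (str[3]-'0');
	return (year < 1950 || year > 2049);
}
```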
