Hi,

I see that the openSSL certificate verify utility uses the
X509_verify_cert() in x509_vfy.c for certificate validation.
Based on the manual pages for verify, I understand that the order for
verification is as follows:

   1. Firstly a certificate chain is built up starting from the supplied
   certificate and ending in the root CA.
   2. The second operation is to check every untrusted certificate's
   extensions for consistency with the supplied purpose.
   3. The third operation is to check the trust settings on the root CA.
   4. The final operation is to check the validity of the certificate
   chain. The validity period is checked against the current system time and
   the notBefore and notAfter dates in the certificate. The certificate
   signatures are also checked at this point.

What would be the best way to make the time check optional?

One way as seen from the code could be to make this call optional based on
some environmental variable.

Eg:

if(TIME_CHECK_ON)

check_cert_time(ctx, xs);

else

don't check time;

Is there any alternative way to achieve this? I understand that by passing
a custom time using

void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
                                                                time_t t);

and by setting this flag -->X509_V_FLAG_USE_CHECK_TIME, I can make the
verify code use the time I provide, but whatever time I provide through the
time_t variable, will it be used as notBefore or notAfter time? (since
time_t t represents the number of seconds since the start of the Unix
epoch).

I would need this optional time checking since I cannot count on my system
time to be stable all the time :)

Regds,

Ashok

Reply via email to