Re: Optional validation of time in OpenSSL Reg.

Thu, 12 Jan 2012 07:02:08 -0800 

On 1/12/2012 2:48 PM, Ashok C wrote:

Hi,
I see that the openSSL certificate verify utility uses the X509_verify_cert() in x509_vfy.c for certificate validation. Based on the manual pages for verify, I understand that the order for verification is as follows: 

 1. Firstly a certificate chain is built up starting from the supplied
    certificate and ending in the root CA.
 2. The second operation is to check every untrusted certificate's
    extensions for consistency with the supplied purpose.
 3. The third operation is to check the trust settings on the root CA.
 4. The final operation is to check the validity of the certificate
    chain. The validity period is checked against the current system
    time and the notBefore and notAfter dates in the certificate. The
    certificate signatures are also checked at this point.

What would be the best way to make the time check optional?
One way as seen from the code could be to make this call optional based on some environmental variable. 

Eg:

if(TIME_CHECK_ON)

check_cert_time(ctx, xs);

else

don't check time;
Is there any alternative way to achieve this? I understand that by passing a custom time using 

void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
                                                                time_t t);
and by setting this flag -->X509_V_FLAG_USE_CHECK_TIME, I can make the verify code use the time I provide, but whatever time I provide through the time_t variable, will it be used as notBefore or notAfter time? (since time_t t represents the number of seconds since the start of the Unix epoch). 


It will be used in place of the *current* system time, so now it will
check that the certificates were valid at the time you specify,
not the time the computer thinks is now.  Specifically it will check
that t is not before any NotBefore time in certificates and t is not
after any NotAfter times in certificates.
I would need this optional time checking since I cannot count on my system time to be stable all the time :) 

Regds,

Ashok



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to