Re: X.509 certificates invalid certiifcates.

2004-07-19 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 19 Jul 2004 13:27:12 +0200, "Dr. Stephen 
Henson" <[EMAIL PROTECTED]> said:

steve> On Mon, Jul 19, 2004, Richard Levitte - VMS Whacker wrote:
steve> 
steve> > Since you're doing this by programming:
steve> > 
steve> > - You get the validity limits, using the macros X509_get_notBefore() and
steve> >   X509_get_notAfter()
steve> > 
steve> > - extract the year from the limits, using the function
steve> >   ASN1_extract_year() (NOT TESTED!) below.
steve> > 
steve> > - subtract one year from the other and check that it's lower than 31.
steve> > 
steve> > 
steve> 
steve> One complication is that the subtraction would need to be
steve> decremented if one year day was before the first.
steve> 
steve> For example the difference between December 31st 2001 and
steve> January 1st 2002 is obviously less than a year.

Since the requested check is for the difference to be less than a
specific number of years, there's no problem in this case.

Of course, for the general case, it's a bit different...

And yeah, I thought about time zones, but as you say, that's not a
problem either in this specific case.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

-
A: Because it fouls the order in which people normally read text. 
Q: Why is top-posting such a bad thing? 
A: Top-posting. 
Q: What is the most annoying thing on usenet and in e-mail?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


RE: X.509 certificates invalid certiifcates.

2004-07-19 Thread sakthi.subramaniam

Thanks for your help.

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
>Stephen Henson
>Sent: Monday, July 19, 2004 4:57 PM
>To: [EMAIL PROTECTED]
>Subject: Re: X.509 certificates invalid certiifcates.
>
>
>On Mon, Jul 19, 2004, Richard Levitte - VMS Whacker wrote:
>
>> In message <[EMAIL PROTECTED]> on Mon, 19 Jul 2004 09:51:35 +0530,
>> <[EMAIL PROTECTED]> said:
>>
>> sakthi.subramaniam>
>> sakthi.subramaniam> >It's not clear what you want to do from this 30/31 years business.
>> sakthi.subramaniam> The number of years difference between "Not Valid
>> sakthi.subramaniam> before and Not valid after" should not exceed 30
>> sakthi.subramaniam> years in the certificates. How can I check it?
>>
>> Since you're doing this by programming:
>>
>> - You get the validity limits, using the macros X509_get_notBefore() and
>>   X509_get_notAfter()
>>
>> - extract the year from the limits, using the function
>>   ASN1_extract_year() (NOT TESTED!) below.
>>
>> - subtract one year from the other and check that it's lower than 31.
>>
>>
>
>One complication is that the subtraction would need to be
>decremented if one year day was before the first.
>
>For example the difference between December 31st 2001 and
>January 1st 2002 is obviously less than a year.
>
>Timezones could also complicate matters though they are not
>allowed by various specifications (including RFC3280) in
>certificates. There's no legitimate reason AFAICS to have the
>two dates in different timezones but depending on the OP's
>reasons for wanting the check this might need to be taken into account.
>
>Steve.



Re: X.509 certificates invalid certiifcates.

2004-07-19 Thread Dr. Stephen Henson
On Mon, Jul 19, 2004, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Mon, 19 Jul 2004 09:51:35 +0530,
> <[EMAIL PROTECTED]> said:
> 
> sakthi.subramaniam> 
> sakthi.subramaniam> >It's not clear what you want to do from this 30/31 years business.
> sakthi.subramaniam> The number of years difference between "Not Valid
> sakthi.subramaniam> before and Not valid after" should not exceed 30
> sakthi.subramaniam> years in the certificates. How can I check it?
> 
> Since you're doing this by programming:
> 
> - You get the validity limits, using the macros X509_get_notBefore() and
>   X509_get_notAfter()
> 
> - extract the year from the limits, using the function
>   ASN1_extract_year() (NOT TESTED!) below.
> 
> - subtract one year from the other and check that it's lower than 31.
> 
> 

One complication is that the subtraction would need to be decremented if one
year day was before the first.

For example the difference between December 31st 2001 and January 1st 2002 is
obviously less than a year.

Timezones could also complicate matters though they are not allowed by various
specifications (including RFC3280) in certificates. There's no legitimate
reason AFAICS to have the two dates in different timezones but depending on the
OP's reasons for wanting the check this might need to be taken into account.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: X.509 certificates invalid certiifcates.

2004-07-18 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 19 Jul 2004 09:51:35 +0530,
<[EMAIL PROTECTED]> said:

sakthi.subramaniam> 
sakthi.subramaniam> >It's not clear what you want to do from this 30/31 years business.
sakthi.subramaniam> The number of years difference between "Not Valid
sakthi.subramaniam> before and Not valid after" should not exceed 30
sakthi.subramaniam> years in the certificates. How can I check it?

Since you're doing this by programming:

- You get the validity limits, using the macros X509_get_notBefore() and
  X509_get_notAfter()

- extract the year from the limits, using the function
  ASN1_extract_year() (NOT TESTED!) below.

- subtract one year from the other and check that it's lower than 31.


#include <openssl/asn1.h>

/* Year of an ASN1_TIME as a full four-digit number, or 0 on a malformed
   value.  Reads the struct members directly, as code of this era did
   (ASN1_TIME became opaque in OpenSSL 1.1.0). */
int ASN1_extract_year(ASN1_TIME *tm)
{
  int i, y;
  char *v;

  i=tm->length;
  v=(char *)tm->data;

  /* V_ASN1_UTCTIME / V_ASN1_GENERALIZEDTIME are the tag constants;
     ASN1_UTCTIME is a type name and does not compare against tm->type. */
  if (tm->type == V_ASN1_UTCTIME)
    {
      /* "YYMMDDhhmm[ss]Z": two-digit year, 50..99 = 19xx, 00..49 = 20xx */
      if (i < 10) return 0; /* Bad value */

      y= (v[0]-'0')*10+(v[1]-'0');
      if (y < 50) y+=100;
      y+=1900;  /* same scale as the GeneralizedTime branch, so the two can be subtracted */
    }
  else if (tm->type == V_ASN1_GENERALIZEDTIME)
    {
      /* "YYYYMMDDhhmmssZ": four-digit year */
      if (i < 12) return 0; /* Bad value */

      y = (v[0]-'0')*1000+(v[1]-'0')*100 + (v[2]-'0')*10+(v[3]-'0');
    }
  else return 0; /* Bad time value */

  return y;
}


-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

-
A: Because it fouls the order in which people normally read text. 
Q: Why is top-posting such a bad thing? 
A: Top-posting. 
Q: What is the most annoying thing on usenet and in e-mail?
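The three steps above, together with the day-of-year correction raised elsewhere in this thread, as an added worked example (my code, not Richard's and not OpenSSL's). It works on the raw time string that an ASN1_TIME carries in its data buffer, so it compiles without OpenSSL; with OpenSSL you would feed it the bytes behind X509_get_notBefore() and X509_get_notAfter() (current releases could instead parse with ASN1_TIME_to_tm()). Both encodings are handled, so a UTCTime notBefore and a GeneralizedTime notAfter (which RFC 3280 requires for dates from 2050 on) yield years on the same scale. All sample dates are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A calendar date taken from an X.509 validity field (day granularity). */
typedef struct { int year, month, day; } cal_date;

static int two_digits(const char *s) { return (s[0] - '0') * 10 + (s[1] - '0'); }

/* Parse an ASN.1 time in the string form a certificate stores (the bytes an
 * ASN1_TIME keeps in its data buffer):
 *   UTCTime         "YYMMDDhhmm[ss]Z"  years 1950..2049 (RFC 3280 section 4.1.2.5)
 *   GeneralizedTime "YYYYMMDDhhmmssZ"  years 2050 and later
 * RFC 3280 requires the trailing 'Z', so a local-time offset is rejected, which
 * also disposes of the timezone question raised in the thread.
 * Returns 1 on success, 0 if the string is malformed. */
int parse_validity_time(const char *s, size_t len, cal_date *out)
{
    size_t i;
    int yy;

    if (len < 11 || s[len - 1] != 'Z')
        return 0;
    for (i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;

    if (len == 11 || len == 13) {               /* UTCTime, seconds optional */
        yy = two_digits(s);
        out->year  = (yy < 50) ? 2000 + yy : 1900 + yy;   /* RFC 3280 pivot */
        out->month = two_digits(s + 2);
        out->day   = two_digits(s + 4);
    } else if (len == 15) {                     /* GeneralizedTime */
        out->year  = two_digits(s) * 100 + two_digits(s + 2);
        out->month = two_digits(s + 4);
        out->day   = two_digits(s + 6);
    } else {
        return 0;
    }
    return out->month >= 1 && out->month <= 12 && out->day >= 1 && out->day <= 31;
}

/* Order two dates by month and day only: <0 if a is earlier in the year than b. */
static int cmp_month_day(const cal_date *a, const cal_date *b)
{
    return a->month != b->month ? a->month - b->month : a->day - b->day;
}

/* Completed years from `from` to `to`: plain year subtraction, minus one when
 * `to` falls earlier in the year than `from` (Steve's correction), so that
 * 2001-12-31 -> 2002-01-01 gives 0 rather than 1. */
int full_years_between(const cal_date *from, const cal_date *to)
{
    int years = to->year - from->year;
    if (cmp_month_day(to, from) < 0)
        years--;
    return years;
}

/* Does the period `from`..`to` exceed `max_years`?  "At most 30 years" means
 * `to` may not lie after `from` moved forward by 30 years, so when the year
 * difference equals the limit the month and day decide: 2004-07-19 to
 * 2034-07-20 is one day over although the year difference is 30. */
int period_exceeds(const cal_date *from, const cal_date *to, int max_years)
{
    int dy = to->year - from->year;
    if (dy != max_years)
        return dy > max_years;
    return cmp_month_day(to, from) > 0;
}

/* Wrapper over the raw strings: 1 = exceeds, 0 = within the limit, -1 = a time
 * is malformed (which should fail the check, never pass it). */
int validity_exceeds(const char *not_before, const char *not_after, int max_years)
{
    cal_date nb, na;
    if (!parse_validity_time(not_before, strlen(not_before), &nb) ||
        !parse_validity_time(not_after, strlen(not_after), &na))
        return -1;
    return period_exceeds(&nb, &na, max_years);
}

int main(void)
{
    /* Constructed sample values, not taken from any real certificate. */
    const char *cases[][2] = {
        { "040719132712Z",     "340719132712Z"   },  /* exactly 30 years: ok */
        { "040719132712Z",     "340720132712Z"   },  /* 30 years and a day: too long */
        { "200719000000Z",     "20500719000000Z" },  /* UTCTime -> GeneralizedTime: ok */
        { "040719132712+0200", "340719132712Z"   },  /* offset not allowed: malformed */
    };
    size_t n;
    for (n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        int r = validity_exceeds(cases[n][0], cases[n][1], 30);
        printf("%-20s -> %-16s : %s\n", cases[n][0], cases[n][1],
               r < 0 ? "malformed" : r ? "exceeds 30 years" : "within 30 years");
    }
    return 0;
}
```

Note the difference between full_years_between() and period_exceeds(): the former is Richard's subtraction with Steve's decrement and answers "how many whole years", the latter answers the question actually asked ("does it exceed 30 years") and is therefore strict about the extra day. Both ignore hours and minutes; for a limit expressed in years that granularity is enough.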


RE: X.509 certificates invalid certiifcates.

2004-07-18 Thread sakthi.subramaniam

>It's not clear what you want to do from this 30/31 years business.
The number of years difference between "Not Valid before and Not valid
after" should not exceed 30 years in the certificates. How can I check
it?

Thanks
Sakthi S G

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Dr.
>Stephen Henson
>Sent: Sunday, July 18, 2004 2:28 AM
>To: [EMAIL PROTECTED]
>Subject: Re: X.509 certificates invalid certiifcates.
>
>
>On Thu, Jul 15, 2004, [EMAIL PROTECTED] wrote:
>
>>
>> Hi.,
>>   I am passing certificates which will be valid for 31 years to the
>> openssl routines, but I need to have an implementation that checks
>> only for 30 years. Is there any function available? Currently I am
>> calling x509_verify() for this certificate but it says it is valid.
>> How can I check that all fields (country, organisation, locality, unit)
>> are present in the certificate?
>>
>
>It's not clear what you want to do from this 30/31 years business.
>X509_verify() by itself will just check the signature.
>X509_verify_cert() will do a more complete chain verification
>including extensions and expiry times.
>
>As for checking for the presence of certain fields you can do
>that with the X509_NAME API. You could I suppose use the x509
>program and parse the textual output but that's a bit yucky.
>
>Steve.



Re: X.509 certificates invalid certiifcates.

2004-07-17 Thread Dr. Stephen Henson
On Thu, Jul 15, 2004, [EMAIL PROTECTED] wrote:

> 
> Hi.,
>   I am passing certificates which will be valid for 31 years to the
> openssl routines, but I need to have an implementation that checks
> only for 30 years. Is there any function available? Currently I am
> calling x509_verify() for this certificate but it says it is valid. How
> can I check that all fields (country, organisation, locality, unit) are
> present in the certificate?
> 

It's not clear what you want to do from this 30/31 years business.
X509_verify() by itself will just check the signature. X509_verify_cert() will
do a more complete chain verification including extensions and expiry times.

As for checking for the presence of certain fields you can do that with the
X509_NAME API. You could I suppose use the x509 program and parse the textual
output but that's a bit yucky.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk