templates and cert chain validity
Hi there,

I'm just about verification of certs. Since X509v3 there are many extensions with their own types. Some of them are known to the current implementation, many aren't. I want to implement a validity check which is aware of the different models: shell as of RFC 3280, or chain as of ISIS-MTT. There are some OIDs that should be used to determine which model is to be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany), which comes with this type:

    ValidityModel ::= SEQUENCE {
        validityModelId    OBJECT IDENTIFIER,
        validityModelInfo  ANY DEFINED BY validityModelId OPTIONAL
    }

Since the extension ID (validityModelId) is known, only the Info has to be coded. I tried:

    typedef struct X509ValidityModelInfo_st {
        ASN1_OBJECT *info;
    } X509VALIDITYMODELINFO;

    DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
    DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)

together with

    ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
        ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
    } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)

    IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)

and using it with the following code:

    int validityModelIsChain(X509 *_cert)
    {
        int iRet = 0;
        int nid = OBJ_txt2nid("id-validityModel");        // short name must be registered first (OBJ_create)
        X509 *cert = X509_dup(_cert);                     // local copy
        int index = X509_get_ext_by_NID(cert, nid, -1);   // -1 if the extension is absent
        X509_EXTENSION *ext = X509_get_ext(cert, index);  // NULL for index -1

        if (ext) {
            ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
            X509VALIDITYMODELINFO *mi = NULL;
            d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data, os->length);
            if (mi && mi->info) {
                char buf[60];
                nid = OBJ_obj2nid(mi->info);
                OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
                printf("ValidityModel: %s\n", buf);
                iRet = 1;
            }
            X509VALIDITYMODELINFO_free(mi);               // bad?
        }
        // X509_EXTENSION_free(ext);                      // bad, double release!
        X509_free(cert);                                  // necessary, else leak
        return iRet;
    }

I'm missing how to release the temporary items correctly. Do you have any hints? Is the above approach reasonable?

==

I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Down the chain, each cert should become valid while the issuer's cert is valid. I thought the right place would be somewhere within x509_vfy.c, perhaps at check_issued, but the search was in vain. Is there any function to do a comparison of two ASN1_TIME values correctly, though different formats and timezones may be in use? Any hints?

TIA
--
Christian Weber
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
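As an added example (not from the post above and not OpenSSL code): the ValidityModel extension value decoded by a small DER parser in plain C that follows the same calling convention as OpenSSL's d2i_* functions, where the const unsigned char ** argument is advanced past the decoded structure on success. This lets the two call patterns, passing the owner's pointer versus passing a local cursor, be compared without linking against OpenSSL. The validity_model_t and octet_string_t types, the function names and the DER sample bytes are constructed for this illustration; the arcs .1 (chain) and .2 (shell) under 1.3.6.1.4.1.8301.3.5 are an assumption and should be checked against the Common PKI / ISIS-MTT specification before use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decoded ValidityModel ::= SEQUENCE { validityModelId OBJECT IDENTIFIER,
 *                            validityModelInfo ANY DEFINED BY validityModelId OPTIONAL } */
typedef struct {
    char oid[64];                /* validityModelId, dotted decimal */
    const unsigned char *info;   /* raw TLV of validityModelInfo, NULL if absent */
    size_t info_len;
} validity_model_t;

/* Assumed arcs under id-validityModel; verify against the Common PKI / ISIS-MTT text. */
#define OID_VALIDITY_MODEL_CHAIN "1.3.6.1.4.1.8301.3.5.1"
#define OID_VALIDITY_MODEL_SHELL "1.3.6.1.4.1.8301.3.5.2"

/* Read one DER TLV with the expected tag; on success *pp is advanced past it. */
static int der_tlv(const unsigned char **pp, const unsigned char *end, unsigned char tag,
                   const unsigned char **content, size_t *clen)
{
    const unsigned char *p = *pp;
    size_t n = 0;
    if (end - p < 2 || *p++ != tag) return 0;
    if (*p & 0x80) {                                  /* long form: 0x8N then N length octets */
        int nbytes = *p++ & 0x7F;
        if (nbytes == 0 || nbytes > 2 || end - p < nbytes) return 0;
        while (nbytes--) n = (n << 8) | *p++;
    } else {
        n = *p++;
    }
    if ((size_t)(end - p) < n) return 0;
    *content = p; *clen = n; *pp = p + n;
    return 1;
}

/* Render OBJECT IDENTIFIER content octets as dotted decimal. */
static int oid_to_txt(const unsigned char *p, size_t n, char *buf, size_t buflen)
{
    unsigned long v = 0;
    int used = 0, first = 1;
    if (n == 0 || (p[n - 1] & 0x80)) return 0;        /* empty, or ends mid sub-identifier */
    for (size_t i = 0; i < n; i++) {
        v = (v << 7) | (p[i] & 0x7F);
        if (p[i] & 0x80) continue;                    /* continuation octet */
        if (first) {                                  /* first value packs two arcs: 40*X + Y */
            unsigned long a = v < 80 ? v / 40 : 2, b = v < 80 ? v % 40 : v - 80;
            used += snprintf(buf + used, buflen - used, "%lu.%lu", a, b);
            first = 0;
        } else {
            used += snprintf(buf + used, buflen - used, ".%lu", v);
        }
        if ((size_t)used >= buflen) return 0;         /* would truncate */
        v = 0;
    }
    return 1;
}

/* d2i-style decoder: on success *pp is advanced past the SEQUENCE, exactly as OpenSSL's
 * d2i_* functions do. That is why the caller must pass a local cursor, never &os->data. */
int d2i_validity_model(validity_model_t *out, const unsigned char **pp, long len)
{
    const unsigned char *p = *pp, *seq, *oid, *q, *seq_end;
    size_t seq_len, oid_len;
    if (len < 0 || !der_tlv(&p, *pp + len, 0x30, &seq, &seq_len)) return 0;  /* SEQUENCE */
    q = seq; seq_end = seq + seq_len;
    if (!der_tlv(&q, seq_end, 0x06, &oid, &oid_len)) return 0;              /* OBJECT IDENTIFIER */
    if (!oid_to_txt(oid, oid_len, out->oid, sizeof out->oid)) return 0;
    out->info = q < seq_end ? q : NULL;                                     /* optional ANY, kept raw */
    out->info_len = (size_t)(seq_end - q);
    *pp = p;
    return 1;
}

/* 1 = chain model, 0 = another model, -1 = malformed or trailing data. */
int validity_model_is_chain(const unsigned char *ext_value, long len)
{
    validity_model_t vm;
    const unsigned char *p = ext_value;               /* local cursor */
    if (!d2i_validity_model(&vm, &p, len) || p != ext_value + len) return -1;
    return strcmp(vm.oid, OID_VALIDITY_MODEL_CHAIN) == 0;
}

/* Constructed samples: OCTET STRING contents of the extension for { id-validityModel 1 }
 * and { id-validityModel 2 }, no validityModelInfo. */
const unsigned char SAMPLE_CHAIN_MODEL[14] = { 0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xC0, 0x6D, 0x03, 0x05, 0x01 };
const unsigned char SAMPLE_SHELL_MODEL[14] = { 0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xC0, 0x6D, 0x03, 0x05, 0x02 };

/* Stand-in for ASN1_OCTET_STRING as returned by X509_EXTENSION_get_data(). */
typedef struct { unsigned char *data; long length; } octet_string_t;

/* Decode SAMPLE_CHAIN_MODEL through an owned octet string and return how far os.data moved:
 * passing &os.data (the bug in this thread) leaves it pointing past the allocation, so the
 * owner can no longer free it; a local cursor leaves it untouched. */
long bytes_owner_pointer_moved(int use_local_cursor)
{
    validity_model_t vm;
    octet_string_t os;
    unsigned char *start = malloc(sizeof SAMPLE_CHAIN_MODEL);
    long moved;
    memcpy(start, SAMPLE_CHAIN_MODEL, sizeof SAMPLE_CHAIN_MODEL);
    os.data = start; os.length = sizeof SAMPLE_CHAIN_MODEL;
    if (use_local_cursor) {
        const unsigned char *p = os.data;
        d2i_validity_model(&vm, &p, os.length);                                 /* correct */
    } else {
        d2i_validity_model(&vm, (const unsigned char **)&os.data, os.length);   /* BUG */
    }
    moved = (long)(os.data - start);
    free(start);                                      /* safe only because 'start' was kept */
    return moved;
}

int main(void)
{
    printf("chain model: %d\n", validity_model_is_chain(SAMPLE_CHAIN_MODEL, 14));
    printf("os.data moved by %ld bytes via &os.data, %ld bytes via a local cursor\n",
           bytes_owner_pointer_moved(0), bytes_owner_pointer_moved(1));
    return 0;
}
```

bytes_owner_pointer_moved(0) reports 14: after the call os.data points one byte past the allocation, which is why a later free of the owning structure fails; with the local cursor it reports 0. validity_model_is_chain also rejects trailing bytes after the SEQUENCE, a check worth keeping when the value comes from an untrusted certificate.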
Re: templates and cert chain validity
Hi again,

sorry, we just found the error in using the macros. When an ASN.1 structure is being parsed, the pointer to the underlying ASN1_OCTET_STRING data becomes modified and thus points to no freeable memory.

Christian Weber wrote on 10.07.2008 13:41:
> ...
> I want to implement a validity check which is aware of the different models: shell as of RFC 3280, or chain as of ISIS-MTT.
> ...
> Since the extension ID (validityModelId) is known, only the Info has to be coded. I tried:
>
>     typedef struct X509ValidityModelInfo_st {
>         ASN1_OBJECT *info;
>     } X509VALIDITYMODELINFO;
>
>     DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
>     DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
>
> together with
>
>     ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
>         ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
>     } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
>
>     IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
>
> and using it with the following code:
>
>     int validityModelIsChain(X509 *_cert)
>     {
>         int iRet = 0;
>         int nid = OBJ_txt2nid("id-validityModel");
>         X509 *cert = X509_dup(_cert);                     // local copy
>         int index = X509_get_ext_by_NID(cert, nid, -1);
>         X509_EXTENSION *ext = X509_get_ext(cert, index);
>
>         if (ext) {
>             ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
>             X509VALIDITYMODELINFO *mi = NULL;
>             d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data, os->length);
> ...

We must not fetch the pointer os->data directly, because it becomes modified at d2i_...! Now we use:

    const unsigned char *p = os->data;
    d2i_X509VALIDITYMODELINFO(&mi, &p, os->length);

Afterwards p points to the end of the string at os->data. Everything is working fine and freeable without memory leaks.

> ...
>             if (mi && mi->info) {
>                 char buf[60];
>                 nid = OBJ_obj2nid(mi->info);
>                 OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
>                 printf("ValidityModel: %s\n", buf);
>                 iRet = 1;
>             }
>             // X509VALIDITYMODELINFO_free(mi);            // bad?
>         }
>         // X509_EXTENSION_free(ext);                      // bad, double release!
>         X509_free(cert);                                  // necessary, else leak, but fails
>         return iRet;
>     }
> ...
> I've been looking into the sources to find a place where the cert chain checking is done in terms of the certs' span of life. Down the chain, each cert should become valid while the issuer's cert is valid. I thought the right place would be somewhere within x509_vfy.c, perhaps at check_issued, but the search was in vain. Is there any function to do a comparison of two ASN1_TIME values correctly, though different formats and timezones may be in use?
> ...

For checking validity against RFC 3280 (shell model) no further time comparison is needed. Each cert in a chain has to be valid at a certain point in time (i.e. when used). That's implemented sufficiently.

Thanks to all
--
Christian
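The two open points in this thread, comparing ASN1_TIME values that may be UTCTime or GeneralizedTime and may carry a timezone, and checking a chain for the nesting of validity periods, as an added example that is neither the poster's code nor OpenSSL's. In OpenSSL itself, X509_cmp_time() compares an ASN1_TIME against a time_t and ASN1_TIME_compare() (added in 1.1.1) compares two ASN1_TIMEs; the plain C below does the normalisation by hand so it runs without OpenSSL. The cert_validity_t type, the function names and the sample chains are constructed; the chain ordering (leaf first, chain[i+1] issued chain[i]) and the reading of the chain model as "each cert's notBefore must fall inside its issuer's validity period", taken from the post above, are assumptions. RFC 3280 and 5280 require the Z designator, but the parser also accepts +hhmm/-hhmm offsets because the question raises them.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse exactly n ASCII digits; stops at the first non-digit, so it never reads past a NUL. */
static int digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Days since 1970-01-01 in the proleptic Gregorian calendar (Howard Hinnant's days_from_civil). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* ASN.1 UTCTime (YYMMDDHHMM[SS] + zone) or GeneralizedTime (YYYYMMDDHHMMSS[.f] + zone) to seconds
 * since the Unix epoch, UTC. Zone is 'Z' or +hhmm/-hhmm; a missing zone is rejected as ambiguous.
 * Two-digit years use the RFC 5280 pivot (50..99 -> 19xx, 00..49 -> 20xx). Returns 1 on success. */
int asn1_time_to_epoch(const char *s, int64_t *out)
{
    int nd = 0, pos = 0, year = 0, mon, day, hh, mm, ss = 0, off = 0;
    while (s[nd] >= '0' && s[nd] <= '9') nd++;
    if (nd == 10 || nd == 12) {                            /* UTCTime */
        int yy;
        digits(s, 2, &yy);
        year = yy >= 50 ? 1900 + yy : 2000 + yy;
        pos = 2;
    } else if (nd == 14) {                                 /* GeneralizedTime */
        digits(s, 4, &year);
        pos = 4;
    } else {
        return 0;
    }
    digits(s + pos, 2, &mon); digits(s + pos + 2, 2, &day);
    digits(s + pos + 4, 2, &hh); digits(s + pos + 6, 2, &mm);
    pos += 8;
    if (pos < nd) { digits(s + pos, 2, &ss); pos += 2; }
    if (s[pos] == '.') { pos++; while (s[pos] >= '0' && s[pos] <= '9') pos++; }  /* drop fraction */
    if (s[pos] == 'Z') {
        if (s[pos + 1] != '\0') return 0;
    } else if (s[pos] == '+' || s[pos] == '-') {
        int oh, om, sign = s[pos] == '+' ? 1 : -1;
        if (!digits(s + pos + 1, 2, &oh) || !digits(s + pos + 3, 2, &om) || s[pos + 5] != '\0') return 0;
        off = sign * (oh * 3600 + om * 60);                /* local = UTC + off */
    } else {
        return 0;
    }
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 59) return 0;
    *out = days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss - off;
    return 1;
}

/* -1, 0, 1 like strcmp; -2 if either string is not a valid ASN.1 time. */
int asn1_time_compare(const char *a, const char *b)
{
    int64_t ta, tb;
    if (!asn1_time_to_epoch(a, &ta) || !asn1_time_to_epoch(b, &tb)) return -2;
    return ta < tb ? -1 : ta > tb ? 1 : 0;
}

typedef struct { const char *subject, *not_before, *not_after; } cert_validity_t;

static int period(const cert_validity_t *c, int64_t *nb, int64_t *na)
{
    return asn1_time_to_epoch(c->not_before, nb) && asn1_time_to_epoch(c->not_after, na) && *nb <= *na;
}

/* Shell model (RFC 3280 6.1.3): every certificate must be valid at time 'at' (an ASN.1 time string).
 * Chains are leaf first. Returns -1 if all pass, else the index of the first failing certificate;
 * -2 if 'at' does not parse. */
int shell_model_first_failure(const cert_validity_t *chain, int n, const char *at)
{
    int64_t t, nb, na;
    if (!asn1_time_to_epoch(at, &t)) return -2;
    for (int i = 0; i < n; i++)
        if (!period(&chain[i], &nb, &na) || t < nb || t > na) return i;
    return -1;
}

/* Chain model as described in the thread: chain[i]'s notBefore must lie inside the validity period
 * of its issuer chain[i+1]. Returns -1 if all pass, else the index of the first certificate that was
 * issued while its issuer's certificate was not valid. */
int chain_model_first_failure(const cert_validity_t *chain, int n)
{
    int64_t nb, na, inb, ina;
    for (int i = 0; i + 1 < n; i++) {
        if (!period(&chain[i], &nb, &na) || !period(&chain[i + 1], &inb, &ina)) return i;
        if (nb < inb || nb > ina) return i;
    }
    return -1;
}

/* Constructed sample chains (leaf first) mixing UTCTime, GeneralizedTime and a +0200 offset. */
const cert_validity_t SAMPLE_CHAIN[3] = {
    { "leaf",         "080710114100+0200", "090710114100Z"   },
    { "intermediate", "050601120000Z",     "250601120000Z"   },
    { "root",         "000101000000Z",     "20501231235959Z" },
};
/* Same CAs, but this leaf was issued a year before its intermediate CA certificate became valid. */
const cert_validity_t SAMPLE_CHAIN_EARLY_LEAF[3] = {
    { "leaf",         "040601120000Z",     "090710114100Z"   },
    { "intermediate", "050601120000Z",     "250601120000Z"   },
    { "root",         "000101000000Z",     "20501231235959Z" },
};

int main(void)
{
    printf("shell model at 2008-07-10 12:00Z: %d / %d\n",
           shell_model_first_failure(SAMPLE_CHAIN, 3, "20080710120000Z"),
           shell_model_first_failure(SAMPLE_CHAIN_EARLY_LEAF, 3, "20080710120000Z"));
    printf("chain model: %d / %d\n", chain_model_first_failure(SAMPLE_CHAIN, 3),
           chain_model_first_failure(SAMPLE_CHAIN_EARLY_LEAF, 3));
    return 0;
}
```

The second chain is the case that separates the two models: at a verification time in 2008 every certificate in it is valid, so the shell check passes, while the chain check reports the leaf (index 0) because it was issued before its issuer's certificate became valid. Note that "080710114100+0200" and "20080710094100Z" compare equal once both are reduced to UTC seconds.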