templates and cert chain validity

2008-07-11 Thread Weber

Hi there,

I'm just about verification of certs. Since X509v3 there are many
extensions with their own types. Some of them are known to the current
implementation, many aren't.

To implement a validity checking which is aware of different models:
shell as of RFC 3280 or chain as of ISIS-MTT.

There are some OIDs that should be used to determine which model should 
be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)

which comes with this type:


  ValidityModel ::= SEQUENCE {
      validityModelId     OBJECT IDENTIFIER,
      validityModelInfo   ANY DEFINED BY validityModelId OPTIONAL
  }


Since the extension ID (validityModelId) is known, only the Info has to
be coded. I tried:


  #include <openssl/asn1t.h>

  typedef struct X509ValidityModelInfo_st {
    ASN1_OBJECT *info;
  } X509VALIDITYMODELINFO;

  DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
  DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


together with


ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
  ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
} ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)

IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


and using it with following code


  #include <stdio.h>
  #include <openssl/objects.h>
  #include <openssl/x509.h>

  int validityModelIsChain(X509 *_cert)
  {
    int iRet = 0;
    // id-validityModel must already be known to OpenSSL (e.g. via OBJ_create)
    int nid = OBJ_txt2nid("id-validityModel");

    X509 *cert = X509_dup(_cert); // local copy
    int index = X509_get_ext_by_NID(cert, nid, -1);
    X509_EXTENSION *ext = X509_get_ext(cert, index);

    if (ext)
    {
      ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
      X509VALIDITYMODELINFO *mi = 0;
      d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data,
                                os->length);

      if (mi && mi->info)
      {
        char buf[60];
        nid = OBJ_obj2nid(mi->info);
        OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
        printf("ValidityModel: %s\n", buf);

        iRet = 1;
      }
      X509VALIDITYMODELINFO_free(mi); // bad?
    }
    // X509_EXTENSION_free(ext); // bad, double-release!
    X509_free(cert);  // necessary, else leak
    return iRet;
  }


I'm missing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?

==

I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.

Downwards the chain each cert should become valid while the issuer's
cert is valid.

I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.

Is there any function to do a comparison of two ASN_TIME values
correctly though different formats and timezones may be in use?

Any hints?

TIA
--
Christian Weber
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
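The comparison asked for above, as an added example that is not part of the thread: both encodings an ASN1_TIME may carry (UTCTime and GeneralizedTime, UTC as DER requires) are normalised to seconds since the epoch so they compare directly, and the rule stated in the post (a cert must become valid while its issuer's cert is valid) is checked on the result. The function names and the time strings are constructed for the example; OpenSSL itself is not called, so the snippet stands alone.

```c
/* Added example, not from the thread: parse DER UTCTime/GeneralizedTime (the
 * two encodings an ASN1_TIME may carry) into one scalar so they compare
 * directly, and apply the chain-model rule from the post that a certificate
 * must become valid while its issuer's certificate is valid. */
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 of a proleptic Gregorian date (Howard Hinnant's algorithm). */
static long days_from_civil(long y, long m, long d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* "YYMMDDHHMMSSZ" (UTCTime) or "YYYYMMDDHHMMSSZ" (GeneralizedTime), both in
 * UTC as DER requires, to seconds since the epoch. Returns -1 on malformed
 * input (times before 1970 are rejected too, which is fine for certificates). */
long long asn1_time_to_epoch(const char *s)
{
    size_t n = strlen(s);
    long y, mo, d, h, mi, sec;
    for (size_t i = 0; i + 1 < n; i++) if (s[i] < '0' || s[i] > '9') return -1;
    if (n == 13 && s[12] == 'Z') {                       /* UTCTime, 2-digit year */
        if (sscanf(s, "%2ld%2ld%2ld%2ld%2ld%2ld", &y, &mo, &d, &h, &mi, &sec) != 6) return -1;
        y += y >= 50 ? 1900 : 2000;                      /* RFC 3280 4.1.2.5.1 pivot */
    } else if (n == 15 && s[14] == 'Z') {                /* GeneralizedTime, 4-digit year */
        if (sscanf(s, "%4ld%2ld%2ld%2ld%2ld%2ld", &y, &mo, &d, &h, &mi, &sec) != 6) return -1;
    } else return -1;
    if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || sec > 59) return -1;
    long long t = days_from_civil(y, mo, d) * 86400LL + h * 3600 + mi * 60 + sec;
    return t < 0 ? -1 : t;
}

/* Chain model: the subject's notBefore must lie within the issuer's
 * [notBefore, notAfter]. 1 = nested, 0 = not nested, -1 = malformed time. */
int chain_model_ok(const char *issuer_nb, const char *issuer_na, const char *subject_nb)
{
    long long inb = asn1_time_to_epoch(issuer_nb), ina = asn1_time_to_epoch(issuer_na);
    long long snb = asn1_time_to_epoch(subject_nb);
    if (inb < 0 || ina < 0 || snb < 0) return -1;
    return inb <= snb && snb <= ina;
}
```

This is only the chain-model check; for the shell model each cert just has to be valid at the time of use, so no such comparison between certs is needed.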


Re: templates and cert chain validity

2008-07-11 Thread Christian Weber

Hi again,

sorry, we just found the error in using the macros.

When an ASN.1 structure is being parsed, the pointer to the underlying
ASN1_OCTET_STRING becomes modified and thus points to no freeable
memory.


Christian Weber wrote on 10.07.2008 13:41:
> ...
>
> To implement a validity checking which is aware of different models:
> shell as of RFC 3280 or chain as of ISIS-MTT.
>
> ...
>
> Since the extension ID (validityModelId) is known, only the Info has to
> be coded. I tried:
>
>   typedef struct X509ValidityModelInfo_st {
>     ASN1_OBJECT *info;
>   } X509VALIDITYMODELINFO;
>
>   DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
>   DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
>
> together with
>
>   ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
>     ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
>   } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
>
>   IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
>
> and using it with following code
>
>   int validityModelIsChain(X509 *_cert)
>   {
>     int iRet = 0;
>     int nid = OBJ_txt2nid("id-validityModel");
>
>     X509 *cert = X509_dup(_cert); // local copy
>     int index = X509_get_ext_by_NID(cert, nid, -1);
>     X509_EXTENSION *ext = X509_get_ext(cert, index);
>
>     if (ext)
>     {
>       ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
>       X509VALIDITYMODELINFO *mi = 0;
>       d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data,
>                                 os->length);
>
> ...

We must not fetch the pointer os->data directly, because it becomes
modified at d2i_...! Now we use:

  const unsigned char *p = os->data;
  d2i_X509VALIDITYMODELINFO(&mi, &p, os->length);

Afterwards p points to the end of the string at os->data.
Everything is working fine and freeable without memory leaks.

> ...
>
>       if (mi && mi->info)
>       {
>         char buf[60];
>         nid = OBJ_obj2nid(mi->info);
>         OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
>         printf("ValidityModel: %s\n", buf);
>
>         iRet = 1;
>       }
>       // X509VALIDITYMODELINFO_free(mi); // bad?
>     }
>     // X509_EXTENSION_free(ext); // bad, double-release!
>     X509_free(cert);  // necessary, else leak, but fails
>     return iRet;
>   }

> ...
>
> I've been looking into the sources to find a place where the
> cert chain checking is done in terms of the certs' span of life.
>
> Downwards the chain each cert should become valid while the issuer's
> cert is valid.
>
> I thought the right place would be somewhere within x509_vfy.c,
> perhaps at check_issued, but the search was in vain.
>
> Is there any function to do a comparison of two ASN_TIME values
> correctly though different formats and timezones may be in use?
>
> ...

For checking validity against RFC 3280 (shell model) no further time
comparison is needed. Each cert in a chain has to be valid at a certain
point in time (i.e. when used).

That's implemented sufficiently.

Thanks to all
--
Christian
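The pointer problem described in the reply above, as an added example that is not from the thread: a small stand-in for a d2i_ function with OpenSSL's calling convention (it advances *pp past the bytes it consumed) decodes a constructed ValidityModel SEQUENCE once through &os.data, as in the original code, and once through a temporary pointer, as in the fix, and reports whether the octet string's data pointer survived. The DER bytes, the OctetString and ValidityModel types and the OID 1.3.6.1.4.1.8301.3.5.1 (the last arc is assumed, the page only gives 1.3.6.1.4.1.8301.3.5) are constructed for this example.

```c
/* Added example, not from the thread: a tiny d2i-style DER decoder showing
 * why passing &os->data to d2i_ clobbers the owning octet string. DER and
 * types are constructed; the OID's last arc (.1) is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *data; long length; } OctetString; /* stands in for ASN1_OCTET_STRING */
typedef struct { char oid[64]; } ValidityModel;

/* Parse SEQUENCE { OBJECT IDENTIFIER }; like OpenSSL's d2i_* functions,
 * advance *pp past the bytes consumed. Returns NULL on malformed input. */
static ValidityModel *d2i_validity_model(const unsigned char **pp, long len)
{
    const unsigned char *p = *pp;
    if (len < 4 || p[0] != 0x30 || p[1] > 0x7f || 2 + p[1] > len) return NULL;
    if (p[2] != 0x06 || 2 + p[3] > p[1]) return NULL;
    ValidityModel *vm = calloc(1, sizeof *vm); if (!vm) return NULL;
    char *out = vm->oid; size_t cap = sizeof vm->oid; unsigned long v = 0;
    for (int i = 0, first = 1; i < p[3]; i++) {           /* base-128 sub-identifiers */
        v = (v << 7) | (p[4 + i] & 0x7f);
        if (p[4 + i] & 0x80) continue;
        int w = first ? snprintf(out, cap, "%lu.%lu", v / 40, v % 40)
                      : snprintf(out, cap, ".%lu", v);
        if (w < 0 || (size_t)w >= cap) { free(vm); return NULL; }
        out += w; cap -= (size_t)w; v = 0; first = 0;
    }
    *pp = p + 2 + p[1];                                    /* the d2i_ contract */
    return vm;
}

/* Constructed: SEQUENCE { OID 1.3.6.1.4.1.8301.3.5.1 } (8301 = 0xC0 0x6D in base 128). */
static const unsigned char kValidityModelDer[] = {
    0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xc0, 0x6d, 0x03, 0x05, 0x01 };

/* use_temp = 0 reproduces the thread's bug (&os.data handed to d2i); 1 is the fix.
 * Returns -1 on decode failure, else bit 1: os.data still freeable, bit 2: OID correct. */
int decode_extension(int use_temp)
{
    OctetString os = { malloc(sizeof kValidityModelDer), sizeof kValidityModelDer };
    unsigned char *start = os.data; if (!start) return -1;
    memcpy(os.data, kValidityModelDer, os.length);
    const unsigned char *p = os.data;                      /* temporary used by the fix */
    ValidityModel *vm = use_temp
        ? d2i_validity_model(&p, os.length)
        : d2i_validity_model((const unsigned char **)&os.data, os.length);
    int rc = !vm ? -1 : (os.data == start ? 1 : 0) | (strcmp(vm->oid, "1.3.6.1.4.1.8301.3.5.1") == 0 ? 2 : 0);
    free(vm); free(start);                                 /* not free(os.data): wrong in the buggy path */
    return rc;
}
```

decode_extension(1) returns 3 and decode_extension(0) returns 2: in the buggy path the OID still decodes correctly, which is why the damage only surfaces when the octet string is freed.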


templates and cert chain validity

2008-07-10 Thread Christian Weber

Hi there,

I'm just about verification of certs. Since X509v3 there are many
extensions with their own types. Some of them are known to the current
implementation, many aren't.

To implement a validity checking which is aware of different models:
shell as of RFC 3280 or chain as of ISIS-MTT.

There are some OIDs that should be used to determine which model should 
be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)

which comes with this type:


  ValidityModel ::= SEQUENCE {
      validityModelId     OBJECT IDENTIFIER,
      validityModelInfo   ANY DEFINED BY validityModelId OPTIONAL
  }


Since the extension ID (validityModelId) is known, only the Info has to
be coded. I tried:


  #include <openssl/asn1t.h>

  typedef struct X509ValidityModelInfo_st {
    ASN1_OBJECT *info;
  } X509VALIDITYMODELINFO;

  DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
  DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


together with


ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
  ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
} ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)

IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


and using it with following code


  #include <stdio.h>
  #include <openssl/objects.h>
  #include <openssl/x509.h>

  int validityModelIsChain(X509 *_cert)
  {
    int iRet = 0;
    // id-validityModel must already be known to OpenSSL (e.g. via OBJ_create)
    int nid = OBJ_txt2nid("id-validityModel");

    X509 *cert = X509_dup(_cert); // local copy
    int index = X509_get_ext_by_NID(cert, nid, -1);
    X509_EXTENSION *ext = X509_get_ext(cert, index);

    if (ext)
    {
      ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
      X509VALIDITYMODELINFO *mi = 0;
      d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data,
                                os->length);

      if (mi && mi->info)
      {
        char buf[60];
        nid = OBJ_obj2nid(mi->info);
        OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
        printf("ValidityModel: %s\n", buf);

        iRet = 1;
      }
      // X509VALIDITYMODELINFO_free(mi); // bad?
    }
    // X509_EXTENSION_free(ext); // bad, double-release!
    X509_free(cert);  // necessary, else leak, but fails
    return iRet;
  }


I'm missing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?

==

I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.

Downwards the chain each cert should become valid while the issuer's
cert is valid.

I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.

Is there any function to do a comparison of two ASN_TIME values
correctly though different formats and timezones may be in use?

Any hints?

TIA
--
Christian Weber