-----Original Message-----
From: Dr. Stephen Henson [mailto:st...@openssl.org] 
Sent: Thursday, January 12, 2012 8:52 AM
To: openssl-users@openssl.org
Subject: Re: Optional validation of time in OpenSSL Reg.

On Thu, Jan 12, 2012, Ashok C wrote:

> Hi,
> 
> I see that the OpenSSL certificate verify utility uses the
> X509_verify_cert() in x509_vfy.c for certificate validation.
> Based on the manual pages for verify, I understand that the order for 
> verification is as follows:
> 
>    1. Firstly a certificate chain is built up starting from the supplied
>    certificate and ending in the root CA.
>    2. The second operation is to check every untrusted certificate's
>    extensions for consistency with the supplied purpose.
>    3. The third operation is to check the trust settings on the root CA.
>    4. The final operation is to check the validity of the certificate
>    chain. The validity period is checked against the current system time and
>    the notBefore and notAfter dates in the certificate. The certificate
>    signatures are also checked at this point.
> 
> What would be the best way to make the time check optional?
> 
> Is there any alternative way to achieve this? I understand that by 
> passing a custom time using
> 
> void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t);
> 
> and by setting the flag X509_V_FLAG_USE_CHECK_TIME, I can make the 
> verify code use the time I provide, but whatever time I provide 
> through the time_t variable, will it be used as notBefore or notAfter 
> time? (since time_t t represents the number of seconds since the start 
> of the Unix epoch).
> 

Yes it will. This can also be set in the X509_VERIFY_PARAM structure.

> I would need this optional time checking since I cannot count on my 
> system time to be stable all the time :)
> 

Validity time errors in the chain also produce the two errors 
X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_HAS_EXPIRED which can be 
overridden in the verify callback.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org