Hi,

Yes, you are right that it will not select a CA certificate which is not yet valid,
provided the new certificate has a different serial no. Basically I
generated the same certificate using the same subject DN, serial no and key
pair. But I should have changed the serial no of the new CA certificate.

Thanks
Aslam

-----Original Message-----
From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 3:56 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'
Subject: Re: X509_vfy.c function int check_issued() BUG..


On Wed, Apr 10, 2002 at 03:22:30PM -0400, Aslam wrote:
> I've been doing testing for new root CA certificate issuance and OpenSSL's
> chain building/cert chain validation. If I have both the root CA old cert
> and the root CA new cert (obtained by certificate refresh, i.e. the old subject
> and old key pair are used to get the root CA new cert for a new time period),
> and the time is such that the root CA new cert is NOT_YET_VALID and the new
> cert is added last in X509_STORE, then chain building fails with error =
> CERT_NOT_YET_VALID, even though the valid root CA cert (old) is there in
> X509_STORE. The function static int check_issued(X509_STORE_CTX* ctx, X509* x,
> X509* issuer) in x509_vfy.c does check for subject dist name, subject/issuer
> key identifier, basic constraints etc. match, but cert time validation is
> deferred till we have a stack with bottom = end entity cert and top =
> self_signed root cert, i.e. till static int internal_verify(X509_STORE_CTX* ctx).
> So because of this the root CA new cert is added to the stack, but later in the
> internal_verify() call it fails with CERT_NOT_YET_VALID. What should happen
> is that cert time validity must be checked during building the cert chain
> (adding certs to the stack), not after it. So in all, all certs in X509_STORE
> must be looked at before calling internal_verify() for the cert signature check.
> 
> Similar behaviour is seen if the old cert is added last (top of the stack in
> X509_STORE) and it is expired; then error = CERT_EXPIRED, provided the issued
> cert is still valid, which is basically a wrong practice: to issue certs
> beyond the CA's valid time period.

I am not sure that I understand you correctly. You have issued a new CA
certificate based on the old key and tried to mimic the old certificate
as closely as possible. Now the verification routine has problems
distinguishing between these certificates.
The verification routines distinguish
* the DN (Distinguished Name)
* the AKID/SKID (the authority key identifier of the issued certificate must match
  the subject key identifier of the CA)
* the serial number in the authority key identifier.
You therefore could assure correct behaviour by making at least one of
these properties different.
To be fair: I don't have the time to look around for it, but I would expect
that in some RFC this would also be listed as a requirement :-)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
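To make the ordering problem discussed in this thread concrete, here is a simplified Python model of the chain-building logic, added as an example and not OpenSSL's own code: check_issued applies only the DN, AKID/SKID and AKID-serial matching the thread names, and build_and_verify takes the most recently added matching candidate (the ordering in the report) and checks validity dates either at the end, like internal_verify(), or while building. The certificates, key identifiers and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: str                # subject key identifier (derived from the public key)
    akid: str                # authority key identifier: the issuer's SKID
    akid_serial: "int | None"  # issuer serial carried inside the AKID, when present
    not_before: datetime
    not_after: datetime

def check_issued(x, issuer):
    """Only the name/key-identifier checks named in the thread: DN, AKID/SKID, AKID serial."""
    return (x.issuer == issuer.subject and x.akid == issuer.skid
            and (x.akid_serial is None or x.akid_serial == issuer.serial))

def build_and_verify(leaf, store, now, time_check_while_building):
    """Walk up to a self-signed cert, taking the most recently added matching candidate
    (the ordering in the report); dates are checked at the end, like internal_verify()."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        cands = [c for c in store if check_issued(chain[-1], c)]
        if time_check_while_building:       # the fix the report asks for
            cands = [c for c in cands if c.not_before <= now <= c.not_after]
        if not cands:
            return "UNABLE_TO_GET_ISSUER_CERT"
        chain.append(cands[-1])
    for c in chain:                         # the deferred internal_verify() step
        if not (c.not_before <= now <= c.not_after):
            return "CERT_NOT_YET_VALID" if now < c.not_before else "CERT_HAS_EXPIRED"
    return "OK"

def ca_rollover_cases(now=datetime(2002, 4, 10)):
    d, ca = datetime, "CN=Root CA"      # constructed sample data, not real certificates
    old_root = Cert(ca, ca, 1, "K1", "K1", None, d(2000, 1, 1), d(2005, 1, 1))
    same_serial = Cert(ca, ca, 1, "K1", "K1", None, d(2004, 1, 1), d(2010, 1, 1))
    new_serial = Cert(ca, ca, 2, "K1", "K1", None, d(2004, 1, 1), d(2010, 1, 1))
    leaf = lambda akid_serial: Cert("CN=server", ca, 100, "K2", "K1", akid_serial, d(2002, 1, 1), d(2003, 1, 1))
    return {
        # the report: indistinguishable refreshed root added last, dates checked only at the end
        "report": build_and_verify(leaf(None), [old_root, same_serial], now, False),
        # the report's proposed fix: drop date-invalid candidates while building the chain
        "time_during_build": build_and_verify(leaf(None), [old_root, same_serial], now, True),
        # the reply's advice: a distinct serial number, referenced from the leaf's AKID
        "distinct_serial": build_and_verify(leaf(1), [old_root, new_serial], now, False),
        # caveat: the distinct serial only helps when the leaf's AKID actually carries it
        "serial_not_in_akid": build_and_verify(leaf(None), [old_root, new_serial], now, False),
    }
```

The last case is the practical check for a rollover: a new serial on the refreshed CA certificate only disambiguates if the issued certificates' AKID includes the issuer serial; otherwise the verifier still needs the date filter while building.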