Thanks a lot for your help, David Schwartz! I haven't got it correctly yet,
but with your help I could see I'm moving somewhere here.

I added X509_gmtime_roundup(X509_get_notAfter(x)); to my
renewCertificate function. When I renew the cert to be valid to, for example,
31/7/2007, the cert's valid-to date is strangely changed to '1/8/2007
7:59:59'. May I know which part I should alter here?

Btw I have to add the function

void X509_gmtime_roundup(ASN1_UTCTIME *s)
{ /* Rounds an ASN1_UTCTIME up to the end of the current day */
    char buf[32];
    strcpy(buf, (const char *) ASN1_STRING_data(s));
    strcpy(buf+6, "235959Z");
    ASN1_UTCTIME_set_string(s, buf);
}

to the top of my code; if not, it will return a 'Call to undefined function
'X509_gmtime_roundup'' error.

Thanks again.

On 7/16/07, David Schwartz <[EMAIL PROTECTED]> wrote:


This function rounds an ASN1_UTCTIME up to the end of the day it belongs
to. You need to call this function on an ASN1_UTCTIME before you set it as
the 'not valid after' date:

void X509_gmtime_roundup(ASN1_UTCTIME *s)
{ /* Rounds an ASN1_UTCTIME up to the end of the current day */
    char buf[32];
    strcpy(buf, (const char *) ASN1_STRING_data(s));
    strcpy(buf+6, "235959Z");
    ASN1_UTCTIME_set_string(s, buf);
}

Here's where I think that goes in your code:


int RenewCertificate(X509 *old_x509, X509 **new_x509, EVP_PKEY *pkey, int validity)
{
    X509 *x = NULL;
    x=old_x509;
    char buf[512];

    X509_gmtime_adj(X509_get_notBefore(x),0);
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*validity);

Here, the 'not valid after' time was just advanced. You need to round it,
so add:

    X509_gmtime_roundup(X509_get_notAfter(x));

    ...
    ...
}

and

void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
{
    ...
    X509_gmtime_adj(ci->lastUpdate,0);
    if (ci->nextUpdate == NULL)
        ci->nextUpdate=ASN1_UTCTIME_new();
    X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);

If you want to round the CRL time up, use this line next:

    X509_gmtime_roundup(ci->nextUpdate);

    ...
}


void GenCRL(X509 *x509, EVP_PKEY *pkey, TStringList *ListRev, TStringList *ListSer, int SumList)
{
    if (ci->nextUpdate == NULL)
        ci->nextUpdate=ASN1_UTCTIME_new();
    X509_gmtime_adj(ci->nextUpdate,(crldays*24+crlhours)*60*60);

This also sets the 'nextUpdate' time. If you want to round that to the end
of the day, add:

    X509_gmtime_roundup(ci->nextUpdate);

}

It seems here all the functions that you mentioned are not called to
generate the cert. I'm totally lost on what I should do now...?

Be sure to test this code before relying on it!

DS
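
A bounds-checked variant of the rounding helper discussed above, as an added example that is not part of the original thread or of OpenSSL. It works on the raw time bytes and also handles the 15-character GeneralizedTime form, which goes beyond the UTCTime-only case in the thread; the function name and the sample values are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* round_up_asn1_time() is a hypothetical helper, not an OpenSSL function.
 * in/in_len are the raw bytes and length of an ASN.1 time value (not
 * assumed to be NUL-terminated). Writes the same date at 23:59:59Z to out.
 * Returns 0 on success, -1 if the value is not a plain ...HHMMSSZ time. */
int round_up_asn1_time(const unsigned char *in, size_t in_len,
                       char *out, size_t out_size)
{
    size_t date_len, i;

    if (in == NULL || out == NULL)
        return -1;
    if (in_len == 13)           /* UTCTime: YYMMDDHHMMSSZ */
        date_len = 6;
    else if (in_len == 15)      /* GeneralizedTime: YYYYMMDDHHMMSSZ */
        date_len = 8;
    else
        return -1;              /* no seconds, fractions, +hhmm offsets, ... */
    if (out_size < in_len + 1 || in[in_len - 1] != 'Z')
        return -1;
    for (i = 0; i + 1 < in_len; i++)
        if (!isdigit(in[i]))
            return -1;

    memcpy(out, in, date_len);              /* keep the date digits */
    memcpy(out + date_len, "235959Z", 8);   /* 7 characters plus the NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real certificate. */
    const char *samples[] = { "070731101500Z", "20500731101500Z", "0707311015Z" };
    char out[16];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const unsigned char *in = (const unsigned char *)samples[i];
        if (round_up_asn1_time(in, strlen(samples[i]), out, sizeof out) == 0)
            printf("%s -> %s\n", samples[i], out);
        else
            printf("%s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The rounded value is 23:59:59 UTC (the trailing Z), so a viewer that renders local time will show it shifted by its UTC offset.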


