Hi there,
I'm currently working on verification of certs. Since X509v3 there are many
extensions with their own types. Some of them are known to the current
implementation, many aren't.
I'd like to implement validity checking that is aware of the different models:
shell, as in RFC 3280, or chain, as in ISIS-MTT.
There are some OIDs that should be used to determine which model should
be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)
which comes with this type:
ValidityModel ::= SEQUENCE
{
    validityModelId   OBJECT IDENTIFIER,
    validityModelInfo ANY DEFINED BY validityModelId OPTIONAL
}
Since the extension ID (validityModelId) is known, only the Info has to
be coded. I tried:
#include <stdio.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
#include <openssl/x509.h>

/* Mirrors the ValidityModel SEQUENCE above: the model OID is mandatory,
 * the ANY DEFINED BY info is optional and kept as an opaque ASN1_TYPE. */
typedef struct X509ValidityModelInfo_st {
    ASN1_OBJECT *validityModelId;
    ASN1_TYPE *validityModelInfo;
} X509VALIDITYMODELINFO;
DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
together with
ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
    ASN1_SIMPLE(X509VALIDITYMODELINFO, validityModelId, ASN1_OBJECT),
    ASN1_OPT(X509VALIDITYMODELINFO, validityModelInfo, ASN1_ANY)
} ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
and using it with the following code
int validityModelIsChain(X509 *cert)
{
    int iRet = 0;
    /* "id-validityModel" is not in OpenSSL's built-in object table, so
     * register the OID from the spec once; afterwards OBJ_txt2nid() finds it. */
    int nid = OBJ_txt2nid("id-validityModel");
    if (nid == NID_undef)
        nid = OBJ_create("1.3.6.1.4.1.8301.3.5", "id-validityModel", "Validity Model");
    /* No X509_dup() needed: the extension is only read and stays owned by cert. */
    int index = X509_get_ext_by_NID(cert, nid, -1);     /* -1 if absent */
    X509_EXTENSION *ext = X509_get_ext(cert, index);    /* NULL for index < 0 */
    if (ext)
    {
        ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
        /* d2i advances the pointer it is handed; decode through a local copy
         * so the extension's own data pointer is left untouched. */
        const unsigned char *p = ASN1_STRING_get0_data(os);
        X509VALIDITYMODELINFO *mi =
            d2i_X509VALIDITYMODELINFO(NULL, &p, ASN1_STRING_length(os));
        if (mi && mi->validityModelId)
        {
            char buf[80];
            OBJ_obj2txt(buf, sizeof(buf), mi->validityModelId, 1); /* always dotted form */
            printf("ValidityModel: %s\n", buf);
            /* Only reports that a model OID is present; deciding chain vs.
             * shell still needs a comparison of buf with the chain-model OID. */
            iRet = 1;
        }
        X509VALIDITYMODELINFO_free(mi); /* d2i allocated it; free(NULL) is a no-op */
        /* Do not free ext or os: both are owned by cert and would be double-freed. */
    }
    return iRet;
}
I'm missing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?
==
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Downwards the chain each cert should become valid while the issuer's
cert is valid.
I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.
Is there any function to do a comparison of two ASN1_TIME values
correctly, even though different formats and timezones may be in use?
Any hints?
TIA
--
Christian Weber
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
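The ValidityModel SEQUENCE quoted in the post can also be decoded without OpenSSL's template machinery, which makes the layout of the extension value explicit. The following is an added example, not code from the post or from OpenSSL: a minimal DER reader that takes the raw extension value (the bytes X509_EXTENSION_get_data() hands back), extracts validityModelId in dotted form and classifies it. The two model OIDs OID_VALIDITY_MODEL_CHAIN (...8301.3.5.1) and OID_VALIDITY_MODEL_SHELL (...8301.3.5.2) are assumed from the ISIS-MTT / Common PKI arc under 1.3.6.1.4.1.8301.3.5 and are not given in the post; the sample byte strings are constructed, not taken from a real certificate.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sub-arcs of id-validityModel (ISIS-MTT / Common PKI); not from the post. */
#define OID_VALIDITY_MODEL_CHAIN "1.3.6.1.4.1.8301.3.5.1"
#define OID_VALIDITY_MODEL_SHELL "1.3.6.1.4.1.8301.3.5.2"

enum validity_model { MODEL_ERROR = -1, MODEL_UNKNOWN = 0, MODEL_CHAIN = 1, MODEL_SHELL = 2 };

/* Read one DER tag + length. Returns the header size, or 0 if the header is
 * malformed or the declared length overruns the buffer. */
static size_t der_header(const uint8_t *p, size_t n, uint8_t *tag, size_t *len)
{
    size_t hl = 2, l = 0;
    if (n < 2)
        return 0;
    *tag = p[0];
    if (p[1] < 0x80) {
        l = p[1];                                  /* short form */
    } else {
        size_t k = p[1] & 0x7f;                    /* long form: k length octets */
        if (k == 0 || k > sizeof(size_t) || n - 2 < k)
            return 0;
        for (size_t i = 0; i < k; i++)
            l = (l << 8) | p[2 + i];
        hl += k;
    }
    if (l > n - hl)
        return 0;                                  /* length claims more than present */
    *len = l;
    return hl;
}

/* Decode OID content octets (base-128 arcs, first two packed as 40*a+b). */
static int oid_to_text(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t used = 0;
    unsigned long arc = 0;
    int first = 1;

    if (n == 0 || (p[n - 1] & 0x80))               /* empty, or last arc truncated */
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (arc > (ULONG_MAX >> 7))
            return -1;                             /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)
            continue;                              /* continuation octet */
        int w;
        if (first) {
            unsigned long a = arc < 80 ? arc / 40 : 2;
            w = snprintf(out + used, outsz - used, "%lu.%lu", a, arc - 40 * a);
            first = 0;
        } else {
            w = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;                             /* output buffer too small */
        used += (size_t)w;
        arc = 0;
    }
    return 0;
}

/* Parse SEQUENCE { validityModelId OID, validityModelInfo ANY OPTIONAL }.
 * Writes the model OID to oid_text and returns its classification; any
 * validityModelInfo after the OID is left as opaque bytes. */
int parse_validity_model(const uint8_t *ext, size_t n, char *oid_text, size_t sz)
{
    uint8_t tag;
    size_t hl, len, seq_len;

    hl = der_header(ext, n, &tag, &seq_len);
    if (hl == 0 || tag != 0x30)                    /* outer SEQUENCE */
        return MODEL_ERROR;
    const uint8_t *p = ext + hl;
    hl = der_header(p, seq_len, &tag, &len);
    if (hl == 0 || tag != 0x06)                    /* validityModelId OBJECT IDENTIFIER */
        return MODEL_ERROR;
    if (oid_to_text(p + hl, len, oid_text, sz) != 0)
        return MODEL_ERROR;
    if (strcmp(oid_text, OID_VALIDITY_MODEL_CHAIN) == 0)
        return MODEL_CHAIN;
    if (strcmp(oid_text, OID_VALIDITY_MODEL_SHELL) == 0)
        return MODEL_SHELL;
    return MODEL_UNKNOWN;
}

/* Constructed sample extension values (not from a real certificate). */
static const uint8_t SAMPLE_CHAIN_EXT[] = {        /* SEQUENCE { OID ...8301.3.5.1 } */
    0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xc0, 0x6d, 0x03, 0x05, 0x01 };
static const uint8_t SAMPLE_SHELL_EXT[] = {        /* ...8301.3.5.2 plus NULL info */
    0x30, 0x0e, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0xc0, 0x6d, 0x03, 0x05, 0x02, 0x05, 0x00 };
static const uint8_t SAMPLE_TRUNCATED_EXT[] = {    /* length exceeds the buffer */
    0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06 };

int main(void)
{
    char oid[64];
    int m = parse_validity_model(SAMPLE_CHAIN_EXT, sizeof SAMPLE_CHAIN_EXT, oid, sizeof oid);
    printf("%s -> %s\n", oid, m == MODEL_CHAIN ? "chain" : m == MODEL_SHELL ? "shell" : "unknown");
    return 0;
}
```

The truncated sample exercises the length check in der_header: an extension whose length octets promise more data than the octet string holds is rejected before any OID byte is read, which is the check a parser of attacker-supplied certificates must make first.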
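On the second question (comparing ASN1_TIME values that may use different formats and time zones) together with the shell/chain distinction from the first: OpenSSL 1.1.1 and later provide ASN1_TIME_compare() for the comparison, and the following added example, not code from the post or from OpenSSL, shows what such a comparison has to handle and then applies it to a certificate path. It normalises UTCTime and GeneralizedTime strings (with Z or +-hhmm offsets) to UTC seconds, compares them, and runs a constructed three-certificate path through both models: shell (every cert valid at one evaluation time) and chain (each issuer valid when it signed its subordinate, approximated here by the subordinate's notBefore). The struct asn1_time, path_valid and the sample path are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An ASN.1 time as OpenSSL carries it: the tag decides whether the string is a
 * UTCTime (YYMMDDHHMM[SS]Z / +-hhmm) or a GeneralizedTime (YYYYMMDDHHMM[SS[.f]]Z / +-hhmm).
 * The tag is required: "YYMMDDHHMMSS+hhmm" and "YYYYMMDDHHMM+hhmm" look identical. */
struct asn1_time {
    int generalized;        /* 1 = GeneralizedTime, 0 = UTCTime */
    const char *str;
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

static int read_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;      /* also stops at the NUL, so never reads past the string */
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 0;
}

/* Seconds since the Unix epoch, normalised to UTC. 0 on success, -1 if malformed. */
int asn1_time_to_epoch(const struct asn1_time *t, int64_t *out)
{
    const char *s = t->str;
    int year, mon, day, hh, mm, ss = 0, oh, om, off = 0;

    if (t->generalized) {
        if (read_digits(s, 4, &year)) return -1;
        s += 4;
    } else {
        if (read_digits(s, 2, &year)) return -1;
        year += year >= 50 ? 1900 : 2000;          /* RFC 3280 two-digit year rule */
        s += 2;
    }
    if (read_digits(s, 2, &mon) || read_digits(s + 2, 2, &day) ||
        read_digits(s + 4, 2, &hh) || read_digits(s + 6, 2, &mm))
        return -1;
    s += 8;
    if (isdigit((unsigned char)s[0])) {             /* optional seconds */
        if (read_digits(s, 2, &ss)) return -1;
        s += 2;
    }
    if (t->generalized && *s == '.') {              /* optional fraction: accepted, ignored */
        if (!isdigit((unsigned char)s[1])) return -1;
        for (s++; isdigit((unsigned char)*s); s++) ;
    }
    if (*s == 'Z') {
        s++;
    } else if (*s == '+' || *s == '-') {            /* local time; UTC = local - offset */
        int sign = *s == '+' ? 1 : -1;
        if (read_digits(s + 1, 2, &oh) || read_digits(s + 3, 2, &om)) return -1;
        off = sign * (oh * 60 + om);
        s += 5;
    } else {
        return -1;
    }
    if (*s != '\0' || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh > 23 || mm > 59 || ss > 59)
        return -1;
    *out = days_from_civil(year, (unsigned)mon, (unsigned)day) * 86400
         + hh * 3600 + mm * 60 + ss - (int64_t)off * 60;
    return 0;
}

/* strcmp-style result (-1, 0, 1); -2 if either time is malformed. */
int asn1_time_cmp(const struct asn1_time *a, const struct asn1_time *b)
{
    int64_t ta, tb;
    if (asn1_time_to_epoch(a, &ta) || asn1_time_to_epoch(b, &tb))
        return -2;
    return (ta > tb) - (ta < tb);
}

struct cert_validity {
    const char *name;
    struct asn1_time not_before, not_after;
};

enum { MODEL_SHELL, MODEL_CHAIN };

/* path[0] is the trust anchor, path[n-1] the end-entity certificate.
 * Shell: every cert must be valid at the one evaluation time t.
 * Chain: the end-entity must be valid at t; each issuer must have been valid when
 * it signed its subordinate, taken here as the subordinate's notBefore.
 * Returns 1 (valid), 0 (a cert is outside its window), -1 (unparsable time). */
int path_valid(const struct cert_validity *path, size_t n, int64_t t, int model)
{
    int64_t nb, na, check = t;
    for (size_t i = n; i-- > 0; ) {                 /* end-entity upwards */
        if (asn1_time_to_epoch(&path[i].not_before, &nb) ||
            asn1_time_to_epoch(&path[i].not_after, &na))
            return -1;
        if (check < nb || check > na)
            return 0;
        if (model == MODEL_CHAIN)
            check = nb;                             /* when the issuer signed this cert */
    }
    return 1;
}

/* Constructed sample path: mixed UTCTime/GeneralizedTime and a non-UTC offset. */
static const struct cert_validity SAMPLE_PATH[] = {
    { "Root CA",    {1, "20000101000000Z"},   {1, "20301231235959Z"} },
    { "Sub CA",     {0, "050101000000Z"},     {0, "150101000000Z"} },
    { "End entity", {0, "100601120000+0200"}, {0, "200601120000Z"} },
};
#define SAMPLE_PATH_LEN (sizeof SAMPLE_PATH / sizeof SAMPLE_PATH[0])

int main(void)
{
    struct asn1_time now = {1, "20160601000000Z"};  /* Sub CA has expired by then */
    int64_t t;
    if (asn1_time_to_epoch(&now, &t)) return 1;
    printf("shell model: %d\nchain model: %d\n",
           path_valid(SAMPLE_PATH, SAMPLE_PATH_LEN, t, MODEL_SHELL),
           path_valid(SAMPLE_PATH, SAMPLE_PATH_LEN, t, MODEL_CHAIN));
    return 0;
}
```

With the evaluation time 2016-06-01 the same path fails under the shell model (the Sub CA expired in 2015) and passes under the chain model (the Sub CA was valid in 2010 when the end-entity cert was issued), which is exactly the difference the validity-model extension is meant to signal.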