Hi again,
sorry, we just found the error in using the macros.
When an ASN structure is being parsed, the pointer to the underlying
ASN1_OCTET_STRING becomes modified and thus points to non-freeable
memory.
Christian Weber wrote on 10.07.2008 13:41:
...
To implement validity checking which is aware of different models,
shell as of RFC 3280 or chain as of ISIS-MTT.
...
Since the extension ID (validityModelID) is known, only the Info has to
be coded. I tried:
    typedef struct X509ValidityModelInfo_st {
        ASN1_OBJECT *info;
    } X509VALIDITYMODELINFO;

    DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
    DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
together with
    ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
        ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
    } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)

    IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)
and using it with the following code:
    int validityModelIsChain(X509 *_cert)
    {
        int iRet = 0;
        int nid = OBJ_txt2nid("id-validityModel");
        X509 *cert = X509_dup(_cert); // local copy
        int index = X509_get_ext_by_NID(cert, nid, -1);
        X509_EXTENSION *ext = X509_get_ext(cert, index);
        if (ext)
        {
            ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
            X509VALIDITYMODELINFO *mi = 0;
            d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data,
                                      os->length);
            ...
We must not hand over the pointer os->data directly, because it becomes
modified by d2i_...! Now we use:

            const unsigned char *p = os->data;
            d2i_X509VALIDITYMODELINFO(&mi, &p, os->length);

Afterwards p points to the end of the string at os->data.
Everything is working fine and freeable without memory leaks.
...
            if (mi && mi->info)
            {
                char buf[60];
                nid = OBJ_obj2nid(mi->info);
                OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
                printf("ValidityModel: %s\n", buf);
                iRet = 1;
            }
            // X509VALIDITYMODELINFO_free(mi); // bad?
        }
        // X509_EXTENSION_free(ext); // bad, double-release!
        X509_free(cert); // necessary, else leak, but fails
        return iRet;
    }
...
I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs' span of life.
Down the chain, each cert should become valid while the issuer's
cert is valid.
I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.
Is there any function to do a comparison of two ASN1_TIME values
correctly even though different formats and timezones may be in use?
...
For checking validity against RFC 3280 (shell model) no further time
comparison is needed. Each cert in a chain has to be valid at a certain
point in time (i.e. when used).
That's implemented sufficiently.
Thanks to all
--
Christian
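The pointer problem described in this message is the documented d2i_* contract: on success the decoder advances `*in` to the first byte after the object it consumed, so handing it the address of the ASN1_OCTET_STRING's own `data` field rewrites the pointer the string will later try to free. The following C program is an added illustration, not code from the post or from OpenSSL: it replaces the OpenSSL types with small constructed stand-ins (`octet_string`, `validity_model_info`) and a tiny decoder for SEQUENCE { OID } that follows the same advance-the-input-pointer contract, then runs the original `&os->data` call beside the scratch-pointer version. The DER bytes and the OID 1.2.3.4 are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's ASN1_OCTET_STRING: it owns its buffer,
 * so `data` must still point at the allocation when the string is freed. */
typedef struct {
    unsigned char *data;
    int length;
} octet_string;

/* Stand-in for X509VALIDITYMODELINFO: SEQUENCE { info OBJECT IDENTIFIER OPTIONAL }.
 * Only the raw OID content octets are kept. Not OpenSSL's code. */
typedef struct {
    unsigned char *oid;
    int oid_len;
} validity_model_info;

/* Read one short-form TLV (tag, one-byte length, value). Returns 0 on success
 * and advances *pp past the value, as an ASN.1 decoder walks its input. */
static int read_tlv(const unsigned char **pp, long *remaining, int expected_tag,
                    const unsigned char **value, int *vlen)
{
    const unsigned char *p = *pp;
    if (*remaining < 2 || p[0] != expected_tag || (p[1] & 0x80))
        return -1;
    int len = p[1];
    if (*remaining - 2 < len)
        return -1;
    *value = p + 2;
    *vlen = len;
    *pp = p + 2 + len;
    *remaining -= 2 + len;
    return 0;
}

/* Mimics the d2i_* contract: on success the object is stored in *out and
 * *in is advanced to the first byte after the decoded object. */
validity_model_info *d2i_validity_model_info(validity_model_info **out,
                                             const unsigned char **in, long len)
{
    const unsigned char *p = *in;
    long remaining = len;
    const unsigned char *seq;
    int seq_len;
    if (read_tlv(&p, &remaining, 0x30, &seq, &seq_len))
        return NULL;
    validity_model_info *mi = calloc(1, sizeof *mi);
    if (!mi)
        return NULL;
    const unsigned char *q = seq;
    long inner = seq_len;
    if (inner > 0) {                        /* the OPTIONAL OID is present */
        const unsigned char *oid;
        int oid_len;
        if (read_tlv(&q, &inner, 0x06, &oid, &oid_len) || inner != 0) {
            free(mi);
            return NULL;
        }
        mi->oid = malloc(oid_len);
        memcpy(mi->oid, oid, oid_len);
        mi->oid_len = oid_len;
    }
    if (out)
        *out = mi;
    *in = p;   /* this write is what clobbered os->data in the original code */
    return mi;
}

void validity_model_info_free(validity_model_info *mi)
{
    if (mi) {
        free(mi->oid);
        free(mi);
    }
}

/* Constructed DER for SEQUENCE { OID 1.2.3.4 }; a placeholder OID, not id-validityModel. */
static const unsigned char DER_INFO[] = { 0x30, 0x05, 0x06, 0x03, 0x2A, 0x03, 0x04 };

/* Decode a fresh copy of DER_INFO the post's original way (passing &os->data)
 * or with a scratch pointer. Returns 1 if os.data still points at its
 * allocation afterwards, 0 if the decoder moved it, -1 if decoding failed. */
int owner_pointer_survives(int use_scratch_pointer)
{
    octet_string os;
    os.length = (int)sizeof DER_INFO;
    os.data = malloc(os.length);
    memcpy(os.data, DER_INFO, os.length);
    unsigned char *allocation = os.data;
    validity_model_info *mi = NULL;
    if (use_scratch_pointer) {
        const unsigned char *p = os.data;            /* receives the advance */
        d2i_validity_model_info(&mi, &p, os.length);
    } else {
        d2i_validity_model_info(&mi, (const unsigned char **)&os.data, os.length);
    }
    int intact = (os.data == allocation);
    int decoded = (mi != NULL && mi->oid_len == 3);
    os.data = allocation;   /* restore so cleanup frees the real buffer */
    free(os.data);
    validity_model_info_free(mi);
    return decoded ? intact : -1;
}

int main(void)
{
    printf("with &os->data  : data pointer intact = %d\n", owner_pointer_survives(0));
    printf("with scratch ptr: data pointer intact = %d\n", owner_pointer_survives(1));
    return 0;
}
```

With the scratch pointer the octet string's allocation is untouched, so the enclosing extension and certificate can be released normally and the decoded object can be freed with its own _free function; the only pointer that moves is the local `p`, which ends at `os.data + os.length`.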
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
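On the ASN1_TIME question raised in the quoted message: RFC 3280 requires dates through 2049 to be encoded as UTCTime (YYMMDDHHMMSSZ, two-digit year) and later dates as GeneralizedTime (YYYYMMDDHHMMSSZ), so comparing two certificate times across formats means normalising both to a common scale first; OpenSSL's own x509_vfy.c checks each certificate's notBefore/notAfter against a single time_t with X509_cmp_time rather than comparing two ASN1_TIME values with each other. The following C code is an added example, not part of the post or of OpenSSL: it parses both string forms, including the X.680 variants with optional seconds, fractional seconds and a +hhmm/-hhmm offset, into seconds since the Unix epoch and compares them. Function names (`asn1_time_to_epoch`, `asn1_time_cmp`) and the sample time strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse exactly n decimal digits at s[*i]; returns 0 on success and advances *i. */
static int read_digits(const char *s, size_t *i, size_t len, int n, int *out)
{
    int v = 0;
    if (*i + n > len)
        return -1;
    for (int k = 0; k < n; k++) {
        char c = s[*i + k];
        if (c < '0' || c > '9')
            return -1;
        v = v * 10 + (c - '0');
    }
    *i += n;
    *out = v;
    return 0;
}

/* Convert a UTCTime (is_generalized == 0) or GeneralizedTime (is_generalized != 0)
 * string to seconds since the Unix epoch, in UTC. Fractional seconds are accepted
 * and truncated; a missing zone designator is rejected. Returns 0 on success. */
int asn1_time_to_epoch(const char *s, int is_generalized, long long *epoch)
{
    size_t len = strlen(s), i = 0;
    int year, mon, day, hour, min, sec = 0, off = 0;
    if (is_generalized) {
        if (read_digits(s, &i, len, 4, &year))
            return -1;
    } else {
        if (read_digits(s, &i, len, 2, &year))
            return -1;
        year += (year >= 50) ? 1900 : 2000;   /* RFC 3280 two-digit year rule */
    }
    if (read_digits(s, &i, len, 2, &mon) || read_digits(s, &i, len, 2, &day) ||
        read_digits(s, &i, len, 2, &hour) || read_digits(s, &i, len, 2, &min))
        return -1;
    /* seconds: mandatory in GeneralizedTime, optional in UTCTime per X.680 */
    if (is_generalized || (i + 1 < len && s[i] >= '0' && s[i] <= '9')) {
        if (read_digits(s, &i, len, 2, &sec))
            return -1;
    }
    if (is_generalized && i < len && s[i] == '.') {   /* fractional seconds */
        i++;
        if (i >= len || s[i] < '0' || s[i] > '9')
            return -1;
        while (i < len && s[i] >= '0' && s[i] <= '9')
            i++;
    }
    if (i >= len)
        return -1;
    if (s[i] == 'Z') {
        i++;
    } else if (s[i] == '+' || s[i] == '-') {
        int sign = (s[i] == '+') ? 1 : -1, oh, om;
        i++;
        if (read_digits(s, &i, len, 2, &oh) || read_digits(s, &i, len, 2, &om))
            return -1;
        if (oh > 23 || om > 59)
            return -1;
        off = sign * (oh * 3600 + om * 60);   /* local = UTC + off */
    } else {
        return -1;
    }
    if (i != len || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hour > 23 || min > 59 || sec > 60)
        return -1;
    *epoch = days_from_civil(year, mon, day) * 86400LL + hour * 3600 + min * 60 + sec - off;
    return 0;
}

/* Compare two ASN.1 times of possibly different formats: -1, 0 or 1 like strcmp,
 * or -2 if either string does not parse. */
int asn1_time_cmp(const char *a, int a_generalized, const char *b, int b_generalized)
{
    long long ta, tb;
    if (asn1_time_to_epoch(a, a_generalized, &ta) || asn1_time_to_epoch(b, b_generalized, &tb))
        return -2;
    return (ta > tb) - (ta < tb);
}

int main(void)
{
    /* constructed samples: the same instant as UTCTime, GeneralizedTime and with an offset */
    printf("%d\n", asn1_time_cmp("080710134100Z", 0, "20080710134100Z", 1));
    printf("%d\n", asn1_time_cmp("080710154100+0200", 0, "080710134100Z", 0));
    printf("%d\n", asn1_time_cmp("4912312359Z", 0, "500101000000Z", 0));
    return 0;
}
```

The third comparison shows why the two-digit year rule matters: a UTCTime "49..." is 2049 and sorts after a UTCTime "50...", which is 1950. For chain-model checking the same normalisation lets a subordinate certificate's notBefore/notAfter be compared directly against the issuer's, whatever encoding each CA chose.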