Thanks a lot for your lengthy explanation, David Schwartz. I really
appreciate you helping to explain all this to me. I noted you said that what
I did might be sensible if three things are the case:
1) The locale you are using the certificate has no daylight savings time.
2) The certificate isn't going anywhere, it's only going to be used in one
place.
3) The certificate expires in the near future, so a risk of a change in
daylight savings time rules is low.

For no. (1), I'm not really sure about this daylight savings time. I
reside in Malaysia (next to Singapore and Thailand) and I'm not sure whether
my country has any daylight savings time or not. For no. (2), currently the
issued certificates are only used in our office.

Anyway, to issue a certificate, the code is as below:

if (!(returnIssueCertificate=IssueCertificate(cinfo,x509,skey,ca,Type,&HexSerial,sendUserName,sendUserID)))
{
    MessageDlg("Issue certificate is failed",mtError,TMsgDlgButtons()<<mbOK, 0);
    FreeCertDetail(&cinfo);
    return;
}

and this is the called IssueCertificate function


int IssueCertificate(CERT_DETAIL pinfo,char *x509,char *key,char *ca, int Type,
                     AnsiString *HexSerial, AnsiString receiveUserName,
                     AnsiString receiveUserID)
{
    FILE *fp = NULL;
    Base64 encoder;
    AnsiString s, ca_cert, ca_key;
    int i, key_len, len, ret = 1, nconf = 0;
    X509 *x = NULL, *xca = NULL;
    X509_REQ *req = NULL;
    EVP_PKEY *pkey = NULL, *ca_pkey = NULL;
    unsigned char skey[1024*8];
    char buf[128], *sconf[100], *mkey = NULL;
    char ckey[1024], cacert[1024 * 8], profpass[1024], cacert_file[400],
         kbuf[1024],cbuf[1024 * 8];
    unsigned char *p, plain[EBUFSIZE+4], emkey[EBUFSIZE+4],
                  t_emkey[EBUFSIZE+4];

    // Load profile certificate and private key
    if ((ca_pkey = ReadKey(pinfo.ca_KeyFile.c_str())) == NULL)
       return ERROR_READ_CAKEY;

    nconf = PrintConfig(&pinfo,sconf,TYPE_CLIENT);

    if ((mkey = GenerateMasterKey()) == NULL)
    {  ret = ERROR_GENERATE_MKEY;
       goto end1;
    }

    if ((pkey = CVAULT_Key_read(key)) == NULL)
    {  ret = ERROR_READ_KEY;
       delete mkey;
       goto end1;
    }
    if ((req = MakeRequest(sconf,nconf,pkey,NULL)) == NULL)
    {
        ret = ERROR_MAKEREQ;
        goto end2;
    }


    if ((x = MakeCertificate(req,sconf,nconf,NULL,ca,ca_pkey,
                             pinfo.begin_validity,
                             pinfo.validity,pinfo.serial,pinfo.algo,0)) == NULL)
    {  ret = ERROR_MAKECERT;
       goto end3;
    }

    X509_gmtime_adj(X509_get_notBefore(x),0); //added on 16/7/2007
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*pinfo.validity); //added on 16/7/2007
    X509_gmtime_roundup(X509_get_notAfter(x)); //added on 16/7/2007

    char buf1[1024];
    GetSerialNumber(x->cert_info->serialNumber,buf1);
    *HexSerial = (AnsiString)buf1;



    CVAULT_X509_write(x,x509);
    MakePKCS12(pass.c_str(),name.c_str(),pkey,x,p12Path.c_str());
    s = progpath + "client.key";
    WriteKey(pkey,s.c_str());

    //s = progpath + "user.crt";
    s = progpath + receiveUserID + "-" + receiveUserName + ".crt";
    if ((fp = fopen(s.c_str(),"w")) == NULL)
    {  ShowMessage("ERROR: Open cert.crt");
       return -3; //to indicate that program unable to open user.crt
    }
    fprintf(fp,"%s",x509);
    fclose(fp);


    // Write CA certificate
    if ((xca = ReadCertificate(ca)) == NULL)
    {  ret = ERROR_READ_CACERT;
       goto end3;
    }

    CVAULT_X509_write(xca,cacert);
    s = progpath + "CA.crt";
    if ((fp = fopen(s.c_str(),"w")) == NULL)
    {  ShowMessage("ERROR: Open CA.crt");
       return -1;
    }
    fprintf(fp,"%s",cacert);
    fclose(fp);
    X509_free(xca);

    ret = 1;
    //MainForm->tinfo = pinfo;

end3:
    X509_REQ_free(req);

end2:
    EVP_PKEY_free(pkey);

end1:

    for (i=0; i<80; i++)
       free(sconf[i]);
    //endfor

    return ret;
}

As you may see above, I added the X509_gmtime_adj and X509_gmtime_roundup
after the call to MakeCertificate. The generated certificate will have the
desired expiry date, but the cert itself would be corrupted. It will have
this message displayed in the cert - "The integrity of this certificate
cannot be guaranteed. The certificate may be corrupted or may have been
altered." I guess this happens because I added the line X509_gmtime_ after
the cert has been created, right? But I don't know anywhere else where I
should put it.


And for the MakeCertificate function which was called above, all I could
find was this code:

X509 *MakeCertificate(X509_REQ *preq,char **sconf,int nconf,EVP_PKEY *self_key,
                      char* cacert_file,EVP_PKEY *ca_key,int pbegin,int pdays,
                      long pserial,int palgo,int ca_type)

which was located in the Global.h file. There doesn't seem to be anywhere I
can put the X509_gmtime_roundup line....

> Please don't take this the wrong way -- but you are modifying
> security-critical code based on a requirement that seems to make no sense.

I've told the management of my company that I don't want to continue
debugging this code, but they insist I have to do it because they have no
one else to do it... yes, lame reason from them, but I'm in no position to
say no. Anyway, I guess if this software is broken, they're the ones who
should be blamed, because I've told them I don't want to continue doing
this...


On 7/16/07, David Schwartz wrote:
>
> > hold on! thanks a lot I managed to get it to 23:59:59. all I had to do was
> > change the value
> > strcpy(buf+6, "235959Z"); to strcpy(buf+6, "155959Z");
>
> I would not do that. There is no way you can know that 15:59:59 will
> correspond to 24:59:59 in the future when the certificate expires. You
> are essentially predicting what the time zone shift will be at some future
> date. I would strongly urge you to make it expire at midnight UTC/GMT time.
>
> I would go further as to say that whatever tool is presenting certificate
> expiration times to you as '1/8/2007 7:59:59' (which is the way you pasted
> it) should be dumped and replaced with something sane. This contains no time
> zone indicator or GMT offset. If you paste it to a mailing list, it is
> meaningless.
>
> If your requirement really is that a certificate expire at midnight for
> the time zone in which it was issued, assuming the zone offset will be the
> same at certificate issue time as it was at certificate issue time, then
> the requirement should be re-examined. For one thing, '155959Z' can't
> possibly be right for every possible case (unless your locality has no
> daylight savings time and you get lucky and it never does).
>
> You are assuming that 15:59:59 local time will correspond to 24:59:59 UTC
> time at the time and place the certificate is being used when it expires.
> This seems like a truly crazy assumption. It might be sensible if three
> things are the case:
> 1) The locale you are using the certificate has no daylight savings time.
> 2) The certificate isn't going anywhere, it's only going to be used in one
> place.
> 3) The certificate expires in the near future, so a risk of a change in
> daylight savings time rules is low.
>
> Otherwise, this is broken.
>
> > erm... but there's still one problem. where in IssueCertificate should I
> > add the line
> > X509_gmtime_roundup(X509_get_notAfter(x)); ?
> > because currently the line is only added in renewCertificate... as I can't
> > see where in IssueCertificate can I add those lines.. thanks again
>
> You didn't paste the code to IssueCertificate. You should be able to find
> where it sets the expiration time and modify it just like the others. If
> not, why are you monkeying in security-critical code?
>
> Please don't take this the wrong way -- but you are modifying
> security-critical code based on a requirement that seems to make no sense.
>
> DS


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org