templates and cert chain validity - Openssl



Thread: templates and cert chain validity

  1. templates and cert chain validity

    Hi there,

    I'm just about verification of certs. Since X509v3 there are many
    extensions with their own types. Some of them are known to the current
    implementation, many aren't.

    To implement a validity checking which is aware of different models
    shell as of RFC 3280 or chain as of ISIS-MTT.

    There are some OIDs that should be used to determine which model should
    be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)
    which comes with this type:

    > ValidityModel::= SEQUENCE
    > {
    > validityModelId OBJECT IDENTIFIER
    > validityModelInfo ANY DEFINED BY validityModelId OPTIONAL
    > }


    Since the extension ID (validityModelID) is known, only the Info has to
    be coded. I tried:

    > typedef struct X509ValidityModelInfo_st {
    > ASN1_OBJECT *info;
    > } X509VALIDITYMODELINFO;
    >
    > DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
    > DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


    together with

    > ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
    > ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
    > } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
    >
    > IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


    and using it with following code

    > int validityModelIsChain(X509 *_cert)
    > {
    > int iRet = 0;
    > int nid = OBJ_txt2nid("id-validityModel");
    >
    > X509 *cert = X509_dup(_cert); // local copy
    > int index = X509_get_ext_by_NID(cert, nid, -1);
    > X509_EXTENSION *ext = X509_get_ext(cert, index);
    >
    > if (ext)
    > {
    > ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
    > X509VALIDITYMODELINFO *mi = 0;
    > d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data, os->length);
    >
    > if (mi && mi->info)
    > {
    > char buf[60];
    > nid = OBJ_obj2nid(mi->info);
    > OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
    > printf("ValidityModel: %s\n", buf);
    >
    > iRet = 1;
    > }
    > // X509VALIDITYMODELINFO_free(mi); // bad?
    > }
    > // X509_EXTENSION_free(ext); // bad, double-release!
    > X509_free(cert); // necessary, else leak, but fails
    > return iRet;
    > }


    I'm missing how to release the temporary items correctly.
    Do you have any hints? Is the above approach reasonable?

    ==

    I've been looking into the sources to find a place where the
    cert chain checking is done in terms of the certs' span of life.

    Downwards the chain each cert should become valid while the issuer's
    cert is valid.

    I thought the right place would be somewhere within x509_vfy.c,
    perhaps at check_issued, but the search was in vain.

    Is there any function to do a comparison of two ASN_TIME values
    correctly though different formats and timezones may be in use?

    Any hints?

    TIA
    --
    Christian Weber
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org
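The two validity models the question names, as an added example that is not part of the original post: `cert_validity`, `chain_valid_shell`, `chain_valid_chain_model` and the sample chain are constructed here, and validity periods are plain integers standing in for notBefore/notAfter (a real implementation would compare the certificates' ASN1_TIME fields, for which OpenSSL offers `X509_cmp_time()` against a `time_t`). In the chain model the subordinate certificate's notBefore is used as its issuance time, which is an assumption of this example.

```c
#include <stddef.h>

/* Constructed stand-in for one certificate's validity period. Index 0 of a
 * chain is the end-entity certificate, the last entry the trust anchor. */
struct cert_validity {
    long not_before;
    long not_after;
};

static int valid_at(const struct cert_validity *c, long t)
{
    return c->not_before <= t && t <= c->not_after;
}

/* Shell model (RFC 3280): every certificate in the chain must be valid at
 * the single point in time at which the chain is used. */
int chain_valid_shell(const struct cert_validity *chain, size_t n, long t)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (!valid_at(&chain[i], t)) return 0;
    return 1;
}

/* Chain model (ISIS-MTT): the end-entity certificate must be valid at the
 * time of use; each issuer certificate must have been valid when it issued
 * the certificate below it. The subordinate's notBefore stands in for its
 * issuance time here (assumption of this example). */
int chain_valid_chain_model(const struct cert_validity *chain, size_t n, long t)
{
    size_t i;
    if (n == 0 || !valid_at(&chain[0], t)) return 0;
    for (i = 1; i < n; i++)
        if (!valid_at(&chain[i], chain[i - 1].not_before)) return 0;
    return 1;
}

/* Constructed sample: the intermediate CA expired at 1500, but it issued the
 * leaf at 1200 and the leaf itself runs until 2000. */
static const struct cert_validity SAMPLE_CHAIN[] = {
    { 1200, 2000 },   /* end-entity */
    { 1000, 1500 },   /* intermediate CA */
    {  500, 3000 },   /* root */
};
#define SAMPLE_LEN (sizeof SAMPLE_CHAIN / sizeof SAMPLE_CHAIN[0])

int sample_shell_at(long t) { return chain_valid_shell(SAMPLE_CHAIN, SAMPLE_LEN, t); }
int sample_chain_at(long t) { return chain_valid_chain_model(SAMPLE_CHAIN, SAMPLE_LEN, t); }
```

At time 1400 both models accept the sample chain; at 1800 the shell model rejects it because the intermediate has expired, while the chain model still accepts it because the intermediate was valid when the leaf was issued. This is the extra comparison the question is looking for: it is only needed for the chain model, whereas the shell model is just "every cert valid now".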


  2. Re: templates and cert chain validity

    Hi again,

    sorry, we just found the error in using the macros.

    When an ASN structure is being parsed, the pointer to the underlying
    ASN_OCTET_STRING becomes modified and thus points to no freeable
    memory.

    Christian Weber schrieb am 10.07.2008 13:41:
    ....
    > To implement a validity checking which is aware of different models
    > shell as of RFC 3280 or chain as of ISIS-MTT.

    ....
    > Since the extension ID (validityModelID) is known, only the Info has to
    > be coded. I tried:
    >
    >> typedef struct X509ValidityModelInfo_st {
    >> ASN1_OBJECT *info;
    >> } X509VALIDITYMODELINFO;
    >>
    >> DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
    >> DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)

    >
    > together with
    >
    >> ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
    >> ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
    >> } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
    >>
    >> IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)

    >
    > and using it with following code
    >
    >> int validityModelIsChain(X509 *_cert)
    >> {
    >> int iRet = 0;
    >> int nid = OBJ_txt2nid("id-validityModel");
    >>
    >> X509 *cert = X509_dup(_cert); // local copy
    >> int index = X509_get_ext_by_NID(cert, nid, -1);
    >> X509_EXTENSION *ext = X509_get_ext(cert, index);
    >>
    >> if (ext)
    >> {
    >> ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
    >> X509VALIDITYMODELINFO *mi = 0;
    >> d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data,
    >> os->length);

    ....

    We must not fetch the pointer os->data directly, because it becomes
    modified at d2i_...! Now we use:

    > const unsigned char *p = os->data;
    > d2i_X509VALIDITYMODELINFO(&mi, &p, os->length);


    Afterwards p points to the end of the string at os->data.
    Everything is working fine and freeable without memory leaks.

    ....
    >>
    >> if (mi && mi->info)
    >> {
    >> char buf[60];
    >> nid = OBJ_obj2nid(mi->info);
    >> OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
    >> printf("ValidityModel: %s\n", buf);
    >>
    >> iRet = 1;
    >> }
    >> // X509VALIDITYMODELINFO_free(mi); // bad?
    >> }
    >> // X509_EXTENSION_free(ext); // bad, double-release!
    >> X509_free(cert); // necessary, else leak, but fails
    >> return iRet;
    >> }

    ....
    > I've been looking into the sources to find a place where the
    > cert chain checking is done in terms of the certs' span of life.
    >
    > Downwards the chain each cert should become valid while the issuer's
    > cert is valid.
    >
    > I thought the right place would be somewhere within x509_vfy.c,
    > perhaps at check_issued, but the search was in vain.
    >
    > Is there any function to do a comparison of two ASN_TIME values
    > correctly though different formats and timezones may be in use?

    ....

    For checking validity against RFC 3280 (shell model) no further time
    comparison is needed. Each cert in a chain has to be valid at a certain
    point in time (i.e. when used).

    That's implemented sufficiently.

    Thanks to all
    --
    Christian
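The pointer-advance pitfall the follow-up describes, as an added example in plain C that is not the poster's code and builds without libcrypto: `octet_string`, `validity_model`, `d2i_validity_model` and the sample bytes `SAMPLE_DER` are stand-ins constructed for this example, and the inner OID value 1.3.6.1.4.1.8301.3.5.1 is a constructed sample (the page's arc plus one sub-arc), not claimed to be a registered model identifier. The decoder follows the same d2i convention as OpenSSL's `d2i_*` functions: on success it advances the caller's pointer past the bytes consumed, so handing it the address of the structure's own `data` member leaves that member pointing at the end of the buffer, which is exactly why a later free of the octet string fails.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for ASN1_OCTET_STRING and the generated
 * X509VALIDITYMODELINFO type; they exist only so this example runs alone. */
struct octet_string {
    const unsigned char *data;   /* DER-encoded extension value */
    long length;
};

struct validity_model {
    char model_id[64];           /* validityModelId as dotted text */
    const unsigned char *info;   /* validityModelInfo (ANY), or NULL */
    long info_len;
};

/* Read one DER tag/length header (short form or one-byte long form). */
static int read_tlv(const unsigned char **pp, const unsigned char *end,
                    unsigned char *tag, long *len)
{
    const unsigned char *p = *pp;
    if (end - p < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; p += 2; }
    else if (p[1] == 0x81 && end - p >= 3) { *len = p[2]; p += 3; }
    else return 0;
    if (end - p < *len) return 0;
    *pp = p;
    return 1;
}

/* Decode OBJECT IDENTIFIER content bytes into dotted form. */
static int oid_to_text(const unsigned char *p, long len, char *out, size_t n)
{
    unsigned long v = 0;
    int used;
    long i;
    if (len < 1) return 0;
    used = snprintf(out, n, "%d.%d", (int)(p[0] / 40), (int)(p[0] % 40));
    for (i = 1; i < len; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) {
            used += snprintf(out + used, n - used, ".%lu", v);
            if ((size_t)used >= n) return 0;      /* output truncated */
            v = 0;
        }
    }
    return v == 0;                                /* 0 = truncated last arc */
}

/* ValidityModel ::= SEQUENCE { validityModelId OID, validityModelInfo ANY OPTIONAL }
 * d2i convention: *pp is advanced past the decoded SEQUENCE on success. */
int d2i_validity_model(struct validity_model *out, const unsigned char **pp, long len)
{
    const unsigned char *p = *pp, *seq_end;
    unsigned char tag;
    long l;
    if (!read_tlv(&p, *pp + len, &tag, &l) || tag != 0x30) return 0;
    seq_end = p + l;
    if (!read_tlv(&p, seq_end, &tag, &l) || tag != 0x06) return 0;
    if (!oid_to_text(p, l, out->model_id, sizeof out->model_id)) return 0;
    p += l;
    out->info = NULL;
    out->info_len = 0;
    if (p < seq_end) {                            /* optional ANY is present */
        if (!read_tlv(&p, seq_end, &tag, &l)) return 0;
        out->info = p;
        out->info_len = l;
        p += l;
    }
    if (p != seq_end) return 0;
    *pp = seq_end;
    return 1;
}

/* Constructed sample value: SEQUENCE { OID 1.3.6.1.4.1.8301.3.5.1 }, 14 bytes. */
static const unsigned char SAMPLE_DER[] = {
    0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xC0, 0x6D, 0x03, 0x05, 0x01
};

/* The first post's pattern: pass the address of the structure's own data
 * pointer. Returns how far os.data has been moved from its buffer start. */
long wrong_call_offset(void)
{
    struct octet_string os = { SAMPLE_DER, sizeof SAMPLE_DER };
    struct validity_model mi;
    d2i_validity_model(&mi, &os.data, os.length);
    return (long)(os.data - SAMPLE_DER);          /* 14: os no longer points at its buffer */
}

/* The follow-up's fix: decode through a local copy of the pointer. */
long right_call_offset(void)
{
    struct octet_string os = { SAMPLE_DER, sizeof SAMPLE_DER };
    struct validity_model mi;
    const unsigned char *p = os.data;
    d2i_validity_model(&mi, &p, os.length);       /* p ends at os.data + os.length */
    return (long)(os.data - SAMPLE_DER);          /* 0: os.data still owns its buffer */
}

static struct validity_model g_mi;
const char *sample_model_id(void)
{
    const unsigned char *p = SAMPLE_DER;
    if (!d2i_validity_model(&g_mi, &p, sizeof SAMPLE_DER) ||
        p != SAMPLE_DER + sizeof SAMPLE_DER)
        return "";
    return g_mi.model_id;
}
```

With real OpenSSL the ownership rules match what the two posts worked out: `X509_get_ext()` returns a pointer owned by the certificate and `X509_EXTENSION_get_data()` one owned by the extension, so neither is freed by the caller; the decoded object (`X509VALIDITYMODELINFO_free(mi)`) and the duplicated certificate (`X509_free(cert)`) are the caller's to release, and `X509_free()` only succeeds once the octet string's `data` pointer has been left untouched by the decode.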

