Hi there,

i'm just about verification of certs. Since X509v3 there are many
extensions with their own types. Some of them are known to the current
implementation, many aren't.

To implement a validity checking which is aware of different models
shell as of RFC 3280 or chain as af ISIS-MTT.

There are some OIDs that should be used to determine which model should
be used. One of them is 1.3.6.1.4.1.8301.3.5 (by TU Darmstadt, Germany)
which comes with this type:

> ValidityModel::= SEQUENCE
> {
> validityModelId OBJECT IDENTIFIER
> validityModelInfo ANY DEFINED BY validityModelId OPTIONAL
> }


Sinse the extension ID (validityModelID) is known, only the Info has to
be coded. I tried:

> typedef struct X509ValidityModelInfo_st {
> ASN1_OBJECT *info;
> } X509VALIDITYMODELINFO;
>
> DECLARE_ASN1_ITEM(X509VALIDITYMODELINFO)
> DECLARE_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


together with

> ASN1_SEQUENCE(X509VALIDITYMODELINFO) = {
> ASN1_OPT(X509VALIDITYMODELINFO, info, ASN1_OBJECT),
> } ASN1_SEQUENCE_END(X509VALIDITYMODELINFO)
>
> IMPLEMENT_ASN1_FUNCTIONS(X509VALIDITYMODELINFO)


and using it with following code

> int validityModelIsChain(X509 *_cert)
> {
> int iRet = 0;
> int nid = OBJ_txt2nid("id-validityModel");
>
> X509 *cert = X509_dup(_cert); // local copy
> int index = X509_get_ext_by_NID(cert, nid, -1);
> X509_EXTENSION *ext = X509_get_ext(cert, index);
>
> if (ext)
> {
> ASN1_OCTET_STRING *os = X509_EXTENSION_get_data(ext);
> X509VALIDITYMODELINFO *mi = 0;
> d2i_X509VALIDITYMODELINFO(&mi, (const unsigned char **)&os->data, os->length);
>
> if (mi && mi->info)
> {
> char buf[60];
> nid = OBJ_obj2nid(mi->info);
> OBJ_obj2txt(buf, sizeof(buf), mi->info, 0);
> printf("ValidityModel: %s\n", buf);
>
> iRet = 1;
> }
> X509VALIDITYMODELINFO_free(mi); // bad?
> }
> // X509_EXTENSION_free(ext); // bad, double-relese!
> X509_free(cert); // neccessary, else leak
> return iRet;
> }


I'm missing how to release the temporary items correctly.
Do you have any hints? Is the above approach reasonable?

==

I've been looking into the sources to find a place where the
cert chain checking is done in terms of the certs span of life.

Downwards the chain each cert should become valid while the issuers
cert is valid.

I thought the right place would be somewhere within x509_vfy.c,
perhaps at check_issued, but the search was in vain.

Is there any function to do a comparation of two ASN_TIME values
correctly though different formats and timezones may be in use?

Any hints?

TIA
--
Christian Weber
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org