On 1/12/2012 2:48 PM, Ashok C wrote:
> Hi,
>
> I see that the OpenSSL certificate verify utility uses
> X509_verify_cert() in x509_vfy.c for certificate validation.
> Based on the manual pages for verify, I understand that the order for
> verification is as follows:
>
> 1. Firstly a certificate chain is built up starting from the supplied
> certificate and ending in the root CA.
> 2. The second operation is to check every untrusted certificate's
> extensions for consistency with the supplied purpose.
> 3. The third operation is to check the trust settings on the root CA.
> 4. The final operation is to check the validity of the certificate
> chain. The validity period is checked against the current system
> time and the notBefore and notAfter dates in the certificate. The
> certificate signatures are also checked at this point.
>
> What would be the best way to make the time check optional?
>
> One way as seen from the code could be to make this call optional
> based on some environmental variable.
>
> Eg:
>
>     if (TIME_CHECK_ON)
>         check_cert_time(ctx, xs);
>     else
>         ; /* don't check time */
>
> Is there any alternative way to achieve this? I understand that by
> passing a custom time using
>
> void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
> time_t t);
>
> and by setting the flag X509_V_FLAG_USE_CHECK_TIME, I can make the
> verify code use the time I provide, but whatever time I provide
> through the time_t variable, will it be used as notBefore or notAfter
> time? (since time_t t represents the number of seconds since the start
> of the Unix epoch).
>
It will be used in place of the *current* system time, so now it will
check that the certificates were valid at the time you specify,
not the time the computer thinks is now. Specifically it will check
that t is not before any NotBefore time in certificates and t is not
after any NotAfter times in certificates.
> I would need this optional time checking since I cannot count on my
> system time to be stable all the time :)
>
> Regds,
>
> Ashok
>
______________________________________________________________________
OpenSSL Project
http://www.openssl.org
User Support Mailing List
openss...@openssl.org
Automated List Manager
majo...@openssl.org
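To make the reply above concrete, here is an added stand-alone C model of the validity-time step it describes. This is example code written for this page, not OpenSSL's x509_vfy.c and not anything posted in the thread; it needs only the C standard library, and the three certificates, their subject names and their validity dates are constructed for the illustration. The real code compares the ASN.1 time strings with X509_cmp_time() and carries the check time inside the X509_STORE_CTX; the model parses the strings to time_t instead, which makes the ordering argument easy to follow.

```c
/* Added example: model of the validity-time check in X509_verify_cert(), with
 * "now" replaceable by a caller-supplied time_t as X509_STORE_CTX_set_time()
 * does. Not OpenSSL code; plain C, no libcrypto. Certificates are constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's days_from_civil). */
static long days_from_civil(long y, long m, long d)
{
    long era, yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static long two_digits(const char *s) { return (s[0] - '0') * 10 + (s[1] - '0'); }

/* Parse a validity time as a certificate encodes it: UTCTime "YYMMDDHHMMSSZ" or
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (RFC 5280, 4.1.2.5). Returns seconds since
 * the Unix epoch, or (time_t)-1 if the string is neither form. */
time_t parse_x509_time(const char *s)
{
    size_t n = strlen(s), i;
    long year, mon, day, hour, min, sec;

    if ((n != 13 && n != 15) || s[n - 1] != 'Z')
        return (time_t)-1;
    for (i = 0; i + 1 < n; i++)
        if (s[i] < '0' || s[i] > '9')
            return (time_t)-1;
    if (n == 13) {                 /* UTCTime: two-digit year, pivot at 50 per RFC 5280 */
        year = two_digits(s);
        year += (year >= 50) ? 1900 : 2000;
        s += 2;
    } else {                       /* GeneralizedTime: four-digit year */
        year = two_digits(s) * 100 + two_digits(s + 2);
        s += 4;
    }
    mon = two_digits(s);     day = two_digits(s + 2); hour = two_digits(s + 4);
    min = two_digits(s + 6); sec = two_digits(s + 8);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hour > 23 || min > 59 || sec > 59)
        return (time_t)-1;
    return (time_t)(days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec);
}

/* What the time check needs from a certificate (constructed stand-in for an X509). */
struct cert_model { const char *subject, *not_before, *not_after; };

enum time_result { TIME_OK = 0, TIME_NOT_YET_VALID, TIME_EXPIRED, TIME_BAD_FORMAT };

/* Walk the built chain leaf-first and require notBefore <= t <= notAfter for every
 * certificate. check_time == NULL means the system clock; otherwise it plays the
 * role of the time_t given to X509_STORE_CTX_set_time(). On failure *bad_index is
 * the position of the offending certificate, on success it is n. */
enum time_result check_chain_time(const struct cert_model *chain, size_t n,
                                  const time_t *check_time, size_t *bad_index)
{
    time_t t = check_time ? *check_time : time(NULL);
    size_t i;

    for (i = 0; i < n; i++) {
        time_t nb = parse_x509_time(chain[i].not_before);
        time_t na = parse_x509_time(chain[i].not_after);
        *bad_index = i;
        if (nb == (time_t)-1 || na == (time_t)-1) return TIME_BAD_FORMAT;
        if (t < nb) return TIME_NOT_YET_VALID;
        if (t > na) return TIME_EXPIRED;
    }
    *bad_index = n;
    return TIME_OK;
}

/* Constructed demo chain: the intermediate deliberately expires before the leaf,
 * so a time in that gap passes the leaf and fails one level up. */
static const struct cert_model demo_chain[] = {
    { "leaf",         "110601000000Z",   "130601000000Z"   }, /* 2011-06-01 .. 2013-06-01 */
    { "intermediate", "100101000000Z",   "120601000000Z"   }, /* 2010-01-01 .. 2012-06-01 */
    { "root",         "20000101000000Z", "20300101000000Z" }, /* 2000-01-01 .. 2030-01-01 */
};
#define DEMO_CHAIN_LEN (sizeof demo_chain / sizeof demo_chain[0])

/* Verify the demo chain as if "now" were t (the X509_V_FLAG_USE_CHECK_TIME path). */
enum time_result verify_demo_at(time_t t)
{
    size_t bad;
    return check_chain_time(demo_chain, DEMO_CHAIN_LEN, &t, &bad);
}

/* Index of the certificate that fails at time t, or DEMO_CHAIN_LEN if none does. */
size_t verify_demo_failing_cert(time_t t)
{
    size_t bad;
    check_chain_time(demo_chain, DEMO_CHAIN_LEN, &t, &bad);
    return bad;
}

int main(void)
{
    static const char *const names[] = { "ok", "not yet valid", "expired", "bad time format" };
    /* Check times: the date of this thread, then one before and one after it. */
    const time_t when[] = { 1326379680 /* 2012-01-12 14:48Z */, 1293840000 /* 2011-01-01 */,
                            1356998400 /* 2013-01-01 */ };
    size_t i;

    for (i = 0; i < sizeof when / sizeof when[0]; i++) {
        enum time_result r = verify_demo_at(when[i]);
        printf("t=%ld: %s", (long)when[i], names[r]);
        if (r != TIME_OK) printf(" (%s)", demo_chain[verify_demo_failing_cert(when[i])].subject);
        printf("\n");
    }
    return 0;
}
```

Passing a pointer for check_time is the X509_V_FLAG_USE_CHECK_TIME path: the supplied value stands in for "now" and is compared against every certificate in the chain, so at 2013-01-01 it is the intermediate that fails even though the leaf is still valid. Whatever you substitute for the clock, a certificate is accepted as long as t falls inside its window, so an unreliable system clock is better answered with a trusted time source than by skipping the check. Outside the 1.0.x-era code this thread is about, OpenSSL 1.1.0 later added X509_V_FLAG_NO_CHECK_TIME, which disables the check outright.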