Hi,

I've been doing testing for new root CA certificate issuance and OpenSSL's chain building/cert chain validation. If I have both the root CA old cert and the root CA new cert (obtained by certificate refresh, i.e. the old subject and old key pair are used to get the root CA new cert for a new time period), and the time is such that the root CA new cert is NOT_YET_VALID, and the new cert is added last in the X509_STORE, then chain building fails with error = CERT_NOT_YET_VALID, even though a valid root CA cert (the old one) is there in the X509_STORE.

The function static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) in x509_vfy.c does check for a subject distinguished name, subject/issuer key identifier, basic constraints etc. match, but cert time validation is deferred until we have a stack with bottom = end-entity cert and top = self-signed root cert, i.e. until static int internal_verify(X509_STORE_CTX *ctx). Because of this the root CA new cert is added to the stack, but later the internal_verify() call fails with CERT_NOT_YET_VALID. What should happen is that cert time validity must be checked during cert chain building (while adding certs to the stack), not after it. So, in all, all certs in the X509_STORE must be looked at before calling internal_verify() for the cert signature check.

Similar behaviour is seen if the old cert is added last (top of the stack in the X509_STORE) and it is expired: then error = CERT_EXPIRED, provided the issued cert is still valid, which is basically a wrong practice (issuing certs beyond the CA's valid time period).

Thanks,
Aslam

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
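The two-phase behaviour the post describes (name/key-identifier/basicConstraints matching in check_issued() during chain building, validity checked only afterwards in internal_verify()) can be reproduced with a small model. The following is an added example, not OpenSSL code and not code from the poster: certificates are plain records, "time" is an integer, the signature check is omitted, and the "last matching store entry wins" selection rule is taken from the post's description rather than from the store lookup code. The time_aware variant shows the alternative the post asks for: prefer a candidate issuer whose validity period covers the verification time, and fall back to the last match only when no candidate is currently valid (which is also how OpenSSL 1.0.2 and later select the issuer in X509_STORE_CTX_get1_issuer(), so the original failure mode does not occur on those releases).

```python
"""Model of OpenSSL's two-phase chain verification: build the chain by
issuer matching first, check validity periods afterwards.  Constructed
example, not OpenSSL code; certificates are records and time is an int."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Status strings mirror OpenSSL's X509_V_ERR_* names.
OK = "OK"
ERR_NOT_YET_VALID = "CERT_NOT_YET_VALID"
ERR_EXPIRED = "CERT_HAS_EXPIRED"
ERR_NO_ISSUER = "UNABLE_TO_GET_ISSUER_CERT"
MAX_DEPTH = 10


@dataclass(frozen=True)
class Cert:
    name: str           # label used in the returned chain
    subject: str
    issuer: str
    key_id: str         # subject key identifier (stands in for the public key)
    auth_key_id: str    # authority key identifier (key id of the signer)
    not_before: int
    not_after: int
    ca: bool = False    # basicConstraints CA flag

    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.auth_key_id


def check_issued(x: Cert, issuer: Cert) -> bool:
    """Name, key-id and basicConstraints match only, no time check
    (the role check_issued() plays in x509_vfy.c)."""
    return issuer.subject == x.issuer and issuer.key_id == x.auth_key_id and issuer.ca


def check_time(c: Cert, now: int) -> str:
    if now < c.not_before:
        return ERR_NOT_YET_VALID
    if now > c.not_after:
        return ERR_EXPIRED
    return OK


def find_issuer(store: List[Cert], x: Cert, now: int, time_aware: bool) -> Optional[Cert]:
    """Pick a candidate issuer from the store.

    time_aware=False: the behaviour described in the post, the last matching
    store entry wins and validity is only checked later.
    time_aware=True: prefer a match whose validity period covers `now`;
    fall back to the last match so the later check still reports an error."""
    last = None
    for cand in store:
        if not check_issued(x, cand):
            continue
        if time_aware and check_time(cand, now) == OK:
            return cand
        last = cand
    return last


def verify(leaf: Cert, store: List[Cert], now: int, time_aware: bool = False) -> Tuple[str, List[str]]:
    """Build the chain bottom-up, then run the deferred validity checks
    (the part internal_verify() does, minus signatures)."""
    chain = [leaf]
    while not chain[-1].self_signed() and len(chain) < MAX_DEPTH:
        issuer = find_issuer(store, chain[-1], now, time_aware)
        if issuer is None:
            return ERR_NO_ISSUER, [c.name for c in chain]
        chain.append(issuer)
    for c in reversed(chain):           # top (root) down to the end entity
        status = check_time(c, now)
        if status != OK:
            return status, [c.name for c in chain]
    return OK, [c.name for c in chain]


# Constructed data: the refreshed root keeps subject and key pair (K1),
# only its validity period moves.  The leaf outlives the old root, which
# the post notes is bad practice but is what makes the expiry case visible.
ROOT_OLD = Cert("root-old", "CN=Root", "CN=Root", "K1", "K1", 100, 200, ca=True)
ROOT_NEW = Cert("root-new", "CN=Root", "CN=Root", "K1", "K1", 250, 350, ca=True)
LEAF = Cert("leaf", "CN=Server", "CN=Root", "K2", "K1", 150, 320)


if __name__ == "__main__":
    cases = [(180, [ROOT_OLD, ROOT_NEW]),   # new root added last, not yet valid
             (180, [ROOT_NEW, ROOT_OLD]),   # old root added last, currently valid
             (300, [ROOT_NEW, ROOT_OLD])]   # old root added last, expired
    for now, store in cases:
        for time_aware in (False, True):
            status, chain = verify(LEAF, store, now, time_aware)
            order = [c.name for c in store]
            print(f"t={now} store={order} time_aware={time_aware}: {status} via {chain}")
```

With the last-match rule the result depends purely on insertion order: at t=180 the store [root-old, root-new] yields CERT_NOT_YET_VALID even though root-old would verify the leaf, and at t=300 the store [root-new, root-old] yields CERT_HAS_EXPIRED even though root-new is valid. The time-aware lookup returns OK in both cases, choosing whichever root covers the verification time.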
