> > The following code results in an ASN1_TIME structure with internal length
> > field of 14 (date1->length = 14).
> > date1 = ASN1_TIME_new();
> > ASN1_GENERALIZEDTIME_set_string(date1, "20020819093712");
> >
> > When extracting time out of an existing certificate however with this date/time
> > would result in a length field of 15 (date2->length = 15).
> > ASN1_GENERALIZEDTIME *date2 = ASN1_TIME_to_generalizedtime
> > (X509_get_notBefore(cert), NULL);
> >
> > Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are
> > exactly the same, 14 characters that make up the date, followed by \0.
> >
> > Have I missed something or is there a bug somewhere?
>
> Was this existing certificate created using OpenSSL?
No. The certificate was created with a Java library (from bouncycastle.com I think).

> What does the time in this existing certificate look like? That is what length
> is reported by asn1parse on it. In particular does the certificate encoding
> include the trailing \0?

The output of openssl asn1parse -inform DER <cert.cer is:

165:d=3 hl=2 l= 13 prim: UTCTIME :020819093712Z

May I assume that the Z stands for \0? And l=13 stands for a length of 13, which gives a length of 15 when the year is written as 2002?

This clears things up a bit, but then my question is how date/time should be handled using openssl code. I'd like to be able to perform a compare operation (==, <, >) on certificate notBefore and notAfter fields. Are there any 'normalization' functions available for example?

Paul
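As an added example (not part of the original message and not OpenSSL code), the following standard-C sketch shows the kind of normalization asked about: both time strings are brought to the 15-character `YYYYMMDDHHMMSSZ` form before comparing, with the trailing `Z` treated as the UTC designator. The names `normalize_time` and `compare_times` are hypothetical, and accepting the 14-character string without `Z` from the first snippet is an assumption made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Normalize UTCTime (YYMMDDHHMMSSZ), GeneralizedTime (YYYYMMDDHHMMSSZ) or the
 * Z-less 14-digit string from the post to YYYYMMDDHHMMSSZ.
 * Field ranges (month, day, ...) are not validated. Returns 0, or -1 on error. */
int normalize_time(const char *in, char out[16])
{
    size_t len = strlen(in), digits, i;
    if (len == 14)
        digits = 14;                            /* 'Z' omitted (assumption) */
    else if ((len == 13 || len == 15) && in[len - 1] == 'Z')
        digits = len - 1;
    else
        return -1;
    for (i = 0; i < digits; i++)
        if (!isdigit((unsigned char)in[i]))
            return -1;
    if (digits == 12) {
        /* RFC 5280: two-digit years 50..99 mean 19YY, 00..49 mean 20YY. */
        int yy = (in[0] - '0') * 10 + (in[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, in, 12);
    } else {
        memcpy(out, in, 14);
    }
    out[14] = 'Z';
    out[15] = '\0';
    return 0;
}

/* Sets *cmp to -1, 0 or 1. Fixed-width UTC digit strings sort
 * chronologically under strcmp. Returns -1 if either input is malformed. */
int compare_times(const char *a, const char *b, int *cmp)
{
    char na[16], nb[16];
    int r;
    if (normalize_time(a, na) != 0 || normalize_time(b, nb) != 0)
        return -1;
    r = strcmp(na, nb);
    *cmp = (r > 0) - (r < 0);
    return 0;
}

int main(void)
{
    int cmp;
    /* Constructed inputs: the two encodings of the date quoted in the post. */
    if (compare_times("20020819093712", "020819093712Z", &cmp) == 0)
        printf("cmp = %d\n", cmp);
    return 0;
}
```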