> > The following code results in an ASN1_TIME structure with internal length
> > field of 14 (date1->length =14).
> >    date1 = ASN1_TIME_new();
> >    ASN1_GENERALIZEDTIME_set_string(date1, "20020819093712");
> >
> > When extracting time out of an existing certificate however with this
> > date/time would result in a length field of 15 (date2->length = 15).
> >    ASN1_GENERALIZEDTIME *date2 = ASN1_TIME_to_generalizedtime
> > (X509_get_notBefore(cert), NULL);
> >
> > Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are
> > exactly the same, 14 characters that make up the date, followed by \0.
> >
> > Have I missed something or is there a bug somewhere?
>
> Was this existing certificate created using OpenSSL?


No. The certificate was created with a Java library (from bouncycastle.com I
think).

> What does the time in this existing certificate look like? That is what
> length is reported by asn1parse on it. In particular does the certificate
> encoding include the trailing \0?

The output of openssl asn1parse -inform DER <cert.cer is:
  165:d=3  hl=2 l=  13 prim: UTCTIME           :020819093712Z

May I assume that the Z stands for \0? And l=13 stands for a length of 13
which gives a length of 15 when the year is written as 2002?

This clears things up a bit, but then my question is how date/time should
be handled using openssl code. I'd like to be able to perform a compare
operation (==, <, >)  on certificate notBefore and notAfter fields. Are
there any 'normalization' functions available for example?

Paul

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
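
An added example, not part of the original message and not OpenSSL code: a standalone normalizer that brings a UTCTime and a GeneralizedTime to one form so notBefore/notAfter values can be compared with ==, < and >. It assumes the DER forms RFC 5280 requires, where the trailing `Z` is a literal UTC designator counted in the length (13 and 15 bytes); the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Normalize DER UTCTime "YYMMDDHHMMSSZ" (13 bytes) or GeneralizedTime
 * "YYYYMMDDHHMMSSZ" (15 bytes) into out as "YYYYMMDDHHMMSSZ" plus NUL.
 * The length is explicit; syntax is checked, calendar ranges are not. */
int normalize_time(const unsigned char *p, size_t len, char out[16])
{
    size_t i;
    if (len != 13 && len != 15)
        return -1;               /* rejects e.g. a 14-byte value with no 'Z' */
    if (p[len - 1] != 'Z')
        return -1;               /* offsets and fractions are not DER here */
    for (i = 0; i < len - 1; i++)
        if (!isdigit(p[i]))
            return -1;
    if (len == 13) {
        /* RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY */
        memcpy(out, p[0] >= '5' ? "19" : "20", 2);
        memcpy(out + 2, p, 13);
    } else {
        memcpy(out, p, 15);
    }
    out[15] = '\0';
    return 0;
}

/* Returns -1, 0 or 1 for a < b, a == b, a > b; -2 if either is malformed.
 * Fixed-width digits in the normalized form sort chronologically. */
int compare_times(const unsigned char *a, size_t alen,
                  const unsigned char *b, size_t blen)
{
    char na[16], nb[16];
    if (normalize_time(a, alen, na) != 0 || normalize_time(b, blen, nb) != 0)
        return -2;
    int r = memcmp(na, nb, 15);
    return (r > 0) - (r < 0);
}

int main(void)
{
    /* Constructed inputs: the UTCTime printed by asn1parse above and the
     * same instant written as a GeneralizedTime. */
    const unsigned char utc[] = "020819093712Z";
    const unsigned char gen[] = "20020819093712Z";
    printf("%d\n", compare_times(utc, 13, gen, 15));
    return 0;
}
```

Later OpenSSL releases provide ASN1_TIME_diff() and ASN1_TIME_compare() for the same comparison on ASN1_TIME objects.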
