On Tue, Jan 14, 2003, Paul Koster wrote:

> > > The following code results in an ASN1_TIME structure with internal length
> > > field of 14 (date1->length = 14).
> > > date1 = ASN1_TIME_new();
> > > ASN1_GENERALIZEDTIME_set_string(date1, "20020819093712");
> > >
> > > When extracting time out of an existing certificate however with this
> > > date/time would result in a length field of 15 (date2->length = 15).
> > > ASN1_GENERALIZEDTIME *date2 = ASN1_TIME_to_generalizedtime(X509_get_notBefore(cert), NULL);
> > >
> > > Consequently ASN1_STRING_cmp(date1, date2) fails, although the strings are
> > > exactly the same, 14 characters that make up the date, followed by \0.
> > >
> > > Have I missed something or is there a bug somewhere?
> >
> > Was this existing certificate created using OpenSSL?
>
> No. The certificate was created with a java library (from bouncycastle.com I
> think).
>
> > What does the time in this existing certificate look like? That is what
> > length is reported by asn1parse on it. In particular does the certificate
> > encoding include the trailing \0?
>
> The output of openssl asn1parse -inform DER <cert.cer is:
> 165:d=3 hl=2 l= 13 prim: UTCTIME :020819093712Z
>
> May I assume that the Z stands for \0? And l=13 stands for a length of 13
> which gives a length of 15 when the year is written as 2002?
>

No, Z is the actual character 'Z'. It's a time zone but the various certificate
standards say it should always be Z for GMT.

> This clears things up a bit, but then my question is how date/time should
> be handled using openssl code. I'd like to be able to perform a compare
> operation (==, <, >) on certificate notBefore and notAfter fields. Are
> there any 'normalization' functions available for example?
>

Both UTCTime and GeneralizedTime can be used to represent date/time, the Time
type (with structure ASN1_TIME) is a combination of the two which uses whatever
is appropriate. UTCTime can only represent years from 1950 to 2049 whereas
GeneralizedTime can represent from 0000 to 9999.

So what you can do is check the type using ASN1_STRING_type(str) and interpret
its contents accordingly.

If however you just want to compare against a time_t value X509_cmp_time() will
do the trick.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
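
Added example, not part of the original thread and not OpenSSL code: stand-alone C that performs the type check and normalization discussed above on the raw content bytes and encoded length of a UTCTime or GeneralizedTime value, then compares the results. The function names and tag constants are hypothetical; it assumes the form with seconds present and a trailing 'Z', and does not range-check month, day or time fields.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tag numbers; the names are hypothetical, not OpenSSL's. */
enum { TAG_UTCTIME = 23, TAG_GENERALIZEDTIME = 24 };

/* Normalize content bytes to "YYYYMMDDHHMMSSZ". Returns 0, or -1 on reject.
 * Assumes seconds are present and the zone is 'Z'. */
int time_normalize(int tag, const unsigned char *p, size_t len, char out[16])
{
    size_t i, digits;
    if (tag == TAG_UTCTIME) digits = 12;
    else if (tag == TAG_GENERALIZEDTIME) digits = 14;
    else return -1;
    /* Use the encoded length, never strlen(): 13 or 15 bytes including 'Z'. */
    if (len != digits + 1 || p[digits] != 'Z') return -1;
    for (i = 0; i < digits; i++)
        if (!isdigit(p[i])) return -1;
    if (tag == TAG_UTCTIME) {
        /* Two-digit year window: 50..99 -> 19xx, 00..49 -> 20xx. */
        int yy = (p[0] - '0') * 10 + (p[1] - '0');
        memcpy(out, yy >= 50 ? "19" : "20", 2);
        memcpy(out + 2, p, 13);
    } else {
        memcpy(out, p, 15);
    }
    out[15] = '\0';
    return 0;
}

/* Sets *res <0, 0 or >0 (a before, equal, after b). Returns -1 if malformed. */
int time_compare(int ta, const unsigned char *a, size_t la,
                 int tb, const unsigned char *b, size_t lb, int *res)
{
    char na[16], nb[16];
    if (time_normalize(ta, a, la, na) || time_normalize(tb, b, lb, nb)) return -1;
    *res = strcmp(na, nb);   /* fixed-width digit strings sort chronologically */
    return 0;
}

int main(void)
{
    /* Values from the thread: the certificate's UTCTime and the same instant. */
    const unsigned char utc[] = "020819093712Z", gen[] = "20020819093712Z";
    int r = 99;
    int ok = time_compare(TAG_UTCTIME, utc, 13, TAG_GENERALIZEDTIME, gen, 15, &r);
    printf("status=%d cmp=%d\n", ok, r);
    /* Passing only 14 bytes (no 'Z') is rejected rather than compared. */
    printf("no-Z status=%d\n", time_normalize(TAG_GENERALIZEDTIME, gen, 14, (char[16]){0}));
    return 0;
}
```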