Steve,
You may be correct, however, while I am aware of some ASN.1 types that
are defined as GeneralizedTime, I am not aware of any that are defined
as UTCTime, as this would make it impossible to denote times after
2049. I checked draft-ietf-pkix-new-asn1-07.txt and
draft-ietf-smime-new-asn1-07.txt, and while GeneralizedTime appears in
both of them several times, UTCTime only appears in the definition of Time.
As for the specific error that I am getting, try running the command:
~~/OpenSSL/openssl-1.0.0-beta3/apps/openssl ca -gencrl -config
openssl.cnf -out crl5.pem -crldays 16000
This should create a CRL with thisUpdate = <current time> and nextUpdate
= <sometime after 2050>. Instead the result is
thisUpdate=nextUpdate=<current time>. The change that I proposed
results in a CRL with thisUpdate and nextUpdate having the times
requested, with thisUpdate encoded as UTCTime and nextUpdate encoded as
GeneralizedTime.
Below is GDB trace of the results of running the above command. Note
that ASN1_TIME_adj() in crypto/asn1/a_time.c seems to always set s->type
to V_ASN1_UTCTIME if the time is between 1950 and 2049 and to
V_ASN1_GENERALIZEDTIME otherwise. The result is that when
X509_time_adj_ex() is called just after X509_CRL_set_lastUpdate() in
ca.c, tmptm->type is V_ASN1_UTCTIME. Since X509_time_adj_ex() will only
return a time encoded as UTCTime if tmptm->type is V_ASN1_UTCTIME,
nextUpdate can't be after 2049.
I tried generating a self-signed certificate:
~~/OpenSSL/openssl-1.0.0-beta3/apps/openssl req -x509 -config openssl.cnf
-newkey rsa:1024 -keyout key55.pem -out req55.pem -days 16000
This works without problem since, unlike when generating a CRL, the
notBefore time is not used as an input to the call to generate the
notAfter time:
if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)) goto end;
I tried making a similar change to ca.c for generating CRLs, and it worked:
X509_gmtime_adj(tmptm,0);
X509_CRL_set_lastUpdate(crl, tmptm);
tmptm = ASN1_TIME_new(); // <-------------------- new line
X509_time_adj_ex(tmptm, crldays, crlhours*60*60 + crlsec, NULL);
X509_CRL_set_nextUpdate(crl, tmptm);
This seems to be consistent with other places in apps/ca.c, apps/x509.c,
and apps/req.c where notAfter is computed as an offset from the current
time, but I don't know if this is the correct general solution. But, at
the moment if X509_time_adj_ex() is called with s->type = V_ASN1_UTCTIME
and s + offset_day + offset_time, s is left unchanged and
X509_time_adj_ex() returns NULL. But not every calling function checks
the value returned by X509_time_adj_ex() and so in some cases the
"unadjusted" time is just used as if the call to X509_time_adj_ex() had
been successful.
Dave
------------------------------------------------------------------------------------------------
(gdb) break ASN1_TIME_new
Breakpoint 1 at 0x811d324: file a_time.c, line 72.
(gdb) run ca -gencrl -config openssl.cnf -out crl5.pem -crldays 16000
Starting program: /home/cooper/OpenSSL/openssl-1.0.0-beta3/apps/openssl
ca -gencrl -config openssl.cnf -out crl5.pem -crldays 16000
Using configuration from openssl.cnf
Breakpoint 1, ASN1_TIME_new () at a_time.c:72
72 IMPLEMENT_ASN1_FUNCTIONS(ASN1_TIME)
Missing debug package(s), you should install: glibc-debug
(gdb) n
ca_main (argc=0, argv=0xbfea9c98) at ca.c:1403
1403 if (!tmptm) goto err;
(gdb) n
1404 X509_gmtime_adj(tmptm,0);
(gdb) s
X509_gmtime_adj (s=0x8a7d298, adj=0) at x509_vfy.c:1750
1750 return X509_time_adj(s, adj, NULL);
(gdb) s
X509_time_adj (s=0x8a7d298, offset_sec=0, in_tm=0x0) at x509_vfy.c:1755
1755 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
(gdb) s
X509_time_adj_ex (s=0x8a7d298, offset_day=0, offset_sec=0, in_tm=0x0) at
x509_vfy.c:1762
1762 int type = -1;
(gdb) n
1764 if (in_tm) t = *in_tm;
(gdb)
1765 else time(&t);
(gdb)
1767 if (s) type = s->type;
(gdb)
1768 if (type == V_ASN1_UTCTIME)
(gdb)
1770 if (type == V_ASN1_GENERALIZEDTIME)
(gdb)
1772 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
(gdb) s
ASN1_TIME_adj (s=0x8a7d298, t=1250601602, offset_day=0, offset_sec=0) at
a_time.c:112
112 ts=OPENSSL_gmtime(&t,&data);
(gdb) n
113 if (ts == NULL)
(gdb)
118 if (offset_day || offset_sec)
(gdb)
123 if((ts->tm_year >= 50) && (ts->tm_year < 150))
(gdb)
124 return ASN1_UTCTIME_adj(s, t,
offset_day, offset_sec);
(gdb) n
126 }
(gdb)
X509_time_adj_ex (s=0x8a7d298, offset_day=0, offset_sec=0, in_tm=0x0) at
x509_vfy.c:1773
1773 }
(gdb)
X509_time_adj (s=0x8a7d298, offset_sec=0, in_tm=0x0) at x509_vfy.c:1756
1756 }
(gdb)
X509_gmtime_adj (s=0x8a7d298, adj=0) at x509_vfy.c:1751
1751 }
(gdb)
ca_main (argc=0, argv=0xbfea9c98) at ca.c:1405
1405 X509_CRL_set_lastUpdate(crl, tmptm);
(gdb) n
1406 X509_time_adj_ex(tmptm, crldays, crlhours*60*60
+ crlsec, NULL);
(gdb)
1407 X509_CRL_set_nextUpdate(crl, tmptm);
(gdb)
1409 ASN1_TIME_free(tmptm);
(gdb) print *tmptm
$1 = {length = 13, type = 23, data = 0x8a7c890 "090818132002Z", flags = 0}
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
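The type-selection rule in ASN1_TIME_adj(), the UTCTime restriction in X509_time_adj_ex(), and the two ca.c flows (reusing the thisUpdate object versus the proposed extra ASN1_TIME_new()) modelled in Python as an added example, not OpenSSL's own code. The V_ASN1_* values are OpenSSL's tag numbers, the epoch value is the t= seen in the trace, and gencrl_times/crl_window_ok are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

# OpenSSL's tags for the two ASN.1 time encodings (V_ASN1_* in asn1.h).
V_ASN1_UTCTIME = 23
V_ASN1_GENERALIZEDTIME = 24

def encode(t, tag):
    """UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is YYYYMMDDHHMMSSZ."""
    return t.strftime("%y%m%d%H%M%SZ" if tag == V_ASN1_UTCTIME else "%Y%m%d%H%M%SZ")

def decode(tag, text):
    """Parse back to a datetime; UTCTime years 50..99 mean 19xx, 00..49 mean 20xx."""
    if tag == V_ASN1_UTCTIME:
        yy = int(text[:2])
        text = ("19" if yy >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def x509_time_adj_ex(existing_type, t, offset_day=0, offset_sec=0):
    """Model of X509_time_adj_ex(): the type already in s (None for a fresh
    ASN1_TIME_new(), whose type is -1) selects the adj routine. Returns
    (type, text), or None where OpenSSL returns NULL and leaves s untouched."""
    adj = t + timedelta(days=offset_day, seconds=offset_sec)
    in_utc_range = 1950 <= adj.year < 2050
    if existing_type == V_ASN1_UTCTIME:
        # ASN1_UTCTIME_adj() cannot express a year outside 1950..2049
        return (V_ASN1_UTCTIME, encode(adj, V_ASN1_UTCTIME)) if in_utc_range else None
    if existing_type == V_ASN1_GENERALIZEDTIME or not in_utc_range:
        return (V_ASN1_GENERALIZEDTIME, encode(adj, V_ASN1_GENERALIZEDTIME))
    return (V_ASN1_UTCTIME, encode(adj, V_ASN1_UTCTIME))  # ASN1_TIME_adj() default

def gencrl_times(now, crldays, fresh_object):
    """Model of the `ca -gencrl` sequence. fresh_object=False reuses the ASN1_TIME
    that already holds thisUpdate (the reported flow); True models the proposed
    extra ASN1_TIME_new() before computing nextUpdate."""
    this_update = x509_time_adj_ex(None, now, 0, 0)        # X509_gmtime_adj(tmptm, 0)
    existing = None if fresh_object else this_update[0]
    next_update = x509_time_adj_ex(existing, now, crldays, 0)
    if next_update is None:
        # ca.c ignores the NULL return, so tmptm still holds thisUpdate and
        # that value is stored as nextUpdate.
        next_update = this_update
    return this_update, next_update

def crl_window_ok(this_update, next_update):
    """Check a CRL is not already stale when issued: nextUpdate must be later."""
    return decode(*next_update) > decode(*this_update)

# Constructed input: the epoch value seen in the GDB trace (t=1250601602).
NOW = datetime.fromtimestamp(1250601602, tz=timezone.utc)
```

Calling gencrl_times(NOW, 16000, False) reproduces the thisUpdate == nextUpdate symptom, while gencrl_times(NOW, 16000, True) yields a GeneralizedTime nextUpdate in 2053.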