validate cert and private key

Discussion to talk about software related topics only.
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: validate cert and private key

Post by Jon »

Hey RebootExpert,

We definitely need to update SSL_IsCertExpired() to handle both date formats, and the intent was for that function to be able to be used with any certificate. We also had an issue with our snprintf() functions, which is why I ended up having to manually terminate the string. I'll work on fixing both and then get you the updated function.

Finally, I'll also be fixing the function that checks the validity to do a comparison between the key and cert that are passed in. I believe this will cover all of your use cases. Thank you for bringing all of this to our attention. I'll be sure to post updates as soon as I have some fixes in place.

Kind Regards,
Jon
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: validate cert and private key

Post by Jon »

Hi RebootExpert,

Here's the function that addresses the two different time formats. I'm working on the certificate validation now. Would you mind testing this against your use case and let me know if it works as expected for you?

    // Body of the expiry check (SSL_IsCertExpired()); certBuff, certLen and
    // certBuffFormat are the function's parameters.

    // Make sure we have system time
    if(!SetTimeNTPFromPool(false))
    {
        return false;
    }

    const uint16_t expBufLen = 64;
    unsigned char expBuf[expBufLen] = {0};
    if( SSL_GetExpirationDate(certBuff, certLen, expBuf, expBufLen, certBuffFormat))
    {
        // Get current time and compare it to expiration date
        time_t now = time(nullptr);

        // expBuf holds the raw ASN.1 Time element: expBuf[0] is the tag
        // (0x17 = UTCTime, 0x18 = GeneralizedTime), expBuf[1] is the content
        // length, and the date string itself starts at expBuf[2]. Every offset
        // below is relative to that two-byte header.
        iprintf("Expiration information: ");
        for(int i = 0; i < expBufLen && expBuf[i] != 0; i++)
        {
            iprintf("%c", expBuf[i]);
        }
        iprintf("\r\n");

        // Two date formats are possible based on the year of expiration according to RFC 5280:
        // 1) A 12 digit value in the format of YYMMDDHHMMSSZ when the expiration year falls before 2050,
        //    which follows these conventions:
        //    - Where YY is greater than or equal to 50, the year SHALL be interpreted as 19YY
        //    - Where YY is less than 50, the year SHALL be interpreted as 20YY
        // 2) A 14 digit value in the format of YYYYMMDDHHMMSSZ when the expiration year falls on or after 2050

        int bufIndMod = 0;
        // 14 digit format: the 'Z' sits at expBuf[16], so expBuf[14] is still a
        // digit. In the 12 digit format the 'Z' is at expBuf[14].
        if(expBuf[14] != 'Z')
        {
            bufIndMod = 2;
        }

        // Zero-initialise so tm_isdst and the fields we never set are not garbage
        struct tm ExpTime = {0};
        // Large enough for the four digit year plus terminator
        char tempBuf[5] = {0};

        // sniprintf() in this release does not always write the terminator, so
        // every field is terminated explicitly after the copy.
        sniprintf(tempBuf, 3, "%s", &expBuf[4 + bufIndMod]);
        tempBuf[2] = '\0';
        ExpTime.tm_mon = atoi(tempBuf) - 1;

        sniprintf(tempBuf, 3, "%s", &expBuf[6 + bufIndMod]);
        tempBuf[2] = '\0';
        ExpTime.tm_mday = atoi(tempBuf);

        // Year: 2 digits at expBuf[2] in the 12 digit format, 4 digits in the 14 digit format
        sniprintf(tempBuf, (3 + bufIndMod), "%s", &expBuf[2]);
        tempBuf[2 + bufIndMod] = '\0';
        ExpTime.tm_year = atoi(tempBuf);
        // If we're using the 12 digit format, we need to modify the year based on the rules above,
        // but minus 1900 for the time conversion.
        if( bufIndMod == 0 )
        {
            ExpTime.tm_year += (ExpTime.tm_year >= 50) ? 0 : 100;
        }
        else
        {
            ExpTime.tm_year = ExpTime.tm_year - 1900;
        }

        sniprintf(tempBuf, 3, "%s", &expBuf[8 + bufIndMod]);
        tempBuf[2] = '\0';
        ExpTime.tm_hour = atoi(tempBuf);

        sniprintf(tempBuf, 3, "%s", &expBuf[10 + bufIndMod]);
        tempBuf[2] = '\0';
        ExpTime.tm_min = atoi(tempBuf);

        sniprintf(tempBuf, 3, "%s", &expBuf[12 + bufIndMod]);
        tempBuf[2] = '\0';
        ExpTime.tm_sec = atoi(tempBuf);

        /* mktime() converts the struct tm to a time_t. It interprets the fields
         * as local time while the certificate time is UTC, so this comparison
         * assumes the system clock is kept in UTC.
         */
        time_t exp = mktime(&ExpTime);
        return (difftime(exp, now) < 0);
    }
    return false;

Kind Regards,
Jon
RebootExpert
Posts: 78
Joined: Fri Oct 09, 2020 2:57 pm

Re: validate cert and private key

Post by RebootExpert »

Yeah, it works smoothly, but I have to null terminate the tempBuf as the sniprintf() is not null terminating at this point.
One thing I notice: when I test a cert that has an expiration date of Mar 16, 2061 4:23:24 PM, the expBuf returns as:

2061031616232
23 13 50 48 54 49 48 51 49 54 49 54 50 51 50 0 0 0 0 0... (ascii value)

so this one is missing the last digit of the seconds and the ending Z.
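As an added example, not code from the thread or from the NetBurner library: a stand-alone C parser for the raw ASN.1 Time element that Jon's posted code indexes into (tag byte, length byte, then the date string, which is the layout RebootExpert's byte dump shows: 23 = 0x17 UTCTime tag, 13 = length). It handles both UTCTime and GeneralizedTime per RFC 5280, converts to UTC epoch seconds without mktime()'s local-time assumption, and rejects malformed input such as the 13-byte 2061 date above instead of silently parsing it. The function names and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* ASN.1 tags for the two Time encodings RFC 5280 allows in the validity field */
#define ASN1_UTCTIME         0x17
#define ASN1_GENERALIZEDTIME 0x18

/* Parse exactly n ASCII digits; returns -1 if any byte is not a digit. */
static int read_digits(const unsigned char *p, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's algorithm). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/*
 * Parse an X.509 Time TLV (tag, one-byte length, content) into UTC seconds
 * since the epoch. Returns 0 on success, -1 if the encoding is malformed.
 */
int asn1_time_to_epoch(const unsigned char *tlv, size_t tlv_len, int64_t *out)
{
    if (tlv_len < 2) return -1;
    unsigned char tag = tlv[0];
    size_t len = tlv[1];
    if (len > tlv_len - 2) return -1;          /* declared length must fit the buffer */
    const unsigned char *s = tlv + 2;

    int year, pos;
    if (tag == ASN1_UTCTIME && len == 13) {
        /* YYMMDDHHMMSSZ (RFC 5280 4.1.2.5.1): YY >= 50 means 19YY, else 20YY */
        int yy = read_digits(s, 2);
        if (yy < 0) return -1;
        year = (yy >= 50) ? 1900 + yy : 2000 + yy;
        pos = 2;
    } else if (tag == ASN1_GENERALIZEDTIME && len == 15) {
        /* YYYYMMDDHHMMSSZ (RFC 5280 4.1.2.5.2): no fractional seconds allowed */
        year = read_digits(s, 4);
        if (year < 0) return -1;
        pos = 4;
    } else {
        return -1;  /* unknown tag, or a length that does not match the tag (truncated) */
    }

    int mon  = read_digits(s + pos, 2),     day = read_digits(s + pos + 2, 2);
    int hour = read_digits(s + pos + 4, 2), min = read_digits(s + pos + 6, 2);
    int sec  = read_digits(s + pos + 8, 2);
    if (s[pos + 10] != 'Z') return -1;        /* RFC 5280 requires the trailing Z (UTC) */
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||     /* day-of-month not checked per month */
        hour < 0 || hour > 23 || min < 0 || min > 59 || sec < 0 || sec > 59)
        return -1;

    *out = days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec;
    return 0;
}

/* Convenience wrapper: epoch seconds, or -1 when the element is malformed. */
int64_t asn1_time_epoch_or_neg1(const unsigned char *tlv, size_t tlv_len)
{
    int64_t t;
    return asn1_time_to_epoch(tlv, tlv_len, &t) == 0 ? t : -1;
}

/* 1 = expired, 0 = still valid, -1 = unparseable (fail closed: do not trust the cert). */
int cert_time_expired(const unsigned char *tlv, size_t tlv_len, int64_t now)
{
    int64_t not_after;
    if (asn1_time_to_epoch(tlv, tlv_len, &not_after) != 0)
        return -1;
    return now > not_after ? 1 : 0;
}

/* Constructed sample elements (hypothetical, not taken from a real certificate). */
static const unsigned char SAMPLE_UTC[] =
    { 0x17, 13, '2','1','0','3','1','6','1','6','2','3','2','4','Z' };          /* 2021-03-16 16:23:24Z */
static const unsigned char SAMPLE_GEN[] =
    { 0x18, 15, '2','0','6','1','0','3','1','6','1','6','2','3','2','4','Z' };  /* 2061-03-16 16:23:24Z */
/* The shape reported in the thread: a 2061 date labelled UTCTime with length 13, losing "4Z" */
static const unsigned char SAMPLE_TRUNC[] =
    { 0x17, 13, '2','0','6','1','0','3','1','6','1','6','2','3','2' };
```

Because the result is an int64_t rather than a time_t, the 2061 value survives on targets whose time_t is a signed 32-bit counter, which wraps in January 2038; a cert that expires in 2061 cannot be compared correctly through a 32-bit mktime() at all. Treating a parse failure as "not valid" rather than "not expired" is the safer default for a TLS client.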
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: validate cert and private key

Post by Jon »

Hi RebootExpert,

You're right on the null termination. Sorry about that. I had fixed the system files for that function, but those won't be out until the next release. That's really interesting on that certificate. Is that one that you generated yourself, or one that you purchased from somewhere? I'd like to see if we can replicate that, and knowing where it came from might help speed up the process.

Kind Regards,
Jon
RebootExpert
Posts: 78
Joined: Fri Oct 09, 2020 2:57 pm

Re: validate cert and private key

Post by RebootExpert »

I use the tool OpenSSL to generate all the certificates.
Jon
Posts: 79
Joined: Mon Feb 05, 2018 10:54 am

Re: validate cert and private key

Post by Jon »

Great, I'll give that a shot too and see what I get. Thank you for the additional information.