API for Certificate checking without date checks

Alexandr Nedvedicky sashan at openssl.org
Tue Mar 5 08:43:36 UTC 2024


Hello,

There seems to be a way to get what you want; see the openssl-verify(1)
manual page.  There are options which control how openssl treats
time fields when it validates certificates:

       -attime timestamp
           Perform validation checks using time specified by timestamp and not
           current system time. timestamp is the number of seconds since
           January 1, 1970 (i.e., the Unix Epoch).

       -no_check_time
           This option suppresses checking the validity period of certificates
           and CRLs against the current time. If option -attime is used to
           specify a verification time, the check is not suppressed.

I think something like
    openssl verify -no_check_time ...
is the option you need to add to your 'verify' subcommand.

To do it in code, just get the idea from apps/verify.c
in openssl. It looks like you need to do something like:

    X509_STORE *store;
    X509_VERIFY_PARAM *vpm = NULL;

    vpm = X509_VERIFY_PARAM_new();
    /* API equivalent of the -no_check_time option */
    X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);

    store = X509_STORE_new();
    ...
    /* copies vpm into the store; every X509_STORE_CTX made from it inherits the flag */
    X509_STORE_set1_param(store, vpm);
    X509_VERIFY_PARAM_free(vpm);


More details can be found in verify_main() in apps/verify.c.

hope it helps
regards
sashan

On Mon, Mar 04, 2024 at 10:22:36PM -0800, Hal Murray wrote:
> 
> Context is the chicken and egg problem of using TLS before a system knows the 
> time.
> 
> I work on NTP software.  NTP uses NTS (Network Time Security) which uses TLS 
> to make sure it is talking to the right servers.
> 
> I'm trying to figure out how to get started on a system that doesn't know the 
> time yet.  (Many low cost systems like the Raspberry Pi don't have a battery 
> backed clock.)
> 
> I think I want to try something like:
>   Do everything except check the time on certificates
>   Get the time, assuming those certificates are valid.
>   Now check to see if those certificates were valid.
> 
> The command line tools have -no_check_time
> 
> Is there something similar in the API?  I've looked, but maybe not in the 
> right place.
> 
> If not, any suggestions for good code to copy?
> 
> -- 
> These are my opinions.  I hate spam.


More information about the openssl-users mailing list