Hello,

there seems to be a way to get what you want; see the openssl-verify(1) manual
page. There are options which control how openssl treats time fields when it
validates certificates:

    -attime timestamp
        Perform validation checks using time specified by timestamp and not
        current system time. timestamp is the number of seconds since
        January 1, 1970 (i.e., the Unix Epoch).

    -no_check_time
        This option suppresses checking the validity period of certificates
        and CRLs against the current time. If option -attime is used to
        specify a verification time, the check is not suppressed.

I think something like

    openssl verify -no_check_time ...

is the option you need to add to your 'verify' subcommand.

To do it in code, just get the idea from apps/verify.c in openssl. It looks like
you need to do something like:

    #include <openssl/x509_vfy.h>

    X509_STORE *store;
    X509_VERIFY_PARAM *vpm = NULL;

    /* verification parameters with the validity-period check switched off */
    vpm = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
    store = X509_STORE_new();
    ...
    /* the store keeps its own copy of the parameters */
    X509_STORE_set1_param(store, vpm);

More details can be found in verify_main() at apps/verify.c.

hope it helps
regards
sashan

On Mon, Mar 04, 2024 at 10:22:36PM -0800, Hal Murray wrote:
>
> Context is the chicken and egg problem of using TLS before a system knows the
> time.
>
> I work on NTP software. NTP uses NTS (Network Time Security) which uses TLS
> to make sure it is talking to the right servers.
>
> I'm trying to figure out how to get started on a system that doesn't know the
> time yet. (Many low cost systems like the Raspberry Pi don't have a battery
> backed clock.)
>
> I think I want to try something like:
>   Do everything except check the time on certificates
>   Get the time, assuming those certificates are valid.
>   Now check to see if those certificates were valid.
>
> The command line tools have -no_check_time
>
> Is there something similar in the API? I've looked, but maybe not in the
> right place.
>
> If not, any suggestions for good code to copy?
>
> --
> These are my opinions.  I hate spam.
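
The three-step plan from the question, run with the two command-line options quoted in the reply; this is an added example, not part of either message. The CA, leaf and "rogue" certificates, the file names, and the `learned` time (this host's clock standing in for time obtained over NTS) are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify without time, learn the time, then re-check with -attime.
# All keys and certificates are constructed throwaway test material.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA, a leaf it signs, and an unrelated self-signed "rogue" cert.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-nts-server" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-rogue" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# Full verification, with the validity period checked at an explicit time.
verify_at() {        # $1 = cert file, $2 = seconds since the Unix epoch
    openssl verify -CAfile "$WORK/ca.pem" -attime "$2" "$1" >/dev/null 2>&1
}

# Chain and signature checks only; notBefore/notAfter are not compared to a clock.
verify_no_time() {   # $1 = cert file
    openssl verify -CAfile "$WORK/ca.pem" -no_check_time "$1" >/dev/null 2>&1
}

bootstrap_demo() {
    make_certs || return 1
    # A board with no battery-backed clock boots near the epoch: strict check fails.
    verify_at "$WORK/leaf.pem" 1 && return 2
    # Step 1: everything except time. An untrusted issuer must still be rejected.
    verify_no_time "$WORK/leaf.pem" || return 3
    verify_no_time "$WORK/rogue.pem" && return 4
    # Step 2: stand-in for the time learned over NTS (this host's clock + 60 s).
    learned=$(( $(date +%s) + 60 ))
    # Step 3: re-check the same certificate against the learned time.
    verify_at "$WORK/leaf.pem" "$learned" || return 5
    # A learned time past notAfter (30 days) must fail the re-check.
    verify_at "$WORK/leaf.pem" $(( learned + 40 * 86400 )) && return 6
    return 0
}

bootstrap_demo && DEMO_STATUS=0 || DEMO_STATUS=$?
echo "bootstrap_demo exit status: $DEMO_STATUS"
```

A non-zero status names the step that did not behave as expected. Until step 3 passes, the learned time rests only on the chain and signature checks.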