List: Commits
From: Davi Arnaut
Date: March 14 2011 11:20am
Subject: Re: bzr commit into mysql-trunk branch (Georgi.Kodinov:3749) Bug#11764778
On 3/14/11 6:04 AM, Georgi Kodinov wrote:
> Davi,
>
> On 11.03.2011, at 20:23, Davi Arnaut wrote:
>
>> On 3/11/11 11:23 AM, Georgi Kodinov wrote:
>>> #At file:///Users/kgeorge/mysql/work/B57648-ossl-trunk/ based
>>> on revid:marc.alff@stripped
>>>
>>> 3749 Georgi Kodinov	2011-03-11 Bug #11764778: server feature
>>> request - expose ssl certificate details in show global st
>>>
>>> There was no easy way to get the expiration dates of the server's
>>> certificate.
>>>
>>> Implemented two session status variables (Ssl_server_not_before
>>> and Ssl_server_not_after) with the same scope as e.g.
>>> Ssl_verify_depth to return the two dates in YYYY-MM-DD HH:MM:SS.
>>>
>>> Extended yaSSL to implement the needed APIs to return the data
>>> correctly similar to OpenSSL. Now correctly storing and filling
>>> in the subtype to yaSSL's ASN1_TIME. Implemented a yaSSL
>>> specific extension function ASN1_TIME_decode() to take ASN1_TIME
>>> and return its building blocks in separate variables.
>>> Implemented a wrapper for openssl to do the same. Some type
>>> cleanups of some of the internal yaSSL functions. Test case
>>> added.
>>
>> I don't understand why all these date related changes are needed to
>> yaSSL. It seems to me that what is needed is a common function that
>> converts an ASN1_TIME to a time_t (or a string). Am I missing
>> something?
>
> Yes: yaSSL needs a function to extract the parsed server certificate
> first (in order to get the dates in ASN1_TIME). And in order to
> extract it, it needs to make sure it's parsed and it's stored in the
> SSL structure after being parsed (similarly to the client

The X509_get_notBefore and X509_get_notAfter do not return meaningful 
values as they are implemented in yaSSL?

From what I can follow in the current code:

a) After and before dates are stored as members of the X509 class and 
are set when an object of the said class is constructed.

b) The information necessary to construct an X509 object is extracted 
from a certificate, which is parsed by a CertDecoder object.

c) In the CertDecoder class, the method responsible for extracting the 
dates is the GetValidity method. This method is invoked whenever it 
begins decoding an x509 certificate (CertDecoder::Decode).

So, the current code seems to match your definition of parsing and 
storing the dates. Where in this do we lose the date information?

> certificate). As for the ASN1_TIME to string: this is how openssl
> does it, but it's not parsable in any reasonably stable way. As for

Looking at the OpenSSL implementations (depending on the ASN1_TIME type, 
ASN1_UTCTIME_print or ASN1_GENERALIZEDTIME_print), it seems to be pretty 
straightforward.

Why didn't you use ASN1_TIME_print for OpenSSL?

Regards,

Davi
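
The conversion debated in this thread, as an added example that is not code from the patch, from yaSSL or from OpenSSL: it decodes the raw content bytes of an ASN1_TIME, in either its UTCTime or GeneralizedTime subtype, into the YYYY-MM-DD HH:MM:SS form the commit message describes. The function name `asn1_time_to_sql` and the inputs used with it are constructed for illustration; only the "Z" (UTC) encodings that RFC 5280 requires for certificates are accepted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the patch's ASN1_TIME_decode): parse two ASCII
   digits. Callers must have verified that both bytes are digits. */
static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/* Convert UTCTime ("YYMMDDHHMMSSZ", 13 bytes) or GeneralizedTime
   ("YYYYMMDDHHMMSSZ", 15 bytes) to "YYYY-MM-DD HH:MM:SS".
   Returns 0 on success, -1 on malformed or out-of-range input. */
int asn1_time_to_sql(const char *s, size_t len, char *out, size_t outlen)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int year, mon, day, hh, mm, ss, dim;
    size_t i;

    /* The length selects the subtype; fractional seconds and numeric
       offsets are rejected rather than guessed at. */
    if ((len != 13 && len != 15) || s[len - 1] != 'Z' || outlen < 20)
        return -1;
    for (i = 0; i < len - 1; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;

    if (len == 13) {                         /* UTCTime: two-digit year */
        year = two(s);
        year += (year >= 50) ? 1900 : 2000;  /* RFC 5280 pivot: 50..99 -> 19YY */
        s += 2;
    } else {                                 /* GeneralizedTime: four digits */
        year = two(s) * 100 + two(s + 2);
        s += 4;
    }
    mon = two(s);     day = two(s + 2);
    hh  = two(s + 4); mm  = two(s + 6); ss = two(s + 8);

    /* Range-check every field so a malformed certificate date cannot be
       reported as a plausible-looking timestamp. */
    if (mon < 1 || mon > 12 || hh > 23 || mm > 59 || ss > 59)
        return -1;
    dim = mdays[mon - 1];
    if (mon == 2 && year % 4 == 0 && (year % 100 != 0 || year % 400 == 0))
        dim = 29;
    if (day < 1 || day > dim)
        return -1;

    snprintf(out, outlen, "%04d-%02d-%02d %02d:%02d:%02d",
             year, mon, day, hh, mm, ss);
    return 0;
}
```

Dispatching on the subtype matters because the same certificate chain can mix both encodings: RFC 5280 uses UTCTime through 2049 and GeneralizedTime from 2050 onward.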