hi all,

Attached is a small patch to x509.c to allow short-lived certificates (proxies) to be generated. Currently the 'openssl x509' command only supports validity periods of whole days (1 day, or <n> days where <n> is an integer). With this patch it is possible to specify the certificate validity in hours and minutes, e.g.
 openssl x509 -valid 4:00
We use this patch to x509 to generate grid proxies from an Aladdin eToken, using the openssl engine support.

regards,

Jan Just Keijser
System Integrator
Nikhef
Amsterdam

--- openssl-0.9.8d/apps/x509.c  2005-07-16 13:13:03.000000000 +0200
+++ openssl-0.9.8d-jjk/apps/x509.c      2007-05-24 13:19:11.000000000 +0200
@@ -121,6 +121,7 @@
" -addreject arg  - reject certificate for a given purpose\n",
" -setalias arg   - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
+" -valid HH:MM    - How long till expiry of a signed certificate\n",
" -checkend arg - check whether the cert expires in the next arg seconds\n",
"                   exit 1 if so, 0 if not\n",
" -signkey arg    - self sign cert with arg\n",
@@ -147,11 +148,11 @@
};

static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
+static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext, const EVP_MD *digest,
                                               CONF *conf, char *section);
static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
                        X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
- int create,int days, int clrext, CONF *conf, char *section,
+ int create,int minutes, int clrext, CONF *conf, char *section,
                                               ASN1_INTEGER *sno);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile=0;
@@ -181,7 +182,7 @@
       int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
       int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
       int C=0;
-       int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+       int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
       int pprint = 0;
       const char **pp;
       X509_STORE *ctx=NULL;
@@ -270,6 +271,26 @@
                               goto bad;
                               }
                       }
+               else if (strcmp(*argv,"-valid") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+
+                       char *delim = strchr(*(++argv), ':');
+                       if (delim)
+                               {
+                               *delim = '\0';
+                               delim++;
+                               minutes = atoi( delim );
+                       }
+                       int hours = atoi( *argv );
+                       minutes = 60 * hours + minutes;
+
+                       if (minutes == 0)
+                               {
+ BIO_printf(STDout,"bad -valid specification\n");
+                               goto bad;
+                               }
+                       }
               else if (strcmp(*argv,"-passin") == 0)
                       {
                       if (--argc < 1) goto bad;
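Review bot: The `-valid` parser accepts inputs it should reject: `atoi()` reports no errors, so `-valid 4x:30` is silently taken as 4 hours, a negative argument such as `-valid -2:00` passes the `minutes == 0` test and produces a certificate whose notAfter precedes notBefore, and a large hour count overflows `60 * hours` in signed `int` (undefined behavior), so the issued lifetime is not the one the operator asked for — for a tool that mints proxy credentials, silently issuing the wrong validity period is the security-relevant failure. Parse with `strtol()` and `endptr` checks, reject negatives and trailing garbage, and bound the hours so the multiplication stays within `int` (this needs `INT_MAX` from `<limits.h>`; check whether the file already includes it). The declarations `char *delim` and `int hours` after a statement are C99 mixed declarations, while the rest of this file declares at the top of a block; moving them up keeps the style consistent and avoids breaking the older compilers this 0.9.8 code base appears to still support. The enclosing option loop and the `bad:` label are outside the hunk.
```c
		else if (strcmp(*argv,"-valid") == 0)
			{
			char *delim, *end;
			long hours, mins = 0;

			if (--argc < 1) goto bad;
			argv++;
			delim = strchr(*argv, ':');
			if (delim != NULL)
				{
				*delim++ = '\0';
				mins = strtol(delim, &end, 10);
				/* MM must be a non-negative number with nothing after it */
				if (end == delim || *end != '\0' || mins < 0 || mins > INT_MAX)
					{
					BIO_printf(STDout,"bad -valid specification\n");
					goto bad;
					}
				}
			hours = strtol(*argv, &end, 10);
			/* HH must be non-negative and 60*HH+MM must fit in an int */
			if (end == *argv || *end != '\0' || hours < 0
				|| hours > (INT_MAX - mins) / 60)
				{
				BIO_printf(STDout,"bad -valid specification\n");
				goto bad;
				}
			minutes = (int)(60 * hours + mins);
			if (minutes == 0)
				{
				BIO_printf(STDout,"bad -valid specification\n");
				goto bad;
				}
			}
```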
@@ -479,6 +500,10 @@
               goto end;
               }

+       if (minutes == 0)
+               {
+               minutes = 24*60*days;
+               }
       if (!X509_STORE_set_default_paths(ctx))
               {
               ERR_print_errors(bio_err);
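Review bot: The fallback `minutes = 24*60*days;` multiplies in `int`, whereas the expression it replaces at the call sites, `(long)60*60*24*days`, was evaluated in `long`; any `-days` value above `INT_MAX/1440` (roughly 1.49 million) that previously produced a valid certificate now overflows (undefined behavior) and issues a certificate with an arbitrary lifetime. Guard it before the assignment, e.g. `if (days > INT_MAX / (24*60)) { BIO_printf(STDout,"bad number of days\n"); goto end; }` (`INT_MAX` needs `<limits.h>` if the file does not already include it), or carry the validity through `sign()` and `x509_certify()` as `long` seconds rather than `int` minutes. A comment is also warranted that this block makes `-valid` silently take precedence over an explicit `-days`, e.g. `/* -valid (in minutes) overrides -days; fall back to -days only when -valid was not given */`. The enclosing main() continues on both sides of this hunk.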
@@ -622,7 +647,7 @@
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;

               X509_gmtime_adj(X509_get_notBefore(x),0);
-               X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
+               X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes);

               pkey = X509_REQ_get_pubkey(req);
               X509_set_pubkey(x,pkey);
@@ -922,7 +947,7 @@
#endif

                               assert(need_rand);
-                               if (!sign(x,Upkey,days,clrext,digest,
+                               if (!sign(x,Upkey,minutes,clrext,digest,
extconf, extsect)) goto end;
                               }
                       else if (CA_flag == i)
@@ -947,7 +972,7 @@

                               assert(need_rand);
                               if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey, CAserial,CA_createserial,days, clrext,
+ CApkey, CAserial,CA_createserial,minutes, clrext,
                                       extconf, extsect, sno))
                                       goto end;
                               }
@@ -1119,7 +1144,7 @@

static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
- int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
+ int minutes, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
       {
       int ret=0;
       ASN1_INTEGER *bs=NULL;
@@ -1160,7 +1185,7 @@
               goto end;

       /* hardwired expired */
- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+       if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
               goto end;

       if (clrext)
@@ -1219,7 +1244,7 @@
       }

/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
+static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext, const EVP_MD *digest,
                                               CONF *conf, char *section)
       {

@@ -1237,7 +1262,7 @@
       /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
       /* 28 days to be certified */

- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+       if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
               goto err;

       if (!X509_set_pubkey(x,pkey)) goto err;
