Hi. I posted this a while ago on openssl-user, maybe it was not the right place since nobody reacted.
Annoyed by having the time part of notBefore and notAfter fields set to the time I run the command, I hacked a "-cleartime" option to "openssl x509" and "openssl req -x509". I attach the patch against the files from debian etch's openssl 0.9.8c-4. Cheers. -- Eric Deplagne
--- req.c.orig 2007-08-21 12:17:38.000000000 +0200
+++ req.c 2007-08-21 12:08:25.000000000 +0200
@@ -169,7 +169,7 @@
EC_KEY *ec_params = NULL;
#endif
unsigned long nmflag = 0, reqflag = 0;
- int ex=1,x509=0,days=30;
+ int ex=1,x509=0,days=30,cleartime=0;
X509 *x509ss=NULL;
X509_REQ *req=NULL;
EVP_PKEY *pkey=NULL;
@@ -461,6 +461,8 @@
days= atoi(*(++argv));
if (days == 0) days=30;
}
+ else if (strcmp(*argv,"-cleartime") == 0)
+ cleartime=1;
else if (strcmp(*argv,"-set_serial") == 0)
{
if (--argc < 1) goto bad;
@@ -531,6 +533,7 @@
BIO_printf(bio_err," -batch do not ask anything during request generation\n");
BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
BIO_printf(bio_err," -days number of days a certificate generated by -x509 is valid for.\n");
+ BIO_printf(bio_err," -cleartime set the notBefore and notAfter fields to midnight, the considered day\n");
BIO_printf(bio_err," -set_serial serial number to use for a certificate generated by -x509.\n");
BIO_printf(bio_err," -newhdr output \"NEW\" in the header lines\n");
BIO_printf(bio_err," -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n");
@@ -929,6 +932,8 @@
{
EVP_PKEY *tmppkey;
X509V3_CTX ext_ctx;
+ time_t t=0;
+
if ((x509ss=X509_new()) == NULL) goto end;
/* Set version to V3 */
@@ -945,8 +950,13 @@
}
if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
- if (!X509_gmtime_adj(X509_get_notBefore(x509ss),0)) goto end;
- if (!X509_gmtime_adj(X509_get_notAfter(x509ss), (long)60*60*24*days)) goto end;
+ if(cleartime)
+ {
+ t=time(NULL);
+ t-=t%(60*60*24);
+ }
+ if (!X509_time_adj(X509_get_notBefore(x509ss),0,&t)) goto end;
+ if (!X509_time_adj(X509_get_notAfter(x509ss), (long)60*60*24*days,&t)) goto end;
if (!X509_set_subject_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
tmppkey = X509_REQ_get_pubkey(req);
if (!tmppkey || !X509_set_pubkey(x509ss,tmppkey)) goto end;
--- x509.c.orig 2007-08-20 18:30:37.000000000 +0200
+++ x509.c 2007-08-21 17:11:17.000000000 +0200
@@ -121,6 +121,7 @@
" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def 30 days\n",
+" -cleartime - Set the notBefore and notAfter fields to midnight, the considered day\n",
" -checkend arg - check whether the cert expires in the next arg seconds\n",
" exit 1 if so, 0 if not\n",
" -signkey arg - self sign cert with arg\n",
@@ -147,11 +148,11 @@
};
static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
+static int sign (X509 *x, EVP_PKEY *pkey,int days,int cleartime,int clrext, const EVP_MD *digest,
CONF *conf, char *section);
static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
X509 *x,X509 *xca,EVP_PKEY *pkey,char *serial,
- int create,int days, int clrext, CONF *conf, char *section,
+ int create,int days,int cleartime, int clrext, CONF *conf, char *section,
ASN1_INTEGER *sno);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile=0;
@@ -181,7 +182,7 @@
int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
- int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+ int x509req=0,days=DEF_DAYS,cleartime=0,modulus=0,pubkey=0;
int pprint = 0;
const char **pp;
X509_STORE *ctx=NULL;
@@ -270,6 +271,8 @@
goto bad;
}
}
+ else if (strcmp(*argv,"-cleartime") == 0)
+ cleartime=++num;
else if (strcmp(*argv,"-passin") == 0)
{
if (--argc < 1) goto bad;
@@ -537,6 +540,7 @@
EVP_PKEY *pkey;
X509_CINF *ci;
BIO *in;
+ time_t t=0;
if (!sign_flag && !CA_flag)
{
@@ -621,8 +625,14 @@
if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
if (!X509_set_subject_name(x,req->req_info->subject)) goto end;
- X509_gmtime_adj(X509_get_notBefore(x),0);
- X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
+ if(cleartime)
+ {
+ t=time(NULL);
+ t-=t%(60*60*24);
+ }
+
+ X509_time_adj(X509_get_notBefore(x),0,&t);
+ X509_time_adj(X509_get_notAfter(x),(long)60*60*24*days,&t);
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x,pkey);
@@ -922,7 +932,7 @@
#endif
assert(need_rand);
- if (!sign(x,Upkey,days,clrext,digest,
+ if (!sign(x,Upkey,days,cleartime,clrext,digest,
extconf, extsect)) goto end;
}
else if (CA_flag == i)
@@ -947,7 +957,7 @@
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
- CApkey, CAserial,CA_createserial,days, clrext,
+ CApkey, CAserial,CA_createserial,days,cleartime, clrext,
extconf, extsect, sno))
goto end;
}
@@ -1119,12 +1129,13 @@
static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
X509 *x, X509 *xca, EVP_PKEY *pkey, char *serialfile, int create,
- int days, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
+ int days, int cleartime, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno)
{
int ret=0;
ASN1_INTEGER *bs=NULL;
X509_STORE_CTX xsc;
EVP_PKEY *upkey;
+ time_t t=0;
upkey = X509_get_pubkey(xca);
EVP_PKEY_copy_parameters(upkey,pkey);
@@ -1156,11 +1167,17 @@
if (!X509_set_issuer_name(x,X509_get_subject_name(xca))) goto end;
if (!X509_set_serialNumber(x,bs)) goto end;
- if (X509_gmtime_adj(X509_get_notBefore(x),0L) == NULL)
+ if(cleartime)
+ {
+ t=time(NULL);
+ t-=t%(60*60*24);
+ }
+
+ if (X509_time_adj(X509_get_notBefore(x),0L,&t) == NULL)
goto end;
/* hardwired expired */
- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+ if (X509_time_adj(X509_get_notAfter(x),(long)60*60*24*days,&t) == NULL)
goto end;
if (clrext)
@@ -1219,11 +1236,12 @@
}
/* self sign */
-static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest,
+static int sign(X509 *x, EVP_PKEY *pkey, int days, int cleartime, int clrext, const EVP_MD *digest,
CONF *conf, char *section)
{
EVP_PKEY *pktmp;
+ time_t t=0;
pktmp = X509_get_pubkey(x);
EVP_PKEY_copy_parameters(pktmp,pkey);
@@ -1231,13 +1249,20 @@
EVP_PKEY_free(pktmp);
if (!X509_set_issuer_name(x,X509_get_subject_name(x))) goto err;
- if (X509_gmtime_adj(X509_get_notBefore(x),0) == NULL) goto err;
+
+ if(cleartime)
+ {
+ t=time(NULL);
+ t-=t%(60*60*24);
+ }
+
+ if (X509_time_adj(X509_get_notBefore(x),0,&t) == NULL) goto err;
/* Lets just make it 12:00am GMT, Jan 1 1970 */
/* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
/* 28 days to be certified */
- if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
+ if (X509_time_adj(X509_get_notAfter(x),(long)60*60*24*days,&t) == NULL)
goto err;
if (!X509_set_pubkey(x,pkey)) goto err;
signature.asc
Description: Digital signature
