I do like the idea, and definitely see the need for this.
A nit pick, though: '-valid' as an option name is a bit confusing; I'd
personally expect it to take a full blown time argument -- something like
DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
that. That or actually have '-valid' take the full blown argument (thereby
replacing '-days' in the long run).

Thoughts?

On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
> hi ,
>
> attached is a minor patch to apps/x509.c. The patch allows the user to
> specify the validity of a certificate in hours and minutes (next to
> days). This is especially useful when creating grid/RFC3820 proxies which
> typically have a duration of 12 hours.
>
> regards,
>
> JJK / Jan Just Keijser
>
>
> ------------------------------------------------------------------------
>
> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200
> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
> @@ -128,6 +128,7 @@
> " -addreject arg - reject certificate for a given purpose\n",
> " -setalias arg - set certificate alias\n",
> " -days arg - How long till expiry of a signed certificate -
> def 30 days\n",
> +" -valid HH:MM - How long till expiry of a signed certificate\n",
> " -checkend arg - check whether the cert expires in the next arg
> seconds\n",
> " exit 1 if so, 0 if not\n",
> " -signkey arg - self sign cert with arg\n",
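Review bot: The added usage line documents `-valid` as taking `HH:MM` only, but the parser added further down treats the `:MM` part as optional (it only looks for a colon) and rejects a zero total, so the help text understates what is accepted. Suggest `" -valid HH[:MM] - How long till expiry of a signed certificate (overrides -days)\n"`; the "overrides -days" part reflects the later fallback that only uses -days when no -valid was given, so confirm that wording against the final behaviour.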
> @@ -154,12 +155,12 @@
> };
>
> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
> EVP_MD *digest,
> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
> const EVP_MD *digest,
> CONF *conf, char *section);
> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
> *digest,
> X509 *x,X509 *xca,EVP_PKEY *pkey,
> STACK_OF(OPENSSL_STRING) *sigopts,
> - char *serial, int create ,int days, int clrext,
> + char *serial, int create ,int minutes, int clrext,
> CONF *conf, char *section, ASN1_INTEGER *sno);
> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> static int reqfile=0;
> @@ -194,7 +195,7 @@
> int ocsp_uri=0;
> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> int C=0;
> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
> int pprint = 0;
> const char **pp;
> X509_STORE *ctx=NULL;
> @@ -292,6 +293,26 @@
> goto bad;
> }
> }
> + else if (strcmp(*argv,"-valid") == 0)
> + {
> + if (--argc < 1) goto bad;
> +
> + char *delim = strchr(*(++argv), ':');
> + if (delim)
> + {
> + *delim = '\0';
> + delim++;
> + minutes = atoi( delim );
> + }
> + int hours = atoi( *argv );
> + minutes = 60 * hours + minutes;
> +
> + if (minutes == 0)
> + {
> + BIO_printf(STDout,"bad -valid specification\n");
> + goto bad;
> + }
> + }
> else if (strcmp(*argv,"-passin") == 0)
> {
> if (--argc < 1) goto bad;
> @@ -511,6 +532,10 @@
> goto end;
> }
>
> + if (minutes == 0)
> + {
> + minutes = 24*60*days;
> + }
> if (!X509_STORE_set_default_paths(ctx))
> {
> ERR_print_errors(bio_err);
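Review bot: The fallback `minutes = 24*60*days` is evaluated in `int`, whereas the code it replaces carried `days` through to a `(long)` multiplication in sign() and to X509_time_adj_ex()'s day argument in x509_certify(), so a large -days value now hits signed-int overflow (undefined behaviour) at this line before either signer sees it; a guard such as `if (days > INT_MAX / (24*60)) { BIO_printf(bio_err, "-days too large\n"); goto end; }` keeps the failure explicit. Using `minutes == 0` as the "no -valid given" sentinel also means a -days passed together with -valid is silently ignored; a one-line warning or a note in the usage text would make that visible. The -days parsing and the enclosing main() lie outside this hunk, so the exact range `days` can reach is not visible here.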
> @@ -964,7 +989,7 @@
> }
>
> assert(need_rand);
> - if (!sign(x,Upkey,days,clrext,digest,
> + if (!sign(x,Upkey,minutes,clrext,digest,
> extconf, extsect)) goto end;
> }
> else if (CA_flag == i)
> @@ -982,7 +1007,7 @@
> assert(need_rand);
> if (!x509_certify(ctx,CAfile,digest,x,xca,
> CApkey, sigopts,
> - CAserial,CA_createserial,days, clrext,
> + CAserial,CA_createserial,minutes, clrext,
> extconf, extsect, sno))
> goto end;
> }
> @@ -1148,7 +1173,7 @@
> X509 *x, X509 *xca, EVP_PKEY *pkey,
> STACK_OF(OPENSSL_STRING) *sigopts,
> char *serialfile, int create,
> - int days, int clrext, CONF *conf, char *section,
> + int minutes, int clrext, CONF *conf, char *section,
> ASN1_INTEGER *sno)
> {
> int ret=0;
> @@ -1191,7 +1216,7 @@
> goto end;
>
> /* hardwired expired */
> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> goto end;
>
> if (clrext)
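Review bot: Replacing `X509_time_adj_ex(..., days, 0, NULL)` with `X509_gmtime_adj(..., (long)60*minutes)` regresses on platforms where `long` is 32 bits: `60*minutes` exceeds LONG_MAX once the validity passes roughly 24,855 days (about 68 years), so a CA-signed `-days 36500` certificate that worked before now overflows (undefined behaviour) instead of getting the intended notAfter. The days-plus-seconds form the old code used avoids the multiplication entirely: `if (X509_time_adj_ex(X509_get_notAfter(x), minutes / (24*60), (minutes % (24*60)) * 60, NULL) == NULL)`. The body of x509_certify() starts and ends outside this hunk.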
> @@ -1251,7 +1276,7 @@
> }
>
> /* self sign */
> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
> EVP_MD *digest,
> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
> const EVP_MD *digest,
> CONF *conf, char *section)
> {
>
> @@ -1269,7 +1294,7 @@
> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
> /* 28 days to be certified */
>
> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
> NULL)
> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> goto err;
>
> if (!X509_set_pubkey(x,pkey)) goto err;
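Review bot: `(long)60*minutes` overflows a 32-bit `long` for validities beyond about 68 years, the same limit the removed `(long)60*60*24*days` had, so this hunk does not regress but leaves the problem in place while touching the line; `if (X509_time_adj_ex(X509_get_notAfter(x), minutes / (24*60), (minutes % (24*60)) * 60, NULL) == NULL)` removes it and keeps the self-sign path consistent with x509_certify(). The context comment `/* 28 days to be certified */` just above is now doubly stale and should describe the new unit, e.g. `/* validity in minutes, from -valid or -days */`. The body of sign() starts and ends outside this hunk.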


--
Richard Levitte
levi...@openssl.org
