Hi Richard,
On 15/07/14 10:56, Richard Levitte via RT wrote:
> I do like the idea, and definitely see the need for this.
> A nit pick, though.... '-valid' as a option name is a bit confusing, I'd
> personally expect it to take a full blown time argument -- something like
> DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
> that. That or actually have '-valid' take the full blown argument (thereby
> replacing '-days' in the long run).
>
thanks for picking this up; the name '-valid' as well as the format
"HH:MM" came from the Globus Toolkit 'grid-proxy-init' command, which
uses the same syntax. I agree that the name might be a bit confusing. If
I understand you correctly you're suggesting to use
-valid DDD-HH:MM
(I'm using '-valid' here for lack of a better name right now) where
anything before the hyphen is the number of days, and anything after it
is the time in HH:MM format? It should be possible to specify HH > 24,
and we could also support MM > 60 (e.g -valid 0-0:1440 == -valid 0-24:00
== -valid 1-0:00 == -days 1)
but then the syntax
-valid 0-24:00
seems confusing as well ... or we could use logic as follows:
if arg contains hyphen then anything before it is #days, anything after
it is time in HH:MM format
if arg contains no hyphen and no colon then it's the number of days
if arg contains no hyphen but it does contain a colon then #days = 0 and
the entire argument is a time in HH:MM format
suggestions?
JJK / Jan Just Keijser
Nikhef
Amsterdam
> On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
>> hi ,
>>
>> attached is a minor patch to apps/x509.c. The patch allows the user to
>> specify the validity of a certificate in hours and minutes (next to
>> days). This is esp useful when creating grid/RFC3820 proxies which
>> typically have a duration of 12 hours.
>>
>> regards,
>>
>> JJK / Jan Just Keijser
>>
>>
>> ------------------------------------------------------------------------
>>
>> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200
>> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
>> @@ -128,6 +128,7 @@
>> " -addreject arg - reject certificate for a given purpose\n",
>> " -setalias arg - set certificate alias\n",
>> " -days arg - How long till expiry of a signed certificate -
>> def 30 days\n",
>> +" -valid HH:MM - How long till expiry of a signed certificate\n",
>> " -checkend arg - check whether the cert expires in the next arg
>> seconds\n",
>> " exit 1 if so, 0 if not\n",
>> " -signkey arg - self sign cert with arg\n",
>> @@ -154,12 +155,12 @@
>> };
>>
>> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
>> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
>> EVP_MD *digest,
>> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
>> const EVP_MD *digest,
>> CONF *conf, char *section);
>> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
>> *digest,
>> X509 *x,X509 *xca,EVP_PKEY *pkey,
>> STACK_OF(OPENSSL_STRING) *sigopts,
>> - char *serial, int create ,int days, int clrext,
>> + char *serial, int create ,int minutes, int clrext,
>> CONF *conf, char *section, ASN1_INTEGER *sno);
>> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
>> static int reqfile=0;
>> @@ -194,7 +195,7 @@
>> int ocsp_uri=0;
>> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
>> int C=0;
>> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
>> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
>> int pprint = 0;
>> const char **pp;
>> X509_STORE *ctx=NULL;
>> @@ -292,6 +293,26 @@
>> goto bad;
>> }
>> }
>> + else if (strcmp(*argv,"-valid") == 0)
>> + {
>> + if (--argc < 1) goto bad;
>> +
>> + char *delim = strchr(*(++argv), ':');
>> + if (delim)
>> + {
>> + *delim = '\0';
>> + delim++;
>> + minutes = atoi( delim );
>> + }
>> + int hours = atoi( *argv );
>> + minutes = 60 * hours + minutes;
>> +
>> + if (minutes == 0)
>> + {
>> + BIO_printf(STDout,"bad -valid specification\n");
>> + goto bad;
>> + }
>> + }
>> else if (strcmp(*argv,"-passin") == 0)
>> {
>> if (--argc < 1) goto bad;
>> @@ -511,6 +532,10 @@
>> goto end;
>> }
>>
>> + if (minutes == 0)
>> + {
>> + minutes = 24*60*days;
>> + }
>> if (!X509_STORE_set_default_paths(ctx))
>> {
>> ERR_print_errors(bio_err);
>> @@ -964,7 +989,7 @@
>> }
>>
>> assert(need_rand);
>> - if (!sign(x,Upkey,days,clrext,digest,
>> + if (!sign(x,Upkey,minutes,clrext,digest,
>> extconf, extsect)) goto end;
>> }
>> else if (CA_flag == i)
>> @@ -982,7 +1007,7 @@
>> assert(need_rand);
>> if (!x509_certify(ctx,CAfile,digest,x,xca,
>> CApkey, sigopts,
>> - CAserial,CA_createserial,days, clrext,
>> + CAserial,CA_createserial,minutes, clrext,
>> extconf, extsect, sno))
>> goto end;
>> }
>> @@ -1148,7 +1173,7 @@
>> X509 *x, X509 *xca, EVP_PKEY *pkey,
>> STACK_OF(OPENSSL_STRING) *sigopts,
>> char *serialfile, int create,
>> - int days, int clrext, CONF *conf, char *section,
>> + int minutes, int clrext, CONF *conf, char *section,
>> ASN1_INTEGER *sno)
>> {
>> int ret=0;
>> @@ -1191,7 +1216,7 @@
>> goto end;
>>
>> /* hardwired expired */
>> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
>> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
>> goto end;
>>
>> if (clrext)
>> @@ -1251,7 +1276,7 @@
>> }
>>
>> /* self sign */
>> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
>> EVP_MD *digest,
>> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
>> const EVP_MD *digest,
>> CONF *conf, char *section)
>> {
>>
>> @@ -1269,7 +1294,7 @@
>> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
>> /* 28 days to be certified */
>>
>> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
>> NULL)
>> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
>> goto err;
>>
>> if (!X509_set_pubkey(x,pkey)) goto err;
>
> --
> Richard Levitte
> levi...@openssl.org
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
