Re: Add CT methods to standard_exts, fix timestamp printing

2021-11-23 Thread Bob Beck
ok beck@

> On Nov 23, 2021, at 21:14, Theo Buehler  wrote:
> 
> Two small diffs now that beck has linked the certificate transparency
> code to the build.
> 
> The diff for ext_dat.h links the CT methods to the standard extensions.
> This replaces the gibberish from the CT extensions which are now present
> in most certs with something readable. Try
> 
> $ openssl s_client -connect libressl.org:443 | openssl x509 -noout -text
> 
> The diff for ct_prn makes sure that the timestamp is actually printed.
> Our ASN1_GENERALIZEDTIME_set_string() does not accept fractional
> seconds, so don't feed them into it for printing.  eopenssl11 doesn't
> print the fractional seconds either.
> 

Add CT methods to standard_exts, fix timestamp printing

2021-11-23 Thread Theo Buehler
Two small diffs now that beck has linked the certificate transparency
code to the build.

The diff for ext_dat.h links the CT methods to the standard extensions.
This replaces the gibberish from the CT extensions which are now present
in most certs with something readable. Try

$ openssl s_client -connect libressl.org:443 | openssl x509 -noout -text

The diff for ct_prn makes sure that the timestamp is actually printed.
Our ASN1_GENERALIZEDTIME_set_string() does not accept fractional
seconds, so don't feed them into it for printing.  eopenssl11 doesn't
print the fractional seconds either.

Index: x509/ext_dat.h
===
RCS file: /cvs/src/lib/libcrypto/x509/ext_dat.h,v
retrieving revision 1.3
diff -u -p -r1.3 ext_dat.h
--- x509/ext_dat.h  2 Sep 2021 21:27:26 -   1.3
+++ x509/ext_dat.h  16 Nov 2021 16:56:19 -
@@ -73,6 +73,7 @@ extern X509V3_EXT_METHOD v3_crl_hold, v3
 extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
 extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
 extern const X509V3_EXT_METHOD v3_addr, v3_asid;
+extern const X509V3_EXT_METHOD v3_ct_scts[3];
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
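Review bot: the new `extern const X509V3_EXT_METHOD v3_ct_scts[3];` declaration is unconditional while its only uses in the table below sit under `#ifndef OPENSSL_NO_CT`; an unused extern is harmless, but wrapping the declaration in the same guard keeps the two in step if the table is ever built without CT. The array length is also repeated here: `[3]` must match the definition in the CT code, which this hunk does not show, so either a comment pointing at that definition or an unsized `v3_ct_scts[]` would make the coupling visible.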
@@ -129,6 +130,11 @@ static const X509V3_EXT_METHOD *standard
_idp,
_alt[2],
_freshest_crl,
+#ifndef OPENSSL_NO_CT
+   _ct_scts[0],
+   _ct_scts[1],
+   _ct_scts[2],
+#endif
 };
 
 /* Number of standard extensions */
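Review bot: the context comment just above this hunk says the table is searched with OBJ_bsearch and *must* stay in ext_nid order, but the three `_ct_scts[]` entries are simply appended after `_freshest_crl`; please confirm that the three CT extension NIDs sort after the freshest CRL NID and after each other in index order 0, 1, 2, because a misordered entry makes the bsearch miss silently and the extension falls back to the unreadable dump this diff is meant to replace. The `/* Number of standard extensions */` line that follows also needs a look: if that count is a literal rather than derived from the array size, it must grow by three inside the same `#ifndef OPENSSL_NO_CT` guard.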
Index: ct/ct_prn.c
===
RCS file: /cvs/src/lib/libcrypto/ct/ct_prn.c,v
retrieving revision 1.3
diff -u -p -r1.3 ct_prn.c
--- ct/ct_prn.c 20 Nov 2021 01:10:49 -  1.3
+++ ct/ct_prn.c 21 Nov 2021 15:32:56 -
@@ -71,8 +71,7 @@ timestamp_print(uint64_t timestamp, BIO 
 * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
 * characters long with a final Z. Update it with fractional seconds.
 */
-   snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
-   ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000));
+   snprintf(genstr, sizeof(genstr), "%.14sZ", ASN1_STRING_get0_data(gen));
if (ASN1_GENERALIZEDTIME_set_string(gen, genstr))
ASN1_GENERALIZEDTIME_print(out, gen);
ASN1_GENERALIZEDTIME_free(gen);
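Review bot: the context comment at the top of this hunk ("Update it with fractional seconds") now describes the behaviour being removed; the replacement `snprintf(genstr, sizeof(genstr), "%.14sZ", ASN1_STRING_get0_data(gen));` copies the first 14 characters of a string that, per that same comment, is already 15 characters ending in Z, so it reproduces the input unchanged and the following `ASN1_GENERALIZEDTIME_set_string()` round trip no longer does anything. Either drop the snprintf/set_string pair and print `gen` directly, or reword the comment to say that the milliseconds in `timestamp % 1000` are deliberately discarded because the setter rejects fractional seconds. Note also that the `if (ASN1_GENERALIZEDTIME_set_string(...))` still fails silently, which is exactly how the old fractional string produced no output at all.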
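To show why the fractional-second form printed nothing, here is an added example (not from this thread or from libcrypto) that formats an SCT timestamp both ways and runs each through a strict RFC 5280 GeneralizedTime check standing in for ASN1_GENERALIZEDTIME_set_string(); the functions sct_to_generalizedtime, generalizedtime_is_strict and print_sct_timestamp are made up for this illustration, and the timestamp value is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Format an SCT timestamp (milliseconds since the Unix epoch) as a
 * GeneralizedTime string. with_frac != 0 appends the ".mmm" fraction the
 * original snprintf produced; 0 yields the plain YYYYMMDDHHMMSSZ form. */
int sct_to_generalizedtime(uint64_t ts_ms, int with_frac, char *out, size_t outlen)
{
	time_t secs = (time_t)(ts_ms / 1000);
	struct tm tm;
	char base[15];

	if (gmtime_r(&secs, &tm) == NULL ||
	    strftime(base, sizeof(base), "%Y%m%d%H%M%S", &tm) != 14)
		return -1;
	if (with_frac)
		snprintf(out, outlen, "%s.%03uZ", base, (unsigned)(ts_ms % 1000));
	else
		snprintf(out, outlen, "%sZ", base);
	return 0;
}

/* Strict RFC 5280 GeneralizedTime check, standing in for a setter that
 * rejects fractional seconds: exactly 14 digits followed by a literal 'Z'. */
int generalizedtime_is_strict(const char *s)
{
	size_t i;
	if (strlen(s) != 15 || s[14] != 'Z')
		return 0;
	for (i = 0; i < 14; i++)
		if (s[i] < '0' || s[i] > '9')
			return 0;
	return 1;
}

/* Mirrors the timestamp_print() flow: format, then hand the string to the
 * strict setter. Returns 1 if a line was printed, 0 if the setter rejected it. */
int print_sct_timestamp(uint64_t ts_ms, int with_frac, FILE *out)
{
	char genstr[32];
	if (sct_to_generalizedtime(ts_ms, with_frac, genstr, sizeof(genstr)) != 0 ||
	    !generalizedtime_is_strict(genstr))
		return 0; /* silent failure, just like the original if() */
	fprintf(out, "%s\n", genstr);
	return 1;
}
```

Calling print_sct_timestamp() with with_frac set returns 0 and prints nothing, while the plain form prints the timestamp, which is the behaviour the ct_prn.c change restores.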