Hi,

I'm using the openssl command to generate test certificates and I'm
running into an annoying "not valid yet" certificate issue.  I cannot
set the notbefore field using the openssl command.

I've made a patch (see attachment) that adds support for a
"-start-days-before" option which is symmetric to the "-days" option.

Patch commit message:
"Sometimes the generated X509 certificate notbefore date must be in the
past.  For instance, if this certificate is going to be included in a
device that might get its clock reset to its default time value, the
included certificate notbefore field must match (or be prior) its
default date value which might be in the past.

This patch adds the support of a -start-days-before option which is
symmetric to the -days option. "

I'm not sure this is the best approach, but having a -notbefore option
taking a date string would require date parsing support, which is not
easy across platforms.  I think that this option, totally symmetric to
"-days", is simple enough and should cover most of the use cases.

What do you think?

Cheers,

Jérémy

-- 
One Emacs to rule them all

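The validity-window reasoning in the message above (a certificate whose notBefore sits after the device's default clock is rejected as "not valid yet") can be made concrete without OpenSSL at hand. The following is an added example, not part of the patch or of OpenSSL: it encodes and parses the DER Validity SEQUENCE of an X.509 certificate (UTCTime with the RFC 5280 two-digit-year pivot, GeneralizedTime from 2050 on), reproduces the patch's arithmetic (notBefore = now - start_days_before days, notAfter = now + days days, both relative to the current time), classifies a window against a device clock, and computes how many days a notBefore would have to be backdated for a given default clock. The sample Validity bytes are constructed here; the function and constant names are this example's own.

```python
import datetime as dt
import re

TAG_SEQUENCE = 0x30
TAG_UTCTIME = 0x17
TAG_GENERALIZEDTIME = 0x18
UTC = dt.timezone.utc

# Constructed sample (not from the patch): a DER Validity SEQUENCE of two UTCTime
# values, notBefore = 2015-10-15 15:12:49Z, notAfter = 30 days later.
SAMPLE_VALIDITY = (
    bytes([TAG_SEQUENCE, 0x1E, TAG_UTCTIME, 0x0D]) + b"151015151249Z"
    + bytes([TAG_UTCTIME, 0x0D]) + b"151114151249Z"
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos:] (short or long length form)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_asn1_time(tag, value):
    """Decode a UTCTime or GeneralizedTime value (RFC 5280 requires seconds and 'Z')."""
    text = value.decode("ascii")
    if tag == TAG_UTCTIME:
        m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", text)
        if not m:
            raise ValueError("malformed UTCTime: %r" % text)
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 4.1.2.5.1 pivot
        fields = [year] + [int(g) for g in m.groups()[1:]]
    elif tag == TAG_GENERALIZEDTIME:
        m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", text)
        if not m:
            raise ValueError("malformed GeneralizedTime: %r" % text)
        fields = [int(g) for g in m.groups()]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime(*fields, tzinfo=UTC)


def parse_validity(der):
    """Return (notBefore, notAfter) from a DER Validity SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, nxt = _read_tlv(seq, 0)
    t2, v2, _ = _read_tlv(seq, nxt)
    return parse_asn1_time(t1, v1), parse_asn1_time(t2, v2)


def encode_asn1_time(t):
    """Encode per RFC 5280: UTCTime before 2050, GeneralizedTime from 2050 on."""
    if t.year < 2050:
        tag, body = TAG_UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = TAG_GENERALIZEDTIME, t.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body


def build_validity(now, days, start_days_before=0):
    """Mirror the patch: notBefore = now - start_days_before, notAfter = now + days."""
    not_before = now - dt.timedelta(days=start_days_before)
    not_after = now + dt.timedelta(days=days)
    content = encode_asn1_time(not_before) + encode_asn1_time(not_after)
    return bytes([TAG_SEQUENCE, len(content)]) + content  # short length form suffices


def validity_status(der, clock):
    """Classify the window against a given clock, as a verifier would."""
    not_before, not_after = parse_validity(der)
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"


def days_to_backdate(der, device_default_clock):
    """Whole days notBefore must move back so a device booting at
    device_default_clock accepts the certificate (0 if it already does)."""
    not_before, _ = parse_validity(der)
    if device_default_clock >= not_before:
        return 0
    delta = not_before - device_default_clock
    return delta.days + (1 if delta.seconds or delta.microseconds else 0)  # ceiling


if __name__ == "__main__":
    device_clock = dt.datetime(2015, 1, 1, tzinfo=UTC)  # constructed default clock
    print(validity_status(SAMPLE_VALIDITY, device_clock))
    print("backdate by", days_to_backdate(SAMPLE_VALIDITY, device_clock), "days")
```

Two points the code makes that the message only implies: because both ends are computed from the current time, the total validity period is `start_days_before + days` rather than `days`, and a notBefore that lands in 2050 or later must switch to GeneralizedTime, which `build_validity` handles automatically.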

From 9a39603bc25a63e5e716b0d57116cef8793fd7e2 Mon Sep 17 00:00:00 2001
From: Jeremy Compostella <jeremy.composte...@intel.com>
Date: Thu, 15 Oct 2015 17:12:49 +0200
Subject: [PATCH] apps/req.c: support start_days_before option for x509

Sometimes the generated X509 certificate notbefore date must be in the
past.  For instance, if this certificate is going to be included in a
device that might get its clock reset to its default time value.  In
that situation, the included certificate notbefore field must match the
default date value which might be in the past.

Change-Id: I2c01bb4f8ea52ab8dd93666ff5eb091fbe236ae0
Tracked-On: NOT YET
Signed-off-by: Jeremy Compostella <jeremy.composte...@intel.com>
---
 apps/req.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index 57781c9..398ee11 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -163,7 +163,7 @@ int MAIN(int argc, char **argv)
 {
     ENGINE *e = NULL, *gen_eng = NULL;
     unsigned long nmflag = 0, reqflag = 0;
-    int ex = 1, x509 = 0, days = 30;
+    int ex = 1, x509 = 0, days = 30, start_days_before = 0;
     X509 *x509ss = NULL;
     X509_REQ *req = NULL;
     EVP_PKEY_CTX *genctx = NULL;
@@ -350,6 +350,10 @@ int MAIN(int argc, char **argv)
             days = atoi(*(++argv));
             if (days == 0)
                 days = 30;
+	} else if (strcmp(*argv, "-start-days-before") == 0) {
+            if (--argc < 1)
+                goto bad;
+            start_days_before = atoi(*(++argv));
         } else if (strcmp(*argv, "-set_serial") == 0) {
             if (--argc < 1)
                 goto bad;
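Review bot: the new branch at `+	} else if (strcmp(*argv, "-start-days-before") == 0) {` is indented with a tab while the surrounding lines use spaces, and `start_days_before = atoi(*(++argv));` accepts a negative or non-numeric argument silently, so `-start-days-before -5` moves notBefore into the future and `-start-days-before abc` does nothing, both without a diagnostic. Consider rejecting values below 0 (and non-numeric input) with `goto bad`; the adjacent `-days` branch at least normalises 0 back to 30. The existing options in this file also use underscores (`-set_serial`), and the patch subject itself says `start_days_before`, so the hyphenated spelling is inconsistent with both.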
@@ -426,7 +430,9 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    " -x509          output a x509 structure instead of a cert. req.\n");
         BIO_printf(bio_err,
-                   " -days          number of days a certificate generated by -x509 is valid for.\n");
+                   " -days          number of days a certificate generated by -x509 is valid for starting now.\n");
+        BIO_printf(bio_err,
+                   " -start-days-before number of days before now a certificate generated by -x509 is valid.\n");
         BIO_printf(bio_err,
                    " -set_serial    serial number to use for a certificate generated by -x509.\n");
         BIO_printf(bio_err,
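Review bot: the help line `" -start-days-before number of days before now a certificate generated by -x509 is valid.\n"` breaks the column layout the other entries keep (option name padded to a fixed width before the description) because the name is longer than that column, and its wording reads as if the certificate were valid only before now. Suggest putting the description on its own indented continuation line and rephrasing to "number of days before now that a certificate generated by -x509 becomes valid", so it pairs with the `starting now` added to the `-days` line.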
@@ -799,7 +805,7 @@ int MAIN(int argc, char **argv)
 
             if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req)))
                 goto end;
-            if (!X509_gmtime_adj(X509_get_notBefore(x509ss), 0))
+            if (!X509_time_adj_ex(X509_get_notBefore(x509ss), -start_days_before, 0, NULL))
                 goto end;
             if (!X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL))
                 goto end;
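Review bot: `X509_time_adj_ex(X509_get_notBefore(x509ss), -start_days_before, 0, NULL)` and the unchanged `X509_time_adj_ex(X509_get_notAfter(x509ss), days, 0, NULL)` both take the current time as their base, so the total validity period becomes `start_days_before + days` rather than `days`; the updated `-days` help text implies this but the commit message should state it. Because `start_days_before` is never range-checked, a negative value larger than `days` yields notBefore later than notAfter, an inverted window that is signed without error. A check that notBefore precedes notAfter before the signing step would catch that.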
-- 
1.9.1

_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev