Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Tomas Mraz via RT
On Tue, 2014-07-15 at 20:08 +0200, Jan Just Keijser via RT wrote:
 On 15/07/14 15:20, Daniel Kahn Gillmor wrote:
  On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
  The Globus syntax is strange. :)
 
  We should support the ISO date/time standard, and use that throughout and 
  not invent yet another syntax, or yet another flag.  It's fairly simple to 
  parse, and handles timezones, relative times, date/time mixing, and so on. 
   The XML XSD spec, for example, has a reasonable explanation.
  Agreed here.  also, the presence of a hyphen in a time marker is too
  easily misunderstood as a minus sign.
 
  If we're talking about the duration of a certificate, we could use
  something like the ISO-8601 duration syntax:
 
 https://en.wikipedia.org/wiki/ISO-8601#Durations
 
  e.g. PT1800S is 1800 seconds
 
 
 I like the idea, but I won't have time to rewrite the patch right now. 
 Implementing full ISO 8601 timestamps will take some effort. I'd also 
 propose to rename '-valid' to '-duration'.
 I'll get back on this in mid-August.

What about just supporting a float number argument for -days (0.5 for 12
hours of certificate validity)? That should be fairly simple, as a first
step. And add something like a -notafter argument that would specify the
exact end datetime in ISO format (not a duration) as a second step.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
(You'll never know whether the road is wrong though.)



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Daniel Kahn Gillmor via RT
On 07/16/2014 03:39 AM, Tomas Mraz via RT wrote:
 What about just supporting float number argument for -days (0.5 for 12
 hours certificate validity)? That should be fairly simple. In the first
 step. And add something like -notafter argument that would specify the
 exact end datetime in the ISO format (not duration) as a second step.

This also seems like a reasonable proposal to me.

--dkg








RE: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Salz, Rich
But then it has to be supported for, like ever. :)

If the right thing to do is the ISO format, and I strongly believe it is, then 
we should just work toward that and not add variants to solve a short-term need 
that will require long-term care and confusion.

/r$ 

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz

Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Daniel Kahn Gillmor via RT
On 07/16/2014 09:40 AM, Salz, Rich wrote:
 But then it has to be supported for, like ever. :)

do you realistically think we'll ever drop support for the -days
argument though?  Dropping -days would break a million scripts.
Extending it to support a non-integer number of days seems like a
straightforward win.

While we're at it, we could extend the -days argument to accept the
ISO-8601 duration format, distinguishing it by whether the first
character is a 'P' or not -- I don't know whether that itself is too
many variants to handle.

 If the right thing to do is the ISO format, and I strongly believe it is, 
 then we should just work toward that and not add variants to solve a 
 short-term need that will require long-term care and confusion.

Tomas' proposal was to use the ISO-8601 date format (which is much
better known than ISO-8601 duration) for a new -notafter argument that
would allow people to specify concrete end times in a standard and
well-understood fashion.

I think this is in line with the goals you describe here, no?

--dkg






Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Hubert Kario
- Original Message -
 From: Rich Salz rs...@akamai.com
 To: openssl-dev@openssl.org, janj...@nikhef.nl
 Sent: Wednesday, 16 July, 2014 3:40:03 PM
 Subject: RE: [openssl.org #3451] patch for x509.c
 
 But then it has to be supported for, like ever. :)
 
 If the right thing to do is the ISO format, and I strongly believe it is,
 then we should just work toward that and not add variants to solve a
 short-term need that will require long-term care and confusion.

The third alternative is to just add -startdate and -enddate from the ca util
and direct people to the `date` application if they want relative
dates, e.g.:

date '+%Y%m%d%H%M%SZ' -d '2 hours ago'
date '+%Y%m%d%H%M%SZ' -d '1 month 12 hours'

Not applicable to all platforms, but (I'd guess) the easiest to implement
and the one providing the most freedom.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hka...@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic


RE: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Salz, Rich
 do you realistically think we'll ever drop support for the -days argument
 though?  Dropping -days would break a million scripts.

No, we'll never drop support for -days.  But whether the code is atoi() or 
atof() is a big difference and might cause important silent failures for new 
scripts running on anything other than the most recent openssl.  On most 
systems atoi("0.5") returns 0 and no error indicator, so -days 0.5 would 
silently do the wrong thing on anything other than openssl 1.0.whatever, which 
seems much worse.

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz


RE: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Salz, Rich
 date '+%Y%m%d%H%M%SZ' -d '1 month 12 hours'

Wow.  Old code never dies; that's my get_date code from August 1990 :)

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz


Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Daniel Kahn Gillmor via RT
On 07/16/2014 11:24 AM, Salz, Rich wrote:
 do you realistically think we'll ever drop support for the -days argument
 though?  Dropping -days would break a million scripts.
 
 No, we'll never drop support for -days.  But whether the code is atoi() or 
 atof() is a big difference and might cause important silent failures for new 
 scripts running on anything other than the most recent openssl.  On most 
 systems atoi(0.5) returns 0 and no error indicator so -days 0.5 would 
 silently do the wrong thing on anything other than openssl 1.0.whatever  
 Which seems much worse.

Ugh, you're quite right.  Sorry, I wasn't thinking about the support
hassle in that direction.

And to make matters worse, openssl req -x509 currently interprets
-days 0 or -days 0.5 or -days PT1800S as "use the default number
of days", which is 30. :/  From experimentation, I just discovered that
-days is also happy to accept and interpret negative integer arguments
as well, resulting in a key with ValidNotBefore later than ValidNotAfter
:(  not even an error message to let you know that you've just created a
certificate that no validation stack in its right mind should ever accept.

I withdraw my support for making -days take a fractional argument, given
the behavior of the existing deployed base.

--dkg
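The two failure modes discussed in the messages above (atoi() turning "0.5" into 0 with no error, and a negative day count producing a certificate whose notAfter precedes notBefore), together with dkg's earlier idea of telling an ISO-8601 duration from a plain day count by its leading 'P', as a worked example in C. This is added code, not part of the patch under discussion and not OpenSSL's own code; `parse_validity_seconds()`, `parse_uint()`, `add_scaled()`, `parse_iso8601_duration()` and `SECONDS_PER_DAY` are hypothetical names, the sample arguments in `main()` are constructed, and the duration parser deliberately accepts only the fixed-length designators (D, and H/M/S after 'T'), rejecting years, months and weeks, which is a choice made here rather than anything the thread specifies.

```c
/* Added example, not code from the OpenSSL patch in this thread: a strict
 * validity-argument parser.  A plain integer is a number of days; a leading
 * 'P' marks an ISO 8601 duration.  Unlike atoi(), "0.5", "-5", "30x", "0"
 * and overflow are reported as errors instead of silently becoming 0 or a
 * notAfter earlier than notBefore.  Assumption: fixed-length designators only. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define SECONDS_PER_DAY 86400L

/* Read decimal digits at *p into *out, advancing *p.  The explicit digit check
 * stops strtol() from skipping whitespace or accepting a sign.  -1 on error. */
static int parse_uint(const char **p, long *out)
{
    char *end;
    if (**p < '0' || **p > '9')
        return -1;
    errno = 0;
    *out = strtol(*p, &end, 10);
    if (errno == ERANGE || *out < 0)
        return -1;
    *p = end;
    return 0;
}

/* *acc += v * unit without overflowing a long. */
static int add_scaled(long *acc, long v, long unit)
{
    if (v > (LONG_MAX - *acc) / unit)
        return -1;
    *acc += v * unit;
    return 0;
}

/* ISO 8601 duration P[nD][T[nH][nM][nS]], e.g. "PT1800S" or "P1DT12H".
 * Designators must be in order, D only before 'T' and H/M/S only after it,
 * so "M" is never read as months.  0 and *seconds on success, else -1. */
static int parse_iso8601_duration(const char *s, long *seconds)
{
    long total = 0, v, unit;
    int in_time = 0, rank, last_rank = -1;

    if (*s++ != 'P')
        return -1;
    while (*s != '\0') {
        if (*s == 'T') {            /* at most one 'T' separator */
            if (in_time++)
                return -1;
            s++;
            continue;
        }
        if (parse_uint(&s, &v) != 0)
            return -1;
        switch (*s++) {
        case 'D': rank = 0; unit = SECONDS_PER_DAY; break;
        case 'H': rank = 1; unit = 3600L; break;
        case 'M': rank = 2; unit = 60L; break;
        case 'S': rank = 3; unit = 1L; break;
        default:  return -1;
        }
        /* D needs !in_time, H/M/S need in_time; order must strictly increase. */
        if ((rank == 0) == in_time || rank <= last_rank
            || add_scaled(&total, v, unit) != 0)
            return -1;
        last_rank = rank;
    }
    if (last_rank < in_time)        /* rejects "P", "PT" and "P1DT" */
        return -1;
    *seconds = total;
    return 0;
}

/* "30" is 30 days, "PT1800S" is 1800 seconds.  Returns the window length in
 * seconds, or -1 so the caller can refuse the argument instead of defaulting. */
long parse_validity_seconds(const char *arg)
{
    long v;
    if (arg == NULL || *arg == '\0')
        return -1;
    if (*arg == 'P')
        return (parse_iso8601_duration(arg, &v) == 0 && v > 0) ? v : -1;
    if (parse_uint(&arg, &v) != 0 || *arg != '\0' || v == 0   /* "0.5", "-5", "30x", "0" */
        || v > LONG_MAX / SECONDS_PER_DAY)
        return -1;
    return v * SECONDS_PER_DAY;
}

int main(void)
{
    /* Constructed sample arguments; -1 in the output means rejected. */
    static const char *const inputs[] = { "30", "0.5", "-5", "30x", "0",
                                          "PT1800S", "P1DT12H", "P1M", "PT" };
    int i;
    for (i = 0; i < (int)(sizeof inputs / sizeof *inputs); i++)
        printf("%-8s -> %ld\n", inputs[i], parse_validity_seconds(inputs[i]));
    return 0;
}
```

The single `-1` return is the only error signal, so in `apps/x509.c` terms a caller would `goto bad` on it rather than fall through to the 30-day default that the thread describes for `-days 0.5`.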






Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Tomas Mraz via RT
On Wed, 2014-07-16 at 17:46 +0200, Daniel Kahn Gillmor via RT wrote:
 On 07/16/2014 11:24 AM, Salz, Rich wrote:
  do you realistically think we'll ever drop support for the -days argument
  though?  Dropping -days would break a million scripts.
  
  No, we'll never drop support for -days.  But whether the code is atoi() or 
  atof() is a big difference and might cause important silent failures for 
  new scripts running on anything other than the most recent openssl.  On 
  most systems atoi(0.5) returns 0 and no error indicator so -days 0.5 
  would silently do the wrong thing on anything other than openssl 
  1.0.whatever  Which seems much worse.
 
 ugh, you're quite right.  Sorry, i wasn't thinking about the support
 hassle in that direction.
 
 And to make matters worse, openssl req -x509 currently interprets
 -days 0 or -days 0.5 or -days PT1800S as use the default number
 of days, which is 30. :/  From experimentation, i just discovered that
 -days is also happy to accept and interpret negative integer arguments
 as well, resulting in a key with ValidNotBefore later than ValidNotAfter
 :(  not even an error message to let you know that you've just created a
 certificate that no validation stack in its right mind should ever accept.
 
 I withdraw my support for making -days take a fractional argument, given
 the behavior of the existing deployed base.

I agree with that as well. I did not look at the actual code in openssl
so I did not know that the fractional argument with the current version
does not error out.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
(You'll never know whether the road is wrong though.)





Re: [openssl.org #3451] patch for x509.c

2014-07-16 Thread Viktor Dukhovni
On Wed, Jul 16, 2014 at 05:46:42PM +0200, Daniel Kahn Gillmor via RT wrote:

 From experimentation, i just discovered that
 -days is also happy to accept and interpret negative integer arguments
 as well, resulting in a key with ValidNotBefore later than ValidNotAfter

That's a useful feature, at least for testing certificate verification
engines: you get what you ask for.  Tools that prevent you from asking
for the wrong thing without recourse are worse.

-- 
Viktor.


[openssl.org #3451] patch for x509.c

2014-07-15 Thread Richard Levitte via RT
I do like the idea, and definitely see the need for this.
A nitpick, though: '-valid' as an option name is a bit confusing; I'd
personally expect it to take a full-blown time argument -- something like
DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
that. That, or actually have '-valid' take the full-blown argument (thereby
replacing '-days' in the long run).

Thoughts?

On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
 hi ,

 attached is a minor patch to apps/x509.c. The patch allows the user to
 specify the validity of a certificate in hours and minutes (next to
 days). This is esp useful when creating grid/RFC3820 proxies which
 typically have a duration of 12 hours.

 regards,

 JJK / Jan Just Keijser


 

 --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.0 +0200
 +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
 @@ -128,6 +128,7 @@
  -addreject arg - reject certificate for a given purpose\n,
  -setalias arg - set certificate alias\n,
  -days arg - How long till expiry of a signed certificate -
 def 30 days\n,
 + -valid HH:MM - How long till expiry of a signed certificate\n,
  -checkend arg - check whether the cert expires in the next arg
 seconds\n,
  exit 1 if so, 0 if not\n,
  -signkey arg - self sign cert with arg\n,
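Review bot: the new `-valid HH:MM` help line does not say how the option interacts with `-days`, although the `-511,6` hunk below makes `-valid` take precedence whenever it is non-zero; suggest stating that, e.g. `-valid HH:MM - How long till expiry of a signed certificate (overrides -days)`. It should also mention that the colon is optional, because the parser treats a bare `HH` as hours with zero minutes.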
 @@ -154,12 +155,12 @@
 };

 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
 EVP_MD *digest,
 +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
 const EVP_MD *digest,
 CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
 *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 - char *serial, int create ,int days, int clrext,
 + char *serial, int create ,int minutes, int clrext,
 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
 @@ -194,7 +195,7 @@
 int ocsp_uri=0;
 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 int C=0;
 - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
 + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
 int pprint = 0;
 const char **pp;
 X509_STORE *ctx=NULL;
 @@ -292,6 +293,26 @@
 goto bad;
 }
 }
 + else if (strcmp(*argv,-valid) == 0)
 + {
 + if (--argc  1) goto bad;
 +
 + char *delim = strchr(*(++argv), ':');
 + if (delim)
 + {
 + *delim = '\0';
 + delim++;
 + minutes = atoi( delim );
 + }
 + int hours = atoi( *argv );
 + minutes = 60 * hours + minutes;
 +
 + if (minutes == 0)
 + {
 + BIO_printf(STDout,bad -valid specification\n);
 + goto bad;
 + }
 + }
 else if (strcmp(*argv,-passin) == 0)
 {
 if (--argc  1) goto bad;
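Review bot: `atoi()` gives no error indication, so the only validation of `-valid` is the `minutes == 0` check afterwards: `-valid abc` is rejected, but `-valid 1x:30` is accepted as 1:30 and `-valid -1:00` produces `minutes = -60`, which later yields a notAfter earlier than notBefore with no diagnostic (the same silent-failure class raised for `-days` in this thread). Suggest `strtol()` with an end-pointer check, rejecting trailing characters and negative values, and guarding against a repeated `-valid`, since without a colon the previous `minutes` value is added to `60 * hours`. Two style points: `char *delim` and `int hours` are declared after statements in the block, which OpenSSL's C89-style code base avoids, and the error is printed to `STDout` rather than `bio_err`, which the surrounding code uses for errors (`ERR_print_errors(bio_err)` in the `-511,6` hunk).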
 @@ -511,6 +532,10 @@
 goto end;
 }

 + if (minutes == 0)
 + {
 + minutes = 24*60*days;
 + }
 if (!X509_STORE_set_default_paths(ctx))
 {
 ERR_print_errors(bio_err);
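Review bot: the fallback `if (minutes == 0) minutes = 24*60*days;` lets `-valid` silently override an explicit `-days` and passes a negative value through unchanged, whether it came from `-days` (the behaviour noted elsewhere in this thread) or from the `-valid` parser, so a backwards validity window reaches `X509_gmtime_adj()` without any message. Suggest failing when both options were given and adding a `minutes <= 0` check at this point.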
 @@ -964,7 +989,7 @@
 }

 assert(need_rand);
 - if (!sign(x,Upkey,days,clrext,digest,
 + if (!sign(x,Upkey,minutes,clrext,digest,
 extconf, extsect)) goto end;
 }
 else if (CA_flag == i)
 @@ -982,7 +1007,7 @@
 assert(need_rand);
 if (!x509_certify(ctx,CAfile,digest,x,xca,
 CApkey, sigopts,
 - CAserial,CA_createserial,days, clrext,
 + CAserial,CA_createserial,minutes, clrext,
 extconf, extsect, sno))
 goto end;
 }
 @@ -1148,7 +1173,7 @@
 X509 *x, X509 *xca, EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 char *serialfile, int create,
 - int days, int clrext, CONF *conf, char *section,
 + int minutes, int clrext, CONF *conf, char *section,
 ASN1_INTEGER *sno)
 {
 int ret=0;
 @@ -1191,7 +1216,7 @@
 goto end;

 /* hardwired expired */
 - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
 + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
 goto end;

 if (clrext)
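Review bot: the `/* hardwired expired */` comment no longer describes what the replaced line does (a minute-based offset from now), so it should be updated alongside the change. The same `(long)60*minutes` expression appears again in `sign()` below; a small shared helper would keep the two call sites in step and give one place for a non-positive check before `X509_gmtime_adj()`.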
 @@ -1251,7 +1276,7 @@
 }

 /* self sign */
 -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
 EVP_MD *digest,
 +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
 const EVP_MD *digest,
 CONF *conf, char *section)
 {

 @@ -1269,7 +1294,7 @@
 /* memcpy(x-cert_info-validity-notBefore,70010112Z,13); */
 /* 28 days to be certified */

 - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
 NULL)
 + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
 goto err;

 if (!X509_set_pubkey(x,pkey)) goto err;


--
Richard Levitte
levi...@openssl.org



Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Jan Just Keijser via RT
Hi Richard,

On 15/07/14 10:56, Richard Levitte via RT wrote:
 I do like the idea, and definitely see the need for this.
 A nit pick, though '-valid' as a option name is a bit confusing, I'd
 personally expect it to take a full blown time argument -- something like
 DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
 that. That or actually have '-valid' take the full blown argument (thereby
 replacing '-days' in the long run).

thanks for picking this up; the name '-valid' as well as the format 
HH:MM came from the Globus Toolkit 'grid-proxy-init' command, which 
uses the same syntax. I agree that the name might be a bit confusing. If 
I understand you correctly you're suggesting to use
  -valid DDD-HH:MM
(I'm using '-valid' here for lack of a better name right now) where 
anything before the hyphen is the number of days, and anything after it 
is the time in HH:MM format? It should be possible to specify HH > 24, 
and we could also support MM > 60 (e.g. -valid 0-0:1440 == -valid 0-24:00 
== -valid 1-0:00 == -days 1)

but then the syntax
  -valid 0-24:00
seems confusing as well ...  or we could use logic as follows:

if arg contains hyphen then anything before it is #days, anything after 
it is time in HH:MM format
if arg contains no hyphen and no colon then it's the number of days
if arg contains no hyphen but it does contain a colon then #days = 0 and 
the entire argument is a time in HH:MM format


suggestions?

JJK / Jan Just Keijser
Nikhef
Amsterdam


 On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
 hi ,

 attached is a minor patch to apps/x509.c. The patch allows the user to
 specify the validity of a certificate in hours and minutes (next to
 days). This is esp useful when creating grid/RFC3820 proxies which
 typically have a duration of 12 hours.

 regards,

 JJK / Jan Just Keijser


 

 --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.0 +0200
 +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
 @@ -128,6 +128,7 @@
  -addreject arg - reject certificate for a given purpose\n,
  -setalias arg - set certificate alias\n,
  -days arg - How long till expiry of a signed certificate -
 def 30 days\n,
 + -valid HH:MM - How long till expiry of a signed certificate\n,
  -checkend arg - check whether the cert expires in the next arg
 seconds\n,
  exit 1 if so, 0 if not\n,
  -signkey arg - self sign cert with arg\n,
 @@ -154,12 +155,12 @@
 };

 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
 EVP_MD *digest,
 +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
 const EVP_MD *digest,
 CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
 *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 - char *serial, int create ,int days, int clrext,
 + char *serial, int create ,int minutes, int clrext,
 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
 @@ -194,7 +195,7 @@
 int ocsp_uri=0;
 int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 int C=0;
 - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
 + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
 int pprint = 0;
 const char **pp;
 X509_STORE *ctx=NULL;
 @@ -292,6 +293,26 @@
 goto bad;
 }
 }
 + else if (strcmp(*argv,-valid) == 0)
 + {
 + if (--argc  1) goto bad;
 +
 + char *delim = strchr(*(++argv), ':');
 + if (delim)
 + {
 + *delim = '\0';
 + delim++;
 + minutes = atoi( delim );
 + }
 + int hours = atoi( *argv );
 + minutes = 60 * hours + minutes;
 +
 + if (minutes == 0)
 + {
 + BIO_printf(STDout,bad -valid specification\n);
 + goto bad;
 + }
 + }
 else if (strcmp(*argv,-passin) == 0)
 {
 if (--argc  1) goto bad;
 @@ -511,6 +532,10 @@
 goto end;
 }

 + if (minutes == 0)
 + {
 + minutes = 24*60*days;
 + }
 if (!X509_STORE_set_default_paths(ctx))
 {
 ERR_print_errors(bio_err);
 @@ -964,7 +989,7 @@
 }

 assert(need_rand);
 - if (!sign(x,Upkey,days,clrext,digest,
 + if (!sign(x,Upkey,minutes,clrext,digest,
 extconf, extsect)) goto end;
 }
 else if (CA_flag == i)
 @@ -982,7 +1007,7 @@
 assert(need_rand);
 if (!x509_certify(ctx,CAfile,digest,x,xca,
 CApkey, sigopts,
 - CAserial,CA_createserial,days, clrext,
 + CAserial,CA_createserial,minutes, clrext,
 extconf, extsect, sno))
 goto end;
 }
 @@ -1148,7 +1173,7 @@
 X509 *x, X509 *xca, EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
 char *serialfile, int create,
 - int days, int clrext, CONF *conf, char *section,
 + int minutes, int clrext, CONF *conf, char *section,
 ASN1_INTEGER *sno)
 {
 int ret=0;
 @@ -1191,7 +1216,7 @@
 goto end;

 /* hardwired expired */
 - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
 + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
 goto end;

 if 

Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Felix Laurie von Massenbach
On 15 Jul 2014 11:06, Jan Just Keijser via RT r...@openssl.org wrote:

 Hi Richard,

 On 15/07/14 10:56, Richard Levitte via RT wrote:
  I do like the idea, and definitely see the need for this.
  A nit pick, though '-valid' as a option name is a bit confusing, I'd
  personally expect it to take a full blown time argument -- something
like
  DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something
like
  that. That or actually have '-valid' take the full blown argument
(thereby
  replacing '-days' in the long run).
 
 thanks for picking this up; the name '-valid' as well as the format
 HH:MM came from the Globus Toolkit 'grid-proxy-init' command, which
 uses the same syntax. I agree that the name might be a bit confusing. If
 I understand you correctly you're suggesting to use
-valid DDD-HH:MM
 (I'm using '-valid' here for lack of a better name right now) where
 anything before the hyphen is the number of days, and anything after it
 is the time in HH:MM format? It should be possible to specify HH > 24,
 and we could also support MM > 60 (e.g. -valid 0-0:1440 == -valid 0-24:00
 == -valid 1-0:00 == -days 1)


We should also support things like -valid 1-24:70 and -valid 2-1:10.

 but then the syntax
-valid 0-24:00
 seems confusing as well ...  or we could use logic as follows:

 if arg contains hyphen then anything before it is #days, anything after
 it is time in HH:MM format
 if arg contains no hyphen and no colon then it's the number of days
 if arg contains no hyphen but it does contain a colon then #days = 0 and
 the entire argument is a time in HH:MM format


 suggestions?

 JJK / Jan Just Keijser
 Nikhef
 Amsterdam


  On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote:
  hi ,
 
  attached is a minor patch to apps/x509.c. The patch allows the user to
  specify the validity of a certificate in hours and minutes (next to
  days). This is esp useful when creating grid/RFC3820 proxies which
  typically have a duration of 12 hours.
 
  regards,
 
  JJK / Jan Just Keijser
 
 
 

 
  --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.0 +0200
  +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
  @@ -128,6 +128,7 @@
   -addreject arg - reject certificate for a given purpose\n,
   -setalias arg - set certificate alias\n,
   -days arg - How long till expiry of a signed certificate -
  def 30 days\n,
  + -valid HH:MM - How long till expiry of a signed certificate\n,
   -checkend arg - check whether the cert expires in the next arg
  seconds\n,
   exit 1 if so, 0 if not\n,
   -signkey arg - self sign cert with arg\n,
  @@ -154,12 +155,12 @@
  };
 
  static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
  -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
  EVP_MD *digest,
  +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
  const EVP_MD *digest,
  CONF *conf, char *section);
  static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
  *digest,
  X509 *x,X509 *xca,EVP_PKEY *pkey,
  STACK_OF(OPENSSL_STRING) *sigopts,
  - char *serial, int create ,int days, int clrext,
  + char *serial, int create ,int minutes, int clrext,
  CONF *conf, char *section, ASN1_INTEGER *sno);
  static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
  static int reqfile=0;
  @@ -194,7 +195,7 @@
  int ocsp_uri=0;
  int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
  int C=0;
  - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
  + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
  int pprint = 0;
  const char **pp;
  X509_STORE *ctx=NULL;
  @@ -292,6 +293,26 @@
  goto bad;
  }
  }
  + else if (strcmp(*argv,-valid) == 0)
  + {
  + if (--argc  1) goto bad;
  +
  + char *delim = strchr(*(++argv), ':');
  + if (delim)
  + {
  + *delim = '\0';
  + delim++;
  + minutes = atoi( delim );
  + }
  + int hours = atoi( *argv );
  + minutes = 60 * hours + minutes;
  +
  + if (minutes == 0)
  + {
  + BIO_printf(STDout,bad -valid specification\n);
  + goto bad;
  + }
  + }
  else if (strcmp(*argv,-passin) == 0)
  {
  if (--argc  1) goto bad;
  @@ -511,6 +532,10 @@
  goto end;
  }
 
  + if (minutes == 0)
  + {
  + minutes = 24*60*days;
  + }
  if (!X509_STORE_set_default_paths(ctx))
  {
  ERR_print_errors(bio_err);
  @@ -964,7 +989,7 @@
  }
 
  assert(need_rand);
  - if (!sign(x,Upkey,days,clrext,digest,
  + if (!sign(x,Upkey,minutes,clrext,digest,
  extconf, extsect)) goto end;
  }
  else if (CA_flag == i)
  @@ -982,7 +1007,7 @@
  assert(need_rand);
  if (!x509_certify(ctx,CAfile,digest,x,xca,
  CApkey, sigopts,
  - CAserial,CA_createserial,days, clrext,
  + CAserial,CA_createserial,minutes, clrext,
  extconf, extsect, sno))
  goto end;
  }
  @@ -1148,7 +1173,7 @@
  X509 *x, X509 *xca, EVP_PKEY *pkey,
  STACK_OF(OPENSSL_STRING) *sigopts,
  char *serialfile, int create,
  - int days, int clrext, CONF *conf, char *section,
  + int minutes, int clrext, 

RE: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Salz, Rich via RT
The Globus syntax is strange. :)

We should support the ISO date/time standard, and use that throughout and not 
invent yet another syntax, or yet another flag.  It's fairly simple to parse, 
and handles timezones, relative times, date/time mixing, and so on.  The XML 
XSD spec, for example, has a reasonable explanation.

/r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz



Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Daniel Kahn Gillmor via RT
On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
 The Globus syntax is strange. :)
 
 We should support the ISO date/time standard, and use that throughout and not 
 invent yet another syntax, or yet another flag.  It's fairly simple to parse, 
 and handles timezones, relative times, date/time mixing, and so on.  The XML 
 XSD spec, for example, has a reasonable explanation.

Agreed here.  Also, the presence of a hyphen in a time marker is too
easily misunderstood as a minus sign.

If we're talking about the duration of a certificate, we could use
something like the ISO-8601 duration syntax:

  https://en.wikipedia.org/wiki/ISO-8601#Durations

e.g. PT1800S is 1800 seconds

--dkg






Re: [openssl.org #3451] patch for x509.c

2014-07-15 Thread Jan Just Keijser via RT
On 15/07/14 15:20, Daniel Kahn Gillmor wrote:
> On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
>> The Globus syntax is strange. :)
>>
>> We should support the ISO date/time standard, and use that throughout and 
>> not invent yet another syntax, or yet another flag.  It's fairly simple to 
>> parse, and handles timezones, relative times, date/time mixing, and so on.  
>> The XML XSD spec, for example, has a reasonable explanation.
> Agreed here. Also, the presence of a hyphen in a time marker is too
> easily misunderstood as a minus sign.
>
> If we're talking about the duration of a certificate, we could use
> something like the ISO-8601 duration syntax:
>
>   https://en.wikipedia.org/wiki/ISO-8601#Durations
>
> e.g. PT1800S is 1800 seconds


I like the idea, but I won't have time to rewrite the patch right now. 
Implementing full ISO 8601 timestamps will take some effort. I'd also 
propose to rename '-valid' to '-duration'.
I'll get back on this in mid-August.

cheers,

JJK / Jan Just Keijser
Nikhef
Amsterdam




[openssl.org #3451] patch for x509.c

2014-07-13 Thread Jan Just Keijser via RT
hi,

attached is a minor patch to apps/x509.c. The patch allows the user to 
specify the validity of a certificate in hours and minutes (next to 
days). This is especially useful when creating grid/RFC3820 proxies which 
typically have a duration of 12 hours.

regards,

JJK / Jan Just Keijser




--- openssl-1.0.1c/apps/x509.c  2011-10-10 01:13:46.0 +0200
+++ openssl-1.0.1c-jjk/apps/x509.c  2012-08-09 09:17:37.783134860 +0200
@@ -128,6 +128,7 @@
  -addreject arg  - reject certificate for a given purpose\n,
  -setalias arg   - set certificate alias\n,
  -days arg   - How long till expiry of a signed certificate - def 30 
days\n,
+ -valid HH:MM- How long till expiry of a signed certificate\n,
  -checkend arg   - check whether the cert expires in the next arg seconds\n,
exit 1 if so, 0 if not\n,
  -signkey arg- self sign cert with arg\n,
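Review bot: the new usage line `-valid HH:MM- How long till expiry of a signed certificate` does not tell the user how -valid relates to -days; in the later hunks any non-zero -valid silently wins over -days (minutes is only derived from days when it is still 0), and a bare `-valid 12` with no colon means twelve hours and zero minutes. Say both here, e.g. "-valid HH:MM - validity in hours and minutes (overrides -days)", and align the description column with the neighbouring lines.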
@@ -154,12 +155,12 @@
 };
 
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
-static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD 
*digest,
+static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext, const EVP_MD 
*digest,
CONF *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
 X509 *x,X509 *xca,EVP_PKEY *pkey,
 STACK_OF(OPENSSL_STRING) *sigopts,
-char *serial, int create ,int days, int clrext,
+char *serial, int create ,int minutes, int clrext,
 CONF *conf, char *section, ASN1_INTEGER *sno);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 static int reqfile=0;
@@ -194,7 +195,7 @@
int ocsp_uri=0;
int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
int C=0;
-   int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
+   int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
int pprint = 0;
const char **pp;
X509_STORE *ctx=NULL;
@@ -292,6 +293,26 @@
goto bad;
}
}
+   else if (strcmp(*argv,-valid) == 0)
+   {
+   if (--argc  1) goto bad;
+
+   char *delim = strchr(*(++argv), ':');
+   if (delim)
+   {
+   *delim = '\0';
+   delim++;
+   minutes = atoi( delim );
+   }
+   int hours = atoi( *argv );
+   minutes = 60 * hours + minutes;
+
+   if (minutes == 0)
+   {
+   BIO_printf(STDout,bad -valid specification\n);
+   goto bad;
+   }
+   }
else if (strcmp(*argv,-passin) == 0)
{
if (--argc  1) goto bad;
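Review bot: the value parsing in this hunk accepts malformed input because atoi() ignores signs and trailing garbage: `-valid 12:xx` becomes twelve hours with zero minutes, and `-valid -5:30` gives a negative minutes count that passes the `minutes == 0` check and produces a notAfter before notBefore. Parse both fields with strtol(), check the end pointer reaches ':' or the terminator, reject negative values and a minutes field of 60 or more, and only then compute `minutes = 60 * hours + minutes`. Two smaller points: `char *delim` and `int hours` are declared after statements inside the block, which the C89-style apps code around them avoids, so move them to the top of the block; and `*delim = '\0'` rewrites the argv string in place, harmless here but worth a comment.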
@@ -511,6 +532,10 @@
goto end;
}
 
+   if (minutes == 0)
+   {
+   minutes = 24*60*days;
+   }
if (!X509_STORE_set_default_paths(ctx))
{
ERR_print_errors(bio_err);
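Review bot: `minutes = 24*60*days;` is int arithmetic, so -days values above INT_MAX/1440 (about 1491308 days) now overflow where the old code passed the day count through unchanged; clamp or reject such values with an explicit check rather than relying on the later code to cope. Since this is also the only point where -days is consumed, consider recording whether -valid was given so that supplying both options can warn or error instead of one quietly discarding the other.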
@@ -964,7 +989,7 @@
}
 
assert(need_rand);
-   if (!sign(x,Upkey,days,clrext,digest,
+   if (!sign(x,Upkey,minutes,clrext,digest,
 extconf, extsect)) goto end;
}
else if (CA_flag == i)
@@ -982,7 +1007,7 @@
assert(need_rand);
if (!x509_certify(ctx,CAfile,digest,x,xca,
CApkey, sigopts,
-   CAserial,CA_createserial,days, clrext,
+   CAserial,CA_createserial,minutes, 
clrext,
extconf, extsect, sno))
goto end;
}
@@ -1148,7 +1173,7 @@
X509 *x, X509 *xca, EVP_PKEY *pkey,
STACK_OF(OPENSSL_STRING) *sigopts,
char *serialfile, int create,
-   int days, int clrext, CONF *conf, char *section,
+   int minutes, int clrext, CONF *conf, char *section,
ASN1_INTEGER *sno)
{
int ret=0;
@@ -1191,7 +1216,7 @@
goto end;
 
/* hardwired expired */
-   if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
+   if
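Review bot: the replacement for `X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL)` is cut off in this copy of the patch, so the new call cannot be checked as posted; whatever form it takes, keep in mind that X509_time_adj_ex() takes (int offset_day, long offset_sec) and `minutes` is an int (see `int minutes, int clrext` in the x509_certify() hunk), so a seconds value computed as `minutes * 60` in int arithmetic wraps once the lifetime exceeds roughly 68 years (INT_MAX seconds is about 24855 days), a range the old day-based call handled. Pass `minutes / 1440` as offset_day and `(long)(minutes % 1440) * 60` as offset_sec, or perform the multiplication in long. The same applies to the sign() body, which is not shown in this excerpt.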