authorStephan Wurm <atomisirsi@gsklan.de>2023-08-09 09:07:46 +0200
committerTomas Mraz <tomas@openssl.org>2024-04-09 20:13:31 +0200
commit8120223773d4c707dd43d9cc42a7fcab19609813 (patch)
treed6ba640c8b11135d9c6f214a507bbcbad744804f /apps/lib
parent4514e02cdfc96589d5e8ab0a08942fafa8e418ae (diff)
apps: ca,req,x509: Add explicit start and end dates options
- Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509` - The new options accept time strings or "today" - In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate` - When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted - In any case, `-not-after` overrides the `-days` option - Added helper function `check_cert_time_string` to validate given certificate time strings - Use the new helper function in apps `ca`, `req` and `x509` - Moved redundant code for time string checking into `set_cert_times` helper function. - Added tests for explicit start and end dates in apps `req` and `x509` - test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl` - CHANGES: Added to new section 3.4 Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21716)
Diffstat (limited to 'apps/lib')
-rw-r--r--apps/lib/apps.c41
1 files changed, 36 insertions, 5 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e04530ff44..c87f0f02f1 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -3275,23 +3275,54 @@ void corrupt_signature(const ASN1_STRING *signature)
s[signature->length - 1] ^= 0x1;
}
+int check_cert_time_string(const char *time, const char *desc)
+{
+ if (time == NULL || strcmp(time, "today") == 0
+ || ASN1_TIME_set_string_X509(NULL, time))
+ return 1;
+ BIO_printf(bio_err,
+ "%s is invalid, it should be \"today\" or have format [CC]YYMMDDHHMMSSZ\n",
+ desc);
+ return 0;
+}
+
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
- int days)
+ int days, int strict_compare_times)
{
+ if (!check_cert_time_string(startdate, "start date"))
+ return 0;
+ if (!check_cert_time_string(enddate, "end date"))
+ return 0;
if (startdate == NULL || strcmp(startdate, "today") == 0) {
- if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
+ if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL) {
+ BIO_printf(bio_err, "Error setting notBefore certificate field\n");
return 0;
+ }
} else {
- if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
+ if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate)) {
+ BIO_printf(bio_err, "Error setting notBefore certificate field\n");
return 0;
+ }
+ }
+ if (enddate != NULL && strcmp(enddate, "today") == 0) {
+ enddate = NULL;
+ days = 0;
}
if (enddate == NULL) {
- if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
- == NULL)
+ if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL) == NULL) {
+ BIO_printf(bio_err, "Error setting notAfter certificate field\n");
return 0;
+ }
} else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) {
+ BIO_printf(bio_err, "Error setting notAfter certificate field\n");
return 0;
}
+ if (ASN1_TIME_compare(X509_get0_notAfter(x), X509_get0_notBefore(x)) < 0) {
+ BIO_printf(bio_err, "%s: end date before start date\n",
+ strict_compare_times ? "Error" : "Warning");
+ if (strict_compare_times)
+ return 0;
+ }
return 1;
}
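Review bot: The new check `if (ASN1_TIME_compare(X509_get0_notAfter(x), X509_get0_notBefore(x)) < 0)` near the end of set_cert_times also matches the -2 that ASN1_TIME_compare returns when either time cannot be converted, reports it as "end date before start date", and in non-strict mode only warns and still returns 1. Both strings were validated by check_cert_time_string at the top of the function, so that path is unlikely, but a comparison failure should not be downgraded to a warning; store the result and handle the error separately: `int cmp = ASN1_TIME_compare(X509_get0_notAfter(x), X509_get0_notBefore(x));` then `if (cmp == -2) { BIO_printf(bio_err, "Error comparing certificate dates\n"); return 0; }` ahead of the existing `< 0` branch rewritten as `if (cmp < 0)`. The changed contract also deserves a header comment on set_cert_times: that `strict_compare_times` non-zero makes notAfter earlier than notBefore fatal, that an enddate of "today" forces `days` to 0, and that check_cert_time_string treats a NULL string as valid while printing its own error for an invalid one. The hunk's trailing context after the closing brace is not visible here.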