author | Claudio Jeker <claudio@cvs.openbsd.org> | 2021-10-07 08:30:40 +0000 |
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2021-10-07 08:30:40 +0000 |
commit | 941e642e5abd6a671b34801b1011e3290d8e36b8 (patch) | |
tree | d4e70d7dfd1c1e03efd82d90d598dfa6b098f211 /usr.sbin/rpki-client | |
parent | 67c3269de386e169f2e7a89161a0b35b439017ac (diff) |
Add x509_get_expire() to extract the not-after time from a certificate
as an epoch time_t. Store the expire time for certs; CRLs will follow after.
OK tb@
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r-- | usr.sbin/rpki-client/cert.c | 3 | ||||
-rw-r--r-- | usr.sbin/rpki-client/extern.h | 5 | ||||
-rw-r--r-- | usr.sbin/rpki-client/x509.c | 25 |
3 files changed, 30 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 979995f8909..943960a94c2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.33 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: cert.c,v 1.34 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -1061,6 +1061,7 @@ cert_parse_inner(X509 **xp, const char *fn, int ta)
 p.res->aia = x509_get_aia(x, p.fn);
 p.res->crl = x509_get_crl(x, p.fn);
 }
+ p.res->expires = x509_get_expire(x, p.fn);
 p.res->purpose = x509_get_purpose(x, p.fn);
 
 /* Validation on required fields. */
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 04804a52882..13f4dd29567 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.68 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: extern.h,v 1.69 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -127,6 +127,7 @@ struct cert {
 enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
 int valid; /* validated resources */
 X509 *x509; /* the cert */
+ time_t expires; /* do not use after */
 };
 
 /*
@@ -232,6 +233,7 @@ struct crl {
 RB_ENTRY(crl) entry;
 char *aki;
 X509_CRL *x509_crl;
+ time_t expires; /* do not use after */
 };
 /*
  * Tree of CRLs sorted by uri
@@ -527,6 +529,7 @@ char *hex_encode(const unsigned char *, size_t);
 char *x509_get_aia(X509 *, const char *);
 char *x509_get_aki(X509 *, int, const char *);
 char *x509_get_ski(X509 *, const char *);
+time_t x509_get_expire(X509 *, const char *);
 char *x509_get_crl(X509 *, const char *);
 char *x509_crl_get_aki(X509_CRL *, const char *);
 enum cert_purpose x509_get_purpose(X509 *, const char *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index ffd393804d4..4e27686ac4c 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.22 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: x509.c,v 1.23 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -233,6 +233,29 @@ out:
 }
 
 /*
+ * Extract the expire time (not-after) of a certificate.
+ */
+time_t
+x509_get_expire(X509 *x, const char *fn)
+{
+ const ASN1_TIME *at;
+ struct tm expires_tm;
+ time_t expires;
+
+ at = X509_get0_notAfter(x);
+ if (at == NULL)
+ errx(1, "%s: X509_get0_notafter failed", fn);
+ memset(&expires_tm, 0, sizeof(expires_tm));
+ if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
+ errx(1, "%s: ASN1_time_parse failed", fn);
+
+ if ((expires = mktime(&expires_tm)) == -1)
+ errx(1, "%s: mktime failed", fn);
+
+ return expires;
+}
+
+/*
  * Parse the very specific subset of information in the CRL distribution
  * point extension.
  * See RFC 6487, sectoin 4.8.6 for details.
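Review bot: The `mktime()` call near the end of x509_get_expire() interprets expires_tm as local time, but the notAfter value that ASN1_time_parse() decoded from the certificate is UTC, so on any host whose TZ is not UTC the returned epoch is off by the zone offset (and DST state); the matching inverse is `if ((expires = timegm(&expires_tm)) == -1)`, which is available on OpenBSD. Relying on the process running with a UTC zone would make the expiry value silently wrong when that assumption breaks, and the error message `"%s: mktime failed"` should follow the function name change. The message on the X509_get0_notAfter() check says `X509_get0_notafter`; matching the real function name keeps the log line greppable. Unlike the neighbouring x509_get_* helpers that cert_parse_inner() appears to validate afterward (their bodies are outside the hunk, so this is inferred), this one terminates the parser via errx() on a malformed notAfter in a remotely fetched certificate; if one bad object is not meant to stop the whole run, returning a sentinel and letting the caller reject the cert would be the more defensive shape.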