authorClaudio Jeker <claudio@cvs.openbsd.org>2021-10-07 08:30:40 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2021-10-07 08:30:40 +0000
commit941e642e5abd6a671b34801b1011e3290d8e36b8 (patch)
treed4e70d7dfd1c1e03efd82d90d598dfa6b098f211 /usr.sbin/rpki-client
parent67c3269de386e169f2e7a89161a0b35b439017ac (diff)
Add x509_get_expire() to extract the not-after time from a certificate
as an epoch time_t. Store the expire time for certs; CRLs will follow later. OK tb@
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/cert.c3
-rw-r--r--usr.sbin/rpki-client/extern.h5
-rw-r--r--usr.sbin/rpki-client/x509.c25
3 files changed, 30 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 979995f8909..943960a94c2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.33 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: cert.c,v 1.34 2021/10/07 08:30:39 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -1061,6 +1061,7 @@ cert_parse_inner(X509 **xp, const char *fn, int ta)
p.res->aia = x509_get_aia(x, p.fn);
p.res->crl = x509_get_crl(x, p.fn);
}
+ p.res->expires = x509_get_expire(x, p.fn);
p.res->purpose = x509_get_purpose(x, p.fn);
/* Validation on required fields. */
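Review bot: The new `p.res->expires = x509_get_expire(x, p.fn);` line introduces a hard exit into certificate parsing: x509_get_expire() calls errx() when X509_get0_notAfter(), ASN1_time_parse() or mktime() fails, so a single certificate with an unparsable notAfter (potentially supplied by a remote repository) terminates the parsing process rather than just that certificate being rejected. If cert_parse_inner otherwise handles malformed fields with a warning and a `goto out` — the function begins outside this hunk, so this is inferred from the "Validation on required fields" code that follows — it would be more consistent for x509_get_expire() to return a sentinel such as `(time_t)-1` and for this call site to treat it like the other field failures. At minimum a comment above the new line, e.g. `/* x509_get_expire() exits on a malformed notAfter; there is no per-cert recovery */`, would make that behaviour visible to the next reader.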
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 04804a52882..13f4dd29567 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.68 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: extern.h,v 1.69 2021/10/07 08:30:39 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -127,6 +127,7 @@ struct cert {
enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
int valid; /* validated resources */
X509 *x509; /* the cert */
+ time_t expires; /* do not use after */
};
/*
@@ -232,6 +233,7 @@ struct crl {
RB_ENTRY(crl) entry;
char *aki;
X509_CRL *x509_crl;
+ time_t expires; /* do not use after */
};
/*
* Tree of CRLs sorted by uri
@@ -527,6 +529,7 @@ char *hex_encode(const unsigned char *, size_t);
char *x509_get_aia(X509 *, const char *);
char *x509_get_aki(X509 *, int, const char *);
char *x509_get_ski(X509 *, const char *);
+time_t x509_get_expire(X509 *, const char *);
char *x509_get_crl(X509 *, const char *);
char *x509_crl_get_aki(X509_CRL *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index ffd393804d4..4e27686ac4c 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.22 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: x509.c,v 1.23 2021/10/07 08:30:39 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -233,6 +233,29 @@ out:
}
/*
+ * Extract the expire time (not-after) of a certificate.
+ */
+time_t
+x509_get_expire(X509 *x, const char *fn)
+{
+ const ASN1_TIME *at;
+ struct tm expires_tm;
+ time_t expires;
+
+ at = X509_get0_notAfter(x);
+ if (at == NULL)
+ errx(1, "%s: X509_get0_notafter failed", fn);
+ memset(&expires_tm, 0, sizeof(expires_tm));
+ if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
+ errx(1, "%s: ASN1_time_parse failed", fn);
+
+ if ((expires = mktime(&expires_tm)) == -1)
+ errx(1, "%s: mktime failed", fn);
+
+ return expires;
+}
+
+/*
* Parse the very specific subset of information in the CRL distribution
* point extension.
* See RFC 6487, sectoin 4.8.6 for details.
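Review bot: The `mktime(&expires_tm)` call interprets the parsed struct tm as local time, but X.509 validity times are encoded in UTC and ASN1_time_parse() fills the struct tm from that UTC encoding, so the returned time_t is shifted by the process's timezone offset (and DST handling) whenever TZ is not UTC, which makes any later expiry comparison accept or reject certificates hours away from their real notAfter. The UTC inverse is the right call here: `if ((expires = timegm(&expires_tm)) == -1)` / `errx(1, "%s: timegm failed", fn);`. Separately, the message `"%s: X509_get0_notafter failed"` misspells the function actually called, `X509_get0_notAfter`, which will mislead anyone grepping for it, and the `-1` failure sentinel from the time conversion is also a legitimate time_t value (one second before the epoch); that is harmless for RPKI certificates but deserves a one-line comment so nobody "fixes" the check.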