[openssl.org #3451] patch for x509.c

[openssl.org #3451] patch for x509.c

Rich Salz via RT
I do like the idea, and definitely see the need for this.
A nit pick, though.... '-valid' as an option name is a bit confusing, I'd
personally expect it to take a full blown time argument -- something like
DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
that. That or actually have '-valid' take the full blown argument (thereby
replacing '-days' in the long run).

Thoughts?

On Sun Jul 13 20:13:28 2014, [hidden email] wrote:

> hi ,
>
> attached is a minor patch to apps/x509.c. The patch allows the user to
> specify the validity of a certificate in hours and minutes (next to
> days). This is especially useful when creating grid/RFC3820 proxies which
> typically have a duration of 12 hours.
>
> regards,
>
> JJK / Jan Just Keijser
>
>
> ------------------------------------------------------------------------
>
> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200
> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
> @@ -128,6 +128,7 @@
> " -addreject arg - reject certificate for a given purpose\n",
> " -setalias arg - set certificate alias\n",
> " -days arg - How long till expiry of a signed certificate -
> def 30 days\n",
> +" -valid HH:MM - How long till expiry of a signed certificate\n",
> " -checkend arg - check whether the cert expires in the next arg
> seconds\n",
> " exit 1 if so, 0 if not\n",
> " -signkey arg - self sign cert with arg\n",
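Review bot: the help line added in this hunk advertises only `-valid HH:MM`, but the parser added further down also accepts a bare hour count (no colon), and `-valid` silently takes precedence over `-days`; both belong in the help text, e.g. `" -valid HH:MM - validity in hours and minutes, overrides -days\n"`. The new string also has no default shown while `-days` states `def 30 days`, so a reader cannot tell what happens when neither is given.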
> @@ -154,12 +155,12 @@
> };
>
> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
> EVP_MD *digest,
> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
> const EVP_MD *digest,
> CONF *conf, char *section);
> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
> *digest,
> X509 *x,X509 *xca,EVP_PKEY *pkey,
> STACK_OF(OPENSSL_STRING) *sigopts,
> - char *serial, int create ,int days, int clrext,
> + char *serial, int create ,int minutes, int clrext,
> CONF *conf, char *section, ASN1_INTEGER *sno);
> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> static int reqfile=0;
> @@ -194,7 +195,7 @@
> int ocsp_uri=0;
> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> int C=0;
> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
> int pprint = 0;
> const char **pp;
> X509_STORE *ctx=NULL;
> @@ -292,6 +293,26 @@
> goto bad;
> }
> }
> + else if (strcmp(*argv,"-valid") == 0)
> + {
> + if (--argc < 1) goto bad;
> +
> + char *delim = strchr(*(++argv), ':');
> + if (delim)
> + {
> + *delim = '\0';
> + delim++;
> + minutes = atoi( delim );
> + }
> + int hours = atoi( *argv );
> + minutes = 60 * hours + minutes;
> +
> + if (minutes == 0)
> + {
> + BIO_printf(STDout,"bad -valid specification\n");
> + goto bad;
> + }
> + }
> else if (strcmp(*argv,"-passin") == 0)
> {
> if (--argc < 1) goto bad;
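Review bot: the `-valid` parser in this hunk relies on `atoi()`, which reports no errors, so `-valid 12:xx` is silently accepted as 12 hours, `-valid 1:-30` yields 30 minutes, and a negative hour count passes the `minutes == 0` check and sets a notAfter that lies before notBefore. Parse both fields with `strtol()`, check the end pointer reaches the terminator, and reject `minutes <= 0` rather than `== 0`. Also, `char *delim = strchr(*(++argv), ':');` and `int hours = atoi( *argv );` are declarations after statements (C99); the 1.0.x apps code keeps to C89, so move both declarations to the top of the block.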
> @@ -511,6 +532,10 @@
> goto end;
> }
>
> + if (minutes == 0)
> + {
> + minutes = 24*60*days;
> + }
> if (!X509_STORE_set_default_paths(ctx))
> {
> ERR_print_errors(bio_err);
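Review bot: `if (minutes == 0) minutes = 24*60*days;` makes `-valid` win silently whenever both `-days` and `-valid` are passed; either reject the combination during option parsing or state the precedence in the help text. Using `minutes == 0` as the "not specified" sentinel only works because the parser rejects a zero duration; a separate `valid_given` flag would make that coupling explicit rather than accidental.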
> @@ -964,7 +989,7 @@
> }
>
> assert(need_rand);
> - if (!sign(x,Upkey,days,clrext,digest,
> + if (!sign(x,Upkey,minutes,clrext,digest,
> extconf, extsect)) goto end;
> }
> else if (CA_flag == i)
> @@ -982,7 +1007,7 @@
> assert(need_rand);
> if (!x509_certify(ctx,CAfile,digest,x,xca,
> CApkey, sigopts,
> - CAserial,CA_createserial,days, clrext,
> + CAserial,CA_createserial,minutes, clrext,
> extconf, extsect, sno))
> goto end;
> }
> @@ -1148,7 +1173,7 @@
> X509 *x, X509 *xca, EVP_PKEY *pkey,
> STACK_OF(OPENSSL_STRING) *sigopts,
> char *serialfile, int create,
> - int days, int clrext, CONF *conf, char *section,
> + int minutes, int clrext, CONF *conf, char *section,
> ASN1_INTEGER *sno)
> {
> int ret=0;
> @@ -1191,7 +1216,7 @@
> goto end;
>
> /* hardwired expired */
> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> goto end;
>
> if (clrext)
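Review bot: the minutes-to-seconds conversion `(long)60*minutes` appears here and again in `sign()` in the last hunk; converting once where the option is parsed (passing seconds down, or a small helper) keeps the two call paths from drifting apart. The cast binds to `60`, so the product is computed in `long` as intended. While touching this line, the `/* hardwired expired */` comment above it no longer describes what the code does.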
> @@ -1251,7 +1276,7 @@
> }
>
> /* self sign */
> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
> EVP_MD *digest,
> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
> const EVP_MD *digest,
> CONF *conf, char *section)
> {
>
> @@ -1269,7 +1294,7 @@
> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
> /* 28 days to be certified */
>
> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
> NULL)
> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> goto err;
>
> if (!X509_set_pubkey(x,pkey)) goto err;
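Review bot: the `/* 28 days to be certified */` comment directly above the changed line now matches neither the old `days` argument nor the new `minutes` one; update it to say the lifetime comes from the caller, or drop it, in the same change.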


--
Richard Levitte
[hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl.org #3451] patch for x509.c

Jan Just Keijser-2
Hi Richard,

On 15/07/14 10:56, Richard Levitte via RT wrote:
> I do like the idea, and definitely see the need for this.
> A nit pick, though.... '-valid' as an option name is a bit confusing, I'd
> personally expect it to take a full blown time argument -- something like
> DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
> that. That or actually have '-valid' take the full blown argument (thereby
> replacing '-days' in the long run).
>
thanks for picking this up; the name '-valid' as well as the format
"HH:MM" came from the Globus Toolkit 'grid-proxy-init' command, which
uses the same syntax. I agree that the name might be a bit confusing. If
I understand you correctly you're suggesting to use
   -valid DDD-HH:MM
(I'm using '-valid' here for lack of a better name right now) where
anything before the hyphen is the number of days, and anything after it
is the time in HH:MM format? It should be possible to specify HH > 24,
and we could also support MM > 60 (e.g. -valid 0-0:1440 == -valid 0-24:00
== -valid 1-0:00 == -days 1)

but then the syntax
   -valid 0-24:00
seems confusing as well ...  or we could use logic as follows:

if arg contains hyphen then anything before it is #days, anything after
it is time in HH:MM format
if arg contains no hyphen and no colon then it's the number of days
if arg contains no hyphen but it does contain a colon then #days = 0 and
the entire argument is a time in HH:MM format


suggestions?

JJK / Jan Just Keijser
Nikhef
Amsterdam


> On Sun Jul 13 20:13:28 2014, [hidden email] wrote:
>> hi ,
>>
>> attached is a minor patch to apps/x509.c. The patch allows the user to
>> specify the validity of a certificate in hours and minutes (next to
>> days). This is especially useful when creating grid/RFC3820 proxies which
>> typically have a duration of 12 hours.
>>
>> regards,
>>
>> JJK / Jan Just Keijser
>>
>>
>> ------------------------------------------------------------------------
>>
>> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200
>> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
>> @@ -128,6 +128,7 @@
>> " -addreject arg - reject certificate for a given purpose\n",
>> " -setalias arg - set certificate alias\n",
>> " -days arg - How long till expiry of a signed certificate -
>> def 30 days\n",
>> +" -valid HH:MM - How long till expiry of a signed certificate\n",
>> " -checkend arg - check whether the cert expires in the next arg
>> seconds\n",
>> " exit 1 if so, 0 if not\n",
>> " -signkey arg - self sign cert with arg\n",
>> @@ -154,12 +155,12 @@
>> };
>>
>> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
>> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
>> EVP_MD *digest,
>> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
>> const EVP_MD *digest,
>> CONF *conf, char *section);
>> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
>> *digest,
>> X509 *x,X509 *xca,EVP_PKEY *pkey,
>> STACK_OF(OPENSSL_STRING) *sigopts,
>> - char *serial, int create ,int days, int clrext,
>> + char *serial, int create ,int minutes, int clrext,
>> CONF *conf, char *section, ASN1_INTEGER *sno);
>> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
>> static int reqfile=0;
>> @@ -194,7 +195,7 @@
>> int ocsp_uri=0;
>> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
>> int C=0;
>> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
>> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
>> int pprint = 0;
>> const char **pp;
>> X509_STORE *ctx=NULL;
>> @@ -292,6 +293,26 @@
>> goto bad;
>> }
>> }
>> + else if (strcmp(*argv,"-valid") == 0)
>> + {
>> + if (--argc < 1) goto bad;
>> +
>> + char *delim = strchr(*(++argv), ':');
>> + if (delim)
>> + {
>> + *delim = '\0';
>> + delim++;
>> + minutes = atoi( delim );
>> + }
>> + int hours = atoi( *argv );
>> + minutes = 60 * hours + minutes;
>> +
>> + if (minutes == 0)
>> + {
>> + BIO_printf(STDout,"bad -valid specification\n");
>> + goto bad;
>> + }
>> + }
>> else if (strcmp(*argv,"-passin") == 0)
>> {
>> if (--argc < 1) goto bad;
>> @@ -511,6 +532,10 @@
>> goto end;
>> }
>>
>> + if (minutes == 0)
>> + {
>> + minutes = 24*60*days;
>> + }
>> if (!X509_STORE_set_default_paths(ctx))
>> {
>> ERR_print_errors(bio_err);
>> @@ -964,7 +989,7 @@
>> }
>>
>> assert(need_rand);
>> - if (!sign(x,Upkey,days,clrext,digest,
>> + if (!sign(x,Upkey,minutes,clrext,digest,
>> extconf, extsect)) goto end;
>> }
>> else if (CA_flag == i)
>> @@ -982,7 +1007,7 @@
>> assert(need_rand);
>> if (!x509_certify(ctx,CAfile,digest,x,xca,
>> CApkey, sigopts,
>> - CAserial,CA_createserial,days, clrext,
>> + CAserial,CA_createserial,minutes, clrext,
>> extconf, extsect, sno))
>> goto end;
>> }
>> @@ -1148,7 +1173,7 @@
>> X509 *x, X509 *xca, EVP_PKEY *pkey,
>> STACK_OF(OPENSSL_STRING) *sigopts,
>> char *serialfile, int create,
>> - int days, int clrext, CONF *conf, char *section,
>> + int minutes, int clrext, CONF *conf, char *section,
>> ASN1_INTEGER *sno)
>> {
>> int ret=0;
>> @@ -1191,7 +1216,7 @@
>> goto end;
>>
>> /* hardwired expired */
>> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
>> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
>> goto end;
>>
>> if (clrext)
>> @@ -1251,7 +1276,7 @@
>> }
>>
>> /* self sign */
>> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
>> EVP_MD *digest,
>> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
>> const EVP_MD *digest,
>> CONF *conf, char *section)
>> {
>>
>> @@ -1269,7 +1294,7 @@
>> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
>> /* 28 days to be certified */
>>
>> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
>> NULL)
>> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
>> goto err;
>>
>> if (!X509_set_pubkey(x,pkey)) goto err;
>
> --
> Richard Levitte
> [hidden email]
>


Re: [openssl.org #3451] patch for x509.c

Felix Laurie von Massenbach


On 15 Jul 2014 11:06, "Jan Just Keijser via RT" <[hidden email]> wrote:
>
> Hi Richard,
>
> On 15/07/14 10:56, Richard Levitte via RT wrote:
> > I do like the idea, and definitely see the need for this.
> > A nit pick, though.... '-valid' as an option name is a bit confusing, I'd
> > personally expect it to take a full blown time argument -- something like
> > DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like
> > that. That or actually have '-valid' take the full blown argument (thereby
> > replacing '-days' in the long run).
> >
> thanks for picking this up; the name '-valid' as well as the format
> "HH:MM" came from the Globus Toolkit 'grid-proxy-init' command, which
> uses the same syntax. I agree that the name might be a bit confusing. If
> I understand you correctly you're suggesting to use
>    -valid DDD-HH:MM
> (I'm using '-valid' here for lack of a better name right now) where
> anything before the hyphen is the number of days, and anything after it
> is the time in HH:MM format? It should be possible to specify HH > 24,
> and we could also support MM > 60 (e.g. -valid 0-0:1440 == -valid 0-24:00
> == -valid 1-0:00 == -days 1)
>

We should also support things like -valid 1-24:70 and -valid 2-1:10.

> but then the syntax
>    -valid 0-24:00
> seems confusing as well ...  or we could use logic as follows:
>
> if arg contains hyphen then anything before it is #days, anything after
> it is time in HH:MM format
> if arg contains no hyphen and no colon then it's the number of days
> if arg contains no hyphen but it does contain a colon then #days = 0 and
> the entire argument is a time in HH:MM format
>
>
> suggestions?
>
> JJK / Jan Just Keijser
> Nikhef
> Amsterdam
>
>
> > On Sun Jul 13 20:13:28 2014, [hidden email] wrote:
> >> hi ,
> >>
> >> attached is a minor patch to apps/x509.c. The patch allows the user to
> >> specify the validity of a certificate in hours and minutes (next to
> >> days). This is especially useful when creating grid/RFC3820 proxies which
> >> typically have a duration of 12 hours.
> >>
> >> regards,
> >>
> >> JJK / Jan Just Keijser
> >>
> >>
> >> ------------------------------------------------------------------------
> >>
> >> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200
> >> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200
> >> @@ -128,6 +128,7 @@
> >> " -addreject arg - reject certificate for a given purpose\n",
> >> " -setalias arg - set certificate alias\n",
> >> " -days arg - How long till expiry of a signed certificate -
> >> def 30 days\n",
> >> +" -valid HH:MM - How long till expiry of a signed certificate\n",
> >> " -checkend arg - check whether the cert expires in the next arg
> >> seconds\n",
> >> " exit 1 if so, 0 if not\n",
> >> " -signkey arg - self sign cert with arg\n",
> >> @@ -154,12 +155,12 @@
> >> };
> >>
> >> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
> >> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const
> >> EVP_MD *digest,
> >> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext,
> >> const EVP_MD *digest,
> >> CONF *conf, char *section);
> >> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD
> >> *digest,
> >> X509 *x,X509 *xca,EVP_PKEY *pkey,
> >> STACK_OF(OPENSSL_STRING) *sigopts,
> >> - char *serial, int create ,int days, int clrext,
> >> + char *serial, int create ,int minutes, int clrext,
> >> CONF *conf, char *section, ASN1_INTEGER *sno);
> >> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
> >> static int reqfile=0;
> >> @@ -194,7 +195,7 @@
> >> int ocsp_uri=0;
> >> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
> >> int C=0;
> >> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
> >> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0;
> >> int pprint = 0;
> >> const char **pp;
> >> X509_STORE *ctx=NULL;
> >> @@ -292,6 +293,26 @@
> >> goto bad;
> >> }
> >> }
> >> + else if (strcmp(*argv,"-valid") == 0)
> >> + {
> >> + if (--argc < 1) goto bad;
> >> +
> >> + char *delim = strchr(*(++argv), ':');
> >> + if (delim)
> >> + {
> >> + *delim = '\0';
> >> + delim++;
> >> + minutes = atoi( delim );
> >> + }
> >> + int hours = atoi( *argv );
> >> + minutes = 60 * hours + minutes;
> >> +
> >> + if (minutes == 0)
> >> + {
> >> + BIO_printf(STDout,"bad -valid specification\n");
> >> + goto bad;
> >> + }
> >> + }
> >> else if (strcmp(*argv,"-passin") == 0)
> >> {
> >> if (--argc < 1) goto bad;
> >> @@ -511,6 +532,10 @@
> >> goto end;
> >> }
> >>
> >> + if (minutes == 0)
> >> + {
> >> + minutes = 24*60*days;
> >> + }
> >> if (!X509_STORE_set_default_paths(ctx))
> >> {
> >> ERR_print_errors(bio_err);
> >> @@ -964,7 +989,7 @@
> >> }
> >>
> >> assert(need_rand);
> >> - if (!sign(x,Upkey,days,clrext,digest,
> >> + if (!sign(x,Upkey,minutes,clrext,digest,
> >> extconf, extsect)) goto end;
> >> }
> >> else if (CA_flag == i)
> >> @@ -982,7 +1007,7 @@
> >> assert(need_rand);
> >> if (!x509_certify(ctx,CAfile,digest,x,xca,
> >> CApkey, sigopts,
> >> - CAserial,CA_createserial,days, clrext,
> >> + CAserial,CA_createserial,minutes, clrext,
> >> extconf, extsect, sno))
> >> goto end;
> >> }
> >> @@ -1148,7 +1173,7 @@
> >> X509 *x, X509 *xca, EVP_PKEY *pkey,
> >> STACK_OF(OPENSSL_STRING) *sigopts,
> >> char *serialfile, int create,
> >> - int days, int clrext, CONF *conf, char *section,
> >> + int minutes, int clrext, CONF *conf, char *section,
> >> ASN1_INTEGER *sno)
> >> {
> >> int ret=0;
> >> @@ -1191,7 +1216,7 @@
> >> goto end;
> >>
> >> /* hardwired expired */
> >> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL)
> >> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> >> goto end;
> >>
> >> if (clrext)
> >> @@ -1251,7 +1276,7 @@
> >> }
> >>
> >> /* self sign */
> >> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const
> >> EVP_MD *digest,
> >> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext,
> >> const EVP_MD *digest,
> >> CONF *conf, char *section)
> >> {
> >>
> >> @@ -1269,7 +1294,7 @@
> >> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */
> >> /* 28 days to be certified */
> >>
> >> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) ==
> >> NULL)
> >> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL)
> >> goto err;
> >>
> >> if (!X509_set_pubkey(x,pkey)) goto err;
> >
> > --
> > Richard Levitte
> > [hidden email]
> >
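Jan Just's three rules from his reply (a hyphen separates days from an HH:MM part; no hyphen and no colon means days; a colon alone means HH:MM), plus the carry-over cases `1-24:70` and `2-1:10` raised just above, written out as an added C example. This is editor-supplied code, not the patch and not anything from OpenSSL; `parse_validity` and `validity_minutes` are names chosen here. It deliberately rejects everything `atoi()` in the posted patch would swallow: trailing garbage, signs, empty fields and values that overflow a `long`.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Parse the decimal digits in [s, s+len) into *out. Unlike atoi(), an
 * empty field, a sign, a stray letter or an overflow is an error. */
static int parse_digits(const char *s, size_t len, long *out)
{
    long v = 0;
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        if (v > (LONG_MAX - (s[i] - '0')) / 10)
            return 0;                       /* would overflow */
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* "HH:MM" with both fields present, returned as minutes. HH > 24 and
 * MM > 60 are allowed and simply carried over, so "24:70" is 1510. */
static int parse_hhmm(const char *s, size_t len, long *out)
{
    const char *colon = memchr(s, ':', len);
    long hh, mm;

    if (colon == NULL)
        return 0;
    if (!parse_digits(s, (size_t)(colon - s), &hh))
        return 0;
    if (!parse_digits(colon + 1, len - (size_t)(colon - s) - 1, &mm))
        return 0;
    if (hh > (LONG_MAX - mm) / 60)
        return 0;
    *out = hh * 60 + mm;
    return 1;
}

/* The three rules from the thread:
 *   "DDD-HH:MM"  days before the hyphen, HH:MM after it
 *   "DDD"        whole days only (same meaning as -days)
 *   "HH:MM"      no days, just hours and minutes
 * Result is total minutes; zero or anything malformed is rejected. */
int parse_validity(const char *arg, long *minutes)
{
    size_t len = strlen(arg);
    const char *hyphen = memchr(arg, '-', len);
    long days = 0, mins = 0;

    if (hyphen != NULL) {
        if (!parse_digits(arg, (size_t)(hyphen - arg), &days))
            return 0;
        if (!parse_hhmm(hyphen + 1, len - (size_t)(hyphen - arg) - 1, &mins))
            return 0;
    } else if (memchr(arg, ':', len) != NULL) {
        if (!parse_hhmm(arg, len, &mins))
            return 0;
    } else {
        if (!parse_digits(arg, len, &days))
            return 0;
    }
    if (days > (LONG_MAX - mins) / 1440)
        return 0;                           /* days * 1440 would overflow */
    *minutes = days * 1440 + mins;
    return *minutes > 0;
}

/* Convenience wrapper: total minutes, or -1 when the argument is rejected. */
long validity_minutes(const char *arg)
{
    long m;
    return parse_validity(arg, &m) ? m : -1;
}

int main(void)
{
    /* constructed sample arguments, including the malformed ones */
    const char *samples[] = { "12:00", "1", "0-0:1440", "1-24:70", "12:xx", "1:-30" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-9s -> %ld\n", samples[i], validity_minutes(samples[i]));
    return 0;
}
```

The value returned is what the patch's `sign()` and `x509_certify()` take as `minutes`; the option parser would call `parse_validity` and `goto bad` on a zero return instead of testing `minutes == 0` after the fact.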


RE: [openssl.org #3451] patch for x509.c

Salz, Rich
The Globus syntax is strange. :)

We should support the ISO date/time standard, and use that throughout and not invent yet another syntax, or yet another flag.  It's fairly simple to parse, and handles timezones, relative times, date/time mixing, and so on.  The XML XSD spec, for example, has a reasonable explanation.

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz

Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
> The Globus syntax is strange. :)
>
> We should support the ISO date/time standard, and use that throughout and not invent yet another syntax, or yet another flag.  It's fairly simple to parse, and handles timezones, relative times, date/time mixing, and so on.  The XML XSD spec, for example, has a reasonable explanation.

Agreed here. Also, the presence of a hyphen in a time marker is too
easily misunderstood as a minus sign.

If we're talking about the duration of a certificate, we could use
something like the ISO-8601 duration syntax:

  https://en.wikipedia.org/wiki/ISO-8601#Durations

e.g. PT1800S is 1800 seconds

        --dkg




Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On 15/07/14 15:20, Daniel Kahn Gillmor wrote:

> On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
>> The Globus syntax is strange. :)
>>
>> We should support the ISO date/time standard, and use that throughout and not invent yet another syntax, or yet another flag.  It's fairly simple to parse, and handles timezones, relative times, date/time mixing, and so on.  The XML XSD spec, for example, has a reasonable explanation.
> Agreed here. Also, the presence of a hyphen in a time marker is too
> easily misunderstood as a minus sign.
>
> If we're talking about the duration of a certificate, we could use
> something like the ISO-8601 duration syntax:
>
>    https://en.wikipedia.org/wiki/ISO-8601#Durations
>
> e.g. PT1800S is 1800 seconds
>

I like the idea, but I won't have time to rewrite the patch right now.
Implementing "full" ISO 8601 timestamps will take some effort. I'd also
propose to rename '-valid' to '-duration' .
I'll get back on this in mid August.

cheers,

JJK / Jan Just Keijser
Nikhef
Amsterdam



Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On Tue, 2014-07-15 at 20:08 +0200, Jan Just Keijser via RT wrote:

> On 15/07/14 15:20, Daniel Kahn Gillmor wrote:
> > On 07/15/2014 07:58 AM, Salz, Rich via RT wrote:
> >> The Globus syntax is strange. :)
> >>
> >> We should support the ISO date/time standard, and use that throughout and not invent yet another syntax, or yet another flag.  It's fairly simple to parse, and handles timezones, relative times, date/time mixing, and so on.  The XML XSD spec, for example, has a reasonable explanation.
> > Agreed here. Also, the presence of a hyphen in a time marker is too
> > easily misunderstood as a minus sign.
> >
> > If we're talking about the duration of a certificate, we could use
> > something like the ISO-8601 duration syntax:
> >
> >    https://en.wikipedia.org/wiki/ISO-8601#Durations
> >
> > e.g. PT1800S is 1800 seconds
> >
>
> I like the idea, but I won't have time to rewrite the patch right now.
> Implementing "full" ISO 8601 timestamps will take some effort. I'd also
> propose to rename '-valid' to '-duration' .
> I'll get back on this in mid August.

What about just supporting float number argument for -days (0.5 for 12
hours certificate validity)? That should be fairly simple. In the first
step. And add something like -notafter argument that would specify the
exact end date&time in the ISO format (not duration) as a second step.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)




Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On 07/16/2014 03:39 AM, Tomas Mraz via RT wrote:
> What about just supporting float number argument for -days (0.5 for 12
> hours certificate validity)? That should be fairly simple. In the first
> step. And add something like -notafter argument that would specify the
> exact end date&time in the ISO format (not duration) as a second step.

This also seems like a reasonable proposal to me.

        --dkg






RE: [openssl.org #3451] patch for x509.c

Salz, Rich
But then it has to be supported for, like ever. :)

If the right thing to do is the ISO format, and I strongly believe it is, then we should just work toward that and not add variants to solve a short-term need that will require long-term care and confusion.

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz

Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On 07/16/2014 09:40 AM, Salz, Rich wrote:
> But then it has to be supported for, like ever. :)

do you realistically think we'll ever drop support for the -days
argument though?  Dropping -days would break a million scripts.
Extending it to support a non-integer number of days seems like a
straightforward win.

While we're at it, we could extend the -days argument to accept the
ISO-8601 duration format, distinguishing it by whether the first
character is a 'P' or not -- i don't know whether that itself is too
many variants to handle.

> If the right thing to do is the ISO format, and I strongly believe it is, then we should just work toward that and not add variants to solve a short-term need that will require long-term care and confusion.

Tomas' proposal was to use the ISO-8601 date format (which is much
better known than ISO-8601 duration) for a new -notafter argument that
would allow people to specify concrete end times in a standard and
well-understood fashion.

I think this is in line with the goals you describe here, no?

        --dkg




Re: [openssl.org #3451] patch for x509.c

Hubert Kario
In reply to this post by Salz, Rich
----- Original Message -----

> From: "Rich Salz" <[hidden email]>
> To: [hidden email], [hidden email]
> Sent: Wednesday, 16 July, 2014 3:40:03 PM
> Subject: RE: [openssl.org #3451] patch for x509.c
>
> But then it has to be supported for, like ever. :)
>
> If the right thing to do is the ISO format, and I strongly believe it is,
> then we should just work toward that and not add variants to solve a
> short-term need that will require long-term care and confusion.

The third alternative is just add -startdate and -enddate from ca util
and direct people to the `date` application if they want relative
dates, e.g.:

date '+%Y%m%d%H%M%SZ' -d '2 hours ago'
date '+%Y%m%d%H%M%SZ' -d '1 month 12 hours'

Not applicable to all platforms, but (I'd guess) easiest to implement
and providing most freedom.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [hidden email]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
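Added example, not code from the thread or from OpenSSL: strict handling of the absolute-date form Hubert suggests above, i.e. the YYYYMMDDHHMMSSZ string that `date '+%Y%m%d%H%M%SZ'` prints and that the `ca` utility's -startdate/-enddate options take. The point a reviewer would want covered is that the string is validated as a whole (length, digits, trailing 'Z', and a calendar date that actually exists) and that the resulting window is checked for notBefore < notAfter before anything is signed, which is the error the later messages in this thread wish -days produced. All function names here are the example's own; the calendar arithmetic is Howard Hinnant's days_from_civil/civil_from_days so the code needs no timegm().

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date, and the inverse. */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static void civil_from_days(int64_t z, int64_t *y, int *m, int *d)
{
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = yoe + era * 400 + (*m <= 2);
}

static int two_digits(const char *s)
{
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Strictly parse "YYYYMMDDHHMMSSZ" as UTC.  Returns 0 and stores the epoch
 * value on success, -1 on any defect: wrong length, non-digit, missing
 * trailing 'Z', out-of-range field, or a calendar date that does not exist. */
int parse_generalizedtime(const char *s, int64_t *out)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int i, year, mon, day, hour, min, sec, leap;

    if (s == NULL || strlen(s) != 15 || s[14] != 'Z')
        return -1;
    for (i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;

    year = two_digits(s) * 100 + two_digits(s + 2);
    mon  = two_digits(s + 4);
    day  = two_digits(s + 6);
    hour = two_digits(s + 8);
    min  = two_digits(s + 10);
    sec  = two_digits(s + 12);

    leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    if (mon < 1 || mon > 12 || day < 1 || day > mdays[mon - 1] + (mon == 2 && leap))
        return -1;
    if (hour > 23 || min > 59 || sec > 59)   /* ASN.1 time carries no leap seconds */
        return -1;

    *out = days_from_civil(year, mon, day) * 86400 + hour * 3600 + min * 60 + sec;
    return 0;
}

/* Epoch seconds for a valid string, INT64_MIN for an invalid one. */
int64_t epoch_of(const char *s)
{
    int64_t t;
    return parse_generalizedtime(s, &t) == 0 ? t : INT64_MIN;
}

/* Inverse: render epoch seconds as GeneralizedTime in a static buffer;
 * returns "" if the year does not fit the four-digit field. */
const char *generalizedtime_of(int64_t t)
{
    static char buf[32];
    int64_t days = t / 86400, rem = t % 86400, y;
    int m, d;

    if (rem < 0) { rem += 86400; days--; }   /* floor division for pre-1970 times */
    civil_from_days(days, &y, &m, &d);
    if (y < 0 || y > 9999) { buf[0] = '\0'; return buf; }
    snprintf(buf, sizeof buf, "%04d%02d%02d%02d%02d%02dZ", (int)y, m, d,
             (int)(rem / 3600), (int)(rem % 3600 / 60), (int)(rem % 60));
    return buf;
}

/* The check the thread wants an error for: notBefore must precede notAfter.
 * Returns 1 for a well-formed, correctly ordered window, 0 otherwise. */
int validity_window_ok(const char *start, const char *end)
{
    int64_t s = epoch_of(start), e = epoch_of(end);
    return s != INT64_MIN && e != INT64_MIN && s < e;
}

int main(void)
{
    /* Constructed sample: this reply's timestamp as the start, 12 hours later as the end. */
    const char *start = "20140716154003Z";
    const char *end = generalizedtime_of(epoch_of(start) + 12 * 3600);
    printf("%s -> %s : %s\n", start, end, validity_window_ok(start, end) ? "ok" : "REJECT");
    printf("%s -> %s : %s\n", end, start, validity_window_ok(end, start) ? "ok" : "REJECT");
    return 0;
}
```

A wrapper script that computes -enddate with `date` and then feeds both ends through validity_window_ok() before calling `openssl ca` would catch a mistyped relative date (or a clock that is wildly off) instead of issuing a certificate with an inverted window.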

RE: [openssl.org #3451] patch for x509.c

Salz, Rich
In reply to this post by Rich Salz via RT
> do you realistically think we'll ever drop support for the -days argument
> though?  Dropping -days would break a million scripts.

No, we'll never drop support for -days.  But whether the code is atoi() or atof() is a big difference and might cause important silent failures for new scripts running on anything other than the most recent openssl.  On most systems atoi("0.5") returns 0 and no error indicator so "-days 0.5" would silently do the wrong thing on anything other than openssl 1.0.whatever.  Which seems much worse.

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


RE: [openssl.org #3451] patch for x509.c

Salz, Rich
In reply to this post by Hubert Kario
> date '+%Y%m%d%H%M%SZ' -d '1 month 12 hours'

Wow.  Old code never dies; that's "my" get_date code from August 1990 :)

        /r$

--  
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz

Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
In reply to this post by Salz, Rich
On 07/16/2014 11:24 AM, Salz, Rich wrote:
>> do you realistically think we'll ever drop support for the -days argument
>> though?  Dropping -days would break a million scripts.
>
> No, we'll never drop support for -days.  But whether the code is atoi() or atof() is a big difference and might cause important silent failures for new scripts running on anything other than the most recent openssl.  On most systems atoi("0.5") returns 0 and no error indicator so "-days 0.5" would silently do the wrong thing on anything other than openssl 1.0.whatever  Which seems much worse.

ugh, you're quite right.  Sorry, i wasn't thinking about the support
hassle in that direction.

And to make matters worse, "openssl req -x509" currently interprets
"-days 0" or "-days 0.5" or "-days PT1800S" as "use the default number
of days", which is 30. :/  From experimentation, i just discovered that
-days is also happy to accept and interpret negative integer arguments
as well, resulting in a key with ValidNotBefore later than ValidNotAfter
:(  not even an error message to let you know that you've just created a
certificate that no validation stack in its right mind should ever accept.

I withdraw my support for making -days take a fractional argument, given
the behavior of the existing deployed base.

        --dkg
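Added example, not code from the thread or from OpenSSL, illustrating the two messages above: what atoi() actually does with "0.5", "PT1800S" and "-30", next to a strict parser that reports a syntax or range error instead of silently producing 0, a negative count, or the 30-day default. The enum, the MAX_DAYS cap and the function names are the example's own assumptions; nothing here is taken from apps/x509.c.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum days_status {
    DAYS_OK = 0,
    DAYS_ERR_SYNTAX,   /* not a plain decimal integer: "0.5", "PT1800S", "30d", "" */
    DAYS_ERR_RANGE     /* zero, negative, or too large to convert to seconds */
};

/* Upper bound chosen for this example so days * 86400 cannot overflow a long;
 * an assumption here, not a limit taken from OpenSSL. */
#define MAX_DAYS (LONG_MAX / 86400L)

/* The failure mode described above: atoi() stops at the first non-digit and
 * reports nothing, so "0.5" and "PT1800S" both become 0 and "-30" is accepted. */
long legacy_days(const char *s)
{
    return atoi(s);
}

/* Strict alternative: the whole argument must be an optional '+' followed by
 * decimal digits, with nothing before or after, and the value must be a
 * positive day count no larger than MAX_DAYS.  Errors are reported, never
 * silently mapped to 0 or to a default. */
enum days_status strict_parse_days(const char *s, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return DAYS_ERR_SYNTAX;           /* strtol would skip leading blanks; we do not */

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return DAYS_ERR_SYNTAX;           /* ".5", "d", "S", ... left unconsumed */
    if (errno == ERANGE || v <= 0 || v > MAX_DAYS)
        return DAYS_ERR_RANGE;            /* "-30", "0", or absurdly large */

    *out = v;
    return DAYS_OK;
}

/* Status only, for callers that just want to know whether to error out. */
enum days_status days_status_of(const char *s)
{
    long d;
    return strict_parse_days(s, &d);
}

/* Validated day count, or 0 (never a valid result) on any error. */
long strict_days(const char *s)
{
    long d;
    return strict_parse_days(s, &d) == DAYS_OK ? d : 0;
}

int main(void)
{
    /* Constructed samples covering the cases raised in the thread. */
    static const char *const names[] = { "ok", "syntax error", "range error" };
    const char *samples[] = { "30", "0.5", "PT1800S", "-30", "0", "30d", "+12" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s atoi=%-4ld strict=%s\n", samples[i],
               legacy_days(samples[i]), names[days_status_of(samples[i])]);
    return 0;
}
```

The strict parser deliberately treats "0" as a range error rather than as "use the default", so a script that passes a computed value which collapsed to zero gets an error at issuance time rather than a 30-day certificate it did not ask for.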




Re: [openssl.org #3451] patch for x509.c

Rich Salz via RT
On St, 2014-07-16 at 17:46 +0200, Daniel Kahn Gillmor via RT wrote:

> On 07/16/2014 11:24 AM, Salz, Rich wrote:
> >> do you realistically think we'll ever drop support for the -days argument
> >> though?  Dropping -days would break a million scripts.
> >
> > No, we'll never drop support for -days.  But whether the code is atoi() or atof() is a big difference and might cause important silent failures for new scripts running on anything other than the most recent openssl.  On most systems atoi("0.5") returns 0 and no error indicator so "-days 0.5" would silently do the wrong thing on anything other than openssl 1.0.whatever  Which seems much worse.
>
> ugh, you're quite right.  Sorry, i wasn't thinking about the support
> hassle in that direction.
>
> And to make matters worse, "openssl req -x509" currently interprets
> "-days 0" or "-days 0.5" or "-days PT1800S" as "use the default number
> of days", which is 30. :/  From experimentation, i just discovered that
> -days is also happy to accept and interpret negative integer arguments
> as well, resulting in a key with ValidNotBefore later than ValidNotAfter
> :(  not even an error message to let you know that you've just created a
> certificate that no validation stack in its right mind should ever accept.
>
> I withdraw my support for making -days take a fractional argument, given
> the behavior of the existing deployed base.

I agree with that as well. I did not look at the actual code in openssl
so I did not know that the fractional argument with the current version
does not error out.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)




Re: [openssl.org #3451] patch for x509.c

Viktor Dukhovni
In reply to this post by Rich Salz via RT
On Wed, Jul 16, 2014 at 05:46:42PM +0200, Daniel Kahn Gillmor via RT wrote:

> From experimentation, i just discovered that
> -days is also happy to accept and interpret negative integer arguments
> as well, resulting in a key with ValidNotBefore later than ValidNotAfter

That's a useful feature, at least for testing certificate verification
engines: you get what you ask for.  Tools that prevent you from asking
for the "wrong" thing without recourse are worse.

--
        Viktor.