For this introduce x509_get_time() that converts an ASN1_TIME to a time_t.
Also move time2str() to print.c where it makes more sense.
This needs more work but that will happen in tree.
OK tb@
-/* $OpenBSD: crl.c,v 1.13 2022/02/08 14:53:03 tb Exp $ */
+/* $OpenBSD: crl.c,v 1.14 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
{
struct crl *crl;
const ASN1_TIME *at;
- struct tm issued_tm, expires_tm;
int rc = 0;
/* just fail for empty buffers, the warning was printed elsewhere */
warnx("%s: X509_CRL_get0_lastUpdate failed", fn);
goto out;
}
- memset(&issued_tm, 0, sizeof(issued_tm));
- if (ASN1_time_parse(at->data, at->length, &issued_tm, 0) == -1) {
+ if (x509_get_time(at, &crl->issued) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
goto out;
}
- if ((crl->issued = mktime(&issued_tm)) == -1)
- errx(1, "%s: mktime failed", fn);
- /* extract expire time for later use */
at = X509_CRL_get0_nextUpdate(crl->x509_crl);
if (at == NULL) {
warnx("%s: X509_CRL_get0_nextUpdate failed", fn);
goto out;
}
- memset(&expires_tm, 0, sizeof(expires_tm));
- if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
+ if (x509_get_time(at, &crl->expires) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
goto out;
}
- if ((crl->expires = mktime(&expires_tm)) == -1)
- errx(1, "%s: mktime failed", fn);
rc = 1;
out:
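Review bot: The replacement checks `if (x509_get_time(at, &crl->issued) == -1)` and `if (x509_get_time(at, &crl->expires) == -1)` can never fire: x509_get_time, as added in x509.c by this same commit, returns 0 when ASN1_time_parse fails and 1 otherwise (an mktime failure exits via errx), so a CRL whose lastUpdate or nextUpdate does not parse is accepted with the field left at 0, i.e. the epoch, and whatever later consumes crl->issued/crl->expires sees a bogus time instead of a rejected object. Both conditions should read `if (!x509_get_time(at, &crl->issued))` and `if (!x509_get_time(at, &crl->expires))`; the existing `warnx("%s: ASN1_time_parse failed", fn)` still describes what went wrong. crl_parse begins and ends outside this section, so the other failure paths were not reviewed.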
-/* $OpenBSD: extern.h,v 1.118 2022/02/08 14:53:03 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.119 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
char *x509_crl_get_aki(X509_CRL *, const char *);
char *x509_get_pubkey(X509 *, const char *);
enum cert_purpose x509_get_purpose(X509 *, const char *);
+int x509_get_time(const ASN1_TIME *, time_t *);
/* printers */
-void tal_print(const struct tal *);
-void cert_print(const struct cert *);
-void mft_print(const struct mft *);
-void roa_print(const struct roa *);
-void gbr_print(const struct gbr *);
+char *time2str(time_t);
+void tal_print(const struct tal *);
+void cert_print(const struct cert *);
+void crl_print(const struct crl *);
+void mft_print(const struct mft *);
+void roa_print(const struct roa *);
+void gbr_print(const struct gbr *);
/* Output! */
-/* $OpenBSD: parser.c,v 1.63 2022/02/08 14:53:03 tb Exp $ */
+/* $OpenBSD: parser.c,v 1.64 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
errx(1, "repository already added: id %d, %s", id, path);
}
-static char *
-time2str(time_t t)
-{
- static char buf[64];
- struct tm tm;
-
- if (gmtime_r(&t, &tm) == NULL)
- return "could not convert time";
-
- strftime(buf, sizeof(buf), "%h %d %T %Y %Z", &tm);
- return buf;
-}
-
/*
* Build access path to file based on repoid, path, location and file values.
*/
static int num;
X509 *x509 = NULL;
struct cert *cert = NULL;
+ struct crl *crl = NULL;
struct mft *mft = NULL;
struct roa *roa = NULL;
struct gbr *gbr = NULL;
if (X509_up_ref(x509) == 0)
errx(1, "%s: X509_up_ref failed", __func__);
break;
+ case RTYPE_CRL:
+ crl = crl_parse(file, buf, len);
+ if (crl == NULL)
+ break;
+ crl_print(crl);
+ break;
case RTYPE_MFT:
mft = mft_parse(&x509, file, buf, len);
if (mft == NULL)
break;
tal_print(tal);
break;
- case RTYPE_CRL: /* XXX no printer yet */
default:
printf("%s: unsupported file type\n", file);
break;
if (aia != NULL) {
struct auth *a;
- struct crl *crl;
- char *c;
+ struct crl *c;
+ char *crl_uri;
- c = x509_get_crl(x509, file);
- parse_load_crl(c);
- free(c);
+ crl_uri = x509_get_crl(x509, file);
+ parse_load_crl(crl_uri);
+ free(crl_uri);
if (auth_find(&auths, aki) == NULL)
parse_load_certchain(aia);
a = auth_find(&auths, aki);
- crl = get_crl(a);
+ c = get_crl(a);
- if (valid_x509(file, x509, a, crl, 0))
+ if (valid_x509(file, x509, a, c, 0))
printf("Validation: OK\n");
else
printf("Validation: Failed\n");
X509_free(x509);
cert_free(cert);
+ crl_free(crl);
mft_free(mft);
roa_free(roa);
gbr_free(gbr);
-/* $OpenBSD: print.c,v 1.3 2021/12/22 09:35:14 claudio Exp $ */
+/* $OpenBSD: print.c,v 1.4 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
return buf;
}
+char *
+time2str(time_t t)
+{
+ static char buf[64];
+ struct tm tm;
+
+ if (gmtime_r(&t, &tm) == NULL)
+ return "could not convert time";
+
+ strftime(buf, sizeof(buf), "%h %d %T %Y %Z", &tm);
+ return buf;
+}
+
void
tal_print(const struct tal *p)
{
}
+void
+crl_print(const struct crl *p)
+{
+ STACK_OF(X509_REVOKED) *revlist;
+ X509_REVOKED *rev;
+ int i;
+ long serial;
+ time_t t;
+
+ printf("Authority key identifier: %s\n", pretty_key_id(p->aki));
+ printf("CRL valid since: %s\n", time2str(p->issued));
+ printf("CRL valid until: %s\n", time2str(p->expires));
+
+ revlist = X509_CRL_get_REVOKED(p->x509_crl);
+ for (i = 0; i < sk_X509_REVOKED_num(revlist); i++) {
+ if (i == 0)
+ printf("Revoked Certificates:\n");
+ rev = sk_X509_REVOKED_value(revlist, i);
+ serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(rev));
+ x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t);
+ printf(" Serial: %8lx\tRevocation Date: %s\n", serial,
+ time2str(t));
+ }
+ if (i == 0)
+ printf("No Revoked Certificates\n");
+}
+
void
mft_print(const struct mft *p)
{
{
char buf[128];
size_t i;
- char tbuf[21];
printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
printf("Authority key identifier: %s\n", pretty_key_id(p->aki));
printf("Authority info access: %s\n", p->aia);
- strftime(tbuf, sizeof(tbuf), "%FT%TZ", gmtime(&p->expires));
- printf("ROA valid until: %s\n", tbuf);
-
+ printf("ROA valid until: %s\n", time2str(p->expires));
+
printf("asID: %u\n", p->asid);
for (i = 0; i < p->ipsz; i++) {
ip_addr_print(&p->ips[i].addr,
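Review bot: In crl_print, `serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(rev))` cannot hold the serial numbers RFC 5280 permits (up to 20 octets): when the value does not fit in a long the call returns -1, so such entries print as `ffffffffffffffff` rather than the actual serial, which defeats the purpose of listing revocations. Converting through ASN1_INTEGER_to_BN and BN_bn2hex prints every serial faithfully (print.c needs <openssl/bn.h> if it does not already include it). The result of `x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t)` on the following line is also discarded; since that helper leaves *t at 0 on failure, an unparsable revocationDate is silently printed as the epoch, so the return should be tested and reported. The rewritten loop body below replaces `long serial` with `BIGNUM *bn; char *serial;`.
```c
	/* … unchanged: AKI and validity prints … */
	revlist = X509_CRL_get_REVOKED(p->x509_crl);
	for (i = 0; i < sk_X509_REVOKED_num(revlist); i++) {
		if (i == 0)
			printf("Revoked Certificates:\n");
		rev = sk_X509_REVOKED_value(revlist, i);
		if ((bn = ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev),
		    NULL)) == NULL || (serial = BN_bn2hex(bn)) == NULL)
			errx(1, "serial number conversion failed");
		if (!x509_get_time(X509_REVOKED_get0_revocationDate(rev), &t))
			errx(1, "revocationDate parse failed");
		printf("    Serial: %s\tRevocation Date: %s\n", serial,
		    time2str(t));
		OPENSSL_free(serial);
		BN_free(bn);
	}
	/* … unchanged: "No Revoked Certificates" … */
```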
-/* $OpenBSD: roa.c,v 1.37 2022/01/18 16:29:06 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.38 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
unsigned char *cms;
int rc = 0;
const ASN1_TIME *at;
- struct tm expires_tm;
- time_t expires;
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
warnx("%s: X509_get0_notAfter failed", fn);
goto out;
}
- memset(&expires_tm, 0, sizeof(expires_tm));
- if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
+ if (x509_get_time(at, &p.res->expires) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
goto out;
}
- if ((expires = mktime(&expires_tm)) == -1)
- errx(1, "mktime failed");
-
- p.res->expires = expires;
if (!roa_parse_econtent(cms, cmsz, &p))
goto out;
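Review bot: The new condition `if (x509_get_time(at, &p.res->expires) == -1)` is dead: x509_get_time (defined in x509.c in this commit) returns 0 on ASN1_time_parse failure and 1 on success, never -1, so a ROA whose EE certificate carries an unparsable notAfter is not rejected here and continues with expires set to 0, the value the helper stores before returning. It should be `if (!x509_get_time(at, &p.res->expires))`. roa_parse starts and ends outside this section.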
-/* $OpenBSD: x509.c,v 1.34 2022/02/04 16:08:53 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.35 2022/02/10 15:33:47 claudio Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
x509_get_expire(X509 *x, const char *fn, time_t *tt)
{
const ASN1_TIME *at;
- struct tm expires_tm;
- time_t expires;
at = X509_get0_notAfter(x);
if (at == NULL) {
warnx("%s: X509_get0_notafter failed", fn);
return 0;
}
- memset(&expires_tm, 0, sizeof(expires_tm));
- if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1) {
+ if (x509_get_time(at, tt) == -1) {
warnx("%s: ASN1_time_parse failed", fn);
return 0;
}
- if ((expires = mktime(&expires_tm)) == -1)
- errx(1, "%s: mktime failed", fn);
-
- *tt = expires;
return 1;
}
AUTHORITY_KEYID_free(akid);
return res;
}
+
+/*
+ * Convert passed ASN1_TIME to time_t *t.
+ * Returns 1 on success and 0 on failure.
+ */
+int
+x509_get_time(const ASN1_TIME *at, time_t *t)
+{
+ struct tm tm;
+
+ *t = 0;
+ memset(&tm, 0, sizeof(tm));
+ if (ASN1_time_parse(at->data, at->length, &tm, 0) == -1)
+ return 0;
+ if ((*t = mktime(&tm)) == -1)
+ errx(1, "mktime failed");
+ return 1;
+}
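Review bot: x509_get_time converts the broken-down time with `mktime(&tm)`, which interprets `tm` in the process's local time zone, while an ASN1_TIME (UTCTime/GeneralizedTime) is UTC; unless the program pins TZ to UTC somewhere not visible here, every certificate, CRL and ROA time is shifted by the local offset, which directly affects expiry and revocation decisions. The matching conversion is `if ((*t = timegm(&tm)) == -1) errx(1, "timegm failed");`. Separately, the header comment promises "1 on success and 0 on failure", but the caller rewritten in this section (`if (x509_get_time(at, tt) == -1)` in x509_get_expire), like those in crl.c and roa.c, tests for -1, so a parse failure is never reported and *t is left at 0; that check should be `if (!x509_get_time(at, tt))`. The function also dereferences `at` unconditionally, so the comment should state that the caller must pass a non-NULL ASN1_TIME, as the visible callers do.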