Add x509_get_expire() to extract the not-after time from a certificate

as a epoch time_t. Store the expire time for certs, crls will follow after.
OK tb@

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 979995f..943960a 100644 (file)
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: cert.c,v 1.33 2021/10/05 11:20:46 job Exp $ */
+/*     $OpenBSD: cert.c,v 1.34 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -1061,6 +1061,7 @@ cert_parse_inner(X509 **xp, const char *fn, int ta)
                p.res->aia = x509_get_aia(x, p.fn);
                p.res->crl = x509_get_crl(x, p.fn);
        }
+       p.res->expires = x509_get_expire(x, p.fn);
        p.res->purpose = x509_get_purpose(x, p.fn);
 
        /* Validation on required fields. */

diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 04804a5..13f4dd2 100644 (file)
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: extern.h,v 1.68 2021/10/05 11:20:46 job Exp $ */
+/*     $OpenBSD: extern.h,v 1.69 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -127,6 +127,7 @@ struct cert {
        enum cert_purpose        purpose; /* Certificate Purpose (BGPSec or CA) */
        int              valid; /* validated resources */
        X509            *x509; /* the cert */
+       time_t           expires; /* do not use after */
 };
 
 /*
@@ -232,6 +233,7 @@ struct crl {
        RB_ENTRY(crl)    entry;
        char            *aki;
        X509_CRL        *x509_crl;
+       time_t           expires; /* do not use after */
 };
 /*
  * Tree of CRLs sorted by uri
@@ -527,6 +529,7 @@ char                *hex_encode(const unsigned char *, size_t);
 char           *x509_get_aia(X509 *, const char *);
 char           *x509_get_aki(X509 *, int, const char *);
 char           *x509_get_ski(X509 *, const char *);
+time_t          x509_get_expire(X509 *, const char *);
 char           *x509_get_crl(X509 *, const char *);
 char           *x509_crl_get_aki(X509_CRL *, const char *);
 enum cert_purpose       x509_get_purpose(X509 *, const char *);

diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index ffd3938..4e27686 100644 (file)
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509.c,v 1.22 2021/10/05 11:20:46 job Exp $ */
+/*     $OpenBSD: x509.c,v 1.23 2021/10/07 08:30:39 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -232,6 +232,29 @@ out:
        return aia;
 }
 
+/*
+ * Extract the expire time (not-after) of a certificate.
+ */
+time_t
+x509_get_expire(X509 *x, const char *fn)
+{
+       const ASN1_TIME *at;
+       struct tm        expires_tm;
+       time_t           expires;
+
+       at = X509_get0_notAfter(x);
+       if (at == NULL)
+               errx(1, "%s: X509_get0_notafter failed", fn);
+       memset(&expires_tm, 0, sizeof(expires_tm));
+       if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
+               errx(1, "%s: ASN1_time_parse failed", fn);
+
+       if ((expires = mktime(&expires_tm)) == -1)
+               errx(1, "%s: mktime failed", fn);
+
+       return expires;
+}
+
 /*
  * Parse the very specific subset of information in the CRL distribution
  * point extension.