-/* $OpenBSD: aspa.c,v 1.12 2023/03/09 09:46:21 job Exp $ */
+/* $OpenBSD: aspa.c,v 1.13 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
struct parse p;
size_t cmsz;
unsigned char *cms;
- const ASN1_TIME *at;
struct cert *cert = NULL;
time_t signtime;
int rc = 0;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
if (x509_any_inherits(*x509)) {
warnx("%s: inherit elements not allowed in EE cert", fn);
-/* $OpenBSD: cert.c,v 1.104 2023/03/06 16:58:41 job Exp $ */
+/* $OpenBSD: cert.c,v 1.105 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
goto out;
if (!x509_get_crl(x, p.fn, &p.res->crl))
goto out;
+ if (!x509_get_notbefore(x, p.fn, &p.res->notbefore))
+ goto out;
if (!x509_get_expire(x, p.fn, &p.res->expires))
goto out;
p.res->purpose = x509_get_purpose(x, p.fn);
-/* $OpenBSD: extern.h,v 1.170 2023/03/09 12:54:28 job Exp $ */
+/* $OpenBSD: extern.h,v 1.171 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
enum cert_purpose purpose; /* BGPSec or CA */
char *pubkey; /* Subject Public Key Info */
X509 *x509; /* the cert */
+ time_t notbefore; /* cert's Not Before */
time_t expires; /* do not use after */
};
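Review bot: The new `notbefore` field comment on the added line reads `/* cert's Not Before */` while the neighbouring `expires` field is documented by its effect, `/* do not use after */`; the mismatched phrasing makes the pair harder to scan. Suggest `/* do not use before */` so the two validity bounds read symmetrically. The per-object struct additions further down in this file (the "EE cert's Not Before" comments) are fine as they are, since their `expires` siblings already name the X.509 field. The enclosing struct definition starts outside the hunk.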
char *sia; /* SIA signedObject */
char *ski; /* SKI */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* do not use after */
};
char *aki; /* AKI */
char *ski; /* SKI */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* Not After of the RSC EE */
};
char *sia; /* SIA signed Object */
char *ski; /* SKI */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* Not After of the TAK EE */
};
char *aki; /* AKI */
char *ski; /* SKI */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* Not After of the Geofeed EE */
int valid; /* all resources covered */
};
char *sia; /* SIA signedObject */
char *ski; /* SKI */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* Not After of the GBR EE */
};
struct aspa_provider *providers; /* the providers */
size_t providersz; /* number of providers */
time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
time_t expires; /* NotAfter of the ASPA EE cert */
};
int x509_get_aki(X509 *, const char *, char **);
int x509_get_sia(X509 *, const char *, char **);
int x509_get_ski(X509 *, const char *, char **);
+int x509_get_notbefore(X509 *, const char *, time_t *);
int x509_get_expire(X509 *, const char *, time_t *);
int x509_get_crl(X509 *, const char *, char **);
char *x509_crl_get_aki(X509_CRL *, const char *);
-/* $OpenBSD: gbr.c,v 1.23 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.24 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
size_t cmsz;
unsigned char *cms;
time_t signtime;
- const ASN1_TIME *at;
memset(&p, 0, sizeof(struct parse));
p.fn = fn;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
if (!x509_inherits(*x509)) {
warnx("%s: RFC 3779 extension not set to inherit", fn);
-/* $OpenBSD: geofeed.c,v 1.11 2023/03/09 09:46:21 job Exp $ */
+/* $OpenBSD: geofeed.c,v 1.12 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
size_t b64sz = 0;
unsigned char *der = NULL;
size_t dersz;
- const ASN1_TIME *at;
struct cert *cert = NULL;
int rpki_signature_seen = 0, end_signature_seen = 0;
int rc = 0;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
goto out;
-/* $OpenBSD: print.c,v 1.29 2023/03/09 12:54:28 job Exp $ */
+/* $OpenBSD: print.c,v 1.30 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
printf("\t\"notify_url\": \"%s\",\n", p->notify);
if (p->pubkey != NULL)
printf("\t\"router_key\": \"%s\",\n", p->pubkey);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"subordinate_resources\": [\n");
} else {
if (p->pubkey != NULL) {
printf("BGPsec ECDSA public key: %s\n",
p->pubkey);
+ printf("Router key valid since: %s\n",
+ time2str(p->notbefore));
printf("Router key valid until: %s\n",
time2str(p->expires));
- } else
+ } else {
+ printf("Certificate valid since: %s\n",
+ time2str(p->notbefore));
printf("Certificate valid until: %s\n",
time2str(p->expires));
+ }
printf("Subordinate resources: ");
}
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
} else {
printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("ROA valid since: %s\n",
+ time2str(p->notbefore));
printf("ROA valid until: %s\n", time2str(p->expires));
printf("asID: %u\n", p->asid);
printf("IP address blocks: ");
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"vcard\": \"");
for (i = 0; i < strlen(p->vcard); i++) {
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("GBR valid since: %s\n",
+ time2str(p->notbefore));
printf("GBR valid until: %s\n", time2str(p->expires));
printf("vcard:\n%s", p->vcard);
}
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"signed_with_resources\": [\n");
} else {
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("RSC valid since: %s\n",
+ time2str(p->notbefore));
printf("RSC valid until: %s\n", time2str(p->expires));
printf("Signed with resources: ");
}
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"customer_asid\": %u,\n", p->custasid);
printf("\t\"provider_set\": [\n");
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("ASPA valid since: %s\n",
+ time2str(p->notbefore));
printf("ASPA valid until: %s\n", time2str(p->expires));
printf("Customer AS: %u\n", p->custasid);
printf("Provider Set: ");
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"takeys\": [\n");
} else {
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("TAK valid since: %s\n",
+ time2str(p->notbefore));
printf("TAK valid until: %s\n", time2str(p->expires));
}
if (p->signtime != 0)
printf("\t\"signing_time\": %lld,\n",
(long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
printf("\t\"records\": [\n");
} else {
if (p->signtime != 0)
printf("Signing time: %s\n",
time2str(p->signtime));
+ printf("Geofeed valid since: %s\n",
+ time2str(p->notbefore));
printf("Geofeed valid until: %s\n", time2str(p->expires));
printf("Geofeed CSV records:\n");
}
-/* $OpenBSD: roa.c,v 1.61 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.62 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
struct parse p;
size_t cmsz;
unsigned char *cms;
- const ASN1_TIME *at;
struct cert *cert = NULL;
time_t signtime;
int rc = 0;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
if (!roa_parse_econtent(cms, cmsz, &p))
goto out;
-/* $OpenBSD: rsc.c,v 1.21 2023/03/09 15:40:41 job Exp $ */
+/* $OpenBSD: rsc.c,v 1.22 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2022 Job Snijders <job@fastly.com>
struct parse p;
unsigned char *cms;
size_t cmsz;
- const ASN1_TIME *at;
struct cert *cert = NULL;
time_t signtime;
int rc = 0;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
-
+
if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
warnx("%s: RSC: EE cert must not have an SIA extension", fn);
goto out;
-/* $OpenBSD: tak.c,v 1.5 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: tak.c,v 1.6 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Job Snijders <job@fastly.com>
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
struct parse p;
unsigned char *cms;
size_t cmsz;
- const ASN1_TIME *at;
time_t signtime;
int rc = 0;
goto out;
}
- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
goto out;
- }
if (!x509_inherits(*x509)) {
warnx("%s: RFC 3779 extension not set to inherit", fn);
-/* $OpenBSD: x509.c,v 1.66 2023/03/06 21:00:41 job Exp $ */
+/* $OpenBSD: x509.c,v 1.67 2023/03/10 12:02:11 job Exp $ */
/*
* Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
return 0;
}
+/*
+ * Extract the notBefore of a certificate.
+ */
+int
+x509_get_notbefore(X509 *x, const char *fn, time_t *tt)
+{
+ const ASN1_TIME *at;
+
+ at = X509_get0_notBefore(x);
+ if (at == NULL) {
+ warnx("%s: X509_get0_notBefore failed", fn);
+ return 0;
+ }
+ if (!x509_get_time(at, tt)) {
+ warnx("%s: ASN1_time_parse failed", fn);
+ return 0;
+ }
+ return 1;
+}
+
/*
* Extract the expire time (not-after) of a certificate.
*/
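Review bot: The header comment on the new x509_get_notbefore does not state the function's contract, although callers in aspa.c, gbr.c, geofeed.d, roa.c, rsc.c and tak.c now branch on its return value; suggest `/* Extract the notBefore of a certificate into *tt. Returns 1 on success, 0 (after warning) on failure. */`. The body mirrors x509_get_expire line for line, and nothing in this commit compares the extracted notbefore with expires or with the current time; if that enforcement lives in the validation path elsewhere, a one-line pointer to it in the comment would help readers who look for it here. The x509_get_expire definition that follows begins after the hunk.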