From 7fd566d895d9792f9efd5031bf7ea72289459636 Mon Sep 17 00:00:00 2001
From: claudio
Date: Thu, 7 Oct 2021 08:30:39 +0000
Subject: [PATCH] Add x509_get_expire() to extract the not-after time from a certificate as a epoch time_t. Store the expire time for certs, crls will follow after. OK tb@
---
 usr.sbin/rpki-client/cert.c | 3 ++-
 usr.sbin/rpki-client/extern.h | 5 ++++-
 usr.sbin/rpki-client/x509.c | 25 ++++++++++++++++++++++++-
 3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 979995f8909..943960a94c2 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.33 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: cert.c,v 1.34 2021/10/07 08:30:39 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -1061,6 +1061,7 @@ cert_parse_inner(X509 **xp, const char *fn, int ta)
 p.res->aia = x509_get_aia(x, p.fn);
 p.res->crl = x509_get_crl(x, p.fn);
 }
+ p.res->expires = x509_get_expire(x, p.fn);
 p.res->purpose = x509_get_purpose(x, p.fn);
 /* Validation on required fields. */
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 04804a52882..13f4dd29567 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.68 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: extern.h,v 1.69 2021/10/07 08:30:39 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -127,6 +127,7 @@ struct cert {
 enum cert_purpose purpose; /* Certificate Purpose (BGPSec or CA) */
 int valid; /* validated resources */
 X509 *x509; /* the cert */
+ time_t expires; /* do not use after */
 };
 /*
@@ -232,6 +233,7 @@ struct crl {
 RB_ENTRY(crl) entry;
 char *aki;
 X509_CRL *x509_crl;
+ time_t expires; /* do not use after */
 };
 /*
 * Tree of CRLs sorted by uri
@@ -527,6 +529,7 @@ char *hex_encode(const unsigned char *, size_t);
 char *x509_get_aia(X509 *, const char *);
 char *x509_get_aki(X509 *, int, const char *);
 char *x509_get_ski(X509 *, const char *);
+time_t x509_get_expire(X509 *, const char *);
 char *x509_get_crl(X509 *, const char *);
 char *x509_crl_get_aki(X509_CRL *, const char *);
 enum cert_purpose x509_get_purpose(X509 *, const char *);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index ffd393804d4..4e27686ac4c 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.22 2021/10/05 11:20:46 job Exp $ */
+/* $OpenBSD: x509.c,v 1.23 2021/10/07 08:30:39 claudio Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -232,6 +232,29 @@ out:
 return aia;
 }
+/*
+ * Extract the expire time (not-after) of a certificate.
+ */
+time_t
+x509_get_expire(X509 *x, const char *fn)
+{
+ const ASN1_TIME *at;
+ struct tm expires_tm;
+ time_t expires;
+
+ at = X509_get0_notAfter(x);
+ if (at == NULL)
+ errx(1, "%s: X509_get0_notafter failed", fn);
+ memset(&expires_tm, 0, sizeof(expires_tm));
+ if (ASN1_time_parse(at->data, at->length, &expires_tm, 0) == -1)
+ errx(1, "%s: ASN1_time_parse failed", fn);
+
+ if ((expires = mktime(&expires_tm)) == -1)
+ errx(1, "%s: mktime failed", fn);
+
+ return expires;
+}
+
 /*
 * Parse the very specific subset of information in the CRL distribution
 * point extension.
--
2.20.1
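Review bot: mktime() in the new x509_get_expire() treats `expires_tm` as local time, but ASN1_time_parse() fills it from an X.509 notAfter value that is defined in UTC, so unless the process runs with TZ set to UTC the returned `expires` is shifted by the host's UTC offset (and DST); the conversion should be `if ((expires = timegm(&expires_tm)) == -1)`, which also removes the dependence on zone data being reachable from the parser. The header comment should then state the contract, e.g. `/* Extract the expire time (not-after) of a certificate as UTC epoch seconds. */`. A second point is that errx(1, ...) on a parse failure terminates the whole parser process on one malformed notAfter in a downloaded certificate; if the neighbouring x509_get_* helpers (x509_get_aia's `out:` path ends just above this hunk) warn and report failure rather than exit, this function and its call site in the cert.c cert_parse_inner hunk should follow that convention so a single bad object cannot abort the run. Whether the surrounding parsing path already exits on malformed input is not visible from these hunks.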