From f5999ddfaafcedca04ba3133d151ec3997898104 Mon Sep 17 00:00:00 2001
From: job
Date: Fri, 10 Mar 2023 12:02:11 +0000
Subject: [PATCH] Show the X.509 notBefore in filemode

OK tb@
---
 usr.sbin/rpki-client/aspa.c | 12 +++---------
 usr.sbin/rpki-client/cert.c | 4 +++-
 usr.sbin/rpki-client/extern.h | 10 +++++++++-
 usr.sbin/rpki-client/gbr.c | 12 +++---------
 usr.sbin/rpki-client/geofeed.c | 12 +++---------
 usr.sbin/rpki-client/print.c | 28 ++++++++++++++++++++++++++--
 usr.sbin/rpki-client/roa.c | 12 +++---------
 usr.sbin/rpki-client/rsc.c | 14 ++++----------
 usr.sbin/rpki-client/tak.c | 12 +++---------
 usr.sbin/rpki-client/x509.c | 22 +++++++++++++++++++++-
 10 files changed, 78 insertions(+), 60 deletions(-)

diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c
index dc197d9e844..827a69d8604 100644
--- a/usr.sbin/rpki-client/aspa.c
+++ b/usr.sbin/rpki-client/aspa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aspa.c,v 1.12 2023/03/09 09:46:21 job Exp $ */
+/* $OpenBSD: aspa.c,v 1.13 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2022 Theo Buehler
@@ -188,7 +188,6 @@ aspa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 struct parse p;
 size_t cmsz;
 unsigned char *cms;
- const ASN1_TIME *at;
 struct cert *cert = NULL;
 time_t signtime;
 int rc = 0;
@@ -226,15 +225,10 @@ aspa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }

 if (x509_any_inherits(*x509)) {
 warnx("%s: inherit elements not allowed in EE cert", fn);
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 540e2b338e4..cff5af4ad0d 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.104 2023/03/06 16:58:41 job Exp $ */
+/* $OpenBSD: cert.c,v 1.105 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -756,6 +756,8 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 goto out;
 if (!x509_get_crl(x, p.fn, &p.res->crl))
 goto out;
+ if (!x509_get_notbefore(x, p.fn, &p.res->notbefore))
+ goto out;
 if (!x509_get_expire(x, p.fn, &p.res->expires))
 goto out;
 p.res->purpose = x509_get_purpose(x, p.fn);
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 2da10aeb394..6b7e39f76c6 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.170 2023/03/09 12:54:28 job Exp $ */
+/* $OpenBSD: extern.h,v 1.171 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -139,6 +139,7 @@ struct cert {
 enum cert_purpose purpose; /* BGPSec or CA */
 char *pubkey; /* Subject Public Key Info */
 X509 *x509; /* the cert */
+ time_t notbefore; /* cert's Not Before */
 time_t expires; /* do not use after */
 };

@@ -245,6 +246,7 @@ struct roa {
 char *sia; /* SIA signedObject */
 char *ski; /* SKI */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* do not use after */
 };

@@ -269,6 +271,7 @@ struct rsc {
 char *aki; /* AKI */
 char *ski; /* SKI */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* Not After of the RSC EE */
 };

@@ -298,6 +301,7 @@ struct tak {
 char *sia; /* SIA signed Object */
 char *ski; /* SKI */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* Not After of the TAK EE */
 };

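Review bot: cert_parse_pre now holds both ends of the validity window but never checks that they are ordered, so a certificate whose notBefore lies after its notAfter passes this parser and is later printed with an inverted window; the line to add directly after the x509_get_expire() check is `if (p.res->notbefore > p.res->expires) { warnx("%s: notBefore after notAfter", p.fn); goto out; }`. RFC 5280 defines the validity period as inclusive at both ends, so equality must remain accepted. Chain validation elsewhere in the tool would presumably reject such a certificate for any evaluation time, but this parser is also the path filemode takes to display an object, so a cheap structural check here keeps the printed `valid_since`/`valid_until` pair meaningful. The body of cert_parse_pre begins and ends outside the hunk.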
@@ -319,6 +323,7 @@ struct geofeed {
 char *aki; /* AKI */
 char *ski; /* SKI */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* Not After of the Geofeed EE */
 int valid; /* all resources covered */
 };
@@ -333,6 +338,7 @@ struct gbr {
 char *sia; /* SIA signedObject */
 char *ski; /* SKI */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* Not After of the GBR EE */
 };

@@ -355,6 +361,7 @@ struct aspa {
 struct aspa_provider *providers; /* the providers */
 size_t providersz; /* number of providers */
 time_t signtime; /* CMS signing-time attribute */
+ time_t notbefore; /* EE cert's Not Before */
 time_t expires; /* NotAfter of the ASPA EE cert */
 };

@@ -806,6 +813,7 @@ int x509_get_aia(X509 *, const char *, char **);
 int x509_get_aki(X509 *, const char *, char **);
 int x509_get_sia(X509 *, const char *, char **);
 int x509_get_ski(X509 *, const char *, char **);
+int x509_get_notbefore(X509 *, const char *, time_t *);
 int x509_get_expire(X509 *, const char *, time_t *);
 int x509_get_crl(X509 *, const char *, char **);
 char *x509_crl_get_aki(X509_CRL *, const char *);
diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c
index 4062f513fbc..9b1e1b699c4 100644
--- a/usr.sbin/rpki-client/gbr.c
+++ b/usr.sbin/rpki-client/gbr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gbr.c,v 1.23 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: gbr.c,v 1.24 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2020 Claudio Jeker
  *
@@ -46,7 +46,6 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 size_t cmsz;
 unsigned char *cms;
 time_t signtime;
- const ASN1_TIME *at;

 memset(&p, 0, sizeof(struct parse));
 p.fn = fn;
@@ -77,15 +76,10 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }

 if (!x509_inherits(*x509)) {
 warnx("%s: RFC 3779 extension not set to inherit", fn);
diff --git a/usr.sbin/rpki-client/geofeed.c b/usr.sbin/rpki-client/geofeed.c
index 452b3f72f30..87aed15af2a 100644
--- a/usr.sbin/rpki-client/geofeed.c
+++ b/usr.sbin/rpki-client/geofeed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: geofeed.c,v 1.11 2023/03/09 09:46:21 job Exp $ */
+/* $OpenBSD: geofeed.c,v 1.12 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -110,7 +110,6 @@ geofeed_parse(X509 **x509, const char *fn, char *buf, size_t len)
 size_t b64sz = 0;
 unsigned char *der = NULL;
 size_t dersz;
- const ASN1_TIME *at;
 struct cert *cert = NULL;
 int rpki_signature_seen = 0, end_signature_seen = 0;
 int rc = 0;
@@ -248,15 +247,10 @@ geofeed_parse(X509 **x509, const char *fn, char *buf, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }

 if ((cert = cert_parse_ee_cert(fn, *x509)) == NULL)
 goto out;
diff --git a/usr.sbin/rpki-client/print.c b/usr.sbin/rpki-client/print.c
index aa47d4bfadf..ad5901cb4cd 100644
--- a/usr.sbin/rpki-client/print.c
+++ b/usr.sbin/rpki-client/print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print.c,v 1.29 2023/03/09 12:54:28 job Exp $ */
+/* $OpenBSD: print.c,v 1.30 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -182,6 +182,7 @@ cert_print(const struct cert *p)
 printf("\t\"notify_url\": \"%s\",\n", p->notify);
 if (p->pubkey != NULL)
 printf("\t\"router_key\": \"%s\",\n", p->pubkey);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"subordinate_resources\": [\n");
 } else {
@@ -201,11 +202,16 @@ cert_print(const struct cert *p)

 if (p->pubkey != NULL) {
 printf("BGPsec ECDSA public key: %s\n", p->pubkey);
+ printf("Router key valid since: %s\n",
+ time2str(p->notbefore));
 printf("Router key valid until: %s\n",
 time2str(p->expires));
- } else
+ } else {
+ printf("Certificate valid since: %s\n",
+ time2str(p->notbefore));
 printf("Certificate valid until: %s\n",
 time2str(p->expires));
+ }
 printf("Subordinate resources: ");
 }

@@ -443,6 +449,7 @@ roa_print(const X509 *x, const struct roa *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 } else {
 printf("Subject key identifier: %s\n", pretty_key_id(p->ski));
@@ -453,6 +460,8 @@ roa_print(const X509 *x, const struct roa *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("ROA valid since: %s\n",
+ time2str(p->notbefore));
 printf("ROA valid until: %s\n", time2str(p->expires));
 printf("asID: %u\n", p->asid);
 printf("IP address blocks: ");
@@ -498,6 +507,7 @@ gbr_print(const X509 *x, const struct gbr *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"vcard\": \"");
 for (i = 0; i < strlen(p->vcard); i++) {
@@ -520,6 +530,8 @@ gbr_print(const X509 *x, const struct gbr *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("GBR valid since: %s\n",
+ time2str(p->notbefore));
 printf("GBR valid until: %s\n", time2str(p->expires));
 printf("vcard:\n%s", p->vcard);
 }
@@ -541,6 +553,7 @@ rsc_print(const X509 *x, const struct rsc *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"signed_with_resources\": [\n");
 } else {
@@ -551,6 +564,8 @@ rsc_print(const X509 *x, const struct rsc *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("RSC valid since: %s\n",
+ time2str(p->notbefore));
 printf("RSC valid until: %s\n", time2str(p->expires));
 printf("Signed with resources: ");
 }
@@ -673,6 +688,7 @@ aspa_print(const X509 *x, const struct aspa *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"customer_asid\": %u,\n", p->custasid);
 printf("\t\"provider_set\": [\n");
@@ -697,6 +713,8 @@ aspa_print(const X509 *x, const struct aspa *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("ASPA valid since: %s\n",
+ time2str(p->notbefore));
 printf("ASPA valid until: %s\n", time2str(p->expires));
 printf("Customer AS: %u\n", p->custasid);
 printf("Provider Set: ");
@@ -784,6 +802,7 @@ tak_print(const X509 *x, const struct tak *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"takeys\": [\n");
 } else {
@@ -795,6 +814,8 @@ tak_print(const X509 *x, const struct tak *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("TAK valid since: %s\n",
+ time2str(p->notbefore));
 printf("TAK valid until: %s\n", time2str(p->expires));
 }

@@ -831,6 +852,7 @@ geofeed_print(const X509 *x, const struct geofeed *p)
 if (p->signtime != 0)
 printf("\t\"signing_time\": %lld,\n",
 (long long)p->signtime);
+ printf("\t\"valid_since\": %lld,\n", (long long)p->notbefore);
 printf("\t\"valid_until\": %lld,\n", (long long)p->expires);
 printf("\t\"records\": [\n");
 } else {
@@ -841,6 +863,8 @@ geofeed_print(const X509 *x, const struct geofeed *p)

 if (p->signtime != 0)
 printf("Signing time: %s\n", time2str(p->signtime));
+ printf("Geofeed valid since: %s\n",
+ time2str(p->notbefore));
 printf("Geofeed valid until: %s\n", time2str(p->expires));
 printf("Geofeed CSV records:\n");
 }
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index e53e995e45c..0c814e99729 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.61 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: roa.c,v 1.62 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -211,7 +211,6 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 struct parse p;
 size_t cmsz;
 unsigned char *cms;
- const ASN1_TIME *at;
 struct cert *cert = NULL;
 time_t signtime;
 int rc = 0;
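Review bot: The `valid_since` key added to the JSON branch of geofeed_print (and to every other *_print routine in this file) is a new, externally visible field in the filemode JSON output, and nothing in the commit message or diff records that the output schema changed; if the key set is described anywhere, such as the manual page, `valid_since` should be added there next to `valid_until`, and the commit message should mention the schema addition for consumers that parse this output. Unlike `signing_time`, the new key is emitted unconditionally, which is consistent with `valid_until` since the parsers fail the object when either time cannot be extracted. The text-mode label pattern `<object> valid since:` matches the existing `<object> valid until:` lines, so no change is needed there. The bodies of geofeed_print and tak_print start and end outside these hunks.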
@@ -242,15 +241,10 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }

 if (!roa_parse_econtent(cms, cmsz, &p))
 goto out;
diff --git a/usr.sbin/rpki-client/rsc.c b/usr.sbin/rpki-client/rsc.c
index 0250d2e429d..cd5a17aa1da 100644
--- a/usr.sbin/rpki-client/rsc.c
+++ b/usr.sbin/rpki-client/rsc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsc.c,v 1.21 2023/03/09 15:40:41 job Exp $ */
+/* $OpenBSD: rsc.c,v 1.22 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2022 Job Snijders
@@ -377,7 +377,6 @@ rsc_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 struct parse p;
 unsigned char *cms;
 size_t cmsz;
- const ASN1_TIME *at;
 struct cert *cert = NULL;
 time_t signtime;
 int rc = 0;
@@ -406,16 +405,11 @@ rsc_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }
-
+
 if (X509_get_ext_by_NID(*x509, NID_sinfo_access, -1) != -1) {
 warnx("%s: RSC: EE cert must not have an SIA extension", fn);
 goto out;
diff --git a/usr.sbin/rpki-client/tak.c b/usr.sbin/rpki-client/tak.c
index d202fe8f8c5..37e3a049d71 100644
--- a/usr.sbin/rpki-client/tak.c
+++ b/usr.sbin/rpki-client/tak.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tak.c,v 1.5 2023/03/09 18:53:24 tb Exp $ */
+/* $OpenBSD: tak.c,v 1.6 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2022 Theo Buehler
@@ -230,7 +230,6 @@ tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 struct parse p;
 unsigned char *cms;
 size_t cmsz;
- const ASN1_TIME *at;
 time_t signtime;
 int rc = 0;

@@ -260,15 +259,10 @@ tak_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }

- at = X509_get0_notAfter(*x509);
- if (at == NULL) {
- warnx("%s: X509_get0_notAfter failed", fn);
+ if (!x509_get_notbefore(*x509, fn, &p.res->notbefore))
 goto out;
- }
- if (!x509_get_time(at, &p.res->expires)) {
- warnx("%s: ASN1_time_parse failed", fn);
+ if (!x509_get_expire(*x509, fn, &p.res->expires))
 goto out;
- }

 if (!x509_inherits(*x509)) {
 warnx("%s: RFC 3779 extension not set to inherit", fn);
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 433c29455ae..d4930c8a9bc 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.66 2023/03/06 21:00:41 job Exp $ */
+/* $OpenBSD: x509.c,v 1.67 2023/03/10 12:02:11 job Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Claudio Jeker
@@ -485,6 +485,26 @@ x509_get_sia(X509 *x, const char *fn, char **sia)
 return 0;
 }

+/*
+ * Extract the notBefore of a certificate.
+ */
+int
+x509_get_notbefore(X509 *x, const char *fn, time_t *tt)
+{
+ const ASN1_TIME *at;
+
+ at = X509_get0_notBefore(x);
+ if (at == NULL) {
+ warnx("%s: X509_get0_notBefore failed", fn);
+ return 0;
+ }
+ if (!x509_get_time(at, tt)) {
+ warnx("%s: ASN1_time_parse failed", fn);
+ return 0;
+ }
+ return 1;
+}
+
 /*
  * Extract the expire time (not-after) of a certificate.
  */
-- 
2.20.1
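Review bot: x509_get_notbefore's header comment names what is extracted but not the contract callers rely on, and the new body is, apart from the accessor and the warning text, a copy of the code the callers just removed for notAfter; the comment should read `Extract the notBefore of a certificate. Returns 1 and stores the time in *tt on success, or logs a warning naming fn and returns 0 when the field is absent or x509_get_time() rejects it.` Since x509_get_expire, which starts right after this hunk, appears to follow the same shape, both could delegate to one static helper that takes the ASN1_TIME and the accessor name, so a future change to how times are validated lands in one place. The `at == NULL` test is defensive rather than required by the LibreSSL accessor as far as this hunk shows, which is fine to keep but worth a one-line comment so nobody later removes it as dead code.
```c
/* … unchanged: x509_get_sia … */

/*
 * Parse one validity time; `which` names the accessor for the warning.
 * Returns 1 and sets *tt, or warns and returns 0.
 */
static int
x509_get_validity_time(const ASN1_TIME *at, const char *which,
    const char *fn, time_t *tt)
{
	if (at == NULL) {
		warnx("%s: X509_get0_%s failed", fn, which);
		return 0;
	}
	if (!x509_get_time(at, tt)) {
		warnx("%s: ASN1_time_parse failed", fn);
		return 0;
	}
	return 1;
}

/*
 * Extract the notBefore of a certificate.
 * Returns 1 and stores the time in *tt, or warns and returns 0.
 */
int
x509_get_notbefore(X509 *x, const char *fn, time_t *tt)
{
	return x509_get_validity_time(X509_get0_notBefore(x), "notBefore",
	    fn, tt);
}
```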