I know I shouldn't have left this until now, but I'd quite like to
commit this change I've accidentally left lying around, which allows a
certificate age check:
Index: apps/x509.c
===================================================================
RCS file: /e/openssl/cvs/openssl/apps/x509.c,v
retrieving revision 1.39
diff -u -r1.39 x509.c
--- apps/x509.c 2000/02/26 08:36:40 1.39
+++ apps/x509.c 2000/02/27 17:07:21
@@ -113,6 +113,8 @@
" -addreject arg - reject certificate for a given purpose\n",
" -setalias arg - set certificate alias\n",
" -days arg - How long till expiry of a signed certificate - def
30 days\n",
+" -checkend arg - check whether the cert expires in the next arg
seconds\n",
+" exit 1 if so, 0 if not\n",
" -signkey arg - self sign cert with arg\n",
" -x509toreq - output a certification request object\n",
" -req - input is a certificate request, sign and
output.\n",
@@ -173,6 +175,7 @@
LHASH *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin =
NULL;
int need_rand = 0;
+ int checkend=0,checkoffset=0;
reqfile=0;
@@ -353,6 +356,12 @@
startdate= ++num;
else if (strcmp(*argv,"-enddate") == 0)
enddate= ++num;
+ else if (strcmp(*argv,"-checkend") == 0)
+ {
+ if (--argc < 1) goto bad;
+ checkoffset=atoi(*(++argv));
+ checkend=1;
+ }
else if (strcmp(*argv,"-noout") == 0)
noout= ++num;
else if (strcmp(*argv,"-trustout") == 0)
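Review bot: `checkoffset=atoi(*(++argv))` accepts any non-numeric argument silently as 0, so a mistyped value such as `-checkend 1d` turns the option into an "already expired?" check with no diagnostic, unlike the other option errors that jump to `bad`. A `strtol` conversion with an end-pointer check keeps the same interface and rejects garbage: `char *end; long v = strtol(*(++argv), &end, 10);` then `if (end == *argv || *end != '\0') goto bad;` and `checkoffset = (int)v;`. A negative argument is also accepted and shifts the comparison into the past; if that is intentional it deserves a one-line comment next to the assignment, otherwise `v < 0` belongs in the same guard. The enclosing option loop starts before this hunk.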
@@ -825,6 +834,24 @@
noout=1;
}
}
+ }
+
+ if(checkend)
+ {
+ time_t t=ASN1_UTCTIME_get(X509_get_notAfter(x));
+ time_t tnow=time(NULL);
+
+ if(tnow+checkoffset > t)
+ {
+ BIO_printf(out,"Certificate will expire\n");
+ ret=1;
+ }
+ else
+ {
+ BIO_printf(out,"Certificate will not expire\n");
+ ret=0;
+ }
+ goto end;
}
if (noout)
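Review bot: `ASN1_UTCTIME_get(X509_get_notAfter(x))` assumes the notAfter field is a UTCTime; if that field can also be a GeneralizedTime (four-digit year, which X.509 uses for dates from 2050 on), the two-digit parser reads the wrong offsets and the comparison `tnow+checkoffset > t` becomes meaningless, possibly printing "Certificate will not expire" for one that has. Checking the field's type before the call and treating anything else as a failure, e.g. `if (X509_get_notAfter(x)->type != V_ASN1_UTCTIME) { BIO_printf(out,"Unsupported notAfter time format\n"); ret=1; goto end; }`, keeps the check fail-closed. Since `ASN1_UTCTIME_get` returns a plain `time_t` with no error indication, a malformed time cannot be distinguished from a real one here either; a short comment above `if(checkend)` should state that the result is only meaningful for a well-formed UTCTime. The enclosing function begins before this hunk.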
Index: crypto/asn1/a_utctm.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/asn1/a_utctm.c,v
retrieving revision 1.10
diff -u -r1.10 a_utctm.c
--- crypto/asn1/a_utctm.c 1999/10/23 09:19:42 1.10
+++ crypto/asn1/a_utctm.c 2000/02/27 17:07:22
@@ -264,3 +264,32 @@
#endif
return(s);
}
+
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
+ {
+ struct tm tm;
+ int offset;
+
+ memset(&tm,'\0',sizeof tm);
+
+#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+ tm.tm_year=g2(s->data);
+ if(tm.tm_year < 50)
+ tm.tm_year+=100;
+ tm.tm_mon=g2(s->data+2)-1;
+ tm.tm_mday=g2(s->data+4);
+ tm.tm_hour=g2(s->data+6);
+ tm.tm_min=g2(s->data+8);
+ tm.tm_sec=g2(s->data+10);
+ if(s->data[12] == 'Z')
+ offset=0;
+ else
+ {
+ offset=g2(s->data+13)*60+g2(s->data+15);
+ if(s->data[12] == '-')
+ offset= -offset;
+ }
+#undef g2
+
+ return timegm(&tm)-offset*60;
+ }
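Review bot: `ASN1_UTCTIME_get` indexes `s->data` up to position 16 (`g2(s->data+15)`) without consulting `s->length` or the string's format, so a short or malformed UTCTime, which a certificate from an untrusted party can carry, is read past the end of its buffer. The existing validator `ASN1_UTCTIME_check` (declared in asn1.h in this same patch) can gate the parse: `if (!ASN1_UTCTIME_check((ASN1_UTCTIME *)s)) return (time_t)-1;` — the cast is needed because that prototype is not const-qualified, and a header comment on the new function should say that `(time_t)-1` means "unparseable", since callers cannot otherwise tell it from a valid time. If the validator admits the UTCTime form without seconds (YYMMDDHHMMZ), `tm.tm_sec=g2(s->data+10)` would then read the 'Z' or sign character as digits, so the seconds field should be parsed only when `s->data[10]` is a digit. `timegm` is not in C89 or POSIX, so the build may need a fallback on platforms that lack it.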
Index: crypto/asn1/asn1.h
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/asn1/asn1.h,v
retrieving revision 1.60
diff -u -r1.60 asn1.h
--- crypto/asn1/asn1.h 2000/02/26 19:25:25 1.60
+++ crypto/asn1/asn1.h 2000/02/27 17:07:22
@@ -579,6 +579,7 @@
int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str);
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME
*s,time_t t);
--
SECURE HOSTING AT THE BUNKER: http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
Coming to ApacheCon? http://ApacheCon.Com/