hi , attached is a minor patch to apps/x509.c. The patch allows the user to specify the validity of a certificate in hours and minutes (next to days). This is esp useful when creating grid/RFC3820 proxies which typically have a duration of 12 hours.
regards, JJK / Jan Just Keijser ------------------------------------------------------------------------ --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200 +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200 @@ -128,6 +128,7 @@ " -addreject arg - reject certificate for a given purpose\n", " -setalias arg - set certificate alias\n", " -days arg - How long till expiry of a signed certificate - def 30 days\n", +" -valid HH:MM - How long till expiry of a signed certificate\n", " -checkend arg - check whether the cert expires in the next arg seconds\n", " exit 1 if so, 0 if not\n", " -signkey arg - self sign cert with arg\n", @@ -154,12 +155,12 @@ }; static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest, +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext, const EVP_MD *digest, CONF *conf, char *section); static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest, X509 *x,X509 *xca,EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, - char *serial, int create ,int days, int clrext, + char *serial, int create ,int minutes, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); static int reqfile=0; @@ -194,7 +195,7 @@ int ocsp_uri=0; int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; int C=0; - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0; int pprint = 0; const char **pp; X509_STORE *ctx=NULL; @@ -292,6 +293,26 @@ goto bad; } } + else if (strcmp(*argv,"-valid") == 0) + { + if (--argc < 1) goto bad; + + char *delim = strchr(*(++argv), ':'); + if (delim) + { + *delim = '\0'; + delim++; + minutes = atoi( delim ); + } + int hours = atoi( *argv ); + minutes = 60 * hours + minutes; + + if (minutes == 0) + { + BIO_printf(STDout,"bad -valid specification\n"); + goto bad; + } + } else if (strcmp(*argv,"-passin") == 0) { if (--argc < 1) goto bad; @@ -511,6 +532,10 @@ goto end; } + if (minutes == 0) + { + minutes = 24*60*days; + } if (!X509_STORE_set_default_paths(ctx)) { ERR_print_errors(bio_err); @@ -964,7 +989,7 @@ } assert(need_rand); - if (!sign(x,Upkey,days,clrext,digest, + if (!sign(x,Upkey,minutes,clrext,digest, extconf, extsect)) goto end; } else if (CA_flag == i) @@ -982,7 +1007,7 @@ assert(need_rand); if (!x509_certify(ctx,CAfile,digest,x,xca, CApkey, sigopts, - CAserial,CA_createserial,days, clrext, + CAserial,CA_createserial,minutes, clrext, extconf, extsect, sno)) goto end; } @@ -1148,7 +1173,7 @@ X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, char *serialfile, int create, - int days, int clrext, CONF *conf, char *section, + int minutes, int clrext, CONF *conf, char *section, ASN1_INTEGER *sno) { int ret=0; @@ -1191,7 +1216,7 @@ goto end; /* hardwired expired */ - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL) goto end; if (clrext) @@ -1251,7 +1276,7 @@ } /* self sign */ -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext, const EVP_MD *digest, CONF *conf, char *section) { @@ -1269,7 +1294,7 @@ /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ /* 28 days to be certified */ - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL) + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL) goto err; if (!X509_set_pubkey(x,pkey)) goto err; ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org