On 15 Jul 2014 11:06, "Jan Just Keijser via RT" <r...@openssl.org> wrote: > > Hi Richard, > > On 15/07/14 10:56, Richard Levitte via RT wrote: > > I do like the idea, and definitely see the need for this. > > A nit pick, though.... '-valid' as a option name is a bit confusing, I'd > > personally expect it to take a full blown time argument -- something like > > DDD-HH:MM -- and not just hours and minutes. Maybe '-time' or something like > > that. That or actually have '-valid' take the full blown argument (thereby > > replacing '-days' in the long run). > > > thanks for picking this up; the name '-valid' as well as the format > "HH:MM" came from the Globus Toolkit 'grid-proxy-init' command, which > uses the same syntax. I agree that the name might be a bit confusing. If > I understand you correctly you're suggesting to use > -valid DDD-HH:MM > (I'm using '-valid' here for lack of a better name right now) where > anything before the hyphen is the number of days, and anything after it > is the time in HH:MM format? It should be possible to specify HH > 24, > and we could also support MM > 60 (e.g -valid 0-0:1440 == -valid 0-24:00 > == -valid 1-0:00 == -days 1) >
We should also support things like -valid 1-24:70 and -valid 2-1:10. > but then the syntax > -valid 0-24:00 > seems confusing as well ... or we could use logic as follows: > > if arg contains hyphen then anything before it is #days, anything after > it is time in HH:MM format > if arg contains no hyphen and no colon then it's the number of days > if arg contains no hyphen but it does contain a colon then #days = 0 and > the entire argument is a time in HH:MM format > > > suggestions? > > JJK / Jan Just Keijser > Nikhef > Amsterdam > > > > On Sun Jul 13 20:13:28 2014, janj...@nikhef.nl wrote: > >> hi , > >> > >> attached is a minor patch to apps/x509.c. The patch allows the user to > >> specify the validity of a certificate in hours and minutes (next to > >> days). This is esp useful when creating grid/RFC3820 proxies which > >> typically have a duration of 12 hours. > >> > >> regards, > >> > >> JJK / Jan Just Keijser > >> > >> > >> ------------------------------------------------------------------------ > >> > >> --- openssl-1.0.1c/apps/x509.c 2011-10-10 01:13:46.000000000 +0200 > >> +++ openssl-1.0.1c-jjk/apps/x509.c 2012-08-09 09:17:37.783134860 +0200 > >> @@ -128,6 +128,7 @@ > >> " -addreject arg - reject certificate for a given purpose\n", > >> " -setalias arg - set certificate alias\n", > >> " -days arg - How long till expiry of a signed certificate - > >> def 30 days\n", > >> +" -valid HH:MM - How long till expiry of a signed certificate\n", > >> " -checkend arg - check whether the cert expires in the next arg > >> seconds\n", > >> " exit 1 if so, 0 if not\n", > >> " -signkey arg - self sign cert with arg\n", 
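Review bot: The new usage line `-valid HH:MM` in the `@@ -128` hunk does not tell the user that it overrides `-days` (the later `@@ -511` hunk makes `-days` apply only when `-valid` was not given) or that HH is not limited to 24, so the two options look independent when they are not. State both in the help string, e.g. `" -valid HH:MM - How long till expiry of a signed certificate, in hours:minutes (overrides -days)\n"`. The usage table continues outside the hunk.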
> >> @@ -154,12 +155,12 @@ > >> }; > >> > >> static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx); > >> -static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const > >> EVP_MD *digest, > >> +static int sign (X509 *x, EVP_PKEY *pkey,int minutes,int clrext, > >> const EVP_MD *digest, > >> CONF *conf, char *section); > >> static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD > >> *digest, > >> X509 *x,X509 *xca,EVP_PKEY *pkey, > >> STACK_OF(OPENSSL_STRING) *sigopts, > >> - char *serial, int create ,int days, int clrext, > >> + char *serial, int create ,int minutes, int clrext, > >> CONF *conf, char *section, ASN1_INTEGER *sno); > >> static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); > >> static int reqfile=0; > >> @@ -194,7 +195,7 @@ > >> int ocsp_uri=0; > >> int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0; > >> int C=0; > >> - int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0; > >> + int x509req=0,days=DEF_DAYS,minutes=0,modulus=0,pubkey=0; > >> int pprint = 0; > >> const char **pp; > >> X509_STORE *ctx=NULL; > >> @@ -292,6 +293,26 @@ > >> goto bad; > >> } > >> } > >> + else if (strcmp(*argv,"-valid") == 0) > >> + { > >> + if (--argc < 1) goto bad; > >> + > >> + char *delim = strchr(*(++argv), ':'); > >> + if (delim) > >> + { > >> + *delim = '\0'; > >> + delim++; > >> + minutes = atoi( delim ); > >> + } > >> + int hours = atoi( *argv ); > >> + minutes = 60 * hours + minutes; > >> + > >> + if (minutes == 0) > >> + { > >> + BIO_printf(STDout,"bad -valid specification\n"); > >> + goto bad; > >> + } > >> + } > >> else if (strcmp(*argv,"-passin") == 0) > >> { > >> if (--argc < 1) goto bad; > >> @@ -511,6 +532,10 @@ > >> goto end; > >> } > >> > >> + if (minutes == 0) > >> + { > >> + minutes = 24*60*days; > >> + } > >> if (!X509_STORE_set_default_paths(ctx)) > >> { > >> ERR_print_errors(bio_err); 
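Review bot: The `-valid` parser in the `@@ -292` hunk accepts whatever `atoi` tolerates: `-valid -5` or `-valid 12:xyz` pass silently (the only rejection is a total of exactly zero), a negative total reaches `X509_gmtime_adj` and produces a notAfter earlier than notBefore, and nothing bounds the value, so the later `(long)60*minutes` can overflow where `long` is 32-bit. Parse with `strtol`, require the whole argument to be consumed, reject negatives and bound the total, as below (this needs `errno` and `INT_MAX`, so `<errno.h>` and `<limits.h>` must be in scope — add them if x509.c does not already include them). The `@@ -511` hunk on this line has a related problem: `minutes = 24*60*days;` multiplies in `int`, whereas the `(long)60*60*24*days` it replaces in sign() computed in `long`, so a large `-days` value now overflows a signed int (undefined behaviour); keep the product in `long`, or check `days <= INT_MAX / (24*60)` before it. Separately, `char *delim` and `int hours` are declared after statements, which the surrounding code appears to avoid; moving the declarations to the top of the brace block keeps the file's C89-style layout.
```c
else if (strcmp(*argv,"-valid") == 0)
    {
    char *end;
    long hours, mins = 0;
    if (--argc < 1) goto bad;
    argv++;
    errno = 0;
    hours = strtol(*argv, &end, 10);
    if (end == *argv || errno == ERANGE || hours < 0)
        goto bad;
    if (*end == ':')
        {
        const char *mstart = end + 1;
        mins = strtol(mstart, &end, 10);
        if (end == mstart || errno == ERANGE || mins < 0)
            goto bad;
        }
    /* whole argument consumed, total > 0, and small enough that
     * the later (long)60*minutes cannot overflow */
    if (*end != '\0' || hours > (INT_MAX - mins) / 60 || 60 * hours + mins == 0)
        {
        BIO_printf(STDout,"bad -valid specification\n");
        goto bad;
        }
    minutes = (int)(60 * hours + mins);
    }
/* … unchanged: -passin and the remaining option branches … */
```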
> >> @@ -964,7 +989,7 @@ > >> } > >> > >> assert(need_rand); > >> - if (!sign(x,Upkey,days,clrext,digest, > >> + if (!sign(x,Upkey,minutes,clrext,digest, > >> extconf, extsect)) goto end; > >> } > >> else if (CA_flag == i) > >> @@ -982,7 +1007,7 @@ > >> assert(need_rand); > >> if (!x509_certify(ctx,CAfile,digest,x,xca, > >> CApkey, sigopts, > >> - CAserial,CA_createserial,days, clrext, > >> + CAserial,CA_createserial,minutes, clrext, > >> extconf, extsect, sno)) > >> goto end; > >> } > >> @@ -1148,7 +1173,7 @@ > >> X509 *x, X509 *xca, EVP_PKEY *pkey, > >> STACK_OF(OPENSSL_STRING) *sigopts, > >> char *serialfile, int create, > >> - int days, int clrext, CONF *conf, char *section, > >> + int minutes, int clrext, CONF *conf, char *section, > >> ASN1_INTEGER *sno) > >> { > >> int ret=0; > >> @@ -1191,7 +1216,7 @@ > >> goto end; > >> > >> /* hardwired expired */ > >> - if (X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL) == NULL) > >> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL) > >> goto end; > >> > >> if (clrext) > >> @@ -1251,7 +1276,7 @@ > >> } > >> > >> /* self sign */ > >> -static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const > >> EVP_MD *digest, > >> +static int sign(X509 *x, EVP_PKEY *pkey, int minutes, int clrext, > >> const EVP_MD *digest, > >> CONF *conf, char *section) > >> { > >> > >> @@ -1269,7 +1294,7 @@ > >> /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ > >> /* 28 days to be certified */ > >> > >> - if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == > >> NULL) > >> + if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes) == NULL) > >> goto err; > >> > >> if (!X509_set_pubkey(x,pkey)) goto err; > > > > -- > > Richard Levitte > > levi...@openssl.org > > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org
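Review bot: sign() and x509_certify() now take a minutes count but neither guards it: `X509_gmtime_adj(X509_get_notAfter(x),(long)60*minutes)` in the `@@ -1191` and `@@ -1269` hunks accepts `minutes <= 0` and sets notAfter at or before notBefore, so a `if (minutes <= 0) goto err;` (`goto end` in x509_certify) before the call would be a cheap defence that does not depend on the option parser having validated the value. The comment `/* 28 days to be certified */` just above the changed line in sign() was already stale and is now wrong on the unit as well; replace it with `/* validity period supplied by the caller, in minutes */`. Both function bodies extend outside the hunks.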