pki: Support absolute --this/next-update CRL lifetimes
authorMartin Willi <martin@revosec.ch>
Thu, 27 Mar 2014 14:56:20 +0000 (15:56 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:14:59 +0000 (11:14 +0200)
src/pki/commands/signcrl.c

index 4f9dd29..c9eebbf 100644 (file)
@@ -124,7 +124,8 @@ static int sign_crl()
        int serial_len = 0;
        crl_reason_t reason = CRL_REASON_UNSPECIFIED;
        time_t thisUpdate, nextUpdate, date = time(NULL);
-       time_t lifetime = 15;
+       time_t lifetime = 15 * 24 * 60 * 60;
+       char *datetu = NULL, *datenu = NULL, *dateform = NULL;
        linked_list_t *list, *cdps;
        enumerator_t *enumerator, *lastenum = NULL;
        x509_cdp_t *cdp;
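Review bot: `lifetime` now holds seconds, while the `--lifetime` option it is set from (and its help text) counts days, and nothing at the declaration on the new line says so. A short comment keeps the unit visible for the next reader, e.g. `time_t lifetime = 15 * 24 * 60 * 60; /* seconds; --lifetime is given in days */`. sign_crl's body continues outside this hunk.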
@@ -161,13 +162,22 @@ static int sign_crl()
                                lastupdate = arg;
                                continue;
                        case 'l':
-                               lifetime = atoi(arg);
+                               lifetime = atoi(arg) * 24 * 60 * 60;
                                if (!lifetime)
                                {
-                                       error = "invalid lifetime";
+                                       error = "invalid --lifetime value";
                                        goto usage;
                                }
                                continue;
+                       case 'D':
+                               dateform = arg;
+                               continue;
+                       case 'F':
+                               datetu = arg;
+                               continue;
+                       case 'T':
+                               datenu = arg;
+                               continue;
                        case 'z':
                                serial_len = read_serial(arg, serial, sizeof(serial));
                                if (serial_len < 0)
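Review bot: The new `lifetime = atoi(arg) * 24 * 60 * 60;` does the multiplication in int before the value is widened to time_t, so a `--lifetime` larger than about 24855 days is signed overflow, and a negative argument passes the `if (!lifetime)` check and ends up as a nextUpdate that precedes thisUpdate. Assigning first and rejecting non-positive values closes both: `lifetime = atoi(arg);`, `if (lifetime <= 0)` for the existing error block, then `lifetime *= 24 * 60 * 60;` after it. Parsing with strtol and checking the end pointer would additionally reject trailing junk that atoi silently ignores. The enclosing switch and sign_crl continue outside this hunk.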
@@ -275,6 +285,12 @@ static int sign_crl()
                error = "--cakey or --keyid is required";
                goto usage;
        }
+       if (!calculate_lifetime(dateform, datetu, datenu, lifetime,
+                                                       &thisUpdate, &nextUpdate))
+       {
+               error = "invalid --this/next-update datetime";
+               goto usage;
+       }
 
        ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                        BUILD_FROM_FILE, cacert, BUILD_END);
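Review bot: The new check only reports whether calculate_lifetime could parse the dates; unless that helper (not visible here) also enforces ordering, passing a `--this-update` later than `--next-update` signs a CRL whose nextUpdate precedes thisUpdate. I would reject that explicitly before any CA material is loaded: `if (nextUpdate <= thisUpdate) { error = "--next-update must be after --this-update"; goto usage; }`. sign_crl's body continues outside this hunk.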
@@ -321,9 +337,6 @@ static int sign_crl()
                goto error;
        }
 
-       thisUpdate = time(NULL);
-       nextUpdate = thisUpdate + lifetime * 24 * 60 * 60;
-
        if (basecrl)
        {
                lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
@@ -442,6 +455,9 @@ static void __attribute__ ((constructor))reg()
                        {"cakey",               'k', 1, "CA private key file"},
                        {"cakeyid",             'x', 1, "keyid on smartcard of CA private key"},
                        {"lifetime",    'l', 1, "days the CRL gets a nextUpdate, default: 15"},
+                       {"this-update", 'F', 1, "date/time the validity of the CRL starts"},
+                       {"next-update", 'T', 1, "date/time the validity of the CRL ends"},
+                       {"dateform",    'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
                        {"lastcrl",             'a', 1, "CRL of lastUpdate to copy revocations from"},
                        {"basecrl",             'b', 1, "base CRL to create a delta CRL for"},
                        {"crluri",              'u', 1, "freshest delta CRL URI to include"},