pki: Support absolute --not-before/after self-signed certificate lifetimes
authorMartin Willi <martin@revosec.ch>
Thu, 27 Mar 2014 14:45:32 +0000 (15:45 +0100)
committerMartin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 09:14:59 +0000 (11:14 +0200)
src/pki/commands/self.c

index 7d4bf1c..b684d54 100644 (file)
@@ -60,8 +60,8 @@ static int self()
        int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
        chunk_t serial = chunk_empty;
        chunk_t encoding = chunk_empty;
-       time_t lifetime = 1095;
-       time_t not_before, not_after;
+       time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+       char *datenb = NULL, *datena = NULL, *dateform = NULL;
        x509_flag_t flags = 0;
        x509_cert_policy_t *policy = NULL;
        char *arg;
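Review bot: `time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;` packs two uninitialised variables and an initialised one into a single declaration, and the `1095` default is now repeated in the help table further down where it can drift. I would keep `time_t not_before, not_after;` on its own line and initialise the lifetime from a named constant, e.g. `time_t lifetime = DEFAULT_LIFETIME_DAYS * 24 * 60 * 60;`, so the usage text and the default stay in step. The rest of self()'s declarations and body are outside this hunk.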
@@ -114,14 +114,24 @@ static int self()
                        case 'a':
                                san->insert_last(san, identification_create_from_string(arg));
                                continue;
+                               continue;
                        case 'l':
-                               lifetime = atoi(arg);
+                               lifetime = atoi(arg) * 24 * 60 * 60;
                                if (!lifetime)
                                {
                                        error = "invalid --lifetime value";
                                        goto usage;
                                }
                                continue;
+                       case 'D':
+                               dateform = arg;
+                               continue;
+                       case 'F':
+                               datenb = arg;
+                               continue;
+                       case 'T':
+                               datena = arg;
+                               continue;
                        case 's':
                                hex = arg;
                                continue;
@@ -250,6 +260,12 @@ static int self()
                error = "--dn is required";
                goto usage;
        }
+       if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+                                                       &not_before, &not_after))
+       {
+               error = "invalid --not-before/after datetime";
+               goto usage;
+       }
        id = identification_create_from_string(dn);
        if (id->get_type(id) != ID_DER_ASN1_DN)
        {
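Review bot: Nothing in this hunk checks that the computed `not_after` is later than `not_before`; whether calculate_lifetime() enforces that when both `--not-before` and `--not-after` are given is not visible here, so if it does not, an inverted validity window reaches the certificate builder unnoticed. A local guard right after the call would make the command self-sufficient: `if (not_after <= not_before) { error = "--not-after must be later than --not-before"; goto usage; }`. The single error string also covers a bad `--dateform`, which a user may find hard to diagnose; `"invalid --not-before/after datetime or --dateform"` would point at all three inputs. self()'s body continues beyond this hunk.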
@@ -317,8 +333,6 @@ static int self()
                serial.ptr[0] &= 0x7F;
                rng->destroy(rng);
        }
-       not_before = time(NULL);
-       not_after = not_before + lifetime * 24 * 60 * 60;
        cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
                                                BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
@@ -406,6 +420,9 @@ static void __attribute__ ((constructor))reg()
                        {"dn",                          'd', 1, "subject and issuer distinguished name"},
                        {"san",                         'a', 1, "subjectAltName to include in certificate"},
                        {"lifetime",            'l', 1, "days the certificate is valid, default: 1095"},
+                       {"not-before",          'F', 1, "date/time the validity of the cert starts"},
+                       {"not-after",           'T', 1, "date/time the validity of the cert ends"},
+                       {"dateform",            'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
                        {"serial",                      's', 1, "serial number in hex, default: random"},
                        {"ca",                          'b', 0, "include CA basicConstraint, default: no"},
                        {"pathlen",                     'p', 1, "set path length constraint"},
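Review bot: The documented default format `%d.%m.%y %T` uses a two-digit year, which strptime(3) resolves with a fixed window (POSIX maps 69-99 to 1969-1999 and 00-68 to 2000-2068), so a `--not-after` meant to land in 2069 or later silently becomes a 20th-century date and the certificate is issued already expired; the actual default lives in calculate_lifetime() outside this diff, so this only covers the help text. Either switch the default to `%d.%m.%Y %T` in both places, or make the limitation visible here: `{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T (two-digit year: 00-68 is 20xx)"}`. It would also help users to state whether `--lifetime` is ignored when `--not-after` is supplied, assuming that is what calculate_lifetime() does.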