Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
authorTobias Brunner <tobias@strongswan.org>
Fri, 23 Dec 2011 17:01:31 +0000 (18:01 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 23 Dec 2011 17:07:39 +0000 (18:07 +0100)
src/libstrongswan/asn1/asn1.c
src/libstrongswan/asn1/asn1.h
src/libstrongswan/crypto/pkcs7.c
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c

index 6ce818f..1497840 100644 (file)
@@ -426,9 +426,8 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 /**
  *  Convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
  */
-chunk_t asn1_from_time(const time_t *time)
+chunk_t asn1_from_time(const time_t *time, asn1_t type)
 {
-       asn1_t type;
        int offset;
        const char *format;
        char buf[BUF_LEN];
@@ -437,8 +436,10 @@ chunk_t asn1_from_time(const time_t *time)
 
        gmtime_r(time, &t);
        /* RFC 5280 says that dates through the year 2049 MUST be encoded as UTCTIME
-        * and dates in 2050 or later MUST be encoded as GENERALIZEDTIME */
-       type = (t.tm_year < 150) ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME;
+        * and dates in 2050 or later MUST be encoded as GENERALIZEDTIME. We only
+        * enforce the latter to avoid overflows but allow callers to force the
+        * encoding to GENERALIZEDTIME */
+       type = (t.tm_year >= 150) ? ASN1_GENERALIZEDTIME : type;
        if (type == ASN1_GENERALIZEDTIME)
        {
                format = "%04d%02d%02d%02d%02d%02dZ";
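Review bot: The new guard on the `type =` line only clamps the upper end of the UTCTIME range; a caller passing ASN1_UTCTIME for a date before 1950 (tm_year < 50) is still honoured, and since RFC 5280 §4.1.2.5.1 interprets a two-digit UTCTime year below 50 as 20YY, such a value would round-trip to a date a century later. If the UTCTIME branch below this hunk (outside the hunk) derives its year with a modulo-100 of tm_year, the guard should cover both ends: `type = (t.tm_year < 50 || t.tm_year >= 150) ? ASN1_GENERALIZEDTIME : type;`. The function also accepts any asn1_t for `type` without validation, so a value that is neither ASN1_UTCTIME nor ASN1_GENERALIZEDTIME silently falls through to the non-GENERALIZEDTIME path; documenting or rejecting that in the header would avoid surprises for future callers. The remainder of asn1_from_time lies outside this hunk.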
index d5468a4..15ffff6 100644 (file)
@@ -191,12 +191,13 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type);
 /**
  * Converts time_t to an ASN.1 UTCTIME or GENERALIZEDTIME string
  *
- * The type is automatically chosen based on the encoded year.
+ * @note The type is automatically changed to GENERALIZEDTIME if needed
  *
  * @param time         time_t in UTC
+ * @param type         ASN1_UTCTIME or ASN1_GENERALIZEDTIME
  * @return                     body of an ASN.1 code time object
  */
-chunk_t asn1_from_time(const time_t *time);
+chunk_t asn1_from_time(const time_t *time, asn1_t type);
 
 /**
  * Parse an ASN.1 UTCTIME or GENERALIZEDTIME object
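Review bot: The added `@note` says the type is changed "if needed" without stating the condition, which is the one fact a caller needs when choosing between the two encodings; suggest `@note ASN1_UTCTIME is promoted to ASN1_GENERALIZEDTIME for dates in 2050 or later, as required by RFC 5280 (the caller's choice is never demoted).` The `@param type` line could likewise state that no other asn1_t value is accepted, since the implementation does not validate it.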
index 578021a..a4d0e71 100644 (file)
@@ -825,7 +825,7 @@ METHOD(pkcs7_t, build_signedData, bool,
 
                        /* take the current time as signingTime */
                        time_t now = time(NULL);
-                       chunk_t signingTime = asn1_from_time(&now);
+                       chunk_t signingTime = asn1_from_time(&now, ASN1_UTCTIME);
 
                        chunk_t messageDigest, attributes;
 
index 7492aeb..a2cb589 100644 (file)
@@ -527,8 +527,8 @@ static chunk_t build_v2_form(private_x509_ac_t *this)
 static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
 {
        return asn1_wrap(ASN1_SEQUENCE, "mm",
-                               asn1_from_time(&this->notBefore),
-                               asn1_from_time(&this->notAfter));
+                               asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
+                               asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
 }
 
 
index 25646a7..f828c92 100644 (file)
@@ -2316,8 +2316,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                asn1_algorithmIdentifier(cert->algorithm),
                issuer->get_encoding(issuer),
                asn1_wrap(ASN1_SEQUENCE, "mm",
-                       asn1_from_time(&cert->notBefore),
-                       asn1_from_time(&cert->notAfter)),
+                       asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
+                       asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
                subject->get_encoding(subject),
                key_info, extensions);
 
index f401413..7bcca16 100644 (file)
@@ -736,7 +736,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
                }
                revoked = asn1_wrap(ASN1_SEQUENCE, "mmm",
                                                        asn1_integer("c", serial),
-                                                       asn1_from_time(&date),
+                                                       asn1_from_time(&date, ASN1_UTCTIME),
                                                        entry_ext);
                certList = chunk_cat("mm", certList, revoked);
        }
@@ -773,8 +773,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
                                                        ASN1_INTEGER_1,
                                                        asn1_algorithmIdentifier(this->algorithm),
                                                        this->issuer->get_encoding(this->issuer),
-                                                       asn1_from_time(&this->thisUpdate),
-                                                       asn1_from_time(&this->nextUpdate),
+                                                       asn1_from_time(&this->thisUpdate, ASN1_UTCTIME),
+                                                       asn1_from_time(&this->nextUpdate, ASN1_UTCTIME),
                                                        asn1_wrap(ASN1_SEQUENCE, "m", certList),
                                                        extensions);