pki: Support absolute --not-before/after self-signed certificate lifetimes
parent
6f90e8e664
commit
aa8732eb68
|
@ -60,8 +60,8 @@ static int self()
|
|||
int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
|
||||
chunk_t serial = chunk_empty;
|
||||
chunk_t encoding = chunk_empty;
|
||||
time_t lifetime = 1095;
|
||||
time_t not_before, not_after;
|
||||
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
|
||||
char *datenb = NULL, *datena = NULL, *dateform = NULL;
|
||||
x509_flag_t flags = 0;
|
||||
x509_cert_policy_t *policy = NULL;
|
||||
char *arg;
|
||||
|
@ -114,14 +114,24 @@ static int self()
|
|||
case 'a':
|
||||
san->insert_last(san, identification_create_from_string(arg));
|
||||
continue;
|
||||
continue;
|
||||
case 'l':
|
||||
lifetime = atoi(arg);
|
||||
lifetime = atoi(arg) * 24 * 60 * 60;
|
||||
if (!lifetime)
|
||||
{
|
||||
error = "invalid --lifetime value";
|
||||
goto usage;
|
||||
}
|
||||
continue;
|
||||
case 'D':
|
||||
dateform = arg;
|
||||
continue;
|
||||
case 'F':
|
||||
datenb = arg;
|
||||
continue;
|
||||
case 'T':
|
||||
datena = arg;
|
||||
continue;
|
||||
case 's':
|
||||
hex = arg;
|
||||
continue;
|
||||
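Review bot: The new conversion `lifetime = atoi(arg) * 24 * 60 * 60;` does the multiplication in int before the result is widened to time_t, so a --lifetime above 24855 days overflows a 32-bit int (signed overflow, undefined behaviour), and because the only check that follows is `if (!lifetime)`, a negative or wrapped value such as `--lifetime -1` passes and yields a not_after earlier than not_before. The removed line in the later hunk scaled the value in time_t at the call site, so on 64-bit time_t platforms this is a regression rather than a pre-existing limit. Assign first and reject non-positive values before scaling: `lifetime = atoi(arg);`, `if (lifetime <= 0)` with the existing error/goto, then `lifetime *= 24 * 60 * 60;`; strtol with an end-pointer check would additionally reject trailing garbage that atoi silently ignores, which seems worthwhile for a value that ends up in an issued certificate. self() begins and ends outside this hunk.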
|
@ -250,6 +260,12 @@ static int self()
|
|||
error = "--dn is required";
|
||||
goto usage;
|
||||
}
|
||||
if (!calculate_lifetime(dateform, datenb, datena, lifetime,
|
||||
¬_before, ¬_after))
|
||||
{
|
||||
error = "invalid --not-before/after datetime";
|
||||
goto usage;
|
||||
}
|
||||
id = identification_create_from_string(dn);
|
||||
if (id->get_type(id) != ID_DER_ASN1_DN)
|
||||
{
|
||||
|
@ -317,8 +333,6 @@ static int self()
|
|||
serial.ptr[0] &= 0x7F;
|
||||
rng->destroy(rng);
|
||||
}
|
||||
not_before = time(NULL);
|
||||
not_after = not_before + lifetime * 24 * 60 * 60;
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_SIGNING_KEY, private, BUILD_PUBLIC_KEY, public,
|
||||
BUILD_SUBJECT, id, BUILD_NOT_BEFORE_TIME, not_before,
|
||||
|
@ -406,6 +420,9 @@ static void __attribute__ ((constructor))reg()
|
|||
{"dn", 'd', 1, "subject and issuer distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"not-before", 'F', 1, "date/time the validity of the cert starts"},
|
||||
{"not-after", 'T', 1, "date/time the validity of the cert ends"},
|
||||
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
|
|