pki: Support absolute --not-before/after issued certificate lifetimes
parent
aa8732eb68
commit
d6e921181a
|
@ -29,7 +29,7 @@
|
|||
/**
|
||||
* Maximum number of options in a command (+3)
|
||||
*/
|
||||
#define MAX_OPTIONS 32
|
||||
#define MAX_OPTIONS 36
|
||||
|
||||
/**
|
||||
* Maximum number of usage summary lines (+1)
|
||||
|
|
|
@ -72,8 +72,8 @@ static int issue()
|
|||
int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
|
||||
chunk_t serial = chunk_empty;
|
||||
chunk_t encoding = chunk_empty;
|
||||
time_t lifetime = 1095;
|
||||
time_t not_before, not_after;
|
||||
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
|
||||
char *datenb = NULL, *datena = NULL, *dateform = NULL;
|
||||
x509_flag_t flags = 0;
|
||||
x509_t *x509;
|
||||
x509_cdp_t *cdp = NULL;
|
||||
|
@ -132,13 +132,22 @@ static int issue()
|
|||
san->insert_last(san, identification_create_from_string(arg));
|
||||
continue;
|
||||
case 'l':
|
||||
lifetime = atoi(arg);
|
||||
lifetime = atoi(arg) * 24 * 60 * 60;
|
||||
if (!lifetime)
|
||||
{
|
||||
error = "invalid --lifetime value";
|
||||
goto usage;
|
||||
}
|
||||
continue;
|
||||
case 'D':
|
||||
dateform = arg;
|
||||
continue;
|
||||
case 'F':
|
||||
datenb = arg;
|
||||
continue;
|
||||
case 'T':
|
||||
datena = arg;
|
||||
continue;
|
||||
case 's':
|
||||
hex = arg;
|
||||
continue;
|
||||
|
@ -285,6 +294,12 @@ static int issue()
|
|||
error = "--cakey or --keyid is required";
|
||||
goto usage;
|
||||
}
|
||||
if (!calculate_lifetime(dateform, datenb, datena, lifetime,
|
||||
¬_before, ¬_after))
|
||||
{
|
||||
error = "invalid --not-before/after datetime";
|
||||
goto usage;
|
||||
}
|
||||
if (dn && *dn)
|
||||
{
|
||||
id = identification_create_from_string(dn);
|
||||
|
@ -455,9 +470,6 @@ static int issue()
|
|||
chunk_from_chars(ASN1_SEQUENCE, 0));
|
||||
}
|
||||
|
||||
not_before = time(NULL);
|
||||
not_after = not_before + lifetime * 24 * 60 * 60;
|
||||
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
|
||||
BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
|
||||
|
@ -553,6 +565,9 @@ static void __attribute__ ((constructor))reg()
|
|||
{"dn", 'd', 1, "distinguished name to include as subject"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
{"not-before", 'F', 1, "date/time the validity of the cert starts"},
|
||||
{"not-after", 'T', 1, "date/time the validity of the cert ends"},
|
||||
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
|
||||
{"serial", 's', 1, "serial number in hex, default: random"},
|
||||
{"ca", 'b', 0, "include CA basicConstraint, default: no"},
|
||||
{"pathlen", 'p', 1, "set path length constraint"},
|
||||
|
|
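Review bot: `lifetime = atoi(arg) * 24 * 60 * 60;` in the `case 'l':` hunk now multiplies in `int` before widening to `time_t`, so any --lifetime larger than INT_MAX/86400 (about 24855 days) is signed overflow and therefore undefined behaviour, whereas the line this commit removes, `not_after = not_before + lifetime * 24 * 60 * 60;`, did the multiplication in `time_t`. The `if (!lifetime)` guard on the next line also passes negative values and inputs with trailing garbage, since atoi() reports neither. Suggest `lifetime = (time_t)atoi(arg) * 24 * 60 * 60;` followed by `if (lifetime <= 0)`, or strtol() with endptr and ERANGE checks if the goal is to reject malformed values outright; the default `1095 * 24 * 60 * 60` on the declaration line fits in int and is fine. The `¬_before, ¬_after` arguments in the calculate_lifetime() hunk look like an HTML-entity rendering of `&not_before, &not_after` rather than a defect in the source, but that is inferred from the page, not visible in the code. The body of issue() starts and ends outside these hunks.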