wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Constify certificate and CRL time routines.

Browse source 
Update certificate and CRL time routines to match new standard.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2016-08-19 12:39:57 +01:00
parent c4fbed6c31
commit 568ce3a583
12 changed files with 115 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apps/apps.c
View file

@ -2604,7 +2604,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
goto err;
}
if (!X509_set_notBefore(x, tm))
if (!X509_set1_notBefore(x, tm))
goto err;
if (enddate == NULL) {
@ -2614,7 +2614,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
goto err;
}
if (!X509_set_notAfter(x, tm))
if (!X509_set1_notAfter(x, tm))
goto err;
rv = 1;

16
apps/ca.c
View file

@ -1100,13 +1100,13 @@ end_of_options:
if (tmptm == NULL)
goto end;
X509_gmtime_adj(tmptm, 0);
X509_CRL_set_lastUpdate(crl, tmptm);
X509_CRL_set1_lastUpdate(crl, tmptm);
if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
NULL)) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
goto end;
}
X509_CRL_set_nextUpdate(crl, tmptm);
X509_CRL_set1_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
@ -1377,7 +1377,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
{
X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
NULL;
ASN1_UTCTIME *tm;
const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
@ -1703,7 +1703,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (enddate != NULL) {
int tdays;
ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret));
days = tdays;
}
@ -1789,7 +1789,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
}
BIO_printf(bio_err, "Certificate is to be certified until ");
ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
ASN1_TIME_print(bio_err, X509_get0_notAfter(ret));
if (days)
BIO_printf(bio_err, " (%ld days)", days);
BIO_printf(bio_err, "\n");
@ -1822,7 +1822,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
tm = X509_get_notAfter(ret);
tm = X509_get0_notAfter(ret);
row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
@ -2021,7 +2021,7 @@ static int check_time_format(const char *str)
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
{
ASN1_UTCTIME *tm = NULL;
const ASN1_TIME *tm = NULL;
char *row[DB_NUMBER], **rrow, **irow;
char *rev_str = NULL;
BIGNUM *bn = NULL;
@ -2054,7 +2054,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
tm = X509_get_notAfter(x509);
tm = X509_get0_notAfter(x509);
row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';

6
apps/crl.c
View file

@ -285,13 +285,13 @@ int crl_main(int argc, char **argv)
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
if (X509_CRL_get0_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");

4
apps/s_cb.c
View file

@ -82,13 +82,13 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
BIO_printf(bio_err, "notBefore=");
ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
BIO_printf(bio_err, "notAfter=");
ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:

6
apps/x509.c
View file

@ -746,11 +746,11 @@ int x509_main(int argc, char **argv)
X509_print_ex(out, x, nmflag, certflag);
} else if (startdate == i) {
BIO_puts(out, "notBefore=");
ASN1_TIME_print(out, X509_get_notBefore(x));
ASN1_TIME_print(out, X509_get0_notBefore(x));
BIO_puts(out, "\n");
} else if (enddate == i) {
BIO_puts(out, "notAfter=");
ASN1_TIME_print(out, X509_get_notAfter(x));
ASN1_TIME_print(out, X509_get0_notAfter(x));
BIO_puts(out, "\n");
} else if (fingerprint == i) {
int j;
@ -837,7 +837,7 @@ int x509_main(int argc, char **argv)
if (checkend) {
time_t tcheck = time(NULL) + checkoffset;
if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) {
BIO_printf(out, "Certificate will expire\n");
ret = 1;
} else {

6
crypto/x509/t_crl.c
View file

@ -51,10 +51,10 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
BIO_printf(out, "%8sIssuer: %s\n", "", p);
OPENSSL_free(p);
BIO_printf(out, "%8sLast Update: ", "");
ASN1_TIME_print(out, X509_CRL_get_lastUpdate(x));
ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x));
BIO_printf(out, "\n%8sNext Update: ", "");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(out, X509_CRL_get_nextUpdate(x));
if (X509_CRL_get0_nextUpdate(x))
ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x));
else
BIO_printf(out, "NONE");
BIO_printf(out, "\n");

4
crypto/x509/t_x509.c
View file

@ -129,11 +129,11 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
goto err;
if (BIO_write(bp, " Not Before: ", 24) <= 0)
goto err;
if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
goto err;
if (BIO_write(bp, "\n Not After : ", 25) <= 0)
goto err;
if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;

18
crypto/x509/x509_set.c
View file

@ -71,14 +71,14 @@ int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm)
return (in != NULL);
}
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return x509_set1_time(&x->cert_info.validity.notBefore, tm);
}
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
@ -109,7 +109,18 @@ long X509_get_version(const X509 *x)
return ASN1_INTEGER_get(x->cert_info.version);
}
ASN1_TIME * X509_get_notBefore(const X509 *x)
const ASN1_TIME *X509_get0_notBefore(const X509 *x)
{
return x->cert_info.validity.notBefore;
}
const ASN1_TIME *X509_get0_notAfter(const X509 *x)
{
return x->cert_info.validity.notAfter;
}
#if OPENSSL_API_COMPAT < 0x10100000L
ASN1_TIME *X509_get_notBefore(const X509 *x)
{
return x->cert_info.validity.notBefore;
}
@ -118,6 +129,7 @@ ASN1_TIME *X509_get_notAfter(const X509 *x)
{
return x->cert_info.validity.notAfter;
}
#endif
int X509_get_signature_type(const X509 *x)
{

18
crypto/x509/x509_vfy.c
View file

@ -921,7 +921,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
else
ptime = NULL;
i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
@ -936,8 +936,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
return 0;
}
if (X509_CRL_get_nextUpdate(crl)) {
i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
if (X509_CRL_get0_nextUpdate(crl)) {
i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
if (i == 0) {
if (!notify)
@ -979,8 +979,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
/* If current CRL is equivalent use it if it is newer */
if (crl_score == best_score) {
int day, sec;
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
X509_CRL_get_lastUpdate(crl)) == 0)
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
X509_CRL_get0_lastUpdate(crl)) == 0)
continue;
/*
* ASN1_TIME_diff never returns inconsistent signs for |day|
@ -1646,7 +1646,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
else
ptime = NULL;
i = X509_cmp_time(X509_get_notBefore(x), ptime);
i = X509_cmp_time(X509_get0_notBefore(x), ptime);
if (i >= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
@ -1655,7 +1655,7 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
return 0;
i = X509_cmp_time(X509_get_notAfter(x), ptime);
i = X509_cmp_time(X509_get0_notAfter(x), ptime);
if (i <= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
@ -1983,9 +1983,9 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
goto memerr;
if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
goto memerr;
if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
goto memerr;
/* Set base CRL number: must be critical */

20
crypto/x509/x509cset.c
View file

@ -33,14 +33,14 @@ int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name)
return (X509_NAME_set(&x->crl.issuer, name));
}
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return x509_set1_time(&x->crl.lastUpdate, tm);
}
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
@ -80,16 +80,28 @@ long X509_CRL_get_version(const X509_CRL *crl)
return ASN1_INTEGER_get(crl->crl.version);
}
ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl)
const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl)
{
return crl->crl.lastUpdate;
}
ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl)
const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl)
{
return crl->crl.nextUpdate;
}
#if OPENSSL_API_COMPAT < 0x10100000L
ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl)
{
return crl->crl.lastUpdate;
}
ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl)
{
return crl->crl.nextUpdate;
}
#endif
X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl)
{
return crl->crl.issuer;

46
doc/crypto/X509_get_notBefore.pod
View file

@ -2,60 +2,67 @@
=head1 NAME
X509_get_notBefore, X509_get_notAfter, X509_set_notBefore,
X509_set_notAfter, X509_CRL_get_lastUpdate, X509_CRL_get_nextUpdate,
X509_CRL_set_lastUpdate, X509_CRL_set_nextUpdate - get or set certificate
or CRL dates
X509_get0_notBefore, X509_get_notBefore, X509_get0_notAfter, X509_get_notAfter,
X509_set1_notBefore, X509_set1_notAfter, X509_CRL_get0_lastUpdate,
X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate,
X509_CRL_set1_nextUpdate - get or set certificate or CRL dates
=head1 SYNOPSIS
#include <openssl/x509.h>
const ASN1_TIME *X509_get0_notBefore(const X509 *x);
const ASN1_TIME *X509_get0_notAfter(const X509 *x);
ASN1_TIME *X509_get_notBefore(const X509 *x);
ASN1_TIME *X509_get_notAfter(const X509 *x);
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl);
ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl);
const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
=head1 DESCRIPTION
X509_get_notBefore() and X509_get_notAfter() return the B<notBefore>
X509_get0_notBefore() and X509_get0_notAfter() return the B<notBefore>
and B<notAfter> fields of certificate B<x> respectively. The value
returned is an internal pointer which must not be freed up after
the call.
X509_set_notBefore() and X509_set_notAfter() set the B<notBefore>
X509_get_notBefore() and X509_get_notAfter() are similar to
X509_get0_notBefore() and X509_get0_notAfter() except they do not
return constant values. They are deprecated in OpenSSL 1.1.0
X509_set1_notBefore() and X509_set1_notAfter() set the B<notBefore>
and B<notAfter> fields of B<x> to B<tm>. Ownership of the passed
parameter B<tm> is not transferred by these functions so it must
be freed up after the call.
X509_CRL_get_lastUpdate() and X509_CRL_get_nextUpdate() return the
X509_CRL_get0_lastUpdate() and X509_CRL_get0_nextUpdate() return the
B<lastUpdate> and B<nextUpdate> fields of B<crl>. The value
returned is an internal pointer which must not be freed up after
the call. If the B<nextUpdate> field is absent from B<crl> then
B<NULL> is returned.
X509_CRL_set_lastUpdate() and X509_CRL_set_nextUpdate() set the B<lastUpdate>
X509_CRL_set1_lastUpdate() and X509_CRL_set1_nextUpdate() set the B<lastUpdate>
and B<nextUpdate> fields of B<crl> to B<tm>. Ownership of the passed parameter
B<tm> is not transferred by these functions so it must be freed up after the
call.
=head1 RETURN VALUES
X509_get_notBefore(), X509_get_notAfter() and X509_CRL_get_lastUpdate()
X509_get0_notBefore(), X509_get0_notAfter() and X509_CRL_get0_lastUpdate()
return a pointer to an B<ASN1_TIME> structure.
X509_CRL_get_lastUpdate() return a pointer to an B<ASN1_TIME> structure
X509_CRL_get0_lastUpdate() return a pointer to an B<ASN1_TIME> structure
or NULL if the B<lastUpdate> field is absent.
X509_set_notBefore(), X509_set_notAfter(), X509_CRL_set_lastUpdate() and
X509_CRL_set_nextUpdate() return 1 for success or 0 for failure.
X509_set1_notBefore(), X509_set1_notAfter(), X509_CRL_set1_lastUpdate() and
X509_CRL_set1_nextUpdate() return 1 for success or 0 for failure.
=head1 SEE ALSO
@ -80,6 +87,9 @@ L<X509_verify_cert(3)>
These functions are available in all versions of OpenSSL.
X509_get_notBefore() and X509_get_notAfter() were deprecated in OpenSSL
1.1.0
=head1 COPYRIGHT
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.

32
include/openssl/x509.h
View file

@ -622,13 +622,22 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name);
X509_NAME *X509_get_issuer_name(const X509 *a);
int X509_set_subject_name(X509 *x, X509_NAME *name);
X509_NAME *X509_get_subject_name(const X509 *a);
ASN1_TIME * X509_get_notBefore(const X509 *x);
int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
ASN1_TIME *X509_get_notAfter(const X509 *x);
int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
const ASN1_TIME * X509_get0_notBefore(const X509 *x);
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notBefore(const X509 *x))
int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
const ASN1_TIME *X509_get0_notAfter(const X509 *x);
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notAfter(const X509 *x))
int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
int X509_up_ref(X509 *x);
int X509_get_signature_type(const X509 *x);
# if OPENSSL_API_COMPAT < 0x10100000L
# define X509_set_notBefore X509_set1_notBefore
# define X509_set_notAfter X509_set1_notAfter
#endif
/*
* This one is only used so that a binary form can output, as in
* i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
@ -682,14 +691,21 @@ int X509_REQ_add1_attr_by_txt(X509_REQ *req,
int X509_CRL_set_version(X509_CRL *x, long version);
int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_sort(X509_CRL *crl);
int X509_CRL_up_ref(X509_CRL *crl);
# if OPENSSL_API_COMPAT < 0x10100000L
# define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
# define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
#endif
long X509_CRL_get_version(const X509_CRL *crl);
ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl);
ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl);
const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);