[openssl] master update
beldmit at gmail.com
beldmit at gmail.com
Fri Sep 11 11:33:04 UTC 2020
The branch master has been updated
via 64713cb10de05c2e3ac63300f4073b11f57287ba (commit)
from 0e60ce6334c86d271df5342029639048a635fefa (commit)
- Log -----------------------------------------------------------------
commit 64713cb10de05c2e3ac63300f4073b11f57287ba
Author: Chris Novakovic <chris at chrisn.me.uk>
Date: Thu Sep 3 23:42:56 2020 +0100
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the
lastUpdate and nextUpdate fields to be specified using the command line
options -crl_lastupdate and -crl_nextupdate respectively.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12784)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 6 +
apps/ca.c | 37 ++++--
apps/include/apps.h | 3 +
apps/lib/apps.c | 51 ++++++++
doc/man1/openssl-ca.pod.in | 20 ++-
test/recipes/80-test_ca.t | 203 ++++++++++++++++++++++++++++++-
test/recipes/80-test_ca_data/revoked.key | 27 ++++
7 files changed, 331 insertions(+), 16 deletions(-)
create mode 100644 test/recipes/80-test_ca_data/revoked.key
diff --git a/CHANGES.md b/CHANGES.md
index 0f6880d716..19cccb725d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1158,6 +1158,12 @@ OpenSSL 3.0
*Richard Levitte*
+ * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
+ allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
+ be set explicitly.
+
+ *Chris Novakovic*
+
* Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
improves application performance by removing data copies and providing
applications with zero-copy system calls such as sendfile and splice.
diff --git a/apps/ca.c b/apps/ca.c
index ff40a13d31..f6a928a0e8 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -155,7 +155,8 @@ typedef enum OPTION_choice {
OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
- OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
+ OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
+ OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
OPT_RAND_SERIAL,
@@ -241,6 +242,10 @@ const OPTIONS ca_options[] = {
"sets compromise time to val and the revocation reason to keyCompromise"},
{"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
"sets compromise time to val and the revocation reason to CACompromise"},
+ {"crl_lastupdate", OPT_CRL_LASTUPDATE, 's',
+ "Sets the CRL lastUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
+ {"crl_nextupdate", OPT_CRL_NEXTUPDATE, 's',
+ "Sets the CRL nextUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
{"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
{"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
{"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
@@ -262,7 +267,6 @@ int ca_main(int argc, char **argv)
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *out = NULL, *Sout = NULL;
ASN1_INTEGER *tmpser;
- ASN1_TIME *tmptm;
CA_DB *db = NULL;
DB_ATTR db_attr;
STACK_OF(CONF_VALUE) *attribs = NULL;
@@ -291,6 +295,7 @@ int ca_main(int argc, char **argv)
int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
+ char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
@@ -425,6 +430,12 @@ opthelp:
case OPT_MSIE_HACK:
msie_hack = 1;
break;
+ case OPT_CRL_LASTUPDATE:
+ crl_lastupdate = opt_arg();
+ break;
+ case OPT_CRL_NEXTUPDATE:
+ crl_nextupdate = opt_arg();
+ break;
case OPT_CRLDAYS:
crldays = atol(opt_arg());
break;
@@ -1146,7 +1157,8 @@ end_of_options:
crlhours = 0;
ERR_clear_error();
}
- if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
+ if ((crl_nextupdate == NULL) &&
+ (crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
BIO_printf(bio_err,
"cannot lookup how long until the next CRL is issued\n");
goto end;
@@ -1159,19 +1171,18 @@ end_of_options:
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
goto end;
- tmptm = ASN1_TIME_new();
- if (tmptm == NULL
- || X509_gmtime_adj(tmptm, 0) == NULL
- || !X509_CRL_set1_lastUpdate(crl, tmptm)
- || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
- NULL) == NULL) {
- BIO_puts(bio_err, "error setting CRL nextUpdate\n");
- ASN1_TIME_free(tmptm);
+ if (!set_crl_lastupdate(crl, crl_lastupdate)) {
+ BIO_puts(bio_err, "error setting CRL lastUpdate\n");
+ ret = 1;
goto end;
}
- X509_CRL_set1_nextUpdate(crl, tmptm);
- ASN1_TIME_free(tmptm);
+ if (!set_crl_nextupdate(crl, crl_nextupdate,
+ crldays, crlhours, crlsec)) {
+ BIO_puts(bio_err, "error setting CRL nextUpdate\n");
+ ret = 1;
+ goto end;
+ }
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 8d1eb7c280..8a6f2b046c 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -75,6 +75,9 @@ int has_stdin_waiting(void);
void corrupt_signature(const ASN1_STRING *signature);
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
int days);
+int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
+int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
+ long days, long hours, long secs);
typedef struct args_st {
int size;
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index d3f3f6d2b6..f2c384494f 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2704,6 +2704,57 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
return 1;
}
+int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate)
+{
+ int ret = 0;
+ ASN1_TIME *tm = ASN1_TIME_new();
+
+ if (tm == NULL)
+ goto end;
+
+ if (lastupdate == NULL) {
+ if (X509_gmtime_adj(tm, 0) == NULL)
+ goto end;
+ } else {
+ if (!ASN1_TIME_set_string_X509(tm, lastupdate))
+ goto end;
+ }
+
+ if (!X509_CRL_set1_lastUpdate(crl, tm))
+ goto end;
+
+ ret = 1;
+end:
+ ASN1_TIME_free(tm);
+ return ret;
+}
+
+int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
+ long days, long hours, long secs)
+{
+ int ret = 0;
+ ASN1_TIME *tm = ASN1_TIME_new();
+
+ if (tm == NULL)
+ goto end;
+
+ if (nextupdate == NULL) {
+ if (X509_time_adj_ex(tm, days, hours * 60 * 60 + secs, NULL) == NULL)
+ goto end;
+ } else {
+ if (!ASN1_TIME_set_string_X509(tm, nextupdate))
+ goto end;
+ }
+
+ if (!X509_CRL_set1_nextUpdate(crl, tm))
+ goto end;
+
+ ret = 1;
+end:
+ ASN1_TIME_free(tm);
+ return ret;
+}
+
void make_uppercase(char *string)
{
int i;
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index d196565422..0253b994a0 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -22,6 +22,8 @@ B<openssl> B<ca>
[B<-crl_hold> I<instruction>]
[B<-crl_compromise> I<time>]
[B<-crl_CA_compromise> I<time>]
+[B<-crl_lastupdate> I<date>]
+[B<-crl_nextupdate> I<date>]
[B<-crldays> I<days>]
[B<-crlhours> I<hours>]
[B<-crlsec> I<seconds>]
@@ -337,6 +339,20 @@ This option has been deprecated and has no effect.
This option generates a CRL based on information in the index file.
+=item B<-crl_lastupdate> I<time>
+
+Allows the value of the CRL's lastUpdate field to be explicitly set; if
+this option is not present, the current time is used. Accepts times in
+YYMMDDHHMMSSZ format (the same as an ASN1 UTCTime structure) or
+YYYYMMDDHHMMSSZ format (the same as an ASN1 GeneralizedTime structure).
+
+=item B<-crl_nextupdate> I<time>
+
+Allows the value of the CRL's nextUpdate field to be explicitly set; if
+this option is present, any values given for B<-crldays>, B<-crlhours>
+and B<-crlsec> are ignored. Accepts times in the same formats as
+B<-crl_lastupdate>.
+
=item B<-crldays> I<num>
The number of days before the next CRL is due. That is the days from
@@ -781,7 +797,9 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
Since OpenSSL 1.1.1, the program follows RFC5280. Specifically,
certificate validity period (specified by any of B<-startdate>,
-B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
+B<-enddate> and B<-days>) and CRL last/next update time (specified by
+any of B<-crl_lastupdate>, B<-crl_nextupdate>, B<-crldays>, B<-crlhours>
+and B<-crlsec>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t
index bbb0af7577..d32dcf312f 100644
--- a/test/recipes/80-test_ca.t
+++ b/test/recipes/80-test_ca.t
@@ -12,8 +12,9 @@ use warnings;
use POSIX;
use File::Path 2.00 qw/rmtree/;
-use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/;
+use OpenSSL::Test qw/:DEFAULT cmdstr data_file srctop_file/;
use OpenSSL::Test::Utils;
+use Time::Local qw/timegm/;
setup("test_ca");
@@ -26,7 +27,7 @@ my $std_openssl_cnf = '"'
rmtree("demoCA", { safe => 0 });
-plan tests => 6;
+plan tests => 15;
SKIP: {
$ENV{OPENSSL_CONFIG} = '-config ' . $cnf;
skip "failed creating CA structure", 4
@@ -71,6 +72,158 @@ SKIP: {
"Signing SM2 certificate request");
}
+test_revoke('notimes', {
+ should_succeed => 1,
+});
+test_revoke('lastupdate_invalid', {
+ lastupdate => '1234567890',
+ should_succeed => 0,
+});
+test_revoke('lastupdate_utctime', {
+ lastupdate => '200901123456Z',
+ should_succeed => 1,
+});
+test_revoke('lastupdate_generalizedtime', {
+ lastupdate => '20990901123456Z',
+ should_succeed => 1,
+});
+test_revoke('nextupdate_invalid', {
+ nextupdate => '1234567890',
+ should_succeed => 0,
+});
+test_revoke('nextupdate_utctime', {
+ nextupdate => '200901123456Z',
+ should_succeed => 1,
+});
+test_revoke('nextupdate_generalizedtime', {
+ nextupdate => '20990901123456Z',
+ should_succeed => 1,
+});
+test_revoke('both_utctime', {
+ lastupdate => '200901123456Z',
+ nextupdate => '200908123456Z',
+ should_succeed => 1,
+});
+test_revoke('both_generalizedtime', {
+ lastupdate => '20990901123456Z',
+ nextupdate => '20990908123456Z',
+ should_succeed => 1,
+});
+
+sub test_revoke {
+ my ($filename, $opts) = @_;
+
+ # Before Perl 5.12.0, the range of times Perl could represent was limited by
+ # the size of time_t, so Time::Local was hamstrung by the Y2038 problem -
+ # Perl 5.12.0 onwards use an internal time implementation with a guaranteed
+ # >32-bit time range on all architectures, so the tests involving post-2038
+ # times won't fail provided we're running under that version or newer
+ if ($] < 5.012000) {
+ plan skip_all => 'Perl >= 5.12.0 required to run certificate revocation tests';
+ }
+
+ subtest "Revoke certificate and generate CRL: $filename" => sub {
+ $ENV{CN2} = $filename;
+ ok(
+ run(app(['openssl',
+ 'req',
+ '-config', $cnf,
+ '-new',
+ '-key', data_file('revoked.key'),
+ '-out', "$filename-req.pem",
+ '-section', 'userreq',
+ ])),
+ 'Generate CSR'
+ );
+ delete $ENV{CN2};
+
+ ok(
+ run(app(['openssl',
+ 'ca',
+ '-batch',
+ '-config', $cnf,
+ '-in', "$filename-req.pem",
+ '-out', "$filename-cert.pem",
+ ])),
+ 'Sign CSR'
+ );
+
+ ok(
+ run(app(['openssl',
+ 'ca',
+ '-config', $cnf,
+ '-revoke', "$filename-cert.pem",
+ ])),
+ 'Revoke certificate'
+ );
+
+ my @gencrl_opts;
+
+ if (exists $opts->{lastupdate}) {
+ push @gencrl_opts, '-crl_lastupdate', $opts->{lastupdate};
+ }
+
+ if (exists $opts->{nextupdate}) {
+ push @gencrl_opts, '-crl_nextupdate', $opts->{nextupdate};
+ }
+
+ is(
+ run(app(['openssl',
+ 'ca',
+ '-config', $cnf,
+ '-gencrl',
+ '-out', "$filename-crl.pem",
+ '-crlsec', '60',
+ @gencrl_opts,
+ ])),
+ $opts->{should_succeed},
+ 'Generate CRL'
+ );
+ my $crl_gentime = time;
+
+ # The following tests only need to run if the CRL was supposed to be
+ # generated:
+ return unless $opts->{should_succeed};
+
+ my $crl_lastupdate = crl_field("$filename-crl.pem", 'lastUpdate');
+ if (exists $opts->{lastupdate}) {
+ is(
+ $crl_lastupdate,
+ rfc5280_time($opts->{lastupdate}),
+ 'CRL lastUpdate field has expected value'
+ );
+ } else {
+ diag("CRL lastUpdate: $crl_lastupdate");
+ diag("openssl run time: $crl_gentime");
+ ok(
+ # Is the CRL's lastUpdate time within a second of the time that
+ # `openssl ca -gencrl` was executed?
+ $crl_gentime - 1 <= $crl_lastupdate && $crl_lastupdate <= $crl_gentime + 1,
+ 'CRL lastUpdate field has (roughly) expected value'
+ );
+ }
+
+ my $crl_nextupdate = crl_field("$filename-crl.pem", 'nextUpdate');
+ if (exists $opts->{nextupdate}) {
+ is(
+ $crl_nextupdate,
+ rfc5280_time($opts->{nextupdate}),
+ 'CRL nextUpdate field has expected value'
+ );
+ } else {
+ diag("CRL nextUpdate: $crl_nextupdate");
+ diag("openssl run time: $crl_gentime");
+ ok(
+ # Is the CRL's lastUpdate time within a second of the time that
+ # `openssl ca -gencrl` was executed, taking into account the use
+ # of '-crlsec 60'?
+ $crl_gentime + 59 <= $crl_nextupdate && $crl_nextupdate <= $crl_gentime + 61,
+ 'CRL nextUpdate field has (roughly) expected value'
+ );
+ }
+ };
+}
+
sub yes {
my $cntr = 10;
open(PIPE, "|-", join(" ", at _));
@@ -80,3 +233,49 @@ sub yes {
return 0;
}
+# Get the value of the lastUpdate or nextUpdate field from a CRL
+sub crl_field {
+ my ($crl_path, $field_name) = @_;
+
+ my @out = run(
+ app(['openssl',
+ 'crl',
+ '-in', $crl_path,
+ '-noout',
+ '-' . lc($field_name),
+ ]),
+ capture => 1,
+ statusvar => \my $exit,
+ );
+ ok($exit, "CRL $field_name field retrieved");
+ diag("CRL $field_name: $out[0]");
+
+ $out[0] =~ s/^\Q$field_name\E=//;
+ $out[0] =~ s/\n?//;
+ my $time = human_time($out[0]);
+
+ return $time;
+}
+
+# Converts human-readable ASN1_TIME_print() output to Unix time
+sub human_time {
+ my ($human) = @_;
+
+ my ($mo, $d, $h, $m, $s, $y) = $human =~ /^([A-Za-z]{3})\s+(\d+) (\d{2}):(\d{2}):(\d{2}) (\d{4})/;
+
+ my %months = (
+ Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4, Jun => 5,
+ Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11,
+ );
+
+ return timegm($s, $m, $h, $d, $months{$mo}, $y);
+}
+
+# Converts an RFC 5280 timestamp to Unix time
+sub rfc5280_time {
+ my ($asn1) = @_;
+
+ my ($y, $mo, $d, $h, $m, $s) = $asn1 =~ /^(\d{2,4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
+
+ return timegm($s, $m, $h, $d, $mo - 1, $y);
+}
diff --git a/test/recipes/80-test_ca_data/revoked.key b/test/recipes/80-test_ca_data/revoked.key
new file mode 100644
index 0000000000..3ecc566018
--- /dev/null
+++ b/test/recipes/80-test_ca_data/revoked.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAvpWG+nFMaupRmFBLmaEsZhXzYPPh/2n7zkgBHf7hLDiw472P
+S0infjrGc+Orv+Habpb1/sPktKitvFY01JYldCfDENs1ECUcjkuBm/tCBHxvPeI4
+bA7kLo4qGG0wzWcqI2s3zwWfzLdZWH+6xAo/jKSty5icwPKPaWcPwU4zz/yFXrte
+z5Owz9n0UnmHsfhNFWhl1bcZCGN/XrE0rQWPWvDk4Y8l8lxcYZWwVi0xKwhleeWx
+O50+uVJLrF3EWGaFjYGzBCj0Py+skgFi1f2OC9oCDHrHbgkcrByyTNdUuCYzsl8U
+87H5PWJNQJlrtueJWJfW1E3qS2hS8zyosTWI2wIDAQABAoIBAAqWkhYt3zn9ZKUa
+qOiTHL1bMNdNFVw0TioKtA0vkOD9EU7FxEVBdxS7PTVJC8ywRotoVahex8EFsglJ
+nMvGv7PxVZQFKbCI70o0hbHdxrArHZ8Jh2rxdNnlSg9rWY+/0IaBOWuF+3fLI+qX
+xg+IJjmxGHq8MtFBaJhJgoWRy60dWNpbIDmp4Yk8E3MqtNCZQU+UMXesVpC3UZ2Z
+k7V+zJaC3clvQaE3vNRl7d2si94HyxHIhA0cdWBDc8+vwzrsUJhQYHZw3QH5yX4g
+3CDVe1wwljts2Jdz6YN1JaqHP1R6Cw8mihnkGEoF10mIM0YFm9pGQrFscVQFOuQQ
+WK0aiwECgYEA4qFjAdorYqnAPM6YnHyJtwheTKEbq5duF9JdSnpkV63usWB9a5B4
+d+QADhmaq6YNh2rjodNwn3oxCqlceV6PhE/sTWLkjXD8+r6wPiR06BFJszBt8BKi
+CjW1IjaMGAEpOa5f9vqhv0xgahpNBjWKfFIj4hHX6ha3N3RScwPep4ECgYEA10hH
+qKCbDiiErluUbCLveKxBx++ldxHoO64iLwbKadsHqhi5w+lIONp7P7B8MfNAHbgi
+NCKZ/Z9llyHUuNKjgFFFwEXXP5Vm1PyQeZRh5Mn7pG0qTNMbEanBRSi4pmkg3ha6
+MfsoroH6aaCIqojTHFxvP2GQUHe6iQTE5KXe/lsCgYAGd3Bpxx3hzNItaf+0x2Du
+lhCKwzYU6Vc82sXKsD9YuR/Mc+JgRVkKorjVrilZqH1OVeB056GZC1WG5lo7JFWY
+AufNNXssBgNR7Er/Gu8zB/tAX6tjZES3YdzvQvswXCge+zjFxVUELlu561IzUSfI
+cFeRxcyRY2CK9oi7u2qJAQKBgQCbwbfW0RxeCgK1A51G/5+y9y5AsapNk68qPrqM
+u6UHIWlSL8F3dPjD6Y7ybYXtvcjNt8NHZSF01jZyOg/mCMAyvppwmhc58aYMww7k
+Z+7L0Tc3p6PLIZGcHe2vU98Ex1r4VAky0DyGxZOfiH5Yo9XZ1ybF/JilH3reV4z8
+wOWtsQKBgBD7oJRC7V+DEiDN7/7SxfOBBDI66LGpOlsnuSFXM++G+Q9yhg4vvpW1
+pnNLQoMazqrub7Iemz2YVp/XBh8R07ISvSMDu0QMzSprxs254UYxpi1SfhUDf5Vt
+HPCAQTzvjohzWfPQVWy/GQxPWtttW8DHRYmcIel3O6XvlH4SYSj9
+-----END RSA PRIVATE KEY-----
More information about the openssl-commits
mailing list