[rt-commit] r147 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h redwax_openssl.c
Author: minfrin at redwax.eu
Date: Tue Aug 22 17:39:44 2023
New Revision: 147
Log:
Add --filter-date to specify the date for verification
if not today. Add --filter-threshold to indicate days
before expiry we should treat as a warning. Add the
error, warning, and status fields to validity in
certificate metadata showing days to and from expiry.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax_openssl.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Tue Aug 22 17:39:44 2023
@@ -1,5 +1,12 @@
Changes with v0.9.3
+
+ *) Add --filter-date to specify the date for verification
+ if not today. Add --filter-threshold to indicate days
+ before expiry we should treat as a warning. Add the
+ error, warning, and status fields to validity in
+ certificate metadata showing days to and from expiry.
+ [Graham Leggett]
*) Add --order-out parameter to control the order of
certificates, intermediates, roots and keys that are
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Tue Aug 22 17:39:44 2023
@@ -51,6 +51,7 @@
APR_HOOK_LINK(initialise);
APR_HOOK_LINK(set_verify_param);
APR_HOOK_LINK(complete_verify_param);
+ APR_HOOK_LINK(set_verify_date);
APR_HOOK_LINK(process_pem_in);
APR_HOOK_LINK(complete_pkcs11_in);
APR_HOOK_LINK(process_pkcs11_in);
@@ -92,6 +93,8 @@
(redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_verify_param,
(redwax_tool_t * r, apr_hash_t *params), (r, params), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_date,
+ (redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pem_in,
(redwax_tool_t * r, const char *arg, const char *secret), (r, arg, secret), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pkcs11_in,
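Review bot: The new hook is implemented here with an `int` return type (`APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_date, …`) while the header declares it with `apr_status_t`. Since apr_status_t is a typedef of int this compiles, but the two declarations should agree; `apr_status_t` is what redwax_openssl_set_verify_date actually returns, so using it in both places would be the consistent choice. If the neighbouring hooks such as set_verify_param already mix the two, this is a pre-existing inconsistency rather than one introduced by this commit.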
@@ -169,52 +172,54 @@
#define REDWAX_TOOL_FILTER_HOSTNAME 262
#define REDWAX_TOOL_FILTER_IP 263
#define REDWAX_TOOL_FILTER_CURRENT 264
-#define REDWAX_TOOL_CERT_OUT 265
-#define REDWAX_TOOL_NO_CERT_OUT 266
-#define REDWAX_TOOL_CHAIN_OUT 267
-#define REDWAX_TOOL_NO_CHAIN_OUT 268
-#define REDWAX_TOOL_ROOT_OUT 269
-#define REDWAX_TOOL_NO_ROOT_OUT 270
-#define REDWAX_TOOL_TRUST_OUT 271
-#define REDWAX_TOOL_NO_TRUST_OUT 272
-#define REDWAX_TOOL_CRL_OUT 273
-#define REDWAX_TOOL_NO_CRL_OUT 274
-#define REDWAX_TOOL_PARAM_OUT 275
-#define REDWAX_TOOL_NO_PARAM_OUT 276
-#define REDWAX_TOOL_KEY_IN 277
-#define REDWAX_TOOL_NO_KEY_IN 278
-#define REDWAX_TOOL_KEY_OUT 279
-#define REDWAX_TOOL_NO_KEY_OUT 280
-#define REDWAX_TOOL_AUTO_OUT 281
-#define REDWAX_TOOL_NO_AUTO_OUT 282
-#define REDWAX_TOOL_FILTER_VERIFY_PARAM 283
-#define REDWAX_TOOL_SECRET_SUFFIX_IN 284
-#define REDWAX_TOOL_SECRET_SUFFIX_OUT 285
-#define REDWAX_TOOL_SECRET_TOKEN_IN 286
-#define REDWAX_TOOL_SECRET_TOKEN_OUT 287
-#define REDWAX_TOOL_LABEL_OUT 288
-#define REDWAX_TOOL_NSS_OUT 289
-#define REDWAX_TOOL_NSS_SLOT_OUT 290
-#define REDWAX_TOOL_DER_OUT 291
-#define REDWAX_TOOL_PEM_OUT 292
-#define REDWAX_TOOL_PKCS12_OUT 293
-#define REDWAX_TOOL_PKCS11_OUT 294
-#define REDWAX_TOOL_PKCS11_MODULE_OUT 295
-#define REDWAX_TOOL_METADATA_OUT 296
-#define REDWAX_TOOL_FORMAT_OUT 297
-#define REDWAX_TOOL_JWKS_OUT 298
-#define REDWAX_TOOL_TEXT_OUT 299
-#define REDWAX_TOOL_NO_TEXT_OUT 300
-#define REDWAX_TOOL_SSH_PRIVATE_OUT 301
-#define REDWAX_TOOL_SSH_PUBLIC_OUT 302
-#define REDWAX_TOOL_SMIMEA_OUT 303
-#define REDWAX_TOOL_SSHFP_OUT 304
-#define REDWAX_TOOL_TLSA_OUT 305
-#define REDWAX_TOOL_USER_IN 306
-#define REDWAX_TOOL_USER_OUT 307
-#define REDWAX_TOOL_GROUP_IN 308
-#define REDWAX_TOOL_GROUP_OUT 309
-#define REDWAX_TOOL_ORDER_OUT 310
+#define REDWAX_TOOL_FILTER_DATE 265
+#define REDWAX_TOOL_FILTER_THRESHOLD 266
+#define REDWAX_TOOL_CERT_OUT 267
+#define REDWAX_TOOL_NO_CERT_OUT 268
+#define REDWAX_TOOL_CHAIN_OUT 269
+#define REDWAX_TOOL_NO_CHAIN_OUT 270
+#define REDWAX_TOOL_ROOT_OUT 271
+#define REDWAX_TOOL_NO_ROOT_OUT 272
+#define REDWAX_TOOL_TRUST_OUT 273
+#define REDWAX_TOOL_NO_TRUST_OUT 274
+#define REDWAX_TOOL_CRL_OUT 275
+#define REDWAX_TOOL_NO_CRL_OUT 276
+#define REDWAX_TOOL_PARAM_OUT 277
+#define REDWAX_TOOL_NO_PARAM_OUT 278
+#define REDWAX_TOOL_KEY_IN 279
+#define REDWAX_TOOL_NO_KEY_IN 280
+#define REDWAX_TOOL_KEY_OUT 281
+#define REDWAX_TOOL_NO_KEY_OUT 282
+#define REDWAX_TOOL_AUTO_OUT 283
+#define REDWAX_TOOL_NO_AUTO_OUT 284
+#define REDWAX_TOOL_FILTER_VERIFY_PARAM 285
+#define REDWAX_TOOL_SECRET_SUFFIX_IN 286
+#define REDWAX_TOOL_SECRET_SUFFIX_OUT 287
+#define REDWAX_TOOL_SECRET_TOKEN_IN 288
+#define REDWAX_TOOL_SECRET_TOKEN_OUT 289
+#define REDWAX_TOOL_LABEL_OUT 290
+#define REDWAX_TOOL_NSS_OUT 291
+#define REDWAX_TOOL_NSS_SLOT_OUT 292
+#define REDWAX_TOOL_DER_OUT 293
+#define REDWAX_TOOL_PEM_OUT 294
+#define REDWAX_TOOL_PKCS12_OUT 295
+#define REDWAX_TOOL_PKCS11_OUT 296
+#define REDWAX_TOOL_PKCS11_MODULE_OUT 297
+#define REDWAX_TOOL_METADATA_OUT 298
+#define REDWAX_TOOL_FORMAT_OUT 299
+#define REDWAX_TOOL_JWKS_OUT 300
+#define REDWAX_TOOL_TEXT_OUT 301
+#define REDWAX_TOOL_NO_TEXT_OUT 302
+#define REDWAX_TOOL_SSH_PRIVATE_OUT 303
+#define REDWAX_TOOL_SSH_PUBLIC_OUT 304
+#define REDWAX_TOOL_SMIMEA_OUT 305
+#define REDWAX_TOOL_SSHFP_OUT 306
+#define REDWAX_TOOL_TLSA_OUT 307
+#define REDWAX_TOOL_USER_IN 308
+#define REDWAX_TOOL_USER_OUT 309
+#define REDWAX_TOOL_GROUP_IN 310
+#define REDWAX_TOOL_GROUP_OUT 311
+#define REDWAX_TOOL_ORDER_OUT 312
#define REDWAX_EXIT_OK 0
#define REDWAX_EXIT_INIT 1
@@ -253,6 +258,8 @@
{ "filter-current", REDWAX_TOOL_FILTER_CURRENT, 0, " --filter-current\t\tMatch the top ranking leaf certificate, and\n\t\t\t\tignore all other leaf certificates. The top\n\t\t\t\tcertificate is valid, and has the longest time\n\t\t\t\tto expiry." },
{ "filter-verify-params", REDWAX_TOOL_FILTER_VERIFY_PARAM, 1,
" --filter-verify-params=name\tSpecify the name of the set of parameters used\n\t\t\t\tfor verification. If unspecified, set to\n\t\t\t\t'default'." },
+ { "filter-date", REDWAX_TOOL_FILTER_DATE, 1, " --filter-date=date\t\tSet the date to be used for certificate\n\t\t\t\tverification. If unset, it will default to the\n\t\t\t\tcurrent time. Date format is generalized time\n\t\t\t\tsyntax as defined in RFC 4517 section 3.3.13." },
+ { "filter-threshold", REDWAX_TOOL_FILTER_THRESHOLD, 1, " --filter-threshold=days\tSet the threshold in days below which an expiry\n\t\t\t\tbecomes a warning. If unset, defaults to no\n\t\t\t\twarning." },
{ "text-out", REDWAX_TOOL_TEXT_OUT, 0,
" --text-out\t\t\tInclude additional text in certificate PEM and\n\t\t\t\tmetadata output." },
{ "no-text-out", REDWAX_TOOL_NO_TEXT_OUT, 0,
@@ -278,9 +285,9 @@
{ "no-crl-out", REDWAX_TOOL_NO_CRL_OUT, 0,
" --no-crl-out\t\t\tExclude certificate revocation lists from the output." },
{ "parameter-out", REDWAX_TOOL_PARAM_OUT, 0,
- " --parameter-out\t\t\tInclude key parameters in the output." },
+ " --parameter-out\t\tInclude key parameters in the output." },
{ "no-parameter-out", REDWAX_TOOL_NO_PARAM_OUT, 0,
- " --no-parameter-out\t\t\tExclude key parameters from the output." },
+ " --no-parameter-out\t\tExclude key parameters from the output." },
{ "key-in", REDWAX_TOOL_KEY_IN, 0,
" --key-in\t\t\tRead private keys in the input. This will trigger a\n\t\t\t\tlogin attempt if needed." },
{ "no-key-in", REDWAX_TOOL_NO_KEY_IN, 0,
@@ -2169,6 +2176,24 @@
return status;
}
+static apr_status_t redwax_set_verify_date(redwax_tool_t *r, const char *arg)
+{
+ apr_status_t status = rt_run_set_verify_date(r, arg);
+
+ if (status) {
+ r->rc = REDWAX_EXIT_OPTIONS;
+ }
+
+ return status;
+}
+
+static apr_status_t redwax_set_threshold(redwax_tool_t *r, const char *arg)
+{
+ r->threshold = atoi(arg) * 86400;
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_set_secret_suffix_in(redwax_tool_t *r, const char *arg)
{
if (arg && arg[0]) {
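Review bot: redwax_set_threshold accepts the option value without any validation: `atoi(arg)` silently yields 0 for non-numeric input, negative day counts are accepted, and `atoi(arg) * 86400` is a signed overflow (undefined behaviour) once the value exceeds INT_MAX / 86400 (about 24855 days), so a typo in --filter-threshold cannot be distinguished from "no warning". The function also always returns APR_SUCCESS, which makes the `return REDWAX_EXIT_OPTIONS` branch in the option switch below unreachable. Parse with strtol, reject anything that is not a non-negative in-range integer, and report it the way redwax_set_verify_date does by setting `r->rc = REDWAX_EXIT_OPTIONS`; this needs `<errno.h>` and `<limits.h>` in scope, and assumes redwax_print_error is declared in redwax-tool.h as it is called from redwax_openssl.c.
```c
static apr_status_t redwax_set_threshold(redwax_tool_t *r, const char *arg)
{
    char *end = NULL;
    long days;

    errno = 0;
    days = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE
            || days < 0 || days > INT_MAX / 86400) {
        redwax_print_error(r,
                "Threshold must be a whole number of days between 0 and %d: %s\n",
                INT_MAX / 86400, arg);
        r->rc = REDWAX_EXIT_OPTIONS;
        return APR_EINVAL;
    }

    /* stored in seconds; compared against (days * 86400 + seconds) to expiry */
    r->threshold = (int)days * 86400;

    return APR_SUCCESS;
}
```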
@@ -2468,6 +2493,18 @@
}
case REDWAX_TOOL_FILTER_VERIFY_PARAM: {
if (redwax_set_verify_param(r, optarg)) {
+ return REDWAX_EXIT_OPTIONS;
+ }
+ break;
+ }
+ case REDWAX_TOOL_FILTER_DATE: {
+ if (redwax_set_verify_date(r, optarg)) {
+ return REDWAX_EXIT_OPTIONS;
+ }
+ break;
+ }
+ case REDWAX_TOOL_FILTER_THRESHOLD: {
+ if (redwax_set_threshold(r, optarg)) {
return REDWAX_EXIT_OPTIONS;
}
break;
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Tue Aug 22 17:39:44 2023
@@ -89,6 +89,7 @@
apr_hash_t *duplicates_index;
apr_hash_t *cert_relationships;
const char *verify_param;
+ const char *verify_date;
const char *secret_suffix_in;
const char *secret_suffix_out;
const char *secret_token_in;
@@ -115,6 +116,7 @@
int key_in;
int key_out;
int auto_out;
+ int threshold;
int quiet;
int debug;
int complete;
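Review bot: The new `int threshold;` field carries no unit, and the two sides that use it disagree in spirit: the option is documented in days, but redwax_set_threshold stores `atoi(arg) * 86400` and redwax_openssl compares it against `pday * 86400 + psec`, i.e. seconds. A one-line comment on the field would stop the next caller from storing days here, e.g. `int threshold; /* --filter-threshold, in seconds (days * 86400); 0 disables the warning */`. The "0 disables" part follows from the strict `<` comparison in the metadata code and matches the "defaults to no warning" wording in the help text.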
@@ -602,6 +604,14 @@
(redwax_tool_t *r, const char *arg));
/**
+ * Hook to set the verification date.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, set_verify_date,
+ (redwax_tool_t *r, const char *arg));
+
+/**
* Hook to search for intermediate and root certificates.
*
* @param r The redwax-tool context.
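Review bot: The Doxygen block for the new set_verify_date hook documents `r` but not `arg`, and gives no return semantics, although both matter to implementers. From the OpenSSL implementation in this commit the contract is that `arg` is an ASN.1 UTCTime/GeneralizedTime string, that the pointer is stored in `r->verify_date` without being copied, and that parse failure is reported as APR_EINVAL; suggest adding `@param arg The verification date as an ASN.1 time string; stored by reference in r->verify_date, so it must outlive r.` and `@return APR_SUCCESS, or APR_EINVAL if the date cannot be parsed.` The `@param arg` line is also missing from the set_verify_param block above, if that one is meant to follow the same template.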
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Tue Aug 22 17:39:44 2023
@@ -1384,6 +1384,19 @@
return APR_SUCCESS;
}
+static apr_status_t redwax_openssl_set_verify_date(redwax_tool_t *r, const char *arg)
+{
+ if (!ASN1_TIME_set_string(NULL, arg)) {
+ redwax_print_error(r,
+ "Verify date could not be parsed: %s\n", arg);
+ return APR_EINVAL;
+ }
+
+ r->verify_date = arg;
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_openssl_complete_filter_search(redwax_tool_t *r,
apr_hash_t *filters)
{
@@ -1680,6 +1693,19 @@
X509_STORE_CTX_set0_trusted_stack(ctx, trusted_index);
X509_STORE_CTX_set0_crls(ctx, crl_index);
+
+ if (r->verify_date) {
+ time_t now_t;
+ struct tm now_tm;
+ ASN1_TIME *now = ASN1_TIME_new();
+
+ ASN1_TIME_set_string(now, r->verify_date);
+ ASN1_TIME_normalize(now);
+ ASN1_TIME_to_tm(now, &now_tm);
+ now_t = mktime(&now_tm);
+
+ X509_STORE_CTX_set_time(ctx, 0, now_t);
+ }
X509_STORE_CTX_set_verify_cb(ctx, &verify_cb);
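Review bot: The conversion of r->verify_date to a time_t goes through `ASN1_TIME_to_tm(now, &now_tm)` followed by `mktime(&now_tm)`; ASN1_TIME_to_tm produces a UTC broken-down time, but mktime interprets its argument as local time, so the verification time handed to X509_STORE_CTX_set_time is off by the host's UTC offset (and DST state) unless the process runs with TZ=UTC. A certificate whose notBefore/notAfter lies within that window is then judged against the wrong instant. The three OpenSSL calls and ASN1_TIME_new() are also unchecked, and the ASN1_TIME is never freed. A portable fix that never leaves UTC is to take the difference from the epoch with ASN1_TIME_diff, which also gives a natural error path; the enclosing function starts and ends outside this hunk, so the failure branch below is left as a placeholder for whatever error convention that function uses.
```c
    if (r->verify_date) {
        int pday = 0, psec = 0;
        ASN1_TIME *epoch = ASN1_TIME_set(NULL, 0);   /* 1970-01-01T00:00:00Z */
        ASN1_TIME *now = ASN1_TIME_new();

        if (!epoch || !now
                || !ASN1_TIME_set_string(now, r->verify_date)
                || !ASN1_TIME_diff(&pday, &psec, epoch, now)) {
            ASN1_TIME_free(now);
            ASN1_TIME_free(epoch);
            /* … fail the verification here using this function's error convention … */
        }
        else {
            /* seconds since the epoch, computed entirely in UTC */
            X509_STORE_CTX_set_time(ctx, 0, (time_t)pday * 86400 + psec);
            ASN1_TIME_free(now);
            ASN1_TIME_free(epoch);
        }
    }
```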
@@ -4379,7 +4405,8 @@
const ASN1_BIT_STRING *sig;
#endif
ASN1_INTEGER *bs;
- const ASN1_TIME *tm;
+ const ASN1_TIME *before, *after, *now = NULL;
+ const char *valid_status = NULL, *valid_warning = NULL, *valid_error = NULL;
long l;
redwax_metadata_push_object(m, "Data", 0);
@@ -4419,16 +4446,64 @@
/* validity */
redwax_metadata_push_object(m, "Validity", 0);
- tm = X509_get0_notBefore(x);
- if (tm) {
-
- redwax_metadata_add_string(m, "NotBefore", redwax_openssl_time(m->pool, tm));
- }
-
- tm = X509_get0_notAfter(x);
- if (tm) {
-
- redwax_metadata_add_string(m, "NotAfter", redwax_openssl_time(m->pool, tm));
+ before = X509_get0_notBefore(x);
+ if (before) {
+
+ redwax_metadata_add_string(m, "NotBefore", redwax_openssl_time(m->pool, before));
+ }
+
+ after = X509_get0_notAfter(x);
+ if (after) {
+
+ redwax_metadata_add_string(m, "NotAfter", redwax_openssl_time(m->pool, after));
+ }
+
+ if (r->verify_date) {
+ ASN1_TIME *now = ASN1_TIME_new();
+ ASN1_TIME_set_string(now, r->verify_date);
+ ASN1_TIME_normalize(now);
+ }
+
+ if (before) {
+ int pday, psec;
+
+ ASN1_TIME_diff(&pday, &psec, before, now);
+
+ if (pday < 0 || psec < 0) {
+ valid_error = apr_psprintf(m->pool, "Valid in %d day(s) %d second(s)", -pday, -psec);
+ }
+ else {
+ valid_status = apr_psprintf(m->pool, "Valid for %d day(s) %d second(s)", pday, psec);
+ }
+ }
+
+ if (after && !valid_error) {
+ int pday, psec;
+
+ ASN1_TIME_diff(&pday, &psec, now, after);
+
+ if (pday < 0 || psec < 0) {
+ valid_error = apr_psprintf(m->pool, "Expired %d day(s) %d second(s) ago", -pday, -psec);
+ }
+ else if (pday * 86400 + psec < r->threshold) {
+ valid_warning = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
+ }
+ else {
+ valid_status = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
+ }
+ }
+
+ if (valid_error) {
+
+ redwax_metadata_add_string(m, "Error", valid_error);
+ }
+ else if (valid_warning) {
+
+ redwax_metadata_add_string(m, "Warning", valid_warning);
+ }
+ else if (valid_status) {
+
+ redwax_metadata_add_string(m, "Status", valid_status);
}
redwax_metadata_pop_object(m);
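Review bot: The `ASN1_TIME *now = ASN1_TIME_new();` inside `if (r->verify_date)` declares a new local that shadows the outer `now` declared as NULL in the hunk above, so the outer `now` stays NULL, both ASN1_TIME_diff calls fall back to the current time (that is what a NULL argument means to ASN1_TIME_diff), and the parsed date leaks; the effect is that --filter-date has no influence on the Status/Warning/Error fields this commit adds. Separately, `pday * 86400 + psec` is a signed int expression: a notAfter of 99991231235959Z, which RFC 5280 uses to mean "no well-defined expiry", gives pday in the millions, the multiplication overflows (undefined behaviour, in practice wrapping negative) and the certificate is reported as about to expire. The ASN1_TIME_diff results are also unchecked, so pday/psec are read uninitialised if the call fails. Assign the parsed time to the outer variable (declared as `ASN1_TIME *now = NULL;` in the hunk above, without const, so it can be freed), widen the threshold comparison, and check the diff results; the `now` is freed once after the validity block, which is a no-op when --filter-date is unset.
```c
    if (r->verify_date) {
        ASN1_TIME *verify_now = ASN1_TIME_new();
        if (verify_now && ASN1_TIME_set_string(verify_now, r->verify_date)) {
            ASN1_TIME_normalize(verify_now);
            now = verify_now;   /* the outer `now`; NULL means "current time" below */
        }
        else {
            ASN1_TIME_free(verify_now);
        }
    }

    if (before) {
        int pday = 0, psec = 0;

        if (ASN1_TIME_diff(&pday, &psec, before, now)) {
            /* … unchanged: "Valid in" / "Valid for" messages … */
        }
    }

    if (after && !valid_error) {
        int pday = 0, psec = 0;

        if (ASN1_TIME_diff(&pday, &psec, now, after)) {
            if (pday < 0 || psec < 0) {
                valid_error = apr_psprintf(m->pool, "Expired %d day(s) %d second(s) ago", -pday, -psec);
            }
            /* widen before multiplying: far-future notAfter values overflow int */
            else if ((long long)pday * 86400 + psec < r->threshold) {
                valid_warning = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
            }
            else {
                valid_status = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
            }
        }
    }

    /* … unchanged: Error / Warning / Status output … */

    ASN1_TIME_free(now);   /* NULL unless --filter-date was given */
```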