[rt-commit] r147 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h redwax_openssl.c

rt-commit at redwax.eu rt-commit at redwax.eu
Tue Aug 22 17:39:44 CEST 2023


Author: minfrin at redwax.eu
Date: Tue Aug 22 17:39:44 2023
New Revision: 147

Log:
Add --filter-date to specify the date for verification
if not today. Add --filter-threshold to indicate days
before expiry we should treat as a warning. Add the
error, warning, and status fields to validity in
certificate metadata showing days to and from expiry.

Modified:
    redwax-tool/trunk/ChangeLog
    redwax-tool/trunk/redwax-tool.c
    redwax-tool/trunk/redwax-tool.h
    redwax-tool/trunk/redwax_openssl.c

Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog	(original)
+++ redwax-tool/trunk/ChangeLog	Tue Aug 22 17:39:44 2023
@@ -1,5 +1,12 @@
 
 Changes with v0.9.3
+
+ *) Add --filter-date to specify the date for verification
+    if not today. Add --filter-threshold to indicate days
+    before expiry we should treat as a warning. Add the
+    error, warning, and status fields to validity in
+    certificate metadata showing days to and from expiry.
+    [Graham Leggett]
 
  *) Add --order-out parameter to control the order of
     certificates, intermediates, roots and keys that are

Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c	(original)
+++ redwax-tool/trunk/redwax-tool.c	Tue Aug 22 17:39:44 2023
@@ -51,6 +51,7 @@
         APR_HOOK_LINK(initialise);
         APR_HOOK_LINK(set_verify_param);
         APR_HOOK_LINK(complete_verify_param);
+        APR_HOOK_LINK(set_verify_date);
         APR_HOOK_LINK(process_pem_in);
         APR_HOOK_LINK(complete_pkcs11_in);
         APR_HOOK_LINK(process_pkcs11_in);
@@ -92,6 +93,8 @@
         (redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
 APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, complete_verify_param,
         (redwax_tool_t * r, apr_hash_t *params), (r, params), OK, DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_date,
+        (redwax_tool_t * r, const char *arg), (r, arg), OK, DECLINED);
 APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pem_in,
         (redwax_tool_t * r, const char *arg, const char *secret), (r, arg, secret), DECLINED);
 APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, int, process_pkcs11_in,
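Review bot: The new hook is implemented here with return type `int` (`APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, set_verify_date,`) while the declaration this commit adds to redwax-tool.h uses `apr_status_t`. The neighbouring hooks in this file also use `int` and their header declarations are outside my view, so one of the two sides should be aligned with whatever the existing convention is. If the APR hook macros derive the rt_run_set_verify_date prototype from the declared type, the mismatch would otherwise surface only as a conflicting-types diagnostic.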
@@ -169,52 +172,54 @@
 #define REDWAX_TOOL_FILTER_HOSTNAME 262
 #define REDWAX_TOOL_FILTER_IP 263
 #define REDWAX_TOOL_FILTER_CURRENT 264
-#define REDWAX_TOOL_CERT_OUT 265
-#define REDWAX_TOOL_NO_CERT_OUT 266
-#define REDWAX_TOOL_CHAIN_OUT 267
-#define REDWAX_TOOL_NO_CHAIN_OUT 268
-#define REDWAX_TOOL_ROOT_OUT 269
-#define REDWAX_TOOL_NO_ROOT_OUT 270
-#define REDWAX_TOOL_TRUST_OUT 271
-#define REDWAX_TOOL_NO_TRUST_OUT 272
-#define REDWAX_TOOL_CRL_OUT 273
-#define REDWAX_TOOL_NO_CRL_OUT 274
-#define REDWAX_TOOL_PARAM_OUT 275
-#define REDWAX_TOOL_NO_PARAM_OUT 276
-#define REDWAX_TOOL_KEY_IN 277
-#define REDWAX_TOOL_NO_KEY_IN 278
-#define REDWAX_TOOL_KEY_OUT 279
-#define REDWAX_TOOL_NO_KEY_OUT 280
-#define REDWAX_TOOL_AUTO_OUT 281
-#define REDWAX_TOOL_NO_AUTO_OUT 282
-#define REDWAX_TOOL_FILTER_VERIFY_PARAM 283
-#define REDWAX_TOOL_SECRET_SUFFIX_IN 284
-#define REDWAX_TOOL_SECRET_SUFFIX_OUT 285
-#define REDWAX_TOOL_SECRET_TOKEN_IN 286
-#define REDWAX_TOOL_SECRET_TOKEN_OUT 287
-#define REDWAX_TOOL_LABEL_OUT 288
-#define REDWAX_TOOL_NSS_OUT 289
-#define REDWAX_TOOL_NSS_SLOT_OUT 290
-#define REDWAX_TOOL_DER_OUT 291
-#define REDWAX_TOOL_PEM_OUT 292
-#define REDWAX_TOOL_PKCS12_OUT 293
-#define REDWAX_TOOL_PKCS11_OUT 294
-#define REDWAX_TOOL_PKCS11_MODULE_OUT 295
-#define REDWAX_TOOL_METADATA_OUT 296
-#define REDWAX_TOOL_FORMAT_OUT 297
-#define REDWAX_TOOL_JWKS_OUT 298
-#define REDWAX_TOOL_TEXT_OUT 299
-#define REDWAX_TOOL_NO_TEXT_OUT 300
-#define REDWAX_TOOL_SSH_PRIVATE_OUT 301
-#define REDWAX_TOOL_SSH_PUBLIC_OUT 302
-#define REDWAX_TOOL_SMIMEA_OUT 303
-#define REDWAX_TOOL_SSHFP_OUT 304
-#define REDWAX_TOOL_TLSA_OUT 305
-#define REDWAX_TOOL_USER_IN 306
-#define REDWAX_TOOL_USER_OUT 307
-#define REDWAX_TOOL_GROUP_IN 308
-#define REDWAX_TOOL_GROUP_OUT 309
-#define REDWAX_TOOL_ORDER_OUT 310
+#define REDWAX_TOOL_FILTER_DATE 265
+#define REDWAX_TOOL_FILTER_THRESHOLD 266
+#define REDWAX_TOOL_CERT_OUT 267
+#define REDWAX_TOOL_NO_CERT_OUT 268
+#define REDWAX_TOOL_CHAIN_OUT 269
+#define REDWAX_TOOL_NO_CHAIN_OUT 270
+#define REDWAX_TOOL_ROOT_OUT 271
+#define REDWAX_TOOL_NO_ROOT_OUT 272
+#define REDWAX_TOOL_TRUST_OUT 273
+#define REDWAX_TOOL_NO_TRUST_OUT 274
+#define REDWAX_TOOL_CRL_OUT 275
+#define REDWAX_TOOL_NO_CRL_OUT 276
+#define REDWAX_TOOL_PARAM_OUT 277
+#define REDWAX_TOOL_NO_PARAM_OUT 278
+#define REDWAX_TOOL_KEY_IN 279
+#define REDWAX_TOOL_NO_KEY_IN 280
+#define REDWAX_TOOL_KEY_OUT 281
+#define REDWAX_TOOL_NO_KEY_OUT 282
+#define REDWAX_TOOL_AUTO_OUT 283
+#define REDWAX_TOOL_NO_AUTO_OUT 284
+#define REDWAX_TOOL_FILTER_VERIFY_PARAM 285
+#define REDWAX_TOOL_SECRET_SUFFIX_IN 286
+#define REDWAX_TOOL_SECRET_SUFFIX_OUT 287
+#define REDWAX_TOOL_SECRET_TOKEN_IN 288
+#define REDWAX_TOOL_SECRET_TOKEN_OUT 289
+#define REDWAX_TOOL_LABEL_OUT 290
+#define REDWAX_TOOL_NSS_OUT 291
+#define REDWAX_TOOL_NSS_SLOT_OUT 292
+#define REDWAX_TOOL_DER_OUT 293
+#define REDWAX_TOOL_PEM_OUT 294
+#define REDWAX_TOOL_PKCS12_OUT 295
+#define REDWAX_TOOL_PKCS11_OUT 296
+#define REDWAX_TOOL_PKCS11_MODULE_OUT 297
+#define REDWAX_TOOL_METADATA_OUT 298
+#define REDWAX_TOOL_FORMAT_OUT 299
+#define REDWAX_TOOL_JWKS_OUT 300
+#define REDWAX_TOOL_TEXT_OUT 301
+#define REDWAX_TOOL_NO_TEXT_OUT 302
+#define REDWAX_TOOL_SSH_PRIVATE_OUT 303
+#define REDWAX_TOOL_SSH_PUBLIC_OUT 304
+#define REDWAX_TOOL_SMIMEA_OUT 305
+#define REDWAX_TOOL_SSHFP_OUT 306
+#define REDWAX_TOOL_TLSA_OUT 307
+#define REDWAX_TOOL_USER_IN 308
+#define REDWAX_TOOL_USER_OUT 309
+#define REDWAX_TOOL_GROUP_IN 310
+#define REDWAX_TOOL_GROUP_OUT 311
+#define REDWAX_TOOL_ORDER_OUT 312
 
 #define REDWAX_EXIT_OK 0
 #define REDWAX_EXIT_INIT 1
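Review bot: Inserting REDWAX_TOOL_FILTER_DATE and REDWAX_TOOL_FILTER_THRESHOLD at 265 renumbers the 46 option codes that follow, turning a two-line addition into a 96-line diff and inviting a copy/paste slip. Appending the new codes after REDWAX_TOOL_ORDER_OUT, or turning the list into an `enum { REDWAX_TOOL_FILTER_HOSTNAME = 262, ... }` where only the first member carries a value, keeps future insertions local. The values appear to serve only as getopt long-option ids, so their order should not matter.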
@@ -253,6 +258,8 @@
     { "filter-current", REDWAX_TOOL_FILTER_CURRENT, 0, "  --filter-current\t\tMatch the top ranking leaf certificate, and\n\t\t\t\tignore all other leaf certificates. The top\n\t\t\t\tcertificate is valid, and has the longest time\n\t\t\t\tto expiry." },
     { "filter-verify-params", REDWAX_TOOL_FILTER_VERIFY_PARAM, 1,
         "  --filter-verify-params=name\tSpecify the name of the set of parameters used\n\t\t\t\tfor verification. If unspecified, set to\n\t\t\t\t'default'." },
+    { "filter-date", REDWAX_TOOL_FILTER_DATE, 1, "  --filter-date=date\t\tSet the date to be used for certificate\n\t\t\t\tverification. If unset, it will default to the\n\t\t\t\tcurrent time. Date format is generalized time\n\t\t\t\tsyntax as defined in RFC 4517 section 3.3.13." },
+    { "filter-threshold", REDWAX_TOOL_FILTER_THRESHOLD, 1, "  --filter-threshold=days\tSet the threshold in days below which an expiry\n\t\t\t\tbecomes a warning. If unset, defaults to no\n\t\t\t\twarning." },
     { "text-out", REDWAX_TOOL_TEXT_OUT, 0,
         "  --text-out\t\t\tInclude additional text in certificate PEM and\n\t\t\t\tmetadata output." },
     { "no-text-out", REDWAX_TOOL_NO_TEXT_OUT, 0,
@@ -278,9 +285,9 @@
     { "no-crl-out", REDWAX_TOOL_NO_CRL_OUT, 0,
         "  --no-crl-out\t\t\tExclude certificate revocation lists from the output." },
     { "parameter-out", REDWAX_TOOL_PARAM_OUT, 0,
-        "  --parameter-out\t\t\tInclude key parameters in the output." },
+        "  --parameter-out\t\tInclude key parameters in the output." },
     { "no-parameter-out", REDWAX_TOOL_NO_PARAM_OUT, 0,
-        "  --no-parameter-out\t\t\tExclude key parameters from the output." },
+        "  --no-parameter-out\t\tExclude key parameters from the output." },
     { "key-in", REDWAX_TOOL_KEY_IN, 0,
         "  --key-in\t\t\tRead private keys in the input. This will trigger a\n\t\t\t\tlogin attempt if needed." },
     { "no-key-in", REDWAX_TOOL_NO_KEY_IN, 0,
@@ -2169,6 +2176,24 @@
     return status;
 }
 
+static apr_status_t redwax_set_verify_date(redwax_tool_t *r, const char *arg)
+{
+    apr_status_t status = rt_run_set_verify_date(r, arg);
+
+    if (status) {
+        r->rc = REDWAX_EXIT_OPTIONS;
+    }
+
+    return status;
+}
+
+static apr_status_t redwax_set_threshold(redwax_tool_t *r, const char *arg)
+{
+    r->threshold = atoi(arg) * 86400;
+
+    return APR_SUCCESS;
+}
+
 static apr_status_t redwax_set_secret_suffix_in(redwax_tool_t *r, const char *arg)
 {
     if (arg && arg[0]) {
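Review bot: `r->threshold = atoi(arg) * 86400;` in redwax_set_threshold accepts any input: a non-numeric argument silently becomes a threshold of 0, a negative number disables the warning, and more than 24855 days overflows int (undefined behaviour) in the multiply. Because the function always returns APR_SUCCESS, the `if (redwax_set_threshold(r, optarg))` branch in the REDWAX_TOOL_FILTER_THRESHOLD case further down is dead. Parse with strtol(), reject anything that is not a non-negative integer in range, and set `r->rc` the way redwax_set_verify_date does just above; this needs `<errno.h>` and `<limits.h>`, which I cannot see from the hunk, and I have assumed redwax_print_error() is available to this file as it is to redwax_openssl.c.
```c
static apr_status_t redwax_set_threshold(redwax_tool_t *r, const char *arg)
{
    char *end = NULL;
    long days;

    errno = 0;
    days = strtol(arg, &end, 10);

    /* reject junk, negative values, and anything whose seconds would not fit an int */
    if (end == arg || *end != '\0' || errno == ERANGE
            || days < 0 || days > INT_MAX / 86400) {
        redwax_print_error(r, "Threshold is not a valid number of days: %s\n", arg);
        r->rc = REDWAX_EXIT_OPTIONS;
        return APR_EINVAL;
    }

    r->threshold = (int)days * 86400;

    return APR_SUCCESS;
}
```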
@@ -2468,6 +2493,18 @@
         }
         case REDWAX_TOOL_FILTER_VERIFY_PARAM: {
             if (redwax_set_verify_param(r, optarg)) {
+                return REDWAX_EXIT_OPTIONS;
+            }
+            break;
+        }
+        case REDWAX_TOOL_FILTER_DATE: {
+            if (redwax_set_verify_date(r, optarg)) {
+                return REDWAX_EXIT_OPTIONS;
+            }
+            break;
+        }
+        case REDWAX_TOOL_FILTER_THRESHOLD: {
+            if (redwax_set_threshold(r, optarg)) {
                 return REDWAX_EXIT_OPTIONS;
             }
             break;

Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h	(original)
+++ redwax-tool/trunk/redwax-tool.h	Tue Aug 22 17:39:44 2023
@@ -89,6 +89,7 @@
     apr_hash_t *duplicates_index;
     apr_hash_t *cert_relationships;
     const char *verify_param;
+    const char *verify_date;
     const char *secret_suffix_in;
     const char *secret_suffix_out;
     const char *secret_token_in;
@@ -115,6 +116,7 @@
     int key_in;
     int key_out;
     int auto_out;
+    int threshold;
     int quiet;
     int debug;
     int complete;
@@ -602,6 +604,14 @@
         (redwax_tool_t *r, const char *arg));
 
 /**
+ * Hook to set the verification date.
+ *
+ * @param r The redwax-tool context.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, set_verify_date,
+        (redwax_tool_t *r, const char *arg));
+
+/**
  * Hook to search for intermediate and root certificates.
  *
  * @param r The redwax-tool context.
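Review bot: The Doxygen block for set_verify_date documents `@param r` but neither the `arg` parameter nor the return value, unlike a reader of the header would expect for a hook with an error path. Add ` * @param arg The verification date string, in UTCTime or GeneralizedTime form.` and ` * @return APR_SUCCESS, or an error status if the date could not be parsed.` under the existing `@param r` line.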

Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c	(original)
+++ redwax-tool/trunk/redwax_openssl.c	Tue Aug 22 17:39:44 2023
@@ -1384,6 +1384,19 @@
     return APR_SUCCESS;
 }
 
+static apr_status_t redwax_openssl_set_verify_date(redwax_tool_t *r, const char *arg)
+{
+    if (!ASN1_TIME_set_string(NULL, arg)) {
+        redwax_print_error(r,
+                "Verify date could not be parsed: %s\n", arg);
+        return APR_EINVAL;
+    }
+
+    r->verify_date = arg;
+
+    return APR_SUCCESS;
+}
+
 static apr_status_t redwax_openssl_complete_filter_search(redwax_tool_t *r,
         apr_hash_t *filters)
 {
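Review bot: `ASN1_TIME_set_string(NULL, arg)` relies on OpenSSL validating the string without storing it when the first argument is NULL, which is not obvious to a reader; a comment such as `/* a NULL ASN1_TIME makes ASN1_TIME_set_string() validate without storing */` above the call would help. That call accepts UTCTime as well as the GeneralizedTime syntax the --filter-date help text advertises, which is worth stating in the same comment. `r->verify_date = arg;` keeps a pointer to the caller's buffer rather than a copy, which is fine if arg is argv storage but a pool copy would be safer if it can come from anywhere else.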
@@ -1680,6 +1693,19 @@
 
              X509_STORE_CTX_set0_trusted_stack(ctx, trusted_index);
              X509_STORE_CTX_set0_crls(ctx, crl_index);
+
+             if (r->verify_date) {
+            	 time_t now_t;
+            	 struct tm now_tm;
+            	 ASN1_TIME *now = ASN1_TIME_new();
+
+            	 ASN1_TIME_set_string(now, r->verify_date);
+            	 ASN1_TIME_normalize(now);
+            	 ASN1_TIME_to_tm(now, &now_tm);
+            	 now_t = mktime(&now_tm);
+
+                 X509_STORE_CTX_set_time(ctx, 0, now_t);
+             }
 
              X509_STORE_CTX_set_verify_cb(ctx, &verify_cb);
 
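Review bot: `now_t = mktime(&now_tm);` interprets the struct tm filled by ASN1_TIME_to_tm() as local time, but ASN1_TIME_to_tm() produces UTC, so the time handed to X509_STORE_CTX_set_time() is shifted by the host's UTC offset unless TZ is UTC; the ASN1_TIME from ASN1_TIME_new() is also never freed and none of the four OpenSSL calls are checked. Measuring the distance from the UNIX epoch with ASN1_TIME_diff() stays in UTC, needs neither mktime() nor the non-portable timegm(), and yields a time_t directly. On failure the code should report rather than silently verify at the current time, but that depends on the error path of the enclosing loop, which starts and ends outside the hunk; since the date is fixed for the run it could also be converted once before the loop rather than per X509_STORE_CTX. The added lines mix tabs and spaces while the surrounding code uses spaces.
```c
             if (r->verify_date) {
                 int pday = 0, psec = 0;
                 ASN1_TIME *now = ASN1_TIME_new();
                 ASN1_TIME *epoch = ASN1_TIME_new();

                 /* ASN1_TIME_to_tm() yields UTC but mktime() reads local time;
                  * count seconds from the UNIX epoch in ASN1_TIME terms instead. */
                 if (now && epoch
                         && ASN1_TIME_set_string(now, r->verify_date)
                         && ASN1_TIME_set_string(epoch, "19700101000000Z")
                         && ASN1_TIME_diff(&pday, &psec, epoch, now)) {
                     X509_STORE_CTX_set_time(ctx, 0, (time_t)pday * 86400 + psec);
                 }
                 /* TODO(review): report failure here instead of verifying at the current time */
                 ASN1_TIME_free(now);
                 ASN1_TIME_free(epoch);
             }
```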
@@ -4379,7 +4405,8 @@
             const ASN1_BIT_STRING *sig;
 #endif
             ASN1_INTEGER *bs;
-            const ASN1_TIME *tm;
+            const ASN1_TIME *before, *after, *now = NULL;
+            const char *valid_status = NULL, *valid_warning = NULL, *valid_error = NULL;
             long l;
 
             redwax_metadata_push_object(m, "Data", 0);
@@ -4419,16 +4446,64 @@
             /* validity */
             redwax_metadata_push_object(m, "Validity", 0);
 
-            tm = X509_get0_notBefore(x);
-            if (tm) {
-
-                redwax_metadata_add_string(m, "NotBefore", redwax_openssl_time(m->pool, tm));
-            }
-
-            tm = X509_get0_notAfter(x);
-            if (tm) {
-
-                redwax_metadata_add_string(m, "NotAfter", redwax_openssl_time(m->pool, tm));
+            before = X509_get0_notBefore(x);
+            if (before) {
+
+                redwax_metadata_add_string(m, "NotBefore", redwax_openssl_time(m->pool, before));
+            }
+
+            after = X509_get0_notAfter(x);
+            if (after) {
+
+                redwax_metadata_add_string(m, "NotAfter", redwax_openssl_time(m->pool, after));
+            }
+
+            if (r->verify_date) {
+            	ASN1_TIME *now = ASN1_TIME_new();
+            	ASN1_TIME_set_string(now, r->verify_date);
+            	ASN1_TIME_normalize(now);
+            }
+
+            if (before) {
+            	 int pday, psec;
+
+                 ASN1_TIME_diff(&pday, &psec, before, now);
+
+                 if (pday < 0 || psec < 0) {
+                	 valid_error = apr_psprintf(m->pool, "Valid in %d day(s) %d second(s)", -pday, -psec);
+                 }
+                 else {
+                	 valid_status = apr_psprintf(m->pool, "Valid for %d day(s) %d second(s)", pday, psec);
+                 }
+            }
+
+            if (after && !valid_error) {
+            	 int pday, psec;
+
+                 ASN1_TIME_diff(&pday, &psec, now, after);
+
+                 if (pday < 0 || psec < 0) {
+                	 valid_error = apr_psprintf(m->pool, "Expired %d day(s) %d second(s) ago", -pday, -psec);
+                 }
+                 else if (pday * 86400 + psec < r->threshold) {
+                	 valid_warning = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
+                 }
+                 else {
+                	 valid_status = apr_psprintf(m->pool, "Expires in %d day(s) %d second(s)", pday, psec);
+                 }
+            }
+
+            if (valid_error) {
+
+                redwax_metadata_add_string(m, "Error", valid_error);
+            }
+            else if (valid_warning) {
+
+                redwax_metadata_add_string(m, "Warning", valid_warning);
+            }
+            else if (valid_status) {
+
+                redwax_metadata_add_string(m, "Status", valid_status);
             }
 
             redwax_metadata_pop_object(m);
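Review bot: `ASN1_TIME *now = ASN1_TIME_new();` inside the `if (r->verify_date)` block declares a new variable that shadows the `now` introduced as `const ASN1_TIME *before, *after, *now = NULL;` in the previous hunk, so the outer `now` stays NULL, ASN1_TIME_diff() falls back to the current time, and --filter-date has no effect on the Error/Warning/Status fields; the inner object is also leaked once per certificate. Split the earlier declaration into `const ASN1_TIME *before, *after;` and `ASN1_TIME *now = NULL;`, assign to it here without redeclaring, and free it after the two comparisons. Separately, `pday * 86400 + psec < r->threshold` is int arithmetic that overflows for certificates more than about 68 years from expiry; `else if ((apr_int64_t)pday * 86400 + psec < r->threshold) {` avoids the undefined behaviour. The ASN1_TIME_set_string()/ASN1_TIME_diff() results are unchecked, which is tolerable for a string validated at option time, but ASN1_TIME_new() can still fail. The enclosing function continues outside the hunk.
```c
            if (r->verify_date) {
                now = ASN1_TIME_new();
                if (!now || !ASN1_TIME_set_string(now, r->verify_date)
                        || !ASN1_TIME_normalize(now)) {
                    /* should not happen: the string was validated when the option was parsed */
                    ASN1_TIME_free(now);
                    now = NULL;
                }
            }

            /* … unchanged: NotBefore / NotAfter diff blocks and Error/Warning/Status output … */

            ASN1_TIME_free(now);
            now = NULL;
```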


