int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
{
/* Try UTC, if that fails, try GENERALIZED */
if (ASN1_UTCTIME_set_string(s, str))
return 1;
return ASN1_GENERALIZEDTIME_set_string(s, str);
}
static int
get_times(glite_renewal_core_context ctx, char *proxy_file,
time_t *not_after_x509, time_t *not_after_voms)
{
X509 *cert = NULL;
STACK_OF(X509) *chain = NULL;
int ret, i;
time_t now, end_time, end_time_x509;
struct vomsdata *voms_data = NULL;
struct voms **voms_cert = NULL;
ASN1_UTCTIME *t;
char *s, *c;
ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL);
if (ret)
return ret;
ret = get_voms_cert(ctx, cert, chain, &voms_data);
if (ret)
goto end;
end_time = 0;
if (voms_data != NULL) {
for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) {
t = ASN1_UTCTIME_new();
if (t == NULL) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed");
ret = 1;
goto end;
}
/* date2 contains a GENERALIZEDTIME format (YYYYMMDDHHSS[.fff]Z)
* value, which must be converted to the UTC (YYMMDDHHSSZ) format */
s = strdup((*voms_cert)->date2 + 2);
if (s == NULL) {
glite_renewal_core_set_err(ctx, "Not enough memory");
ret = ENOMEM;
goto end;
}
c = strchr(s, '.');
if (c) {
*c++ = 'Z';
*c = '\0';
}
ret = ASN1_UTCTIME_set_string(t, s);
if (ret == 0) {
glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n");
ret = 1;
free(s);
goto end;
}
if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0)
globus_gsi_cert_utils_make_time(t, &end_time);
ASN1_UTCTIME_free(t);
free(s);
}
}
globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509);
now = time(NULL);
if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
/* Myproxy seems not to do check on expiration and return expired proxies
if credentials in repository are expired */
for (i = 0; i < sk_X509_num(chain); i++) {
t = X509_get_notAfter(sk_X509_value(chain, i));
if (ASN1_UTCTIME_cmp_time_t(t, now - RENEWAL_CLOCK_SKEW) < 0) {
glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file);
ret = EDG_WLPR_PROXY_EXPIRED;
goto end;
}
}
*not_after_voms = end_time;
*not_after_x509 = end_time_x509;
ret = 0;
end:
if (voms_data)
VOMS_Destroy(voms_data);
if (chain)
sk_X509_pop_free(chain, X509_free);
if (cert)
X509_free(cert);
return ret;
}
int file_select(const struct dirent *entry) {
cert = X509_new();
certsubject = X509_NAME_new();
int i = 0;
char buf[80] = "";
/* check for "." and ".." directory entries */
if(entry->d_name[0]=='.') return 0;
/* Check for <id>.pem file name extensions */
if(strstr(entry->d_name, ".pem") == NULL) return 0;
/* generate the full file name and path to open it */
snprintf(certfilestr, sizeof(certfilestr), "%s/%s",
CACERTSTORE, entry->d_name);
/* if we cannot open the file, we move on to the next */
if ((certfile = fopen(certfilestr, "r")) == NULL) return 0;
/* now we load the certificate data */
if (! (cert = PEM_read_X509(certfile,NULL,NULL,NULL))) return 0;
/* if search type is dn, check if dn field contains the search value */
if (strcmp(search, "dn") == 0) {
/* get the subject information to compare the entries in it */
if (! (certsubject = X509_get_subject_name(cert))) return 0;
/* now we cycle through all entries of the subject */
for (i = 0; i < X509_NAME_entry_count(certsubject); i++) {
e = X509_NAME_get_entry(certsubject, i);
OBJ_obj2txt(buf, 80, X509_NAME_ENTRY_get_object(e), 0);
/* when the search file matches the cert subject field */
/* check if the field value is equal the search value */
if(strstr(buf, field) != NULL)
if(strstr( (char *) X509_NAME_ENTRY_get_data(e), dnvalue) != NULL) return 1;
}
}
/* if search type is exp, check expiration date is between start and end date */
if (strcmp(search, "exp") == 0) {
/* get the certificates expiration date */
expiration_date = X509_get_notAfter(cert);
/* copy the certificate expiration date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, expiration_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
//int_error(membio_buf); /* debug correct time parsing */
/* parse the expiration date string into a time struct */
memset (&expiration_tm, '\0', sizeof(expiration_tm));
strptime(membio_buf, "%h %d %T %Y %z", &expiration_tm);
// int_error(asctime(&expiration_tm)); /* debug correct time parsing */
/* parse the CGI start date string into the start_tm struct */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(exp_startstr, "%d.%m.%Y %R", &start_tm);
// int_error(asctime(&start_tm)); /* debug correct time parsing */
/* parse the CGI end date string into the end_tm struct */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(exp_endstr, "%d.%m.%Y %R", &end_tm);
// int_error(asctime(&end_tm)); /* debug correct time parsing */
/* check if expiration date >= start date and <= end date */
if ( difftime(mktime(&start_tm), mktime(&expiration_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&expiration_tm)) >= 0 ) return 1;
}
/* if search type is ena, check enable date is between start and end date */
if (strcmp(search, "ena") == 0) {
/* get the certificates enable date */
start_date = X509_get_notBefore(cert);
/* copy the certificate expiration date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, start_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
/* parse the expiration date string into a time struct */
memset (&enable_tm, '\0', sizeof(enable_tm));
strptime(membio_buf, "%h %d %T %Y %z", &enable_tm);
// int_error(asctime(&enable_tm)); /* debug correct time parsing */
/* parse the CGI start date string into the start_tm struct */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(ena_startstr, "%d.%m.%Y %R", &start_tm);
// int_error(asctime(&start_tm)); /* debug correct time parsing */
/* parse the CGI end date string into the end_tm struct */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(ena_endstr, "%d.%m.%Y %R", &end_tm);
// int_error(asctime(&end_tm)); /* debug correct time parsing */
/* check if expiration date >= start date and <= end date */
if ( difftime(mktime(&start_tm), mktime(&enable_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&enable_tm)) >= 0 ) return 1;
}
/* if search type is rev, check if cert was revoked between start and end date */
if (strcmp(search, "rev") == 0) {
/* ---------------------------------------------------------- *
* Parse the CGI start date string into the start_tm struct *
* ---------------------------------------------------------- */
memset (&start_tm, '\0', sizeof(start_tm));
strptime(rev_startstr, "%d.%m.%Y %R", &start_tm);
/* ---------------------------------------------------------- *
* Parse the CGI end date string into the end_tm struct *
* ---------------------------------------------------------- */
memset (&end_tm, '\0', sizeof(end_tm));
strptime(rev_endstr, "%d.%m.%Y %R", &end_tm);
/* ---------------------------------------------------------- *
* Get all revoked certificates from revocation DB index.txt *
* ---------------------------------------------------------- */
CA_DB *db = NULL;
DB_ATTR db_attr;
if((db = load_index(INDEXFILE, &db_attr)) == NULL)
int_error("Error cannot load CRL certificate database file");
/* ---------------------------------------------------------- *
* Get the certs serial number, convert it into a hex string *
* -----------------------------------------------------------*/
BIGNUM *bn = NULL;
bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL);
if (!bn)
int_error("Cannot extract serial number from cert into BIGNUM");
char *serialstr = BN_bn2hex(bn);
/* ---------------------------------------------------------- *
* Check if the cert is revoked, looking up its serial in DB *
* -----------------------------------------------------------*/
char *const *pp;
int i;
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
if ( (strcmp(pp[DB_serial], serialstr) == 0)
&& (pp[DB_type][0] == DB_TYPE_REV) ) {
/* ---------------------------------------------------------- *
* Revoked, get the certs revocation date from the database *
* -----------------------------------------------------------*/
char *p = strchr(pp[DB_rev_date], ',');
if (p) *p = '\0'; // if revocation reason is given, terminate before
char *revokedstr = BUF_strdup(pp[DB_rev_date]);
revocation_date = ASN1_UTCTIME_new();
ASN1_UTCTIME_set_string(revocation_date, revokedstr);
//int_error(revokedstr); /* debug correct time parsing */
/* copy the certificate revocation date into a string */
membio = BIO_new(BIO_s_mem());
ASN1_TIME_print(membio, revocation_date);
BIO_gets(membio, membio_buf, sizeof(membio_buf));
BIO_free(membio);
//int_error(membio_buf);
/* parse the revocation date string into a time struct */
memset (&revoked_tm, '\0', sizeof(revoked_tm));
strptime(membio_buf, "%h %d %T %Y %z", &revoked_tm);
//int_error(asctime(&revoked_tm)); /* debug correct time parsing */
/* ---------------------------------------------------------- *
* Check if revocation date >= start date and <= end date *
* -----------------------------------------------------------*/
if ( difftime(mktime(&start_tm), mktime(&revoked_tm)) <=0 &&
difftime(mktime(&end_tm), mktime(&revoked_tm)) >= 0 ) return 1;
}
}
BN_free(bn);
}
/* if search type is ser, check if serial is between start and end serial */
if (strcmp(search, "ser") == 0) {
/* convert the serial strings to BIGNUM */
BN_dec2bn(&startserialbn, startserstr);
BN_dec2bn(&endserialbn, endserstr);
/* get the certificates serial number and convert it to BIGNUM */
if ((certserial = X509_get_serialNumber(cert)) == NULL)
int_error("Error: Getting certificate serial number in ASN1 format.");
if ((certserialbn = ASN1_INTEGER_to_BN(certserial, NULL)) == NULL)
int_error("Error: converting certserial number from ASN1 to BIGNUM.");
/* debugging output to see values of BIGNUM */
//membio = BIO_new(BIO_s_mem());
//BN_print(membio, endserialbn);
//BIO_gets(membio, membio_buf, sizeof(membio_buf));
//BIO_free(membio);
//int_error(membio_buf);
/* check if certserial >= startserial and <= endserial */
if ( BN_cmp(startserialbn, certserialbn) <= 0 &&
BN_cmp(endserialbn, certserialbn) >= 0 ) return 1;
}
return 0;
}
inline void utctime::set_time(const std::string& str) const
{
throw_error_if_not(ASN1_UTCTIME_set_string(ptr().get(), str.c_str()) != 0);
}
