int ASN1_TIME_set_string(ASN1_TIME *s, const char *str) { /* Try UTC, if that fails, try GENERALIZED */ if (ASN1_UTCTIME_set_string(s, str)) return 1; return ASN1_GENERALIZEDTIME_set_string(s, str); }
static int get_times(glite_renewal_core_context ctx, char *proxy_file, time_t *not_after_x509, time_t *not_after_voms) { X509 *cert = NULL; STACK_OF(X509) *chain = NULL; int ret, i; time_t now, end_time, end_time_x509; struct vomsdata *voms_data = NULL; struct voms **voms_cert = NULL; ASN1_UTCTIME *t; char *s, *c; ret = load_proxy(ctx, proxy_file, &cert, NULL, &chain, NULL); if (ret) return ret; ret = get_voms_cert(ctx, cert, chain, &voms_data); if (ret) goto end; end_time = 0; if (voms_data != NULL) { for (voms_cert = voms_data->data; voms_cert && *voms_cert; voms_cert++) { t = ASN1_UTCTIME_new(); if (t == NULL) { glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_new() failed"); ret = 1; goto end; } /* date2 contains a GENERALIZEDTIME format (YYYYMMDDHHSS[.fff]Z) * value, which must be converted to the UTC (YYMMDDHHSSZ) format */ s = strdup((*voms_cert)->date2 + 2); if (s == NULL) { glite_renewal_core_set_err(ctx, "Not enough memory"); ret = ENOMEM; goto end; } c = strchr(s, '.'); if (c) { *c++ = 'Z'; *c = '\0'; } ret = ASN1_UTCTIME_set_string(t, s); if (ret == 0) { glite_renewal_core_set_err(ctx, "ASN1_UTCTIME_set_string() failed\n"); ret = 1; free(s); goto end; } if (end_time == 0 || ASN1_UTCTIME_cmp_time_t(t, end_time) < 0) globus_gsi_cert_utils_make_time(t, &end_time); ASN1_UTCTIME_free(t); free(s); } } globus_gsi_cert_utils_make_time(X509_get_notAfter(cert), &end_time_x509); now = time(NULL); if (end_time_x509 + RENEWAL_CLOCK_SKEW < now) { glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file); ret = EDG_WLPR_PROXY_EXPIRED; goto end; } /* Myproxy seems not to do check on expiration and return expired proxies if credentials in repository are expired */ for (i = 0; i < sk_X509_num(chain); i++) { t = X509_get_notAfter(sk_X509_value(chain, i)); if (ASN1_UTCTIME_cmp_time_t(t, now - RENEWAL_CLOCK_SKEW) < 0) { glite_renewal_core_set_err(ctx, "Expired proxy in %s", proxy_file); ret = EDG_WLPR_PROXY_EXPIRED; goto end; } } *not_after_voms = end_time; *not_after_x509 = end_time_x509; ret = 0; end: if (voms_data) VOMS_Destroy(voms_data); if (chain) sk_X509_pop_free(chain, X509_free); if (cert) X509_free(cert); return ret; }
int file_select(const struct dirent *entry) { cert = X509_new(); certsubject = X509_NAME_new(); int i = 0; char buf[80] = ""; /* check for "." and ".." directory entries */ if(entry->d_name[0]=='.') return 0; /* Check for <id>.pem file name extensions */ if(strstr(entry->d_name, ".pem") == NULL) return 0; /* generate the full file name and path to open it */ snprintf(certfilestr, sizeof(certfilestr), "%s/%s", CACERTSTORE, entry->d_name); /* if we cannot open the file, we move on to the next */ if ((certfile = fopen(certfilestr, "r")) == NULL) return 0; /* now we load the certificate data */ if (! (cert = PEM_read_X509(certfile,NULL,NULL,NULL))) return 0; /* if search type is dn, check if dn field contains the search value */ if (strcmp(search, "dn") == 0) { /* get the subject information to compare the entries in it */ if (! (certsubject = X509_get_subject_name(cert))) return 0; /* now we cycle through all entries of the subject */ for (i = 0; i < X509_NAME_entry_count(certsubject); i++) { e = X509_NAME_get_entry(certsubject, i); OBJ_obj2txt(buf, 80, X509_NAME_ENTRY_get_object(e), 0); /* when the search file matches the cert subject field */ /* check if the field value is equal the search value */ if(strstr(buf, field) != NULL) if(strstr( (char *) X509_NAME_ENTRY_get_data(e), dnvalue) != NULL) return 1; } } /* if search type is exp, check expiration date is between start and end date */ if (strcmp(search, "exp") == 0) { /* get the certificates expiration date */ expiration_date = X509_get_notAfter(cert); /* copy the certificate expiration date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, expiration_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); //int_error(membio_buf); /* debug correct time parsing */ /* parse the expiration date string into a time struct */ memset (&expiration_tm, '\0', sizeof(expiration_tm)); strptime(membio_buf, "%h %d %T %Y %z", &expiration_tm); // int_error(asctime(&expiration_tm)); /* debug correct time parsing */ /* parse the CGI start date string into the start_tm struct */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(exp_startstr, "%d.%m.%Y %R", &start_tm); // int_error(asctime(&start_tm)); /* debug correct time parsing */ /* parse the CGI end date string into the end_tm struct */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(exp_endstr, "%d.%m.%Y %R", &end_tm); // int_error(asctime(&end_tm)); /* debug correct time parsing */ /* check if expiration date >= start date and <= end date */ if ( difftime(mktime(&start_tm), mktime(&expiration_tm)) <=0 && difftime(mktime(&end_tm), mktime(&expiration_tm)) >= 0 ) return 1; } /* if search type is ena, check enable date is between start and end date */ if (strcmp(search, "ena") == 0) { /* get the certificates enable date */ start_date = X509_get_notBefore(cert); /* copy the certificate expiration date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, start_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); /* parse the expiration date string into a time struct */ memset (&enable_tm, '\0', sizeof(enable_tm)); strptime(membio_buf, "%h %d %T %Y %z", &enable_tm); // int_error(asctime(&enable_tm)); /* debug correct time parsing */ /* parse the CGI start date string into the start_tm struct */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(ena_startstr, "%d.%m.%Y %R", &start_tm); // int_error(asctime(&start_tm)); /* debug correct time parsing */ /* parse the CGI end date string into the end_tm struct */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(ena_endstr, "%d.%m.%Y %R", &end_tm); // int_error(asctime(&end_tm)); /* debug correct time parsing */ /* check if expiration date >= start date and <= end date */ if ( difftime(mktime(&start_tm), mktime(&enable_tm)) <=0 && difftime(mktime(&end_tm), mktime(&enable_tm)) >= 0 ) return 1; } /* if search type is rev, check if cert was revoked between start and end date */ if (strcmp(search, "rev") == 0) { /* ---------------------------------------------------------- * * Parse the CGI start date string into the start_tm struct * * ---------------------------------------------------------- */ memset (&start_tm, '\0', sizeof(start_tm)); strptime(rev_startstr, "%d.%m.%Y %R", &start_tm); /* ---------------------------------------------------------- * * Parse the CGI end date string into the end_tm struct * * ---------------------------------------------------------- */ memset (&end_tm, '\0', sizeof(end_tm)); strptime(rev_endstr, "%d.%m.%Y %R", &end_tm); /* ---------------------------------------------------------- * * Get all revoked certificates from revocation DB index.txt * * ---------------------------------------------------------- */ CA_DB *db = NULL; DB_ATTR db_attr; if((db = load_index(INDEXFILE, &db_attr)) == NULL) int_error("Error cannot load CRL certificate database file"); /* ---------------------------------------------------------- * * Get the certs serial number, convert it into a hex string * * -----------------------------------------------------------*/ BIGNUM *bn = NULL; bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(cert), NULL); if (!bn) int_error("Cannot extract serial number from cert into BIGNUM"); char *serialstr = BN_bn2hex(bn); /* ---------------------------------------------------------- * * Check if the cert is revoked, looking up its serial in DB * * -----------------------------------------------------------*/ char *const *pp; int i; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { pp = sk_OPENSSL_PSTRING_value(db->db->data, i); if ( (strcmp(pp[DB_serial], serialstr) == 0) && (pp[DB_type][0] == DB_TYPE_REV) ) { /* ---------------------------------------------------------- * * Revoked, get the certs revocation date from the database * * -----------------------------------------------------------*/ char *p = strchr(pp[DB_rev_date], ','); if (p) *p = '\0'; // if revocation reason is given, terminate before char *revokedstr = BUF_strdup(pp[DB_rev_date]); revocation_date = ASN1_UTCTIME_new(); ASN1_UTCTIME_set_string(revocation_date, revokedstr); //int_error(revokedstr); /* debug correct time parsing */ /* copy the certificate revocation date into a string */ membio = BIO_new(BIO_s_mem()); ASN1_TIME_print(membio, revocation_date); BIO_gets(membio, membio_buf, sizeof(membio_buf)); BIO_free(membio); //int_error(membio_buf); /* parse the revocation date string into a time struct */ memset (&revoked_tm, '\0', sizeof(revoked_tm)); strptime(membio_buf, "%h %d %T %Y %z", &revoked_tm); //int_error(asctime(&revoked_tm)); /* debug correct time parsing */ /* ---------------------------------------------------------- * * Check if revocation date >= start date and <= end date * * -----------------------------------------------------------*/ if ( difftime(mktime(&start_tm), mktime(&revoked_tm)) <=0 && difftime(mktime(&end_tm), mktime(&revoked_tm)) >= 0 ) return 1; } } BN_free(bn); } /* if search type is ser, check if serial is between start and end serial */ if (strcmp(search, "ser") == 0) { /* convert the serial strings to BIGNUM */ BN_dec2bn(&startserialbn, startserstr); BN_dec2bn(&endserialbn, endserstr); /* get the certificates serial number and convert it to BIGNUM */ if ((certserial = X509_get_serialNumber(cert)) == NULL) int_error("Error: Getting certificate serial number in ASN1 format."); if ((certserialbn = ASN1_INTEGER_to_BN(certserial, NULL)) == NULL) int_error("Error: converting certserial number from ASN1 to BIGNUM."); /* debugging output to see values of BIGNUM */ //membio = BIO_new(BIO_s_mem()); //BN_print(membio, endserialbn); //BIO_gets(membio, membio_buf, sizeof(membio_buf)); //BIO_free(membio); //int_error(membio_buf); /* check if certserial >= startserial and <= endserial */ if ( BN_cmp(startserialbn, certserialbn) <= 0 && BN_cmp(endserialbn, certserialbn) >= 0 ) return 1; } return 0; }
inline void utctime::set_time(const std::string& str) const { throw_error_if_not(ASN1_UTCTIME_set_string(ptr().get(), str.c_str()) != 0); }