authorJack Lloyd <[email protected]>2017-12-18 17:00:45 -0500
committerJack Lloyd <[email protected]>2017-12-18 17:00:45 -0500
commite886e5942c1117115c72cfa0ed808af37693efab (patch)
tree31aff512f1c346bafb39f96367d16f1fd6969200
parenta29484c932bb40bd2bdd259718d0699d5e717d1a (diff)
Avoid tying encoding of CRLs to the current system clock
-rw-r--r--src/lib/utils/parsing.h3
-rw-r--r--src/lib/x509/x509_ca.cpp47
-rw-r--r--src/lib/x509/x509_ca.h38
3 files changed, 68 insertions, 20 deletions
diff --git a/src/lib/utils/parsing.h b/src/lib/utils/parsing.h
index 1cba23bc3..9185cfaad 100644
--- a/src/lib/utils/parsing.h
+++ b/src/lib/utils/parsing.h
@@ -124,7 +124,8 @@ BOTAN_PUBLIC_API(2,3) uint16_t to_uint16(const std::string& str);
* @param timespec the time specification
* @return number of seconds represented by timespec
*/
-BOTAN_PUBLIC_API(2,0) uint32_t timespec_to_u32bit(const std::string& timespec);
+BOTAN_PUBLIC_API(2,0) uint32_t BOTAN_DEPRECATED("Not used anymore")
+timespec_to_u32bit(const std::string& timespec);
/**
* Convert a string representation of an IPv4 address to a number
diff --git a/src/lib/x509/x509_ca.cpp b/src/lib/x509/x509_ca.cpp
index 6569f506b..22fb8ce80 100644
--- a/src/lib/x509/x509_ca.cpp
+++ b/src/lib/x509/x509_ca.cpp
@@ -146,8 +146,9 @@ X509_Certificate X509_CA::make_cert(PK_Signer* signer,
X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
uint32_t next_update) const
{
- std::vector<CRL_Entry> empty;
- return make_crl(empty, 1, next_update, rng);
+ return new_crl(rng,
+ std::chrono::system_clock::now(),
+ std::chrono::seconds(next_update));
}
/*
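Review bot: An explicit `next_update` of 0 no longer means "one week": the legacy wrapper here forwards it unchanged as `std::chrono::seconds(next_update)`, and the `if(next_update == 0)` fallback is removed from make_crl later in this file. Callers that wrote `new_crl(rng, 0)`, or were compiled against the old `= 0` default, now get a CRL whose nextUpdate equals thisUpdate. Relying parties are likely to treat such a CRL as already stale, and a validator that soft-fails on stale CRLs may then effectively skip revocation checking. Keeping the old contract in the uint32_t wrappers would avoid this, e.g. `std::chrono::seconds(next_update == 0 ? 604800 : next_update)`. The same applies to the `update_crl` wrapper in the next hunk and to the default-argument changes in x509_ca.h.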
@@ -158,33 +159,49 @@ X509_CRL X509_CA::update_crl(const X509_CRL& crl,
RandomNumberGenerator& rng,
uint32_t next_update) const
{
- std::vector<CRL_Entry> revoked = crl.get_revoked();
+ return update_crl(crl, new_revoked, rng,
+ std::chrono::system_clock::now(),
+ std::chrono::seconds(next_update));
+ }
+
+
+X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const
+ {
+ std::vector<CRL_Entry> empty;
+ return make_crl(empty, 1, rng, issue_time, next_update);
+ }
+
+X509_CRL X509_CA::update_crl(const X509_CRL& last_crl,
+ const std::vector<CRL_Entry>& new_revoked,
+ RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const
+ {
+ std::vector<CRL_Entry> revoked = last_crl.get_revoked();
std::copy(new_revoked.begin(), new_revoked.end(),
std::back_inserter(revoked));
- return make_crl(revoked, crl.crl_number() + 1, next_update, rng);
+ return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update);
}
/*
* Create a CRL
*/
X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
- uint32_t crl_number, uint32_t next_update,
- RandomNumberGenerator& rng) const
+ uint32_t crl_number,
+ RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const
{
const size_t X509_CRL_VERSION = 2;
- if(next_update == 0)
- next_update = timespec_to_u32bit("7d");
-
- // Totally stupid: ties encoding logic to the return of std::time!!
- auto current_time = std::chrono::system_clock::now();
- auto expire_time = current_time + std::chrono::seconds(next_update);
+ auto expire_time = issue_time + next_update;
Extensions extensions;
- extensions.add(
- new Cert_Extension::Authority_Key_ID(m_ca_cert.subject_key_id()));
+ extensions.add(new Cert_Extension::Authority_Key_ID(m_ca_cert.subject_key_id()));
extensions.add(new Cert_Extension::CRL_Number(crl_number));
// clang-format off
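Review bot: make_crl computes `expire_time = issue_time + next_update` without checking the interval, and `std::chrono::seconds` is signed, so the new public overloads accept a zero or negative `next_update` and will sign a CRL whose nextUpdate is at or before thisUpdate. A guard at the top of make_crl would reject this before anything is signed, for example `if(next_update <= std::chrono::seconds(0)) throw Invalid_Argument("X509_CA: CRL next_update must be positive");`. The uint32_t wrappers currently forward 0 unchanged, so they would need to substitute the one-week default first. It is also worth considering whether update_crl should refuse an `issue_time` earlier than the previous CRL's thisUpdate, since the caller now controls that value. update_crl's signature begins before this hunk and make_crl's body continues past it.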
@@ -194,7 +211,7 @@ X509_CRL X509_CA::make_crl(const std::vector<CRL_Entry>& revoked,
.encode(X509_CRL_VERSION-1)
.encode(m_ca_sig_algo)
.encode(m_ca_cert.subject_dn())
- .encode(X509_Time(current_time))
+ .encode(X509_Time(issue_time))
.encode(X509_Time(expire_time))
.encode_if(revoked.size() > 0,
DER_Encoder()
diff --git a/src/lib/x509/x509_ca.h b/src/lib/x509/x509_ca.h
index cd122a6fc..49005f530 100644
--- a/src/lib/x509/x509_ca.h
+++ b/src/lib/x509/x509_ca.h
@@ -10,6 +10,7 @@
#include <botan/x509cert.h>
#include <botan/x509_crl.h>
+#include <chrono>
#if defined(BOTAN_HAS_SYSTEM_RNG)
#include <botan/system_rng.h>
@@ -49,12 +50,39 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final
/**
* Create a new and empty CRL for this CA.
* @param rng the random number generator to use
+ * @param issue_time the issue time (typically system_clock::now)
+ * @param next_update the time interval after issue_data within which
+ * a new CRL will be produced.
+ * @return new CRL
+ */
+ X509_CRL new_crl(RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const;
+
+ /**
+ * Create a new CRL by with additional entries.
+ * @param last_crl the last CRL of this CA to add the new entries to
+ * @param new_entries contains the new CRL entries to be added to the CRL
+ * @param rng the random number generator to use
+ * @param issue_time the issue time (typically system_clock::now)
+ * @param next_update the time interval after issue_data within which
+ * a new CRL will be produced.
+ */
+ X509_CRL update_crl(const X509_CRL& last_crl,
+ const std::vector<CRL_Entry>& new_entries,
+ RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const;
+
+ /**
+ * Create a new and empty CRL for this CA.
+ * @param rng the random number generator to use
* @param next_update the time to set in next update in seconds
* as the offset from the current time
* @return new CRL
*/
X509_CRL new_crl(RandomNumberGenerator& rng,
- uint32_t next_update = 0) const;
+ uint32_t next_update = 604800) const;
/**
* Create a new CRL by with additional entries.
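Review bot: The new doc comments refer to `issue_data`, which is not a parameter; both new `@param next_update` entries should read `the time interval after issue_time within which a new CRL will be produced`. The comment on the new update_crl overload is also missing `@return` and opens with "Create a new CRL by with additional entries", which could become `Create a new CRL with additional entries.` Because the legacy default changes from 0 to 604800 in this hunk, the `@param next_update` text on the uint32_t overload should state that the default is one week and, judging by the x509_ca.cpp changes, that 0 is no longer treated specially. The class declaration starts before this hunk and continues after it.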
@@ -67,7 +95,7 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final
X509_CRL update_crl(const X509_CRL& last_crl,
const std::vector<CRL_Entry>& new_entries,
RandomNumberGenerator& rng,
- uint32_t next_update = 0) const;
+ uint32_t next_update = 604800) const;
/**
* Interface for creating new certificates
@@ -125,8 +153,10 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final
private:
X509_CRL make_crl(const std::vector<CRL_Entry>& entries,
- uint32_t crl_number, uint32_t next_update,
- RandomNumberGenerator& rng) const;
+ uint32_t crl_number,
+ RandomNumberGenerator& rng,
+ std::chrono::system_clock::time_point issue_time,
+ std::chrono::seconds next_update) const;
AlgorithmIdentifier m_ca_sig_algo;
X509_Certificate m_ca_cert;