From e886e5942c1117115c72cfa0ed808af37693efab Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Mon, 18 Dec 2017 17:00:45 -0500 Subject: Avoid tying encoding of CRLs to the current system clock --- src/lib/utils/parsing.h | 3 ++- src/lib/x509/x509_ca.cpp | 47 ++++++++++++++++++++++++++++++++--------------- src/lib/x509/x509_ca.h | 38 ++++++++++++++++++++++++++++++++++---- 3 files changed, 68 insertions(+), 20 deletions(-) (limited to 'src/lib') diff --git a/src/lib/utils/parsing.h b/src/lib/utils/parsing.h index 1cba23bc3..9185cfaad 100644 --- a/src/lib/utils/parsing.h +++ b/src/lib/utils/parsing.h @@ -124,7 +124,8 @@ BOTAN_PUBLIC_API(2,3) uint16_t to_uint16(const std::string& str); * @param timespec the time specification * @return number of seconds represented by timespec */ -BOTAN_PUBLIC_API(2,0) uint32_t timespec_to_u32bit(const std::string& timespec); +BOTAN_PUBLIC_API(2,0) uint32_t BOTAN_DEPRECATED("Not used anymore") +timespec_to_u32bit(const std::string& timespec); /** * Convert a string representation of an IPv4 address to a number diff --git a/src/lib/x509/x509_ca.cpp b/src/lib/x509/x509_ca.cpp index 6569f506b..22fb8ce80 100644 --- a/src/lib/x509/x509_ca.cpp +++ b/src/lib/x509/x509_ca.cpp @@ -146,8 +146,9 @@ X509_Certificate X509_CA::make_cert(PK_Signer* signer, X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, uint32_t next_update) const { - std::vector empty; - return make_crl(empty, 1, next_update, rng); + return new_crl(rng, + std::chrono::system_clock::now(), + std::chrono::seconds(next_update)); } /* 
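Review bot: An explicit `next_update` of 0 no longer means "seven days" in the legacy `new_crl(rng, uint32_t)` overload in x509_ca.cpp. The value is passed straight into `std::chrono::seconds(next_update)`, and the `if(next_update == 0)` fallback is removed from make_crl in the next hunk. The new header default of 604800 only helps callers that are recompiled and omit the argument. Code that passes 0 explicitly, or was built against the old default, now gets a CRL whose nextUpdate equals thisUpdate, which relying parties will likely treat as already stale. Keeping the old mapping here would preserve the contract, e.g. `std::chrono::seconds(next_update ? next_update : 604800)`; the uint32_t `update_crl` overload in the following hunk needs the same change.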
@@ -158,33 +159,49 @@ X509_CRL X509_CA::update_crl(const X509_CRL& crl, RandomNumberGenerator& rng, uint32_t next_update) const { - std::vector revoked = crl.get_revoked(); + return update_crl(crl, new_revoked, rng, + std::chrono::system_clock::now(), + std::chrono::seconds(next_update)); + } + + +X509_CRL X509_CA::new_crl(RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const + { + std::vector empty; + return make_crl(empty, 1, rng, issue_time, next_update); + } + +X509_CRL X509_CA::update_crl(const X509_CRL& last_crl, + const std::vector& new_revoked, + RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const + { + std::vector revoked = last_crl.get_revoked(); std::copy(new_revoked.begin(), new_revoked.end(), std::back_inserter(revoked)); - return make_crl(revoked, crl.crl_number() + 1, next_update, rng); + return make_crl(revoked, last_crl.crl_number() + 1, rng, issue_time, next_update); } /* * Create a CRL */ X509_CRL X509_CA::make_crl(const std::vector& revoked, - uint32_t crl_number, uint32_t next_update, - RandomNumberGenerator& rng) const + uint32_t crl_number, + RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const { const size_t X509_CRL_VERSION = 2; - if(next_update == 0) - next_update = timespec_to_u32bit("7d"); - - // Totally stupid: ties encoding logic to the return of std::time!! - auto current_time = std::chrono::system_clock::now(); - auto expire_time = current_time + std::chrono::seconds(next_update); + auto expire_time = issue_time + next_update; Extensions extensions; - extensions.add( - new Cert_Extension::Authority_Key_ID(m_ca_cert.subject_key_id())); + extensions.add(new Cert_Extension::Authority_Key_ID(m_ca_cert.subject_key_id())); extensions.add(new Cert_Extension::CRL_Number(crl_number)); // clang-format off 
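Review bot: `make_crl` now computes `expire_time = issue_time + next_update` without checking the interval, so a zero or negative `std::chrono::seconds` yields a signed CRL whose nextUpdate is at or before thisUpdate. The old unsigned parameter with its zero fallback could not produce that; the signed chrono type makes it reachable from the new public overloads. A guard at the top of make_crl would reject it, e.g. `if(next_update <= std::chrono::seconds(0)) throw Invalid_Argument("X509_CA: CRL next_update must be positive");`. The uint32_t overloads would need to map 0 to the default before calling in. make_crl's body continues past the end of this hunk.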
@@ -194,7 +211,7 @@ X509_CRL X509_CA::make_crl(const std::vector& revoked, .encode(X509_CRL_VERSION-1) .encode(m_ca_sig_algo) .encode(m_ca_cert.subject_dn()) - .encode(X509_Time(current_time)) + .encode(X509_Time(issue_time)) .encode(X509_Time(expire_time)) .encode_if(revoked.size() > 0, DER_Encoder() diff --git a/src/lib/x509/x509_ca.h b/src/lib/x509/x509_ca.h index cd122a6fc..49005f530 100644 --- a/src/lib/x509/x509_ca.h +++ b/src/lib/x509/x509_ca.h @@ -10,6 +10,7 @@ #include #include +#include #if defined(BOTAN_HAS_SYSTEM_RNG) #include @@ -46,6 +47,33 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final */ X509_Certificate ca_certificate() const; + /** + * Create a new and empty CRL for this CA. + * @param rng the random number generator to use + * @param issue_time the issue time (typically system_clock::now) + * @param next_update the time interval after issue_data within which + * a new CRL will be produced. + * @return new CRL + */ + X509_CRL new_crl(RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const; + + /** + * Create a new CRL by with additional entries. + * @param last_crl the last CRL of this CA to add the new entries to + * @param new_entries contains the new CRL entries to be added to the CRL + * @param rng the random number generator to use + * @param issue_time the issue time (typically system_clock::now) + * @param next_update the time interval after issue_data within which + * a new CRL will be produced. + */ + X509_CRL update_crl(const X509_CRL& last_crl, + const std::vector& new_entries, + RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const; + /** * Create a new and empty CRL for this CA. * @param rng the random number generator to use 
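Review bot: The doc comments added in x509_ca.h refer to `issue_data`, which is not a parameter; both occurrences should read `issue_time`. Because the caller now controls this value, the comment should say that it is encoded as the CRL's thisUpdate and that nextUpdate is `issue_time + next_update`. A caller passing anything other than the current time then knows it is back-dating or forward-dating the CRL. "Create a new CRL by with additional entries" should read "Create a new CRL with additional entries", and the new `update_crl` comment is missing an `@return` line.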
@@ -54,7 +82,7 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final * @return new CRL */ X509_CRL new_crl(RandomNumberGenerator& rng, - uint32_t next_update = 0) const; + uint32_t next_update = 604800) const; /** * Create a new CRL by with additional entries. @@ -67,7 +95,7 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final X509_CRL update_crl(const X509_CRL& last_crl, const std::vector& new_entries, RandomNumberGenerator& rng, - uint32_t next_update = 0) const; + uint32_t next_update = 604800) const; /** * Interface for creating new certificates @@ -125,8 +153,10 @@ class BOTAN_PUBLIC_API(2,0) X509_CA final private: X509_CRL make_crl(const std::vector& entries, - uint32_t crl_number, uint32_t next_update, - RandomNumberGenerator& rng) const; + uint32_t crl_number, + RandomNumberGenerator& rng, + std::chrono::system_clock::time_point issue_time, + std::chrono::seconds next_update) const; AlgorithmIdentifier m_ca_sig_algo; X509_Certificate m_ca_cert; -- cgit v1.2.3
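Review bot: The new default `604800` appears as a bare literal in both the `new_crl` and `update_crl` declarations, and nothing in the visible lines says it is seven days in seconds. It replaces the removed `timespec_to_u32bit("7d")`, which was self-describing. A short annotation keeps that intent, e.g. `uint32_t next_update = 604800 /* 7 days, in seconds */) const;`, or a single named constant shared by both declarations. The `@param next_update` text sits outside these hunks; if it still describes 0 as selecting the default, it needs updating to match.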