From: <ope...@li...> - 2002-10-31 12:53:05
Update of /cvsroot/openca/openca-0.9/src/common/lib/functions In directory usw-pr-cvs1:/tmp/cvs-serv1406/openca-0.9/src/common/lib/functions Modified Files: crypto-utils.lib Log Message: added a check for certificates lifetime Index: crypto-utils.lib =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/crypto-utils.lib,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** crypto-utils.lib 15 Oct 2002 09:31:18 -0000 1.13 --- crypto-utils.lib 31 Oct 2002 12:53:02 -0000 1.14 *************** *** 643,646 **** --- 643,653 ---- $role = $req->getParsed()->{HEADER}->{ROLE}; + if (libIsLifetimeTooLong($role)) + { + $errno = 6713; + $errval = gettext("New certificate would exceed CA-certificates lifetime."); + return undef; + } + my $extfile = $role; $extfile =~ s/ /_/g; *************** *** 669,673 **** if($#certList > -1) { ! $errno = 6711; $errval = $errorString; return undef; --- 676,680 ---- if($#certList > -1) { ! 
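Review bot: `$role` is taken straight from the request header on the line above and the new call hands it to `libLoadOpenSSLconfig`, which builds the path `OpenSSL_DIR/<role>.conf` (only spaces are rewritten) and reads that file with `$tools->getFile`, so a role value containing `/` or `..` would select a config outside OpenSSL_DIR. The same value already feeds `$extfile` two lines down, so the exposure is not new, but note that when the file cannot be read `DAYS` is never set and `libIsLifetimeTooLong` then returns undef, i.e. the new lifetime check is silently skipped rather than failing. If roles are not already restricted to an allow-list before they reach this function (its start and end lie outside the hunk), reject anything unexpected before the call: `return undef if ($role !~ /^[A-Za-z0-9 _-]+$/);` with its own `$errno`/`$errval`, or at least treat an undefined `DAYS` as a refusal rather than a pass.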
$errno = 6716; $errval = $errorString; return undef; *************** *** 1147,1150 **** --- 1154,1214 ---- SRC => $tmpdir."/openssl_backup_".$$."_serial"); + } + + sub libIsLifetimeTooLong { + + use Time::Local; + + my $role = $_[0]; + my $days = libLoadOpenSSLconfig($role)->{DAYS}; + my $buffer = 5; ## these are seconds + my $now = time (); + + my $cafile = getRequired ('CACertificate'); + my $cacert = new OpenCA::X509 (SHELL => $cryptoShell, INFILE => $cafile); + + ## convert all to seconds + my $expire = $now + $days * 86400 + $buffer; + my $expire_ca = $cryptoShell->getNumericDate($cacert->getParsed()->{NOTAFTER}); + my ($yyyy,$mm,$dd,$HH,$MM,$SS) = + ( $expire_ca =~ m/(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)/ ); + my $ca_notafter = timegm($SS,$MM,$HH,$dd,$mm-1,$yyyy-1900); + + if ($expire < $ca_notafter) + { + return undef; + } else { + return 1; + } + } + + sub libLoadOpenSSLconfig { + + my $role = $_[0]; + + ## avoid multiple fileloadings + return $role_config->{$role} if ($role_config and $role_config->{$role}); + + my $opensslfile = $role; + $opensslfile =~ s/ /_/g; + $opensslfile .= ".conf"; + if( $opensslfile ) { + $opensslfile = getRequired ( 'OpenSSL_DIR' )."/${opensslfile}"; + } + + my $content = $tools->getFile ($opensslfile); + my @lines = split '\n', $content; + + foreach my $line (@lines) + { + if ($line =~ /default_days/) + { + $role_config->{$role}->{DAYS} = $line; + $role_config->{$role}->{DAYS} =~ s/\s*default_days\s*=\s*//; + $role_config->{$role}->{DAYS} =~ s/[^0-9].*$//; + } + } + + return $role_config->{$role}; } |
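Review bot: `libIsLifetimeTooLong` fails open: if `default_days` is not found (or the config cannot be read) `$days` is undef, `$expire` collapses to `time() + 5`, and the function returns undef, i.e. "not too long"; likewise if `getNumericDate` returns something the regex does not match, `timegm` is called with undefs. Since the whole point of this check is to refuse a certificate that would outlive the CA, both cases should return 1 (refuse) instead of passing. In `libLoadOpenSSLconfig`, `/default_days/` is unanchored, so a commented-out `# default_days = 365` or any later occurrence in another section overwrites the value (the loop does not stop at the first match); anchoring the key and skipping comment lines avoids that, and the `if( $opensslfile )` test is always true once `.conf` has been appended. The 5-second `$buffer` also assumes signing happens essentially at check time — worth a comment if that holds, since a certificate signed later gets a later notBefore.
```perl
sub libIsLifetimeTooLong {
    # … unchanged: use Time::Local, $role …
    my $days = libLoadOpenSSLconfig($role)->{DAYS};
    ## fail closed: an unreadable config or a missing default_days must not issue
    return 1 if (not defined $days or $days !~ /^\d+$/);
    # … unchanged: $buffer, $now, $cafile …
    my $cacert = new OpenCA::X509 (SHELL => $cryptoShell, INFILE => $cafile);
    return 1 if (not $cacert);
    # … unchanged: $expire, $expire_ca …
    my ($yyyy,$mm,$dd,$HH,$MM,$SS) =
        ( $expire_ca =~ m/^(\d\d\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)/ );
    ## fail closed if the CA's notAfter could not be parsed
    return 1 if (not defined $SS);
    # … unchanged: timegm and comparison …
}

sub libLoadOpenSSLconfig {
    # … unchanged: cache lookup, path construction, getFile …
    foreach my $line (@lines)
    {
        next if ($line =~ /^\s*#/);        ## skip commented-out keys
        if ($line =~ /^\s*default_days\s*=\s*(\d+)/)
        {
            $role_config->{$role}->{DAYS} = $1;
            last;                           ## first definition wins
        }
    }
    # … unchanged: return …
}
```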