Fix for bug 143334 : add support for GeneralizedTime in certificates and CRLs. r=wtc,nelsonb

This commit is contained in:
jpierre%netscape.com 2003-09-19 04:08:51 +00:00
parent c74d14bad9
commit 7d744437c3
12 changed files with 237 additions and 73 deletions

View File

@ -34,7 +34,7 @@
/*
* Certificate handling code
*
* $Id: certdb.c,v 1.54 2003/07/31 00:16:23 nelsonb%netscape.com Exp $
* $Id: certdb.c,v 1.55 2003/09/19 04:08:48 jpierre%netscape.com Exp $
*/
#include "nssilock.h"
@ -955,16 +955,21 @@ CERT_SetSlopTime(PRInt32 slop) /* seconds */
SECStatus
CERT_GetCertTimes(CERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
{
int rv;
SECStatus rv;
if (!c || !notBefore || !notAfter) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* convert DER not-before time */
rv = DER_UTCTimeToTime(notBefore, &c->validity.notBefore);
rv = CERT_DecodeTimeChoice(notBefore, &c->validity.notBefore);
if (rv) {
return(SECFailure);
}
/* convert DER not-after time */
rv = DER_UTCTimeToTime(notAfter, &c->validity.notAfter);
rv = CERT_DecodeTimeChoice(notAfter, &c->validity.notAfter);
if (rv) {
return(SECFailure);
}
@ -1015,14 +1020,14 @@ SEC_GetCrlTimes(CERTCrl *date, PRTime *notBefore, PRTime *notAfter)
int rv;
/* convert DER not-before time */
rv = DER_UTCTimeToTime(notBefore, &date->lastUpdate);
rv = CERT_DecodeTimeChoice(notBefore, &date->lastUpdate);
if (rv) {
return(SECFailure);
}
/* convert DER not-after time */
if (date->nextUpdate.data) {
rv = DER_UTCTimeToTime(notAfter, &date->nextUpdate);
rv = CERT_DecodeTimeChoice(notAfter, &date->nextUpdate);
if (rv) {
return(SECFailure);
}
@ -1924,7 +1929,7 @@ CERT_IsNewer(CERTCertificate *certa, CERTCertificate *certb)
return(PR_FALSE);
}
/* get current UTC time */
/* get current time */
now = PR_Now();
if ( newerbefore ) {

View File

@ -33,7 +33,7 @@
/*
* certt.h - public data structures for the certificate library
*
* $Id: certt.h,v 1.23 2002/10/03 03:48:52 wtc%netscape.com Exp $
* $Id: certt.h,v 1.24 2003/09/19 04:08:48 jpierre%netscape.com Exp $
*/
#ifndef _CERTT_H_
#define _CERTT_H_
@ -818,6 +818,7 @@ extern const SEC_ASN1Template CERT_CertExtensionTemplate[];
extern const SEC_ASN1Template CERT_SequenceOfCertExtensionTemplate[];
extern const SEC_ASN1Template SECKEY_PublicKeyTemplate[];
extern const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[];
extern const SEC_ASN1Template CERT_TimeChoiceTemplate[];
extern const SEC_ASN1Template CERT_ValidityTemplate[];
extern const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[];
extern const SEC_ASN1Template SEC_CertSequenceTemplate[];
@ -847,6 +848,7 @@ SEC_ASN1_CHOOSER_DECLARE(CERT_SetOfSignedCrlTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SignedDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_SubjectPublicKeyInfoTemplate)
SEC_ASN1_CHOOSER_DECLARE(SEC_SignedCertificateTemplate)
SEC_ASN1_CHOOSER_DECLARE(CERT_TimeChoiceTemplate)
SEC_END_PROTOS

View File

@ -34,7 +34,7 @@
/*
* Moved from secpkcs7.c
*
* $Id: crl.c,v 1.36 2003/08/30 01:07:21 jpierre%netscape.com Exp $
* $Id: crl.c,v 1.37 2003/09/19 04:08:48 jpierre%netscape.com Exp $
*/
#include "cert.h"
@ -151,8 +151,8 @@ static const SEC_ASN1Template cert_CrlEntryTemplate[] = {
0, NULL, sizeof(CERTCrlEntry) },
{ SEC_ASN1_INTEGER,
offsetof(CERTCrlEntry,serialNumber) },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrlEntry,revocationDate) },
{ SEC_ASN1_INLINE,
offsetof(CERTCrlEntry,revocationDate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
offsetof(CERTCrlEntry, extensions),
SEC_CERTExtensionTemplate},
@ -171,10 +171,10 @@ const SEC_ASN1Template CERT_CrlTemplate[] = {
{ SEC_ASN1_INLINE,
offsetof(CERTCrl,name),
CERT_NameTemplate },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,lastUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,nextUpdate) },
{ SEC_ASN1_INLINE,
offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
offsetof(CERTCrl,entries),
cert_CrlEntryTemplate },
@ -197,10 +197,10 @@ const SEC_ASN1Template CERT_CrlTemplateNoEntries[] = {
{ SEC_ASN1_INLINE,
offsetof(CERTCrl,name),
CERT_NameTemplate },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,lastUpdate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME,
offsetof(CERTCrl,nextUpdate) },
{ SEC_ASN1_INLINE,
offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF |
SEC_ASN1_SKIP }, /* skip entries */
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
@ -216,8 +216,10 @@ const SEC_ASN1Template CERT_CrlTemplateEntriesOnly[] = {
{ SEC_ASN1_SKIP | SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL },
{ SEC_ASN1_SKIP },
{ SEC_ASN1_SKIP },
{ SEC_ASN1_SKIP | SEC_ASN1_UTC_TIME },
{ SEC_ASN1_SKIP | SEC_ASN1_OPTIONAL | SEC_ASN1_UTC_TIME },
{ SEC_ASN1_SKIP | SEC_ASN1_INLINE,
offsetof(CERTCrl,lastUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_SKIP | SEC_ASN1_INLINE | SEC_ASN1_OPTIONAL,
offsetof(CERTCrl,nextUpdate), CERT_TimeChoiceTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_SEQUENCE_OF,
offsetof(CERTCrl,entries),
cert_CrlEntryTemplate }, /* decode entries */
@ -1873,8 +1875,8 @@ CERT_CheckCRL(CERTCertificate* cert, CERTCertificate* issuer, SECItem* dp,
/* check the time if we have one */
if (entry->revocationDate.data && entry->revocationDate.len) {
int64 revocationDate = 0;
if (SECSuccess == DER_UTCTimeToTime(&revocationDate,
&entry->revocationDate)) {
if (SECSuccess == CERT_DecodeTimeChoice(&revocationDate,
&entry->revocationDate)) {
/* we got a good revocation date, only consider the
certificate revoked if the time we are inquiring about
is past the revocation date */

View File

@ -34,7 +34,7 @@
/*
* certhtml.c --- convert a cert to html
*
* $Id: certhtml.c,v 1.3 2001/10/26 21:30:58 wtc%netscape.com Exp $
* $Id: certhtml.c,v 1.4 2003/09/19 04:08:49 jpierre%netscape.com Exp $
*/
#include "seccomon.h"
@ -422,8 +422,8 @@ CERT_HTMLCertInfo(CERTCertificate *cert, PRBool showImages, PRBool showIssuer)
subject = CERT_FormatName (&cert->subject);
version = CERT_Hexify (&cert->version,1);
serialNumber = CERT_Hexify (&cert->serialNumber,1);
notBefore = DER_UTCDayToAscii(&cert->validity.notBefore);
notAfter = DER_UTCDayToAscii(&cert->validity.notAfter);
notBefore = DER_TimeChoiceDayToAscii(&cert->validity.notBefore);
notAfter = DER_TimeChoiceDayToAscii(&cert->validity.notAfter);
servername = CERT_FindNSStringExtension(cert,
SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);

View File

@ -70,7 +70,7 @@ CERT_CertTimesValid(CERTCertificate *c)
return(SECSuccess);
}
/* get current UTC time */
/* get current time */
now = PR_Now();
rv = CERT_GetCertTimes(c, &notBefore, &notAfter);

View File

@ -758,6 +758,9 @@ SECKEY_PublicKeyStrengthInBits;
;+};
;+NSS_3.9 { # NSS 3.9 release
;+ global:
CERT_DecodeTimeChoice;
CERT_EncodeTimeChoice;
NSS_Get_CERT_TimeChoiceTemplate;
PK11_FindSlotsByAliases;
SEC_DupCrl;
;+ local:

View File

@ -34,7 +34,7 @@
/*
* Certificate handling code
*
* $Id: lowcert.c,v 1.14 2002/09/07 01:12:21 jpierre%netscape.com Exp $
* $Id: lowcert.c,v 1.15 2003/09/19 04:08:50 jpierre%netscape.com Exp $
*/
#include "seccomon.h"
@ -129,12 +129,17 @@ nsslowcert_GetDefaultCertDB(void)
*/
static unsigned char *
nsslowcert_dataStart(unsigned char *buf, unsigned int length,
unsigned int *data_length, PRBool includeTag) {
unsigned int *data_length, PRBool includeTag,
unsigned char* rettag) {
unsigned char tag;
unsigned int used_length= 0;
tag = buf[used_length++];
if (rettag) {
*rettag = tag;
}
/* blow out when we come to the end */
if (tag == 0) {
return NULL;
@ -161,18 +166,38 @@ nsslowcert_dataStart(unsigned char *buf, unsigned int length,
return (buf + (includeTag ? 0 : used_length));
}
static void SetTimeType(SECItem* item, unsigned char tagtype)
{
switch (tagtype) {
case SEC_ASN1_UTC_TIME:
item->type = siUTCTime;
break;
case SEC_ASN1_GENERALIZED_TIME:
item->type = siGeneralizedTime;
break;
default:
PORT_Assert(0);
break;
}
}
static int
nsslowcert_GetValidityFields(unsigned char *buf,int buf_length,
SECItem *notBefore, SECItem *notAfter)
{
unsigned char tagtype;
notBefore->data = nsslowcert_dataStart(buf,buf_length,
&notBefore->len,PR_FALSE);
&notBefore->len,PR_FALSE, &tagtype);
if (notBefore->data == NULL) return SECFailure;
SetTimeType(notBefore, tagtype);
buf_length -= (notBefore->data-buf) + notBefore->len;
buf = notBefore->data + notBefore->len;
notAfter->data = nsslowcert_dataStart(buf,buf_length,
&notAfter->len,PR_FALSE);
&notAfter->len,PR_FALSE, &tagtype);
if (notAfter->data == NULL) return SECFailure;
SetTimeType(notAfter, tagtype);
return SECSuccess;
}
@ -187,33 +212,33 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
unsigned int dummylen;
/* get past the signature wrap */
buf = nsslowcert_dataStart(cert,cert_length,&buf_length,PR_FALSE);
buf = nsslowcert_dataStart(cert,cert_length,&buf_length,PR_FALSE, NULL);
if (buf == NULL) return SECFailure;
/* get into the raw cert data */
buf = nsslowcert_dataStart(buf,buf_length,&buf_length,PR_FALSE);
buf = nsslowcert_dataStart(buf,buf_length,&buf_length,PR_FALSE, NULL);
if (buf == NULL) return SECFailure;
/* skip past any optional version number */
if ((buf[0] & 0xa0) == 0xa0) {
dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE);
dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
if (dummy == NULL) return SECFailure;
buf_length -= (dummy-buf) + dummylen;
buf = dummy + dummylen;
}
/* serial number */
if (derSN) {
derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE);
derSN->data=nsslowcert_dataStart(buf,buf_length,&derSN->len,PR_TRUE, NULL);
}
serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE);
serial->data = nsslowcert_dataStart(buf,buf_length,&serial->len,PR_FALSE, NULL);
if (serial->data == NULL) return SECFailure;
buf_length -= (serial->data-buf) + serial->len;
buf = serial->data + serial->len;
/* skip the OID */
dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE);
dummy = nsslowcert_dataStart(buf,buf_length,&dummylen,PR_FALSE, NULL);
if (dummy == NULL) return SECFailure;
buf_length -= (dummy-buf) + dummylen;
buf = dummy + dummylen;
/* issuer */
issuer->data = nsslowcert_dataStart(buf,buf_length,&issuer->len,PR_TRUE);
issuer->data = nsslowcert_dataStart(buf,buf_length,&issuer->len,PR_TRUE, NULL);
if (issuer->data == NULL) return SECFailure;
buf_length -= (issuer->data-buf) + issuer->len;
buf = issuer->data + issuer->len;
@ -223,17 +248,17 @@ nsslowcert_GetCertFields(unsigned char *cert,int cert_length,
return SECSuccess;
}
/* validity */
valid->data = nsslowcert_dataStart(buf,buf_length,&valid->len,PR_FALSE);
valid->data = nsslowcert_dataStart(buf,buf_length,&valid->len,PR_FALSE, NULL);
if (valid->data == NULL) return SECFailure;
buf_length -= (valid->data-buf) + valid->len;
buf = valid->data + valid->len;
/*subject */
subject->data=nsslowcert_dataStart(buf,buf_length,&subject->len,PR_TRUE);
subject->data=nsslowcert_dataStart(buf,buf_length,&subject->len,PR_TRUE, NULL);
if (subject->data == NULL) return SECFailure;
buf_length -= (subject->data-buf) + subject->len;
buf = subject->data + subject->len;
/* subject key info */
subjkey->data=nsslowcert_dataStart(buf,buf_length,&subjkey->len,PR_TRUE);
subjkey->data=nsslowcert_dataStart(buf,buf_length,&subjkey->len,PR_TRUE, NULL);
if (subjkey->data == NULL) return SECFailure;
buf_length -= (subjkey->data-buf) + subjkey->len;
buf = subjkey->data + subjkey->len;
@ -253,15 +278,15 @@ nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *not
}
/* convert DER not-before time */
rv = DER_UTCTimeToTime(notBefore, &validity.notBefore);
rv = CERT_DecodeTimeChoice(notBefore, &validity.notBefore);
if (rv) {
return(SECFailure);
return(SECFailure);
}
/* convert DER not-after time */
rv = DER_UTCTimeToTime(notAfter, &validity.notAfter);
rv = CERT_DecodeTimeChoice(notAfter, &validity.notAfter);
if (rv) {
return(SECFailure);
return(SECFailure);
}
return(SECSuccess);
@ -305,7 +330,7 @@ nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
return(PR_FALSE);
}
/* get current UTC time */
/* get current time */
now = PR_Now();
if ( newerbefore ) {

View File

@ -73,14 +73,18 @@ static long monthToDayInYear[12] = {
/* gmttime must contains UTC time in micro-seconds unit */
SECStatus
DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
DER_TimeToUTCTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
{
PRExplodedTime printableTime;
unsigned char *d;
dst->len = 13;
dst->data = d = (unsigned char*) PORT_Alloc(13);
dst->type = siBuffer;
if (arenaOpt) {
dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
} else {
dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
}
dst->type = siUTCTime;
if (!d) {
return SECFailure;
}
@ -115,6 +119,13 @@ DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
return SECSuccess;
}
SECStatus
DER_TimeToUTCTime(SECItem *dst, int64 gmttime)
{
return DER_TimeToUTCTimeArena(NULL, dst, gmttime);
}
SECStatus
DER_AsciiToTime(int64 *dst, char *string)
{
@ -222,14 +233,18 @@ DER_UTCTimeToTime(int64 *dst, SECItem *time)
certificate extension, which does not have this restriction.
*/
SECStatus
DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt, SECItem *dst, int64 gmttime)
{
PRExplodedTime printableTime;
unsigned char *d;
dst->len = 15;
dst->data = d = (unsigned char*) PORT_Alloc(15);
dst->type = siBuffer;
if (arenaOpt) {
dst->data = d = (unsigned char*) PORT_ArenaAlloc(arenaOpt, dst->len);
} else {
dst->data = d = (unsigned char*) PORT_Alloc(dst->len);
}
dst->type = siGeneralizedTime;
if (!d) {
return SECFailure;
}
@ -260,6 +275,13 @@ DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
return SECSuccess;
}
SECStatus
DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime)
{
return DER_TimeToGeneralizedTimeArena(NULL, dst, gmttime);
}
/*
The caller should make sure that the generalized time should only
be used for the certificate validity after the year 2051; otherwise,

View File

@ -38,7 +38,7 @@
* for security libraries. It should not be dependent on any other
* headers, and should not require linking with any libraries.
*
* $Id: seccomon.h,v 1.3 2002/02/21 22:41:44 ian.mcgreer%sun.com Exp $
* $Id: seccomon.h,v 1.4 2003/09/19 04:08:50 jpierre%netscape.com Exp $
*/
#ifndef _SECCOMMON_H_
@ -68,7 +68,9 @@ typedef enum {
siAsciiNameString = 7,
siAsciiString = 8,
siDEROID = 9,
siUnsignedInteger = 10
siUnsignedInteger = 10,
siUTCTime = 11,
siGeneralizedTime = 12
} SECItemType;
typedef struct SECItemStr SECItem;

View File

@ -38,7 +38,7 @@
* secder.h - public data structures and prototypes for the DER encoding and
* decoding utilities library
*
* $Id: secder.h,v 1.2 2002/04/04 00:11:48 nelsonb%netscape.com Exp $
* $Id: secder.h,v 1.3 2003/09/19 04:08:50 jpierre%netscape.com Exp $
*/
#if defined(_WIN32_WCE)
@ -51,6 +51,7 @@
#include "seccomon.h"
#include "secdert.h"
#include "prtime.h"
SEC_BEGIN_PROTOS
@ -137,6 +138,9 @@ extern unsigned long DER_GetUInteger(SECItem *src);
** result->data points to upon a successfull operation.
*/
extern SECStatus DER_TimeToUTCTime(SECItem *result, int64 time);
extern SECStatus DER_TimeToUTCTimeArena(PRArenaPool* arenaOpt,
SECItem *dst, int64 gmttime);
/*
** Convert an ascii encoded time value (according to DER rules) into
@ -165,11 +169,17 @@ extern char *DER_UTCTimeToAscii(SECItem *utcTime);
** The caller is responsible for deallocating the returned buffer.
*/
extern char *DER_UTCDayToAscii(SECItem *utctime);
/* same thing for DER encoded GeneralizedTime */
extern char *DER_GeneralizedDayToAscii(SECItem *gentime);
/* same thing for either DER UTCTime or GeneralizedTime */
extern char *DER_TimeChoiceDayToAscii(SECItem *timechoice);
/*
** Convert a int64 time to a DER encoded Generalized time
*/
extern SECStatus DER_TimeToGeneralizedTime(SECItem *dst, int64 gmttime);
extern SECStatus DER_TimeToGeneralizedTimeArena(PRArenaPool* arenaOpt,
SECItem *dst, int64 gmttime);
/*
** Convert a DER encoded Generalized time value into a UNIX time value.
@ -183,7 +193,7 @@ extern SECStatus DER_GeneralizedTimeToTime(int64 *dst, SECItem *time);
** caller is responsible for deallocating the returned buffer.
*/
extern char *CERT_UTCTime2FormattedAscii (int64 utcTime, char *format);
#define CERT_GeneralizedTime2FormattedAscii CERT_UTCTime2FormattedAscii
/*
** Convert from a int64 Generalized time value to a formatted ascii value. The
@ -191,6 +201,19 @@ extern char *CERT_UTCTime2FormattedAscii (int64 utcTime, char *format);
*/
extern char *CERT_GenTime2FormattedAscii (int64 genTime, char *format);
/*
** decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME
** or a SEC_ASN1_UTC_TIME
*/
extern SECStatus CERT_DecodeTimeChoice(PRTime* output, SECItem* input);
/* encode a PRTime to an ASN.1 DER SECItem containing either a
SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
extern SECStatus CERT_EncodeTimeChoice(PRArenaPool* arena, SECItem* output,
PRTime input);
SEC_END_PROTOS
#endif /* _SECDER_H_ */

View File

@ -36,28 +36,31 @@
#include "secder.h"
#include "cert.h"
#include "secitem.h"
#include "secerr.h"
const SEC_ASN1Template CERT_TimeChoiceTemplate[] = {
{ SEC_ASN1_CHOICE, offsetof(SECItem, type), 0, sizeof(SECItem) },
{ SEC_ASN1_UTC_TIME, 0, 0, siUTCTime },
{ SEC_ASN1_GENERALIZED_TIME, 0, 0, siGeneralizedTime },
{ 0 }
};
SEC_ASN1_CHOOSER_IMPLEMENT(CERT_TimeChoiceTemplate);
const SEC_ASN1Template CERT_ValidityTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CERTValidity) },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTValidity,notBefore) },
{ SEC_ASN1_UTC_TIME,
offsetof(CERTValidity,notAfter) },
{ SEC_ASN1_INLINE,
offsetof(CERTValidity,notBefore), CERT_TimeChoiceTemplate, 0 },
{ SEC_ASN1_INLINE,
offsetof(CERTValidity,notAfter), CERT_TimeChoiceTemplate, 0 },
{ 0 }
};
DERTemplate CERTValidityTemplate[] = {
{ DER_SEQUENCE,
0, NULL, sizeof(CERTValidity) },
{ DER_UTC_TIME,
offsetof(CERTValidity,notBefore), },
{ DER_UTC_TIME,
offsetof(CERTValidity,notAfter), },
{ 0, }
};
PRTime January1st2050 = LL_INIT(0x0008f81e,0x1b098000);
static char *DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format);
static char *DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER, char *format);
/* convert DER utc time to ascii time string */
char *
@ -73,6 +76,36 @@ DER_UTCDayToAscii(SECItem *utctime)
return (DecodeUTCTime2FormattedAscii (utctime, "%a %b %d, %Y"));
}
/* convert DER generalized time to ascii time string, only include day,
not time */
char *
DER_GeneralizedDayToAscii(SECItem *gentime)
{
return (DecodeGeneralizedTime2FormattedAscii (gentime, "%a %b %d, %Y"));
}
/* convert DER generalized or UTC time to ascii time string, only include
day, not time */
char *
DER_TimeChoiceDayToAscii(SECItem *timechoice)
{
switch (timechoice->type) {
case siUTCTime:
return DER_UTCDayToAscii(timechoice);
case siGeneralizedTime:
return DER_GeneralizedDayToAscii(timechoice);
default:
PORT_Assert(0);
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
}
CERTValidity *
CERT_CreateValidity(int64 notBefore, int64 notAfter)
{
@ -89,9 +122,9 @@ CERT_CreateValidity(int64 notBefore, int64 notAfter)
v = (CERTValidity*) PORT_ArenaZAlloc(arena, sizeof(CERTValidity));
if (v) {
v->arena = arena;
rv = DER_TimeToUTCTime(&v->notBefore, notBefore);
rv = CERT_EncodeTimeChoice(arena, &v->notBefore, notBefore);
if (rv) goto loser;
rv = DER_TimeToUTCTime(&v->notAfter, notAfter);
rv = CERT_EncodeTimeChoice(arena, &v->notAfter, notAfter);
if (rv) goto loser;
}
return v;
@ -175,3 +208,50 @@ DecodeUTCTime2FormattedAscii (SECItem *utcTimeDER, char *format)
}
return (CERT_UTCTime2FormattedAscii (utcTime, format));
}
/* convert DER utc time to ascii time string, The format of the time string
depends on the input "format"
*/
static char *
DecodeGeneralizedTime2FormattedAscii (SECItem *generalizedTimeDER, char *format)
{
PRTime generalizedTime;
int rv;
rv = DER_GeneralizedTimeToTime(&generalizedTime, generalizedTimeDER);
if (rv) {
return(NULL);
}
return (CERT_GeneralizedTime2FormattedAscii (generalizedTime, format));
}
/* decode a SECItem containing either a SEC_ASN1_GENERALIZED_TIME
or a SEC_ASN1_UTC_TIME */
SECStatus CERT_DecodeTimeChoice(PRTime* output, SECItem* input)
{
switch (input->type) {
case siGeneralizedTime:
return DER_GeneralizedTimeToTime(output, input);
case siUTCTime:
return DER_UTCTimeToTime(output, input);
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
PORT_Assert(0);
return SECFailure;
}
}
/* encode a PRTime to an ASN.1 DER SECItem containing either a
SEC_ASN1_GENERALIZED_TIME or a SEC_ASN1_UTC_TIME */
SECStatus CERT_EncodeTimeChoice(PRArenaPool* arena, SECItem* output, PRTime input)
{
if (LL_CMP(input, >, January1st2050)) {
return DER_TimeToGeneralizedTimeArena(arena, output, input);
} else {
return DER_TimeToUTCTimeArena(arena, output, input);
}
}

View File

@ -339,7 +339,7 @@ cert_CA()
#
CU_ACTION="Creating CA Cert $NICKNAME "
CU_SUBJECT=$ALL_CU_SUBJECT
certu -S -n $NICKNAME -t $TRUSTARG -v 60 $SIGNER -d ${LPROFILE} -1 -2 -5 \
certu -S -n $NICKNAME -t $TRUSTARG -v 600 $SIGNER -d ${LPROFILE} -1 -2 -5 \
-f ${R_PWFILE} -z ${R_NOISE_FILE} -m $CERTSERIAL 2>&1 <<CERTSCRIPT
5
9
@ -618,7 +618,7 @@ MODSCRIPT
CU_ACTION="Generate Certificate for ${CERTNAME}"
CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140-1, L=Mountain View, ST=California, C=US"
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -m 500 -z "${R_NOISE_FILE}" 2>&1
certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1
if [ "$RET" -eq 0 ]; then
cert_log "SUCCESS: FIPS passed"
fi