oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hx509/bx509: Long-lived certs weren't being issued

Browse Source
This commit is contained in:
Nicolas Williams
2021-04-23 14:47:04 -05:00
parent a4adb8354f
commit 83fe958211
1 changed files with 41 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
lib/hx509/ca.c
View File

@@ -2821,6 +2821,22 @@ enomem:
goto out; goto out;
} }
/*
* Set the notBefore/notAfter for the certificate to be issued.
*
* Here `starttime' is the supplicant's credentials' notBefore equivalent,
* while `endtime' is the supplicant's credentials' notAfter equivalent.
*
* `req_life' is the lifetime requested by the supplicant.
*
* `endtime' must be larger than the current time.
*
* `starttime' can be zero or negative, in which case the notBefore will be the
* current time minus five minutes.
*
* `endtime', `req_life' and configuration parameters will be used to compute
* the actual notAfter.
*/
static heim_error_code static heim_error_code
tbs_set_times(hx509_context context, tbs_set_times(hx509_context context,
const heim_config_binding *cf, const heim_config_binding *cf,
@@ -2831,35 +2847,37 @@ tbs_set_times(hx509_context context,
hx509_ca_tbs tbs) hx509_ca_tbs tbs)
{ {
time_t now = time(NULL); time_t now = time(NULL);
time_t fudge = time_t force = heim_config_get_time_default(context->hcontext,
heim_config_get_time_default(context->hcontext, cf, 5 * 24 * 3600, cf, 5 * 24 * 3600,
"force_cert_lifetime", NULL); "force_cert_lifetime", NULL);
time_t clamp = time_t clamp = heim_config_get_time_default(context->hcontext, cf, 0,
heim_config_get_time_default(context->hcontext, cf, 0,
"max_cert_lifetime", NULL); "max_cert_lifetime", NULL);
int allow_more = int allow_more = heim_config_get_bool_default(context->hcontext, cf, FALSE,
heim_config_get_bool_default(context->hcontext, cf, FALSE, "allow_extra_lifetime",
"allow_extra_lifetime", NULL); NULL);
starttime = starttime > 0 ? starttime : now - 5 * 60;
if (!allow_more && fudge && now + fudge > endtime)
allow_more = 1;
starttime = starttime ? starttime : now - 5 * 60;
if (fudge && now + fudge > endtime)
endtime = now + fudge;
if (req_life > 0 && req_life < endtime - now)
endtime = now + req_life;
if (clamp && clamp < endtime - now)
endtime = now + clamp;
if (endtime < now) { if (endtime < now) {
heim_log_msg(context->hcontext, logf, 3, NULL, heim_log_msg(context->hcontext, logf, 3, NULL,
"Endtime would be in the past"); "Endtime is in the past");
hx509_set_error_string(context, 0, ERANGE, hx509_set_error_string(context, 0, ERANGE, "Endtime is in the past");
"Endtime would be in the past");
return ERANGE; return ERANGE;
} }
/* Apply requested lifetime if shorter or if allowed more */
if (req_life > 0 && req_life <= endtime - now)
endtime = now + req_life;
else if (req_life > 0 && allow_more)
endtime = now + req_life;
/* Apply floor */
if (force > 0 && force > endtime - now)
endtime = now + force;
/* Apply ceiling */
if (clamp > 0 && clamp < endtime - now)
endtime = now + clamp;
hx509_ca_tbs_set_notAfter(context, tbs, endtime); hx509_ca_tbs_set_notAfter(context, tbs, endtime);
hx509_ca_tbs_set_notBefore(context, tbs, starttime); hx509_ca_tbs_set_notBefore(context, tbs, starttime);
return 0; return 0;