bx509d: Allow requesting longer cert lifetimes

Add a `lifetime=NUMunit` query parameter. Also add a krb5.conf parameter to indicate whether this is allowed. We already have a max lifetime configuration parameter.
2021-03-07 22:20:06 -06:00
parent 00e0475ce2
commit fbb1a4e3ec
7 changed files with 105 additions and 14 deletions
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -2835,6 +2835,7 @@ enomem:
 static heim_error_code
 tbs_set_times(hx509_context context,
              const heim_config_binding *cf,
+              heim_log_facility *logf,
              time_t starttime,
              time_t endtime,
              time_t req_life,
@@ -2847,15 +2848,29 @@ tbs_set_times(hx509_context context,
    time_t clamp =
        heim_config_get_time_default(context->hcontext, cf, 0,
                                     "max_cert_lifetime", NULL);
+    int allow_more =
+        heim_config_get_bool_default(context->hcontext, cf, FALSE,
+                                     "allow_extra_lifetime", NULL);
+
+    if (!allow_more && fudge && now + fudge > endtime)
+        allow_more = 1;

    starttime = starttime ?  starttime : now - 5 * 60;
    if (fudge && now + fudge > endtime)
        endtime = now + fudge;
-    if (req_life && req_life < endtime - now)
+    if (req_life > 0 && req_life < endtime - now)
        endtime = now + req_life;
    if (clamp && clamp < endtime - now)
        endtime = now + clamp;

+    if (endtime < now) {
+        heim_log_msg(context->hcontext, logf, 3, NULL,
+                     "Endtime would be in the past");
+        hx509_set_error_string(context, 0, ERANGE,
+                               "Endtime would be in the past");
+        return ERANGE;
+    }
+
    hx509_ca_tbs_set_notAfter(context, tbs, endtime);
    hx509_ca_tbs_set_notBefore(context, tbs, starttime);
    return 0;
@@ -2874,6 +2889,7 @@ _hx509_ca_issue_certificate(hx509_context context,
                            KRB5PrincipalName *cprinc,
                            time_t starttime,
                            time_t endtime,
+                            time_t req_life,
                            int send_chain,
                            hx509_certs *out)
 {
@@ -2995,8 +3011,8 @@ _hx509_ca_issue_certificate(hx509_context context,

    /* Work out cert expiration */
    if (ret == 0)
-        ret = tbs_set_times(context, cf, starttime, endtime,
-                            0 /* XXX req_life */, tbs);
+        ret = tbs_set_times(context, cf, logf, starttime, endtime, req_life,
+                            tbs);

    /* Expand the subjectName template in the TBS using the env */
    if (ret == 0)