apps: req/x509 add explicit start and end date #21716
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openssl-machine
added
the
hold: cla required
paulidale
requested changes
Aug 11, 2023
slontis
reviewed
Aug 11, 2023
slontis
reviewed
Aug 11, 2023
slontis
reviewed
Aug 11, 2023
slontis
reviewed
Aug 11, 2023
Yes, there's currently no check to ensure this. Will add one to |
Atomisirsi
force-pushed
the
feature/apps-req-x509-add-explicit-startdate-enddate
branch
2 times, most recently
from
6fa9038
to
2b2b2f4
Compare
|
Closing and reopening to pass |
openssl-machine
removed
the
hold: cla required
Atomisirsi
force-pushed
the
feature/apps-req-x509-add-explicit-startdate-enddate
branch
from
2b2b2f4
to
859b0f0
Compare
github-actions
bot
added
the
severity: fips change
t8m
approved these changes
Aug 28, 2023
t8m
added
branch: master
|
It would be nice to have some tests for these new options. |
Atomisirsi
force-pushed
the
feature/apps-req-x509-add-explicit-startdate-enddate
branch
from
859b0f0
to
276f844
Compare
I will try to get some tests ready! |
|
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago |
When do you think you can do that? |
|
Meanwhile there is a (trivial) merge conflict in Anyway, the new text there meanwhile will need to be moved to an upcoming section on changes to version 3.3 |
DDvO
requested changes
Oct 27, 2023
Thank you very much for your patience and the great feedback! |
t8m
requested changes
Apr 3, 2024
DDvO
approved these changes
Apr 5, 2024
t8m
approved these changes
Apr 5, 2024
t8m
added
approval: done
|
CI is relevant - the number of tests in test_req is already bumped to 108 in current master branch. Please rebase this again and bump the number to 109. I am sorry for this hassle. |
- Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509` - The new options accept time strings or "today" - In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate` - When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted - In any case, `-not-after` overrides the `-days` option - Added helper function `check_cert_time_string` to validate given certificate time strings - Use the new helper function in apps `ca`, `req` and `x509` - Moved redundant code for time string checking into `set_cert_times` helper function. - Added tests for explicit start and end dates in apps `req` and `x509` - test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl` - CHANGES: Added to new section 3.4 Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
25-test_req.t: Increment number of planned tests Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
Atomisirsi
force-pushed
the
feature/apps-req-x509-add-explicit-startdate-enddate
branch
from
7be6702
to
1d7582b
Compare
t8m
approved these changes
Apr 5, 2024
t8m
added
the
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Merged to the master branch. Thank you for your contribution. |
openssl-machine
pushed a commit
that referenced
this pull request
Apr 9, 2024
- Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509` - The new options accept time strings or "today" - In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate` - When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted - In any case, `-not-after` overrides the `-days` option - Added helper function `check_cert_time_string` to validate given certificate time strings - Use the new helper function in apps `ca`, `req` and `x509` - Moved redundant code for time string checking into `set_cert_times` helper function. - Added tests for explicit start and end dates in apps `req` and `x509` - test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl` - CHANGES: Added to new section 3.4 Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21716)
Atomisirsi
deleted the
feature/apps-req-x509-add-explicit-startdate-enddate
branch
vdukhovni
pushed a commit
to vdukhovni/openssl
that referenced
this pull request
Apr 15, 2024
The tests used localtime to format "today's" date, but then extracted a GMT date from the cert. The comparison breaks when run late in the evening west of UTC, or early in the AM hours east of UTC. Also took care of case when test runs at stroke of midnight, by accepting either the "today" before the cert creation, or the "today" after, should they be different. Fixes fragile tests in openssl#21716
vdukhovni
pushed a commit
that referenced
this pull request
Apr 16, 2024
The tests used localtime to format "today's" date, but then extracted a GMT date from the cert. The comparison breaks when run late in the evening west of UTC, or early in the AM hours east of UTC. Also took care of case when test runs at stroke of midnight, by accepting either the "today" before the cert creation, or the "today" after, should they be different. Fixes fragile tests in #21716
openssl-machine
pushed a commit
that referenced
this pull request
Apr 18, 2024
The tests used localtime to format "today's" date, but then extracted a GMT date from the cert. The comparison breaks when run late in the evening west of UTC, or early in the AM hours east of UTC. Also took care of case when test runs at stroke of midnight, by accepting either the "today" before the cert creation, or the "today" after, should they be different. Fixes fragile tests in #21716 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #24139)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This feature adds options to explicitly set the start and end dates in X509v3 certificate creation with the
reqandx509apps.I stumbled upon this several times now, and I think this adds some convenience to the apps.
For the
reqapp, I borrowed the naming from thecaapp, hence the parameters are called-startdateand-enddate. I also added the same handling fordefault_startdateanddefault_enddateto the respective configuration file section.The
-enddateoption conflicts with the-daysoption, hence only one of both can be used. If a start date is given, but no end date, the-daysoption is processed instead. Currently, this results in an offset of days from the current date, not from the start date.For the
x509app, I had to select different names, as-startdateand-enddateare already in use to print thenotBeforeandnotAfterfields of a certificate. Therefore, I called the options-notbeforeand-notafter. The handling in respect to the-daysoption is similar to thereqapp, but no configuration file parameters exist.Changes:
reqapp.-startdateand-enddateto-not_beforeand-not_afterinreqapp.-not_beforeand-not_afteralso tox509app.reqandx509.caapp:-not_before->-startdate,-not_after->-enddate.check_cert_time_stringtolib/apps.check_cert_times.Checklist