apps: req/x509 add explicit start and end date #21716
Is notafter < notbefore allowed..
Same question applies to days and notbefore.
Yes, there's currently no check to ensure this. Will add one to
6fa9038 to 2b2b2f4
Closing and reopening to pass
2b2b2f4 to 859b0f0
It would be nice to have some tests for these new options.
859b0f0 to 276f844
I will try to get some tests ready!
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
When do you think you can do that?
Meanwhile there is a (trivial) merge conflict in Anyway, the new text there meanwhile will need to be moved to an upcoming section on changes to version 3.3
Nice work.
Just a couple of small further improvements suggested.
Plus the other changes and test extensions already planned for.
Thank you very much for your patience and the great feedback!
Good work! Just a few nits remaining.
Version number and style nits are fixed.
CI is relevant - the number of tests in test_req is already bumped to 108 in current master branch. Please rebase this again and bump the number to 109. I am sorry for this hassle.
- Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times` helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>

25-test_req.t: Increment number of planned tests

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
7be6702 to 1d7582b
This pull request is ready to merge
Merged to the master branch. Thank you for your contribution.
- Added options `-not_before` (start date) and `-not-after` (end date) for explicit setting of the validity period of a certificate in the apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times` helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text` formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #21716)
The tests used localtime to format "today's" date, but then extracted a GMT date from the cert. The comparison breaks when run late in the evening west of UTC, or early in the AM hours east of UTC.

Also took care of case when test runs at stroke of midnight, by accepting either the "today" before the cert creation, or the "today" after, should they be different.

Fixes fragile tests in #21716

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #24139)
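
The failure mode described in the commit message above, modelled in Python as an added example. This is not the project's Perl test code; the function names, time zones and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DAY = "%Y-%m-%d"


def cert_date(issued: datetime) -> str:
    """Date part of notBefore as parsed from the certificate: always GMT."""
    return issued.astimezone(UTC).strftime(DAY)


def fragile_check(issued: datetime, local_tz: timezone) -> bool:
    """Pre-fix logic: 'today' formatted in local time, compared to a GMT date."""
    return issued.astimezone(local_tz).strftime(DAY) == cert_date(issued)


def robust_check(before: datetime, issued: datetime, after: datetime) -> bool:
    """Post-fix logic: sample 'today' in UTC before and after creating the
    cert and accept either value, which covers a run that straddles midnight."""
    accepted = {t.astimezone(UTC).strftime(DAY) for t in (before, after)}
    return cert_date(issued) in accepted


# Constructed instants (not taken from any real test run).
EVENING_WEST = datetime(2024, 4, 15, 2, 30, tzinfo=UTC)  # 21:30 on 14 Apr at UTC-5
MORNING_EAST = datetime(2024, 4, 14, 18, 0, tzinfo=UTC)  # 03:00 on 15 Apr at UTC+9
MIDNIGHT = datetime(2024, 4, 15, 0, 0, 0, tzinfo=UTC)

if __name__ == "__main__":
    west, east = timezone(timedelta(hours=-5)), timezone(timedelta(hours=9))
    print("west of UTC, evening :", fragile_check(EVENING_WEST, west))
    print("east of UTC, early AM:", fragile_check(MORNING_EAST, east))
    tick = timedelta(milliseconds=100)
    print("across midnight      :", robust_check(MIDNIGHT - tick, MIDNIGHT, MIDNIGHT + tick))
```
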
This feature adds options to explicitly set the start and end dates in X509v3 certificate creation with the `req` and `x509` apps.

I stumbled upon this several times now, and I think this adds some convenience to the apps.

For the `req` app, I borrowed the naming from the `ca` app, hence the parameters are called `-startdate` and `-enddate`. I also added the same handling for `default_startdate` and `default_enddate` to the respective configuration file section.

The `-enddate` option conflicts with the `-days` option, hence only one of both can be used. If a start date is given, but no end date, the `-days` option is processed instead. Currently, this results in an offset of days from the current date, not from the start date.

For the `x509` app, I had to select different names, as `-startdate` and `-enddate` are already in use to print the `notBefore` and `notAfter` fields of a certificate. Therefore, I called the options `-notbefore` and `-notafter`. The handling in respect to the `-days` option is similar to the `req` app, but no configuration file parameters exist.

Changes:

- `req` app.
- `-startdate` and `-enddate` to `-not_before` and `-not_after` in `req` app.
- `-not_before` and `-not_after` also to `x509` app.
- `req` and `x509`.
- `ca` app: `-not_before` -> `-startdate`, `-not_after` -> `-enddate`.
- `check_cert_time_string` to `lib/apps`.
- `check_cert_times`.
.Checklist