Add option to specify certificate expiration (in days)

Maciej Soltysiak · Maciej Soltysiak · commit 6b9603205d36 · 2014-10-14T19:18:43.000+02:00
diff --git a/cert.c b/cert.c
@@ -1,7 +1,7 @@
 #include "dnscrypt.h"
 
 struct SignedCert *
-cert_build_cert(const uint8_t *crypt_publickey)
+cert_build_cert(const uint8_t *crypt_publickey, int cert_file_expire_days)
 {
     struct SignedCert *signed_cert = malloc(sizeof(struct SignedCert));
     if (!signed_cert)
@@ -19,7 +19,10 @@ cert_build_cert(const uint8_t *crypt_publickey)
            sizeof(signed_cert->magic_query));
     memcpy(signed_cert->serial, "0001", 4);
     uint32_t ts_begin = (uint32_t)time(NULL);
-    uint32_t ts_end = ts_begin + 365 * 24 * 3600;
+    uint32_t ts_end = ts_begin + cert_file_expire_days * 24 * 3600;
+    if (cert_file_expire_days <= 0) {
+        ts_begin = ts_end;
+    }
     ts_begin = htonl(ts_begin);
     ts_end = htonl(ts_end);
     memcpy(signed_cert->ts_begin, &ts_begin, 4);
diff --git a/cert.h b/cert.h
@@ -7,6 +7,8 @@
 #define CERT_MINOR_VERSION 0
 #define CERT_MAGIC_HEADER "7PYqwfzt"
 
+#define CERT_FILE_EXPIRE_DAYS 365
+
 struct SignedCert {
     uint8_t magic_cert[4];
     uint8_t version_major[2];
@@ -21,7 +23,7 @@ struct SignedCert {
     uint8_t end[64];
 };
 
-struct SignedCert *cert_build_cert(const uint8_t *crypt_publickey);
+struct SignedCert *cert_build_cert(const uint8_t *crypt_publickey, int cert_file_expire_days);
 int cert_sign(struct SignedCert *signed_cert,
               const uint8_t *provider_secretkey);
 int cert_unsign(struct SignedCert *signed_cert,
diff --git a/main.c b/main.c
@@ -188,6 +188,7 @@ main(int argc, const char **argv)
     int gen_provider_keypair = 0;
     int gen_crypt_keypair = 0;
     int gen_cert_file = 0;
+    int cert_file_expire_days = CERT_FILE_EXPIRE_DAYS;
     int verbose = 0;
     struct argparse argparse;
     struct argparse_option options[] = {
@@ -219,6 +220,7 @@ main(int argc, const char **argv)
                    "provider secret key file"),
         OPT_BOOLEAN(0, "gen-cert-file", &gen_cert_file,
                     "generate pre-signed certificate"),
+        OPT_INTEGER(0, "cert-file-expire-days", &cert_file_expire_days),
         OPT_STRING(0, "provider-name", &c.provider_name, "provider name"),
         OPT_STRING(0, "provider-cert-file", &c.provider_cert_file,
                    "use this to self-serve cert file"),
@@ -323,7 +325,7 @@ main(int argc, const char **argv)
             exit(1);
         }
         logger(LOG_NOTICE, "Generating pre-signed certificate.");
-        struct SignedCert *signed_cert = cert_build_cert(c.crypt_publickey);
+        struct SignedCert *signed_cert = cert_build_cert(c.crypt_publickey, cert_file_expire_days);
         if (!signed_cert || cert_sign(signed_cert, c.provider_secretkey) != 0) {
             logger(LOG_NOTICE, "Failed.");
             exit(1);
