From: Martin Willi <martin@revosec.ch>
Date: Thu, 27 Mar 2014 13:47:18 +0000 (+0100)
Subject: pki: Support absolute --not-before/after acert lifetimes
X-Git-Tag: 5.1.3rc1~24^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f90e8e6647e6d5c244140320ed29014f8c85aa5;p=thirdparty%2Fstrongswan.git

pki: Support absolute --not-before/after acert lifetimes
---

diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 1d0315a1c8..d49365db54 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -39,7 +39,8 @@ static int acert()
 	char *error = NULL, *keyid = NULL;
 	linked_list_t *groups;
 	chunk_t serial = chunk_empty, encoding = chunk_empty;
-	time_t not_before, not_after, lifetime = 24;
+	time_t not_before, not_after, lifetime = 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	rng_t *rng;
 	char *arg;
 
@@ -75,13 +76,22 @@ static int acert()
 				keyid = arg;
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -100,6 +110,14 @@ static int acert()
 		}
 		break;
 	}
+
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
+
 	if (!issuercert)
 	{
 		error = "--issuercert is required";
@@ -195,9 +213,6 @@ static int acert()
 		goto end;
 	}
 
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 60 * 60;
-
 	ac = lib->creds->create(lib->creds,
 							CRED_CERTIFICATE, CERT_X509_AC,
 							BUILD_CERT, cert,
@@ -255,7 +270,8 @@ static void __attribute__ ((constructor))reg()
 		acert, 'z', "acert",
 		"issue an attribute certificate",
 		{"[--in file] [--group name]* --issuerkey file|--issuerkeyid hex",
-		 " --issuercert file [--lifetime hours] [--serial hex]",
+		 " --issuercert file [--serial hex] [--lifetime hours]",
+		 " [--not-before datetime] [--not-after datetime] [--dateform form]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
 		{
 			{"help",			'h', 0, "show usage information"},
@@ -264,8 +280,11 @@ static void __attribute__ ((constructor))reg()
 			{"issuercert",		'c', 1, "issuer certificate file"},
 			{"issuerkey",		'k', 1, "issuer private key file"},
 			{"issuerkeyid",		'x', 1, "keyid on smartcard of issuer private key"},
-			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
+			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
+			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
+			{"not-after",		'T', 1, "date/time the validity of the AC ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"digest",			'g', 1, "digest for signature creation, default: sha1"},
 			{"outform",			'f', 1, "encoding of generated cert, default: der"},
 		}