certtool: Allow specifying CRL dates as fixed dates

diff --git a/src/certtool-args.def b/src/certtool-args.def
index 8e4e4a40d548586426a427c11144a2d4250bea7d..af2c41bfab0b6358af5fae1809808e2dba7dbb52 100644 (file)
--- a/src/certtool-args.def
+++ b/src/certtool-args.def
@@ -888,6 +888,14 @@ encryption_key
 # Comment the field for a time-based number.
 #crl_number = 5
 
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
+
 @end example
 
 _EOT_;

diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index 57ca2cc7662ac00697bf8648c653535a8519171b..540ee4265802d1e9316edc2ae0202a2ac391499b 100644 (file)
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -103,6 +103,9 @@ static struct cfg_options available_options[] = {
        { .name = "country", .type = OPTION_STRING },
        { .name = "expiration_date", .type = OPTION_STRING },
        { .name = "activation_date", .type = OPTION_STRING },
+       { .name = "crl_revocation_date", .type = OPTION_STRING },
+       { .name = "crl_this_update_date", .type = OPTION_STRING },
+       { .name = "crl_next_update_date", .type = OPTION_STRING },
        { .name = "policy*", .type = OPTION_MULTI_LINE }, /* not a multi-line but there are multi as it is a wildcard */
        { .name = "pkcs12_key_name", .type = OPTION_STRING },
        { .name = "proxy_policy_language", .type = OPTION_STRING },
@@ -157,6 +160,9 @@ typedef struct _cfg_ctx {
        char *pkcs12_key_name;
        char *expiration_date;
        char *activation_date;
+       char *revocation_date;
+       char *this_update_date;
+       char *next_update_date;
        int64_t serial;
        int expiration_days;
        int ca;
@@ -376,6 +382,18 @@ int template_parse(const char *template)
        if (val != NULL && val->valType == OPARG_TYPE_STRING)
                cfg.activation_date = strdup(val->v.strVal);
 
+       val = optionGetValue(pov, "crl_revocation_date");
+       if (val != NULL && val->valType == OPARG_TYPE_STRING)
+               cfg.revocation_date = strdup(val->v.strVal);
+
+       val = optionGetValue(pov, "crl_this_update_date");
+       if (val != NULL && val->valType == OPARG_TYPE_STRING)
+               cfg.this_update_date = strdup(val->v.strVal);
+
+       val = optionGetValue(pov, "crl_next_update_date");
+       if (val != NULL && val->valType == OPARG_TYPE_STRING)
+               cfg.next_update_date = strdup(val->v.strVal);
+
        for (i = 0; i < MAX_POLICIES; i++) {
                snprintf(tmpstr, sizeof(tmpstr), "policy%d", i + 1);
                val = optionGetValue(pov, tmpstr);
@@ -1197,6 +1215,26 @@ time_t get_activation_date(void)
        return time(NULL);
 }
 
+time_t get_crl_revocation_date(void)
+{
+
+       if (batch && cfg.revocation_date != NULL) {
+                       return get_date(cfg.revocation_date);
+       }
+
+       return time(NULL);
+}
+
+time_t get_crl_this_update_date(void)
+{
+
+       if (batch && cfg.this_update_date != NULL) {
+                       return get_date(cfg.this_update_date);
+       }
+
+       return time(NULL);
+}
+
 static
 time_t days_to_secs(int days)
 {
@@ -1853,7 +1891,7 @@ int get_ipsec_ike_status(void)
 
 time_t get_crl_next_update(void)
 {
-       return get_int_date(NULL, cfg.crl_next_update, "The next CRL will be issued in (days): ");
+       return get_int_date(cfg.next_update_date, cfg.crl_next_update, "The next CRL will be issued in (days): ");
 }
 
 const char *get_proxy_policy(char **policy, size_t * policylen)

diff --git a/src/certtool-cfg.h b/src/certtool-cfg.h
index 77472f9b7f3763f2f7b92aba93c62f22e8eb093a..2c7240daa29ad802aa022436e7bab364281b1b1c 100644 (file)
--- a/src/certtool-cfg.h
+++ b/src/certtool-cfg.h
@@ -63,6 +63,8 @@ const char *get_pkcs12_key_name(void);
 int get_tls_client_status(void);
 int get_tls_server_status(void);
 time_t get_crl_next_update(void);
+time_t get_crl_revocation_date(void);
+time_t get_crl_this_update_date(void);
 int get_time_stamp_status(void);
 int get_ocsp_sign_status(void);
 int get_code_sign_status(void);

diff --git a/src/certtool.c b/src/certtool.c
index 6989c4b164066506e3d002c4266201e04776500b..0ab0d846bc59b54d2b553efd12b918a9ead0f416 100644 (file)
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -643,7 +643,7 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
        size_t size, crl_size;
        int result;
        unsigned int i;
-       time_t secs, now = time(0);
+       time_t secs, this_update, exp;
 
        crls = load_crl_list(0, &crl_size, cinfo);
        if (crls != NULL) {
@@ -663,8 +663,10 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
 
        crts = load_cert_list(0, &size, cinfo);
 
+       exp = get_crl_revocation_date();
+
        for (i = 0; i < size; i++) {
-               result = gnutls_x509_crl_set_crt(crl, crts[i], now);
+               result = gnutls_x509_crl_set_crt(crl, crts[i], exp);
                if (result < 0) {
                        fprintf(stderr, "crl_set_crt: %s\n",
                                gnutls_strerror(result));
@@ -674,7 +676,9 @@ generate_crl(gnutls_x509_crt_t ca_crt, common_info_st * cinfo)
        }
        gnutls_free(crts);
 
-       result = gnutls_x509_crl_set_this_update(crl, now);
+       this_update = get_crl_this_update_date();
+
+       result = gnutls_x509_crl_set_this_update(crl, this_update);
        if (result < 0) {
                fprintf(stderr, "this_update: %s\n",
                        gnutls_strerror(result));