From: Tobias Brunner
Date: Fri, 23 Dec 2011 17:01:31 +0000 (+0100)
Subject: Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
X-Git-Tag: 4.6.2~76
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e86b685da500f58caf1a59dceee0a2c91be275d6;p=thirdparty%2Fstrongswan.git

Allow callers to force ASN.1 date encoding as GENERALIZEDTIME.
---

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 6ce818f0d0..1497840572 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -426,9 +426,8 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 /**
  * Convert a date into ASN.1 UTCTIME or GENERALIZEDTIME format
  */
-chunk_t asn1_from_time(const time_t *time)
+chunk_t asn1_from_time(const time_t *time, asn1_t type)
 {
- asn1_t type;
 int offset;
 const char *format;
 char buf[BUF_LEN];
@@ -437,8 +436,10 @@ chunk_t asn1_from_time(const time_t *time)
 gmtime_r(time, &t);
 /* RFC 5280 says that dates through the year 2049 MUST be encoded as UTCTIME
- * and dates in 2050 or later MUST be encoded as GENERALIZEDTIME */
- type = (t.tm_year < 150) ? ASN1_UTCTIME : ASN1_GENERALIZEDTIME;
+ * and dates in 2050 or later MUST be encoded as GENERALIZEDTIME. We only
+ * enforce the latter to avoid overflows but allow callers to force the
+ * encoding to GENERALIZEDTIME */
+ type = (t.tm_year >= 150) ? ASN1_GENERALIZEDTIME : type;
 if (type == ASN1_GENERALIZEDTIME)
 {
 format = "%04d%02d%02d%02d%02d%02dZ";
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index d5468a430b..15ffff62e3 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
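Review bot: The override on the new `type = (t.tm_year >= 150) ? ASN1_GENERALIZEDTIME : type;` line only protects the upper end of UTCTIME's range; a caller passing ASN1_UTCTIME for a date before 1950 (`t.tm_year < 50`) still gets a two-digit year, which RFC 5280 section 4.1.2.5.1 decoders read as 20YY, so a 1949 date silently becomes 2049. The comment says the override exists "to avoid overflows", so it should cover both bounds: `type = (t.tm_year >= 150 || t.tm_year < 50) ? ASN1_GENERALIZEDTIME : type;`. Separately, nothing validates `type`: any value other than ASN1_GENERALIZEDTIME falls into the other branch (presumably the UTCTIME encoder, which lies outside the hunk), so the header should state that or the function should reject unknown types with an empty chunk. The `gmtime_r(time, &t);` context line is still unchecked and `t.tm_year` is read regardless; on a NULL return `t` is uninitialised, though that predates this commit. The remainder of asn1_from_time is outside the hunk.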
@@ -191,12 +191,13 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type);
 /**
  * Converts time_t to an ASN.1 UTCTIME or GENERALIZEDTIME string
  *
- * The type is automatically chosen based on the encoded year.
+ * @note The type is automatically changed to GENERALIZEDTIME if needed
  *
  * @param time time_t in UTC
+ * @param type ASN1_UTCTIME or ASN1_GENERALIZEDTIME
  * @return body of an ASN.1 code time object
  */
-chunk_t asn1_from_time(const time_t *time);
+chunk_t asn1_from_time(const time_t *time, asn1_t type);
 
 /**
  * Parse an ASN.1 UTCTIME or GENERALIZEDTIME object
diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c
index 578021aa41..a4d0e71fe5 100644
--- a/src/libstrongswan/crypto/pkcs7.c
+++ b/src/libstrongswan/crypto/pkcs7.c
@@ -825,7 +825,7 @@ METHOD(pkcs7_t, build_signedData, bool,
 /* take the current time as signingTime */
 time_t now = time(NULL);
- chunk_t signingTime = asn1_from_time(&now);
+ chunk_t signingTime = asn1_from_time(&now, ASN1_UTCTIME);
 chunk_t messageDigest, attributes;
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index 7492aeb689..a2cb589e0e 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -527,8 +527,8 @@ static chunk_t build_v2_form(private_x509_ac_t *this)
 static chunk_t build_attr_cert_validity(private_x509_ac_t *this)
 {
 return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_from_time(&this->notBefore),
- asn1_from_time(&this->notAfter));
+ asn1_from_time(&this->notBefore, ASN1_GENERALIZEDTIME),
+ asn1_from_time(&this->notAfter, ASN1_GENERALIZEDTIME));
 }
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 25646a7c2e..f828c923a1 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
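Review bot: The new `@note The type is automatically changed to GENERALIZEDTIME if needed` line does not tell a caller when that happens, and the sentence it replaces was at least explicit that the year decides; state the rule the implementation applies: `@note Dates in 2050 or later are always encoded as GENERALIZEDTIME (RFC 5280), regardless of type`. The added `@param type` line should likewise say that ASN1_UTCTIME is only a request, honoured for dates up to 2049, so callers do not assume the returned body is always UTCTIME-sized.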
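Review bot: The choice of ASN1_GENERALIZEDTIME for both dates in build_attr_cert_validity is correct but unexplained, and a reader comparing it with the ASN1_UTCTIME call sites in x509_cert.c and x509_crl.c in this same commit will suspect an inconsistency; add a why-comment above the return, e.g. `/* RFC 5755, section 4.1: AttCertValidityPeriod uses GeneralizedTime for both notBeforeTime and notAfterTime */`. Pinning the reason makes a later "harmonise to UTCTIME" cleanup less likely to break attribute certificate encoding.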
@@ -2316,8 +2316,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 asn1_algorithmIdentifier(cert->algorithm),
 issuer->get_encoding(issuer),
 asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_from_time(&cert->notBefore),
- asn1_from_time(&cert->notAfter)),
+ asn1_from_time(&cert->notBefore, ASN1_UTCTIME),
+ asn1_from_time(&cert->notAfter, ASN1_UTCTIME)),
 subject->get_encoding(subject),
 key_info,
 extensions);
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index f401413388..7bcca16a37 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -736,7 +736,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 }
 revoked = asn1_wrap(ASN1_SEQUENCE, "mmm",
 asn1_integer("c", serial),
- asn1_from_time(&date),
+ asn1_from_time(&date, ASN1_UTCTIME),
 entry_ext);
 certList = chunk_cat("mm", certList, revoked);
 }
@@ -773,8 +773,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert,
 ASN1_INTEGER_1,
 asn1_algorithmIdentifier(this->algorithm),
 this->issuer->get_encoding(this->issuer),
- asn1_from_time(&this->thisUpdate),
- asn1_from_time(&this->nextUpdate),
+ asn1_from_time(&this->thisUpdate, ASN1_UTCTIME),
+ asn1_from_time(&this->nextUpdate, ASN1_UTCTIME),
 asn1_wrap(ASN1_SEQUENCE, "m", certList),
 extensions);