[gnurl] 49/282: mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AF
From: gnunet
Subject: [gnurl] 49/282: mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
Date: Wed, 01 Apr 2020 14:28:34 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 1ebc53df251819086859f27f22ccfb66ddd58364
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Jan 20 22:23:44 2020 +0100
mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
For now, no cert in the bundle actually sets a date there...
Co-Authored-by: Jay Satiro
Reported-by: Christian Heimes
Fixes #4834
Closes #4836
---
lib/mk-ca-bundle.pl | 62 ++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 54 insertions(+), 8 deletions(-)
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 33977f322..09e8e5b9b 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -6,7 +6,7 @@
# * | (__| |_| | _ <| |___
# * \___|\___/|_| \_\_____|
# *
-# * Copyright (C) 1998 - 2016, Daniel Stenberg, <address@hidden>, et al.
+# * Copyright (C) 1998 - 2020, Daniel Stenberg, <address@hidden>, et al.
# *
# * This software is licensed as described in the file COPYING, which
# * you should have received as part of this distribution. The terms
@@ -38,6 +38,7 @@ use warnings;
use vars qw($opt_b $opt_d $opt_f $opt_h $opt_i $opt_k $opt_l $opt_m $opt_n
$opt_p $opt_q $opt_s $opt_t $opt_u $opt_v $opt_w);
use List::Util;
use Text::Wrap;
+use Time::Local;
my $MOD_SHA = "Digest::SHA";
eval "require $MOD_SHA";
if ($@) {
@@ -421,6 +422,8 @@ my $certnum = 0;
my $skipnum = 0;
my $start_of_cert = 0;
my @precert;
+my $cka_value;
+my $valid = 1;
open(TXT,"$txt") or die "Couldn't open $txt: $!\n";
while (<TXT>) {
@@ -435,6 +438,7 @@ while (<TXT>) {
}
elsif(/^# (Issuer|Serial Number|Subject|Not Valid Before|Not Valid After
|Fingerprint \(MD5\)|Fingerprint \(SHA1\)):/) {
push @precert, $_;
+ $valid = 1;
next;
}
elsif(/^#|^\s*$/) {
@@ -443,6 +447,49 @@ while (<TXT>) {
}
chomp;
+ # Example:
+ # CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+ # \062\060\060\066\061\067\060\060\060\060\060\060\132
+ # END
+
+ if (/^CKA_NSS_SERVER_DISTRUST_AFTER (CK_BBOOL CK_FALSE|MULTILINE_OCTAL)/) {
+ if($1 eq "MULTILINE_OCTAL") {
+ my @timestamp;
+ while (<TXT>) {
+ last if (/^END/);
+ chomp;
+ my @octets = split(/\\/);
+ shift @octets;
+ for (@octets) {
+ push @timestamp, chr(oct);
+ }
+ }
+ # A trailing Z in the timestamp signifies UTC
+ if($timestamp[12] ne "Z") {
+ report "distrust date stamp is not using UTC";
+ }
+ # Example date: 200617000000Z
+ # Means 2020-06-17 00:00:00 UTC
+ my $distrustat =
+ timegm($timestamp[10] . $timestamp[11], # second
+ $timestamp[8] . $timestamp[9], # minute
+ $timestamp[6] . $timestamp[7], # hour
+ $timestamp[4] . $timestamp[5], # day
+ ($timestamp[2] . $timestamp[3]) - 1, # month
+ "20" . $timestamp[0] . $timestamp[1]); # year
+ if(time >= $distrustat) {
+ # not trusted anymore
+ $skipnum++;
+ report "Skipping: $caname is not trusted anymore" if ($opt_v);
+ $valid = 0;
+ }
+ else {
+ # still trusted
+ }
+ }
+ next;
+ }
+
# this is a match for the start of a certificate
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
$start_of_cert = 1
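Review bot: The `$timestamp[12] ne "Z"` test and the `timegm` call that follows index into `@timestamp` without first checking that the MULTILINE_OCTAL block actually decoded to 13 characters; a short or malformed block yields undef elements, so the UTC check only warns and `timegm` is fed empty strings, and Time::Local croaks on an out-of-range field, aborting the whole run without naming the certificate at fault. I would validate the decoded stamp before using it, e.g. `if (@timestamp != 13 || $timestamp[12] ne "Z") { die "bad CKA_NSS_SERVER_DISTRUST_AFTER for $caname\n"; }`, so the failure is attributed and, being fatal, cannot leave the certificate trusted. The `"20" . $timestamp[0] . $timestamp[1]` year deserves a comment such as `# two-digit year is taken as 20YY; a distrust-after date is never in the 1900s`, since a UTCTime-style stamp would otherwise be read as 19YY for values of 50 and above. The empty `else { # still trusted }` branch could be folded into a comment on the `if`. The enclosing `while (<TXT>)` loop starts and ends outside the hunk.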
@@ -452,21 +499,18 @@ while (<TXT>) {
}
my %trust_purposes_by_level;
if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
- my $data;
+ $cka_value="";
while (<TXT>) {
last if (/^END/);
chomp;
my @octets = split(/\\/);
shift @octets;
for (@octets) {
- $data .= chr(oct);
+ $cka_value .= chr(oct);
}
}
- # scan forwards until the trust part
- while (<TXT>) {
- last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
- chomp;
- }
+ }
+ if(/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/ && $valid) {
# now scan the trust part to determine how we should trust this cert
while (<TXT>) {
last if (/^#/);
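Review bot: The `&& $valid` guard on the CKO_NSS_TRUST match relies on `$valid` being reset to 1 only when a `# Issuer|Serial Number|...` comment line is seen (the `$valid = 1;` added in the earlier hunk); if a certificate object were not preceded by that comment block, a distrust decision from the previous certificate would carry over and the next one would be skipped silently — plausibly never the case for NSS's certdata.txt, but worth stating. I would document the state at the guard: `# $valid is cleared by CKA_NSS_SERVER_DISTRUST_AFTER once the date has passed and set again by the next certificate's comment header`. When `$valid` is 0 the trust object's lines are no longer consumed by the inner `while (<TXT>)` and fall through to the outer loop's other patterns; I cannot tell from the hunk whether any of them matches one, so a short comment stating that they are expected to be ignored would help. The enclosing `while (<TXT>)` loop starts and ends outside the hunk.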
@@ -485,6 +529,8 @@ while (<TXT>) {
$skipnum ++;
report "Skipping: $caname" if ($opt_v);
} else {
+ my $data = $cka_value;
+ $cka_value = "";
my $encoded = MIME::Base64::encode_base64($data, '');
$encoded =~ s/(.{1,${opt_w}})/$1\n/g;
my $pem = "-----BEGIN CERTIFICATE-----\n"
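Review bot: `my $data = $cka_value;` is encoded without checking that a CKA_VALUE was actually collected for this trust object; `$cka_value` starts out undef at its declaration and is emptied right after each emitted certificate, so a trust block reached without a preceding CKA_VALUE would emit an entry with an empty body (plus an uninitialized-value warning from encode_base64 in the undef case). A fail-closed guard is one line: `die "no CKA_VALUE collected for $caname\n" unless defined $cka_value && length $cka_value;`. Whether the file ordering makes this reachable I cannot tell from the hunk; the check is cheap either way. The enclosing block starts and ends outside the hunk.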
--