authoralexei.volkov.bugs%sun.com <devnull@localhost>2007-01-04 20:32:26 +0000
committeralexei.volkov.bugs%sun.com <devnull@localhost>2007-01-04 20:32:26 +0000
commit862f9d5138c3b9e20cba05867ffe7deab1caa169 (patch)
tree4de3ab0ab45623d293264662f0c5da68e956c462
parente58446e8f64c21def72e17a49983cfa091d973c8 (diff)
downloadnss-hg-862f9d5138c3b9e20cba05867ffe7deab1caa169.tar.gz
363987 - crlutil does not change thisUpdate date when creating a modified CRL. r=nelson, neil
-rw-r--r--security/nss/cmd/crlutil/crlutil.c16
-rwxr-xr-xsecurity/nss/tests/cert/cert.sh10
2 files changed, 22 insertions, 4 deletions
diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c
index 7488465c5..9d164a4c8 100644
--- a/security/nss/cmd/crlutil/crlutil.c
+++ b/security/nss/cmd/crlutil/crlutil.c
@@ -351,7 +351,7 @@ FindSigningCert(CERTCertDBHandle *certHandle, CERTSignedCrl *signCrl,
}
static CERTSignedCrl*
-DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
+CreateModifiedCRLCopy(PRArenaPool *arena, CERTCertDBHandle *certHandle,
CERTCertificate **cert, char *certNickName,
PRFileDesc *inFile, PRInt32 decodeOptions,
PRInt32 importOptions)
@@ -365,7 +365,7 @@ DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
PORT_Assert(arena != NULL && certHandle != NULL &&
certNickName != NULL);
if (!arena || !certHandle || !certNickName) {
- SECU_PrintError(progName, "DuplicateModCrl: invalid args\n");
+ SECU_PrintError(progName, "CreateModifiedCRLCopy: invalid args\n");
return NULL;
}
@@ -429,7 +429,15 @@ DuplicateModCrl(PRArenaPool *arena, CERTCertDBHandle *certHandle,
goto loser;
}
- signCrl->arena = arena;
+ /* Make sure the update time is current. It can be modified later
+ * by "update <time>" command from crl generation script */
+ rv = DER_EncodeTimeChoice(arena, &signCrl->crl.lastUpdate, PR_Now());
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "fail to encode current time\n");
+ goto loser;
+ }
+
+ signCrl->arena = arena;
loser:
SECITEM_FreeItem(&crlDER, PR_FALSE);
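Review bot: Only `crl.lastUpdate` is refreshed in the added block; from what this hunk shows, `nextUpdate` stays as decoded from the input CRL. If the generation script does not supply a new value, the modified CRL can be signed with a nextUpdate earlier than the new thisUpdate, and relying parties that check freshness would treat it as expired on issue. Either compare the two once the script has run and fail with a clear error, or extend the comment, e.g. `/* nextUpdate is kept from the input CRL; the script must reset it if it precedes the new thisUpdate */`. The function starts before this hunk and the `loser:` cleanup continues past it, so whether `rv` is consulted there to discard `signCrl` cannot be confirmed from here.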
@@ -675,7 +683,7 @@ GenerateCRL (CERTCertDBHandle *certHandle, char *certNickName,
}
if (modifyFlag == PR_TRUE) {
- signCrl = DuplicateModCrl(arena, certHandle, &cert, certNickName,
+ signCrl = CreateModifiedCRLCopy(arena, certHandle, &cert, certNickName,
inFile, decodeOptions, importOptions);
if (signCrl == NULL) {
goto loser;
diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh
index 613cbb5ce..e667be958 100755
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -1164,10 +1164,12 @@ EOF_CRLINI
echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
sleep 2
+ CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
CU_ACTION="Modify CRL by adding one more cert"
crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
-i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
+update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
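Review bot: The added `CRLUPDATE` assignment formats local time with `date "+%Y%m%d%H%M%SZ"` but appends a literal `Z`, so on a host whose timezone is not UTC the `update=` value fed to crlu is off by the zone offset. East of UTC that puts thisUpdate in the future, which a verifier may treat as not yet valid. `date -u "+%Y%m%d%H%M%SZ"` would make the value match its suffix; the same applies to the assignment added in the hunk at -1187 and to the existing `CRL_GRP_DATE` context line. Separately, every modify call in these hunks now passes `update=` explicitly, so nothing visible here exercises crlutil's new default of stamping the current time when no update command is given.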
@@ -1177,6 +1179,7 @@ EOF_CRLINI
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
+update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
@@ -1187,8 +1190,11 @@ EOF_CRLINI
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
CU_ACTION="Modify CRL by removing one cert"
+ sleep 2
+ CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
-i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
+update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}
@@ -1197,6 +1203,7 @@ EOF_CRLINI
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
+update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
@@ -1208,6 +1215,7 @@ EOF_CRLINI
CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
+ sleep 2
CRLUPDATE=`date "+%Y%m%d%H%M%SZ"`
CRL_GRP_DATE=`date "+%Y%m%d%H%M%SZ"`
CU_ACTION="Creating CRL for groups 1 and 2"
@@ -1268,10 +1276,12 @@ EOF_CRLINI
echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
CU_ACTION="Importing CRL for groups 1"
+ crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
if [ -n "$NSS_ENABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
+ crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
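Review bot: The two added `crlu -D` calls carry no comment and their exit status is not folded into `CRL_GEN_RES`, so a reader cannot tell whether a failed delete is expected (no CRL stored yet) or an error that should fail the test. They also run under the import step's `CU_ACTION`, so any output they produce is presumably labelled as an import. If best-effort is the intent, a comment above the first call such as `# drop any CRL already stored for this issuer before importing; failure is ignored when none exists` would record it. If a failed delete should count, add `$?` to `CRL_GEN_RES` after each delete as the import lines do.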