author | djm@openbsd.org <djm@openbsd.org> | 2022-08-11 01:56:51 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2022-08-11 12:00:49 +1000 |
commit | ec1ddb72a146fd66d18df9cd423517453a5d8044 (patch) | |
tree | e719fdf106901824ed54e315a7ec0777140b49b4 /ssh-keygen.c | |
parent | 4df246ec75751da7eb925e1880498300d8bda187 (diff) | |
download | openssh-git-ec1ddb72a146fd66d18df9cd423517453a5d8044.tar.gz |
upstream: allow certificate validity intervals, sshsig verification
times and authorized_keys expiry-time options to accept dates in the UTC time
zone in addition to the default of interpreting them in the system time zone.
YYYYMMDD and YYYYMMDDHHMM[SS] dates/times will be interpreted as UTC if
suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow.
bz3468 ok dtucker
OpenBSD-Commit-ID: 454db1cdffa9fa346aea5211223a2ce0588dfe13
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 20b321cc..9b2beda0 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.458 2022/08/05 05:01:40 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.459 2022/08/11 01:56:51 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1917,6 +1917,21 @@ parse_relative_time(const char *s, time_t now)
 }
 
 static void
+parse_hex_u64(const char *s, uint64_t *up)
+{
+ char *ep;
+ unsigned long long ull;
+
+ errno = 0;
+ ull = strtoull(s, &ep, 16);
+ if (*s == '\0' || *ep != '\0')
+ fatal("Invalid certificate time: not a number");
+ if (errno == ERANGE && ull == ULONG_MAX)
+ fatal_fr(SSH_ERR_SYSTEM_ERROR, "Invalid certificate time");
+ *up = (uint64_t)ull;
+}
+
+static void
 parse_cert_times(char *timespec)
 {
 char *from, *to;
@@ -1938,8 +1953,8 @@ parse_cert_times(char *timespec)
 
 /*
 * from:to, where
- * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"
- * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"
+ * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "always"
+ * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "forever"
 */
 from = xstrdup(timespec);
 to = strchr(from, ':');
@@ -1951,6 +1966,8 @@ parse_cert_times(char *timespec)
 cert_valid_from = parse_relative_time(from, now);
 else if (strcmp(from, "always") == 0)
 cert_valid_from = 0;
+ else if (strncmp(from, "0x", 2) == 0)
+ parse_hex_u64(from, &cert_valid_from);
 else if (parse_absolute_time(from, &cert_valid_from) != 0)
 fatal("Invalid from time \"%s\"", from);
 
@@ -1958,6 +1975,8 @@ parse_cert_times(char *timespec)
 cert_valid_to = parse_relative_time(to, now);
 else if (strcmp(to, "forever") == 0)
 cert_valid_to = ~(u_int64_t)0;
+ else if (strncmp(from, "0x", 2) == 0)
+ parse_hex_u64(to, &cert_valid_to);
 else if (parse_absolute_time(to, &cert_valid_to) != 0)
 fatal("Invalid to time \"%s\"", to);
 
|
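Review bot: The overflow check in the new parse_hex_u64 compares the strtoull() result against ULONG_MAX, but strtoull() reports ERANGE by returning ULLONG_MAX; the two constants coincide only on LP64 targets, so on an ILP32 build an over-long hex value passes the check and is stored as 0xffffffffffffffff, the same value the "forever" keyword produces for the end time in the last hunk. Because errno is cleared right before the call, the value comparison adds nothing and the check can simply be `if (errno == ERANGE)` (or compare with `ULLONG_MAX` if the pairing is wanted). Leading whitespace or a sign cannot reach strtoull() here, since the dispatch sites in the later hunks only hand over strings that begin with "0x", so no extra guard is needed for that; a bare "0x" is already rejected by the `*ep != '\0'` test.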
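Review bot: The new branch in the end-time clause tests the wrong variable: `else if (strncmp(from, "0x", 2) == 0)` guards `parse_hex_u64(to, &cert_valid_to);`, so the hex parser runs whenever the start time is hex regardless of what the end time looks like, and never runs when only the end time is hex. With `-V 0x1:20300101` the YYYYMMDD string (always valid hex digits) is silently parsed as the number 0x20300101, while `-V always:0x5000` falls through to parse_absolute_time and dies with "Invalid to time". The line should read `else if (strncmp(to, "0x", 2) == 0)`, mirroring the start-time branch in the previous hunk. parse_cert_times continues past the end of this hunk, so the remaining validity checks are not visible here.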