Allow UTCTIME objects to be retrieved. Check for imminent cert expiry.
[openssl.git] / apps / x509.c
index 450d6d44d10fb2b88b732202e42b9581f43e6d15..0184c62bb28e658a4c3fda59ced1a0ecc5ccd0f8 100644 (file)
@@ -113,6 +113,8 @@ static char *x509_usage[]={
 " -addreject arg  - reject certificate for a given purpose\n",
 " -setalias arg   - set certificate alias\n",
 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
+" -checkend arg   - check whether the cert expires in the next arg seconds\n",
+"                   exit 1 if so, 0 if not\n",
 " -signkey arg    - self sign cert with arg\n",
 " -x509toreq      - output a certification request object\n",
 " -req            - input is a certificate request, sign and output.\n",
@@ -126,7 +128,7 @@ static char *x509_usage[]={
 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
 " -extfile        - configuration file with X509V3 extensions to add\n",
 " -extensions     - section from config file with X509V3 extensions to add\n",
-" -crlext         - delete extensions before signing and input certificate\n",
+" -clrext         - delete extensions before signing and input certificate\n",
 NULL
 };
 
@@ -173,6 +175,7 @@ int MAIN(int argc, char **argv)
        LHASH *extconf = NULL;
        char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
        int need_rand = 0;
+       int checkend=0,checkoffset=0;
 
        reqfile=0;
 
@@ -353,6 +356,12 @@ int MAIN(int argc, char **argv)
                        startdate= ++num;
                else if (strcmp(*argv,"-enddate") == 0)
                        enddate= ++num;
+               else if (strcmp(*argv,"-checkend") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkoffset=atoi(*(++argv));
+                       checkend=1;
+                       }
                else if (strcmp(*argv,"-noout") == 0)
                        noout= ++num;
                else if (strcmp(*argv,"-trustout") == 0)
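Review bot: The `-checkend` argument is parsed with `atoi` at the new `checkoffset=atoi(*(++argv));` line, so an empty string, trailing junk, an out-of-range value or a negative number is accepted silently and turns into a meaningless offset for the expiry comparison later in the file. Since the result decides a pass/fail exit status, the argument should be validated with `strtol` and rejected via the existing `goto bad` path; negative offsets contradict the usage text ("expires in the next arg seconds") and are best refused too. `checkoffset` is declared `int` in an earlier hunk, so the parsed `long` also needs a range check before narrowing. MAIN begins and ends outside this hunk.
```c
                else if (strcmp(*argv,"-checkend") == 0)
                        {
                        char *end;
                        long off;
                        if (--argc < 1) goto bad;
                        errno = 0;
                        off = strtol(*(++argv), &end, 10);
                        /* reject empty, trailing junk, out-of-range and negative offsets */
                        if (end == *argv || *end != '\0' || errno == ERANGE || off < 0 || off > INT_MAX)
                                goto bad;
                        checkoffset = (int)off;
                        checkend = 1;
                        }
```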
@@ -365,8 +374,15 @@ int MAIN(int argc, char **argv)
                        aliasout= ++num;
                else if (strcmp(*argv,"-CAcreateserial") == 0)
                        CA_createserial= ++num;
+               else if (strcmp(*argv,"-clrext") == 0)
+                       clrext = 1;
+#if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
                else if (strcmp(*argv,"-crlext") == 0)
+                       {
+                       BIO_printf(bio_err,"use -clrext instead of -crlext\n");
                        clrext = 1;
+                       }
+#endif
                else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
                        {
                        /* ok */
@@ -467,13 +483,18 @@ bad:
                        if (BIO_read_filename(in,infile) <= 0)
                                {
                                perror(infile);
+                               BIO_free(in);
                                goto end;
                                }
                        }
                req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
                BIO_free(in);
 
-               if (req == NULL) { perror(infile); goto end; }
+               if (req == NULL)
+                       {
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
 
                if (    (req->req_info == NULL) ||
                        (req->req_info->pubkey == NULL) ||
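Review bot: Replacing `perror(infile)` with `ERR_print_errors(bio_err)` in the `req == NULL` branch drops the only mention of which input failed; the OpenSSL error queue describes the PEM/ASN.1 failure but not the file name. A one-line context message before the queue dump keeps both, e.g. `BIO_printf(bio_err,"unable to load certificate request from %s\n", infile ? infile : "stdin");` followed by the existing `ERR_print_errors(bio_err);`. Whether `infile` can be NULL on the stdin path is not visible in this hunk, so the fallback string should be confirmed against the code that opens `in`. The enclosing function continues outside the hunk.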
@@ -555,7 +576,7 @@ bad:
                        }
                }
 
-       if(alias) X509_alias_rset(x, (unsigned char *)alias, -1);
+       if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
 
        if(clrtrust) X509_trust_clear(x);
        if(clrreject) X509_reject_clear(x);
@@ -563,14 +584,14 @@ bad:
        if(trust) {
                for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
                        objtmp = sk_ASN1_OBJECT_value(trust, i);
-                       X509_radd_trust_object(x, objtmp);
+                       X509_add1_trust_object(x, objtmp);
                }
        }
 
        if(reject) {
                for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
                        objtmp = sk_ASN1_OBJECT_value(reject, i);
-                       X509_radd_reject_object(x, objtmp);
+                       X509_add1_reject_object(x, objtmp);
                }
        }
 
@@ -599,7 +620,7 @@ bad:
                        else if (aliasout == i)
                                {
                                unsigned char *alstr;
-                               alstr = X509_alias_iget(x, NULL);
+                               alstr = X509_alias_get0(x, NULL);
                                if(alstr) BIO_printf(STDout,"%s\n", alstr);
                                else BIO_puts(STDout,"<No Alias>\n");
                                }
@@ -614,7 +635,7 @@ bad:
                                BIO_printf(STDout, "Certificate purposes:\n");
                                for(j = 0; j < X509_PURPOSE_get_count(); j++)
                                        {
-                                       ptmp = X509_PURPOSE_iget(j);
+                                       ptmp = X509_PURPOSE_get0(j);
                                        purpose_print(STDout, x, ptmp);
                                        }
                                }
@@ -827,6 +848,24 @@ bad:
                        }
                }
 
+       if(checkend)
+               {
+               time_t t=ASN1_UTCTIME_get(X509_get_notAfter(x));
+               time_t tnow=time(NULL);
+
+               if(tnow+checkoffset > t)
+                       {
+                       BIO_printf(out,"Certificate will expire\n");
+                       ret=1;
+                       }
+               else
+                       {
+                       BIO_printf(out,"Certificate will not expire\n");
+                       ret=0;
+                       }
+               goto end;
+               }
+
        if (noout)
                {
                ret=0;
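Review bot: The `-checkend` block calls `ASN1_UTCTIME_get(X509_get_notAfter(x))` without checking that the notAfter field actually is a UTCTime or that the conversion succeeded, so a certificate whose notAfter is encoded as a GeneralizedTime (which X.509 permits for dates beyond 2049) or is malformed would presumably yield a bogus `t` and the check could report "will not expire" for a certificate it could not read. Nothing on the page shows how `ASN1_UTCTIME_get` signals failure, so at minimum the field type should be guarded before the call and the unreadable case treated as a failure rather than a pass: `if (X509_get_notAfter(x)->type != V_ASN1_UTCTIME) { BIO_printf(bio_err,"notAfter is not a UTCTime\n"); goto end; }`. Note also that both result messages go to `out`, whereas the informational output elsewhere in this file (for example the `-alias` branch in an earlier hunk) uses `STDout`; if `out` is the `-out` destination, the verdict text would end up in the output file, which is worth confirming. MAIN continues outside this hunk.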
@@ -1235,7 +1274,7 @@ static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
        int id, i, idret;
        char *pname;
        id = X509_PURPOSE_get_id(pt);
-       pname = X509_PURPOSE_iget_name(pt);
+       pname = X509_PURPOSE_get0_name(pt);
        for(i = 0; i < 2; i++) {
                idret = X509_check_purpose(cert, id, i);
                BIO_printf(bio, "%s%s : ", pname, i ? " CA" : "");