Allow UTCTIME objects to be retrieved. Check for imminent cert expiry.

diff --git a/apps/x509.c b/apps/x509.c
index 5403576585adfe4bf4d7f93725ff4a8f806a0c33..0184c62bb28e658a4c3fda59ced1a0ecc5ccd0f8 100644 (file)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -113,6 +113,8 @@ static char *x509_usage[]={
 " -addreject arg  - reject certificate for a given purpose\n",
 " -setalias arg   - set certificate alias\n",
 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
+" -checkend arg   - check whether the cert expires in the next arg seconds\n",
+"                   exit 1 if so, 0 if not\n",
 " -signkey arg    - self sign cert with arg\n",
 " -x509toreq      - output a certification request object\n",
 " -req            - input is a certificate request, sign and output.\n",
@@ -173,6 +175,7 @@ int MAIN(int argc, char **argv)
        LHASH *extconf = NULL;
        char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
        int need_rand = 0;
+       int checkend=0,checkoffset=0;
 
        reqfile=0;
 
@@ -353,6 +356,12 @@ int MAIN(int argc, char **argv)
                        startdate= ++num;
                else if (strcmp(*argv,"-enddate") == 0)
                        enddate= ++num;
+               else if (strcmp(*argv,"-checkend") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkoffset=atoi(*(++argv));
+                       checkend=1;
+                       }
                else if (strcmp(*argv,"-noout") == 0)
                        noout= ++num;
                else if (strcmp(*argv,"-trustout") == 0)
@@ -839,6 +848,24 @@ bad:
                        }
                }
 
+       if(checkend)
+               {
+               time_t t=ASN1_UTCTIME_get(X509_get_notAfter(x));
+               time_t tnow=time(NULL);
+
+               if(tnow+checkoffset > t)
+                       {
+                       BIO_printf(out,"Certificate will expire\n");
+                       ret=1;
+                       }
+               else
+                       {
+                       BIO_printf(out,"Certificate will not expire\n");
+                       ret=0;
+                       }
+               goto end;
+               }
+
        if (noout)
                {
                ret=0;

diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c
index 07565974e31f9b20a75bef7b8dad932177151512..e8d2836c58a999cf29a22c1a34901839ec61c982 100644 (file)
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -264,3 +264,32 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 #endif
        return(s);
        }
+
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
+    {
+    struct tm tm;
+    int offset;
+
+    memset(&tm,'\0',sizeof tm);
+
+#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
+    tm.tm_year=g2(s->data);
+    if(tm.tm_year < 50)
+       tm.tm_year+=100;
+    tm.tm_mon=g2(s->data+2)-1;
+    tm.tm_mday=g2(s->data+4);
+    tm.tm_hour=g2(s->data+6);
+    tm.tm_min=g2(s->data+8);
+    tm.tm_sec=g2(s->data+10);
+    if(s->data[12] == 'Z')
+       offset=0;
+    else
+       {
+       offset=g2(s->data+13)*60+g2(s->data+15);
+       if(s->data[12] == '-')
+           offset= -offset;
+       }
+#undef g2
+
+    return timegm(&tm)-offset*60;
+    }

diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 8cf317640e0d5ab5566f1cb8ce25ad2093431a2f..f340ed41df346800038a9e5115f6c32954a6da49 100644 (file)
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -579,6 +579,7 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a,unsigned char **pp,
 int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
+time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
 
 int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);