
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file x509_openssl.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * X.509 functions.
  9. **/
  10. #define TOR_X509_PRIVATE
  11. #include "lib/tls/x509.h"
  12. #include "lib/log/util_bug.h"
  13. #include "lib/crypt_ops/crypto_rand.h"
  /** Choose the start and end times for a certificate.
   *
   * The certificate's nominal lifetime is always exactly <b>cert_lifetime</b>
   * seconds.  The start is placed a random amount in the past (never in the
   * future) so that the certificate is already part-way through its life
   * when issued, then snapped back to a day boundary.  The range for the
   * random start is chosen so that, after that snapping, at least one day of
   * real (post-<b>now</b>) validity remains.
   *
   * @param now             the current time
   * @param cert_lifetime   nominal lifetime in seconds
   * @param start_time_out  receives the chosen (day-aligned) start time
   * @param end_time_out    receives start time + cert_lifetime
   */
  void
  tor_tls_pick_certificate_lifetime(time_t now,
                                    unsigned int cert_lifetime,
                                    time_t *start_time_out,
                                    time_t *end_time_out)
  {
    /* One day, in seconds.  It serves two roles: the minimum real lifetime
     * we insist on after "now", and the granularity the start is aligned to. */
    const time_t one_day = 24*3600;
    const time_t min_real_lifetime = one_day;
    const time_t start_granularity = one_day;
    /* Total headroom we must keep at the end of the lifetime: the minimum
     * real lifetime plus the up-to-one-day loss from day-boundary rounding. */
    const time_t reserved = min_real_lifetime + start_granularity;

    /* Earliest permissible start.  If the lifetime is too short to afford the
     * reserved headroom, fall back to "just before now" so we never start in
     * the future; otherwise back off so that the reserved headroom survives. */
    const time_t earliest = (cert_lifetime <= reserved)
      ? now - 1
      : now + reserved - cert_lifetime;

    /* Not uniform over the whole lifetime on purpose: the range is already
     * clipped so we cannot land on a cert that is about to expire. */
    time_t start = crypto_rand_time_range(earliest, now);

    /* Snap back to the beginning of the day. */
    start -= start % start_granularity;

    *start_time_out = start;
    *end_time_out = start + cert_lifetime;
  }
  /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
   * representation and length, respectively.
   *
   * The pointer stored in *<b>encoded_out</b> is borrowed: it refers to the
   * buffer held inside <b>cert</b>, so it must not be freed by the caller and
   * must not be used once <b>cert</b> has been released.
   *
   * All three arguments must be non-NULL.
   */
  void
  tor_x509_cert_get_der(const tor_x509_cert_t *cert,
                        const uint8_t **encoded_out, size_t *size_out)
  {
    tor_assert(cert);
    tor_assert(encoded_out);
    tor_assert(size_out);

    const uint8_t *der = cert->encoded;
    const size_t der_len = cert->encoded_len;

    *encoded_out = der;
    *size_out = der_len;
  }
  /** Return the underlying implementation object for <b>cert</b>.
   *
   * The result is owned by <b>cert</b>; callers must not free it or keep it
   * beyond the lifetime of <b>cert</b>.  <b>cert</b> must be non-NULL.
   */
  const tor_x509_cert_impl_t *
  tor_x509_cert_get_impl(const tor_x509_cert_t *cert)
  {
    tor_assert(cert);
    const tor_x509_cert_impl_t *impl = cert->cert;
    return impl;
  }
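  /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
   * cert's public key is not one we know how to take the digest of.
   *
   * The returned pointer refers to storage inside <b>cert</b>: it stays valid
   * only as long as <b>cert</b> does and must not be freed by the caller.
   * <b>cert</b> must be non-NULL, consistent with the other accessors in this
   * file.
   */
  const common_digests_t *
  tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
  {
    tor_assert(cert);
    /* pkey_digests is only meaningful once the flag records it was filled in. */
    return cert->pkey_digests_set ? &cert->pkey_digests : NULL;
  }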
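  /** Return the <b>cert_digests</b> stored in <b>cert</b>.
   *
   * Note this is a different set of digests from the public-key digests
   * returned by tor_x509_cert_get_id_digests(); by its field name this one
   * covers the certificate as a whole.  The returned pointer refers to
   * storage inside <b>cert</b>: it stays valid only as long as <b>cert</b>
   * does and must not be freed by the caller.  <b>cert</b> must be non-NULL,
   * consistent with the other accessors in this file.
   */
  const common_digests_t *
  tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
  {
    tor_assert(cert);
    return &cert->cert_digests;
  }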