Update certificate and CRL time routines to match new standard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
goto err;
}
- if (!X509_set_notBefore(x, tm))
+ if (!X509_set1_notBefore(x, tm))
goto err;
if (enddate == NULL) {
goto err;
}
- if (!X509_set_notAfter(x, tm))
+ if (!X509_set1_notAfter(x, tm))
goto err;
rv = 1;
if (tmptm == NULL)
goto end;
X509_gmtime_adj(tmptm, 0);
- X509_CRL_set_lastUpdate(crl, tmptm);
+ X509_CRL_set1_lastUpdate(crl, tmptm);
if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
NULL)) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
goto end;
}
- X509_CRL_set_nextUpdate(crl, tmptm);
+ X509_CRL_set1_nextUpdate(crl, tmptm);
ASN1_TIME_free(tmptm);
{
X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
NULL;
- ASN1_UTCTIME *tm;
+ const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
X509 *ret = NULL;
if (enddate != NULL) {
int tdays;
- ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
+ ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret));
days = tdays;
}
}
BIO_printf(bio_err, "Certificate is to be certified until ");
- ASN1_TIME_print(bio_err, X509_get_notAfter(ret));
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(ret));
if (days)
BIO_printf(bio_err, " (%ld days)", days);
BIO_printf(bio_err, "\n");
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
- tm = X509_get_notAfter(ret);
+ tm = X509_get0_notAfter(ret);
row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
{
- ASN1_UTCTIME *tm = NULL;
+ const ASN1_TIME *tm = NULL;
char *row[DB_NUMBER], **rrow, **irow;
char *rev_str = NULL;
BIGNUM *bn = NULL;
/* We now just add it to the database */
row[DB_type] = OPENSSL_strdup("V");
- tm = X509_get_notAfter(x509);
+ tm = X509_get0_notAfter(x509);
row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
memcpy(row[DB_exp_date], tm->data, tm->length);
row[DB_exp_date][tm->length] = '\0';
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
- ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
+ ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
- if (X509_CRL_get_nextUpdate(x))
- ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
+ if (X509_CRL_get0_nextUpdate(x))
+ ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
BIO_printf(bio_err, "notBefore=");
- ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
+ ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
BIO_printf(bio_err, "notAfter=");
- ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
+ ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
X509_print_ex(out, x, nmflag, certflag);
} else if (startdate == i) {
BIO_puts(out, "notBefore=");
- ASN1_TIME_print(out, X509_get_notBefore(x));
+ ASN1_TIME_print(out, X509_get0_notBefore(x));
BIO_puts(out, "\n");
} else if (enddate == i) {
BIO_puts(out, "notAfter=");
- ASN1_TIME_print(out, X509_get_notAfter(x));
+ ASN1_TIME_print(out, X509_get0_notAfter(x));
BIO_puts(out, "\n");
} else if (fingerprint == i) {
int j;
if (checkend) {
time_t tcheck = time(NULL) + checkoffset;
- if (X509_cmp_time(X509_get_notAfter(x), &tcheck) < 0) {
+ if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) {
BIO_printf(out, "Certificate will expire\n");
ret = 1;
} else {
BIO_printf(out, "%8sIssuer: %s\n", "", p);
OPENSSL_free(p);
BIO_printf(out, "%8sLast Update: ", "");
- ASN1_TIME_print(out, X509_CRL_get_lastUpdate(x));
+ ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x));
BIO_printf(out, "\n%8sNext Update: ", "");
- if (X509_CRL_get_nextUpdate(x))
- ASN1_TIME_print(out, X509_CRL_get_nextUpdate(x));
+ if (X509_CRL_get0_nextUpdate(x))
+ ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x));
else
BIO_printf(out, "NONE");
BIO_printf(out, "\n");
goto err;
if (BIO_write(bp, " Not Before: ", 24) <= 0)
goto err;
- if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
+ if (!ASN1_TIME_print(bp, X509_get0_notBefore(x)))
goto err;
if (BIO_write(bp, "\n Not After : ", 25) <= 0)
goto err;
- if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
+ if (!ASN1_TIME_print(bp, X509_get0_notAfter(x)))
goto err;
if (BIO_write(bp, "\n", 1) <= 0)
goto err;
return (in != NULL);
}
-int X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
+int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return x509_set1_time(&x->cert_info.validity.notBefore, tm);
}
-int X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
+int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return ASN1_INTEGER_get(x->cert_info.version);
}
-ASN1_TIME * X509_get_notBefore(const X509 *x)
+const ASN1_TIME *X509_get0_notBefore(const X509 *x)
+{
+ return x->cert_info.validity.notBefore;
+}
+
+const ASN1_TIME *X509_get0_notAfter(const X509 *x)
+{
+ return x->cert_info.validity.notAfter;
+}
+
+#if OPENSSL_API_COMPAT < 0x10100000L
+ASN1_TIME *X509_get_notBefore(const X509 *x)
{
return x->cert_info.validity.notBefore;
}
{
return x->cert_info.validity.notAfter;
}
+#endif
int X509_get_signature_type(const X509 *x)
{
else
ptime = NULL;
- i = X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
+ i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
return 0;
}
- if (X509_CRL_get_nextUpdate(crl)) {
- i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
+ if (X509_CRL_get0_nextUpdate(crl)) {
+ i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
if (i == 0) {
if (!notify)
/* If current CRL is equivalent use it if it is newer */
if (crl_score == best_score) {
int day, sec;
- if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
- X509_CRL_get_lastUpdate(crl)) == 0)
+ if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
+ X509_CRL_get0_lastUpdate(crl)) == 0)
continue;
/*
* ASN1_TIME_diff never returns inconsistent signs for |day|
else
ptime = NULL;
- i = X509_cmp_time(X509_get_notBefore(x), ptime);
+ i = X509_cmp_time(X509_get0_notBefore(x), ptime);
if (i >= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
return 0;
- i = X509_cmp_time(X509_get_notAfter(x), ptime);
+ i = X509_cmp_time(X509_get0_notAfter(x), ptime);
if (i <= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
goto memerr;
- if (!X509_CRL_set_lastUpdate(crl, X509_CRL_get_lastUpdate(newer)))
+ if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
goto memerr;
- if (!X509_CRL_set_nextUpdate(crl, X509_CRL_get_nextUpdate(newer)))
+ if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
goto memerr;
/* Set base CRL number: must be critical */
return (X509_NAME_set(&x->crl.issuer, name));
}
-int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
+int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return x509_set1_time(&x->crl.lastUpdate, tm);
}
-int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
+int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm)
{
if (x == NULL)
return 0;
return ASN1_INTEGER_get(crl->crl.version);
}
-ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl)
+const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl)
{
return crl->crl.lastUpdate;
}
-ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl)
+const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl)
{
return crl->crl.nextUpdate;
}
+#if OPENSSL_API_COMPAT < 0x10100000L
+ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl)
+{
+ return crl->crl.lastUpdate;
+}
+
+ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl)
+{
+ return crl->crl.nextUpdate;
+}
+#endif
+
X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl)
{
return crl->crl.issuer;
=head1 NAME
-X509_get_notBefore, X509_get_notAfter, X509_set_notBefore,
-X509_set_notAfter, X509_CRL_get_lastUpdate, X509_CRL_get_nextUpdate,
-X509_CRL_set_lastUpdate, X509_CRL_set_nextUpdate - get or set certificate
-or CRL dates
+X509_get0_notBefore, X509_get_notBefore, X509_get0_notAfter, X509_get_notAfter,
+X509_set1_notBefore, X509_set1_notAfter, X509_CRL_get0_lastUpdate,
+X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate,
+X509_CRL_set1_nextUpdate - get or set certificate or CRL dates
=head1 SYNOPSIS
#include <openssl/x509.h>
+ const ASN1_TIME *X509_get0_notBefore(const X509 *x);
+ const ASN1_TIME *X509_get0_notAfter(const X509 *x);
+
ASN1_TIME *X509_get_notBefore(const X509 *x);
ASN1_TIME *X509_get_notAfter(const X509 *x);
- int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
- int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
+ int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
+ int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
- ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl);
- ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl);
+ const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
+ const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
- int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
- int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
+ int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
+ int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
=head1 DESCRIPTION
-X509_get_notBefore() and X509_get_notAfter() return the B<notBefore>
+X509_get0_notBefore() and X509_get0_notAfter() return the B<notBefore>
and B<notAfter> fields of certificate B<x> respectively. The value
returned is an internal pointer which must not be freed up after
the call.
-X509_set_notBefore() and X509_set_notAfter() set the B<notBefore>
+X509_get_notBefore() and X509_get_notAfter() are similar to
+X509_get0_notBefore() and X509_get0_notAfter() except they do not
+return constant values. They are deprecated in OpenSSL 1.1.0
+
+X509_set1_notBefore() and X509_set1_notAfter() set the B<notBefore>
and B<notAfter> fields of B<x> to B<tm>. Ownership of the passed
parameter B<tm> is not transferred by these functions so it must
be freed up after the call.
-X509_CRL_get_lastUpdate() and X509_CRL_get_nextUpdate() return the
+X509_CRL_get0_lastUpdate() and X509_CRL_get0_nextUpdate() return the
B<lastUpdate> and B<nextUpdate> fields of B<crl>. The value
returned is an internal pointer which must not be freed up after
the call. If the B<nextUpdate> field is absent from B<crl> then
B<NULL> is returned.
-X509_CRL_set_lastUpdate() and X509_CRL_set_nextUpdate() set the B<lastUpdate>
+X509_CRL_set1_lastUpdate() and X509_CRL_set1_nextUpdate() set the B<lastUpdate>
and B<nextUpdate> fields of B<crl> to B<tm>. Ownership of the passed parameter
B<tm> is not transferred by these functions so it must be freed up after the
call.
=head1 RETURN VALUES
-X509_get_notBefore(), X509_get_notAfter() and X509_CRL_get_lastUpdate()
+X509_get0_notBefore(), X509_get0_notAfter() and X509_CRL_get0_lastUpdate()
return a pointer to an B<ASN1_TIME> structure.
-X509_CRL_get_lastUpdate() return a pointer to an B<ASN1_TIME> structure
+X509_CRL_get0_lastUpdate() return a pointer to an B<ASN1_TIME> structure
or NULL if the B<lastUpdate> field is absent.
-X509_set_notBefore(), X509_set_notAfter(), X509_CRL_set_lastUpdate() and
-X509_CRL_set_nextUpdate() return 1 for success or 0 for failure.
+X509_set1_notBefore(), X509_set1_notAfter(), X509_CRL_set1_lastUpdate() and
+X509_CRL_set1_nextUpdate() return 1 for success or 0 for failure.
=head1 SEE ALSO
These functions are available in all versions of OpenSSL.
+X509_get_notBefore() and X509_get_notAfter() were deprecated in OpenSSL
+1.1.0
+
=head1 COPYRIGHT
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
X509_NAME *X509_get_issuer_name(const X509 *a);
int X509_set_subject_name(X509 *x, X509_NAME *name);
X509_NAME *X509_get_subject_name(const X509 *a);
-ASN1_TIME * X509_get_notBefore(const X509 *x);
-int X509_set_notBefore(X509 *x, const ASN1_TIME *tm);
-ASN1_TIME *X509_get_notAfter(const X509 *x);
-int X509_set_notAfter(X509 *x, const ASN1_TIME *tm);
+const ASN1_TIME * X509_get0_notBefore(const X509 *x);
+DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notBefore(const X509 *x))
+int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
+const ASN1_TIME *X509_get0_notAfter(const X509 *x);
+DEPRECATEDIN_1_1_0(ASN1_TIME *X509_get_notAfter(const X509 *x))
+int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
int X509_up_ref(X509 *x);
int X509_get_signature_type(const X509 *x);
+
+# if OPENSSL_API_COMPAT < 0x10100000L
+# define X509_set_notBefore X509_set1_notBefore
+# define X509_set_notAfter X509_set1_notAfter
+#endif
+
+
/*
* This one is only used so that a binary form can output, as in
* i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf)
int X509_CRL_set_version(X509_CRL *x, long version);
int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
-int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
-int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
+int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
+int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
int X509_CRL_sort(X509_CRL *crl);
int X509_CRL_up_ref(X509_CRL *crl);
+# if OPENSSL_API_COMPAT < 0x10100000L
+# define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
+# define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
+#endif
+
long X509_CRL_get_version(const X509_CRL *crl);
-ASN1_TIME *X509_CRL_get_lastUpdate(const X509_CRL *crl);
-ASN1_TIME *X509_CRL_get_nextUpdate(const X509_CRL *crl);
+const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
+const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
+DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl))
+DEPRECATEDIN_1_1_0(ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl))
X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);