authordjm@openbsd.org@openbsd.org <djm@openbsd.org@openbsd.org>2017-11-03 05:14:04 +0000
committerDamien Miller <djm@mindrot.org>2017-11-03 16:20:41 +1100
commitd52131a98316e76c0caa348f09bf6f7b9b01a1b9 (patch)
tree3328babb2dfeafda48da072003b5bff9e069c9c7
parentfbe8e7ac94c2fa380421a9205a8bc966549c2f91 (diff)
upstream commit
allow certificate validity intervals that specify only a start or stop time (we already support specifying both or neither) OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
-rw-r--r--ssh-keygen.123
-rw-r--r--ssh-keygen.c12
2 files changed, 24 insertions, 11 deletions
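--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.145 2017/11/03 05:14:04 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 8 2017 $
+.Dd $Mdocdate: November 3 2017 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -584,13 +584,20 @@ Specify a validity interval when signing a certificate.
 A validity interval may consist of a single time, indicating that the
 certificate is valid beginning now and expiring at that time, or may consist
 of two times separated by a colon to indicate an explicit time interval.
-The start time may be specified as a date in YYYYMMDD format, a time
-in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
-of a minus sign followed by a relative time in the format described in the
+.Pp
+The start time may be specified as the string
+.Dq always
+to indicate the certificate has no specified start time,
+a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format,
+a relative time (to the current time) consisting of a minus sign followed by
+an interval in the format described in the
 TIME FORMATS section of
 .Xr sshd_config 5 .
-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
-a relative time starting with a plus character.
+.Pp
+The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time,
+a relative time starting with a plus character or the string
+.Dq forever
+to indicate that the certificate has no expirty date.
 .Pp
 For example:
 .Dq +52w1d
@@ -601,6 +608,8 @@ For example:
 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
 .Dq -1d:20110101
 (valid from yesterday to midnight, January 1st, 2011).
+.Dq -1m:forever
+(valid from one minute ago and never expiring).
 .It Fl v
 Verbose mode.
 Causes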
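--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.307 2017/07/07 03:53:12 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.308 2017/11/03 05:14:04 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1832,7 +1832,7 @@ parse_absolute_time(const char *s)
  s, s + 4, s + 6, s + 8, s + 10, s + 12);
  break;
  default:
- fatal("Invalid certificate time format %s", s);
+ fatal("Invalid certificate time format \"%s\"", s);
  }
 
  memset(&tm, 0, sizeof(tm));
@@ -1865,8 +1865,8 @@ parse_cert_times(char *timespec)
 
  /*
  * from:to, where
- * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
- * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
+ * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"
+ * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"
  */
  from = xstrdup(timespec);
  to = strchr(from, ':');
@@ -1876,11 +1876,15 @@ parse_cert_times(char *timespec)
 
  if (*from == '-' || *from == '+')
  cert_valid_from = parse_relative_time(from, now);
+ else if (strcmp(from, "always") == 0)
+ cert_valid_from = 0;
  else
  cert_valid_from = parse_absolute_time(from);
 
  if (*to == '-' || *to == '+')
  cert_valid_to = parse_relative_time(to, now);
+ else if (strcmp(to, "forever") == 0)
+ cert_valid_to = ~(u_int64_t)0;
  else
  cert_valid_to = parse_absolute_time(to);
 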
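Review bot: The two new sentinel assignments in the last hunk, `cert_valid_from = 0;` for "always" and `cert_valid_to = ~(u_int64_t)0;` for "forever", are bare magic values with no comment tying them to what the rest of the certificate code treats as "unbounded"; presumably they are the same defaults used when no -V option is given at all, but nothing in the hunk says so, and a later change to those defaults would silently diverge from these literals. I would add `/* "always"/"forever": open-ended bounds; keep in sync with the no-V defaults for cert_valid_from/cert_valid_to */` above the first of the two branches. The hunk also does not show the sanity check that the resulting interval is non-empty; since 0 and the all-ones value satisfy any from < to comparison, that check (if it exists below) should still be confirmed to run for the mixed forms such as always:YYYYMMDD. The body of parse_cert_times continues outside the hunk.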