[tor-commits] [tor/master] Refactor some of the certificate-manipulation logic

nickm at torproject.org nickm at torproject.org
Wed Sep 5 00:47:14 UTC 2018


commit 91c1e88b7a6d41f93f88cd8754746c836b25721f
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Aug 11 19:54:11 2018 -0400

    Refactor some of the certificate-manipulation logic
---
 src/lib/tls/tortls.c |  5 ++--
 src/lib/tls/x509.c   | 68 ++++++++++++++++++++++++++++++++--------------------
 src/lib/tls/x509.h   | 14 +++++++----
 3 files changed, 55 insertions(+), 32 deletions(-)

diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index cb507057e..4c5dedb57 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -1856,8 +1856,9 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls,
   if (!(cert = SSL_get_peer_certificate(tls->ssl)))
     goto done;
 
-  if (check_cert_lifetime_internal(severity, cert, now,
-                                   past_tolerance, future_tolerance) < 0)
+  if (tor_x509_check_cert_lifetime_internal(severity, cert, now,
+                                            past_tolerance,
+                                            future_tolerance) < 0)
     goto done;
 
   r = 0;
diff --git a/src/lib/tls/x509.c b/src/lib/tls/x509.c
index 27cba1be6..8bed6f5a1 100644
--- a/src/lib/tls/x509.c
+++ b/src/lib/tls/x509.c
@@ -85,6 +85,42 @@ tor_x509_name_new(const char *cname)
   /* LCOV_EXCL_STOP */
 }
 
+/** Choose the start and end times for a certificate */
+void
+tor_tls_pick_certificate_lifetime(time_t now,
+                                  unsigned int cert_lifetime,
+                                  time_t *start_time_out,
+                                  time_t *end_time_out)
+{
+  time_t start_time, end_time;
+  /* Make sure we're part-way through the certificate lifetime, rather
+   * than having it start right now. Don't choose quite uniformly, since
+   * then we might pick a time where we're about to expire. Lastly, be
+   * sure to start on a day boundary. */
+  /* Our certificate lifetime will be cert_lifetime no matter what, but if we
+   * start cert_lifetime in the past, we'll have 0 real lifetime.  instead we
+   * start up to (cert_lifetime - min_real_lifetime - start_granularity) in
+   * the past. */
+  const time_t min_real_lifetime = 24*3600;
+  const time_t start_granularity = 24*3600;
+  time_t earliest_start_time;
+  /* Don't actually start in the future! */
+  if (cert_lifetime <= min_real_lifetime + start_granularity) {
+    earliest_start_time = now - 1;
+  } else {
+    earliest_start_time = now + min_real_lifetime + start_granularity
+      - cert_lifetime;
+  }
+  start_time = crypto_rand_time_range(earliest_start_time, now);
+  /* Round the start time back to the start of a day. */
+  start_time -= start_time % start_granularity;
+
+  end_time = start_time + cert_lifetime;
+
+  *start_time_out = start_time;
+  *end_time_out = end_time;
+}
+
 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  * signed by the private key <b>rsa_sign</b>.  The commonName of the
  * certificate will be <b>cname</b>; the commonName of the issuer will be
@@ -113,30 +149,10 @@ tor_tls_create_certificate,(crypto_pk_t *rsa,
 
   tor_tls_init();
 
-  /* Make sure we're part-way through the certificate lifetime, rather
-   * than having it start right now. Don't choose quite uniformly, since
-   * then we might pick a time where we're about to expire. Lastly, be
-   * sure to start on a day boundary. */
   time_t now = time(NULL);
-  /* Our certificate lifetime will be cert_lifetime no matter what, but if we
-   * start cert_lifetime in the past, we'll have 0 real lifetime.  instead we
-   * start up to (cert_lifetime - min_real_lifetime - start_granularity) in
-   * the past. */
-  const time_t min_real_lifetime = 24*3600;
-  const time_t start_granularity = 24*3600;
-  time_t earliest_start_time;
-  /* Don't actually start in the future! */
-  if (cert_lifetime <= min_real_lifetime + start_granularity) {
-    earliest_start_time = now - 1;
-  } else {
-    earliest_start_time = now + min_real_lifetime + start_granularity
-      - cert_lifetime;
-  }
-  start_time = crypto_rand_time_range(earliest_start_time, now);
-  /* Round the start time back to the start of a day. */
-  start_time -= start_time % start_granularity;
 
-  end_time = start_time + cert_lifetime;
+  tor_tls_pick_certificate_lifetime(now, cert_lifetime,
+                                    &start_time, &end_time);
 
   tor_assert(rsa);
   tor_assert(cname);
@@ -410,7 +426,7 @@ tor_tls_cert_is_valid(int severity,
 
   /* okay, the signature checked out right.  Now let's check the check the
    * lifetime. */
-  if (check_cert_lifetime_internal(severity, cert->cert, now,
+  if (tor_x509_check_cert_lifetime_internal(severity, cert->cert, now,
                                    48*60*60, 30*24*60*60) < 0)
     goto bad;
 
@@ -509,9 +525,9 @@ log_cert_lifetime(int severity, const X509 *cert, const char *problem,
  * <b>now</b>.)  If it is live, return 0.  If it is not live, log a message
  * and return -1. */
 int
-check_cert_lifetime_internal(int severity, const X509 *cert,
-                             time_t now,
-                             int past_tolerance, int future_tolerance)
+tor_x509_check_cert_lifetime_internal(int severity, const X509 *cert,
+                                      time_t now,
+                                      int past_tolerance, int future_tolerance)
 {
   time_t t;
 
diff --git a/src/lib/tls/x509.h b/src/lib/tls/x509.h
index 4dadba06d..e3dfcf393 100644
--- a/src/lib/tls/x509.h
+++ b/src/lib/tls/x509.h
@@ -33,6 +33,11 @@ struct tor_x509_cert_t {
 };
 #endif
 
+void tor_tls_pick_certificate_lifetime(time_t now,
+                                       unsigned cert_lifetime,
+                                       time_t *start_time_out,
+                                       time_t *end_time_out);
+
 MOCK_DECL(tor_x509_cert_impl_t *, tor_tls_create_certificate,
                                                    (crypto_pk_t *rsa,
                                                     crypto_pk_t *rsa_sign,
@@ -74,9 +79,10 @@ int tor_tls_cert_is_valid(int severity,
                           time_t now,
                           int check_rsa_1024);
 
-int check_cert_lifetime_internal(int severity,
-                                 const tor_x509_cert_impl_t *cert,
-                                 time_t now,
-                                 int past_tolerance, int future_tolerance);
+int tor_x509_check_cert_lifetime_internal(int severity,
+                                          const tor_x509_cert_impl_t *cert,
+                                          time_t now,
+                                          int past_tolerance,
+                                          int future_tolerance);
 
 #endif





More information about the tor-commits mailing list