From f1cfe4e5eeda6cb3a2bace7fc5404ae43ba37693 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Apr 09 2015 21:59:22 +0000
Subject: Separate local validity lifetime's from selfsign's
When generating the local signer's CA certificate, consult the "local" section of certmonger.conf to determine a validity lifetime, using the value in the "selfsign" section as a fallback, instead of always just using the "selfsign" section's value. This allows them to be set to different values, though at present they keep the same default settings.
---
diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in
index 554e7e7..1799869 100644
--- a/src/certmonger.conf.5.in
+++ b/src/certmonger.conf.5.in
@@ -87,6 +87,17 @@ subjectUniqueID and issuerUniqueID fields populated. While RFC5280 prohibits their use, they may be needed and/or used by older applications. The default value is \fI@CM_DEFAULT_POPULATE_UNIQUE_ID@\fR.
+.SH LOCAL
+Within the \fIlocal\fR section, these variables and values are recognized:
+
+.IP validity_period
+This is the validity period given to the locally-signed CA's certificate when it
+is generated. The value is specified as a combination of years (y), months
+(M), weeks (w), days (d), hours (h), minutes (m), and/or seconds (s). If no
+unit of time is specified, seconds are assumed. If not set, the value of the
+\fIvalidity_period\fR setting from the \fIselfsign\fR section, if one is set
+there, will be used. The default value is \fI@CM_DEFAULT_CERT_LIFETIME@\fR.
+
 .SH BUGS
 Please file tickets for any that you find at https://fedorahosted.org/certmonger/
diff --git a/src/certmonger.conf.in b/src/certmonger.conf.in
index fec89a6..35898af 100644
--- a/src/certmonger.conf.in
+++ b/src/certmonger.conf.in
@@ -15,3 +15,6 @@
 # [selfsign]
 # validity_period = @CM_DEFAULT_CERT_LIFETIME@
 #
+# [local]
+# validity_period = @CM_DEFAULT_CERT_LIFETIME@
+#
diff --git a/src/local.c b/src/local.c
index 19bf7e5..9186bd2 100644
--- a/src/local.c
+++ b/src/local.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (C) 2014,2015 Red Hat, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -238,8 +238,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
 /* Read the desired lifetime. */
 now = time(NULL);
- if (cm_submit_u_delta_from_string(cm_prefs_validity_period(), now,
- &lifedelta) == 0) {
+ if (cm_submit_u_delta_from_string(cm_prefs_local_validity_period(),
+ now, &lifedelta) == 0) {
 life = lifedelta;
 } else {
 if (cm_submit_u_delta_from_string(CM_DEFAULT_CERT_LIFETIME, now,
diff --git a/src/prefs.c b/src/prefs.c
index be65b1e..6ef0e1c 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010,2011,2012,2014 Red Hat, Inc.
+ * Copyright (C) 2010,2011,2012,2014,2015 Red Hat, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -280,7 +280,7 @@ cm_prefs_default_ca(void)
 }
 const char *
-cm_prefs_validity_period(void)
+cm_prefs_selfsign_validity_period(void)
 {
 static const char *period;
 if (period == NULL) {
@@ -292,6 +292,23 @@ cm_prefs_validity_period(void)
 return period;
 }
+const char *
+cm_prefs_local_validity_period(void)
+{
+ static const char *period;
+
+ if (period == NULL) {
+ period = cm_prefs_config("local", "validity_period");
+ if (period == NULL) {
+ period = cm_prefs_config("selfsign", "validity_period");
+ if (period == NULL) {
+ period = CM_DEFAULT_CERT_LIFETIME;
+ }
+ }
+ }
+ return period;
+}
+
 static const char * yes_words[] = {"yes", "y", "true", "t", "1"};
diff --git a/src/prefs.h b/src/prefs.h
index c849c3e..f5b25d0 100644
--- a/src/prefs.h
+++ b/src/prefs.h
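Review bot: The `else` branch after the changed call now runs only when the string returned by `cm_prefs_local_validity_period()` fails to parse, and in that case it falls straight through to CM_DEFAULT_CERT_LIFETIME — the `[selfsign]` value is consulted by the prefs lookup only when `[local] validity_period` is unset, not when it is malformed, so a typo in the local setting yields a CA certificate with the default lifetime instead of the intended one. As far as this hunk shows, nothing reports the rejected value; a log line at the top of the `else` branch naming the string that failed to parse would make such a misconfiguration visible to the administrator rather than silently producing a differently-lived CA. get_signer_info() begins and ends outside the hunk, so any handling elsewhere in it is not visible here.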
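Review bot: `cm_prefs_local_validity_period()` carries no comment stating its lookup order, and because `period` is a function-static that is only assigned while NULL, whatever the first call finds is returned for the rest of the process; the neighbouring `cm_prefs_selfsign_validity_period()` does not cascade to another section, so a reader may assume the two behave alike. Suggest a header comment above the definition such as `/* Validity period for the local signer's CA certificate: [local] validity_period, then [selfsign] validity_period, then CM_DEFAULT_CERT_LIFETIME. The first result is cached for the lifetime of the process. */`. The renamed function in the preceding hunk, whose body continues outside it, would benefit from the same one-line statement of what it does and does not consult.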
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010,2012,2014 Red Hat, Inc.
+ * Copyright (C) 2010,2012,2014,2015 Red Hat, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -45,7 +45,8 @@ int cm_prefs_enroll_ttls(const time_t **ttls, unsigned int *n_ttls);
 enum cm_notification_method cm_prefs_notification_method(void);
 const char *cm_prefs_notification_destination(void);
 const char *cm_prefs_default_ca(void);
-const char *cm_prefs_validity_period(void);
+const char *cm_prefs_selfsign_validity_period(void);
+const char *cm_prefs_local_validity_period(void);
 int cm_prefs_monitor(void);
 int cm_prefs_autorenew(void);
 int cm_prefs_populate_unique_id(void);
diff --git a/src/submit-sn.c b/src/submit-sn.c
index 21fc743..ab67084 100644
--- a/src/submit-sn.c
+++ b/src/submit-sn.c
@@ -152,7 +152,7 @@ cm_submit_sn_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 } else {
 now = PR_Now();
 }
- if (cm_submit_u_delta_from_string(cm_prefs_validity_period(),
+ if (cm_submit_u_delta_from_string(cm_prefs_selfsign_validity_period(),
 now / 1000000, &lifedelta) == 0) {
 life = lifedelta;
diff --git a/src/submit-so.c b/src/submit-so.c
index 31da4f1..d3d2cba 100644
--- a/src/submit-so.c
+++ b/src/submit-so.c
@@ -92,8 +92,8 @@ cm_submit_so_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 filename = entry->cm_key_storage_location;
 keyfp = fopen(filename, "r");
 }
- if (cm_submit_u_delta_from_string(cm_prefs_validity_period(), now,
- &lifedelta) == 0) {
+ if (cm_submit_u_delta_from_string(cm_prefs_selfsign_validity_period(),
+ now, &lifedelta) == 0) {
 life = lifedelta;
 } else {
 if (cm_submit_u_delta_from_string(CM_DEFAULT_CERT_LIFETIME, now,