[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r10079: Add an expiry date to key certificates. (in tor/trunk: . doc/spec/proposals src/tools)
- To: or-cvs@xxxxxxxxxxxxx
- Subject: [or-cvs] r10079: Add an expiry date to key certificates. (in tor/trunk: . doc/spec/proposals src/tools)
- From: nickm@xxxxxxxx
- Date: Mon, 30 Apr 2007 21:10:51 -0400 (EDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Mon, 30 Apr 2007 21:11:00 -0400
- Reply-to: or-dev@xxxxxxxxxxxxx
- Sender: owner-or-cvs@xxxxxxxxxxxxx
Author: nickm
Date: 2007-04-30 21:10:50 -0400 (Mon, 30 Apr 2007)
New Revision: 10079
Modified:
tor/trunk/
tor/trunk/doc/spec/proposals/103-multilevel-keys.txt
tor/trunk/src/tools/tor-gencert.c
Log:
r12605@catbus: nickm | 2007-04-30 21:10:48 -0400
Add an expiry date to key certificates.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r12605] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: tor/trunk/doc/spec/proposals/103-multilevel-keys.txt
===================================================================
--- tor/trunk/doc/spec/proposals/103-multilevel-keys.txt 2007-05-01 01:08:15 UTC (rev 10078)
+++ tor/trunk/doc/spec/proposals/103-multilevel-keys.txt 2007-05-01 01:10:50 UTC (rev 10079)
@@ -118,6 +118,7 @@
"dir-identity-key": The long-term identity key for this authority.
"dir-key-published": The time when this directory's signing key was
last changed.
+ "dir-key-expires": A time after which this key is no longer valid.
"dir-signing-key": As in proposal 101.
"dir-key-certification": A signature of the above fields, in order.
The signed material extends from the beginning of
Modified: tor/trunk/src/tools/tor-gencert.c
===================================================================
--- tor/trunk/src/tools/tor-gencert.c 2007-05-01 01:08:15 UTC (rev 10078)
+++ tor/trunk/src/tools/tor-gencert.c 2007-05-01 01:10:50 UTC (rev 10079)
@@ -29,12 +29,14 @@
#define IDENTITY_KEY_BITS 3072
#define SIGNING_KEY_BITS 1024
+#define DEFAULT_LIFETIME 12
char *identity_key_file = NULL;
char *signing_key_file = NULL;
char *certificate_file = NULL;
int verbose = 0;
int make_new_id = 0;
+int months_lifetime = DEFAULT_LIFETIME;
EVP_PKEY *identity_key = NULL;
EVP_PKEY *signing_key = NULL;
@@ -92,6 +94,16 @@
return 1;
}
certificate_file = tor_strdup(argv[++i]);
+ } else if (!strcmp(argv[i], "-m")) {
+ if (i+1>=argc) {
+ fprintf(stderr, "No argument to -m\n");
+ return 1;
+ }
+ months_lifetime = atoi(argv[++i]);
+ if (months_lifetime > 24 || months_lifetime < 0) {
+ fprintf(stderr, "Lifetime (in months) was out of range.");
+ return 1;
+ }
} else if (!strcmp(argv[i], "-v")) {
verbose = 1;
} else if (!strcmp(argv[i], "--create-identity-key")) {
@@ -275,7 +287,9 @@
{
char buf[8192];
time_t now = time(NULL);
+ struct tm tm;
char published[ISO_TIME_LEN+1];
+ char expires[ISO_TIME_LEN+1];
char fingerprint[FINGERPRINT_LEN+1];
char *ident = key_to_string(identity_key);
char *signing = key_to_string(signing_key);
@@ -286,16 +300,22 @@
int r;
get_fingerprint(identity_key, fingerprint);
+
+ tor_localtime_r(&now, &tm);
+ tm.tm_mon += months_lifetime;
+
format_iso_time(published, now);
+ format_iso_time(expires, mktime(&tm));
tor_snprintf(buf, sizeof(buf),
"dir-key-certificate-version 3\n"
"fingerprint %s\n"
"dir-key-published %s\n"
+ "dir-key-expires %s\n"
"dir-identity-key\n%s"
"dir-signing-key\n%s"
"dir-key-certification\n",
- fingerprint, published, ident, signing);
+ fingerprint, published, expires, ident, signing);
signed_len = strlen(buf);
SHA1((const unsigned char*)buf,signed_len,(unsigned char*)digest);