Browse Source

Remove the bad OpenSSL ASN.1 time parsing

pull/5/head
Rodolphe Breard 6 years ago
parent
commit
94f46d3776
  1. 1
      acme_common/Cargo.toml
  2. 27
      acme_common/src/crypto/openssl_certificate.rs

1
acme_common/Cargo.toml

@ -28,6 +28,7 @@ serde_json = "1.0"
syslog = "4.0" syslog = "4.0"
time = "0.1" time = "0.1"
toml = "0.5" toml = "0.5"
x509-parser = "0.4"
[target.'cfg(unix)'.dependencies] [target.'cfg(unix)'.dependencies]
nix = "0.14" nix = "0.14"

27
acme_common/src/crypto/openssl_certificate.rs

@ -8,7 +8,7 @@ use openssl::stack::Stack;
use openssl::x509::extension::{BasicConstraints, SubjectAlternativeName}; use openssl::x509::extension::{BasicConstraints, SubjectAlternativeName};
use openssl::x509::{X509Builder, X509Extension, X509NameBuilder, X509Req, X509ReqBuilder, X509}; use openssl::x509::{X509Builder, X509Extension, X509NameBuilder, X509Req, X509ReqBuilder, X509};
use std::collections::HashSet; use std::collections::HashSet;
use time::strptime;
use x509_parser::parse_x509_der;
const APP_ORG: &str = "ACMEd"; const APP_ORG: &str = "ACMEd";
const APP_NAME: &str = "ACMEd"; const APP_NAME: &str = "ACMEd";
@ -75,29 +75,10 @@ impl X509Certificate {
Ok(pub_key) Ok(pub_key)
} }
// OpenSSL ASN1_TIME_print madness
// The real fix would be to add Asn1TimeRef access in the openssl crate.
//
// https://github.com/sfackler/rust-openssl/issues/687
// https://github.com/sfackler/rust-openssl/pull/673
pub fn not_after(&self) -> Result<time::Tm, Error> { pub fn not_after(&self) -> Result<time::Tm, Error> {
let formats = [
"%b %d %T %Y %Z",
"%b %d %T %Y %Z",
"%b %d %T %Y",
"%b %d %T %Y",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y %Z",
"%b %d %T.%f %Y",
"%b %d %T.%f %Y",
];
let not_after = self.inner_cert.not_after().to_string();
for fmt in formats.iter() {
if let Ok(t) = strptime(&not_after, fmt) {
return Ok(t);
}
}
Err(format!("invalid time string: {}", &not_after).into())
let raw_crt = self.inner_cert.to_der()?;
let (_, crt) = parse_x509_der(&raw_crt).map_err(|_| Error::from("Invalid certificate."))?;
Ok(crt.tbs_certificate.validity.not_after)
} }
pub fn subject_alt_names(&self) -> HashSet<String> { pub fn subject_alt_names(&self) -> HashSet<String> {

Loading…
Cancel
Save