mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 15:43:32 +01:00
Add --format argument to --key-expiration option. #30045
This commit is contained in:
parent
700e8a8bb0
commit
1474ab3395
6
changes/feature30045
Normal file
6
changes/feature30045
Normal file
@ -0,0 +1,6 @@
|
||||
o Minor features (admin tools):
|
||||
- Add new --format argument to -key-expiration option to allow
|
||||
specifying the time format of expiration date. Adds Unix
|
||||
timestamp format support. Patch by Daniel Pinto. Closes
|
||||
ticket 30045.
|
||||
|
@ -174,16 +174,22 @@ The following options in this section are only recognized on the
|
||||
If the file descriptor is not specified, the passphrase is read
|
||||
from the terminal by default.
|
||||
|
||||
[[opt-key-expiration]] **`--key-expiration`** [__purpose__]::
|
||||
[[opt-key-expiration]] **`--key-expiration`** [__purpose__] [**`--format`** **`iso8601`**|**`timestamp`**]::
|
||||
The __purpose__ specifies which type of key certificate to determine
|
||||
the expiration of. The only currently recognised __purpose__ is
|
||||
"sign". +
|
||||
+
|
||||
Running **`tor --key-expiration sign`** will attempt to find your
|
||||
signing key certificate and will output, both in the logs as well
|
||||
as to stdout, the signing key certificate's expiration time in
|
||||
ISO-8601 format. For example, the output sent to stdout will be
|
||||
of the form: "signing-cert-expiry: 2017-07-25 08:30:15 UTC"
|
||||
as to stdout. The optional **`--format`** argument lets you specify
|
||||
the time format. Currently, **`iso8601`** and **`timestamp`** are
|
||||
supported. If **`--format`** is not specified, the signing key
|
||||
certificate's expiration time will be in ISO-8601 format. For example,
|
||||
the output sent to stdout will be of the form:
|
||||
"signing-cert-expiry: 2017-07-25 08:30:15 UTC". If **`--format`** **`timestamp`**
|
||||
is specified, the signing key certificate's expiration time will be in
|
||||
Unix timestamp format. For example, the output sent to stdout will be of the form:
|
||||
"signing-cert-expiry: 1500971415".
|
||||
|
||||
[[opt-dbg]] **--dbg-**...::
|
||||
Tor may support other options beginning with the string "dbg". These
|
||||
|
@ -37,7 +37,7 @@ problem file-size /src/app/config/config.c 7525
|
||||
problem include-count /src/app/config/config.c 81
|
||||
problem function-size /src/app/config/config.c:options_act() 381
|
||||
problem function-size /src/app/config/config.c:options_validate_cb() 794
|
||||
problem function-size /src/app/config/config.c:options_init_from_torrc() 198
|
||||
problem function-size /src/app/config/config.c:options_init_from_torrc() 231
|
||||
problem function-size /src/app/config/config.c:options_init_from_string() 103
|
||||
problem function-size /src/app/config/config.c:options_init_logs() 125
|
||||
problem function-size /src/app/config/config.c:parse_bridge_line() 104
|
||||
@ -47,7 +47,7 @@ problem function-size /src/app/config/config.c:parse_dir_fallback_line() 101
|
||||
problem function-size /src/app/config/config.c:port_parse_config() 435
|
||||
problem function-size /src/app/config/config.c:parse_ports() 132
|
||||
problem function-size /src/app/config/resolve_addr.c:resolve_my_address_v4() 197
|
||||
problem file-size /src/app/config/or_options_st.h 1050
|
||||
problem file-size /src/app/config/or_options_st.h 1069
|
||||
problem include-count /src/app/main/main.c 71
|
||||
problem function-size /src/app/main/main.c:dumpstats() 102
|
||||
problem function-size /src/app/main/main.c:tor_init() 109
|
||||
|
@ -2468,6 +2468,8 @@ static const struct {
|
||||
{ .name="--key-expiration",
|
||||
.takes_argument=ARGUMENT_OPTIONAL,
|
||||
.command=CMD_KEY_EXPIRATION },
|
||||
{ .name="--format",
|
||||
.takes_argument=ARGUMENT_NECESSARY },
|
||||
{ .name="--newpass" },
|
||||
{ .name="--no-passphrase" },
|
||||
{ .name="--passphrase-fd",
|
||||
@ -4425,6 +4427,39 @@ options_init_from_torrc(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
const config_line_t *format_line = config_line_find(cmdline_only_options,
|
||||
"--format");
|
||||
if (format_line) {
|
||||
if (command == CMD_KEY_EXPIRATION) {
|
||||
const char *v = format_line->value;
|
||||
// keep the same order as enum key_expiration_format
|
||||
const char *formats[] = { "iso8601", "timestamp" };
|
||||
const int formats_len = sizeof(formats) / sizeof(formats[0]);
|
||||
int format = -1;
|
||||
for (int i = 0; i < formats_len; i++) {
|
||||
if (!strcmp(v, formats[i])) {
|
||||
format = i;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (format < 0) {
|
||||
log_err(LD_CONFIG, "Invalid --format value %s", escaped(v));
|
||||
retval = -1;
|
||||
goto err;
|
||||
} else {
|
||||
get_options_mutable()->key_expiration_format = format;
|
||||
}
|
||||
} else {
|
||||
log_err(LD_CONFIG, "--format specified without --key-expiration!");
|
||||
retval = -1;
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
get_options_mutable()->key_expiration_format =
|
||||
KEY_EXPIRATION_FORMAT_ISO8601;
|
||||
}
|
||||
|
||||
if (config_line_find(cmdline_only_options, "--newpass")) {
|
||||
if (command == CMD_KEYGEN) {
|
||||
get_options_mutable()->change_key_passphrase = 1;
|
||||
|
@ -944,6 +944,11 @@ struct or_options_t {
|
||||
* ed25519 identity key except from tor --keygen */
|
||||
int OfflineMasterKey;
|
||||
|
||||
enum {
|
||||
KEY_EXPIRATION_FORMAT_ISO8601 = 0,
|
||||
KEY_EXPIRATION_FORMAT_TIMESTAMP
|
||||
} key_expiration_format;
|
||||
|
||||
enum {
|
||||
FORCE_PASSPHRASE_AUTO=0,
|
||||
FORCE_PASSPHRASE_ON,
|
||||
|
@ -519,19 +519,34 @@ print_cert_expiration(const char *expiration,
|
||||
|
||||
/**
|
||||
* Log when a certificate, <b>cert</b>, with some <b>description</b> and
|
||||
* stored in a file named <b>fname</b>, is going to expire.
|
||||
* stored in a file named <b>fname</b>, is going to expire. Formats the expire
|
||||
* time according to <b>time_format</b>. Valid time formats are in the
|
||||
* key_expiration_format enum, in or_options_t.
|
||||
*/
|
||||
static void
|
||||
log_ed_cert_expiration(const tor_cert_t *cert,
|
||||
const char *description,
|
||||
const char *fname) {
|
||||
char expiration[ISO_TIME_LEN+1];
|
||||
|
||||
const char *fname,
|
||||
int time_format) {
|
||||
if (BUG(!cert)) { /* If the specified key hasn't been loaded */
|
||||
log_warn(LD_OR, "No %s key loaded; can't get certificate expiration.",
|
||||
description);
|
||||
} else {
|
||||
char expiration[ISO_TIME_LEN+1];
|
||||
switch (time_format) {
|
||||
case KEY_EXPIRATION_FORMAT_ISO8601:
|
||||
format_local_iso_time(expiration, cert->valid_until);
|
||||
break;
|
||||
|
||||
case KEY_EXPIRATION_FORMAT_TIMESTAMP:
|
||||
tor_snprintf(expiration, sizeof(expiration), "%"PRId64,
|
||||
(int64_t) cert->valid_until);
|
||||
break;
|
||||
|
||||
default:
|
||||
log_err(LD_BUG, "Unknown time format value: %d.", time_format);
|
||||
return;
|
||||
}
|
||||
log_notice(LD_OR, "The %s certificate stored in %s is valid until %s.",
|
||||
description, fname, expiration);
|
||||
print_cert_expiration(expiration, description);
|
||||
@ -567,7 +582,8 @@ log_master_signing_key_cert_expiration(const or_options_t *options)
|
||||
|
||||
/* If we do have a signing key, log the expiration time. */
|
||||
if (signing_key) {
|
||||
log_ed_cert_expiration(signing_key, "signing", fn);
|
||||
int time_format = options->key_expiration_format;
|
||||
log_ed_cert_expiration(signing_key, "signing", fn, time_format);
|
||||
} else {
|
||||
log_warn(LD_OR, "Could not load signing key certificate from %s, so " \
|
||||
"we couldn't learn anything about certificate expiration.", fn);
|
||||
|
@ -61,6 +61,11 @@ fi
|
||||
CASE1=$dflt
|
||||
CASE2=$dflt
|
||||
CASE3=$dflt
|
||||
CASE4=$dflt
|
||||
CASE5=$dflt
|
||||
CASE6=$dflt
|
||||
CASE7=$dflt
|
||||
CASE8=$dflt
|
||||
|
||||
if [ $# -ge 1 ]; then
|
||||
eval "CASE${1}"=1
|
||||
@ -125,16 +130,17 @@ if [ "$CASE1" = 1 ]; then
|
||||
|
||||
${TOR} ${QUIETLY} --key-expiration 2>"$FN" || true
|
||||
grep "No valid argument to --key-expiration found!" "$FN" >/dev/null || \
|
||||
die "Tor didn't mention supported --key-expiration argmuents"
|
||||
die "Tor didn't mention supported --key-expiration arguments"
|
||||
|
||||
echo "==== Case 1: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE2" = 1 ]; then
|
||||
echo "==== Case 2: Start Tor with --key-expiration 'sign' and make sure it prints an expiration."
|
||||
echo "==== Case 2: Start Tor with --key-expiration 'sign' and make sure it"
|
||||
echo " prints an expiration using ISO8601 date format."
|
||||
|
||||
${TOR} ${QUIETLY} --key-expiration sign 2>"$FN"
|
||||
grep "signing-cert-expiry:" "$FN" >/dev/null || \
|
||||
grep "signing-cert-expiry: [0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}" "$FN" >/dev/null || \
|
||||
die "Tor didn't print an expiration"
|
||||
|
||||
echo "==== Case 2: ok"
|
||||
@ -160,3 +166,61 @@ if [ "$CASE3" = 1 ]; then
|
||||
|
||||
echo "==== Case 3: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE4" = 1 ]; then
|
||||
echo "==== Case 4: Start Tor with --format iso8601 and make sure it prints an"
|
||||
echo " error message due to missing --key-expiration argument."
|
||||
|
||||
${TOR} --format iso8601 > "$FN" 2>&1 || true
|
||||
grep -- "--format specified without --key-expiration!" "$FN" >/dev/null || \
|
||||
die "Tor didn't print a missing --key-expiration error message"
|
||||
|
||||
echo "==== Case 4: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE5" = 1 ]; then
|
||||
echo "==== Case 5: Start Tor with --key-expiration 'sign' --format '' and"
|
||||
echo " make sure it prints an error message due to missing value."
|
||||
|
||||
${TOR} --key-expiration sign --format > "$FN" 2>&1 || true
|
||||
grep "Command-line option '--format' with no value. Failing." "$FN" >/dev/null || \
|
||||
die "Tor didn't print a missing format value error message"
|
||||
|
||||
echo "==== Case 5: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE6" = 1 ]; then
|
||||
echo "==== Case 6: Start Tor with --key-expiration 'sign' --format 'invalid'"
|
||||
echo " and make sure it prints an error message due to invalid"
|
||||
echo " value."
|
||||
|
||||
${TOR} --key-expiration sign --format invalid > "$FN" 2>&1 || true
|
||||
grep "Invalid --format value" "$FN" >/dev/null || \
|
||||
die "Tor didn't print an invalid format value error message"
|
||||
|
||||
echo "==== Case 6: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE7" = 1 ]; then
|
||||
echo "==== Case 7: Start Tor with --key-expiration 'sign' --format 'iso8601'"
|
||||
echo " and make sure it prints an expiration using ISO8601 date"
|
||||
echo " format."
|
||||
|
||||
${TOR} ${QUIETLY} --key-expiration sign --format iso8601 2>"$FN"
|
||||
grep "signing-cert-expiry: [0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}" "$FN" >/dev/null || \
|
||||
die "Tor didn't print an expiration"
|
||||
|
||||
echo "==== Case 7: ok"
|
||||
fi
|
||||
|
||||
if [ "$CASE8" = 1 ]; then
|
||||
echo "==== Case 8: Start Tor with --key-expiration 'sign' --format 'timestamp'"
|
||||
echo " and make sure it prints an expiration using timestamp date"
|
||||
echo " format."
|
||||
|
||||
${TOR} ${QUIETLY} --key-expiration sign --format timestamp 2>"$FN"
|
||||
grep "signing-cert-expiry: [0-9]\{5,\}" "$FN" >/dev/null || \
|
||||
die "Tor didn't print an expiration"
|
||||
|
||||
echo "==== Case 8: ok"
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user