[bugreport+patch] ssh-keygen option -V does not accept single time spec

Arjen Bax arjenbax at googlemail.com
Thu Nov 14 01:17:12 EST 2013


Hi,

I noticed that the option -V of ssh-keygen (specify certificate
validity period) did not behave as documented:

  A validity interval may consist of a single time, indicating that the
  certificate is valid beginning now and expiring at that time, or may
  consist of two times separated by a colon to indicate an explicit time
  interval.

In openssh-6.4p1, the former format, with a single time spec, caused a
fatal error message to be printed (Invalid certificate life
specification 20140101). Please find a patch below that solves this
issue and accepts both the single-time and the two-time specification.

==== BEGINNING OF PATCH ====
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 03c444d..994dea7 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1701,10 +1701,19 @@ parse_absolute_time(const char *s)
     return (u_int64_t)tt;
 }

+static u_int64_t
+parse_rel_or_abs_time(const char *s, time_t now)
+{
+    if (*s == '-' || *s == '+')
+        return parse_relative_time(s, now);
+    else
+        return parse_absolute_time(s);
+}
+
 static void
 parse_cert_times(char *timespec)
 {
-    char *from, *to;
+    char *ts_cp, *from, *to;
     time_t now = time(NULL);
     int64_t secs;

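Review bot: The new helper parse_rel_or_abs_time has no header comment, and its one non-obvious property is that the `now` argument is the base only for the relative form; suggest adding above it `/* Parse a time spec as relative ([+-]timespec, offset from 'now') or absolute (YYYYMMDD[HHMMSS]). */`. The `else` after the `return` is redundant, so `return parse_absolute_time(s);` alone reads cleaner. The hunk also renames the variable on the next `parse_cert_times` line to `ts_cp`; the rest of that function is outside this hunk.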
@@ -1722,29 +1731,37 @@ parse_cert_times(char *timespec)
     }

     /*
-     * from:to, where
+     * A validity interval may consist of a single time, indicating that
+     * the certificate is valid beginning now and expiring at that time, or
+     * may consist of two times separated by a colon to indicate an
+     * explicit time interval.
+     * [from:]to, where
      * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
      *   to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
      */
-    from = xstrdup(timespec);
-    to = strchr(from, ':');
-    if (to == NULL || from == to || *(to + 1) == '\0')
+    ts_cp = xstrdup(timespec);
+    to = strchr(ts_cp, ':');
+    if (NULL == to) {
+        /* no ':' found, only end time specified */
+        from = "+0";
+        to = ts_cp;
+    } else {
+        /* ':' found, end start time at this point and start end time
+         * immediately after.
+         */
+        from = ts_cp;
+        *to = '\0';
+        to++;
+    }
+    if (0 == *from || 0 == *to)
         fatal("Invalid certificate life specification %s", timespec);
-    *to++ = '\0';

-    if (*from == '-' || *from == '+')
-        cert_valid_from = parse_relative_time(from, now);
-    else
-        cert_valid_from = parse_absolute_time(from);
-
-    if (*to == '-' || *to == '+')
-        cert_valid_to = parse_relative_time(to, cert_valid_from);
-    else
-        cert_valid_to = parse_absolute_time(to);
+    cert_valid_from = parse_rel_or_abs_time(from, now);
+    cert_valid_to = parse_rel_or_abs_time(to, now);

     if (cert_valid_to <= cert_valid_from)
         fatal("Empty certificate validity interval");
-    free(from);
+    free(ts_cp);
 }

 static void
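Review bot: The end time is now resolved relative to `now` (`cert_valid_to = parse_rel_or_abs_time(to, now);`) where the removed code resolved it relative to `cert_valid_from`, so an interval such as `-1d:+52w` ends a day earlier than before; the description does not mention this, so it should either be stated as intentional or preserved with `cert_valid_to = parse_rel_or_abs_time(to, cert_valid_from);`. The new `0 == *from || 0 == *to` check covers a leading colon, a trailing colon and an empty argument, which matches the removed guard. The single-time path relies on `parse_relative_time("+0", now)` yielding `now`; I believe convtime accepts a zero offset, but a quick run with `-V +52w` would confirm it. parse_cert_times begins outside this hunk.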
==== END OF PATCH ====

Vriendelijke groet / Kind regards / Vennlig hilsen,
Arjen Bax

