commit b63e30ff449ee1cf0091d5431f9b72cdd3b1e7e0
from: Omar Polo
date: Sun Feb 07 21:47:01 2021 UTC
define TLS_CLIENT_NOT_BEFORE/NOT_AFTER in CGI scripts
commit - 9f006a2127398af12ecf9159cd5ef28b3685e7a6
commit + b63e30ff449ee1cf0091d5431f9b72cdd3b1e7e0
blob - 187a4ac461eb025869e5586e5aecd819b4ee8344
blob + 1f9865329807229011b4d195234cf2f3d8985fd0
--- ChangeLog
+++ ChangeLog
@@ -1,6 +1,7 @@
 2021-02-07 Omar Polo
 * ex.c (do_exec): [cgi] split the query in words if needed and add them to the argv
+ (launch_cgi): define TLS_CLIENT_NOT_BEFORE/NOT_AFTER in CGI scripts
 * parse.y (option): added prefork option
blob - 0a65472deabc66510a2c758b4d3ac50ecb837912
blob + 8d9f4965a03450f16e513f9818f33d329989f2ce
--- ex.c
+++ ex.c
@@ -129,6 +129,18 @@ recv_vhost(int fd, struct vhost **vhost)
 if ((*vhost)->domain == NULL)
 return 0;
 return 1;
+}
+
+int
+send_time(int fd, time_t t)
+{
+ return write(fd, &t, sizeof(t)) == sizeof(t);
+}
+
+int
+recv_time(int fd, time_t *t)
+{
+ return read(fd, t, sizeof(*t)) == sizeof(*t);
 }
 /* send d though fd. see /usr/src/usr.sbin/syslogd/privsep_fdpass.c
@@ -268,13 +280,28 @@ do_exec(const char *ex, const char *spath, char *query
 execvp(ex, argv);
 warn("execvp: %s", argv[0]);
+}
+
+static inline void
+setenv_time(const char *var, time_t t)
+{
+ char timebuf[21];
+ struct tm tminfo;
+
+ if (t == -1)
+ return;
+
+ strftime(timebuf, sizeof(timebuf), "%FT%TZ",
+ gmtime_r(&t, &tminfo));
+ setenv(var, timebuf, 1);
 }
 /* fd or -1 on error */
 static int
 launch_cgi(struct iri *iri, const char *spath, char *relpath,
 const char *addr, const char *ruser, const char *cissuer,
- const char *chash, struct vhost *vhost)
+ const char *chash, time_t notbefore, time_t notafter,
+ struct vhost *vhost)
 {
 int p[2]; /* read end, write end */
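Review bot: send_time() and recv_time() in the first ex.c hunk treat one write()/read() as all-or-nothing, so a short read on the executor channel (EINTR, or the bytes arriving in two pieces) returns 0 while the remaining bytes stay queued, and the following recv_vhost() in executor_main would then consume the tail of a time_t as vhost data. Whether that is a regression depends on how the existing send_string()/recv_string() helpers, which are not in this hunk, handle the same case: if they loop, these two should too; if they do not, this is a pre-existing property of the channel and the new helpers merely match it. A looping recv_time() is sketched below with send_time() mirrored around write(); it needs errno, which ex.c presumably already has in scope (confirm). A comment on the pair would also record why a raw time_t copy is acceptable here, e.g. `/* raw host-order time_t; sender and receiver are expected to be the same build - no marshalling */`.
```c
int
recv_time(int fd, time_t *t)
{
	unsigned char *p = (unsigned char *)t;
	size_t left = sizeof(*t);
	ssize_t r;

	while (left > 0) {
		r = read(fd, p, left);
		if (r == -1 && errno == EINTR)
			continue;
		if (r <= 0)
			return 0;
		p += r;
		left -= (size_t)r;
	}
	return 1;
}
/* … send_time: the same loop around write() … */
```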
@@ -344,6 +371,8 @@ launch_cgi(struct iri *iri, const char *spath, char *r
 safe_setenv("REMOTE_USER", ruser);
 safe_setenv("TLS_CLIENT_ISSUER", cissuer);
 safe_setenv("TLS_CLIENT_HASH", chash);
+ setenv_time("TLS_CLIENT_NOT_AFTER", notafter);
+ setenv_time("TLS_CLIENT_NOT_BEFORE", notbefore);
 strlcpy(path, ex, sizeof(path));
@@ -374,6 +403,7 @@ executor_main()
 char *spath, *relpath, *addr, *ruser, *cissuer, *chash;
 struct vhost *vhost;
 struct iri iri;
+ time_t notbefore, notafter;
 int d;
 #ifdef __OpenBSD__
@@ -397,11 +427,13 @@ executor_main()
 || !recv_string(exfd, &ruser)
 || !recv_string(exfd, &cissuer)
 || !recv_string(exfd, &chash)
+ || !recv_time(exfd, ¬before)
+ || !recv_time(exfd, ¬after)
 || !recv_vhost(exfd, &vhost))
 break;
 d = launch_cgi(&iri, spath, relpath, addr, ruser, cissuer, chash,
- vhost);
+ notbefore, notafter, vhost);
 if (!send_fd(exfd, d))
 break;
 close(d);
blob - 08b8e6eaf8e94371c03717db9c5ebc3c77440f92
blob + faf3e4fb8c3accc0c4c5af162be196b51755286e
--- gmid.1
+++ gmid.1
@@ -351,6 +351,13 @@ unset.
 The hash of the client certificate if provided, otherwise unset.
 The format is
 .Dq ALGO:HASH .
+.It Ev TLS_CLIENT_NOT_AFTER
+The time corresponding to the end of the validity period of the peer
+certificate in the ISO 8601 format
+.Pq e.g. Dq 2021-02-07T20:17:41Z .
+.It Ev TLS_CLIENT_NOT_BEFORE
+The time corresponding to the start of the validity period of the peer
+certificate in the ISO 8601 format.
 .El
 .Pp
 .Sh MIME
blob - 1beb95e383fae7773dede8dc27991e251dc5e9d7
blob + f6567ce4f928171f7ca94f96a29c9c3003fccb30
--- gmid.h
+++ gmid.h
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
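Review bot: The two setenv_time() calls added in the first hunk export a buffer that setenv_time (defined earlier in this commit) never validates: neither the gmtime_r() result nor the strftime() return value is checked, so a NULL from gmtime_r() is passed straight into strftime(), and a zero return leaves timebuf's contents unspecified before setenv() copies them into the CGI environment. timebuf[21] is exactly "YYYY-MM-DDTHH:MM:SSZ" plus NUL, so any year outside four digits is precisely the case where strftime() returns 0; the values come from the peer's certificate via libtls, which should keep them within ASN.1 time ranges, so this is likely unreachable in practice, but the guard is cheap. In setenv_time replace the -1 test with `if (t == -1 || gmtime_r(&t, &tminfo) == NULL || strftime(timebuf, sizeof(timebuf), "%FT%TZ", &tminfo) == 0) return;` and keep the existing setenv() after it. A one-line comment at these call sites, `/* -1 (no client certificate) leaves the variable unset, like safe_setenv() with NULL */`, would document the contract, assuming that is what safe_setenv() does with NULL - confirm. launch_cgi's body continues on both sides of this hunk.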
@@ -242,6 +243,8 @@ int recv_iri(int, struct iri*);
 void free_recvd_iri(struct iri*);
 int send_vhost(int, struct vhost*);
 int recv_vhost(int, struct vhost**);
+int send_time(int, time_t);
+int recv_time(int, time_t*);
 int send_fd(int, int);
 int recv_fd(int);
 int executor_main(void);
blob - d44783f6d85fba8a7d17e67980a1c403c3d7467c
blob + d7e2e12aa6331b14655f151ffa73bd15a07ba7cf
--- regress/env
+++ regress/env
@@ -42,6 +42,8 @@ echo AUTH_TYPE=$AUTH_TYPE
 echo REMOTE_USER=$REMOTE_USER
 echo TLS_CLIENT_ISSUER=$TLS_CLIENT_ISSUER
 echo TLS_CLIENT_HASH=$TLS_CLIENT_HASH
+echo TLS_CLIENT_NOT_AFTER=$TLS_CLIENT_NOT_AFTER
+echo TLS_CLIENT_NOT_BEFORE=$TLS_CLIENT_NOT_BEFORE
 echo
 echo
 echo " CGI Argument List"
blob - 52c7420fa109b806d15f084a8527aede6cfa5eb0
blob + 6feb7b5df19f540a6cdd6d79f919f0a7555dd429
--- server.c
+++ server.c
@@ -550,7 +550,6 @@ start_cgi(const char *spath, const char *relpath,
 struct pollfd *fds, struct client *c)
 {
 char addr[NI_MAXHOST];
- const char *ruser, *cissuer, *chash;
 int e;
 e = getnameinfo((struct sockaddr*)&c->addr, sizeof(c->addr),
@@ -560,23 +559,15 @@ start_cgi(const char *spath, const char *relpath,
 if (e != 0)
 goto err;
- if (tls_peer_cert_provided(c->ctx)) {
- ruser = tls_peer_cert_subject(c->ctx);
- cissuer = tls_peer_cert_issuer(c->ctx);
- chash = tls_peer_cert_hash(c->ctx);
- } else {
- ruser = NULL;
- cissuer = NULL;
- chash = NULL;
- }
-
 if (!send_iri(exfd, &c->iri)
 || !send_string(exfd, spath)
 || !send_string(exfd, relpath)
 || !send_string(exfd, addr)
- || !send_string(exfd, ruser)
- || !send_string(exfd, cissuer)
- || !send_string(exfd, chash)
+ || !send_string(exfd, tls_peer_cert_subject(c->ctx))
+ || !send_string(exfd, tls_peer_cert_issuer(c->ctx))
+ || !send_string(exfd, tls_peer_cert_hash(c->ctx))
+ || !send_time(exfd, tls_peer_cert_notbefore(c->ctx))
+ || !send_time(exfd, tls_peer_cert_notafter(c->ctx))
 || !send_vhost(exfd, c->host))
 goto err;
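Review bot: Dropping the tls_peer_cert_provided() branch in the second server.c hunk makes the send chain depend on two things that were explicit before: every tls_peer_cert_* accessor must yield NULL (strings) or -1 (times) when no client certificate was presented, and send_string() must accept a NULL argument. Both held previously too, since ruser/cissuer/chash could already be NULL on that path, but nothing in the new code says so, and per the libtls manual -1 from tls_peer_cert_notbefore()/notafter() also covers a parse failure, so an unparseable validity time silently becomes "unset" in the CGI environment. A comment above the chain would record the contract: `/* without a client certificate (or on a libtls failure) these accessors return NULL / -1, which the executor turns into unset variables */`. start_cgi's body begins before this hunk and continues after it.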