Check freshness on signatures.

diff --git a/catsign.1 b/catsign.1
index 9eb2398..596b76f 100644 (file)
--- a/catsign.1
+++ b/catsign.1
@@ -59,6 +59,8 @@ is one of:
 .IR tag ]
 .RB [ \-f
 .IR format ]
+.RB [ \-t
+.IR time ]
 .br
        
 .RB [ \-o
@@ -448,6 +450,15 @@ signature.  Using this option causes verification to fail unless the
 signature header specifies the key named
 .IR tag .
 .TP
+.BI "\-t, \-\-freshtime " time
+Only accept signatures claiming to have been made more recently than
+.IR time .
+If
+.I time
+is
+.B always
+(the default) then any timestamp in the past is acceptable.
+.TP
 .B "\-u, \-\-utc"
 Show the datestamp in the signature in UTC rather than (your) local
 time.  The synonym

diff --git a/catsign.c b/catsign.c
index dc96e55..3cea053 100644 (file)
--- a/catsign.c
+++ b/catsign.c
@@ -50,6 +50,7 @@
 #include "noise.h"
 #include "mprand.h"
 #include "key.h"
+#include "getdate.h"
 #include "cc.h"
 
 #include "ectab.h"
@@ -599,6 +600,7 @@ static int verify(int argc, char *argv[])
   int i;
   char bb[MSGBUFSZ];
   size_t n;
+  time_t t_fresh = 0;
   dstr d = DSTR_INIT, dd = DSTR_INIT;
   const encops *eo;
   msgcanon mc_in = MC_INIT;
@@ -614,11 +616,12 @@ static int verify(int argc, char *argv[])
       { "output",      OPTF_ARGREQ,    0,      'o' },
       { "quiet",       0,              0,      'q' },
       { "utc",         0,              0,      'u' },
+      { "fresh-time",  0,              0,      't' },
       { "gmt",         0,              0,      'u' },
       { "verbose",     0,              0,      'v' },
       { 0,             0,              0,      0 }
     };
-    i = mdwopt(argc, argv, "k:f:o:abquv", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "k:f:o:abqt:uv", opt, 0, 0, 0);
     if (i < 0) break;
     switch (i) {
       case 'a': ef = "pem"; break;
@@ -627,6 +630,11 @@ static int verify(int argc, char *argv[])
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       case 'u': v.f |= F_UTC; break;
+      case 't':
+       if (strcmp(optarg, "always") == 0) t_fresh = 0;
+        else if ((t_fresh = get_date(optarg, 0)) < 0)
+         die(EXIT_FAILURE, "bad freshness time");
+       break;
       case 'q': if (v.verb > 0) v.verb--; break;
       case 'v': if (v.verb < 10) v.verb++; break;
       default: v.f |= F_BOGUS; break;
@@ -739,6 +747,14 @@ static int verify(int argc, char *argv[])
     if (v.verb) printf("FAIL signature verification failed\n");
     exit(EXIT_FAILURE);
   }
+  if (t_fresh && s.t < t_fresh) {
+    if (v.verb) printf("FAIL signature is stale\n");
+    exit(EXIT_FAILURE);
+  }
+  if (s.t > time(0)) {
+    if (v.verb) printf("FAIL signature timestamp in the future\n");
+    exit(EXIT_FAILURE);
+  }
   if (v.verb) {
     tm = (v.f & F_UTC) ? gmtime(&s.t) : localtime(&s.t);
     strftime(bb, sizeof(bb), "%Y-%m-%d %H:%M:%S %Z", tm);
@@ -1078,6 +1094,7 @@ Options:\n\
 -k, --key=TAG          Require that the message be signed by key TAG.\n\
 -o, --output=FILE      Write message to FILE.\n\
 -q, --quiet            Produce fewer messages.\n\
+-t, --freshtime=TIME   Only accept signatures made after this time.\n\
 -u, --utc              Show dates in UTC rather than local time.\n\
 -v, --verbose          Produce more verbose messages.\n\
 " },

diff --git a/keyutil.c b/keyutil.c
index 9881dc7..6146ae4 100644 (file)
--- a/keyutil.c
+++ b/keyutil.c
@@ -1015,7 +1015,7 @@ static int cmd_add(int argc, char *argv[])
       /* --- Expiry dates get passed to @get_date@ for parsing --- */
 
       case 'e':
-       if (strncmp(optarg, "forever", strlen(optarg)) == 0)
+       if (strcmp(optarg, "forever") == 0)
          exp = KEXP_FOREVER;
        else {
          exp = get_date(optarg, 0);