summaryrefslogtreecommitdiff
path: root/trust
diff options
context:
space:
mode:
authorHarald Hoyer <harald@redhat.com>2018-11-02 10:38:43 +0100
committerDaiki Ueno <ueno@gnu.org>2018-11-02 12:35:00 +0100
commite81f6af7ed3b39b8df0bb7ce150619ea8178d47c (patch)
treecf3f118ebae4e9b29c6fbf64d3d9efe021f5c49a /trust
parent1d6913d5a551b6bd8efaa1705178e49f1527aa7e (diff)
trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time
For reproducible builds, accept a define timestamp for the java keystore. See https://reproducible-builds.org/docs/source-date-epoch/
Diffstat (limited to 'trust')
-rw-r--r--trust/extract-jks.c38
1 files changed, 34 insertions, 4 deletions
diff --git a/trust/extract-jks.c b/trust/extract-jks.c
index e1f1340..33554df 100644
--- a/trust/extract-jks.c
+++ b/trust/extract-jks.c
@@ -48,6 +48,8 @@
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
+#include <errno.h>
+#include <limits.h>
time_t _p11_extract_jks_timestamp = 0;
@@ -247,10 +249,38 @@ prepare_jks_buffer (p11_enumerate *ex,
* when this was this certificate was added to the keystore, however
* we don't have that information. Java uses time in milliseconds
*/
- if (_p11_extract_jks_timestamp)
- now = _p11_extract_jks_timestamp;
- else
- now = time (NULL);
+ {
+ char *source_date_epoch;
+ source_date_epoch = secure_getenv ("SOURCE_DATE_EPOCH");
+ if (source_date_epoch) {
+ unsigned long long epoch;
+ char *endptr;
+ errno = 0;
+ epoch = strtoull (source_date_epoch, &endptr, 10);
+ if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0))
+ || (errno != 0 && epoch == 0)) {
+ p11_message_err (errno, "Environment variable $SOURCE_DATE_EPOCH: strtoull");
+ return false;
+ }
+ if (endptr == source_date_epoch) {
+ fprintf (stderr, "Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n", endptr);
+ return false;
+ }
+ if (*endptr != '\0') {
+ fprintf (stderr, "Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n", endptr);
+ return false;
+ }
+ if (epoch > ULONG_MAX) {
+ fprintf (stderr, "Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to %lu but was found to be: %llu \n", ULONG_MAX, epoch);
+ return false;
+ }
+ now = epoch;
+ } else if (_p11_extract_jks_timestamp)
+ now = _p11_extract_jks_timestamp;
+ else
+ now = time (NULL);
+ }
+
return_val_if_fail (now > 0, false);
now *= 1000; /* seconds to milliseconds */