~sircmpwn/gmni-devel


[PATCH gmnisrv] Set certificate expiration to maximum value

Message ID: <20210513200320.10863-1-callum@calcuode.com>
DKIM signature: pass
Patch: +1 -1
Quoting RFC 5280 section 4.1.2.5 [0]:
> To indicate that a certificate has no well-defined expiration date,
> the notAfter SHOULD be assigned the GeneralizedTime value of
> 99991231235959Z.

This fixes commit 8b65e303b01fc573cb1c40a365fb5db166146a37 where the
certificate expiration is set to LONG_MAX seconds in the future.
Using LONG_MAX avoids an integer overflow when using 200 years on 32
bit systems, however on 64 bit systems LONG_MAX is 9223372036854775807,
which is around 292 billion years worth of seconds. Unsurprisingly, this
doesn't go down well with X509 certificates.

[0] https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
---
The notAfter date seems to be a very finickity thing. I'm not sure if
this is an alright way to solve the problem, but it looks OK to my
novice eyes.

 src/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tls.c b/src/tls.c
index a98dfe0..0f802ca 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -44,7 +44,7 @@ tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
	X509_set_version(x509, 2);
	ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
	X509_gmtime_adj(X509_get_notBefore(x509), 0);
	X509_gmtime_adj(X509_get_notAfter(x509), LONG_MAX);
	ASN1_TIME_set_string_X509(X509_get_notAfter(x509), "99991231235959Z");
	X509_set_pubkey(x509, pkey);

	char *organization = "gmnisrv";
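Review bot: the return value of ASN1_TIME_set_string_X509 in this hunk is discarded, so if the conversion of "99991231235959Z" ever fails, notAfter is left as whatever the fresh X509 carried and tls_host_gencert still hands out the certificate; since the sole purpose of the change is to install this exact sentinel, check for a return other than 1 and treat it as a generation failure, e.g. `if (ASN1_TIME_set_string_X509(X509_get_notAfter(x509), "99991231235959Z") != 1)` followed by the same error path the function uses for its other failures. The 15-character YYYYMMDDHHMMSSZ form is the GeneralizedTime encoding the quoted RFC 5280 text asks for, which is the right choice here, whereas the 13-character UTCTime form could not express the year 9999 at all.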
-- 
2.31.1
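To make the reasoning in the commit message concrete (the RFC 5280 sentinel, the 32-bit overflow of a 200-year offset, and the unrepresentable 64-bit LONG_MAX offset), here is an added example that is not part of the patch or of gmnisrv. It encodes and decodes certificate validity times with the UTCTime/GeneralizedTime rules from RFC 5280 section 4.1.2.5 and mimics the "now plus N seconds" computation that X509_gmtime_adj performs, rejecting offsets that cannot be expressed in a certificate. The function names and the sample timestamp (taken from the Message ID date) are this example's own.

```python
"""RFC 5280 validity-time helpers (added example, not gmnisrv code)."""
from datetime import datetime, timedelta, timezone

# RFC 5280 section 4.1.2.5: "no well-defined expiration date" sentinel.
NO_EXPIRY = "99991231235959Z"

# Assumed C long limits: two's-complement, 32 or 64 bits wide.
LONG_MAX_32 = 2**31 - 1
LONG_MAX_64 = 2**63 - 1


def fits_c_long(seconds, bits):
    """True if an offset in seconds is representable as a C long of `bits` width."""
    return -(2 ** (bits - 1)) <= seconds <= 2 ** (bits - 1) - 1


def encode_x509_time(dt):
    """Encode a UTC datetime as RFC 5280 requires: UTCTime (YYMMDDHHMMSSZ) for
    years 1950 through 2049, GeneralizedTime (YYYYMMDDHHMMSSZ) otherwise."""
    if dt.tzinfo is None or dt.utcoffset() != timedelta(0):
        raise ValueError("certificate times must be expressed in UTC")
    body = f"{dt:%m%d%H%M%S}Z"
    if 1950 <= dt.year <= 2049:
        return f"{dt.year % 100:02d}{body}"
    # Format the year by hand: strftime('%Y') does not zero-pad on every platform.
    return f"{dt.year:04d}{body}"


def decode_x509_time(text):
    """Decode a UTCTime or GeneralizedTime string into an aware UTC datetime.
    Rejects fractional seconds and non-UTC suffixes, as RFC 5280 does."""
    if not text.endswith("Z"):
        raise ValueError("RFC 5280 times must end in 'Z'")
    if len(text) == 13:  # UTCTime: two-digit year, RFC 5280 century rule
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        digits = f"{year:04d}{text[2:12]}"
    elif len(text) == 15:  # GeneralizedTime: four-digit year
        digits = text[:14]
    else:
        raise ValueError(f"unexpected time length {len(text)}")
    dt = datetime.strptime(digits, "%Y%m%d%H%M%S")
    return dt.replace(tzinfo=timezone.utc)


def is_no_expiry(text):
    """True if notAfter carries the RFC 5280 'no expiration' sentinel."""
    return text == NO_EXPIRY


def not_after_from_offset(now, seconds):
    """Mimic X509_gmtime_adj(notAfter, seconds): add an offset to `now` and
    encode it. Raises ValueError when the result cannot be a certificate time,
    which is exactly what happens with a LONG_MAX offset on 64-bit systems."""
    try:
        expiry = now + timedelta(seconds=seconds)
    except OverflowError as exc:
        raise ValueError(f"offset of {seconds} s is not representable") from exc
    if expiry.year > 9999:
        raise ValueError("GeneralizedTime cannot express years beyond 9999")
    return encode_x509_time(expiry)


if __name__ == "__main__":
    # Constructed sample: the timestamp from the patch email's Message ID.
    now = datetime(2021, 5, 13, 20, 3, 20, tzinfo=timezone.utc)
    two_hundred_years = 200 * 365 * 86400
    print("200 years fits 32-bit long:", fits_c_long(two_hundred_years, 32))
    print("200 years from now:", not_after_from_offset(now, two_hundred_years))
    try:
        not_after_from_offset(now, LONG_MAX_64)
    except ValueError as err:
        print("LONG_MAX offset rejected:", err)
    print("sentinel decodes to:", decode_x509_time(NO_EXPIRY))
```

Run as a script it prints that a 200-year offset does not fit a 32-bit long, that the same offset from the sample date lands in the year 2221 as a GeneralizedTime, that the 64-bit LONG_MAX offset is rejected outright, and that the sentinel decodes to 9999-12-31 23:59:59 UTC. A deployment check can call `is_no_expiry` on a served certificate's notAfter to confirm the patch's intent reached the wire.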
Message ID: <CBEVFHK0D8K2.3PEPQ45M6WSYP@taiga>
In-Reply-To: <20210513200320.10863-1-callum@calcuode.com>
DKIM signature: fail
Went with a similar, but simpler, patch. Thanks anyway!