~sircmpwn/gmni-devel

gmnisrv: Set certificate expiration to maximum value v1 PROPOSED

Callum Brown: 1
 Set certificate expiration to maximum value

 1 files changed, 1 insertions(+), 1 deletions(-)

[PATCH gmnisrv] Set certificate expiration to maximum value

Quoting RFC 5280 section 4.1.2.5 [0]:
> To indicate that a certificate has no well-defined expiration date,
> the notAfter SHOULD be assigned the GeneralizedTime value of
> 99991231235959Z.

This fixes commit 8b65e303b01fc573cb1c40a365fb5db166146a37 where the
certificate expiration is set to LONG_MAX seconds in the future.
Using LONG_MAX avoids an integer overflow when using 200 years on 32
bit systems, however on 64 bit systems LONG_MAX is 9223372036854775807,
which is around 292 billion years worth of seconds. Unsurprisingly, this
doesn't go down well with X509 certificates.

[0] https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5
---
The notAfter date seems to be a very finickity thing. I'm not sure if
this is an alright way to solve the problem, but it looks OK to my
novice eyes.

 src/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tls.c b/src/tls.c
index a98dfe0..0f802ca 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -44,7 +44,7 @@ tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
	X509_set_version(x509, 2);
	ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
	X509_gmtime_adj(X509_get_notBefore(x509), 0);
	X509_gmtime_adj(X509_get_notAfter(x509), LONG_MAX);
	ASN1_TIME_set_string_X509(X509_get_notAfter(x509), "99991231235959Z");
	X509_set_pubkey(x509, pkey);

	char *organization = "gmnisrv";
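Review bot: The return value of ASN1_TIME_set_string_X509() on the new notAfter line is ignored. The function returns 1 on success and 0 on failure, so a failed call would go unnoticed and the certificate would be generated without the intended expiry. Suggest checking the result and failing certificate generation when it is 0. Also worth a line in the commit message or build notes: ASN1_TIME_set_string_X509() was added in OpenSSL 1.1.1, so this raises the minimum library version the file builds against.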
-- 
2.31.1
Went with a similar, but simpler, patch. Thanks anyway!
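
The arithmetic behind the commit message above, as an added example that is not gmnisrv code and not part of the thread: it clamps a requested validity offset to the RFC 5280 maximum instead of letting it run past year 9999. The helper names, the `NOT_AFTER_MAX` constant and the sample timestamp are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* 9999-12-31T23:59:59Z in seconds since the Unix epoch: the latest
 * instant a four-digit-year GeneralizedTime can express. */
#define NOT_AFTER_MAX INT64_C(253402300799)

/* Hypothetical helper: returns now + offset clamped to NOT_AFTER_MAX and
 * sets *clamped when the offset did not fit. Assumes now >= 0. */
static int64_t
not_after_clamp(int64_t now, int64_t offset, int *clamped)
{
	/* Compare against the remaining headroom so that now + offset is
	 * never evaluated when it would overflow int64_t. */
	*clamped = offset > NOT_AFTER_MAX - now;
	return *clamped ? NOT_AFTER_MAX : now + offset;
}

/* Formats t as GeneralizedTime (YYYYMMDDHHMMSSZ); buf needs 16 bytes.
 * Returns 0 on success, -1 on failure. */
static int
generalized_time(int64_t t, char *buf, size_t len)
{
	time_t tt = (time_t)t;
	struct tm tm;
	if ((int64_t)tt != t || gmtime_r(&tt, &tm) == NULL) {
		return -1; /* e.g. a 32-bit time_t cannot hold the value */
	}
	return strftime(buf, len, "%Y%m%d%H%M%SZ", &tm) == 15 ? 0 : -1;
}

int
main(void)
{
	int64_t now = 1620000000; /* constructed sample: 2021-05-03T00:00:00Z */
	int64_t offsets[] = { INT64_C(86400) * 365 * 200, INT64_MAX };
	for (size_t i = 0; i < 2; i++) {
		int clamped;
		char buf[16];
		int64_t t = not_after_clamp(now, offsets[i], &clamped);
		if (generalized_time(t, buf, sizeof(buf)) == 0) {
			printf("%s%s\n", buf, clamped ? " (clamped)" : "");
		}
	}
	return 0;
}
```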