Correct certificate lifetime calculation

Resolves: rhbz#2017667
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
Stephen Gallagher 2021-10-29 13:20:12 -04:00
parent b40aa7ee5c
commit 29dbec123b
No known key found for this signature in database
GPG Key ID: 45DB85A568286D11
3 changed files with 56 additions and 5 deletions

View File

@ -1,7 +1,7 @@
From 60377ad4a6a6ef2012d502f118fedb425f4a11af Mon Sep 17 00:00:00 2001
From d2277e711bb16e3b98f43565e71b7865b5fed423 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Sat, 7 Aug 2021 11:48:04 -0400
Subject: [PATCH] Drop usage of ERR_GET_FUNC()
Subject: [PATCH 1/2] Drop usage of ERR_GET_FUNC()
This macro was dropped in OpenSSL 3.0 and has actually not been
providing a valid return code for some time.
@ -14,7 +14,7 @@ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
1 file changed, 1 deletion(-)
diff --git a/include/sscg.h b/include/sscg.h
index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc7e4ba2cc 100644
index faf86ba4f68e186bd35c7bc3ec77b98b8e37d253..851dc93175607e5223a70ef40a5feb24b7b69215 100644
--- a/include/sscg.h
+++ b/include/sscg.h
@@ -94,11 +94,10 @@
@ -30,5 +30,5 @@ index d4499227ea5bd23ac5cae27680438cfe0709fbc4..99788e6001791b658298626d464edcdc
fprintf ( \
stderr, \
--
2.31.1
2.33.0

View File

@ -0,0 +1,46 @@
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
Date: Tue, 26 Oct 2021 12:32:13 +0200
Subject: [PATCH 2/2] Correct certificate lifetime calculation
sscg allows passing the certificate lifetime, as a number of days, as a
commandline argument. It converts this value to seconds using the
formula
days * 24 * 3650
which is incorrect. The correct value is 3600.
This effectively adds an extra 20 minutes to the lifetime of the
certificate for each day as given on the commandline, and was enough to
cause some new integration tests in cockpit to fail.
Interestingly, 3650 is the old default value for the number of days of
certificate validity (~10 years) so this probably slipped in as a sort
of muscle-memory-assisted typo.
Let's just write `24 * 60 * 60` to make things clear.
---
src/x509.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/x509.c b/src/x509.c
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
}
/* set time */
X509_gmtime_adj (X509_get_notBefore (cert), 0);
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
/* set subject */
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
sslret = X509_set_subject_name (cert, subject);
CHECK_SSL (sslret, X509_set_subject_name);
--
2.33.0

View File

@ -9,7 +9,7 @@
Name: sscg
Version: 3.0.0
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Simple SSL certificate generator
License: GPLv3+ with exceptions
@ -27,6 +27,7 @@ BuildRequires: help2man
Patch0001: 0001-Drop-usage-of-ERR_GET_FUNC.patch
Patch0002: 0002-Correct-certificate-lifetime-calculation.patch
%description
@ -58,6 +59,10 @@ false signatures from the service certificate.
%{_mandir}/man8/%{name}.8*
%changelog
* Fri Oct 29 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.0.0-4
- Correct certificate lifetime calculation
- Resolves: rhbz#2017667
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688