47 lines
1.6 KiB
Diff
47 lines
1.6 KiB
Diff
From 87604820a935f87a8f533e3f294419d27c0514eb Mon Sep 17 00:00:00 2001
|
|
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
|
|
Date: Tue, 26 Oct 2021 12:32:13 +0200
|
|
Subject: [PATCH 2/2] Correct certificate lifetime calculation
|
|
|
|
sscg allows passing the certificate lifetime, as a number of days, as a
|
|
commandline argument. It converts this value to seconds using the
|
|
formula
|
|
|
|
days * 24 * 3650
|
|
|
|
which is incorrect. The correct value is 3600.
|
|
|
|
This effectively adds an extra 20 minutes to the lifetime of the
|
|
certificate for each day as given on the commandline, and was enough to
|
|
cause some new integration tests in cockpit to fail.
|
|
|
|
Interestingly, 3650 is the old default value for the number of days of
|
|
certificate validity (~10 years) so this probably slipped in as a sort
|
|
of muscle-memory-assisted typo.
|
|
|
|
Let's just write `24 * 60 * 60` to make things clear.
|
|
---
|
|
src/x509.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/x509.c b/src/x509.c
|
|
index dc1594a4bdcb9d81607f0fe5ad2d4562e5edb533..7c7e4dfe56d5756862f3e0f851941e846ce96f31 100644
|
|
--- a/src/x509.c
|
|
+++ b/src/x509.c
|
|
@@ -416,11 +416,11 @@ sscg_sign_x509_csr (TALLOC_CTX *mem_ctx,
|
|
X509_set_issuer_name (cert, X509_REQ_get_subject_name (csr));
|
|
}
|
|
|
|
/* set time */
|
|
X509_gmtime_adj (X509_get_notBefore (cert), 0);
|
|
- X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 3650);
|
|
+ X509_gmtime_adj (X509_get_notAfter (cert), days * 24 * 60 * 60);
|
|
|
|
/* set subject */
|
|
subject = X509_NAME_dup (X509_REQ_get_subject_name (csr));
|
|
sslret = X509_set_subject_name (cert, subject);
|
|
CHECK_SSL (sslret, X509_set_subject_name);
|
|
--
|
|
2.33.0
|
|
|